ULONG_PTR kuhl_m_sekurlsa_utils_pFromLinkedListByLuid(ULONG_PTR pSecurityStruct, ULONG LUIDoffset, PLUID luidToFind)
{
PVOID buffer;
ULONG_PTR resultat = 0, pStruct = 0;
if(buffer = LocalAlloc(LPTR, LUIDoffset + sizeof(LUID)))
{
if(ReadMemory(pSecurityStruct, &pStruct, sizeof(PVOID), NULL))
{
while(pStruct != pSecurityStruct)
{
if(ReadMemory(pStruct, buffer, LUIDoffset + sizeof(LUID), NULL))
{
if(RtlEqualLuid(luidToFind, (PLUID) ((PBYTE) buffer + LUIDoffset)))
{
resultat = pStruct;
break;
}
pStruct = (ULONG_PTR) ((PLIST_ENTRY) buffer)->Flink;
}
else break;
}
}
LocalFree(buffer);
}
return resultat;
}
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_kerberos(IN ULONG_PTR pKerbGlobalLogonSessionTable, IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData)
{
KIWI_KERBEROS_LOGON_SESSION session;
UNICODE_STRING pinCode;
KIWI_KERBEROS_KEYS_LIST_6 keyList;
PKERB_HASHPASSWORD_6 pHashPassword;
DWORD i;
ULONG_PTR ptr;
if(ptr = kuhl_m_sekurlsa_utils_pFromAVLByLuid(pKerbGlobalLogonSessionTable, FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION, LocallyUniqueIdentifier), pData->LogonId))
{
if(ReadMemory(ptr, &session, sizeof(KIWI_KERBEROS_LOGON_SESSION), NULL))
{
kuhl_m_sekurlsa_genericCredsOutput(&session.credentials, pData->LogonId, 0);
if(session.pinCode)
if(ReadMemory((ULONG_PTR) session.pinCode, &pinCode, sizeof(UNICODE_STRING), NULL))
kuhl_m_sekurlsa_genericCredsOutput((PKIWI_GENERIC_PRIMARY_CREDENTIAL) &pinCode, pData->LogonId, KUHL_SEKURLSA_CREDS_DISPLAY_PINCODE);
if(session.pKeyList)
if(ReadMemory((ULONG_PTR) session.pKeyList, &keyList, sizeof(KIWI_KERBEROS_KEYS_LIST_6) - sizeof(KERB_HASHPASSWORD_6), NULL))
if(pHashPassword = (PKERB_HASHPASSWORD_6) LocalAlloc(LPTR, keyList.cbItem * sizeof(KERB_HASHPASSWORD_6)))
{
if(ReadMemory((ULONG_PTR) session.pKeyList + sizeof(KIWI_KERBEROS_KEYS_LIST_6) - sizeof(KERB_HASHPASSWORD_6), pHashPassword, keyList.cbItem * sizeof(KERB_HASHPASSWORD_6), NULL))
{
dprintf("\n\t * Key List");
for(i = 0; i < keyList.cbItem; i++)
kuhl_m_sekurlsa_genericCredsOutput((PKIWI_GENERIC_PRIMARY_CREDENTIAL) (pHashPassword + i), pData->LogonId, KUHL_SEKURLSA_CREDS_DISPLAY_KEY_LIST);
}
LocalFree(pHashPassword);
}
}
}
else dprintf("KO");
}
static PVOID GetPsGetCurrentProcess(HBITMAP hManager, HBITMAP hWorker, PEPROCESS_OFFSETS offsets) {
PVOID systemProcess;
LIST_ENTRY ActiveProcessLinks;
ULONG64 UniqueProcessId;
PVOID currentProcess;
systemProcess = GetPsInitialSystemProcess(hManager, hWorker);
if (ReadMemory(hManager, hWorker, (PVOID)((ULONG64)systemProcess + offsets->UniqueProcessId + sizeof(ULONG64)), &ActiveProcessLinks, sizeof(LIST_ENTRY)) == FALSE) {
LOG("[-] Unable To Read Initial System Process ActiveProcessLinks\n");
return NULL;
}
do {
currentProcess = (PVOID)((ULONG64)ActiveProcessLinks.Flink - offsets->UniqueProcessId - sizeof(ULONG64));
ReadMemory(hManager, hWorker, (PVOID)((ULONG64)currentProcess + offsets->UniqueProcessId), &UniqueProcessId, sizeof(ULONG64));
if (GetCurrentProcessId() == UniqueProcessId) { return currentProcess; }
ReadMemory(hManager, hWorker, (PVOID)((ULONG64)currentProcess + offsets->UniqueProcessId + sizeof(ULONG64)), &ActiveProcessLinks, sizeof(LIST_ENTRY));
} while (currentProcess != (PVOID)((ULONG64)ActiveProcessLinks.Flink - offsets->UniqueProcessId - sizeof(ULONG64)));
LOG("[-] Unable To Locate The Current Process In The List\n");
return NULL;
}
PDLL_INFO
AddDllToList(
HANDLE hProcess,
ULONG DllAddr,
LPSTR DllName,
ULONG DllSize
)
{
IMAGE_DOS_HEADER dh;
IMAGE_NT_HEADERS nh;
ULONG i;
PDLL_INFO DllInfo;
//
// first look to see if the dll is already in the list
//
DllInfo = FindDllByAddress( DllAddr );
if (!DllSize) {
//
// read the pe image headers to get the image size
//
if (!ReadMemory(
hProcess,
(PVOID) DllAddr,
&dh,
sizeof(dh)
)) {
return NULL;
}
if (dh.e_magic == IMAGE_DOS_SIGNATURE) {
if (!ReadMemory(
hProcess,
(PVOID)(DllAddr + dh.e_lfanew),
&nh,
sizeof(nh)
)) {
return NULL;
}
DllSize = nh.OptionalHeader.SizeOfImage;
} else {
DllSize = 0;
}
}
DllInfo = FindAvailDll();
if (!DllInfo) {
return NULL;
}
DllInfo->Size = DllSize;
strncat( DllInfo->Name, DllName, MAX_NAME_SZ-1 );
DllInfo->BaseAddress = DllAddr;
DllInfo->InList = FALSE;
DllInfo->Enabled = TRUE;
return DllInfo;
}
trap_retval ReqChecksum_mem( void )
/******************************/
{
trap_elen len;
int i;
trap_elen read;
checksum_mem_req *acc;
checksum_mem_ret *ret;
char buffer[256];
_DBG1(( "AccChkSum\n" ));
acc = GetInPtr( 0 );
ret = GetOutPtr( 0 );
len = acc->len;
ret->result = 0;
while( len >= sizeof( buffer ) ) {
read = ReadMemory( &acc->in_addr, buffer, sizeof( buffer ) );
for( i = 0; i < read; ++i ) {
ret->result += buffer[ i ];
}
if( read != sizeof( buffer ) )
return( sizeof( *ret ) );
len -= sizeof( buffer );
acc->in_addr.offset += sizeof( buffer );
}
if( len != 0 ) {
read = ReadMemory( &acc->in_addr, buffer, len );
for( i = 0; i < read; ++i ) {
ret->result += buffer[ i ];
}
}
return( sizeof( ret ) );
}
trap_retval ReqChecksum_mem( void )
{
unsigned len;
int i;
int read;
checksum_mem_req *acc;
checksum_mem_ret *ret;
_DBG1(( "AccChkSum" ));
acc = GetInPtr( 0 );
ret = GetOutPtr( 0 );
len = acc->len;
ret->result = 0;
while( len >= BUFF_SIZE ) {
read = ReadMemory( &acc->in_addr, (byte *)&UtilBuff, BUFF_SIZE );
acc->in_addr.offset += BUFF_SIZE;
for( i = 0; i < read; ++i ) {
ret->result += UtilBuff[ i ];
}
if( read != BUFF_SIZE ) return( sizeof( *ret ) );
len -= BUFF_SIZE;
}
if( len != 0 ) {
read = ReadMemory( &acc->in_addr, (byte *)&UtilBuff, len );
if( read == len ) {
for( i = 0; i < len; ++i ) {
ret->result += UtilBuff[ i ];
}
}
}
return( sizeof( *ret ) );
}
bool CPathOfExile::GetPlayerExp(PLAYEREXP* exp)
{
DWORD dwPlayerBase = GetPlayerBase();
if ( dwPlayerBase )
{
DWORD arOffsets[] = { 0x14 };
DWORD dwStatsPtr = GetMultiLevelPointer32(dwPlayerBase + 0x4, arOffsets);
if ( dwStatsPtr )
{
DWORD dwValue = 0;
ReadMemory(dwStatsPtr + 0x34, &dwValue, sizeof(dwValue));
exp->Current = dwValue;
ReadMemory(dwStatsPtr + 0x44, &dwValue, sizeof(dwValue));
exp->CurrentLevel = dwValue;
exp->Minimum = s_ExperienceThresholds[exp->CurrentLevel];
exp->Maximum = s_ExperienceThresholds[exp->CurrentLevel + 1];
return true;
}
}
return false;
}
ULONG_PTR kuhl_m_sekurlsa_utils_pFromAVLByLuidRec(ULONG_PTR pTable, ULONG LUIDoffset, PLUID luidToFind)
{
ULONG_PTR resultat = 0;
PVOID buffer;
RTL_AVL_TABLE maTable;
if(ReadMemory(pTable, &maTable, sizeof(RTL_AVL_TABLE), NULL))
{
if(pTable = (ULONG_PTR) maTable.OrderedPointer)
{
if(buffer = LocalAlloc(LPTR, LUIDoffset + sizeof(LUID)))
{
if(ReadMemory(pTable, buffer, LUIDoffset + sizeof(LUID), NULL))
{
if(RtlEqualLuid(luidToFind, (PLUID) ((PBYTE) buffer + LUIDoffset)))
resultat = (ULONG_PTR) maTable.OrderedPointer;
}
LocalFree(buffer);
}
}
if(!resultat && (pTable = (ULONG_PTR) maTable.BalancedRoot.LeftChild))
resultat = kuhl_m_sekurlsa_utils_pFromAVLByLuidRec(pTable, LUIDoffset, luidToFind);
if(!resultat && (pTable = (ULONG_PTR) maTable.BalancedRoot.RightChild))
resultat = kuhl_m_sekurlsa_utils_pFromAVLByLuidRec(pTable, LUIDoffset, luidToFind);
}
return resultat;
}
unsigned ReqChecksum_mem()
{
unsigned short len;
int i;
unsigned short read;
checksum_mem_req *acc;
checksum_mem_ret *ret;
_DBG1(( "AccChkSum\n" ));
acc = GetInPtr( 0 );
ret = GetOutPtr( 0 );
len = acc->len;
ret->result = 0;
while( len >= BUFF_SIZE ) {
read = ReadMemory( (addr48_ptr *)&acc->in_addr, &UtilBuff, BUFF_SIZE );
for( i = 0; i < read; ++i ) {
ret->result += UtilBuff[ i ];
}
if( read != BUFF_SIZE ) return( sizeof( *ret ) );
len -= BUFF_SIZE;
}
if( len != 0 ) {
read = ReadMemory( (addr48_ptr *)&acc->in_addr, &UtilBuff, len );
if( read == len ) {
for( i = 0; i < len; ++i ) {
ret->result += UtilBuff[ i ];
}
}
}
return( sizeof( ret ) );
}
void tenkValidate(PVOID heapHandle) {
struct HPool *heap;
struct DestroyStruct dStruct;
struct HeapChunk *curChunk;
ULONG chunkPtr;
ULONG i, nextIndex;
BOOL screwed = FALSE;
heap = getHeap(&heapModel, heapHandle);
i = heap->inUseHead;
while (i != NULLNODE) {
if (CHUNK(i).free) {
// CHUNK(i).nextInUse must be equal to the next ptr
if(!ReadMemory((ULONG64)(CHUNK(i).addr)+4, (PVOID) &chunkPtr, 4, NULL)) {
dprintf("[T] Unable to read memory at address 0x%08x\n!");
return;
}
// Find next free chunk - continue if there are no more
nextIndex = CHUNK(i).nextInUse;
while (nextIndex != NULLNODE && !(CHUNK(nextIndex).free))
nextIndex = CHUNK(nextIndex).nextInUse;
if (nextIndex == NULLNODE) {
i = CHUNK(i).nextInUse;
continue;
}
// Validate next free chunk
if (CHUNK(nextIndex).addr != (PVOID) chunkPtr) {
dprintf("[T] Corruped next pointer for chunk at 0x%08x\n", CHUNK(i).addr);
dprintf(">\tGot: 0x%08x\tExpected: 0x%08x\n", chunkPtr, CHUNK(nextIndex).addr);
screwed = TRUE;
}
// next free chunk prev, must equal CHUNK(i).addr
if(!ReadMemory((ULONG64)CHUNK(nextIndex).addr, (PVOID) &chunkPtr, 4, NULL)) {
dprintf("[T] Unable to read memory at address 0x%08x\n!");
return;
}
if ((PVOID) chunkPtr != CHUNK(i).addr) {
dprintf("[T] Corruped prev pointer for chunk at 0x%08x\n", CHUNK(nextIndex).addr);
dprintf(">\tGot: 0x%08x\tExpected: 0x%08x\n", chunkPtr, CHUNK(i).addr);
screwed = TRUE;
}
} else {
}
i = CHUNK(i).nextInUse;
}
dprintf("[T] Validation complete: ");
if (!screwed)
dprintf("all known free chunks are correct\n");
else
dprintf("errors found\n");
}
void
poolDumpHive(
IN PCMHIVE pHive
)
{
CMHIVE CmHive;
ULONG BytesRead;
WCHAR FileName[HBASE_NAME_ALLOC/2 + 1];
CHAR buf[512];
ULONG cb;
dprintf("\ndumping hive at %lx ",pHive);
ReadMemory((DWORD)pHive,
&CmHive,
sizeof(CmHive),
&BytesRead);
if (BytesRead < sizeof(CmHive)) {
dprintf("\tRead %lx bytes from %lx\n",BytesRead,pHive);
return;
}
ReadMemory((DWORD)&CmHive.Hive.BaseBlock->FileName,
FileName,
sizeof(FileName),
&BytesRead);
if (BytesRead < sizeof(FileName)) {
wcscpy(FileName, L"UNKNOWN");
} else {
if (FileName[0]==L'\0') {
wcscpy(FileName, L"NONAME");
} else {
FileName[HBASE_NAME_ALLOC/2]=L'\0';
}
}
dprintf("(%ws)\n",FileName);
dprintf(" %d KCBs open\n",CmHive.KcbCount);
dprintf(" Stable Length = %lx\n",CmHive.Hive.Storage[Stable].Length);
if (SavePages) {
sprintf(buf,
"%ws %d %d\n",
FileName,
CmHive.Hive.Storage[Stable].Length,
CmHive.Hive.Storage[Volatile].Length);
WriteFile( TempFile, buf, strlen(buf), &cb, NULL );
}
poolDumpMap(CmHive.Hive.Storage[Stable].Length,
CmHive.Hive.Storage[Stable].Map);
dprintf(" Volatile Length = %lx\n",CmHive.Hive.Storage[Volatile].Length);
poolDumpMap(CmHive.Hive.Storage[Volatile].Length,
CmHive.Hive.Storage[Volatile].Map);
}
VOID
DumpIrpContextFromThread (
IN ULONG Thread,
IN ULONG Options
)
/*++
Routine Description:
Dump an IrpContext given a Thread.
Arguments:
Address - Gives the address of the Thread where the IrpContext can be found
Return Value:
None
--*/
{
ULONG Result;
ULONG OurStackAddress;
PIRP_CONTEXT pIrpContext;
dprintf( "\n Thread @ %08lx", Thread );
if (!ReadMemory( (DWORD) (Thread + 0x214),
&OurStackAddress,
sizeof(OurStackAddress),
&Result)) {
dprintf( "%08lx: Could not read Thread + 0x214\n", Thread + 0x214 );
return;
}
dprintf( "\n Our stack @ %08lx", OurStackAddress );
if (!ReadMemory( (DWORD) (OurStackAddress + 0x18),
&pIrpContext,
sizeof(pIrpContext),
&Result)) {
dprintf( "%08lx: Could not read OurStackAddress + 0x18\n", OurStackAddress + 0x18 );
return;
}
DumpIrpContext( (ULONG) pIrpContext, Options );
dprintf( "\n" );
return;
}
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_credman(IN ULONG_PTR reserved, IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData)
{
KIWI_CREDMAN_SET_LIST_ENTRY setList;
KIWI_CREDMAN_LIST_STARTER listStarter;
DWORD nbCred = 0;
ULONG_PTR pCur, pRef;
KIWI_GENERIC_PRIMARY_CREDENTIAL kiwiCreds;
ULONG CredOffsetIndex;
PBYTE buffer;
if(NtBuildNumber < KULL_M_WIN_BUILD_7)
CredOffsetIndex = 0;
else
CredOffsetIndex = 1;
if(pData->pCredentialManager)
{
if(ReadMemory((ULONG_PTR) pData->pCredentialManager, &setList, sizeof(KIWI_CREDMAN_SET_LIST_ENTRY), NULL))
{
if(setList.list1)
{
pRef = (ULONG_PTR) setList.list1 + FIELD_OFFSET(KIWI_CREDMAN_LIST_STARTER, start);
if(ReadMemory((ULONG_PTR) setList.list1, &listStarter, sizeof(KIWI_CREDMAN_LIST_STARTER), NULL))
{
if(buffer = (PBYTE) LocalAlloc(LPTR, credhelper[CredOffsetIndex].structSize))
{
if(pCur = (ULONG_PTR) listStarter.start)
{
while(pCur != pRef)
{
pCur -= credhelper[CredOffsetIndex].offsetFLink;
if(ReadMemory(pCur, buffer, credhelper[CredOffsetIndex].structSize, NULL))
{
dprintf("\n\t [%08x]", nbCred);
kiwiCreds.UserName = *(PUNICODE_STRING) (buffer + credhelper[CredOffsetIndex].offsetUsername);
kiwiCreds.Domaine = *(PUNICODE_STRING) (buffer + credhelper[CredOffsetIndex].offsetDomain);
kiwiCreds.Password.Length = kiwiCreds.Password.MaximumLength = *(PUSHORT) (buffer + credhelper[CredOffsetIndex].offsetCbPassword);;
kiwiCreds.Password.Buffer = *(PWSTR *) (buffer + credhelper[CredOffsetIndex].offsetPassword);
kuhl_m_sekurlsa_genericCredsOutput(&kiwiCreds, pData->LogonId, KUHL_SEKURLSA_CREDS_DISPLAY_CREDMANPASS);
pCur = (ULONG_PTR) *(PVOID *) (buffer + credhelper[CredOffsetIndex].offsetFLink);
}
else break;
nbCred++;
}
}
LocalFree(buffer);
}
}
}
}
}
}
ULONG
GetAddressState(
IN PVOID VirtualAddress
)
{
ULONG Address;
ULONG result;
ULONG flags = 0;
PMMPTE Pte;
PMMPTE Pde;
ULONG PdeContents;
ULONG PteContents;
if (MI_IS_PHYSICAL_ADDRESS (VirtualAddress)) {
return ADDRESS_VALID;
}
Address = (ULONG)VirtualAddress;
Pde = (PMMPTE)MiGetPdeAddress (Address);
Pte = (PMMPTE)MiGetPteAddress (Address);
if ( !ReadMemory( (DWORD)Pde,
&PdeContents,
sizeof(ULONG),
&result) ) {
dprintf("%08lx: Unable to get PDE\n",Pde);
return ADDRESS_NOT_VALID;
}
if (PdeContents & MM_PTE_VALID_MASK) {
if (PdeContents & MM_PTE_LARGE_PAGE_MASK) {
return ADDRESS_VALID;
}
if ( !ReadMemory( (DWORD)Pte,
&PteContents,
sizeof(ULONG),
&result) ) {
dprintf("%08lx: Unable to get PTE\n",Pte);
return ADDRESS_NOT_VALID;
}
if (PteContents & MM_PTE_VALID_MASK) {
return ADDRESS_VALID;
}
if (PteContents & MM_PTE_TRANSITION_MASK) {
if (!(PteContents & MM_PTE_PROTOTYPE_MASK)) {
return ADDRESS_TRANSITION;
}
}
}
return ADDRESS_NOT_VALID;
}
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_livessp(IN ULONG_PTR pLiveGlobalLogonSessionList, IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData)
{
KIWI_LIVESSP_LIST_ENTRY credentials;
KIWI_LIVESSP_PRIMARY_CREDENTIAL primaryCredential;
ULONG_PTR ptr;
if(ptr = kuhl_m_sekurlsa_utils_pFromLinkedListByLuid(pLiveGlobalLogonSessionList, FIELD_OFFSET(KIWI_LIVESSP_LIST_ENTRY, LocallyUniqueIdentifier), pData->LogonId))
{
if(ReadMemory(ptr, &credentials, sizeof(KIWI_LIVESSP_LIST_ENTRY), NULL))
if(ptr = (ULONG_PTR) credentials.suppCreds)
if(ReadMemory(ptr, &primaryCredential, sizeof(KIWI_LIVESSP_PRIMARY_CREDENTIAL), NULL))
kuhl_m_sekurlsa_genericCredsOutput(&primaryCredential.credentials, pData->LogonId, (NtBuildNumber != 9431) ? 0 : KUHL_SEKURLSA_CREDS_DISPLAY_NODECRYPT);
} else dprintf("KO");
}
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_tspkg(IN ULONG_PTR pTSGlobalCredTable, IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData)
{
KIWI_TS_CREDENTIAL credentials;
KIWI_TS_PRIMARY_CREDENTIAL primaryCredential;
ULONG_PTR ptr;
if(ptr = kuhl_m_sekurlsa_utils_pFromAVLByLuid(pTSGlobalCredTable, FIELD_OFFSET(KIWI_TS_CREDENTIAL, LocallyUniqueIdentifier), pData->LogonId))
{
if(ReadMemory(ptr, &credentials, sizeof(KIWI_TS_CREDENTIAL), NULL))
if(ReadMemory((ULONG_PTR) credentials.pTsPrimary, &primaryCredential, sizeof(KIWI_TS_PRIMARY_CREDENTIAL), NULL))
kuhl_m_sekurlsa_genericCredsOutput(&primaryCredential.credentials, pData->LogonId, KUHL_SEKURLSA_CREDS_DISPLAY_DOMAIN);
}
else dprintf("KO");
}
VOID
WinDbgExtensionDllInit(
PWINDBG_EXTENSION_APIS lpExtensionApis,
USHORT MajorVersion,
USHORT MinorVersion
)
{
ULONG_PTR offKeProcessorArchitecture;
ULONG Result;
ExtensionApis = *lpExtensionApis;
SavedMajorVersion = MajorVersion;
SavedMinorVersion = MinorVersion;
bDebuggingChecked = (SavedMajorVersion == 0x0c);
usProcessorArchitecture = (USHORT)-1;
offKeProcessorArchitecture = GetExpression("KeProcessorArchitecture");
if (offKeProcessorArchitecture != 0)
ReadMemory(offKeProcessorArchitecture, &usProcessorArchitecture,
sizeof(USHORT), &Result);
if (usProcessorArchitecture >= cArchitecture) {
#ifdef IA64
GetEProcessData = GetEProcessData_IA64;
#else
GetEProcessData = GetEProcessData_X86;
#endif
} else {
GetEProcessData = aGetEProcessDataFunc[usProcessorArchitecture];
}
//
// Read the user probe address from the target system.
//
// N.B. The user probe address is constant on MIPS, Alpha, and the PPC.
// On the x86, it may not be defined for the target system if it
// does not contain the code to support 3gb of user address space.
//
UserProbeAddress = GetExpression("MmUserProbeAddress");
if ((UserProbeAddress == 0) ||
(ReadMemory(UserProbeAddress,
&UserProbeAddress,
sizeof(UserProbeAddress),
&Result) == FALSE)) {
UserProbeAddress = 0x7fff0000;
}
return;
}
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_tspkg(IN ULONG_PTR pTSGlobalCredTable, IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData)
{
KIWI_TS_PRIMARY_CREDENTIAL primaryCredential;
ULONG_PTR ptr;
PVOID buffer;
LONG TsOffsetIndex = (NtBuildNumber < KULL_M_WIN_BUILD_10_1607) ? 0 : 1;
if(ptr = kuhl_m_sekurlsa_utils_pFromAVLByLuid(pTSGlobalCredTable, tsCredentialHelper[TsOffsetIndex].offsetToLuid, pData->LogonId))
{
if(ReadMemory(ptr + tsCredentialHelper[TsOffsetIndex].offsetToTsPrimary, &buffer, sizeof(PVOID), NULL))
if(ReadMemory((ULONG_PTR) buffer, &primaryCredential, sizeof(KIWI_TS_PRIMARY_CREDENTIAL), NULL))
kuhl_m_sekurlsa_genericCredsOutput(&primaryCredential.credentials, pData->LogonId, KUHL_SEKURLSA_CREDS_DISPLAY_DOMAIN);
}
else dprintf("KO");
}
bool
CrashInfo::GetDSOInfo()
{
Phdr* phdrAddr = reinterpret_cast<Phdr*>(m_auxvValues[AT_PHDR]);
int phnum = m_auxvValues[AT_PHNUM];
assert(m_auxvValues[AT_PHENT] == sizeof(Phdr));
if (phnum <= 0 || phdrAddr == nullptr) {
return false;
}
TRACE("DSO: phdr %p phnum %d\n", phdrAddr, phnum);
// Search for the program PT_DYNAMIC header
ElfW(Dyn)* dynamicAddr = nullptr;
for (int i = 0; i < phnum; i++, phdrAddr++)
{
Phdr ph;
if (!ReadMemory(phdrAddr, &ph, sizeof(ph))) {
return false;
}
TRACE("DSO: phdr %p type %d (%x) vaddr %016lx memsz %016lx offset %016lx\n",
phdrAddr, ph.p_type, ph.p_type, ph.p_vaddr, ph.p_memsz, ph.p_offset);
if (ph.p_type == PT_DYNAMIC)
{
dynamicAddr = reinterpret_cast<ElfW(Dyn)*>(ph.p_vaddr);
}
else if (ph.p_type == PT_GNU_EH_FRAME)
void D3D::Update()
{
ReadMemory(0);
//// Camera
//projection->_11 = projection->_22 / (windowWidth / windowHeight);
//viewMatrix = CreateConstantBuffer(sizeof(XMFLOAT4X4), view);
//projectionMatrix = CreateConstantBuffer(sizeof(XMFLOAT4X4), projection);
//// Indices
//D3D11_BUFFER_DESC cbDesc;
//cbDesc.ByteWidth = sizeof(int) * 6;
//cbDesc.Usage = D3D11_USAGE_DYNAMIC;
//cbDesc.BindFlags = D3D11_BIND_INDEX_BUFFER;
//cbDesc.CPUAccessFlags = D3D11_CPU_ACCESS_WRITE;
//cbDesc.MiscFlags = 0;
//cbDesc.StructureByteStride = 0;
//D3D11_SUBRESOURCE_DATA cbInitData;
//cbInitData.pSysMem = meshes.back().indices.data();
//cbInitData.SysMemPitch = 0;
//cbInitData.SysMemSlicePitch = 0;
//device->CreateBuffer(&cbDesc, &cbInitData, &meshes.back().meshesBuffer[0]);
createBool = true;
}
bool ExtensionInit()
{
char FDP_SHMNameBuffer[256];
ULONG ulMemoryRead = 0;
dprintf("Extension initialization...\n");
if (InitializeIDebug() == false){
dprintf("Failed to InitializeIDebug\n");
return false;
}
dprintf("Getting FDP SHM from Winbagility...\n");
ReadMemory(0xDEADCACABABECAFE, FDP_SHMNameBuffer, 256, &ulMemoryRead);
dprintf("Trying to connect to FDP %s\n", FDP_SHMNameBuffer);
pFDP = FDP_OpenSHM(FDP_SHMNameBuffer);
if (pFDP != NULL){
dprintf("Connected to %s\n", FDP_SHMNameBuffer);
return true;
}
else{
dprintf("Failed to connect to FDP %s\n", FDP_SHMNameBuffer);
return false;
}
return false;
}
unsigned ReqSet_watch()
{
watch *curr;
set_watch_req *acc;
set_watch_ret *ret;
int i;
int needed;
_DBG1(( "AccSetWatch\n" ));
acc = GetInPtr( 0 );
ret = GetOutPtr( 0 );
ret->multiplier = 5000;
ret->err = 0;
curr = WatchPoints + WatchCount;
curr->addr.segment = acc->watch_addr.segment;
curr->addr.offset = acc->watch_addr.offset;
curr->linear = DPMIGetSegmentBaseAddress( curr->addr.segment ) + curr->addr.offset;
curr->len = acc->size;
curr->dregs = ( curr->linear & (curr->len-1) ) ? 2 : 1;
curr->handle = -1;
curr->handle2 = -1;
curr->value = 0;
ReadMemory( (addr48_ptr *)&acc->watch_addr, (byte far *)&curr->value, curr->len );
++WatchCount;
needed = 0;
for( i = 0; i < WatchCount; ++i ) {
needed += WatchPoints[ i ].dregs;
}
if( needed <= 4 ) ret->multiplier |= USING_DEBUG_REG;
return( sizeof( *ret ) );
}
BOOL
IsTransmitIrpBusy(
PIRP Irp
)
{
IRP localIrp;
ULONG result;
if( Irp == NULL ) {
return FALSE;
}
if( !ReadMemory(
(DWORD)Irp,
&localIrp,
sizeof(localIrp),
&result
) ) {
return FALSE;
}
return localIrp.UserIosb != 0;
} // IsTransmitIrpBusy
VOID
SetDepthLookaside (
IN ULONG Address,
IN PUCHAR Name,
IN ULONG Depth
)
/*++
Routine Description:
Set the depth of a specific lookaside list.
Arguments:
Address - Gives the address of the lookaside list to reset
Name - Gives an optional name of to print in case of errors
Depth - Supplies the depth to set the lookaside list to
Return Value:
None
--*/
{
NPAGED_LOOKASIDE_LIST Lookaside;
ULONG Results;
//
// Read the lookaside list from memory
//
if (!ReadMemory( (ULONG)Address, &Lookaside, sizeof(NPAGED_LOOKASIDE_LIST), &Results ) ||
(Results < sizeof(NPAGED_LOOKASIDE_LIST))) {
dprintf("Can't read lookaside \"%s\" at 0x%08lx\n", Name, Address);
}
//
// Set the depth
//
Lookaside.L.Depth = (USHORT)Depth;
//
// Write it back out
//
if (!WriteMemory( (ULONG)Address, &Lookaside, sizeof(NPAGED_LOOKASIDE_LIST), &Results ) ||
(Results < sizeof(NPAGED_LOOKASIDE_LIST))) {
dprintf("Can't write lookaside \"%s\" at 0x%08lx\n", Name, Address);
}
return;
}
BOOL kuhl_m_sekurlsa_utils_getSid(IN PSID * pSid)
{
BOOL status = FALSE;
BYTE nbAuth;
DWORD sizeSid;
ULONG_PTR buffer = (ULONG_PTR) *pSid;
*pSid = NULL;
if(ReadMemory(buffer + 1, &nbAuth, sizeof(BYTE), NULL))
{
sizeSid = 4 * nbAuth + 6 + 1 + 1;
if(*pSid = LocalAlloc(LPTR, sizeSid))
status = ReadMemory(buffer, *pSid, sizeSid, NULL);
}
return status;
}
CStringW ReadMemoryStringW( size_t address, SIZE_T max )
{
auto buffer = std::make_unique<wchar_t[ ]>( max + 1 );
SIZE_T bytesRead;
if ( ReadMemory( (PVOID) address, buffer.get( ), max * sizeof( wchar_t ), &bytesRead ) != 0 )
{
bytesRead /= sizeof( wchar_t );
for ( int i = 0; i < bytesRead; i++ )
{
if ( !( iswprint( buffer[ i ] ) ) && buffer[ i ] != '\0' )
buffer[ i ] = '.';
}
buffer[ bytesRead ] = '\0';
return CStringW( buffer.get( ) );
} else {
#ifdef _DEBUG
PrintOut( _T( "[ReadMemoryString]: Failed to read memory, GetLastError() = %s" ), Utils::GetLastErrorString( ).GetString( ) );
#endif
return CStringW( L".." );
}
}
trap_retval ReqRead_mem( void )
/**************************/
{
read_mem_req *acc;
acc = GetInPtr( 0 );
return( ReadMemory( &acc->mem_addr, GetOutPtr( 0 ), acc->len ) );
}
VOID
DumpIrpContext (
IN ULONG Address,
IN ULONG Options
)
/*++
Routine Description:
Dump an IrpContext.
Arguments:
Address - Gives the address of the IrpContext to dump
Return Value:
None
--*/
{
ULONG Result;
PIRP_CONTEXT pIrpContext;
IRP_CONTEXT IrpContext;
dprintf( "\n IrpContext @ %08lx", Address );
pIrpContext = (PIRP_CONTEXT) Address;
if ( !ReadMemory( (DWORD) pIrpContext,
&IrpContext,
sizeof( IrpContext ),
&Result) ) {
dprintf( "%08lx: Unable to read pIrpContext\n", pIrpContext );
return;
}
if (IrpContext.NodeTypeCode != NTFS_NTC_IRP_CONTEXT) {
dprintf( "\nIRP_CONTEXT signature does not match, probably not an IRP_CONTEXT" );
return;
}
if (Options >= 1) {
DumpFileObjectFromIrp( (ULONG) IrpContext.OriginatingIrp, Options - 1 );
}
dprintf( "\n" );
return;
}
DUMPED_PE GetRemotePE(DWORD dwPid)
{
ULONG64 dwBaseAddress = 0;
ULONG64 dwImageSize = 0;
HANDLE HProcess;
DUMPED_PE DumpedPE;
DumpedPE.pDump = NULL;
DumpedPE.dwImageSize = 0;
if ((HProcess = GetHandleProcess(dwPid)) == NULL)
return DumpedPE;
dwBaseAddress = GetRemoteBaseAddress(HProcess);
dwImageSize = GetModuleSize(dwPid, dwBaseAddress);
printf("[+] dwBaseAddress : 0x%016llX\n", dwBaseAddress);
printf("[+] dwImageSize : 0x%016llX\n", dwImageSize);
DumpedPE.dwImageSize = dwImageSize;
DumpedPE.pDump = (PBYTE)VirtualAlloc(NULL, (SIZE_T)dwImageSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
printf("[+] VirtualAlloc: %08X\n", DumpedPE.pDump);
printf("[+] dwImageSize: %08X\n", dwImageSize);
printf("[+] VirtualAlloc + dwImageSize: %08X\n", (DWORD)DumpedPE.pDump + dwImageSize);
if (DumpedPE.pDump == NULL) {
fprintf(stderr, "[-] VirtualAlloc failed\n");
return DumpedPE;
}
if (Is64BitProcess(HProcess) == TRUE) {
if (ReadMemory(HProcess, (PVOID64)(dwBaseAddress), DumpedPE.pDump, (SIZE_T)dwImageSize) == FALSE) {
fprintf(stderr, "[-] GetRemotePE - ReadMemory failed\n");
VirtualFree(DumpedPE.pDump, (SIZE_T)dwImageSize, 0);
DumpedPE.pDump = NULL;
return DumpedPE;
}
}
else {
if (ReadMemory(HProcess, (LPCVOID)(dwBaseAddress), DumpedPE.pDump, (SIZE_T)dwImageSize) == FALSE) {
fprintf(stderr, "[-] GetRemotePE - ReadMemory failed\n");
VirtualFree(DumpedPE.pDump, (SIZE_T)dwImageSize, 0);
DumpedPE.pDump = NULL;
return DumpedPE;
}
}
return DumpedPE;
}
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_wdigest(IN ULONG_PTR pl_LogSessList, IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData)
{
ULONG_PTR ptr;
BYTE buffer[offsetWDigestPrimary + sizeof(KIWI_GENERIC_PRIMARY_CREDENTIAL)];
if(ptr = kuhl_m_sekurlsa_utils_pFromLinkedListByLuid(pl_LogSessList, FIELD_OFFSET(KIWI_WDIGEST_LIST_ENTRY, LocallyUniqueIdentifier), pData->LogonId))
{
if(ReadMemory(ptr, buffer, sizeof(buffer), NULL))
kuhl_m_sekurlsa_genericCredsOutput((PKIWI_GENERIC_PRIMARY_CREDENTIAL) (buffer + offsetWDigestPrimary), pData->LogonId, 0);
}
else dprintf("KO");
}
