author | clymb3r <bialek.joseph@gmail.com> | 2014-04-16 21:02:50 -0700 |
committer | clymb3r <bialek.joseph@gmail.com> | 2014-04-16 21:02:50 -0700 |
commit | b783b459c12112509a733253df9f5935e104200c (patch) | |
tree | e58bce1f7d2f2584d1426262cc609f153d774e51 /Exfiltration/mimikatz-1.0/driver/ssdt.c | |
parent | 47b90647c11cb4956c735cfa47628dc7dcb03bb6 (diff) | |
parent | 946328cf9e6d6c60eca2bb9d71a38e210c1c3b6c (diff) | |
Merge branch 'master' of https://github.com/mattifestation/PowerSploit
Conflicts:
Recon/Get-ComputerDetails.ps1
Recon/Recon.psd1
Diffstat (limited to 'Exfiltration/mimikatz-1.0/driver/ssdt.c')
-rw-r--r-- | Exfiltration/mimikatz-1.0/driver/ssdt.c | 83 |
1 files changed, 0 insertions, 83 deletions
diff --git a/Exfiltration/mimikatz-1.0/driver/ssdt.c b/Exfiltration/mimikatz-1.0/driver/ssdt.c
deleted file mode 100644
index 688dfb2..0000000
--- a/Exfiltration/mimikatz-1.0/driver/ssdt.c
+++ /dev/null
@@ -1,83 +0,0 @@
-#include "ssdt.h"
-
-#ifdef _M_X64
-PSERVICE_DESCRIPTOR_TABLE KeServiceDescriptorTable = NULL;
-#endif
-
-NTSTATUS kSSDT(LPWSTR pszDest, size_t cbDest, LPWSTR *ppszDestEnd, size_t *pcbRemaining)
-{
- NTSTATUS status;
- USHORT idxFunction;
- ULONG_PTR funcAddr;
-
- #ifdef _M_X64
- status = getKeServiceDescriptorTable();
- if(NT_SUCCESS(status))
- {
- #endif
- *ppszDestEnd = pszDest; *pcbRemaining= cbDest;
- status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION , L"kSSDT - KeServiceDescriptorTable\t: %p\nkSSDT - KeServiceDescriptorTable.TableSize\t: %u\n", KeServiceDescriptorTable, KeServiceDescriptorTable->TableSize);
- for(idxFunction = 0; (idxFunction < KeServiceDescriptorTable->TableSize) && NT_SUCCESS(status) ; idxFunction++)
- {
- #ifdef _M_IX86
- funcAddr = (ULONG_PTR) KeServiceDescriptorTable->ServiceTable[idxFunction];
- #else
- funcAddr = (ULONG_PTR) KeServiceDescriptorTable->OffsetToService;
- if(INDEX_OS < INDEX_VISTA)
- {
- funcAddr += KeServiceDescriptorTable->OffsetToService[idxFunction] & ~EX_FAST_REF_MASK;
- }
- else
- {
- funcAddr += KeServiceDescriptorTable->OffsetToService[idxFunction] >> 4;
- }
- #endif
-
- status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION, L"[%4u]\t: ", idxFunction);
- if(NT_SUCCESS(status))
- {
- status = getModuleFromAddr(funcAddr, *ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining);
- if(NT_SUCCESS(status) || status == STATUS_NOT_FOUND)
- {
- status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION, L"\n");
- }
- }
- }
- #ifdef _M_X64
- }
- #endif
- return status;
-}
-
-#ifdef _M_X64
-NTSTATUS getKeServiceDescriptorTable()
-{
- NTSTATUS retour = STATUS_NOT_FOUND;
-
- UCHAR PTRN_WALL_Ke[] = {0x00, 0x00, 0x4d, 0x0f, 0x45, 0xd3, 0x42, 0x3b, 0x44, 0x17, 0x10, 0x0f, 0x83};
- LONG OFFS_WNO8_Ke = -19;
- LONG OFFS_WIN8_Ke = -16;
-
- PUCHAR refDebut = NULL, refFin = NULL; LONG offsetTo = 0;
- UNICODE_STRING maRoutine;
- PUCHAR baseSearch = NULL;
-
- if(KeServiceDescriptorTable)
- {
- retour = STATUS_SUCCESS;
- }
- else
- {
- RtlInitUnicodeString(&maRoutine, L"ZwUnloadKey");
- if(baseSearch = (PUCHAR) MmGetSystemRoutineAddress(&maRoutine))
- {
- refDebut= baseSearch - 21*PAGE_SIZE;
- refFin = baseSearch + 16*PAGE_SIZE;
- offsetTo = (INDEX_OS < INDEX_8) ? OFFS_WNO8_Ke : OFFS_WIN8_Ke;
-
- retour = genericPointerSearch((PUCHAR *) &KeServiceDescriptorTable, refDebut, refFin, PTRN_WALL_Ke, sizeof(PTRN_WALL_Ke), offsetTo);
- }
- }
- return retour;
-}
-#endif
\ No newline at end of file |