aboutsummaryrefslogtreecommitdiff
path: root/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_process.cpp
diff options
context:
space:
mode:
Diffstat (limited to 'Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_process.cpp')
-rw-r--r--Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_process.cpp298
1 files changed, 298 insertions, 0 deletions
diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_process.cpp b/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_process.cpp
new file mode 100644
index 0000000..d18ca8b
--- /dev/null
+++ b/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_process.cpp
@@ -0,0 +1,298 @@
+/* Benjamin DELPY `gentilkiwi`
+ http://blog.gentilkiwi.com
+ benjamin@gentilkiwi.com
+ Licence : http://creativecommons.org/licenses/by/3.0/fr/
+*/
+#include "mod_mimikatz_process.h"
+#include "..\global.h"
+
+vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> mod_mimikatz_process::getMimiKatzCommands()
+{
+ vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> monVector;
+ monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(list, L"list", L"Liste les processus"));
+ monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(start, L"start", L"Exécute un processus, /paused et/ou /sudo"));
+ monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(suspend, L"suspend", L"Suspend l\'exécution d\'un processus"));
+ monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(resume, L"resume", L"Reprend un processus"));
+ monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(stop, L"stop", L"Stoppe un (ou plusieurs) processus"));
+ monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(modules, L"modules", L"Liste les modules (pour le moment du PID courant)"));
+ monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(iat, L"iat", L"Liste la table d\'adressage"));
+ return monVector;
+}
+
+bool mod_mimikatz_process::start(vector<wstring> * arguments)
+{
+ if(!arguments->empty())
+ {
+ wstring commande = arguments->back();
+ bool paused = false;
+ bool sudo = false;
+
+ (*outputStream) << L"Demande d\'exécution de : \'" << commande << L"'" << endl;
+ PROCESS_INFORMATION pi = {INVALID_HANDLE_VALUE, INVALID_HANDLE_VALUE, 0, 0};
+
+ switch(arguments->size())
+ {
+ case 2:
+ if(_wcsicmp(arguments->front().c_str(), L"/paused") == 0)
+ paused = true;
+ else if(_wcsicmp(arguments->front().c_str(), L"/sudo") == 0)
+ sudo = true;
+ else
+ goto doStartProcess_syntaxerror;
+
+ break;
+ case 3:
+ if(_wcsicmp(arguments->front().c_str(), L"/paused") == 0)
+ paused = true;
+ else
+ goto doStartProcess_syntaxerror;
+
+ if(_wcsicmp(arguments->at(1).c_str(), L"/sudo") == 0)
+ sudo = true;
+ else
+ goto doStartProcess_syntaxerror;
+
+ break;
+ }
+
+ if(mod_process::start(&commande, &pi, paused, sudo))
+ {
+ if(paused)
+ (*outputStream) << L" * Le Thread principal est suspendu ! Reprise avec : thread::resume " << pi.dwThreadId << endl;
+
+ if(sudo)
+ (*outputStream) << L" * Le processus est démarré avec de fausses données d\'identification" << endl;
+
+ printInfosFromPid(pi.dwProcessId, pi.dwThreadId);
+ }
+ else (*outputStream) << L"mod_process::start ; " << mod_system::getWinError() << endl;
+ }
+ else
+ {
+doStartProcess_syntaxerror:
+ (*outputStream) << L"Erreur de syntaxe ; " << L"process::start [/paused] [/sudo] commande" << endl;
+ }
+
+ return true;
+}
+
+bool mod_mimikatz_process::stop(vector<wstring> * arguments)
+{
+ for(vector<wstring>::iterator monProcessName = arguments->begin(); monProcessName != arguments->end(); monProcessName++)
+ {
+ mod_process::KIWI_PROCESSENTRY32 monProcess;
+ wstring procName = *monProcessName;
+
+ if(mod_process::getUniqueForName(&monProcess, &procName))
+ {
+ (*outputStream) << L"Fin de : " << procName << L'\t';
+ if(mod_process::stop(monProcess.th32ProcessID))
+ (*outputStream) << L"OK";
+ else
+ (*outputStream) << L"KO - mod_process::stop ; " << mod_system::getWinError();
+ (*outputStream) << endl;
+ }
+ else (*outputStream) << L"mod_process::getUniqueForName ; " << mod_system::getWinError() << endl;
+ }
+
+ return true;
+}
+
+
+bool mod_mimikatz_process::suspend(vector<wstring> * arguments)
+{
+ for(vector<wstring>::iterator monProcessName = arguments->begin(); monProcessName != arguments->end(); monProcessName++)
+ {
+ mod_process::KIWI_PROCESSENTRY32 monProcess;
+ wstring procName = *monProcessName;
+
+ if(mod_process::getUniqueForName(&monProcess, &procName))
+ {
+ (*outputStream) << L"Suspension de : " << procName << L'\t';
+ if(mod_process::suspend(monProcess.th32ProcessID))
+ (*outputStream) << L"OK";
+ else
+ (*outputStream) << L"KO - mod_process::suspend ; " << mod_system::getWinError();
+ (*outputStream) << endl;
+ }
+ else (*outputStream) << L"mod_process::getUniqueForName ; " << mod_system::getWinError() << endl;
+ }
+
+ return true;
+}
+
+
+bool mod_mimikatz_process::resume(vector<wstring> * arguments)
+{
+ for(vector<wstring>::iterator monProcessName = arguments->begin(); monProcessName != arguments->end(); monProcessName++)
+ {
+ mod_process::KIWI_PROCESSENTRY32 monProcess;
+ wstring procName = *monProcessName;
+
+ if(mod_process::getUniqueForName(&monProcess, &procName))
+ {
+ (*outputStream) << L"Reprise de : " << procName << L'\t';
+ if(mod_process::resume(monProcess.th32ProcessID))
+ (*outputStream) << L"OK";
+ else
+ (*outputStream) << L"KO - mod_process::resume ; " << mod_system::getWinError();
+ (*outputStream) << endl;
+ }
+ else (*outputStream) << L"mod_process::getUniqueForName ; " << mod_system::getWinError() << endl;
+ }
+
+ return true;
+}
+
+
+
+
+bool mod_mimikatz_process::list(vector<wstring> * arguments)
+{
+ vector<mod_process::KIWI_PROCESSENTRY32> * vectorProcess = new vector<mod_process::KIWI_PROCESSENTRY32>();
+ if(mod_process::getList(vectorProcess))
+ {
+ (*outputStream) << L"PID\tPPID\t#Ths\tpri\timage" << endl;
+ for(vector<mod_process::KIWI_PROCESSENTRY32>::iterator monProcess = vectorProcess->begin(); monProcess != vectorProcess->end(); monProcess++)
+ {
+ (*outputStream) <<
+ setw(5) << setfill(wchar_t(' ')) << monProcess->th32ProcessID << L'\t' <<
+ setw(5) << setfill(wchar_t(' ')) << monProcess->th32ParentProcessID << L'\t' <<
+ setw(5) << setfill(wchar_t(' ')) << monProcess->cntThreads << L'\t' <<
+ setw(5) << setfill(wchar_t(' ')) << monProcess->pcPriClassBase << L'\t' <<
+ monProcess->szExeFile <<
+ endl;
+ }
+ }
+ else (*outputStream) << L"mod_process::getList ; " << mod_system::getWinError() << endl;
+
+ delete vectorProcess;
+ return true;
+}
+
+bool mod_mimikatz_process::modules(vector<wstring> * arguments)
+{
+ DWORD processId = 0 ;
+
+ if(!arguments->empty() && !(arguments->size() > 1))
+ {
+ wstringstream monBuffer;
+ monBuffer << arguments->front();
+ monBuffer >> processId;
+ }
+
+ vector<mod_process::KIWI_MODULEENTRY32> * vectorModules = new vector<mod_process::KIWI_MODULEENTRY32>();
+ if(mod_process::getModulesListForProcessId(vectorModules, &processId))
+ {
+ (*outputStream) << L"@Base\tTaille\tModule\tPath" << endl;
+ for(vector<mod_process::KIWI_MODULEENTRY32>::iterator monModule = vectorModules->begin(); monModule != vectorModules->end(); monModule++)
+ {
+ (*outputStream) << monModule->modBaseAddr << L'\t' << monModule->modBaseSize << '\t' << monModule->szModule << L'\t' << monModule->szExePath << endl;
+ }
+ }
+ else
+ (*outputStream) << L"mod_process::getModulesListForProcessId ; " << mod_system::getWinError() << endl;
+
+ delete vectorModules;
+ return true;
+}
+
+bool mod_mimikatz_process::iat(vector<wstring> * arguments)
+{
+ wstring process;
+ wstring module;
+
+ switch(arguments->size())
+ {
+ case 2:
+ process = arguments->at(0);
+ module = arguments->at(1);
+ break;
+ case 1:
+ process = arguments->at(0);
+ break;
+ default:
+ ;
+ }
+
+ mod_process::KIWI_PROCESSENTRY32 monProcess;
+ if(mod_process::getUniqueForName(&monProcess, &process))
+ {
+ if(HANDLE monHandle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, false, monProcess.th32ProcessID))
+ {
+ if(module.empty() || (module.front() != L'*'))
+ {
+ if(module.empty())
+ module.assign(process);
+
+ mod_process::KIWI_MODULEENTRY32 * monModule = new mod_process::KIWI_MODULEENTRY32();
+ if(mod_process::getUniqueModuleForName(monModule, &module, &monProcess.th32ProcessID))
+ {
+ printIATFromModule(monModule, monHandle);
+ }
+ else (*outputStream) << L"mod_process::getUniqueModuleForName ; " << mod_system::getWinError() << endl;
+ delete monModule;
+ }
+ else
+ {
+ vector<mod_process::KIWI_MODULEENTRY32> * vectorModules = new vector<mod_process::KIWI_MODULEENTRY32>();
+ if(mod_process::getModulesListForProcessId(vectorModules, &monProcess.th32ProcessID))
+ {
+ for(vector<mod_process::KIWI_MODULEENTRY32>::iterator monModule = vectorModules->begin(); monModule != vectorModules->end(); monModule++)
+ printIATFromModule(&*monModule, monHandle);
+ }
+ else (*outputStream) << L"mod_process::getModulesListForProcessId ; " << mod_system::getWinError() << endl;
+
+ delete vectorModules;
+ }
+
+ CloseHandle(monHandle);
+ }
+ }
+ else (*outputStream) << L"mod_process::getUniqueForName ; " << mod_system::getWinError() << endl;
+
+ return true;
+}
+
+void mod_mimikatz_process::printInfosFromPid(DWORD &PID, DWORD ThreadId)
+{
+ (*outputStream) << L"PID : " << PID << endl;
+
+ if(ThreadId)
+ {
+ (*outputStream) << L"ThreadID : " << ThreadId << endl;
+ }
+
+ LUID monId = {0, 0};
+ if(mod_process::getAuthentificationIdFromProcessId(PID, monId))
+ {
+ (*outputStream) << "AuthId_h : " << monId.HighPart << endl;
+ (*outputStream) << "AuthId_l : " << monId.LowPart << endl;
+ }
+ else (*outputStream) << L"Erreur : " << mod_system::getWinError() << endl;
+}
+
+void mod_mimikatz_process::printIATFromModule(mod_process::KIWI_MODULEENTRY32 * monModule, HANDLE monHandle)
+{
+ (*outputStream) << monModule->szModule << L" -> " << monModule->szExePath << endl;
+ PBYTE baseAddr = reinterpret_cast<PBYTE>(monModule->modBaseAddr);
+
+ vector<pair<string, vector<mod_process::KIWI_IAT_MODULE>>> * monIAT = new vector<pair<string, vector<mod_process::KIWI_IAT_MODULE>>>();
+ if(mod_process::getIAT(baseAddr, monIAT, monHandle))
+ {
+ for(vector<pair<string, vector<mod_process::KIWI_IAT_MODULE>>>::iterator monModuleImporte = monIAT->begin(); monModuleImporte != monIAT->end(); monModuleImporte++)
+ {
+ (*outputStream) << L" - Imports depuis : " << monModuleImporte->first.c_str() << endl;
+ for(vector<mod_process::KIWI_IAT_MODULE>::iterator maFonctionImporte = monModuleImporte->second.begin(); maFonctionImporte != monModuleImporte->second.end(); maFonctionImporte++)
+ {
+ (*outputStream) << L" " << maFonctionImporte->ptrToFunc << L" -> " << maFonctionImporte->ptrFunc << L' ';
+ if(maFonctionImporte->Ordinal != 0)
+ (*outputStream) << L"O# " << maFonctionImporte->Ordinal;
+ else
+ (*outputStream) << maFonctionImporte->funcName.c_str();
+ (*outputStream) << endl;
+ }
+ }
+ }
+ delete monIAT;
+}
generated by cgit v1.2.3 (git 2.39.1) at 2025-05-26 05:10:41 +0000