1 files changed, 84 insertions, 0 deletions

diff --git a/Exfiltration/mimikatz-1.0/modules/mod_process.h b/Exfiltration/mimikatz-1.0/modules/mod_process.h
new file mode 100644
index 0000000..a7acf18
--- /dev/null
+++ b/Exfiltration/mimikatz-1.0/modules/mod_process.h
@@ -0,0 +1,84 @@
+/*	Benjamin DELPY `gentilkiwi`
+	http://blog.gentilkiwi.com
+	benjamin@gentilkiwi.com
+	Licence : http://creativecommons.org/licenses/by/3.0/fr/
+*/
+#pragma once
+#include "globdefs.h"
+#include "secpkg.h"
+#include "mod_ntddk.h"
+#include "mod_memory.h"
+#include "mod_text.h"
+#include <security.h>
+#include <tlhelp32.h>
+
+class mod_process
+{
+public:
+	typedef struct _KIWI_IAT_MODULE
+	{
+		PVOID ptrToFunc;
+		PVOID ptrFunc;
+		WORD Ordinal;		
+		string funcName;
+	} KIWI_IAT_MODULE, *PKIWI_IAT_MODULE;
+
+	typedef struct _KIWI_PROCESSENTRY32
+	{
+		DWORD   dwSize;
+		DWORD   cntUsage;
+		DWORD   th32ProcessID;          // this process
+		ULONG_PTR th32DefaultHeapID;
+		DWORD   th32ModuleID;           // associated exe
+		DWORD   cntThreads;
+		DWORD   th32ParentProcessID;    // this process's parent process
+		LONG    pcPriClassBase;         // Base priority of process's threads
+		DWORD   dwFlags;
+		wstring	szExeFile;    // Path
+	} KIWI_PROCESSENTRY32, *PKIWI_PROCESSENTRY32;
+
+	typedef struct _KIWI_MODULEENTRY32
+	{
+		DWORD   dwSize;
+		DWORD   th32ModuleID;       // This module
+		DWORD   th32ProcessID;      // owning process
+		DWORD   GlblcntUsage;       // Global usage count on the module
+		DWORD   ProccntUsage;       // Module usage count in th32ProcessID's context
+		BYTE  * modBaseAddr;        // Base address of module in th32ProcessID's context
+		DWORD   modBaseSize;        // Size in bytes of module starting at modBaseAddr
+		HMODULE hModule;            // The hModule of this module in th32ProcessID's context
+		wstring	szModule;
+		wstring	szExePath;
+	} KIWI_MODULEENTRY32, *PKIWI_MODULEENTRY32;
+
+	typedef struct _KIWI_VERY_BASIC_MODULEENTRY
+	{
+		BYTE  * modBaseAddr;        // Base address of module in th32ProcessID's context
+		DWORD   modBaseSize;        // Size in bytes of module starting at modBaseAddr
+		wstring	szModule;
+	} KIWI_VERY_BASIC_MODULEENTRY, *PKIWI_VERY_BASIC_MODULEENTRY;
+
+	static bool getList(vector<KIWI_PROCESSENTRY32> * maProcessesvector, wstring * processName = NULL);
+	static bool getUniqueForName(KIWI_PROCESSENTRY32 * monProcess, wstring * processName);
+
+	static bool start(wstring * maCommandLine, PROCESS_INFORMATION * mesInfosProcess, bool paused = false, bool aUsurper = false, HANDLE leToken = NULL);
+	static bool suspend(DWORD & processId);
+	static bool resume(DWORD & processId);
+	static bool stop(DWORD & processId, DWORD exitCode = 0);
+	
+	static bool debug(DWORD & processId);
+
+	static bool getAuthentificationIdFromProcessId(DWORD & processId, LUID & AuthentificationId);
+	static bool getModulesListForProcessId(vector<KIWI_MODULEENTRY32> * maModulevector, DWORD * processId = NULL);
+	static bool getVeryBasicModulesListForProcess(vector<KIWI_VERY_BASIC_MODULEENTRY> * monModuleVector, HANDLE processHandle = INVALID_HANDLE_VALUE);
+	static bool getUniqueModuleForName(KIWI_MODULEENTRY32 * monModule, wstring * moduleName = NULL, DWORD * processId = NULL); 
+
+	static bool getProcessEntryFromProcessId(DWORD processId, KIWI_PROCESSENTRY32 * processKiwi, vector<mod_process::KIWI_PROCESSENTRY32> * mesProcess = NULL);
+
+	static bool getProcessBasicInformation(PROCESS_BASIC_INFORMATION * mesInfos, HANDLE processHandle = INVALID_HANDLE_VALUE);
+	static bool getPeb(PEB * peb, HANDLE processHandle = INVALID_HANDLE_VALUE);
+	static bool getIAT(PBYTE ptrBaseAddr, vector<pair<string, vector<KIWI_IAT_MODULE>>> * monIAT, HANDLE handleProcess = INVALID_HANDLE_VALUE);
+
+	static wstring getUnicodeStringOfProcess(UNICODE_STRING * ptrString, HANDLE process = INVALID_HANDLE_VALUE, PLSA_PROTECT_MEMORY unProtectFunction = NULL);
+	static bool getUnicodeStringOfProcess(UNICODE_STRING * ptrString, BYTE ** monBuffer, HANDLE process, PLSA_PROTECT_MEMORY unProtectFunction = NULL);
+};