From c5168cdba6a3b2d7dd8d79c8ac9583d3ace6a504 Mon Sep 17 00:00:00 2001
From: mattifestation
Date: Mon, 3 Feb 2014 17:13:35 -0500
Subject: Removed mimikatz. This doesn't need to reside in PowerSploit. Those that are truly paranoid should validate that the embedded executable in Invoke-Mimikatz.ps1 is indeed mimikatz. This was causing AV to flag upon downloading PowerSploit.
---
 Exfiltration/mimikatz-1.0/driver/modules.c | 110 -----------------------------
 1 file changed, 110 deletions(-)
 delete mode 100644 Exfiltration/mimikatz-1.0/driver/modules.c
(limited to 'Exfiltration/mimikatz-1.0/driver/modules.c')
diff --git a/Exfiltration/mimikatz-1.0/driver/modules.c b/Exfiltration/mimikatz-1.0/driver/modules.c
deleted file mode 100644
index 7ca3551..0000000
--- a/Exfiltration/mimikatz-1.0/driver/modules.c
+++ /dev/null
@@ -1,110 +0,0 @@
-#include "modules.h"
-
-NTSTATUS kModulesList(LPWSTR pszDest, size_t cbDest, LPWSTR *ppszDestEnd, size_t *pcbRemaining)
-{
- NTSTATUS status = STATUS_SUCCESS;
- ULONG i;
- ULONG modulesSize;
- AUX_MODULE_EXTENDED_INFO* modules;
- ULONG numberOfModules;
-
- *ppszDestEnd = pszDest;
- *pcbRemaining= cbDest;
-
- status = AuxKlibInitialize();
- if(NT_SUCCESS(status))
- {
- status = AuxKlibQueryModuleInformation(&modulesSize, sizeof(AUX_MODULE_EXTENDED_INFO), NULL);
- if (NT_SUCCESS(status))
- {
- if(modulesSize > 0)
- {
- numberOfModules = modulesSize / sizeof(AUX_MODULE_EXTENDED_INFO);
- modules = (AUX_MODULE_EXTENDED_INFO*) ExAllocatePoolWithTag(PagedPool, modulesSize, POOL_TAG);
-
- if(modules != NULL)
- {
- status = AuxKlibQueryModuleInformation(&modulesSize, sizeof(AUX_MODULE_EXTENDED_INFO), modules);
- if (NT_SUCCESS(status))
- {
- for(i = 0; i < numberOfModules; i++)
- {
- status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION,
- L"%p - %.8u [%S] %S\n",
- modules[i].BasicInfo.ImageBase,
- modules[i].ImageSize,
- modules[i].FullPathName + modules[i].FileNameOffset,
- modules[i].FullPathName
- );
- }
- }
- ExFreePoolWithTag(modules, POOL_TAG);
- }
- }
- }
- }
-
- return status;
-}
-
-NTSTATUS getModuleFromAddr(ULONG_PTR theAddr, LPWSTR pszDest, size_t cbDest, LPWSTR *ppszDestEnd, size_t *pcbRemaining)
-{
- NTSTATUS status = STATUS_SUCCESS;
- ULONG i;
- ULONG modulesSize;
- AUX_MODULE_EXTENDED_INFO* modules;
- ULONG numberOfModules;
-
- *ppszDestEnd = pszDest;
- *pcbRemaining= cbDest;
-
- status = AuxKlibInitialize();
- if(NT_SUCCESS(status))
- {
- status = AuxKlibQueryModuleInformation(&modulesSize, sizeof(AUX_MODULE_EXTENDED_INFO), NULL);
- if (NT_SUCCESS(status))
- {
- if(modulesSize > 0)
- {
- numberOfModules = modulesSize / sizeof(AUX_MODULE_EXTENDED_INFO);
- modules = (AUX_MODULE_EXTENDED_INFO*) ExAllocatePoolWithTag(PagedPool, modulesSize, POOL_TAG);
-
- if(modules != NULL)
- {
- status = AuxKlibQueryModuleInformation(&modulesSize, sizeof(AUX_MODULE_EXTENDED_INFO), modules);
- if (NT_SUCCESS(status))
- {
- for(i = 0; i < numberOfModules; i++)
- {
- status = STATUS_NOT_FOUND;
- if(theAddr >= (ULONG_PTR) modules[i].BasicInfo.ImageBase && theAddr < ((ULONG_PTR) modules[i].BasicInfo.ImageBase + modules[i].ImageSize))
- {
- status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION,
- L"%p [%S+%u]",
- theAddr,
- modules[i].FullPathName + modules[i].FileNameOffset,
- theAddr - (ULONG_PTR) modules[i].BasicInfo.ImageBase
- );
- break;
- }
-
-
- }
-
- if(status == STATUS_NOT_FOUND)
- {
- status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION, L"%p [?]", theAddr);
- if (NT_SUCCESS(status)) status = STATUS_NOT_FOUND;
- }
- }
- ExFreePoolWithTag(modules, POOL_TAG);
- }
- }
- }
- }
-
- return status;
-}
-
-
-
--
cgit v1.2.3