#include "notify_reg.h"
/*
 * Unexported kernel globals that hold the registry-notification callback
 * registrations. They start unresolved (NULL) and are filled in at runtime by
 * getNotifyRegistryRoutine(): pre-Vista builds use the counted vector, Vista
 * and later use the doubly linked list.
 */
ULONG *CmpCallBackCount = NULL;       /* number of slots in CmpCallBackVector (pre-Vista) */
PVOID *CmpCallBackVector = NULL;      /* array of tagged callback pointers (pre-Vista) */
PLIST_ENTRY CallbackListHead = NULL;  /* head of the registration list (Vista+) */
NTSTATUS kListNotifyRegistry(LPWSTR pszDest, size_t cbDest, LPWSTR *ppszDestEnd, size_t *pcbRemaining)
{
	/*
	 * Appends one line per registered registry-notification callback to the
	 * caller's buffer: "[index] <module> - cookie <value>" (Vista+ lines also
	 * carry the registration altitude). *ppszDestEnd / *pcbRemaining are reset
	 * to pszDest / cbDest first and are left pointing at the end of what was
	 * written, so the caller can keep appending. Returns STATUS_SUCCESS, the
	 * error from getNotifyRegistryRoutine() when the kernel structures could
	 * not be located, or the first formatting/lookup failure that stopped the
	 * walk.
	 */
	NTSTATUS status;
	ULONG idx;

	*ppszDestEnd = pszDest;
	*pcbRemaining = cbDest;

	status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION, L"kListNotifyRegistry\n\n");
	if(!NT_SUCCESS(status))
		return status;

	/* Resolves CmpCallBackVector/CmpCallBackCount (pre-Vista) or CallbackListHead (Vista+). */
	status = getNotifyRegistryRoutine();
	if(!NT_SUCCESS(status))
		return status;

	if(INDEX_OS < INDEX_VISTA)
	{
		/* Pre-Vista: a counted array of pointers whose low 3 bits carry flags and are masked off. */
		for(idx = 0; (idx < *CmpCallBackCount) && NT_SUCCESS(status); idx++)
		{
			PKIWI_CALLBACK entry = (PKIWI_CALLBACK) KIWI_mask3bits(CmpCallBackVector[idx]);
			if(entry == NULL)
				continue;	/* unused slot */

			status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION, L"[%.2u] ", idx);
			if(!NT_SUCCESS(status))
				break;	/* a failed status ends the walk, like the loop condition */

			status = getModuleFromAddr((ULONG_PTR) entry->callback, *ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining);
			/* STATUS_NOT_FOUND (callback address not inside a known module) is not fatal: the cookie is still printed. */
			if(NT_SUCCESS(status) || (status == STATUS_NOT_FOUND))
			{
				/* NOTE(review): opt_cookie is dereferenced without a NULL check — confirm it is always populated on these builds. */
				status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION,
					L" - cookie %#.I64x\n", *(entry->opt_cookie)
				);
			}
		}
	}
	else
	{
		PLIST_ENTRY node;
		/*
		 * Vista+: a doubly linked list. Each registration record starts with a
		 * LIST_ENTRY followed by two fields whose width changed in Windows 7
		 * (pointer-sized before, ULONG from 7 on); the KIWI view starts after them.
		 * NOTE(review): the list is walked without any synchronisation — a
		 * concurrent (un)registration could corrupt the walk; confirm the caller's IRQL/locking.
		 */
		for(node = CallbackListHead->Flink, idx = 0; (node != CallbackListHead) && NT_SUCCESS(status); node = node->Flink, idx++)
		{
			SIZE_T skip = sizeof(LIST_ENTRY) + 2 * ((INDEX_OS < INDEX_7) ? sizeof(PVOID) : sizeof(ULONG));
			PKIWI_REGISTRY6_CALLBACK entry = (PKIWI_REGISTRY6_CALLBACK) ((PUCHAR) node + skip);

			status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION, L"[%.2u] ", idx);
			if(!NT_SUCCESS(status))
				break;

			status = getModuleFromAddr((ULONG_PTR) entry->callback, *ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining);
			if(NT_SUCCESS(status) || (status == STATUS_NOT_FOUND))
			{
				status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION,
					L" - alt %wZ - cookie %#.I64x\n", &(entry->altitude), entry->cookie);
			}
		}
	}
	return status;
}
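NTSTATUS getNotifyRegistryRoutine(void)
{
	/*
	 * Resolves the unexported kernel globals that hold the registry-callback
	 * registrations by scanning the first PAGE_SIZE bytes of
	 * CmUnRegisterCallback for a build-specific instruction sequence that
	 * references them. The result is cached in the file-scope pointers
	 * (CmpCallBackVector/CmpCallBackCount before Vista, CallbackListHead from
	 * Vista on), so a later call returns STATUS_SUCCESS immediately.
	 *
	 * Returns: STATUS_SUCCESS when the globals are resolved; otherwise the
	 * status reported by genericPointerSearch() (a signature miss on an
	 * unsupported kernel build leaves the globals unresolved and callers must
	 * not dereference them).
	 *
	 * The byte patterns below are tied to specific kernel builds/architectures;
	 * a pattern that does not match is the expected failure mode rather than a
	 * crash, since the search window is bounded to [CmUnRegisterCallback, +PAGE_SIZE).
	 */
#ifdef _M_X64
	UCHAR PTRN_WNT5_Vector[]= {0x4c, 0x8d, 0x3d};
	UCHAR PTRN_WNT5_Count[] = {0x0f, 0xc1, 0x05};
	UCHAR PTRN_WN60_Head[] = {0x48, 0x8b, 0xf0, 0x48};
	LONG OFFS_WN60_Head = -9;
	UCHAR PTRN_WALL_Head[] = {0x48, 0x8b, 0xf8, 0x48};
	LONG OFFS_WALL_Head = -9;
#elif defined _M_IX86
	UCHAR PTRN_WNT5_Vector[]= {0x53, 0x56, 0x57, 0xbb};
	UCHAR PTRN_WNT5_Count[] = {0xff, 0xb9};
	UCHAR PTRN_WN60_Head[] = {0x8b, 0xcb, 0xe8};
	LONG OFFS_WN60_Head = 12;
	UCHAR PTRN_WN61_Head[] = {0x8b, 0xc7, 0xe8};
	LONG OFFS_WN61_Head = -4;
	UCHAR PTRN_WIN8_Head[] = {0x53, 0x8d, 0x55};
	LONG OFFS_WIN8_Head = -4;
#endif
	/* Search window: one page starting at the exported CmUnRegisterCallback. */
	PUCHAR refDebut = (PUCHAR) CmUnRegisterCallback, refFin = refDebut + PAGE_SIZE;
	PUCHAR pattern = NULL;
	SIZE_T taille = 0;
	LONG offsetTo = 0;
	NTSTATUS retour;

	/* Already resolved by an earlier call: nothing to scan. */
	if((CmpCallBackVector && CmpCallBackCount) || CallbackListHead)
		return STATUS_SUCCESS;

	if(INDEX_OS < INDEX_VISTA)
	{
		/* Pre-Vista: two separate globals (vector, then its element count); the
		 * referenced pointer sits right after each pattern, hence offset == pattern size. */
		retour = genericPointerSearch((PUCHAR *) &CmpCallBackVector, refDebut, refFin, PTRN_WNT5_Vector, sizeof(PTRN_WNT5_Vector), sizeof(PTRN_WNT5_Vector));
		if(NT_SUCCESS(retour))
			retour = genericPointerSearch((PUCHAR *) &CmpCallBackCount, refDebut, refFin, PTRN_WNT5_Count, sizeof(PTRN_WNT5_Count), sizeof(PTRN_WNT5_Count));
		return retour;
	}

	/* Vista+: a single list head, located through a build-specific pattern/offset pair. */
	if(INDEX_OS < INDEX_7)
	{
		pattern = PTRN_WN60_Head;
		taille = sizeof(PTRN_WN60_Head);
		offsetTo = OFFS_WN60_Head;
	}
	else
	{
#ifdef _M_X64
		/* One pattern covers every x64 build from Windows 7 on. */
		pattern = PTRN_WALL_Head;
		taille = sizeof(PTRN_WALL_Head);
		offsetTo = OFFS_WALL_Head;
#elif defined _M_IX86
		if(INDEX_OS < INDEX_8)
		{
			pattern = PTRN_WN61_Head;
			taille = sizeof(PTRN_WN61_Head);
			offsetTo = OFFS_WN61_Head;
		}
		else
		{
			pattern = PTRN_WIN8_Head;
			taille = sizeof(PTRN_WIN8_Head);
			offsetTo = OFFS_WIN8_Head;
		}
#endif
	}
	return genericPointerSearch((PUCHAR *) &CallbackListHead, refDebut, refFin, pattern, taille, offsetTo);
}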