Inject-LogonCredentials has been renamed to Invoke-CredentialInjection.

Added a check to ensure the script isn't being run from Session0 with
the "NewWinLogon" flag. This flag does not work in Session0 because
winlogon.exe tries to load stuff from user32.dll, which requires that a
desktop be present. This is not possible in Session0 because there is no
desktop/GUI, so winlogon loads and then immediately closes
with error code c0000142, indicating that a DLL failed to initialize. There is
no way to fix this that I know of; if you need to run the script from
Session0, use the "ExistingWinLogon" flag.
clymb3r 2014-02-12 13:52:41 -08:00
parent bb41ab98ca
commit b684da050a
5 changed files with 3432 additions and 3423 deletions


@ -75,7 +75,7 @@ ModuleList = @(@{ModuleName = 'Exfiltration'; ModuleVersion = '1.0.0.0'; GUID =
# List of all files packaged with this module
FileList = 'Exfiltration.psm1', 'Exfiltration.psd1', 'Get-TimedScreenshot.ps1', 'Out-Minidump.ps1',
'Get-Keystrokes.ps1', 'Get-GPPPassword.ps1', 'Usage.md', 'Invoke-Mimikatz.ps1',
'Invoke-NinjaCopy.ps1', 'Invoke-TokenManipulation.ps1', 'Inject-LogonCredentials.ps1'
'Invoke-NinjaCopy.ps1', 'Invoke-TokenManipulation.ps1', 'Invoke-CredentialInjection.ps1'
# Private data to pass to the module specified in RootModule/ModuleToProcess
# PrivateData = ''

File diff suppressed because one or more lines are too long

File diff suppressed because one or more lines are too long


@ -32,26 +32,29 @@ extern "C" __declspec( dllexport ) void VoidFunc()
wchar_t* password = new wchar_t[strSize];
DWORD bytesRead = 0;
BOOL success = ReadFile(pipe, domain, strSize, &bytesRead, NULL);
BOOL success = ReadFile(pipe, domain, bytesToRead, &bytesRead, NULL);
if (!success)
{
return;
}
domain[bytesRead/2] = '\0';
bytesRead = 0;
success = ReadFile(pipe, username, strSize-2, &bytesRead, NULL);
success = ReadFile(pipe, username, bytesToRead, &bytesRead, NULL);
if (!success)
{
return;
}
username[bytesRead/2] = '\0';
bytesRead = 0;
success = ReadFile(pipe, password, strSize-2, &bytesRead, NULL);
success = ReadFile(pipe, password, bytesToRead, &bytesRead, NULL);
if (!success)
{
return;
}
password[bytesRead/2] = '\0';
bytesRead = 0;
//Get the logon type from the pipe
USHORT logonType = 10;
@ -60,6 +63,7 @@ extern "C" __declspec( dllexport ) void VoidFunc()
{
return;
}
bytesRead = 0;
//Get the authentication package to use. 1 = Msv1_0, 2 = Kerberos
USHORT authPackageToUse = 0;
@ -68,7 +72,7 @@ extern "C" __declspec( dllexport ) void VoidFunc()
{
return;
}
bytesRead = 0;
/////////////
//Build the parameters to call LsaLogonUser with
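Review bot: The terminator writes `domain[bytesRead/2] = '\0'`, `username[bytesRead/2] = '\0'` and `password[bytesRead/2] = '\0'` in the first hunk are in bounds only if `bytesToRead` is at most `(strSize - 1) * sizeof(wchar_t)`. Its definition is outside the visible lines, so this needs confirming: `password` is `new wchar_t[strSize]` (the other two buffers presumably match), and a read that fills the whole buffer would put the NUL one element past the end. Declaring it beside the allocations as `const DWORD bytesToRead = (strSize - 1) * sizeof(wchar_t);` would make the invariant visible. Separately, each `if (!success) return;` path leaves the `new[]` buffers allocated and the password still in memory; clearing it with `SecureZeroMemory` and calling `delete[]` before returning would avoid that. VoidFunc starts and ends outside these hunks, so a cleanup path may already exist further down.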


@ -1,5 +1,5 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
@ -27,26 +27,26 @@
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v110</PlatformToolset>
<PlatformToolset>v120</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v110</PlatformToolset>
<PlatformToolset>v120</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v110</PlatformToolset>
<PlatformToolset>v120</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v110</PlatformToolset>
<PlatformToolset>v120</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>