Gh0st
/
PowerSploit
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
PowerSploit/Exfiltration/mimikatz-1.0/driver/notify_reg.c

138 lines
4.3 KiB
C
Raw Blame History

#include "notify_reg.h"
ULONG * CmpCallBackCount = NULL;
PVOID * CmpCallBackVector = NULL;
PLIST_ENTRY CallbackListHead = NULL;
NTSTATUS kListNotifyRegistry(LPWSTR pszDest, size_t cbDest, LPWSTR *ppszDestEnd, size_t *pcbRemaining)
{
NTSTATUS status;
ULONG i;
PKIWI_CALLBACK monCallBack;
PLIST_ENTRY maListe;
PKIWI_REGISTRY6_CALLBACK monCallBack6;
*ppszDestEnd = pszDest; *pcbRemaining= cbDest;
status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION, L"kListNotifyRegistry\n\n");
if(NT_SUCCESS(status))
{
status = getNotifyRegistryRoutine();
if(NT_SUCCESS(status))
{
if(INDEX_OS < INDEX_VISTA)
{
for(i = 0; (i < *CmpCallBackCount) && NT_SUCCESS(status) ; i++)
{
monCallBack = (PKIWI_CALLBACK) KIWI_mask3bits(CmpCallBackVector[i]);
if(monCallBack != NULL)
{
status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION, L"[%.2u] ", i);
if(NT_SUCCESS(status))
{
status = getModuleFromAddr((ULONG_PTR) monCallBack->callback, *ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining);
if(NT_SUCCESS(status) || status == STATUS_NOT_FOUND)
{
status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION,
L" - cookie %#.I64x\n", *(monCallBack->opt_cookie)
);
}
}
}
}
}
else
{
for(maListe = CallbackListHead->Flink, i = 0; (maListe != CallbackListHead) && NT_SUCCESS(status) ; maListe = maListe->Flink, i++)
{
monCallBack6 = (PKIWI_REGISTRY6_CALLBACK) (((ULONG_PTR) maListe) + sizeof(LIST_ENTRY) + 2*((INDEX_OS < INDEX_7) ? sizeof(PVOID) : sizeof(ULONG)));
status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION, L"[%.2u] ", i);
if(NT_SUCCESS(status))
{
status = getModuleFromAddr((ULONG_PTR) monCallBack6->callback, *ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining);
if(NT_SUCCESS(status) || status == STATUS_NOT_FOUND)
{
status = RtlStringCbPrintfExW(*ppszDestEnd, *pcbRemaining, ppszDestEnd, pcbRemaining, STRSAFE_NO_TRUNCATION,
L" - alt %wZ - cookie %#.I64x\n", &(monCallBack6->altitude), monCallBack6->cookie);
}
}
}
}
}
}
return status;
}
NTSTATUS getNotifyRegistryRoutine()
{
NTSTATUS retour = STATUS_NOT_FOUND;
#ifdef _M_X64
UCHAR PTRN_WNT5_Vector[]= {0x4c, 0x8d, 0x3d};
UCHAR PTRN_WNT5_Count[] = {0x0f, 0xc1, 0x05};
UCHAR PTRN_WN60_Head[] = {0x48, 0x8b, 0xf0, 0x48};
LONG OFFS_WN60_Head = -9;
UCHAR PTRN_WALL_Head[] = {0x48, 0x8b, 0xf8, 0x48};
LONG OFFS_WALL_Head = -9;
#elif defined _M_IX86
UCHAR PTRN_WNT5_Vector[]= {0x53, 0x56, 0x57, 0xbb};
UCHAR PTRN_WNT5_Count[] = {0xff, 0xb9};
UCHAR PTRN_WN60_Head[] = {0x8b, 0xcb, 0xe8};
LONG OFFS_WN60_Head = 12;
UCHAR PTRN_WN61_Head[] = {0x8b, 0xc7, 0xe8};
LONG OFFS_WN61_Head = -4;
UCHAR PTRN_WIN8_Head[] = {0x53, 0x8d, 0x55};
LONG OFFS_WIN8_Head = -4;
#endif
PUCHAR refDebut = (PUCHAR) CmUnRegisterCallback, refFin = refDebut + PAGE_SIZE;
PUCHAR pattern = NULL; SIZE_T taille = 0; LONG offsetTo = 0;
if((CmpCallBackVector && CmpCallBackCount) || CallbackListHead)
{
retour = STATUS_SUCCESS;
}
else
{
if(INDEX_OS < INDEX_VISTA)
{
retour = genericPointerSearch((PUCHAR *) &CmpCallBackVector, refDebut, refFin, PTRN_WNT5_Vector, sizeof(PTRN_WNT5_Vector), sizeof(PTRN_WNT5_Vector));
if(NT_SUCCESS(retour))
{
retour = genericPointerSearch((PUCHAR *) &CmpCallBackCount, refDebut, refFin, PTRN_WNT5_Count, sizeof(PTRN_WNT5_Count), sizeof(PTRN_WNT5_Count));
}
}
else
{
if(INDEX_OS < INDEX_7)
{
pattern = PTRN_WN60_Head;
taille = sizeof(PTRN_WN60_Head);
offsetTo= OFFS_WN60_Head;
}
else
{
#ifdef _M_X64
pattern = PTRN_WALL_Head;
taille = sizeof(PTRN_WALL_Head);
offsetTo= OFFS_WALL_Head;
#elif defined _M_IX86
if(INDEX_OS < INDEX_8)
{
pattern = PTRN_WN61_Head;
taille = sizeof(PTRN_WN61_Head);
offsetTo= OFFS_WN61_Head;
}
else
{
pattern = PTRN_WIN8_Head;
taille = sizeof(PTRN_WIN8_Head);
offsetTo= OFFS_WIN8_Head;
}
#endif
}
retour = genericPointerSearch((PUCHAR *) &CallbackListHead, refDebut, refFin, pattern, taille, offsetTo);
}
}
return retour;
}
Reference in New Issue View Git Blame Copy Permalink