
[new] mimilib now supports DHCP Callout, DNS Plugin, Coffee

gentilkiwi committed May 8, 2017
1 parent 4c70f14 commit 22eaf29e75a0da2628991d7efdaf68563ce0b340



@@ -70,6 +70,10 @@ DWORD MIMIKATZ_NT_MAJOR_VERSION, MIMIKATZ_NT_MINOR_VERSION, MIMIKATZ_NT_BUILD_NU
#define MS_ENH_RSA_AES_PROV_XP L"Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype)"
#endif

#ifndef SCARD_PROVIDER_CARD_MODULE
#define SCARD_PROVIDER_CARD_MODULE 0x80000001
#endif

#define RtlEqualGuid(L1, L2) (RtlEqualMemory(L1, L2, sizeof(GUID)))

#define SIZE_ALIGN(size, alignment) (size + ((size % alignment) ? (alignment - (size % alignment)) : 0))
@@ -12,7 +12,9 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "global files", "global file
EndProject
Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "inc", "inc", "{282B4B77-BFF6-4DCA-9A60-6F4036929AEE}"
ProjectSection(SolutionItems) = preProject
inc\cardmod.h = inc\cardmod.h
inc\DbgHelp.h = inc\DbgHelp.h
inc\DhcpSSdk.h = inc\DhcpSSdk.h
inc\DsGetDC.h = inc\DsGetDC.h
inc\globals.h = inc\globals.h
inc\Midles.h = inc\Midles.h
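--- /dev/null
+++ b/kdhcp.c
@@ -0,0 +1,56 @@
+/* Benjamin DELPY `gentilkiwi`
+http://blog.gentilkiwi.com
+benjamin@gentilkiwi.com
+Licence : https://creativecommons.org/licenses/by/4.0/
+*/
+#include "kdhcp.h"
+
+HMODULE kdhcp_nextLibrary = NULL;
+LPDHCP_NEWPKT kdhcp_nextLibraryCalloutNewPkt = NULL;
+
+BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
+{
+if((ul_reason_for_call == DLL_PROCESS_DETACH) && kdhcp_nextLibrary)
+FreeLibrary(kdhcp_nextLibrary);
+return TRUE;
+}
+
+DWORD CALLBACK kdhcp_DhcpServerCalloutEntry(IN LPWSTR ChainDlls, IN DWORD CalloutVersion, IN OUT LPDHCP_CALLOUT_TABLE CalloutTbl)
+{
+LPDHCP_ENTRY_POINT_FUNC nextEntry;
+RtlZeroMemory(CalloutTbl, sizeof(DHCP_CALLOUT_TABLE));
+
+if(ChainDlls)
+if(kdhcp_nextLibrary = LoadLibrary(ChainDlls))
+if(nextEntry = (LPDHCP_ENTRY_POINT_FUNC) GetProcAddress(kdhcp_nextLibrary, DHCP_CALLOUT_ENTRY_POINT))
+nextEntry(ChainDlls + lstrlenW(ChainDlls) + 1, CalloutVersion, CalloutTbl);
+
+if(CalloutTbl->DhcpNewPktHook)
+kdhcp_nextLibraryCalloutNewPkt = CalloutTbl->DhcpNewPktHook;
+CalloutTbl->DhcpNewPktHook = kdhcp_DhcpNewPktHook;
+
+return ERROR_SUCCESS;
+}
+
+const BYTE macToBlack[][MAC_ADDRESS_SIZE] = {
+{0x00, 0x0c, 0x29, 0x00, 0x00, 0x00},
+{0x00, 0x50, 0x56, 0x00, 0x00, 0x00}
+};
+DWORD CALLBACK kdhcp_DhcpNewPktHook(IN OUT LPBYTE *Packet, IN OUT DWORD *PacketSize, IN DWORD IpAddress, IN LPVOID Reserved, IN OUT LPVOID *PktContext, OUT LPBOOL ProcessIt)
+{
+DWORD status = ERROR_SUCCESS, m;
+*ProcessIt = TRUE;
+
+for(m = 0; m < ARRAYSIZE(macToBlack); m++)
+{
+if(RtlEqualMemory(*Packet + MAC_SOURCE_ADDRESS_OFFSET, macToBlack[m], MAC_ADDRESS_SIZE / 2)) // just the start of the address
+{
+*ProcessIt = FALSE;
+status = DHCP_DROP_INVALID;
+break;
+}
+}
+if(kdhcp_nextLibraryCalloutNewPkt && *ProcessIt)
+status = kdhcp_nextLibraryCalloutNewPkt(Packet, PacketSize, IpAddress, Reserved, PktContext, ProcessIt);
+return status;
+}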
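Review bot: `kdhcp_DhcpNewPktHook` reads three bytes at `*Packet + MAC_SOURCE_ADDRESS_OFFSET` without ever looking at `*PacketSize`, so a truncated packet makes `RtlEqualMemory` read past the end of the buffer; guard the comparison, e.g. `if(*PacketSize >= MAC_SOURCE_ADDRESS_OFFSET + MAC_ADDRESS_SIZE / 2)` around the loop, or add it as a second condition of the `for`. `macToBlack` deserves a comment stating that entries are matched on their first `MAC_ADDRESS_SIZE / 2` bytes only (hardware-address prefixes, apparently vendor OUIs) and that a match drops the packet with `DHCP_DROP_INVALID` instead of passing it down the chain. In `kdhcp_DhcpServerCalloutEntry` the return value of `nextEntry(...)` is discarded, so a chained callout whose entry point fails still leaves whatever it wrote in `CalloutTbl`; checking it against `ERROR_SUCCESS` before reading `CalloutTbl->DhcpNewPktHook` would be safer. `DllMain` calling `FreeLibrary` on `DLL_PROCESS_DETACH` runs under the loader lock, which the DllMain documentation advises against; leaving the chained module loaded until process exit is the usual choice.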
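--- /dev/null
+++ b/kdhcp.h
@@ -0,0 +1,14 @@
+/* Benjamin DELPY `gentilkiwi`
+http://blog.gentilkiwi.com
+benjamin@gentilkiwi.com
+Licence : https://creativecommons.org/licenses/by/4.0/
+*/
+#include "utils.h"
+#include <dhcpssdk.h>
+
+#define MAC_ADDRESS_SIZE 6
+#define MAC_SOURCE_ADDRESS_OFFSET 28
+
+BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved);
+DWORD CALLBACK kdhcp_DhcpServerCalloutEntry(IN LPWSTR ChainDlls, IN DWORD CalloutVersion, IN OUT LPDHCP_CALLOUT_TABLE CalloutTbl);
+DWORD CALLBACK kdhcp_DhcpNewPktHook(IN OUT LPBYTE *Packet, IN OUT DWORD *PacketSize, IN DWORD IpAddress, IN LPVOID Reserved, IN OUT LPVOID *PktContext, OUT LPBOOL ProcessIt);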
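Review bot: The header has no include guard, while `kdns.h` in the same commit uses one; add `#pragma once` before `#include "utils.h"`. `MAC_SOURCE_ADDRESS_OFFSET` would read better with a comment tying the value 28 to the `chaddr` field of the fixed DHCP/BOOTP message header (op, htype, hlen, hops, xid, secs, flags and the four 4-byte addresses precede it), e.g. `#define MAC_SOURCE_ADDRESS_OFFSET 28 // offset of chaddr in the DHCP fixed header`. Whether `Packet` in the hook points at the DHCP message itself rather than a lower-layer frame is not visible here; confirm that against the callout SDK before relying on the constant.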
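--- /dev/null
+++ b/kdns.c
@@ -0,0 +1,30 @@
+/* Benjamin DELPY `gentilkiwi`
+http://blog.gentilkiwi.com
+benjamin@gentilkiwi.com
+Licence : https://creativecommons.org/licenses/by/4.0/
+*/
+#include "kdns.h"
+
+DWORD WINAPI kdns_DnsPluginInitialize(PLUGIN_ALLOCATOR_FUNCTION pDnsAllocateFunction, PLUGIN_FREE_FUNCTION pDnsFreeFunction)
+{
+return ERROR_SUCCESS;
+}
+
+DWORD WINAPI kdns_DnsPluginCleanup()
+{
+return ERROR_SUCCESS;
+}
+
+DWORD WINAPI kdns_DnsPluginQuery(PSTR pszQueryName, WORD wQueryType, PSTR pszRecordOwnerName, PDB_RECORD *ppDnsRecordListHead)
+{
+FILE * kdns_logfile;
+#pragma warning(push)
+#pragma warning(disable:4996)
+if(kdns_logfile = _wfopen(L"kiwidns.log", L"a"))
+#pragma warning(pop)
+{
+klog(kdns_logfile, L"%S (%hu)\n", pszQueryName, wQueryType);
+fclose(kdns_logfile);
+}
+return ERROR_SUCCESS;
+}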
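Review bot: `kdns_DnsPluginQuery` opens `kiwidns.log` through a relative path, so the file is created in whatever the DNS service process's current directory happens to be, and a failed `_wfopen` is silently ignored; use an absolute path (or one derived from the module's own location) and document where the log is expected to land. `kdns_DnsPluginCleanup()` is defined with empty parentheses, which in C declares an unprototyped function rather than one taking no arguments; write `DWORD WINAPI kdns_DnsPluginCleanup(void)` here and in the matching declaration in `kdns.h`. The `#pragma warning(pop)` sits between the `if` and its `{`, which compiles but is easy to misread; wrapping the whole `if` block in the push/pop pair is clearer. Opening and closing the file on every query is also costly on a busy resolver and worth a comment if it is intentional.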
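--- /dev/null
+++ b/kdns.h
@@ -0,0 +1,19 @@
+/* Benjamin DELPY `gentilkiwi`
+http://blog.gentilkiwi.com
+benjamin@gentilkiwi.com
+Licence : https://creativecommons.org/licenses/by/4.0/
+*/
+#pragma once
+#include "utils.h"
+
+#define PLUGIN_ALLOCATOR_FUNCTION PVOID
+#define PLUGIN_FREE_FUNCTION PVOID
+#define PDB_RECORD PVOID
+
+DWORD WINAPI kdns_DnsPluginInitialize(PLUGIN_ALLOCATOR_FUNCTION pDnsAllocateFunction, PLUGIN_FREE_FUNCTION pDnsFreeFunction);
+DWORD WINAPI kdns_DnsPluginCleanup();
+DWORD WINAPI kdns_DnsPluginQuery(PSTR pszQueryName, WORD wQueryType, PSTR pszRecordOwnerName, PDB_RECORD *ppDnsRecordListHead);
+// DnsPluginQuery2
+// DnsPluginQueryZoneScope
+// DnsPluginQueryServerScope
+// DnsPluginQueryCacheScope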
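Review bot: The three `#define ... PVOID` stand-ins (`PLUGIN_ALLOCATOR_FUNCTION`, `PLUGIN_FREE_FUNCTION`, `PDB_RECORD`) erase the real types of the DNS plugin interface and nothing says why; add a comment such as `// placeholders: the real plugin types are not needed while the plugin only logs queries` (adjusting the reason to the actual one), and prefer `typedef PVOID PLUGIN_ALLOCATOR_FUNCTION;` over `#define` so the names obey scope and show up in the debugger. The four commented-out names at the end read like a to-do list; a `// TODO:` prefix would make that explicit for the next reader.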
@@ -1,11 +1,20 @@
LIBRARY
EXPORTS
startW = kappfree_startW

SpLsaModeInitialize = kssp_SpLsaModeInitialize

InitializeChangeNotify = kfilt_InitializeChangeNotify
PasswordChangeNotify = kfilt_PasswordChangeNotify

WinDbgExtensionDllInit = WinDbgExtensionDllInit
ExtensionApiVersion = ExtensionApiVersion

mimikatz = mimikatz
WinDbgExtensionDllInit = kdbg_WinDbgExtensionDllInit
ExtensionApiVersion = kdbg_ExtensionApiVersion
coffee = kdbg_coffee
mimikatz = kdbg_mimikatz

DnsPluginInitialize = kdns_DnsPluginInitialize
DnsPluginCleanup = kdns_DnsPluginCleanup
DnsPluginQuery = kdns_DnsPluginQuery

DhcpServerCalloutEntry = kdhcp_DhcpServerCalloutEntry
DhcpNewPktHook = kdhcp_DhcpNewPktHook
@@ -88,6 +88,8 @@
</ItemGroup>
<ItemGroup>
<ClCompile Include="kappfree.c" />
<ClCompile Include="kdhcp.c" />
<ClCompile Include="kdns.c" />
<ClCompile Include="kfilt.c" />
<ClCompile Include="kssp.c" />
<ClCompile Include="sekurlsadbg\kuhl_m_sekurlsa_nt6.c" />
@@ -99,6 +101,8 @@
<ClCompile Include="utils.c" />
</ItemGroup>
<ItemGroup>
<ClInclude Include="kdhcp.h" />
<ClInclude Include="kdns.h" />
<ClInclude Include="kfilt.h" />
<ClInclude Include="kssp.h" />
<ClInclude Include="sekurlsadbg\kuhl_m_sekurlsa_nt6.h" />
@@ -29,6 +29,8 @@
<ClCompile Include="sekurlsadbg\kull_m_rpc_ms-credentialkeys.c">
<Filter>sekurlsadbg</Filter>
</ClCompile>
<ClCompile Include="kdns.c" />
<ClCompile Include="kdhcp.c" />
</ItemGroup>
<ItemGroup>
<ClInclude Include="utils.h" />
@@ -52,6 +54,8 @@
<ClInclude Include="sekurlsadbg\kull_m_rpc_ms-credentialkeys.h">
<Filter>sekurlsadbg</Filter>
</ClInclude>
<ClInclude Include="kdns.h" />
<ClInclude Include="kdhcp.h" />
</ItemGroup>
<ItemGroup>
<Filter Include="sekurlsadbg">
@@ -15,17 +15,12 @@ EXT_API_VERSION g_ExtApiVersion = {5 , 5 ,
, 0};
USHORT NtBuildNumber = 0;

LPEXT_API_VERSION WDBGAPI ExtensionApiVersion (void)
LPEXT_API_VERSION WDBGAPI kdbg_ExtensionApiVersion(void)
{
return &g_ExtApiVersion;
}

VOID CheckVersion(void)
{
return;
}

VOID WDBGAPI WinDbgExtensionDllInit(PWINDBG_EXTENSION_APIS lpExtensionApis, USHORT usMajorVersion, USHORT usMinorVersion)
VOID WDBGAPI kdbg_WinDbgExtensionDllInit(PWINDBG_EXTENSION_APIS lpExtensionApis, USHORT usMajorVersion, USHORT usMinorVersion)
{
ExtensionApis = *lpExtensionApis;
NtBuildNumber = usMinorVersion;
@@ -80,7 +75,12 @@ const KUHL_M_SEKURLSA_ENUM_HELPER lsassEnumHelpers[] = {
{sizeof(KIWI_MSV1_0_LIST_63), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, LocallyUniqueIdentifier), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, LogonType), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, Session), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, UserName), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, Domaine), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, Credentials), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, pSid), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, CredentialManager), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, LogonTime), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, LogonServer)},
};

DECLARE_API(mimikatz)
DECLARE_API(kdbg_coffee)
{
dprintf("\n ( (\n ) )\n .______.\n | |]\n \\ /\n `----'\n");
}

DECLARE_API(kdbg_mimikatz)
{
ULONG_PTR pInitializationVector = 0, phAesKey = 0, ph3DesKey = 0, pLogonSessionList = 0, pLogonSessionListCount = 0, pSecData = 0, pDomainList = 0;
PLIST_ENTRY LogonSessionList;
@@ -59,10 +59,10 @@ typedef struct _KUHL_M_SEKURLSA_ENUM_HELPER {
ULONG offsetToLogonServer;
} KUHL_M_SEKURLSA_ENUM_HELPER, *PKUHL_M_SEKURLSA_ENUM_HELPER;

LPEXT_API_VERSION WDBGAPI ExtensionApiVersion (void);
VOID CheckVersion(void);
VOID WDBGAPI WinDbgExtensionDllInit (PWINDBG_EXTENSION_APIS lpExtensionApis, USHORT usMajorVersion, USHORT usMinorVersion);
DECLARE_API(mimikatz);
LPEXT_API_VERSION WDBGAPI kdbg_ExtensionApiVersion(void);
VOID WDBGAPI kdbg_WinDbgExtensionDllInit (PWINDBG_EXTENSION_APIS lpExtensionApis, USHORT usMajorVersion, USHORT usMinorVersion);
DECLARE_API(kdbg_coffee);
DECLARE_API(kdbg_mimikatz);

VOID kuhl_m_sekurlsa_genericCredsOutput(PKIWI_GENERIC_PRIMARY_CREDENTIAL mesCreds, PLUID luid, ULONG flags);
VOID kuhl_m_sekurlsa_genericKeyOutput(struct _KIWI_CREDENTIAL_KEY * key);
@@ -131,6 +131,8 @@ BOOL kull_m_crypto_close_hprov_delete_container(HCRYPTPROV hProv)
}
}
}
if(!status)
PRINT_ERROR_AUTO(L"CryptGetProvParam/CryptAcquireContextA");
return status;
}

@@ -554,9 +556,10 @@ BOOL kull_m_crypto_DerAndKeyToPfx(LPCVOID der, DWORD derLen, LPCVOID key, DWORD
CryptDestroyKey(hCryptKey);
}
else PRINT_ERROR_AUTO(L"CryptImportKey");
CryptReleaseContext(hCryptProv, 0);
if(!CryptAcquireContext(&hCryptProv, infos.pwszContainerName, NULL, PROV_RSA_FULL, CRYPT_DELETEKEYSET))
PRINT_ERROR(L"Unable to delete temp keyset %s\n", infos.pwszContainerName);
kull_m_crypto_close_hprov_delete_container(hCryptProv);
//CryptReleaseContext(hCryptProv, 0);
//if(!CryptAcquireContext(&hCryptProv, infos.pwszContainerName, NULL, PROV_RSA_FULL, CRYPT_DELETEKEYSET))
// PRINT_ERROR(L"Unable to delete temp keyset %s\n", infos.pwszContainerName);
}
else PRINT_ERROR_AUTO(L"CryptAcquireContext");
LocalFree(infos.pwszContainerName);
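Review bot: The replaced cleanup is left behind as three commented-out lines right after the new `kull_m_crypto_close_hprov_delete_container(hCryptProv);` call; delete them, since version history already records the old `CryptReleaseContext`/`CryptAcquireContext(..., CRYPT_DELETEKEYSET)` sequence. The helper returns a `BOOL` that is discarded here; that is acceptable only because the helper reports its own failure (see the `PRINT_ERROR_AUTO` added to it in the earlier hunk), and a short comment saying so would save the next reader a lookup. `kull_m_crypto_DerAndKeyToPfx` starts and ends outside this hunk.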
