[new] mimilib now supports DHCP Callout, DNS Plugin, Coffee

gentilkiwi · May 8, 2017 · 22eaf29 · 22eaf29
1 parent 4c70f14
commit 22eaf29
Show file tree

Hide file tree

Showing 14 changed files with 2,458 additions and 19 deletions.
diff --git a/inc/DhcpSSdk.h b/inc/DhcpSSdk.h
diff --git a/inc/cardmod.h b/inc/cardmod.h
diff --git a/inc/globals.h b/inc/globals.h
@@ -70,6 +70,10 @@ DWORD MIMIKATZ_NT_MAJOR_VERSION, MIMIKATZ_NT_MINOR_VERSION, MIMIKATZ_NT_BUILD_NU
 #define MS_ENH_RSA_AES_PROV_XP	L"Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype)"
 #endif
 
+#ifndef SCARD_PROVIDER_CARD_MODULE
+#define SCARD_PROVIDER_CARD_MODULE 0x80000001
+#endif
+
 #define RtlEqualGuid(L1, L2) (RtlEqualMemory(L1, L2, sizeof(GUID)))
 
 #define SIZE_ALIGN(size, alignment)	(size + ((size % alignment) ? (alignment - (size % alignment)) : 0))

diff --git a/mimikatz.sln b/mimikatz.sln
@@ -12,7 +12,9 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "global files", "global file
 EndProject
 Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "inc", "inc", "{282B4B77-BFF6-4DCA-9A60-6F4036929AEE}"
 	ProjectSection(SolutionItems) = preProject
+		inc\cardmod.h = inc\cardmod.h
 		inc\DbgHelp.h = inc\DbgHelp.h
+		inc\DhcpSSdk.h = inc\DhcpSSdk.h
 		inc\DsGetDC.h = inc\DsGetDC.h
 		inc\globals.h = inc\globals.h
 		inc\Midles.h = inc\Midles.h

diff --git a/mimilib/kdhcp.c b/mimilib/kdhcp.c
@@ -0,0 +1,56 @@
+/*	Benjamin DELPY `gentilkiwi`
+	http://blog.gentilkiwi.com
+	benjamin@gentilkiwi.com
+	Licence : https://creativecommons.org/licenses/by/4.0/
+*/
+#include "kdhcp.h"
+
+HMODULE kdhcp_nextLibrary = NULL;
+LPDHCP_NEWPKT kdhcp_nextLibraryCalloutNewPkt = NULL;
+
+BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
+{
+	if((ul_reason_for_call == DLL_PROCESS_DETACH) && kdhcp_nextLibrary)
+		FreeLibrary(kdhcp_nextLibrary);
+	return TRUE;
+}
+
+DWORD CALLBACK kdhcp_DhcpServerCalloutEntry(IN LPWSTR ChainDlls, IN DWORD CalloutVersion, IN OUT LPDHCP_CALLOUT_TABLE CalloutTbl)
+{
+	LPDHCP_ENTRY_POINT_FUNC nextEntry;
+	RtlZeroMemory(CalloutTbl, sizeof(DHCP_CALLOUT_TABLE));
+
+	if(ChainDlls)
+		if(kdhcp_nextLibrary = LoadLibrary(ChainDlls))
+			if(nextEntry = (LPDHCP_ENTRY_POINT_FUNC) GetProcAddress(kdhcp_nextLibrary, DHCP_CALLOUT_ENTRY_POINT))
+				nextEntry(ChainDlls + lstrlenW(ChainDlls) + 1, CalloutVersion, CalloutTbl);
+
+	if(CalloutTbl->DhcpNewPktHook)
+		kdhcp_nextLibraryCalloutNewPkt = CalloutTbl->DhcpNewPktHook;
+	CalloutTbl->DhcpNewPktHook = kdhcp_DhcpNewPktHook;
+
+	return ERROR_SUCCESS;
+}
+
+const BYTE macToBlack[][MAC_ADDRESS_SIZE] = {
+	{0x00, 0x0c, 0x29, 0x00, 0x00, 0x00},
+	{0x00, 0x50, 0x56, 0x00, 0x00, 0x00}
+};
+DWORD CALLBACK kdhcp_DhcpNewPktHook(IN OUT LPBYTE *Packet, IN OUT DWORD *PacketSize, IN DWORD IpAddress, IN LPVOID Reserved, IN OUT LPVOID *PktContext, OUT LPBOOL ProcessIt)
+{
+	DWORD status = ERROR_SUCCESS, m;
+	*ProcessIt = TRUE;
+
+	for(m = 0; m < ARRAYSIZE(macToBlack); m++)
+	{
+		if(RtlEqualMemory(*Packet + MAC_SOURCE_ADDRESS_OFFSET, macToBlack[m], MAC_ADDRESS_SIZE / 2)) // just the start of the address
+		{
+			*ProcessIt = FALSE;
+			status = DHCP_DROP_INVALID;
+			break;
+		}
+	}
+	if(kdhcp_nextLibraryCalloutNewPkt && *ProcessIt)
+		status = kdhcp_nextLibraryCalloutNewPkt(Packet, PacketSize, IpAddress, Reserved, PktContext, ProcessIt);
+	return status;
+}
diff --git a/mimilib/kdhcp.h b/mimilib/kdhcp.h
@@ -0,0 +1,14 @@
+/*	Benjamin DELPY `gentilkiwi`
+	http://blog.gentilkiwi.com
+	benjamin@gentilkiwi.com
+	Licence : https://creativecommons.org/licenses/by/4.0/
+*/
+#include "utils.h"
+#include <dhcpssdk.h>
+
+#define MAC_ADDRESS_SIZE			6
+#define MAC_SOURCE_ADDRESS_OFFSET	28
+
+BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved);
+DWORD CALLBACK kdhcp_DhcpServerCalloutEntry(IN LPWSTR ChainDlls, IN DWORD CalloutVersion, IN OUT LPDHCP_CALLOUT_TABLE CalloutTbl);
+DWORD CALLBACK kdhcp_DhcpNewPktHook(IN OUT LPBYTE *Packet, IN OUT DWORD *PacketSize, IN DWORD IpAddress, IN LPVOID Reserved, IN OUT LPVOID *PktContext, OUT LPBOOL ProcessIt);
diff --git a/mimilib/kdns.c b/mimilib/kdns.c
@@ -0,0 +1,30 @@
+/*	Benjamin DELPY `gentilkiwi`
+	http://blog.gentilkiwi.com
+	benjamin@gentilkiwi.com
+	Licence : https://creativecommons.org/licenses/by/4.0/
+*/
+#include "kdns.h"
+
+DWORD WINAPI kdns_DnsPluginInitialize(PLUGIN_ALLOCATOR_FUNCTION pDnsAllocateFunction, PLUGIN_FREE_FUNCTION pDnsFreeFunction)
+{
+	return ERROR_SUCCESS;
+}
+
+DWORD WINAPI kdns_DnsPluginCleanup()
+{
+	return ERROR_SUCCESS;
+}
+
+DWORD WINAPI kdns_DnsPluginQuery(PSTR pszQueryName, WORD wQueryType, PSTR pszRecordOwnerName, PDB_RECORD *ppDnsRecordListHead)
+{
+	FILE * kdns_logfile;
+#pragma warning(push)
+#pragma warning(disable:4996)
+	if(kdns_logfile = _wfopen(L"kiwidns.log", L"a"))
+#pragma warning(pop)
+	{
+		klog(kdns_logfile, L"%S (%hu)\n", pszQueryName, wQueryType);
+		fclose(kdns_logfile);
+	}
+	return ERROR_SUCCESS;
+}
diff --git a/mimilib/kdns.h b/mimilib/kdns.h
@@ -0,0 +1,19 @@
+/*	Benjamin DELPY `gentilkiwi`
+	http://blog.gentilkiwi.com
+	benjamin@gentilkiwi.com
+	Licence : https://creativecommons.org/licenses/by/4.0/
+*/
+#pragma once
+#include "utils.h"
+
+#define PLUGIN_ALLOCATOR_FUNCTION PVOID
+#define PLUGIN_FREE_FUNCTION PVOID
+#define PDB_RECORD PVOID
+
+DWORD WINAPI kdns_DnsPluginInitialize(PLUGIN_ALLOCATOR_FUNCTION pDnsAllocateFunction, PLUGIN_FREE_FUNCTION pDnsFreeFunction);
+DWORD WINAPI kdns_DnsPluginCleanup();
+DWORD WINAPI kdns_DnsPluginQuery(PSTR pszQueryName, WORD wQueryType, PSTR pszRecordOwnerName, PDB_RECORD *ppDnsRecordListHead);
+// DnsPluginQuery2
+// DnsPluginQueryZoneScope
+// DnsPluginQueryServerScope
+// DnsPluginQueryCacheScope
diff --git a/mimilib/mimilib.def b/mimilib/mimilib.def
@@ -1,11 +1,20 @@
 LIBRARY
 EXPORTS
 	startW					=	kappfree_startW
+
 	SpLsaModeInitialize		=	kssp_SpLsaModeInitialize
+
 	InitializeChangeNotify	=	kfilt_InitializeChangeNotify
 	PasswordChangeNotify	=	kfilt_PasswordChangeNotify
 
-	WinDbgExtensionDllInit	=	WinDbgExtensionDllInit
-	ExtensionApiVersion		=	ExtensionApiVersion
-
-	mimikatz				=	mimikatz
+	WinDbgExtensionDllInit	=	kdbg_WinDbgExtensionDllInit
+	ExtensionApiVersion		=	kdbg_ExtensionApiVersion
+	coffee					=	kdbg_coffee
+	mimikatz				=	kdbg_mimikatz
+
+	DnsPluginInitialize		=	kdns_DnsPluginInitialize
+	DnsPluginCleanup		=	kdns_DnsPluginCleanup
+	DnsPluginQuery			=	kdns_DnsPluginQuery
+
+	DhcpServerCalloutEntry	=	kdhcp_DhcpServerCalloutEntry
+	DhcpNewPktHook			=	kdhcp_DhcpNewPktHook
diff --git a/mimilib/mimilib.vcxproj b/mimilib/mimilib.vcxproj
@@ -88,6 +88,8 @@
   </ItemGroup>
   <ItemGroup>
     <ClCompile Include="kappfree.c" />
+    <ClCompile Include="kdhcp.c" />
+    <ClCompile Include="kdns.c" />
     <ClCompile Include="kfilt.c" />
     <ClCompile Include="kssp.c" />
     <ClCompile Include="sekurlsadbg\kuhl_m_sekurlsa_nt6.c" />
@@ -99,6 +101,8 @@
     <ClCompile Include="utils.c" />
   </ItemGroup>
   <ItemGroup>
+    <ClInclude Include="kdhcp.h" />
+    <ClInclude Include="kdns.h" />
     <ClInclude Include="kfilt.h" />
     <ClInclude Include="kssp.h" />
     <ClInclude Include="sekurlsadbg\kuhl_m_sekurlsa_nt6.h" />

diff --git a/mimilib/mimilib.vcxproj.filters b/mimilib/mimilib.vcxproj.filters
@@ -29,6 +29,8 @@
     <ClCompile Include="sekurlsadbg\kull_m_rpc_ms-credentialkeys.c">
       <Filter>sekurlsadbg</Filter>
     </ClCompile>
+    <ClCompile Include="kdns.c" />
+    <ClCompile Include="kdhcp.c" />
   </ItemGroup>
   <ItemGroup>
     <ClInclude Include="utils.h" />
@@ -52,6 +54,8 @@
     <ClInclude Include="sekurlsadbg\kull_m_rpc_ms-credentialkeys.h">
       <Filter>sekurlsadbg</Filter>
     </ClInclude>
+    <ClInclude Include="kdns.h" />
+    <ClInclude Include="kdhcp.h" />
   </ItemGroup>
   <ItemGroup>
     <Filter Include="sekurlsadbg">

diff --git a/mimilib/sekurlsadbg/kwindbg.c b/mimilib/sekurlsadbg/kwindbg.c
@@ -15,17 +15,12 @@ EXT_API_VERSION g_ExtApiVersion = {5 , 5 ,
 , 0};
 USHORT NtBuildNumber = 0;
 
-LPEXT_API_VERSION WDBGAPI ExtensionApiVersion (void)
+LPEXT_API_VERSION WDBGAPI kdbg_ExtensionApiVersion(void)
 {
 	return &g_ExtApiVersion;
 }
 
-VOID CheckVersion(void)
-{
-	return;
-}
-
-VOID WDBGAPI WinDbgExtensionDllInit(PWINDBG_EXTENSION_APIS lpExtensionApis, USHORT usMajorVersion, USHORT usMinorVersion)
+VOID WDBGAPI kdbg_WinDbgExtensionDllInit(PWINDBG_EXTENSION_APIS lpExtensionApis, USHORT usMajorVersion, USHORT usMinorVersion)
 {
 	ExtensionApis = *lpExtensionApis;
 	NtBuildNumber = usMinorVersion;
@@ -80,7 +75,12 @@ const KUHL_M_SEKURLSA_ENUM_HELPER lsassEnumHelpers[] = {
 	{sizeof(KIWI_MSV1_0_LIST_63), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, LocallyUniqueIdentifier), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, LogonType), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, Session),	FIELD_OFFSET(KIWI_MSV1_0_LIST_63, UserName), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, Domaine), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, Credentials), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, pSid), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, CredentialManager), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, LogonTime), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, LogonServer)},
 };
 
-DECLARE_API(mimikatz)
+DECLARE_API(kdbg_coffee)
+{
+	dprintf("\n    ( (\n     ) )\n  .______.\n  |      |]\n  \\      /\n   `----'\n");
+}
+
+DECLARE_API(kdbg_mimikatz)
 {
 	ULONG_PTR pInitializationVector = 0, phAesKey = 0, ph3DesKey = 0, pLogonSessionList = 0, pLogonSessionListCount = 0, pSecData = 0, pDomainList = 0;
 	PLIST_ENTRY LogonSessionList;

diff --git a/mimilib/sekurlsadbg/kwindbg.h b/mimilib/sekurlsadbg/kwindbg.h
@@ -59,10 +59,10 @@ typedef struct _KUHL_M_SEKURLSA_ENUM_HELPER {
 	ULONG offsetToLogonServer;
 } KUHL_M_SEKURLSA_ENUM_HELPER, *PKUHL_M_SEKURLSA_ENUM_HELPER;
 
-LPEXT_API_VERSION WDBGAPI ExtensionApiVersion (void);
-VOID CheckVersion(void);
-VOID WDBGAPI WinDbgExtensionDllInit (PWINDBG_EXTENSION_APIS lpExtensionApis, USHORT usMajorVersion, USHORT usMinorVersion);
-DECLARE_API(mimikatz);
+LPEXT_API_VERSION WDBGAPI kdbg_ExtensionApiVersion(void);
+VOID WDBGAPI kdbg_WinDbgExtensionDllInit (PWINDBG_EXTENSION_APIS lpExtensionApis, USHORT usMajorVersion, USHORT usMinorVersion);
+DECLARE_API(kdbg_coffee);
+DECLARE_API(kdbg_mimikatz);
 
 VOID kuhl_m_sekurlsa_genericCredsOutput(PKIWI_GENERIC_PRIMARY_CREDENTIAL mesCreds, PLUID luid, ULONG flags);
 VOID kuhl_m_sekurlsa_genericKeyOutput(struct _KIWI_CREDENTIAL_KEY * key);

diff --git a/modules/kull_m_crypto.c b/modules/kull_m_crypto.c
@@ -131,6 +131,8 @@ BOOL kull_m_crypto_close_hprov_delete_container(HCRYPTPROV hProv)
 			}
 		}
 	}
+	if(!status)
+		PRINT_ERROR_AUTO(L"CryptGetProvParam/CryptAcquireContextA");
 	return status;
 }
 
@@ -554,9 +556,10 @@ BOOL kull_m_crypto_DerAndKeyToPfx(LPCVOID der, DWORD derLen, LPCVOID key, DWORD
 				CryptDestroyKey(hCryptKey);
 			}
 			else PRINT_ERROR_AUTO(L"CryptImportKey");
-			CryptReleaseContext(hCryptProv, 0);
-			if(!CryptAcquireContext(&hCryptProv, infos.pwszContainerName, NULL, PROV_RSA_FULL, CRYPT_DELETEKEYSET))
-				PRINT_ERROR(L"Unable to delete temp keyset %s\n", infos.pwszContainerName);
+			kull_m_crypto_close_hprov_delete_container(hCryptProv);
+			//CryptReleaseContext(hCryptProv, 0);
+			//if(!CryptAcquireContext(&hCryptProv, infos.pwszContainerName, NULL, PROV_RSA_FULL, CRYPT_DELETEKEYSET))
+			//	PRINT_ERROR(L"Unable to delete temp keyset %s\n", infos.pwszContainerName);
 		}
 		else PRINT_ERROR_AUTO(L"CryptAcquireContext");
 		LocalFree(infos.pwszContainerName);