From 6380612263c2ff85b32d6a411a7a00566d6e2b43 Mon Sep 17 00:00:00 2001 From: HuysukeSan Date: Sun, 23 Oct 2016 14:27:17 +0200 Subject: [PATCH 1/4] =?UTF-8?q?modification=20de=20l'attribut=20ULInt32=20?= =?UTF-8?q?car=20pas=20d=C3=A9finis=20de=20la=20m=C3=AAme=20facon=20dans?= =?UTF-8?q?=20le=20module=20construct?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- FrancescoPicasso/mimikatz.py | 70 ++++++++++++++++++------------------ 1 file changed, 35 insertions(+), 35 deletions(-) diff --git a/FrancescoPicasso/mimikatz.py b/FrancescoPicasso/mimikatz.py index 08fb680..be77485 100644 --- a/FrancescoPicasso/mimikatz.py +++ b/FrancescoPicasso/mimikatz.py @@ -179,18 +179,18 @@ class LsaDecryptor(): MSSK_TAG = 0x4d53534b HARD_KEY = construct.Struct('KIWI_HARD_KEY', - construct.ULInt32('cbSecret'), + construct.Int32ul('cbSecret'), construct.Field('data', lambda ctx: ctx.cbSecret)) # Modified to include HARD_KEY size. BCRYPT_KEY = construct.Struct('KIWI_BCRYPT_KEY', - construct.ULInt32('size'), - construct.ULInt32('tag'), # 'MSSK'. - construct.ULInt32('type'), - construct.ULInt32('unk0'), - construct.ULInt32('unk1'), - construct.ULInt32('unk2'), - construct.ULInt32('cbSecret')) + construct.Int32ul('size'), + construct.Int32ul('tag'), # 'MSSK'. + construct.Int32ul('type'), + construct.Int32ul('unk0'), + construct.Int32ul('unk1'), + construct.Int32ul('unk2'), + construct.Int32ul('cbSecret')) def __init__(self): self.iv = '' @@ -225,7 +225,7 @@ def get_key(self, pos, key_offset): if data: kbk = self.BCRYPT_KEY.parse(data) if kbk.tag == self.MSSK_TAG: - adjust = construct.ULInt32('').sizeof() + adjust = construct.Int32ul('').sizeof() size = kbk.cbSecret + adjust ptr_key = ptr_key + self.BCRYPT_KEY.sizeof() - adjust data = self.get_data(ptr_key, size) @@ -311,11 +311,11 @@ class LsaDecryptor_Vista_x86(LsaDecryptor_x86): PTR_DES_KEY_OFFSET = -70; BCRYPT_HANDLE_KEY = construct.Struct('KIWI_BCRYPT_HANDLE_KEY', - construct.ULInt32('size'), - construct.ULInt32('tag'), # Tag 'UUUR', 0x55555552. - construct.ULInt32('ptr_void_algorithm'), - construct.ULInt32('ptr_kiwi_bcrypt_key'), - construct.ULInt32('ptr_unknown')) + construct.Int32ul('size'), + construct.Int32ul('tag'), # Tag 'UUUR', 0x55555552. + construct.Int32ul('ptr_void_algorithm'), + construct.Int32ul('ptr_kiwi_bcrypt_key'), + construct.Int32ul('ptr_unknown')) def __init__(self, lsass_task): LsaDecryptor_x86.__init__(self, lsass_task) @@ -330,11 +330,11 @@ class LsaDecryptor_Win7_x86(LsaDecryptor_x86): PTR_DES_KEY_OFFSET = -70; BCRYPT_HANDLE_KEY = construct.Struct('KIWI_BCRYPT_HANDLE_KEY', - construct.ULInt32('size'), - construct.ULInt32('tag'), # Tag 'UUUR', 0x55555552. - construct.ULInt32('ptr_void_algorithm'), - construct.ULInt32('ptr_kiwi_bcrypt_key'), - construct.ULInt32('ptr_unknown')) + construct.Int32ul('size'), + construct.Int32ul('tag'), # Tag 'UUUR', 0x55555552. + construct.Int32ul('ptr_void_algorithm'), + construct.Int32ul('ptr_kiwi_bcrypt_key'), + construct.Int32ul('ptr_unknown')) def __init__(self, lsass_task): LsaDecryptor_x86.__init__(self, lsass_task) @@ -348,8 +348,8 @@ class LsaDecryptor_Vista_x64(LsaDecryptor_x64): PTR_DES_KEY_OFFSET = -69; BCRYPT_HANDLE_KEY = construct.Struct('KIWI_BCRYPT_HANDLE_KEY', - construct.ULInt32('size'), - construct.ULInt32('tag'), # Tag 'UUUR', 0x55555552. + construct.Int32ul('size'), + construct.Int32ul('tag'), # Tag 'UUUR', 0x55555552. construct.ULInt64('ptr_void_algorithm'), construct.ULInt64('ptr_kiwi_bcrypt_key'), construct.ULInt64('ptr_unknown')) @@ -367,8 +367,8 @@ class LsaDecryptor_Win7_x64(LsaDecryptor_x64): PTR_DES_KEY_OFFSET = -61; BCRYPT_HANDLE_KEY = construct.Struct('KIWI_BCRYPT_HANDLE_KEY', - construct.ULInt32('size'), - construct.ULInt32('tag'), # Tag 'UUUR', 0x55555552. + construct.Int32ul('size'), + construct.Int32ul('tag'), # Tag 'UUUR', 0x55555552. construct.ULInt64('ptr_void_algorithm'), construct.ULInt64('ptr_kiwi_bcrypt_key'), construct.ULInt64('ptr_unknown')) @@ -474,21 +474,21 @@ class Wdigest_x86(Wdigest, Mimikatz_x86): """TODO: add description.""" WDIGEST_LIST_ENTRY = construct.Struct('WdigestListEntry', - construct.ULInt32('previous'), - construct.ULInt32('next'), - construct.ULInt32('usage_count'), - construct.ULInt32('this_entry'), + construct.Int32ul('previous'), + construct.Int32ul('next'), + construct.Int32ul('usage_count'), + construct.Int32ul('this_entry'), construct.ULInt64('luid'), construct.ULInt64('flag'), construct.ULInt16('user_len'), construct.ULInt16('user_max_len'), - construct.ULInt32('user_string_ptr'), + construct.Int32ul('user_string_ptr'), construct.ULInt16('domain_len'), construct.ULInt16('domain_max_len'), - construct.ULInt32('domain_string_ptr'), + construct.Int32ul('domain_string_ptr'), construct.ULInt16('password_len'), construct.ULInt16('password_max_len'), - construct.ULInt32('password_encrypted_ptr')) + construct.Int32ul('password_encrypted_ptr')) def __init__(self, lsass_task, credentials_obj): Mimikatz_x86.__init__(self, lsass_task) @@ -501,22 +501,22 @@ class Wdigest_x64(Wdigest, Mimikatz_x64): WDIGEST_LIST_ENTRY = construct.Struct('WdigestListEntry', construct.ULInt64('previous'), construct.ULInt64('next'), - construct.ULInt32('usage_count'), - construct.ULInt32('align1'), + construct.Int32ul('usage_count'), + construct.Int32ul('align1'), construct.ULInt64('this_entry'), construct.ULInt64('luid'), construct.ULInt64('flag'), construct.ULInt16('user_len'), construct.ULInt16('user_max_len'), - construct.ULInt32('align2'), + construct.Int32ul('align2'), construct.ULInt64('user_string_ptr'), construct.ULInt16('domain_len'), construct.ULInt16('domain_max_len'), - construct.ULInt32('align3'), + construct.Int32ul('align3'), construct.ULInt64('domain_string_ptr'), construct.ULInt16('password_len'), construct.ULInt16('password_max_len'), - construct.ULInt32('align4'), + construct.Int32ul('align4'), construct.ULInt64('password_encrypted_ptr')) def __init__(self, lsass_task, credentials_obj): From 9e1afd99247b47598c6ea2c594a3a27676ad5a36 Mon Sep 17 00:00:00 2001 From: HuysukeSan Date: Sun, 23 Oct 2016 14:42:33 +0200 Subject: [PATCH 2/4] =?UTF-8?q?modification=20de=20l'attribut=20Field=20ca?= =?UTF-8?q?r=20pas=20d=C3=A9finis=20de=20la=20m=C3=AAme=20facon=20dans=20l?= =?UTF-8?q?e=20module=20construct=20=20Field=20=3D>=20FormatField?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- FrancescoPicasso/mimikatz.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/FrancescoPicasso/mimikatz.py b/FrancescoPicasso/mimikatz.py index be77485..e2169a7 100644 --- a/FrancescoPicasso/mimikatz.py +++ b/FrancescoPicasso/mimikatz.py @@ -180,7 +180,7 @@ class LsaDecryptor(): HARD_KEY = construct.Struct('KIWI_HARD_KEY', construct.Int32ul('cbSecret'), - construct.Field('data', lambda ctx: ctx.cbSecret)) + construct.FormatField('data', lambda ctx: ctx.cbSecret)) # Modified to include HARD_KEY size. BCRYPT_KEY = construct.Struct('KIWI_BCRYPT_KEY', From c3e4cfe31fc4940c6339df54b405a18fc09e1075 Mon Sep 17 00:00:00 2001 From: HuysukeSan Date: Sun, 23 Oct 2016 14:46:02 +0200 Subject: [PATCH 3/4] =?UTF-8?q?Revert=20"modification=20de=20l'attribut=20?= =?UTF-8?q?Field=20car=20pas=20d=C3=A9finis=20de=20la=20m=C3=AAme=20facon?= =?UTF-8?q?=20dans=20le=20module=20construct=20=20Field=20=3D>=20FormatFie?= =?UTF-8?q?ld"?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This reverts commit 9e1afd99247b47598c6ea2c594a3a27676ad5a36. --- FrancescoPicasso/mimikatz.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/FrancescoPicasso/mimikatz.py b/FrancescoPicasso/mimikatz.py index e2169a7..be77485 100644 --- a/FrancescoPicasso/mimikatz.py +++ b/FrancescoPicasso/mimikatz.py @@ -180,7 +180,7 @@ class LsaDecryptor(): HARD_KEY = construct.Struct('KIWI_HARD_KEY', construct.Int32ul('cbSecret'), - construct.FormatField('data', lambda ctx: ctx.cbSecret)) + construct.Field('data', lambda ctx: ctx.cbSecret)) # Modified to include HARD_KEY size. BCRYPT_KEY = construct.Struct('KIWI_BCRYPT_KEY', From 62240b448964403f5f4767147991ce60bd6f5604 Mon Sep 17 00:00:00 2001 From: HuysukeSan Date: Sun, 23 Oct 2016 15:17:58 +0200 Subject: [PATCH 4/4] =?UTF-8?q?=20modification=20des=20attributs=20ULInt..?= =?UTF-8?q?=20car=20pas=20d=C3=A9finis=20de=20la=20m=C3=AAme=20facon=20dan?= =?UTF-8?q?s=20le=20module=20construct=20=20ULInt..=20=3D>=20Int..ul?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- FrancescoPicasso/mimikatz.py | 56 ++++++++++++++++++------------------ 1 file changed, 28 insertions(+), 28 deletions(-) diff --git a/FrancescoPicasso/mimikatz.py b/FrancescoPicasso/mimikatz.py index be77485..320f4fb 100644 --- a/FrancescoPicasso/mimikatz.py +++ b/FrancescoPicasso/mimikatz.py @@ -350,9 +350,9 @@ class LsaDecryptor_Vista_x64(LsaDecryptor_x64): BCRYPT_HANDLE_KEY = construct.Struct('KIWI_BCRYPT_HANDLE_KEY', construct.Int32ul('size'), construct.Int32ul('tag'), # Tag 'UUUR', 0x55555552. - construct.ULInt64('ptr_void_algorithm'), - construct.ULInt64('ptr_kiwi_bcrypt_key'), - construct.ULInt64('ptr_unknown')) + construct.Int64ul('ptr_void_algorithm'), + construct.Int64ul('ptr_kiwi_bcrypt_key'), + construct.Int64ul('ptr_unknown')) def __init__(self, lsass_task): LsaDecryptor_x64.__init__(self, lsass_task) @@ -369,9 +369,9 @@ class LsaDecryptor_Win7_x64(LsaDecryptor_x64): BCRYPT_HANDLE_KEY = construct.Struct('KIWI_BCRYPT_HANDLE_KEY', construct.Int32ul('size'), construct.Int32ul('tag'), # Tag 'UUUR', 0x55555552. - construct.ULInt64('ptr_void_algorithm'), - construct.ULInt64('ptr_kiwi_bcrypt_key'), - construct.ULInt64('ptr_unknown')) + construct.Int64ul('ptr_void_algorithm'), + construct.Int64ul('ptr_kiwi_bcrypt_key'), + construct.Int64ul('ptr_unknown')) def __init__(self, lsass_task): LsaDecryptor_x64.__init__(self, lsass_task) @@ -478,16 +478,16 @@ class Wdigest_x86(Wdigest, Mimikatz_x86): construct.Int32ul('next'), construct.Int32ul('usage_count'), construct.Int32ul('this_entry'), - construct.ULInt64('luid'), - construct.ULInt64('flag'), - construct.ULInt16('user_len'), - construct.ULInt16('user_max_len'), + construct.Int64ul('luid'), + construct.Int64ul('flag'), + construct.Int16ul('user_len'), + construct.Int16ul('user_max_len'), construct.Int32ul('user_string_ptr'), - construct.ULInt16('domain_len'), - construct.ULInt16('domain_max_len'), + construct.Int16ul('domain_len'), + construct.Int16ul('domain_max_len'), construct.Int32ul('domain_string_ptr'), - construct.ULInt16('password_len'), - construct.ULInt16('password_max_len'), + construct.Int16ul('password_len'), + construct.Int16ul('password_max_len'), construct.Int32ul('password_encrypted_ptr')) def __init__(self, lsass_task, credentials_obj): @@ -499,25 +499,25 @@ class Wdigest_x64(Wdigest, Mimikatz_x64): """TODO: add description.""" WDIGEST_LIST_ENTRY = construct.Struct('WdigestListEntry', - construct.ULInt64('previous'), - construct.ULInt64('next'), + construct.Int64ul('previous'), + construct.Int64ul('next'), construct.Int32ul('usage_count'), construct.Int32ul('align1'), - construct.ULInt64('this_entry'), - construct.ULInt64('luid'), - construct.ULInt64('flag'), - construct.ULInt16('user_len'), - construct.ULInt16('user_max_len'), + construct.Int64ul('this_entry'), + construct.Int64ul('luid'), + construct.Int64ul('flag'), + construct.Int16ul('user_len'), + construct.Int16ul('user_max_len'), construct.Int32ul('align2'), - construct.ULInt64('user_string_ptr'), - construct.ULInt16('domain_len'), - construct.ULInt16('domain_max_len'), + construct.Int64ul('user_string_ptr'), + construct.Int16ul('domain_len'), + construct.Int16ul('domain_max_len'), construct.Int32ul('align3'), - construct.ULInt64('domain_string_ptr'), - construct.ULInt16('password_len'), - construct.ULInt16('password_max_len'), + construct.Int64ul('domain_string_ptr'), + construct.Int16ul('password_len'), + construct.Int16ul('password_max_len'), construct.Int32ul('align4'), - construct.ULInt64('password_encrypted_ptr')) + construct.Int64ul('password_encrypted_ptr')) def __init__(self, lsass_task, credentials_obj): Mimikatz_x64.__init__(self, lsass_task)