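// Builds the CloudAP template for the dump's Windows build and architecture.
//   sysinfo: minidump system-info stream; BuildNumber and ProcessorArchitecture select the entry.
//   returns: a populated CloudapTemplate. For builds up to and including 1903 the template is
//            returned before any signature or list type is assigned — presumably the caller treats
//            that as "unsupported"; verify at the call site.
//   throws : Exception when the architecture is neither AMD64 nor INTEL.
public static CloudapTemplate get_template(SystemInfo.MINIDUMP_SYSTEM_INFO sysinfo)
{
    var template = new CloudapTemplate();

    // Builds <= 1903 are not covered by this template set.
    if (sysinfo.BuildNumber <= (int)SystemInfo.WindowsBuild.WIN_10_1903)
    {
        return template;
    }

    if (sysinfo.ProcessorArchitecture == SystemInfo.PROCESSOR_ARCHITECTURE.AMD64)
    {
        template.signature = new byte[] { 0x44, 0x8b, 0x01, 0x44, 0x39, 0x42, 0x18, 0x75 };
        template.first_entry_offset = -9;
        template.list_entry = typeof(KIWI_CLOUDAP_LOGON_LIST_ENTRY);
    }
    else if (sysinfo.ProcessorArchitecture == SystemInfo.PROCESSOR_ARCHITECTURE.INTEL)
    {
        template.signature = new byte[] { 0x8b, 0x31, 0x39, 0x72, 0x10, 0x75 };
        template.first_entry_offset = -8;
        template.list_entry = typeof(KIWI_CLOUDAP_LOGON_LIST_ENTRY);
    }
    else
    {
        // String.Format does not understand printf-style "%s": the previous message printed the
        // literal placeholders and dropped both values. Interpolate, as the other templates do.
        throw new Exception($"Could not identify template! Architecture: {sysinfo.ProcessorArchitecture} sysinfo.BuildNumber: {sysinfo.BuildNumber}");
    }

    // Field offsets come from the struct definitions via StructFieldOffset rather than literal numbers.
    template.luidOffset = StructFieldOffset(template.list_entry, "LocallyUniqueIdentifier");
    template.cacheOffset = StructFieldOffset(template.list_entry, "cacheEntry");
    template.cbPRTOffset = StructFieldOffset(typeof(KIWI_CLOUDAP_CACHE_LIST_ENTRY), "cbPRT");
    template.PRTOffset = StructFieldOffset(typeof(KIWI_CLOUDAP_CACHE_LIST_ENTRY), "PRT");
    template.tonameOffset = StructFieldOffset(typeof(KIWI_CLOUDAP_CACHE_LIST_ENTRY), "toname");
    return template;
}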
// Selects the RDP credential template by Windows build number.
//   sysinfo: minidump system-info stream; only BuildNumber is consulted here.
//   returns: an RdpTemplate with its signature list, first-entry offset and credential struct set.
public static RdpTemplate get_template(SystemInfo.MINIDUMP_SYSTEM_INFO sysinfo)
{
    bool win8OrLater = sysinfo.BuildNumber >= (int)SystemInfo.WindowsMinBuild.WIN_8;

    if (win8OrLater)
    {
        // Windows 8 and later carry three candidate signatures.
        var candidates = new List<byte[]>
        {
            new byte[] { 0x00, 0x00, 0x00, 0x00, 0xbb, 0x47 },
            new byte[] { 0x00, 0x00, 0x00, 0x00, 0xf3, 0x47 },
            new byte[] { 0x00, 0x00, 0x00, 0x00, 0x3b, 0x01 },
        };
        return new RdpTemplate
        {
            signature = candidates,
            first_entry_offset = 0,
            cred_struct = new WTS_KIWI(),
        };
    }

    // Older builds use a single signature and the WTS_KIWI_2008R2 credential layout.
    return new RdpTemplate
    {
        signature = new List<byte[]>() { new byte[] { 0xc8, 0x00, 0x00, 0x00, 0xc8, 0x00, 0x00, 0x00 } },
        first_entry_offset = 16,
        cred_struct = new WTS_KIWI_2008R2(),
    };
}
//https://github.com/skelsec/pypykatz/blob/bd1054d1aa948133a697a1dfcb57a5c6463be41a/pypykatz/commons/common.py#L162
// Reads a value at an absolute dump offset and widens it to ulong.
//   fileBinaryReader: reader over the dump; its stream position is moved to pos.
//   pos             : absolute offset to read from.
//   sysinfo         : only ProcessorArchitecture is used, to pick the read width.
//   returns         : the value read (4 bytes on AMD64, 2 bytes otherwise), zero-extended.
public static ulong get_ptr(BinaryReader fileBinaryReader, long pos, SystemInfo.MINIDUMP_SYSTEM_INFO sysinfo)
{
    // The literal 0 is SeekOrigin.Begin (zero-literal enum conversion); get_ptr_with_offset spells it out.
    fileBinaryReader.BaseStream.Seek(pos, 0);
    if (sysinfo.ProcessorArchitecture == SystemInfo.PROCESSOR_ARCHITECTURE.AMD64)
    {
        // NOTE(review): only 4 bytes are read for the x64 case — confirm against the pypykatz
        // reference linked above that a 32-bit read is intended here.
        UInt32 ptr = Minidump.Helpers.ReadUInt32(fileBinaryReader);
        return((ulong)ptr);
    }
    else
    {
        // NOTE(review): 2 bytes for the non-x64 case looks narrow for a 32-bit value — verify.
        UInt16 ptr = Minidump.Helpers.ReadUInt16(fileBinaryReader);
        return((ulong)ptr);
    }
}
// Dispatches to the LSA template implementation for the dump; only NT6+ on x64 is implemented.
//   sysinfo: minidump system-info stream.
//   returns: whatever lsaTemplate_NT6.get_template produces.
//   throws : Exception for 32-bit dumps and for builds older than Vista.
public static object get_template(SystemInfo.MINIDUMP_SYSTEM_INFO sysinfo)
{
    if (sysinfo.ProcessorArchitecture == SystemInfo.PROCESSOR_ARCHITECTURE.INTEL)
    {
        throw new Exception($"X86 not yet supported");
    }

    if (sysinfo.BuildNumber < (int)SystemInfo.WindowsMinBuild.WIN_VISTA)
    {
        //return lsaTemplate_NT5.get_template(sysinfo);
        throw new Exception($"NT5 not yet supported");
    }

    return lsaTemplate_NT6.get_template(sysinfo);
}
// Builds the SSP template for the dump's architecture and build.
//   sysinfo: minidump system-info stream; ProcessorArchitecture and (on x64) BuildNumber select the entry.
//   returns: an SspTemplate with list_entry, signature and first_entry_offset set.
//   throws : Exception for an unknown architecture (the x64 "unknown build" branch is not reachable
//            because the three ranges above it cover every build number).
public static SspTemplate get_template(SystemInfo.MINIDUMP_SYSTEM_INFO sysinfo)
{
    var template = new SspTemplate { list_entry = new KIWI_SSP_CREDENTIAL_LIST_ENTRY() };
    var arch = sysinfo.ProcessorArchitecture;
    var build = sysinfo.BuildNumber;

    if (arch == SystemInfo.PROCESSOR_ARCHITECTURE.INTEL)
    {
        // A single entry covers every 32-bit build.
        template.signature = new byte[] { 0x1c, 0x43, 0x72, 0x64, 0x41, 0xff, 0x15 };
        template.first_entry_offset = 12;
        return template;
    }

    if (arch != SystemInfo.PROCESSOR_ARCHITECTURE.AMD64)
    {
        throw new Exception($"Unknown architecture! {sysinfo.ProcessorArchitecture}");
    }

    int vista = (int)SystemInfo.WindowsMinBuild.WIN_VISTA;
    int win10 = (int)SystemInfo.WindowsBuild.WIN_10_1507;

    if (build < vista)
    {
        template.signature = new byte[] { 0xc7, 0x43, 0x24, 0x43, 0x72, 0x64, 0x41, 0xff, 0x15 };
        template.first_entry_offset = 16;
    }
    else if (build < win10)
    {
        // vista <= build < 1507
        template.signature = new byte[] { 0xc7, 0x47, 0x24, 0x43, 0x72, 0x64, 0x41, 0x48, 0x89, 0x47, 0x78, 0xff, 0x15 };
        template.first_entry_offset = 20;
    }
    else if (build >= win10)
    {
        template.signature = new byte[] { 0x24, 0x43, 0x72, 0x64, 0x41, 0xff, 0x15 };
        template.first_entry_offset = 14;
    }
    else
    {
        //currently doesnt make sense, but keeping it here for future use
        throw new Exception($"Unknown buildnumber! {sysinfo.BuildNumber}");
    }

    return template;
}
// Builds the LiveSSP template; the entry depends only on the dump's architecture.
//   sysinfo: minidump system-info stream; only ProcessorArchitecture is consulted.
//   returns: a LiveSspTemplate with signature and first_entry_offset set.
//   throws : Exception for an architecture other than AMD64 or INTEL.
public static LiveSspTemplate get_template(SystemInfo.MINIDUMP_SYSTEM_INFO sysinfo)
{
    var arch = sysinfo.ProcessorArchitecture;

    if (arch == SystemInfo.PROCESSOR_ARCHITECTURE.AMD64)
    {
        return new LiveSspTemplate
        {
            signature = new byte[] { 0x74, 0x25, 0x8b },
            first_entry_offset = -7,
        };
    }

    if (arch == SystemInfo.PROCESSOR_ARCHITECTURE.INTEL)
    {
        return new LiveSspTemplate
        {
            signature = new byte[] { 0x8b, 0x16, 0x39, 0x51, 0x24, 0x75, 0x08 },
            first_entry_offset = -8,
        };
    }

    throw new Exception($"Unknown architecture! {sysinfo.ProcessorArchitecture}");
}
// Selects the Credential Manager list-entry struct for the dump's build and architecture.
//   sysinfo: minidump system-info stream.
//   returns: a CredmanTemplate with list_entry and offset set. Note that any architecture other
//            than AMD64 is treated as x86 — there is no explicit INTEL check and nothing throws.
public static CredmanTemplate get_template(SystemInfo.MINIDUMP_SYSTEM_INFO sysinfo)
{
    var template = new CredmanTemplate();
    var build = sysinfo.BuildNumber;
    bool preVista = build < (int)SystemInfo.WindowsMinBuild.WIN_VISTA;
    bool vistaEra = !preVista && build < (int)SystemInfo.WindowsMinBuild.WIN_7;

    if (sysinfo.ProcessorArchitecture == SystemInfo.PROCESSOR_ARCHITECTURE.AMD64)
    {
        template.offset = 0;
        if (preVista)
        {
            template.list_entry = typeof(KIWI_CREDMAN_LIST_ENTRY_5);
        }
        else if (vistaEra)
        {
            template.list_entry = typeof(KIWI_CREDMAN_LIST_ENTRY_60);
        }
        else
        {
            template.list_entry = typeof(KIWI_CREDMAN_LIST_ENTRY);
        }
    }
    else
    {
        // x86 layouts sit 32 bytes before the matched position.
        template.offset = -32;
        if (preVista)
        {
            template.list_entry = typeof(KIWI_CREDMAN_LIST_ENTRY_5_X86);
        }
        else if (vistaEra)
        {
            template.list_entry = typeof(KIWI_CREDMAN_LIST_ENTRY_60_X86);
        }
        else
        {
            template.list_entry = typeof(KIWI_CREDMAN_LIST_ENTRY_X86);
        }
    }

    return template;
}
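// Builds the MSV1_0 template for the dump's build and architecture.
//   sysinfo: minidump system-info stream; BuildNumber, ProcessorArchitecture and msv_dll_timestamp
//            all take part in the selection.
//   returns: a populated MsvTemplate — list/credential struct types, their field offsets and the
//            per-build search signature.
//   throws : Exception for an unknown architecture, or an x86 build no range matches.
// Change: a leftover Console.WriteLine(sysinfo.msv_dll_timestamp) in the Win8 branch was removed;
// template selection no longer writes to stdout.
public static MsvTemplate get_template(SystemInfo.MINIDUMP_SYSTEM_INFO sysinfo)
{
    var template = new MsvTemplate();
    template.MSV1CredentialsOffset = FieldOffset<KIWI_MSV1_0_PRIMARY_CREDENTIALS>("Credentials");
    template.MSV1PrimaryOffset = FieldOffset<KIWI_MSV1_0_PRIMARY_CREDENTIALS>("Primary");
    // Added to the three *OwfPassword offsets below; only the 1607+ credential layout changes it.
    template.PasswordOffset = 0;

    //identify credential session list structure to be used
    if (sysinfo.BuildNumber < (int)SystemInfo.WindowsMinBuild.WIN_2K3)
    {
        template.list_entry = typeof(KIWI_MSV1_0_LIST_51);
    }
    else if (sysinfo.BuildNumber < (int)SystemInfo.WindowsMinBuild.WIN_VISTA)
    {
        template.list_entry = typeof(KIWI_MSV1_0_LIST_52);
    }
    else if (sysinfo.BuildNumber < (int)SystemInfo.WindowsMinBuild.WIN_7)
    {
        template.list_entry = typeof(KIWI_MSV1_0_LIST_60);
    }
    else if (sysinfo.BuildNumber < (int)SystemInfo.WindowsMinBuild.WIN_8)
    {
        //do not do that :)
        //skelsec
        // msv_dll_timestamp decides between the two Windows 7 list layouts.
        if (sysinfo.msv_dll_timestamp > 0x53480000)
        {
            template.list_entry = typeof(KIWI_MSV1_0_LIST_61_ANTI_MIMIKATZ);
        }
        else
        {
            template.list_entry = typeof(KIWI_MSV1_0_LIST_61);
        }
    }
    else if (sysinfo.BuildNumber < (int)SystemInfo.WindowsMinBuild.WIN_BLUE)
    {
        //template.list_entry = PKIWI_MSV1_0_LIST_62
        // Same timestamp threshold as the Win7 case, choosing between the 6.2 and 6.3 layouts.
        if (sysinfo.msv_dll_timestamp > 0x53480000)
        {
            template.list_entry = typeof(KIWI_MSV1_0_LIST_63);
        }
        else
        {
            template.list_entry = typeof(KIWI_MSV1_0_LIST_62);
        }
    }
    else
    {
        template.list_entry = typeof(KIWI_MSV1_0_LIST_63);
    }

    template.ListTypeSize = Marshal.SizeOf(template.list_entry);
    template.LocallyUniqueIdentifierOffset = StructFieldOffset(template.list_entry, "LocallyUniqueIdentifier");
    template.LogonTypeOffset = StructFieldOffset(template.list_entry, "LogonType");
    template.SessionOffset = StructFieldOffset(template.list_entry, "Session");
    template.UserNameListOffset = StructFieldOffset(template.list_entry, "UserName");
    template.DomainOffset = StructFieldOffset(template.list_entry, "Domain");
    template.CredentialsOffset = StructFieldOffset(template.list_entry, "Credentials");
    template.pSidOffset = StructFieldOffset(template.list_entry, "pSid");
    template.CredentialManagerOffset = StructFieldOffset(template.list_entry, "CredentialManager");
    template.LogonTimeOffset = StructFieldOffset(template.list_entry, "LogonTime");
    template.LogonServerOffset = StructFieldOffset(template.list_entry, "LogonServer");

    // Primary credential layout by build.
    if (sysinfo.BuildNumber < (int)SystemInfo.WindowsBuild.WIN_10_1507)
    {
        template.credential_entry = typeof(MSV1_0_PRIMARY_CREDENTIAL);
    }
    else if (sysinfo.BuildNumber < (int)SystemInfo.WindowsBuild.WIN_10_1511)
    {
        template.credential_entry = typeof(MSV1_0_PRIMARY_CREDENTIAL_10_OLD);
    }
    else if (sysinfo.BuildNumber < (int)SystemInfo.WindowsBuild.WIN_10_1607)
    {
        template.credential_entry = typeof(MSV1_0_PRIMARY_CREDENTIAL_10);
    }
    else
    {
        template.credential_entry = typeof(MSV1_0_PRIMARY_CREDENTIAL_10_1607);
        template.PasswordOffset = -2;
    }

    template.LogonDomainNameOffset = StructFieldOffset(template.credential_entry, "LogonDomainName");
    template.UserNameOffset = StructFieldOffset(template.credential_entry, "UserName");
    template.LmOwfPasswordOffset = StructFieldOffset(template.credential_entry, "LmOwfPassword") + template.PasswordOffset;
    template.NtOwfPasswordOffset = StructFieldOffset(template.credential_entry, "NtOwfPassword") + template.PasswordOffset;
    template.ShaOwPasswordOffset = StructFieldOffset(template.credential_entry, "ShaOwPassword") + template.PasswordOffset;

    // Only the 1607+ layout has a DPAPIProtected field.
    if (template.credential_entry != typeof(MSV1_0_PRIMARY_CREDENTIAL_10_1607))
    {
        template.DPAPIProtectedOffset = 0;
    }
    else
    {
        template.DPAPIProtectedOffset = FieldOffset<MSV1_0_PRIMARY_CREDENTIAL_10_1607>("DPAPIProtected");
    }

    if (sysinfo.ProcessorArchitecture == SystemInfo.PROCESSOR_ARCHITECTURE.AMD64)
    {
        // NOTE(review): this chain has no lower bound — x64 builds below XP fall into the final
        // "1903" branch rather than throwing like the x86 chain does. Verify that is intended.
        if ((int)SystemInfo.WindowsMinBuild.WIN_XP <= sysinfo.BuildNumber && sysinfo.BuildNumber < (int)SystemInfo.WindowsMinBuild.WIN_2K3)
        {
            template.signature = new byte[] { 0x4c, 0x8b, 0xdf, 0x49, 0xc1, 0xe3, 0x04, 0x48, 0x8b, 0xcb, 0x4c, 0x03, 0xd8 };
            template.first_entry_offset = -4;
            template.LogonSessionListCountOffset = 0;
        }
        else if ((int)SystemInfo.WindowsMinBuild.WIN_2K3 <= sysinfo.BuildNumber && sysinfo.BuildNumber < (int)SystemInfo.WindowsMinBuild.WIN_VISTA)
        {
            template.signature = new byte[] { 0x4c, 0x8b, 0xdf, 0x49, 0xc1, 0xe3, 0x04, 0x48, 0x8b, 0xcb, 0x4c, 0x03, 0xd8 };
            template.first_entry_offset = -4;
            template.LogonSessionListCountOffset = -45;
        }
        else if ((int)SystemInfo.WindowsMinBuild.WIN_VISTA <= sysinfo.BuildNumber && sysinfo.BuildNumber < (int)SystemInfo.WindowsMinBuild.WIN_7)
        {
            template.signature = new byte[] { 0x33, 0xff, 0x45, 0x85, 0xc0, 0x41, 0x89, 0x75, 0x00, 0x4c, 0x8b, 0xe3, 0x0f, 0x84 };
            template.first_entry_offset = 21;
            template.LogonSessionListCountOffset = -4;
        }
        else if ((int)SystemInfo.WindowsMinBuild.WIN_7 <= sysinfo.BuildNumber && sysinfo.BuildNumber < (int)SystemInfo.WindowsMinBuild.WIN_8)
        {
            template.signature = new byte[] { 0x33, 0xf6, 0x45, 0x89, 0x2f, 0x4c, 0x8b, 0xf3, 0x85, 0xff, 0x0f, 0x84 };
            template.first_entry_offset = 19;
            template.LogonSessionListCountOffset = -4;
        }
        else if ((int)SystemInfo.WindowsMinBuild.WIN_8 <= sysinfo.BuildNumber && sysinfo.BuildNumber < (int)SystemInfo.WindowsMinBuild.WIN_BLUE)
        {
            template.signature = new byte[] { 0x33, 0xff, 0x41, 0x89, 0x37, 0x4c, 0x8b, 0xf3, 0x45, 0x85, 0xc0, 0x74 };
            template.first_entry_offset = 16;
            template.LogonSessionListCountOffset = -4;
        }
        else if ((int)SystemInfo.WindowsMinBuild.WIN_BLUE <= sysinfo.BuildNumber && sysinfo.BuildNumber < (int)SystemInfo.WindowsBuild.WIN_10_1507)
        {
            template.signature = new byte[] { 0x8b, 0xde, 0x48, 0x8d, 0x0c, 0x5b, 0x48, 0xc1, 0xe1, 0x05, 0x48, 0x8d, 0x05 };
            template.first_entry_offset = 36;
            template.LogonSessionListCountOffset = -6;
        }
        else if ((int)SystemInfo.WindowsBuild.WIN_10_1507 <= sysinfo.BuildNumber && sysinfo.BuildNumber < (int)SystemInfo.WindowsBuild.WIN_10_1703)
        {
            //1503 and 1603
            template.signature = new byte[] { 0x33, 0xff, 0x41, 0x89, 0x37, 0x4c, 0x8b, 0xf3, 0x45, 0x85, 0xc0, 0x74 };
            template.first_entry_offset = 16;
            template.LogonSessionListCountOffset = -4;
        }
        else if ((int)SystemInfo.WindowsBuild.WIN_10_1703 <= sysinfo.BuildNumber && sysinfo.BuildNumber < (int)SystemInfo.WindowsBuild.WIN_10_1803)
        {
            //1703
            template.signature = new byte[] { 0x33, 0xff, 0x45, 0x89, 0x37, 0x48, 0x8b, 0xf3, 0x45, 0x85, 0xc9, 0x74 };
            template.first_entry_offset = 23;
            template.LogonSessionListCountOffset = -4;
        }
        else if ((int)SystemInfo.WindowsBuild.WIN_10_1803 <= sysinfo.BuildNumber && sysinfo.BuildNumber < (int)SystemInfo.WindowsBuild.WIN_10_1903)
        {
            //1803
            template.signature = new byte[] { 0x33, 0xff, 0x41, 0x89, 0x37, 0x4c, 0x8b, 0xf3, 0x45, 0x85, 0xc9, 0x74 };
            template.first_entry_offset = 23;
            template.LogonSessionListCountOffset = -4;
        }
        else
        {
            //1903
            template.signature = new byte[] { 0x33, 0xff, 0x41, 0x89, 0x37, 0x4c, 0x8b, 0xf3, 0x45, 0x85, 0xc0, 0x74 };
            template.first_entry_offset = 23;
            template.LogonSessionListCountOffset = -4;
        }
    }
    else if (sysinfo.ProcessorArchitecture == SystemInfo.PROCESSOR_ARCHITECTURE.INTEL)
    {
        if ((int)SystemInfo.WindowsMinBuild.WIN_XP <= sysinfo.BuildNumber && sysinfo.BuildNumber < (int)SystemInfo.WindowsMinBuild.WIN_2K3)
        {
            template.signature = new byte[] { 0xff, 0x50, 0x10, 0x85, 0xc0, 0x0f, 0x84 };
            template.first_entry_offset = 24;
            template.LogonSessionListCountOffset = 0;
        }
        else if ((int)SystemInfo.WindowsMinBuild.WIN_2K3 <= sysinfo.BuildNumber && sysinfo.BuildNumber < (int)SystemInfo.WindowsMinBuild.WIN_VISTA)
        {
            template.signature = new byte[] { 0x89, 0x71, 0x04, 0x89, 0x30, 0x8d, 0x04, 0xbd };
            template.first_entry_offset = -11;
            template.LogonSessionListCountOffset = -43;
        }
        else if ((int)SystemInfo.WindowsMinBuild.WIN_VISTA <= sysinfo.BuildNumber && sysinfo.BuildNumber < (int)SystemInfo.WindowsMinBuild.WIN_8)
        {
            // Same signature as the 2003 range; only the list-count offset differs.
            template.signature = new byte[] { 0x89, 0x71, 0x04, 0x89, 0x30, 0x8d, 0x04, 0xbd };
            template.first_entry_offset = -11;
            template.LogonSessionListCountOffset = -42;
        }
        else if ((int)SystemInfo.WindowsMinBuild.WIN_8 <= sysinfo.BuildNumber && sysinfo.BuildNumber < (int)SystemInfo.WindowsMinBuild.WIN_BLUE)
        {
            template.signature = new byte[] { 0x8b, 0x45, 0xf8, 0x8b, 0x55, 0x08, 0x8b, 0xde, 0x89, 0x02, 0x89, 0x5d, 0xf0, 0x85, 0xc9, 0x74 };
            template.first_entry_offset = 18;
            template.LogonSessionListCountOffset = -4;
        }
        else if ((int)SystemInfo.WindowsMinBuild.WIN_BLUE <= sysinfo.BuildNumber && sysinfo.BuildNumber < (int)SystemInfo.WindowsBuild.WIN_10_1507)
        {
            template.signature = new byte[] { 0x8b, 0x4d, 0xe4, 0x8b, 0x45, 0xf4, 0x89, 0x75, 0xe8, 0x89, 0x01, 0x85, 0xff, 0x74 };
            template.first_entry_offset = 16;
            template.LogonSessionListCountOffset = -4;
        }
        else if ((int)sysinfo.BuildNumber >= (int)SystemInfo.WindowsBuild.WIN_10_1507)
        {
            template.signature = new byte[] { 0x8b, 0x4d, 0xe8, 0x8b, 0x45, 0xf4, 0x89, 0x75, 0xec, 0x89, 0x01, 0x85, 0xff, 0x74 };
            template.first_entry_offset = 16;
            template.LogonSessionListCountOffset = -4;
        }
        else
        {
            // Only builds below XP reach this point.
            throw new Exception($"Could not identify template! {sysinfo.BuildNumber}");
        }
    }
    else
    {
        throw new Exception($"Unknown architecture! {sysinfo.ProcessorArchitecture}");
    }

    return template;
}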
//https://github.com/skelsec/pypykatz/blob/bd1054d1aa948133a697a1dfcb57a5c6463be41a/pypykatz/commons/common.py#L168
// Resolves a pointer stored at an absolute dump offset.
//   fileBinaryReader: reader over the dump; its stream position is moved to pos.
//   pos             : absolute offset of the stored value.
//   sysinfo         : only ProcessorArchitecture is used.
//   returns         : on AMD64 the 4-byte value is treated as a displacement relative to the end of
//                     the field (pos + 4 + value); otherwise the raw 2-byte value is returned.
public static ulong get_ptr_with_offset(BinaryReader fileBinaryReader, long pos, SystemInfo.MINIDUMP_SYSTEM_INFO sysinfo)
{
    if (sysinfo.ProcessorArchitecture == SystemInfo.PROCESSOR_ARCHITECTURE.AMD64)
    {
        fileBinaryReader.BaseStream.Seek(pos, SeekOrigin.Begin);
        // NOTE(review): the displacement is read unsigned. x86-64 disp32 fields are signed, so a
        // value with the top bit set would be added as a large positive number instead of a
        // negative one — confirm against the linked pypykatz reference whether a signed read is intended.
        UInt32 ptr = Minidump.Helpers.ReadUInt32(fileBinaryReader);
        return((ulong)(pos + 4 + ptr));
    }
    else
    {
        fileBinaryReader.BaseStream.Seek(pos, SeekOrigin.Begin);
        // NOTE(review): only 2 bytes are read for the 32-bit case — verify the expected width.
        UInt16 ptr = Minidump.Helpers.ReadUInt16(fileBinaryReader);
        return(ptr);
    }
}
// Builds the TSPKG template for the dump's architecture and build.
//   sysinfo: minidump system-info stream; ProcessorArchitecture and BuildNumber select the entry.
//   returns: a TspkgTemplate with signature, avl_offset and the KIWI_TS_CREDENTIAL* size/offsets set.
//            Note that avl_offset equals the signature length in every branch, i.e. the value of
//            interest sits directly after the matched bytes.
//   throws : Exception for an architecture other than AMD64 or INTEL. The x64 "unknown build"
//            branch is unreachable (the two ranges above it cover every build number).
public static TspkgTemplate get_template(SystemInfo.MINIDUMP_SYSTEM_INFO sysinfo)
{
    TspkgTemplate template = new TspkgTemplate();
    if (sysinfo.ProcessorArchitecture == SystemInfo.PROCESSOR_ARCHITECTURE.AMD64)
    {
        // One signature for every x64 build; only the credential struct changes at 1607.
        template.signature = new byte[] { 0x48, 0x83, 0xec, 0x20, 0x48, 0x8d, 0x0d };
        template.avl_offset = 7;
        if (sysinfo.BuildNumber < (int)SystemInfo.WindowsBuild.WIN_10_1607)
        {
            template.TSCredTypeSize = Marshal.SizeOf(new KIWI_TS_CREDENTIAL());
            template.TSCredLocallyUniqueIdentifierOffset = FieldOffset <KIWI_TS_CREDENTIAL>("LocallyUniqueIdentifier");
            template.TSCredOffset = FieldOffset <KIWI_TS_CREDENTIAL>("pTsPrimary");
        }
        else if (sysinfo.BuildNumber >= (int)SystemInfo.WindowsBuild.WIN_10_1607)
        {
            template.TSCredTypeSize = Marshal.SizeOf(new KIWI_TS_CREDENTIAL_1607());
            template.TSCredLocallyUniqueIdentifierOffset = FieldOffset <KIWI_TS_CREDENTIAL_1607>("LocallyUniqueIdentifier");
            template.TSCredOffset = FieldOffset <KIWI_TS_CREDENTIAL_1607>("pTsPrimary");
        }
        else
        {
            //currently doesnt make sense, but keeping it here for future use
            throw new Exception($"Unknown buildnumber! {sysinfo.BuildNumber}");
        }
    }
    else if (sysinfo.ProcessorArchitecture == SystemInfo.PROCESSOR_ARCHITECTURE.INTEL)
    {
        if (sysinfo.BuildNumber < (int)SystemInfo.WindowsMinBuild.WIN_8)
        {
            // NOTE(review): pre-Windows 8 x86 uses the *_1607 credential struct while the Win8
            // range below uses the plain one — confirm this is the intended pairing.
            template.signature = new byte[] { 0x8b, 0xff, 0x55, 0x8b, 0xec, 0x51, 0x56, 0xbe };
            template.avl_offset = 8;
            template.TSCredTypeSize = Marshal.SizeOf(new KIWI_TS_CREDENTIAL_1607());
            template.TSCredLocallyUniqueIdentifierOffset = FieldOffset <KIWI_TS_CREDENTIAL_1607>("LocallyUniqueIdentifier");
            template.TSCredOffset = FieldOffset <KIWI_TS_CREDENTIAL_1607>("pTsPrimary");
        }
        else if ((int)SystemInfo.WindowsMinBuild.WIN_8 <= sysinfo.BuildNumber && sysinfo.BuildNumber < (int)SystemInfo.WindowsMinBuild.WIN_BLUE)
        {
            template.signature = new byte[] { 0x8b, 0xff, 0x53, 0xbb };
            template.avl_offset = 4;
            template.TSCredTypeSize = Marshal.SizeOf(new KIWI_TS_CREDENTIAL());
            template.TSCredLocallyUniqueIdentifierOffset = FieldOffset <KIWI_TS_CREDENTIAL>("LocallyUniqueIdentifier");
            template.TSCredOffset = FieldOffset <KIWI_TS_CREDENTIAL>("pTsPrimary");
        }
        else if ((int)SystemInfo.WindowsMinBuild.WIN_BLUE <= sysinfo.BuildNumber && sysinfo.BuildNumber < (int)SystemInfo.WindowsBuild.WIN_10_1607)
        {
            template.signature = new byte[] { 0x8b, 0xff, 0x57, 0xbf };
            template.avl_offset = 4;
            template.TSCredTypeSize = Marshal.SizeOf(new KIWI_TS_CREDENTIAL_1607());
            template.TSCredLocallyUniqueIdentifierOffset = FieldOffset <KIWI_TS_CREDENTIAL_1607>("LocallyUniqueIdentifier");
            template.TSCredOffset = FieldOffset <KIWI_TS_CREDENTIAL_1607>("pTsPrimary");
        }
        else if (sysinfo.BuildNumber >= (int)SystemInfo.WindowsBuild.WIN_10_1607)
        {
            // Identical to the 8.1 range above; kept separate to mirror the build table.
            template.signature = new byte[] { 0x8b, 0xff, 0x57, 0xbf };
            template.avl_offset = 4;
            template.TSCredTypeSize = Marshal.SizeOf(new KIWI_TS_CREDENTIAL_1607());
            template.TSCredLocallyUniqueIdentifierOffset = FieldOffset <KIWI_TS_CREDENTIAL_1607>("LocallyUniqueIdentifier");
            template.TSCredOffset = FieldOffset <KIWI_TS_CREDENTIAL_1607>("pTsPrimary");
        }
    }
    else
    {
        throw new Exception($"Unknown architecture! {sysinfo.ProcessorArchitecture}");
    }
    return(template);
}
// Builds the DPAPI master-key cache template for the dump's architecture and build.
//   sysinfo: minidump system-info stream; ProcessorArchitecture and BuildNumber select the entry.
//   returns: a DpapiTemplate with list_entry, signature and first_entry_offset set. The x86 ranges
//            cover every build; on x64 every build is covered too, so the trailing "else" is dead.
//   throws : Exception for an architecture other than AMD64 or INTEL.
public static DpapiTemplate get_template(SystemInfo.MINIDUMP_SYSTEM_INFO sysinfo)
{
    DpapiTemplate template = new DpapiTemplate();
    template.list_entry = new KIWI_MASTERKEY_CACHE_ENTRY();
    if (sysinfo.ProcessorArchitecture == SystemInfo.PROCESSOR_ARCHITECTURE.AMD64)
    {
        if (sysinfo.BuildNumber < (int)SystemInfo.WindowsMinBuild.WIN_VISTA)
        {
            template.signature = new byte[] { 0x4d, 0x3b, 0xee, 0x49, 0x8b, 0xfd, 0x0f, 0x85 };
            template.first_entry_offset = -4;
        }
        else if ((int)SystemInfo.WindowsMinBuild.WIN_VISTA <= sysinfo.BuildNumber && sysinfo.BuildNumber < (int)SystemInfo.WindowsMinBuild.WIN_7)
        {
            template.signature = new byte[] { 0x49, 0x3b, 0xef, 0x48, 0x8b, 0xfd, 0x0f, 0x84 };
            template.first_entry_offset = -4;
        }
        else if ((int)SystemInfo.WindowsMinBuild.WIN_7 <= sysinfo.BuildNumber && sysinfo.BuildNumber < (int)SystemInfo.WindowsMinBuild.WIN_8)
        {
            template.signature = new byte[] { 0x33, 0xc0, 0xeb, 0x20, 0x48, 0x8d, 0x05 };
            template.first_entry_offset = 7;
        }
        else if ((int)SystemInfo.WindowsMinBuild.WIN_8 <= sysinfo.BuildNumber && sysinfo.BuildNumber < (int)SystemInfo.WindowsMinBuild.WIN_BLUE)
        {
            template.signature = new byte[] { 0x4c, 0x89, 0x1f, 0x48, 0x89, 0x47, 0x08, 0x49, 0x39, 0x43, 0x08, 0x0f, 0x85 };
            template.first_entry_offset = -4;
        }
        else if ((int)SystemInfo.WindowsMinBuild.WIN_BLUE <= sysinfo.BuildNumber && sysinfo.BuildNumber < (int)SystemInfo.WindowsBuild.WIN_10_1507)
        {
            template.signature = new byte[] { 0x08, 0x48, 0x39, 0x48, 0x08, 0x0f, 0x85 };
            template.first_entry_offset = -10;
        }
        else if ((int)SystemInfo.WindowsBuild.WIN_10_1507 <= sysinfo.BuildNumber && sysinfo.BuildNumber < (int)SystemInfo.WindowsBuild.WIN_10_1607)
        {
            template.signature = new byte[] { 0x48, 0x89, 0x4e, 0x08, 0x48, 0x39, 0x48, 0x08 };
            template.first_entry_offset = -7;
        }
        else if (sysinfo.BuildNumber >= (int)SystemInfo.WindowsBuild.WIN_10_1607)
        {
            template.signature = new byte[] { 0x48, 0x89, 0x4f, 0x08, 0x48, 0x89, 0x78, 0x08 };
            template.first_entry_offset = 11;
        }
        else
        {
            //currently doesnt make sense, but keeping it here for future use
            // NOTE(review): unreachable, and the message says "architecture" although this is the
            // build-number chain — a copy of the outer else.
            throw new Exception($"Unknown architecture! {sysinfo.ProcessorArchitecture}");
        }
    }
    else if (sysinfo.ProcessorArchitecture == SystemInfo.PROCESSOR_ARCHITECTURE.INTEL)
    {
        if (sysinfo.BuildNumber < (int)SystemInfo.WindowsMinBuild.WIN_8)
        {
            template.signature = new byte[] { 0x33, 0xc0, 0x40, 0xa3 };
            template.first_entry_offset = -4;
        }
        else if ((int)SystemInfo.WindowsMinBuild.WIN_8 <= sysinfo.BuildNumber && sysinfo.BuildNumber < (int)SystemInfo.WindowsMinBuild.WIN_BLUE)
        {
            template.signature = new byte[] { 0x8b, 0xf0, 0x81, 0xfe, 0xcc, 0x06, 0x00, 0x00, 0x0f, 0x84 };
            template.first_entry_offset = -16;
        }
        else if (sysinfo.BuildNumber >= (int)SystemInfo.WindowsMinBuild.WIN_BLUE)
        {
            // Same entry as the pre-Windows 8 range.
            template.signature = new byte[] { 0x33, 0xc0, 0x40, 0xa3 };
            template.first_entry_offset = -4;
        }
    }
    else
    {
        throw new Exception($"Unknown architecture! {sysinfo.ProcessorArchitecture}");
    }
    return(template);
}
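// Builds the Kerberos template for the dump's architecture and build.
//   sysinfo: minidump system-info stream; ProcessorArchitecture and BuildNumber select the entry.
//   returns: a populated KerberosTemplate. On x86 only signature/first_entry_offset are set; the
//            session/credential types and Session*Offset fields are left untouched (presumably the
//            x86 path does not use them — verify at the call site).
//   throws : Exception for an unknown architecture, or an x64 build below XP.
// Changes: adjacent build ranges that carried identical settings are merged (every build still
// resolves to the same values), and the "could not identify" message now interpolates its
// arguments — String.Format does not understand printf-style "%s", so the old message printed
// the placeholders literally and dropped both values.
public static KerberosTemplate get_template(SystemInfo.MINIDUMP_SYSTEM_INFO sysinfo)
{
    var template = new KerberosTemplate();
    var build = sysinfo.BuildNumber;

    if (sysinfo.ProcessorArchitecture == SystemInfo.PROCESSOR_ARCHITECTURE.AMD64)
    {
        if ((int)SystemInfo.WindowsMinBuild.WIN_XP <= build && build < (int)SystemInfo.WindowsMinBuild.WIN_VISTA)
        {
            // XP and 2003
            template.signature = new byte[] { 0x48, 0x3b, 0xfe, 0x0f, 0x84 };
            template.first_entry_offset = -4;
            template.LogonSessionType = typeof(KIWI_KERBEROS_LOGON_SESSION_10);
            template.LogonSessionTypeSize = Marshal.SizeOf(typeof(KIWI_KERBEROS_LOGON_SESSION_10));
            template.PrimaryCredentialType = typeof(KIWI_KERBEROS_10_PRIMARY_CREDENTIAL);
        }
        else if ((int)SystemInfo.WindowsMinBuild.WIN_VISTA <= build && build < (int)SystemInfo.WindowsBuild.WIN_10_1607)
        {
            // Vista through Windows 10 1511
            template.signature = new byte[] { 0x48, 0x8b, 0x18, 0x48, 0x8d, 0x0d };
            template.first_entry_offset = 6;
            template.LogonSessionType = typeof(KIWI_KERBEROS_LOGON_SESSION_10);
            template.LogonSessionTypeSize = Marshal.SizeOf(typeof(KIWI_KERBEROS_LOGON_SESSION_10));
            template.PrimaryCredentialType = typeof(KIWI_KERBEROS_10_PRIMARY_CREDENTIAL);
        }
        else if (build >= (int)SystemInfo.WindowsBuild.WIN_10_1607)
        {
            // Same signature as before; only the struct layouts change at 1607.
            template.signature = new byte[] { 0x48, 0x8b, 0x18, 0x48, 0x8d, 0x0d };
            template.first_entry_offset = 6;
            template.LogonSessionType = typeof(KIWI_KERBEROS_LOGON_SESSION_10_1607);
            template.LogonSessionTypeSize = Marshal.SizeOf(typeof(KIWI_KERBEROS_LOGON_SESSION_10_1607));
            template.PrimaryCredentialType = typeof(KIWI_KERBEROS_10_PRIMARY_CREDENTIAL_1607);
        }
        else
        {
            // Only builds below XP reach this point.
            throw new Exception($"Could not identify template! Architecture: {sysinfo.ProcessorArchitecture} sysinfo.BuildNumber: {sysinfo.BuildNumber}");
        }

        template.SessionCredentialOffset = StructFieldOffset(template.LogonSessionType, "credentials");
        template.SessionUserNameOffset = StructFieldOffset(template.PrimaryCredentialType, "UserName");
        template.SessionDomainOffset = StructFieldOffset(template.PrimaryCredentialType, "Domain");
        template.SessionPasswordOffset = StructFieldOffset(template.PrimaryCredentialType, "Password");
    }
    else if (sysinfo.ProcessorArchitecture == SystemInfo.PROCESSOR_ARCHITECTURE.INTEL)
    {
        // No trailing else: an x86 build below XP leaves signature unset.
        if ((int)SystemInfo.WindowsMinBuild.WIN_XP <= build && build < (int)SystemInfo.WindowsMinBuild.WIN_VISTA)
        {
            // XP and 2003
            template.signature = new byte[] { 0x8B, 0x7D, 0x08, 0x8B, 0x17, 0x39, 0x50 };
            template.first_entry_offset = -8;
        }
        else if ((int)SystemInfo.WindowsMinBuild.WIN_VISTA <= build && build < (int)SystemInfo.WindowsMinBuild.WIN_8)
        {
            // Vista and 7
            template.signature = new byte[] { 0x53, 0x8b, 0x18, 0x50, 0x56 };
            template.first_entry_offset = -11;
        }
        else if ((int)SystemInfo.WindowsMinBuild.WIN_8 <= build && build < (int)SystemInfo.WindowsBuild.WIN_BLUE)
        {
            // NOTE(review): this upper bound uses WindowsBuild.WIN_BLUE while the next range starts at
            // WindowsMinBuild.WIN_BLUE; if the two constants differ there is a gap or overlap — verify.
            template.signature = new byte[] { 0x57, 0x8b, 0x38, 0x50, 0x68 };
            template.first_entry_offset = -14;
        }
        else if ((int)SystemInfo.WindowsMinBuild.WIN_BLUE <= build && build < (int)SystemInfo.WindowsBuild.WIN_10_1903)
        {
            // 8.1 through Windows 10 1809. The original table split this at 1507 and 1511 with the
            // same values; the author's note on the 1507 entry is kept:
            //###DOUBLE CHECK THE STRUCTURES BELOW LINE!!!!
            //### kerbHelper[N] -> KerberosReferences... {-15,7}}, here N= 7
            template.signature = new byte[] { 0x56, 0x8b, 0x30, 0x50, 0x57 };
            template.first_entry_offset = -15;
        }
        else if ((int)SystemInfo.WindowsBuild.WIN_10_1903 <= build)
        {
            template.signature = new byte[] { 0x56, 0x8b, 0x30, 0x50, 0x53 };
            template.first_entry_offset = -15;
        }
    }
    else
    {
        throw new Exception($"Unknown architecture! {sysinfo.ProcessorArchitecture}");
    }

    return template;
}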
// Builds the WDigest template for the dump's architecture and build.
//   sysinfo: minidump system-info stream; ProcessorArchitecture and BuildNumber select the entry.
//   returns: a WdigestTemplate. The USERNAME/HOSTNAME/PASSWORD offsets are fixed for every build;
//            signature, first_entry_offset, primary_offset and list_entry vary per range.
//   throws : Exception for an unknown architecture, or an x64 build below XP.
public static WdigestTemplate get_template(SystemInfo.MINIDUMP_SYSTEM_INFO sysinfo)
{
    WdigestTemplate template = new WdigestTemplate();
    template.USERNAME_OFFSET = 0x30;
    template.HOSTNAME_OFFSET = 0x40;
    template.PASSWORD_OFFSET = 0x50;
    if (sysinfo.ProcessorArchitecture == SystemInfo.PROCESSOR_ARCHITECTURE.AMD64)
    {
        if ((int)SystemInfo.WindowsMinBuild.WIN_XP <= sysinfo.BuildNumber && sysinfo.BuildNumber < (int)SystemInfo.WindowsMinBuild.WIN_2K3)
        {
            template.signature = new byte[] { 0x48, 0x3b, 0xda, 0x74 };
            template.first_entry_offset = -4;
            template.primary_offset = 36;
            template.list_entry = new KIWI_WDIGEST_LIST_ENTRY();
        }
        else if ((int)SystemInfo.WindowsMinBuild.WIN_2K3 <= sysinfo.BuildNumber && sysinfo.BuildNumber < (int)SystemInfo.WindowsMinBuild.WIN_VISTA)
        {
            // Same signature as XP; only primary_offset differs.
            template.signature = new byte[] { 0x48, 0x3b, 0xda, 0x74 };
            template.first_entry_offset = -4;
            template.primary_offset = 48;
            template.list_entry = new KIWI_WDIGEST_LIST_ENTRY();
        }
        else if (sysinfo.BuildNumber >= (int)SystemInfo.WindowsMinBuild.WIN_VISTA)
        {
            template.signature = new byte[] { 0x48, 0x3b, 0xd9, 0x74 };
            template.first_entry_offset = -4;
            template.primary_offset = 48;
            template.list_entry = new KIWI_WDIGEST_LIST_ENTRY();
        }
        else
        {
            // Only builds below XP reach this point.
            throw new Exception($"Unknown BuildNumber! {sysinfo.BuildNumber}");
        }
    }
    else if (sysinfo.ProcessorArchitecture == SystemInfo.PROCESSOR_ARCHITECTURE.INTEL)
    {
        if ((int)SystemInfo.WindowsMinBuild.WIN_XP <= sysinfo.BuildNumber && sysinfo.BuildNumber < (int)SystemInfo.WindowsMinBuild.WIN_2K3)
        {
            template.signature = new byte[] { 0x74, 0x18, 0x8b, 0x4d, 0x08, 0x8b, 0x11 };
            template.first_entry_offset = -6;
            template.primary_offset = 36;
            template.list_entry = new KIWI_WDIGEST_LIST_ENTRY();
        }
        else if ((int)SystemInfo.WindowsMinBuild.WIN_2K3 <= sysinfo.BuildNumber && sysinfo.BuildNumber < (int)SystemInfo.WindowsMinBuild.WIN_VISTA)
        {
            template.signature = new byte[] { 0x74, 0x18, 0x8b, 0x4d, 0x08, 0x8b, 0x11 };
            template.first_entry_offset = -6;
            template.primary_offset = 28;
            template.list_entry = new KIWI_WDIGEST_LIST_ENTRY();
        }
        else if ((int)SystemInfo.WindowsMinBuild.WIN_VISTA <= sysinfo.BuildNumber && sysinfo.BuildNumber < (int)SystemInfo.WindowsMinBuild.WIN_BLUE)
        {
            template.signature = new byte[] { 0x74, 0x11, 0x8b, 0x0b, 0x39, 0x4e, 0x10 };
            template.first_entry_offset = -6;
            template.primary_offset = 32;
            template.list_entry = new KIWI_WDIGEST_LIST_ENTRY();
        }
        else if ((int)SystemInfo.WindowsMinBuild.WIN_BLUE <= sysinfo.BuildNumber && sysinfo.BuildNumber < (int)SystemInfo.WindowsMinBuild.WIN_10)
        {
            template.signature = new byte[] { 0x74, 0x15, 0x8b, 0x0a, 0x39, 0x4e, 0x10 };
            template.first_entry_offset = -4;
            template.primary_offset = 32;
            template.list_entry = new KIWI_WDIGEST_LIST_ENTRY();
        }
        else if (sysinfo.BuildNumber >= (int)SystemInfo.WindowsMinBuild.WIN_10)
        {
            // NOTE(review): this branch reuses the 8.1 signature with a different first_entry_offset,
            // while the trailing else (only reachable for builds below XP) carries a distinct
            // signature. The two look as if they may have been swapped — verify against the
            // reference table before relying on the Windows 10 x86 entry.
            template.signature = new byte[] { 0x74, 0x15, 0x8b, 0x0a, 0x39, 0x4e, 0x10 };
            template.first_entry_offset = -6;
            template.primary_offset = 32;
            template.list_entry = new KIWI_WDIGEST_LIST_ENTRY();
        }
        else
        {
            template.signature = new byte[] { 0x74, 0x15, 0x8b, 0x17, 0x39, 0x56, 0x10 };
            template.first_entry_offset = -6;
            template.primary_offset = 32;
            template.list_entry = new KIWI_WDIGEST_LIST_ENTRY();
        }
    }
    else
    {
        throw new Exception($"Unknown architecture! {sysinfo.ProcessorArchitecture}");
    }
    return(template);
}
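/// <summary>
/// Selects the LSA key-material template for the system described by <paramref name="sysinfo"/>:
/// the byte signature used to locate the LSA key in the dump (<c>key_pattern</c>) and the
/// layouts used to parse what it points to (<c>key_handle_struct</c>, <c>key_struct</c>).
/// Selection is keyed purely on processor architecture and build number; a wrong template
/// does not fail here, it fails (or yields garbage) wherever the signature scan runs.
/// </summary>
/// <param name="sysinfo">Architecture and build number taken from the minidump's system-info stream.</param>
/// <returns>
/// A fully populated <see cref="LsaTemplate_NT6"/>. <c>nt_major</c> is "6" except on the x86
/// Windows 2003 path, which reports "5".
/// </returns>
/// <exception cref="Exception">
/// Thrown for architectures other than x86/x64, for builds older than the implemented ones
/// ("Maybe implemented later"), and for an x86 build number that falls in no known range.
/// </exception>
public static LsaTemplate_NT6 get_template(SystemInfo.MINIDUMP_SYSTEM_INFO sysinfo)
{
    var template = new LsaTemplate_NT6();
    template.nt_major = "6";

    if (sysinfo.ProcessorArchitecture == SystemInfo.PROCESSOR_ARCHITECTURE.INTEL)
    {
        int build = sysinfo.BuildNumber;

        if (build <= (int)SystemInfo.WindowsMinBuild.WIN_XP)
        {
            throw new Exception("Maybe implemented later");
        }
        else if (build <= (int)SystemInfo.WindowsMinBuild.WIN_2K3)
        {
            // NT5 (2003-era) x86. Shares its signature/layouts with Vista x86 below.
            template.nt_major = "5";
            var src = new LSA_x86_1();
            template.key_pattern = src.key_pattern;
            template.key_handle_struct = src.key_handle_struct;
            template.key_struct = src.key_struct;
        }
        else if ((int)SystemInfo.WindowsMinBuild.WIN_VISTA <= build
                 && build < (int)SystemInfo.WindowsMinBuild.WIN_7)
        {
            // x86 template 1: Vista.
            var src = new LSA_x86_1();
            template.key_pattern = src.key_pattern;
            template.key_handle_struct = src.key_handle_struct;
            template.key_struct = src.key_struct;
        }
        else if ((int)SystemInfo.WindowsMinBuild.WIN_7 <= build
                 && build < (int)SystemInfo.WindowsMinBuild.WIN_8)
        {
            // x86 template 2: Windows 7.
            var src = new LSA_x86_2();
            template.key_pattern = src.key_pattern;
            template.key_handle_struct = src.key_handle_struct;
            template.key_struct = src.key_struct;
        }
        else if ((int)SystemInfo.WindowsMinBuild.WIN_8 <= build
                 && build < (int)SystemInfo.WindowsMinBuild.WIN_BLUE)
        {
            // x86 template 3: Windows 8.
            var src = new LSA_x86_3();
            template.key_pattern = src.key_pattern;
            template.key_handle_struct = src.key_handle_struct;
            template.key_struct = src.key_struct;
        }
        else if ((int)SystemInfo.WindowsMinBuild.WIN_BLUE <= build
                 && build < (int)SystemInfo.WindowsMinBuild.WIN_10)
        {
            // x86 template 4: Windows 8.1 ("Blue").
            var src = new LSA_x86_4();
            template.key_pattern = src.key_pattern;
            template.key_handle_struct = src.key_handle_struct;
            template.key_struct = src.key_struct;
        }
        else if ((int)SystemInfo.WindowsMinBuild.WIN_10 <= build
                 && build <= (int)SystemInfo.WindowsBuild.WIN_10_1507)
        {
            // x86 template 5: Windows 10 up to and including 1507.
            var src = new LSA_x86_5();
            template.key_pattern = src.key_pattern;
            template.key_handle_struct = src.key_handle_struct;
            template.key_struct = src.key_struct;
        }
        else if (build > (int)SystemInfo.WindowsBuild.WIN_10_1507)
        {
            // x86 template 6: everything after 1507.
            var src = new LSA_x86_6();
            template.key_pattern = src.key_pattern;
            template.key_handle_struct = src.key_handle_struct;
            template.key_struct = src.key_struct;
        }
        else
        {
            // Reached only for a build number strictly between WIN_2K3 and WIN_VISTA, which no
            // range above covers. Previously this fell through and returned a template whose
            // key_pattern/key_*_struct were never assigned; fail loudly instead so the caller
            // does not start a signature scan with an unset pattern.
            throw new Exception($"Could not identify LSA template! Architecture: {sysinfo.ProcessorArchitecture} BuildNumber: {sysinfo.BuildNumber}");
        }
    }
    else if (sysinfo.ProcessorArchitecture == SystemInfo.PROCESSOR_ARCHITECTURE.AMD64)
    {
        int build = sysinfo.BuildNumber;

        // Ordered ascending; each test implicitly carries the lower bound established by the
        // tests before it, and the final else catches every build from 1809 onward.
        if (build <= (int)SystemInfo.WindowsMinBuild.WIN_XP)
        {
            throw new Exception("Maybe implemented later");
        }
        else if (build <= (int)SystemInfo.WindowsMinBuild.WIN_2K3)
        {
            throw new Exception("Maybe implemented later");
        }
        else if (build < (int)SystemInfo.WindowsMinBuild.WIN_7)
        {
            // x64 template 1: Vista.
            var src = new LSA_x64_1();
            template.key_pattern = src.key_pattern;
            template.key_handle_struct = src.key_handle_struct;
            template.key_struct = src.key_struct;
        }
        else if (build < (int)SystemInfo.WindowsMinBuild.WIN_8)
        {
            // x64 template 2: Windows 7.
            var src = new LSA_x64_2();
            template.key_pattern = src.key_pattern;
            template.key_handle_struct = src.key_handle_struct;
            template.key_struct = src.key_struct;
        }
        else if (build < (int)SystemInfo.WindowsMinBuild.WIN_BLUE)
        {
            // x64 template 3: Windows 8.
            var src = new LSA_x64_3();
            template.key_pattern = src.key_pattern;
            template.key_handle_struct = src.key_handle_struct;
            template.key_struct = src.key_struct;
        }
        else if (build < (int)SystemInfo.WindowsMinBuild.WIN_10)
        {
            // x64 template 4: Windows 8.1 ("Blue").
            var src = new LSA_x64_4();
            template.key_pattern = src.key_pattern;
            template.key_handle_struct = src.key_handle_struct;
            template.key_struct = src.key_struct;
        }
        else if (build < (int)SystemInfo.WindowsBuild.WIN_10_1809)
        {
            // x64 template 5: Windows 10 before 1809.
            var src = new LSA_x64_5();
            template.key_pattern = src.key_pattern;
            template.key_handle_struct = src.key_handle_struct;
            template.key_struct = src.key_struct;
        }
        else
        {
            // x64 template 6: Windows 10 1809 and later.
            var src = new LSA_x64_6();
            template.key_pattern = src.key_pattern;
            template.key_handle_struct = src.key_handle_struct;
            template.key_struct = src.key_struct;
        }
    }
    else
    {
        throw new Exception($"Unknown architecture! {sysinfo.ProcessorArchitecture}");
    }

    return template;
}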