GhostPack / Rubeus

Trying to tame the three-headed dog.

LsaRegisterLogonProcess incorrect signature #106

Closed maxspb89 closed 2 years ago

maxspb89 commented 2 years ago

Executing x86 Rubeus dump on Windows7x64 gives such error as:

Action: Dump Kerberos Ticket Data (All Users)

[*] Current LUID    : *******

[X] Exception: Rubeus.lib.Interop.NtException: NTSTATUS error code 0xC0000140: Unknown error (0xc0000140)
   at Rubeus.LSA.EnumerateTickets(Boolean extractTicketData, LUID targetLuid, String targetService, String targetUser, String targetServer, Boolean includeComputerAccounts, Boolean silent)

[!] Unhandled Rubeus exception:

System.NullReferenceException: Object reference not set to an instance of an object.
   at Rubeus.LSA.DisplaySessionCreds(List`1 sessionCreds, TicketDisplayFormat displayFormat, Boolean showAll)
   at Rubeus.Commands.Dump.Execute(Dictionary`2 arguments)
   at Rubeus.Domain.CommandCollection.ExecuteCommand(String commandName, Dictionary`2 arguments)
   at Rubeus.Program.MainExecute(String commandName, Dictionary`2 parsedArgs)

After inspecting the LsaRegisterLogonProcess P/Invoke signature and MSDN, I've found that the 'ref' specifier is missing on the first arg.

[DllImport("secur32.dll", SetLastError = true)]
public static extern int LsaRegisterLogonProcess(
    LSA_STRING_IN LogonProcessName,
    out IntPtr LsaHandle,
    out ulong SecurityMode
);

Proof (https://docs.microsoft.com/en-us/windows/win32/api/ntsecapi/nf-ntsecapi-lsaregisterlogonprocess): [in] PLSA_STRING LogonProcessName: Pointer to an LSA_STRING structure identifying the logon application.

So, the signature should be:

[DllImport("secur32.dll", SetLastError = true)]
public static extern int LsaRegisterLogonProcess(
    ref LSA_STRING_IN LogonProcessName,
    out IntPtr LsaHandle,
    out ulong SecurityMode
);

and call:

public static IntPtr LsaRegisterLogonProcessHelper()
{
    // helper that establishes a connection to the LSA server and verifies that the caller is a logon application
    //  used for Kerberos ticket enumeration for ALL users

    var logonProcessName = "User32LogonProcesss"; // yes I know this is "weird" ;)
    Interop.LSA_STRING_IN LSAString;
    var lsaHandle = IntPtr.Zero;
    UInt64 securityMode = 0;

    LSAString.Length = (ushort)logonProcessName.Length;
    LSAString.MaximumLength = (ushort)(logonProcessName.Length + 1);
    LSAString.Buffer = logonProcessName;

    var ret = Interop.LsaRegisterLogonProcess(ref LSAString, out lsaHandle, out securityMode);

    return lsaHandle;
}
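The same fix as a self-contained C# snippet, added here as an example rather than taken from Rubeus: the LSA_STRING is passed by reference (a PLSA_STRING is a pointer, so without ref the marshaller copies the struct's fields onto the stack where the native side expects a pointer), the NTSTATUS return is checked instead of being discarded, the handle is released with LsaDeregisterLogonProcess, and SecurityMode is declared as a 32-bit uint because LSA_OPERATIONAL_MODE is a ULONG. The class and member names are this example's own.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

class LsaConnection : IDisposable
{
    // LSA_STRING layout: USHORT Length, USHORT MaximumLength, PCHAR Buffer (ANSI).
    [StructLayout(LayoutKind.Sequential)]
    struct LSA_STRING_IN
    {
        public ushort Length;
        public ushort MaximumLength;
        [MarshalAs(UnmanagedType.LPStr)] public string Buffer;
    }

    [DllImport("secur32.dll", SetLastError = true)]
    static extern int LsaRegisterLogonProcess(
        ref LSA_STRING_IN LogonProcessName, // PLSA_STRING: pointer, hence 'ref'
        out IntPtr LsaHandle,
        out uint SecurityMode);             // PLSA_OPERATIONAL_MODE is a PULONG (32-bit)

    [DllImport("secur32.dll")]
    static extern int LsaDeregisterLogonProcess(IntPtr LsaHandle);

    [DllImport("advapi32.dll")]
    static extern int LsaNtStatusToWinError(int Status);

    public IntPtr Handle { get; private set; } = IntPtr.Zero;

    public LsaConnection(string logonProcessName)
    {
        var name = new LSA_STRING_IN
        {
            Length = (ushort)logonProcessName.Length,
            MaximumLength = (ushort)(logonProcessName.Length + 1),
            Buffer = logonProcessName
        };
        // Requires SeTcbPrivilege; a failure is reported as an NTSTATUS, not an exception,
        // so checking it here is what turns the later NullReferenceException into a clear error.
        int status = LsaRegisterLogonProcess(ref name, out IntPtr handle, out uint _);
        if (status != 0)
            throw new Win32Exception(LsaNtStatusToWinError(status),
                $"LsaRegisterLogonProcess failed with NTSTATUS 0x{status:X8}");
        Handle = handle;
    }

    public void Dispose()
    {
        if (Handle != IntPtr.Zero) { LsaDeregisterLogonProcess(Handle); Handle = IntPtr.Zero; }
    }
}
```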