mirror of https://github.com/tongzx/nt5src
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
856 lines
24 KiB
856 lines
24 KiB
//+-----------------------------------------------------------------------
|
|
//
|
|
// Microsoft Windows
|
|
//
|
|
// Copyright (c) Microsoft Corporation 1991 - 1992
|
|
//
|
|
// File:
|
|
//
|
|
// Contents:
|
|
//
|
|
//
|
|
// History:
|
|
//
|
|
//------------------------------------------------------------------------
|
|
|
|
|
|
extern "C"
|
|
{
|
|
#include <nt.h>
|
|
#include <ntrtl.h>
|
|
#include <nturtl.h>
|
|
#include <windows.h>
|
|
}
|
|
#include <stdio.h>
|
|
|
|
#include <ntsdexts.h>
|
|
|
|
#include <dsysdbg.h>
|
|
#define SECURITY_PACKAGE
|
|
#define SECURITY_WIN32
|
|
#include <security.h>
|
|
#include <kerberos.h>
|
|
#include <secint.h>
|
|
#include <cryptdll.h>
|
|
|
|
#include <..\client2\kerb.hxx>
|
|
#include <..\client2\kerbp.h>
|
|
|
|
typedef struct _KDC_DOMAIN_INFO {
|
|
LIST_ENTRY Next;
|
|
UNICODE_STRING DnsName;
|
|
UNICODE_STRING NetbiosName;
|
|
struct _KDC_DOMAIN_INFO * ClosestRoute; // Points to referral target
|
|
ULONG Flags;
|
|
ULONG Attributes;
|
|
ULONG Type;
|
|
LONG References;
|
|
|
|
//
|
|
// Types used during building the tree
|
|
//
|
|
|
|
struct _KDC_DOMAIN_INFO * Parent;
|
|
ULONG Touched;
|
|
} KDC_DOMAIN_INFO, *PKDC_DOMAIN_INFO;
|
|
|
|
#define AllocHeap(x) RtlAllocateHeap(RtlProcessHeap(), HEAP_ZERO_MEMORY, x)
|
|
#define FreeHeap(x) RtlFreeHeap(RtlProcessHeap(), 0, x)
|
|
|
|
PNTSD_EXTENSION_APIS pExtApis;
|
|
HANDLE hDbgThread;
|
|
HANDLE hDbgProcess;
|
|
|
|
#define DebuggerOut (pExtApis->lpOutputRoutine)
|
|
#define GetExpr (PVOID) (pExtApis->lpGetExpressionRoutine)
|
|
#define InitDebugHelp(hProc,hThd,pApis) {hDbgProcess = hProc; hDbgThread = hThd; pExtApis = pApis;}
|
|
|
|
char * ContextState[] = {
|
|
"IdleState",
|
|
"TgtRequestSentState",
|
|
"TgtReplySentState",
|
|
"ApRequestSentState",
|
|
"ApReplySentState",
|
|
"AuthenticatedState",
|
|
"ErrorMessageSentState",
|
|
"InvalidState"};
|
|
|
|
void PrintContextAttributes( ULONG Attributes)
|
|
{
|
|
DebuggerOut(" ContextAttributes\t0x%lx:", Attributes);
|
|
if (Attributes & KERB_CONTEXT_MAPPED)
|
|
{
|
|
DebuggerOut(" KERB_CONTEXT_MAPPED");
|
|
}
|
|
if (Attributes & KERB_CONTEXT_OUTBOUND)
|
|
{
|
|
DebuggerOut(" KERB_CONTEXT_OUTBOUND");
|
|
}
|
|
if (Attributes & KERB_CONTEXT_INBOUND)
|
|
{
|
|
DebuggerOut(" KERB_CONTEXT_INBOUND");
|
|
}
|
|
if (Attributes & KERB_CONTEXT_USED_SUPPLIED_CREDS)
|
|
{
|
|
DebuggerOut(" KERB_CONTEXT_USED_SUPPLIED_CREDS");
|
|
}
|
|
if (Attributes & KERB_CONTEXT_USER_TO_USER)
|
|
{
|
|
DebuggerOut(" KERB_CONTEXT_USER_TO_USER");
|
|
}
|
|
if (Attributes & KERB_CONTEXT_REQ_SERVER_NAME)
|
|
{
|
|
DebuggerOut(" KERB_CONTEXT_REQ_SERVER_NAME");
|
|
}
|
|
if (Attributes & KERB_CONTEXT_REQ_SERVER_REALM)
|
|
{
|
|
DebuggerOut(" KERB_CONTEXT_REQ_SERVER_REALM");
|
|
}
|
|
if (Attributes & KERB_CONTEXT_IMPORTED)
|
|
{
|
|
DebuggerOut(" KERB_CONTEXT_IMPORTED");
|
|
}
|
|
if (Attributes & KERB_CONTEXT_EXPORTED)
|
|
{
|
|
DebuggerOut(" KERB_CONTEXT_EXPORTED");
|
|
}
|
|
DebuggerOut("\n");
|
|
}
|
|
void PrintContextFlags ( ULONG Flags)
|
|
{
|
|
DebuggerOut(" ContextFlags for 0x%lx are:\n", Flags);
|
|
if (Flags & 0x00000001)
|
|
{
|
|
DebuggerOut("\tISC(ASC)_REQ(RET)_DELEGATE\n");
|
|
}
|
|
if (Flags & 0x00000002)
|
|
{
|
|
DebuggerOut("\tISC(ASC)_REQ(RET)_MUTUAL_AUTH\n");
|
|
}
|
|
if (Flags & 0x00000004)
|
|
{
|
|
DebuggerOut("\tISC(ASC)_REQ(RET)_REPLAY_DETECT\n");
|
|
}
|
|
if (Flags & 0x00000008)
|
|
{
|
|
DebuggerOut("\tISC(ASC)_REQ(RET)_SEQUENCE_DETECT\n");
|
|
}
|
|
if (Flags & 0x00000010)
|
|
{
|
|
DebuggerOut("\tISC(ASC)_REQ(RET)_CONFIDENTIALITY\n");
|
|
}
|
|
if (Flags & 0x00000020)
|
|
{
|
|
DebuggerOut("\tISC(ASC)_REQ(RET)_USE_SESSION_KEY\n");
|
|
}
|
|
if (Flags & 0x00000040)
|
|
{
|
|
DebuggerOut("\tISC_REQ_PROMPT_FOR_CREDS or ISC_RET_USED_COLLECTED_CREDS\n");
|
|
}
|
|
if (Flags & 0x00000080)
|
|
{
|
|
DebuggerOut("\tISC_REQ_USE_SUPPLIED_CREDS or ISC_RET_USED_SUPPLIED_CREDS\n");
|
|
}
|
|
if (Flags & 0x00000100)
|
|
{
|
|
DebuggerOut("\tISC(ASC)_REQ_ALLOCATE_MEMORY or ISC(ASC)_RET_ALLOCATED_MEMORY\n");
|
|
}
|
|
if (Flags & 0x00000200)
|
|
{
|
|
DebuggerOut("\tISC(ASC)_REQ_USE_DCE_STYLE or ISC(ASC)_RET_USED_DCE_STYLE\n");
|
|
}
|
|
if (Flags & 0x00000400)
|
|
{
|
|
DebuggerOut("\tISC(ASC)_REQ(RET)_DATAGRAM\n");
|
|
}
|
|
if (Flags & 0x00000800)
|
|
{
|
|
DebuggerOut("\tISC(ASC)_REQ(RET)_CONNECTION\n");
|
|
}
|
|
if (Flags & 0x00001000)
|
|
{
|
|
DebuggerOut("\tISC(ASC)_REQ_CALL_LEVEL or ISC_RET_INTERMEDIATE_RETURN\n");
|
|
}
|
|
if (Flags & 0x00002000)
|
|
{
|
|
DebuggerOut("\tISC(ASC)_RET_CALL_LEVEL\n");
|
|
}
|
|
if (Flags & 0x00004000)
|
|
{
|
|
DebuggerOut("\tISC_REQ(RET)_EXTENDED_ERROR or ASC_RET_THIRD_LEG_FAILED\n");
|
|
}
|
|
if (Flags & 0x00008000)
|
|
{
|
|
DebuggerOut("\tISC_REQ(RET)_STREAM or ASC_REQ(RET)_EXTENDED_ERROR\n");
|
|
}
|
|
if (Flags & 0x00010000)
|
|
{
|
|
DebuggerOut("\tISC_REQ(RET)_INTEGRITY or ASC_REQ(RET)_STREAM\n");
|
|
}
|
|
if (Flags & 0x00020000)
|
|
{
|
|
DebuggerOut("\tISC_REQ(RET)_IDENTIFY or ASC_REQ(RET)_INTEGRITY\n");
|
|
}
|
|
if (Flags & 0x00040000)
|
|
{
|
|
DebuggerOut("\tISC_REQ(RET)_NULL_SESSION or ASC_REQ(RET)_LICENSING\n");
|
|
}
|
|
if (Flags & 0x00080000)
|
|
{
|
|
DebuggerOut("\tISC_REQ(RET)_MANUAL_CRED_VALIDATION or ASC_REQ(RET)_IDENTIFY\n");
|
|
}
|
|
if (Flags & 0x00100000)
|
|
{
|
|
DebuggerOut("\tISC_REQ(RET)_DELEGATE_IF_SAFE or ASC_REQ_ALLOW_NULL_SESSION or ASC_RET_NULL_SESSION\n");
|
|
}
|
|
if (Flags & 0x00200000)
|
|
{
|
|
DebuggerOut("\tASC_REQ(RET)_ALLOW_NON_USER_LOGONS\n");
|
|
}
|
|
if (Flags & 0x00400000)
|
|
{
|
|
DebuggerOut("\tASC_REQ(RET)_ALLOW_CONTEXT_REPLAY\n");
|
|
}
|
|
}
|
|
SECURITY_STATUS
|
|
ReadMemory( PVOID pvAddress,
|
|
ULONG cbMemory,
|
|
PVOID pvLocalMemory)
|
|
{
|
|
SIZE_T cbActual = cbMemory;
|
|
|
|
if (ReadProcessMemory(hDbgProcess, pvAddress, pvLocalMemory, cbMemory, &cbActual))
|
|
{
|
|
if (cbActual != cbMemory)
|
|
{
|
|
DebuggerOut(" counts don't match\n");
|
|
return(-1);
|
|
}
|
|
return(0);
|
|
}
|
|
DebuggerOut(" GetLastError from readMemory is %d\n", GetLastError());
|
|
return(GetLastError());
|
|
|
|
}
|
|
|
|
SECURITY_STATUS
|
|
WriteMemory(PVOID pvLocalMemory,
|
|
ULONG cbMemory,
|
|
PVOID pvAddress)
|
|
{
|
|
SIZE_T cbActual = cbMemory;
|
|
|
|
if (WriteProcessMemory(hDbgProcess, pvAddress, pvLocalMemory, cbMemory, &cbActual))
|
|
{
|
|
if (cbActual != cbMemory)
|
|
{
|
|
return(-1);
|
|
}
|
|
return(0);
|
|
}
|
|
return(GetLastError());
|
|
}
|
|
|
|
DWORD
|
|
GetDword(PVOID pvMemory)
|
|
{
|
|
DWORD dwVal;
|
|
SIZE_T cbActual = sizeof(DWORD);
|
|
|
|
if (ReadProcessMemory(hDbgProcess, pvMemory, &dwVal, sizeof(DWORD), &cbActual))
|
|
{
|
|
if (cbActual != sizeof(DWORD))
|
|
{
|
|
return((DWORD) -1);
|
|
}
|
|
return(dwVal);
|
|
}
|
|
return((DWORD) -1);
|
|
}
|
|
|
|
#define TIMEBUF_SZ 64
|
|
char *Months[] = { "", "Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul",
|
|
"Aug", "Sep", "Oct", "Nov", "Dec" };
|
|
void CTimeStamp(PTimeStamp ptsTime,
|
|
LPSTR pszTimeBuf)
|
|
{
|
|
SYSTEMTIME stTime;
|
|
FILETIME tLocal;
|
|
SYSTEMTIME stLocal;
|
|
|
|
if (ptsTime->HighPart == 0)
|
|
{
|
|
strcpy(pszTimeBuf, "<Zero>");
|
|
}
|
|
else if (ptsTime->HighPart >= 0x7FFFFFFF)
|
|
{
|
|
strcpy(pszTimeBuf, "<Never>");
|
|
}
|
|
FileTimeToLocalFileTime((LPFILETIME) ptsTime, &tLocal);
|
|
FileTimeToSystemTime((LPFILETIME) ptsTime, &stTime);
|
|
FileTimeToSystemTime(&tLocal, &stLocal);
|
|
sprintf(pszTimeBuf, "%02d:%02d:%02d.%03d, %s %02d, %d UTC (%02d:%02d:%02d.%03d, %s %02d, %d Local)", stTime.wHour,
|
|
stTime.wMinute, stTime.wSecond, stTime.wMilliseconds,
|
|
Months[stTime.wMonth], stTime.wDay, stTime.wYear,
|
|
stLocal.wHour, stLocal.wMinute, stLocal.wSecond, stLocal.wMilliseconds, Months[stLocal.wMonth], stLocal.wDay, stLocal.wYear);
|
|
}
|
|
|
|
void ContextTimeStamp(PTimeStamp ptsTime,
|
|
LPSTR pszTimeBuf)
|
|
{
|
|
// We set local times in sspi
|
|
SYSTEMTIME stTime;
|
|
FILETIME tutc;
|
|
SYSTEMTIME stLocal;
|
|
TimeStamp Time;
|
|
|
|
if (ReadMemory( ptsTime, sizeof( TimeStamp), &Time))
|
|
{
|
|
DebuggerOut(" Could not read context\n");
|
|
return;
|
|
}
|
|
if (Time.HighPart == 0)
|
|
{
|
|
strcpy(pszTimeBuf, "<Zero>");
|
|
}
|
|
else if (Time.HighPart >= 0x7FFFFFFF)
|
|
{
|
|
strcpy(pszTimeBuf, "<Never>");
|
|
}
|
|
FileTimeToSystemTime((LPFILETIME) &Time, &stLocal);
|
|
LocalFileTimeToFileTime((LPFILETIME) &Time, &tutc);
|
|
FileTimeToSystemTime(&tutc, &stTime);
|
|
sprintf(pszTimeBuf, "%02d:%02d:%02d.%03d, %s %02d, %d UTC (%02d:%02d:%02d.%03d, %s %02d, %d Local)", stTime.wHour,
|
|
stTime.wMinute, stTime.wSecond, stTime.wMilliseconds,
|
|
Months[stTime.wMonth], stTime.wDay, stTime.wYear,
|
|
stLocal.wHour, stLocal.wMinute, stLocal.wSecond, stLocal.wMilliseconds, Months[stLocal.wMonth], stLocal.wDay, stLocal.wYear);
|
|
}
|
|
|
|
void
|
|
MapString(PSECURITY_STRING pClientString,
|
|
PSECURITY_STRING pLocalString)
|
|
{
|
|
if (!pLocalString->Buffer)
|
|
{
|
|
pLocalString->Buffer = (PWSTR) AllocHeap(pClientString->Length + 2);
|
|
if (pLocalString->Buffer == NULL)
|
|
{
|
|
return;
|
|
}
|
|
pLocalString->MaximumLength = pClientString->Length + 2;
|
|
}
|
|
|
|
RtlZeroMemory(pLocalString->Buffer, pLocalString->MaximumLength);
|
|
|
|
if (!ReadMemory(pClientString->Buffer, pClientString->Length, pLocalString->Buffer))
|
|
{
|
|
pLocalString->Length = pClientString->Length;
|
|
}
|
|
else
|
|
{
|
|
DebuggerOut("\nWarning: could not read string @%x\n", pClientString->Buffer);
|
|
}
|
|
|
|
}
|
|
|
|
void PrintSid(PVOID pvSid)
|
|
{
|
|
SID Sid;
|
|
PSID pSid;
|
|
UNICODE_STRING ucsSid;
|
|
|
|
DebuggerOut(" UserSid \t0x%lx ", pvSid);
|
|
if (pvSid)
|
|
{
|
|
if (ReadMemory(pvSid, sizeof(SID), &Sid))
|
|
{
|
|
DebuggerOut("Could not read from %x\n", pvSid);
|
|
}
|
|
|
|
pSid = AllocHeap(RtlLengthRequiredSid(Sid.SubAuthorityCount));
|
|
if (pSid == NULL)
|
|
{
|
|
return;
|
|
}
|
|
if (ReadMemory(pvSid, RtlLengthRequiredSid(Sid.SubAuthorityCount), pSid))
|
|
{
|
|
DebuggerOut("Could not read from %x\n", pvSid);
|
|
}
|
|
|
|
RtlConvertSidToUnicodeString(&ucsSid, pSid, TRUE);
|
|
DebuggerOut(" %wZ", &ucsSid);
|
|
RtlFreeUnicodeString(&ucsSid);
|
|
FreeHeap(pSid);
|
|
}
|
|
DebuggerOut("\n");
|
|
}
|
|
|
|
VOID
|
|
PrintEType(
|
|
ULONG EType
|
|
)
|
|
{
|
|
switch(EType)
|
|
{
|
|
case KERB_ETYPE_NULL:
|
|
DebuggerOut("KERB_ETYPE_NULL\n"); break;
|
|
case KERB_ETYPE_DES_CBC_CRC:
|
|
DebuggerOut("KERB_ETYPE_DES_CBC_CRC\n"); break;
|
|
case KERB_ETYPE_DES_CBC_MD4:
|
|
DebuggerOut("KERB_ETYPE_DES_CBC_MD4\n"); break;
|
|
case KERB_ETYPE_DES_CBC_MD5:
|
|
DebuggerOut("KERB_ETYPE_DES_CBC_MD5\n"); break;
|
|
case KERB_ETYPE_OLD_RC4_MD4:
|
|
DebuggerOut("KERB_ETYPE_OLD_RC4_MD4\n"); break;
|
|
case KERB_ETYPE_OLD_RC4_PLAIN:
|
|
DebuggerOut("KERB_ETYPE_OLD_RC4_PLAIN\n"); break;
|
|
case KERB_ETYPE_OLD_RC4_LM:
|
|
DebuggerOut("KERB_ETYPE_OLD_RC4_LM\n"); break;
|
|
case KERB_ETYPE_OLD_RC4_SHA:
|
|
DebuggerOut("KERB_ETYPE_OLD_RC4_SHA\n"); break;
|
|
case KERB_ETYPE_OLD_DES_PLAIN:
|
|
DebuggerOut("KERB_ETYPE_OLD_DES_PLAIN\n"); break;
|
|
case KERB_ETYPE_RC4_MD4:
|
|
DebuggerOut("KERB_ETYPE_RC4_MD4\n"); break;
|
|
case KERB_ETYPE_RC4_PLAIN2:
|
|
DebuggerOut("KERB_ETYPE_RC4_PLAIN2\n"); break;
|
|
case KERB_ETYPE_RC4_LM:
|
|
DebuggerOut("KERB_ETYPE_RC4_LM\n"); break;
|
|
case KERB_ETYPE_RC4_SHA:
|
|
DebuggerOut("KERB_ETYPE_RC4_SHA\n"); break;
|
|
case KERB_ETYPE_DES_PLAIN:
|
|
DebuggerOut("KERB_ETYPE_DES_PLAIN\n"); break;
|
|
case KERB_ETYPE_RC4_PLAIN:
|
|
DebuggerOut("KERB_ETYPE_RC4_PLAIN\n"); break;
|
|
case KERB_ETYPE_RC4_HMAC_OLD:
|
|
DebuggerOut("KERB_ETYPE_RC4_HMAC_OLD\n"); break;
|
|
case KERB_ETYPE_RC4_HMAC_OLD_EXP:
|
|
DebuggerOut("KERB_ETYPE_RC4_HMAC_OLD_EXP\n"); break;
|
|
case KERB_ETYPE_RC4_PLAIN_EXP:
|
|
DebuggerOut("KERB_ETYPE_RC4_PLAIN_EXP\n"); break;
|
|
case KERB_ETYPE_DSA_SIGN:
|
|
DebuggerOut("KERB_ETYPE_DSA_SIGN\n"); break;
|
|
case KERB_ETYPE_RSA_PRIV:
|
|
DebuggerOut("KERB_ETYPE_RSA_PRIV\n"); break;
|
|
case KERB_ETYPE_RSA_PUB:
|
|
DebuggerOut("KERB_ETYPE_RSA_PUB\n"); break;
|
|
case KERB_ETYPE_RSA_PUB_MD5:
|
|
DebuggerOut("KERB_ETYPE_RSA_PUB_MD5\n"); break;
|
|
case KERB_ETYPE_RSA_PUB_SHA1:
|
|
DebuggerOut("KERB_ETYPE_RSA_PUB_SHA1\n"); break;
|
|
case KERB_ETYPE_PKCS7_PUB:
|
|
DebuggerOut("KERB_ETYPE_PKCS7_PUB\n"); break;
|
|
case KERB_ETYPE_DES_CBC_MD5_NT:
|
|
DebuggerOut("KERB_ETYPE_DES_CBC_MD5_NT\n"); break;
|
|
default:
|
|
DebuggerOut("Unknown EType: 0x%lx\n", EType); break;
|
|
}
|
|
}
|
|
VOID
|
|
ShowKerbContext(
|
|
IN PVOID pContext
|
|
)
|
|
{
|
|
KERB_CONTEXT Context;
|
|
CHAR TimeBuf[80];
|
|
SECURITY_STRING sLocal;
|
|
sLocal.Buffer = NULL;
|
|
|
|
if (ReadMemory( pContext, sizeof( KERB_CONTEXT), &Context ))
|
|
{
|
|
DebuggerOut(" Could not read context\n");
|
|
return;
|
|
}
|
|
|
|
CTimeStamp( &Context.Lifetime, TimeBuf );
|
|
DebuggerOut(" Lifetime \t%s\n", TimeBuf );
|
|
|
|
CTimeStamp( &Context.RenewTime, TimeBuf );
|
|
DebuggerOut(" RenewTime \t%s\n", TimeBuf );
|
|
|
|
MapString( &Context.ClientName, &sLocal);
|
|
DebuggerOut(" ClientName \t%ws\n", sLocal.Buffer);
|
|
FreeHeap(sLocal.Buffer);
|
|
sLocal.Buffer = NULL;
|
|
|
|
MapString( &Context.ClientRealm, &sLocal);
|
|
DebuggerOut(" ClientRealm \t%ws\n", sLocal.Buffer);
|
|
FreeHeap(sLocal.Buffer);
|
|
sLocal.Buffer = NULL;
|
|
|
|
DebuggerOut(" Process ID \t0x%lx\n", Context.ClientProcess);
|
|
DebuggerOut(" LogonId \t0x%lx : 0x%lx\n", Context.LogonId.LowPart, Context.LogonId.HighPart );
|
|
DebuggerOut(" TokenHandle \t0x%lx\n", Context.TokenHandle );
|
|
DebuggerOut(" CredentialHandle\t0x%lx\n", Context.CredentialHandle);
|
|
DebuggerOut(" SessionKey type \t");
|
|
PrintEType(Context.SessionKey.keytype);
|
|
DebuggerOut(" SessionKey length \t0x%lx\n", Context.SessionKey.keyvalue.length);
|
|
DebuggerOut(" Nonce \t0x%lx\n", Context.Nonce);
|
|
DebuggerOut(" ReceiveNonce \t0x%lx\n", Context.ReceiveNonce);
|
|
DebuggerOut(" ContextFlags \t0x%lx\n", Context.ContextFlags);
|
|
PrintContextAttributes(Context.ContextAttributes);
|
|
DebuggerOut(" EncryptionType \t");
|
|
PrintEType(Context.EncryptionType);
|
|
PrintSid(Context.UserSid);
|
|
DebuggerOut(" ContextState \t%s\n", ContextState[Context.ContextState]);
|
|
DebuggerOut(" Retries \t0x%lx\n", Context.Retries );
|
|
DebuggerOut(" TicketKey type \t");
|
|
PrintEType(Context.TicketKey.keytype);
|
|
DebuggerOut(" TicketKey length\t0x%lx\n", Context.TicketKey.keyvalue.length);
|
|
DebuggerOut(" TicketCacheEntry\t0x%lx\n", Context.TicketCacheEntry);
|
|
}
|
|
|
|
VOID
|
|
DumpContext(
|
|
HANDLE hProcess,
|
|
HANDLE hThread,
|
|
DWORD dwCurrentPc,
|
|
PNTSD_EXTENSION_APIS lpExt,
|
|
LPSTR pszCommand)
|
|
{
|
|
PVOID pContext;
|
|
|
|
InitDebugHelp( hProcess,
|
|
hThread,
|
|
lpExt);
|
|
|
|
pContext = GetExpr( pszCommand );
|
|
|
|
if ( pContext == NULL ) {
|
|
|
|
return;
|
|
}
|
|
|
|
ShowKerbContext( pContext );
|
|
|
|
}
|
|
|
|
void PrintLogonType(SECURITY_LOGON_TYPE LogonType)
|
|
{
|
|
switch(LogonType)
|
|
{
|
|
case Interactive:
|
|
DebuggerOut("Interactive\n"); break;
|
|
case Network:
|
|
DebuggerOut("Network\n"); break;
|
|
case Batch:
|
|
DebuggerOut("Batch\n"); break;
|
|
case Service:
|
|
DebuggerOut("Service\n"); break;
|
|
case Proxy:
|
|
DebuggerOut("Proxy\n"); break;
|
|
case Unlock:
|
|
DebuggerOut("Unlock\n"); break;
|
|
default:
|
|
DebuggerOut("Unknown Logon Type: 0x%lx\n", LogonType); break;
|
|
}
|
|
}
|
|
|
|
VOID
|
|
ShowKerbTCacheEntry(PVOID pCache)
|
|
{
|
|
/*
|
|
typedef struct _KERB_TICKET_CACHE_ENTRY {
|
|
KERBEROS_LIST_ENTRY ListEntry;
|
|
PKERB_INTERNAL_NAME ServiceName;
|
|
PKERB_INTERNAL_NAME TargetName;
|
|
UNICODE_STRING DomainName;
|
|
UNICODE_STRING TargetDomainName;
|
|
UNICODE_STRING AltTargetDomainName;
|
|
PKERB_INTERNAL_NAME ClientName;
|
|
ULONG TicketFlags;
|
|
ULONG CacheFlags;
|
|
KERB_ENCRYPTION_KEY SessionKey;
|
|
TimeStamp KeyExpirationTime;
|
|
TimeStamp StartTime;
|
|
TimeStamp EndTime;
|
|
TimeStamp RenewUntil;
|
|
KERB_TICKET Ticket;
|
|
TimeStamp TimeSkew;
|
|
} KERB_TICKET_CACHE_ENTRY, *PKERB_TICKET_CACHE_ENTRY;
|
|
*/
|
|
KERB_TICKET_CACHE_ENTRY Cache;
|
|
CHAR TimeBuf[64];
|
|
SECURITY_STRING sLocal;
|
|
ULONG Temp;
|
|
sLocal.Buffer = NULL;
|
|
|
|
if (ReadMemory( pCache, sizeof( KERB_TICKET_CACHE_ENTRY), &Cache))
|
|
{
|
|
DebuggerOut(" Could not read ticket cache entry\n");
|
|
return;
|
|
}
|
|
DebuggerOut(" ServiceName \t0x%lx\n", Cache.ServiceName);
|
|
DebuggerOut(" TargetName \t0x%lx\n", Cache.TargetName);
|
|
|
|
MapString( &Cache.DomainName, &sLocal);
|
|
DebuggerOut(" DomainName \t%ws\n", sLocal.Buffer);
|
|
FreeHeap(sLocal.Buffer);
|
|
sLocal.Buffer = NULL;
|
|
|
|
MapString( &Cache.TargetDomainName, &sLocal);
|
|
DebuggerOut(" TargetDomainName \t%ws\n", sLocal.Buffer);
|
|
FreeHeap(sLocal.Buffer);
|
|
sLocal.Buffer = NULL;
|
|
|
|
MapString( &Cache.AltTargetDomainName, &sLocal);
|
|
DebuggerOut(" AltTargetDomainName \t%ws\n", sLocal.Buffer);
|
|
FreeHeap(sLocal.Buffer);
|
|
sLocal.Buffer = NULL;
|
|
|
|
DebuggerOut(" ClientName \t0x%lx\n", Cache.ClientName);
|
|
DebuggerOut(" TicketFlags \t0x%lx\n", Cache.TicketFlags);
|
|
DebuggerOut(" CacheFlags \t0x%lx\n", Cache.CacheFlags);
|
|
DebuggerOut(" EncryptionType \t");
|
|
PrintEType(Cache.SessionKey.keytype);
|
|
CTimeStamp( &Cache.KeyExpirationTime, TimeBuf );
|
|
DebuggerOut(" KeyExpirationTime \t%s\n", TimeBuf );
|
|
CTimeStamp( &Cache.StartTime, TimeBuf );
|
|
DebuggerOut(" StartTime \t%s\n", TimeBuf );
|
|
CTimeStamp( &Cache.EndTime, TimeBuf );
|
|
DebuggerOut(" Endtime \t%s\n", TimeBuf );
|
|
CTimeStamp( &Cache.RenewUntil, TimeBuf );
|
|
DebuggerOut(" RenewUntil \t%s\n", TimeBuf );
|
|
}
|
|
|
|
VOID
|
|
ShowKerbLSession(
|
|
IN PVOID pSession
|
|
)
|
|
{
|
|
KERB_LOGON_SESSION Session;
|
|
CHAR TimeBuf[64];
|
|
SECURITY_STRING sLocal;
|
|
ULONG_PTR Temp;
|
|
sLocal.Buffer = NULL;
|
|
|
|
if (ReadMemory( pSession, sizeof( KERB_LOGON_SESSION), &Session))
|
|
{
|
|
DebuggerOut(" Could not read logon session\n");
|
|
return;
|
|
}
|
|
//DebuggerOut(" Credential \t0x%lx\n", Session.SspCredentials);
|
|
DebuggerOut(" LogonId \t0x%lx : 0x%lx\n", Session.LogonId.LowPart, Session.LogonId.HighPart );
|
|
CTimeStamp( &Session.Lifetime, TimeBuf );
|
|
DebuggerOut(" Lifetime \t%s\n", TimeBuf );
|
|
//PrintPCred(Session.PrimaryCredentials);
|
|
|
|
MapString( &Session.PrimaryCredentials.UserName, &sLocal);
|
|
DebuggerOut(" UserName \t%ws\n", sLocal.Buffer);
|
|
FreeHeap(sLocal.Buffer);
|
|
sLocal.Buffer = NULL;
|
|
|
|
MapString( &Session.PrimaryCredentials.DomainName, &sLocal);
|
|
DebuggerOut(" DomainName \t%ws\n", sLocal.Buffer);
|
|
FreeHeap(sLocal.Buffer);
|
|
sLocal.Buffer = NULL;
|
|
|
|
DebuggerOut(" Passwords \t0x%lx\n", Session.PrimaryCredentials.Passwords);
|
|
DebuggerOut(" OldPasswords \t0x%lx\n", Session.PrimaryCredentials.OldPasswords);
|
|
DebuggerOut(" PublicKeyCreds \t0x%lx\n", Session.PrimaryCredentials.PublicKeyCreds);
|
|
DebuggerOut(" LogonSessionFlags\t0x%lx\n", Session.LogonSessionFlags);
|
|
|
|
// ServerTicketCache
|
|
Temp = (ULONG_PTR)pSession+ FIELD_OFFSET(KERB_LOGON_SESSION, PrimaryCredentials) + FIELD_OFFSET(KERB_PRIMARY_CREDENTIAL, ServerTicketCache);
|
|
|
|
DebuggerOut(" ServerTicketCache \t0x%p\n", Temp);
|
|
|
|
// AuthenticationTicketCache
|
|
Temp = (ULONG_PTR)pSession+ FIELD_OFFSET(KERB_LOGON_SESSION, PrimaryCredentials) + FIELD_OFFSET(KERB_PRIMARY_CREDENTIAL, AuthenticationTicketCache);
|
|
|
|
DebuggerOut(" AuthenticationTicketCache \t0x%p\n", Temp );
|
|
|
|
|
|
}
|
|
|
|
VOID
|
|
DumpLSession(
|
|
HANDLE hProcess,
|
|
HANDLE hThread,
|
|
DWORD dwCurrentPc,
|
|
PNTSD_EXTENSION_APIS lpExt,
|
|
LPSTR pszCommand)
|
|
{
|
|
PVOID pSession;
|
|
|
|
InitDebugHelp( hProcess,
|
|
hThread,
|
|
lpExt);
|
|
|
|
pSession = GetExpr( pszCommand );
|
|
|
|
if ( pSession == NULL ) {
|
|
|
|
return;
|
|
}
|
|
|
|
ShowKerbLSession( pSession);
|
|
|
|
}
|
|
|
|
VOID
|
|
DumpTCacheEntry(
|
|
HANDLE hProcess,
|
|
HANDLE hThread,
|
|
DWORD dwCurrentPc,
|
|
PNTSD_EXTENSION_APIS lpExt,
|
|
LPSTR pszCommand)
|
|
{
|
|
PVOID pCache;
|
|
|
|
InitDebugHelp( hProcess,
|
|
hThread,
|
|
lpExt);
|
|
|
|
pCache = GetExpr( pszCommand );
|
|
|
|
if ( pCache == NULL ) {
|
|
|
|
return;
|
|
}
|
|
|
|
ShowKerbTCacheEntry( pCache);
|
|
}
|
|
|
|
/*
|
|
VOID
|
|
ShowDomainList(PVOID pDomain)
|
|
{
|
|
PLIST_ENTRY DomainList = (PLIST_ENTRY) pDomain;
|
|
SECURITY_STRING sLocal;
|
|
PLIST_ENTRY ListEntry;
|
|
PKDC_DOMAIN_INFO Domain;
|
|
|
|
|
|
for (ListEntry = DomainList->Flink;
|
|
ListEntry != DomainList ;
|
|
ListEntry = ListEntry->Flink )
|
|
{
|
|
Domain = (PKDC_DOMAIN_INFO) CONTAINING_RECORD(ListEntry, KDC_DOMAIN_INFO, Next);
|
|
|
|
MapString( &Domain->DnsName, &sLocal);
|
|
DebuggerOut(" DomainName \t%ws\n", sLocal.Buffer);
|
|
FreeHeap(sLocal.Buffer);
|
|
sLocal.Buffer = NULL;
|
|
|
|
if (Domain->ClosestRoute == NULL)
|
|
{
|
|
DebuggerOut(" No closest route\n");
|
|
}
|
|
else
|
|
{
|
|
MapString( Domain->ClosestRoute, &sLocal);
|
|
DebuggerOut(" Closest Route \t%ws\n", sLocal.Buffer);
|
|
FreeHeap(sLocal.Buffer);
|
|
sLocal.Buffer = NULL;
|
|
}
|
|
|
|
if (Domain->Parent == NULL)
|
|
{
|
|
DebuggerOut(" No parent\n");
|
|
}
|
|
else
|
|
{
|
|
MapString( &Domain->Parent->DnsName, &sLocal);
|
|
DebuggerOut(" Parent \t%ws\n", sLocal.Buffer);
|
|
FreeHeap(sLocal.Buffer);
|
|
sLocal.Buffer = NULL;
|
|
}
|
|
}
|
|
}
|
|
|
|
VOID
|
|
DumpReferralTree(
|
|
HANDLE hProcess,
|
|
HANDLE hThread,
|
|
DWORD dwCurrentPc,
|
|
PNTSD_EXTENSION_APIS lpExt,
|
|
LPSTR pszCommand)
|
|
{
|
|
PVOID pDomain;
|
|
|
|
InitDebugHelp( hProcess,
|
|
hThread,
|
|
lpExt);
|
|
|
|
pDomain = GetExpr( pszCommand );
|
|
|
|
if ( pDomain == NULL ) {
|
|
|
|
return;
|
|
}
|
|
ShowDomainList(pDomain);
|
|
}
|
|
*/
|
|
|
|
VOID
|
|
DumpContextFlags(
|
|
HANDLE hProcess,
|
|
HANDLE hThread,
|
|
DWORD dwCurrentPc,
|
|
PNTSD_EXTENSION_APIS lpExt,
|
|
LPSTR pszCommand)
|
|
{
|
|
PVOID pContext;
|
|
|
|
InitDebugHelp( hProcess,
|
|
hThread,
|
|
lpExt);
|
|
|
|
pContext = GetExpr( pszCommand );
|
|
|
|
if ( pContext == NULL ) {
|
|
|
|
return;
|
|
}
|
|
|
|
PrintContextFlags( (ULONG)((ULONG_PTR)pContext) );
|
|
|
|
}
|
|
|
|
VOID
|
|
DumpCTimeStamp(
|
|
HANDLE hProcess,
|
|
HANDLE hThread,
|
|
DWORD dwCurrentPc,
|
|
PNTSD_EXTENSION_APIS lpExt,
|
|
LPSTR pszCommand)
|
|
{
|
|
PVOID pContext;
|
|
CHAR TimeBuf[100];
|
|
|
|
InitDebugHelp( hProcess,
|
|
hThread,
|
|
lpExt);
|
|
|
|
pContext = GetExpr( pszCommand );
|
|
|
|
if ( pContext == NULL ) {
|
|
|
|
return;
|
|
}
|
|
|
|
ContextTimeStamp( (PTimeStamp) pContext, TimeBuf );
|
|
DebuggerOut(" TimeStamp \t%s\n", TimeBuf );
|
|
|
|
}
|
|
|
|
void
|
|
Help( HANDLE hProcess,
|
|
HANDLE hThread,
|
|
DWORD dwCurrentPc,
|
|
PNTSD_EXTENSION_APIS lpExt,
|
|
LPSTR pszCommand)
|
|
{
|
|
|
|
InitDebugHelp(hProcess, hThread, lpExt);
|
|
|
|
DebuggerOut("Kerberos Exts Debug Help\n");
|
|
DebuggerOut(" DumpContext <addr> \tDumps a Kerberos context\n");
|
|
DebuggerOut(" DumpLSession <addr> \tDumps a Kerberos logon session\n");
|
|
DebuggerOut(" DumpTCacheEntry <addr> \tDumps a Kerberos ticket cache entry\n");
|
|
DebuggerOut(" DumpContextFlags <hex ulong>\tDumps an SSPI context flags\n");
|
|
DebuggerOut(" DumpCTimeStamp <hex ulong>\tDumps a Context Expiry Time\n");
|
|
|
|
}
|
|
|