!This program cannot be run in DOS mode.
h.rdata
H.data
.pdata
B.reloc
mimikatz.exe
cmd.exe
powershell.exe
c:\security\mimikatz\mimidrv\objfre_wnet_amd64\amd64\mimidrv.pdb
IoDeleteSymbolicLink
NtBuildNumber
RtlInitUnicodeString
IoDeleteDevice
MmGetSystemRoutineAddress
_vsnwprintf
KeBugCheck
IofCompleteRequest
IoCreateSymbolicLink
IoCreateDevice
PsProcessType
PsGetProcessImageFileName
PsLookupProcessByProcessId
PsReferencePrimaryToken
ZwOpenProcessTokenEx
IoGetCurrentProcess
ZwSetInformationProcess
ZwClose
ZwDuplicateToken
PsInitialSystemProcess
RtlCompareMemory
ObfDereferenceObject
ObOpenObjectByPointer
PsGetProcessId
PsDereferencePrimaryToken
ExAllocatePoolWithTag
ExFreePoolWithTag
IoFreeMdl
MmProbeAndLockPages
MmUnlockPages
IoAllocateMdl
ZwUnloadKey
IoEnumerateRegisteredFiltersList
KeBugCheckEx
ntoskrnl.exe
FltObjectDereference
FltEnumerateFilters
FltEnumerateInstances
FltGetFilterInformation
FltGetVolumeFromInstance
FLTMGR.SYS
PsGetVersion
ExAllocatePoolWithQuotaTag
ZwQuerySystemInformation
RtlUnwindEx
GlobalSign nv-sa1'0%
GlobalSign CodeSigning CA - G20
110628094616Z
140628094616Z0&1
Benjamin Delpy0
&https://www.globalsign.com/repository/0
-http://crl.globalsign.com/gs/gscodesigng2.crl0P
4http://secure.globalsign.com/cacert/gscodesigng2.crt0
GlobalSign nv-sa1
Root CA1
GlobalSign Root CA0
110413100000Z
260413100000Z0Q1
GlobalSign nv-sa1'0%
GlobalSign CodeSigning CA - G20
!http://ocsp.globalsign.com/rootr103
"http://crl.globalsign.com/root.crl0c
&https://www.globalsign.com/repository/0
Washington1
Redmond1
Microsoft Corporation1)0'
Microsoft Code Verification Root0
060523170051Z
160523171051Z0W1
GlobalSign nv-sa1
Root CA1
GlobalSign Root CA0
Dhttp://crl.microsoft.com/pki/crl/products/MicrosoftCodeVerifRoot.crl0
GlobalSign nv-sa1'0%
GlobalSign CodeSigning CA - G2
$http://blog.gentilkiwi.com/mimikatz 0
ZwSetSystemEnvironmentValueEx
Raw command (not implemented yet) : %s
Input : %s
Output : %s
in (0x%p - %u) ; out (0x%p - %u)
Sig %02x/%02x
[%1x-%1x-%1x]
P-Proc
Token from %u/%-14S
* to %u/%-14S
! ZwSetInformationProcess 0x%08x for %u/%-14S
All privileges for the access token from %u/%-14S
0x%p - %u
0x%p [ ? ]
0x%p [%S + 0x%x]
KeServiceDescriptorTable : 0x%p (%u)
[%5u]
[%.2u]
* %wZ
* Callback [type %u] - Handle 0x%p (@ 0x%p)
PreOperation :
PostOperation :
[%.2u] %wZ
[%.2u] %.*s
[%.2u] %wZ
[%.2u] /
[0x%2x] %s
PreCallback :
PostCallback :
RtlQueryModuleInformation
\DosDevices\mimidrv
\Device\mimidrv
OkayToClose
QueryName
Security
Parse
Delete
Close
Open
Dump
FsRtlAllocateResource
DbgkLkmdUnregisterCallback
CmGetCallbackVersion
CmSetCallbackObjectContext
SeSetAuthorizationCallbacks
CmUnRegisterCallback
CmRegisterCallback
KseRegisterShim
RtlRunOnceInitialize
IoCreateController
ObUnRegisterCallbacks
ObRegisterCallbacks
ObReferenceSecurityDescriptor
ObCreateObjectType
PsSetLoadImageNotifyRoutineEx
SeRegisterLogonSessionTerminatedRoutineEx
PsSetCreateThreadNotifyRoutine
PsSetLoadImageNotifyRoutine
MmProbeAndLockProcessPages
ExSizeOfRundownProtectionCacheAware
IoSetPartitionInformationEx
FsRtlReleaseFile
RtlQueryTimeZoneInformation
NtRequestPort
PsSetLegoNotifyRoutine
IoCreateDriver
EtwEnableTrace
RtlGetSystemBootStatus
KeRegisterProcessorChangeCallback
PsSetCreateProcessNotifyRoutine
RtlGetIntegerAtom
RtlAreAllAccessesGranted
PsReferenceImpersonationToken
SeCreateAccessStateEx
PsRemoveLoadImageNotifyRoutine
PsRemoveCreateThreadNotifyRoutine
NtFindAtom
ObCreateObject
FsRtlAddToTunnelCache
PsAcquireProcessExitSynchronization
MmLockPagableSectionByHandle
RtlUnicodeToMultiByteSize
ExRaiseAccessViolation
PsDereferenceKernelStack
CcSetBcbOwnerPointer
PsReferencePrimaryToken
SET_QUOTA
QUERY_QUOTA
DEVICE_CHANGE
SYSTEM_CONTROL
SET_SECURITY
QUERY_SECURITY
CREATE_MAILSLOT
CLEANUP
LOCK_CONTROL
SHUTDOWN
INTERNAL_DEVICE_CONTROL
DEVICE_CONTROL
FILE_SYSTEM_CONTROL
DIRECTORY_CONTROL
SET_VOLUME_INFORMATION
QUERY_VOLUME_INFORMATION
FLUSH_BUFFERS
SET_EA
QUERY_EA
SET_INFORMATION
QUERY_INFORMATION
CREATE_NAMED_PIPE
CREATE
VS_VERSION_INFO
StringFileInfo
040904b0
ProductName
mimidrv (mimikatz)
ProductVersion
2.2.0.0
CompanyName
gentilkiwi (Benjamin DELPY)
FileDescription
mimidrv for Windows (mimikatz)
FileVersion
2.2.0.0
InternalName
mimidrv
LegalCopyright
Copyright (c) 2007 - 2021 gentilkiwi (Benjamin DELPY)
OriginalFilename
mimidrv.sys
PrivateBuild
Build with love for POC only
SpecialBuild
VarFileInfo
Translation
CrossC
*mimikatz driver 2.2.