工具简介
POSTDump是ReactOS minidump函数(如nanodump)的C#/.NET实现,从而避免调用Windows API MiniDumpWriteDump函数,它使用几种技术绕过EDR Hook和PPI保护来执行内存转储(lsass)。
![可绕过EDR和PPL保护内存转储工具]( "可绕过EDR和PPL保护内存转储工具")
工具参数
下载地址
https://github.com/YOLOP0wn/POSTDump
例如NanoDump,您可以对小型转储进行加密或使用无效签名;支持使用ProcExp驱动程序转储/终止受保护的进程。
c:Temp>PostDump.exe --help-o, --output Output filename [default: Machine_datetime.dmp] (fullpath handled)-e, --encrypt Encrypt dump in-memory-s, --signature Generate invalid Minidump signature--snap Use snapshot technic--fork Use fork technic [default]--elevate-handle Open a handle to LSASS with low privileges and duplicate it to gain higher privileges--duplicate-elevate Look for existing lsass handle to duplicate and elevate--asr Attempt LSASS dump using ASR bypass (win10/11/2019) (no signature/no encrypt)--driver Use Process Explorer driver to open lsass handle (bypass PPL) and dump lsass--kill [processID] Use Process Explorer driver to kill process and exit--help Display this help screen.--version Display version information.
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论