Dumping Process Memory with Custom C# Code
Hello All,
Introduction
As part of learning how to use the Windows API and refreshing my knowledge of C# programming, I plan to learn and write some C# applications that leverage the Windows API, for learning and for developing tools that can be used during red team engagements.
In this post I will share a simple program written in C# that leverages the Windows API to dump the process memory of any running process on Windows.
Note:- I am not the first person to write such code. There are many code samples available on the internet.
What is memory dumping?
Memory dumping is a process in which the contents of a process's memory are written to a file. The dump can be analyzed to find the reason for a crash, or it can be used to extract sensitive information from the memory of the running process.
One of the use cases for dumping the memory of the process can be to extract credentials from the Local Security Authority Subsystem Service (LSASS) process.
What is the Local Security Authority Subsystem Service (LSASS)?
The Local Security Authority Subsystem Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing the security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, creates access tokens, etc.
One of the most well-known tools for extracting credentials from the LSASS process is Mimikatz, and almost all AV & EDR solutions detect the usage of Mimikatz. So it is risky for red teams to run the default Mimikatz build directly in a target environment that has such products deployed to detect so-called malicious applications.
Note:- Just replacing a few known words in the Mimikatz source code can bypass various AV & EDR solutions.
About the Code
As mentioned earlier, the code is developed in C#, and I have leveraged the MiniDumpWriteDump Windows API function, exported by Dbghelp.dll / Dbgcore.dll, to dump the memory of the running process. There are various MiniDump types (the MINIDUMP_TYPE flags), but in this code I am using the MiniDumpWithFullMemory type so that the full memory of the running process is written to the dump.
The complete code can be found here
Demo
1) Compiling the application
The application needs to be built for the architecture of the specific Windows system on which you need to dump the memory of the running process.
I will be using this tool on a 64-bit system, hence I have compiled this application with a 64-bit configuration setting.
2) Dumping the memory of the process running with user privilege.
The application can dump process memory based on either the process name or the process ID. To view the help section, execute the application without any arguments.
Dumping the notepad process memory using the process name as the argument.
Dumping the notepad process memory using the process ID as the argument.
3) Dumping the memory of a process running with system privileges.
The application needs to be executed at high integrity (from an elevated, administrative context) to dump the memory of a process running with system privileges.
4) Using Mimikatz to extract credentials from the LSASS dump.
Detection
Monitor processes that load the Dbghelp.dll / Dbgcore.dll DLLs and calls to the MiniDumpWriteDump function, especially when the process that loads them is not a known debugger or crash-reporting component and the handle it opens targets lsass.exe.
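The detection idea above, worked through as an added example (this is not code from the original post or from SharpDump). It correlates two kinds of telemetry a defender usually already has: image-load events (Sysmon Event ID 7 fields Image / ImageLoaded) showing a process loading dbghelp.dll or dbgcore.dll, and process-access events (Sysmon Event ID 10 fields SourceImage / TargetImage / GrantedAccess / CallTrace) showing that same process opening another process with the rights MiniDumpWriteDump requires (PROCESS_QUERY_INFORMATION | PROCESS_VM_READ). The log lines, the `key=value;...` record format, the allow-list of legitimate loaders and the severity levels are all constructed assumptions for illustration; the field names follow Sysmon's, but the records are not real Sysmon output.

```python
"""
Added detection example (not part of the original post): flag processes that
load dbghelp.dll / dbgcore.dll and then open another process with the access
rights MiniDumpWriteDump needs. Records are constructed in a simplified
'key=value;key=value' form carrying Sysmon Event ID 7 and 10 field names.
"""

# Both DLLs export MiniDumpWriteDump; loading either one is the observable
# the Detection section points at.
DUMP_DLLS = ("dbghelp.dll", "dbgcore.dll")

# Access rights MiniDumpWriteDump is documented to need on the target handle.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
DUMP_ACCESS = PROCESS_VM_READ | PROCESS_QUERY_INFORMATION

# Assumed allow-list of images that legitimately load the debug-help DLLs
# (crash reporting, debuggers). Tune this to the environment.
ALLOWED_LOADERS = {r"c:\windows\system32\werfault.exe"}

# Constructed sample telemetry (not real Sysmon output). Event 7 = image load,
# event 10 = process access. The tool path is a made-up example.
SAMPLE_LOG = r"""
EventID=7;Image=C:\Windows\System32\WerFault.exe;ImageLoaded=C:\Windows\System32\dbghelp.dll
EventID=7;Image=C:\Users\bob\tools\dumper.exe;ImageLoaded=C:\Windows\System32\dbgcore.dll
EventID=10;SourceImage=C:\Users\bob\tools\dumper.exe;TargetImage=C:\Windows\System32\lsass.exe;GrantedAccess=0x1FFFFF;CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d4c4|C:\Windows\System32\dbgcore.dll+1a2b3
EventID=10;SourceImage=C:\Windows\System32\svchost.exe;TargetImage=C:\Windows\System32\lsass.exe;GrantedAccess=0x1000
EventID=10;SourceImage=C:\Users\bob\tools\dumper.exe;TargetImage=C:\Windows\System32\notepad.exe;GrantedAccess=0x1410
"""


def parse_events(lines):
    """Parse the constructed 'key=value;...' records into dicts."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = dict(kv.split("=", 1) for kv in line.split(";"))
        ev["EventID"] = int(ev["EventID"])
        events.append(ev)
    return events


def detect(events):
    """
    Return (alerts, loaders). 'loaders' is the set of non-allow-listed images
    seen loading a dump DLL; 'alerts' lists process-access events whose source
    is such a loader (or whose call stack passes through a dump DLL) and whose
    granted access covers what MiniDumpWriteDump requires.
    """
    loaders = set()
    alerts = []
    for ev in events:
        if ev["EventID"] == 7:
            image = ev["Image"].lower()
            if ev["ImageLoaded"].lower().endswith(DUMP_DLLS) and image not in ALLOWED_LOADERS:
                loaders.add(image)
        elif ev["EventID"] == 10:
            src = ev["SourceImage"].lower()
            target = ev["TargetImage"].lower()
            granted = int(ev["GrantedAccess"], 16)
            trace = ev.get("CallTrace", "").lower()
            via_dump_dll = src in loaders or any(d in trace for d in DUMP_DLLS)
            if via_dump_dll and (granted & DUMP_ACCESS) == DUMP_ACCESS:
                alerts.append({
                    "source": src,
                    "target": target,
                    "granted": hex(granted),
                    # LSASS as the target is the credential-theft case; any
                    # other target still indicates a dump tool is in use.
                    "severity": "high" if target.endswith("lsass.exe") else "medium",
                })
    return alerts, loaders


def run_sample():
    """Run the detection over the constructed sample log."""
    return detect(parse_events(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    found, seen_loaders = run_sample()
    print("dump-capable loaders:", sorted(seen_loaders))
    for a in found:
        print(f"[{a['severity']}] {a['source']} -> {a['target']} ({a['granted']})")
```

On the sample, WerFault.exe is ignored because it is allow-listed, svchost.exe's 0x1000 open of lsass.exe lacks PROCESS_VM_READ and is not flagged, and the two opens by the tool that loaded dbgcore.dll are flagged, with the lsass.exe one rated high. In a real pipeline the correlation window between the image-load and process-access events should be bounded, and the allow-list built from a baseline of the environment rather than guessed.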
References
https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump
https://blogs.msdn.microsoft.com/dondu/2010/10/24/writing-minidumps-in-c/
https://github.com/GhostPack/SharpDump
Thanks for reading the post.
Special thanks to all my friends who helped / supported / motivated me to write blogs. 🙏