Dumping Process Memory with Custom C# Code

Hello All,

Introduction

As a process of learning how to use Windows API and refreshing my knowledge about c# programming. I plan to learn and code some applications in c# leveraging Windows API for learning & developing tools which can be used during red team engagements.

In this post I will share a simple code written in c# leveraging Windows API to dump the process memory for any running process in windows.

Note:- I am not the first person to write such a code. There are many code samples available on the internet.

What is memory dumping ?

Memory dumping is a process in which the content of the memory is stored in a file for analyzing the reason for the crash or it can be useful for extracting sensitive information from the memory of the running process.

One of the use cases for dumping the memory of the process can be to extract credentials from the Local Security Authority Subsystem Service (LSASS) process.

What is Local Security Authority Subsystem Service (LSASS) ?

Local Security Authority Subsystem Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing the security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, creates access tokens, etc.

One of the famous tools for extracting credentials from the LSASS process is Mimikatz and mostly all the av & edr solutions detect the usage of Mimikatz. So it's risky for red teams to run default Mimikatz in the target environment directly which has such products deployed for detection of so-called malicious applications.

Note:- Just replacing few known words from Mimikatz source code can bypass various av & edr solutions.

About the Code

As mentioned earlier the code is developed in C# and I have leveraged Windows API MiniDumpWriteDump function of Dbghelp.dll, Dbgcore.dll for dumping the memory of the running process. There are various types of MiniDump, but in this code I am using MiniDumpWithFullMemory type for dumping the memory of the running process.


The complete code can be found here

Demo

1) Compiling the application

The application needs to be build based on the specific windows system architecture on which you need to dump the memory of the running process.
I will be using this tool on a 64 bit system, hence I have compiled this application with a 64 bit configuration setting.


2) Dumping the memory of the process running with user privilege.
The application can dump process memory based on the process name or process id. To view the help section the application should be executed without any arguments.


Dumping notepad process memory using the process name as the argument.


Dumping notepad process memory using the process id as the argument.


3) Dumping the memory of the process running with a system privilege.
The application needs to be executed under high integrity to dump memory of the process running with system privileges.


4) Using Mimikatz to extract credentials from the lsass dump.


Detection

Monitor process loading Dbghelp.dllDbgcore.dll DLL's and MiniDumpWriteDump function call.


References

https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump
https://blogs.msdn.microsoft.com/dondu/2010/10/24/writing-minidumps-in-c/
https://github.com/GhostPack/SharpDump

Thanks for reading the post.

Special thanks to all my friends who help / supported / motivated me for writing blogs. 🙏



Comments

Popular posts from this blog

Information Disclosure - Internal Path Disclosure (PHPWCMS) - CVE-2018-12990

Introduction to Callidus

Process Injection - Part I