mlcsec/proctools
proctools

Small toolkit for extracting information and dumping sensitive strings from Windows processes. Made to accompany FormThief.

  • procsearch - find sensitive strings in target process memory
    • searches for the supplied string in readable process memory; if found, displays a range of valid ASCII chars around the search string
  • procinfo - display the following file version information for the process executable:
    • process name
    • description
    • product name
    • file version
    • internal name
    • company name
    • comments
    • legal copyright
    • legal trademarks
    • product version
    • private build
    • special build
  • procargs - extract command line arguments for target process
  • prockill - terminate target process

procsearch.cpp

Dump process memory and search for readable strings. PID, search string, and range are supplied as arguments (the range argument exists only in this version). When the search string is found, the range parameter indicates how many characters on each side of the found string should be printed, as long as they're valid ASCII.

Compile in VS. Example below dumping user information from an Outlook process:

PS C:\Users\capde> .\procsearch.exe 7592 "email" 500

[+] Search string "email" FOUND: (...) "age_group": "adult",  "association_status": "{\"com.microsoft.Olk\":\"associated\"}"
,"authority": "https://login.microsoftonline.com/consumers",  "birthday": "1969-3-1",  "display_name": "John Doe",
"email": "capdevuser001@outlook.com",  "first_name": "John",  "id": "3a25f54136ac887c",  "last_name": "Doe",  "location":
"UK",  "login_name":"capdevuser001@outlook.com","onprem_sid": "",  "password_change_url": "",  "phone_number": "" (...)

Not functioning correctly with Inline-Execute-PE. I'm working on resolving this and on the C++ BOF version, which should allow greater search ranges than the C version currently does.


procsearch-BOF.c

Compile and load the .cna:

x86_64-w64-mingw32-gcc -c procsearch-BOF.c -o procsearch-BOF.o

The BOF version is sensitive to buffer sizes, so the <range> option isn't present and the output is somewhat limited. Feel free to play around with the buffer sizes, but be wary that you may get __chkstk errors or the beacon may hang if they're too large.

Ideally I wanted to write this in C++, which I've had working locally with bof-vs, but running it in beacon returns some mangled unknown symbol errors or crashes. Will update when possible. There's probably a better way of implementing the search function/buffers in C, but this'll work for now.

I wouldn't recommend searching for a single character like "." in a very large process, as it may hang the beacon. I recommend a minimum of 3 or 4 character search strings when using the BOF. You can really crank the range up with the C++ version.

Example dumping dummy user data from an Outlook process:

(video: procsearch-BOF.mp4)

procinfo.cs

C# utility to print all file version information for the supplied pid. Compile in VS or with csc:

(screenshot: procinfo-csharp)


procinfo-BOF.c

C BOF that replicates some of the above functionality; need to figure out issues dumping the VerQueryValue(lpVersionInfo, "\\StringFileInfo\\040904b0\\... values.

Compile and load .cna:

x86_64-w64-mingw32-gcc -c procinfo-BOF.c -o procinfo-BOF.o

(screenshot: procinfo-c)


procargs-BOF.c

Extract command line arguments for the specified process. Compile and load .cna:

x86_64-w64-mingw32-gcc -c procargs-BOF.c -o procargs-BOF.o
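As an added example (not part of proctools), the same file version fields that procinfo prints and the command line that procargs extracts can be collected for host triage with built-in PowerShell. .NET's FileVersionInfo resolves the string table via \VarFileInfo\Translation itself, so no hard-coded \StringFileInfo\040904b0\ path is needed. It assumes the caller has rights to query the target process.

```powershell
# Added example, not proctools code: collect the procinfo fields plus the
# procargs command line for one PID, for defensive process triage.
function Get-ProcessVersionReport {
    param([Parameter(Mandatory)][int]$ProcessId)

    # Resolve the image path; this fails for protected or higher-integrity processes.
    $proc = Get-Process -Id $ProcessId -ErrorAction Stop
    $path = $proc.Path
    if (-not $path) { throw "Cannot resolve image path for PID $ProcessId (insufficient rights?)" }

    # FileVersionInfo reads VS_VERSIONINFO and picks the language/codepage block
    # from \VarFileInfo\Translation, so the StringFileInfo path is not hard-coded.
    $vi = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($path)

    # Command line via WMI/CIM (read from the PEB by the OS) instead of ReadProcessMemory.
    $cmd = (Get-CimInstance Win32_Process -Filter "ProcessId = $ProcessId").CommandLine

    [pscustomobject]@{
        ProcessName     = $proc.ProcessName
        Path            = $path
        Description     = $vi.FileDescription
        ProductName     = $vi.ProductName
        FileVersion     = $vi.FileVersion
        InternalName    = $vi.InternalName
        CompanyName     = $vi.CompanyName
        Comments        = $vi.Comments
        LegalCopyright  = $vi.LegalCopyright
        LegalTrademarks = $vi.LegalTrademarks
        ProductVersion  = $vi.ProductVersion
        PrivateBuild    = $vi.PrivateBuild
        SpecialBuild    = $vi.SpecialBuild
        CommandLine     = $cmd
    }
}

# Usage: report on the current PowerShell process ($PID), which is always accessible.
Get-ProcessVersionReport -ProcessId $PID | Format-List
```

Running it over `Get-Process` inside a try/catch and filtering on an empty CompanyName is a quick way to surface executables with no version resource.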



prockill-BOF.c

Terminate a process (or just use kill in CS, not sure why I made this):

x86_64-w64-mingw32-gcc -c prockill-BOF.c -o prockill-BOF.o

(screenshot: prockill-BOF)
