Skip to content

Latest commit

 

History

History
84 lines (56 loc) · 3.79 KB

README.md

File metadata and controls

84 lines (56 loc) · 3.79 KB

SharpHandler

The tool is now live, but still in beta, I would not recommend using this in opsec heavy engagements for now :P you'll look like a fool if this tool flunks and you burn your opsec ;)

Inspired by this blogpost from @skelsec
For an in-depth explination of what this project is, please read Skelsec's excellent post! :)
This code has been made possible due to:

They are the real MVP's here :)

This project reuses open handles to lsass to parse or minidump lsass, therefore you don't need to use your own lsass handle to interact with it.

Compile instructions

As I've been asked this question a lot, here is a mini tutorial on how to compile this project :) In visual studio, right click the Solution in Solution explorer and click Restore NuGet Packages. also change Any CPU to x64 you can do this by clicking the dropdown arrow next to Any CPU, click configuration manager a new window will pop up, click the dropdown on platform select new and then select x64.

IMPORTANT for D/Invoke!!!
For D/invoke's version of SharpHandler you will need to turn "optimize code" OFF. you can do this by right clicking SharpHandler -> Properties -> Build -> uncheck Optmize code. if you don't do this, the program WILL crash.

caveats

Small caveat, you have to open a handle to LSASS anyway to dupe the handle, but the access level is less than you need than to parse lsass or dump it. You could skip over lsass using the --skip-lsass option in the D/invoke edition, still need to make the change in the P/invoke edition.

bigger caveat, only X64 is supported (for now)

defences

  • This project will open a handle to every single userland process that is running, this is due to the inherit nature of how handle duplication works. You can only figure out the type and access of a handle programmatically, once you've obtained the handle. This should already be a major IoC

  • This project uses sharpdump and sharpkatz under the hood, so any IoC of those projects will automatically be an IoC for this project as well. Yeay IoC inheritance!

   _____ __                     __  __                ____
  / ___// /_  ____ __________  / / / /___ _____  ____/ / /__  _____
  \__ \/ __ \/ __ `/ ___/ __ \/ /_/ / __ `/ __ \/ __  / / _ \/ ___/
 ___/ / / / / /_/ / /  / /_/ / __  / /_/ / / / / /_/ / /  __/ /
/____/_/ /_/\__,_/_/  / .___/_/ /_/\__,_/_/ /_/\__,_/_/\___/_/
                     /_/

Duplicating handles to dump LSASS since 2021, inspired by @Skelsec
developed by @Jean_Maes_1994


 Usage:
  -h, -?, --help             Show Help


  -s, --scan                 Checks if there are dupeable handles to use
  -p, --process=VALUE        the process that you want to use to interact
                               with lsass (has to have a handle to lsass)
  -w, --write                Writes a minidump to location specified with -l
                               thx to sharpdump
  -c, --compress             compressess the minidump and deletes the normal
                               dump from disk (gzip format)
  -l, --location=VALUE       the location to write the minidumpfile to
  -i, --interactive          interactive mode (this mode cannot be used with
                               execute-assembly)
  -d, --dump, --logonpasswords
                             uses sharpkatz (only supports x64 architecture)
                               functionality to live parse lsass (equivalent of
                               logonpasswords)