Summary#
This binary can be used as a LOLBIN as described in the LOLBAS project.
This writeup explores the binary in depth, its functionality, and how to achieve code execution through it. The binary is part of the Windows SDK and is usually located in the following path C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\dumpminitool.exe or C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\dumpminitool.exe depending on your system architecture.
Additional Info#
- The argument flags themselves are meaningless; only their order matters. This means that as long as you provide exactly six arguments (the three flag/value pairs listed below, in this order), the binary will still work. Here are the exact positions for reference:
// Usage: --file <fullyResolvedPath> --processId <processId> --dumpType <dumpType>
args[0] // --file
args[1] // <fullyResolvedPath>
args[2] // --processId
args[3] // <processId>
args[4] // --dumpType
args[5] // <dumpType>
- The processId argument must be an integer, as it is parsed to an int before it is stored:
int processId = int.Parse(args[3], (IFormatProvider) CultureInfo.InvariantCulture);
- There are three dump type options:
internal enum MiniDumpTypeOption
{
Full,
WithHeap,
Mini,
}
- The dump type values are case sensitive, since they are used in a switch statement for comparison:
switch (type)
{
case MiniDumpTypeOption.Full:
// Code
case MiniDumpTypeOption.WithHeap:
// Code
case MiniDumpTypeOption.Mini:
// Code
default:
// Code
}
- The binary uses MiniDumpWriteDump from Dbghelp.dll.
- If a dump type other than the ones defined in the enum is provided, it defaults to MiniDumpNormal:
switch (type)
{
case MiniDumpTypeOption.Full:
minidumpType = MiniDumpWriteDump.NativeMethods.MinidumpType.MiniDumpWithDataSegs | MiniDumpWriteDump.NativeMethods.MinidumpType.MiniDumpWithFullMemory | MiniDumpWriteDump.NativeMethods.MinidumpType.MiniDumpWithHandleData | MiniDumpWriteDump.NativeMethods.MinidumpType.MiniDumpWithUnloadedModules | MiniDumpWriteDump.NativeMethods.MinidumpType.MiniDumpWithFullMemoryInfo | MiniDumpWriteDump.NativeMethods.MinidumpType.MiniDumpWithThreadInfo | MiniDumpWriteDump.NativeMethods.MinidumpType.MiniDumpWithTokenInformation;
break;
case MiniDumpTypeOption.WithHeap:
minidumpType = MiniDumpWriteDump.NativeMethods.MinidumpType.MiniDumpWithDataSegs | MiniDumpWriteDump.NativeMethods.MinidumpType.MiniDumpWithHandleData | MiniDumpWriteDump.NativeMethods.MinidumpType.MiniDumpWithUnloadedModules | MiniDumpWriteDump.NativeMethods.MinidumpType.MiniDumpWithPrivateReadWriteMemory | MiniDumpWriteDump.NativeMethods.MinidumpType.MiniDumpWithFullMemoryInfo | MiniDumpWriteDump.NativeMethods.MinidumpType.MiniDumpWithThreadInfo | MiniDumpWriteDump.NativeMethods.MinidumpType.MiniDumpWithTokenInformation;
break;
case MiniDumpTypeOption.Mini:
minidumpType = MiniDumpWriteDump.NativeMethods.MinidumpType.MiniDumpWithThreadInfo;
break;
default:
minidumpType = MiniDumpWriteDump.NativeMethods.MinidumpType.MiniDumpNormal;
break;
}
...
...
...
[Flags]
public enum MinidumpType : uint
{
MiniDumpNormal = 0,
MiniDumpWithDataSegs = 1,
MiniDumpWithFullMemory = 2,
...
...
...
- The dump is performed by calling MiniDumpWriteDump:
for (int index = 0; index < 5 && !MiniDumpWriteDump.NativeMethods.MiniDumpWriteDump(process.Handle, (uint) process.Id, fileStream.SafeFileHandle, dumpType, ref exceptionParam, IntPtr.Zero, IntPtr.Zero); ++index)
{
int forLastWin32Error = Marshal.GetHRForLastWin32Error();
if (forLastWin32Error != -2147024597)
Marshal.ThrowExceptionForHR(forLastWin32Error);
}