proctools: extracting information and dumping sensitive strings from Windows processes


proctools

Small toolkit for extracting information and dumping sensitive strings from Windows processes. Made to accompany another project that’s in the works.

  • procsearch – find sensitive strings in the target process memory
    • searches for the passed string in readable process memory; if found, displays a range of valid ASCII characters around the search string
  • procinfo – display the following file version information for the process executable:
    • process name
    • description
    • product name
    • file version
    • internal name
    • company name
    • comments
    • legal copyright
    • legal trademarks
    • product version
    • private build
    • special build
  • procargs – extract command line arguments for the target process
  • prockill – terminate target process

procsearch.cpp

Dump process memory and search for readable strings. PID, search string, and range are supplied only for this version. When the search string is found, the range parameter indicates how many characters on each side of the found string should be printed, as long as they’re valid ASCII.
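The range behaviour described above, shown on a constructed in-memory buffer rather than a live process. This is an added example, not the proctools source; the names context_around, find_bytes and SAMPLE are hypothetical, and it assumes "valid ASCII" means printable bytes 0x20 to 0x7E.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: binary bytes around a JSON fragment, as in a raw memory region. */
static const unsigned char SAMPLE[] = "\x01\x02{\"email\": \"user@example.test\"}\x00tail";

/* Assumption: "valid ASCII" = printable 0x20..0x7E; anything else ends the window. */
static int is_print_ascii(unsigned char c) { return c >= 0x20 && c <= 0x7E; }

/* Length-based search: memory contains NUL bytes, so strstr() would stop early. */
static long find_bytes(const unsigned char *buf, size_t len, const char *needle, size_t nlen)
{
    if (nlen == 0 || nlen > len) return -1;
    for (size_t i = 0; i + nlen <= len; i++)
        if (memcmp(buf + i, needle, nlen) == 0) return (long)i;
    return -1;
}

/* Copy the first match plus up to `range` printable bytes on each side into out.
   Returns bytes written (excluding the NUL), or 0 if the needle is not found. */
size_t context_around(const unsigned char *buf, size_t len, const char *needle,
                      size_t range, char *out, size_t outsz)
{
    size_t nlen = strlen(needle);
    long hit = find_bytes(buf, len, needle, nlen);
    if (hit < 0 || outsz == 0) return 0;

    size_t first = (size_t)hit, start = first, end = first + nlen;  /* window [start, end) */
    while (start > 0 && first - start < range && is_print_ascii(buf[start - 1]))
        start--;
    while (end < len && end - (first + nlen) < range && is_print_ascii(buf[end]))
        end++;

    size_t n = end - start;
    if (n > outsz - 1) n = outsz - 1;   /* fixed-size output: truncate, never overflow */
    memcpy(out, buf + start, n);
    out[n] = '\0';
    return n;
}

int main(void)
{
    char out[64];
    if (context_around(SAMPLE, sizeof SAMPLE, "email", 500, out, sizeof out))
        printf("[+] Search string \"email\" FOUND: %s\n", out);
    return 0;
}
```

The window stops at the first non-printable byte even when the range is larger, and the output is clipped to the caller's buffer.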

Compile in VS. Example below dumping user information from the Outlook process:

PS C:\Users\capde> .\procsearch.exe 7592 "email" 500

[+] Search string "email" FOUND: (...) "age_group": "adult", "association_status": "{\"com.microsoft.Olk\":\"associated\"}"
,"authority": "https://login.microsoftonline.com/consumers", "birthday": "1969-3-1", "display_name": "John Doe",
"email": "capdevuser001@outlook.com", "first_name": "John", "id": "3a25f54136ac887c", "last_name": "Doe", "location":
"UK", "login_name":"capdevuser001@outlook.com","onprem_sid": "", "password_change_url": "", "phone_number": "" (...)

Not functioning correctly with Inline-Execute-Assembly. I’m working on resolving this and the C++ BOF version which should allow greater search ranges than the C version currently.

procsearch-BOF.c

Compile and load the .cna:

x86_64-w64-mingw32-gcc -c procsearch-BOF.c -o procsearch-BOF.o

The BOF version is sensitive to buffer sizes, so the <range> option isn’t present and the output is somewhat limited. Feel free to play around with the buffer sizes, but be wary: you may get __chkstk errors or the beacon may hang if they are too large.

Ideally wanted to write this in C++ which I’ve had working locally with bof-vs but running in beacon returns some mangled unknown symbol errors or crashes. Will update you when possible. There’s probably a better way of implementing the search function/buffers in C but that’ll work for now.

I wouldn’t recommend searching for a single character like "." in a very large process as it may hang the beacon. Recommend a minimum of 3 or 4-character search strings when using BOF. You can crank the range up with the C++ version.
