proctools: extracting information and dumping sensitive strings from Windows processes

proctools

Small toolkit for extracting information and dumping sensitive strings from Windows processes. Made to accompany another project that’s in the works.

  • procsearch – find sensitive strings in the target process's memory
    • searches readable process memory for the supplied string; when it is found, prints the run of printable ASCII characters surrounding the match
  • procinfo – display the following file version information for the process executable:
    • process name
    • description
    • product name
    • file version
    • internal name
    • company name
    • comments
    • legal copyright
    • legal trademarks
    • product version
    • private build
    • special build
  • procargs – extract command line arguments for the target process
  • prockill – terminate target process

procsearch.cpp

Dumps readable process memory and searches it for a string. This version takes three arguments: PID, search string, and range. When the search string is found, range sets how many characters on each side of the match are printed; printing stops early at the first byte that is not printable ASCII.
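Added example, not the proctools code: the same search done in plain C. find_with_context() is the portable core (find the needle, extend left and right over printable ASCII up to range bytes), and search_process() is the Windows driver that walks the target with VirtualQueryEx and feeds every committed, readable, non-guard region through ReadProcessMemory. Function names, the single-hit-per-region output and the sample "page" are assumptions; matches that straddle two regions are not found.

```c
/* Added example (not proctools' own code): procsearch in plain C.
 * find_with_context() is portable; search_process() is the Windows driver. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static int is_printable(unsigned char c) { return c >= 0x20 && c <= 0x7e; }

/* Search buf[0..len) for needle. On the first hit, copy the match plus up to
 * `range` printable-ASCII bytes on each side into out (stopping early at the
 * first non-printable byte). Returns the total hit count; out is an empty
 * string when there is none. */
static size_t find_with_context(const unsigned char *buf, size_t len,
                                const char *needle, size_t range,
                                char *out, size_t outlen)
{
    size_t nlen = strlen(needle), hits = 0;
    if (outlen) out[0] = '\0';
    if (nlen == 0 || len < nlen || outlen == 0) return 0;
    for (size_t i = 0; i + nlen <= len; i++) {
        if (memcmp(buf + i, needle, nlen) != 0) continue;
        if (hits++ == 0) {
            size_t start = i, end = i + nlen;
            while (i - start < range && start > 0 && is_printable(buf[start - 1])) start--;
            while (end - (i + nlen) < range && end < len && is_printable(buf[end])) end++;
            size_t n = end - start;
            if (n > outlen - 1) n = outlen - 1;
            memcpy(out, buf + start, n);
            out[n] = '\0';
        }
    }
    return hits;
}

#ifdef _WIN32
#include <windows.h>
/* Walk the target's address space and search every committed, readable,
 * non-guard region. Each region is read whole, so large heaps cost memory. */
static int search_process(DWORD pid, const char *needle, size_t range)
{
    HANDLE h = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid);
    if (!h) { fprintf(stderr, "OpenProcess(%lu) failed: %lu\n", pid, GetLastError()); return 1; }
    MEMORY_BASIC_INFORMATION mbi;
    unsigned char *addr = NULL;
    char ctx[1024];
    while (VirtualQueryEx(h, addr, &mbi, sizeof mbi) == sizeof mbi) {
        int readable = mbi.State == MEM_COMMIT &&
                       !(mbi.Protect & (PAGE_GUARD | PAGE_NOACCESS)) &&
                       (mbi.Protect & (PAGE_READONLY | PAGE_READWRITE | PAGE_WRITECOPY |
                                       PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE |
                                       PAGE_EXECUTE_WRITECOPY));
        if (readable) {
            unsigned char *buf = malloc(mbi.RegionSize);
            SIZE_T got = 0;
            if (buf && ReadProcessMemory(h, mbi.BaseAddress, buf, mbi.RegionSize, &got) && got &&
                find_with_context(buf, got, needle, range, ctx, sizeof ctx))
                printf("%p: %s\n", mbi.BaseAddress, ctx);
            free(buf);
        }
        addr = (unsigned char *)mbi.BaseAddress + mbi.RegionSize;
    }
    CloseHandle(h);
    return 0;
}
#endif

int main(int argc, char **argv)
{
#ifdef _WIN32
    if (argc != 4) { fprintf(stderr, "usage: %s <pid> <string> <range>\n", argv[0]); return 2; }
    return search_process((DWORD)strtoul(argv[1], NULL, 10), argv[2], strtoul(argv[3], NULL, 10));
#else
    /* Off Windows: run the core over a constructed buffer standing in for a heap page. */
    static const unsigned char page[] =
        "\x00\x00junk\x01" "user=admin&password=Sup3rS3cret!\x00\x00\x7f more";
    char ctx[128];
    size_t hits = find_with_context(page, sizeof page - 1, "password=", 8, ctx, sizeof ctx);
    printf("%zu hit(s): %s\n", hits, ctx);
    (void)argc; (void)argv;
    return 0;
#endif
}
```

Build on Windows with `cl procsearch_example.c` or `gcc procsearch_example.c -o procsearch_example`; elsewhere it compiles to the constructed-buffer demo only.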

procsearch-BOF.c

The BOF version is sensitive to buffer sizes, so the <range> option is not available and the output is more limited. Feel free to experiment with the buffer sizes, but be aware that if they are too large you may get __chkstk errors (large stack arrays make the compiler emit a call to __chkstk, which the BOF loader has no symbol for) or the Beacon may hang.

procinfo.cs

C# utility to print all file version information for the supplied pid.

procinfo-BOF.c

C BOF that replicates some of the functionality above. Querying the string values via VerQueryValue(lpVersionInfo, "\\StringFileInfo\\040904b0\\... still has issues. Note that 040904b0 (language 0x0409, code page 0x04b0, i.e. U.S. English with Unicode strings) is only one possible translation; the language/code-page pairs actually present in a binary are listed in its \\VarFileInfo\\Translation block, and a hardcoded path fails on binaries built with any other pair.
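Added example for the procinfo utility and the BOF above; it is not proctools' code. It resolves the PID's image path, loads its version resource, enumerates the \VarFileInfo\Translation block instead of assuming 040904b0, and queries the string fields listed at the top of the page for each translation. The helper names, the field list and the fallback to 040904b0 when no Translation block exists are assumptions; parse_translations() and build_subblock() are portable and run anywhere.

```c
/* Added example (not proctools' own code): procinfo with translation enumeration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct translation { unsigned short lang, codepage; };

/* \VarFileInfo\Translation is an array of little-endian WORD pairs
 * (language id, code page). Parse it into out; returns the pair count. */
static size_t parse_translations(const unsigned char *blob, size_t len,
                                 struct translation *out, size_t max)
{
    size_t n = 0;
    for (size_t off = 0; off + 4 <= len && n < max; off += 4, n++) {
        out[n].lang     = (unsigned short)(blob[off]     | (blob[off + 1] << 8));
        out[n].codepage = (unsigned short)(blob[off + 2] | (blob[off + 3] << 8));
    }
    return n;
}

/* Build the VerQueryValue sub-block path for one string field, for example
 * \StringFileInfo\040904b0\ProductName. Returns the length written. */
static int build_subblock(const struct translation *t, const char *field,
                          char *out, size_t outlen)
{
    return snprintf(out, outlen, "\\StringFileInfo\\%04x%04x\\%s",
                    (unsigned)t->lang, (unsigned)t->codepage, field);
}

#ifdef _WIN32
#define _WIN32_WINNT 0x0600
#include <windows.h>
#pragma comment(lib, "version.lib")   /* MSVC; with MinGW link -lversion */

static const char *fields[] = {
    "FileDescription", "ProductName", "FileVersion", "InternalName", "CompanyName",
    "Comments", "LegalCopyright", "LegalTrademarks", "ProductVersion",
    "PrivateBuild", "SpecialBuild"
};

static int dump_version_info(DWORD pid)
{
    char path[MAX_PATH];
    DWORD plen = sizeof path, unused, size;
    HANDLE h = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, pid);
    if (!h || !QueryFullProcessImageNameA(h, 0, path, &plen)) {
        fprintf(stderr, "cannot resolve image for pid %lu (error %lu)\n", pid, GetLastError());
        return 1;
    }
    CloseHandle(h);
    size = GetFileVersionInfoSizeA(path, &unused);
    void *info = size ? malloc(size) : NULL;
    if (!info || !GetFileVersionInfoA(path, 0, size, info)) {
        fprintf(stderr, "no version resource in %s (error %lu)\n", path, GetLastError());
        free(info);
        return 1;
    }
    struct translation tr[16];
    unsigned char *raw; UINT rawlen;
    size_t ntr = 0;
    if (VerQueryValueA(info, "\\VarFileInfo\\Translation", (LPVOID *)&raw, &rawlen))
        ntr = parse_translations(raw, rawlen, tr, 16);
    if (ntr == 0) { tr[0].lang = 0x0409; tr[0].codepage = 0x04b0; ntr = 1; } /* last resort */
    printf("process name: %s\n", path);
    for (size_t i = 0; i < ntr; i++)
        for (size_t f = 0; f < sizeof fields / sizeof fields[0]; f++) {
            char sub[128]; char *val; UINT vlen;
            build_subblock(&tr[i], fields[f], sub, sizeof sub);
            if (VerQueryValueA(info, sub, (LPVOID *)&val, &vlen) && vlen)
                printf("%s: %s\n", fields[f], val);
        }
    free(info);
    return 0;
}
#endif

int main(int argc, char **argv)
{
#ifdef _WIN32
    if (argc != 2) { fprintf(stderr, "usage: %s <pid>\n", argv[0]); return 2; }
    return dump_version_info((DWORD)strtoul(argv[1], NULL, 10));
#else
    /* Off Windows: print the paths built from a constructed two-entry Translation blob. */
    static const unsigned char blob[] = { 0x09, 0x04, 0xb0, 0x04, 0x07, 0x04, 0xe4, 0x04 };
    struct translation tr[4]; char sub[128];
    size_t n = parse_translations(blob, sizeof blob, tr, 4);
    for (size_t i = 0; i < n; i++) {
        build_subblock(&tr[i], "ProductName", sub, sizeof sub);
        puts(sub);
    }
    (void)argc; (void)argv;
    return 0;
#endif
}
```

For the BOF the same two helpers drop in unchanged; the difference from the hardcoded path is only that the sub-block string is built from the pairs the resource actually declares.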

procargs-BOF.c

Extract command line arguments for the specified process.
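Added example, not the procargs code: one way to get a remote process's command line. read_remote_cmdline() follows PEB->ProcessParameters->CommandLine using NtQueryInformationProcess and ReadProcessMemory (reader and target of the same bitness assumed), and split_cmdline() is a portable splitter that turns the raw line into arguments using the CommandLineToArgvW quoting rules. Function names and the constructed sample line are assumptions; the simpler rules Windows applies to argv[0] are not special-cased.

```c
/* Added example (not proctools' own code): procargs via the PEB, plus an argv splitter. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Split a command line into arguments: whitespace separates arguments outside
 * quotes, a double quote toggles quoted mode, and backslashes are literal unless
 * they precede a quote (2n -> n backslashes and the quote stays special;
 * 2n+1 -> n backslashes plus a literal quote). Arguments are stored
 * NUL-terminated in store, pointers go into argv; returns argc. */
static size_t split_cmdline(const char *cl, char *store, size_t storelen,
                            const char **argv, size_t maxargs)
{
    size_t argc = 0, o = 0;
    const char *p = cl;
#define PUT(c) do { if (o + 1 < storelen) store[o++] = (c); } while (0)
    for (;;) {
        while (*p == ' ' || *p == '\t') p++;
        if (!*p || argc >= maxargs || o >= storelen) break;
        argv[argc++] = store + o;
        int inq = 0;
        while (*p && (inq || (*p != ' ' && *p != '\t'))) {
            if (*p == '\\') {
                size_t nb = 0;
                while (*p == '\\') { nb++; p++; }
                if (*p == '"') {
                    for (size_t k = 0; k < nb / 2; k++) PUT('\\');
                    if (nb % 2) { PUT('"'); p++; }   /* odd count: escaped literal quote */
                } else {
                    for (size_t k = 0; k < nb; k++) PUT('\\');
                }
            } else if (*p == '"') {
                inq = !inq; p++;
            } else {
                PUT(*p); p++;
            }
        }
        store[o++] = '\0';
    }
#undef PUT
    return argc;
}

#ifdef _WIN32
#define _WIN32_WINNT 0x0600
#include <windows.h>
#include <winternl.h>
typedef NTSTATUS (NTAPI *NtQIP_t)(HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG);

/* Copy the target's UTF-16 command line into out; returns 0 on success.
 * A 32-bit reader cannot walk a 64-bit target's PEB this way. */
static int read_remote_cmdline(DWORD pid, wchar_t *out, size_t outchars)
{
    HANDLE h = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid);
    if (!h) return -1;
    NtQIP_t q = (NtQIP_t)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtQueryInformationProcess");
    PROCESS_BASIC_INFORMATION pbi; PEB peb; RTL_USER_PROCESS_PARAMETERS params;
    ULONG ret; SIZE_T got; int ok = 0;
    if (q && q(h, ProcessBasicInformation, &pbi, sizeof pbi, &ret) == 0 &&
        ReadProcessMemory(h, pbi.PebBaseAddress, &peb, sizeof peb, &got) &&
        ReadProcessMemory(h, peb.ProcessParameters, &params, sizeof params, &got)) {
        size_t n = params.CommandLine.Length / sizeof(wchar_t);
        if (n > outchars - 1) n = outchars - 1;
        ok = ReadProcessMemory(h, params.CommandLine.Buffer, out, n * sizeof(wchar_t), &got);
        out[n] = L'\0';
    }
    CloseHandle(h);
    return ok ? 0 : -1;
}
#endif

int main(int argc, char **argv)
{
    const char *args[64]; char store[4096];
#ifdef _WIN32
    wchar_t wide[2048]; char utf8[4096];
    if (argc != 2) { fprintf(stderr, "usage: %s <pid>\n", argv[0]); return 2; }
    if (read_remote_cmdline((DWORD)strtoul(argv[1], NULL, 10), wide, 2048) != 0 ||
        !WideCharToMultiByte(CP_UTF8, 0, wide, -1, utf8, sizeof utf8, NULL, NULL)) {
        fprintf(stderr, "failed to read command line of pid %s\n", argv[1]);
        return 1;
    }
    const char *cl = utf8;
#else
    /* Off Windows: a constructed command line stands in for the remote one. */
    const char *cl = "\"C:\\Program Files\\app.exe\" -c \"a b\" x\\\\y x\\\"y";
    (void)argc; (void)argv;
#endif
    size_t n = split_cmdline(cl, store, sizeof store, args, 64);
    for (size_t i = 0; i < n; i++) printf("argv[%zu] = %s\n", i, args[i]);
    return 0;
}
```

Because the command line lives in the target's own RTL_USER_PROCESS_PARAMETERS, a process can overwrite it after start-up (argument spoofing); what this reads is the current buffer, not necessarily what the process was launched with.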

prockill-BOF.c

Terminates the target process.