I'm trying to create a program that utilises the MiniDumpWriteDump Windows API to dump another process's memory. However, it keeps returning an error saying The handle is invalid. I'm pretty confident in my process handle because I've used the OpenProcess Windows API before, so I think it's how I'm using CreateFileW.
I have looked at examples online like this one but I can't get anything working.
Here is my code so far:
package main
import (
"fmt"
"os"
"strconv"
"syscall"
"unsafe"
)
var kernel32 = syscall.NewLazyDLL("kernel32.dll")
var procOpenProcess = kernel32.NewProc("OpenProcess")
var procCreateFileW = kernel32.NewProc("CreateFileW")
var procCloseHandle = kernel32.NewProc("CloseHandle")
var dbghelp = syscall.NewLazyDLL("Dbghelp.dll")
var procMiniDumpWriteDump = dbghelp.NewProc("MiniDumpWriteDump")
func main() {
fmt.Println("[ ] Starting Enum-DumpProcessMemory
")
pid, _ := strconv.Atoi(os.Args[1])
fmt.Println("[-] PID :", pid)
processHandle, _, _ := procOpenProcess.Call(uintptr(0xFFFF), uintptr(1), uintptr(pid))
fmt.Println("[-] Process Handle :", processHandle)
path, _ := syscall.UTF16PtrFromString(os.Args[2])
fileHandle, _, _ := procCreateFileW.Call(uintptr(unsafe.Pointer(path)), syscall.GENERIC_READ, syscall.FILE_SHARE_READ|syscall.FILE_SHARE_WRITE, 0, syscall.OPEN_EXISTING, syscall.FILE_ATTRIBUTE_NORMAL, 0)
fmt.Println("[-] File Handle :", fileHandle)
ret, _, err := procMiniDumpWriteDump.Call(uintptr(processHandle), uintptr(pid), uintptr(fileHandle), 0x00061907, 0, 0, 0)
if ret != 0 {
fmt.Println("[+] Process memory dump successful")
} else {
fmt.Println("[x] Process memory dump not successful")
fmt.Println(err)
}
}
Here is the output:
> .\Enum-DumpProcessMemory.exe 6892 C:\Users\user\Documents\dump.dmp
[ ] Starting Enum-DumpProcessMemory
[-] PID : 6892
[-] Process Handle : 236
[-] File Handle : 18446744073709551615
[x] Process memory dump not successful
The handle is invalid.
