Dump Failed

[crisprss]

HI, the technique seems cool:)
However I failed the test in the virtual machine，the system version is Win10 1809 17763.1577, and I've set the DumpType in registry

[crisprss]

Besides, lsass is not set in PPL as protect

[spicy-bear]

dump still failing

[DayJun]

look at kernel32!WerpReportFaultInternal, the message structure is a little bit different.
In some versions, it's size if 0xf0. But in newer versions, it is 0xf8
@crisprss @spicy-bear

typedef struct _MappedViewStruct
{
    DWORD Size;
    DWORD TargetProcessPid;
    DWORD TargetThreadTid;
    DWORD Filler0[39];
    EXCEPTION_POINTERS* ExceptionPointers;
#ifndef _WIN64
    DWORD Filler1;
#endif
    DWORD NtErrorCode;
    DWORD Filler2;
    HANDLE hTargetProcess;
#ifndef _WIN64
    DWORD Filler3;
#endif
    HANDLE hTargetThread;
#ifndef _WIN64
    DWORD Filler4;
#endif
    HANDLE hRecoveryEvent;
#ifndef _WIN64
    DWORD Filler5;
#endif
    HANDLE hCompletionEvent;
#ifndef _WIN64
    DWORD Filler6;
#endif
    DWORD Filler7;
    DWORD Filler8;
    DWORD Null01;
    DWORD Null02;
    DWORD NtStatusErrorCode;
    DWORD Null03;
    DWORD TickCount;
    DWORD Unk101;
} MappedViewStruct, *PMappedViewStruct;

After delete Null01 and Null02, the code runs correctly.