A sophisticated, covert LSASS dumper using C++ and MASM x64.
Don't be evil with this. I created this tool to learn. I'm not responsible if the Feds knock on your door.
Historically was able to (and may presently still) bypass
- Windows Defender
- Malwarebytes Anti-Malware
- CrowdStrike Falcon EDR (Falcon Complete + OverWatch)
Avoids detection by using various means, such as:
- Manually implementing NTAPI operations through indirect system calls
DisablingBreaking telemetry features (i.e ETW)- Polymorphism through compile-time hash generation
- Obfuscating API function names and pointers
- Duplicating existing LSASS handles instead of opening new ones
- Creating offline copies of the LSASS process to perform memory dumps on
- Corrupting the
MDMP
signature of dropped files - Probably other stuff I forgot to mention here
- Only works on x64 architecture
- Relies on there being existing opened LSASS handles on target systems
- Don't expect this to be undetectable forever 🙂