mirror of
https://github.com/outflanknl/Dumpert.git
synced 2026-06-08 16:37:11 +00:00
Cn33liz
28 lines
1.3 KiB
Markdown
28 lines
1.3 KiB
Markdown
### Dumpert, a LSASS memory dumper using direct system calls and API unhooking
|
|
|
|
Recent malware research shows that there is an increase in malware that is using direct system calls to evade user-mode API hooks used by security products.
|
|
These tools demonstrates the use of direct System Calls and API unhooking and combine these techniques in a proof of concept code which can be used to create a LSASS memory dump using Cobalt Strike,
|
|
while not touching disk and evading AV/EDR monitored user-mode API calls.
|
|
|
|
Two version of the code are included:
|
|
|
|
An executable version and a DLL version of the code.
|
|
The DLL version can be run as follow:
|
|
|
|
```
|
|
rundll32.exe C:\Dumpert\Outflank-Dumpert.dll,Dump
|
|
```
|
|
|
|
Also a sRDI version of the code is provided, including an Cobalt Strike agressor script.
|
|
This script uses shinject to inject the sRDI shellcode version of the dumpert DLL into the current process.
|
|
Then it waits a few seconds for the lsass minidump to finish and finally download the minidump file from the victim host.
|
|
|
|
Compile instructions:
|
|
|
|
```
|
|
This project is written in C and assembly.
|
|
You can use Visual Studio to compile it from source.
|
|
```
|
|
|
|
More info about the used techniques can be found on the following Blog:
|
|
The sRDI code can be found here: https://github.com/monoxgas/sRDI |