Kali Linux

DuplicateDump : Dumping LSASS With A Duplicated Handle From Custom LSA Plugin

DuplicateDump is a fork of MirrorDump with following modifications:

  • DInovke implementation
  • LSA plugin DLL written in C++ which could be clean up after dumping LSASS. MirrorDump compile LSA plugin as .NET assembly which would not be unloaded by LSASS process. That’s why MirrorDump failed to delete the plugin.
  • PID of dump process (i.e., DuplicateDump) is shared to LSA plugin through named pipe
  • Passing value “0” instead of LSASS PID to MiniDumpWriteDump. This prevent MiniDumpWriteDump from opening its own handle to LSASS

DuplicateDump add custom LSA plugin that duplicate LSASS process handle from the LSASS process to DuplicateDump. So DuplicateDump has a ready to use process handle to LSASS without invoking OpenProcess.

Testing

By loading DuplicateDump in memory, it was able to dump LSASS memory without detection on

  • Symantec 14.3
  • Kaspersky Enterprise
  • Windows Defender

Detected by Cortex XDR, Crowdstrike. Failed to dump lsass without detection on SentinalOne.

Usage

Compile LSA plugin (export either SpLsaModeInitialize or dllMain function) and provide the full path of DLL to DuplicateDump

.\DuplicateDump.exe –help
-f, –filename=VALUE The path to write the dump file to
-p, –plugin=VALUE Full file path to LSA plugin
-c, –compress GZip and delete the dump file on disk
-d, –DebugPriv Obtain SeDebugPrivilege
-h, –help Display this help

Example

.\DuplicateDump.exe -f test -c -p C:\LSAPlugin.dll
[+] Loading LSA security package
[+] Named pipe connected and replying with current PID 6492
[+] Found duplicated LSASS process handle 0x3d0
[+] Compressed dump file saved to test.gz

R K

Recent Posts

Pystinger : Bypass Firewall For Traffic Forwarding Using Webshell

Pystinger is a Python-based tool that enables SOCKS4 proxying and port mapping through webshells. It…

1 week ago

CVE-Search : A Tool To Perform Local Searches For Known Vulnerabilities

Introduction When it comes to cybersecurity, speed and privacy are critical. Public vulnerability databases like…

1 week ago

CVE-Search : A Tool To Perform Local Searches For Known Vulnerabilities

Introduction When it comes to cybersecurity, speed and privacy are critical. Public vulnerability databases like…

1 week ago

How to Bash Append to File: A Simple Guide for Beginners

If you are working with Linux or writing bash scripts, one of the most common…

1 week ago

Mastering the Bash Case Statement with Simple Examples

What is a bash case statement? A bash case statement is a way to control…

1 week ago

How to Check if a File Exists in Bash – Simply Explained

Why Do We Check Files in Bash? When writing a Bash script, you often work…

1 week ago