Kali Linux

HandleKatz : PIC Lsass Dumper Using Cloned Handles

HandleKatz tool was implemented as part of our Brucon2021 conference talk and demonstrates the usage of cloned handles to Lsass in order to create an obfuscated memory dump of the same.

It compiles down to an executable living fully in its text segment. Thus, the extracted .text segment of the PE file is fully position independent code (=PIC), meaning that it can be treated like any shellcode.

The execution of HandleKatz in memory has a very small footprint, as itself does not allocate any more executable memory and can therefore efficiently be combined with concepts such as (Phantom)DLL-Hollowing as described by @_ForrestOrr. This is in contrast to PIC PE loaders, such as Donut, SRDI or Reflective Loaders which, during PE loading, allocate more executable memory. Additionally, it makes use of a modified version of ReactOS MiniDumpWriteDumpA using direct system calls to write an obfuscated dump to disk.

For detailed information please refer to the PDF file PICYourMalware.pdf in this repository.

Usage

  • make all to build HandleKatzPIC.exe, HandleKatz.bin and loader.exe

Please note that different compiler (versions) yield different results. This might produce a PE file with relocations.

All tests were carried out using x86_64-w64-mingw32-gcc mingw-gcc version 11.2.0 (GCC). The produced PIC was successfully tested on: Windows 10 Pro 10.0.17763. On other versions of windows, API hashes might differ.

To use the PIC, cast a pointer to the shellcode in executable memory and call it according to the definition:

DWORD handleKatz(BOOL b_only_recon, char* ptr_output_path, uint32_t pid, char* ptr_buf_output);
  • b_only_recon If set, HandleKatz will only enumerate suitable handles without dumping
  • ptr_output_path Determines where the obfuscated dump will be written to
  • pid What PID to clone a handle from
  • ptr_buf_output A char pointer to which HandleKatz writes its internal output

For deobfuscation of the dump file, the script Decoder.py can be used.

Loader implements a sample loader for HandleKatz:

loader.exe –pid:7331 –outfile:C:\Temp\dump.obfuscated

Detection

As cloned handles are used along with modified ReactOS code, no ProcessAccess events can be observed on Lsass. However, ProcessAccess events on programs which hold a handle to Lsass can be observed.

Defenders can monitor for Process Access masks with set PROCESS_DUP_HANDLE (0x0040) to identify the usage of this tool.

Download
R K

Leave a Comment
Share
Published by
R K
Tags: Cloned HandlesHandleKatzLsass DumperPIC
5 years ago

Recent Posts

Best OSINT Tools for Journalists 2026: Verify Sources, Images and Claims

Journalists use OSINT to verify public information before publishing. In 2026, misinformation, AI-generated images, fake…

6 hours ago

Install Docker on Ubuntu 20.04: Complete Step-by-Step Guide

Docker is an open-source platform that lets you package and run applications inside containers. Each container…

17 hours ago

Install PostgreSQL on Ubuntu: Database Setup and Admin Guide

PostgreSQL (often called Postgres) is an open-source relational database system. It supports advanced features like JSON…

18 hours ago

Install Xrdp Remote Desktop on Ubuntu: Setup and Connect

Xrdp is an open-source server that lets you connect to your Ubuntu machine from another computer…

18 hours ago

Tomcat 9 on Ubuntu 20.04: Install, Configure, and Start

Apache Tomcat is an open-source web server and Java servlet container. It is one of the…

18 hours ago

Automatic Updates on Ubuntu: Set Up unattended-upgrades

Keeping your Ubuntu system updated is one of the best ways to protect it. Security…

19 hours ago