Cyber security

TrickDump – Evading Detection With Advanced Memory Dump Techniques

TrickDump dumps the lsass process without creating a Minidump file, generating instead 3 JSON and 1 ZIP file with the memory region dumps. In three steps:

  • Lock: Get OS information using RtlGetVersion.
  • Shock: Get SeDebugPrivilege privilege with NtOpenProcessToken and NtAdjustPrivilegeToken, open a handle with NtGetNextProcess and NtQueryInformationProcess and then get modules information using NtQueryInformationProcess and NtReadVirtualMemory.
  • Barrel: Get SeDebugPrivilege privilege, open a handle and then get information and dump memory regions using NtQueryVirtualMemory and NtReadVirtualMemory.

In the attack system, use the create_dump.py script to generate the Minidump file:

python3 create_dump.py [-l LOCK_JSON] [-s SHOCK_JSON] [-b BARREL_JSON] [-z BARREL_ZIP] [-o OUTPUT_FILE] 

The benefits of this technique are:

  • There is never a valid Minidump file in disk, memory or the network traffic.
  • There is not a single program or process executing the whole attack but three separate ones, which may raise less flags.
    • If you already have information about the OS of the target machine you can skip the first step (“Lock”).
  • The programs only use NTAPIS (this project is a variant of NativeDump).
  • It does not use OpenProcess or NtOpenProcess to get the lsass process handle with the PROCESS_VM_OPERATION and PROCESS_VM_WRITE access rights.
  • Each program allows to overwrite the ntdll.dll library “.text” section to bypass API hooking:
    • “disk”: Using a DLL already on disk. If a second argument is not used the path is “C:\Windows\System32\ntdll.dll”.
    • “knowndlls”: Using the KnownDlls folder.
    • “debugproc”: Using a process created in debug mode. If a second argument is not used the process is “c:\windows\system32\calc.exe”.

For more information click here.

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Recent Posts

Playwright-MCP : A Powerful Tool For Browser Automation

Playwright-MCP (Model Context Protocol) is a cutting-edge tool designed to bridge the gap between AI…

3 weeks ago

JBDev : A Tool For Jailbreak And TrollStore Development

JBDev is a specialized development tool designed to streamline the creation and debugging of jailbreak…

3 weeks ago

Kereva LLM Code Scanner : A Revolutionary Tool For Python Applications Using LLMs

The Kereva LLM Code Scanner is an innovative static analysis tool tailored for Python applications…

3 weeks ago

Nuclei-Templates-Labs : A Hands-On Security Testing Playground

Nuclei-Templates-Labs is a dynamic and comprehensive repository designed for security researchers, learners, and organizations to…

3 weeks ago

SSH-Stealer : The Stealthy Threat Of Advanced Credential Theft

SSH-Stealer and RunAs-Stealer are malicious tools designed to stealthily harvest SSH credentials, enabling attackers to…

3 weeks ago

ollvm-unflattener : A Tool For Reversing Control Flow Flattening In OLLVM

Control flow flattening is a common obfuscation technique used by OLLVM (Obfuscator-LLVM) to transform executable…

3 weeks ago