{"id":13839643,"url":"https://github.com/outflanknl/Dumpert","last_synced_at":"2025-07-11T06:31:00.537Z","repository":{"id":43040140,"uuid":"192397590","full_name":"outflanknl/Dumpert","owner":"outflanknl","description":"LSASS memory dumper using direct system calls and API unhooking.","archived":false,"fork":false,"pushed_at":"2021-01-05T08:58:26.000Z","size":85,"stargazers_count":1485,"open_issues_count":6,"forks_count":243,"subscribers_count":37,"default_branch":"master","last_synced_at":"2024-11-05T13:26:36.318Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/outflanknl.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2019-06-17T18:22:01.000Z","updated_at":"2024-11-04T23:23:50.000Z","dependencies_parsed_at":"2022-08-12T10:11:17.825Z","dependency_job_id":null,"html_url":"https://github.com/outflanknl/Dumpert","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/outflanknl%2FDumpert","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/outflanknl%2FDumpert/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/outflanknl%2FDumpert/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/outflanknl%2FDumpert/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/outflanknl","download_url":"https://codeload.github.com/outflanknl/Dumpert/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225699955,"owners_count":17510432,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-04T17:00:32.171Z","updated_at":"2024-11-21T08:31:21.587Z","avatar_url":"https://github.com/outflanknl.png","language":"C","funding_links":[],"categories":["C","C (286)","Red Team"],"sub_categories":["Credential Dumping"],"readme":"### Dumpert, an LSASS memory dumper using direct system calls and API unhooking\n\nRecent malware research shows that there is an increase in malware that is using direct system calls to evade user-mode API hooks used by security products.\nThis tool demonstrates the use of direct System Calls and API unhooking and combines these techniques in proof-of-concept code which can be used to create an LSASS memory dump using Cobalt Strike, \nwhile not touching disk and evading AV/EDR monitored user-mode API calls.\n\nMore info about the used techniques can be found on the following Blog: \nhttps://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/\n\nTwo versions of the code are included:\n\nAn executable and a DLL version of the code. \nThe DLL version can be run as follows:\n\n```\nrundll32.exe C:\\Dumpert\\Outflank-Dumpert.dll,Dump\n```\n\nAlso, an sRDI version of the code is provided, including a Cobalt Strike aggressor script.\nThis script uses shinject to inject the sRDI shellcode version of the dumpert DLL into the current process. \nThen it waits a few seconds for the lsass minidump to finish and finally downloads the minidump file from the victim host.\n\nCompile instructions:\n\n```\nThis project is written in C and assembly.\nYou can use Visual Studio to compile it from source.\n```\n\nThe sRDI code can be found here: https://github.com/monoxgas/sRDI\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Foutflanknl%2FDumpert","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Foutflanknl%2FDumpert","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Foutflanknl%2FDumpert/lists"}