https://github.com/cybersecurityup/lsassdumpsyscall
Lsass Dump using MiniDump Method and Direct Syscall Technique
Last synced: 4 months ago
- Host: GitHub
- URL: https://github.com/cybersecurityup/lsassdumpsyscall
- Owner: CyberSecurityUP
- Created: 2024-07-22T00:40:04.000Z (almost 2 years ago)
- Default Branch: main
- Last Pushed: 2024-07-22T03:01:46.000Z (almost 2 years ago)
- Last Synced: 2025-10-03T19:35:20.603Z (9 months ago)
- Language: C++
- Homepage:
- Size: 712 KB
- Stars: 4
- Watchers: 1
- Forks: 3
- Open Issues: 1
Metadata Files:
- Readme: README.md
README
# LsassDumpSyscall
## Overview
LsassDumpSyscall is a specialized utility designed to securely dump the memory contents of the `lsass.exe` process, which is crucial for managing security policies and storing security information on Windows operating systems. The primary objective of this tool is to facilitate security research and testing by enabling the analysis of `lsass.exe` without leveraging high-profile tools like Mimikatz that are commonly detected by antivirus software.
- **Direct System Calls**: The tool bypasses the Windows API layer by utilizing direct system calls to interact with the operating system. This method minimizes the tool's footprint and avoids common API hooking techniques used by malware detection systems.
- **Elevated Privilege Checks**: It ensures that it is run with elevated privileges (administrator rights), which are necessary for accessing `lsass.exe` memory.
- **Debug Privilege Enabling**: The utility attempts to enable debug privileges for the process to ensure it can access sensitive processes like `lsass.exe`.
- **Memory Dumping**: Utilizes the `MiniDumpWriteDump` function to create a complete memory dump of `lsass.exe`, which can be useful for forensic analysis and security research.
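The feature list above describes a tool whose evasion rests on bypassing user-mode API hooks. From the defender's side, the access a minidump needs (`PROCESS_QUERY_INFORMATION` plus `PROCESS_VM_READ` on the `lsass.exe` handle) is still granted in the kernel, so telemetry that is generated by a kernel object callback, such as Sysmon Event ID 10 (ProcessAccess), records the open regardless of whether the caller went through `OpenProcess` or issued the syscall itself. The following is an added triage example, not code from the LsassDumpSyscall project: it runs over constructed records shaped like Sysmon ProcessAccess fields, flags reads of `lsass.exe` memory from images outside an illustrative allowlist, and applies the heuristic that a call stack whose innermost frame is not in `ntdll.dll` suggests a direct syscall. The allowlist, the sample events and their module offsets are all assumptions constructed for the example.

```python
"""Triage of ProcessAccess telemetry for lsass.exe memory reads.

Added defensive example, not code from the LsassDumpSyscall project.  The
records below are constructed to mirror the field names of Sysmon Event ID 10
(ProcessAccess); they are not captured telemetry.
"""
from typing import Optional

# Win32 process access rights from winnt.h.  MiniDumpWriteDump documents that
# the target handle needs PROCESS_QUERY_INFORMATION and PROCESS_VM_READ.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
PROCESS_ALL_ACCESS = 0x1FFFFF

# Assumption: images on this host that legitimately open lsass.exe with read
# access.  Illustrative only; tune per environment.
ALLOWLISTED_SOURCES = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\wininit.exe",
}

# Constructed sample events (Sysmon Event ID 10 field names, made-up offsets).
CONSTRUCTED_EVENTS = [
    {   # benign: service host asking for limited query rights only
        "SourceImage": r"C:\Windows\System32\svchost.exe",
        "TargetImage": r"C:\Windows\System32\lsass.exe",
        "GrantedAccess": "0x1000",
        "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4a4|C:\Windows\System32\KERNELBASE.dll+2e1d3",
    },
    {   # suspicious: unknown tool, rights sufficient for a minidump, and the
        # innermost frame is the tool itself rather than the ntdll syscall stub
        "SourceImage": r"C:\Users\lab\Desktop\dumper.exe",
        "TargetImage": r"C:\Windows\System32\lsass.exe",
        "GrantedAccess": "0x1410",
        "CallTrace": r"C:\Users\lab\Desktop\dumper.exe+2f10|C:\Users\lab\Desktop\dumper.exe+1a22",
    },
    {   # not lsass at all: ignored regardless of the rights requested
        "SourceImage": r"C:\Users\lab\Desktop\dumper.exe",
        "TargetImage": r"C:\Windows\System32\notepad.exe",
        "GrantedAccess": "0x1FFFFF",
        "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4a4",
    },
    {   # allowlisted image requesting full access: suppressed by the allowlist
        "SourceImage": r"C:\Windows\System32\wininit.exe",
        "TargetImage": r"C:\Windows\System32\lsass.exe",
        "GrantedAccess": "0x1FFFFF",
        "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4a4",
    },
]


def grants_memory_read(granted_access: str) -> bool:
    """True if the mask lets the caller read process memory the way a minidump does."""
    mask = int(granted_access, 16)
    if mask == PROCESS_ALL_ACCESS:
        return True
    query = PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION
    return bool(mask & PROCESS_VM_READ) and bool(mask & query)


def syscall_outside_ntdll(call_trace: str) -> bool:
    """Heuristic: a normal API call enters the kernel from the ntdll.dll stub, so
    the innermost frame is in ntdll.dll.  Any other top frame suggests the
    syscall instruction was issued directly from the caller's own code."""
    top = call_trace.split("|", 1)[0].lower()
    return "ntdll.dll" not in top


def triage(event: dict) -> Optional[dict]:
    """Return a finding for an lsass memory read worth review, else None."""
    if not event["TargetImage"].lower().endswith("\\lsass.exe"):
        return None
    if not grants_memory_read(event["GrantedAccess"]):
        return None
    if event["SourceImage"].lower() in ALLOWLISTED_SOURCES:
        return None
    return {
        "source": event["SourceImage"],
        "granted_access": event["GrantedAccess"],
        "direct_syscall_suspected": syscall_outside_ntdll(event["CallTrace"]),
    }


def triage_all(events: list) -> list:
    """Apply triage() to every event and keep only the findings."""
    return [finding for finding in map(triage, events) if finding is not None]


if __name__ == "__main__":
    for finding in triage_all(CONSTRUCTED_EVENTS):
        print(finding)
```

Only the constructed `dumper.exe` event survives triage: the `svchost.exe` open lacks `PROCESS_VM_READ`, the `notepad.exe` target is out of scope, and `wininit.exe` is allowlisted. The CallTrace heuristic is a secondary signal rather than proof, since legitimate software with its own syscall stubs would also trip it; the access mask against `lsass.exe` from a non-allowlisted image is the primary one.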
## System Requirements
- Windows operating system with administrative privileges.
- Proper configuration to allow for direct system calls (may require adjustments on different versions of Windows).
Use this table for syscall numbers: https://j00ru.vexillium.org/syscalls/nt/64/
## References
- https://github.com/Offensive-Panda/D3MPSEC/tree/main
- https://github.com/outflanknl/Dumpert