Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/outflanknl/Dumpert
LSASS memory dumper using direct system calls and API unhooking.
https://github.com/outflanknl/Dumpert
Last synced: 21 days ago
JSON representation
LSASS memory dumper using direct system calls and API unhooking.
- Host: GitHub
- URL: https://github.com/outflanknl/Dumpert
- Owner: outflanknl
- Created: 2019-06-17T18:22:01.000Z (over 5 years ago)
- Default Branch: master
- Last Pushed: 2021-01-05T08:58:26.000Z (almost 4 years ago)
- Last Synced: 2024-11-05T13:26:36.318Z (about 1 month ago)
- Language: C
- Homepage:
- Size: 83 KB
- Stars: 1,485
- Watchers: 37
- Forks: 243
- Open Issues: 6
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
- awesome-hacking-lists - outflanknl/Dumpert - LSASS memory dumper using direct system calls and API unhooking. (C)
README
### Dumpert, an LSASS memory dumper using direct system calls and API unhooking
Recent malware research shows that there is an increase in malware that is using direct system calls to evade user-mode API hooks used by security products.
This tool demonstrates the use of direct System Calls and API unhooking and combine these techniques in a proof of concept code which can be used to create a LSASS memory dump using Cobalt Strike,
while not touching disk and evading AV/EDR monitored user-mode API calls.More info about the used techniques can be found on the following Blog:
https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/Two versions of the code are included:
An executable and a DLL version of the code.
The DLL version can be run as follows:```
rundll32.exe C:\Dumpert\Outflank-Dumpert.dll,Dump
```Also, an sRDI version of the code is provided, including a Cobalt Strike agressor script.
This script uses shinject to inject the sRDI shellcode version of the dumpert DLL into the current process.
Then it waits a few seconds for the lsass minidump to finish and finally downloads the minidump file from the victim host.Compile instructions:
```
This project is written in C and assembly.
You can use Visual Studio to compile it from source.
```The sRDI code can be found here: https://github.com/monoxgas/sRDI