Dump LSASS By Custom Code

Introduction

After compromising a machine, a Red Team operator has to avoid detection by antivirus software, and moving from one compromised machine to the next usually requires dumping credentials. Running Mimikatz will be detected by antivirus, so an operator who does not want to be caught has to write their own tool. We can do that with the MiniDumpWriteDump function to dump the LSASS process.

LSASS process

Local Security Authority Subsystem Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing the security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.

This means that the credential material of any user who logs on to the machine is held in the memory of the LSASS process.

Custom Code

In dbghelp.dll, there's a function named MiniDumpWriteDump. With MiniDumpWriteDump, we can dump the LSASS process's memory into a file and extract credentials from it.

The Syntax for MiniDumpWriteDump is:

BOOL MiniDumpWriteDump(
  [in] HANDLE                            hProcess,
  [in] DWORD                             ProcessId,
  [in] HANDLE                            hFile,
  [in] MINIDUMP_TYPE                     DumpType,
  [in] PMINIDUMP_EXCEPTION_INFORMATION   ExceptionParam,
  [in] PMINIDUMP_USER_STREAM_INFORMATION UserStreamParam,
  [in] PMINIDUMP_CALLBACK_INFORMATION    CallbackParam
);

Now let's write our C# code with a bit of help from P/Invoke.

C# Signature for MiniDumpWriteDump:

We also need the OpenProcess function.

C# Signature for OpenProcess:

At this time, we have all the pieces we need. Now let's write the code.

First, we need to get the LSASS process ID.

Then, get a handle to the LSASS process.

After that, dump the LSASS process's memory to a file.

The finally block.

Compile it

Now we can compile it with csc.exe as a DLL.

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe /target:library /out:dumper.dll dump.cs

After compiling the source code, let's check whether any antivirus catches the tool.

As the results show, none of them detect it! Awesome.

Test Time with Defender

Since we have a DLL file, we can run it directly from PowerShell via Reflection.Assembly.

First, load the DLL file.

Then, run it.

We managed to dump the LSASS process and bypass Windows Defender.
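From the defender's side, what this run leaves behind is an open of lsass.exe by powershell.exe with read access and the dump helper library on the call stack; the following is an added example (not code from the original post) that flags such records from Sysmon Event ID 10 (ProcessAccess), using constructed sample events and a constructed allowlist.

```python
# Access rights a caller needs to read LSASS memory the way MiniDumpWriteDump does:
# PROCESS_VM_READ plus one of the two QUERY rights.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
# MiniDumpWriteDump is exported by dbghelp.dll and implemented in dbgcore.dll.
DUMP_MODULES = ("dbghelp.dll", "dbgcore.dll")
# Constructed allowlist: processes expected to read LSASS on this host (tune per fleet).
ALLOWED_SOURCES = {r"c:\program files\windows defender\msmpeng.exe"}

def lsass_dump_reason(event):
    """Return why a Sysmon Event ID 10 record looks like an LSASS dump, else None."""
    if event.get("EventID") != 10:
        return None
    if not event.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return None
    if event.get("SourceImage", "").lower() in ALLOWED_SOURCES:
        return None
    granted = int(event.get("GrantedAccess", "0"), 16)
    dump_capable = bool(granted & PROCESS_VM_READ) and bool(
        granted & (PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION))
    stack = event.get("CallTrace", "").lower()
    via_dump_module = any(m in stack for m in DUMP_MODULES)
    reasons = []
    if dump_capable:
        reasons.append("dump-capable access mask")
    if via_dump_module:
        reasons.append("dump helper module in call stack")
    return " + ".join(reasons) or None

def find_lsass_dumps(events):
    # (SourceImage, reason) for every record that matches
    return [(e["SourceImage"], r) for e in events if (r := lsass_dump_reason(e))]

# Constructed sample records mirroring the fields of Sysmon Event ID 10 (ProcessAccess).
SAMPLE_EVENTS = [
    # What the DLL above produces when hosted by PowerShell: query + read access,
    # with the dump written through dbgcore.dll.
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1410",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d0e4|C:\Windows\System32\dbgcore.dll+2a1c"},
    # Query-only access is routine (process listings, Task Manager) and not dump-capable.
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d0e4|C:\Windows\System32\Taskmgr.exe+1f2a3"},
    # Allowlisted security product opening LSASS with full access.
    {"EventID": 10, "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d0e4"},
]
```

Either signal alone is worth an alert; the access-mask check also catches a dumper that avoids dbghelp.dll entirely, while the call-stack check catches a dump taken with an unusual access mask.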

Last Move

We can wrap this in a PowerShell script that loads the DLL via reflection and dumps the LSASS process.

Import the LSASS-Dumper function and run it.
