DumpThatLSASS :: Knowledge Base (KB)

DumpThatLSASS

Dumping LSASS by Unhooking MiniDumpWriteDump by getting a fresh DbgHelp.dll copy from the disk , plus functions and strings obfuscation , it contains Anti-sandbox , if you run it under unperformant Virtual Machine you need to uncomment the code related to it and recompile.

It’s Fully Undetectable and bypass almost all the vendors AV/EDRs, it doesn’t bypass RunAsPPL. Dumping LSASS by Unhooking MiniDumpWriteDump by getting a fresh DbgHelp.dll copy from the disk , plus functions and strings obfuscation, duplicate lsass handle from existed processes. The execution may take time, bcz of sandboxing check.

Compilation

Download source and compile with for example Visual Studio.

The binaries below are compiled on Windows 11 21H2 Build 22000.1335 on the 27th of December 2022.

Attachments

MiniDump_x64.exe (16 kb)

MiniDump_x86.exe (13 kb)

Usage

Start CMD or PowerShell as (local) administrator.

.\MiniDump_(x64/x86).exe

Examples

example

URL list

Github.com - DumpThatLSASS