Skip to content

ricardojoserf/NativeDump

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

19 Commits
Decoder
Decoder
 
 
NativeDump
NativeDump
 
 
NativeDump.sln
NativeDump.sln
 
 
README.md
README.md
 
 

Repository files navigation

NativeDump - "delegates" branch

This branch implements:

  • Ntdll.dll remapping by overwriting the process library ".text" section with the clean section from the file "C:\Windows\System32\ntdll.dll"
  • Dynamic function resolution using function delegates and custom implementations for GetModuleHandle and GetProcAddress
  • AES encryption for all relevant strings in the program ("lsass", "lsasrv.dll", function names...)
  • XOR-encoding the Minidump file bytes

Usage

NativeDump.exe [DUMP_FILE] [xor]
  • DUMP_FILE: Name of file to create. The default file name is "proc_.dmp".
  • "xor": Add the word "xor" after the file name to XOR the Minidump file bytes with the default value 0xCC.

You can update these values in the first lines of the Main function in Program.cs, included the XOR byte 0xCC (if you change it, update the Decoder project as well).

Example

Using the default values:

img

Using XOR-encoding:

img

About

Dump lsass using only NTAPI functions by hand-crafting Minidump files (without MiniDumpWriteDump!!!)

ricardojoserf.github.io/nativedump/

Topics

security-tools lsass ntapi redteam-tools ntdll-unhooking lsass-dump

Resources

Readme
Activity

Stars

705 stars

Watchers

6 watching

Forks

98 forks
Report repository

Releases

No releases published

Contributors

Languages