{"id":25265,"date":"2022-06-19T12:04:14","date_gmt":"2022-06-19T12:04:14","guid":{"rendered":"https:\/\/kalilinuxtutorials.com\/?p=25265"},"modified":"2022-06-19T12:04:15","modified_gmt":"2022-06-19T12:04:15","slug":"nanodump","status":"publish","type":"post","link":"https:\/\/kalilinuxtutorials.com\/nanodump\/","title":{"rendered":"Nanodump : A Crappy LSASS Dumper With No ASCII Art"},"content":{"rendered":"\n<p><strong>Nanodump<\/strong> is a flexible tool that creates a minidump of the LSASS process.<\/p>\n\n\n\n<h2 class=\"has-text-align-center has-vivid-green-cyan-background-color has-background wp-block-heading\" id=\"user-content-features\">Features<\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li>It uses syscalls (with&nbsp;SysWhispers2) for most operations.<\/li><li>Syscalls are called from an&nbsp;<strong>ntdll<\/strong>&nbsp;address to bypass some syscall detections.<\/li><li>It sets the syscall callback hook to NULL.<\/li><li>Windows APIs are called using dynamic invoke.<\/li><li>You can choose to download the dump without touching disk or write it to a file.<\/li><li>The minidump by default has an invalid signature to avoid detection.<\/li><li>It reduces the size of the dump by ignoring irrelevant DLLs. 
The (nano)dump tends to be around 10 MiB in size.<\/li><li>You don&#8217;t need to provide the PID of LSASS.<\/li><li>No calls to&nbsp;<strong>dbghelp<\/strong>&nbsp;or any other library are made; all the dump logic is implemented in nanodump.<\/li><li>Supports process forking.<\/li><li>Supports snapshots.<\/li><li>Supports handle duplication.<\/li><li>Supports MalSecLogon.<\/li><li>Supports the PPL userland exploit.<\/li><li>You can load nanodump in LSASS as a Security Support Provider (SSP).<\/li><li>You can use the .exe version to run&nbsp;<strong>nanodump<\/strong>&nbsp;outside of Cobalt Strike&nbsp;\ud83d\ude04.<\/li><\/ul>\n\n\n\n<h2 class=\"has-text-align-center has-vivid-green-cyan-background-color has-background wp-block-heading\" id=\"user-content-usage\">Usage<\/h2>\n\n\n\n<h3 class=\"has-text-align-center wp-block-heading\">Clone<\/h3>\n\n\n\n<p class=\"has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><strong>git clone https:\/\/github.com\/helpsystems\/nanodump.git<\/strong><\/p>\n\n\n\n<h3 class=\"has-text-align-center wp-block-heading\">Compile (optional)<\/h3>\n\n\n\n<p><strong>On Linux with MinGW<\/strong><\/p>\n\n\n\n<p class=\"has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><\/p>\n\n\n\n<p><strong>On Windows with MSVC<\/strong>&nbsp;(no BOF support)<\/p>\n\n\n\n<p class=\"has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><strong>nmake -f Makefile.msvc<\/strong><\/p>\n\n\n\n<h3 class=\"has-text-align-center wp-block-heading\">Import<\/h3>\n\n\n\n<p>Import the&nbsp;<code><strong>NanoDump.cna<\/strong><\/code>&nbsp;script in Cobalt Strike.<\/p>\n\n\n\n<h3 class=\"has-text-align-center wp-block-heading\">Run<\/h3>\n\n\n\n<p>Run the&nbsp;<code><strong>nanodump<\/strong><\/code>&nbsp;command in the Beacon 
console.<\/p>\n\n\n\n<p class=\"has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><strong>beacon&gt; nanodump<\/strong><\/p>\n\n\n\n<h3 class=\"has-text-align-center wp-block-heading\">Restore the signature<\/h3>\n\n\n\n<p>Once you have downloaded the minidump, restore the invalid signature:<\/p>\n\n\n\n<p class=\"has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><strong>scripts\/restore_signature &lt;dumpfile&gt;<\/strong><\/p>\n\n\n\n<h2 class=\"has-light-green-cyan-background-color has-background wp-block-heading\" id=\"user-content-fork\">Process forking<\/h2>\n\n\n\n<p>To avoid opening a handle to LSASS with&nbsp;<code><strong>PROCESS_VM_READ<\/strong><\/code>, you can use the&nbsp;<code><strong>--fork<\/strong><\/code>&nbsp;parameter.<br>This makes nanodump open a handle to LSASS with&nbsp;<code><strong>PROCESS_CREATE_PROCESS<\/strong><\/code>&nbsp;access and then create a &#8216;clone&#8217; of the process. This new process is then dumped. While this results in a process creation and deletion, it removes the need to read LSASS directly.<\/p>\n\n\n\n<h2 class=\"has-text-align-center has-vivid-green-cyan-background-color has-background wp-block-heading\" id=\"user-content-snapshot\">Snapshot<\/h2>\n\n\n\n<p>Similar to the&nbsp;<code><strong>--fork<\/strong><\/code>&nbsp;option, you can use&nbsp;<code><strong>--snapshot<\/strong><\/code>&nbsp;to create a snapshot of the LSASS process.<br>This makes nanodump open a handle to LSASS with&nbsp;<code><strong>PROCESS_CREATE_PROCESS<\/strong><\/code>&nbsp;access and then create a snapshot of the process using&nbsp;<code><strong>PssNtCaptureSnapshot<\/strong><\/code>. This new process is then dumped. 
The snapshot is freed automatically upon completion.<\/p>\n\n\n\n<h2 class=\"has-text-align-center has-vivid-green-cyan-background-color has-background wp-block-heading\" id=\"user-content-handledup\">Handle duplication<\/h2>\n\n\n\n<p>As opening a handle to LSASS can be detected, nanodump can instead search for existing handles to LSASS.<br>If one is found, it duplicates it and uses the copy to create the minidump.<br>Note that it is not guaranteed to find such a handle.<\/p>\n\n\n\n<h2 class=\"has-text-align-center has-vivid-green-cyan-background-color has-background wp-block-heading\" id=\"user-content-malseclogon\">MalSecLogon<\/h2>\n\n\n\n<p>To avoid opening a handle to LSASS, you can use MalSecLogon, a technique that (ab)uses&nbsp;<code><strong>CreateProcessWithLogonW<\/strong><\/code>&nbsp;to leak an LSASS handle.<br>To enable this feature, use the&nbsp;<code><strong>--malseclogon<\/strong><\/code>&nbsp;parameter.<br>Note that an unsigned nanodump binary needs to be written to disk to use this feature.<\/p>\n\n\n\n<h2 class=\"has-text-align-center has-vivid-green-cyan-background-color has-background wp-block-heading\" id=\"user-content-malseclogon-and-duplicate\">MalSecLogon and handle duplication<\/h2>\n\n\n\n<p>As noted above, using MalSecLogon requires a nanodump binary to be written to disk.<br>This can be avoided if&nbsp;<code><strong>--malseclogon<\/strong><\/code>&nbsp;and&nbsp;<code><strong>--dup<\/strong><\/code>&nbsp;are used together with&nbsp;<code><strong>--binary<\/strong><\/code>.<br>The trick is to leak a handle to LSASS using MalSecLogon, but instead of leaking it into nanodump.exe, leak it into another binary and then duplicate the leaked handle so that nanodump can use it.<\/p>\n\n\n\n<h2 class=\"has-text-align-center has-vivid-green-cyan-background-color has-background wp-block-heading\" id=\"user-content-ssp\">Load nanodump as an SSP<\/h2>\n\n\n\n<p>You can load nanodump as an SSP in LSASS to avoid opening a handle. 
The dump is written to disk with an invalid signature at&nbsp;<code><strong>C:\\Windows\\Temp\\report.docx<\/strong><\/code>&nbsp;by default. Once the dump is completed,&nbsp;<code><strong>DllMain<\/strong><\/code>&nbsp;returns FALSE to make LSASS unload the nanodump DLL.<br>To change the dump path and signature configuration, modify the function&nbsp;<code><strong>NanoDump<\/strong><\/code>&nbsp;in&nbsp;<code>entry.c<\/code>&nbsp;and recompile.<\/p>\n\n\n\n<h3 class=\"has-text-align-center wp-block-heading\">Upload and load a nanodump DLL<\/h3>\n\n\n\n<p>If used with no parameters, an unsigned nanodump DLL is uploaded to the Temp folder. Once the dump has been created, manually delete the DLL with the&nbsp;<code><strong>delete_file<\/strong><\/code>&nbsp;command.<\/p>\n\n\n\n<p class=\"has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><strong>beacon&gt; load_ssp<br>beacon&gt; delete_file C:\\Windows\\Temp\\[RANDOM].dll<\/strong><\/p>\n\n\n\n<h2 class=\"has-text-align-center has-vivid-green-cyan-background-color has-background wp-block-heading\" id=\"user-content-ppl\">PPL bypass<\/h2>\n\n\n\n<p>If LSASS is running as Protected Process Light (PPL), you can try to bypass it using a userland exploit discovered by Project Zero. 
If it is successful, the dump is written to disk.<\/p>\n\n\n\n<p>To access this feature, use the&nbsp;<code><strong>nanodump_ppl<\/strong><\/code>&nbsp;command:<\/p>\n\n\n\n<p class=\"has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><strong>beacon&gt; nanodump_ppl -v -w C:\\Windows\\Temp\\lsass.dmp<\/strong><\/p>\n\n\n\n<h2 class=\"has-text-align-center has-vivid-green-cyan-background-color has-background wp-block-heading\" id=\"user-content-params\">Parameters<\/h2>\n\n\n\n<h4 class=\"has-text-align-center wp-block-heading\">--getpid<\/h4>\n\n\n\n<p>Get the PID of LSASS and exit.<br>This is just for convenience; nanodump does not need the PID of LSASS.<\/p>\n\n\n\n<h4 class=\"has-text-align-center wp-block-heading\">--write -w &lt;path&gt; (required for EXE)<\/h4>\n\n\n\n<p>Where to write the dump file.<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>BOF<\/strong>: If this parameter is not provided, the dump is downloaded in a fileless manner.<\/li><li><strong>EXE<\/strong>: This parameter is required, given that no C2 channel exists.<\/li><\/ul>\n\n\n\n<h4 class=\"has-text-align-center wp-block-heading\">--valid -v<\/h4>\n\n\n\n<p>The minidump will have a valid signature.<br>If not provided, the signature will be invalid. 
Before analyzing the dump, restore its signature with:<br><code><strong>scripts\/restore_signature &lt;dumpfile&gt;<\/strong><\/code><\/p>\n\n\n\n<h4 class=\"has-text-align-center wp-block-heading\">--fork -f<\/h4>\n\n\n\n<p>Fork LSASS and dump this new process.<\/p>\n\n\n\n<h4 class=\"has-text-align-center wp-block-heading\">--snapshot -s<\/h4>\n\n\n\n<p>Create a snapshot of LSASS and dump this new process.<\/p>\n\n\n\n<h4 class=\"has-text-align-center wp-block-heading\">--dup -d<\/h4>\n\n\n\n<p>Try to find an existing handle to LSASS and duplicate it.<\/p>\n\n\n\n<h4 class=\"has-text-align-center wp-block-heading\">--malseclogon -m<\/h4>\n\n\n\n<p>Leak a handle to LSASS using MalSecLogon.<br><strong>If used as a BOF, an unsigned binary will be written to disk unless --dup is also provided!<\/strong><\/p>\n\n\n\n<h4 class=\"has-text-align-center wp-block-heading\">--binary -b &lt;path&gt;<\/h4>\n\n\n\n<p>Path to a binary such as&nbsp;<code><strong>C:\\Windows\\notepad.exe<\/strong><\/code>.<br>This option is used exclusively with&nbsp;<code><strong>--malseclogon<\/strong><\/code>&nbsp;and&nbsp;<code><strong>--dup<\/strong><\/code>.<\/p>\n\n\n\n<h2 class=\"has-text-align-center has-vivid-green-cyan-background-color has-background wp-block-heading\" id=\"user-content-examples\">Examples<\/h2>\n\n\n\n<p>Read LSASS indirectly by creating a fork and write the dump to disk with an invalid signature:<\/p>\n\n\n\n<p class=\"has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><strong>beacon&gt; nanodump --fork --write 
C:\\lsass.dmp<\/strong><\/p>\n\n\n\n<p>Use MalSecLogon to leak an LSASS handle into a notepad process, duplicate that handle to get access to LSASS, then read it indirectly by creating a fork and download the dump with a valid signature:<\/p>\n\n\n\n<p class=\"has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><strong>beacon&gt; nanodump --malseclogon --dup --fork --binary C:\\Windows\\notepad.exe --valid<\/strong><\/p>\n\n\n\n<p>Get a handle with MalSecLogon, read LSASS indirectly by using a fork and write the dump to disk with a valid signature (a nanodump binary will be uploaded!):<\/p>\n\n\n\n<p class=\"has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><strong>beacon&gt; nanodump --malseclogon --fork --valid --write C:\\Windows\\Temp\\lsass.dmp<\/strong><\/p>\n\n\n\n<h2 class=\"has-light-green-cyan-background-color has-background wp-block-heading\" id=\"user-content-redirectors\">HTTPS redirectors<\/h2>\n\n\n\n<p>If you are using an HTTPS redirector (as you should), you might run into issues when downloading the dump filelessly, because the requests that carry the dump are large.<br>Increase the maximum request body size on your web server to allow nanodump to download the dump.<\/p>\n\n\n\n<h4 class=\"has-light-green-cyan-background-color has-background wp-block-heading\">NGINX<\/h4>\n\n\n\n<p class=\"has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><strong>location ~ ^\u2026$ {<br>\u2026<br>client_max_body_size 50M;<br>}<\/strong><\/p>\n\n\n\n<h4 class=\"has-light-green-cyan-background-color has-background wp-block-heading\">Apache2<\/h4>\n\n\n\n<p class=\"has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><strong>LimitRequestBody 52428800<\/strong><\/p>\n\n\n\n<div class=\"wp-block-buttons 
is-content-justification-center is-layout-flex wp-container-core-buttons-is-layout-16018d1d wp-block-buttons-is-layout-flex\">\n<div class=\"wp-block-button is-style-outline is-style-outline--1\"><a class=\"wp-block-button__link has-vivid-cyan-blue-background-color has-background\" href=\"https:\/\/github.com\/helpsystems\/nanodump\"><strong>Download<\/strong><\/a><\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Nanodump, a flexible tool that creates a minidump of the LSASS process. Features It uses syscalls (with&nbsp;SysWhispers2) for most operations. Syscalls are called from an&nbsp;ntdll&nbsp;address to bypass some syscall detections. It sets the syscall callback hook to NULL. Windows APIs are called using dynamic invoke. You can choose to download the dump without touching disk [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":25283,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiENqdJgkaKOZyrSip4JpvgCc11J3ltKXyqXatcgV-lb51ne0HFzgDv7Arz615o2IjKIMAXAuV2GOG6IdOAf8UTyaxGLe0ZKuM5f_XmPf-elci0irrjb-VYujcBVv5SWimshUFrU5cmJ8jfiBnMiiNhcdz97Zt4R7-8m5ayuax3zY320-yLsBH2F_3m\/s728\/nanodump-a-crappy-lsass-dumper-with-no-ascii-art.png","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[28],"tags":[5293,5291,5292,5290],"class_list":["post-25265","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-kali","tag-ascii-art","tag-crappy-lsass","tag-dumper","tag-nanodump"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.0 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Nanodump : A Crappy LSASS Dumper With No ASCII Art<\/title>\n<meta name=\"description\" content=\"Nanodump, a flexible tool that creates a minidump of the LSASS process. 
It uses syscalls (with\u00a0SysWhispers2) for most operations.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/kalilinuxtutorials.com\/nanodump\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Nanodump : A Crappy LSASS Dumper With No ASCII Art\" \/>\n<meta property=\"og:description\" content=\"Nanodump, a flexible tool that creates a minidump of the LSASS process. It uses syscalls (with\u00a0SysWhispers2) for most operations.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/kalilinuxtutorials.com\/nanodump\/\" \/>\n<meta property=\"og:site_name\" content=\"Kali Linux Tutorials\" \/>\n<meta property=\"article:published_time\" content=\"2022-06-19T12:04:14+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2022-06-19T12:04:15+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiENqdJgkaKOZyrSip4JpvgCc11J3ltKXyqXatcgV-lb51ne0HFzgDv7Arz615o2IjKIMAXAuV2GOG6IdOAf8UTyaxGLe0ZKuM5f_XmPf-elci0irrjb-VYujcBVv5SWimshUFrU5cmJ8jfiBnMiiNhcdz97Zt4R7-8m5ayuax3zY320-yLsBH2F_3m\/s728\/nanodump-a-crappy-lsass-dumper-with-no-ascii-art.png\" \/>\n<meta name=\"author\" content=\"R K\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiENqdJgkaKOZyrSip4JpvgCc11J3ltKXyqXatcgV-lb51ne0HFzgDv7Arz615o2IjKIMAXAuV2GOG6IdOAf8UTyaxGLe0ZKuM5f_XmPf-elci0irrjb-VYujcBVv5SWimshUFrU5cmJ8jfiBnMiiNhcdz97Zt4R7-8m5ayuax3zY320-yLsBH2F_3m\/s728\/nanodump-a-crappy-lsass-dumper-with-no-ascii-art.png\" \/>\n<meta name=\"twitter:creator\" content=\"@CyberEdition\" \/>\n<meta name=\"twitter:site\" content=\"@CyberEdition\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta 
name=\"twitter:data1\" content=\"R K\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/nanodump\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/nanodump\/\"},\"author\":{\"name\":\"R K\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/#\/schema\/person\/69444b58b9e267a4cf08fceb34b6f6ad\"},\"headline\":\"Nanodump : A Crappy LSASS Dumper With No ASCII Art\",\"datePublished\":\"2022-06-19T12:04:14+00:00\",\"dateModified\":\"2022-06-19T12:04:15+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/nanodump\/\"},\"wordCount\":1056,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/#organization\"},\"image\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/nanodump\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiENqdJgkaKOZyrSip4JpvgCc11J3ltKXyqXatcgV-lb51ne0HFzgDv7Arz615o2IjKIMAXAuV2GOG6IdOAf8UTyaxGLe0ZKuM5f_XmPf-elci0irrjb-VYujcBVv5SWimshUFrU5cmJ8jfiBnMiiNhcdz97Zt4R7-8m5ayuax3zY320-yLsBH2F_3m\/s728\/nanodump-a-crappy-lsass-dumper-with-no-ascii-art.png\",\"keywords\":[\"ASCII Art\",\"Crappy LSASS\",\"Dumper\",\"Nanodump\"],\"articleSection\":[\"Kali Linux\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/kalilinuxtutorials.com\/nanodump\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/nanodump\/\",\"url\":\"https:\/\/kalilinuxtutorials.com\/nanodump\/\",\"name\":\"Nanodump : A Crappy LSASS Dumper With No ASCII 
Art\",\"isPartOf\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/nanodump\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/nanodump\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiENqdJgkaKOZyrSip4JpvgCc11J3ltKXyqXatcgV-lb51ne0HFzgDv7Arz615o2IjKIMAXAuV2GOG6IdOAf8UTyaxGLe0ZKuM5f_XmPf-elci0irrjb-VYujcBVv5SWimshUFrU5cmJ8jfiBnMiiNhcdz97Zt4R7-8m5ayuax3zY320-yLsBH2F_3m\/s728\/nanodump-a-crappy-lsass-dumper-with-no-ascii-art.png\",\"datePublished\":\"2022-06-19T12:04:14+00:00\",\"dateModified\":\"2022-06-19T12:04:15+00:00\",\"description\":\"Nanodump, a flexible tool that creates a minidump of the LSASS process. It uses syscalls (with\u00a0SysWhispers2) for most operations.\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/kalilinuxtutorials.com\/nanodump\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/nanodump\/#primaryimage\",\"url\":\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiENqdJgkaKOZyrSip4JpvgCc11J3ltKXyqXatcgV-lb51ne0HFzgDv7Arz615o2IjKIMAXAuV2GOG6IdOAf8UTyaxGLe0ZKuM5f_XmPf-elci0irrjb-VYujcBVv5SWimshUFrU5cmJ8jfiBnMiiNhcdz97Zt4R7-8m5ayuax3zY320-yLsBH2F_3m\/s728\/nanodump-a-crappy-lsass-dumper-with-no-ascii-art.png\",\"contentUrl\":\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiENqdJgkaKOZyrSip4JpvgCc11J3ltKXyqXatcgV-lb51ne0HFzgDv7Arz615o2IjKIMAXAuV2GOG6IdOAf8UTyaxGLe0ZKuM5f_XmPf-elci0irrjb-VYujcBVv5SWimshUFrU5cmJ8jfiBnMiiNhcdz97Zt4R7-8m5ayuax3zY320-yLsBH2F_3m\/s728\/nanodump-a-crappy-lsass-dumper-with-no-ascii-art.png\",\"width\":\"728\",\"height\":\"380\"},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/#website\",\"url\":\"https:\/\/kalilinuxtutorials.com\/\",\"name\":\"Kali Linux Tutorials\",\"description\":\"Kali Linux 
Tutorials\",\"publisher\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/kalilinuxtutorials.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/#organization\",\"name\":\"Kali Linux Tutorials\",\"url\":\"https:\/\/kalilinuxtutorials.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/kalilinuxtutorials.com\/wp-content\/uploads\/2025\/07\/Kali.png\",\"contentUrl\":\"https:\/\/kalilinuxtutorials.com\/wp-content\/uploads\/2025\/07\/Kali.png\",\"width\":272,\"height\":90,\"caption\":\"Kali Linux Tutorials\"},\"image\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/x.com\/CyberEdition\",\"https:\/\/www.threads.com\/@cybersecurityedition\",\"https:\/\/www.linkedin.com\/company\/cyberedition\",\"https:\/\/www.instagram.com\/cybersecurityedition\/\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/#\/schema\/person\/69444b58b9e267a4cf08fceb34b6f6ad\",\"name\":\"R K\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/d3937c9687f2da11bc0a716404ff91779fe19ca115208dbf66167ad353aca5aa?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/d3937c9687f2da11bc0a716404ff91779fe19ca115208dbf66167ad353aca5aa?s=96&d=mm&r=g\",\"caption\":\"R K\"},\"url\":\"https:\/\/kalilinuxtutorials.com\/author\/ranjith\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","jetpack_featured_media_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiENqdJgkaKOZyrSip4JpvgCc11J3ltKXyqXatcgV-lb51ne0HFzgDv7Arz615o2IjKIMAXAuV2GOG6IdOAf8UTyaxGLe0ZKuM5f_XmPf-elci0irrjb-VYujcBVv5SWimshUFrU5cmJ8jfiBnMiiNhcdz97Zt4R7-8m5ayuax3zY320-yLsBH2F_3m\/s728\/nanodump-a-crappy-lsass-dumper-with-no-ascii-art.png","jetpack_sharing_enabled":true}
https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjABeRDSMzS78kHoufR8U7YuqUOZThryJ0fVAh9q7RAC1zWmpxZpEmVB9uR6uCYIdqS92IKBBD4Zy1j1XZ3wxSDnu_dMlnOqCrSJRuZQV4H35N3Uerh2l8-nW0pZZa9BAokNBTgAWjKY6aIuo8dxiSR8Pv3rcPeD2NHMeX_NQQwAWwKV7lyXQhXrN3Y_3Fn\/s1600\/go-lsass.webp?resize=1400%2C800&ssl=1 4x"},"classes":[]},{"id":35248,"url":"https:\/\/kalilinuxtutorials.com\/shadowdumper\/","url_meta":{"origin":25265,"position":2},"title":"ShadowDumper &#8211; Advanced Techniques For LSASS Memory Extraction","author":"Varshini","date":"November 18, 2024","format":false,"excerpt":"Shadow Dumper is a powerful tool used to dump LSASS (Local Security Authority Subsystem Service) memory, often needed in penetration testing and red teaming activities. It offers flexible options to users and uses multiple advanced techniques to dump memory, allowing to access sensitive data in LSASS memory. Capabilities Unhooked Injection\u2026","rel":"","context":"In &quot;Hacking Tools&quot;","block_context":{"text":"Hacking Tools","link":"https:\/\/kalilinuxtutorials.com\/category\/hacking-tools\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgxq2jjmgvGfRH_nmitfjFwrfPqJeKGWMaRZUJRYN79JXU0cKq_OaM4EjbQ1zA3SONCL96Nxr3Y_r951_OpLmoUrMtdEQumiYFoeMll1a7fdtrdkMrv9JQY6OwA2MiWJqA8vQ9Ukn0HZ5ttd2P0i70BGJVdjLm0x5VHC0nhyphenhyphentYG6p25_qEX2vuxc_GlEQbt\/s1600\/ShadowDumper%20.webp?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgxq2jjmgvGfRH_nmitfjFwrfPqJeKGWMaRZUJRYN79JXU0cKq_OaM4EjbQ1zA3SONCL96Nxr3Y_r951_OpLmoUrMtdEQumiYFoeMll1a7fdtrdkMrv9JQY6OwA2MiWJqA8vQ9Ukn0HZ5ttd2P0i70BGJVdjLm0x5VHC0nhyphenhyphentYG6p25_qEX2vuxc_GlEQbt\/s1600\/ShadowDumper%20.webp?resize=350%2C200&ssl=1 1x, 
https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgxq2jjmgvGfRH_nmitfjFwrfPqJeKGWMaRZUJRYN79JXU0cKq_OaM4EjbQ1zA3SONCL96Nxr3Y_r951_OpLmoUrMtdEQumiYFoeMll1a7fdtrdkMrv9JQY6OwA2MiWJqA8vQ9Ukn0HZ5ttd2P0i70BGJVdjLm0x5VHC0nhyphenhyphentYG6p25_qEX2vuxc_GlEQbt\/s1600\/ShadowDumper%20.webp?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgxq2jjmgvGfRH_nmitfjFwrfPqJeKGWMaRZUJRYN79JXU0cKq_OaM4EjbQ1zA3SONCL96Nxr3Y_r951_OpLmoUrMtdEQumiYFoeMll1a7fdtrdkMrv9JQY6OwA2MiWJqA8vQ9Ukn0HZ5ttd2P0i70BGJVdjLm0x5VHC0nhyphenhyphentYG6p25_qEX2vuxc_GlEQbt\/s1600\/ShadowDumper%20.webp?resize=700%2C400&ssl=1 2x, https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgxq2jjmgvGfRH_nmitfjFwrfPqJeKGWMaRZUJRYN79JXU0cKq_OaM4EjbQ1zA3SONCL96Nxr3Y_r951_OpLmoUrMtdEQumiYFoeMll1a7fdtrdkMrv9JQY6OwA2MiWJqA8vQ9Ukn0HZ5ttd2P0i70BGJVdjLm0x5VHC0nhyphenhyphentYG6p25_qEX2vuxc_GlEQbt\/s1600\/ShadowDumper%20.webp?resize=1050%2C600&ssl=1 3x, https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgxq2jjmgvGfRH_nmitfjFwrfPqJeKGWMaRZUJRYN79JXU0cKq_OaM4EjbQ1zA3SONCL96Nxr3Y_r951_OpLmoUrMtdEQumiYFoeMll1a7fdtrdkMrv9JQY6OwA2MiWJqA8vQ9Ukn0HZ5ttd2P0i70BGJVdjLm0x5VHC0nhyphenhyphentYG6p25_qEX2vuxc_GlEQbt\/s1600\/ShadowDumper%20.webp?resize=1400%2C800&ssl=1 4x"},"classes":[]},{"id":20423,"url":"https:\/\/kalilinuxtutorials.com\/handlekatz\/","url_meta":{"origin":25265,"position":3},"title":"HandleKatz : PIC Lsass Dumper Using Cloned Handles","author":"R K","date":"November 22, 2021","format":false,"excerpt":"HandleKatz tool was implemented as part of our Brucon2021 conference talk and demonstrates the usage of\u00a0cloned handles to Lsass\u00a0in order to create an obfuscated memory dump of the same. It compiles down to an executable\u00a0living fully in its text segment. 
Thus, the extracted .text segment of the PE file is\u2026","rel":"","context":"In &quot;Kali Linux&quot;","block_context":{"text":"Kali Linux","link":"https:\/\/kalilinuxtutorials.com\/category\/kali\/"},"img":{"alt_text":"","src":"https:\/\/blogger.googleusercontent.com\/img\/a\/AVvXsEi_no5Uqs-ICZ9HMik4ryvrHrO416lIdEg2e9pjLBezw7vzaIn6OlZJpOWP6bQ4rAVJGn9bn6ruvG0vDkjflgRM_jOZzWzh6rbnKRKqXhohfrgi2Rp90FH1xQaTPxPwIFXSo47zODau597MLhLcjBu70S5XV3fqp-_7rjja-VflEqENZgi7GHUmpHyR=s728","width":350,"height":200,"srcset":"https:\/\/blogger.googleusercontent.com\/img\/a\/AVvXsEi_no5Uqs-ICZ9HMik4ryvrHrO416lIdEg2e9pjLBezw7vzaIn6OlZJpOWP6bQ4rAVJGn9bn6ruvG0vDkjflgRM_jOZzWzh6rbnKRKqXhohfrgi2Rp90FH1xQaTPxPwIFXSo47zODau597MLhLcjBu70S5XV3fqp-_7rjja-VflEqENZgi7GHUmpHyR=s728 1x, https:\/\/blogger.googleusercontent.com\/img\/a\/AVvXsEi_no5Uqs-ICZ9HMik4ryvrHrO416lIdEg2e9pjLBezw7vzaIn6OlZJpOWP6bQ4rAVJGn9bn6ruvG0vDkjflgRM_jOZzWzh6rbnKRKqXhohfrgi2Rp90FH1xQaTPxPwIFXSo47zODau597MLhLcjBu70S5XV3fqp-_7rjja-VflEqENZgi7GHUmpHyR=s728 1.5x, https:\/\/blogger.googleusercontent.com\/img\/a\/AVvXsEi_no5Uqs-ICZ9HMik4ryvrHrO416lIdEg2e9pjLBezw7vzaIn6OlZJpOWP6bQ4rAVJGn9bn6ruvG0vDkjflgRM_jOZzWzh6rbnKRKqXhohfrgi2Rp90FH1xQaTPxPwIFXSo47zODau597MLhLcjBu70S5XV3fqp-_7rjja-VflEqENZgi7GHUmpHyR=s728 2x"},"classes":[]},{"id":34427,"url":"https:\/\/kalilinuxtutorials.com\/trickdump\/","url_meta":{"origin":25265,"position":4},"title":"TrickDump &#8211; Evading Detection With Advanced Memory Dump Techniques","author":"Varshini","date":"August 13, 2024","format":false,"excerpt":"TrickDump dumps the lsass process without creating a Minidump file, generating instead 3 JSON and 1 ZIP file with the memory region dumps. In three steps: Lock: Get OS information using RtlGetVersion. 
Shock: Get SeDebugPrivilege privilege with NtOpenProcessToken and NtAdjustPrivilegeToken, open a handle with NtGetNextProcess and NtQueryInformationProcess and then get\u2026","rel":"","context":"In &quot;Cyber security&quot;","block_context":{"text":"Cyber security","link":"https:\/\/kalilinuxtutorials.com\/category\/cyber-security\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhge8lmol9tZGvsYT34G1Pa6vf2i-YKE59kzZddxGEDZO3RT4ITcAFYkFNq16MT0B_ZwC5XIgK6XQW0ztNtD7IWLygGLQevIBe4IBZcQPkDSaLLE11sjRSz9o3A-Lyy6IMewjuD_tkdJd3LiZwjI8Rl6U6lieXCIxUO327fB4_c-j0btXhy5xR9k9k2LhYn\/s16000\/TrickDump%20.webp?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhge8lmol9tZGvsYT34G1Pa6vf2i-YKE59kzZddxGEDZO3RT4ITcAFYkFNq16MT0B_ZwC5XIgK6XQW0ztNtD7IWLygGLQevIBe4IBZcQPkDSaLLE11sjRSz9o3A-Lyy6IMewjuD_tkdJd3LiZwjI8Rl6U6lieXCIxUO327fB4_c-j0btXhy5xR9k9k2LhYn\/s16000\/TrickDump%20.webp?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhge8lmol9tZGvsYT34G1Pa6vf2i-YKE59kzZddxGEDZO3RT4ITcAFYkFNq16MT0B_ZwC5XIgK6XQW0ztNtD7IWLygGLQevIBe4IBZcQPkDSaLLE11sjRSz9o3A-Lyy6IMewjuD_tkdJd3LiZwjI8Rl6U6lieXCIxUO327fB4_c-j0btXhy5xR9k9k2LhYn\/s16000\/TrickDump%20.webp?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhge8lmol9tZGvsYT34G1Pa6vf2i-YKE59kzZddxGEDZO3RT4ITcAFYkFNq16MT0B_ZwC5XIgK6XQW0ztNtD7IWLygGLQevIBe4IBZcQPkDSaLLE11sjRSz9o3A-Lyy6IMewjuD_tkdJd3LiZwjI8Rl6U6lieXCIxUO327fB4_c-j0btXhy5xR9k9k2LhYn\/s16000\/TrickDump%20.webp?resize=700%2C400&ssl=1 2x, 
https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhge8lmol9tZGvsYT34G1Pa6vf2i-YKE59kzZddxGEDZO3RT4ITcAFYkFNq16MT0B_ZwC5XIgK6XQW0ztNtD7IWLygGLQevIBe4IBZcQPkDSaLLE11sjRSz9o3A-Lyy6IMewjuD_tkdJd3LiZwjI8Rl6U6lieXCIxUO327fB4_c-j0btXhy5xR9k9k2LhYn\/s16000\/TrickDump%20.webp?resize=1050%2C600&ssl=1 3x, https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhge8lmol9tZGvsYT34G1Pa6vf2i-YKE59kzZddxGEDZO3RT4ITcAFYkFNq16MT0B_ZwC5XIgK6XQW0ztNtD7IWLygGLQevIBe4IBZcQPkDSaLLE11sjRSz9o3A-Lyy6IMewjuD_tkdJd3LiZwjI8Rl6U6lieXCIxUO327fB4_c-j0btXhy5xR9k9k2LhYn\/s16000\/TrickDump%20.webp?resize=1400%2C800&ssl=1 4x"},"classes":[]},{"id":32690,"url":"https:\/\/kalilinuxtutorials.com\/nativedump\/","url_meta":{"origin":25265,"position":5},"title":"NativeDump : A Cutting-Edge Approach For Secure Minidump Creation","author":"Varshini","date":"April 9, 2024","format":false,"excerpt":"NativeDump allows to dump the lsass process using only NTAPIs generating a Minidump file with only the streams needed to be parsed by tools like Mimikatz or Pypykatz (SystemInfo, ModuleList and Memory64List Streams). 
NTOpenProcessToken and NtAdjustPrivilegeToken to get the \"SeDebugPrivilege\" privilege RtlGetVersion to get the Operating System version details (Major\u2026","rel":"","context":"In &quot;Cyber security&quot;","block_context":{"text":"Cyber security","link":"https:\/\/kalilinuxtutorials.com\/category\/cyber-security\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi5Ft-UOoGI6eIMENI3BEOv6H1NBpCE_VgvLXHbQtSJSDwjzy-zKxXOVwO0MTOOuJjPbjzCH-_v-UY9h1Fhvzlsx5KYwE3YIWQQnSsbe4vVvSzT7MXUq0LTE6UufYmuJWMIlSb1snC0FOzn05-pfgmog3AP3hw9hNrtDjLrdCIrSdJ_cVPYz4cce9GLMp-h\/s16000\/NativeDump%20.webp?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi5Ft-UOoGI6eIMENI3BEOv6H1NBpCE_VgvLXHbQtSJSDwjzy-zKxXOVwO0MTOOuJjPbjzCH-_v-UY9h1Fhvzlsx5KYwE3YIWQQnSsbe4vVvSzT7MXUq0LTE6UufYmuJWMIlSb1snC0FOzn05-pfgmog3AP3hw9hNrtDjLrdCIrSdJ_cVPYz4cce9GLMp-h\/s16000\/NativeDump%20.webp?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi5Ft-UOoGI6eIMENI3BEOv6H1NBpCE_VgvLXHbQtSJSDwjzy-zKxXOVwO0MTOOuJjPbjzCH-_v-UY9h1Fhvzlsx5KYwE3YIWQQnSsbe4vVvSzT7MXUq0LTE6UufYmuJWMIlSb1snC0FOzn05-pfgmog3AP3hw9hNrtDjLrdCIrSdJ_cVPYz4cce9GLMp-h\/s16000\/NativeDump%20.webp?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi5Ft-UOoGI6eIMENI3BEOv6H1NBpCE_VgvLXHbQtSJSDwjzy-zKxXOVwO0MTOOuJjPbjzCH-_v-UY9h1Fhvzlsx5KYwE3YIWQQnSsbe4vVvSzT7MXUq0LTE6UufYmuJWMIlSb1snC0FOzn05-pfgmog3AP3hw9hNrtDjLrdCIrSdJ_cVPYz4cce9GLMp-h\/s16000\/NativeDump%20.webp?resize=700%2C400&ssl=1 2x, https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi5Ft-UOoGI6eIMENI3BEOv6H1NBpCE_VgvLXHbQtSJSDwjzy-zKxXOVwO0MTOOuJjPbjzCH-_v-UY9h1Fhvzlsx5KYwE3YIWQQnSsbe4vVvSzT7MXUq0LTE6UufYmuJWMIlSb1snC0FOzn05-pfgmog3AP3hw9hNrtDjLrdCIrSdJ_cVPYz4cce9GLMp-h\/s16000\/NativeDump%20.webp?resize=1050%2C600&ssl=1 3x, 
https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi5Ft-UOoGI6eIMENI3BEOv6H1NBpCE_VgvLXHbQtSJSDwjzy-zKxXOVwO0MTOOuJjPbjzCH-_v-UY9h1Fhvzlsx5KYwE3YIWQQnSsbe4vVvSzT7MXUq0LTE6UufYmuJWMIlSb1snC0FOzn05-pfgmog3AP3hw9hNrtDjLrdCIrSdJ_cVPYz4cce9GLMp-h\/s16000\/NativeDump%20.webp?resize=1400%2C800&ssl=1 4x"},"classes":[]}],"_links":{"self":[{"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/posts\/25265","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/comments?post=25265"}],"version-history":[{"count":17,"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/posts\/25265\/revisions"}],"predecessor-version":[{"id":25731,"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/posts\/25265\/revisions\/25731"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/media\/25283"}],"wp:attachment":[{"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/media?parent=25265"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/categories?post=25265"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/tags?post=25265"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}