DuplicateDump: Dumping LSASS with a duplicated handle
DuplicateDump
DuplicateDump is a fork of MirrorDump with the following modifications:
- DInvoke implementation
- The LSA plugin DLL is written in C++ so that it can be unloaded and cleaned up after LSASS has been dumped. MirrorDump compiles its LSA plugin as a .NET assembly, which the LSASS process does not unload; that is why MirrorDump failed to delete its plugin.
- The PID of the dump process (i.e., DuplicateDump) is shared with the LSA plugin through a named pipe
- The value "0" is passed to MiniDumpWriteDump instead of the LSASS PID, which prevents MiniDumpWriteDump from opening its own handle to LSASS
DuplicateDump adds a custom LSA plugin that duplicates the LSASS process handle from inside the LSASS process into DuplicateDump, so DuplicateDump has a ready-to-use process handle to LSASS without ever calling OpenProcess.
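From the detection side, the design above means the usual Sysmon Event 10 (ProcessAccess on lsass.exe) may never fire, since no OpenProcess call is made; what does remain visible is the plugin DLL being loaded into lsass.exe (Event 7) and the named pipe used to pass the PID (Events 17/18). The following triage logic over constructed Sysmon-style events is an added example, not code from DuplicateDump; the event field names are Sysmon's, while the sample paths, pipe name and the baseline pipe allowlist are assumptions.

```python
"""Flag LSA-plugin style activity in Sysmon events (added example).

A handle-duplication dump never calls OpenProcess on lsass, so Sysmon
Event 10 (ProcessAccess) may be absent. Look instead at what is loaded
into lsass.exe (Event 7) and at named pipes lsass.exe creates or joins
(Events 17/18). The image-load record survives even if the DLL on disk
is deleted afterwards.
"""
LSASS = r"c:\windows\system32\lsass.exe"
TRUSTED_SIGNERS = {"microsoft windows", "microsoft corporation"}
# Pipes lsass.exe is expected to own on a baseline host (assumption; tune
# to your environment after baselining).
BASELINE_PIPES = {r"\lsass", r"\protected_storage"}


def analyze(events):
    """Return (reason, detail) tuples for suspicious lsass.exe events."""
    alerts = []
    for ev in events:
        if ev.get("Image", "").lower() != LSASS:
            continue
        eid = ev.get("EventID")
        if eid == 7:  # Image loaded into lsass.exe
            signed = str(ev.get("Signed", "")).lower() == "true"
            signer = ev.get("Signature", "").lower()
            if not signed or signer not in TRUSTED_SIGNERS:
                alerts.append(("untrusted_dll_in_lsass", ev["ImageLoaded"]))
        elif eid in (17, 18):  # PipeCreated / PipeConnected by lsass.exe
            if ev.get("PipeName", "").lower() not in BASELINE_PIPES:
                alerts.append(("lsass_named_pipe", ev["PipeName"]))
    return alerts


# Constructed Sysmon-style events for illustration; not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Windows\System32\lsass.exe",
     "ImageLoaded": r"C:\Windows\System32\msv1_0.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"EventID": 7, "Image": r"C:\Windows\System32\lsass.exe",
     "ImageLoaded": r"C:\Users\Public\plugin.dll",
     "Signed": "false", "Signature": ""},
    {"EventID": 17, "Image": r"C:\Windows\System32\lsass.exe",
     "PipeName": r"\lsass"},
    {"EventID": 18, "Image": r"C:\Windows\System32\lsass.exe",
     "PipeName": r"\pidpipe"},
    {"EventID": 7, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Users\Public\plugin.dll",
     "Signed": "false", "Signature": ""},
]

if __name__ == "__main__":
    for reason, detail in analyze(SAMPLE_EVENTS):
        print(reason, detail)
```

Pair this with monitoring of AddSecurityPackage activity and the LSA plugin registry configuration, and with a review of why lsass.exe ever loads code not signed by Microsoft.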
Testing
When loaded in memory, DuplicateDump was able to dump LSASS memory without detection on:
- Symantec 14.3
- Kaspersky Enterprise
- Windows Defender
It was detected by Cortex XDR and CrowdStrike, and it failed to dump LSASS without detection on SentinelOne.
Improvement
- DuplicateDump uses DInvoke to call the AddSecurityPackage API to load the LSA plugin. You could use RPC calls instead of invoking that API directly; see XPN's blog post for details.
- Recently, splinter_code discovered that SecLogon could be leveraged to dump LSASS. His blog post is strongly recommended reading.