POSTDump: perform a minidump of the LSASS process using a few techniques to avoid detection
POSTDump
Another tool to perform a minidump of the LSASS process using a few techniques to avoid detection.
POSTDump is a C# / .NET implementation of the ReactOS minidump function (like NanoDump), which avoids calling the Windows API function MiniDumpWriteDump. The dump logic lives in the POSTMinidump project; feel free to use it in your own projects.
As with NanoDump, the minidump can be encrypted or written with an invalid signature.
Use of the ProcExp driver is supported to dump or kill protected processes.
Evasion
- Indirect syscalls, with the Halo's Gate technique used to retrieve syscall IDs
- No memory allocation or protection call is made for the indirect syscalls; instead, a free RWX code cave found in the current process is used
- ETW patching
- No call to MiniDumpWriteDump
Improvement ideas
- Implement more dump techniques (seclogon, PPLMedic, Shtinkering, ...)
- More evasion techniques (callstack spoofing)
- Implement GodFault to avoid driver usage