NanoDump: creates a minidump of the LSASS process

by ddos ·

NanoDump

A flexible tool that creates a minidump of the LSASS process.

Feature

Process forking

 

To avoid opening a handle to LSASS with PROCESS_VM_READ, you can use the --fork parameter.
This will make nanodump create a handle to LSASS with PROCESS_CREATE_PROCESS access and then create a ‘clone’ of the process. This new process will then be dumped. While this will result in a process creation and deletion, it removes the need to read LSASS directly.

Snapshot

Similarly to the --fork option, you can use --snapshot to create a snapshot of the LSASS process.
This will make nanodump create a handle to LSASS with PROCESS_CREATE_PROCESS access and then create a snapshot of the process using PssNtCaptureSnapshot. This new process will then be dumped. The snapshot will be freed automatically upon completion.

Handle duplication

As opening a handle to LSASS can be detected, nanodump can instead search for existing handles to LSASS.
If one is found, it will copy it and use it to create the minidump.
Note that it is not guaranteed to find such a handle.

Elevate handle

You can obtain a handle to LSASS with PROCESS_QUERY_LIMITED_INFORMATION, which is likely to be whitelisted, and then elevate that handle by duplicating it.

Seclogon handle leak local

To avoid opening a handle to LSASS, you can use abuse the seclogon service by calling CreateProcessWithLogonW to leak an LSASS handle into the nanodump binary.
To enable this feature, use the --seclogon-leak-local parameter.
Take into account that when used from Cobalt Strike, an unsigned nanodump binary needs to be written to disk to use this feature.

Seclogon handle leak remote

This technique is very similar to the previous one, but instead of leaking the handle into nanodump, it is leaked into another binary and then duplicated so that nanodump can used it. Use the --seclogon-leak-remote flag to access this functionality.

Seclogon handle duplication

You can trick the seclogon process into opening a handle to LSASS and duplicating it before it is closed, by winning a race condition using file locks. Use the --seclogon-duplicate flag to access this functionality.

Load nanodump as an SSP

You can load nanodump as an SSP in LSASS to avoid opening a handle.
When the DLL has been loaded into LSASS, the parameters will be passed via a named pipe and once the dump is completed, DllMain will return FALSE to make LSASS unload the nanodump DLL.
You can hardcode the parameters into the DLL and avoid using the named pipe altogether with the compiler flag PASS_PARAMS_VIA_NAMED_PIPES=0.

Upload and load a nanodump DLL

By default, an unsigned nanodump DLL will be uploaded to the Temp folder which will be deleted automatically.

beacon> nanodump_ssp -v -w C:\Windows\Temp\lsass.dmp
If you want to load a pre-existing DLL, you can run:
beacon> nanodump_ssp -v -w C:\Windows\Temp\lsass.dmp --load-dll C:\Windows\Temp\ssp.dll

PPL Dump exploit

If LSASS is running as Protected Process Light (PPL), you can try to bypass it using a userland exploit discovered by Project Zero. If it is successful, the dump will be written to disk.

Note that this vulnerability has been fixed in the July 2022 update pack (Windows 10 21H2 Build 19044.1826)

To access this feature, use the nanodump_ppl_dump command

beacon> nanodump_ppl_dump -v -w C:\Windows\Temp\lsass.dmp

PPL Medic exploit

Nanodump also implements the PPLMedic exploit, which works on systems that have the July 2022 update pack. The parameters will be passed to the nanodump DLL via a named pipe. You can hardcode the parameters into the DLL and avoid using the named pipe altogether with the compiler flag PASS_PARAMS_VIA_NAMED_PIPES=0.

To access this feature, use the nanodump_ppl_medic command

beacon> nanodump_ppl_medic -v -w C:\Windows\Temp\lsass.dmp

WerFault

You can force the WerFault.exe process to create a full memory dump of LSASS. Take into consideration that this requires the ability to write to the registry

Because the dump is not made by nanodump, it will always have a valid signature.

Silent Process Exit

To leverage the Silent Process Exit technique, use the --silent-process-exit parameter and the path where the dump should be created.

beacon> nanodump --silent-process-exit C:\Windows\Temp\
A dump of the nanodump process will also be created, similar to this:
PS C:\> dir 'C:\Windows\Temp\lsass.exe-(PID-648)-4035593\'

Directory: C:\Windows\Temp\lsass.exe-(PID-648)-4035593

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         6/23/2022   7:40 AM       58830409 lsass.exe-(PID-648).dmp
-a----         6/23/2022   7:40 AM        7862825 nanodump.x64.exe-(PID-3224).dmp
Shtinkering

You can also use the Shtinkering technique, which requires nanodump to run under SYSTEM:

beacon> nanodump --shtinkering
The dump will tipically be created under C:\Windows\system32\config\systemprofile\AppData\Local\CrashDumps

Spoof the callstack

You can open a handle to LSASS with a fake callstack to make the function call look a bit more legitimate (especially if run as BOF).
To access this feature, use the paramter --spoof-callstack.

Install & Use

Copyright (c) 2024 Fortra

Tags: LSASS process