NativeDump: Stealthy LSASS Dumping Tool Bypasses EDRs Using Only NTAPIs
NativeDump dumps the lsass process using only NTAPIs, generating a Minidump file that contains only the streams tools like Mimikatz or Pypykatz need in order to parse it (the SystemInfo, ModuleList and Memory64List streams). The NTAPIs used are:
- NtOpenProcessToken and NtAdjustPrivilegeToken to obtain the “SeDebugPrivilege” privilege
- RtlGetVersion to get the Operating System version details (major version, minor version and build number), which the SystemInfo Stream requires
- NtQueryInformationProcess and NtReadVirtualMemory to get the lsasrv.dll address. This is the only module required for the ModuleList Stream
- NtOpenProcess to get a handle to the lsass process
- NtQueryVirtualMemory and NtReadVirtualMemory to loop through the memory regions and dump all readable ones, populating the Memory64List Stream at the same time
The tool has been tested against the latest Windows versions with the most common security solutions (Microsoft Defender for Endpoints, CrowdStrike…) and works fine, but stealthiness will depend on the “flavour” you choose: use uncommon languages and customize the binaries for the best results! However, it does not work if PPL (LSA protection) is enabled.
Now it is possible to execute the programs without reading the PEB; check the peb-unreadable branch 🙂
Some benefits of this technique are:
- It does not use the well-known dbghelp!MinidumpWriteDump function
- It only uses functions from Ntdll.dll, so it is possible to bypass API hooking by remapping the library
- The Minidump file does not have to be written to disk, you can transfer its bytes (encoded or encrypted) to a remote machine
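Because the dump never has to touch disk, a defender is more likely to meet these files during triage of network captures or memory than through file scanning. As an added example (not part of NativeDump), the following parser reads the Minidump header and stream directory and flags a file that carries exactly the three streams described above; the sample dump bytes are constructed inline for the demonstration.

```python
import struct

# Stream type constants from minidumpapiset.h
MINIDUMP_SIGNATURE = 0x504D444D  # "MDMP"
MODULE_LIST_STREAM = 4
SYSTEM_INFO_STREAM = 7
MEMORY64_LIST_STREAM = 9
STREAM_NAMES = {3: "ThreadList", 4: "ModuleList", 5: "MemoryList", 6: "Exception",
                7: "SystemInfo", 8: "ThreadExList", 9: "Memory64List", 0x10: "Misc"}


def parse_stream_directory(data: bytes) -> list[tuple[int, int, int]]:
    """Parse MINIDUMP_HEADER and return [(StreamType, DataSize, Rva), ...]."""
    if len(data) < 32:  # MINIDUMP_HEADER is 32 bytes
        raise ValueError("too short for MINIDUMP_HEADER")
    sig, _version, nstreams, dir_rva = struct.unpack_from("<IIII", data, 0)
    if sig != MINIDUMP_SIGNATURE:
        raise ValueError("not a minidump (bad signature)")
    entries = []
    for i in range(nstreams):
        off = dir_rva + 12 * i  # MINIDUMP_DIRECTORY is 12 bytes per entry
        if off + 12 > len(data):
            raise ValueError("stream directory truncated")
        entries.append(struct.unpack_from("<III", data, off))
    return entries


def is_minimal_lsass_style_dump(data: bytes) -> bool:
    """True when the dump holds exactly the SystemInfo, ModuleList and
    Memory64List streams and nothing else, the shape NativeDump produces.
    A full MiniDumpWriteDump output carries many more streams."""
    types = {stream_type for stream_type, _, _ in parse_stream_directory(data)}
    return types == {SYSTEM_INFO_STREAM, MODULE_LIST_STREAM, MEMORY64_LIST_STREAM}


def build_minidump(stream_types: list[int]) -> bytes:
    """Constructed sample input: header plus a directory of empty streams.
    Signature, Version, NumberOfStreams, StreamDirectoryRva, CheckSum,
    TimeDateStamp, Flags; the directory starts right after the header."""
    header = struct.pack("<IIIIIIQ", MINIDUMP_SIGNATURE, 0xA793, len(stream_types),
                         32, 0, 0, 0)
    data_rva = 32 + 12 * len(stream_types)
    directory = b"".join(struct.pack("<III", t, 0, data_rva) for t in stream_types)
    return header + directory


if __name__ == "__main__":
    sample = build_minidump([SYSTEM_INFO_STREAM, MODULE_LIST_STREAM, MEMORY64_LIST_STREAM])
    for stream_type, size, rva in parse_stream_directory(sample):
        print(STREAM_NAMES.get(stream_type, hex(stream_type)), size, rva)
    print("minimal lsass-style dump:", is_minimal_lsass_style_dump(sample))
```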
You can find the project in different “flavours” (or languages):
- main – .NET basic implementation (this branch)
- python-flavour – Python implementation with 3 ntdll.dll overwrite methods + Exfiltrate to remote machine
- golang-flavour – Golang implementation with 3 ntdll.dll overwrite methods + Exfiltrate to remote machine
- c-flavour – C/C++ implementation with 3 ntdll.dll overwrite methods
- bof-flavour – BOF file with 3 ntdll.dll overwrite methods
- rust-flavour – Rust implementation by @safedv
- crystal-flavour – Crystal implementation with ntdll.dll overwrite capabilities
- nim-flavour – Nim implementation with ntdll.dll overwrite capabilities
Other interesting branches using .NET:
- remote – Exfiltrate to remote machine + 3 ntdll.dll overwrite methods + Dynamic function resolution + String AES encryption + XOR-encoding Minidump content
- all-modules – Get the information for all modules (not only lsasrv.dll)
- peb-unreadable – Implementation without reading lsass’ PEB structure + 3 ntdll.dll overwrite methods