[go: up one dir, main page]
Skip to content
/ TrickDump Public

Dump lsass using only NTAPIs running 3 programs to create 3 JSON and 1 ZIP file... and generate the MiniDump later!

ricardojoserf.github.io/trickdump/
353 stars 39 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

ricardojoserf/TrickDump

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

63 Commits
Barrel
Barrel
 
 
Lock
Lock
 
 
Shock
Shock
 
 
Trick
Trick
 
 
README.md
README.md
 
 
TrickDump.sln
TrickDump.sln
 
 
create_dump.py
create_dump.py
 
 

Repository files navigation

TrickDump - "c-flavour" branch

This branch implements the same functionality as the main branch but using C/C++.

Lock.exe [disk/knowndlls/debugproc]

Shock.exe [disk/knowndlls/debugproc]

Barrel.exe [disk/knowndlls/debugproc]

You can execute the programs directly without overwriting the ntdll.dll library:

img1

Or use one of the three different overwrite techniques ("disk", "knowndlls" or "debugproc"):

img2

Then use the create_dump.py script to generate the Minidump file in the attack system:

python3 create_dump.py [-l LOCK_JSON] [-s SHOCK_JSON] [-b BARREL_JSON] [-z BARREL_ZIP] [-o OUTPUT_FILE]

img4

All in one

If you prefer to execute only one binary, Trick.exe generates a ZIP file containing the 3 JSON files and the ZIP file with the memory regions:

Trick.exe [disk/knowndlls/debugproc]

It creates the ZIP file locally, optionally using a ntdll.dll overwrite method:

img5

With a ZIP file like this, unzip it and create the Minidump file using create_dump.py:

img7

About

Dump lsass using only NTAPIs running 3 programs to create 3 JSON and 1 ZIP file... and generate the MiniDump later!

ricardojoserf.github.io/trickdump/

Topics

security-tools mimikatz lsass redteam-tools lsass-dump

Resources

Readme
Activity

Stars

353 stars

Watchers

1 watching

Forks

39 forks
Report repository

Sponsor this project

Languages