DumpThatLSASS - 通过从磁盘上获取新的 DbgHelp.dll 副本,加上函数和字符串混淆,通过 Unhook MiniDumpWriteDump 转储 LSASS,它包含 Anti-sandbox,如果您在性能不佳的虚拟机下运行它,您需要取消注释与它相关的代码并重新编译。

Created at: 2022-09-25 06:37:06
Language: C++


It's Fully Undetectable and bypass almost all the vendors AV/EDRs, it doesn't bypass RunAsPPL

Dumping LSASS by Unhooking MiniDumpWriteDump by getting a fresh DbgHelp.dll copy from the disk , plus functions and strings obfuscation, duplicate lsass handle from existed processes.

The execution may take time, bcz of sandboxing check


it contains Anti-sandbox , if you run it under unperformant Virtual Machine you need to uncomment the code related to Anti-Debuging and Anti-Sandboxing at the beginning of the main and recompile.