MemoryDumper is a tool that creates an encrypted memory dump of the lsass.exe process and then decrypts it offline so that password hashes can be extracted from the dump. The project consists of two parts: MemoryDumper.cpp, which creates the encrypted memory dump, and Decrypt.cpp, which decrypts the encrypted dump file.
At the time of release, the tool could dump LSASS memory on a Windows Server 2022 host with Windows Defender enabled. Treat this as a point-in-time result: Defender signatures and behaviour rules change, and the tool does not attempt to bypass LSA Protection (RunAsPPL) or Credential Guard.
Note: This tool is not intended for use against EDRs, as they pose a different challenge that requires advanced evasion techniques. We are currently working on developing tools specifically for this purpose, so stay tuned for future updates.
Authors:

Requirements:
- Visual Studio (or another C++ compiler)
- Crypto++ library
Installation:
- Clone the repository or download the source files.
- Install the Crypto++ library: https://www.cryptopp.com/wiki/Visual_Studio
- Create a new Visual Studio project and add the MemoryDumper.cpp and Decrypt.cpp files. They are run as two separate programs (MemoryDumper.exe and Decrypt.exe), so build each as its own executable.
- Set up the project to use the Crypto++ library.
- Compile the project.
Usage:
- Run the compiled MemoryDumper.exe with administrative privileges to create an encrypted memory dump of the lsass.exe process. The encrypted dump file is saved as encrypted_lsass.dmp in the C:\Windows\tasks directory.
- To decrypt the encrypted memory dump, run the compiled Decrypt.exe with the path to the encrypted dump file as its command-line argument. The decrypted memory dump is saved as decrypted.dmp in the same directory as Decrypt.exe.
How MemoryDumper.cpp works:
- The program starts by enabling SeDebugPrivilege and checking that it is running as an elevated process. Both are required to open lsass.exe and dump its memory.
- It creates a new file named lsass.dmp in the C:\Windows\tasks\ directory to receive the memory dump.
- It searches the process list for lsass.exe and retrieves its process ID.
- It opens a handle to the lsass.exe process with PROCESS_ALL_ACCESS. Note that MiniDumpWriteDump only requires PROCESS_QUERY_INFORMATION | PROCESS_VM_READ on the handle; asking for every right makes the open stand out in access-mask telemetry (Sysmon Event ID 10 records the granted mask, 0x1FFFFF here), and if LSA Protection (RunAsPPL) is enabled the open is denied outright for a non-protected process.
- It loads Dbghelp.dll and resolves the address of MiniDumpWriteDump.
- MiniDumpWriteDump is called with the lsass.exe process handle, its process ID, and the dump file handle, producing a full memory dump of lsass.exe.
- The program then encrypts the dump with its EncFile function, which uses AES in CBC mode, and writes the result to encrypted_lsass.dmp in the C:\Windows\tasks\ directory.
- The original, unencrypted lsass.dmp is deleted. Until that point the plaintext dump exists on disk, so the encryption only protects the file at rest after that window.
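As an added example (not part of the project), here is what the handle open and MiniDumpWriteDump steps above look like from the telemetry side: a small Python checker over Sysmon Event ID 10 (ProcessAccess) records that flags lsass.exe handles able to read memory, raises the severity when the granted mask is the 0x1FFFFF this tool requests or when dbghelp.dll/dbgcore.dll appears in the call stack, and skips an allow-list of sources. The records, the allow-list and the file paths are constructed for the example and are not real captures.

```python
"""Flag Sysmon Event ID 10 (ProcessAccess) records that look like an lsass dump.
Added example, not the project's code; records and allow-list are constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Process access rights from winnt.h.  MiniDumpWriteDump needs only
# QUERY_INFORMATION | VM_READ (0x0410); the tool on this page asks for all of them.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_ALL_ACCESS = 0x1FFFFF
DUMP_MINIMUM = PROCESS_QUERY_INFORMATION | PROCESS_VM_READ

# Assumed allow-list of processes that read lsass on a healthy host; tune per estate.
ALLOWED_SOURCES = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\wbem\wmiprvse.exe",
}

# Constructed records in the layout of Sysmon's Event ID 10 message text.
SAMPLE_EVENTS = r"""
Process accessed:
UtcTime: 2024-05-01 10:15:02.117
SourceImage: C:\Windows\Tasks\MemoryDumper.exe
TargetImage: C:\Windows\System32\lsass.exe
GrantedAccess: 0x1FFFFF
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9d4c4|C:\Windows\System32\KERNELBASE.dll+2bc5e|C:\Windows\SYSTEM32\dbghelp.dll+3a1f2|C:\Windows\Tasks\MemoryDumper.exe+1a3c

Process accessed:
UtcTime: 2024-05-01 10:15:03.004
SourceImage: C:\Windows\System32\svchost.exe
TargetImage: C:\Windows\System32\lsass.exe
GrantedAccess: 0x1000
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9d4c4|C:\Windows\System32\KERNELBASE.dll+2bc5e

Process accessed:
UtcTime: 2024-05-01 10:16:41.550
SourceImage: C:\Users\Public\update.exe
TargetImage: C:\Windows\System32\lsass.exe
GrantedAccess: 0x410
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9d4c4|C:\Windows\System32\KERNELBASE.dll+2bc5e|C:\Users\Public\update.exe+2f10

Process accessed:
UtcTime: 2024-05-01 10:17:09.221
SourceImage: C:\Windows\System32\notepad.exe
TargetImage: C:\Windows\explorer.exe
GrantedAccess: 0x1FFFFF
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9d4c4
"""

@dataclass
class Access:
    time: str
    source: str
    target: str
    granted: int
    call_trace: str

def parse_events(text: str) -> List[Access]:
    """Split the message text into records and pull the fields the rule needs."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        f = {}
        for line in block.splitlines():
            if ": " in line:
                key, _, value = line.partition(": ")
                f[key.strip()] = value.strip()
        if "TargetImage" in f:
            events.append(Access(f.get("UtcTime", ""), f.get("SourceImage", ""),
                                 f["TargetImage"], int(f.get("GrantedAccess", "0"), 16),
                                 f.get("CallTrace", "")))
    return events

def classify(ev: Access) -> Optional[str]:
    """Severity for an lsass access that could read memory, or None if benign/irrelevant."""
    if not ev.target.lower().endswith(r"\lsass.exe"):
        return None
    if ev.source.lower() in ALLOWED_SOURCES:
        return None
    # Without both QUERY_INFORMATION and VM_READ the handle cannot feed MiniDumpWriteDump.
    if (ev.granted & DUMP_MINIMUM) != DUMP_MINIMUM:
        return None
    trace = ev.call_trace.lower()
    if "dbghelp.dll" in trace or "dbgcore.dll" in trace:   # MiniDumpWriteDump lives here
        return "high"
    return "high" if ev.granted == PROCESS_ALL_ACCESS else "medium"

def find_dump_attempts(text: str) -> List[Tuple[str, str, str, str]]:
    """(severity, time, source image, granted mask) for every suspicious record."""
    hits = []
    for ev in parse_events(text):
        sev = classify(ev)
        if sev:
            hits.append((sev, ev.time, ev.source, f"0x{ev.granted:X}"))
    return hits

if __name__ == "__main__":
    for sev, when, src, mask in find_dump_attempts(SAMPLE_EVENTS):
        print(f"[{sev.upper()}] {when} {src} opened lsass.exe with {mask}")
```

On the constructed records, the MemoryDumper.exe open (0x1FFFFF with dbghelp.dll on the stack) is reported as high and the unknown binary holding just 0x410 as medium; the svchost.exe access is dropped by the allow-list and the notepad.exe record is ignored because its target is not lsass.exe. The mask check is the important part: a rule that only matches 0x1FFFFF misses a dumper that requests the minimum rights.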
How Decrypt.cpp works:
- The key and initialization vector (IV) used for AES decryption are defined in the source code and must match the ones used for encryption in MemoryDumper.cpp. Because both are fixed constants, anyone with the source or the binaries can decrypt a dump, and every dump is encrypted under the same key and IV, so two dumps that begin with the same bytes produce the same leading ciphertext. The encryption hides the dump's content from a signature scan of the file; it is not a confidentiality control.
- The Decrypt function is called with the input file path, key, and IV. It reads the encrypted input file, decrypts it with AES in CBC mode, and writes the result to a new file named decrypted.dmp.
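Added example, not the project's code, showing the encryption layer shared by the EncFile step of MemoryDumper.cpp and the Decrypt function above, and what a fixed key and IV give away. It is Python using the `cryptography` package and assumes the file layout is raw AES-128-CBC with PKCS#7 padding (the Crypto++ StreamTransformationFilter default); the key, IV and the minidump header bytes are placeholders, not the tool's values.

```python
"""AES-CBC wrapping of an lsass minidump with a key and IV compiled into the
program, and what a fixed key/IV gives away.  Added example, not the project's
code: key, IV, header bytes and the raw-CBC + PKCS#7 layout are assumptions."""
from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

# Placeholder constants standing in for the values baked into the .cpp files.
KEY = bytes.fromhex("00112233445566778899aabbccddeeff")   # AES-128 (assumed key size)
IV = bytes.fromhex("0f0e0d0c0b0a09080706050403020100")
MINIDUMP_MAGIC = b"MDMP"   # MINIDUMP_HEADER.Signature, first 4 bytes of every minidump


def enc_file(plaintext: bytes, key: bytes = KEY, iv: bytes = IV) -> bytes:
    """EncFile-style wrap: PKCS#7 pad, then AES-CBC under the fixed key/IV."""
    padder = padding.PKCS7(128).padder()
    padded = padder.update(plaintext) + padder.finalize()
    enc = Cipher(algorithms.AES(key), modes.CBC(iv)).encryptor()
    return enc.update(padded) + enc.finalize()


def decrypt(ciphertext: bytes, key: bytes = KEY, iv: bytes = IV) -> bytes:
    """Decrypt-style unwrap: AES-CBC decrypt, then strip the PKCS#7 padding."""
    dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    padded = dec.update(ciphertext) + dec.finalize()
    unpadder = padding.PKCS7(128).unpadder()
    return unpadder.update(padded) + unpadder.finalize()


def is_minidump(data: bytes) -> bool:
    """The check a file scanner makes, and the one Decrypt.exe should make on its output."""
    return data[:4] == MINIDUMP_MAGIC


def build_sample_dump(body: bytes) -> bytes:
    """Constructed stand-in for a dump: a 16-byte header shaped like MINIDUMP_HEADER
    (Signature, Version with MINIDUMP_VERSION 0xA793 in the low word, NumberOfStreams,
    StreamDirectoryRva) followed by an arbitrary body.  Not a real lsass image."""
    header = (MINIDUMP_MAGIC + (0xA793).to_bytes(2, "little") + b"\x00\x00"
              + (13).to_bytes(4, "little") + (32).to_bytes(4, "little"))
    return header + body


def leading_block(ciphertext: bytes) -> bytes:
    """First CBC block.  With a fixed key and IV it depends only on the first 16
    plaintext bytes, so dumps that share a header share this block: the encrypted
    file can be fingerprinted without knowing the key."""
    return ciphertext[:16]


if __name__ == "__main__":
    dump_a = build_sample_dump(b"LSASS-A" * 64)
    dump_b = build_sample_dump(b"LSASS-B" * 64)
    enc_a, enc_b = enc_file(dump_a), enc_file(dump_b)
    print("plaintext looks like a minidump:", is_minidump(dump_a))
    print("ciphertext looks like a minidump:", is_minidump(enc_a))
    print("round trip ok:", decrypt(enc_a) == dump_a)
    print("same leading block for two different dumps:",
          leading_block(enc_a) == leading_block(enc_b))
```

The round trip is what the two programs do; the last line is the cost of hard-coding the IV. With a random per-file IV stored alongside the ciphertext the leading blocks would differ, but the key would still be in the binary, so the dump would remain readable by anyone who obtains it.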
The MemoryDumper and Decrypt programs work together to create an encrypted memory dump of the lsass.exe process and then decrypt it for further analysis. AES in CBC mode is used so that the file left on disk does not look like a minidump to signature-based scanning; it does nothing to hide the process access itself, which is where behaviour-based detection looks.
Contributions are welcome! If you have any ideas or improvements, please submit a pull request or open an issue to discuss the changes.
This project is licensed under the MIT License. Please see the LICENSE file for details.
This tool is provided for educational and research purposes only. The authors are not responsible for any damage caused by the misuse of this tool.