Fix typos and do minor cosmetic language tweaks #1

Open
wants to merge 1 commit into
base: master
17 changes: 8 additions & 9 deletions README.md
@@ -1,24 +1,23 @@
### Dumpert, a LSASS memory dumper using direct system calls and API unhooking
### Dumpert, an LSASS memory dumper using direct system calls and API unhooking

Recent malware research shows that there is an increase in malware that is using direct system calls to evade user-mode API hooks used by security products.
These tools demonstrates the use of direct System Calls and API unhooking and combine these techniques in a proof of concept code which can be used to create a LSASS memory dump using Cobalt Strike,
while not touching disk and evading AV/EDR monitored user-mode API calls.
This tool demonstrates the use of direct System Calls and API unhooking and combine these techniques in a proof of concept code which can be used to create an LSASS memory dump using Cobalt Strike, while not touching disk and evading AV/EDR-monitored user-mode API calls.

More info about the used techniques can be found on the following Blog:
https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/

Two version of the code are included:
Two versions of the code are included:

An executable version and a DLL version of the code.
The DLL version can be run as follow:
An executable and a DLL version.
The DLL version can be run as follows:

```
rundll32.exe C:\Dumpert\Outflank-Dumpert.dll,Dump
```

Also a sRDI version of the code is provided, including an Cobalt Strike agressor script.
Also, an sRDI version of the code is provided, including a Cobalt Strike agressor script.
This script uses shinject to inject the sRDI shellcode version of the dumpert DLL into the current process.
Then it waits a few seconds for the lsass minidump to finish and finally download the minidump file from the victim host.
Then it waits a few seconds for the lsass minidump to finish and finally downloads the minidump file from the victim host.

Compile instructions:

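Review bot: in the rewritten opening paragraph (the new "This tool demonstrates ..." line) the subject was changed from the plural "These tools" to the singular "This tool", but the verb "combine" was left plural; it should read "and combines these techniques in a proof of concept". Two further leftovers for a typo-fixing commit in this hunk: "agressor script" in the new "Also, an sRDI version ..." line is still misspelled (Cobalt Strike's term is "Aggressor Script", with two g's), and "direct System Calls" is capitalized mid-sentence while the heading directly above uses "direct system calls"; pick one form, preferably the lowercase one. Optionally, "while not touching disk" reads more naturally as "without touching disk".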
Expand All @@ -27,4 +26,4 @@ This project is written in C and assembly.
You can use Visual Studio to compile it from source.
```

The sRDI code can be found here: https://github.com/monoxgas/sRDI
The sRDI code can be found here: https://github.com/monoxgas/sRDI
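Review bot: the only changed line visible in this hunk, "The sRDI code can be found here: https://github.com/monoxgas/sRDI", reads identically before and after, so the difference must be whitespace-only (most likely the trailing newline at end of file). That is fine to include, but it is not a typo fix; a short line in the commit message or PR description noting that the README's trailing newline was normalized would save the next reader from hunting for a textual difference that is not there.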