Conversation

Create suspended process. Copy Peb, VadRoot, and DirBase from lsass eprocess into suspended eprocess. Dump suspended proc. I'm not responsible for your bsod.

gist.github.com

dump lsass but in a weird way you probably shouldn't do in prod with a vulnerable driver

dump lsass but in a weird way you probably shouldn't do in prod with a vulnerable driver - lel.cpp

Valentin

@EOSkyfail

Dec 3, 2022

And why not read lsass memory directly with the vulnerable driver?

#ifndef hjonk

@_mmpte_software

Dec 3, 2022

Passing a few dozen MB of data through an 8B swap space would be slow as hell, and would take like 2500000 calls to DeviceIoControl to read ~20MB. Plus I am lazy and don't want to parse the vad tree.

Valentin

@EOSkyfail

Dec 3, 2022

Another maybe more stable approach could be elevating handle permission (open a handle with low priv to lsass and DKOM it afterwards) or you could inject code to the kernel that iterates lsass memory with NtQueryVirtualMemory and dumps it to disk

namazso

@namazso

the reads might be detected using ETW, while code in kernel might be blocked by VBS. That's not to say there isn't a better method, you could probably do some pointer swap to memcpy.

6:05 PM · Dec 3, 2022

I agree with both of you, I wanted to avoid opening a handle to lsass entirely. My first thought was to use KernelForge but once I had this idea I really just wanted to make it work -- not saying this is the best way or the most stable way. Just thought it was interesting.

Valentin

@EOSkyfail

Dec 3, 2022

ETW can easily be temporarily disabled with one write