Conversation

Passing a few dozen MB of data through an 8B swap space would be slow as hell, and would take like 2500000 calls to DeviceIoControl to read ~20MB. Plus I am lazy and don't want to parse the VAD tree.
Another, maybe more stable, approach could be elevating handle permission (open a handle with low priv to lsass and DKOM it afterwards), or you could inject code into the kernel that iterates lsass memory with NtQueryVirtualMemory and dumps it to disk.
The reads might be detected using ETW, while code in kernel might be blocked by VBS. That's not to say there isn't a better method, you could probably do some pointer swap to memcpy.
I agree with both of you, I wanted to avoid opening a handle to lsass entirely. My first thought was to use KernelForge but once I had this idea I really just wanted to make it work -- not saying this is the best way or the most stable way. Just thought it was interesting.