Dumpert
LSASS memory dumper using direct system calls and API unhooking.
Recent malware research shows that there is an increase in malware that uses direct system calls to evade user-mode API hooks used by security products. This tool demonstrates the use of direct system calls and API unhooking and combines these techniques in proof-of-concept code which can be used to create an LSASS memory dump using Cobalt Strike, while not touching disk and evading AV/EDR-monitored user-mode API calls.
Two versions of the code are included:
- An executable and a DLL version of the code.
- An sRDI version of the code is provided, including a Cobalt Strike aggressor script.