LsassReflectDumping

This tool leverages the process-forking technique, using the RtlCreateProcessReflection API to clone the lsass.exe process. Once the clone exists, it uses MINIDUMP_CALLBACK_INFORMATION callbacks to write a memory dump of the cloned process.

Install / Use

/learn @Offensive-Panda/LsassReflectDumping
README

Steps

  • Getting a handle to the lsass.exe process.
  • Cloning the lsass.exe process with RtlCreateProcessReflection (process forking).
  • Using MINIDUMP_CALLBACK_INFORMATION callbacks to create a minidump of the cloned process.
  • Confirming the dump content and size.
  • Terminating the cloned process.
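For defenders, the step that stands out is the first one: every variant of this technique must first open a handle to lsass.exe with rights that allow reading its memory or using it as a fork parent. The following triage routine is an added example, not part of the LsassReflectDumping project; it assumes Sysmon Event ID 10 (ProcessAccess) field names, and the sample records and the allow-list of images expected to touch lsass.exe are constructed.

```python
"""Triage Sysmon Event ID 10 (ProcessAccess) records for sensitive handle opens on lsass.exe."""

# Access-right bits from the Windows PROCESS_* constants (winnt.h).
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_DUP_HANDLE = 0x0040
PROCESS_CREATE_PROCESS = 0x0080  # required to use a process as the parent of a new (forked) process

# Rights that let a caller read memory from, clone, or steal handles from the target.
SENSITIVE_MASK = (PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_READ
                  | PROCESS_DUP_HANDLE | PROCESS_CREATE_PROCESS)

# Constructed allow-list (hypothetical host); tune from a baseline of your own environment.
ALLOWED_SOURCES = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe"}

# Constructed Sysmon Event ID 10 records, flattened to "key=value|key=value" lines.
SAMPLE_EVENTS = [
    "SourceImage=C:\\Windows\\System32\\csrss.exe|TargetImage=C:\\Windows\\System32\\lsass.exe|GrantedAccess=0x1fffff",
    "SourceImage=C:\\Users\\bob\\Downloads\\ReflectDump.exe|TargetImage=C:\\Windows\\System32\\lsass.exe|GrantedAccess=0x1fffff",
    "SourceImage=C:\\Users\\bob\\tool.exe|TargetImage=C:\\Windows\\System32\\lsass.exe|GrantedAccess=0x1000",
    "SourceImage=C:\\Users\\bob\\tool.exe|TargetImage=C:\\Windows\\System32\\notepad.exe|GrantedAccess=0x1fffff",
]


def parse_event(line):
    """Split a flattened record into a dict; GrantedAccess is parsed as a hex mask."""
    fields = dict(part.split("=", 1) for part in line.split("|"))
    fields["GrantedAccess"] = int(fields["GrantedAccess"], 16)
    return fields


def suspicious_lsass_access(lines, allowed=ALLOWED_SOURCES):
    """Return (source_image, granted_access) for lsass.exe handle opens that request a
    sensitive right from an image outside the allow-list."""
    hits = []
    for ev in map(parse_event, lines):
        if not ev["TargetImage"].lower().endswith("\\lsass.exe"):
            continue  # only interested in the credential store process
        if ev["SourceImage"].lower() in allowed:
            continue  # known-good system component
        if ev["GrantedAccess"] & SENSITIVE_MASK:
            hits.append((ev["SourceImage"], ev["GrantedAccess"]))
    return hits


if __name__ == "__main__":
    for src, access in suspicious_lsass_access(SAMPLE_EVENTS):
        print(f"ALERT lsass.exe opened by {src} with access 0x{access:x}")
```

On the sample data only the ReflectDump.exe record is flagged: the csrss.exe open is allow-listed and the 0x1000 (PROCESS_QUERY_LIMITED_INFORMATION) open carries none of the sensitive bits.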

Usage

Simply execute the compiled file.

ReflectDump.exe

Offline Dumping

Use Mimikatz or Pypykatz to parse the dump file offline.

Mimikatz:

sekurlsa::minidump [filename]
sekurlsa::logonpasswords

Pypykatz:

pypykatz lsa minidump [filename]

Upcoming Features

* Encrypt the dump before writing it to disk to evade static detection.
* Exfiltrate the dump to a C2 server.

Disclaimer

The content provided on this repository is for educational and informational purposes only.

Reference

https://www.deepinstinct.com/blog/dirty-vanity-a-new-approach-to-code-injection-edr-bypass

Languages

C++
