Dumpert
Unable to dump LSASS memory on Windows 10 with Kaspersky Total Security
C:\Windows\Temp>.\Outflank-Dumpert.exe
________ __ _____.__ __
\_____ \ __ ___/ |__/ ____\ | _____ ____ | | __
/ | \| | \ __\ __\| | \__ \ / \| |/ /
/ | \ | /| | | | | |__/ __ \| | \ <
\_______ /____/ |__| |__| |____(____ /___| /__|_ \
\/ \/ \/ \/
Dumpert
By Cneeliz @Outflank 2019
[1] Checking OS version details:
[+] Operating System is Windows 10 or Server 2016, build number 18363
[+] Mapping version specific System calls.
[2] Checking Process details:
[+] Process ID of lsass.exe is: 584
[+] NtReadVirtualMemory function pointer at: 0x00007FFF92C3C840
[+] NtReadVirtualMemory System call nr is: 0x3f
[+] Unhooking NtReadVirtualMemory.
[3] Create memorydump file:
[+] Open a process handle.
[+] Dump lsass.exe memory to: \??\C:\Windows\Temp\dumpert.dmp
[!] Failed to create minidump, error code: 80070005
C:\Windows\Temp>systeminfo
Host Name: DESKTOP-1
OS Name: Microsoft Windows 10 Pro
OS Version: 10.0.18363 N/A Build 18363
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: localhost
It would be great if error code 80070005 could be explained, please, so that the same can be attempted.
I'm also facing the same issue. @transilience, did you find any solution for it?
80070005 error code is ACCESS DENIED. Not sure if it is about access to dumpert.dll or to lsass.exe process (likely the latter). Good news - when Kaspersky is in Pause mode, lsass.exe can be dumped (unlike using standard tools - Kaspersky's drivers block dumping lsass even when it is Paused)