Primary Use Case

This tool is designed for security researchers, red teamers, and forensic analysts who need to extract LSASS memory dumps from Windows endpoints without triggering common detection mechanisms. It is especially useful in scenarios requiring stealthy credential dumping or memory forensics where traditional minidump files are easily flagged by AV/EDR solutions.

Key Features

Dumps LSASS memory without creating a Minidump file, generating 3 JSON and 1 ZIP file instead

Uses only NTAPI functions to perform all operations, avoiding common API calls like OpenProcess

Splits the dumping process into three separate programs (Lock, Shock, Barrel) to reduce detection

Supports overwriting ntdll.dll .text section to bypass API hooking via three different methods

Available in multiple programming languages including .NET, Python, Golang, C/C++, BOF, Crystal, Nim, and Rust

Can operate without reading the PEB structure (supports peb-unreadable environments)

Compatible with latest Windows versions and tested against common AV and EDR solutions

Includes a Python script to generate a Minidump file from the JSON and ZIP outputs

Insights & Recommendations

TrickDump will not work if Protected Process Light (PPL) is enabled on LSASS or if the binaries are not compiled as 64-bit. Stealthiness depends on the chosen language 'flavour' and customization of binaries; using uncommon languages and overwrite methods can improve evasion. The tool avoids creating any Minidump files on disk or memory during dumping, reducing forensic footprints. It is recommended to test in controlled environments before deployment and verify compatibility with target Windows versions and security products.

Installation

Clone the repository from GitHub: git clone https://github.com/ricardojoserf/TrickDump.git
Choose your preferred language branch (e.g., main for .NET, python-flavour for Python, golang-flavour for Go)
Build or compile the binaries according to the language-specific instructions in the chosen branch
Ensure the target system is 64-bit and PPL (Protected Process Light) is not enabled
Optionally, use the peb-unreadable branch if PEB reading is restricted on the target system

Usage

Lock.exe [disk/knowndlls/debugproc]

Executes the first step to gather OS information and prepare for dumping, optionally overwriting ntdll.dll using one of three methods

Shock.exe [disk/knowndlls/debugproc]

Executes the second step to obtain SeDebugPrivilege, open LSASS handle, and collect module information

Barrel.exe [disk/knowndlls/debugproc]

Executes the final step to dump LSASS memory regions into JSON and ZIP files

python3 create_dump.py [-l LOCK_JSON] [-s SHOCK_JSON] [-b BARREL_JSON] [-z BARREL_ZIP] [-o OUTPUT_FILE]

Generates a Minidump file from the JSON and ZIP files produced by the three-step dumping process

Smart Usage Notes

Leverage TrickDump in red team engagements to simulate stealthy credential dumping and test detection capabilities of endpoint defenses.Integrate the JSON and ZIP output parsing into blue team forensic workflows to improve incident response and memory analysis.Use the multi-language support to embed TrickDump capabilities into custom offensive or defensive tooling for flexibility.Employ the API hooking bypass techniques to evaluate EDR resilience against stealthy memory dumping attacks.Combine TrickDump with threat hunting to proactively detect anomalous LSASS memory access patterns indicative of credential theft.

OpenSec Atlas

TrickDump

About This Tool

Primary Use Case

Key Features

Insights & Recommendations

Installation

Usage

Smart Usage Notes

Security Capability Profile

Tags

You Might Also Like