Description
Dumps lsass.exe memory to disk using a selectable technique and optionally XOR-encrypts the output.
Overview
This script opens a handle to lsass.exe, captures its memory using the requested technique, and writes the result to disk. On success the cmdlet emits a FileInfo object for the written file so the path can be piped to downstream commands.
The Mimikatz and UnhookSyscalls techniques operate differently: they restore the clean ntdll.dll .text section from disk and inject embedded shellcode into a sacrificial process. For these techniques, -OutputPath and -Encrypt are not applicable and no FileInfo is emitted.
The Stealth technique always applies GZip compression followed by XOR encryption regardless of -Encrypt; use Invoke-ShadowDecrypt to recover the plaintext MDMP.
Parameters
| Parameter | Type | Mandatory | Default | Description |
|---|---|---|---|---|
| Technique | DumpTechnique | Yes | — | The dump method to use. See the Techniques table below. |
| OutputPath | string | No | Technique-specific (see table) | Destination file path for the dump. Relative paths are resolved against the current PS location. Not applicable to Mimikatz or UnhookSyscalls. |
| Encrypt | switch | No | $false | XOR-encrypt the dump in memory before writing to disk. Supported by Callbacks and Fork only; a warning is emitted if specified for other techniques. |
Techniques
| Technique | Encrypt | Default Output Path | Description |
|---|---|---|---|
| Mimikatz | N/A | Shellcode-controlled | Restores the clean ntdll .text section then injects the embedded Mimikatz shellcode (PAN resource) into a sacrificial process. |
| UnhookSyscalls | N/A | Shellcode-controlled | Same ntdll-unhook pass as Mimikatz, but injects the embedded direct-syscall shellcode (OFF resource) instead. |
| Simple | Unsupported | C:\Users\Public\simpleMDWD.raw | Straightforward MiniDumpWriteDump call with SeDebugPrivilege. |
| Callbacks | Supported | C:\Users\Public\callback.elf | IoWriteAllCallback redirects all dbghelp file I/O into an in-memory buffer before writing to disk. |
| Fork | Supported | C:\Users\Public\panda.raw | RtlCreateProcessReflection fork of lsass; MiniDumpWriteDump is called on the forked handle. |
| Syscalls | Unsupported | C:\Users\Public\sysMDWD.file | Direct-syscall NtOpenProcess stub opens lsass without touching the Win32 API surface. |
| Native | Unsupported | C:\Users\Public\panda.sense | Fully native MDMP writer: walks memory with VirtualQueryEx, reads pages with NtReadVirtualMemory, serialises MDMP by hand — no MiniDumpWriteDump dependency. |
| Stealth | Always (GZip+XOR) | C:\Users\Public\stealth_dump.gz | Direct-syscall NtOpenProcess + MiniDumpWriteDump into a memory-preferred temp file. Output is always GZip-compressed then XOR-encrypted. |
Dependencies
dumpermodule
Operating Systems
- Windows x64
Pre-Requisites
- SeDebugPrivilege (Administrator or equivalent elevated token)
Example Usage
Dump lsass using the Native technique to the default output path:

```powershell
New-ShadowDump -Technique Native
```

Dump using Callbacks with XOR encryption to a custom path:

```powershell
New-ShadowDump -Technique Callbacks -Encrypt -OutputPath C:\Temp\dump.elf
```

Dump and report the output file name and size:

```powershell
New-ShadowDump Native | Select-Object FullName, Length
```

Run the Stealth technique (always encrypts; no -Encrypt needed):

```powershell
New-ShadowDump -Technique Stealth -OutputPath C:\Temp\out.gz
```
Example Output
Techniques that write to disk emit a FileInfo object:

```
FullName : C:\Users\Public\panda.sense
Length   : 83886080
```
The Mimikatz and UnhookSyscalls techniques do not emit a FileInfo — output location is controlled by the injected shellcode.
