Browse by type
A sophisticated, covert LSASS dumper using C++ and MASM x64.
As seen on Binary Defense and Cyber Security News
Don't be evil with this. I created this tool to learn. I'm not responsible if the Feds knock on your door.
Historically was able to (and may presently still) bypass - Windows Defender - Malwarebytes Anti-Malware - CrowdStrike Falcon EDR (Falcon Complete + OverWatch) - Palo Alto Cortex xDR (When combined with strong initial access methods)
Avoids detection by using various means, such as:
- Manually implementing NTAPI operations through indirect system calls
- ~~Disabling~~ Breaking telemetry features (i.e ETW)
- Polymorphism through compile-time hash generation
- Obfuscating API function names and pointers
- Duplicating existing LSASS handles instead of opening new ones
- Creating offline copies of the LSASS process to perform memory dumps on
- Corrupting the MDMP signature of dropped files
- Probably other stuff I forgot to mention here
$ claude mcp add LetMeowIn \
-- python -m otcore.mcp_server <graph>