Browse by type

Shadow Dumper is a powerful tool used to dump LSASS (Local Security Authority Subsystem Service) memory, often needed in penetration testing and red teaming activities. It offers flexible options to users and uses multiple advanced techniques to dump memory, allowing to access sensitive data in LSASS memory.
[!CAUTION] It's important to note that this project is only for educational and research purposes, and any unauthorized use of it could lead to legal consequences.
[!NOTE] V1.0 Compatibility: Windows (x64) [Tested with x64 build] on Windows 10 Version 22H2 (OS build 19045.5487) with major 10.0 [You may face issues on latest releases in some methods, this can be due to version of mimikatz]
To run ShadowDumper, execute the compiled binary from the powershell.
Default Mode (V1.0) - No Parameter Provided: Show the user friendly console with multiple options to execute

Default Mode (V2.0) - No Parameter Provided: Show the user friendly console with multiple options to execute

CommandLine Mode (V1.0) - Parameter: -h: Displays a help menu with all available options.

CommandLine Mode (V2.0) - Parameter: -h: Displays a help menu with all available options.

ShadowDumper.exe
- Parameter: 1: To dump lsass memory using unhooking technique to inject modified mimikatz binary [Token Elevation, SAM Dumping, Vault Credentials, Lsass Hashes Dumping].
ShadowDumper.exe
- Parameter: 2: To dump lsass memory using unhooking technique to inject binary using direct syscalls with MDWD.
ShadowDumper.exe
- Parameter: 3: To dump lsass memory using simple MiniDumpWriteDump API.
ShadowDumper.exe
- Parameter: 4: To dump lsass memory using MINIDUMP_CALLBACK_INFORMATION callbacks and encrypt the dumps before writing on disk as per your choice.
ShadowDumper.exe
- Parameter: 5: To dump lsass memory using process forking technique and encrypt the dumps before writing on disk as per your choice.
ShadowDumper.exe
- Parameter: 6: To dump lsass memory using direct syscalls with MiniDumpWriteDump.
ShadowDumper.exe
- Parameter: 7: To dump lsass memory using direct syscalls (native dump with needed streams for parsing offline).
ShadowDumper.exe
- Parameter: 8: To decrypt the dump file before offline parsing with tools like (mimikatz or pypykatz).
Demonstrates the working of ShadowDumper (V1.0).

Demonstrates the working of ShadowDumper (V2.0).

- Defense Evasion Techniques: Add more advance defense evasion techniques.
- Exfiltrate: Exfiltrate dump file over C2 server.
- Enhancement: Add more techniques to dump lsass memory.
Stay tuned for future releases!
Have questions, ideas, or want to collaborate? Reach out to the author for a conversation, or jump right in and contribute via GitHub Issues. Let's make something great together!
$ claude mcp add ShadowDumper \
-- python -m otcore.mcp_server <graph>