OmriBaso / RToolZ

A Stealthy Lsass Dumper - can abuse ProcExp152.sys driver to dump PPL Lsass, no dbghelp.lib calls.

Dump is not created #1

Open oliv4s opened 1 year ago

oliv4s commented 1 year ago

I'm trying to dump a PPL lsass process using the tools and I'm getting stuck at this point:

PS C:\Users\test\Downloads> .\OmriRToolZ.exe --write .\a.txt --valid -m 3 -p 864
got priv!
[+] Trying driver mode handle
HANDLE 000000000000009C
[+] omg got ppl to handle!
PS C:\Users\test\Downloads>

But the dump file is never created... The PROCEXP152.sys driver is loaded (Process Explorer is running).

What am I missing? Thanks!

OmriBaso commented 1 year ago

Hey,

Please contact me by mail or LinkedIn. Before that, try using a full path for the --write variable and DO NOT point to an already existing file.

oliv4s commented 1 year ago

I already tried using the full path in the --write flag. Where can I find your email?

OmriBaso commented 1 year ago

@oliv4s j3wker@gmail.com - Contact me