KslDump is a post-exploitation tool designed to dump LSASS memory even when Protected Process Light (PPL) is enabled. It achieves this without loading external drivers by repurposing a vulnerable version of the Microsoft-signed KslD.sys driver typically left on disk by Windows Defender updates.
Key Features
- Leverages the Bring the Microsoft Vulnerable Driver (BMVD) technique using pre-installed, signed binaries.
- Defeats KASLR by using driver sub-commands to read CPU registers, including CR3 and IDTR.
- Provides unrestricted physical and kernel virtual memory read primitives via the MmCopyMemory API.
- Bypasses PPL by accessing LSASS memory through the kernel-mode physical memory path, ignoring user-mode API restrictions.
- Automated kernel walking to locate EPROCESS structures and Directory Table Bases (DTB) for targeted process memory extraction.
Use Cases
- Bypassing LSASS protection mechanisms during red team operations to harvest NT hashes.
- Performing memory forensics and credential extraction in environments where third-party drivers are blocked by HVCI.
- Demonstrating the risks of stale, signed vulnerable binaries remaining in the Windows component store.
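As an added, defender-side example that is not part of KslDump: a PowerShell check that looks for the KslD.sys driver named above being registered or loaded on a host, using the Win32_SystemDriver class, System log Event ID 7045 (service installed) and Sysmon Event ID 6 (driver load). It assumes Sysmon is installed with driver-load logging enabled; the driver name comes from this page, while the lookback window and the output shape are assumptions.

```powershell
# Added example, not KslDump's own code. Collects host evidence that the
# KslD.sys driver (name taken from the README) is registered or was loaded.
# Assumes Sysmon is present with Event ID 6 (DriverLoad) logging enabled.
function Get-KslDDriverEvidence {
    [CmdletBinding()]
    param(
        [string]$DriverName = 'KslD.sys',   # driver name from the README
        [int]$Days = 7                      # assumed lookback window
    )
    $since   = (Get-Date).AddDays(-$Days)
    $pattern = [regex]::Escape($DriverName)

    # 1. Is the driver currently registered as a kernel service, and where on disk?
    #    A stale copy is only a risk once something registers and starts it.
    $registered = Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.PathName -and $_.PathName -match $pattern } |
        Select-Object Name, State, StartMode, PathName

    # 2. Service installation events (System log, Event ID 7045) naming the driver.
    #    A kernel service created for this file outside a Defender update is worth triage.
    $installs = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } `
        -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $pattern } |
        Select-Object TimeCreated, Message

    # 3. Sysmon driver-load events (Event ID 6) record the loaded image and its signature status.
    $loads = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 6; StartTime = $since } `
        -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $pattern } |
        Select-Object TimeCreated, Message

    [pscustomobject]@{
        RegisteredDriver = $registered
        ServiceInstalls  = $installs
        DriverLoads      = $loads
    }
}

# Run with a 30-day window and print each section.
Get-KslDDriverEvidence -Days 30 | Format-List
```

An empty result for all three sections means only that this host shows no registration or load of the named driver in the window; it does not prove the file is absent from the component store.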