TrickDump - Dump lsass without generating a Minidump file
TrickDump allows dumping the lsass process without generating a Minidump file, producing instead three JSON files and one zip file containing the dumps of the memory regions.
Ethical hacker | OSCE3 OSCP CRTM CRTL GX-PT
NativeDump allows dumping the lsass process using only NTAPIs. The original project is written in .NET and has been ported to Python and Golang, adding file exfiltration and three methods for overwriting ntdll (both optional).
Overwrite ntdll.dll’s “.text” section using a clean version of the DLL using Golang.
Overwrite ntdll.dll’s “.text” section using a clean version of the DLL using Python.
NativeDump allows dumping the lsass process using only NTAPIs, generating a Minidump file with only the streams needed for it to be parsed by tools like Mimikatz or Pypykatz (the SystemInfo, ModuleList and Memory64List streams).
A very dumb way to access Jenkins-protected credentials which I have not found documented anywhere.
GetModuleHandle implementation for remote processes in C# using only NTAPIs: NtQueryInformationProcess, NtReadVirtualMemory and NtOpenProcess.
This website contains most of the P/Invoke definitions from the now-offline pinvoke.net, adding a link to the Microsoft documentation for each one.