Since reverse shell files typically transmit non-HTTP requests, I developed a separate payload to dump the lsass.exe process.

Dump lsass

First, I obtain a snapshot to locate the PID of lsass.exe, then use OpenProcess to establish a handle:

1
2
3
4
5
6
7


// 2. Call OpenProcess (PROCESS_ALL_ACCESS), get lsass.exe handle

let lsass_handle = OpenProcess(
    PROCESS_ALL_ACCESS,
    0,
    lsass_pid
);

I then utilize the MiniDumpWriteDump function

1
2
3
4
5
6
7
8
9


let success = MiniDumpWriteDump(
    lsass_handle,
    lsass_pid,
    dump_file.as_raw_handle() as windows_sys::Win32::Foundation::HANDLE,
    dump_type,
    null(),
    null(),
    null()
);

The dump of lsass.exe was successfully obtained. Image description

Using PEStudio to analyze the Import Address Table (IAT) Image description As shown here, the Import Address Table (IAT) clearly contains suspicious function calls such as MiniDumpWriteDump, which are easily identifiable indicators of malicious behavior.

VirusTotal Analysis: Image description Detection rate: 8/72

Notably, Microsoft’s Defender flagged the sample on VirusTotal, while most other AV and EDR vendor engines did not mark it as malicious.

The analysis also flagged the dumping of sensitive information files. Image description

Valloc

The executable file was converted into a raw binary format.

I leveraged VirtualAlloc to allocate a region of memory with executable permissions, into which the shellcode was written and subsequently executed.

VirusTotal: Image description Detection rate: 36/72

By using x64dbg’s trace feature, it is easy to quickly observe when kernel32.dll calls VirtualAlloc. Image description

Valloc pointer

Image description Detection rate: 30/72

Also easy to observe kernel32.dll calls VirtualAlloc by x64dbg. Image description

Process Injection

I use OpenProcess open a handle, allocate executable memory, then write shellcode into the allocated memory. Execute the shellcode with a remote thread.

VirusTotal: Image description Detection rate: 23/72

Using x64dbg, it is straightforward to observe kernel32.dll invoking VirtualAlloc. Image description

WriteProcessMemory Image description

CreateRemoteThread Image description

Process Hollowing

VirusTotal:

Image description Detection rate: 22/72

Similarly as process injection, but not use VirtualAlloc.

Process Hollowing Antistring

In order to evade EDR monitoring, I employ unhooking methods to bypass hooked APIs.

VirusTotal: Image description Detection rate: 5/72 (!)

I rename the dump file to txt extension file. But still get rate 5/72 Image description

CrowdStrike Falcon change Win/malicious_confidence_70% (D) to Win/malicious_confidence_60% (D)

Bypass Sigma Rules!

2025/09/23 Edit:

After re-analyzing the sample on September 18, I observed clear shellcode indicators. Image description

The Next

I’ve decided not to convert the payload to shellcode for now. Instead, I will resolve all Win32 APIs to native/syscall entry points and, without using MiniDumpWriteDump, collect LSASS process data and extract the required artifacts directly from memory.