Doppelganger: mimicking LSASS to extract and hide credentials
Doppelganger is a tool that mimics the LSASS process to steal credentials, using process hollowing and a kernel driver vulnerability to bypass protection mechanisms. It creates a memory dump by cloning LSASS and hides the data with XOR encryption. The tool consists of the Doppelganger shellcode, the HollowReaper process-hollowing injector and the decryption script decrypt_xor_dump.py, and is intended for educational and research purposes. 2025-04-14 05:01:21 Author: github.com

Doppelganger is an arcane tool designed to mimic LSASS, extract its secrets, and hide them in plain sight. It builds upon the forbidden arts of HollowReaper, using hollowed processes, kernel exploits, and spectral clones to bypass protection and exfiltrate credentials with stealth.


📜 The Ritual

🩸 Doppelganger

The soul thief. This shellcode:

🛡️ Disables PPL using the cursed RTCore64.sys driver (BYOVD)

🧬 Clones LSASS into a benign replica

💾 Creates a Minidump from the clone

🗝️ XOR-encrypts the dump and writes it to disk, leaving behind only a shadow

🧿 Utilities

💀 HollowReaper.c

The vessel for your payload. This performs process hollowing, carving out a legitimate process and injecting your shellcode into its husk. 🔧 Instructions for generating the shellcode to embed are provided in the HollowReaper project.

🔐 decrypt_xor_dump.py

A local decryption utility. Use this to restore the original dump from its XOR-obfuscated form.

⚗️ The Components

File                  Purpose
Doppelganger          The shellcode: disable PPL, clone LSASS, dump and XOR
HollowReaper.c        Hollow a process and inject shellcode
decrypt_xor_dump.py   Python tool to decrypt the XOR-obfuscated dump
RTCore64.sys          Vulnerable driver used for PPL bypass (BYOVD)

🕯️ Usage Flow

Standalone

In order to use Doppelganger you must place RTCore64.sys in C:\Users\Public. Doppelganger can be used standalone or hollowed through HollowReaper.

Process Hollowed

1️⃣ Compile Doppelganger

2️⃣ Use Donut to convert it into shellcode

.\donut.exe -a 2 -f 7 -i Doppelganger.exe

3️⃣ XOR the shellcode and embed it into HollowReaper.c (look for util files in HollowReaper)

4️⃣ Run HollowReaper to hollow a process and trigger Doppelganger (all files saved to C:\Users\Public)

.\HollowReaper.exe "C:\windows\explorer.exe"

5️⃣ Use decrypt_xor_dump.py to decrypt the dumped file offline

python .\decrypt_xor_dump.py .\doppelganger.dmp
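Seen from the defender's side, the flow above leaves host artifacts the README itself names: a vulnerable driver loaded from C:\Users\Public, a hollowed explorer.exe touching lsass.exe, and a .dmp file written to the same public folder. As an added example (not part of the Doppelganger project), the Python check below flags those artifacts in constructed Sysmon-style JSON events; the field names follow Sysmon's schema, the sample records are constructed, and the PROCESS_CREATE_PROCESS access-right check is an assumption based on how process cloning works on Windows, not something the README states.

```python
import json

# Constructed Sysmon-style events as JSON lines (not real telemetry).
# Field names follow Sysmon's schema: 6 = DriverLoad, 10 = ProcessAccess,
# 11 = FileCreate. Paths come from the README's usage flow.
SAMPLE_EVENTS = r"""
{"EventID": 6, "ImageLoaded": "C:\\Users\\Public\\RTCore64.sys"}
{"EventID": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\ndis.sys"}
{"EventID": 10, "SourceImage": "C:\\Windows\\explorer.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1FFFFF"}
{"EventID": 10, "SourceImage": "C:\\Windows\\System32\\svchost.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1000"}
{"EventID": 11, "Image": "C:\\Windows\\explorer.exe", "TargetFilename": "C:\\Users\\Public\\doppelganger.dmp"}
{"EventID": 11, "Image": "C:\\Windows\\explorer.exe", "TargetFilename": "C:\\Users\\alice\\Desktop\\notes.txt"}
"""

# Locations any local user can write to; a driver or dump appearing here is suspicious.
USER_WRITABLE = ("c:\\users\\public\\", "c:\\windows\\temp\\", "c:\\programdata\\")
# Driver named on the page; in practice extend this from a vulnerable-driver blocklist.
KNOWN_BYOVD_DRIVERS = {"rtcore64.sys"}
# Assumption: cloning a process needs PROCESS_CREATE_PROCESS on the source
# (a general Win32 access right), so this bit granted on lsass.exe is the signal.
PROCESS_CREATE_PROCESS = 0x0080


def detect(events_text):
    """Return (rule, detail) tuples for events matching the dumping flow."""
    findings = []
    for line in events_text.strip().splitlines():
        ev = json.loads(line)
        eid = ev.get("EventID")
        if eid == 6:
            path = ev["ImageLoaded"].lower()
            name = path.rsplit("\\", 1)[-1]
            if name in KNOWN_BYOVD_DRIVERS or path.startswith(USER_WRITABLE):
                findings.append(("byovd_driver_load", ev["ImageLoaded"]))
        elif eid == 10 and ev.get("TargetImage", "").lower().endswith("\\lsass.exe"):
            if int(ev["GrantedAccess"], 16) & PROCESS_CREATE_PROCESS:
                findings.append(("lsass_clone_access", ev["SourceImage"]))
        elif eid == 11:
            target = ev["TargetFilename"].lower()
            if target.endswith(".dmp") and target.startswith(USER_WRITABLE):
                findings.append(("dump_written", ev["TargetFilename"]))
    return findings


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

Blocking the RTCore64.sys hash via the Microsoft vulnerable-driver blocklist and enabling LSA protection with the driver blocklist are the corresponding preventive controls; the check above is for confirming the chain after the fact.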

⚠️ Disclaimer:

This tool is provided for educational and research purposes only. Use responsibly. The arcane always watches. 🧿


Source: https://github.com/vari-sh/RedTeamGrimoire/tree/main/Doppelganger