Get-ADPen/thc-ImpeXary

AdverXarial Projects

thc-ImpeXary

LICENSE LICENSE-ADVERXARIAL

Extracts LSASS credentials via physical memory read primitives in vulnerable kernel binaries and drivers.

Extract LSASS credentials directly from physical memory by abusing signed vulnerable drivers that expose physical memory read primitives via MmMapIoSpace, bypassing traditional user-mode detection capabilities.

This release of impexary uses drivers that have already been publicly disclosed as vulnerable. For best results, impexary is intended to operate with kernel drivers that expose read-memory primitive vulnerabilities and are neither blocked at load time nor publicly known.

This public release does not include exploits for previously undisclosed drivers.

Instead, the project is designed to be modular and extensible, allowing users to research their own drivers and integrate them by extending the read-memory primitive functions in utils.c.

Internally, we have automated the discovery and exploitation process and maintain several signed kernel drivers with written exploits.
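From the defender's side, the driver-load telemetry is the counterpart to the technique described above: the tool depends on a signed driver being loaded without being blocked, so driver-load events are the place to look. The following is an added example, not part of this project's code: a small check over constructed records shaped like Sysmon Event ID 6 (DriverLoad) that flags drivers loaded from outside the system drivers directory, drivers whose signature status is not valid, and drivers whose SHA256 appears on a blocklist. The field names (ImageLoaded, Hashes, Signed, SignatureStatus) follow Sysmon's driver-load event; every path, hash and blocklist entry below is a constructed placeholder, not a real indicator.

```python
"""Flag suspicious kernel driver loads from Sysmon Event ID 6 (DriverLoad) records.

Added example, not part of thc-ImpeXary. The records below are constructed
samples shaped like Sysmon driver-load events; the hashes are placeholders,
not real indicators.
"""
import ntpath
from typing import Dict, Iterable, List, Tuple

# Constructed blocklist of SHA256 values (placeholders). In practice this would be
# fed from a maintained list such as Microsoft's vulnerable driver blocklist.
BLOCKED_SHA256 = {
    "AAAA" * 16,  # placeholder for a publicly disclosed vulnerable driver
}

# Drivers loaded from anywhere other than the OS driver directory deserve a look.
SYSTEM_DRIVER_DIR = r"c:\windows\system32\drivers"


def parse_hashes(hashes_field: str) -> Dict[str, str]:
    """Sysmon writes hashes as 'SHA1=...,MD5=...,SHA256=...,IMPHASH=...'."""
    out = {}
    for part in hashes_field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().upper()
    return out


def flag_driver_load(event: Dict[str, str]) -> List[str]:
    """Return the reasons this driver-load record looks suspicious (empty if none)."""
    reasons = []
    image = event.get("ImageLoaded", "")
    if ntpath.dirname(image).lower() != SYSTEM_DRIVER_DIR:
        reasons.append(f"loaded from non-standard path: {image}")
    signed = event.get("Signed", "").lower() == "true"
    valid = event.get("SignatureStatus", "").lower() == "valid"
    if not (signed and valid):
        reasons.append("signature missing or not valid")
    sha256 = parse_hashes(event.get("Hashes", "")).get("SHA256")
    if sha256 in BLOCKED_SHA256:
        reasons.append(f"SHA256 on blocklist: {sha256}")
    return reasons


def scan(events: Iterable[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Scan a batch of records; return (ImageLoaded, reasons) for every flagged load."""
    hits = []
    for ev in events:
        reasons = flag_driver_load(ev)
        if reasons:
            hits.append((ev.get("ImageLoaded", ""), reasons))
    return hits


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {   # a normal OS driver: correct directory, valid signature, hash not listed
        "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
        "Hashes": "SHA256=" + "11" * 32,
        "Signed": "true",
        "SignatureStatus": "Valid",
    },
    {   # validly signed, but dropped in a user-writable path and on the blocklist
        "ImageLoaded": r"C:\Users\Public\example.sys",
        "Hashes": "SHA256=" + "AAAA" * 16,
        "Signed": "true",
        "SignatureStatus": "Valid",
    },
    {   # unsigned driver loaded from a temp directory
        "ImageLoaded": r"C:\Windows\Temp\loader.sys",
        "Hashes": "SHA256=" + "22" * 32,
        "Signed": "false",
        "SignatureStatus": "Unavailable",
    },
]

if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS):
        print(image)
        for reason in reasons:
            print("  -", reason)
```

Because the drivers this tool relies on are validly signed, the signature check alone never fires on them; the path and blocklist checks are what carry the detection, which is why the blocklist needs to be kept current with publicly disclosed vulnerable drivers.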

Usage

  • Run make to compile the BOFs.

  • Load the impexary.cna Aggressor Script into your Script Manager.

  • To run impexary, use the command impexary [logonpasswords/wdigest] -prv <provider id>.

You can run the help command in your Beacon console with: help impexary.

beacon> help impexary
Synopsis: impexary [logonpasswords/wdigest] -prv <provider id>
Description:
  Dump credentials from LSASS by using signed kernel drivers to read physical memory.

Examples:
  impexary logonpasswords -prv 1
  impexary wdigest

Windows for Pentesting

These are simply the versions we manually stress-tested. Major versions such as 1607 should not have breaking changes across minor build updates.

  • Windows Server 2012 R2
    • Version 6.3 (OS Build: 9600)
  • Windows Server 2016
    • Version 1607 (OS Build: 14393.693)
  • Windows Server 2019
    • Version 1809 (OS Build: 17763.3650)
  • Windows 10
    • Version 21H2 (OS Build: 19044.6809)
    • Version 22H2 (OS Build: 19045.6466)
  • Windows Server 2022
    • Version 21H2 (OS Build: 20348.587)

Warning

While impexary has been tested thoroughly, use discretion when deploying it in production: impexary leverages vulnerable kernel drivers, and errors may result in a BSOD.

Thanks To

Teams and Contributors

CONTACT

For more, please contact me at byt3n33dl3@pm.me
