A Stealthy Lsass Dumper - can abuse ProcExp152.sys driver to dump PPL Lsass.

No calls to MiniDump or any dbghelp.lib methods, all of the dumping process is done MANUALLY by the dumper while reducing the dump size to minimal by removing unessacery DLLs.

The OmriToolZ have 3 methods to dump lsass:

1. The first method is simply using direct syscalls to get an lsass handle.
2. The second method, an handle to lsass is being requested with the PROCESS_CREATE_PROCESS permissions, create a new process in the name of lsass and forks the new process in order to get PROCESS_ALL_ACCESS to lsass.exe (some kind of handle privilege escaltion).
3. The third method can only work with PROCEXP152.sys DRIVER loaded, this method will obtain an HANDLE to the driver and abuse it to get an handle on the LSASS.exe process
   this can be used to bypass "RunAsPPL" lsass defense.

--valid - flag will be used to generate a dump without randomizing the signiture, if it is not used you must use the restore_signature.sh script.
--write - specifies the path where you throw the dump into the disk.
-m - specifies the methods listed above.
-p - the PID of lsass.exe

1. Some of the code was taken and modified from the https://github.com/helpsystems/nanodump project.