How KslDump Uses a Microsoft Driver to Bypass PPL and Dump LSASS Credentials via Registry Edit

The KslDump tool uses the Microsoft‑signed KslD.sys driver that ships with Microsoft Defender, and its SubCmd 12 memory‑copy wrapper, to read LSASS memory through physical addresses in spite of PPL and to extract the credential material stored there (NT hashes from the MSV1_0 package). It needs only local administrator rights and a change to one registry value, the KslD service's ImagePath.


Background

On July 1, 2026, security researcher Dinosn posted a tweet stating, “Why bring your own knife when Defender already left one in the kitchen?” The tweet referred to an open‑source tool named KslDump, developed by researcher andreisss and published on GitHub. KslDump can extract credentials from the LSASS process that runs under Protected Process Light (PPL) protection, and the entire attack chain uses only Microsoft‑signed components—no third‑party driver, unsigned code, or exploit is required.

KslDump attack concept diagram

Core technique: where PPL protection ends

What is PPL?

PPL (Protected Process Light) is a Windows mechanism introduced to make credential theft harder. Since Windows 11 22H2, LSASS runs as a PPL by default on new installations, so even a local administrator holding SeDebugPrivilege cannot obtain a handle with PROCESS_VM_READ and therefore cannot read its memory through OpenProcess and ReadProcessMemory. The check is enforced by the kernel at the point where a handle is requested, though: kernel code that reaches memory directly, for example a driver reading physical pages, is not subject to it.

KslD.sys – the backdoor left by Microsoft

Microsoft Defender includes a kernel driver named KslD.sys, which is signed and trusted. The driver exposes a device object \\.\KslD and accepts the IOCTL code 0x222044. Among its sub‑commands, SubCmd 12 wraps the kernel API MmCopyMemory, which copies memory from a given virtual or physical source address into a caller‑supplied buffer. The driver passes the request through without any PPL check, so any address the API accepts as valid can be read. Since MmCopyMemory copies out of the source address, the primitive is an arbitrary read, which is all the chain below needs.

SubCmd 2 – returns CR3 (the current page‑directory base) and IDTR (the IDT base); the IDT entries point into ntoskrnl.exe, so this immediately defeats KASLR.

SubCmd 12 – calls MmCopyMemory to copy from any kernel virtual or physical address into the caller's buffer, without checking the protection level of the process that owns the memory.

Why the update did not close the hole

Researchers reported the issue to Microsoft Security Response Center (MSRC) on March 7, 2026. Microsoft responded that the technique is not a vulnerability because it requires pre‑existing administrator privileges. Microsoft later released a new KslD.sys (82 KB) that clears the MmCopyMemory pointer, but the old vulnerable driver (333 KB) remains in C:\Windows\System32\drivers\KslD.sys. By changing the ImagePath registry value to point to the old driver and restarting the service, an attacker can re‑enable the backdoor.

Attack flow: six steps from a registry edit to NT hashes

1. Registry tampering: set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\KslD\ImagePath to the path of the old driver, set AllowedProcessName under the same key to the name of the attacker‑controlled process, and restart the KslD service so that the old driver is the one loaded.

2. KASLR bypass: invoke SubCmd 2 to retrieve CR3 and IDTR, read the IDT at the IDTR base (its interrupt handlers all live inside ntoskrnl.exe), and derive the kernel image base from the lowest ISR address.

3. Kernel walk: resolve PsInitialSystemProcess from the kernel base to find the SYSTEM process's EPROCESS, follow ActiveProcessLinks until the entry for lsass.exe, and read LSASS's DTB (KPROCESS.DirectoryTableBase, at offset 0x28 from the start of the EPROCESS) from it.

4. Physical memory read (the actual PPL bypass): call SubCmd 12 with flags=1 (MM_COPY_MEMORY_PHYSICAL) for physical reads, walk LSASS's page tables from its DTB to translate the virtual addresses of interest, and read the physical pages directly. PPL never sees these reads because no handle to LSASS is ever opened.

5. Key extraction: walk the LSASS PEB's loader list to find lsasrv.dll, scan its .text section for the signatures that locate the LSA key globals, and follow the BCRYPT handle chain to recover the AES and 3DES keys and the IV.

6. Credential export: enumerate the LogonSessionList, decrypt the MSV1_0 entries with those keys, and output NT hashes. Note that what this chain yields, as described, is NT hashes rather than plaintext passwords.

The entire process relies solely on Microsoft‑signed components; no external driver, unsigned code, or exploit is needed.
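Step 4 is the part that is easy to wave at and hard to get right: once the tool holds a process DTB and a physical‑read primitive, it still has to walk the x64 page tables itself, because nothing in the kernel will translate LSASS addresses for it. The following is an added example, written here in Python because KslDump itself is a Python tool; it is not code from KslDump. The physical memory is a constructed sparse image and the four virtual addresses are made up; on a real target read_phys would be the driver's physical‑read call. It handles the cases a walker meets in practice: 4 KiB pages, 2 MiB large pages, Windows "transition" PTEs that are not present to the hardware but still point at an intact frame, and unmapped holes.

```python
"""x64 four-level page-table walk over a physical-read primitive.

Added example, not code from KslDump. Step 4 of the chain needs exactly this
once it holds a process DTB (the EPROCESS+0x28 value) and a physical read:
translate each virtual address, then fetch the frame. The memory below is a
constructed sparse image; on a real target read_phys would be the driver call.
"""
PAGE = 0x1000
PFN_MASK = 0x000F_FFFF_FFFF_F000  # bits 12..51: frame address stored in an entry
PRESENT, LARGE = 1 << 0, 1 << 7   # LARGE (PS): 1 GiB page in a PDPTE, 2 MiB in a PDE
TRANSITION, PROTOTYPE = 1 << 11, 1 << 10  # Windows software bits on non-present entries


def make_phys_reader(pages):
    """Physical-read primitive over a sparse {pfn: bytearray(4096)} image; None if unbacked."""
    def read_phys(addr, size):
        out = bytearray()
        while size:
            page = pages.get(addr >> 12)
            if page is None:
                return None
            off = addr & 0xFFF
            n = min(size, PAGE - off)
            out += page[off:off + n]
            addr, size = addr + n, size - n
        return bytes(out)
    return read_phys


def translate(read_phys, dtb, va):
    """Resolve va under page-directory base dtb; None when unmapped or unreadable."""
    table = dtb & PFN_MASK  # the low bits of CR3/DTB may carry PCID bits
    for level, shift in enumerate((39, 30, 21, 12)):
        raw = read_phys(table + ((va >> shift) & 0x1FF) * 8, 8)
        if raw is None:
            return None
        entry = int.from_bytes(raw, "little")
        # Hardware-present, or a Windows 'transition' entry whose frame is still intact.
        if not (entry & PRESENT or (entry & TRANSITION and not entry & PROTOTYPE)):
            return None
        if level in (1, 2) and entry & LARGE:  # 1 GiB (PDPTE) or 2 MiB (PDE) page
            span = 1 << shift
            return (entry & PFN_MASK & ~(span - 1)) | (va & (span - 1))
        table = entry & PFN_MASK
    return table | (va & 0xFFF)


def read_virtual(read_phys, dtb, va, size):
    """Read size bytes at va, translating page by page (ranges may straddle pages)."""
    out = bytearray()
    while size:
        pa = translate(read_phys, dtb, va)
        n = min(size, PAGE - (va & 0xFFF))
        chunk = None if pa is None else read_phys(pa, n)
        if chunk is None:
            return None
        out += chunk
        va, size = va + n, size - n
    return bytes(out)


# Constructed sample image (nothing here is real LSASS content).
VA_4K = 0x00007FF612345678     # user-range address on a 4 KiB page
VA_2M = 0xFFFFF80012345678     # kernel-range address on a 2 MiB page
VA_TRANS = 0x00007FF612347ABC  # PTE non-present but in transition
VA_HOLE = 0x00007FF612346000   # never mapped


def build_sample_image():
    """Build page tables for the addresses above; returns (pages, dtb)."""
    pages, cursor = {}, [0x10000]

    def alloc():  # hand out zeroed pages for page tables
        pa, cursor[0] = cursor[0], cursor[0] + PAGE
        pages[pa >> 12] = bytearray(PAGE)
        return pa

    def entry(table, idx, value=None):  # get (value=None) or set one 8-byte table entry
        sl = slice(idx * 8, idx * 8 + 8)
        if value is None:
            return int.from_bytes(pages[table >> 12][sl], "little")
        pages[table >> 12][sl] = value.to_bytes(8, "little")

    def map_page(va, pa, size=PAGE, flags=PRESENT):
        table = dtb
        for shift in (39, 30, 21, 12):
            idx = (va >> shift) & 0x1FF
            if (1 << shift) == size:  # leaf: 4 KiB PTE, or a large PDE/PDPTE
                entry(table, idx, pa | flags | (LARGE if shift > 12 else 0))
                return
            e = entry(table, idx)
            if not e & PRESENT:
                e = alloc() | PRESENT
                entry(table, idx, e)
            table = e & PFN_MASK

    dtb = alloc()  # the PML4 page, i.e. what EPROCESS+0x28 holds on a real system
    pages[0x5] = bytearray(PAGE); pages[0x5][0x678:0x67C] = b"LSAS"
    map_page(VA_4K, 0x5000)
    pages[0x345] = bytearray(PAGE); pages[0x345][0x678:0x67C] = b"NTOS"  # only the frame read is backed
    map_page(VA_2M, 0x200000, size=1 << 21)
    pages[0x6] = bytearray(PAGE)
    map_page(VA_TRANS, 0x6000, flags=TRANSITION)  # present bit clear, frame still valid
    return pages, dtb
```

With `pages, dtb = build_sample_image()` and `rp = make_phys_reader(pages)`, `translate(rp, dtb, VA_4K)` returns 0x5678, `translate(rp, dtb, VA_2M)` returns 0x345678 (the 2 MiB base plus the low 21 bits of the address), the transition PTE still resolves, and `VA_HOLE` returns None. The transition‑PTE case matters for LSASS in particular: pages that the memory manager has trimmed but not yet reused are exactly where stale credential material tends to sit, and a walker that only honours the present bit misses them.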

KslDump attack flow diagram

Microsoft’s response

MSRC replied that the attack depends on pre‑existing admin rights and therefore is not a vulnerability, which is consistent with Microsoft's security servicing criteria, under which administrator‑to‑kernel is not a defended boundary. It declined to assign a CVE and did not publish an official fix. The old driver remains on many Windows installations worldwide.

Why the issue is dangerous

Low attack barrier – only local admin rights are required, which are common in workstation environments.

Abuse of the signature trust model – HVCI only requires that kernel code be validly signed, and the vulnerable‑driver blocklist only stops drivers Microsoft has listed; an unlisted, validly Microsoft‑signed Defender driver passes both checks, so the old KslD.sys loads like any other.

Detection difficulty – the chain uses only legitimate signed components, evading typical EDR hooks and driver‑load monitoring.

Wide impact – any Windows 11 22H2+ or Windows Server 2025 system that runs LSASS as PPL and still has the old KslD.sys on disk is exposed; where LSASS is not protected, an administrator never needed the driver in the first place.

Mitigation recommendations

Delete the old 333 KB KslD.sys from C:\Windows\System32\drivers if it is still there, after confirming that the KslD service's ImagePath no longer points at it; judge the file by its size (333 KB old, 82 KB updated), not by its name.

Enable Credential Guard so that NTLM hashes and Kerberos keys are held in the isolated LSA process rather than in LSASS. It does not stop a driver from reading LSASS memory; it makes those reads return nothing usable, which is the property that matters against this chain.

Enable HVCI to enforce kernel code integrity. On its own it does not block this chain, since the old driver is validly Microsoft‑signed, but it keeps an attacker who has the read primitive from going on to run unsigned kernel code.

Monitor the KslD service for stop/start transitions (System log event 7036 from the Service Control Manager) and alert on any write to its ImagePath or AllowedProcessName values (Sysmon event 13, registry value set); a restart a few seconds after such a write is the signature of step 1.

Apply the principle of least privilege to limit the number of local administrators.
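The monitoring recommendation above is concrete enough to turn into detection logic. What follows is an added example, not part of KslDump or of any vendor product: it runs over constructed log records shaped like Sysmon event 13 (registry value set) and System log event 7036 (service state change), normalized to JSON lines. The field names TargetObject, Details and Image follow Sysmon; param1/param2 stand for the service name and state carried in the 7036 message, which is my normalization rather than a log format any product emits. The tool path C:\Tools\python.exe, the times and the surrounding benign events are made up.

```python
"""Detection logic for the registry write and service restart that step 1 needs.

Added example, not part of KslDump or of any product. The records below are
constructed: Sysmon event 13 (registry value set) and System log event 7036
(service state change) normalized to JSON lines. TargetObject/Details/Image
are Sysmon field names; param1/param2 are the service name and state from the
7036 message (my normalization). Paths, tool names and times are made up.
"""
import json
from datetime import datetime, timedelta

SAMPLE_LOG = r"""
{"time":"2026-07-01T10:00:00","provider":"Microsoft-Windows-Sysmon","id":13,"TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\WinDefend\\Start","Details":"DWORD (0x00000002)","Image":"C:\\Windows\\System32\\svchost.exe"}
{"time":"2026-07-01T10:05:10","provider":"Microsoft-Windows-Sysmon","id":13,"TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\KslD\\ImagePath","Details":"\\??\\C:\\Windows\\System32\\drivers\\KslD.sys","Image":"C:\\Tools\\python.exe"}
{"time":"2026-07-01T10:05:11","provider":"Microsoft-Windows-Sysmon","id":13,"TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\KslD\\AllowedProcessName","Details":"python.exe","Image":"C:\\Tools\\python.exe"}
{"time":"2026-07-01T10:05:12","provider":"Service Control Manager","id":7036,"param1":"KslD","param2":"stopped"}
{"time":"2026-07-01T10:05:13","provider":"Service Control Manager","id":7036,"param1":"KslD","param2":"running"}
{"time":"2026-07-01T11:30:00","provider":"Microsoft-Windows-Sysmon","id":13,"TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Domain","Details":"corp.example","Image":"C:\\Windows\\System32\\svchost.exe"}
"""

WATCHED_VALUES = {"imagepath", "allowedprocessname"}  # the two values step 1 rewrites


def parse_log(text):
    """One JSON object per line; events need not be in time order."""
    return [json.loads(line) for line in text.strip().splitlines()]


def ksld_value_name(target_object):
    """Name of the watched KslD value this registry path points at, or '' if it is not one."""
    parts = target_object.replace("/", "\\").split("\\")
    if len(parts) < 3 or parts[-3].lower() != "services" or parts[-2].lower() != "ksld":
        return ""
    return parts[-1] if parts[-1].lower() in WATCHED_VALUES else ""


def detect_ksld_tampering(events, window=timedelta(minutes=10)):
    """Alert on writes to KslD\\ImagePath or AllowedProcessName, and on a KslD
    stop/start that follows such a write within `window` (high severity)."""
    alerts, last_tamper, stopped = [], None, False
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        if ev.get("provider") == "Microsoft-Windows-Sysmon" and ev.get("id") == 13:
            name = ksld_value_name(ev.get("TargetObject", ""))
            if name:
                alerts.append({"time": ev["time"], "severity": "medium",
                               "reason": f"KslD\\{name} set to {ev.get('Details')!r} by {ev.get('Image')}"})
                last_tamper = t
        elif (ev.get("provider") == "Service Control Manager" and ev.get("id") == 7036
              and ev.get("param1", "").lower() == "ksld"):
            state = ev.get("param2", "").lower()
            if state == "stopped":
                stopped = True
            elif state == "running" and stopped:  # a restart, not the boot-time start
                recent = last_tamper is not None and t - last_tamper <= window
                alerts.append({"time": ev["time"], "severity": "high" if recent else "low",
                               "reason": "KslD restarted " + ("after a KslD registry change"
                                                              if recent else "with no preceding registry change")})
                stopped = False
    return alerts
```

Running `detect_ksld_tampering(parse_log(SAMPLE_LOG))` on the sample yields two medium alerts for the ImagePath and AllowedProcessName writes and one high alert for the restart three seconds later; the WinDefend and Tcpip writes and a boot‑time start of KslD produce nothing. The analyst still has to confirm what the new ImagePath points at, which is where the file‑size check from the first mitigation comes in.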

Tool acquisition

KslDump is open‑source and can be cloned from https://github.com/andreisss/KslDump. It requires local administrator rights, Python 3.x with the cryptography library (install via pip install cryptography), and the presence of the old 333 KB KslD.sys driver at C:\Windows\System32\drivers\KslD.sys.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: security, Windows, Kernel Driver, PPL, Credential Dumping, KslDump
Written by

Black & White Path

We are the beacon of the cyber world, a stepping stone on the road to security.
