Decondition Enumerator

TL;DR: MDE has some "behaviour tracking" thresholds, allowing interesting deconditioning attacks:

Direct Deconditioning

with LSASS dumping as an example

direct: open lsass and call MiniDumpWriteDump --> block
decondition: open any non-critical process and call MiniDumpWriteDump (20x), then open lsass and call MiniDumpWriteDump --> ok

with LSASS dumping as an example

A.exe.exe opens lsass and calls MiniDumpWriteDump --> block
A'.exe, deconditions (20x), then opens lsass and calls MiniDumpWriteDump --> ok
A.exe opens lsass and calls MiniDumpWriteDump --> ok A'.exe deconditioned lsass dumping for all exes similar to A'.exe, or even ALL exes (TODO verify)

Name		Name	Last commit message	Last commit date
Latest commit History 13 Commits
LsassReader		LsassReader
.gitattributes		.gitattributes
.gitignore		.gitignore
Decondition-Enumerator.sln		Decondition-Enumerator.sln
LICENSE.txt		LICENSE.txt
README.md		README.md
sigcheck.exe		sigcheck.exe
ssdeep.exe		ssdeep.exe
tlsh.exe		tlsh.exe