Saturday, July 16, 2022
HomeHackerDevice To Extract And Dump Secrets and techniques From Kernel And Home...

Device To Extract And Dump Secrets and techniques From Kernel And Home windows Minidump Codecs




Dumpscan is a command-line software designed to extract and dump secrets and techniques from kernel and Home windows Minidump codecs. Kernel-dump parsing is supplied by volatility3.

Options

Notice: Testing has solely been carried out on Home windows 10 and 11 64-bit hosts and processes. Be at liberty to file a problem for added variations. Linux testing TBD.

Set up

As a command-line software, set up is beneficial utilizing pipx. This permits for straightforward updates and properly and making certain it’s put in in its personal digital atmosphere.

pipx set up dumpscan
pipx inject dumpscan git+https://github.com/volatilityfoundation/volatility3#39e812a

Utilization

 Utilization: dumpscan [OPTIONS] COMMAND [ARGS]...

Scan reminiscence dumps for secrets and techniques and keys

╭─ Choices ────────────────────────────────────────────────────────────────────────────────────────╮
│ │
│ --help Present this message and exit. &#9474 ;
│ │
╰──────────────────────────────────────────────────────────────────────────────────────────────────╯
╭─ Instructions ───────────────────────────────────────────────────────────────────────────────────────╮
│ │
│ kernel Scan kernel dump utilizing volatility │
│ minidump Scan a user-mode minidump │
│ │
╰──────────────────────────────────────────────────────────────────────────────────────────────────╯

Within the case for subcommands that extract certificates, you’ll be able to present --output/-o <dir> to output any found certificates to disk.

Kernel Mode

As talked about, kernel evaluation is carried out by Volatility3. cmdline, envar, and pslist are direct calls to the Volatility3 plugins, whereas symcrypt and x509 are customized plugins.

 Utilization: dumpscan kernel [OPTIONS] COMMAND [ARGS]...

Scan kernel dump utilizing volatility

╭─ Choices ────────────────────────────────────────────────────────────────────────────────────────╮
│ │
│ --help Present this message and exit. ╰
│ │
╰──────────────────────────────────────────────────────────────────────────────────────────────────╯
╭─ Instructions ───────────────────────────────────────────────────────────────────────────────────────╮
│ │
│ cmdline Listing command line for processes (Just for Home windows) │
│ envar Listing course of atmosphere variables (Just for Home windows) │
│ pslist Listing all of the processes and their command lin e arguments │
│ symcrypt Scan a kernel-mode dump for symcrypt objects │
│ x509 Scan a kernel-mode dump for x509 certificates │
│ │
╰──────────────────────────────────────────────────────────────────────────────────────────────────╯

Minidump Mode

Helps Home windows Minidump format.

Notice: This has solely been examined on 64-bit processes on Home windows 10+. 32-bit processes requires further work however is not a precedence.

 Utilization: dumpscan minidump [OPTIONS] COMMAND [ARGS]...

Scan a user-mode minidump

╭─ Choices ────────────────────────────────────────────────────────────────────────────────────────╮
│ │
│ --help Present this message and exit. │
│ │
╰──────────────────────────────────────────────────────────────────────────────────────────────────╯
╭─ Instructions ───────────────────────────────────────────────────────────────────────────────────────╮
│ │
│ cmdline Dump the command line string │
│ envar Dump the atmosphere variables in a minidump │
│ symcrypt Scan a minidump for symcrypt objects │
│ x509 Scan a minidump for x509 objects │
│ │
╰──────────────────────────────────────────────────────────────────────────────────────────────────╯

Constructed With

Acknowledgements

  • Due to F-Safe and the physmem2profit undertaking for offering the thought to make use of assemble for parsing minidumps.
  • Due to Skelsec and his minidump undertaking which helped me determine to parse minidumps.

To-Do

  • Confirm use in opposition to 32-bit minidumps
  • Create a coredump parser for Linux course of dumps
  • Confirm volatility plugins work in opposition to Linux kernel dumps
  • Add an HTML report that reveals all plugins
  • Code refactoring to make extra extensible
  • MORE SECRETS



RELATED ARTICLES

LEAVE A REPLY

Please enter your comment!
Please enter your name here

- Advertisment -
Google search engine

Most Popular

Recent Comments