Dumpscan is a command-line tool designed to extract and dump secrets from kernel and Windows Minidump formats. Kernel-dump parsing is provided by volatility3.
Features
- x509 Public and Private key (PKCS #8/PKCS #1) parsing
- SymCrypt parsing
  - Supported structures
    - SYMCRYPT_RSAKEY: determines whether the key structure also carries a private key
  - Matching to public certificates found in the same process
  - More SymCrypt structures to come
- Environment variables
- Command line arguments
Note: Testing has only been performed on Windows 10 and 11 64-bit hosts and processes. Feel free to file an issue for additional versions. Linux testing TBD.
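At the byte level, scanning a dump for x509 material is a carving problem: walk the image for DER SEQUENCE headers (0x30), decode the length, and keep only candidates that pass a structural and arithmetic check so that random data is not reported as a key. The following is an added example and not dumpscan's own code: it carves PKCS #1 RSAPrivateKey structures, including one wrapped in a PKCS #8 PrivateKeyInfo, out of a byte image constructed inline with toy-sized primes. All function names are the example's own; the only thing assumed is the DER/PKCS #1 encoding itself, which is why the same loop applies to real 2048-bit keys (only the length bytes switch to long form).

```python
import math

# Minimal DER encoder, used here only to construct the sample image; the carver does not need it.
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_integer(value):
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:                      # a leading 0x00 keeps the INTEGER positive
        body = b"\x00" + body
    return b"\x02" + der_len(len(body)) + body

def der_sequence(*elems):
    body = b"".join(elems)
    return b"\x30" + der_len(len(body)) + body

def rsa_private_key_pkcs1(p, q, e):
    """RSAPrivateKey ::= SEQUENCE { version 0, n, e, d, p, q, d mod (p-1), d mod (q-1), q^-1 mod p }"""
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    d = pow(e, -1, lam)
    return der_sequence(der_integer(0), der_integer(p * q), der_integer(e), der_integer(d),
                        der_integer(p), der_integer(q), der_integer(d % (p - 1)),
                        der_integer(d % (q - 1)), der_integer(pow(q, -1, p)))

# ---- Carving ----
def parse_tlv(buf, off):
    """Parse one DER TLV at buf[off]; return (tag, value_start, value_end) or None if not well-formed DER."""
    if off + 2 > len(buf):
        return None
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:
        length, hdr = first, 2
    elif first == 0x80 or first > 0x84:     # indefinite length, or more than 4 length bytes: reject
        return None
    else:
        nbytes = first & 0x7F
        if off + 2 + nbytes > len(buf):
            return None
        length, hdr = int.from_bytes(buf[off + 2:off + 2 + nbytes], "big"), 2 + nbytes
        if length < 0x80 or (nbytes > 1 and length < 1 << (8 * (nbytes - 1))):
            return None                     # DER requires the shortest possible length encoding
    if off + hdr + length > len(buf):
        return None
    return tag, off + hdr, off + hdr + length

def parse_integers(buf, start, end):
    """Return the INTEGER values that fill buf[start:end] exactly, or None if anything else is in there."""
    vals, off = [], start
    while off < end:
        tlv = parse_tlv(buf, off)
        if tlv is None or tlv[0] != 0x02 or tlv[2] > end:
            return None
        vals.append(int.from_bytes(buf[tlv[1]:tlv[2]], "big"))
        off = tlv[2]
    return vals

def looks_like_rsa_private_key(ints):
    """Arithmetic check so that an arbitrary run of INTEGERs is not reported as a key."""
    if len(ints) != 9 or ints[0] != 0:
        return False
    _, n, e, d, p, q, dp, dq, qinv = ints
    if p < 2 or q < 2 or p * q != n:
        return False
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    return (e * d) % lam == 1 and dp == d % (p - 1) and dq == d % (q - 1) and (q * qinv) % p == 1

def carve_rsa_private_keys(image):
    """Try every SEQUENCE byte (0x30) in `image` as the start of a PKCS#1 RSAPrivateKey.
    A PKCS#8 wrapper fails the all-INTEGERs test, but the scan keeps walking into its bytes,
    so the PKCS#1 key inside its OCTET STRING is still recovered."""
    found, off = [], image.find(b"\x30")
    while off != -1:
        tlv = parse_tlv(image, off)
        if tlv is not None:
            ints = parse_integers(image, tlv[1], tlv[2])
            if ints is not None and looks_like_rsa_private_key(ints):
                found.append({"offset": off, "bits": ints[1].bit_length(), "n": ints[1],
                              "e": ints[2], "der": image[off:tlv[2]]})
                off = tlv[2] - 1            # resume scanning after the key
        off = image.find(b"\x30", off + 1)
    return found

def build_sample_image():
    """Constructed sample, not a real dump: filler, a decoy SEQUENCE, a bare PKCS#1 key, a PKCS#8-wrapped key."""
    filler = bytes(range(256)) * 2
    decoy = der_sequence(der_integer(0))    # valid DER, but not a key
    key1 = rsa_private_key_pkcs1(61, 53, 17)
    key2 = rsa_private_key_pkcs1(67, 71, 13)
    rsa_oid = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"   # 1.2.840.113549.1.1.1 rsaEncryption
    pkcs8 = der_sequence(der_integer(0), der_sequence(rsa_oid, b"\x05\x00"),
                         b"\x04" + der_len(len(key2)) + key2)
    return filler + decoy + filler + key1 + filler + pkcs8 + filler
```

Run carve_rsa_private_keys() over the raw bytes of a dump (or over each memory range once a minidump has been parsed) and hand the der field of every hit to a library that loads PKCS #1 to confirm the key is usable; a candidate whose CRT values fail the arithmetic check is noise, not a key, and the length checks in parse_tlv are what keep a stray 0x30 in the middle of a heap from being reported as a multi-megabyte "certificate".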
Install
As a command-line tool, installation with pipx is recommended. This makes updates easy and ensures it is installed in its own virtual environment. The second command injects a pinned volatility3 commit into that environment, which the kernel-dump commands depend on.
pipx install dumpscan
pipx inject dumpscan git+https://github.com/volatilityfoundation/volatility3#39e812a
Usage
Usage: dumpscan [OPTIONS] COMMAND [ARGS]...

  Scan memory dumps for secrets and keys

╭─ Options ────────────────────────────────────────────────────────────╮
│ --help    Show this message and exit.                                │
╰──────────────────────────────────────────────────────────────────────╯
╭─ Commands ───────────────────────────────────────────────────────────╮
│ kernel    Scan kernel dump using volatility                          │
│ minidump  Scan a user-mode minidump                                  │
╰──────────────────────────────────────────────────────────────────────╯
For subcommands that extract certificates, you can pass --output/-o <dir>
to write any discovered certificates to disk.
Kernel Mode
As mentioned, kernel analysis is performed by Volatility3. cmdline, envar, and pslist are direct calls to the Volatility3 plugins, while symcrypt and x509 are custom plugins.
Usage: dumpscan kernel [OPTIONS] COMMAND [ARGS]...

  Scan kernel dump using volatility

╭─ Options ────────────────────────────────────────────────────────────╮
│ --help    Show this message and exit.                                │
╰──────────────────────────────────────────────────────────────────────╯
╭─ Commands ───────────────────────────────────────────────────────────╮
│ cmdline   List command line for processes (Only for Windows)         │
│ envar     List process environment variables (Only for Windows)      │
│ pslist    List all the processes and their command line arguments    │
│ symcrypt  Scan a kernel-mode dump for symcrypt objects               │
│ x509      Scan a kernel-mode dump for x509 certificates              │
╰──────────────────────────────────────────────────────────────────────╯
Minidump Mode
Supports the Windows Minidump format.
Note: This has only been tested on 64-bit processes on Windows 10+. 32-bit processes require additional work but are not a priority.
Usage: dumpscan minidump [OPTIONS] COMMAND [ARGS]...

  Scan a user-mode minidump

╭─ Options ────────────────────────────────────────────────────────────╮
│ --help    Show this message and exit.                                │
╰──────────────────────────────────────────────────────────────────────╯
╭─ Commands ───────────────────────────────────────────────────────────╮
│ cmdline   Dump the command line string                               │
│ envar     Dump the environment variables in a minidump               │
│ symcrypt  Scan a minidump for symcrypt objects                       │
│ x509      Scan a minidump for x509 objects                           │
╰──────────────────────────────────────────────────────────────────────╯
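A minidump needs a parser rather than a raw byte scan because the file stores process memory as a list of ranges at file offsets (RVAs); a hit is only useful once it is mapped back to the virtual address the process used, which is what lets the envar and cmdline commands report where in the process a string lived. The following is an added example and not dumpscan's code (which, as the acknowledgements below note, uses the construct library): it walks the documented MINIDUMP_HEADER, MINIDUMP_DIRECTORY and MINIDUMP_MEMORY64_LIST structures with the standard library's struct module, resolves file offsets to virtual addresses, and searches the dumped ranges. The sample dump is constructed inline and the environment string in it is made up; function names are the example's own.

```python
import struct

MDMP_SIGNATURE = 0x504D444D      # b"MDMP" read as a little-endian ULONG32
MEMORY64_LIST_STREAM = 9         # MINIDUMP_STREAM_TYPE Memory64ListStream (full-memory dumps)
HEADER_FMT = "<IIIIIIQ"          # MINIDUMP_HEADER: Signature, Version, NumberOfStreams,
                                 #   StreamDirectoryRva, CheckSum, TimeDateStamp, Flags
DIRECTORY_FMT = "<III"           # MINIDUMP_DIRECTORY: StreamType, Location.DataSize, Location.Rva
MEM64_LIST_FMT = "<QQ"           # MINIDUMP_MEMORY64_LIST: NumberOfMemoryRanges, BaseRva
MEM64_DESC_FMT = "<QQ"           # MINIDUMP_MEMORY_DESCRIPTOR64: StartOfMemoryRange, DataSize

def parse_memory64_ranges(dump):
    """Return [(virtual_address, file_offset, size)] for every range in the Memory64ListStream.

    Range contents are stored back-to-back starting at BaseRva, in descriptor order, so a
    range's file offset is BaseRva plus the sizes of all ranges listed before it."""
    sig, _version, nstreams, dir_rva, _, _, _ = struct.unpack_from(HEADER_FMT, dump, 0)
    if sig != MDMP_SIGNATURE:
        raise ValueError("not a minidump: bad signature")
    dir_size = struct.calcsize(DIRECTORY_FMT)
    for i in range(nstreams):
        stype, size, rva = struct.unpack_from(DIRECTORY_FMT, dump, dir_rva + i * dir_size)
        if stype != MEMORY64_LIST_STREAM:
            continue
        count, base_rva = struct.unpack_from(MEM64_LIST_FMT, dump, rva)
        if size < 16 + 16 * count:
            raise ValueError("Memory64ListStream is smaller than its range count implies")
        ranges, cursor = [], base_rva
        for j in range(count):
            va, length = struct.unpack_from(MEM64_DESC_FMT, dump, rva + 16 + 16 * j)
            if cursor + length > len(dump):
                raise ValueError(f"range {j} at {va:#x} runs past the end of the file (truncated dump?)")
            ranges.append((va, cursor, length))
            cursor += length
        return ranges
    raise ValueError("no Memory64ListStream: only full-memory dumps carry one")

def read_virtual(dump, va, size):
    """Read up to `size` bytes at virtual address `va`; shorter if the range ends first, None if unmapped."""
    for base, off, length in parse_memory64_ranges(dump):
        if base <= va < base + length:
            start = off + (va - base)
            return dump[start:min(start + size, off + length)]
    return None

def search_virtual(dump, needle):
    """Find `needle` in every dumped range and report hits as virtual addresses, not file offsets."""
    hits = []
    for va, off, length in parse_memory64_ranges(dump):
        region = dump[off:off + length]
        idx = region.find(needle)
        while idx != -1:
            hits.append(va + idx)
            idx = region.find(needle, idx + 1)
    return hits

def build_sample_minidump():
    """Constructed sample, not a real process dump: two ranges, the second holding a fake environment block."""
    env = b"PATH=C:\\Windows\x00SESSION_TOKEN=hunter2-not-a-real-secret\x00\x00"
    regions = [
        (0x7FF6_1234_0000, b"MZ" + b"\x90" * 62),               # looks like an image header
        (0x01C0_F2A1_0000, env + b"\x00" * (128 - len(env))),   # a heap page holding the environment
    ]
    dir_rva = struct.calcsize(HEADER_FMT)
    list_rva = dir_rva + struct.calcsize(DIRECTORY_FMT)
    list_size = 16 + 16 * len(regions)
    base_rva = list_rva + list_size
    out = struct.pack(HEADER_FMT, MDMP_SIGNATURE, 0xA793, 1, dir_rva, 0, 0, 0x2)  # Flags: MiniDumpWithFullMemory
    out += struct.pack(DIRECTORY_FMT, MEMORY64_LIST_STREAM, list_size, list_rva)
    out += struct.pack(MEM64_LIST_FMT, len(regions), base_rva)
    for va, data in regions:
        out += struct.pack(MEM64_DESC_FMT, va, len(data))
    for _, data in regions:
        out += data
    return out
```

On a real dump, read the file with open(path, "rb").read() and pass it to search_virtual() or to a carver such as the x509 example above, one range at a time; the truncation check in parse_memory64_ranges is the one that matters in practice, because a dump cut short by disk space or a crashed collector still has a valid header and directory but ranges whose data never made it to disk.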
Acknowledgements
- Thanks to F-Secure and the physmem2profit project for providing the idea to use construct for parsing minidumps.
- Thanks to Skelsec and his minidump project, which helped me figure out how to parse minidumps.
To-Do
- Verify use against 32-bit minidumps
- Create a coredump parser for Linux process dumps
- Verify volatility plugins work against Linux kernel dumps
- Add an HTML report that shows all plugins
- Code refactoring to make it more extensible
- MORE SECRETS