Dumpscan is a command-line tool designed to extract and dump secrets from kernel and Windows Minidump formats. Kernel-dump parsing is provided by volatility3.
Note: Testing has only been performed on Windows 10 and 11 64-bit hosts and processes. Feel free to file an issue for additional versions. Linux testing TBD.
As a command-line tool, installation is recommended using pipx. This allows for easy updates and well and ensuring it is installed in its own virtual environment.
pipx install dumpscan
pipx inject dumpscan git+https://github.com/volatilityfoundation/volatility3#39e812a
Usage: dumpscan [OPTIONS] COMMAND [ARGS]…
Scan memory dumps for secrets and keys
╭─ Options ────────────────────────────────────────────────────────────────────────────────────────╮
│ │
│ –help Show this message and exit. │
│ │
╰──────────────────────────────────────────────────────────────────────────────────────────────────╯
╭─ Commands ───────────────────────────────────────────────────────────────────────────────────────╮
│ │
│ kernel Scan kernel dump using volatility │
│ minidump Scan a user-mode minidump │
│ │
╰──────────────────────────────────────────────────────────────────────────────────────────────────╯
In the case for subcommands that extract certificates, you can provide --output/-o <dir> to output any discovered certificates to disk.
As mentioned, kernel analysis is performed by Volatility3. cmdline, envar, and pslist are direct calls to the Volatility3 plugins, while symcrypt and x509 are custom plugins.
Usage: dumpscan kernel [OPTIONS] COMMAND [ARGS]…
Scan kernel dump using volatility
╭─ Options ────────────────────────────────────────────────────────────────────────────────────────╮
│ │
│ –help Show this message and exit. │
│ │
╰──────────────────────────────────────────────────────────────────────────────────────────────────╯
╭─ Commands ───────────────────────────────────────────────────────────────────────────────────────╮
│ │
│ cmdline List command line for processes (Only for Windows) │
│ envar List process environment variables (Only for Windows) │
│ pslist List all the processes and their command line arguments │
│ symcrypt Scan a kernel-mode dump for symcrypt objects │
│ x509 Scan a kernel-mode dump for x509 certificates │
│ │
╰──────────────────────────────────────────────────────────────────────────────────────────────────╯
Supports Windows Minidump format.
Note: This has only been tested on 64-bit processes on Windows 10+. 32-bit processes requires additional work but isn’t a priority.
Usage: dumpscan minidump [OPTIONS] COMMAND [ARGS]…
Scan a user-mode minidump
╭─ Options ────────────────────────────────────────────────────────────────────────────────────────╮
│ │
│ –help Show this message and exit. │
│ │
╰──────────────────────────────────────────────────────────────────────────────────────────────────╯
╭─ Commands ───────────────────────────────────────────────────────────────────────────────────────╮
│ │
│ cmdline Dump the command line string │
│ envar Dump the environment variables in a minidump │
│ symcrypt Scan a minidump for symcrypt objects │
│ x509 Scan a minidump for x509 objects │
│ │
╰──────────────────────────────────────────────────────────────────────────────────────────────────╯
Cybersecurity tools play a critical role in safeguarding digital assets, systems, and networks from malicious…
MODeflattener is a specialized tool designed to reverse OLLVM's control flow flattening obfuscation through static…
"My Awesome List" is a curated collection of tools, libraries, and resources spanning various domains…
CVE-2018-17463, a type confusion vulnerability in Chrome’s V8 JavaScript engine, allowed attackers to execute arbitrary…
The blog post "Chrome Browser Exploitation, Part 1: Introduction to V8 and JavaScript Internals" provides…
The exploitation of CVE-2018-17463, a type confusion vulnerability in Chrome’s V8 JavaScript engine, relies on…