Dumpscan is a command-line tool designed to extract and dump secrets from kernel and Windows Minidump formats. Kernel-dump parsing is provided by volatility3.
Note: Testing has only been performed on Windows 10 and 11 64-bit hosts and processes. Feel free to file an issue for additional versions. Linux testing TBD.
As a command-line tool, installation is recommended using pipx. This allows for easy updates and well and ensuring it is installed in its own virtual environment.
pipx install dumpscan
pipx inject dumpscan git+https://github.com/volatilityfoundation/volatility3#39e812a
Usage: dumpscan [OPTIONS] COMMAND [ARGS]…
Scan memory dumps for secrets and keys
╭─ Options ────────────────────────────────────────────────────────────────────────────────────────╮
│ │
│ –help Show this message and exit. │
│ │
╰──────────────────────────────────────────────────────────────────────────────────────────────────╯
╭─ Commands ───────────────────────────────────────────────────────────────────────────────────────╮
│ │
│ kernel Scan kernel dump using volatility │
│ minidump Scan a user-mode minidump │
│ │
╰──────────────────────────────────────────────────────────────────────────────────────────────────╯
In the case for subcommands that extract certificates, you can provide --output/-o <dir> to output any discovered certificates to disk.
As mentioned, kernel analysis is performed by Volatility3. cmdline, envar, and pslist are direct calls to the Volatility3 plugins, while symcrypt and x509 are custom plugins.
Usage: dumpscan kernel [OPTIONS] COMMAND [ARGS]…
Scan kernel dump using volatility
╭─ Options ────────────────────────────────────────────────────────────────────────────────────────╮
│ │
│ –help Show this message and exit. │
│ │
╰──────────────────────────────────────────────────────────────────────────────────────────────────╯
╭─ Commands ───────────────────────────────────────────────────────────────────────────────────────╮
│ │
│ cmdline List command line for processes (Only for Windows) │
│ envar List process environment variables (Only for Windows) │
│ pslist List all the processes and their command line arguments │
│ symcrypt Scan a kernel-mode dump for symcrypt objects │
│ x509 Scan a kernel-mode dump for x509 certificates │
│ │
╰──────────────────────────────────────────────────────────────────────────────────────────────────╯
Supports Windows Minidump format.
Note: This has only been tested on 64-bit processes on Windows 10+. 32-bit processes requires additional work but isn’t a priority.
Usage: dumpscan minidump [OPTIONS] COMMAND [ARGS]…
Scan a user-mode minidump
╭─ Options ────────────────────────────────────────────────────────────────────────────────────────╮
│ │
│ –help Show this message and exit. │
│ │
╰──────────────────────────────────────────────────────────────────────────────────────────────────╯
╭─ Commands ───────────────────────────────────────────────────────────────────────────────────────╮
│ │
│ cmdline Dump the command line string │
│ envar Dump the environment variables in a minidump │
│ symcrypt Scan a minidump for symcrypt objects │
│ x509 Scan a minidump for x509 objects │
│ │
╰──────────────────────────────────────────────────────────────────────────────────────────────────╯
When people ask how UDP works, the simplest answer is this: UDP sends data quickly…
Endpoint Detection and Response (EDR) solutions have become a cornerstone of modern cybersecurity, designed to…
A large-scale malware campaign leveraging AI-assisted development techniques has been uncovered, revealing how attackers are…
How Does a Firewall Work Step by Step? What Is a Firewall and How Does…
People trying to securely connect to work are being tricked into doing the exact opposite.…
A newly disclosed Android vulnerability is making noise for a good reason. Researchers showed that…