RustiveDump is a Rust-based tool designed to dump the memory of the lsass.exe process using only NT system calls.
It creates a minimal minidump file from scratch, containing essential components like SystemInfo, ModuleList, and Memory64List, with support for XOR encryption and remote transmission.
This project is a personal learning experience, focusing on leveraging native Windows APIs for memory dumping and building a minimalistic minidump file entirely from the ground up.
no_std
feature, which removes reliance on Rust’s standard library, and it’s also CRT library independent. This resulting in a lean release build of only 18KB.NtOpenProcessToken
and NtAdjustPrivilegesToken
to enable SeDebugPrivilege, allowing access to protected processes like lsass.exe.NtQuerySystemInformation
to get a snapshot of active processes, and then opens a process handle using NtOpenProcess
with the PROCESS_QUERY_INFORMATION
and PROCESS_VM_READ
access rights.NtQueryVirtualMemory
and dumps committed and accessible memory using NtReadVirtualMemory
.NtQueryInformationProcess
to extract the ModuleList from the remote PEB (Process Environment Block).NtCreateFile
and NtWriteFile
, or sent to a remote server. If desired, the dump can also be encrypted with XOR before being saved or transmitted.RustiveDump offers several configurable build options through cargo make to customize the behavior of the tool. You can enable features like XOR encryption, remote file transmission and verbose logging.
Available Features:
lsasrv.dll
module from lsass.exe.To build RustiveDump with different combinations of features, use the following commands:
cargo make
cargo make --env FEATURES=xor,remote,lsasrv,verbose
RustiveDump generates a minimalistic minidump file, including only the essential components for tools like Mimikatz and Pypykatz. The file consists of three core streams.
For more details on the Minidump file structure, see: Minidump (MDMP) format documentation.
This C# program finds Windows Defender folder exclusions using Windows Defender through its command-line tool…
Argus is an all-in-one, Python-powered toolkit designed to streamline the process of information gathering and…
A specialized tool designed for user enumeration on the Slack platform. This powerful utility aids…
This repository will be used to add documents, pictures, etc on LEA efforts; Indictments, Seizure…
A cheat sheet for pentesters and researchers about deserialization vulnerabilities in various Java (JVM) serialization…
Short: a Red Team's SIEM. Longer: a Red Team's SIEM that serves two main goals:…