RustiveDump is a Rust-based tool designed to dump the memory of the lsass.exe process using only NT system calls.
It creates a minimal minidump file from scratch, containing essential components like SystemInfo, ModuleList, and Memory64List, with support for XOR encryption and remote transmission.
This project is a personal learning experience, focusing on leveraging native Windows APIs for memory dumping and building a minimalistic minidump file entirely from the ground up.
RustiveDump works as follows:

- No-std and CRT independent: it is built with the no_std feature, which removes the dependency on Rust's standard library, and it does not link against the C runtime either. The result is a release build of only 18KB.
- Privilege elevation: it uses NtOpenProcessToken and NtAdjustPrivilegesToken to enable SeDebugPrivilege, which is needed to open a handle to lsass.exe from another process. Note that SeDebugPrivilege does not bypass LSA protection: when RunAsPPL is enabled, lsass.exe runs as a protected process and NtOpenProcess with PROCESS_VM_READ fails with STATUS_ACCESS_DENIED regardless of the privilege.
- Process enumeration and access: it uses NtQuerySystemInformation to take a snapshot of the running processes, locates lsass.exe, and opens a handle to it with NtOpenProcess, requesting the PROCESS_QUERY_INFORMATION and PROCESS_VM_READ access rights.
- Memory dumping: it walks the target's address space with NtQueryVirtualMemory and reads every committed, accessible region with NtReadVirtualMemory.
- Module listing: it uses NtQueryInformationProcess to find the remote PEB (Process Environment Block) and extracts the loaded-module list from it.
- Output and encryption: the dump is written to disk with NtCreateFile and NtWriteFile, or sent to a remote server. If desired, the dump can also be XOR-encrypted before it is saved or transmitted.

RustiveDump offers several configurable build options through cargo make to customize the behavior of the tool. You can enable features like XOR encryption, remote file transmission and verbose logging.
Available Features:

- xor: XOR-encrypts the dump before it is saved or transmitted.
- remote: sends the dump to a remote server instead of writing it to disk.
- lsasrv: dumps only the lsasrv.dll module from lsass.exe.
- verbose: enables verbose logging.

To build RustiveDump with different combinations of features, use the following commands:
cargo make
cargo make --env FEATURES=xor,remote,lsasrv,verbose
RustiveDump generates a minimalistic minidump file, including only the components that tools like Mimikatz and Pypykatz need in order to parse it. The file consists of three core streams:

- SystemInfoStream: processor architecture and Windows version, which the parsers use to select the matching lsasrv.dll structure layouts.
- ModuleListStream: the loaded modules with their base addresses and sizes, used to locate lsasrv.dll inside the dump.
- Memory64ListStream: the captured memory ranges and their file offsets, through which virtual addresses are resolved to dump contents.

For more details on the Minidump file structure, see: Minidump (MDMP) format documentation.