Scanning memory dumps for secrets using volatility and yara
Project description
Dumpscan is a command-line tool designed to extract and dump secrets from kernel and Windows Minidump formats. Kernel-dump parsing is provided by volatility3.
Features
- x509 Public and Private key (PKCS #8/PKCS #1) parsing
- SymCrypt parsing
- Supported structures
- SYMCRYPT_RSAKEY - Determines if the key structure also has a private key
- Matching to public certificates found in the same process
- More SymCrypt structures to come
- Supported structures
- Environment variables
- Command line arguments
Note: Testing has only been performed on Windows 10 and 11 64-bit hosts and processes. Feel free to file an issue for additional versions. Linux testing TBD.
Installation
As a command-line tool, installation is recommended using pipx. This allows for easy updates and well and ensuring it is installed in its own virtual environment.
pipx install dumpscan
pipx inject dumpscan git+https://github.com/volatilityfoundation/volatility3#39e812a
Usage
Usage: dumpscan [OPTIONS] COMMAND [ARGS]...
Scan memory dumps for secrets and keys
╭─ Options ────────────────────────────────────────────────────────────────────────────────────────╮
│ │
│ --help Show this message and exit. │
│ │
╰──────────────────────────────────────────────────────────────────────────────────────────────────╯
╭─ Commands ───────────────────────────────────────────────────────────────────────────────────────╮
│ │
│ kernel Scan kernel dump using volatility │
│ minidump Scan a user-mode minidump │
│ │
╰──────────────────────────────────────────────────────────────────────────────────────────────────╯
In the case for subcommands that extract certificates, you can provide --output/-o <dir> to output any discovered certificates to disk.
Kernel Mode
As mentioned, kernel analysis is performed by Volatility3. cmdline, envar, and pslist are direct calls to the Volatility3 plugins, while symcrypt and x509 are custom plugins.
Usage: dumpscan kernel [OPTIONS] COMMAND [ARGS]...
Scan kernel dump using volatility
╭─ Options ────────────────────────────────────────────────────────────────────────────────────────╮
│ │
│ --help Show this message and exit. │
│ │
╰──────────────────────────────────────────────────────────────────────────────────────────────────╯
╭─ Commands ───────────────────────────────────────────────────────────────────────────────────────╮
│ │
│ cmdline List command line for processes (Only for Windows) │
│ envar List process environment variables (Only for Windows) │
│ pslist List all the processes and their command line arguments │
│ symcrypt Scan a kernel-mode dump for symcrypt objects │
│ x509 Scan a kernel-mode dump for x509 certificates │
│ │
╰──────────────────────────────────────────────────────────────────────────────────────────────────╯
Minidump Mode
Supports Windows Minidump format.
Note: This has only been tested on 64-bit processes on Windows 10+. 32-bit processes requires additional work but isn't a priority.
Usage: dumpscan minidump [OPTIONS] COMMAND [ARGS]...
Scan a user-mode minidump
╭─ Options ────────────────────────────────────────────────────────────────────────────────────────╮
│ │
│ --help Show this message and exit. │
│ │
╰──────────────────────────────────────────────────────────────────────────────────────────────────╯
╭─ Commands ───────────────────────────────────────────────────────────────────────────────────────╮
│ │
│ cmdline Dump the command line string │
│ envar Dump the environment variables in a minidump │
│ symcrypt Scan a minidump for symcrypt objects │
│ x509 Scan a minidump for x509 objects │
│ │
╰──────────────────────────────────────────────────────────────────────────────────────────────────╯
Built With
Acknowledgements
- Thanks to F-Secure and the physmem2profit project for providing the idea to use
constructfor parsing minidumps. - Thanks to Skelsec and his minidump project which helped me figure out to parse minidumps.
To-Do
- Verify use against 32-bit minidumps
- Create a coredump parser for Linux process dumps
- Verify volatility plugins work against Linux kernel dumps
- Add an HTML report that shows all plugins
- Code refactoring to make more extensible
- MORE SECRETS
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
File details
Details for the file dumpscan-0.1.1.tar.gz.
File metadata
- Download URL: dumpscan-0.1.1.tar.gz
- Upload date:
- Size: 23.8 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: poetry/1.2.0b1 CPython/3.10.4 Windows/10
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 67a03f4696ba5c18378460b05139b5a92d7bee57828a9a3c8709dccb1965d67f |
|
| MD5 | adb3fc9a376f08314ea6c4c601deb3ca |
|
| BLAKE2b-256 | b18577c4f87de22985855fb7203db7593e0489784735ec802691ceca8b5248ad |
File details
Details for the file dumpscan-0.1.1-py3-none-any.whl.
File metadata
- Download URL: dumpscan-0.1.1-py3-none-any.whl
- Upload date:
- Size: 31.8 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: poetry/1.2.0b1 CPython/3.10.4 Windows/10
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | bd67592617c476abe5823e531381dd892c2a8d52958d8dfe1769655e25c11ede |
|
| MD5 | 2803a3de83d94286fe804251f0f79618 |
|
| BLAKE2b-256 | 8b260db3be2e2c760e173401753faee627eaf2bad233292e6884eb2fe65d9273 |
