1. Parsing of x509 certificates and public/private keys (PKCS #8 / PKCS #1);
2. Parsing of SymCrypt objects;
3. Extraction and parsing of process environment variables;
4. Extraction and parsing of process command line strings (the tool itself is driven by command line parameters);
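The x509 / PKCS #1 / PKCS #8 feature in the list above rests on one technique: walk the raw memory image, treat every byte that could open a DER SEQUENCE as a candidate, and keep only the candidates whose length fits and whose body parses as a known ASN.1 shape. The following is an added example written for this page, not Dumpscan's own code; it uses only the Python standard library, and the "memory image" plus the toy RSA numbers inside it are constructed (the numbers are not a real key). The names `carve`, `classify`, `read_tlv` and `to_pem` are this example's own.

```python
"""Carve DER-encoded keys and certificates out of a raw memory image.

Added example (not Dumpscan's code): signature-scan for 0x30 (SEQUENCE), sanity-check
the DER length, then classify the body by the tags of its children. Standard library only.
"""
import base64

SEQUENCE, INTEGER, BIT_STRING, OCTET_STRING, OID = 0x30, 0x02, 0x03, 0x04, 0x06
PEM_LABEL = {"PKCS#1 RSAPrivateKey": "RSA PRIVATE KEY",
             "PKCS#8 PrivateKeyInfo": "PRIVATE KEY",
             "X.509 Certificate": "CERTIFICATE"}

def der(tag, body):
    """Encode one DER TLV with a definite length (short or long form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def der_int(v):
    """DER INTEGER: minimal big-endian bytes, 0x00-prefixed when the top bit is set."""
    b = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    return der(INTEGER, (b"\x00" if b[0] & 0x80 else b"") + b)

def read_tlv(buf, off):
    """Decode tag and length at buf[off]; return (tag, value_start, value_end) or None."""
    if off + 2 > len(buf):
        return None
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        # 0x80 is BER's indefinite form, not DER; more than 4 length bytes is not a key
        if nbytes == 0 or nbytes > 4 or off + 2 + nbytes > len(buf):
            return None
        length = int.from_bytes(buf[off + 2:off + 2 + nbytes], "big")
        hdr = 2 + nbytes
    end = off + hdr + length
    return None if end > len(buf) else (tag, off + hdr, end)

def children(buf, start, end):
    """Yield (tag, value_start, value_end) for each TLV directly inside buf[start:end]."""
    off = start
    while off < end:
        tlv = read_tlv(buf, off)
        if tlv is None or tlv[2] > end:
            return
        yield tlv
        off = tlv[2]

def classify(buf, start, end):
    """Name the object whose SEQUENCE body is buf[start:end], by the shape of its children."""
    kids = list(children(buf, start, end))
    tags = [k[0] for k in kids]
    version_zero = bool(kids) and buf[kids[0][1]:kids[0][2]] == b"\x00"
    # PKCS#1 RSAPrivateKey: version 0, then n, e, d, p, q, dp, dq, qInv (nine INTEGERs)
    if tags == [INTEGER] * 9 and version_zero:
        return "PKCS#1 RSAPrivateKey"
    # PKCS#8 PrivateKeyInfo: version 0, AlgorithmIdentifier SEQUENCE, OCTET STRING, [attributes]
    if tags[:3] == [INTEGER, SEQUENCE, OCTET_STRING] and version_zero:
        return "PKCS#8 PrivateKeyInfo"
    # X.509 Certificate: tbsCertificate SEQUENCE, signatureAlgorithm SEQUENCE, signature BIT STRING
    if tags == [SEQUENCE, SEQUENCE, BIT_STRING]:
        return "X.509 Certificate"
    return None

def carve(buf, min_len=16):
    """Return (offset, kind, der_bytes) for every offset whose SEQUENCE body classifies.

    A PKCS#8 key that wraps a PKCS#1 key is reported at both offsets; dedupe if needed.
    """
    hits = []
    for off in range(len(buf) - 1):
        if buf[off] != SEQUENCE:
            continue
        tlv = read_tlv(buf, off)
        if tlv is None or tlv[2] - tlv[1] < min_len:
            continue
        kind = classify(buf, tlv[1], tlv[2])
        if kind:
            hits.append((off, kind, buf[off:tlv[2]]))
    return hits

def to_pem(kind, blob):
    """Wrap a carved DER blob as PEM so openssl or the cryptography package can load it."""
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (PEM_LABEL[kind], body, PEM_LABEL[kind])

# Constructed sample: a toy PKCS#1 key, the same key wrapped as PKCS#8 (rsaEncryption OID),
# between filler bytes that contain stray 0x30 values to exercise the rejection paths.
FAKE_RSA = der(SEQUENCE, der_int(0) + b"".join(
    der_int(v) for v in (0xC0FFEE, 65537, 0x1234, 233, 239, 7, 11, 13)))
RSA_ALG_ID = der(SEQUENCE, der(OID, bytes.fromhex("2a864886f70d010101")) + b"\x05\x00")
FAKE_PKCS8 = der(SEQUENCE, der_int(0) + RSA_ALG_ID + der(OCTET_STRING, FAKE_RSA))
MEMORY_IMAGE = bytes(range(256)) + FAKE_RSA + b"\x00" * 40 + FAKE_PKCS8 + bytes(range(255, -1, -1))

if __name__ == "__main__":
    for off, kind, blob in carve(MEMORY_IMAGE):
        print("0x%08x  %-22s %d bytes" % (off, kind, len(blob)))
        print(to_pem(kind, blob))
```

Against a real dump the same loop runs over the mapped regions of each process; the length check and the child-shape check are what keep the false-positive rate usable, since 0x30 is a common byte. A carver that only checked the tag would flag nearly every page.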
Tool components
Tool installation
We recommend installing Dumpscan with pipx:
pipx install dumpscan
pipx inject dumpscan git+https://github.com/volatilityfoundation/volatility3#39e812a
The second command installs Volatility3 from the pinned commit 39e812a into Dumpscan's pipx environment; the kernel-mode commands depend on it.
Tool usage
Usage: dumpscan [OPTIONS] COMMAND [ARGS]...

  Scan memory dumps for secrets and keys

Options:
  --help      Display help information and exit

Commands:
  kernel      Use volatility to scan kernel dump
  minidump    Scan user mode minidump
For the subcommands that can extract certificates, the "--output/-o <dir>" option specifies the directory into which the extracted certificates are written.
Kernel mode
Kernel-mode analysis in this tool is built on Volatility3: the "cmdline", "envar", and "pslist" commands call the corresponding Volatility3 plugins directly, while "symcrypt" and "x509" are custom plugins provided by the tool:
Usage: dumpscan kernel [OPTIONS] COMMAND [ARGS]...

  Scan kernel dump using volatility

Options:
  --help      Display help information and exit

Commands:
  cmdline     Enumerate process command line information (only supported on Windows)
  envar       Enumerate process environment variables (only supported on Windows)
  pslist      Enumerate all processes and corresponding command line parameters
  symcrypt    Scan SymCrypt objects in kernel mode dump
  x509        Scan x509 certificates in kernel mode dump
Minidump mode
The tool also supports the Windows Minidump format, but this feature has only been tested on 64-bit processes on Windows 10 and later; 32-bit processes may require additional handling.
Usage: dumpscan minidump [OPTIONS] COMMAND [ARGS]...

  Scan a user-mode minidump

Options:
  --help      Display help information and exit

Commands:
  cmdline     Export command line strings
  envar       Export environment variables
  symcrypt    Scan symcrypt objects in minidump
  x509        Scan x509 objects in minidump
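The "envar" commands in both modes recover environment variables from process memory. On Windows the environment lives in the process address space as a UTF-16LE block of NUL-terminated "NAME=VALUE" strings closed by an empty string; a minidump that captured that memory can be scanned for such strings even without following the PEB pointers. The following is an added example written for this page, not Dumpscan's code: a byte-level regex that pulls those strings out of a raw buffer and flags variable names that commonly carry credentials. The buffer, the variable names and the helper names `extract_env`, `flag_secrets` and `env_block` are this example's own constructed data.

```python
"""Pull NAME=VALUE environment strings out of raw process memory.

Added example (not Dumpscan's code). Each ASCII character of a UTF-16LE string is
followed by 0x00, and each string ends with a 0x0000 unit, which is what the regex keys on.
"""
import re

# UTF-16LE "NAME=VALUE" plus its terminating NUL; the name class deliberately excludes '='.
ENV_STRING = re.compile(
    rb"[A-Za-z_]\x00(?:[A-Za-z0-9_(){}.-]\x00)*=\x00(?:[\x20-\x7e]\x00)+\x00\x00")
# Names that commonly carry credentials; tune this list for the target environment.
SECRET_NAME = re.compile(
    r"pass(word)?|pwd|secret|token|api[_-]?key|access[_-]?key|credential", re.I)

def extract_env(buf):
    """Return (offset, name, value) for every environment-style string found in buf."""
    out = []
    for m in ENV_STRING.finditer(buf):
        text = m.group(0)[:-2].decode("utf-16-le")   # drop the terminating NUL unit
        name, value = text.split("=", 1)              # first '=' ends the name
        out.append((m.start(), name, value))
    return out

def flag_secrets(entries):
    """Filter extract_env() output down to variables whose name suggests a secret."""
    return [(name, value) for _, name, value in entries if SECRET_NAME.search(name)]

def env_block(pairs):
    """Build a Windows-style UTF-16LE environment block (constructed test data)."""
    return "".join("%s=%s\0" % kv for kv in pairs).encode("utf-16-le") + b"\0\0"

# Constructed "memory": an environment block at an odd offset between filler bytes.
MEMORY = (b"\xcc" * 17
          + env_block([("SystemRoot", r"C:\Windows"),
                       ("AWS_SECRET_ACCESS_KEY", "constructed-not-a-real-secret-0123"),
                       ("Path", r"C:\Windows\system32;C:\Windows")])
          + b"\xcc" * 9)

if __name__ == "__main__":
    entries = extract_env(MEMORY)
    for off, name, value in entries:
        print("0x%08x %s=%s" % (off, name, value))
    print("flagged:", flag_secrets(entries))
```

The regex is anchored on the 2-byte UTF-16 unit layout rather than on decoded text, so it works on a raw minidump memory range; the cost is that an 8-bit (ANSI) environment block, or one left over from a 32-bit process, needs its own pattern.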
License agreement
This project is developed and released under the MIT open source license.
Project address
Dumpscan:【GitHub Gateway】
Reference materials
https://github.com/volatilityfoundation/volatility3