https://github.com/safedv/rustivedump

LSASS memory dumper using only NTAPIs, creating a minimal minidump, built in Rust with no_std and independent of the C runtime (CRT). It can be compiled as shellcode (PIC), supports XOR encryption, and remote file transmission.
https://github.com/safedv/rustivedump

lsass-dump offensive-security position-independent-code redteam rust-lang

Last synced: 2 days ago
JSON representation

LSASS memory dumper using only NTAPIs, creating a minimal minidump, built in Rust with no_std and independent of the C runtime (CRT). It can be compiled as shellcode (PIC), supports XOR encryption, and remote file transmission.

• Host: GitHub
• URL: https://github.com/safedv/rustivedump
• Owner: safedv
• License: mit
• Created: 2024-10-06T16:01:49.000Z (about 1 month ago)
• Default Branch: main
• Last Pushed: 2024-10-14T16:42:44.000Z (about 1 month ago)
• Last Synced: 2024-11-13T07:01:53.608Z (2 days ago)
• Topics: lsass-dump, offensive-security, position-independent-code, redteam, rust-lang
• Language: Rust
• Homepage:
• Size: 74.2 KB
• Stars: 248
• Watchers: 1
• Forks: 33
• Open Issues: 0
• Metadata Files:
  • Readme: readme.md
  • License: LICENSE

Awesome Lists containing this project

README

        
## **RustiveDump**

**RustiveDump** is a Rust-based tool designed to dump the memory of the **lsass.exe** process using **only NT system calls**.

It creates a minimal minidump file from scratch, containing essential components like **SystemInfo**, **ModuleList**, and **Memory64List**, with support for **XOR encryption** and **remote transmission**.

Additionally, RustiveDump now implements the design of [Rustic64](https://github.com/safedv/Rustic64), allowing it to be compiled as **Position Independent Code (PIC)**, making it more versatile.

This project is a personal learning experience, focusing on leveraging native Windows APIs for memory dumping and building a minimalistic minidump file entirely from the ground up.

## **Key Features**

1. **NT System Calls for Everything**:

   RustiveDump bypasses standard APIs and leverages NT system calls for all its operations.

2. **No-Std and CRT-Independent**:  

   RustiveDump is built using Rust's `no_std` feature, which removes reliance on Rust's standard library, and it's also **CRT library independent**. This resulting in a lean release build of only **18KB**.

3. **Position Independent Code (PIC)**:  

   RustiveDump now implements the design of Rustic64, allowing it to be compiled as `shellcode (PIC)`, making it more versatile.

4. **Indirect NT Syscalls**:  

   The tool uses indirect syscalls, retrieving system service numbers (SSN) with techniques like **Hell’s Gate**, **Halo's Gate**, and **Tartarus' Gate**.

5. **Lean Memory Dump**:  

   RustiveDump generates a focused memory dump, containing only essential data (i.e., **SystemInfo**, **ModuleList**, and **Memory64List**), ensuring no bloated files—just enough to feed your memory analysis tools like **Mimikatz** or **Pypykatz**.

6. **XOR Encryption**:  

   RustiveDump can encrypt the dump file using XOR before saving or transmitting it, adding an extra layer of security to the dumped memory.

7. **Remote File Transmission**:  

   The dump file can be sent directly to a remote server using **winsock** APIs calls

8. **Debug Mode**:  

   The debug mode provides detailed logs of each step, which can be enabled during the build process.

## **How it works**

1. **Enable SeDebugPrivilege**:  

   RustiveDump uses `NtOpenProcessToken` and `NtAdjustPrivilegesToken` to enable **SeDebugPrivilege**, allowing access to protected processes like **lsass.exe**.

2. **LSASS Process Access**:  

   The tool locates the **lsass.exe** process by querying `NtQuerySystemInformation` to get a snapshot of active processes, and then opens a process handle using `NtOpenProcess` with the `PROCESS_QUERY_INFORMATION` and `PROCESS_VM_READ` access rights.

3. **Memory Regions Handling**:  

   RustiveDump scans through the memory regions of the process using `NtQueryVirtualMemory` and dumps committed and accessible memory using `NtReadVirtualMemory`.

4. **Module Information**:  

   RustiveDump retrieves a list of modules loaded by **lsass.exe** using `NtQueryInformationProcess` to extract the **ModuleList** from the remote PEB (Process Environment Block).

5. **Memory Dump Creation**:  

   The dump is saved locally using `NtCreateFile` and `NtWriteFile`, or sent to a remote server. If desired, the dump can also be encrypted with XOR before being saved or transmitted.

## **Build**

RustiveDump offers several configurable build options through **cargo make** to customize the behavior of the tool. You can enable features like **XOR encryption**, **remote file transmission** and **verbose logging**.

**Available Features:**

- **xor**: Encrypts the dump file using XOR encryption.

- **debug**: Enables detailed logs for each step of the process.

- **remote**: Sends the dump file to a remote server via Winsock.

- **lsasrv**: Filters the memory dump to include only the `lsasrv.dll` module from **lsass.exe**.

### **Build Options**

To build RustiveDump with different combinations of features, use the following commands:

- **Basic build** (save dump locally without additional features):

  ```bash

  cargo make

  ```

- **Build with specific features**

  ```bash

  cargo make --env FEATURES=xor,remote,lsasrv,debug

  ```

- **Build as Shellcode (PIC)**

  ```bash

  cargo make --env FEATURES=xor,remote pic

  ```

## **Memory Dump File Structure**

RustiveDump generates a minimalistic minidump file, including only the essential components for tools like **Mimikatz** and **Pypykatz**. The file consists of three core streams:

1. **SystemInfo Stream**: OS version and architecture details.

2. **ModuleList Stream**: Lists modules loaded in **lsass.exe**.

3. **Memory64List Stream**: Memory regions from **lsass.exe**.

For more details on the Minidump file structure, see: [Minidump (MDMP) format documentation]().

## Disclaimer

This project is intended **for educational and research purposes only**. RustiveDump is a minimalist memory dumper built for learning purposes. Use it responsibly, and remember, if you misuse it, that’s on you—not me!

Always follow ethical guidelines and legal frameworks when doing security research (and, you know, just in general).

## **Credits**

- Inspired by [NativeDump](https://github.com/ricardojoserf/NativeDump) by [ricardojoserf](https://github.com/ricardojoserf). Thanks to the author for sharing their work.

## **Contributions**

Contributions are welcome! If you want to help improve RustiveDump or report bugs, feel free to open an issue or a pull request in the repository.

---