Dumpscan is a command-line tool designed to extract and dump secrets from kernel and Windows Minidump formats. Kernel-dump parsing is provided by volatility3.
Note: Testing has only been performed on Windows 10 and 11 64-bit hosts and processes. Feel free to file an issue for additional versions. Linux testing TBD.
As a command-line tool, installation is recommended using pipx. This allows for easy updates and well and ensuring it is installed in its own virtual environment.
pipx install dumpscan
pipx inject dumpscan git+https://github.com/volatilityfoundation/volatility3#39e812a
Usage: dumpscan [OPTIONS] COMMAND [ARGS]...
Scan memory dumps for secrets and keys
╭─ Options ────────────────────────────────────────────────────────────────────────────────────────╮
│ │
│ --help Show this message and exit. │ ;
│ │
╰──────────────────────────────────────────────────────────────────────────────────────────────────╯
╭─ Commands ───────────────────────────────────────────────────────────────────────────────────────╮
│ │
│ kernel Scan kernel dump using volatility │
│ minidump Scan a user-mode minidump │
│ │
╰──────────────────────────────────────────────────────────────────────────────────────────────────╯
In the case for subcommands that extract certificates, you can provide --output/-o <dir>
to output any discovered certificates to disk.
As mentioned, kernel analysis is performed by Volatility3. cmdline
, envar
, and pslist
are direct calls to the Volatility3 plugins, while symcrypt
and x509
are custom plugins.
Usage: dumpscan kernel [OPTIONS] COMMAND [ARGS]...
Scan kernel dump using volatility
╭─ Options ────────────────────────────────────────────────────────────────────────────────────────╮
│ │
│ --help Show this message and exit. ╰
│ │
╰──────────────────────────────────────────────────────────────────────────────────────────────────╯
╭─ Commands ───────────────────────────────────────────────────────────────────────────────────────╮
│ │
│ cmdline List command line for processes (Only for Windows) │
│ envar List process environment variables (Only for Windows) │
│ pslist List all the processes and their command lin e arguments │
│ symcrypt Scan a kernel-mode dump for symcrypt objects │
│ x509 Scan a kernel-mode dump for x509 certificates │
│ │
╰──────────────────────────────────────────────────────────────────────────────────────────────────╯
Supports Windows Minidump format.
Note: This has only been tested on 64-bit processes on Windows 10+. 32-bit processes requires additional work but isn't a priority.
Usage: dumpscan minidump [OPTIONS] COMMAND [ARGS]...
Scan a user-mode minidump
╭─ Options ────────────────────────────────────────────────────────────────────────────────────────╮
│ │
│ --help Show this message and exit. │
│ │
╰──────────────────────────────────────────────────────────────────────────────────────────────────╯
╭─ Commands ───────────────────────────────────────────────────────────────────────────────────────╮
│ │
│ cmdline Dump the command line string │
│ envar Dump the environment variables in a minidump │
│ symcrypt Scan a minidump for symcrypt objects │
│ x509 Scan a minidump for x509 objects │
│ │
╰──────────────────────────────────────────────────────────────────────────────────────────────────╯
construct
for parsing minidumps.Click to Open Code Editor