Rust in-memory dumper

Related tags

Command-line combine_harvester
Overview

combine

Check your windows local security authority credential's safety with this awesome tool.

Coupled dump decoder @ https://github.com/ruggi99/combine-decoder

Introduction

By readapting the safetydump rust library (many thanks to the author!!!), I have been able to EASILY bypass all the countermeasures put in place by most EDRs, except Kaspersky EDR, and TrendMicro (new detection, from a couple hours ago)

dbghelp!MiniDumpWriteDump with a custom callback could be used, until a year ago, to bypass most antivirus/EDR solutions.

Now, most of them EASILY recognize statically or behaviorally the system API usage pattern, for programs written in languages such as C++, Delphi and C#. (it could be possible anyway thanks to undocumented NtOpenProcessEx but that's another story)

If you have a Go implementation, please give me feedback. I'm on it but still have some bugs related to memory size

I suspect that there is still no way to monitor the MiniDumpWriteDump callback, and all the protection against a possible credential dump via this technique is then entrusted to machine learning detections.

Usage

GUI

image

CMD

image

DECRYPT

image

References

Done thanks to

Many code snippets are from

Disclaimer

I am not responsible for any improper usage of this tool. This is meant for research and security testing purpose.

Notes

The only effective mitigations (that I know of) against this sub-technique are RunAsPPL and CredentialGuard, but it's not always possible to enable these options.

You might also like...
A library for loading and executing PE (Portable Executable) from memory without ever touching the disk

memexec A library for loading and executing PE (Portable Executable) from memory without ever touching the disk This is my own version for specific pr

FssAy 5 Aug 27, 2022
A library and binary for testing unhooking ntdll by identifying hooks via in-memory disassembly
A library and binary for testing unhooking ntdll by identifying hooks via in-memory disassembly

(First Public?) Sample of unhooking ntdll (All Exports & IAT imports) hooks in Rust using in-memory disassembly, avoiding direct syscalls and all hooked functions (incl. hooked NtProtectVirtualMemory)

Signal Labs 52 Apr 9, 2023
A simple code that will load a shellcode directly into RAM memory in a new process
A simple code that will load a shellcode directly into RAM memory in a new process

「 🔄 」About RustSCLoader RustSCLoader is a simple code that has the intention of loading a shellcode directly into RAM memory in a new process that wi

null 5 May 15, 2023
High-Speed Memory Scanner & Analyzer with REST API.

memory-server High-Speed Memory Scanner & Analyzer with REST API. Usage iOS Jailbreaking of iphone is required. Place your PC and iphone in the same n

Kenjiro Ichise 8 Jul 12, 2023
Tool to allow parsing large JSON files without laoding into memory
Tool to allow parsing large JSON files without laoding into memory

Tool to allow parsing large JSON files without laoding into memory. Developed in Rust with adapters in other programming langauges for easy adoption

Salaah Amin 7 Jul 11, 2023
A command line tool that resembles a debugger as well as Cheat Engine, to search for values in memory
A command line tool that resembles a debugger as well as Cheat Engine, to search for values in memory

Summary This is a small command-line tool designed to peek around memory of a running Linux process. It also provides filtering mechanisms similar to

null 213 Jul 4, 2023
A small in-memory filesystem using FUSE.

slabfs A small in-memory filesystem using FUSE. Running Simply run: RUST_LOG="slabfs=trace" cargo r -r -- mountpoint To suppress most log messages:

Carlos López 2 Jul 7, 2023
A library that allows for the arbitrary inspection and manipulation of the memory and code of a process on a Linux system.
A library that allows for the arbitrary inspection and manipulation of the memory and code of a process on a Linux system.

raminspect raminspect is a crate that allows for the inspection and manipulation of the memory and code of a running process on a Linux system. It pro

Liam Germain 24 Sep 26, 2023
Owned container for dynamically-sized types backed by inline memory

sized-dst This crate provides Dst, an owned container for dynamically-sized types (DSTs) that's backed by inline memory. The main use-case is owned tr

Yuhan Lin 8 Sep 6, 2024
Comments
  • Missing LICENSE

    Missing LICENSE

    I see you have no LICENSE for this project. The default is copyright.

    I would suggest releasing the code under the AGPL-3.0-or-later or GPL-3.0-or-later license so that others are encouraged to contribute changes back to your project.

    opened by TechnologyClassroom 0
Owner
Gigi
I love eggs
Gigi
GitHub
Shared memory - A Rust wrapper around native shared memory for Linux and Windows

shared_memory A crate that allows you to share memory between processes. This crate provides lightweight wrappers around shared memory APIs in an OS a

elast0ny 274 Dec 29, 2022
General purpose memory allocator written in Rust.

Memalloc Memory allocator written in Rust. It implements std::alloc::Allocator and std::alloc::GlobalAlloc traits. All memory is requested from the ke

Antonio Sarosi 35 Dec 25, 2022
Fast & Memory Efficient NodeJs Excel Writer using Rust Binding

FastExcel This project need Rust to be installed, check here for Rust installation instruction This project using Rust and Neon as a binding to Rust t

Aditya Kresna 2 Dec 15, 2022
A simple made in Rust crack, automatic for Winrar, activated from shared virtual memory, for studies.

Simple Winrar Crack in Rust What does it do ? A simple project that allows you to modify the license check used by WinRaR, "RegKey" from virtual memor

João Vitor 7 Jan 2, 2023
Use your computer as a cosmic ray detector! One of the memory errors Rust does not protect against.

Your computer can double up as a cosmic ray detector. Yes, really! Cosmic rays hit your computer all the time. If they hit the RAM, this can sometimes

Johanna Sörngård 110 Jun 16, 2023
A safe and idiomatic wrapper over shared memory APIs in rust with proper cleanups.

shmem-bind A safe and idiomatic wrapper over shared memory APIs in rust with proper cleanups. Quick start: check the message-passing example for bette

ArshiA Akhavan 3 Apr 6, 2024
A small, memory efficient crawler written in Rust.

Atra - The smaller way to crawl !!This read me will we reworked in a few days. Currently I am working on a better version and a wiki for the config fi

Felix Engl 3 Mar 23, 2024
A CLI tool which can help you automatically kill process of your choice. Useful for freeing up memory and CPU usage!

Quickiller There are always programs such as chrome that keep eating up your resources even when closed! The only way to prevent this is to kill all o

Codingsquirrel 1 Dec 8, 2021
Memory usage monitor for process trees

gotta-watch-em-all Executes a process with given arguments and monitors, logs when memory usage grows to a new peak. Example: cargo run -- cargo -- bu

Aaron Friel 8 Dec 8, 2022
A simple crate, that protects some variables from being modified by memory tampering tools.

Crate: protected_integer A simple crate, that protects some variables from being modified by memory tampering tools. Usage Add this crate to dependenc

lihe 5 Nov 30, 2022