RustiveDump: dump the memory of the lsass.exe process
RustiveDump
RustiveDump is a Rust-based tool designed to dump the memory of the lsass.exe process using only NT system calls.
It creates a minimal minidump file from scratch, containing essential components like SystemInfo, ModuleList, and Memory64List, with support for XOR encryption and remote transmission.
Additionally, RustiveDump now implements the design of Rustic64, allowing it to be compiled as Position Independent Code (PIC), making it more versatile.
This project is a personal learning experience, focusing on leveraging native Windows APIs for memory dumping and building a minimalistic minidump file entirely from the ground up.
Key Features
-
NT System Calls for Everything: RustiveDump bypasses standard APIs and leverages NT system calls for all its operations.
-
No-Std and CRT-Independent:
RustiveDump is built using Rust’sno_std
feature, which removes reliance on Rust’s standard library, and it’s also CRT library independent. This resulting in a lean release build of only 18KB. -
Position Independent Code (PIC):
RustiveDump now implements the design of Rustic64, allowing it to be compiled asshellcode (PIC)
, making it more versatile. -
Indirect NT Syscalls:
The tool uses indirect syscalls, retrieving system service numbers (SSN) with techniques like Hell’s Gate, Halo’s Gate, and Tartarus’ Gate. -
Lean Memory Dump:
RustiveDump generates a focused memory dump, containing only essential data (i.e., SystemInfo, ModuleList, and Memory64List), ensuring no bloated files—just enough to feed your memory analysis tools like Mimikatz or Pypykatz. -
XOR Encryption:
RustiveDump can encrypt the dump file using XOR before saving or transmitting it, adding an extra layer of security to the dumped memory. -
Remote File Transmission:
The dump file can be sent directly to a remote server using winsock APIs calls -
Debug Mode:
The debug mode provides detailed logs of each step, which can be enabled during the build process.
How it works
-
Enable SeDebugPrivilege:
RustiveDump usesNtOpenProcessToken
andNtAdjustPrivilegesToken
to enable SeDebugPrivilege, allowing access to protected processes like lsass.exe. -
LSASS Process Access:
The tool locates the lsass.exe process by queryingNtQuerySystemInformation
to get a snapshot of active processes, and then opens a process handle usingNtOpenProcess
with thePROCESS_QUERY_INFORMATION
andPROCESS_VM_READ
access rights. -
Memory Regions Handling:
RustiveDump scans through the memory regions of the process usingNtQueryVirtualMemory
and dumps committed and accessible memory usingNtReadVirtualMemory
. -
Module Information:
RustiveDump retrieves a list of modules loaded by lsass.exe usingNtQueryInformationProcess
to extract the ModuleList from the remote PEB (Process Environment Block). -
Memory Dump Creation:
The dump is saved locally usingNtCreateFile
andNtWriteFile
, or sent to a remote server. If desired, the dump can also be encrypted with XOR before being saved or transmitted.