Dumpy This tool dynamically calls MiniDumpWriteDump to dump | HackGit
Dumpy
This tool dynamically calls MiniDumpWriteDump to dump lsass memory content. This process is done without opening a new process handle to lsass and using DInvoke_rs to make it harder to detect its malicious behaviour.
In order to obtain a valid process handle without calling OpenProcess over lsass, all process handles in the system are analyzed using NtQuerySystemInformation, NtDuplicateObject, NtQueryObject and QueryFullProcessImageNameW.
NtOpenProcess is hooked before calling MiniDumpWriteDump to avoid the opening of a new process handle over lsass.
NTFS Transaction are used in order to xor the memory dump before storing it on disk.