Saved February 14, 2026
Do you care about this?
SAMDump extracts the Windows SAM and SYSTEM registry hives by reading them out of a Volume Shadow Copy rather than copying the locked live files, so no copy of the hives needs to be written to the target filesystem when the remote-transfer option is used. It supports local saving and remote transfer, with optional XOR encoding of the files to hinder content-based detection. The tool is implemented in multiple programming languages and requires elevated privileges to operate.
If you do, here's more
SAMDump is a tool designed to extract the Windows Security Account Manager (SAM) and SYSTEM hive files using the Volume Shadow Copy Service (VSS). The live hives under Windows\System32\config are held open by the kernel and cannot be read directly, but a shadow copy exposes a point-in-time image of the volume from which the same files can be read without that lock. SAMDump creates a shadow copy if none exists and supports multiple exfiltration options, including saving the files locally or transferring them over a network. It can XOR-encode the files before storage or transfer, which hides their contents from content-based inspection (a registry hive is otherwise easy to recognise) but does nothing to hide the process behaviour that produced them. It requires elevated privileges to operate and automatically deletes the shadow copies it created after about five minutes.
The implementation spans several programming languages: C++, C#, Crystal, and Python. Each is a separate build of the same functionality; the Python implementation depends on the `comtypes` library (a COM interop library). The main executable, `SAMDump.exe`, includes various options for local saving, remote sending, and encoding. For remote transfers, a Python server (`server.py`) receives the files, automatically handling XOR decoding and formatting filenames with the sender's IP and date. Another script, `xor-decoder.py`, allows users to decode the files locally with a specified key.
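As an added example (not SAMDump's own code; the tool's key format, framing and file naming are not assumed here), the following Python shows the repeating-key XOR that the server and decoder scripts reverse, and why it hinders only content matching: every registry hive begins with the signature `regf`, and XOR against known plaintext leaks the key bytes at those positions, so whoever captures an encoded blob can recover a short key, or at least confirm what the blob is, without being told the key. The names `xor_bytes`, `recover_keystream_prefix`, `decode_with_known_header` and the constructed `SAMPLE_HIVE` are this example's own.

```python
"""Repeating-key XOR of a hive file and its known-plaintext weakness.

Added example, not SAMDump's own code: the tool's exact key handling,
framing and file naming are not assumed. SAMPLE_HIVE is a constructed
byte string, not a real SAM or SYSTEM file.
"""
import itertools
from typing import Optional

# Every registry hive (SAM, SYSTEM, SECURITY, ...) starts with the 4-byte
# base-block signature "regf": known plaintext at a known offset.
HIVE_MAGIC = b"regf"

# Constructed stand-in for a hive: correct magic, then arbitrary filler.
SAMPLE_HIVE = HIVE_MAGIC + bytes(range(256)) * 2


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key. XOR is its own inverse, so the same
    call both encodes and decodes."""
    if not key:
        raise ValueError("key must be non-empty")
    return bytes(b ^ k for b, k in zip(data, itertools.cycle(key)))


def looks_like_hive(data: bytes) -> bool:
    """Receiver-side sanity check: did decoding produce a registry hive?"""
    return data[:4] == HIVE_MAGIC


def recover_keystream_prefix(encoded: bytes, known: bytes = HIVE_MAGIC) -> bytes:
    """Known-plaintext attack: ciphertext XOR plaintext gives the key stream
    at every position where the plaintext is known. With only the magic
    known, that is the first four key bytes (wrapping if the key is shorter)."""
    return xor_bytes(encoded[: len(known)], known)


def find_single_byte_key(encoded: bytes) -> Optional[int]:
    """Brute-force a one-byte key by checking for the hive magic. Returns the
    key byte, or None if no single byte yields a hive header."""
    for k in range(256):
        if looks_like_hive(xor_bytes(encoded[:4], bytes([k]))):
            return k
    return None


def decode_with_known_header(encoded: bytes, key_len: int) -> Optional[bytes]:
    """Decode without the key when the key is no longer than the known
    plaintext: derive the key from the header, then apply it to the whole
    file. Returns None if key_len exceeds what the header can reveal or the
    result is not a hive."""
    if key_len < 1 or key_len > len(HIVE_MAGIC):
        return None
    key = recover_keystream_prefix(encoded)[:key_len]
    plain = xor_bytes(encoded, key)
    return plain if looks_like_hive(plain) else None


if __name__ == "__main__":
    key = b"s3cr3t"
    blob = xor_bytes(SAMPLE_HIVE, key)
    print("encoded header:", blob[:4].hex())
    print("key stream leaked by the header:", recover_keystream_prefix(blob))
    print("decoded with the real key:", looks_like_hive(xor_bytes(blob, key)))
```

A longer key only pushes the attack further into the hive header, which has more predictable fields after the signature (version numbers, a zero file-type field), so a fixed XOR key should be treated as obfuscation against string matching, not as confidentiality.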
For file access SAMDump calls the native NT API directly (`NtCreateFile`, `NtReadFile`, `NtWriteFile`) instead of the Win32 wrappers such as `CreateFileW` and `ReadFile`. Security products that hook only those Win32 wrappers in user mode do not see the calls, which is the stealth advantage the tool claims over conventional methods. The caveat for a defender is that this is a narrow bypass: hooks placed on `ntdll` itself, kernel-mode file-system minifilters, ETW and other kernel callbacks observe the same operations, so the creation of the shadow copy and the reads of SAM and SYSTEM from it (the SYSTEM hive holds the boot key needed to decrypt the SAM hashes, so both are read together) remain visible to telemetry collected at that layer. The tool's aim is to automate the extraction so that it stays below signature-based and Win32-hook-based detection, relying on VSS being present on modern Windows systems.
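To make that caveat concrete, here is added detection logic, not part of SAMDump or of this page, run over constructed file-access telemetry lines in a hypothetical `key=value` format (no vendor's schema is assumed). It flags reads of SAM, SYSTEM or SECURITY either from a shadow-copy device path or from the live `config` directory, skips allow-listed backup images, and reports processes that read both SAM and SYSTEM, since a process needs the SYSTEM hive's boot key to use the SAM hashes. The function names are this example's own.

```python
"""Flag hive reads from Volume Shadow Copy device paths in file-access telemetry.

Added example, not SAMDump's own code and not any vendor's log schema: the
key=value line format and the events below are constructed for this
demonstration. Kernel-level sensors (minifilters, ETW) report these events
regardless of whether the process used Win32 wrappers or NtCreateFile.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set

# Constructed telemetry lines: one process enumerating SAM and SYSTEM from a
# shadow copy, one backup agent reading a user file from the same snapshot,
# and one direct open of the live SAM.
SAMPLE_EVENTS = [
    r"ts=2026-02-14T10:00:01Z pid=4120 image=C:\Windows\System32\svchost.exe op=read path=C:\Windows\System32\config\SOFTWARE",
    r"ts=2026-02-14T10:00:05Z pid=7732 image=C:\Users\bob\Downloads\SAMDump.exe op=read path=\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\System32\config\SAM",
    r"ts=2026-02-14T10:00:05Z pid=7732 image=C:\Users\bob\Downloads\SAMDump.exe op=read path=\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\System32\config\SYSTEM",
    r"ts=2026-02-14T10:01:00Z pid=5500 image=C:\Program Files\Backup\agent.exe op=read path=\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Users\bob\Documents\notes.txt",
    r"ts=2026-02-14T10:02:00Z pid=9001 image=C:\Windows\System32\cmd.exe op=read path=C:\Windows\System32\config\SAM",
]

HIVES = r"(SAM|SYSTEM|SECURITY)"
# \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN\... is how a VSS snapshot
# is addressed from user mode.
SHADOW_HIVE_RE = re.compile(
    r"^\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy\d+"
    r"\\Windows\\System32\\config\\" + HIVES + r"$", re.IGNORECASE)
# The live hives are locked, but the open attempt itself is worth flagging.
LIVE_HIVE_RE = re.compile(
    r"^[A-Z]:\\Windows\\System32\\config\\" + HIVES + r"$", re.IGNORECASE)

# key=value pairs; values may contain spaces (e.g. "Program Files").
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line: str) -> Dict[str, str]:
    """Split one telemetry line into a field dictionary."""
    return dict(FIELD_RE.findall(line))


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return 'shadow_hive_read', 'live_hive_read' or None for an event."""
    if event.get("op") != "read":
        return None
    path = event.get("path", "")
    if SHADOW_HIVE_RE.match(path):
        return "shadow_hive_read"
    if LIVE_HIVE_RE.match(path):
        return "live_hive_read"
    return None


def flag_hive_reads(lines, allow_images=()) -> List[Dict[str, str]]:
    """Return the events that read SAM/SYSTEM/SECURITY, skipping allow-listed
    images (known backup agents), with 'kind' and 'hive' fields added."""
    allowed = {a.lower() for a in allow_images}
    hits = []
    for line in lines:
        ev = parse_event(line)
        kind = classify(ev)
        if kind is None or ev.get("image", "").lower() in allowed:
            continue
        ev["kind"] = kind
        ev["hive"] = ev["path"].rsplit("\\", 1)[-1].upper()
        hits.append(ev)
    return hits


def pids_reading_sam_and_system(hits) -> Set[str]:
    """Processes that read both hives: the boot key in SYSTEM is required to
    decrypt the SAM hashes, so this pairing is the strongest signal here."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for ev in hits:
        seen[ev["pid"]].add(ev["hive"])
    return {pid for pid, hives in seen.items() if {"SAM", "SYSTEM"} <= hives}


if __name__ == "__main__":
    hits = flag_hive_reads(SAMPLE_EVENTS)
    for ev in hits:
        print(ev["kind"], ev["pid"], ev["image"], ev["path"])
    print("SAM+SYSTEM readers:", pids_reading_sam_and_system(hits))
```

The allow-list is deliberately by image path only; in production it should be tied to a code signature or hash, since dropping a binary named after a backup agent is an obvious evasion.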