minidump lsa seems to just lock up pypykatz
ceramic-skate0 opened this issue · 3 comments
When I run `pypykatz lsa minidump <minidump file>` (from nanodump, sig restored), pypykatz seems to not return output. From what I can tell it just locks up the console with no output. It's been 3 days I've let the app run on this minidump file and it returns no output and doesn't appear to crash. Any thoughts?

Thus far I have tried upgrading from the old pypykatz to the new version: GitHub install, pip3 install, and all install methods on a fresh Ubuntu machine.
I have seen similar behavior lately. You could try using an older version of pypykatz and see if there is any difference, and also try to dump lsass with Process Hacker or some tool that lets Windows create the dump, to make sure this is not an issue with nanodump.
Thank you for the issue. I added some modifications and new templates to pypykatz in the latest update; however, the worst they can do is crash. I've not experienced an infinite-loop behavior before. I've re-tested the code on my test-dump collection and everything is in order, so I see the following possibilities:
- It is in fact a bug introduced in the new version. In this case I'd need a dump file that can reproduce this issue.
- It is a problem in nanodump (maybe it needs some changes to work with the new pypykatz version?)
I'll keep this issue open and encourage anyone to please please please send an offending dumpfile so I can fix this.
`pypykatz -vvv lsa minidump` shows me that it's getting hung in lsa_decryptor_nt6.py, method find_signature(self), around line 42. I think I never hit the if statement at line 44. I also never hit the line 28 print statement. Maybe the issue is finding lsasrv.dll? Idk yet for sure. I do get the expected errors before running restore_signature.sh from nanodump. After running the shell script on it, it seems to work and I get the hang issue.

Running `mimidump --all <dump file>` shows the DLL in the modules list.

After running mimikatz with commands from the nanodump repo, the error `kuhl_m_sekurlsa_acquireLSA ; Memory opening` comes back, indicating issues with the nanodump dump file.

The nanodump commands used were (from a beacon system shell on the box): `nanodump --write C:\Temp\lsass.dmp && nanodump`.
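As an added example (not code from this thread, from pypykatz or from nanodump), here is a Python triage check for the two things the thread ends up poking at by hand: whether the dump file carries a valid MDMP header and whether lsasrv.dll appears in its module list. The sample dump it builds is constructed inline; the struct layouts are the public MINIDUMP_HEADER, MINIDUMP_DIRECTORY, MINIDUMP_MODULE and MINIDUMP_STRING formats.

```python
import struct
MDMP_SIGNATURE = b"MDMP"     # header magic; a parser keyed on it never gets going if it is wrong
MINIDUMP_VERSION = 0xA793    # low 16 bits of the header Version field
MODULE_LIST_STREAM = 4       # MINIDUMP_STREAM_TYPE ModuleListStream
MODULE_STRUCT_SIZE = 108     # sizeof(MINIDUMP_MODULE); ModuleNameRva sits at offset 20

def read_minidump_string(data, rva):
    """MINIDUMP_STRING: uint32 byte length followed by UTF-16LE characters."""
    (length,) = struct.unpack_from("<I", data, rva)
    return data[rva + 4:rva + 4 + length].decode("utf-16-le")

def inspect_minidump(data):
    """Report header validity and the module names found in the ModuleListStream."""
    result = {"signature_ok": False, "version_ok": False, "modules": []}
    if len(data) < 32:
        return result
    sig, version, nstreams, dir_rva = struct.unpack_from("<4sIII", data, 0)
    result["signature_ok"] = sig == MDMP_SIGNATURE
    result["version_ok"] = (version & 0xFFFF) == MINIDUMP_VERSION
    if not result["signature_ok"]:
        return result  # do not walk the streams of a file that is not a minidump
    for i in range(nstreams):
        stype, _size, rva = struct.unpack_from("<III", data, dir_rva + 12 * i)
        if stype != MODULE_LIST_STREAM:
            continue
        (nmodules,) = struct.unpack_from("<I", data, rva)
        for m in range(nmodules):
            (name_rva,) = struct.unpack_from("<I", data, rva + 4 + m * MODULE_STRUCT_SIZE + 20)
            result["modules"].append(read_minidump_string(data, name_rva))
    return result

def has_module(result, name):  # module names are full paths, so match on the file name suffix
    return any(mod.lower().endswith(name.lower()) for mod in result["modules"])

def build_sample_dump(module_names, valid_header=True):
    """Constructed minimal minidump (header, one directory entry, ModuleListStream); not a real dump."""
    modlist_rva = 32 + 12
    modlist_size = 4 + MODULE_STRUCT_SIZE * len(module_names)
    modules, strings = b"", b""
    for name in module_names:
        name_rva = modlist_rva + modlist_size + len(strings)
        encoded = name.encode("utf-16-le")
        strings += struct.pack("<I", len(encoded)) + encoded + b"\x00\x00"
        modules += struct.pack("<QIIII", 0x7FF800000000, 0x1000, 0, 0, name_rva)
        modules += b"\x00" * (MODULE_STRUCT_SIZE - 24)
    sig = MDMP_SIGNATURE if valid_header else b"\x00\x00\x00\x00"  # simulate a broken signature
    header = struct.pack("<4sIIIIIQ", sig, MINIDUMP_VERSION, 1, 32, 0, 0, 0)
    directory = struct.pack("<III", MODULE_LIST_STREAM, modlist_size, modlist_rva)
    return header + directory + struct.pack("<I", len(module_names)) + modules + strings
```

Run `inspect_minidump(open(path, "rb").read())` on a real file: a dump whose signature has not been restored fails the header check before any stream is read, and a dump whose module list lacks lsasrv.dll has nothing for an LSA parser to locate.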