RePRGM / Nimperiments

Various one-off pentesting projects written in Nim. Updates happen on a whim.

pypykatz parsing fails w/ 'useCustom' #5

Open nbaertsch opened 3 months ago

nbaertsch commented 3 months ago

Using the custom minidump implementation results in a dump file that is not parse-able by pypykatz.

pypykatz lsa info <file.dmp> results in UnicodeDecodeError: 'utf-16-le' codec can't decode bytes in position 86712-86713: illegal encoding.

To simplify testing, I am writing the unencrypted dump to disk:

# mdump holds the raw, unencrypted minidump bytes produced by the custom implementation
var f = open("./twin.duh.mp.txt", fmWrite)
discard f.writeBuffer(mdump[0].addr, mdump.len)  # write the buffer as-is, no encoding
f.close()

I can see the correct magic bytes MDMP at the beginning of the dump file.

Can provide more info if needed. Test machine is running vanilla Defender.

22H2 Build 19045.4291

nbaertsch commented 3 months ago

Would love to help but it will take me some time to get up to speed on the custom implementation and dump format 😅

Great work on this!

RePRGM commented 3 months ago

Thanks for reporting this. Gonna check on this later when I'm on my computer but my first guess is the offsets in the dump file, specifically the offset to the Unicode Module Name, are off. That should be called PointerName in the CreateDump.nim file.

If you'd like to help (which I would greatly appreciate), the custom functionality is based on the NativeDump C# tool. The accompanying blog post is extremely helpful in understanding the minidump format.

Otherwise, the best way for me to troubleshoot it is to submit the dump file (assuming it isn't from a machine you care about). I'll look into it regardless though.