Open nbaertsch opened 3 months ago

Using the custom minidump implementation results in a dump file that is not parse-able by pypykatz.

pypykatz lsa info <file.dmp>

results in

UnicodeDecodeError: 'utf-16-le' codec can't decode bytes in position 86712-86713: illegal encoding

To simplify testing, I am writing the unencrypted dump to disk:

I can see the correct magic bytes

MDMP

at the beginning of the dump file. Can provide more info if needed. Test machine is running vanilla Defender.
22H2 Build 19045.4291

Thanks for reporting this. Gonna check on this later when I'm on my computer, but my first guess is the offsets in the dump file, specifically the offset to the Unicode Module Name, are off. That should be called PointerName in the CreateDump.nim file.

If you'd like to help (which I would greatly appreciate), the custom functionality is based on the NativeDump C# tool. The accompanying blog post is extremely helpful in understanding the minidump format.

Otherwise, the best way for me to troubleshoot it is to submit the dump file (assuming it isn't from a machine you care about). I'll look into it regardless though.

Would love to help but it will take me some time to get up to speed on the custom implementation and dump format 😅

Great work on this!