gentilkiwi / mimikatz

A little tool to play with Windows security
http://blog.gentilkiwi.com/mimikatz

wine - debian - unimplemented function msasn1.dll.ASN1_CreateModule #206

Closed MrFreshnis closed 5 years ago

MrFreshnis commented 5 years ago

Hi,

I want to run mimikatz on Debian to read a dmp file, but I get this output:

Unhandled exception: unimplemented function msasn1.dll.ASN1_CreateModule called in 64-bit code (0x000000007b44fdc6).
Register dump:
 rip:000000007b44fdc6 rsp:000000000020faf0 rbp:000000000020fc60 eflags:00000206 (   - --  I   - -P- )
 rax:000000000020fb10 rbx:0000000080000100 rcx:000000000020fb10 rdx:000000000020fb30
 rsi:000000000020fca0 rdi:000000000020fb40  r8:0000000000000002  r9:000000000020fc90 r10:0000000000000002
 r11:000000000020fd38 r12:0000000000000000 r13:0000000000000000 r14:0000000000000000 r15:0000000000000000
Stack dump:
0x000000000020faf0:  000000000020fb10 0000000000000000
0x000000000020fb00:  0000000000000000 0000000000000000
0x000000000020fb10:  0000000180000100 0000000000000000
0x000000000020fb20:  000000007b44fdc6 0000000000000002
0x000000000020fb30:  00007fc74cba2000 00007fc74cba346e
0x000000000020fb40:  0000000000000000 0000000000000000
0x000000000020fb50:  0000000000202020 0000000000000000
0x000000000020fb60:  0000000000ffffff ffffffff00ffffff
0x000000000020fb70:  0000000000202020 0000000000000000
0x000000000020fb80:  0000000000000000 0000000000000000
0x000000000020fb90:  0000000000000000 0000000000000000
0x000000000020fba0:  0000000000000000 8e4566ecd7cc9f00
Backtrace:
=>0 0x000000007b44fdc6 GetFirmwareEnvironmentVariableW+0x216() in kernel32 (0x000000000020fc60)
  1 0x00007fc74cba1c59 in msasn1 (+0x11c58) (0x000000000020fc90)
  2 0x00007fc74cba1647 in msasn1 (+0x11646) (0x0000000000010490)
  3 0x0000000140001488 in mimikatz (+0x1487) (0x0000000000010490)
  4 0x000000014005b2e4 in mimikatz (+0x5b2e3) (0x0000000000010490)
  5 0x000000014005b123 in mimikatz (+0x5b122) (0x0000000000010490)
  6 0x000000014008f495 in mimikatz (+0x8f494) (0x000000000022ffd0)
  7 0x000000007b4816e1 PowerClearRequest+0x14e0() in kernel32 (0x000000000022ffd0)
0x000000007b44fdc6 GetFirmwareEnvironmentVariableW+0x216 in kernel32: movq  0x00000000000000b8(%rsp),%rax
Modules:
Module  Address                 Debug info  Name (102 modules)
ELF         7b400000-        7b831000   Dwarf           kernel32<elf>
  \-PE          7b420000-        7b831000   \               kernel32
ELF         7bc00000-        7bd2d000   Deferred        ntdll<elf>
  \-PE          7bc20000-        7bd2d000   \               ntdll
ELF         7c000000-        7c005000   Deferred        <wine-loader>
PE         140000000-       1400f6000   Export          mimikatz
ELF     7fc74bd04000-    7fc74bd51000   Deferred        libgssapi_krb5.so.2
ELF     7fc74bd51000-    7fc74bd58000   Deferred        libkeyutils.so.1
ELF     7fc74bd58000-    7fc74bd67000   Deferred        libkrb5support.so.0
ELF     7fc74bd67000-    7fc74bd6d000   Deferred        libcom_err.so.2
ELF     7fc74bd6d000-    7fc74bda1000   Deferred        libk5crypto.so.3
ELF     7fc74bda1000-    7fc74be81000   Deferred        libkrb5.so.3
ELF     7fc74beaa000-    7fc74bec7000   Deferred        kerberos<elf>
  \-PE      7fc74beb0000-    7fc74bec7000   \               kerberos
ELF     7fc74bec7000-    7fc74bef1000   Deferred        imm32<elf>
  \-PE      7fc74bed0000-    7fc74bef1000   \               imm32
ELF     7fc74c0b2000-    7fc74c0ef000   Deferred        libexpat.so.1
ELF     7fc74c0ef000-    7fc74c135000   Deferred        libfontconfig.so.1
ELF     7fc74c135000-    7fc74c16e000   Deferred        libpng16.so.16
ELF     7fc74c16e000-    7fc74c22a000   Deferred        libfreetype.so.6
ELF     7fc74c22a000-    7fc74c258000   Deferred        libtinfo.so.6
ELF     7fc74c258000-    7fc74c281000   Deferred        libncurses.so.6
ELF     7fc74c2aa000-    7fc74c38c000   Deferred        msvcrt<elf>
  \-PE      7fc74c2d0000-    7fc74c38c000   \               msvcrt
ELF     7fc74c38c000-    7fc74c40f000   Deferred        libgmp.so.10
ELF     7fc74c40f000-    7fc74c448000   Deferred        libhogweed.so.4
ELF     7fc74c448000-    7fc74c480000   Deferred        libnettle.so.6
ELF     7fc74c480000-    7fc74c693000   Deferred        libtasn1.so.6
ELF     7fc74c693000-    7fc74c817000   Deferred        libunistring.so.2
ELF     7fc74c817000-    7fc74c836000   Deferred        libidn2.so.0
ELF     7fc74c836000-    7fc74c965000   Deferred        libp11-kit.so.0
ELF     7fc74c965000-    7fc74cb10000   Deferred        libgnutls.so.30
ELF     7fc74cb10000-    7fc74cb2d000   Deferred        libsasl2.so.2
ELF     7fc74cb2d000-    7fc74cb81000   Deferred        libldap_r-2.4.so.2
ELF     7fc74cb84000-    7fc74cb8d000   Deferred        libuuid.so.1
ELF     7fc74cb8d000-    7fc74cbaa000   Dwarf           msasn1<elf>
  \-PE      7fc74cb90000-    7fc74cbaa000   \               msasn1
ELF     7fc74cbaa000-    7fc74cc16000   Deferred        wldap32<elf>
  \-PE      7fc74cbc0000-    7fc74cc16000   \               wldap32
ELF     7fc74cc16000-    7fc74cc30000   Deferred        winsta<elf>
  \-PE      7fc74cc20000-    7fc74cc30000   \               winsta
ELF     7fc74cc30000-    7fc74cc49000   Deferred        winscard<elf>
  \-PE      7fc74cc40000-    7fc74cc49000   \               winscard
ELF     7fc74cc49000-    7fc74cccc000   Deferred        setupapi<elf>
  \-PE      7fc74cc60000-    7fc74cccc000   \               setupapi
ELF     7fc74cccc000-    7fc74cce9000   Deferred        hid<elf>
  \-PE      7fc74ccd0000-    7fc74cce9000   \               hid
ELF     7fc74cce9000-    7fc74cd04000   Deferred        userenv<elf>
  \-PE      7fc74ccf0000-    7fc74cd04000   \               userenv
ELF     7fc74cd04000-    7fc74cd2f000   Deferred        shcore<elf>
  \-PE      7fc74cd10000-    7fc74cd2f000   \               shcore
ELF     7fc74cd2f000-    7fc74d740000   Deferred        shell32<elf>
  \-PE      7fc74cd50000-    7fc74d740000   \               shell32
ELF     7fc74d740000-    7fc74d782000   Deferred        secur32<elf>
  \-PE      7fc74d750000-    7fc74d782000   \               secur32
ELF     7fc74d782000-    7fc74d799000   Deferred        samlib<elf>
  \-PE      7fc74d790000-    7fc74d799000   \               samlib
ELF     7fc74d799000-    7fc74d827000   Deferred        shlwapi<elf>
  \-PE      7fc74d7b0000-    7fc74d827000   \               shlwapi
ELF     7fc74d827000-    7fc74d9b6000   Deferred        oleaut32<elf>
  \-PE      7fc74d850000-    7fc74d9b6000   \               oleaut32
ELF     7fc74d9b6000-    7fc74db79000   Deferred        ole32<elf>
  \-PE      7fc74d9e0000-    7fc74db79000   \               ole32
ELF     7fc74db79000-    7fc74dbbb000   Deferred        ws2_32<elf>
  \-PE      7fc74db80000-    7fc74dbbb000   \               ws2_32
ELF     7fc74dbbb000-    7fc74dbed000   Deferred        iphlpapi<elf>
  \-PE      7fc74dbc0000-    7fc74dbed000   \               iphlpapi
ELF     7fc74dbed000-    7fc74dc90000   Deferred        rpcrt4<elf>
  \-PE      7fc74dc00000-    7fc74dc90000   \               rpcrt4
ELF     7fc74dc90000-    7fc74dcc7000   Deferred        netapi32<elf>
  \-PE      7fc74dca0000-    7fc74dcc7000   \               netapi32
ELF     7fc74dcc7000-    7fc74dce1000   Deferred        libresolv.so.2
ELF     7fc74dce3000-    7fc74dcf4000   Deferred        liblber-2.4.so.2
ELF     7fc74dcf4000-    7fc74dd0a000   Deferred        fltlib<elf>
  \-PE      7fc74dd00000-    7fc74dd0a000   \               fltlib
ELF     7fc74dd0a000-    7fc74dd2d000   Deferred        dnsapi<elf>
  \-PE      7fc74dd10000-    7fc74dd2d000   \               dnsapi
ELF     7fc74dd2d000-    7fc74dd51000   Deferred        bcrypt<elf>
  \-PE      7fc74dd30000-    7fc74dd51000   \               bcrypt
ELF     7fc74dd51000-    7fc74ded6000   Deferred        gdi32<elf>
  \-PE      7fc74dd70000-    7fc74ded6000   \               gdi32
ELF     7fc74ded6000-    7fc74e14c000   Deferred        user32<elf>
  \-PE      7fc74df00000-    7fc74e14c000   \               user32
ELF     7fc74e14c000-    7fc74e23e000   Deferred        crypt32<elf>
  \-PE      7fc74e160000-    7fc74e23e000   \               crypt32
ELF     7fc74e23e000-    7fc74e45c000   Deferred        libz.so.1
ELF     7fc74e460000-    7fc74e46a000   Deferred        libffi.so.6
ELF     7fc74e46a000-    7fc74e485000   Deferred        version<elf>
  \-PE      7fc74e470000-    7fc74e485000   \               version
ELF     7fc74e485000-    7fc74e4a8000   Deferred        cabinet<elf>
  \-PE      7fc74e490000-    7fc74e4a8000   \               cabinet
ELF     7fc74e5a8000-    7fc74e645000   Deferred        advapi32<elf>
  \-PE      7fc74e5c0000-    7fc74e645000   \               advapi32
ELF     7fc74ea10000-    7fc74ea25000   Deferred        libnss_files.so.2
ELF     7fc74ec25000-    7fc74ec3f000   Deferred        libgcc_s.so.1
ELF     7fc74ec3f000-    7fc74edc2000   Deferred        libm.so.6
ELF     7fc74edc4000-    7fc74edc9000   Deferred        libdl.so.2
ELF     7fc74edc9000-    7fc74ef8a000   Deferred        libc.so.6
ELF     7fc74ef8a000-    7fc74efab000   Deferred        libpthread.so.0
ELF     7fc74efad000-    7fc74efc3000   Deferred        cryptdll<elf>
  \-PE      7fc74efb0000-    7fc74efc3000   \               cryptdll
ELF     7fc74f17e000-    7fc74f1a8000   Deferred        ld-linux-x86-64.so.2
Threads:
process  tid      prio (all id:s are in hex)
00000008 (D) Z:\root\Downloads\x64\mimikatz.exe
    00000009    0 <==
0000000e services.exe
    00000021    0
    0000001c    0
    00000018    0
    00000013    0
    00000010    0
    0000000f    0
00000011 winedevice.exe
    00000019    0
    00000017    0
    00000016    0
    00000012    0
0000001a plugplay.exe
    0000001e    0
    0000001d    0
    0000001b    0
0000001f winedevice.exe
    00000026    0
    00000023    0
    00000022    0
    00000020    0
00000024 explorer.exe
    00000029    0
    00000028    0
    00000027    0
    00000025    0
System information:
    Wine build: wine-4.0 (Debian 4.0-1)
    Platform: x86_64
    Version: Windows 7
    Host system: Linux
    Host version: 4.19.0-kali4-amd64

Does anyone have an idea? Thank you in advance.

gentilkiwi commented 5 years ago

Yep, maybe use Windows to use mimikatz, even in a VM?

Or propose a patch to Wine project to support Windows functions...

Or better, build your own mimikatz version without ASN1 dependencies... you only read a dump file.

Don't use Wine with Debian if you don't know how it works.

skelsec commented 5 years ago

@MrFreshnis if you are open to trying something new, I could recommend pypykatz, which is mimikatz in Python. It can parse your minidump file on Linux.

MrFreshnis commented 5 years ago

> Yep, maybe use Windows to use mimikatz, even in a VM?
>
> Or propose a patch to Wine project to support Windows functions...
>
> Or better, build your own mimikatz version without ASN1 dependencies... you only read a dump file.
>
> Don't use Wine with Debian if you don't know how it works.

@gentilkiwi I already did it with a VM, but I want to know what the solution for that issue might be. Nevertheless, thanks.

MrFreshnis commented 5 years ago

> @MrFreshnis if you are open to trying something new, I could recommend pypykatz, which is mimikatz in Python. It can parse your minidump file on Linux.

@skelsec Nice. Thank you very much. I will try it out.

gentilkiwi commented 5 years ago

> I want to know what the solution for that issue might be. Nevertheless, thanks.

All is in my message in fact :)

But it will be more playskool with @skelsec script :)

MrFreshnis commented 5 years ago

> But it will be more playskool with @skelsec script :)

I'm going to play with both of them. ;-)

alex9099 commented 4 years ago

I know this is closed, but it seems to work on a 32-bit prefix with `winetricks msasn1`.
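The workaround alex9099 describes, written out as a script. This is an added example, not code from the issue or from the mimikatz project: it creates a 32-bit Wine prefix, installs the native msasn1.dll with winetricks, and then runs mimikatz against the minidump with only the two sekurlsa commands an offline dump read needs. It adds one check the thread does not mention: Wine's built-in stand-in DLLs contain the string "Wine placeholder DLL", so the script refuses to run if the prefix's msasn1.dll is still that placeholder (the crash above is exactly what that stub produces). The prefix, executable and dump paths are placeholders, and wine and winetricks are assumed to be installed.

```shell
#!/usr/bin/env bash
# Added example (not from the issue or the mimikatz project): read an LSASS
# minidump with mimikatz under Wine on Linux, using a 32-bit prefix plus the
# native msasn1.dll installed by "winetricks msasn1", as reported to work.
# Assumptions: wine and winetricks are installed; the prefix, mimikatz.exe
# and dump paths are placeholders chosen for this example.
set -eu

# Return 0 if the DLL at $1 exists and is a real binary, 1 if it is missing
# or is one of Wine's built-in stand-ins (they contain the string below).
dll_is_native() {
    [ -f "$1" ] || return 1
    if grep -q "Wine placeholder DLL" "$1"; then
        return 1
    fi
    return 0
}

# Print the mimikatz command line for an offline dump read, one argument
# per line: load the dump, list logon passwords, then exit. No live LSASS
# access is involved, so this is safe on an analysis box.
mimikatz_minidump_args() {
    printf '%s\n' "sekurlsa::minidump $1" "sekurlsa::logonPasswords" "exit"
}

# Create (or update) a 32-bit prefix and drop the native ASN.1 DLL into it.
setup_prefix() {
    WINEARCH=win32 WINEPREFIX="$1" wineboot -u
    WINEPREFIX="$1" winetricks -q msasn1
}

# Run mimikatz on the dump, forcing the native msasn1 over Wine's stub.
run_mimikatz() {
    prefix="$1"; exe="$2"; dump="$3"
    dll="$prefix/drive_c/windows/system32/msasn1.dll"
    if ! dll_is_native "$dll"; then
        echo "msasn1.dll in $prefix is still Wine's placeholder (or absent); run winetricks msasn1 first" >&2
        return 1
    fi
    WINEPREFIX="$prefix" WINEDLLOVERRIDES="msasn1=n" \
        wine "$exe" "sekurlsa::minidump $dump" "sekurlsa::logonPasswords" exit
}

main() {
    prefix="${1:-$HOME/.wine-mimikatz32}"   # placeholder prefix path
    exe="${2:-./x86/mimikatz.exe}"           # 32-bit build for a win32 prefix
    dump="${3:-lsass.dmp}"                   # the minidump to parse
    setup_prefix "$prefix"
    run_mimikatz "$prefix" "$exe" "$dump"
}

# Run the full procedure only when explicitly requested, e.g.
#   RUN_MIMIKATZ_SETUP=1 ./wine-mimikatz.sh ~/.wine-mimikatz32 ./x86/mimikatz.exe lsass.dmp
if [ "${RUN_MIMIKATZ_SETUP:-0}" = 1 ]; then
    main "$@"
fi
```

If winetricks cannot fetch the DLL, the placeholder check fails before wine is started, which is easier to read than the register dump above. The pypykatz route skelsec mentions needs none of this: `pypykatz lsa minidump lsass.dmp` parses the same file natively on Linux.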