Closed kapiushion closed 2 months ago
Hi @kapiushion ! Thanks for letting me know. Please tell me the branch of the project you used and the Windows version where you found the problem. If you don't mind sharing the Minidump files, that would be great; please send them to ricardojoserf@protonmail.com . I will try to find the errors using MinidumpParser (https://github.com/ricardojoserf/MinidumpParser). Thanks! :)
Hey, for sure. I tried with all the branches; I also modified the code a little bit to include some stuff, but neither the vanilla ones nor the modified ones worked. The OS versions: I tried on multiple OSes:
Windows Server 2022: 10.0.20348 N/A Build 20348
Windows 11: 10.0.22631 N/A Build 22631
Windows 10: 10.0.19045 N/A Build 19045
It did not work on any of them. I will send you the DMP file by email. Thanks for the quick response. BTW, I also checked MinidumpParser (https://github.com/ricardojoserf/MinidumpParser) and it fails:
[+] Minidump file to analyze: dump.test
[+] Reading Header at 0x0
[+] Signature: 0x504D444D
[+] Version: 42899
[+] ImplementationVersion: 0
[+] NumberOfStreams: 3
[+] StreamDirectoryRva: 0x20
[+] CheckSum: 0x0
[+] TimeDateStamp: 0
[+] Reading Stream Directory content at 0x20
[+] Address: 0x0044 - 0x007B Size: 56 Stream Type: SystemInfoStream (7)
[+] Address: 0x007C - 0x00EB Size: 112 Stream Type: ModuleListStream (4)
[+] Address: 0x012A - 0x29E9 Size: 10432 Stream Type: Memory64ListStream (9)
[+] Reading SystemInfoStream at 0x44
[+] ProcessorArchitecture: 0x9
[+] ProcessorLevel: 0x0
[+] ProcessorRevision: 0x0
[+] NumberOfProcessors: 0x0
[+] ProductType: 0x0
[+] MajorVersion: 0xA
[+] MinorVersion: 0x0
[+] BuildNumber: 0x5867
[+] PlatformId: 0x0
[+] uint_unknown1: 0x0
[+] uint_unknown2: 0x0
[+] ProcessorFeatures: 0x0
[+] ProcessorFeatures2: 0x0
[+] uint_unknown3: 0x0
[+] ushort_unknown4: 0x0
[+] byte_unknown5: 0x0
[+] Reading ModuleListStream at 0x7C
Unhandled Exception:
System.Runtime.InteropServices.MarshalDirectiveException: Structure field of type ModuleInfo[] can't be marshalled as LPArray
at (wrapper other) MinidumpParser.Structs+ModuleListStream.PtrToStructure(intptr,object)
at (wrapper managed-to-native) System.Runtime.InteropServices.Marshal.PtrToStructure(intptr,System.Type)
at MinidumpParser.Program.MarshalBytesTo[T] (System.Byte[] bytes) [0x0000f] in <7a93d0fb7e8444a0b08d00f58625f445>:0
at MinidumpParser.Program.ParseModuleListStream (System.IO.FileStream fs, MinidumpParser.Structs+MinidumpStreamDirectoryEntry streamInfo) [0x00025] in <7a93d0fb7e8444a0b08d00f58625f445>:0
at MinidumpParser.Program.Main (System.String[] args) [0x0034e] in <7a93d0fb7e8444a0b08d00f58625f445>:0
[ERROR] FATAL UNHANDLED EXCEPTION: System.Runtime.InteropServices.MarshalDirectiveException: Structure field of type ModuleInfo[] can't be marshalled as LPArray
at (wrapper other) MinidumpParser.Structs+ModuleListStream.PtrToStructure(intptr,object)
at (wrapper managed-to-native) System.Runtime.InteropServices.Marshal.PtrToStructure(intptr,System.Type)
at MinidumpParser.Program.MarshalBytesTo[T] (System.Byte[] bytes) [0x0000f] in <7a93d0fb7e8444a0b08d00f58625f445>:0
at MinidumpParser.Program.ParseModuleListStream (System.IO.FileStream fs, MinidumpParser.Structs+MinidumpStreamDirectoryEntry streamInfo) [0x00025] in <7a93d0fb7e8444a0b08d00f58625f445>:0
at MinidumpParser.Program.Main (System.String[] args) [0x0034e] in <7a93d0fb7e8444a0b08d00f58625f445>:0
Thank you, I received it. I will take a look as soon as I can. Could you please run TrickDump as well and let me know if that is working for you or not? The link is https://github.com/ricardojoserf/TrickDump . And please share the code you changed/added :)
Hey thanks for reaching back. i tried the TrickDump, but it fails when running Shock.exe
, it fails in get a handle to lsass(Ofcourse it being ran from High integrity and no PPL).i did not had more time to dig into the code of this one today, but i will attach you the fail that it pops when trying to run.
i tried from a beacon session(Execute-Assembly) and from disk. both of them failed. at the beginning i realized it must be related with the IPv4 obfuscation you are doing for GetProcessByName
but i changed that for clear text, and also fails
.\shock.exe
shock.exe :
+ CategoryInfo : NotSpecified: (:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
Unhandled Exception: System.MissingMethodException: Method not found: 'System.String System.String.TrimEnd(Char)'.
   at Shock.Program.decodeIPv4(List`1 ipv4_str_list)
   at Shock.Program.Shock(String file_name)
   at Shock.Program.Main(String[] args)
.\shock.exe
[+] Process handle: 0
[-] It was not possible to get a process handle. If you get 0xC0000022 errors probably PEB is unreadable.
I will dig more into the code tomorrow. And finally, related to the changes I made to NativeDump: those were only changes for evasion purposes. I added some custom unhooking and syscalls using DInvoke. Nothing fancy, and I also did not touch the dump functionality; however, if you want me to share it with you, just let me know.
Hi, I also have the same issue as above, can you show me how to fix it?
Hi @lephong99 , I have been exchanging messages with @kapiushion and created the debug branch some days ago to try to find why now it is not working for you. Please run it on your Windows 10 machine, pipe the output to a text file (for example "NativeDump.exe > log.txt") and send me the Minidump file and the text file please :) You can share the link here or send it to my email ricardojoserf@protonmail.com
Best regards,
Ricardo
Does this only run on Windows 10? I tried it on Windows 11 but it failed.
Hi @lephong99 , it is tested on Windows 10 and 11, I think it should work in more Windows versions. Which version are you testing in?
OS Name: Microsoft Windows 11 Home Single Language OS Version: 10.0.22631 N/A Build 22631 This is my version. I just sent you an email. Please check it for me.
Hi, I tested the Minidump files sent by both @kapiushion and @lephong99 and it is possible to read the NTLM hashes using "sekurlsa::minidump mini.dmp" and "sekurlsa::logonPasswords" with Mimikatz updated for Windows 11. The Minidumps generated by this tool cannot be read by WinDbg, and I am not sure pypykatz is updated to read Windows 11 Minidumps, so I recommend using Mimikatz. I will close the issue for now; if anyone has any other problem with this, send me a message and/or reopen the issue. Cheers!
Ricardo
Thank you bro, I have another question, when I run the nativedump.exe file on windows server 2012 R2 it shows an error as shown below. Is there any way to fix this error?
Hi @lephong99 , you are welcome! :) That NTSTATUS 0x106 means not all privileges could be assigned. Could you try from a cmd as administrator, and if that fails as SYSTEM?
But probably the problem is that instead of the typical Advapi!OpenProcessToken, Advapi!LookupPrivilegeValue and Advapi!AdjustTokenPrivileges, the program uses ntdll!NtOpenProcessToken, ntdll!NtAdjustPrivilegesToken and the hardcoded value of 20 for the Luid (which is constant in all latest Windows versions). For Windows Server 2012, the hardcoded value 20 is maybe incorrect and you must update the code to call Advapi!LookupPrivilegeValue.
Ricardo
I used cmd with admin rights but it still reported the above error. Then I combined it with GodPotato to get SYSTEM rights and it reported the following error. I tried on Windows Server 2012 R2 on an x64-based PC, and the NativeDump build is x64. What is this error?
Hi @lephong99 . I edited my previous reply but I will repeat it here: the problem is probably that instead of the typical Advapi!OpenProcessToken, Advapi!LookupPrivilegeValue and Advapi!AdjustTokenPrivileges, the program uses ntdll!NtOpenProcessToken, ntdll!NtAdjustPrivilegesToken and the hardcoded value of 20 for the Luid (which is constant in all latest Windows versions). For Windows Server 2012, the hardcoded value 20 is maybe incorrect and you must update the code to call Advapi!LookupPrivilegeValue. The NTSTATUS 0xC0000008 from the last screenshot means STATUS_INVALID_HANDLE, so maybe you did not get the SeDebugPrivilege for the process.
Can you help me fix any part of the code to run on windows server 2012?
I cannot guarantee this is the problem because I do not have access to a Windows Server 2012, but I can tell you how I would change the code. Basically you need to add the definition for the function LookupPrivilegeValue:
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Auto)]
private static extern bool LookupPrivilegeValue(string lpSystemName, string lpName, out LUID lpLuid);
Then inside EnableDebugPrivileges function, add the call to LookupPrivilegeValue:
LUID luidWin2012;
// Ask advapi32 for the LUID instead of trusting the hardcoded value 20
if (!LookupPrivilegeValue(null, "SeDebugPrivilege", out luidWin2012)){
    Console.WriteLine("[-] LookupPrivilegeValue failed, error: " + Marshal.GetLastWin32Error());
}
And update the tokenPrivileges values like this:
TOKEN_PRIVILEGES tokenPrivileges = new TOKEN_PRIVILEGES
{
    PrivilegeCount = 1,
    Luid = luidWin2012,
    Attributes = 0x00000002 // SE_PRIVILEGE_ENABLED
};
I hope this helps you to fix it. If not, I could try to check the program with older Windows versions in the future, but I cannot guarantee when I could find the time for it, I hope you can understand. If you find the problem is not this but another one, please share it here, I would appreciate it.
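The privilege-enabling path suggested in the replies above, written here as an added example in Python/ctypes rather than the project's C# (this is not NativeDump's code). It looks SeDebugPrivilege up with LookupPrivilegeValue, opens the process token, calls AdjustTokenPrivileges, and reports whether the looked-up LUID equals the hard-coded 20 (SE_DEBUG_PRIVILEGE in winnt.h) and whether the privilege was actually enabled, which directly tests the hypothesis discussed above. Two points the helpers make explicit: 0x106 (STATUS_NOT_ALL_ASSIGNED) has success severity, so NT_SUCCESS is true and the call "worked" while the token simply does not hold the privilege, which is what an unelevated administrator sees; and 0xC0000008 (STATUS_INVALID_HANDLE) means the handle passed in was never obtained. The Win32 calls run only on Windows; the status and struct helpers run anywhere. The STATUS_NAMES table and the function names are this example's own.

```python
"""Enable SeDebugPrivilege through the documented advapi32 path and interpret the two status codes
from the thread (0x106 and 0xC0000008). The Win32 calls only run on Windows; the helpers run anywhere."""
import ctypes
import struct
import sys

SE_DEBUG_PRIVILEGE = 20          # winnt.h: SE_DEBUG_PRIVILEGE (20L), the LUID.LowPart NativeDump hard-codes
SE_PRIVILEGE_ENABLED = 0x00000002
TOKEN_ADJUST_PRIVILEGES = 0x0020
TOKEN_QUERY = 0x0008
ERROR_NOT_ALL_ASSIGNED = 1300    # Win32 error AdjustTokenPrivileges sets for STATUS_NOT_ALL_ASSIGNED
STATUS_NAMES = {0x00000000: "STATUS_SUCCESS", 0x00000106: "STATUS_NOT_ALL_ASSIGNED",
                0xC0000008: "STATUS_INVALID_HANDLE", 0xC0000022: "STATUS_ACCESS_DENIED"}


def nt_severity(status):
    """Top two bits of an NTSTATUS: 0 success, 1 informational, 2 warning, 3 error."""
    return (status >> 30) & 0x3


def nt_success(status):
    """NT_SUCCESS(): the status is non-negative as a signed 32-bit value."""
    return nt_severity(status) < 2


def describe_status(status):
    name = STATUS_NAMES.get(status, "0x%08X" % status)
    if status == 0x106:
        hint = "call succeeded but the token lacks the privilege: not elevated, or the LUID is wrong"
    elif status == 0xC0000008:
        hint = "the handle passed to the Nt* call is not valid (token or process handle never obtained)"
    else:
        hint = "severity %d" % nt_severity(status)
    return "%s (NT_SUCCESS=%s): %s" % (name, nt_success(status), hint)


def build_token_privileges(luid_low, luid_high=0, attributes=SE_PRIVILEGE_ENABLED):
    """Raw TOKEN_PRIVILEGES with one entry: DWORD PrivilegeCount, LUID {DWORD Low; LONG High}, DWORD Attributes."""
    return struct.pack("<IIiI", 1, luid_low, luid_high, attributes)


def enable_debug_privilege():
    """LookupPrivilegeValue -> OpenProcessToken -> AdjustTokenPrivileges, returning what was learned."""
    if sys.platform != "win32":
        raise OSError("enable_debug_privilege needs the Windows advapi32/kernel32 APIs")
    advapi32 = ctypes.WinDLL("advapi32", use_last_error=True)
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)

    class LUID(ctypes.Structure):
        _fields_ = [("LowPart", ctypes.c_uint32), ("HighPart", ctypes.c_int32)]

    class LUID_AND_ATTRIBUTES(ctypes.Structure):
        _fields_ = [("Luid", LUID), ("Attributes", ctypes.c_uint32)]

    class TOKEN_PRIVILEGES(ctypes.Structure):
        _fields_ = [("PrivilegeCount", ctypes.c_uint32), ("Privileges", LUID_AND_ATTRIBUTES * 1)]

    # Explicit prototypes so handles are not truncated to 32 bits on x64.
    kernel32.GetCurrentProcess.restype = ctypes.c_void_p
    kernel32.CloseHandle.argtypes = [ctypes.c_void_p]
    advapi32.LookupPrivilegeValueW.argtypes = [ctypes.c_wchar_p, ctypes.c_wchar_p, ctypes.POINTER(LUID)]
    advapi32.OpenProcessToken.argtypes = [ctypes.c_void_p, ctypes.c_uint32, ctypes.POINTER(ctypes.c_void_p)]
    advapi32.AdjustTokenPrivileges.argtypes = [ctypes.c_void_p, ctypes.c_int, ctypes.POINTER(TOKEN_PRIVILEGES),
                                               ctypes.c_uint32, ctypes.c_void_p, ctypes.c_void_p]

    luid = LUID()
    if not advapi32.LookupPrivilegeValueW(None, "SeDebugPrivilege", ctypes.byref(luid)):
        raise ctypes.WinError(ctypes.get_last_error())
    token = ctypes.c_void_p()
    if not advapi32.OpenProcessToken(kernel32.GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
                                     ctypes.byref(token)):
        raise ctypes.WinError(ctypes.get_last_error())
    tp = TOKEN_PRIVILEGES(1, (LUID_AND_ATTRIBUTES * 1)(LUID_AND_ATTRIBUTES(luid, SE_PRIVILEGE_ENABLED)))
    ok = advapi32.AdjustTokenPrivileges(token, False, ctypes.byref(tp), 0, None, None)
    err = ctypes.get_last_error()   # read before CloseHandle overwrites it
    kernel32.CloseHandle(token)
    if not ok:
        raise ctypes.WinError(err)
    # AdjustTokenPrivileges returns TRUE even when it adjusted nothing; the Win32 view of 0x106
    # is ERROR_NOT_ALL_ASSIGNED, which means the privilege is not in the token at all.
    return {"luid": (luid.LowPart, luid.HighPart),
            "luid_is_hardcoded_20": (luid.LowPart, luid.HighPart) == (SE_DEBUG_PRIVILEGE, 0),
            "enabled": err != ERROR_NOT_ALL_ASSIGNED}


if __name__ == "__main__":
    for s in (0x106, 0xC0000008):
        print(describe_status(s))
    if sys.platform == "win32":
        print(enable_debug_privilege())
```

Run it from an elevated prompt and from a normal one: the same binary reports enabled=True in the first case and False (ERROR_NOT_ALL_ASSIGNED) in the second, which is the 0x106 symptom seen on the 2012 R2 host, and luid_is_hardcoded_20 shows whether the lookup agrees with the constant.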
hi @ricardojoserf , thank you so much. I think this tool is blocked by AV because when I run it on a similar machine, it can output the file.
The program works fine: it creates the minidump file, either remote or local. However, when trying to parse the DMP file, it always fails. I tried to do it in multiple ways, and it never worked. I tried with mimikatz, WinDbg, pypykatz, and other tools, and none of them is able to parse the minidump file.
Steps to reproduce:
Just create a DMP file and try to parse it; you will find out it does not work.
Example with pypykatz
Example with mimikatz
WinDbg fails even when loading the DMP
With tools such as nanodump, mimikatz itself, and other lsass dumpers, there are no issues when parsing or dumping lsass. Also, another thing I figured out is that the DMP file is almost double the size of a normal DMP file, and it might be related to the problem. If you want to investigate this behavior, I can attach some of the DMP files that I grabbed (they are from labs so no problem :)).