skelsec / pypykatz

Mimikatz implementation in pure Python
MIT License

minidump lsa seems to just lock up pypykatz #101

Closed ghost closed 2 years ago

ghost commented 2 years ago

When I run pypykatz lsa minidump <minidump file> (from nanodump, sig restored), pypykatz seems to not return output; from what I can tell it just locks up the console with no output. It's been 3 days I've let the app run on this minidump file and it returns no output and doesn't appear to crash. Any thoughts?

Thus far I have tried upgrading from old pypykatz to the new version: GitHub install, pip3 install, and all install methods on a fresh Ubuntu machine.

physics-sec commented 2 years ago

I have seen similar behavior lately; you could try to use an older version of pypykatz and see if there is any difference, and also try to dump lsass with Process Hacker or some tool that lets Windows create the dump, to make sure this is not an issue with nanodump.

skelsec commented 2 years ago

Thank you for the issue. I added some modifications and new templates to pypykatz in the latest update, however the worst they can do is crash, I've not experienced an infinite-loop behavior before. I've re-tested the code on my test-dump collection and everything is in order so I see the following possibilities:

I'll keep this issue open and encourage anyone to please please please send an offending dumpfile so I can fix this.

ghost commented 2 years ago

pypykatz -vvv lsa minidump shows me that it's getting hung in lsa_decryptor_nt6.py, method find_signature(self), around line 42. I think I never hit the if statement at line 44. I also never hit the line 28 print statement. Maybe the issue is finding lsasrv.dll? I don't know yet for sure. I do get the expected errors before running restore_signature.sh from nanodump. After running the shell script on it, it seems to work and I get the hang issue.

Running mimidump --all <dump file> shows the dll in the modules list.

After running mimikatz with the commands from the nanodump repo, the error kuhl_m_sekurlsa_acquireLSA ; Memory opening comes back, indicating issues with the nanodump dump file.

The nanodump commands used were (in a beacon system shell on the box): nanodump --write C:\Temp\lsass.dmp && nanodump.