skelsec / pypykatz

Mimikatz implementation in pure Python
MIT License

Win11: Incorrect minidump parse for DPAPI masterkeys #139

Closed byehack closed 6 months ago

byehack commented 8 months ago

Dump File:

lsass.zip — dumped via Task Manager (taskmgr) on Windows 11 build 22000

Repro:

from pypykatz.pypykatz import pypykatz
from pypykatz.dpapi.structures.blob import DPAPI_BLOB

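# Parse the LSASS minidump once, release the underlying file handle, and work
# from the plain-dict view so nothing below touches the open dump.
results = pypykatz.parse_minidump_file("lsass.DMP")
results.reader.reader.file_handle.close()
results = results.to_dict()

# A DPAPI blob (description field reads "Microsoft Edge") whose masterkey GUID
# is expected to be present among the dumped DPAPI credentials.
chrome_mkey = b'\x01\x00\x00\x00\xd0\x8c\x9d\xdf\x01\x15\xd1\x11\x8cz\x00\xc0O\xc2\x97\xeb\x01\x00\x00\x00\xd3\x93\xd5m\x8f\x12\xd8L\x98\\-}\xc8\x12\x03\x8b\x10\x00\x00\x00\x1e\x00\x00\x00M\x00i\x00c\x00r\x00o\x00s\x00o\x00f\x00t\x00 \x00E\x00d\x00g\x00e\x00\x00\x00\x10f\x00\x00\x00\x01\x00\x00 \x00\x00\x00\xef\xe8K>x\x95\xbd\xc9\xde\x15\x97\xd7\x84\xf8\xd1\x8e\x15\xbf\xba\x07\t\xb4\x9a\xc5\x9b/Fk\xc0\xed\xf1&\x00\x00\x00\x00\x0e\x80\x00\x00\x00\x02\x00\x00 \x00\x00\x00\xdf\n\xf8\x15\x8dv\xc2{\x81\xdd\x94\x1b1\xa38\xa4\xb6\xaa\xf3\x83\xfe\xe8\x99\'\xdeF\x14\xb5\xb8\xc2Jm0\x00\x00\x00\xde \xe3\xfa\xa4\xfav\xea@\xafv\xa3\xa6\xc2C;\x0c\x85\xa0\xbdS0\xc1\\\xff\xf8\xe6\x99\'D\x9f\xbc\xc8\x87\xa6\xa6$a fn\x0e9\xf2Wj4\xd9@\x00\x00\x00\xfb4\xdeC\x91&h1O\xe9<":D\x84=\x07BM\xae\xbd`\xf5\xfc\xf6\xf9\'\xbf\xf5\x9ece\xb80\xc8c\xd6\xfd\xcef\x9a\x9bxzg\xdb\xc2\xa5\xaf\xf8\x17\xdc\x9f\xda\xe7n[,\x92]\xf3!j '

blob = DPAPI_BLOB.from_bytes(chrome_mkey)

# Logon session id 328474 is specific to this dump; the masterkey is looked up
# by the GUID the blob references.
creds = results["logon_sessions"][328474]["dpapi_creds"]
mk = next(
    (cred["masterkey"] for cred in creds if cred["key_guid"] == blob.masterkey_guid),
    None,
)
if mk is None:
    # Fail with a readable message instead of a bare StopIteration from next().
    raise LookupError(f"no dpapi_creds entry with key_guid {blob.masterkey_guid!r}")
# NOTE(review): the type of cred["masterkey"] (raw bytes vs. hex string) is not
# confirmed here; blob.decrypt() is assumed to accept it as-is.

# Reference masterkey for the same GUID obtained from mimikatz on the same dump:
#   sekurlsa::minidump lsass.DMP
#   sekurlsa::dpapi
mimikatz_mk_result = bytes.fromhex("8c65b4a6c78098e5cc5fbb3ff678ca16552f0b032e94e33bc65c0316e55744341ade4712d24588d9534d8bb44abd14431d8b9b52c290a170d8e5ab7a66621c91")

try:
    blob.decrypt(mk)
except Exception as exc:
    # Only decryption failures are expected here; a narrowed except keeps
    # KeyboardInterrupt/SystemExit out of the fallback path and the exception
    # is surfaced so the failure mode stays visible in the repro output.
    print(f"pypykatz masterkey decrypt raised: {exc!r}")
    print("invalid pypykatz masterkey. retry with mimikatz masterkey.")
    blob.decrypt(mimikatz_mk_result)
    print("success")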