ret2src
commented
6 months ago Had exactly the same issue on a Windows Server 2012 dump last week. Figured it had to do with the old Windows Server version, but apparently it happens on newer versions as well?
Here's the information from my error message:
INFO:pypykatz:Parsing file lsass.dmp
INFO:pypykatz:===== BASIC INFO. SUBMIT THIS IF THERE IS AN ISSUE =====
INFO:pypykatz:pypyKatz version: 0.6.6
INFO:pypykatz:CPU arch: X64
INFO:pypykatz:OS: Windows Server 2012
INFO:pypykatz:BuildNumber: 9200
INFO:pypykatz:MajorVersion: 6
INFO:pypykatz:MSV timestamp: 0
INFO:pypykatz:===== BASIC INFO END =====
ERROR:pypykatz:Error while parsing file lsass.dmp
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/pypykatz/pypykatz.py", line 261, in get_lsa
lsa_dec = LsaDecryptor.choose(self.reader, lsa_dec_template, self.sysinfo)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/pypykatz/lsadecryptor/lsa_decryptor.py", line 20, in choose
return LsaDecryptor_NT6(reader, decryptor_template, sysinfo)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/pypykatz/lsadecryptor/lsa_decryptor_nt6.py", line 22, in __init__
self.acquire_crypto_material()
File "/usr/lib/python3/dist-packages/pypykatz/lsadecryptor/lsa_decryptor_nt6.py", line 26, in acquire_crypto_material
sigpos = self.find_signature()
^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/pypykatz/lsadecryptor/lsa_decryptor_nt6.py", line 44, in find_signature
fl = self.reader.find_in_module('lsasrv.dll', self.decryptor_template.key_pattern.signature, find_first = True)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/minidump/minidumpreader.py", line 272, in find_in_module
t = self.reader.search_module(module_name, pattern, find_first = find_first, reverse_order = reverse_order, chunksize = self.segment_chunk_size)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/minidump/minidumpreader.py", line 337, in search_module
raise Exception('Could not find module! %s' % module_name)
Exception: Could not find module! lsasrv.dll
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/pypykatz/lsadecryptor/cmdhelper.py", line 260, in run
mimi = pypykatz.parse_minidump_file(args.memoryfile, packages=args.packages)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/pypykatz/pypykatz.py", line 151, in parse_minidump_file
raise e
File "/usr/lib/python3/dist-packages/pypykatz/pypykatz.py", line 147, in parse_minidump_file
mimi.start(packages)
File "/usr/lib/python3/dist-packages/pypykatz/pypykatz.py", line 350, in start
self.lsa_decryptor = self.get_lsa()
^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/pypykatz/pypykatz.py", line 267, in get_lsa
raise Exception('All detection methods failed.')
Exception: All detection methods failed.
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/pypykatz/pypykatz.py", line 261, in get_lsa
lsa_dec = LsaDecryptor.choose(self.reader, lsa_dec_template, self.sysinfo)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/pypykatz/lsadecryptor/lsa_decryptor.py", line 20, in choose
return LsaDecryptor_NT6(reader, decryptor_template, sysinfo)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/pypykatz/lsadecryptor/lsa_decryptor_nt6.py", line 22, in __init__
self.acquire_crypto_material()
File "/usr/lib/python3/dist-packages/pypykatz/lsadecryptor/lsa_decryptor_nt6.py", line 26, in acquire_crypto_material
sigpos = self.find_signature()
^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/pypykatz/lsadecryptor/lsa_decryptor_nt6.py", line 44, in find_signature
fl = self.reader.find_in_module('lsasrv.dll', self.decryptor_template.key_pattern.signature, find_first = True)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/minidump/minidumpreader.py", line 272, in find_in_module
t = self.reader.search_module(module_name, pattern, find_first = find_first, reverse_order = reverse_order, chunksize = self.segment_chunk_size)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/minidump/minidumpreader.py", line 337, in search_module
raise Exception('Could not find module! %s' % module_name)
Exception: Could not find module! lsasrv.dll
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/pypykatz/lsadecryptor/cmdhelper.py", line 260, in run
mimi = pypykatz.parse_minidump_file(args.memoryfile, packages=args.packages)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/pypykatz/pypykatz.py", line 151, in parse_minidump_file
raise e
File "/usr/lib/python3/dist-packages/pypykatz/pypykatz.py", line 147, in parse_minidump_file
mimi.start(packages)
File "/usr/lib/python3/dist-packages/pypykatz/pypykatz.py", line 350, in start
self.lsa_decryptor = self.get_lsa()
^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/pypykatz/pypykatz.py", line 267, in get_lsa
raise Exception('All detection methods failed.')
Exception: All detection methods failed.Unfortunately, I cannot provide the dump file, as it contains sensitive customer data.
sva-tastaturlandwirt
This week I had three seperate instances where I got this error message trying to parse a lsass dump:
Info for the other lsass dumps:
Doesn't seem to be a pypykatz specific error as I wasn't able to parse the dumps with mimikatz either.
Unfortunately I cannot provide the full dumps as they were acquired during assessments.