skelsec / pypykatz

Mimikatz implementation in pure Python
MIT License
2.77k stars, 367 forks

LSA signature not found #154

Closed Wowhere closed 2 months ago

Wowhere commented 2 months ago

Describe the bug
LSA signature not found. I use the volatility3-pypykatz plugin for Volatility, but as I see it, the error comes from pypykatz code. The same error appears if I use pypykatz against the extracted lsass.dmp. The dump is correct, at least I can get hashdump and process handles from the dump using other Volatility plugins.

Volatility Version: develop, today (10.05.2024)
Operating System: Kali Linux
Python Version: 3.11.7

Steps to reproduce the behavior:

  1. Use command 'python3 vol.py -f ~/testy-tms/silver.raw -l t1 windows.volu_pypykatz.pypykatz'
  2. See error:

     Traceback (most recent call last):
       File "/home/andy/2/volatility3/vol.py", line 7, in <module>
         import volatility3.cli
       File "/home/andy/2/volatility3/volatility3/cli/__init__.py", line 29, in <module>
         from volatility3.cli import text_renderer, volargparse
       File "/home/andy/2/volatility3/volatility3/cli/text_renderer.py", line 22, in <module>
         import capstone
       File "/home/andy/.local/lib/python3.11/site-packages/capstone/__init__.py", line 380, in <module>
         import pkg_resources
       File "/home/andy/.local/lib/python3.11/site-packages/pkg_resources/__init__.py", line 3324, in <module>
         @_call_aside
          ^^^^^^^^^^^
       File "/home/andy/.local/lib/python3.11/site-packages/pkg_resources/__init__.py", line 3299, in _call_aside
         f(*args, **kwargs)
       File "/home/andy/.local/lib/python3.11/site-packages/pkg_resources/__init__.py", line 3337, in _initialize_master_working_set
         working_set = WorkingSet._build_master()
                       ^^^^^^^^^^^^^^^^^^^^^^^^^^
       File "/home/andy/.local/lib/python3.11/site-packages/pkg_resources/__init__.py", line 622, in _build_master
         ws = cls()
              ^^^^^
       File "/home/andy/.local/lib/python3.11/site-packages/pkg_resources/__init__.py", line 615, in __init__
         self.add_entry(entry)
       File "/home/andy/.local/lib/python3.11/site-packages/pkg_resources/__init__.py", line 671, in add_entry
         for dist in find_distributions(entry, True):
       File "/home/andy/.local/lib/python3.11/site-packages/pkg_resources/__init__.py", line 2133, in find_on_path
         yield from factory(fullpath)
       File "/home/andy/.local/lib/python3.11/site-packages/pkg_resources/__init__.py", line 2190, in distributions_from_metadata
         if len(os.listdir(path)) == 0:
                ^^^^^^^^^^^^^^^^
     KeyboardInterrupt

pmehax0r commented 2 months ago

Same issue for me as well, here are the error details:

INFO:pypykatz:pypyKatz version: 0.6.8
INFO:pypykatz:CPU arch: X64
INFO:pypykatz:OS: Windows 10
INFO:pypykatz:BuildNumber: 19041
INFO:pypykatz:MajorVersion: 6
INFO:pypykatz:MSV timestamp: 46191720

the error is "LSA Signature not found"

Using a PowerShell tool I managed to extract info about the crypto:

Pattern : 8364243000488D45E0448B4DD8488D15
AES-Offset : 16
IV-Offset : 67
key-struct : Get-BCRYPT_KEY81
DES-Offset : -89
key-handle : Get-BCRYPT_HANDLE_KEY

But for some reason the pattern does not exist in the lsasrv data. The minidump is created by MemProcFS.

skelsec commented 2 months ago

Dear all,
The problem with parsing lsass which was extracted by memory capture tools is referred to as memory smearing, which is a known behavior of all forensics tools. There are no plans to add more heuristics to pypykatz to battle this issue, as this problem is not something worth addressing on a global level.
I can tell you how I solve this problem:

skelsec commented 2 months ago

> The RAM dump was made by "Magnet RAM Forensics", lsass.dmp was extracted from the RAM dump by MemProcFS, the minidump module for the extracted lsass.dmp doesn't show errors: minidump_output.txt

The problem is that "shows no errors" doesn't mean that the actual data in the regions was captured correctly; it merely tells you that all regions were accounted for and the minidump file could be reconstructed. Sometimes even that is not correct, especially with "Magnet dump", which is the usual suspect for causing some issues.
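A sanity check in the spirit of that remark, added here as an example and not code from pypykatz or from anyone in the thread: it walks the ModuleList and Memory64List streams of a minidump and flags modules whose image base either was not captured at all or no longer starts with an MZ header, one cheap indicator that a region was smeared or overwritten while the capture ran. The sample dump, the module addresses and the stream layout helper are constructed for the example; real dumps carry many more streams.

```python
import struct
MDMP_SIG, MODULE_LIST, MEMORY64_LIST = 0x504D444D, 4, 9  # 'MDMP' and two stream types

def parse_minidump(buf):
    """Return ([(base, size)], [(va, size, file_offset)]) from a minidump buffer."""
    sig, _ver, nstreams, dir_rva = struct.unpack_from('<IIII', buf, 0)
    assert sig == MDMP_SIG, 'not a minidump'
    modules, ranges = [], []
    for i in range(nstreams):
        stype, _size, rva = struct.unpack_from('<III', buf, dir_rva + 12 * i)
        if stype == MODULE_LIST:  # MINIDUMP_MODULE is 108 bytes; base and size lead it
            for j in range(struct.unpack_from('<I', buf, rva)[0]):
                modules.append(struct.unpack_from('<QI', buf, rva + 4 + 108 * j))
        elif stype == MEMORY64_LIST:  # range data sits contiguously in the file from BaseRva
            nranges, off = struct.unpack_from('<QQ', buf, rva)
            for j in range(nranges):
                va, size = struct.unpack_from('<QQ', buf, rva + 16 + 16 * j)
                ranges.append((va, size, off))
                off += size
    return modules, ranges

def check_modules(buf):
    """Flag listed modules whose image base is not captured or lacks an MZ header."""
    modules, ranges = parse_minidump(buf)
    findings = []
    for base, _size in modules:
        hit = [off + base - va for va, size, off in ranges if va <= base < va + size - 1]
        if not hit:
            findings.append((base, 'base not in any captured range'))
        elif buf[hit[0]:hit[0] + 2] != b'MZ':
            findings.append((base, 'no MZ header at base: smeared or stale data'))
    return findings

def build_sample_dump(modules, ranges):
    """Constructed minimal minidump (ModuleList + Memory64List only) for testing."""
    mod_stream = struct.pack('<I', len(modules)) + b''.join(
        struct.pack('<QI', b, s).ljust(108, b'\0') for b, s in modules)
    mem_rva = 32 + 24 + len(mod_stream)          # header + 2 directory entries + modules
    mem_len = 16 + 16 * len(ranges)
    mem_stream = struct.pack('<QQ', len(ranges), mem_rva + mem_len) + b''.join(
        struct.pack('<QQ', va, len(d)) for va, d in ranges)
    header = struct.pack('<IIIIIIQ', MDMP_SIG, 0xA793, 2, 32, 0, 0, 0)
    directory = struct.pack('<III', MODULE_LIST, len(mod_stream), 56)
    directory += struct.pack('<III', MEMORY64_LIST, mem_len, mem_rva)
    return header + directory + mod_stream + mem_stream + b''.join(d for _, d in ranges)

# Constructed sample: module A intact, module B captured but overwritten, module C never captured.
SAMPLE = build_sample_dump(
    [(0x7FF000000000, 0x1000), (0x7FF000100000, 0x1000), (0x7FF000200000, 0x1000)],
    [(0x7FF000000000, b'MZ' + b'\0' * 14), (0x7FF000100000, b'\0' * 16)])
```

A clean ModuleList does not prove the lsasrv data bytes themselves are intact, so treat a clean result as necessary rather than sufficient.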

pmehax0r commented 2 months ago

Thank you for the info Skelsec! The memory dump I've collected has been created using Dumpit. Funny enough, it works really well with some Windows builds but fails with others. I will try to play with the structures and see if I can identify something. On the specific machine where it failed, creating multiple dumps did not help (so far), unfortunately, so I will try to work with pypykatz and try to modify it a bit. Thank you for your amazing work with pypykatz!