Closed rtpt-romankarwacik closed 2 weeks ago
Hello, thank you for the PR! Before I can merge it, I'd like to ask a few questions mainly on the testing/signature side:
have you tested this on all/multiple versions of windows? did it pass on all of them?
I tested it against Win 10 19H1 18362 w/o Credential Guard, and Win 11 23H2 22631 with Credential Guard enabled. For those two it worked.
would it be possible for you to give sample dumps so I can integrate those in the tests?
I uploaded credential_guard_win11_23H2_22631.dmp to the Nextcloud containing the dump with credential guard enabled on Win 11 23H2 22631.
Small correction, I noticed a dump created by NativeDump does not contain msv1_0.dll, so it does not parse properly. Additionally, in the minidump library the CSDVersionRva is not properly set and also crashes in https://github.com/skelsec/minidump/blob/main/minidump/streams/SystemInfoStream.py#L283, commenting the line out was the workaround I took. Not sure if this is something that should be handled by the library, or if NativeDump should include this info.
EDIT: See nativedump_credential_guard_win11_23H2_22631.dmp in the NextCloud folder.
Sorry for the delay! I've tested it and it works! Thank you for your contribution!
This adds the changes from https://github.com/ly4k/Pypykatz for detecting LSA Isolated Data.