skelsec / pypykatz

Mimikatz implementation in pure Python
MIT License

ValueError: 15 is not a valid PROCESSOR_LEVEL #30

Closed aas-n closed 5 years ago

aas-n commented 5 years ago

Hi mate,

Thank you for your hard work. Pypykatz is really awesome. I experience a little problem here when parsing a minidump on a freshly installed Windows.

Here is how to reproduce:

Here is my ProcDump:

procdump64.exe -accepteula -ma lsass.exe lsass.dmp

ProcDump v9.0 - Sysinternals process dump utility
Copyright (C) 2009-2017 Mark Russinovich and Andrew Richards
Sysinternals - www.sysinternals.com

[08:11:06] Dump 1 initiated: C:\lsass.dmp
[08:11:06] Dump 1 writing: Estimated dump file size is 45 MB.
[08:11:06] Dump 1 complete: 45 MB written in 0.3 seconds
[08:11:07] Dump count reached.

When I try to parse it, it fails with ValueError: 15 is not a valid PROCESSOR_LEVEL.

INFO:root:Parsing file lsass.dmp
DEBUG:root:Found ThreadListStream @684 Size: 388
DEBUG:root:Found ThreadInfoListStream @808 Size: 524
DEBUG:root:== ThreadInfoList ==
ThreadId | DumpFlags | DumpError | ExitStatus | CreateTime         | ExitTime | KernelTime | UserTime | StartAddress   | Affinity
---------------------------------------------------------------------------------------------------------------------------------
0x234    | None      | 0         | 0x103      | 132120735554477257 | 0        | 0          | 156250   | 0x7ff67c284080 | 1       
0x248    | None      | 0         | 0x103      | 132120735557657209 | 0        | 0          | 0        | 0x7ff8312e3820 | 1       
0x24c    | None      | 0         | 0x103      | 132120735557906553 | 0        | 0          | 0        | 0x7ff83566ff80 | 1       
0x914    | None      | 0         | 0x103      | 132120736219064206 | 0        | 0          | 0        | 0x7ff82522a2b0 | 1       
0xbfc    | None      | 0         | 0x103      | 132120737056810042 | 0        | 5468750    | 4843750  | 0x7ff83566ff80 | 1       
0x404    | None      | 0         | 0x103      | 132120751006547693 | 0        | 4375000    | 5312500  | 0x7ff83566ff80 | 1       
0xc14    | None      | 0         | 0x103      | 132120827606871525 | 0        | 0          | 156250   | 0x7ff83566ff80 | 1       
0xd50    | None      | 0         | 0x103      | 132120829169704025 | 0        | 0          | 0        | 0x7ff8311651d0 | 1       

DEBUG:root:Found ModuleListStream @a14 Size: 8968
DEBUG:root:Found UnloadedModuleListStream @2d1c Size: 36
DEBUG:root:Found TokenStream @2d40 Size: 704
DEBUG:root:TokenStream parsing is not implemented (Missing documentation)
DEBUG:root:Found Memory64ListStream @26be3 Size: 8192
DEBUG:root:Found MemoryInfoListStream @1e6e3 Size: 34048
DEBUG:root:Found SystemInfoStream @f8 Size: 56
ERROR:root:Error while parsing file lsass.dmp
ValueError: 15 is not a valid PROCESSOR_LEVEL

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.7/dist-packages/pypykatz/lsadecryptor/cmdhelper.py", line 169, in run
    mimi = pypykatz.parse_minidump_file(args.memoryfile)
  File "/usr/local/lib/python3.7/dist-packages/pypykatz/pypykatz.py", line 52, in parse_minidump_file
    minidump = MinidumpFile.parse(filename)
  File "/usr/local/lib/python3.7/dist-packages/minidump/minidumpfile.py", line 187, in parse
    mf._parse()
  File "/usr/local/lib/python3.7/dist-packages/minidump/minidumpfile.py", line 195, in _parse
    self.__parse_directories()
  File "/usr/local/lib/python3.7/dist-packages/minidump/minidumpfile.py", line 238, in __parse_directories
    self.sysinfo = MinidumpSystemInfo.parse(dir, self.file_handle)
  File "/usr/local/lib/python3.7/dist-packages/minidump/streams/SystemInfoStream.py", line 175, in parse
    si = MINIDUMP_SYSTEM_INFO.parse(chunk)
  File "/usr/local/lib/python3.7/dist-packages/minidump/streams/SystemInfoStream.py", line 92, in parse
    msi.ProcessorLevel = PROCESSOR_LEVEL(int.from_bytes(buff.read(2), byteorder = 'little', signed = False))
  File "/usr/lib/python3.7/enum.py", line 310, in __call__
    return cls.__new__(cls, value)
  File "/usr/lib/python3.7/enum.py", line 564, in __new__
    raise exc
  File "/usr/lib/python3.7/enum.py", line 548, in __new__
    result = cls._missing_(value)
  File "/usr/lib/python3.7/enum.py", line 577, in _missing_
    raise ValueError("%r is not a valid %s" % (value, cls.__name__))
ValueError: 15 is not a valid PROCESSOR_LEVEL

I have to mention that it works perfectly with Mimikatz. Here is the problematic dump: lsass.zip

skelsec commented 5 years ago

Thx for reporting the issue!

This is actually a problem in a different library of mine (minidump). You may thank Microsoft for the "awesome" documentation which contradicts itself. https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/ns-minidumpapiset-minidump_system_info https://docs.microsoft.com/en-us/windows/win32/api/sysinfoapi/ns-sysinfoapi-system_info

I'll modify the parser code to give a simple integer for processorlevel instead of enum.
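To make the failure mode concrete, here is an added example (my own code, not the minidump library's) that parses the first fields of a MINIDUMP_SYSTEM_INFO header two ways: a strict parser that coerces ProcessorLevel into an enum, as the traceback above does, and a tolerant one that keeps the raw integer and only attaches a name when one is known. The enum members, the sample bytes and the helper names are assumptions for illustration; the field layout follows the documented structure, and the 56-byte stream size matches the log above.

```python
import struct
from enum import IntEnum
from typing import Optional

# Leading fields of MINIDUMP_SYSTEM_INFO, little-endian:
# USHORT ProcessorArchitecture, USHORT ProcessorLevel, USHORT ProcessorRevision,
# UCHAR NumberOfProcessors, UCHAR ProductType, ULONG32 MajorVersion, ULONG32 MinorVersion
_HEAD = struct.Struct("<HHHBBII")
SYSTEM_INFO_SIZE = 56  # stream size reported in the log above


class PROCESSOR_LEVEL(IntEnum):
    # a few documented values for the INTEL architecture; real CPUs report
    # their family number here, which is not limited to this list
    INTEL_80386 = 3
    INTEL_80486 = 4
    INTEL_PENTIUM = 5
    INTEL_PENTIUM_PRO_OR_II = 6


def _unpack(buff: bytes) -> tuple:
    if len(buff) < SYSTEM_INFO_SIZE:
        raise ValueError("SystemInfoStream too short: %d bytes" % len(buff))
    return _HEAD.unpack_from(buff)


def parse_strict(buff: bytes) -> dict:
    """Reproduces the reported failure: an unlisted level aborts the whole parse."""
    arch, level, rev, nproc, ptype, major, minor = _unpack(buff)
    return {"arch": arch, "level": PROCESSOR_LEVEL(level), "cpus": nproc,
            "version": (major, minor)}


def parse_tolerant(buff: bytes) -> dict:
    """Keeps the raw integer; a name is an optional annotation, never a gate."""
    arch, level, rev, nproc, ptype, major, minor = _unpack(buff)
    name: Optional[str]
    try:
        name = PROCESSOR_LEVEL(level).name
    except ValueError:
        name = None  # unknown family (e.g. 15 from the report): carry on
    return {"arch": arch, "level": level, "level_name": name, "cpus": nproc,
            "version": (major, minor)}


def make_sysinfo(level: int, arch: int = 9, cpus: int = 4) -> bytes:
    """Constructed sample stream: arch 9 is the documented AMD64 value."""
    head = _HEAD.pack(arch, level, 0, cpus, 1, 10, 0)
    return head + b"\x00" * (SYSTEM_INFO_SIZE - _HEAD.size)
```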

skelsec commented 5 years ago

Fixed. You'll need to check out the latest minidump library from git. Please verify and close if it works on your end as well.

aas-n commented 5 years ago

It seems to be fixed. Thank you for your reactivity. Please continue your hard work.

aas-n commented 5 years ago

Hi mate,

When do you think the minidump library fix will be available on pip3? Because at this time, Pypykatz installed by following the README instructions fails to parse every dump.

skelsec commented 5 years ago

I published a new version for minidump and pypykatz a few minutes ago. Hope this solves the issues.

aas-n commented 5 years ago

It is all good again. Thank you ;-).