skelsec / pypykatz

Mimikatz implementation in pure Python
MIT License

ERROR: "Signature not found" on lsass dump of Windows Server 2022 #94

Closed wetterSpitze closed 2 years ago

wetterSpitze commented 2 years ago

Hello,

I recently dumped the LSASS of a Windows Server 2022 Datacenter Edition with:

PS C:\Windows\system32> Get-Process lsass | select -expand id
704
PS C:\Windows\system32> rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 704 C:\lsass.dmp full

After trying to extract the credentials via pypykatz lsa minidump lsass.dmp, I got some base64-encoded "Signature was not found" error:

$ pypykatz lsa minidump lsass.dmp

== Errors ==
msv_exception_please_report U2lnbmF0dXJlIHdhcyBub3Q...==

$ echo "U2lnbmF0dXJlIHdhcyBub3Q...==" | base64 -d     

Signature was not found in module lsasrv.dll Signature: 33ff4189374c8bf34585c074

File "/home/<username>/.local/lib/python3.9/site-packages/pypykatz/pypykatz.py", line 354, in start
self.get_logoncreds()

File "/home/<username>/.local/lib/python3.9/site-packages/pypykatz/pypykatz.py", line 241, in get_logoncreds
logoncred_decryptor.start()

File "/home/<username>/.local/lib/python3.9/site-packages/pypykatz/lsadecryptor/packages/msv/decryptor.py", line 409, in start
entry_ptr_value, entry_ptr_loc = self.find_first_entry()

File "/home/<username>/.local/lib/python3.9/site-packages/pypykatz/lsadecryptor/packages/msv/decryptor.py", line 288, in find_first_entry
position = self.find_signature('lsasrv.dll',self.decryptor_template.signature)

File "/home/<username>/.local/lib/python3.9/site-packages/pypykatz/lsadecryptor/package_commons.py", line 71, in find_signature
raise Exception('Signature was not found in module %s Signature: %s' % (module_name, self.decryptor_template.signature.hex()))

Is it possible that support for Windows Server 2022 is currently not implemented, or have I made some mistake while dumping?

The same dump and extract method on Windows Server 2019 is working properly, btw.
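For defenders reading this report: the `rundll32.exe ... comsvcs.dll, MiniDump <pid> <file> full` command line quoted above is distinctive enough to match in process-creation telemetry. The sketch below is an added example, not part of the issue thread or of pypykatz; the event fields (`host`, `cmd`, `lsass_pid`) and the idea that an inventory source supplies each host's LSASS PID are assumptions.

```python
import re

# Pattern for the invocation shown in the issue: rundll32 loading comsvcs.dll,
# the MiniDump export, then "<pid> <output path> full". Case, quoting and the
# spacing around the comma differ between hosts, so all three are tolerated.
MINIDUMP_RE = re.compile(
    r'rundll32(?:\.exe)?"?\s+'
    r'"?(?:[^\s"]*\\)?comsvcs(?:\.dll)?"?\s*,\s*'
    r'MiniDump\s+(?P<pid>\d+)\s+(?P<out>"[^"]+"|\S+)\s+full',
    re.IGNORECASE,
)

# Constructed process-creation records (not real telemetry). "lsass_pid" is a
# hypothetical enrichment field holding the host's current LSASS PID.
SAMPLE_EVENTS = [
    {"host": "srv2022", "lsass_pid": 704,
     "cmd": r"rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 704 C:\lsass.dmp full"},
    {"host": "srv2019", "lsass_pid": 652,
     "cmd": r'"C:\Windows\System32\RUNDLL32.EXE" comsvcs.dll,minidump 652 "C:\Temp\out file.bin" FULL'},
    {"host": "ws01", "lsass_pid": 812,
     "cmd": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 4120 C:\dumps\app.dmp full"},
    {"host": "ws02", "lsass_pid": 700,
     "cmd": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
]


def find_comsvcs_dumps(events):
    """Return one finding per event whose command line requests a full dump."""
    findings = []
    for ev in events:
        m = MINIDUMP_RE.search(ev["cmd"])
        if not m:
            continue
        pid = int(m.group("pid"))
        findings.append({
            "host": ev["host"],
            "target_pid": pid,
            "output": m.group("out").strip('"'),
            # A dump of the LSASS PID exposes credential material: rank it higher.
            "severity": "high" if pid == ev.get("lsass_pid") else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in find_comsvcs_dumps(SAMPLE_EVENTS):
        print(finding)
```

The output path is reported as well, so the dump file itself can be located and removed during response.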

skelsec commented 2 years ago

I tested it today and it works for me on the latest eval ISO for win2022 (by just dumping lsass from Task Manager). So I will leave this issue open; if others have this problem they can write here, otherwise it will be closed as not reproducible in some weeks.

skelsec commented 2 years ago

Finally I could reproduce this issue with a different win2022 server. The updates have been added to the porchetta version; soon they will come to the public version as well.

wetterSpitze commented 2 years ago

Hi skelsec. Thx a lot for your efforts regarding this issue! I'm really looking forward to using pypykatz's new release on win 2022 machines 🥳