search

skelsec / pypykatz

Mimikatz implementation in pure Python
MIT License
2.81k stars 371 forks source link

TypeError: find_in_module() got an unexpected keyword argument 'find_first' #98

Closed mark-lowe closed 2 years ago

mark-lowe commented 2 years ago

Firstly, thanks for writing such a great tool.

I ran into the following error when using pypykatz via the memprocfs plugin on Windows 10, Python 3.9 64-bit. I've suggested a fix below.

===== BASIC INFO. SUBMIT THIS IF THERE IS AN ISSUE =====
CPU arch: X64
OS: None
BuildNumber: 19041
MajorVersion: 6
MSV timestamp: 399066004

Traceback (most recent call last):
  File "C:\Users\x\AppData\Local\Programs\Python\Python39\Lib\site-packages\pypykatz\pypykatz.py", line 261, in get_lsa
    lsa_dec = LsaDecryptor.choose(self.reader, lsa_dec_template, self.sysinfo)
  File "C:\Users\x\AppData\Local\Programs\Python\Python39\Lib\site-packages\pypykatz\lsadecryptor\lsa_decryptor.py", line 20, in choose
    return LsaDecryptor_NT6(reader, decryptor_template, sysinfo)
  File "C:\Users\x\AppData\Local\Programs\Python\Python39\Lib\site-packages\pypykatz\lsadecryptor\lsa_decryptor_nt6.py", line 22, in __init__
    self.acquire_crypto_material()
  File "C:\Users\x\AppData\Local\Programs\Python\Python39\Lib\site-packages\pypykatz\lsadecryptor\lsa_decryptor_nt6.py", line 26, in acquire_crypto_material
    sigpos = self.find_signature()
  File "C:\Users\x\AppData\Local\Programs\Python\Python39\Lib\site-packages\pypykatz\lsadecryptor\lsa_decryptor_nt6.py", line 44, in find_signature
    fl = self.reader.find_in_module('lsasrv.dll', self.decryptor_template.key_pattern.signature, find_first = True)
TypeError: find_in_module() got an unexpected keyword argument 'find_first'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "C:\Users\x\Desktop\memprocfs\plugins\pym_pypykatz\pym_pypykatz.py", line 107, in process_lsass
    mimi.start()
  File "C:\Users\x\AppData\Local\Programs\Python\Python39\Lib\site-packages\pypykatz\pypykatz.py", line 350, in start
    self.lsa_decryptor = self.get_lsa()
  File "C:\Users\x\AppData\Local\Programs\Python\Python39\Lib\site-packages\pypykatz\pypykatz.py", line 267, in get_lsa
    raise Exception('All detection methods failed.')
Exception: All detection methods failed.

I also found a similar bug report while googling: https://issueexplorer.com/issue/ufrisk/MemProcFS-plugins/1

I noted that find_in_module() method doesn't actually use the find_first argument, so I just removed it from all callers.

Callers were found like this (on a different linux system, so I could use grep):

/usr/local/lib/python3.8/dist-packages/pypykatz# grep "find_first *=" . -ir | grep -v "def find_in_module"
./lsadecryptor/lsa_decryptor_nt6.py:            fl = self.reader.find_in_module('lsasrv.dll', self.decryptor_template.key_pattern.signature, find_first = True)
./lsadecryptor/package_commons.py:              fl = self.reader.find_in_module(module_name, self.decryptor_template.signature, find_first = True)
./commons/readers/local/live_reader.py:         t = self.reader.search_module(module_name, pattern, find_first = find_first, reverse_order = reverse_order)
./alsadecryptor/lsa_decryptor_nt6.py:           fl = await self.reader.find_in_module('lsasrv.dll', self.decryptor_template.key_pattern.signature, find_first = True)
./alsadecryptor/package_commons.py:             fl = await self.reader.find_in_module(module_name, self.decryptor_template.signature, find_first = True)

In each case, I removed ", find_first = True" from the above code, then it worked.

I noticed that the same problem was not present in the lsa_decryptor_nt5 code, so this may not affect all users.

skelsec commented 2 years ago

I couldn't reproduce this error, it might have been an issue caused by you having an outdated minidump module. I close this issue now, but feel free to reopen if you still encounter this error.