I am unable to use pypykatz to parse an LSASS dump file that was dumped locally using PPLBlade or that was sent to my Kali machine via netcat. It does not matter whether or not the file was obfuscated beforehand. If I dump LSASS manually using Task Manager, pypykatz parses the file without issues.
pypykatz lsa minidump lsass.dmp
INFO:pypykatz:Parsing file lsass.dmp
INFO:pypykatz:===== BASIC INFO. SUBMIT THIS IF THERE IS AN ISSUE =====
INFO:pypykatz:pypyKatz version: 0.6.6
INFO:pypykatz:CPU arch: X64
INFO:pypykatz:OS: Windows Server 2016 Technical Preview
INFO:pypykatz:BuildNumber: 17763
INFO:pypykatz:MajorVersion: 6
INFO:pypykatz:MSV timestamp: 0
INFO:pypykatz:===== BASIC INFO END =====
ERROR:pypykatz:Error while parsing file lsass.dmp
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/pypykatz/pypykatz.py", line 261, in get_lsa
lsa_dec = LsaDecryptor.choose(self.reader, lsa_dec_template, self.sysinfo)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/pypykatz/lsadecryptor/lsa_decryptor.py", line 20, in choose
return LsaDecryptor_NT6(reader, decryptor_template, sysinfo)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/pypykatz/lsadecryptor/lsa_decryptor_nt6.py", line 22, in __init__
self.acquire_crypto_material()
File "/usr/lib/python3/dist-packages/pypykatz/lsadecryptor/lsa_decryptor_nt6.py", line 26, in acquire_crypto_material
sigpos = self.find_signature()
^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/pypykatz/lsadecryptor/lsa_decryptor_nt6.py", line 44, in find_signature
fl = self.reader.find_in_module('lsasrv.dll', self.decryptor_template.key_pattern.signature, find_first = True)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/minidump/minidumpreader.py", line 272, in find_in_module
t = self.reader.search_module(module_name, pattern, find_first = find_first, reverse_order = reverse_order, chunksize = self.segment_chunk_size)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/minidump/minidumpreader.py", line 337, in search_module
raise Exception('Could not find module! %s' % module_name)
Exception: Could not find module! lsasrv.dll
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/pypykatz/lsadecryptor/cmdhelper.py", line 260, in run
mimi = pypykatz.parse_minidump_file(args.memoryfile, packages=args.packages)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/pypykatz/pypykatz.py", line 151, in parse_minidump_file
raise e
File "/usr/lib/python3/dist-packages/pypykatz/pypykatz.py", line 147, in parse_minidump_file
mimi.start(packages)
File "/usr/lib/python3/dist-packages/pypykatz/pypykatz.py", line 350, in start
self.lsa_decryptor = self.get_lsa()
^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/pypykatz/pypykatz.py", line 267, in get_lsa
raise Exception('All detection methods failed.')
Exception: All detection methods failed.
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/pypykatz/pypykatz.py", line 261, in get_lsa
lsa_dec = LsaDecryptor.choose(self.reader, lsa_dec_template, self.sysinfo)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/pypykatz/lsadecryptor/lsa_decryptor.py", line 20, in choose
return LsaDecryptor_NT6(reader, decryptor_template, sysinfo)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/pypykatz/lsadecryptor/lsa_decryptor_nt6.py", line 22, in __init__
self.acquire_crypto_material()
File "/usr/lib/python3/dist-packages/pypykatz/lsadecryptor/lsa_decryptor_nt6.py", line 26, in acquire_crypto_material
sigpos = self.find_signature()
^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/pypykatz/lsadecryptor/lsa_decryptor_nt6.py", line 44, in find_signature
fl = self.reader.find_in_module('lsasrv.dll', self.decryptor_template.key_pattern.signature, find_first = True)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/minidump/minidumpreader.py", line 272, in find_in_module
t = self.reader.search_module(module_name, pattern, find_first = find_first, reverse_order = reverse_order, chunksize = self.segment_chunk_size)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/minidump/minidumpreader.py", line 337, in search_module
raise Exception('Could not find module! %s' % module_name)
Exception: Could not find module! lsasrv.dll
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/pypykatz/lsadecryptor/cmdhelper.py", line 260, in run
mimi = pypykatz.parse_minidump_file(args.memoryfile, packages=args.packages)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/pypykatz/pypykatz.py", line 151, in parse_minidump_file
raise e
File "/usr/lib/python3/dist-packages/pypykatz/pypykatz.py", line 147, in parse_minidump_file
mimi.start(packages)
File "/usr/lib/python3/dist-packages/pypykatz/pypykatz.py", line 350, in start
self.lsa_decryptor = self.get_lsa()
^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/pypykatz/pypykatz.py", line 267, in get_lsa
raise Exception('All detection methods failed.')
Exception: All detection methods failed.
Hi,
Thank you for this tool.
I am unable to use pypykatz to parse an LSASS dump file that was dumped locally using PPLBlade or that was sent to my Kali machine via netcat. It does not matter whether or not the file was obfuscated beforehand. If I dump LSASS manually using Task Manager, pypykatz parses the file without issues.
pypykatz lsa minidump lsass.dmp INFO:pypykatz:Parsing file lsass.dmp INFO:pypykatz:===== BASIC INFO. SUBMIT THIS IF THERE IS AN ISSUE ===== INFO:pypykatz:pypyKatz version: 0.6.6 INFO:pypykatz:CPU arch: X64 INFO:pypykatz:OS: Windows Server 2016 Technical Preview INFO:pypykatz:BuildNumber: 17763 INFO:pypykatz:MajorVersion: 6 INFO:pypykatz:MSV timestamp: 0 INFO:pypykatz:===== BASIC INFO END ===== ERROR:pypykatz:Error while parsing file lsass.dmp Traceback (most recent call last): File "/usr/lib/python3/dist-packages/pypykatz/pypykatz.py", line 261, in get_lsa lsa_dec = LsaDecryptor.choose(self.reader, lsa_dec_template, self.sysinfo) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/lib/python3/dist-packages/pypykatz/lsadecryptor/lsa_decryptor.py", line 20, in choose return LsaDecryptor_NT6(reader, decryptor_template, sysinfo) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/lib/python3/dist-packages/pypykatz/lsadecryptor/lsa_decryptor_nt6.py", line 22, in init self.acquire_crypto_material() File "/usr/lib/python3/dist-packages/pypykatz/lsadecryptor/lsa_decryptor_nt6.py", line 26, in acquire_crypto_material sigpos = self.find_signature() ^^^^^^^^^^^^^^^^^^^^^ File "/usr/lib/python3/dist-packages/pypykatz/lsadecryptor/lsa_decryptor_nt6.py", line 44, in find_signature fl = self.reader.find_in_module('lsasrv.dll', self.decryptor_template.key_pattern.signature, find_first = True) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/lib/python3/dist-packages/minidump/minidumpreader.py", line 272, in find_in_module t = self.reader.search_module(module_name, pattern, find_first = find_first, reverse_order = reverse_order, chunksize = self.segment_chunk_size) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/lib/python3/dist-packages/minidump/minidumpreader.py", line 337, 
in search_module raise Exception('Could not find module! %s' % module_name) Exception: Could not find module! lsasrv.dll
During handling of the above exception, another exception occurred:
Traceback (most recent call last): File "/usr/lib/python3/dist-packages/pypykatz/lsadecryptor/cmdhelper.py", line 260, in run mimi = pypykatz.parse_minidump_file(args.memoryfile, packages=args.packages) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/lib/python3/dist-packages/pypykatz/pypykatz.py", line 151, in parse_minidump_file raise e File "/usr/lib/python3/dist-packages/pypykatz/pypykatz.py", line 147, in parse_minidump_file mimi.start(packages) File "/usr/lib/python3/dist-packages/pypykatz/pypykatz.py", line 350, in start self.lsa_decryptor = self.get_lsa() ^^^^^^^^^^^^^^ File "/usr/lib/python3/dist-packages/pypykatz/pypykatz.py", line 267, in get_lsa raise Exception('All detection methods failed.') Exception: All detection methods failed. Traceback (most recent call last): File "/usr/lib/python3/dist-packages/pypykatz/pypykatz.py", line 261, in get_lsa lsa_dec = LsaDecryptor.choose(self.reader, lsa_dec_template, self.sysinfo) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/lib/python3/dist-packages/pypykatz/lsadecryptor/lsa_decryptor.py", line 20, in choose return LsaDecryptor_NT6(reader, decryptor_template, sysinfo) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/lib/python3/dist-packages/pypykatz/lsadecryptor/lsa_decryptor_nt6.py", line 22, in init self.acquire_crypto_material() File "/usr/lib/python3/dist-packages/pypykatz/lsadecryptor/lsa_decryptor_nt6.py", line 26, in acquire_crypto_material sigpos = self.find_signature() ^^^^^^^^^^^^^^^^^^^^^ File "/usr/lib/python3/dist-packages/pypykatz/lsadecryptor/lsa_decryptor_nt6.py", line 44, in find_signature fl = self.reader.find_in_module('lsasrv.dll', self.decryptor_template.key_pattern.signature, find_first = True) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/lib/python3/dist-packages/minidump/minidumpreader.py", line 272, in find_in_module t = 
self.reader.search_module(module_name, pattern, find_first = find_first, reverse_order = reverse_order, chunksize = self.segment_chunk_size) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/lib/python3/dist-packages/minidump/minidumpreader.py", line 337, in search_module raise Exception('Could not find module! %s' % module_name) Exception: Could not find module! lsasrv.dll
During handling of the above exception, another exception occurred:
Traceback (most recent call last): File "/usr/lib/python3/dist-packages/pypykatz/lsadecryptor/cmdhelper.py", line 260, in run mimi = pypykatz.parse_minidump_file(args.memoryfile, packages=args.packages) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/lib/python3/dist-packages/pypykatz/pypykatz.py", line 151, in parse_minidump_file raise e File "/usr/lib/python3/dist-packages/pypykatz/pypykatz.py", line 147, in parse_minidump_file mimi.start(packages) File "/usr/lib/python3/dist-packages/pypykatz/pypykatz.py", line 350, in start self.lsa_decryptor = self.get_lsa() ^^^^^^^^^^^^^^ File "/usr/lib/python3/dist-packages/pypykatz/pypykatz.py", line 267, in get_lsa raise Exception('All detection methods failed.') Exception: All detection methods failed.