ufrisk / MemProcFS

GNU Affero General Public License v3.0

pypykatz parsing_error.txt #232

Closed belveruski closed 4 months ago

belveruski commented 11 months ago

Hi,

On Linux I use the latest release of MemProcFS, 5.8.15:

$ ./memprocfs -device ~/challenges/htb/reminiscent/flounder-pc-memdump.elf -mount ~/challenges/htb/reminiscent/memprocfs -forensic 1
Initialized 64-bit Windows 6.1.7601

==============================  MemProcFS  ==============================
 - Author:           Ulf Frisk - pcileech@frizk.net                      
 - Info:             https://github.com/ufrisk/MemProcFS                 
 - Discord:          https://discord.gg/BCmfBhDPXX                       
 - License:          GNU Affero General Public License v3.0              
   --------------------------------------------------------------------- 
   MemProcFS is free open source software. If you find it useful please  
   become a sponsor at: https://github.com/sponsors/ufrisk Thank You :)  
   --------------------------------------------------------------------- 
 - Version:          5.8.15 (Linux)
 - Mount Point:      /home/tsurugi/challenges/htb/reminiscent/memprocfs           
 - Tag:              7601_8e078ecd        
 - Operating System: Windows 6.1.7601 (X64)
==========================================================================

When I try to automatically parse the minidump of the lsass process, I get the following error in the file memprocfs/py/secrets/parsing_error.txt:

pypykatz plugin tried to parse the lsass.exe process in your memory dump but failed.
This could be caused by multiple things:
    1. The pypykatz's parser code is potato
    2. MemProcFs could not fully parse the memory, usually this happens with incorrect memory dump files.
        Check for error strings like "Could not load segment data"

In case you are cretain the problem is caused by the parser, 
please submit an issue with the info below this line:
===== BASIC INFO. SUBMIT THIS IF THERE IS AN ISSUE =====
CPU arch: X64
OS: None
BuildNumber: 7601
MajorVersion: 6
MSV timestamp: 1422929682

Traceback (most recent call last):
  File "/home/tsurugi/.local/lib/python3.8/site-packages/pypykatz/pypykatz.py", line 261, in get_lsa
    lsa_dec = LsaDecryptor.choose(self.reader, lsa_dec_template, self.sysinfo)
  File "/home/tsurugi/.local/lib/python3.8/site-packages/pypykatz/lsadecryptor/lsa_decryptor.py", line 20, in choose
    return LsaDecryptor_NT6(reader, decryptor_template, sysinfo)
  File "/home/tsurugi/.local/lib/python3.8/site-packages/pypykatz/lsadecryptor/lsa_decryptor_nt6.py", line 22, in __init__
    self.acquire_crypto_material()
  File "/home/tsurugi/.local/lib/python3.8/site-packages/pypykatz/lsadecryptor/lsa_decryptor_nt6.py", line 26, in acquire_crypto_material
    sigpos = self.find_signature()
  File "/home/tsurugi/.local/lib/python3.8/site-packages/pypykatz/lsadecryptor/lsa_decryptor_nt6.py", line 44, in find_signature
    fl = self.reader.find_in_module('lsasrv.dll', self.decryptor_template.key_pattern.signature, find_first = True)
TypeError: find_in_module() got an unexpected keyword argument 'find_first'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/tsurugi/tools/memprocfs/plugins/pym_pypykatz/pym_pypykatz.py", line 107, in process_lsass
    mimi.start()
  File "/home/tsurugi/.local/lib/python3.8/site-packages/pypykatz/pypykatz.py", line 350, in start
    self.lsa_decryptor = self.get_lsa()
  File "/home/tsurugi/.local/lib/python3.8/site-packages/pypykatz/pypykatz.py", line 267, in get_lsa
    raise Exception('All detection methods failed.')
Exception: All detection methods failed.

I tried to manually parse the minidump, and it works. I don't understand why I get this error with the pypykatz plugin integrated into MemProcFS.

$ pypykatz lsa minidump minidump.dmp

INFO:pypykatz:Parsing file minidump.dmp
FILE: ======== minidump.dmp =======
== LogonSession ==
authentication_id 96476 (178dc)
session_id 1
username user
domainname FLOUNDER-PC
logon_server FLOUNDER-PC
logon_time 2017-10-04T18:04:36.818750+00:00
sid S-1-5-21-1473209517-4047410871-3154729988-1005
luid 96476
..............................................

Thank you in advance for your help and your work.
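The TypeError in the traceback above is an API mismatch rather than a parsing failure: the decryptor calls the reader's find_in_module() with a find_first keyword that the reader in use does not accept, so the lsasrv.dll signature search throws before any memory is inspected, and the outer "All detection methods failed" masks the real cause. Below is an added example (not code from this issue, from MemProcFS or from pypykatz) of a version-tolerant wrapper that passes find_first only when the reader's signature accepts it and otherwise emulates it on the caller's side. The two reader classes, the module bytes and the signature pattern are constructed stand-ins for illustration, not pypykatz's real reader or its real key pattern.

```python
"""Added example: tolerate a reader whose find_in_module() lacks the
find_first keyword. OldReader/NewReader, LSASRV_IMAGE and SIGNATURE are
constructed stand-ins (hypothetical), not pypykatz or MemProcFS code."""
import inspect
import re


class OldReader:
    """Stand-in for a reader whose find_in_module() returns every match
    and has no find_first keyword (constructed)."""

    def __init__(self, modules):
        self.modules = modules  # {module_name: module bytes}

    def find_in_module(self, module_name, pattern):
        data = self.modules[module_name]
        return [m.start() for m in re.finditer(re.escape(pattern), data)]


class NewReader(OldReader):
    """Stand-in for a reader that does accept find_first (constructed)."""

    def find_in_module(self, module_name, pattern, find_first=False):
        hits = super().find_in_module(module_name, pattern)
        return hits[:1] if find_first else hits


def find_in_module_compat(reader, module_name, pattern, find_first=True):
    """Call reader.find_in_module(); pass find_first= only if the bound
    method's signature accepts it (or takes **kwargs), otherwise request
    all matches and truncate client-side so both reader generations
    behave the same to the caller."""
    sig = inspect.signature(reader.find_in_module)
    accepts = "find_first" in sig.parameters or any(
        p.kind is inspect.Parameter.VAR_KEYWORD for p in sig.parameters.values()
    )
    if accepts:
        return reader.find_in_module(module_name, pattern, find_first=find_first)
    hits = reader.find_in_module(module_name, pattern)
    return hits[:1] if find_first else hits


# Constructed sample "lsasrv.dll" image: the 4-byte signature appears at
# offsets 16 and 28. Neither the bytes nor the pattern are real lsasrv data.
SIGNATURE = b"\xaa\xbb\xcc\xdd"
LSASRV_IMAGE = b"\x00" * 16 + SIGNATURE + b"\x90" * 8 + SIGNATURE


def demo():
    """Show the direct call failing on the old reader (the TypeError seen
    in parsing_error.txt) and the compat wrapper working on both."""
    modules = {"lsasrv.dll": LSASRV_IMAGE}
    results = {}
    for name, reader in (("old", OldReader(modules)), ("new", NewReader(modules))):
        try:
            reader.find_in_module("lsasrv.dll", SIGNATURE, find_first=True)
            results[name + "_direct"] = "ok"
        except TypeError:
            results[name + "_direct"] = "TypeError"
        results[name + "_compat"] = find_in_module_compat(
            reader, "lsasrv.dll", SIGNATURE, find_first=True
        )
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The practical check this suggests when a MemProcFS plugin fails this way: a TypeError on a keyword argument inside the library's own call chain points at the plugin and the installed library version disagreeing on an interface, which is why the same minidump parses fine with the standalone pypykatz command; confirm the installed pypykatz version matches what the plugin was written against before suspecting the dump.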

ufrisk commented 11 months ago

Thanks, I'll look into this. There is probably something wrong with the pypykatz module. Anyway it's not really a big issue as I can see it's working with pypykatz proper. Still an issue though.

ufrisk commented 4 months ago

I think there might have been an issue with pypykatz. Unfortunately I won't be looking into this since this feature was abused.