
Comments (4)

skelsec commented on August 24, 2024

The error this time is on your end. This is not a minidump file :)
What tool did you use to create this image?

from pypykatz.

forensenellanebbia commented on August 24, 2024

My mistake, I should have double-checked the file! I wrongly thought I was generating a minidump by using rekall's memdump plugin. This time I don't have a live VM, but a memory dump from an old CTF. If you want to have a look at it, I uploaded the dump (1 GB) to Dropbox: https://www.dropbox.com/s/4g4vzh51tqy4xo3/win10.img.zip?dl=0
Thanks in any case ;)

This is the error I get when I try pypykatz against the dump on Ubuntu:

< begin >
(MyEnv) ubuntu@vmubuntudskt:~$ pypykatz rekall '/home/ubuntu/Desktop/win10.img'
INFO:root:Generating grammar tables from /usr/lib/python3.6/lib2to3/Grammar.txt
INFO:root:Generating grammar tables from /usr/lib/python3.6/lib2to3/PatternGrammar.txt
WARNING:rekall.plugins.tools:Webconsole disabled: cannot import name 'webconsole_plugin'
INFO:root:Invoking recall on file /home/ubuntu/Desktop/win10.img
INFO:pypykatz:Autodetected physical address space FileAddressSpace
INFO:pypykatz:Loaded profile pe from Local Cache - (in 0.7019617557525635 sec)
INFO:pypykatz:Loaded profile nt/GUID/C68EE22FDCF6477895C54A862BE165671 from Local Cache - (in 4.020295143127441 sec)
INFO:pypykatz:Loaded profile nt/eprocess_index from Local Cache - (in 1.3534009456634521 sec)
INFO:pypykatz:Detected ntkrnlmp.pdb with GUID C68EE22FDCF6477895C54A862BE165671
INFO:pypykatz:Searching LSASS process
INFO:pypykatz:Detected kernel base at 0xF8032801A000
INFO:pypykatz:WARNING! msv.dll timestamp not found! This could cause errors with older windows builds. You might need to specify it manually for anti_mimikatz structs!
Traceback (most recent call last):
File "/home/ubuntu/MyEnv/bin/pypykatz", line 11, in <module>
load_entry_point('pypykatz==0.0.6', 'console_scripts', 'pypykatz')()
File "/home/ubuntu/MyEnv/lib/python3.6/site-packages/pypykatz/main.py", line 86, in main
mimi = pypykatz.parse_memory_dump_rekall(args.memoryfile, args.timestamp_override)
File "/home/ubuntu/MyEnv/lib/python3.6/site-packages/pypykatz/pypykatz.py", line 65, in parse_memory_dump_rekall
mimi.start()
File "/home/ubuntu/MyEnv/lib/python3.6/site-packages/pypykatz/pypykatz.py", line 168, in start
self.lsa_decryptor = self.get_lsa()
File "/home/ubuntu/MyEnv/lib/python3.6/site-packages/pypykatz/pypykatz.py", line 98, in get_lsa
lsa_dec = LsaDecryptor(self.reader, lsa_dec_template, self.sysinfo)
File "/home/ubuntu/MyEnv/lib/python3.6/site-packages/pypykatz/lsadecryptor/lsa_decryptor.py", line 21, in __init__
self.acquire_crypto_material()
File "/home/ubuntu/MyEnv/lib/python3.6/site-packages/pypykatz/lsadecryptor/lsa_decryptor.py", line 25, in acquire_crypto_material
sigpos = self.find_signature()
File "/home/ubuntu/MyEnv/lib/python3.6/site-packages/pypykatz/lsadecryptor/lsa_decryptor.py", line 43, in find_signature
fl = self.reader.find_in_module('lsasrv.dll', self.decryptor_template.key_pattern.signature)
File "/home/ubuntu/MyEnv/lib/python3.6/site-packages/pypykatz/commons/readers/rekall/rekallreader.py", line 214, in find_in_module
scanner = scan.MultiStringScanner(
NameError: name 'scan' is not defined
< end >

If I try with MemProcFS 2.3 (with MemProcFS-plugins + pip install pypykatz + python-3.6.6-embed-amd64 and no other python installation in the vm) on Windows 10, the file parsing_error.txt in py\secrets shows this error message:

< begin >
pypykatz plugin tried to parse the lsass.exe process in your memory dump but failed.
This could be caused by multiple things:
1. The pypykatz's parser code is potato
2. MemProcFs could not fully parse the memory, usually this happens with incorrect memory dump files.
Check for error strings like "Could not load segment data"
In case you are cretain the problem is caused by the parser,
please submit an issue with the info below this line:
===== BASIC INFO. SUBMIT THIS IF THERE IS AN ISSUE =====
CPU arch: X64
OS: None
BuildNumber: 10240
MajorVersion: 6
MSV timestamp: 1436498059
Traceback (most recent call last):
File "C:\Users\standard\Desktop\MemProc\plugins\pym_pypykatz\pym_pypykatz.py", line 110, in process_lsass
mimi.start()
File "C:\Users\standard\Desktop\MemProc\python\Lib\site-packages\pypykatz\pypykatz.py", line 169, in start
self.get_logoncreds()
File "C:\Users\standard\Desktop\MemProc\python\Lib\site-packages\pypykatz\pypykatz.py", line 93, in get_logoncreds
logoncred_decryptor.start()
File "C:\Users\standard\Desktop\MemProc\python\Lib\site-packages\pypykatz\lsadecryptor\packages\msv\decryptor.py", line 334, in start
self.walk_list(entry_ptr, self.add_entry)
File "C:\Users\standard\Desktop\MemProc\python\Lib\site-packages\pypykatz\lsadecryptor\package_commons.py", line 176, in walk_list
callback(entry)
File "C:\Users\standard\Desktop\MemProc\python\Lib\site-packages\pypykatz\lsadecryptor\packages\msv\decryptor.py", line 254, in add_entry
self.walk_list(entry.Credentials_list_ptr, self.add_credentials)
File "C:\Users\standard\Desktop\MemProc\python\Lib\site-packages\pypykatz\lsadecryptor\package_commons.py", line 176, in walk_list
callback(entry)
File "C:\Users\standard\Desktop\MemProc\python\Lib\site-packages\pypykatz\lsadecryptor\packages\msv\decryptor.py", line 263, in add_credentials
self.add_primary_credentials
File "C:\Users\standard\Desktop\MemProc\python\Lib\site-packages\pypykatz\lsadecryptor\package_commons.py", line 176, in walk_list
callback(entry)
File "C:\Users\standard\Desktop\MemProc\python\Lib\site-packages\pypykatz\lsadecryptor\packages\msv\decryptor.py", line 296, in add_primary_credentials
self.log('%s: \n%s' % (self.decryptor_template.decrypted_credential_struct.name, hexdump(dec_data)))
File "C:\Users\standard\Desktop\MemProc\python\Lib\site-packages\pypykatz\commons\common.py", line 219, in hexdump
for i in xrange(0, len(src), length):
TypeError: object of type 'NoneType' has no len()
< end >


skelsec commented on August 24, 2024

Ha! Good finding. Not sure why it happens; never seen it in the minidump files. However, the fix seems to be easy.
Should be working now, please confirm.


forensenellanebbia commented on August 24, 2024

I've just tried with rekall and confirm it is working. Thanks again!

