Comments (2)
Hello,
This is expected behavior, I will expand the wiki about it probably with the text below:
The `handledup` method will search for all open process handles in all processes and tests if the given handle is a process handle to LSASS. If it is then it will try to use that handle and if it succeeds then hurray, if not then it will continue with the next available handle.
The handle searching does not know upfront which process has which handles, it simply requests ALL possible handles via windows API call, therefore some "bruteforcing" is needed.
This method can succeed because of two possible reasons:
- a random process has an open handle to LSASS, and you can access this random process via your debug privs
- LSASS itself has an open handle to LSASS by default. You might ask: but then how is this different from the `normal` method? Well, Timmy, the reason is: to access only a process handle object in a given process you need different flags to open the process than if you'd like to read the same process' full memory. Antiviruses tend to focus on the "WE DEFEAT MIMIKATZ WARRGGGRGAHHH" approach, so they (not all, hence you can't always win) specifically filter/block OpenProcess calls with that one specific flag value `mimikatz` uses. This method doesn't use that specific flag value therefore bypasses this filtering.
I hope this clears it up
from pypykatz.
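The comment above makes a detection point worth seeing on data: a filter that keys on the one OpenProcess access mask a memory-reading dumper uses against lsass.exe does not see a handle-duplication sweep, because that sweep opens other processes with a different right (PROCESS_DUP_HANDLE) and never opens lsass.exe for memory reading itself. The following is an added example written for this page, not pypykatz code; it runs an exact-mask filter and a broader rule over constructed Sysmon Event ID 10 (ProcessAccess) style lines. The field names are Sysmon's, the paths and access values are made up, and the specific mask chosen for the narrow filter and the sweep threshold are assumptions for the example.

```python
"""Exact-mask lsass filter vs. a broader ProcessAccess rule (added example)."""
import re
from collections import defaultdict

# Documented Windows process access rights.
PROCESS_VM_READ = 0x0010
PROCESS_DUP_HANDLE = 0x0040
PROCESS_QUERY_INFORMATION = 0x0400

# The single mask a narrow "block the memory reader" filter keys on
# (assumption for this example: read memory + query information).
NARROW_MASK = PROCESS_VM_READ | PROCESS_QUERY_INFORMATION  # 0x0410

# Constructed Sysmon Event ID 10 style records (made-up paths and values).
SAMPLE_EVENTS = [
    r"SourceImage=C:\Tools\dumper.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x410",
    r"SourceImage=C:\Tools\dumper2.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1410",
    r"SourceImage=C:\Tools\scanner.exe TargetImage=C:\Windows\explorer.exe GrantedAccess=0x40",
    r"SourceImage=C:\Tools\scanner.exe TargetImage=C:\Windows\System32\svchost.exe GrantedAccess=0x40",
    r"SourceImage=C:\Tools\scanner.exe TargetImage=C:\Apps\app.exe GrantedAccess=0x40",
    r"SourceImage=C:\Tools\scanner.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x40",
    # Benign-looking: PROCESS_QUERY_LIMITED_INFORMATION (0x1000) on lsass is common.
    r"SourceImage=C:\Windows\System32\svchost.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1000",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one key=value record into a dict; GrantedAccess becomes an int."""
    ev = dict(FIELD_RE.findall(line))
    ev["GrantedAccess"] = int(ev["GrantedAccess"], 16)
    return ev


def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def narrow_filter(lines):
    """Sources that opened lsass.exe with exactly NARROW_MASK (what a
    mask-equality filter would catch)."""
    hits = []
    for ev in map(parse_event, lines):
        if image_name(ev["TargetImage"]) == "lsass.exe" and ev["GrantedAccess"] == NARROW_MASK:
            hits.append(image_name(ev["SourceImage"]))
    return hits


def broad_detect(lines, dup_threshold=3):
    """Two bit-test rules instead of one equality test:
    1. any lsass.exe open whose mask includes PROCESS_VM_READ, whatever else is set;
    2. one source opening at least dup_threshold distinct targets with
       PROCESS_DUP_HANDLE, the shape of a handle-duplication sweep
       (threshold is an assumption, tune it to the host's baseline)."""
    findings = []
    dup_targets = defaultdict(set)
    for ev in map(parse_event, lines):
        src = image_name(ev["SourceImage"])
        tgt = image_name(ev["TargetImage"])
        mask = ev["GrantedAccess"]
        if tgt == "lsass.exe" and mask & PROCESS_VM_READ:
            findings.append(("lsass-memory-read", src))
        if mask & PROCESS_DUP_HANDLE:
            dup_targets[src].add(tgt)
    for src, targets in dup_targets.items():
        if len(targets) >= dup_threshold:
            findings.append(("handle-dup-sweep", src))
    return findings


if __name__ == "__main__":
    print("narrow:", narrow_filter(SAMPLE_EVENTS))
    print("broad: ", broad_detect(SAMPLE_EVENTS))
```

On the sample data the narrow filter reports only dumper.exe: dumper2.exe slips past because its mask carries one extra bit, and scanner.exe never appears at all, since its only lsass open asks for DUP_HANDLE rather than VM_READ. The broad rule flags both readers by testing the VM_READ bit and flags scanner.exe by the fan-out of DUP_HANDLE opens across unrelated processes; the later reads through the duplicated handle do not produce a fresh ProcessAccess event for lsass.exe from the reader, which is why the sweep shape, not the lsass open, is the signal to watch for.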
Many thanks for the super quick response. Really understand the use case now and when this could be useful and when it will trigger/flag. Will close now.
Regards