fortra / nanodump

The swiss army knife of LSASS dumping

Home Page: https://www.coresecurity.com/core-labs/articles/nanodump-red-team-approach-minidumps

sekurlsa::minidump from nanodump output file

yasminenicol opened this issue · comments

I am using nanodump for dumping lsass.exe. Everything is OK, but when I get to mimikatz with the following command, I get an error:

mimikatz.exe "sekurlsa::minidump <path/to/dumpfile>" "sekurlsa::logonPasswords full" exit

mimikatz error: ERROR kuhl_m_sekurlsa_acquireLSA ; Memory opening

I use the "x64 nanodump ssp dll", and the AddSecurityPackage WinAPI for attaching to lsass.

When I was testing all the ways, I noticed that the size of the dump file nanodump writes (default => report.docx) is different from the procmon.exe Full and Mini dump output.

My test:

procmon full = 71 MB ,procmon mini = 1.6 MB

nanodump = 11 MB

commented

The SSP module creates a dump file with an invalid signature by default.
Have you tried to restore the signature using the scripts/restore_signature?

Thanks very much, I'm not familiar with signatures; this approach solved my problem, thanks :)) @S4ntiagoP

commented

Great!
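The thread above turns on the dump file's header signature. As an added example (not code from the nanodump project or from the posters), this Python triage check classifies a file as a valid minidump, a minidump whose signature has been invalidated, or neither, which is useful when a dump is hiding under a name such as report.docx. It assumes only the Signature and Version fields are invalid and the rest of the MINIDUMP_HEADER and stream directory are intact; `classify_dump` and `build_sample` are hypothetical names, and the sample bytes are constructed.

```python
import struct

MDMP_SIGNATURE = 0x504D444D          # b"MDMP" read as a little-endian DWORD
MDMP_VERSION = 0xA793                # low word of Version in a valid header
HEADER = struct.Struct("<IIIIIIQ")   # MINIDUMP_HEADER, 32 bytes
DIRECTORY = struct.Struct("<III")    # MINIDUMP_DIRECTORY: StreamType, DataSize, Rva


def classify_dump(data: bytes) -> str:
    """Return 'valid', 'invalid-signature' or 'not-minidump' for a byte buffer."""
    if len(data) < HEADER.size:
        return "not-minidump"
    sig, version, n_streams, dir_rva, _sum, _ts, _flags = HEADER.unpack_from(data)
    # Structural test that ignores the first 8 bytes: the stream directory
    # must lie inside the file and every used entry must point inside it.
    if not 0 < n_streams <= 64:
        return "not-minidump"
    if dir_rva < HEADER.size or dir_rva + n_streams * DIRECTORY.size > len(data):
        return "not-minidump"
    for i in range(n_streams):
        stype, size, rva = DIRECTORY.unpack_from(data, dir_rva + i * DIRECTORY.size)
        if stype == 0:               # UnusedStream carries no data
            continue
        if rva < HEADER.size or rva + size > len(data):
            return "not-minidump"
    if sig == MDMP_SIGNATURE and version & 0xFFFF == MDMP_VERSION:
        return "valid"
    return "invalid-signature"


def build_sample(sig: int, version: int) -> bytes:
    """Constructed sample: header, three directory entries, 16-byte streams."""
    types = (7, 4, 9)  # SystemInfoStream, ModuleListStream, Memory64ListStream
    data_start = HEADER.size + len(types) * DIRECTORY.size
    out = HEADER.pack(sig, version, len(types), HEADER.size, 0, 0, 2)
    for i, stream_type in enumerate(types):
        out += DIRECTORY.pack(stream_type, 16, data_start + 16 * i)
    return out + bytes(16 * len(types))


if __name__ == "__main__":
    for label, blob in (("intact", build_sample(MDMP_SIGNATURE, MDMP_VERSION)),
                        ("signature zeroed", build_sample(0, 0)),
                        ("zip/docx magic", b"PK\x03\x04" + bytes(60))):
        print(f"{label}: {classify_dump(blob)}")
```

A result of `invalid-signature` on a multi-megabyte file with a document extension is worth escalating, since the structure behind the bad magic still parses as a process dump.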