
Error calling NtAdjustPrivilegesToken

Open royaliceblue opened this issue 9 months ago • 1 comment

Expected vs Actual Behavior

I got the Error calling NtAdjustPrivilegesToken. NTSTATUS: 0x106. Maybe you need to calculate the LowPart of the LUID using LookupPrivilegeValue

Specifications

  • Operative system: I am running on Windows 11 Pro 24H2 10.0.26100 N/A Build 26100

This version of nativedump.exe is compiled as x64 in visual studio 2022.

Steps to Reproduce the Problem

.\nativedump.exe
[+] Process PID:                                800
[-] Error calling NtAdjustPrivilegesToken. NTSTATUS: 0x106. Maybe you need to calculate the LowPart of the LUID using LookupPrivilegeValue

royaliceblue avatar May 24 '25 15:05 royaliceblue

Hello @royaliceblue . What branch are you using? What AV is installed in your Windows 11 machine?

ricardojoserf avatar May 25 '25 09:05 ricardojoserf

Hi @ricardojoserf , I am using the main branch and I have disabled all AV in my Windows 11 machine. Thanks.

royaliceblue avatar May 25 '25 14:05 royaliceblue

Hello @royaliceblue , I tested the .NET version and it works in my Windows 11 VM, I am updating it in case this is not working in the latest versions. You can find the file here: https://mega.nz/folder/hlMHkQzB#s94r930qFWSmTyaAi8L-bA

Image

I dont have a Windows 11 Pro so please let me know if it works with the files I uploaded to Mega

ricardojoserf avatar May 26 '25 12:05 ricardojoserf

Hi @ricardojoserf , thank you so much for providing the executables. Please look at the results below when run on Windows 11 Pro with dotnet_nativedump.exe

Image

royaliceblue avatar May 28 '25 03:05 royaliceblue

Hi @royaliceblue , I think I can guess the problem from the output of the command now. The PEB structure in the lsass process of your system is not readable, which means the tool cannot read the necessary information from the process. This happens sometimes because security solutions decide to make this information unreadable; you can install Process Hacker (now called System Informer - https://systeminformer.sourceforge.io/downloads) and check that the memory is not readable even if you are administrator. So please let me know first if you have any AV or EDR installed, and second if PPL is enabled (at the path "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa", the value of the RunAsPPL key).

ricardojoserf avatar May 28 '25 09:05 ricardojoserf
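A defender's check for the LSA protection state asked about above, added here as an example and not part of the issue or the NativeDump project: it reads the RunAsPPL value from the Lsa key named in the comment and, as an assumption beyond the thread, looks up the Wininit boot event that records whether lsass.exe was actually started as a protected process.

```powershell
# Added example (not from the issue or NativeDump): report whether LSA protection (RunAsPPL)
# is configured in the registry and whether lsass.exe started as a protected process at last boot.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$props  = Get-ItemProperty -Path $lsaKey -ErrorAction SilentlyContinue

# Documented RunAsPPL values: 1 = enabled with UEFI lock, 2 = enabled without UEFI lock.
# An absent or zero value does not by itself prove protection is off, so the boot-time
# event below is treated as the authoritative answer.
$runAsPpl = if ($null -ne $props -and $null -ne $props.RunAsPPL) { [int]$props.RunAsPPL } else { 0 }
$state = switch ($runAsPpl) {
    1       { 'enabled (UEFI-locked)' }
    2       { 'enabled (no UEFI lock)' }
    default { 'not set or disabled' }
}
Write-Host "RunAsPPL registry value : $runAsPpl ($state)"

# Assumption: Event ID 12 from the Microsoft-Windows-Wininit provider in the System log
# records the protection level lsass.exe was launched with ("... started as a protected
# process with level: 4"). No such event means lsass.exe ran unprotected at the last boot.
$evt = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 12 } `
        -MaxEvents 1 -ErrorAction SilentlyContinue
if ($evt) {
    Write-Host "Last boot ($($evt.TimeCreated)): $($evt.Message.Trim())"
} else {
    Write-Host 'No Wininit event 12 found: lsass.exe was not logged as a protected process at last boot.'
}

# The Defender toggle (Core isolation > Local Security Authority protection) writes the same key;
# a registry value of 1 or 2 with no boot event usually means the change is waiting on a reboot.
```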

Hi @ricardojoserf , thank you for investigating the issue.

You are right. I found that the main feature to disable lies under Windows Security > Device Security > Core isolation > Local Security Authority protection. After this protection is turned off in Defender, the .dmp file will be generated successfully. It will be helpful if you can let others know of this in your repo's readme.md.

Image

Problem

However, I tried many different ways to process this .dmp file, but I always get an error.

First method: Pypykatz

pypykatz lsa minidump ./proc_836.dmp

INFO:pypykatz:Parsing file ./proc_836.dmp
ERROR:pypykatz:Minidump parsing error!

...

UnicodeDecodeError: 'utf-16-le' codec can't decode bytes in position 3224-3225: illegal UTF-16 surrogate
decoding with 'utf-16-le' codec failed
ERROR:pypykatz:Error while parsing file ./proc_836.dmp

As shown in: https://www.vidrasec.com/blog/dump-hashes-in-windows-11-24h2/ and https://github.com/skelsec/pypykatz/issues/174

pypykatz has implemented updates to process .dmp files for 24H2. But the .dmp file generated could not be processed by pypykatz.

Second method: Mimikatz

.\mimikatz.exe

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( [email protected] )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz # sekurlsa::minidump .\proc_744.dmp
Switch to MINIDUMP : '.\proc_744.dmp'

mimikatz # sekurlsa::logonpasswords
Opening : '.\proc_744.dmp' file for minidump...
ERROR kuhl_m_sekurlsa_acquireLSA ; Logon list

mimikatz # exit
Bye!

The classic ERROR kuhl_m_sekurlsa_acquireLSA error after processing the .dmp file. However, this method must be outdated for Windows 11 24H2.

Please let me know if this issue is beyond the scope of NativeDump. Lastly, please let me know how you would process the .dmp file generated from NativeDump.

Thanks @ricardojoserf !

royaliceblue avatar May 29 '25 02:05 royaliceblue

Hi @royaliceblue , nice! At least you could extract the information and generate a Minidump file. I do not recommend Mimikatz for reading dumps from Windows 11, latest versions are not supported and you would not be able to read the Minidump even if it was generated by typical tools such as Task Manager or Procdump. However, pypykatz from version 0.6.11 supports 24H2 versions of Windows, can you let me know which version you are using? I got the same errors as you, then installed the latest version of Pypykatz in WSL and could successfully read the file generated with NativeDump. If you have the latest version, do you get the same results using the .NET and the Go versions? If you still get the error, and if this is a test VM, could you upload the file to Mega, Drive or similar and send me a link so I can check it?

ricardojoserf avatar May 29 '25 08:05 ricardojoserf

Hi @ricardojoserf , I got the same results as you. Only Pypykatz installed in WSL is able to read the .dmp file. However, even when Pypykatz is updated to the latest version in my Kali Linux, the error mentioned above appears.

Do you know the reason why this is happening? Thanks for your time and I would like to know if there are better ways rather than transferring the files to WSL!

royaliceblue avatar May 30 '25 02:05 royaliceblue

Hi @royaliceblue , that is great to hear. I will create an issue in the Pypykatz repository because I have no idea why it happens, but it is curious we are having the same behavior in our environments. I will close this issue for now, I hope the tool works for you in the future, and if you like it do not forget to hit the Star button ;) Cheers!

ricardojoserf avatar May 30 '25 15:05 ricardojoserf

Hi @ricardojoserf , thanks for creating the issue! Yes, I have already starred the repository as it has helped me. If you need assistance to update any troubleshooting tips on your repo, please do not hesitate to let me know! I can perhaps make a fork and submit a pull request to help you :)

royaliceblue avatar May 31 '25 10:05 royaliceblue