
Lsaas process finder fails #90

Closed
VakarisZ opened this issue Sep 3, 2021 · 2 comments · Fixed by #93

Comments

VakarisZ (Contributor) commented Sep 3, 2021

The line in live_reader_ctypes.py:68:

pid_to_name[pid] = QueryFullProcessImageNameW(process_handle)

fails for me with an error: (WinError 31) A device attached to the system is not functioning. This fails the whole mimikatz collection, even though the lsass process was already found and is in the pid_to_name dict.

I've seen the stale #69 PR that also addresses this. @skelsec @ebfe90 let me know if you intend to fix it. If not, I'll open up my own PR.

skelsec (Owner) commented Sep 4, 2021

Hello! Can you please send some more info so I can try to track down this issue?
Windows version / pypykatz version / is there AV running / other stuff you feel is relevant

VakarisZ (Contributor, Author) commented Sep 6, 2021

I'm using Windows 10, tried versions 0.3.12 and the latest (0.5.2). AV is running. But none of this is relevant, because the error is thrown from the lower-level function windll.kernel32.QueryFullProcessImageNameW. The issue with your package is that this error is not handled even though the lsass process was already found. Simply moving the pid_to_name[pid] = QueryFullProcessImageNameW(process_handle) into the try block solved this issue for me (the error gets caught and the code continues).

VakarisZ added a commit to VakarisZ/pypykatz that referenced this issue Sep 6, 2021
…tz to fail even if just a single name resolve fails (skelsec#90)