First issue was symbols in windbg. Most importantly, NO symbols for windbg. I found this article that lets you remotely download them:
http://support.microsoft.com/kb/311503
.sympath SRV*f:\localsymbols*http://msdl.microsoft.com/download/symbols
0: kd> .sympath SRV*f:\localsymbols*http://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*f:\localsymbols*http://msdl.microsoft.com/download/symbols
Expanded Symbol search path is: srv*f:\localsymbols*http://msdl.microsoft.com/download/symbols
0: kd> .reload
Loading Kernel Symbols
...............................................................
................................................................
..............
Loading User Symbols
Loading unloaded module list
.........
Second issue was creating the dmp file. I tried volatility's imagecopy and The Windows Memory Toolkit. Neither produced a dump file that would work with windbg for Windows 8 or Windows 2012. What did work was VMWare's vmss2core utility.
Note for VMware workstation/fusion you need to pass it the .vmsn and .vmem files (shown above)
For VMware ESXi i just needed to pass the .vmsn file
The rest follows the same flow as the previous post
1. Load the memory.dmp file vmss2core created
2. Fix your symbols (shown above)
3. Load the mimilib.dll file
kd> .load C:\users\user\desktop\mimilib.dll
4. Find the lsass process
kd> !process 0 0 lsass.exe
PROCESS ffffe00112f08080
SessionId: 0 Cid: 01e8 Peb: 7ff623aac000 ParentCid: 0194
DirBase: 06291000 ObjectTable: ffffc001f8f0c400 HandleCount:
Image: lsass.exe
kd> .process /r /p ffffe00112f08080
Implicit process is now ffffe001`12f08080
Loading User Symbols
................................................................
kd> !mimikatz
7. Drink Beers
4 comments:
from Benjamin
http://blog.gentilkiwi.com/retro-ingenierie/symboles-microsoft-windbg-ida-process-explorer-monitor
Very practical research! Can you apply your approach to an inception FireWire raw memory dump file, in your opinion? I have a 4GB memdump file akqired via FireWire from a customer laptop, but get the following error message, if I try to bin2dmp it:
"Initializing memory descriptors... Done.
Looking for kernel variables... Failed.
Cannot open file. Please check if the file is not being used."
thx in advance and thx for all your great input in the last couple of years!
@anoymous i dont know on that one. sorry.
You may find useful to know that there is also a custom volatility plugin that promises to dump the passwords directly from the ram dump, without the need to open the image with WinDbg:
http://blog.digital-forensics.it/2014/03/et-voila-le-mimikatz-offline.html
https://code.google.com/p/hotoloti/
I didn't tested it but from the source it appears to support Windows 7 and Vista only, both 32 and 64.
Post a Comment