Werfault technique returns empty lsass dump #21
Comments
I love that you used the debug release and the -p param, not that many people are aware of their existence 😄
I'm a big fan of your work btw 😛
eheh glad about that :D I was running tests on machines without AV or EDR installed... I tried it on a Windows Server 2019, Win10 1909, Win10 1809. I think there is some bogus code somewhere because on a Win10 1809 I saw the dump generated with only a few bytes: Which Windows version have you been able to test successfully?
Wow that is very weird, I will do some testing.
Ok, I found the bug. Your code is enabling the SeDebugPrivilege after executing the "werfault" technique, while it's indeed required before. Your tests were successful highly likely because you were running from a SYSTEM shell or a shell with SeDebugPrivilege already enabled (default is disabled) ;) Now works :) Sending a PR soon.
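A preflight check for the ordering bug described in the comment above, added here as an example and not code from the project or its contributors: it reports whether SeDebugPrivilege is merely present in the current token or already Enabled, which is what made the original tests pass from a SYSTEM shell. It assumes only that whoami.exe is available; the function name is my own.

```powershell
# Added example (not the project's code): report the state of SeDebugPrivilege in the
# current process token by parsing `whoami /priv`. An elevated shell normally shows the
# privilege as Disabled; a SYSTEM shell typically shows it as Enabled already.
function Get-SeDebugPrivilegeState {
    $lines = whoami /priv 2>$null
    if (-not $lines) { throw "whoami /priv produced no output" }
    $match = $lines | Where-Object { $_ -match '^\s*SeDebugPrivilege\s' }
    if (-not $match) {
        # Privilege is not in the token at all (e.g. a non-admin user); it cannot be
        # enabled with AdjustTokenPrivileges, so the technique cannot work from here.
        return [pscustomobject]@{ Present = $false; Enabled = $false }
    }
    # The last column of the whoami output is the State: Enabled or Disabled.
    $enabled = $match -match '\sEnabled\s*$'
    return [pscustomobject]@{ Present = $true; Enabled = [bool]$enabled }
}

$state = Get-SeDebugPrivilegeState
if (-not $state.Present) {
    Write-Warning "SeDebugPrivilege is not in this token; an elevated (administrator) context is required."
} elseif (-not $state.Enabled) {
    Write-Host "SeDebugPrivilege is present but Disabled (the default); it must be enabled before the werfault step runs."
} else {
    Write-Host "SeDebugPrivilege is already Enabled (e.g. SYSTEM shell); a test from here will not reveal a privilege-ordering bug."
}
```

Running this from both an ordinary elevated shell and a SYSTEM shell before testing makes the difference between the two environments explicit, so an empty dump can be attributed to privilege ordering rather than to the Windows build.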
Hi @S4ntiagoP ,
the werfault technique seems cool and has some potential :)
However, I ran it on a Windows 1909 and I got an empty lsass dump:
This is the output of the debug release:
Any idea why it's not working?