Debugging lsass with x64dbg #2411
Comments
You could try something like https://github.com/brock7/xdbg or cheat engine's SEH debugging. I don't really know how to solve a deadlock in the kernel, so if you find anything let me know.
I couldn't get it working with xdbg, same result. However, I found out the way to do it:
Apart from that I don't think you can fix it from x64dbg as it seems related to the kernel indeed.
I looked into this because I was highly skeptical of @dirkjanm's claim that disabling the debug privilege option somehow fixed this problem. Why is this? Because a process started as Fortunately it was quite easy to find the cause (highlighted in red - ignore the top part of the stack as my symbols for this version of ntoskrnl seem to be missing): I can't really blame whoever wrote this function, since this is exactly how the MSDN sample code does it, but it's a little-known secret that With the fixed TitanEngine, you can now attach to
Ha nice find! Looking forward to being able to use it without jumping through hoops to run it as SYSTEM. Appreciate you looking into it :)
Created another TitanEngine PR with a tentative fix for lsass dying on detach: x64dbg/TitanEngine#7. I say tentative because I can't really explain why this fix works or why there was a difference between admin and Note for @dirkjanm: the undocumented
Hey,
I'm trying to understand some Windows internals and looking at logon packages and stuff, which are part of the lsass process. I'd like to do this with x64dbg and actually have done so in the past, but I can't get it to work on recent Windows 10 builds. As you may be aware lsass is responsible for a lot of the security things taking place in Windows, so debugging it is quite tricky.
At the moment I attach to the lsass process, x64dbg freezes and stops doing whatever it normally does, at which point a hard reboot is the only option since the whole OS freezes. Likely this is because attaching to a process suspends the threads of this process, but the attach process itself also needs a functioning lsass process for whatever reason, thus causing a deadlock. I've attached x64dbg to x64dbg to figure out where the issue is taking place, and it seems to be the DebugActiveProcess call in kernel32 that hangs the whole thing. I tried this with various builds of x64dbg ranging from a build from January to the latest snapshot (snapshot_2020-07-29_04-15) and also with various Windows 10 versions (for example 1909) and they all show the same behavior. Interestingly enough I did some debugging successfully on lsass with Server 2016 last year (but not sure which build), so it did work at some point.
Is there a way to work around this? I'd love to be able to use x64dbg instead of having to go into kernel debug mode with other tools.