
Unable to dump LSASS memory on Windows 10 with Kaspersky Total Security #4

Open
transilience opened this issue Jun 8, 2020 · 2 comments

Comments

@transilience

C:\Windows\Temp>.\Outflank-Dumpert.exe
 ________          __    _____.__                 __
 \_____  \  __ ___/  |__/ ____\  | _____    ____ |  | __
  /   |   \|  |  \   __\   __\|  | \__  \  /    \|  |/ /
 /    |    \  |  /|  |  |  |  |  |__/ __ \|   |  \    <
 \_______  /____/ |__|  |__|  |____(____  /___|  /__|_ \
         \/                             \/     \/     \/
                                  Dumpert
                               By Cneeliz @Outflank 2019

[1] Checking OS version details:
        [+] Operating System is Windows 10 or Server 2016, build number 18363
        [+] Mapping version specific System calls.
[2] Checking Process details:
        [+] Process ID of lsass.exe is: 584
        [+] NtReadVirtualMemory function pointer at: 0x00007FFF92C3C840
        [+] NtReadVirtualMemory System call nr is: 0x3f
        [+] Unhooking NtReadVirtualMemory.
[3] Create memorydump file:
        [+] Open a process handle.
        [+] Dump lsass.exe memory to: \??\C:\Windows\Temp\dumpert.dmp
        [!] Failed to create minidump, error code: 80070005
C:\Windows\Temp>systeminfo

Host Name:                 DESKTOP-1
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.18363 N/A Build 18363
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          localhost

It would be great if error code 80070005 could be explained, please, so that the same can be attempted.

@kirubaKaranT

I'm also facing the same issue.
@transilience did you find any solution for it?

@janedoe-lab

Error code 80070005 is ACCESS DENIED. Not sure if it is about access to dumpert.dll or to the lsass.exe process (likely the latter). Good news: when Kaspersky is in Pause mode, lsass.exe can be dumped (unlike using standard tools; Kaspersky's drivers block dumping lsass even when it is paused).

3 participants