nanodump

[SIXSlu]

Hey there Sliver community,

Not trying to pester the devs with my questions, seeing how trivial this is - I can only assume that this is not a bug but an issue on my side.

I have two questions on nanodump as a BoF:
Anyone gotten it to work with Windows 11? - I try to parse the dump with pypykatz and am getting nowhere. Seems like the dump is misaligned. Running pypykatz -v lsa minidump results in:
INFO:pypykatz:Parsing file ../lsass.dmp
DEBUG:pypykatz:Failed to automatically detect correct LSA template! Reason: Memory address 0x7ffca96e52e8 is not in process memory space
DEBUG:pypykatz:Testing all available templates! Expect warnings!
DEBUG:pypykatz:signature not found! 8364243000448b4dd8488b0d
DEBUG:pypykatz:signature not found! 8364243000448b4dd8488b0d
DEBUG:pypykatz:signature not found! 8364243000448b4dd8488b0d
DEBUG:pypykatz:signature not found! 8364243000448b4c2448488b0d
DEBUG:pypykatz:signature not found! 8364243000448b4c2448488b0d
INFO:pypykatz:===== BASIC INFO. SUBMIT THIS IF THERE IS AN ISSUE =====
INFO:pypykatz:pypyKatz version: 0.6.6
INFO:pypykatz:CPU arch: X64
INFO:pypykatz:OS: Windows 10
INFO:pypykatz:BuildNumber: 22621
INFO:pypykatz:MajorVersion: 6
INFO:pypykatz:MSV timestamp: 3050432716
INFO:pypykatz:===== BASIC INFO END =====
ERROR:pypykatz:Error while parsing file ../lsass.dmp

Second - and I think this is way more important from an OpSec perspective. Is there any way I can loot the output of nanodump directly back to the server (fileless)?

Cheers for anyone willing to respond!

[SIXSlu]

Tested with Win10 - works like a charm. Guess nanodump isn't yet up to spec to perform dumps of lsass in win11?

[SIXSlu]

And then I learned some stuff about CredentialGuard and windows 11...

[SIXSlu]

might be even ASR.... if anyone has some good papers on the matter, shout out!