This repository has been archived by the owner on Jan 21, 2021. It is now read-only.

updating mimikatz... #147

Closed
jun0s opened this issue Jun 4, 2016 · 6 comments

@jun0s

jun0s commented Jun 4, 2016

I always update mimikatz, but since this change... "gentilkiwi/mimikatz@8159455"
(new sid module)

this happens locally;

PS C:\Users\userxs> invoke-mimikatz
New function reference is null, this is almost certainly a bug in this script. Function: 73. Dll: WLDAP32.dll
En C:\Windows\system32\WindowsPowerShell\v1.0\Modules\powersploit\Exfiltration\Invoke-Mimikatz.ps1: 1714 Carácter: 7
+ ... Throw "New function reference is null, this is almost cer ...
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : OperationStopped: (New function re...ll: WLDAP32.dll:String) [], RuntimeException
    + FullyQualifiedErrorId : New function reference is null, this is almost certainly a bug in this script. Function: 73. Dll: WLDAP32.dll

I solved this by removing that "if sentence" from the code...

if ($NewThunkRef -eq $null -or $NewThunkRef -eq [IntPtr]::Zero)
{
    Throw "New function reference is null, this is almost certainly a bug in this script. Function: $ProcedureName. Dll: $ImportDllPath"
}

but I doubt it's the right thing... I'm not a programmer.

thank u guys!!

@gentilkiwi

gentilkiwi commented Jun 8, 2016

In fact, reflective script of @clymb3r does not really deal with ordinal imports... and LDAP functions are imported by ordinal imports.
But because he already made all the hard work, it's easy to fix :)

Around line 1690, replace

[IntPtr]$NewThunkRef = $Win32Functions.GetProcAddress.Invoke($ImportDllHandle, $ProcedureName)

by

if($ProcedureName -is [string])
{
    [IntPtr]$NewThunkRef = $Win32Functions.GetProcAddress.Invoke($ImportDllHandle, $ProcedureName)
}
else
{
    [IntPtr]$NewThunkRef = $Win32Functions.GetProcAddressOrdinal.Invoke($ImportDllHandle, $ProcedureName)
}

Get-RemoteProcAddress might have the problem too, but it does not seem to be used for local or remote powershell (only when the DLL is injected in another process than powershell)
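
The name-versus-ordinal split discussed above is encoded in the PE import lookup table: a thunk with its high bit set carries a 16-bit ordinal, otherwise it points at a hint/name entry, which is why the lookup has to branch on whether it holds a string or a number. The following is an added example, not code from this thread or from PowerSploit; it decodes a constructed table for both PE32 and PE32+. `decode_thunks`, `build_sample` and the name `ExampleFunction` are hypothetical, offsets stand in for RVAs, and the ordinal 73 is taken from the error message in the report.

```python
import struct

# High bit of a thunk marks an import by ordinal (IMAGE_ORDINAL_FLAG32/64).
ORDINAL_FLAG = {4: 0x80000000, 8: 0x8000000000000000}

def decode_thunks(image: bytes, table_off: int, pe32_plus: bool):
    """Walk a zero-terminated import lookup table; return each entry as
    ("ordinal", int) or ("name", str). Assumption: RVA == buffer offset."""
    size, fmt = (8, "<Q") if pe32_plus else (4, "<I")
    out, off = [], table_off
    while True:
        if off + size > len(image):
            raise ValueError("import table runs past end of image")
        (thunk,) = struct.unpack_from(fmt, image, off)
        if thunk == 0:                       # null thunk ends the table
            return out
        if thunk & ORDINAL_FLAG[size]:
            # Low 16 bits are the ordinal: resolved as an integer, not a string.
            out.append(("ordinal", thunk & 0xFFFF))
        else:
            # Low 31 bits are the RVA of a hint/name entry: 2-byte hint + ASCIIZ.
            name_off = (thunk & 0x7FFFFFFF) + 2
            end = image.find(b"\x00", name_off)
            if end < 0:
                raise ValueError(f"unterminated name at {name_off:#x}")
            out.append(("name", image[name_off:end].decode("ascii")))
        off += size

def build_sample(pe32_plus: bool) -> bytes:
    """Constructed sample: one by-name import, then ordinal 73, then terminator."""
    size, fmt = (8, "<Q") if pe32_plus else (4, "<I")
    name_rva = 0x40
    table = b"".join(struct.pack(fmt, v)
                     for v in (name_rva, ORDINAL_FLAG[size] | 73, 0))
    image = bytearray(0x60)
    image[:len(table)] = table
    name = b"\x00\x00" + b"ExampleFunction\x00"   # hint 0, hypothetical name
    image[name_rva:name_rva + len(name)] = name
    return bytes(image)

if __name__ == "__main__":
    for plus in (False, True):
        print("PE32+" if plus else "PE32", decode_thunks(build_sample(plus), 0, plus))
```

A resolver that treats every decoded entry as a string has no valid lookup for the `("ordinal", 73)` case, which matches the "Function: 73" in the reported error.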

@jun0s
Author

jun0s commented Jun 9, 2016

Thank you very much @gentilkiwi that works. :D

@jun0s jun0s closed this as completed Jun 9, 2016
@gentilkiwi

I'm not certain that this issue must be closed.
This could be the case when one of @clymb3r, @mattifestation or @HarmJ0y will have fixed the Invoke-Mimikatz.ps1 script :)


@jun0s
Author

jun0s commented Jun 13, 2016

lol ....

@jun0s jun0s reopened this Jun 13, 2016
byt3bl33d3r pushed a commit to byt3bl33d3r/CrackMapExec that referenced this issue Jun 29, 2016
The module uses Mimikatz's new DPAPI Chrome module to decrypt saved
chrome credentials

Additionally a new version of Invoke-Mimikatz.ps1 script has been added
that contains the latest Mimikatz binaries and a patch for it to work
when injected
(PowerShellMafia/PowerSploit#147)
@HarmJ0y
Contributor

HarmJ0y commented Jul 15, 2016

@mattifestation is currently fixing the bug and updating Mimikatz to the latest release 👍

mattifestation pushed a commit that referenced this issue Jul 15, 2016
Invoke-Mimikatz was not handling functions exported by ordinal.
Thank you @gentilkiwi for the suggested fix!
@mattifestation mattifestation self-assigned this Jul 15, 2016
@mattifestation
Contributor

Updated lib 66c93f9
