skelsec / minidump

Python library to parse and read Microsoft minidump file format
MIT License

Memory address 0x00100010 is not in process memory space #9

Closed aas-n closed 4 years ago

aas-n commented 4 years ago

Hi skelsec,

A problem with that machine:

C:\>systeminfo

Host Name:                 SQL-2012
OS Name:                   Microsoft Windows Server 2012 Datacenter
OS Version:                6.2.9200 N/A Build 9200
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Member Server

I ran procdump with the following command:

C:\>procdump64.exe -accepteula -ma lsass.exe lsass2.dmp

ProcDump v9.0 - Sysinternals process dump utility
Copyright (C) 2009-2017 Mark Russinovich and Andrew Richards
Sysinternals - www.sysinternals.com

[21:22:35] Dump 1 initiated: C:\lsass2-1.dmp
[21:22:35] Dump 1 writing: Estimated dump file size is 31 MB.
[21:22:35] Dump 1 complete: 32 MB written in 0.1 seconds
[21:22:35] Dump count reached.

When trying to parse with pypykatz, I get the following stack trace:

aas@SPRAYLOVE:~$ pypykatz lsa minidump lsass2.dmp
INFO:root:Parsing file lsass2.dmp
INFO:pypykatz:===== BASIC INFO. SUBMIT THIS IF THERE IS AN ISSUE =====
INFO:pypykatz:CPU arch: X64
INFO:pypykatz:OS: Windows Server 2012
INFO:pypykatz:BuildNumber: 9200
INFO:pypykatz:MajorVersion: 6 
INFO:pypykatz:MSV timestamp: 1567034068
INFO:pypykatz:===== BASIC INFO END =====
ERROR:root:Error while parsing file lsass2.dmp
Traceback (most recent call last):
  File "/home/aas/.local/lib/python3.6/site-packages/pypykatz/lsadecryptor/cmdhelper.py", line 195, in run
    mimi = pypykatz.parse_minidump_file(args.memoryfile)
  File "/home/aas/.local/lib/python3.6/site-packages/pypykatz/pypykatz.py", line 66, in parse_minidump_file
    raise e
  File "/home/aas/.local/lib/python3.6/site-packages/pypykatz/pypykatz.py", line 62, in parse_minidump_file
    mimi.start()
  File "/home/aas/.local/lib/python3.6/site-packages/pypykatz/pypykatz.py", line 245, in start
    self.get_logoncreds()
  File "/home/aas/.local/lib/python3.6/site-packages/pypykatz/pypykatz.py", line 146, in get_logoncreds
    logoncred_decryptor.start()
  File "/home/aas/.local/lib/python3.6/site-packages/pypykatz/lsadecryptor/packages/msv/decryptor.py", line 367, in start
    self.walk_list(entry_ptr, self.add_entry)
  File "/home/aas/.local/lib/python3.6/site-packages/pypykatz/lsadecryptor/package_commons.py", line 179, in walk_list
    callback(entry)
  File "/home/aas/.local/lib/python3.6/site-packages/pypykatz/lsadecryptor/packages/msv/decryptor.py", line 284, in add_entry
    self.walk_list(entry.Credentials_list_ptr, self.add_credentials)
  File "/home/aas/.local/lib/python3.6/site-packages/pypykatz/lsadecryptor/package_commons.py", line 174, in walk_list
    entry = entry_ptr.read(self.reader)
  File "/home/aas/.local/lib/python3.6/site-packages/minidump/win_datatypes.py", line 19, in read
    reader.move(self.value)
  File "/home/aas/.local/lib/python3.6/site-packages/minidump/minidumpreader.py", line 84, in move
    self._select_segment(address)
  File "/home/aas/.local/lib/python3.6/site-packages/minidump/minidumpreader.py", line 55, in _select_segment
    raise Exception('Memory address 0x%08x is not in process memory space' % requested_position)
Exception: Memory address 0x00100010 is not in process memory space
Traceback (most recent call last):
  File "/home/aas/.local/lib/python3.6/site-packages/pypykatz/lsadecryptor/cmdhelper.py", line 195, in run
    mimi = pypykatz.parse_minidump_file(args.memoryfile)
  File "/home/aas/.local/lib/python3.6/site-packages/pypykatz/pypykatz.py", line 66, in parse_minidump_file
    raise e
  File "/home/aas/.local/lib/python3.6/site-packages/pypykatz/pypykatz.py", line 62, in parse_minidump_file
    mimi.start()
  File "/home/aas/.local/lib/python3.6/site-packages/pypykatz/pypykatz.py", line 245, in start
    self.get_logoncreds()
  File "/home/aas/.local/lib/python3.6/site-packages/pypykatz/pypykatz.py", line 146, in get_logoncreds
    logoncred_decryptor.start()
  File "/home/aas/.local/lib/python3.6/site-packages/pypykatz/lsadecryptor/packages/msv/decryptor.py", line 367, in start
    self.walk_list(entry_ptr, self.add_entry)
  File "/home/aas/.local/lib/python3.6/site-packages/pypykatz/lsadecryptor/package_commons.py", line 179, in walk_list
    callback(entry)
  File "/home/aas/.local/lib/python3.6/site-packages/pypykatz/lsadecryptor/packages/msv/decryptor.py", line 284, in add_entry
    self.walk_list(entry.Credentials_list_ptr, self.add_credentials)
  File "/home/aas/.local/lib/python3.6/site-packages/pypykatz/lsadecryptor/package_commons.py", line 174, in walk_list
    entry = entry_ptr.read(self.reader)
  File "/home/aas/.local/lib/python3.6/site-packages/minidump/win_datatypes.py", line 19, in read
    reader.move(self.value)
  File "/home/aas/.local/lib/python3.6/site-packages/minidump/minidumpreader.py", line 84, in move
    self._select_segment(address)
  File "/home/aas/.local/lib/python3.6/site-packages/minidump/minidumpreader.py", line 55, in _select_segment
    raise Exception('Memory address 0x%08x is not in process memory space' % requested_position)
Exception: Memory address 0x00100010 is not in process memory space

Do you have any hint? Thank you.


skelsec commented 4 years ago

This is a pypykatz issue, closing it here.