Open yofbalibump opened 1 year ago
Hey! Is there any chance this is a Windows 11 lsass dump? I've got the same issue with a Win11 dump. BTW pypy identifies OS as Win10:

```
INFO:pypykatz:pypyKatz version: 0.6.3
INFO:pypykatz:CPU arch: X64
INFO:pypykatz:OS: Windows 10
INFO:pypykatz:BuildNumber: 22621
```
Thank you for the comment, I actually fixed the parsing (not the OS detection) not long after the issue was created, however since this is a new feature only Porchetta Industries subscribers have access to it until March.
There is a quick-n-easy way to have access to this feature without subscription, and that is to use the WASM-based Octopwn tool.
Hi, I have exactly the same issue with a dump from Windows 11.
I had a similar `Memory address ... is not in process memory space` error coming out of pypykatz 0.6.6 today. The same dump parsed beautifully with Octopwn.
> this is a new feature only Porchetta Industries subscribers have access to it until March.
Has the GA release of this update been postponed?
Hi, I've got an LSASS memory dump that I'm unable to parse with pypykatz. The file is shared in the issue.
Here is the message I get:

```
% pypykatz lsa minidump ../lsass.DMP
INFO:pypykatz:Parsing file ../lsass.DMP
INFO:pypykatz:===== BASIC INFO. SUBMIT THIS IF THERE IS AN ISSUE =====
INFO:pypykatz:pypyKatz version: 0.6.3
INFO:pypykatz:CPU arch: X64
INFO:pypykatz:OS: Windows 10
INFO:pypykatz:BuildNumber: 22621
INFO:pypykatz:MajorVersion: 6
INFO:pypykatz:MSV timestamp: 42982603
INFO:pypykatz:===== BASIC INFO END =====
ERROR:pypykatz:Error while parsing file ../lsass.DMP
Traceback (most recent call last):
  File "~/pypykatz/pypykatz/pypykatz.py", line 260, in get_lsa
    lsa_dec = LsaDecryptor.choose(self.reader, lsa_dec_template, self.sysinfo)
  File "~/pypykatz/pypykatz/lsadecryptor/lsa_decryptor.py", line 20, in choose
    return LsaDecryptor_NT6(reader, decryptor_template, sysinfo)
  File "~/pypykatz/pypykatz/lsadecryptor/lsa_decryptor_nt6.py", line 22, in __init__
    self.acquire_crypto_material()
  File "~/pypykatz/pypykatz/lsadecryptor/lsa_decryptor_nt6.py", line 30, in acquire_crypto_material
    self.iv = self.get_IV(sigpos)
  File "~/pypykatz/pypykatz/lsadecryptor/lsa_decryptor_nt6.py", line 66, in get_IV
    self.reader.move(ptr_iv)
  File "~/.local/lib/python3.9/site-packages/minidump/minidumpreader.py", line 136, in move
    self._select_segment(address)
  File "~/.local/lib/python3.9/site-packages/minidump/minidumpreader.py", line 104, in _select_segment
    raise Exception('Memory address 0x%08x is not in process memory space' % requested_position)
Exception: Memory address 0x7ffd903728b8 is not in process memory space

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "~/pypykatz/pypykatz/lsadecryptor/cmdhelper.py", line 242, in run
    mimi = pypykatz.parse_minidump_file(args.memoryfile, packages=args.packages)
  File "~/pypykatz/pypykatz/pypykatz.py", line 150, in parse_minidump_file
    raise e
  File "~/pypykatz/pypykatz/pypykatz.py", line 146, in parse_minidump_file
    mimi.start(packages)
  File "~/pypykatz/pypykatz/pypykatz.py", line 349, in start
    self.lsa_decryptor = self.get_lsa()
  File "~/pypykatz/pypykatz/pypykatz.py", line 266, in get_lsa
    raise Exception('All detection methods failed.')
Exception: All detection methods failed.
Traceback (most recent call last):
  File "~/pypykatz/pypykatz/pypykatz.py", line 260, in get_lsa
    lsa_dec = LsaDecryptor.choose(self.reader, lsa_dec_template, self.sysinfo)
  File "~/pypykatz/pypykatz/lsadecryptor/lsa_decryptor.py", line 20, in choose
    return LsaDecryptor_NT6(reader, decryptor_template, sysinfo)
  File "~/pypykatz/pypykatz/lsadecryptor/lsa_decryptor_nt6.py", line 22, in __init__
    self.acquire_crypto_material()
  File "~/pypykatz/pypykatz/lsadecryptor/lsa_decryptor_nt6.py", line 30, in acquire_crypto_material
    self.iv = self.get_IV(sigpos)
  File "~/pypykatz/pypykatz/lsadecryptor/lsa_decryptor_nt6.py", line 66, in get_IV
    self.reader.move(ptr_iv)
  File "~/.local/lib/python3.9/site-packages/minidump/minidumpreader.py", line 136, in move
    self._select_segment(address)
  File "~/.local/lib/python3.9/site-packages/minidump/minidumpreader.py", line 104, in _select_segment
    raise Exception('Memory address 0x%08x is not in process memory space' % requested_position)
Exception: Memory address 0x7ffd903728b8 is not in process memory space

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "~/pypykatz/pypykatz/lsadecryptor/cmdhelper.py", line 242, in run
    mimi = pypykatz.parse_minidump_file(args.memoryfile, packages=args.packages)
  File "~/pypykatz/pypykatz/pypykatz.py", line 150, in parse_minidump_file
    raise e
  File "~/pypykatz/pypykatz/pypykatz.py", line 146, in parse_minidump_file
    mimi.start(packages)
  File "~/pypykatz/pypykatz/pypykatz.py", line 349, in start
    self.lsa_decryptor = self.get_lsa()
  File "~/pypykatz/pypykatz/pypykatz.py", line 266, in get_lsa
    raise Exception('All detection methods failed.')
Exception: All detection methods failed.
```
Here is the dump lsass.zip
Thanks in advance
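
A triage check for the two symptoms reported in this thread, added here as an example (it is not code from pypykatz or the minidump library): it reads BuildNumber from the dump's SystemInfo stream, names the OS from the build number, and tests whether an address like the one in the traceback lies in a captured Memory64List range. The function names and the sample dump are constructed for illustration, and the build-number mapping assumes a client (non-server) Windows SKU.

```python
import struct

SYSTEM_INFO_STREAM = 7    # MINIDUMP_STREAM_TYPE: SystemInfoStream
MEMORY64_LIST_STREAM = 9  # MINIDUMP_STREAM_TYPE: Memory64ListStream

def parse_minidump(data):
    """Return (build_number, [(start, size), ...]) from raw minidump bytes."""
    sig, _version, n_streams, dir_rva = struct.unpack_from("<4sIII", data, 0)
    if sig != b"MDMP":
        raise ValueError("not a minidump (bad signature)")
    build, ranges = None, []
    for i in range(n_streams):
        stype, _size, rva = struct.unpack_from("<III", data, dir_rva + 12 * i)
        if stype == SYSTEM_INFO_STREAM:
            # MINIDUMP_SYSTEM_INFO: 8 bytes of CPU/product fields, then
            # MajorVersion, MinorVersion, BuildNumber as little-endian u32.
            _major, _minor, build = struct.unpack_from("<III", data, rva + 8)
        elif stype == MEMORY64_LIST_STREAM:
            count, _base_rva = struct.unpack_from("<QQ", data, rva)
            ranges = [struct.unpack_from("<QQ", data, rva + 16 + 16 * j)
                      for j in range(count)]
    if build is None:
        raise ValueError("no SystemInfoStream in dump")
    return build, ranges

def client_os_name(build):
    """Name a client Windows release from its build number alone (assumption: non-server SKU)."""
    if build >= 22000:   # Windows 11 starts at build 22000
        return "Windows 11"
    if build >= 10240:   # Windows 10 starts at build 10240
        return "Windows 10"
    return "pre-Windows 10"

def address_in_dump(ranges, address):
    """True if the virtual address lies inside a captured memory range."""
    return any(start <= address < start + size for start, size in ranges)

def build_sample_dump():
    """Constructed sample: header, 2-entry directory, SystemInfo, one range."""
    header = struct.pack("<4sIIIIIQ", b"MDMP", 0xA793, 2, 32, 0, 0, 0)
    directory = (struct.pack("<III", SYSTEM_INFO_STREAM, 56, 56) +
                 struct.pack("<III", MEMORY64_LIST_STREAM, 32, 112))
    sysinfo = struct.pack("<HHHBBIII", 9, 6, 0, 4, 1, 10, 0, 22621).ljust(56, b"\0")
    mem64 = struct.pack("<QQ", 1, 144) + struct.pack("<QQ", 0x7FFD90000000, 0x1000)
    return header + directory + sysinfo + mem64

if __name__ == "__main__":
    build, ranges = parse_minidump(build_sample_dump())
    print(build, client_os_name(build))
    print(address_in_dump(ranges, 0x7FFD903728B8))
```
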