Issue when executing "pypykatz lsa minidump lsass.DMP"

skelsec / pypykatz

Mimikatz implementation in pure Python

MIT License

2.77k stars 367 forks source link

Issue when executing "pypykatz lsa minidump lsass.DMP" #123

Open RomanY467 opened 1 year ago

RomanY467 commented 1 year ago

When attempting to parse credentials from the "lsass.DMP" memory dump file using the command "pypykatz lsa minidump lsass.DMP", the pypykatz tool appears to have a memory leak issue. It keeps consuming more and more memory without parsing any credentials. This problem persists even after waiting for an extended period of time. However, parsing the same dump file using Mimikatz works fine. Same problem on kali linux through VM. Environment: Macbook air M1 8GB RAM Operating System: macOS Ventura 13.2 Python version: 3.11.2 pypykatz version: 0.6.6

skelsec commented 1 year ago

Hello, I have not yet encountered this issue myself, if you could share a minidump file with me which would help reproducing this issue it might help solving the problem.
Another test case that you could perform is: can you try running the same command on the same dumpfile but on a PC? Or a Mac that is not using ARM? Reason I'm asking is that there has been already an issue submitted with the cryptography library on M1s which potentially (no likely but who knows) could cause issues.

RomanY467 commented 1 year ago

lsass.DMP.zip

Hello, I have not yet encountered this issue myself, if you could share a minidump file with me which would help reproducing this issue it might help solving the problem. Another test case that you could perform is: can you try running the same command on the same dumpfile but on a PC? Or a Mac that is not using ARM? Reason I'm asking is that there has been already an issue submitted with the cryptography library on M1s which potentially (no likely but who knows) could cause issues.

I used this minidump and extracted credentials using Mimikatz without encountering any issues.

skelsec commented 1 year ago

Thanks for the dump. this is super-interesting! it seems that it's not a pypykatz rather a minidump issue. No worries, I'm also the author of that one :) Will come back soon with a solution. Side note: mimikatz uses windows' built-in parser for minidump files so ovbiously it doesn't have a problem with these

aparker4j commented 4 months ago

Thanks for the dump. this is super-interesting! it seems that it's not a pypykatz rather a minidump issue. No worries, I'm also the author of that one :) Will come back soon with a solution. Side note: mimikatz uses windows' built-in parser for minidump files so ovbiously it doesn't have a problem with these

I've also discovered this issue when utilizing pypykatz on my kali linux VM. It cooks for a few minutes with about 20% memory usage and then skyrokets to 100% and promptly crashes the VM. Have you discovered the cause of this or a means to work around this issue?