skelsec / pypykatz

Mimikatz implementation in pure Python
MIT License

Would read over segment boundaries #19

Closed forensenellanebbia closed 5 years ago

forensenellanebbia commented 5 years ago

Error details
Minidump: 20190422_lsass.exe_10.0.10586_x86.DMP (uploaded)
Error:

(rekall) ubuntu@vmubuntudskt:~$ pypykatz minidump '/home/ubuntu/Desktop/20190422_lsass.exe_10.0.10586_x86.DMP'
INFO:root:Parsing file /home/ubuntu/Desktop/20190422_lsass.exe_10.0.10586_x86.DMP
ERROR:root:Error while parsing file /home/ubuntu/Desktop/20190422_lsass.exe_10.0.10586_x86.DMP
Traceback (most recent call last):
  File "/home/ubuntu/pypykatz/pypykatz/main.py", line 116, in main
    mimi = pypykatz.parse_minidump_file(args.minidumpfile)
  File "/home/ubuntu/pypykatz/pypykatz/pypykatz.py", line 56, in parse_minidump_file
    mimi.start()
  File "/home/ubuntu/pypykatz/pypykatz/pypykatz.py", line 171, in start
    self.get_kerberos()
  File "/home/ubuntu/pypykatz/pypykatz/pypykatz.py", line 155, in get_kerberos
    dec.start()
  File "/home/ubuntu/pypykatz/pypykatz/lsadecryptor/packages/kerberos/decryptor.py", line 100, in start
    key_list.read(self.reader, self.decryptor_template.hash_password_struct)
  File "/home/ubuntu/pypykatz/pypykatz/lsadecryptor/packages/kerberos/templates.py", line 954, in read
    self.KeyEntries.append(keyentries_type(reader))
  File "/home/ubuntu/pypykatz/pypykatz/lsadecryptor/packages/kerberos/templates.py", line 921, in __init__
    self.unk0 = PVOID(reader).value
  File "/home/ubuntu/rekall/lib/python3.6/site-packages/minidump/win_datatypes.py", line 39, in __init__
    super().__init__(reader, None) #with void we cannot determine the final type
  File "/home/ubuntu/rekall/lib/python3.6/site-packages/minidump/win_datatypes.py", line 12, in __init__
    self.value = reader.read_uint()
  File "/home/ubuntu/rekall/lib/python3.6/site-packages/minidump/minidumpreader.py", line 161, in read_uint
    return int.from_bytes(self.read(4), byteorder = 'little', signed = False)
  File "/home/ubuntu/rekall/lib/python3.6/site-packages/minidump/minidumpreader.py", line 135, in read
    raise Exception('Would read over segment boundaries!')
Exception: Would read over segment boundaries!

Operating system details
OS name: Windows 10 Pro
OS version: 10.0.10586
CPU architecture: x86
msv1_0.dll timestamp: 30/10/2015 05:44Z

Pypykatz installation
Pypykatz installed through git clone on Ubuntu 18.04.2 with Python 3.6.7.

Thanks!

skelsec commented 5 years ago

Do you have like a warehouse full of lsass dumps? Not that I mind, just please give a hint on what is your success/fail ratio parsing them with pypykatz because I get a bit worried that my SW is full of bugs (I mean I know it is, but only seeing the failures gives me a bad feeling)

It is fixed now, pls confirm.

forensenellanebbia commented 5 years ago

No warehouse, at the moment just a good amount of free time and curiosity. It's now working. Thanks for your time and the fix.
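
For readers triaging similar failures, here is a simplified model of the bounds check that raised the exception in the traceback above, plus a list parser that keeps what it already read when a structure runs past the segment end. This is an added example, not code from pypykatz or minidump; `SegmentReader`, `SegmentBoundaryError`, `parse_entries` and the sample bytes are hypothetical and constructed for illustration.

```python
import struct

class SegmentBoundaryError(Exception):
    """Raised when a read would run past the end of the captured segment."""

class SegmentReader:
    # Hypothetical, simplified model of a reader over one memory segment of a dump.
    def __init__(self, start_va, data):
        self.start_va = start_va
        self.data = data
        self.pos = 0  # offset inside the segment

    def move(self, va):
        off = va - self.start_va
        if not 0 <= off <= len(self.data):
            raise SegmentBoundaryError(f"address {va:#x} is outside the segment")
        self.pos = off

    def read(self, size):
        # Refuse the whole read; never return a short buffer that would decode wrongly.
        if self.pos + size > len(self.data):
            raise SegmentBoundaryError("Would read over segment boundaries!")
        chunk = self.data[self.pos:self.pos + size]
        self.pos += size
        return chunk

    def read_uint(self):
        # Same decoding as the read_uint frame in the traceback: 4 bytes, little-endian.
        return int.from_bytes(self.read(4), byteorder="little", signed=False)

def parse_entries(reader, list_va):
    """Parse a count-prefixed list of 8-byte entries; stop cleanly if it overruns."""
    reader.move(list_va)
    count = reader.read_uint()
    entries, error = [], None
    for i in range(count):
        try:
            entries.append((reader.read_uint(), reader.read_uint()))
        except SegmentBoundaryError as exc:
            error = f"entry {i} of {count}: {exc}"
            break
    return entries, error

# Constructed sample: the header claims 3 entries but the segment holds only 2.
SEGMENT = (struct.pack("<I", 3) + struct.pack("<II", 0x11, 0x1000)
           + struct.pack("<II", 0x12, 0x2000))

if __name__ == "__main__":
    print(parse_entries(SegmentReader(0x400000, SEGMENT), 0x400000))
```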