skelsec / pypykatz

Mimikatz implementation in pure Python
MIT License

parse_minidump_external fails #39

Closed aas-n closed 4 years ago

aas-n commented 4 years ago

Hi skelsec,

I have a little problem with this machine:

C:\>systeminfo

Host Name:                 DC1-2016
OS Name:                   Microsoft Windows Server 2016 Datacenter
OS Version:                10.0.14393 N/A Build 14393
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Primary Domain Controller

I make a ProcDump using this:

C:\>procdump64.exe -accepteula -ma lsass.exe dump.dmp

ProcDump v9.0 - Sysinternals process dump utility
Copyright (C) 2009-2017 Mark Russinovich and Andrew Richards
Sysinternals - www.sysinternals.com

[19:01:14] Dump 1 initiated: C:\dump.dmp
[19:01:14] Dump 1 writing: Estimated dump file size is 208 MB.
[19:01:14] Dump 1 complete: 208 MB written in 0.5 seconds
[19:01:15] Dump count reached.

It works as expected when I try to parse locally with

pypykatz lsa minidump dump.dmp

But when I use the parse_minidump_external() function, I get this stacktrace:

Process Process-3:
Traceback (most recent call last):
[...]
  File "/home/aas/spraykatz/core/ParseDump.py", line 23, in parseDump
    result = pypykatz.parse_minidump_external(dump)
  File "/home/aas/.local/lib/python3.6/site-packages/pypykatz/pypykatz.py", line 96, in parse_minidump_external
    mimi.start()
  File "/home/aas/.local/lib/python3.6/site-packages/pypykatz/pypykatz.py", line 245, in start
    self.get_logoncreds()
  File "/home/aas/.local/lib/python3.6/site-packages/pypykatz/pypykatz.py", line 146, in get_logoncreds
    logoncred_decryptor.start()
  File "/home/aas/.local/lib/python3.6/site-packages/pypykatz/lsadecryptor/packages/msv/decryptor.py", line 367, in start
    self.walk_list(entry_ptr, self.add_entry)
  File "/home/aas/.local/lib/python3.6/site-packages/pypykatz/lsadecryptor/package_commons.py", line 179, in walk_list
    callback(entry)
  File "/home/aas/.local/lib/python3.6/site-packages/pypykatz/lsadecryptor/packages/msv/decryptor.py", line 281, in add_entry
    self.parse_credman_credentials(entry)
  File "/home/aas/.local/lib/python3.6/site-packages/pypykatz/lsadecryptor/packages/msv/decryptor.py", line 301, in parse_credman_credentials
    if list_starter.start.value != list_starter.start.location:
AttributeError: 'NoneType' object has no attribute 'start'

Do you have any idea?

Note: The problematic dump weighs 200MB. If you want, I can upload it.

aas-n commented 4 years ago

I deployed the exact same machine on Azure, and this time the stacktrace is:

Process Process-5:
Traceback (most recent call last):
[...]
  File "/home/aas/spraykatz/core/ParseDump.py", line 23, in parseDump
    result = pypykatz.parse_minidump_external(dump)
  File "/home/aas/.local/lib/python3.6/site-packages/pypykatz/pypykatz.py", line 96, in parse_minidump_external
    mimi.start()
  File "/home/aas/.local/lib/python3.6/site-packages/pypykatz/pypykatz.py", line 245, in start
    self.get_logoncreds()
  File "/home/aas/.local/lib/python3.6/site-packages/pypykatz/pypykatz.py", line 146, in get_logoncreds
    logoncred_decryptor.start()
  File "/home/aas/.local/lib/python3.6/site-packages/pypykatz/lsadecryptor/packages/msv/decryptor.py", line 367, in start
    self.walk_list(entry_ptr, self.add_entry)
  File "/home/aas/.local/lib/python3.6/site-packages/pypykatz/lsadecryptor/package_commons.py", line 179, in walk_list
    callback(entry)
  File "/home/aas/.local/lib/python3.6/site-packages/pypykatz/lsadecryptor/packages/msv/decryptor.py", line 284, in add_entry
    self.walk_list(entry.Credentials_list_ptr, self.add_credentials)
  File "/home/aas/.local/lib/python3.6/site-packages/pypykatz/lsadecryptor/package_commons.py", line 174, in walk_list
    entry = entry_ptr.read(self.reader)
  File "/home/aas/.local/lib/python3.6/site-packages/minidump/win_datatypes.py", line 19, in read
    reader.move(self.value)
  File "/home/aas/.local/lib/python3.6/site-packages/minidump/minidumpreader.py", line 84, in move
    self._select_segment(address)
  File "/home/aas/.local/lib/python3.6/site-packages/minidump/minidumpreader.py", line 55, in _select_segment
    raise Exception('Memory address 0x%08x is not in process memory space' % requested_position)
Exception: Memory address 0x00100010 is not in process memory space

Hope it helps...

skelsec commented 4 years ago

Please send the dump file. (I guess you can upload to the link shown on the readme)

aas-n commented 4 years ago

Hi, I already did it. Tell me if you want me to upload it again. Thanks.

skelsec commented 4 years ago

I see 2 different dump files uploaded recently. One works with default parsing and with parse_external. The second one (which is win 2012) did not work at all, because of a parsing error in one of the structures. The error is fixed now in the GH version and should be working. Please confirm and close the issue.

As for the parse_minidump_external part: I made some tests and it seems to be working well. Please use the attached script to check if it's in fact broken in the future. I took a look at how you are invoking the function in your code and while it looks okayish, it's kinda missing a lot of exception handling around the network/impacket side, so I'd recommend double checking if all the SMB file handling and buffering is working as it should. But this is not part of pypykatz so I'm going back to curing my hangover.

Nah, just kidding, since I hate being vague. Basically what is wrong with your Dump class is:

  1. You put a lot of network operations in the constructor; you shouldn't be doing that. Create an open function instead.
  2. The fileopen call tries to obtain ALL permissions to a file, but you just want to read it, and procdump might create a file that is not owned by the account you are using for SMB and might not be writable.
  3. EXCEPTION HANDLING in almost all functions. This is a network operation, thus you can't really control what will happen during reads/opens/etc.

external_test.txt

aas-n commented 4 years ago

Hi, indeed, you are right, I should be more rigorous. As I am not a good developer, I take all advice. About the two dumps, I confirm it works as expected now. Thank you for your hard work :).

vysecurity commented 3 years ago

Exception: Memory address 0x0a0007d0 is not in process memory space