Memory address is not in process memory space
yofbalibump opened this issue · 5 comments
Hi, I've got an LSASS memory dump that I'm unable to parse with pypykatz. The file is shared in the issue.
Here is the message I get:
```
% pypykatz lsa minidump ../lsass.DMP
INFO:pypykatz:Parsing file ../lsass.DMP
INFO:pypykatz:===== BASIC INFO. SUBMIT THIS IF THERE IS AN ISSUE =====
INFO:pypykatz:pypyKatz version: 0.6.3
INFO:pypykatz:CPU arch: X64
INFO:pypykatz:OS: Windows 10
INFO:pypykatz:BuildNumber: 22621
INFO:pypykatz:MajorVersion: 6
INFO:pypykatz:MSV timestamp: 42982603
INFO:pypykatz:===== BASIC INFO END =====
ERROR:pypykatz:Error while parsing file ../lsass.DMP
Traceback (most recent call last):
  File "~/pypykatz/pypykatz/pypykatz.py", line 260, in get_lsa
    lsa_dec = LsaDecryptor.choose(self.reader, lsa_dec_template, self.sysinfo)
  File "~/pypykatz/pypykatz/lsadecryptor/lsa_decryptor.py", line 20, in choose
    return LsaDecryptor_NT6(reader, decryptor_template, sysinfo)
  File "~/pypykatz/pypykatz/lsadecryptor/lsa_decryptor_nt6.py", line 22, in __init__
    self.acquire_crypto_material()
  File "~/pypykatz/pypykatz/lsadecryptor/lsa_decryptor_nt6.py", line 30, in acquire_crypto_material
    self.iv = self.get_IV(sigpos)
  File "~/pypykatz/pypykatz/lsadecryptor/lsa_decryptor_nt6.py", line 66, in get_IV
    self.reader.move(ptr_iv)
  File "~/.local/lib/python3.9/site-packages/minidump/minidumpreader.py", line 136, in move
    self._select_segment(address)
  File "~/.local/lib/python3.9/site-packages/minidump/minidumpreader.py", line 104, in _select_segment
    raise Exception('Memory address 0x%08x is not in process memory space' % requested_position)
Exception: Memory address 0x7ffd903728b8 is not in process memory space

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "~/pypykatz/pypykatz/lsadecryptor/cmdhelper.py", line 242, in run
    mimi = pypykatz.parse_minidump_file(args.memoryfile, packages=args.packages)
  File "~/pypykatz/pypykatz/pypykatz.py", line 150, in parse_minidump_file
    raise e
  File "~/pypykatz/pypykatz/pypykatz.py", line 146, in parse_minidump_file
    mimi.start(packages)
  File "~/pypykatz/pypykatz/pypykatz.py", line 349, in start
    self.lsa_decryptor = self.get_lsa()
  File "~/pypykatz/pypykatz/pypykatz.py", line 266, in get_lsa
    raise Exception('All detection methods failed.')
Exception: All detection methods failed.
Traceback (most recent call last):
  File "~/pypykatz/pypykatz/pypykatz.py", line 260, in get_lsa
    lsa_dec = LsaDecryptor.choose(self.reader, lsa_dec_template, self.sysinfo)
  File "~/pypykatz/pypykatz/lsadecryptor/lsa_decryptor.py", line 20, in choose
    return LsaDecryptor_NT6(reader, decryptor_template, sysinfo)
  File "~/pypykatz/pypykatz/lsadecryptor/lsa_decryptor_nt6.py", line 22, in __init__
    self.acquire_crypto_material()
  File "~/pypykatz/pypykatz/lsadecryptor/lsa_decryptor_nt6.py", line 30, in acquire_crypto_material
    self.iv = self.get_IV(sigpos)
  File "~/pypykatz/pypykatz/lsadecryptor/lsa_decryptor_nt6.py", line 66, in get_IV
    self.reader.move(ptr_iv)
  File "~/.local/lib/python3.9/site-packages/minidump/minidumpreader.py", line 136, in move
    self._select_segment(address)
  File "~/.local/lib/python3.9/site-packages/minidump/minidumpreader.py", line 104, in _select_segment
    raise Exception('Memory address 0x%08x is not in process memory space' % requested_position)
Exception: Memory address 0x7ffd903728b8 is not in process memory space

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "~/pypykatz/pypykatz/lsadecryptor/cmdhelper.py", line 242, in run
    mimi = pypykatz.parse_minidump_file(args.memoryfile, packages=args.packages)
  File "~/pypykatz/pypykatz/pypykatz.py", line 150, in parse_minidump_file
    raise e
  File "~/pypykatz/pypykatz/pypykatz.py", line 146, in parse_minidump_file
    mimi.start(packages)
  File "~/pypykatz/pypykatz/pypykatz.py", line 349, in start
    self.lsa_decryptor = self.get_lsa()
  File "~/pypykatz/pypykatz/pypykatz.py", line 266, in get_lsa
    raise Exception('All detection methods failed.')
Exception: All detection methods failed.
```
Here is the dump
lsass.zip
Thanks in advance
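A triage check for the error above, added here as an example (not code from pypykatz, the minidump library, or any participant in this thread): it reads a dump's Memory64ListStream with the public MINIDUMP layouts and reports whether a given virtual address is backed by any captured range, which is the condition `_select_segment` fails on in the traceback. The sample dump, its two ranges, and all function names are constructed for illustration; only the address `0x7ffd903728b8` comes from the log.

```python
import struct

MEMORY64_LIST_STREAM = 9  # MINIDUMP_STREAM_TYPE value for Memory64ListStream

def memory64_ranges(dump: bytes):
    """Return [(start, size)] for every range in the dump's Memory64ListStream."""
    sig, _ver, nstreams, dir_rva = struct.unpack_from("<4sIII", dump, 0)
    if sig != b"MDMP":
        raise ValueError("not a minidump (bad signature)")
    for i in range(nstreams):
        # MINIDUMP_DIRECTORY: StreamType, DataSize, Rva (12 bytes each)
        stype, size, rva = struct.unpack_from("<III", dump, dir_rva + 12 * i)
        if stype != MEMORY64_LIST_STREAM:
            continue
        count, _base_rva = struct.unpack_from("<QQ", dump, rva)
        if 16 + 16 * count > size:
            raise ValueError("Memory64ListStream descriptor table is truncated")
        return [struct.unpack_from("<QQ", dump, rva + 16 + 16 * j)
                for j in range(count)]
    return []  # no full-memory stream in this dump

def find_range(ranges, address):
    """Return the (start, size) range that contains address, or None."""
    for start, size in ranges:
        if start <= address < start + size:
            return (start, size)
    return None

def neighbours(ranges, address):
    """Closest captured range ending at or below address, and first one above it."""
    below = max((r for r in ranges if r[0] + r[1] <= address), default=None)
    above = min((r for r in ranges if r[0] > address), default=None)
    return below, above

def build_sample_dump(ranges):
    """Constructed minimal dump: header, one directory entry, range table only."""
    body = struct.pack("<QQ", len(ranges), 0)
    body += b"".join(struct.pack("<QQ", s, n) for s, n in ranges)
    header = struct.pack("<4sIIIIIQ", b"MDMP", 0xA793, 1, 32, 0, 0, 0)
    directory = struct.pack("<III", MEMORY64_LIST_STREAM, len(body), 32 + 12)
    return header + directory + body

# Constructed ranges; the second ends one page short of the failing address.
SAMPLE = build_sample_dump([(0x7FFD90300000, 0x1000), (0x7FFD90371000, 0x1000)])

if __name__ == "__main__":
    addr = 0x7FFD903728B8  # address from the traceback above
    rs = memory64_ranges(SAMPLE)
    print(hex(addr), "covered:", find_range(rs, addr), "neighbours:", neighbours(rs, addr))
```

On a real dump, pass the file's bytes to `memory64_ranges` instead of `SAMPLE`.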
Hey! Is there any chance this is a Windows 11 lsass dump? I've got the same issue with a Win11 dump. BTW pypy identifies the OS as Win10:
```
INFO:pypykatz:pypyKatz version: 0.6.3
INFO:pypykatz:CPU arch: X64
INFO:pypykatz:OS: Windows 10
INFO:pypykatz:BuildNumber: 22621
```
Thank you for the comment, I actually fixed the parsing (not the OS detection) not long after the issue was created, however since this is a new feature only Porchetta Industries subscribers have access to it until March.
There is a quick-n-easy way to have access to this feature without subscription, and that is to use the WASM-based Octopwn tool.
Hi, I have exactly the same issue with a dump from Windows 11.
I had a similar `Memory address ... is not in process memory space` error coming out of pypykatz 0.6.6 today. The same dump parsed beautifully with Octopwn.
> this is a new feature only Porchetta Industries subscribers have access to it until March.
Has the GA release of this update been postponed?