Memory address is not in process memory space

[yofbalibump]

Hi, I've got an LSASS memory dump that I'm unable to parse with pypykatz. The file is shared in the issue

Here is the message I get :
` % pypykatz lsa minidump ../lsass.DMP
INFO:pypykatz:Parsing file ../lsass.DMP
INFO:pypykatz:===== BASIC INFO. SUBMIT THIS IF THERE IS AN ISSUE =====
INFO:pypykatz:pypyKatz version: 0.6.3
INFO:pypykatz:CPU arch: X64
INFO:pypykatz:OS: Windows 10
INFO:pypykatz:BuildNumber: 22621
INFO:pypykatz:MajorVersion: 6
INFO:pypykatz:MSV timestamp: 42982603
INFO:pypykatz:===== BASIC INFO END =====
ERROR:pypykatz:Error while parsing file ../lsass.DMP
Traceback (most recent call last):
File "~/pypykatz/pypykatz/pypykatz.py", line 260, in get_lsa
lsa_dec = LsaDecryptor.choose(self.reader, lsa_dec_template, self.sysinfo)
File "~/pypykatz/pypykatz/lsadecryptor/lsa_decryptor.py", line 20, in choose
return LsaDecryptor_NT6(reader, decryptor_template, sysinfo)
File "~/pypykatz/pypykatz/lsadecryptor/lsa_decryptor_nt6.py", line 22, in init
self.acquire_crypto_material()
File "~/pypykatz/pypykatz/lsadecryptor/lsa_decryptor_nt6.py", line 30, in acquire_crypto_material
self.iv = self.get_IV(sigpos)
File "~/pypykatz/pypykatz/lsadecryptor/lsa_decryptor_nt6.py", line 66, in get_IV
self.reader.move(ptr_iv)
File "~/.local/lib/python3.9/site-packages/minidump/minidumpreader.py", line 136, in move
self._select_segment(address)
File "~/.local/lib/python3.9/site-packages/minidump/minidumpreader.py", line 104, in _select_segment
raise Exception('Memory address 0x%08x is not in process memory space' % requested_position)
Exception: Memory address 0x7ffd903728b8 is not in process memory space

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "~/pypykatz/pypykatz/lsadecryptor/cmdhelper.py", line 242, in run
mimi = pypykatz.parse_minidump_file(args.memoryfile, packages=args.packages)
File "~/pypykatz/pypykatz/pypykatz.py", line 150, in parse_minidump_file
raise e
File "~/pypykatz/pypykatz/pypykatz.py", line 146, in parse_minidump_file
mimi.start(packages)
File "~/pypykatz/pypykatz/pypykatz.py", line 349, in start
self.lsa_decryptor = self.get_lsa()
File "~/pypykatz/pypykatz/pypykatz.py", line 266, in get_lsa
raise Exception('All detection methods failed.')
Exception: All detection methods failed.
Traceback (most recent call last):
File "~/pypykatz/pypykatz/pypykatz.py", line 260, in get_lsa
lsa_dec = LsaDecryptor.choose(self.reader, lsa_dec_template, self.sysinfo)
File "~/pypykatz/pypykatz/lsadecryptor/lsa_decryptor.py", line 20, in choose
return LsaDecryptor_NT6(reader, decryptor_template, sysinfo)
File"~/pypykatz/pypykatz/lsadecryptor/lsa_decryptor_nt6.py", line 22, in init
self.acquire_crypto_material()
File "~/pypykatz/pypykatz/lsadecryptor/lsa_decryptor_nt6.py", line 30, in acquire_crypto_material
self.iv = self.get_IV(sigpos)
File "~/pypykatz/pypykatz/lsadecryptor/lsa_decryptor_nt6.py", line 66, in get_IV
self.reader.move(ptr_iv)
File "~/.local/lib/python3.9/site-packages/minidump/minidumpreader.py", line 136, in move
self._select_segment(address)
File "~/.local/lib/python3.9/site-packages/minidump/minidumpreader.py", line 104, in _select_segment
raise Exception('Memory address 0x%08x is not in process memory space' % requested_position)
Exception: Memory address 0x7ffd903728b8 is not in process memory space

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "~/pypykatz/pypykatz/lsadecryptor/cmdhelper.py", line 242, in run
mimi = pypykatz.parse_minidump_file(args.memoryfile, packages=args.packages)
File "~/pypykatz/pypykatz/pypykatz.py", line 150, in parse_minidump_file
raise e
File "~/pypykatz/pypykatz/pypykatz.py", line 146, in parse_minidump_file
mimi.start(packages)
File "~/pypykatz/pypykatz/pypykatz.py", line 349, in start
self.lsa_decryptor = self.get_lsa()
File "~/pypykatz/pypykatz/pypykatz.py", line 266, in get_lsa
raise Exception('All detection methods failed.')
Exception: All detection methods failed.
`

Here is the dump
lsass.zip

Thanks in advance

[jjsdub556]

Hey! Is there any chance this is a Windows 11 lsass dump? I've got the same issue with Win11 dump. BTH pypy identifies OS as Win10:
INFO:pypykatz:pypyKatz version: 0.6.3
INFO:pypykatz:CPU arch: X64
INFO:pypykatz:OS: Windows 10
INFO:pypykatz:BuildNumber: 22621

[skelsec]

Thank you for the comment, I actually fixed the parsing (not the OS detection) not long after the issue was created, however since this is a new feature only Porchetta Industries subscribers have access to it until March.
There is a quick-n-easy way to have access to this feature without subscription, and that is to use the WASM-based Octopwn tool.

[HatchiFr]

Hi, I have exactly the same issue with a dump from Windows 11.

[codekoala]

I had a similar Memory address ... is not in process memory space error coming out of pypykatz 0.6.6 today. The same dump parsed beautifully with Octopwn.

this is a new feature only Porchetta Industries subscribers have access to it until March.

Has the GA release of this update been postponed?

[skelsec]

A user from discord sent me a win11 dump that causes this issue. It has been resolved on the Prochetta repo.
This repo will get an update as soon as my time allows.
In the meantime, the new OctoPwn version can also parse the dumpfile.