Didier Stevens

Sunday 13 August 2017

Reading Memory Of 64-bit Processes

Filed under: Hacking — Didier Stevens @ 23:21

When you read the memory of a 64-bit process, you have to make sure to read it from a 64-bit process. A 32-bit process can not use the documented Windows API to read the memory of a 64-bit process.

Here is an example using Metasploit with Meterpreter’s mimikatz module:

When using 32-bit meterpreter/mimikatz command msv to extract hashes from 64-bit Windows, we get an error: “0x0000012b Only part of a ReadProcessMemory or WriteProcessMemory request was completed”. This error occurs when a 32-bit process wants to read or write memory from a 64-bit process.

If we take a second look at the result of command “load mimikatz”, we see a warning: [!] Loaded x86 Mimikatz on a x64 architecture.

We need to run Meterpreter in a 64-bit process to access memory of a 64-bit process (like LSA):

Here we have no Windows API error anymore, but still no hashes. This is because Meterpreter’s mimikatz module is an older version (1.0) that can not extract hashes from the latest versions of Windows. Here we are using a 64-bit fully patched Windows 7 machine.

Command “mimikatz_command -f version” confirms module mimikatz’s version:

When we use this version on an 64-bit unpatched Windows 7 SP1 machine, we get hashes:

Maybe you recognize the LM and NTLM hashes of the empty string (AAD3B435B51404EEAAD3B435B51404EE and 31D6CFE0D16AE931B73C59D7E0C089C0).

2 Comments »

  1. […] my previous post “Reading Memory Of 64-bit Processes” I used the Windows version of Metasploit so that I could do all tests with a single machine: […]

    Pingback by Using Metasploit On Windows | Didier Stevens — Monday 14 August 2017 @ 10:17

  2. […] Reading Memory Of 64-bit Processes […]

    Pingback by Overview of Content Published In August | Didier Stevens — Wednesday 6 September 2017 @ 19:54


RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Blog at WordPress.com.