Can't process a Windows 10 64bit Crash Dump #1112
Comments
A few extra comments:
Hi, volatility 3 doesn't read pdb files directly, they need converting into JSON, but volatility should have found a windows signature and generated it automatically if you were providing a raw memory file. Instead, you appear to have provided a Apparently we currently suppress Format exceptions, rather than reporting on them (which isn't right), but my guess would be that your crashdump file isn't the right format...
I've just pushed a new commit (
Sorry, I guess the I will try the new version to see if it is clearer. Thanks.
New (partial) log output: First, during processing I get lots of lines like this: With occasional lines like this: Below is the interesting part:
I guess the important parts are the Still, that isn't pertinent to this. I guess the "Invalid dump" supports your statement that this is a non-supported dump file, and I will have to use a different means to generate it. Thanks.
Sorry, some of that was a slight mistake on my part, you should probably give it another go, the error above was likely from attempting to stack the 32-bit crash dump layer (which expects the start bytes to be
Commit
Here are the latest results (cutting to after the JSON file parsing):
Where we see
Yep, this is just a partial crashdump, as indicated by
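As an added example (not code from the issue or from the volatility3 project), a small header check that triages a crash dump file before handing it to Volatility: it verifies the PAGEDUMP/PAGEDU64 signature that the 32-bit and 64-bit crash dump layers look for, and reads the DumpType field to tell a full dump from a partial (kernel or active memory) one. The header offsets, the DumpType names and the constructed sample header are assumptions from the public kdmp format, not values taken from this issue.

```python
import struct

# Offsets within the public _DUMP_HEADER (32-bit) and _DUMP_HEADER64 layouts
# (assumed from the kdmp format; not taken from the issue thread above).
LAYOUTS = {
    b"PAGEDUMP": dict(bits=32, machine=0x20, bugcheck=0x28, dump_type=0xF88),
    b"PAGEDU64": dict(bits=64, machine=0x30, bugcheck=0x38, dump_type=0xF98),
}
DUMP_TYPES = {1: "full", 2: "kernel (partial)", 5: "bitmap/active (partial)"}
MACHINES = {0x014C: "x86", 0x8664: "x64", 0xAA64: "arm64"}
HEADER_SIZE = 0x2000


def parse_crashdump_header(data: bytes) -> dict:
    """Identify a Windows kernel crash dump from its header bytes.

    Raises ValueError for anything else, e.g. a user-mode minidump
    (starts with 'MDMP') or a raw memory image with no header at all.
    """
    if len(data) < HEADER_SIZE:
        raise ValueError("file shorter than a crash dump header")
    layout = LAYOUTS.get(bytes(data[:8]))
    if layout is None:
        hint = " (minidump, not a kernel crash dump)" if data[:4] == b"MDMP" else ""
        raise ValueError(f"no PAGEDUMP/PAGEDU64 signature{hint}: {bytes(data[:8])!r}")

    def u32(off: int) -> int:
        return struct.unpack_from("<I", data, off)[0]

    dump_type = u32(layout["dump_type"])
    machine = u32(layout["machine"])
    return {
        "bits": layout["bits"],
        "machine": MACHINES.get(machine, hex(machine)),
        "bugcheck": u32(layout["bugcheck"]),
        "dump_type": dump_type,
        "dump_kind": DUMP_TYPES.get(dump_type, f"unknown (0x{dump_type:x})"),
        "partial": dump_type != 1,  # only DumpType 1 carries all physical memory
    }


def build_sample_header(dump_type: int = 2) -> bytes:
    """Constructed 64-bit header for offline testing: x64, bugcheck 0xD1, given DumpType."""
    buf = bytearray(HEADER_SIZE)
    buf[:8] = b"PAGEDU64"
    struct.pack_into("<I", buf, 0x30, 0x8664)     # MachineImageType: AMD64
    struct.pack_into("<I", buf, 0x38, 0xD1)       # BugCheckCode (constructed value)
    struct.pack_into("<I", buf, 0xF98, dump_type)  # DumpType
    return bytes(buf)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read(HEADER_SIZE) if len(sys.argv) > 1 else build_sample_header()
    print(parse_crashdump_header(data))
```

Run it with the path to MEMORY.DMP as the only argument; with no argument it parses the constructed sample header.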
Describe the bug
I am trying to analyze a memory DMP file generated from Microsoft's 'NotMyFault' tool, but it consistently fails with:
Context
Volatility Version: Volatility 3 Framework 2.7.0
Operating System: Windows 10 x64
Python Version: Python 3.12.0
Suspected Operating System: Windows 10 x64 (same computer)
Command: vol.py windows.info and vol.py windows.pslist
To Reproduce
Steps to reproduce the behavior:
Warning: This will actually cause a bluescreen / crash. Don't do it until you are ready!!
Generate a Windows Crash Dump with the Sysinternals NotMyFault tool (https://learn.microsoft.com/en-us/sysinternals/downloads/notmyfault). Then follow the below commands:
%py_cmd% vol.py -vvvvvvv -f C:\projects\aaaa\bbbbb\MEMORY.DMP windows.info
Expected behavior
For windows.info, I would expect a formatted output describing the memory dump file. For windows.pslist I would expect there to be a process list table.
Example output
This is the file type:
I know from other questions here that minidumps aren't supported. The website says crashdumps are: The FAQ
I also already have the symbols for Windows:
When I run the command I get this output:
Additional information
If I run the same command using a .raw file generated from winpmem, I get appropriate outputs for both windows.info and windows.pslist.