volatility
Alignment of WindowsCrashDumpSpace64 is too small, plugins will be extremely slow
I am using volatility 2.6 (win standalone version) and getting the same error - Alignment of WindowsCrashDumpSpace64 is too small, plugins will be extremely slow.
I created the dump using Dumpit.
How to fix it?
I am also seeing that error, looks like volatility doesn't support analysis of the latest Windows machines.
Adding the stack trace here should someone need it for fixing:
(venv) PS C:\REDACTED\venv\volatility> python.exe .\vol.py -f C:\REDACTED\dump.dmp imageinfo
Volatility Foundation Volatility Framework 2.6.1
INFO : volatility.debug : Determining profile based on KDBG search...
WARNING : volatility.debug : Alignment of WindowsCrashDumpSpace64 is too small, plugins will be extremely slow
WARNING : volatility.debug : Alignment of WindowsCrashDumpSpace64 is too small, plugins will be extremely slow
WARNING : volatility.debug : Alignment of WindowsCrashDumpSpace64 is too small, plugins will be extremely slow
WARNING : volatility.debug : Alignment of WindowsCrashDumpSpace64 is too small, plugins will be extremely slow
WARNING : volatility.debug : Alignment of WindowsCrashDumpSpace64 is too small, plugins will be extremely slow
WARNING : volatility.debug : Alignment of WindowsCrashDumpSpace64 is too small, plugins will be extremely slow
WARNING : volatility.debug : Alignment of WindowsCrashDumpSpace64 is too small, plugins will be extremely slow
WARNING : volatility.debug : Alignment of WindowsCrashDumpSpace64 is too small, plugins will be extremely slow
WARNING : volatility.debug : Alignment of WindowsCrashDumpSpace64 is too small, plugins will be extremely slow
WARNING : volatility.debug : Alignment of WindowsCrashDumpSpace64 is too small, plugins will be extremely slow
WARNING : volatility.debug : Alignment of WindowsCrashDumpSpace64 is too small, plugins will be extremely slow
WARNING : volatility.debug : Alignment of WindowsCrashDumpSpace64 is too small, plugins will be extremely slow
WARNING : volatility.debug : Alignment of WindowsCrashDumpSpace64 is too small, plugins will be extremely slow
WARNING : volatility.debug : Alignment of WindowsCrashDumpSpace64 is too small, plugins will be extremely slow
WARNING : volatility.debug : Alignment of WindowsCrashDumpSpace64 is too small, plugins will be extremely slow
WARNING : volatility.debug : Alignment of WindowsCrashDumpSpace64 is too small, plugins will be extremely slow
WARNING : volatility.debug : Alignment of WindowsCrashDumpSpace64 is too small, plugins will be extremely slow
WARNING : volatility.debug : Alignment of WindowsCrashDumpSpace64 is too small, plugins will be extremely slow
Traceback (most recent call last):
  File ".\vol.py", line 192, in <module>
    main()
  File ".\vol.py", line 183, in main
    command.execute()
  File "C:\REDACTED\venv\volatility\volatility\commands.py", line 147, in execute
    func(outfd, data)
  File "C:\REDACTED\venv\volatility\volatility\plugins\imageinfo.py", line 45, in render_text
    for k, t, v in data:
  File "C:\REDACTED\venv\volatility\volatility\plugins\imageinfo.py", line 55, in calculate
    suglist = [ s for s, _ in kdbgscan.KDBGScan.calculate(self)]
  File "C:\REDACTED\venv\volatility\volatility\plugins\kdbgscan.py", line 164, in calculate
    for kdbg in obj.VolMagic(aspace).KDBG.generate_suggestions():
  File "C:\REDACTED\venv\volatility\volatility\plugins\overlays\windows\win8_kdbg.py", line 273, in generate_suggestions
    addresses = sorted(addr_space.get_available_addresses())
  File "C:\REDACTED\venv\volatility\volatility\plugins\addrspaces\paged.py", line 133, in get_available_addresses
    for (offset, size) in self.get_available_pages():
  File "C:\REDACTED\venv\volatility\volatility\plugins\addrspaces\amd64.py", line 260, in get_available_pages
    pdpt_entries = struct.unpack('<512Q', pdpt)
struct.error: unpack requires a string argument of length 4096
And proof of the latest version:
(venv) PS C:\REDACTED\venv\volatility> git rev-parse HEAD
a438e768194a9e05eb4d9ee9338b881c0fa25937