Cannot detect Win10x64_18362 crash dump
I generated a crash dump on Windows 10 OS build 18362.900, and Volatility does not recognize the profile.
This is the output for imageinfo:
Volatility Foundation Volatility Framework 2.6.1
INFO : volatility.debug : Determining profile based on KDBG search...
No suitable address space mapping found
Tried to open image as:
MachOAddressSpace: mac: need base
LimeAddressSpace: lime: need base
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace64BitMap: No base Address Space
WindowsCrashDumpSpace64: No base Address Space
HPAKAddressSpace: No base Address Space
VMWareMetaAddressSpace: No base Address Space
VirtualBoxCoreDumpElf64: No base Address Space
VMWareAddressSpace: No base Address Space
QemuCoreDumpElf: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
SkipDuplicatesAMD64PagedMemory: No base Address Space
WindowsAMD64PagedMemory: No base Address Space
LinuxAMD64PagedMemory: No base Address Space
AMD64PagedMemory: No base Address Space
IA32PagedMemoryPae: No base Address Space
IA32PagedMemory: No base Address Space
OSXPmemELF: No base Address Space
FileAddressSpace - EXCEPTION: [Errno 13] Permission denied: 'C:\\Users\\...\\volatility\\MEMORY.DMP'
ArmAddressSpace: No base Address Space
kdbgscan returns the same thing. Can anyone help me with this?
It looks like you don't have permission to read the file:
FileAddressSpace - EXCEPTION: [Errno 13] Permission denied: 'C:\\Users\\...\\volatility\\MEMORY.DMP'
Oh right. I edited the privileges and tried pslist with the correct profile (--profile=Win10x64_18362). Now it returns this:
Volatility Foundation Volatility Framework 2.6.1
No suitable address space mapping found
Tried to open image as:
MachOAddressSpace: mac: need base
LimeAddressSpace: lime: need base
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace64BitMap: No base Address Space
WindowsCrashDumpSpace64: No base Address Space
HPAKAddressSpace: No base Address Space
VirtualBoxCoreDumpElf64: No base Address Space
VMWareMetaAddressSpace: No base Address Space
VMWareAddressSpace: No base Address Space
QemuCoreDumpElf: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
SkipDuplicatesAMD64PagedMemory: No base Address Space
WindowsAMD64PagedMemory: No base Address Space
LinuxAMD64PagedMemory: No base Address Space
AMD64PagedMemory: No base Address Space
IA32PagedMemoryPae: No base Address Space
IA32PagedMemory: No base Address Space
OSXPmemELF: No base Address Space
MachOAddressSpace: MachO Header signature invalid
LimeAddressSpace: Invalid Lime header signature
WindowsHiberFileSpace32: No xpress signature found
WindowsCrashDumpSpace64BitMap: Header signature invalid
WindowsCrashDumpSpace64: Header signature invalid
HPAKAddressSpace: Invalid magic found
VirtualBoxCoreDumpElf64: ELF Header signature invalid
VMWareMetaAddressSpace: VMware metadata file is not available
VMWareAddressSpace: Invalid VMware signature: 0x4034b50
QemuCoreDumpElf: ELF Header signature invalid
WindowsCrashDumpSpace32: Header signature invalid
SkipDuplicatesAMD64PagedMemory: Failed valid Address Space check
WindowsAMD64PagedMemory: Failed valid Address Space check
LinuxAMD64PagedMemory: Incompatible profile Win10x64_18362 selected
AMD64PagedMemory: Failed valid Address Space check
IA32PagedMemoryPae: Incompatible profile Win10x64_18362 selected
IA32PagedMemory: Incompatible profile Win10x64_18362 selected
OSXPmemELF: ELF Header signature invalid
FileAddressSpace: Must be first Address Space
ArmAddressSpace: Profile does not have valid Address Space check
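Each line in the output above is one address space rejecting the file after looking at the bytes at offset 0, and the VMware check happens to print what it saw: it reads the first four bytes as a little-endian 32-bit integer, and 0x4034b50 written back out as bytes is 50 4B 03 04, i.e. "PK\x03\x04", the ZIP local-file-header magic, whereas a genuine 64-bit Windows crash dump starts with "PAGEDU64". The following Python script is an added example, not part of the original thread and not Volatility's own code: it performs the same magic-byte classification and decodes the integer Volatility reports, so the container format of a dump can be checked before spending time on profile guessing. The signature-to-address-space mapping follows the names in the output above, the magic values are the well-known fixed signatures of those formats, and the sample headers are constructed.

```python
import struct

# Fixed magic values at file offset 0 for the container formats the
# address spaces listed in the output try, plus the ZIP magic that the
# reported VMware value decodes to. Address-space names follow the output.
SIGNATURES = [
    (b"PAGEDU64", "Windows 64-bit crash dump (WindowsCrashDumpSpace64)"),
    (b"PAGEDUMP", "Windows 32-bit crash dump (WindowsCrashDumpSpace32)"),
    (b"\x7fELF", "ELF core (VirtualBoxCoreDumpElf64 / QemuCoreDumpElf / OSXPmemELF)"),
    (b"HPAK", "HPAK container (HPAKAddressSpace)"),
    (b"hibr", "Windows hibernation file (WindowsHiberFileSpace32)"),
    (b"HIBR", "Windows hibernation file (WindowsHiberFileSpace32)"),
    (b"PK\x03\x04", "ZIP archive: compressed container, not a raw image"),
]


def identify_header(header: bytes) -> str:
    """Classify a file by its leading bytes, as each address space does."""
    for magic, description in SIGNATURES:
        if header.startswith(magic):
            return description
    return "unknown (possibly a raw physical memory image)"


def vmware_magic(header: bytes) -> int:
    """Read the first 4 bytes as a little-endian uint32; this is the number
    that appears in 'Invalid VMware signature: 0x...'."""
    return struct.unpack("<I", header[:4])[0]


def explain_reported_signature(value: int) -> str:
    """Turn the integer Volatility printed back into bytes and classify them."""
    return identify_header(struct.pack("<I", value))


def identify_file(path: str) -> str:
    """Classify a file on disk by its first 16 bytes."""
    with open(path, "rb") as fh:
        return identify_header(fh.read(16))


if __name__ == "__main__":
    # Constructed sample headers; they are not taken from any real dump.
    samples = {
        "genuine 64-bit crash dump": b"PAGEDU64" + b"\x00" * 8,
        "zip-compressed file": b"PK\x03\x04\x14\x00\x00\x00",
    }
    for name, header in samples.items():
        print(f"{name}: {identify_header(header)} "
              f"(first 4 bytes as uint32: {vmware_magic(header):#x})")
    # Decode the value from the thread's output.
    print("0x4034b50 decodes to:", explain_reported_signature(0x4034b50))
```

Running the script prints the classification of the two constructed headers and then decodes 0x4034b50 to the ZIP description; calling identify_file("MEMORY.DMP") on the real file performs the same check on its first 16 bytes.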
What is the size of the crash dump? Are complete dumps configured?
The crash dump is 14GB and I think Windows automatically configures it. I just followed the directions here to generate the crash dump: https://nvidia.custhelp.com/app/answers/detail/a_id/4755/~/manually-forcing-a-system-crash-using-a-keyboard
Could you please do a git pull from master and then:
git checkout -b bitmap_crashdumps
and then re-run analysis. Please let me know the results while running on this branch.