
So I am trying to extract data from a full memory dump (made with either DumpIt or a BSOD). WinDbg manages to extract some information from it, but Volatility is silent:


PS F:\> C:\Python27\python.exe C:\Python27\Scripts\vol.py -v -f .\DESKTOP-1NHUJ5K-20200115-133054.dmp imageinfo
Volatility Foundation Volatility Framework 2.6.1
*** Failed to import volatility.plugins.registry.shutdown (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.getservicesids (ImportError: No module named Crypto.Hash)
(More unrelated import warnings)
*** Failed to import volatility.plugins.registry.shimcache (ImportError: No module named Crypto.Hash)
INFO    : volatility.debug    : Determining profile based on KDBG search...
WARNING : volatility.debug    : Alignment of WindowsCrashDumpSpace64 is too small, plugins will be extremely slow

WARNING : volatility.debug    : Alignment of WindowsCrashDumpSpace64 is too small, plugins will be extremely slow
(repeated a dozen times)
WARNING : volatility.debug    : Alignment of WindowsCrashDumpSpace64 is too small, plugins will be extremely slow
          Suggested Profile(s) : No suggestion (Instantiated with Win10x64_15063)
                     AS Layer1 : SkipDuplicatesAMD64PagedMemory (Kernel AS)
                     AS Layer2 : WindowsCrashDumpSpace64 (Unnamed AS)
                     AS Layer3 : FileAddressSpace (F:\DESKTOP-1NHUJ5K-20200115-133054.dmp)
                      PAE type : No PAE
                           DTB : 0x1aa002L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2020-01-15 13:32:57 UTC+0000
     Image local date and time : 2020-01-15 14:32:57 +0100

PS F:\> C:\Python27\python.exe C:\Python27\Scripts\vol.py -v -f .\DESKTOP-1NHUJ5K-20200115-133054.dmp --profile=Win10x64_17763 pstree
Volatility Foundation Volatility Framework 2.6.1
*** Failed to import volatility.plugins.registry.shutdown (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.getservicesids (ImportError: No module named Crypto.Hash)
(more irrelevant import errors)
...
Name                                                  Pid   PPid   Thds   Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----

Note that the pstree function prints no error and no garbled output: it just exits.

All the import errors are simply caused by the lack of the PyCrypto library but have no bearing on the functions I used.

I know for a fact I am using the correct profile since I made the dump myself on a VM running Windows 10 17763.

All of these seem to work perfectly on older versions of Windows. Is there a reason for Windows 10 to work differently with Volatility?

My purpose is to extract a binary executable file from a full crash dump. Is there any tool other than volatility that can allow me to do that?

asked by Adalcar

  • UPDATE: For now I use WinDbg to analyze the loaded code. – Adalcar Jan 21 '20 at 13:49
  • This seems more like a product troubleshooting question than a security question. A support forum might be a better place to ask. – schroeder Feb 13 '20 at 23:14
  • You can try [Rekall](https://github.com/google/rekall), which is another tool for doing memory analysis that offers a lot of the same capabilities as Volatility. – Oleksi Feb 13 '20 at 22:52

0 Answers
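The imageinfo output above says "No suggestion" while the asker is sure the guest is build 17763, and every plugin then runs on an unverified profile. A cheap independent check is to read the crash dump's own 0x2000-byte header: a 64-bit crash dump starts with the signature "PAGEDU64", its MinorVersion field is the NT build number, DirectoryTableBase is the kernel CR3 that Volatility printed as DTB, and DumpType says whether this is the full dump (type 1) that WindowsCrashDumpSpace64 handles or one of the newer bitmap formats. The script below is an added example written for this page, not code from the question or from the Volatility project; the field offsets are those of the public _DMP_HEADER64 layout as used by WinDbg and Volatility's crash dump address space, and the header it parses by default is constructed in memory so it runs offline (pass a real .dmp path as the first argument to inspect an actual file). The profile hint it builds ("Win10x64_<build>") is an assumption about naming: the name must still appear in `vol.py --info` for the installed Volatility version.

```python
"""Read the _DMP_HEADER64 of a 64-bit Windows crash dump and report the
fields that decide which Volatility 2.x profile and address space apply.
Added example for this page; offsets follow the public DUMP_HEADER64
layout. The default input is a CONSTRUCTED header, not a real dump."""
import struct
import sys

HEADER_SIZE = 0x2000            # the crash dump header occupies the first 8 KiB
IMAGE_FILE_MACHINE_AMD64 = 0x8664
DUMP_TYPES = {1: "full", 2: "kernel", 3: "header", 4: "triage",
              5: "bitmap full", 6: "bitmap kernel", 7: "automatic"}


def parse_dmp_header(data):
    """Return the header fields relevant to profile selection as a dict."""
    if len(data) < HEADER_SIZE:
        raise ValueError("input shorter than the 0x2000-byte dump header")
    sig, valid = data[0:4], data[4:8]
    if sig != b"PAGE" or valid != b"DU64":
        raise ValueError("not a 64-bit Windows crash dump: %r%r" % (sig, valid))
    major, build = struct.unpack_from("<II", data, 0x8)     # MinorVersion == NtBuildNumber
    dtb, = struct.unpack_from("<Q", data, 0x10)             # kernel CR3 (may carry flag bits)
    ps_loaded, ps_active = struct.unpack_from("<QQ", data, 0x20)
    machine, ncpu, bugcheck = struct.unpack_from("<III", data, 0x30)
    kddbg, = struct.unpack_from("<Q", data, 0x80)           # KdDebuggerDataBlock (KDBG) VA
    # _PHYSICAL_MEMORY_DESCRIPTOR64 at 0x88: NumberOfRuns, pad, NumberOfPages, Run[]
    nruns, = struct.unpack_from("<I", data, 0x88)
    npages, = struct.unpack_from("<Q", data, 0x90)
    runs = [struct.unpack_from("<QQ", data, 0x98 + 16 * i) for i in range(nruns)]
    dump_type, = struct.unpack_from("<I", data, 0xF98)
    return {"major": major, "build": build, "dtb": dtb, "dtb_page": dtb & ~0xFFF,
            "ps_loaded_module_list": ps_loaded, "ps_active_process_head": ps_active,
            "machine": machine, "cpus": ncpu, "bugcheck": bugcheck, "kdbg": kddbg,
            "runs": runs, "pages": npages, "dump_type": dump_type}


def assess(info):
    """Return (profile_hint, notes): a Volatility 2.x profile name to try and
    any reasons the dump may not be usable with WindowsCrashDumpSpace64."""
    notes = []
    if info["machine"] != IMAGE_FILE_MACHINE_AMD64:
        notes.append("MachineImageType 0x%x is not AMD64" % info["machine"])
    if info["dump_type"] != 1:
        notes.append("DumpType %d (%s) is not a full dump; WindowsCrashDumpSpace64 "
                     "expects type 1" % (info["dump_type"],
                                         DUMP_TYPES.get(info["dump_type"], "unknown")))
    if sum(count for _, count in info["runs"]) != info["pages"]:
        notes.append("run table does not add up to NumberOfPages; header may be damaged")
    # Naming assumption: Volatility 2 Windows 10 x64 profiles are Win10x64_<build>;
    # confirm the name exists with `vol.py --info` before relying on it.
    hint = "Win10x64_%d" % info["build"] if info["build"] >= 10240 else None
    return hint, notes


def build_sample_header(build=17763, dump_type=1):
    """CONSTRUCTED header mimicking a Windows 10 x64 full dump (not from a real file).
    Real dumps fill unused header bytes with the repeated string 'PAGE'."""
    hdr = bytearray(b"PAGE" * (HEADER_SIZE // 4))
    hdr[0:8] = b"PAGEDU64"
    struct.pack_into("<II", hdr, 0x8, 0xF, build)            # free build, NtBuildNumber
    struct.pack_into("<Q", hdr, 0x10, 0x1AA002)               # DTB as in the question's output
    struct.pack_into("<QQ", hdr, 0x20, 0xFFFFF80012345678, 0xFFFFF8001234ABCD)
    struct.pack_into("<III", hdr, 0x30, IMAGE_FILE_MACHINE_AMD64, 2, 0)
    struct.pack_into("<Q", hdr, 0x80, 0xFFFFF80012300000)
    runs = [(0x1, 0x9F), (0x100, 0x3FF00)]                    # two physical memory runs
    struct.pack_into("<I", hdr, 0x88, len(runs))
    struct.pack_into("<Q", hdr, 0x90, sum(c for _, c in runs))
    for i, (base, count) in enumerate(runs):
        struct.pack_into("<QQ", hdr, 0x98 + 16 * i, base, count)
    struct.pack_into("<I", hdr, 0xF98, dump_type)
    return bytes(hdr)


def report(info):
    """Human-readable summary of parse_dmp_header() output."""
    hint, notes = assess(info)
    lines = ["build %d (MajorVersion 0x%x)" % (info["build"], info["major"]),
             "DTB 0x%x (page 0x%x)" % (info["dtb"], info["dtb_page"]),
             "KDBG 0x%x, PsActiveProcessHead 0x%x" % (info["kdbg"], info["ps_active_process_head"]),
             "DumpType %d (%s), %d CPUs, %d runs, %d pages" % (
                 info["dump_type"], DUMP_TYPES.get(info["dump_type"], "unknown"),
                 info["cpus"], len(info["runs"]), info["pages"]),
             "profile to try: %s" % hint]
    return "\n".join(lines + ["note: " + n for n in notes])


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read(HEADER_SIZE)
    else:
        data = build_sample_header()
    print(report(parse_dmp_header(data)))
```

If the header's build number does not match the profile you pass with --profile, or DumpType is not 1, that explains an empty pstree better than a Windows 10 quirk; if both match and the KDBG address is non-zero, the next thing to compare is Volatility's DTB against the header's DirectoryTableBase.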