[Vol-users] Need help with error when using dmp2raw

Adrian Sanabria adrian.sanabria at gmail.com
Wed Jan 13 08:58:43 CST 2010


When running dmp2raw on a small (256MB) Windows crash dump, I get the
following:

Traceback (most recent call last):
| Time Remaining:  --:--:--
  File "volatility", line 219, in <module>
    main()
  File "volatility", line 212, in main
    modules[argv[1]].execute(argv[1], argv[2:])
  File "/root/memory_analysis/Volatility-1.3_Beta/vmodules.py", line 62, in execute
    self.cmd_execute(module, args)
  File "/root/memory_analysis/Volatility-1.3_Beta/vmodules.py", line 1746, in dmp2raw
    crash_to_dd(flat_address_space, types, opts.outfile)
  File "/root/memory_analysis/Volatility-1.3_Beta/forensics/win32/crashdump.py", line 721, in crash_to_dd
    for j in xrange(0, PageCount*0x1000, 0x1000):
OverflowError: long int too large to convert to int

dmpchk gives me the following info about this file:
DUMP_HEADER32:
MajorVersion            0x0000000f
MinorVersion            0x00001772
KdSecondaryVersion      0x00000041
DirectoryTableBase      0x00122000
PfnDataBase             0x83200000
PsLoadedModuleList      0x81f5fc70
PsActiveProcessHead     0x81f55990
MachineImageType        0x0000014c
NumberProcessors        0x00000002
BugCheckCode            0x0000007f
PaeEnabled              0x00000001
KdDebuggerDataBlock     0x81f3fc98
ProductType             0x00000001
SuiteMask               0x00000110
WriterStatus            0x45474150

Physical Memory Description:
Number of runs: 2
FileOffset      Start Address   Length
00001000        00001000        0009a000
0009b000        00100000        dcf4d000
dcfe7000        dd04c000

Any idea what the problem might be?
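
Added example, not part of the original post and not Volatility's own code: it checks the run lengths from the dmpchk output above against the largest value Python 2's xrange() accepts when the C long is 32 bits, compares what the header describes with the stated file size, and shows a page iterator bounded by the page count instead of the byte count. It assumes the Length column is the run size in bytes (PageCount*0x1000) and that the interpreter has a 32-bit C long; the helper names are hypothetical.

```python
# Added example (not Volatility code). Values are copied from the dmpchk
# output in the post; the helper names are hypothetical.
PAGE_SIZE = 0x1000
C_LONG_MAX_32 = 2**31 - 1     # largest xrange() argument when C long is 32 bits
DUMP_FILE_SIZE = 256 * 2**20  # "small (256MB)" as stated in the post

# (file_offset, start_address, length) per run; Length is assumed to be bytes.
RUNS = [
    (0x00001000, 0x00001000, 0x0009a000),
    (0x0009b000, 0x00100000, 0xdcf4d000),
]

def overflowing_runs(runs, limit=C_LONG_MAX_32):
    """Runs whose byte length cannot be passed to a 32-bit xrange()."""
    return [run for run in runs if run[2] > limit]

def bytes_described(runs):
    """Total physical memory the header's run list claims to cover."""
    return sum(length for _, _, length in runs)

def page_offsets(page_count, page_size=PAGE_SIZE):
    """Yield each page's byte offset with the loop bounded by page count.

    For this dump the page count fits a 32-bit C long even though the byte
    count does not (use xrange here on Python 2).
    """
    for page in range(page_count):
        yield page * page_size

if __name__ == "__main__":
    for off, start, length in overflowing_runs(RUNS):
        print("run at 0x%08x: 0x%x bytes exceeds 0x%x"
              % (start, length, C_LONG_MAX_32))
    print("header describes 0x%x bytes, file holds 0x%x"
          % (bytes_described(RUNS), DUMP_FILE_SIZE))
```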