MemProcFS.exe load error, DTB
gongyu0217 opened this issue · 2 comments
MemProcFS.exe -device "I:\AnQuan\Tools\1 Misc\内存取证\volatility_2.6_win64_standalone\memdump-win10x64.dmp" -forensic 1
[CORE] Initialization Failed. Unable to locate valid DTB. #2
VmmProc: Unable to auto-identify operating system.
Specify PageDirectoryBase (DTB/CR3) in -dtb option if value if known.
If arm64 dump, specify architecture: -arch arm64
[CORE] Failed to initialize.
It's hard to know what is causing the issue.
The most likely reason would be that the memory dump is corrupt and faulty for some reason.
If the memory dump works with Volatility, the memory dump is probably OK and there would be an issue with MemProcFS. In that case I would have to take a look at the memory dump file to understand what is causing this issue.
Please let me know if you're able to share this memory dump. If you are not able to share it, I completely understand as well, but I would not be able to look into this issue.
Since I have not heard back about this I assume the issue was resolved or that you're not able to share the dump file.
I'm closing this issue.
But if the issue remains and you're able to share the dump file, feel free to post about it and I'll take a look.