Thanks for the report. Any chance you could upload the full -vvv output as text for us to look into?

I am almost postive from the backtrace that this code is the issue:

https://github.com/volatilityfoundation/volatility3/blob/develop/volatility3/framework/symbols/windows/extensions/__init__.py#L271

There are a range of kernel versions where the CommitCharge member is stored as Core.CommitCharge which the code linked above does not handle.

@eve-mem do you have a moment to put a PR request handling the Core check to look for CommitCharge directly under it and then do the current way if its not there?

I can certainly have a look. It might be early next week rather than the weekend now. I don't have the biggest supply of windows machines to test on but hopefully one of them will be similar enough. Your explanation @atcuno is clear enough for me on what the issue is.

so will this issue get fixed next week?

If i can find a similar issue in a sample i have I'll fix it next week yes. Perhaps you are able to share your sample?

what do you mean by sample?

A memory dump that I can test with.

Hello @KQBTD - I couldn't find a memory dump to test with.

Are you able to check to see if the changes in #1407 fix your problem?

I'm not expecting it to work right away to be honest - if you still get an error could you please share you logs with me.

Thanks <3