Hi Jason,
Welcome to the fun!
I think a --verbose/-v flag is a good idea for most modules. It's also
a good way to get started working with the code. Go for it!
Volatility already has PE extraction using the procdump module. For
example:
$ python volatility procdump -f xp-laptop-2005-07-04-1430.img
will attempt to copy out all of the executables from the xp-laptop
memory image. Those files can then be imported into IDA Pro and friends.
Here are the other command line options for procdump:
Usage: procdump [options] (see --help)

Options:
  -h, --help            show this help message and exit
  -f FILENAME, --file=FILENAME
                        (required) XP SP2 Image file
  -b BASE, --base=BASE  (optional, otherwise best guess is made) Physical offset (in hex) of directory table base
  -t TYPE, --type=TYPE  (optional, default="auto") Identify the image type (pae, nopae, auto)
  -H OUTPUT, --output=OUTPUT
                        (optional, default="text") Output format (xml, html, sql)
  -O OUT_FILE, --out_file=OUT_FILE
                        (output filename to write results onto - default stdout)
  -o OFFSET, --offset=OFFSET
                        EPROCESS Offset (in hex) in physcial address space
  -p PID, --pid=PID     Dump the process with this Pid
  -m MODE, --mode=MODE  strategy to use when saving executable. Use "disk" to save using disk-based section sizes, "mem" for memory-based sections. (default: "mem")
  -u, --unsafe          do not perform sanity checks on sections when dumping
--
Jesse
research(a)jessekornblum.com
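Added example (not Volatility's code): a simplified re-implementation of the two section-saving strategies the -m option describes, disk-based versus memory-based section sizes, plus the kind of bounds check that -u would skip. The sample PE image, all function names, and the reading of "mem" as "output mirrors memory, section headers patched so raw == virtual" are assumptions of this example.

```python
import struct
SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER layout, 40 bytes

def parse_sections(image):
    """Walk DOS header -> PE signature -> optional header; return (SizeOfHeaders, section-table offset, sections)."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    nsec, opt_size = (struct.unpack_from("<H", image, e_lfanew + o)[0] for o in (6, 20))
    opt_off = e_lfanew + 24
    size_of_headers = struct.unpack_from("<I", image, opt_off + 60)[0]   # same offset in PE32 and PE32+
    sec_off = opt_off + opt_size
    sections = [struct.unpack_from(SECTION_HDR, image, sec_off + 40 * i) for i in range(nsec)]
    return size_of_headers, sec_off, sections

def rebuild_pe(image, mode="mem", unsafe=False):
    """Rebuild a PE file from its memory-mapped copy (models the two -m strategies from the help text).
    disk: write SizeOfRawData bytes per section at PointerToRawData, i.e. the original file layout.
    mem:  keep VirtualSize bytes at VirtualAddress and patch the header so Raw == Virtual (assumed semantics)."""
    size_of_headers, sec_off, sections = parse_sections(image)
    out = bytearray(image[:size_of_headers])
    for i, hdr in enumerate(sections):
        name, vsize, vaddr, rawsize, rawptr = hdr[:5]
        length, dest = (rawsize, rawptr) if mode == "disk" else (vsize, vaddr)
        if vaddr + length > len(image):          # sanity check: section must lie inside the capture
            if not unsafe:
                raise ValueError(f"section {name!r} runs past the end of the image")
            length = max(0, len(image) - vaddr)  # unsafe: take whatever bytes are present
        if len(out) < dest + length:
            out.extend(b"\0" * (dest + length - len(out)))
        out[dest:dest + length] = image[vaddr:vaddr + length]
        if mode == "mem":                        # SizeOfRawData is at +16, PointerToRawData at +20
            struct.pack_into("<II", out, sec_off + 40 * i + 16, vsize, vaddr)
    return bytes(out)

def build_sample_image():
    """Constructed sample (not a real binary): a two-section PE32 as mapped in memory, 0x1000 section alignment."""
    img = bytearray(0x3000)
    img[0:2], img[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x40)                                  # e_lfanew
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 2, 0, 0, 0, 224, 0x102)   # COFF header, 2 sections
    opt, sec = 0x58, 0x58 + 224                                              # optional header, then section table
    struct.pack_into("<H", img, opt, 0x10B)                                  # PE32 magic
    struct.pack_into("<II", img, opt + 32, 0x1000, 0x200)                    # SectionAlignment, FileAlignment
    struct.pack_into("<II", img, opt + 56, 0x3000, 0x200)                    # SizeOfImage, SizeOfHeaders
    struct.pack_into(SECTION_HDR, img, sec, b".text", 0x10, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    struct.pack_into(SECTION_HDR, img, sec + 40, b".data", 0x08, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0xC0000040)
    img[0x1000:0x1010], img[0x2000:0x2008] = b"T" * 0x10, b"D" * 0x08        # section bytes as mapped
    return bytes(img)
```

Running rebuild_pe on build_sample_image() shows why the choice matters: "disk" yields a 0x600-byte file with .text relocated to file offset 0x200, while "mem" yields a sparse 0x2008-byte file whose section headers now point at the in-memory offsets.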