Michael,
If the process you want to extract is unlinked from the PsActiveProcessHead
list, then you can't identify it by pid. Try identifying it by physical
offset:
$ python vol.py -f ../prolaco.vmem psscan
0x0113f648 1_doc_RCData_61 1336 1136 0x06cc0340 2010-08-11 16:50:20
$ python vol.py -f ../prolaco.vmem procexedump -o 0x0113f648 -D out/
************************************************************************
Dumping 1_doc_RCData_61, pid: 1336 output: executable.1336.exe
MHL
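To make the distinction above concrete, here is an added example (not Volatility's own code, and not part of the original thread) that models the two approaches over a constructed toy memory image: a pslist-style walk of the doubly-linked process list, and a psscan-style scan that ignores the list and looks for a tag at each aligned physical offset. A DKOM-style unlink then hides one record from the walk while the scan still finds it by offset. The 32-byte record layout, the "Proc" tag, the offsets and the process names are assumptions made for the illustration; they are not the real _EPROCESS or _POOL_HEADER layout.

```python
import struct

# Assumed toy record layout for this example only (NOT the real Windows
# _POOL_HEADER/_EPROCESS layout): tag(4) pid(4) flink(4) blink(4) name(16).
TAG = b"Proc"
REC_FMT = "<4sIII16s"
REC_SIZE = struct.calcsize(REC_FMT)   # 32 bytes
HEAD = 0x20                           # physical offset of the list head sentinel


def build_image(procs, size=0x400):
    """Lay out a sentinel head plus one record per (pid, name), as a ring."""
    mem = bytearray(size)
    ring = [HEAD] + [0x100 + i * 0x40 for i in range(len(procs))]
    for i, off in enumerate(ring):
        flink = ring[(i + 1) % len(ring)]
        blink = ring[(i - 1) % len(ring)]
        if off == HEAD:
            # The head carries a different tag so a tag scan does not report it.
            struct.pack_into(REC_FMT, mem, off, b"Head", 0, flink, blink, b"")
        else:
            pid, name = procs[i - 1]
            struct.pack_into(REC_FMT, mem, off, TAG, pid, flink, blink, name.encode())
    return mem


def read_record(mem, off):
    tag, pid, flink, blink, name = struct.unpack_from(REC_FMT, mem, off)
    return {"offset": off, "tag": tag, "pid": pid, "flink": flink,
            "blink": blink, "name": name.rstrip(b"\0").decode()}


def walk_active_list(mem):
    """pslist-style: follow flink from the head until it wraps back to the head.
    Anything unlinked from the ring is invisible here, whatever it still holds."""
    found = []
    off = read_record(mem, HEAD)["flink"]
    while off != HEAD:
        rec = read_record(mem, off)
        found.append(rec)
        off = rec["flink"]
    return found


def scan_records(mem, align=8):
    """psscan-style: ignore the list entirely; test every aligned physical
    offset for the tag. Finds unlinked records, and in a real image would also
    find freed ones, so a hit is a lead, not proof of hiding."""
    found = []
    for off in range(0, len(mem) - REC_SIZE + 1, align):
        if mem[off:off + 4] == TAG:
            found.append(read_record(mem, off))
    return found


def find_by_pid(mem, pid):
    """Lookup by pid the way a list-walking plugin would do it."""
    for rec in walk_active_list(mem):
        if rec["pid"] == pid:
            return rec
    return None


def unlink_process(mem, off):
    """DKOM-style unlink: make the neighbours point at each other. The record
    bytes at `off` are untouched, which is why a scan still recovers them."""
    rec = read_record(mem, off)
    prev, nxt = rec["blink"], rec["flink"]
    struct.pack_into("<I", mem, prev + 8, nxt)    # prev.flink = next
    struct.pack_into("<I", mem, nxt + 12, prev)   # next.blink = prev


def demo():
    # Constructed process set; 1336 mirrors the pid in the thread above.
    procs = [(4, "System"), (1136, "explorer.exe"),
             (1336, "1_doc_RCData_61"), (1500, "cmd.exe")]
    mem = build_image(procs)
    before = [r["pid"] for r in walk_active_list(mem)]
    hidden_off = next(r["offset"] for r in scan_records(mem) if r["pid"] == 1336)
    unlink_process(mem, hidden_off)
    after = [r["pid"] for r in walk_active_list(mem)]
    by_pid = find_by_pid(mem, 1336)               # None: cannot address it by pid
    by_offset = read_record(mem, hidden_off)      # still fully recoverable by offset
    scanned = [(r["offset"], r["pid"]) for r in scan_records(mem)]
    return before, after, by_pid, by_offset, scanned


if __name__ == "__main__":
    before, after, by_pid, by_offset, scanned = demo()
    print("list walk before unlink:", before)
    print("list walk after unlink: ", after)
    print("find_by_pid(1336):", by_pid)
    print("scan hits (offset, pid):", [(hex(o), p) for o, p in scanned])
    print("record at hidden offset:", by_offset["name"])
```

The point this mirrors from the reply above: once a process is unlinked, the pid is no longer a usable handle for any plugin that walks the list, but the physical offset reported by the scan still is, which is what `-o` takes. In a real image a scan also turns up records from processes that have already exited, so a process that appears in psscan but not in pslist is worth cross-checking against the other process lists (Volatility's psxview does this) before calling it hidden.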
On Mon, Aug 15, 2011 at 5:57 AM, Michael Felber <MichaelFelber(a)gmx.net> wrote:
Hi,

I have tried to extract the process 1336 (1_doc_RCData_61) from the
prolaco image provided at
http://malwarecookbook.googlecode.com/svn-history/r26/trunk/15/6/prolaco.vm…

Neither procexedump nor procmemdump worked for this process, though they
did for any other.
What went wrong?

Regards

Michael
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users