Michael,

If the process you want to extract is unlinked from the PsActiveProcessHead list, then you can't identify it by pid. Try identifying it by physical offset:

$ python vol.py -f ../prolaco.vmem psscan
0x0113f648 1_doc_RCData_61    1336   1136 0x06cc0340 2010-08-11 16:50:20

$ python vol.py -f ../prolaco.vmem procexedump -o 0x0113f648 -D out/
************************************************************************
Dumping 1_doc_RCData_61, pid:   1336 output: executable.1336.exe

MHL

On Mon, Aug 15, 2011 at 5:57 AM, Michael Felber <MichaelFelber@gmx.net> wrote:

Hi,


I have tried to extract the process 1336 (1_doc_RCData_61) from the prolaco-Image provided at  http://malwarecookbook.googlecode.com/svn-history/r26/trunk/15/6/prolaco.vmem.zip

Neither procexedump nor procmemdump did work for this process but for any other.

What went wrong?


Regards


Michael


_______________________________________________
Vol-users mailing list
Vol-users@volatilesystems.com
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
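The exchange above hinges on the difference between walking the kernel's process list (pslist) and scanning physical memory for process structures (psscan): a process that has been unlinked from PsActiveProcessHead disappears from the list walk but its structure is still in memory, so it can be found by scanning and then addressed by physical offset rather than by pid. The following is an added, self-contained illustration of that cross-view idea, not Volatility's code. It uses a constructed toy record layout (a pool tag, pid, name and two list pointers in a small bytearray), not the real _EPROCESS layout, and the sample process table is made up to mirror the thread.

```python
import struct

# Constructed toy record (NOT the real Windows _EPROCESS layout):
#   4s  pool tag           b"Proc" for processes, b"Head" for the list head
#   I   pid
#   16s name, NUL padded
#   I   flink (physical offset of the next record)
#   I   blink (physical offset of the previous record)
REC = struct.Struct("<4sI16sII")
TAG = b"Proc"
HEAD_OFF = 0x100          # where the list head lives in the toy image
BASE, STRIDE = 0x200, 0x40  # first record offset and spacing between records


def write_rec(mem, off, tag, pid, name, flink, blink):
    REC.pack_into(mem, off, tag, pid, name.encode().ljust(16, b"\0"), flink, blink)


def read_rec(mem, off):
    tag, pid, name, flink, blink = REC.unpack_from(mem, off)
    return {"off": off, "tag": tag, "pid": pid,
            "name": name.rstrip(b"\0").decode(errors="replace"),
            "flink": flink, "blink": blink}


def build_image(procs, size=0x1000):
    """Lay out a circular doubly linked list: head -> p0 -> p1 -> ... -> head."""
    mem = bytearray(size)
    offs = [HEAD_OFF] + [BASE + i * STRIDE for i in range(len(procs))]
    n = len(offs)
    for i, off in enumerate(offs):
        flink, blink = offs[(i + 1) % n], offs[(i - 1) % n]
        if i == 0:
            write_rec(mem, off, b"Head", 0, "", flink, blink)
        else:
            pid, name = procs[i - 1]
            write_rec(mem, off, TAG, pid, name, flink, blink)
    return mem


def unlink(mem, off):
    """DKOM-style hide: splice a record out of the list, leaving it in memory."""
    r = read_rec(mem, off)
    prev, nxt = read_rec(mem, r["blink"]), read_rec(mem, r["flink"])
    write_rec(mem, prev["off"], prev["tag"], prev["pid"], prev["name"], r["flink"], prev["blink"])
    write_rec(mem, nxt["off"], nxt["tag"], nxt["pid"], nxt["name"], nxt["flink"], r["blink"])


def pslist(mem, head_off=HEAD_OFF):
    """List walk: follows flink from the head, so unlinked records are invisible."""
    out, seen = [], set()
    off = read_rec(mem, head_off)["flink"]
    while off != head_off and off not in seen:   # guard against a corrupted cycle
        seen.add(off)
        r = read_rec(mem, off)
        out.append(r)
        off = r["flink"]
    return out


def psscan(mem, align=0x10):
    """Signature scan: finds every record carrying the pool tag, linked or not."""
    return [read_rec(mem, off)
            for off in range(0, len(mem) - REC.size + 1, align)
            if mem[off:off + 4] == TAG]


def hidden_processes(mem, head_off=HEAD_OFF):
    """Cross-view check: present in the scan but absent from the list walk."""
    listed = {r["off"] for r in pslist(mem, head_off)}
    return [r for r in psscan(mem) if r["off"] not in listed]


def find_by_pid(mem, pid, head_off=HEAD_OFF):
    """What a pid-based lookup over the linked list can see (None if unlinked)."""
    return next((r for r in pslist(mem, head_off) if r["pid"] == pid), None)


def dump_by_offset(mem, off):
    """Address the record directly by physical offset, as procexedump -o does."""
    r = read_rec(mem, off)
    if r["tag"] != TAG:
        raise ValueError("no process record at 0x%x" % off)
    return r


# Constructed sample table, modelled on the thread: pids and names are illustrative.
SAMPLE_PROCS = [(4, "System"), (1136, "explorer.exe"), (1336, "1_doc_RCData_61")]


def sample_image():
    mem = build_image(SAMPLE_PROCS)
    unlink(mem, BASE + 2 * STRIDE)   # hide the third record (pid 1336) at 0x280
    return mem


if __name__ == "__main__":
    mem = sample_image()
    print("pslist :", [(r["pid"], r["name"]) for r in pslist(mem)])
    print("psscan :", [(hex(r["off"]), r["pid"], r["name"]) for r in psscan(mem)])
    print("hidden :", [(hex(r["off"]), r["pid"]) for r in hidden_processes(mem)])
    print("by pid :", find_by_pid(mem, 1336))
    print("by off :", dump_by_offset(mem, 0x280)["name"])
```

Running it shows pid 1336 missing from the list walk but present in the scan, and that once the scan has given its physical offset the record can be read directly; that is exactly why the reply suggests psscan followed by `-o <offset>` instead of `-p <pid>`. The `seen` guard in `pslist` is worth keeping in any real list walker, since a corrupted or malicious list can otherwise loop forever.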