Hi All,<br><br>i&#39;m new to Volatility, i was trying to analyze a spyeye sample, and while running apihooks i got the below output, it looks like there is inline api hook and i see jump into this 0xba.....location.... i would like to know the DLL that is associated with a JMP, in this case it shows unknown............how can i determine the dll? and how can dump the dll from the memory?.....any information would be helpful, sorry this could be a stupid question.<br>
<br><br>VMwareUser.exe[636]              inline   wininet.dll!InternetReadFile[0x7806abb4] 0x7806abb4 JMP 0xbaf140c (UNKNOWN)<br>VMwareUser.exe[636]              inline   wininet.dll!InternetReadFileExA[0x78082ae2] 0x78082ae2 JMP 0xbaf1526 (UNKNOWN)<br>
VMwareUser.exe[636]              inline   wininet.dll!InternetWriteFile[0x78073645] 0x78073645 JMP 0xbaf2d4b (UNKNOWN)<br>VMwareUser.exe[636]              inline   ntdll.dll!NtEnumerateValueKey[0x7c90d2d0] 0x7c90d2d0 JMP 0xbadac6c (UNKNOWN)<br>
VMwareUser.exe[636]              inline   ntdll.dll!NtQueryDirectoryFile[0x7c90d750] 0x7c90d750 JMP 0xbae4f20 (UNKNOWN)<br>VMwareUser.exe[636]              inline   ntdll.dll!NtResumeThread[0x7c90db20]     0x7c90db20 JMP 0xbaf625c (UNKNOWN)<br>
VMwareUser.exe[636]              inline   ntdll.dll!NtSetInformationFile[0x7c90dc40] 0x7c90dc40 JMP 0xbada9b6 (UNKNOWN)<br>VMwareUser.exe[636]              inline   ntdll.dll!NtVdmControl[0x7c90df00]       0x7c90df00 JMP 0xbae4fd6 (UNKNOWN)<br>
VMwareUser.exe[636]              inline   ntdll.dll!ZwEnumerateValueKey[0x7c90d2d0] 0x7c90d2d0 JMP 0xbadac6c (UNKNOWN)<br>VMwareUser.exe[636]              inline   ntdll.dll!ZwQueryDirectoryFile[0x7c90d750] 0x7c90d750 JMP 0xbae4f20 (UNKNOWN)<br>
VMwareUser.exe[636]              inline   ntdll.dll!ZwResumeThread[0x7c90db20]     0x7c90db20 JMP 0xbaf625c (UNKNOWN)<br>VMwareUser.exe[636]              inline   ntdll.dll!ZwSetInformationFile[0x7c90dc40] 0x7c90dc40 JMP 0xbada9b6 (UNKNOWN)<br>
VMwareUser.exe[636]              inline   ntdll.dll!ZwVdmControl[0x7c90df00]       0x7c90df00 JMP 0xbae4fd6 (UNKNOWN)<br>VMwareUser.exe[636]              inline   crypt32.dll!PFXImportCertStore[0x77aeff8f] 0x77aeff8f JMP 0xbae0b02 (UNKNOWN)<br>
VMwareUser.exe[636]              inline   user32.dll!TranslateMessage[0x7e418bf6]  0x7e418bf6 JMP 0xbadc47f (UNKNOWN)<br>VMwareUser.exe[636]              inline   advapi32.dll!CryptEncrypt[0x77dee340]    0x77dee340 JMP 0xbaeda23 (UNKNOWN)<br>
VMwareUser.exe[636]              inline   ws2_32.dll!send[0x71ab4c27]              0x71ab4c27 JMP 0xbaee35d (UNKNOWN)<br>ctfmon.exe[768]                  inline   ntdll.dll!NtClose[0x7c90cfd0]            0x7c90cfd0 JMP 0xa003b2 (UNKNOWN)<br>
ctfmon.exe[768]                  inline   ntdll.dll!ZwClose[0x7c90cfd0]            0x7c90cfd0 JMP 0xa003b2 (UNKNOWN)<br>wmiprvse.exe[1876]               inline   ntdll.dll!NtEnumerateValueKey[0x7c90d2d0] 0x7c90d2d0 JMP 0xbadac6c (UNKNOWN)<br>
wmiprvse.exe[1876]               inline   ntdll.dll!NtQueryDirectoryFile[0x7c90d750] 0x7c90d750 JMP 0xbae4f20 (UNKNOWN)<br>wmiprvse.exe[1876]               inline   ntdll.dll!NtResumeThread[0x7c90db20]     0x7c90db20 JMP 0xbaf625c (UNKNOWN)<br>
wmiprvse.exe[1876]               inline   ntdll.dll!NtSetInformationFile[0x7c90dc40] 0x7c90dc40 JMP 0xbada9b6 (UNKNOWN)<br>wmiprvse.exe[1876]               inline   ntdll.dll!NtVdmControl[0x7c90df00]       0x7c90df00 JMP 0xbae4fd6 (UNKNOWN)<br>
wmiprvse.exe[1876]               inline   ntdll.dll!ZwEnumerateValueKey[0x7c90d2d0] 0x7c90d2d0 JMP 0xbadac6c (UNKNOWN)<br><br>Thanks<br><span class="gI"><span class="ik"></span></span><br>