Hey Michael,
thank you for your help.
I wasn’t aware that a process must be linked in the PsActiveProcessHead list to be dumped with the procexedump plugin.
1_doc_RCData_61 has PID 1336, detected with psscan, but Volatility makes no further use of it, right?
The dumping with the offset specified works well. Interestingly, Kaspersky did not nag while the file was written…
Regards
Michael
From: Michael Hale Ligh [mailto:michael.hale@gmail.com]
Sent: Monday, 15 August 2011 14:35
To: Michael Felber
Cc: vol-users@volatilityfoundation.org
Subject: Re: [Vol-users] unable to extract process 1336 from prolaco-image
Michael,
If the process you want to extract is unlinked from the PsActiveProcessHead list, then you can't identify it by pid. Try identifying it by physical offset:
$ python vol.py -f ../prolaco.vmem psscan
0x0113f648 1_doc_RCData_61 1336 1136 0x06cc0340 2010-08-11 16:50:20
$ python vol.py -f ../prolaco.vmem procexedump -o 0x0113f648 -D out/
************************************************************************
Dumping 1_doc_RCData_61, pid: 1336 output: executable.1336.exe
MHL
On Mon, Aug 15, 2011 at 5:57 AM, Michael Felber <MichaelFelber@gmx.net> wrote:
Hi,
I have tried to extract the process 1336 (1_doc_RCData_61) from the prolaco image provided at http://malwarecookbook.googlecode.com/svn-history/r26/trunk/15/6/prolaco.vmem.zip
Neither procexedump nor procmemdump worked for this process, although they did for every other one.
What went wrong?
Regards
Michael
_______________________________________________
Vol-users mailing list
Vol-users@volatilesystems.com
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
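The check behind MHL's answer, as an added example that is not part of this thread and not Volatility's own code: pslist walks the PsActiveProcessHead list, so a process that has been unlinked from it never appears there, while psscan carves _EPROCESS structures out of physical memory by pool tag and reports their physical offset. Diffing the two outputs flags the unlinked candidates, and the physical offset from the psscan row is what procexedump -o needs. The pslist and psscan tables below are constructed sample output in the Volatility 2.x column layout; only the 1_doc_RCData_61 row reproduces the line quoted above, every other offset and PDB value is made up.

```python
"""Cross-check Volatility 2.x pslist and psscan output (constructed samples)
for processes that are not linked in PsActiveProcessHead, and build the
procexedump command that dumps such a process by physical offset."""
import re
import shlex

# Constructed pslist output: virtual offsets, list walk of PsActiveProcessHead.
PSLIST_OUTPUT = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0x823c8830 System                    4      0     55      244 ------      0
0x81e1a020 explorer.exe           1136   1108     11      350      0      0 2010-08-11 16:49:58
0x81f4d3c8 svchost.exe             884    672      9      203      0      0 2010-08-11 16:48:40
"""

# Constructed psscan output: physical offsets, pool-tag scan of the whole image.
# The 1_doc_RCData_61 row is the one quoted in the thread; the rest is invented.
PSSCAN_OUTPUT = """\
Offset(P)  Name                PID   PPID PDB        Time created             Time exited
---------- ---------------- ------ ------ ---------- ------------------------ ------------------------
0x01bc8830 System                4      0 0x00319000 2010-08-11 16:48:31
0x0113f648 1_doc_RCData_61    1336   1136 0x06cc0340 2010-08-11 16:50:20
0x0121a020 explorer.exe       1136   1108 0x06a40240 2010-08-11 16:49:58
0x0174d3c8 svchost.exe         884    672 0x06b20180 2010-08-11 16:48:40
"""

# Both tables start each data row with: offset, name, pid, ppid.
ROW_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(\d+)\s+(\d+)")


def parse_process_rows(text):
    """Return a list of (name, pid, offset) tuples from a pslist/psscan table.
    Header and separator lines do not start with 0x and are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            offset, name, pid, _ppid = m.groups()
            rows.append((name, int(pid), int(offset, 16)))
    return rows


def hidden_processes(pslist_text, psscan_text):
    """(name, pid, physical offset) for every psscan row with no matching
    (name, pid) in pslist. These are candidates for processes unlinked from
    PsActiveProcessHead; exited processes whose _EPROCESS has not been
    reused also show up here, so the time-exited column should be checked."""
    linked = {(name, pid) for name, pid, _off in parse_process_rows(pslist_text)}
    return sorted(row for row in parse_process_rows(psscan_text)
                  if (row[0], row[1]) not in linked)


def procexedump_command(psscan_text, pid, image="prolaco.vmem", outdir="out/"):
    """Build the dump command MHL suggests, keyed on the physical offset of the
    first psscan row with the given pid. Raises KeyError if psscan lacks it."""
    for _name, row_pid, offset in parse_process_rows(psscan_text):
        if row_pid == pid:
            return "python vol.py -f %s procexedump -o 0x%08x -D %s" % (
                shlex.quote(image), offset, shlex.quote(outdir))
    raise KeyError("pid %d not found in psscan output" % pid)


if __name__ == "__main__":
    for name, pid, off in hidden_processes(PSLIST_OUTPUT, PSSCAN_OUTPUT):
        print("not in pslist: pid %d (%s) at physical offset 0x%08x" % (pid, name, off))
        print("  " + procexedump_command(PSSCAN_OUTPUT, pid))
```

On real output, feed the script the text of `vol.py pslist` and `vol.py psscan` instead of the constructed strings; rows that psscan reports with a "Time exited" value are normal terminated processes, not unlinked ones, which is why the lead-in and the comment ask you to check that column before treating a difference as hiding.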