I am not sure I fully understand the question. So you see
strings/patterns in the procmemdump output that are not in the dlldump
output? If so that simply means the data is in another region of the
process's memory.
To find which region actually holds the strings, you have a few options:
1) You can use vaddump to write out individual files for each mapping
and then search over those files. The filenames of the files written
by vaddump contain the starting and ending address of the region,
and you can use vadinfo to determine which file (if any) was mapped at
that region.
2) You can use yarascan with the -p flag set to scan memory of the
particular process looking for your pattern(s).
----
It is very possible that the domain names you mentioned seeing are
associated with code in the DLL but stored in dynamically allocated
memory. In that case they would not be in the same region as the DLL.
Also, if you are using strings from Linux, be sure to always use the
-a flag. If you run strings over a recognized file format (such as
.exe or .dll) and do not have the -a flag set, then strings will only
look at sections it thinks hold 'strings'/data. Not using -a can lead
to discrepancies when analyzing raw blobs from procmemdump vs. the
structured file that dlldump gives you.
On Sat, Dec 7, 2013 at 6:47 AM, James Lay <jlay(a)slave-tothe-box.net> wrote:
Thanks Andrew,
I gave that a go…I have the DLL, but it’s not matching what I have from procmemdump…I’m
certain I’m not understanding something there, and not something to do with volatility.
Is there a different way to find out what else is going on from a single PID mem dump?
Thank you.
James
On Dec 6, 2013, at 10:56 PM, Andrew Case <atcuno(a)gmail.com> wrote:
You can use dlldump as:
python vol.py dlldump -p 3100 -b 0x10000000 -D dumpdir
On Fri, Dec 6, 2013 at 4:22 PM, James Lay <jlay(a)slave-tothe-box.net> wrote:
> So here's what I got...regsvr32.exe was run as shown below:
>
> Offset(V)  Name          PID   PPID   Thds  Hnds  Sess  Wow64  Start                          Exit
> ---------- ------------- ----- ------ ----- ----- ----- ------ ------------------------------ ------------------------------
> 0x893614e0 regsvr32.exe  3100  2564   5     97    0     0      2013-12-06 18:28:51 UTC+0000
>
> Offset(P)  Name          PID   pslist psscan thrdproc pspcid csrss session deskthrd
> ---------- ------------- ----- ------ ------ -------- ------ ----- ------- --------
> 0x093614e0 regsvr32.exe  3100  True   True   False    True   True  True    False
>
>
> regsvr32.exe pid: 3100
> Command line : regsvr32.exe "C:\Documents and Settings\user\Local
> Settings\Application Data\YrqdPack\normalPaddlg.dll"
> Service Pack 3
>
> Base Size LoadCount Path
> ---------- ---------- ---------- ----
> 0x10000000 0x9000 0x1 C:\Documents and Settings\user\Local
> Settings\Application Data\YrqdPack\normalPaddlg.dll
>
> I've dumped pid 3100 to a dmp file with procmemdump. I ran strings on 3100.dmp and
> I see what I'm looking for (domain names that match a packet capture). I'm
> trying to extract that running dll from the 3100.dmp file, which is around
> 200 megs. Any help would be awesome..thank you.
>
> James
>
>
> _______________________________________________
> Vol-users mailing list
> Vol-users(a)volatilityfoundation.org
>
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
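The following is an added example, not part of the thread and not Volatility's own code. It automates option 1) from Andrew's reply: walk a vaddump output directory, parse each region's start/end address out of the filename, search every region for a pattern, and report the virtual address of each hit and whether it falls inside the DLL image (base 0x10000000, size 0x9000 from the dlllist output above) or in some other allocation. It assumes the Volatility 2.x vaddump filename format `<process>.<offset>.<start>-<end>.dmp`; the dump contents and the domain `evil.example.test` are constructed sample data. Like `strings -a`, it reads the whole blob rather than trusting any file-format headers, and it searches for both ASCII and UTF-16LE encodings, since Windows code frequently keeps strings as wide characters that plain `strings` does not print without `-el`.

```python
"""Find which vaddump region of a process holds a string pattern.

Added example (not from the thread or from Volatility). Assumes the
Volatility 2.x vaddump naming scheme <process>.<offset>.<start>-<end>.dmp,
e.g. regsvr32.exe.893614e0.10000000-10008fff.dmp. The DLL base/size are
taken from the dlllist output in the thread; dump bytes and the domain
name below are constructed sample data.
"""
import os
import re
import tempfile

DLL_BASE = 0x10000000  # normalPaddlg.dll base from dlllist
DLL_SIZE = 0x9000      # normalPaddlg.dll size from dlllist

# Assumed vaddump filename format: process.offset.start-end.dmp
NAME_RE = re.compile(
    r"^(?P<proc>.+?)\.(?P<off>[0-9a-f]+)\."
    r"(?P<start>[0-9a-f]{8})-(?P<end>[0-9a-f]{8})\.dmp$", re.I)


def parse_vaddump_name(name):
    """Return (start_va, end_va) parsed from a vaddump filename, or None."""
    m = NAME_RE.match(name)
    if not m:
        return None
    return int(m.group("start"), 16), int(m.group("end"), 16)


def find_all(data, needle):
    """All offsets of needle in data (simple non-regex byte search)."""
    hits, i = [], data.find(needle)
    while i != -1:
        hits.append(i)
        i = data.find(needle, i + 1)
    return hits


def scan_region(path, pattern):
    """Search one dumped region for pattern as ASCII and as UTF-16LE.

    Each hit records the virtual address (region start + file offset) and
    whether that address lies inside the DLL image mapping.
    """
    rng = parse_vaddump_name(os.path.basename(path))
    if rng is None:
        return []
    start, end = rng
    with open(path, "rb") as f:
        data = f.read()  # whole blob, no header parsing (like strings -a)
    hits = []
    encodings = (("ascii", pattern.encode("ascii")),
                 ("utf-16le", pattern.encode("utf-16-le")))
    for enc, needle in encodings:
        for off in find_all(data, needle):
            va = start + off
            hits.append({
                "file": os.path.basename(path),
                "region": (start, end),
                "va": va,
                "encoding": enc,
                "in_dll_image": DLL_BASE <= va < DLL_BASE + DLL_SIZE,
            })
    return hits


def scan_dir(dumpdir, pattern):
    """Scan every .dmp file written by vaddump -D dumpdir for pattern."""
    hits = []
    for name in sorted(os.listdir(dumpdir)):
        if name.lower().endswith(".dmp"):
            hits.extend(scan_region(os.path.join(dumpdir, name), pattern))
    return hits


def build_sample_dir():
    """Constructed sample: three fake regions for PID 3100.

    Only the heap-like region at 0x00350000 contains the domain (once as
    ASCII, once as UTF-16LE); the DLL image region does not.
    """
    d = tempfile.mkdtemp(prefix="vaddump-")
    dom = "evil.example.test"  # constructed, not from the thread
    regions = {
        "regsvr32.exe.893614e0.10000000-10008fff.dmp":
            b"MZ" + b"\x00" * 0x100 + b"This program cannot be run in DOS mode"
            + b"\x00" * 0x40,
        "regsvr32.exe.893614e0.00350000-0035ffff.dmp":
            b"\x00" * 0x2f0 + dom.encode("ascii") + b"\x00" + b"\x00" * 0x100
            + dom.encode("utf-16-le") + b"\x00" * 0x20,
        "regsvr32.exe.893614e0.7c900000-7c9affff.dmp": b"\x00" * 0x80,
    }
    for name, blob in regions.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(blob)
    return d


if __name__ == "__main__":
    for h in scan_dir(build_sample_dir(), "evil.example.test"):
        where = "DLL image" if h["in_dll_image"] else "other allocation"
        print("%s  va=0x%08x  %-8s  %s" % (h["file"], h["va"], h["encoding"], where))
```

On a real case, point `scan_dir` at the directory given to `vaddump -p 3100 -D ...` and pass the domain seen in the packet capture; take the region start/end of each hit to `vadinfo -p 3100` to see whether that VAD is file-backed (a mapped DLL) or a private allocation such as a heap, which is what Andrew's reply says would explain strings that appear in the procmemdump output but not in the dlldump output.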