There is also the thrdscan command and you can dt("_ETHREAD", ADDRESS)
in volshell. If you need help figuring out how the code is injected,
feel free to post a zip of the Pilleuz sample.
MHL
On Sun, Jun 24, 2012 at 4:54 PM, Michael Hale Ligh
<michael.hale(a)gmail.com> wrote:
On Sun, Jun 24, 2012 at 4:46 PM, Mike Lambert
<dragonforen(a)hotmail.com> wrote:
I am looking at a sample of the Pilleuz worm that
infects USB.
I ran malfind and was not successful extracting a sample.
Is there another option for extracting injected code?
It depends. How is the code injected?
Is there a way to dump threads?
You mean like the threads command?
> Thanks,
> Mike
>
>
> _______________________________________________
> Vol-users mailing list
> Vol-users(a)volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>
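Added illustration (not part of the thread and not Volatility's own code) of what thrdscan does in principle and why it helps when malfind comes up empty: it carves _ETHREAD objects out of raw memory by pool tag rather than walking process lists, so a thread whose start address points into memory that no loaded module backs still shows up. The object layout below is a deliberately simplified, constructed one (a 4-byte size field, the 4-byte tag, then four 32-bit fields), not real Windows offsets; the pool tag is the protected "Thre" tag Volatility's scanner keys on, and the module ranges and sample memory are constructed for the example. In a real image you would follow this with dt("_ETHREAD", ADDRESS) in volshell on the offsets the scan returns.

```python
import struct

# Protected form of the "Thre" pool tag (high bit set on the last byte),
# the pattern Volatility's thrdscan searches for in the raw address space.
POOL_TAG_THREAD = b"Thr\xe5"

# Constructed, simplified layout (NOT real Windows structure offsets):
#   header: <I block size, 4s pool tag
#   body:   <I pid, <I tid, <I StartAddress, <I Win32StartAddress
HDR = struct.Struct("<I4s")
BODY = struct.Struct("<IIII")


def build_thread_object(pid, tid, start, win32_start):
    """Serialise one fake pool-allocated thread object (constructed test data)."""
    return HDR.pack(HDR.size + BODY.size, POOL_TAG_THREAD) + BODY.pack(pid, tid, start, win32_start)


def scan_threads(mem):
    """Carve thread objects by pool tag, the way thrdscan does, ignoring hits
    too close to the end of the buffer to hold a whole object."""
    found = []
    off = mem.find(POOL_TAG_THREAD)
    while off != -1:
        body_off = off + 4
        if body_off + BODY.size <= len(mem):
            pid, tid, start, w32 = BODY.unpack_from(mem, body_off)
            found.append({
                "offset": off - 4,  # start of the (simplified) pool header
                "pid": pid, "tid": tid,
                "start": start, "win32_start": w32,
            })
        off = mem.find(POOL_TAG_THREAD, off + 1)
    return found


def flag_unbacked_threads(threads, module_ranges):
    """Defender's check: a Win32StartAddress outside every loaded module is
    the classic sign of a thread created on injected code."""
    def in_module(addr):
        return any(lo <= addr < hi for lo, hi in module_ranges)
    return [t for t in threads if not in_module(t["win32_start"])]


# Constructed module map: one system DLL range and the process image range.
MODULES = [(0x77E00000, 0x77F00000), (0x00400000, 0x00410000)]


def build_sample_memory():
    """Constructed 'memory': two thread objects, one normal and one whose
    start address lies in an unbacked region, plus a truncated tag at the end."""
    filler = b"\x00" * 64
    mem = filler + build_thread_object(1234, 1, 0x77E00000, 0x77E01000) + filler
    mem += build_thread_object(1234, 2, 0x77E00000, 0x00AB0000) + filler
    mem += POOL_TAG_THREAD + b"\x01"  # partial object at end of buffer, must be skipped
    return mem


def demo():
    threads = scan_threads(build_sample_memory())
    return threads, flag_unbacked_threads(threads, MODULES)


if __name__ == "__main__":
    all_threads, suspicious = demo()
    for t in all_threads:
        print("thread at 0x%x pid=%d tid=%d win32_start=0x%x" % (t["offset"], t["pid"], t["tid"], t["win32_start"]))
    print("threads starting outside any module:", [t["tid"] for t in suspicious])
```

The same start-address comparison is what you would do by hand after thrdscan: take each _ETHREAD's Win32StartAddress and check it against the process's module list; the ones with no backing module are the candidates to dump and inspect.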