[Vol-users] Malfind and impscan questions

I have a memory dump of a Windows XP box with a piece of malware running in it. In the course of running malfind on the image, there are eight responses, two of which are below (A and B). After the malfind command, I run the impscan command to look at the imports: python vol.py impscan -p 820 -b 0x1f00000 python vol.py impscan -p 820 -b 0x01f50010 The response to the first impscan command is what I expected (see C below). The response to the second impscan command (see D below) is not what I expected at all - no imports? I also ran impscan on the address 0x01f50012 based on the results from the malfind command (see D below) as I figured that I wanted to dump the dll starting on the beginning of the MZ header. But neither address produced any imports - I'm not sure where to go from here. I'm very new at this; any help would be greatly appreciated. My end goal is to take this piece of malware, which looks to have injected several dll's into a process, dump out each dll, then have them reverse engineered. Thanks- A. Process: xxxxxx.exe Pid: 820 Address: 0x1f00000 Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE Flags: CommitCharge: 9, PrivateMemory: 1, Protection: 6 0x01f00000 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ.............. 0x01f00010 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@....... 0x01f00020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x01f00030 00 00 00 00 00 00 00 00 00 00 00 00 c8 00 00 00 ................ 0x1f00000 4d DEC EBP 0x1f00001 5a POP EDX 0x1f00002 90 NOP 0x1f00003 0003 ADD [EBX], AL 0x1f00005 0000 ADD [EAX], AL 0x1f00007 000400 ADD [EAX+EAX], AL 0x1f0000a 0000 ADD [EAX], AL 0x1f0000c ff DB 0xff 0x1f0000d ff00 INC DWORD [EAX] 0x1f0000f 00b800000000 ADD [EAX+0x0], BH 0x1f00015 0000 ADD [EAX], AL 0x1f00017 004000 ADD [EAX+0x0], AL 0x1f0001a 0000 ADD [EAX], AL 0x1f0001c 0000 ADD [EAX], AL 0x1f0001e 0000 ADD [EAX], AL 0x1f00020 0000 ADD [EAX], AL 0x1f00022 0000 ADD [EAX], AL 0x1f00024 0000 ADD [EAX], AL 0x1f00026 0000 ADD [EAX], AL 0x1f00028 0000 ADD [EAX], AL 0x1f0002a 0000 ADD [EAX], AL 0x1f0002c 0000 ADD [EAX], AL 0x1f0002e 0000 ADD [EAX], AL 0x1f00030 0000 ADD [EAX], AL 0x1f00032 0000 ADD [EAX], AL 0x1f00034 0000 ADD [EAX], AL 0x1f00036 0000 ADD [EAX], AL 0x1f00038 0000 ADD [EAX], AL 0x1f0003a 0000 ADD [EAX], AL 0x1f0003c c8000000 ENTER 0x0, 0x0 B. Process: XXXXXX.exe Pid: 820 Address: 0x1f50000 Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE Flags: CommitCharge: 59, MemCommit: 1, PrivateMemory: 1, Protection: 6 0x01f50000 4c 1b cd 25 00 00 09 e8 16 4f 9e 7e cd 25 00 00 L..%.....O.~.%.. 0x01f50010 00 00 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff ..MZ............ 0x01f50020 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 ..........@..... 0x01f50030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x1f50000 4c DEC ESP 0x1f50001 1bcd SBB ECX, EBP 0x1f50003 25000009e8 AND EAX, 0xe8090000 0x1f50008 16 PUSH SS 0x1f50009 4f DEC EDI 0x1f5000a 9e SAHF 0x1f5000b 7ecd JLE 0x1f4ffda 0x1f5000d 2500000000 AND EAX, 0x0 *0x1f50012 4d DEC EBP0x1f50013 5a POP EDX* 0x1f50014 90 NOP 0x1f50015 0003 ADD [EBX], AL 0x1f50017 0000 ADD [EAX], AL 0x1f50019 000400 ADD [EAX+EAX], AL 0x1f5001c 0000 ADD [EAX], AL 0x1f5001e ff DB 0xff 0x1f5001f ff00 INC DWORD [EAX] 0x1f50021 00b800000000 ADD [EAX+0x0], BH 0x1f50027 0000 ADD [EAX], AL 0x1f50029 004000 ADD [EAX+0x0], AL 0x1f5002c 0000 ADD [EAX], AL ................. ................ C. python vol.py impscan -p 9820 -b 0x01f00000 Volatility Foundation Volatility Framework 2.3.1 IAT Call Module Function ------------------ ------------------ -------------------- -------- 0x0000000001f07d10 0x0000000076cf2c70 kernel32.dll HeapFree 0x0000000001f07d18 0x0000000076cf2d60 kernel32.dll GetProcessHeap 0x0000000001f07d20 0x0000000076e41b70 kernel32.dll HeapAlloc D. python vol.py impscan -p 820 -b 0x01f50010 Volatility Foundation Volatility Framework 2.3.1 IAT Call Module Function ------------------ ------------------ -------------------- -------- E. python vol.py impscan -p 820 -b 0x01f50012 Volatility Foundation Volatility Framework 2.3.1 IAT Call Module Function ------------------ ------------------ -------------------- --------