First I'd make sure the process hasn't exited (look at its ExitTime; the number of threads should be >= 1, and the handle count should be non-zero).

If the PEB is unreadable, you need to find the process exe's base address another way. Use vadinfo, look for the exe's path, and get the base address from there. Then pass it to dlldump --base=BASEADDR.
MHL
On 12/9/14 9:34 AM, Dave Nardoni wrote:
I have some processes listed in pslist and psscan that are unable to be dumped using procdump by either the PID or the offset. Are there other approaches that can be used to dump these processes? Not in front of a computer right now, but the error was something like "unable to parse the PEB".

I can get the exact error message later if it helps. All other plugins work just fine, so the memory image is not in question.
Sent from my iPhone
Dnardoni(a)gmail.com
_______________________________________________
Vol-users mailing list Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
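A worked example of the procedure MHL describes, added here and not taken from the thread or from the Volatility project: it parses pslist and vadinfo text in the Volatility 2 output layout, applies the liveness checks (ExitTime, thread count, handle count), takes the base address from the VAD backed by the exe's path, and builds the dlldump --base command. The sample rows, addresses and the ./dumps directory are constructed.

```python
import re
# Constructed sample in the layout of Volatility 2 pslist and vadinfo output (not a real image).
PSLIST = """\
Offset(V)  Name         PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- ------------ ----- ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x81f9d9a0 suspect.exe   1234    584      0 --------      0      0 2014-12-09 14:10:00 UTC+0000   2014-12-09 14:12:00 UTC+0000
0x81e2c020 notepad.exe   2048    584      2       41      0      0 2014-12-09 14:11:00 UTC+0000
"""
VADINFO = """\
VAD node @ 0x81f7e420 Start 0x01000000 End 0x0100afff Tag Vad
FileObject @81f2c3f8, Name: \\WINDOWS\\system32\\notepad.exe
VAD node @ 0x81f7e4a0 Start 0x7c800000 End 0x7c8f5fff Tag Vad
FileObject @81f2c440, Name: \\WINDOWS\\system32\\kernel32.dll
"""
TIME = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC[+-]\d{4}"
# Columns: Offset(V) Name PID PPID Thds Hnds Sess Wow64 [Start] [Exit]; Hnds is "--------" once the table is gone.
ROW = re.compile(r"^(0x[0-9a-f]+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+\S+\s+\d+"
                 r"(?:\s+(%s))?(?:\s+(%s))?\s*$" % (TIME, TIME))
VAD_START = re.compile(r"^VAD node @ 0x[0-9a-f]+ Start (0x[0-9a-f]+) End")
FILE_OBJ = re.compile(r"^FileObject @[0-9a-f]+, Name: (.+?)\s*$")

def check_process(pslist_text, pid):
    """Return (name, reason): reason is None when the process still looks alive."""
    for line in pslist_text.splitlines():
        m = ROW.match(line)
        if m and int(m.group(3)) == pid:
            name, thds, hnds, exit_time = m.group(2), int(m.group(5)), m.group(6), m.group(8)
            if exit_time:
                return name, "ExitTime set: " + exit_time
            if thds < 1 or not hnds.isdigit() or int(hnds) == 0:
                return name, "no threads or no handle table"
            return name, None
    raise KeyError("pid %d not in pslist" % pid)

def exe_base_from_vadinfo(vadinfo_text, exe_name):
    """Walk vadinfo, remember each VAD's Start, and return the one whose backing file is exe_name."""
    start = None
    for line in vadinfo_text.splitlines():
        m = VAD_START.match(line)
        if m:
            start = int(m.group(1), 16)
        m = FILE_OBJ.match(line)
        if m and m.group(1).rsplit("\\", 1)[-1].lower() == exe_name.lower():
            return start
    return None

def dlldump_command(pslist_text, vadinfo_text, pid, dump_dir="./dumps"):
    """Build the dlldump invocation, or None if the process is dead or no VAD maps its exe."""
    name, reason = check_process(pslist_text, pid)
    base = None if reason else exe_base_from_vadinfo(vadinfo_text, name)
    if base is None:
        return None
    return "vol.py dlldump -p %d --base=0x%08x -D %s" % (pid, base, dump_dir)
```

Run against real output by reading the saved pslist and vadinfo text files for the profile and image in use; a None result means procdump was failing for a reason a different base address will not fix.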