Re: [Vol-users] moddump related

Thanks for the help and that was what I was looking for. Corey Harrell "Journey into Incident Response" http://journeyintoir.blogspot.com/ ________________________________ From: Michael Hale Ligh <michael.hale(a)gmail.com> To: Corey Harrell <corey_harrell(a)yahoo.com> Cc: "vol-users(a)volatilityfoundation.org" <vol-users(a)volatilityfoundation.org> Sent: Tuesday, March 12, 2013 3:29 PM Subject: Re: [Vol-users] moddump related Corey,  There are two ways to accomplish this: $ python vol.py moddump -h ..... -r REGEX, --regex=REGEX                         Dump modules matching REGEX -i, --ignore-case     Ignore case in pattern match -b BASE, --base=BASE  Dump driver with BASE address (in hex) --------------------------------- Module ModDump --------------------------------- Dump a kernel driver to an executable file sample The --offset parameter was renamed to --base so it doesn't conflict with other plugins that use --offset for different purposes.  So you can supply --base=BASEADDRESS or you can do --regex=REGEX (with or without --ignore-case).  MHL On Tue, Mar 12, 2013 at 1:01 PM, Corey Harrell <corey_harrell(a)yahoo.com> wrote: I apologize in advanced if I'm overlooking something. I'm using the Windows binary of Volatility 2.2 on a Windows 7 platform. Could someone tell me how I can extract a certain driver using the offset? _______________________________________________ Vol-users mailing list Vol-users(a)volatilesystems.com http://lists.volatilityfoundation.org/mailman/listinfo/vol-users