Thanks Andrew,
I gave that a go…I have the DLL, but it’s not matching what I have from procmemdump…I’m
certain I’m not understanding something there, and not something to do with Volatility.
Is there a different way to find out what else is going on from a single PID mem dump?
Thank you.
James
On Dec 6, 2013, at 10:56 PM, Andrew Case <atcuno(a)gmail.com> wrote:
You can use dlldump as:
python vol.py dlldump -p 3100 -b 0x10000000 -D dumpdir
On Fri, Dec 6, 2013 at 4:22 PM, James Lay <jlay(a)slave-tothe-box.net> wrote:
> So here's what I got...regsvr32.exe was run as seen below:
>
> Offset(V)  Name                 PID    PPID   Thds   Hnds     Sess   Wow64  Start                          Exit
> ---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
> 0x893614e0 regsvr32.exe         3100   2564   5      97       0      0      2013-12-06 18:28:51 UTC+0000
>
> Offset(P)  Name                 PID    pslist psscan thrdproc pspcid csrss session deskthrd
> ---------- -------------------- ------ ------ ------ -------- ------ ----- ------- --------
> 0x093614e0 regsvr32.exe         3100   True   True   False    True   True  True    False
>
>
> regsvr32.exe pid: 3100
> Command line : regsvr32.exe "C:\Documents and Settings\user\Local Settings\Application Data\YrqdPack\normalPaddlg.dll"
> Service Pack 3
>
> Base       Size       LoadCount  Path
> ---------- ---------- ---------- ----
> 0x10000000 0x9000     0x1        C:\Documents and Settings\user\Local Settings\Application Data\YrqdPack\normalPaddlg.dll
>
> I dumped pid 3100 to a dmp file with procmemdump. I strings 3100.dmp and
> I see what I'm looking for (domain names that match a packet capture). I'm
> trying to extract that running dll from the 3100.dmp file, which is around
> 200 megs. Any help would be awesome.. thank you.
>
> James
>
>
> _______________________________________________
> Vol-users mailing list
> Vol-users(a)volatilityfoundation.org
>
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
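An added example, my own code rather than Volatility's or anything posted in this thread, that shows the mechanism behind dlldump and why a DLL rebuilt from memory cannot byte-match bytes carved straight out of a process memory dump. It walks a flat dump for MZ/PE headers, reads each image's base and section table, rebuilds a module in file layout the way dlldump does (sections moved from their page-aligned RVAs back to their file offsets), and ties a string found in the dump back to the module section it lives in, which is one way to see what else a single-PID dump holds. The sample dump is constructed: the section names, the string c2.example.invalid and the decoy MZ are hypothetical, the 0x10000000 base is borrowed from the dlllist output above, and build_sample_dump, find_pe_headers, parse_pe, rebuild_file_layout and locate_string are names I chose.

```python
"""Find PE images in a raw process memory dump and rebuild one in file layout.

Added example, not Volatility code. A mapped DLL is laid out by SectionAlignment
(normally 0x1000) while the file uses FileAlignment (normally 0x200), so bytes
carved straight out of a memory dump never byte-match the rebuilt file.
"""
import struct

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\x00\x00"

def find_pe_headers(dump):
    """Return offsets of every 'MZ' whose e_lfanew lands on a 'PE\\0\\0' signature."""
    hits, pos = [], dump.find(IMAGE_DOS_SIGNATURE)
    while pos != -1:
        if pos + 0x40 <= len(dump):
            e_lfanew = struct.unpack_from("<I", dump, pos + 0x3C)[0]
            nt = pos + e_lfanew
            # stray "MZ" bytes are common: require a plausible e_lfanew and the NT signature
            if 0x40 <= e_lfanew < 0x400 and dump[nt:nt + 4] == IMAGE_NT_SIGNATURE:
                hits.append(pos)
        pos = dump.find(IMAGE_DOS_SIGNATURE, pos + 1)
    return hits

def parse_pe(dump, off):
    """Parse the headers of the image at `off`: image base, sizes and section table."""
    nt = off + struct.unpack_from("<I", dump, off + 0x3C)[0]
    num_sections = struct.unpack_from("<H", dump, nt + 6)[0]
    opt_size = struct.unpack_from("<H", dump, nt + 20)[0]
    opt = nt + 24
    magic = struct.unpack_from("<H", dump, opt)[0]
    if magic == 0x10B:    # PE32: 4-byte ImageBase at +28
        image_base = struct.unpack_from("<I", dump, opt + 28)[0]
    elif magic == 0x20B:  # PE32+: 8-byte ImageBase at +24
        image_base = struct.unpack_from("<Q", dump, opt + 24)[0]
    else:
        raise ValueError("unsupported optional header magic 0x%x" % magic)
    # SizeOfImage and SizeOfHeaders sit at the same offsets in PE32 and PE32+
    size_of_image, size_of_headers = struct.unpack_from("<II", dump, opt + 56)
    sections = []
    for i in range(num_sections):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", dump, opt + opt_size + i * 40)
        sections.append({"name": name.rstrip(b"\x00").decode("ascii", "replace"), "virtual_size": vsize,
                         "virtual_address": va, "raw_size": raw_size, "raw_ptr": raw_ptr})
    return {"image_base": image_base, "size_of_image": size_of_image,
            "size_of_headers": size_of_headers, "sections": sections}

def rebuild_file_layout(dump, off):
    """Copy each section from its in-memory RVA back to its on-disk file offset."""
    pe = parse_pe(dump, off)
    out = bytearray(dump[off:off + pe["size_of_headers"]])
    for s in pe["sections"]:
        start = off + s["virtual_address"]
        chunk = dump[start:start + s["raw_size"]]          # truncated if the dump ends early
        end = s["raw_ptr"] + len(chunk)
        if len(out) < end:
            out.extend(b"\x00" * (end - len(out)))
        out[s["raw_ptr"]:end] = chunk
    return bytes(out)

def locate_string(dump, off, needle):
    """Find `needle` inside the image at `off`; return (rva, section name) or None."""
    pe = parse_pe(dump, off)
    idx = dump.find(needle, off, off + pe["size_of_image"])
    if idx == -1:
        return None
    rva = idx - off
    for s in pe["sections"]:
        if s["virtual_address"] <= rva < s["virtual_address"] + max(s["virtual_size"], s["raw_size"]):
            return rva, s["name"]
    return rva, None

def build_sample_dump():
    """Construct a toy dump: padding, a decoy 'MZ', then a two-section PE32 DLL in memory layout."""
    sect_align, file_align = 0x1000, 0x200
    body = [(b".text", b"\x55\x8b\xec\x90\x90\xc3"), (b".data", b"c2.example.invalid\x00")]
    image = bytearray(sect_align * (len(body) + 1))           # headers page + one page per section
    image[0:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", image, 0x3C, 0x40)                 # e_lfanew
    image[0x40:0x44] = IMAGE_NT_SIGNATURE
    struct.pack_into("<HHIIIHH", image, 0x44, 0x14C, len(body), 0, 0, 0, 224, 0x2102)  # file header, DLL
    opt = 0x58
    struct.pack_into("<H", image, opt, 0x10B)                 # PE32 magic
    struct.pack_into("<I", image, opt + 28, 0x10000000)       # ImageBase, like the module in the thread
    struct.pack_into("<II", image, opt + 32, sect_align, file_align)
    struct.pack_into("<II", image, opt + 56, len(image), file_align)  # SizeOfImage, SizeOfHeaders
    for i, (name, data) in enumerate(body):
        va, raw_ptr = sect_align * (i + 1), file_align * (i + 1)
        struct.pack_into("<8sIIIIIIHHI", image, opt + 224 + i * 40,
                         name, len(data), va, file_align, raw_ptr, 0, 0, 0, 0, 0x60000020)
        image[va:va + len(data)] = data
    decoy = IMAGE_DOS_SIGNATURE + b"\x00" * 0x3E              # "MZ" with e_lfanew 0: must be skipped
    dump = bytes(0x100) + decoy + bytes(0x100 - len(decoy)) + bytes(image) + bytes(0x100)
    return dump, 0x200                                        # the real image starts at offset 0x200

SAMPLE_DUMP, SAMPLE_OFFSET = build_sample_dump()   # constructed input for the functions above
```

Even after rebuilding, the result still differs from the file on disk: imports resolved in memory and relocations applied by the loader stay as they were in memory, and pages that were not resident when the image was acquired cannot be recovered, so do not expect the rebuilt module to hash-match the original binary. Comparing section contents, or tying the domain strings back to the section they live in as locate_string does, is a more reliable way to confirm the module is the one of interest.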