You can use dlldump as:
python vol.py dlldump -p 3100 -b 0x10000000 -D dumpdir
On Fri, Dec 6, 2013 at 4:22 PM, James Lay <jlay(a)slave-tothe-box.net> wrote:
So here's what I got... regsvr32.exe was run as shown below:
Offset(V)  Name                 PID    PPID   Thds   Hnds     Sess   Wow64  Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x893614e0 regsvr32.exe         3100   2564   5      97       0      0      2013-12-06 18:28:51 UTC+0000

Offset(P)  Name                 PID    pslist psscan thrdproc pspcid csrss session deskthrd
---------- -------------------- ------ ------ ------ -------- ------ ----- ------- --------
0x093614e0 regsvr32.exe         3100   True   True   False    True   True  True    False
regsvr32.exe pid: 3100
Command line : regsvr32.exe "C:\Documents and Settings\user\Local Settings\Application Data\YrqdPack\normalPaddlg.dll"
Service Pack 3

Base       Size       LoadCount  Path
---------- ---------- ---------- ----
0x10000000 0x9000     0x1        C:\Documents and Settings\user\Local Settings\Application Data\YrqdPack\normalPaddlg.dll
I dumped pid 3100 to a dmp file with procmemdump. I ran strings on 3100.dmp and
I see what I'm looking for (domain names that match a packet capture). I'm
trying to extract that running DLL from the 3100.dmp file, which is around
200 megs. Any help would be awesome. Thank you.
James
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
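Added example, not Volatility's code and not from either poster: a small Python carver that does for one module what the dlldump command above does, namely finds the MZ/PE headers of a loaded DLL in a raw process dump, takes SizeOfImage bytes from the module base (the dlllist output shows base 0x10000000 and size 0x9000 for normalPaddlg.dll), and rewrites the section table from memory layout to file layout so the carved image opens in pefile, a disassembler or strings as an ordinary DLL. The sample dump and the DLL inside it are constructed fixtures; the marker string, the decoy "MZ" and the 64 MB size bound are assumptions of the example.

```python
"""Carve a loaded DLL image out of a raw process memory dump (added example)."""
import struct
import sys

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\x00\x00"
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
IMAGE_FILE_DLL = 0x2000
MAX_IMAGE_SIZE = 64 * 1024 * 1024  # sanity bound chosen for carving (assumption), not a PE limit


def parse_pe_header(buf, off):
    """Parse the DOS/NT headers at buf[off:]; return a dict or None if it is not a PE."""
    if off + 0x40 > len(buf) or buf[off:off + 2] != IMAGE_DOS_SIGNATURE:
        return None
    e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
    nt = off + e_lfanew
    # e_lfanew is small in real images; a huge value means this "MZ" is just data
    if e_lfanew > 0x1000 or nt + 24 > len(buf) or buf[nt:nt + 4] != IMAGE_NT_SIGNATURE:
        return None
    nsections = struct.unpack_from("<H", buf, nt + 6)[0]
    opt_size, characteristics = struct.unpack_from("<HH", buf, nt + 20)
    opt = nt + 24
    if opt_size < 64 or opt + opt_size > len(buf):
        return None
    magic = struct.unpack_from("<H", buf, opt)[0]
    if magic == PE32_MAGIC:
        image_base = struct.unpack_from("<I", buf, opt + 28)[0]
    elif magic == PE32PLUS_MAGIC:
        image_base = struct.unpack_from("<Q", buf, opt + 24)[0]  # PE32+ has no BaseOfData
    else:
        return None
    size_of_image, size_of_headers = struct.unpack_from("<II", buf, opt + 56)
    if not 0 < size_of_image <= MAX_IMAGE_SIZE or size_of_headers > size_of_image:
        return None
    return {"image_base": image_base, "size_of_image": size_of_image,
            "is_dll": bool(characteristics & IMAGE_FILE_DLL),
            "sections_off": opt + opt_size - off, "nsections": nsections}


def fix_section_table(image, sections_off, nsections):
    """Memory layout -> file layout: set SizeOfRawData/PointerToRawData to
    VirtualSize/VirtualAddress for every section, the adjustment dlldump also makes."""
    for i in range(nsections):
        s = sections_off + 40 * i
        if s + 40 > len(image):
            break  # image truncated in the dump; leave the rest alone
        vsize, vaddr = struct.unpack_from("<II", image, s + 8)
        struct.pack_into("<II", image, s + 16, vsize, vaddr)


def carve_pe_images(dump, dll_only=False):
    """Scan a raw dump for PE images; return dicts with offset, image_base, size_of_image, image."""
    found = []
    pos = dump.find(IMAGE_DOS_SIGNATURE)
    while pos != -1:
        hdr = parse_pe_header(dump, pos)
        if hdr is None or (dll_only and not hdr["is_dll"]):
            pos = dump.find(IMAGE_DOS_SIGNATURE, pos + 1)
            continue
        image = bytearray(dump[pos:pos + hdr["size_of_image"]])  # short if the dump is truncated
        fix_section_table(image, hdr["sections_off"], hdr["nsections"])
        found.append({"offset": pos, "image_base": hdr["image_base"],
                      "size_of_image": hdr["size_of_image"], "image": bytes(image)})
        pos = dump.find(IMAGE_DOS_SIGNATURE, pos + len(image))
    return found


def build_sample_dll(image_base=0x10000000, size_of_image=0x9000):
    """Constructed minimal PE32 DLL in memory layout (test fixture, not a real file)."""
    e_lfanew, opt_size = 0x80, 224  # 224 = PE32 optional header with 16 data directories
    dos = bytearray(e_lfanew)
    dos[:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # COFF: i386, 1 section, no symbols, optional header size, DLL|EXECUTABLE|32BIT
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x2102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)         # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, size_of_image, 0x400)  # SizeOfImage, SizeOfHeaders
    # .text: VirtualSize 0x8000 at RVA 0x1000, raw size 0x7e00 at file offset 0x400
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x8000, 0x1000, 0x7E00, 0x400, 0, 0, 0, 0, 0x60000020)
    image = bytearray(size_of_image)
    headers = bytes(dos) + IMAGE_NT_SIGNATURE + coff + bytes(opt) + text
    image[:len(headers)] = headers
    marker = b"evil.example.invalid\x00"  # constructed stand-in for the domain strings
    image[0x1000:0x1000 + len(marker)] = marker
    return bytes(image)


def build_sample_dump():
    """Constructed stand-in for a process dump: filler, a bare 'MZ' that is not a PE
    (must be skipped), then the DLL. Returns (dump, offset_of_dll)."""
    decoy = IMAGE_DOS_SIGNATURE + b"\x00" * 0x3E  # e_lfanew = 0 -> no PE signature there
    prefix = b"\x00" * 0x2000 + decoy
    return prefix + build_sample_dll() + b"\x00" * 0x1000, len(prefix)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_dump()[0]
    for m in carve_pe_images(data, dll_only=True):
        name = "module.%#x.dll" % m["image_base"]
        with open(name, "wb") as f:
            f.write(m["image"])
        print("%#010x -> %s (%#x bytes)" % (m["offset"], name, len(m["image"])))
```

Run it as `python carve_pe.py 3100.dmp` to write one `module.<base>.dll` per DLL image found; with no argument it runs against the constructed fixture. A carve from a dump file can only return pages that were resident and written to the file, so dlldump, which walks the process address space and knows where each module is mapped, remains the first thing to try; this carver is the fallback when all you have is the .dmp.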