Hey Brian,
You can use volshell to extract an arbitrary region of memory from any
address space (in this case kernel memory if you're trying to acquire a
kernel module). However, what do you mean "reference a file in user's
AppData"? Is that the driver's path on disk (i.e.
C:\Users\Bob\ApplicationData\dumpme.sys)?
You would use volshell like this:
>>> data = self.addrspace.zread(assumed_base_address, assumed_module_size)
>>> with open('file.dmp', 'wb') as f:
...     f.write(data)
>>>
Cheers,
MHL
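As an added example (not part of MHL's reply or Volatility's own code): a helper that does the same zread-and-write, but first reads the 16-bit e_magic field that moddump validates, so you can see why a region whose first two bytes are 4C 8D is reported as "e_magic 8D4C" and still get a raw dump of it. FakeAddrSpace and the module address are constructed stand-ins; inside volshell you would pass self.addrspace instead.

```python
import struct


class FakeAddrSpace:
    """Constructed stand-in for a Volatility 2 address space (only zread()).
    Like the real zread(), bytes outside the mapping come back as zeros."""

    def __init__(self, mapping):
        self.mapping = mapping  # {base_address: bytes}

    def zread(self, addr, length):
        out = bytearray(length)
        for base, data in self.mapping.items():
            for i in range(length):
                off = addr + i - base
                if 0 <= off < len(data):
                    out[i] = data[off]
        return bytes(out)


def e_magic(data):
    """IMAGE_DOS_HEADER.e_magic: the little-endian uint16 at offset 0."""
    if len(data) < 2:
        return None
    return struct.unpack('<H', data[:2])[0]


def has_valid_dos_header(data):
    """True only when the region starts with 'MZ' (0x5A4D)."""
    return e_magic(data) == 0x5A4D


def dump_region(addrspace, base, size, path=None):
    """Read [base, base+size) with zread(), optionally write it raw to disk,
    and report whether a PE-aware dumper (e.g. moddump) would accept it."""
    data = addrspace.zread(base, size)
    if path is not None:
        with open(path, 'wb') as f:
            f.write(data)
    return {
        'data': data,
        'bytes': len(data),
        'e_magic': e_magic(data),
        'valid_dos_header': has_valid_dos_header(data),
    }
```

When valid_dos_header is False the raw dump is still written, which is what you want for a module whose header has been wiped or overwritten.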
On Thu, Mar 21, 2013 at 5:32 PM, Brian Keefer <chort(a)effu.se> wrote:
Working with a ransomware infection, trying to dump one of the modules
that looks suspicious (the only one to reference a file in user's AppData).
I'm trying to dump it via the base address found through modscan, but
getting:

moddump Error: e_magic 8D4C is not a valid DOS signature.

I tried -u. Is there any other way to dump it?
--
chort
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users