Hey Brian, 

You can use volshell to extract an arbitrary region of memory from any address space (in this case kernel memory if you're trying to acquire a kernel module). However, what do you mean "reference a file in user's AppData"? Is that the driver's path on disk (i.e. C:\Users\Bob\ApplicationData\dumpme.sys)? 

You would use volshell like this:

>>> # zero-padded read of assumed_module_size bytes starting at assumed_base_address
>>> # (pages that are not present in the image come back as 0x00 rather than an error)
>>> data = self.addrspace.zread(assumed_base_address, assumed_module_size)
>>> with open('file.dmp', 'wb') as f:
...     f.write(data)
>>>

Cheers, 
MHL
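
As an added illustration of the recipe above (this is example code, not MHL's or Volatility's own), the script below models what separates the two approaches: moddump validates the IMAGE_DOS_HEADER magic ('MZ', 0x5A4D as a little-endian WORD) before it will dump, whereas a raw zread() carves whatever bytes sit at the base, zero-filling pages that are not in the image. ToyAddressSpace is an assumed stand-in for volshell's self.addrspace, and the sample memory, the pretend kernel base and the 0x4C 0x8D leading bytes (chosen so the check reproduces the 8D4C value from the error) are all constructed here.

```python
import struct

PAGE_SIZE = 0x1000


class ToyAddressSpace:
    """Stand-in for volshell's self.addrspace (constructed for this example,
    not Volatility's class). `pages` maps page-aligned virtual addresses to
    4 KiB byte strings; an address with no entry models a paged-out or
    unmapped page."""

    def __init__(self, pages):
        self.pages = pages

    def zread(self, addr, length):
        """Zero-padded read: bytes from unavailable pages come back as 0x00
        instead of raising, which is what lets volshell carve a region that
        a header-validating plugin refuses."""
        out = bytearray()
        while len(out) < length:
            cur = addr + len(out)
            page_base = cur & ~(PAGE_SIZE - 1)
            off = cur - page_base
            n = min(length - len(out), PAGE_SIZE - off)
            page = self.pages.get(page_base)
            out += page[off:off + n] if page is not None else b"\x00" * n
        return bytes(out)


def e_magic(data):
    """First WORD of the region, little-endian, formatted the way moddump
    reports it ("e_magic 8D4C is not a valid DOS signature")."""
    (val,) = struct.unpack_from("<H", data, 0)
    return "%04X" % val


def has_dos_header(data):
    """The check a PE-aware dumper applies before it will dump: a PE image
    starts with the IMAGE_DOS_HEADER magic 'MZ' (0x5A4D as a LE WORD)."""
    return data[:2] == b"MZ"


def dump_region(space, base, size, path):
    """The volshell recipe from the reply: raw zread of `size` bytes at
    `base`, written out unchanged regardless of what the first bytes are."""
    data = space.zread(base, size)
    with open(path, "wb") as f:
        f.write(data)
    return data


# Constructed sample memory: three pages' worth of region at a pretend
# kernel base. The first two bytes are 0x4C 0x8D so e_magic() yields 8D4C;
# the middle page is absent to model a paged-out page.
BASE = 0xFFFFF88003E10000
SAMPLE_PAGES = {
    BASE: b"\x4c\x8d" + b"\x90" * (PAGE_SIZE - 2),
    BASE + 2 * PAGE_SIZE: b"\xcc" * PAGE_SIZE,
}
SAMPLE_SPACE = ToyAddressSpace(SAMPLE_PAGES)

# A second constructed image that does carry an MZ header, for contrast.
MZ_PAGES = {BASE: b"MZ" + b"\x00" * (PAGE_SIZE - 2)}
MZ_SPACE = ToyAddressSpace(MZ_PAGES)

if __name__ == "__main__":
    header = SAMPLE_SPACE.zread(BASE, 0x40)
    if not has_dos_header(header):
        print("header check fails: e_magic %s is not a valid DOS signature"
              % e_magic(header))
    data = dump_region(SAMPLE_SPACE, BASE, 3 * PAGE_SIZE, "file.dmp")
    zero_filled = data[PAGE_SIZE:2 * PAGE_SIZE] == b"\x00" * PAGE_SIZE
    print("wrote %d bytes; missing page zero-filled: %s"
          % (len(data), zero_filled))
```

Because the raw dump carries no guarantee that a PE header is present, treat file.dmp as an opaque blob: check whether the region really is the start of an image (the MZ magic) before feeding it to PE tooling, and expect runs of zeros wherever pages were not resident when the image was taken.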


On Thu, Mar 21, 2013 at 5:32 PM, Brian Keefer <chort@effu.se> wrote:
Working with a ransomware infection, trying to dump one of the modules that looks suspicious (the only one to reference a file in user's AppData). I'm trying to dump it via the base address found through modscan, but getting:
moddump Error: e_magic 8D4C is not a valid DOS signature.

I tried -u. Is there any other way to dump it?

--
chort



_______________________________________________
Vol-users mailing list
Vol-users@volatilesystems.com
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users