Hey Michael,
thank you for your help.
I wasn't aware that a process must be linked in the PsActiveProcessHead
list to be dumped with the procexedump plugin.
1_doc_RCData_61 has PID 1336, detected with psscan, but Volatility makes no
further use of it, right?
The dumping with the offset specified works well. Interestingly Kaspersky
did not nag while the file was written.
Regards
Michael
From: Michael Hale Ligh [mailto:michael.hale@gmail.com]
Sent: Monday, 15 August 2011 14:35
To: Michael Felber
Cc: vol-users(a)volatilityfoundation.org
Subject: Re: [Vol-users] unable to extract process 1336 from prolaco-image
Michael,
If the process you want to extract is unlinked from the PsActiveProcessHead
list, then you can't identify it by pid. Try identifying it by physical
offset:
$ python vol.py -f ../prolaco.vmem psscan
0x0113f648 1_doc_RCData_61 1336 1136 0x06cc0340 2010-08-11 16:50:20
$ python vol.py -f ../prolaco.vmem procexedump -o 0x0113f648 -D out/
************************************************************************
Dumping 1_doc_RCData_61, pid: 1336 output: executable.1336.exe
MHL
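The cross-view check behind MHL's answer, as an added example that is not part of the thread or of Volatility itself: a process that psscan finds by pool-tag scanning but pslist (which walks PsActiveProcessHead) does not is a candidate for having been unlinked, and the physical offset from psscan is what procexedump's -o option needs. The pslist/psscan listings below are constructed, modelled on the column layout quoted in the thread.

```python
import re

# Constructed pslist output: the unlinked process is absent here.
PSLIST_OUTPUT = """\
 Offset(V)  Name                 PID    PPID   Thds   Hnds   Time
---------- -------------------- ------ ------ ------ ------ -------------------
0x823c89c8 System                    4      0     58    341 1970-01-01 00:00:00
0x81e6f020 explorer.exe           1136   1108     11    371 2010-08-11 16:49:57
"""

# Constructed psscan output: scanning still finds the EPROCESS, by physical offset.
PSSCAN_OUTPUT = """\
 Offset(P)  Name             PID    PPID   PDB        Time created
---------- ---------------- ------ ------ ---------- -------------------
0x01a3c830 System                4      0 0x00319000 1970-01-01 00:00:00
0x0113f648 1_doc_RCData_61    1336   1136 0x06cc0340 2010-08-11 16:50:20
0x01e6f020 explorer.exe       1136   1108 0x06cc0340 2010-08-11 16:49:57
"""

# Data rows start with a hex offset followed by name, PID and PPID columns.
ROW = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(\d+)\s+(\d+)")

def parse_rows(text):
    """Return {(name, pid): offset} for every data row of a plugin listing."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            offset, name, pid, _ppid = m.groups()
            rows[(name, int(pid))] = offset
    return rows

def find_hidden(pslist_text, psscan_text):
    """Processes present in psscan but missing from pslist, as (offset, name, pid)."""
    linked = parse_rows(pslist_text)
    scanned = parse_rows(psscan_text)
    return sorted((off, name, pid) for (name, pid), off in scanned.items()
                  if (name, pid) not in linked)

def dump_command(image, offset, outdir="out/"):
    """procexedump invocation selecting the process by physical offset (-o)."""
    return "python vol.py -f %s procexedump -o %s -D %s" % (image, offset, outdir)

if __name__ == "__main__":
    for off, name, pid in find_hidden(PSLIST_OUTPUT, PSSCAN_OUTPUT):
        print("hidden candidate: %s pid %d at %s" % (name, pid, off))
        print("  " + dump_command("../prolaco.vmem", off))
```

A name/PID pair can also differ between the two views when a process has simply exited and its pool memory has not been reused yet, so a psscan-only hit is a lead to confirm, not proof of hiding.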
On Mon, Aug 15, 2011 at 5:57 AM, Michael Felber <MichaelFelber(a)gmx.net>
wrote:
Hi,
I have tried to extract the process 1336 (1_doc_RCData_61) from the
prolaco image provided at
http://malwarecookbook.googlecode.com/svn-history/r26/trunk/15/6/prolaco.vmem.zip
Neither procexedump nor procmemdump worked for this process, but they did for
any other.
What went wrong?
Regards
Michael
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users