[Vol-users] moddump related

Michael Hale Ligh michael.hale at gmail.com
Tue Mar 12 14:29:32 CDT 2013


Corey,

There are two ways to accomplish this:

$ python vol.py moddump -h
.....
  -r REGEX, --regex=REGEX
                        Dump modules matching REGEX
  -i, --ignore-case     Ignore case in pattern match
  -b BASE, --base=BASE  Dump driver with BASE address (in hex)

---------------------------------
Module ModDump
---------------------------------
Dump a kernel driver to an executable file sample

The --offset parameter was renamed to --base so it doesn't conflict with
other plugins that use --offset for different purposes.

So you can supply --base=BASEADDRESS or you can do --regex=REGEX (with or
without --ignore-case).

MHL


On Tue, Mar 12, 2013 at 1:01 PM, Corey Harrell <corey_harrell at yahoo.com> wrote:

> I apologize in advance if I'm overlooking something. I'm using the
> Windows binary of Volatility 2.2 on a Windows 7 platform. Could someone
> tell me how I can extract a certain driver using the offset?
>
> I looked at the moddump help and the offset option is not listed. I tried
> to use -o anyway and got an error saying there is no such option
> (--offset=offset didn't work either). The Volatility command wiki doesn't
> show the moddump help but it does link to this post which shows the offset
> as an option:
>
> http://moyix.blogspot.com/2008/10/plugin-post-moddump.html
>
> I'm not that familiar with Python so looking at the plugin code wasn't
> that helpful for me. What I am trying to do is to extract a specific driver
> from a memory image. The moddump command works for extracting all drivers
> but it would be nice to extract only the one I need.
>
> Thanks for any help
>
> Corey Harrell
> "Journey into Incident Response"
> http://journeyintoir.blogspot.com
> _______________________________________________
> Vol-users mailing list
> Vol-users at volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>