[Vol-users] moddump related

Corey Harrell corey_harrell at yahoo.com
Tue Mar 12 14:56:52 CDT 2013

Thanks for the help and that was what I was looking for.

Corey Harrell
"Journey into Incident Response"

From: Michael Hale Ligh <michael.hale at gmail.com>
To: Corey Harrell <corey_harrell at yahoo.com> 
Cc: "vol-users at volatilityfoundation.org" <vol-users at volatilityfoundation.org> 
Sent: Tuesday, March 12, 2013 3:29 PM
Subject: Re: [Vol-users] moddump related


There are two ways to accomplish this:

$ python vol.py moddump -h
-r REGEX, --regex=REGEX 
                        Dump modules matching REGEX
-i, --ignore-case     Ignore case in pattern match
-b BASE, --base=BASE  Dump driver with BASE address (in hex)

Module ModDump
Dump a kernel driver to an executable file sample

The --offset parameter was renamed to --base so it doesn't conflict with other plugins that use --offset for different purposes. 

So you can supply --base=BASEADDRESS or you can do --regex=REGEX (with or without --ignore-case).  


On Tue, Mar 12, 2013 at 1:01 PM, Corey Harrell <corey_harrell at yahoo.com> wrote:

>I apologize in advance if I'm overlooking something. I'm using the Windows binary of Volatility 2.2 on a Windows 7 platform. Could someone tell me how I can extract a certain driver using the offset?
>I looked at the moddump help and the offset option is not listed. I tried to use -o anyway and got an error saying there is no such option (--offset=offset didn't work either). The Volatility command wiki doesn't show the moddump help but it does link to this post which shows the offset as an option:
>I'm not that familiar with Python so looking at the plugin code wasn't that helpful for me. What I am trying to do is to extract a specific driver from a memory image. The moddump command works for extracting all drivers but it would be nice to extract only the one I need.
>Thanks for any help
>Corey Harrell
>"Journey into Incident Response"
>Vol-users mailing list
>Vol-users at volatilityfoundation.org

Vol-users mailing list
Vol-users at volatilityfoundation.org
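A worked illustration of the two selection methods from the reply above, added here as an example and not part of the thread or of Volatility itself. It parses a constructed sample of `vol.py modules` output (the Volatility 2.x column layout; driver names and addresses are made up) to look up a driver's kernel base by name, then builds the `moddump` command line either with `--base` (the help text says the value is hex, and the example assumes the `0x` prefix is accepted) or with an anchored `--regex` so a name like `hal.dll` cannot also match a longer name. The `-D/--dump-dir` option, image name, profile and output directory are example values.

```python
import re
import shlex

# Constructed sample of Volatility 2.x `modules` plugin output; not taken from
# the mailing-list thread, and the driver names/addresses are made up.
MODULES_OUTPUT = """\
Volatility Foundation Volatility Framework 2.2
Offset(V)  Name                 Base                             Size File
---------- -------------------- ------------------ ------------------ ----
0x84b2f8f8 ntoskrnl.exe         0x0000000082a3b000           0x410000 \\SystemRoot\\system32\\ntkrnlpa.exe
0x84b2f810 hal.dll              0x0000000082e4b000           0x037000 \\SystemRoot\\system32\\halmacpi.dll
0x85c1e2a8 Suspicious.sys       0x0000000098a00000           0x00e000 \\??\\C:\\Windows\\System32\\drivers\\Suspicious.sys
"""

HEX = re.compile(r"^0x[0-9a-fA-F]+$")


def parse_modules(text):
    """Parse `modules` output into dicts; banner, header and separator rows are skipped."""
    mods = []
    for line in text.splitlines():
        parts = line.split(None, 4)
        # Data rows start with a hex offset and carry a hex base in column 3.
        if len(parts) < 4 or not (HEX.match(parts[0]) and HEX.match(parts[2])):
            continue
        mods.append({
            "offset": int(parts[0], 16),
            "name": parts[1],
            "base": int(parts[2], 16),
            "size": int(parts[3], 16),
            "file": parts[4] if len(parts) == 5 else "",
        })
    return mods


def find_base(text, name):
    """Return the kernel base of the module called `name` (case-insensitive), or None."""
    for mod in parse_modules(text):
        if mod["name"].lower() == name.lower():
            return mod["base"]
    return None


def name_regex(name):
    """Anchored, escaped pattern so --regex matches exactly this module name."""
    return "^" + re.escape(name) + "$"


def moddump_cmd(image, profile, dump_dir, base=None, regex=None, ignore_case=False):
    """Build the vol.py argv for dumping one driver, by --base or by --regex.

    Exactly one of `base` (an int) or `regex` (a string) must be given.
    """
    if (base is None) == (regex is None):
        raise ValueError("give exactly one of base or regex")
    argv = ["python", "vol.py", "-f", image, "--profile=" + profile,
            "moddump", "-D", dump_dir]
    if base is not None:
        argv.append("--base=0x%x" % base)   # help text: BASE address (in hex)
    else:
        argv.append("--regex=" + regex)
        if ignore_case:
            argv.append("--ignore-case")
    return argv


if __name__ == "__main__":
    # Example image/profile/output names; adjust to the case at hand.
    base = find_base(MODULES_OUTPUT, "Suspicious.sys")
    print(shlex.join(moddump_cmd("win7.raw", "Win7SP1x86", "dumped", base=base)))
    print(shlex.join(moddump_cmd("win7.raw", "Win7SP1x86", "dumped",
                                 regex=name_regex("Suspicious.sys"),
                                 ignore_case=True)))
```

The `--base` route is the unambiguous one when two loaded modules share a name (the base is unique; a name regex would dump both), which is why looking the base up from `modules` output first is worth the extra step.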
