[Vol-users] moddump Error: e_magic 8D4C is not a valid DOS signature.

Michael Hale Ligh michael.hale at gmail.com
Thu Mar 21 22:53:56 CDT 2013


Hey Brian,

You can use volshell to extract an arbitrary region of memory from any
address space (in this case kernel memory if you're trying to acquire a
kernel module). However, what do you mean "reference a file in user's
AppData"? Is that the driver's path on disk (i.e.
C:\Users\Bob\ApplicationData\dumpme.sys)?

You would use volshell like this:

>>> data = self.addrspace.zread(assumed_base_address, assumed_module_size)
>>> with open('file.dmp', 'wb') as f:
...     f.write(data)
>>>

Cheers,
MHL


On Thu, Mar 21, 2013 at 5:32 PM, Brian Keefer <chort at effu.se> wrote:

> Working with a ransomware infection, trying to dump one of the modules
> that looks suspicious (the only one to reference a file in user's AppData).
> I'm trying to dump it via the base address found through modscan, but
> getting:
> moddump Error: e_magic 8D4C is not a valid DOS signature.
>
> I tried -u. Is there any other way to dump it?
>
> --
> chort
>
>
>
> _______________________________________________
> Vol-users mailing list
> Vol-users at volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>
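Added example, not part of the exchange above: the sanity check that produces the error in Brian's report (e_magic must be 'MZ' and e_lfanew must point at a PE signature), plus a page-aligned scan over a region read with zread, so you can tell whether the base from modscan actually points at a DOS header or somewhere inside the module. The sample region and its offsets are constructed; 0x5A4D, 0x3C and "PE\0\0" are the standard PE header constants.

```python
from __future__ import annotations
import struct

MZ_MAGIC = 0x5A4D          # 'MZ' read as a little-endian uint16
PE_SIGNATURE = b"PE\0\0"

def check_dos_header(data: bytes) -> tuple[bool, str]:
    """Reproduce the check behind the error in the thread: e_magic must be
    'MZ', and e_lfanew (offset 0x3C) must point at a 'PE\\0\\0' signature."""
    if len(data) < 0x40:
        return False, "region shorter than a DOS header"
    e_magic = struct.unpack_from("<H", data, 0)[0]
    if e_magic != MZ_MAGIC:
        return False, f"e_magic {e_magic:04X} is not a valid DOS signature"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data) or data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        return False, f"no PE signature at e_lfanew=0x{e_lfanew:X}"
    return True, f"PE header at 0x{e_lfanew:X}"

def find_mz_headers(data: bytes, page: int = 0x1000) -> list[int]:
    """Scan a dumped region on page boundaries for an offset that passes the
    same check. Image bases are page-aligned, so if the address handed to
    moddump is off, the real header is normally at one of these offsets."""
    return [off for off in range(0, len(data), page) if check_dos_header(data[off:])[0]]

def build_pe_stub(e_lfanew: int = 0x80) -> bytes:
    """Constructed minimal image: DOS header plus PE signature, zero-padded."""
    hdr = bytearray(e_lfanew + 4)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = PE_SIGNATURE
    return bytes(hdr)

if __name__ == "__main__":
    # Constructed region: two pages of code-like filler, then a valid image.
    # The leading bytes 4C 8D are the little-endian value 0x8D4C from the
    # thread; on x86-64 they decode as a REX prefix followed by LEA, i.e.
    # instructions rather than a header, which is what a wrong base looks like.
    region = b"\x4c\x8d" + b"\x90" * (0x2000 - 2) + build_pe_stub()
    print(check_dos_header(region))   # (False, 'e_magic 8D4C is not a valid DOS signature')
    print(find_mz_headers(region))    # [8192]
```

Feed it the bytes written by the volshell zread snippet above (open('file.dmp', 'rb').read()) and adjust the base by the reported offset before retrying the dump.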