[Vol-users] moddump Error: e_magic 8D4C is not a valid DOS
Michael Hale Ligh
michael.hale at gmail.com
Thu Mar 21 22:53:56 CDT 2013
You can use volshell to extract an arbitrary region of memory from any
address space (in this case kernel memory if you're trying to acquire a
kernel module). However, what do you mean "reference a file in user's
AppData"? Is that the driver's path on disk (i.e.
You would use volshell like this:
>>> data = self.addrspace.zread(assumed_base_address, assumed_module_size)
>>> with open('file.dmp', 'wb') as f:
...     f.write(data)
On Thu, Mar 21, 2013 at 5:32 PM, Brian Keefer <chort at effu.se> wrote:
> Working with a ransomware infection, trying to dump one of the modules
> that looks suspicious (the only one to reference a file in user's AppData).
> I'm trying to dump it via the base address found through modscan, but
> moddump Error: e_magic 8D4C is not a valid DOS signature.
> I tried -u. Is there any other way to dump it?
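The zread() recipe above carves a region blind: it does not care whether a PE header is at the base, which is exactly why it works where moddump refuses. The reported e_magic of 8D4C is the little-endian u16 at the assumed base, i.e. the bytes 4C 8D, so whatever is at that address does not begin with "MZ" (0x5A4D). The following is an added example, not code from the thread or from Volatility: a hypothetical FakeAddressSpace stands in for a Volatility address space (only zread() is modelled, with Volatility's zero-fill semantics for unmapped bytes), and it shows both the check moddump-style code performs (MZ, e_lfanew, PE signature, SizeOfImage) and the fallback to carving an assumed length when that check fails. The PE header and the "4C 8D" region are constructed test data.

```python
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D      # "MZ" read as a little-endian u16
IMAGE_NT_SIGNATURE = 0x00004550   # "PE\0\0" read as a little-endian u32
FILE_HEADER_SIZE = 20
SIZEOFIMAGE_OFFSET = 0x38         # offset of SizeOfImage in the optional header (PE32 and PE32+)
MAX_SANE_IMAGE = 64 * 1024 * 1024


class FakeAddressSpace:
    """Hypothetical stand-in for a Volatility address space (example only).

    Only zread() is modelled: like Volatility's zread(), any byte not backed
    by a known region comes back as zero instead of raising.
    """

    def __init__(self, regions):
        self.regions = regions  # {base_address: bytes}; constructed test data

    def zread(self, addr, length):
        out = bytearray(length)
        for base, data in self.regions.items():
            lo = max(addr, base)
            hi = min(addr + length, base + len(data))
            if lo < hi:
                out[lo - addr:hi - addr] = data[lo - base:hi - base]
        return bytes(out)


def build_pe_headers(size_of_image):
    """Constructed minimal PE32+ header (DOS header + NT headers); not a real driver."""
    e_lfanew = 0x40
    dos = struct.pack('<H', IMAGE_DOS_SIGNATURE)
    dos += b'\x00' * (0x3C - len(dos)) + struct.pack('<I', e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_hdr = struct.pack('<HHIIIHH', 0x8664, 0, 0, 0, 0, 0xF0, 0x2022)
    opt = bytearray(0xF0)
    struct.pack_into('<H', opt, 0, 0x20B)                        # PE32+ magic
    struct.pack_into('<I', opt, SIZEOFIMAGE_OFFSET, size_of_image)
    return dos + struct.pack('<I', IMAGE_NT_SIGNATURE) + file_hdr + bytes(opt)


def e_magic_at(addrspace, base):
    """The u16 that moddump's DOS-signature check looks at; 0x5A4D means 'MZ'."""
    return struct.unpack('<H', addrspace.zread(base, 2))[0]


def probe_module(addrspace, base, assumed_size):
    """Decide how much to carve at base.

    Returns ('pe', SizeOfImage) when a sane PE header is present, otherwise
    ('raw', assumed_size): a blind carve of the assumed length, which is what
    the volshell zread() recipe does regardless of header validity.
    """
    if e_magic_at(addrspace, base) != IMAGE_DOS_SIGNATURE:
        return 'raw', assumed_size
    e_lfanew = struct.unpack('<I', addrspace.zread(base + 0x3C, 4))[0]
    if not 0x40 <= e_lfanew < 0x1000:
        return 'raw', assumed_size
    nt = base + e_lfanew
    if struct.unpack('<I', addrspace.zread(nt, 4))[0] != IMAGE_NT_SIGNATURE:
        return 'raw', assumed_size
    opt = nt + 4 + FILE_HEADER_SIZE
    size_of_image = struct.unpack('<I', addrspace.zread(opt + SIZEOFIMAGE_OFFSET, 4))[0]
    if not 0 < size_of_image <= MAX_SANE_IMAGE:
        return 'raw', assumed_size
    return 'pe', size_of_image


def dump_module(addrspace, base, assumed_size):
    """Carve the module at base; returns (reason, bytes). Unmapped tail bytes are zeros."""
    reason, size = probe_module(addrspace, base, assumed_size)
    return reason, addrspace.zread(base, size)


def build_sample_space():
    """Constructed kernel-like space: one module with a valid header, and one
    region whose first bytes are 4C 8D (e_magic 0x8D4C, the value in the
    error above), i.e. not an MZ header."""
    good_base = 0xFFFFF88001000000
    junk_base = 0xFFFFF88002000000
    good = build_pe_headers(0x3000) + b'\xCC' * 0x100
    junk = b'\x4C\x8D' + b'\x90' * 0x1FE
    return FakeAddressSpace({good_base: good, junk_base: junk}), good_base, junk_base


if __name__ == '__main__':
    space, good_base, junk_base = build_sample_space()
    for base in (good_base, junk_base):
        reason, data = dump_module(space, base, assumed_size=0x2000)
        with open('module_%x.dmp' % base, 'wb') as f:
            f.write(data)
        print('%#x: e_magic=%04X carved %d bytes (%s)'
              % (base, e_magic_at(space, base), len(data), reason))
```

When the header is intact, SizeOfImage gives the right length to carve; when it is not (the 8D4C case), the only option is the blind carve with an assumed size, and the bounds chosen for e_lfanew and SizeOfImage are sanity limits assumed for this example, not Volatility's own. Bear in mind that a region failing the MZ check may simply be a wrong base address rather than a deliberately stripped header.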