Social Icons

Monday, September 28, 2015

Volatility Framework Command : Using dlllist - dlldump to extricate DLLfile details

 This post will share an example to run the two volatility terminal commands including dllllist and dlldump  to display a process's loaded DLLs.

Before I proceed ahead,I would assume that you have installed volatility in your Linux system(in my case I am using UBUNTU, Installation explained at my earlier post at and you have a RAM dump of the OS u desire to analyse.In my case here I have taken the RAM dump of a Windows 7 OS as explained here at


dlllist is used to display a process's loaded DLLs.DLLs are automatically added to this list when a process calls LoadLibrary (or some derivative such as LdrLoadDll). --profile=Win7SP0x86 -f windows7_image.raw dlllist
To display the DLLs for a specific process instead of all processes, there is option to use the switch -p or --pid filter as shown below: --profile=Win7SP0x86 -f windows7_image.raw dlllist --pid=1892

To display the DLLs for a process that is hidden or unlinked by a rootkit, first use the psscan to get the physical offset of the EPROCESS object and then: --profile=Win7SP0x86 -f windows7_image.raw dlllist --offset=0x04a291a8
(Click on the image to ENLARGE)


dlldump command is used to extract a DLL from a process's memory space and dump it to disk for analysis.The syntax is nearly the same as what has been seen earlier with any command.This plugin provisions the following :

- Dump all DLLs from a hidden/unlinked process (with --offset=OFFSET)
- Dump all DLLs from a specific process (with --pid=PID)
- Dump all DLLs from all processes
- Dump a PE from anywhere in process memory (with --base=BASEADDR), this option is useful for extracting hidden DLLs

To specify an output directory, use --dump-dir=DIR or -d DIR. --profile=Win7SP0x86 -f windows7_image.raw dlldump --dump-dir output

where output is the name of directory where u get the dll dump

the output directory will be seen as seen below :

More at :


Post a Comment