This post walks through two Volatility terminal commands, dlllist and dlldump, used to display a process's loaded DLLs.
Before proceeding, I assume that you have installed Volatility on your Linux system (I am using Ubuntu; installation is explained in my earlier post at http://anupriti.blogspot.in/2015/09/volatility-advanced-memory-forensics.html) and that you have a RAM dump of the OS you want to analyse. Here I use a RAM dump of a Windows 7 OS, taken as explained at http://anupriti.blogspot.in/2015/09/volatility-command-using-imageinfo-to.html
dlllist
dlllist is used to display a process's loaded DLLs. DLLs are automatically added to this list when a process calls LoadLibrary (or some derivative such as LdrLoadDll).
vol.py --profile=Win7SP0x86 -f windows7_image.raw dlllist
vol.py --profile=Win7SP0x86 -f windows7_image.raw dlllist --pid=1892
To display the DLLs for a process that is hidden or unlinked by a rootkit, first use psscan to get the physical offset of the EPROCESS object, then pass that offset to dlllist:
vol.py --profile=Win7SP0x86 -f windows7_image.raw dlllist --offset=0x04a291a8
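The psscan-then-dlllist step above, as an added example that is not part of the original post: these shell functions compare saved pslist and psscan output and print a dlllist --offset command for each process that psscan found but the active process list did not. The sample tables, PID 2044, the file names in the usage comment, and matching rows by PID are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Both sample tables are constructed.
PROFILE=Win7SP0x86
IMAGE=windows7_image.raw

sample_pslist() {   # constructed pslist output, columns trimmed
cat <<'EOF'
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- -------------------- ------ ------ ------ -------- ------ ------ ----------------------------
0x84133630 System                    4      0     93      420 ------      0 2015-09-10 05:01:12 UTC+0000
0x85a2f030 explorer.exe           1892   1860     30      812      1      0 2015-09-10 05:02:40 UTC+0000
EOF
}

sample_psscan() {   # constructed psscan output; 0x04a291a8 is the offset used in the post
cat <<'EOF'
Offset(P)  Name                PID   PPID PDB        Time created                 Time exited
---------- ---------------- ------ ------ ---------- ---------------------------- ----------------------------
0x3fd33630 System                4      0 0x00185000 2015-09-10 05:01:12 UTC+0000
0x3e62f030 explorer.exe       1892   1860 0x3ecf0260 2015-09-10 05:02:40 UTC+0000
0x04a291a8 svchost.exe        2044    508 0x3ecf0380 2015-09-10 05:03:05 UTC+0000
0x3e1b4d40 notepad.exe        2300   1892 0x3ecf0400 2015-09-10 05:10:00 UTC+0000 2015-09-10 05:11:30 UTC+0000
EOF
}

# unlinked_offsets PSLIST_FILE PSSCAN_FILE
# Prints the physical offset of each psscan row whose PID is missing from
# pslist and that has no exit time. Exited processes are expected to be
# absent from the active list, so they are not reported.
unlinked_offsets() {
    awk '
        # PID is the first all-digit field after the offset (names may contain spaces)
        function pid(   i) { for (i = 2; i <= NF; i++) if ($i ~ /^[0-9]+$/) return $i; return "" }
        # Count date fields: 1 means created only, 2 means created and exited
        function dates(   i, n) { n = 0; for (i = 2; i <= NF; i++) if ($i ~ /^[0-9][0-9][0-9][0-9]-/) n++; return n }
        !/^0x/    { next }                      # skip header and separator rows
        NR == FNR { listed[pid()] = 1; next }   # first file: PIDs in the active list
        { p = pid(); if (!(p in listed) && dates() < 2) print $1 }
    ' "$1" "$2"
}

# Emit one dlllist command per unlinked process, for review before running.
dlllist_commands() {
    unlinked_offsets "$1" "$2" | while read -r off; do
        echo "vol.py --profile=$PROFILE -f $IMAGE dlllist --offset=$off"
    done
}
# Usage: save "vol.py ... pslist" and "vol.py ... psscan" output to two files,
#        then run: dlllist_commands pslist.txt psscan.txt
```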
dlldump
The dlldump command is used to extract a DLL from a process's memory space and dump it to disk for analysis. The syntax is nearly the same as for the commands seen earlier. This plugin provides the following options:
- Dump all DLLs from a hidden/unlinked process (with --offset=OFFSET)
- Dump all DLLs from a specific process (with --pid=PID)
- Dump all DLLs from all processes
- Dump a PE from anywhere in process memory (with --base=BASEADDR); this option is useful for extracting hidden DLLs
To specify an output directory, use --dump-dir=DIR or -d DIR.
vol.py --profile=Win7SP0x86 -f windows7_image.raw dlldump --dump-dir output
where output is the name of the directory that receives the DLL dumps.
More at : https://code.google.com/p/volatility/wiki/CommandReference#dlllist