Social Icons

Monday, September 28, 2015

Volatility Framework Command : Using dlllist - dlldump to extricate DLLfile details

 This post will share an example to run the two volatility terminal commands including dllllist and dlldump  to display a process's loaded DLLs.

Before I proceed ahead,I would assume that you have installed volatility in your Linux system(in my case I am using UBUNTU, Installation explained at my earlier post at http://anupriti.blogspot.in/2015/09/volatility-advanced-memory-forensics.html) and you have a RAM dump of the OS u desire to analyse.In my case here I have taken the RAM dump of a Windows 7 OS as explained here at http://anupriti.blogspot.in/2015/09/volatility-command-using-imageinfo-to.html

dlllist

dlllist is used to display a process's loaded DLLs.DLLs are automatically added to this list when a process calls LoadLibrary (or some derivative such as LdrLoadDll).

vol.py --profile=Win7SP0x86 -f windows7_image.raw dlllist
To display the DLLs for a specific process instead of all processes, there is option to use the switch -p or --pid filter as shown below:

vol.py --profile=Win7SP0x86 -f windows7_image.raw dlllist --pid=1892

To display the DLLs for a process that is hidden or unlinked by a rootkit, first use the psscan to get the physical offset of the EPROCESS object and then:

vol.py --profile=Win7SP0x86 -f windows7_image.raw dlllist --offset=0x04a291a8
(Click on the image to ENLARGE)

dlldump

dlldump command is used to extract a DLL from a process's memory space and dump it to disk for analysis.The syntax is nearly the same as what has been seen earlier with any command.This plugin provisions the following :

- Dump all DLLs from a hidden/unlinked process (with --offset=OFFSET)
- Dump all DLLs from a specific process (with --pid=PID)
- Dump all DLLs from all processes
- Dump a PE from anywhere in process memory (with --base=BASEADDR), this option is useful for extracting hidden DLLs

To specify an output directory, use --dump-dir=DIR or -d DIR.

vol.py --profile=Win7SP0x86 -f windows7_image.raw dlldump --dump-dir output

where output is the name of directory where u get the dll dump


the output directory will be seen as seen below :


More at : https://code.google.com/p/volatility/wiki/CommandReference#dlllist

0 comments:

Post a Comment