
I'm trying to figure out how I can dump the memory associated with a process. So far, I've managed to identify the PIDs of the processes I'm interested in (along with their offsets). However, I can't pinpoint the exact Volatility plug-in/command I would need to run to actually extract the memory now.

The profile I'm currently working with is LinuxUbuntu160403-040400-89x64.

  • this might be trivial, but have you tried `volatility memdmp -p PID -f YourImage`? – Soufiane Tahiri Feb 27 '19 at 13:26
  • I hadn't! But when I tried it, it told me that I need to install Volatility. It's strange because, I definitely have it installed, and things like `sudo python vol.py -f /tmp/test.mem --profile=LinuxUbuntu160403-040400-89x64 linux_malfind` work for me. – F_Infinity2 Feb 27 '19 at 15:13
  • try `sudo python vol.py memdemp -p PID -f /tmp/test.mem --profile=LinuxUbuntu160403-040400-89x64 linux_malfind` – Soufiane Tahiri Feb 27 '19 at 15:14
  • It didn't give me an error, but it didn't return anything either. However, using that command and playing around with the different plug-ins has given me some interesting info, thanks! – F_Infinity2 Feb 27 '19 at 15:21
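The following is an added example, not code from the question or the comments above. In Volatility 2, `memdump` is a Windows plugin, which is why it returns nothing useful against a Linux profile; the Linux-profile equivalents are `linux_dump_map` (writes every mapped region of a PID to disk, one file per VMA), `linux_procdump` (writes the process's executable image), and `linux_memmap` (prints the page-level mapping without dumping). The script below builds and, when `vol.py` is present, runs those invocations. The image path `/tmp/test.mem`, the `python vol.py` invocation and the output directory are assumptions taken from the question and the comments; the PID and output directory are supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the original post): dump process memory from a Linux
# image with Volatility 2. Assumed: image at /tmp/test.mem, vol.py in the
# current directory, profile from the question. Override via environment.
set -eu

IMAGE="${IMAGE:-/tmp/test.mem}"
PROFILE="${PROFILE:-LinuxUbuntu160403-040400-89x64}"
VOL="${VOL:-python vol.py}"

# Build (print, do not run) the full vol.py command line for a plugin, so the
# exact invocation can be checked and copied before touching the image.
vol_cmd() {
    # $1 = plugin name, remaining args = plugin options
    plugin="$1"; shift
    printf '%s -f %s --profile=%s %s' "$VOL" "$IMAGE" "$PROFILE" "$plugin"
    for a in "$@"; do printf ' %s' "$a"; done
    printf '\n'
}

# The commands a practitioner runs, in order:
list_cmd()     { vol_cmd linux_pslist; }                    # PIDs and task offsets
memmap_cmd()   { vol_cmd linux_memmap -p "$1"; }            # page map of one PID
dumpmap_cmd()  { vol_cmd linux_dump_map -p "$1" -D "$2"; }  # every VMA of the PID into $2/
procdump_cmd() { vol_cmd linux_procdump -p "$1" -D "$2"; }  # the process's ELF image into $2/

# Dump one PID into an output directory, creating the directory first
# (Volatility's -D expects it to exist). Runs the real vol.py.
run_dump() {
    pid="$1"; outdir="$2"
    mkdir -p "$outdir"
    sh -c "$(dumpmap_cmd "$pid" "$outdir")"
    sh -c "$(procdump_cmd "$pid" "$outdir")"
    # Quick sanity check: an empty directory means the PID was not found
    # in the image or the profile does not match the kernel.
    ls -l "$outdir"
}

# Usage: ./dump_pid.sh <PID>   (only runs when vol.py is actually present)
if [ -f vol.py ] && [ -n "${1:-}" ]; then
    run_dump "$1" "./dump_$1"
fi
```

`linux_dump_map` is the plugin that answers the question as asked (all of a process's mapped memory); `linux_procdump` is the one to use when only the binary is needed, for instance to hash it or feed it to a disassembler. Both take `-p` with a comma-separated list of PIDs, so several processes can be dumped in one pass.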
