volatilityfoundation / volatility3

Volatility 3.0 development
http://volatilityfoundation.org/

windows.malfind not saving the contents of injected processes to the specified directory. #1045

Closed BABAgala00 closed 10 months ago

BABAgala00 commented 11 months ago

Describe the bug
Using "malfind" on version 2 and adding the "-D" flag and specifying a path to save the .dmp files of the suspicious injected processes. Using Volatility version 3, the following commands didn't save the contents of the injected processes to the specified directory. Just saved the output to "mal.txt".

Context
Volatility Version: Volatility 3 Framework 2.5.2
Operating System: Ubuntu (Remnux)
Python Version: 3
Suspected Operating System: Ubuntu 20.04.6 LTS
Command:

  1. python3 vol.py -f file.vmem windows.malfind -o /tmp > mal.txt
  2. python3 vol.py -f file.vmem windows.malfind -D /tmp > mal.txt

Expected behavior
Commands didn't save the contents of the injected processes to the specified directory. For example, file name that should have been created under the specified path - "/tmp/process.0xa9619c40.0x3e30000.dmp"

Example output

remnux@remnux:~/volatility3$ python3 vol.py -f file.vmem windows.malfind -o /tmp > mal.txt
usage: volatility [-h] [-c CONFIG] [--parallelism [{processes,threads,off}]] [-e EXTEND] [-p PLUGIN_DIRS] [-s SYMBOL_DIRS] [-v] [-l LOG] [-o OUTPUT_DIR] [-q] [-r RENDERER] [-f FILE] [--write-config] [--save-config SAVE_CONFIG] [--clear-cache] [--cache-path CACHE_PATH] [--offline] [--single-location SINGLE_LOCATION] [--stackers [STACKERS [STACKERS ...]]] [--single-swap-locations [SINGLE_SWAP_LOCATIONS [SINGLE_SWAP_LOCATIONS ...]]] plugin ...
volatility: error: unrecognized arguments: -o /tmp


ikelos commented 11 months ago

Hi there, the -o option must appear before the name of the plugin, so in your example, you'd use:

python3 vol.py -f file.vmem -o /tmp windows.malfind

Malfind also won't dump any output by default, just as the volatility 2 version doesn't. Instead of -D for volatility 2, you can use the --dump option (after the plugin name, since it is a plugin option, not a global option) to extract the injected VADs. You can find more help about the plugin specific options by using --help after the plugin name, or global options by using --help before the plugin name (or without a plugin name at all).

I hope this helps....
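To make the ordering rule from the reply above concrete, here is an added, simplified argparse model of a CLI whose global options (such as -o) are bound to the top-level parser and whose plugin options (such as --dump) are bound to a per-plugin subparser. This is example code written for this thread, not volatility3's own CLI implementation; the exact option set, the "./" default output directory and the parse_args helper are assumptions for illustration.

```python
import argparse
from typing import Optional


def build_parser() -> argparse.ArgumentParser:
    """Simplified model: global options live on the top-level parser,
    plugin options live on the subparser selected by the plugin name.
    Assumed option set for illustration, not volatility3's real parser."""
    parser = argparse.ArgumentParser(prog="volatility")
    parser.add_argument("-f", "--file", help="memory image to analyse")
    parser.add_argument("-o", "--output-dir", default=".",
                        help="global option: directory for dumped files")
    plugins = parser.add_subparsers(dest="plugin", required=True)
    malfind = plugins.add_parser("windows.malfind")
    malfind.add_argument("--dump", action="store_true",
                         help="plugin option: write injected VADs to the output dir")
    return parser


def parse_args(argv: list) -> Optional[dict]:
    """Return the parsed options as a dict, or None when the parser rejects
    the command line (argparse reports 'unrecognized arguments' and exits).
    An option placed on the wrong side of the plugin name is exactly what
    produces that error in the report above."""
    parser = build_parser()
    try:
        return vars(parser.parse_args(argv))
    except SystemExit:
        return None


def dump_destination(opts: dict) -> Optional[str]:
    """Where dumped VAD files would land: None when --dump was not given,
    because malfind writes nothing to disk by default."""
    if not opts.get("dump"):
        return None
    return opts["output_dir"]


if __name__ == "__main__":
    # Wrong: global -o placed after the plugin name (the reporter's command).
    print(parse_args(["-f", "file.vmem", "windows.malfind", "-o", "/tmp"]))
    # Right: -o before the plugin name, --dump after it (the suggested fix).
    ok = parse_args(["-f", "file.vmem", "-o", "/tmp", "windows.malfind", "--dump"])
    print(ok, dump_destination(ok))
```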

BABAgala00 commented 10 months ago

Perfect, thank you!