atcuno
commented
4 months ago Closing this and will make a new one against the latest code
Closed atcuno closed 4 months ago
atcuno
commented
4 months ago Closing this and will make a new one against the latest code
This PR adds the PEDump plugin, which provides the ability for an analyst to fully reconstruct an executable from any address within any process or the kernel.
Currently, Volatility 3 provides the
--dumpoption for various plugins, but they are based upon the related executables being referenced from a well known data structure (kernel module list, process list, dlllist, etc.). In investigations involving reflectively loaded (memory only) DLLs and kernel drivers, Volatility 3 currently provides no method to reconstruct these.Volatility 2 provided separate plugins for this capability (dlldump and moddump), but they are a bit awkward as they would either enumerate all of the DLLs or kernel modules by default, but otherwise have specialized, single purpose use if
--basewas set. It was also extra strange as dlldump was really geared towards DLLs tracked with a LDR_DATA_TABLE_ENTRY structure, which reflectively loaded ones don't get since they load themselves as opposed to using LoadLibary.For these reasons, I broke the functionality out into its own plugin so people investigating a variety of code injection techniques can quickly get the malicious executables of out process or kernel memory.