volatilityfoundation / volatility3

Volatility 3.0 development
http://volatilityfoundation.org/

correct way to dump the memory of a process with volatility 3? #365

Closed mprevot closed 3 years ago

mprevot commented 3 years ago

From andreafortuna/process memory (or at https://github.com/volatilityfoundation/volatility/wiki/Command-Reference#memdump) I see:

To extract all memory resident pages in a process (see memmap for details) into an individual file, use the memdump command. Supply the output directory with -D or --dump-dir=DIR.

$ vol.py -f ~/Desktop/win7_trial_64bit.raw --profile=Win7SP0x64 memdump -p 4 -D dump/

From https://github.com/volatilityfoundation/volatility3/issues/227 I read that I should use memmap --dump instead

$ volatility -f dump.vmem windows.memmap --dump -p 2380 --dump-dir=procdump/

which gives:

Volatility 3 Framework 1.2.1-beta.1 usage: volatility [-h] [-c CONFIG] [--parallelism [{processes,threads,off}]] [-e EXTEND] [-p PLUGIN_DIRS] [-s SYMBOL_DIRS] [-v] [-l LOG] [-o OUTPUT_DIR] [-q] [-r RENDERER] [-f FILE] [--write-config] [--clear-cache] [--single-location SINGLE_LOCATION] [--stackers [STACKERS [STACKERS ...]]] [--single-swap-locations [SINGLE_SWAP_LOCATIONS [SINGLE_SWAP_LOCATIONS ...]]] plugin ... volatility: error: unrecognized arguments: -p 2380 --dump-dir=procdump/

What is the correct way to dump the memory of a process and its opened files with volatility 3?

ikelos commented 3 years ago

The reference you're referring to is for a completely different version of volatility. Please note that volatility 3 has been completely rewritten and does not attempt to precisely match every previous command line option. For volatility 3, there's a difference between global options (like --output-dir) and plugin specific options (like --pid). Global options need to be provided before the plugin name is provided. You can find out what options a plugin accepts by running volatility <pluginname> --help and what global options are available with just volatility --help.

In this instance, the command you're looking for would be:

$ volatility -f dump.vmem --output-dir=procdump/ windows.memmap --pid 2380 --dump

Hopefully this answers your question. If you have more questions like this you might get a more interactive/quicker answer by joining our slack channel by going to https://www.volatilityfoundation.org/slack. Marking this as closed, but please feel free to reopen it if you don't feel it answered your question completely... 5:)
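The ordering rule from the answer above (global options before the plugin name, plugin options after it) as a small wrapper script. This is an added example, not code from the volatility3 project; it assumes the volatility 3 entry point is on PATH as `vol` (override with `VOL=volatility` for builds named as in this thread), and the image path, pid and output directory are whatever you pass in.

```shell
#!/bin/sh
# Added example: build and run a volatility 3 windows.memmap --dump command
# with the arguments in the order the framework expects.
# Assumption: the vol3 entry point is "vol"; set VOL to override.
VOL=${VOL:-vol}

# Print the correctly ordered argv, one argument per line.
# Usage: vol3_memmap_dump_cmd IMAGE PID OUTDIR
vol3_memmap_dump_cmd() {
    image=$1; pid=$2; outdir=$3
    # --pid is a plugin option and must be a decimal process id; a vol2-style
    # "-p PID" or "-D DIR" slipped in here is caught before anything runs.
    case $pid in
        ''|*[!0-9]*)
            echo "vol3_memmap_dump_cmd: pid must be numeric, got '$pid'" >&2
            return 2 ;;
    esac
    # Global options (-f, -o) come first, then the plugin name,
    # then the plugin-specific options (--pid, --dump).
    printf '%s\n' "$VOL" -f "$image" -o "$outdir" \
        windows.memmap --pid "$pid" --dump
}

# Run the dump and list the output directory afterwards.
# Usage: vol3_memmap_dump IMAGE PID OUTDIR
vol3_memmap_dump() {
    image=$1; pid=$2; outdir=$3
    vol3_memmap_dump_cmd "$image" "$pid" "$outdir" >/dev/null || return $?
    command -v "$VOL" >/dev/null 2>&1 || {
        echo "vol3_memmap_dump: $VOL not found in PATH" >&2; return 127; }
    mkdir -p "$outdir" || return 1
    "$VOL" -f "$image" -o "$outdir" windows.memmap --pid "$pid" --dump
    # Without --dump the plugin only prints the mapping, so confirm a file
    # actually landed in the output directory.
    ls -l "$outdir"
}
```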

KsZh30 commented 9 months ago

Where can I see templates for such commands? It would be very convenient. Because in the --help command it would be difficult for a beginner to put everything together and there is no mention of --pid at all.

ikelos commented 8 months ago

So vol.py --help will list all the available plugins, and then each specific plugin has its own parameters, which can be seen using vol.py <plugin-name> --help. The --help must be after the plugin name to get the plugin-specific details. I hope this is what you meant?

This was mentioned in my initial response. If you're still discussing volatility 2, this is not the right location for those questions; they belong in the https://github.com/volatilityfoundation/volatility/ repository.

You can find out what options a plugin accepts by running volatility <pluginname> --help and what global options are available with just volatility --help.