7. Dumping an Executable and DLL

After you have identified the malicious process or DLL, you may want to dump it for further investigation (such as extracting strings, running YARA rules, disassembling it, or scanning it with antivirus software). To dump a process executable from memory to disk, you can use the procdump plugin. To dump the process executable, you need to know either its process ID or its physical offset. In the following example of a memory image infected with Perseus malware (covered previously while discussing the pslist plugin), the procdump plugin is used to dump its malicious process executable svchost..exe (pid 3832). With the -D (--dump-dir) option, you specify the directory into which the executable files are dumped. The dumped file is named after the process ID, in the form executable.PID.exe:

$ python vol.py -f perseus.vmem --profile=Win7SP1x86 procdump -p 3832 -D dump/
Volatility Foundation Volatility Framework 2.6
Process(V) ImageBase Name Result
---------- ---------- ------------ -----------------------
0x8503f0e8 0x00b90000 svchost..exe OK: executable.3832.exe

$ cd dump
$ file executable.3832.exe
executable.3832.exe: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

To dump a process by its physical offset, you can use the -o (--offset) option, which is useful if you want to dump a hidden process from memory. In the following example of a memory image infected with prolaco malware (covered previously while discussing the psscan plugin), the hidden process is dumped using its physical offset. The physical offset was determined from the psscan plugin; you can also get it from the psxview plugin. When using the procdump plugin, if you specify neither the -p (--pid) nor the -o (--offset) option, it dumps the process executables of all the active processes running on the system:

$ python vol.py -f infected.vmem --profile=WinXPSP3x86 psscan
Volatility Foundation Volatility Framework 2.6
Offset(P) Name PID PPID PDB Time created
------------------ ------- ---- ---- ---------- --------------------
[REMOVED]
0x00000000016ba360 nvid.exe 1700 1660 0x08440320 2014-10-17 09:16:10
$ python vol.py -f infected.vmem --profile=WinXPSP3x86 procdump -o 0x00000000016ba360 -D dump/ 
Volatility Foundation Volatility Framework 2.6
Process(V) ImageBase Name Result
---------- ---------- -------- -----------------------
0x814ba360 0x00400000 nvid.exe OK: executable.1700.exe

Similar to the process executable, you can dump a malicious DLL to disk using the dlldump plugin. To dump the DLL, you need to specify the process ID (-p option) of the process that loaded the DLL, and the base address of the DLL, using the -b (--base) option. You can get the base address of a DLL from the dlllist or ldrmodules output. In the following example of a memory image infected with Ghost RAT (which we covered while discussing the dlllist plugin), the malicious DLL loaded by the svchost.exe (pid 880) process is dumped using the dlldump plugin:

$ python vol.py -f ghost.vmem --profile=Win7SP1x86 dlllist -p 880 
Volatility Foundation Volatility Framework 2.6
************************************************************************
svchost.exe pid: 880
Command line : C:\Windows\system32\svchost.exe -k netsvcs

Base Size LoadCount Path
---------- ------ -------- ------
[REMOVED]
0x10000000 0x26000 0x1 c:\users\test\application data\acd systems\acdsee\imageik.ddf
$ python vol.py -f ghost.vmem --profile=Win7SP1x86 dlldump -p 880 -b 0x10000000 -D dump/
Volatility Foundation Volatility Framework 2.6
Name Module Base Module Name Result
---------- ------------ ---------------- --------------------------
svchost.exe 0x010000000 imageik.ddf module.880.ea13030.10000000.dll
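Once procdump or dlldump has written a file, the first thing to check is that the dump is actually a well-formed PE and that its headers agree with what Volatility reported: the ImageBase column in the procdump output (0x00b90000 for svchost..exe, 0x00400000 for nvid.exe) should equal the ImageBase field in the dumped optional header, and the file utility's "Mono/.Net assembly" verdict comes from a non-empty CLR runtime header data directory. The following script is an added example, not code from the book or from the Volatility project. It parses the DOS, COFF and optional headers of a dump with only the standard library, reports machine type, ImageBase, subsystem, DLL flag, .NET presence, section names and the SHA-256 hash, and compares the ImageBase against the value Volatility printed. Because the real dumps are not available offline, build_sample_pe() constructs a minimal PE32 header standing in for executable.3832.exe; inspect_file() is a convenience wrapper for a real dump on disk.

```python
import hashlib
import struct

MACHINES = {0x14C: "i386", 0x8664: "x86-64"}
SUBSYSTEMS = {2: "GUI", 3: "console"}
IMAGE_FILE_DLL = 0x2000       # COFF Characteristics flag set on DLL images
CLR_DIRECTORY_INDEX = 14      # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (.NET runtime header)


def inspect_dump(data):
    """Parse the headers of a dumped PE (executable.PID.exe or module.*.dll) and
    return the fields worth comparing against the Volatility output."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                   # PE32: 32-bit ImageBase at offset 28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
        dirs = opt + 96                                  # data directories start after 96-byte header
    elif magic == 0x20B:                                 # PE32+: 64-bit ImageBase at offset 24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
        dirs = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    ndirs = struct.unpack_from("<I", data, dirs - 4)[0]  # NumberOfRvaAndSizes precedes the directories
    clr_rva = clr_size = 0
    if ndirs > CLR_DIRECTORY_INDEX:
        clr_rva, clr_size = struct.unpack_from("<II", data, dirs + 8 * CLR_DIRECTORY_INDEX)
    sections = []
    sec = opt + opt_size                                 # section table follows the optional header
    for i in range(nsections):
        name = struct.unpack_from("<8s", data, sec + 40 * i)[0]
        sections.append(name.rstrip(b"\0").decode("ascii", "replace"))
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "image_base": image_base,
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "dotnet": clr_rva != 0 and clr_size != 0,        # what `file` reports as Mono/.Net assembly
        "sections": sections,
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matches_procdump(info, reported_image_base):
    """True when the ImageBase in the dumped header equals the ImageBase column
    Volatility printed for the process (0x00b90000 for svchost..exe above)."""
    return info["image_base"] == reported_image_base


def build_sample_pe(image_base=0x00B90000, dotnet=True, dll=False):
    """Constructed minimal PE32 header standing in for executable.3832.exe.
    It is not a real dump and contains no code, only headers."""
    e_lfanew = 0x80
    hdr = bytearray(b"MZ") + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    hdr += b"\0" * (e_lfanew - len(hdr)) + b"PE\0\0"
    chars = 0x0102 | (IMAGE_FILE_DLL if dll else 0)       # EXECUTABLE_IMAGE | 32BIT_MACHINE
    hdr += struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, chars)
    hdr += struct.pack("<HBBIIIIIII", 0x10B, 14, 0, 0x1000, 0x1000, 0, 0x1000, 0x1000, 0x2000, image_base)
    hdr += struct.pack("<IIHHHHHHIIIIHHIIIIII", 0x1000, 0x200, 6, 1, 0, 0, 6, 1, 0,
                       0x3000, 0x200, 0, 2, 0x8540, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    for i in range(16):                                   # 16 data directories; only CLR entry populated
        hdr += struct.pack("<II", 0x2008, 0x48) if (dotnet and i == CLR_DIRECTORY_INDEX) else struct.pack("<II", 0, 0)
    for name, rva in ((b".text", 0x1000), (b".rsrc", 0x2000)):
        hdr += struct.pack("<8sIIIIIIHHI", name, 0x1000, rva, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    return bytes(hdr) + b"\0" * (0x400 - len(hdr))


def inspect_file(path):
    """Hypothetical helper: run inspect_dump() over a dump written by procdump/dlldump."""
    with open(path, "rb") as fh:
        return inspect_dump(fh.read())


if __name__ == "__main__":
    info = inspect_dump(build_sample_pe())
    print(info)
    print("ImageBase matches procdump output:", matches_procdump(info, 0x00B90000))
```

On a real case you would call inspect_file("dump/executable.3832.exe") and compare info["image_base"] with the ImageBase column Volatility printed; a mismatch, a missing PE signature, or a truncated section table usually means the image was only partially resident when the memory was captured, in which case the dump is still useful for strings and YARA scanning but should not be treated as a faithful copy of the original binary.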