0

my task is to analyze a memory dump. I've found the location of a PDF file and I want to analyze it with VirusTotal. But I can't figure out how to "download" it from the memory dump.

I've already tried it with this command:

python vol.py -f img.vmem dumpfiles -r pdf$ -i --name -D dumpfiles/

But in my dumpfiles directory there is just a .vacb file which is not a valid PDF.

pichlbaer

2 Answers

0

I think you may have missed a command line argument from your command:

python vol.py -f img.vmem dumpfiles -r pdf$ -i --name -D dumpfiles/

If you are not getting a .dat file in your output folder you can add -u:

-u, --unsafe Relax safety constraints for more data

Can't test this without access to the dump but you should be able to rename the .dat file created to .pdf.

So it should look something like this:

python vol.py -f img.vmem dumpfiles -r pdf$ -i --name -D dumpfiles/ -u

You can check out the documentation on the commands here

Noelkd
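Before renaming the dumped section to .pdf, it is worth checking that the .dat/.vacb actually contains a PDF and trimming the page padding around it, since dumpfiles writes page-granular memory images rather than the file as stored on disk. The following is an added example (not Noelkd's or the Volatility project's code); it assumes Volatility 2 dumpfiles output in a directory such as dumpfiles/ with the .dat/.img/.vacb suffixes kept, and the sample .vacb contents are constructed.

```python
import re
import sys
from pathlib import Path
from typing import Dict, Optional

# Volatility 2 "dumpfiles" writes one file per cached section object:
#   *.dat -> DataSectionObject, *.img -> ImageSectionObject, *.vacb -> SharedCacheMap
# Each is a page-granular memory image: the PDF may sit after zeroed or unrelated
# pages and is followed by null padding, so a plain rename to .pdf looks "invalid".
DUMP_SUFFIXES = {".dat", ".img", ".vacb"}
PDF_HEADER = re.compile(rb"%PDF-\d\.\d")
PDF_EOF = b"%%EOF"

# Constructed stand-in for a dumped .vacb: one zeroed page, the PDF, null padding.
SAMPLE_VACB = (b"\x00" * 4096
               + b"%PDF-1.4\n1 0 obj<<>>endobj\ntrailer<<>>\n%%EOF\n"
               + b"\x00" * 1024)


def carve_pdf(blob: bytes) -> Optional[bytes]:
    """Return bytes from the first PDF header to the last %%EOF, or None."""
    m = PDF_HEADER.search(blob)
    if m is None:
        return None            # no PDF signature anywhere in this section
    end = blob.rfind(PDF_EOF, m.start())
    if end == -1:
        return None            # header present but trailer never paged in: incomplete
    return blob[m.start():end + len(PDF_EOF)]


def carve_directory(dump_dir: Path) -> Dict[str, Optional[str]]:
    """Carve every dumpfiles output in dump_dir; map source name -> written .pdf name or None."""
    results: Dict[str, Optional[str]] = {}
    for path in sorted(dump_dir.iterdir()):
        if path.suffix.lower() not in DUMP_SUFFIXES:
            continue
        pdf = carve_pdf(path.read_bytes())
        if pdf is None:
            results[path.name] = None
            continue
        out = path.with_name(path.name + ".pdf")   # keep the original name for provenance
        out.write_bytes(pdf)
        results[path.name] = out.name
    return results


if __name__ == "__main__":
    target = Path(sys.argv[1] if len(sys.argv) > 1 else "dumpfiles")
    for src, dst in carve_directory(target).items():
        print(f"{src}: {dst or 'no complete PDF found'}")
```

A carved file that still fails to open usually means the cache held only part of the document; the dump then yields hashes and strings for VirusTotal, but not a renderable PDF.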
-1

VACB is "virtual address control block". Your output type seems to be wrong. Try something like:

$ python vol.py -f img.vmem dumpfiles --output=pdf --output-file=bla.pdf --profile=[your profile] -D dumpfiles/

or check out the cheat sheet: here

Tobi
Thanks for your hint. But if I use the following command python vol.py -f img.vmem dumpfiles --output=pdf --output-file=dumpfile/bla.pdf --profile=[myProfile] -D dumpfiles/ this error message shows up: Supported formats are ['dot', 'greptext', 'html', 'json', 'sqlite', 'text', 'xlsx'] And without --output=pdf the created PDF is invalid. I will have a look at the cheatSheet :) – pichlbaer Jan 07 '16 at 15:30