Hello,
I am working on the analysis of a RAM image acquired by mdd.exe
My OS is Windows XP SP2
I run ptfinder_xpsp2.pl and volatility psscan and I obtained the PDB of every process.
Then I run memdump on a specific process to map the process memory.
My problem is that memdump generates the following error message: "PDB must be aligned on 4K page".
My PDB for cmd.exe, for example, is 0x06b60220.
My PDB for alg.exe, for example, is 0x06b60260.
Could you help me please?
Thanks
I'm not sure what offsets those are, but they aren't valid PDB locations. The page directory always starts at the beginning of a page, and two processes' PDBs should be more than 64 bytes apart.
To be honest, I'm not sure what you're trying to do… it seems that Volatility is working fine for you, so why are you trying to run a Perl script against the memory dump? Where did the Perl script come from?
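To make the alignment point above concrete, here is an added example (not code from the thread, not from Volatility or memdump.pl) that shows what a tool does with the PDB: it treats it as the physical base of an x86 (non-PAE, 4K pages) page directory and walks PDE then PTE to turn a virtual address into a physical offset in the image. The memory image, the PDB value 0x3000, and the page-table contents below are all constructed for the demonstration; the real values from the thread (0x06b60220, 0x06b60260) are only used to show the alignment check failing, since a page directory base has its low 12 bits clear.

```python
# Constructed x86 (non-PAE) page-table walk, as a forensics tool must do it.
# Assumption: 4K pages, 32-bit PDEs/PTEs, little-endian physical image.
import struct

PAGE_SIZE = 0x1000
PRESENT = 0x1

def is_page_aligned(addr: int, page_size: int = PAGE_SIZE) -> bool:
    """A page directory base (CR3 / DirectoryTableBase) is a page-frame
    address, so its low 12 bits must be zero."""
    return addr % page_size == 0

def split_x86_va(va: int):
    """Split a 32-bit virtual address into (PDE index, PTE index, offset)."""
    return (va >> 22) & 0x3FF, (va >> 12) & 0x3FF, va & 0xFFF

def read_entry(mem: bytes, phys: int) -> int:
    """Read one 32-bit page-table entry at a physical offset in the image."""
    return struct.unpack_from("<I", mem, phys)[0]

def translate(mem: bytes, pdb: int, va: int):
    """Virtual -> physical translation through the page directory at `pdb`.
    Raises ValueError for a misaligned PDB (the error memdump reports);
    returns None if the mapping is not present."""
    if not is_page_aligned(pdb):
        raise ValueError(f"PDB 0x{pdb:08x} must be aligned on 4K page")
    pde_idx, pte_idx, offset = split_x86_va(va)
    pde = read_entry(mem, pdb + pde_idx * 4)
    if not pde & PRESENT:
        return None
    page_table = pde & ~0xFFF            # strip flag bits to get the PT frame
    pte = read_entry(mem, page_table + pte_idx * 4)
    if not pte & PRESENT:
        return None
    return (pte & ~0xFFF) | offset       # page frame plus in-page offset

# --- Constructed image: page directory at 0x3000, one page table at 0x4000,
# --- one data page at 0x5000, all flagged present+writable (0x3).
MEM = bytearray(0x6000)
PDB = 0x3000
VA = 0x00401234                          # PDE 1, PTE 1, offset 0x234
struct.pack_into("<I", MEM, PDB + 1 * 4, 0x4000 | 0x3)      # PDE[1] -> PT
struct.pack_into("<I", MEM, 0x4000 + 1 * 4, 0x5000 | 0x3)   # PTE[1] -> page
MEM[0x5234:0x5236] = b"MZ"               # sample data at the translated offset

def read_virtual(mem: bytes, pdb: int, va: int, size: int) -> bytes:
    """Read `size` bytes at a virtual address (single-page reads only)."""
    pa = translate(mem, pdb, va)
    return b"" if pa is None else bytes(mem[pa:pa + size])

def check_pdb_candidates(candidates: dict) -> dict:
    """Report which claimed PDB values could actually be page-directory bases."""
    return {name: is_page_aligned(addr) for name, addr in candidates.items()}

if __name__ == "__main__":
    print(hex(translate(MEM, PDB, VA)))             # 0x5234
    print(read_virtual(MEM, PDB, VA, 2))            # b'MZ'
    # The values reported in the thread cannot be page-directory bases:
    print(check_pdb_candidates({"cmd.exe": 0x06B60220, "alg.exe": 0x06B60260}))
```

If the number a scanner prints for a process fails `is_page_aligned`, it is some other per-process value (an offset into the image or a structure field), not the DirectoryTableBase, and feeding it to a page-table walker will either be rejected, as memdump does, or produce garbage reads.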
What I am trying to do with memdump.pl is to map the memory of a specific process.
I obtain the same PDB offset for cmd.exe with volatility and ptfinder_xpsp2.pl
Does it mean that the results I obtained with ptfinder and Volatility are wrong?
What can I do?
First off, where did you get memdump.pl?
Second, why don't you use the inherent tools within Volatility to dump process memory?
Hi,
I downloaded memdump.pl from http//
Second, I am analyzing the detection of malware from a memory dump. Some processes that seem to be from the malware have the same PID. Because Volatility relies on a unique PID to reference processes, it cannot be used to dump the memory of these two suspicious processes. But tools like memdump.pl and lspm.pl don't rely on the PID, so they can be used to dump the memory of any process.
The problem is that lspm.pl was developed for Windows 2000, so I cannot run it on Windows XP. memdump.pl is supposed to work with XP, but I still have to resolve the cause of the error message.
Volatility is able to dump a process knowing the offset on the image file …
Sorry for my poor English.
Like Neofito said, just use Volatility's built-in capability to dump memory…