[Vol-dev] New On this list

Jesse Kornblum research at jessekornblum.com
Sat Oct 10 06:47:45 CDT 2009


Hi Jason,

Welcome to the fun!

I think a --verbose/-v flag is a good idea for most modules. It's also
a good way to get started working with the code. Go for it!

Volatility already has PE extraction using the procdump module. For  
example:

$ python volatility procdump -f xp-laptop-2005-07-04-1430.img

will attempt to copy out all of the executables from the xp-laptop  
memory image. Those files can then be imported into IDA Pro and friends.

Here are the other command line options for procdump:

Usage: procdump [options] (see --help)

Options:
  -h, --help            show this help message and exit
  -f FILENAME, --file=FILENAME
                        (required) XP SP2 Image file
  -b BASE, --base=BASE  (optional, otherwise best guess is made) Physical
                        offset (in hex) of directory table base
  -t TYPE, --type=TYPE  (optional, default="auto") Identify the image type
                        (pae, nopae, auto)
  -H OUTPUT, --output=OUTPUT
                        (optional, default="text") Output format (xml, html,
                        sql)
  -O OUT_FILE, --out_file=OUT_FILE
                        (output filename to write results onto - default
                        stdout)
  -o OFFSET, --offset=OFFSET
                        EPROCESS Offset (in hex) in physical address space
  -p PID, --pid=PID     Dump the process with this Pid
  -m MODE, --mode=MODE  strategy to use when saving executable. Use "disk" to
                        save using disk-based section sizes, "mem" for memory-
                        based sections. (default: "mem")
  -u, --unsafe          do not perform sanity checks on sections when dumping

-- 
Jesse
research at jessekornblum.com
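The --mode and --unsafe options in the procdump help above describe two strategies for rebuilding a PE from a process image: copy each section's on-disk size back to its file offset ("disk"), or mirror the memory layout by writing VirtualSize bytes at the RVA and patching the section headers to match ("mem"). The script below is an added illustration of those two strategies and is not Volatility's procdump code. It assumes the mapped image is available as one bytes object starting at the image base, builds a small PE32 image inline as constructed test data, and its sanity checks (section count, section bounds against SizeOfImage and against the captured image) are my own choice of what an --unsafe switch would skip, not the checks procdump actually performs.

```python
"""Rebuild a PE file from an in-memory image with "disk" or "mem" section sizing.

Added illustration, not Volatility's procdump code.  Assumes the mapped image is
available as one bytes object starting at ImageBase (RVA 0), as a memory
forensics tool would read it out of a process address space.
"""
import struct

SECTION_HDR = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER, 40 bytes
MAX_SECTIONS = 96                             # PE spec limit, used as a sanity check


def _align_up(n, a):
    return (n + a - 1) // a * a


def parse_headers(image):
    """Return (nt_offset, optional_header_offset, section_table_offset, nsections)."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[:2] != b"MZ" or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsections = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    return e_lfanew, opt, opt + opt_size, nsections


def section_header(pe, index):
    """Parsed IMAGE_SECTION_HEADER tuple for section `index` of a PE file or image."""
    _, _, sec_table, nsections = parse_headers(pe)
    if index >= nsections:
        raise IndexError(index)
    return SECTION_HDR.unpack_from(pe, sec_table + index * SECTION_HDR.size)


def dump_pe(image, mode="mem", unsafe=False):
    """Write out a PE file from `image`.

    mode="disk": copy SizeOfRawData bytes from each section's RVA back to its
    PointerToRawData, reproducing the on-disk layout the loader mapped from.
    mode="mem":  copy VirtualSize bytes (rounded up to SectionAlignment) to the
    RVA itself and patch the section headers so file offsets equal RVAs; the
    result mirrors memory, which is what you want for unpacked or patched code.
    unsafe=True skips the bounds checks (my hypothetical equivalent of -u).
    """
    _, opt, sec_table, nsections = parse_headers(image)
    section_align = struct.unpack_from("<I", image, opt + 32)[0]
    size_of_image = struct.unpack_from("<I", image, opt + 56)[0]
    size_of_headers = struct.unpack_from("<I", image, opt + 60)[0]
    if not unsafe and nsections > MAX_SECTIONS:
        raise ValueError("implausible section count %d" % nsections)
    out = bytearray(image[:size_of_headers])
    for i in range(nsections):
        off = sec_table + i * SECTION_HDR.size
        fields = list(SECTION_HDR.unpack_from(image, off))
        name, vsize, va, rawsize, rawptr = fields[:5]
        if mode == "disk":
            length, dst = rawsize, rawptr
        elif mode == "mem":
            length, dst = _align_up(vsize, section_align), va
            fields[3], fields[4] = length, va     # SizeOfRawData, PointerToRawData
        else:
            raise ValueError("mode must be 'disk' or 'mem'")
        if not unsafe:
            if va + length > size_of_image:
                raise ValueError("section %r extends past SizeOfImage" % name)
            if va + length > len(image):
                raise ValueError("section %r is not fully present in the image" % name)
        data = image[va:va + length].ljust(length, b"\0")   # zero-fill if unsafe and short
        if len(out) < dst + length:
            out.extend(b"\0" * (dst + length - len(out)))
        out[dst:dst + length] = data
        SECTION_HDR.pack_into(out, off, *fields)
    return bytes(out)


def build_sample_image():
    """Constructed test data: a tiny PE32 image laid out as it appears in memory."""
    section_align, file_align, size_of_image = 0x1000, 0x200, 0x3000
    # name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData, contents
    sections = [
        (b".text", 0x1000, 0x50, 0x400, 0x200, b"\x90" * 0x50),
        (b".data", 0x2000, 0x30, 0x600, 0x200, b"D" * 0x30),
    ]
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                        # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)                                          # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                         # Magic
    struct.pack_into("<I", opt, 28, 0x400000)                     # ImageBase
    struct.pack_into("<II", opt, 32, section_align, file_align)
    struct.pack_into("<II", opt, 56, size_of_image, 0x400)        # SizeOfImage, SizeOfHeaders
    hdrs = b"".join(SECTION_HDR.pack(n, vs, va, rs, rp, 0, 0, 0, 0, 0x60000020)
                    for n, va, vs, rp, rs, _ in sections)
    image = bytearray(size_of_image)
    header = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs
    image[:len(header)] = header
    for _, va, _, _, _, content in sections:
        image[va:va + len(content)] = content
    return bytes(image)


if __name__ == "__main__":
    img = build_sample_image()
    for m in ("disk", "mem"):
        print("%s mode: %d bytes" % (m, len(dump_pe(img, m))))
```

The "disk" output keeps the original section table, so it only loads cleanly in IDA if the in-memory sections still match the file the loader mapped; the "mem" output rewrites PointerToRawData and SizeOfRawData so a disassembler sees the code exactly as it sat in memory, which is why it is the sensible default for suspicious processes. Run against a truncated image, the bounds check refuses to write a section that was never captured unless unsafe=True, in which case the missing tail is zero-filled.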
