Operator On The Wire

dumpfiles

Reconstructs files from the FILE_OBJECTs in a Windows memory image, pulling the contents out of the cache manager (SharedCacheMap) and the file's DataSectionObject / ImageSectionObject mappings. Only file-backed data is recovered: pages that were not resident when the image was taken come out zero-filled.

Usage

  • Extract a PE that was mapped from disk, e.g. a sideloaded or otherwise suspicious DLL/EXE still referenced by a process (ImageSectionObject)
  • Extract a staged payload that touched the filesystem, e.g. a dropper's second stage still held in the cache even if it was deleted on disk (DataSectionObject / SharedCacheMap)
  • Not for unbacked injected code: memory written with VirtualAlloc/WriteProcessMemory has no FILE_OBJECT, so use malfind, vaddump or procdump for that and dumpfiles for the on-disk artifacts around it

Commands

# Dump one file object by its physical offset, as printed by filescan (Vol2)
vol.py -f <mem> --profile=<profile> dumpfiles -Q <offset> -D <output_dir>

# Dump one file object by FILE_OBJECT virtual address, e.g. from windows.handles (Vol3)
# For a physical offset from windows.filescan use --physaddr instead; output goes to the
# current directory unless the global -o <output_dir> is given before the plugin name
python3 vol.py -f <target> windows.dumpfiles --virtaddr <offset>

# Dump every file object held by one process (Vol3)
python3 vol.py -f <target> windows.dumpfiles --pid <pid>

# Dump every file whose path matches a regex, here browser History files (Vol3)
vol.exe -f <target> windows.dumpfiles --filter History
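The usual workflow is filescan first, then one dumpfiles call per interesting offset, then a sanity check that what came out is really a PE. The helper below is an added example written for this page, not code from the knowledge base or from the Volatility project: it parses Volatility 3 windows.filescan output (assumed to be the default tab-separated Offset / Name / Size table), filters it with the same kind of regex --filter takes, emits the matching windows.dumpfiles --physaddr command lines, and checks a dumped buffer for the MZ / PE\0\0 signatures. The filescan rows and the PE bytes are constructed sample data, and the image name mem.raw and output directory out are assumptions.

```python
"""Triage helper around Volatility 3 windows.filescan / windows.dumpfiles.

Added example, not part of the knowledge-base page or of Volatility.
Assumptions: windows.filescan default output is a tab-separated table with
columns Offset / Name / Size, and windows.dumpfiles --physaddr takes the
physical offsets that filescan prints.
"""
import re
import shlex
from typing import Dict, List

# Constructed sample of windows.filescan output (not taken from a real image).
SAMPLE_FILESCAN = (
    "Volatility 3 Framework 2.5.0\n"
    "Offset\tName\tSize\n"
    "\n"
    "0x9e8c8c6b5f20\t\\Windows\\System32\\kernel32.dll\t0xd8\n"
    "0x9e8c8c7a1e40\t\\Users\\alice\\AppData\\Local\\Temp\\stage2.dll\t0xd8\n"
    "0x9e8c8c7b3c10\t\\Users\\alice\\AppData\\Local\\Microsoft\\Windows"
    "\\History\\History.IE5\\index.dat\t0xd8\n"
)

# A data row: hex offset, file path, hex FILE_OBJECT size, separated by tabs.
ROW_RE = re.compile(r"^(0x[0-9a-fA-F]+)\t(.+?)\t(0x[0-9a-fA-F]+)\s*$")


def parse_filescan(text: str) -> List[Dict[str, object]]:
    """Return one {offset, name} entry per FILE_OBJECT row, skipping banner/header."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append({"offset": int(m.group(1), 16), "name": m.group(2)})
    return rows


def select_files(rows: List[Dict[str, object]], pattern: str) -> List[Dict[str, object]]:
    """Keep rows whose path matches a regex, like dumpfiles --filter but on our side."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [r for r in rows if rx.search(str(r["name"]))]


def dumpfiles_commands(image: str, rows: List[Dict[str, object]], outdir: str) -> List[str]:
    """One windows.dumpfiles invocation per selected FILE_OBJECT (physical offset).

    The global -o must precede the plugin name; otherwise output lands in the cwd.
    """
    cmds = []
    for r in rows:
        argv = ["python3", "vol.py", "-f", image, "-o", outdir,
                "windows.dumpfiles", "--physaddr", f"0x{int(r['offset']):x}"]
        cmds.append(" ".join(shlex.quote(a) for a in argv))
    return cmds


def is_pe(data: bytes) -> bool:
    """True if the buffer starts with a DOS header whose e_lfanew points at PE\\0\\0.

    A dumped .img/.dat whose first page was not resident is zero-filled there and
    fails this check even though the rest of the image may be intact.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


# Constructed minimal PE-looking buffer: MZ header, e_lfanew = 0x80, PE signature.
_pe = bytearray(0x200)
_pe[0:2] = b"MZ"
_pe[0x3C:0x40] = (0x80).to_bytes(4, "little")
_pe[0x80:0x84] = b"PE\0\0"
SAMPLE_PE = bytes(_pe)


if __name__ == "__main__":
    rows = parse_filescan(SAMPLE_FILESCAN)
    hits = select_files(rows, r"\\Temp\\.*\.dll$")
    for cmd in dumpfiles_commands("mem.raw", hits, "out"):
        print(cmd)
    print("sample PE check:", is_pe(SAMPLE_PE))
```

Running the module prints the dumpfiles command for stage2.dll; pipe the real `windows.filescan` output into `parse_filescan` instead of the sample, and run `is_pe` over each `.img`/`.dat` that dumpfiles writes before handing it to a disassembler.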