Usage
| Method | Source |
|---|---|
| InLoad | PEB loader list |
| InInit | Initialization list |
| InMem | Memory order list |

If a module:
- Exists in memory
- But is not in the loader lists (the columns above show False)

→ Manual mapping likely.
Commands
```bash
# Detect unlinked DLLs (Vol2)
vol.py -f <mem> --profile=<profile> ldrmodules -p <PID>
# Detect unlinked DLLs (Vol3)
python3 vol.py -f <mem> windows.ldrmodules --pid <PID>
```
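
An added example, not part of the original page or of Volatility: a small Python filter over saved ldrmodules text output that reports every mapped module marked False in at least one of the InLoad/InInit/InMem columns. The sample rows are constructed, the function names are hypothetical, and the parser assumes whitespace-separated columns and process names without spaces.

```python
# Added example: triage of ldrmodules text output (not part of Volatility).
LISTS = ("InLoad", "InInit", "InMem")

# Constructed sample rows in the ldrmodules column layout:
# Pid Process Base InLoad InInit InMem MappedPath
SAMPLE = r"""
Pid  Process  Base            InLoad  InInit  InMem  MappedPath
1234 app.exe  0x400000        True    False   True   \Program Files\App\app.exe
1234 app.exe  0x7ffa10000000  True    True    True   \Windows\System32\ntdll.dll
1234 app.exe  0x6f000000      False   False   False  \Users\Public\helper.dll
1234 app.exe  0x71000000      True    False   True   \Windows\System32\example.dll
"""

def parse_rows(text):
    """Yield one dict per data row; header, blank and malformed lines are skipped."""
    for line in text.splitlines():
        f = line.split(None, 6)  # MappedPath is last and may contain spaces
        if len(f) < 6 or not f[0].isdigit():
            continue
        flags = f[3:6]
        if any(v not in ("True", "False") for v in flags):
            continue
        yield {
            "pid": int(f[0]), "process": f[1], "base": int(f[2], 16),
            "missing": [n for n, v in zip(LISTS, flags) if v == "False"],
            "path": f[6].strip() if len(f) > 6 else "",  # path may be empty
        }

def find_unlinked(text):
    """Return rows absent from at least one loader list, minus the expected case."""
    hits = []
    for row in parse_rows(text):
        # Assumption: the process name is not truncated, so it matches the path tail.
        is_main_exe = row["path"].lower().endswith("\\" + row["process"].lower())
        # The process executable itself is normally not in the InInit list.
        if is_main_exe and row["missing"] == ["InInit"]:
            continue
        if row["missing"]:
            hits.append(row)
    return hits

if __name__ == "__main__":
    for r in find_unlinked(SAMPLE):
        print(f'{r["pid"]} {r["process"]} {r["base"]:#x} '
              f'missing={",".join(r["missing"])} path={r["path"] or "<none>"}')
```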