After scan file in vmem, it is hard to dump only one file, cause 'FileScan' display offset, but not virtuladdr. python3 vol.py -f test.vmem windows.filescan.FileScan

I suggest to add 'offset' to support it. python3 vol.py -f test.vmem windows.dumpfiles.DumpFiles --offset 0x7fe7fdd0

Sep 14 '21 13:09 wooyin

Hello @wooyin - the dumpfiles plugin already supports dumping files by virtual or physical offset. Is that not working properly?

% python3 vol.py windows.dumpfiles -h
Volatility 3 Framework 1.2.1
usage: volatility windows.dumpfiles.DumpFiles [-h] [--pid PID] [--virtaddr VIRTADDR] [--physaddr PHYSADDR]

optional arguments:
  -h, --help           show this help message and exit
  --pid PID            Process ID to include (all other processes are excluded)
  --virtaddr VIRTADDR  Dump a single _FILE_OBJECT at this virtual address
  --physaddr PHYSADDR  Dump a single _FILE_OBJECT at this physical address

Sep 15 '21 14:09 iMHLv2

I think this can be marked as closed? Feel free to reopen it if you believe your issue is a still a problem... 5:)

Sep 15 '21 21:09 ikelos

Doing --virtaddr gives me the error volatility: error: unrecognized arguments: ‑‑virtaddr

Jul 26 '23 20:07 ajmeese7

Hi @ajmeese7 - what is the full command line you use when you get that error?

Jul 26 '23 21:07 eve-mem

I don't remember now, it was something to the effect of ./vol.py -f memory.dmp -o ./dumped_files windows.dumpfiles.DumpFiles --virtaddr 0x3e1745d0 though. I think I ended up getting my problem resolved by using --physaddr, but in the process of debugging I saw this related issue and figured I'd mention that I ran into the same problem.

Aug 19 '23 13:08 ajmeese7

I don't remember now, it was something to the effect of ./vol.py -f memory.dmp -o ./dumped_files windows.dumpfiles.DumpFiles --virtaddr 0x3e1745d0 though. I think I ended up getting my problem resolved by using --physaddr, but in the process of debugging I saw this related issue and figured I'd mention that I ran into the same problem.

Yeap, as you mentioned,python3 vol.py -f path/to/my.mem -o output/dir/ windows.dumpfiles --physaddr 0x... works, but --virtaddr doesn't work

Feb 24 '24 16:02 Crane-Mocker

@ikelos seems this may still be an issue, would you consider reopening so it can be investigated further?

Feb 25 '24 18:02 ajmeese7

Sure, no problem, although I can't guarantee it'll get more attention than it managed to get in the last 260 days I'm afraid.

Feb 25 '24 18:02 ikelos

Doing --virtaddr gives me the error volatility: error: unrecognized arguments: ‑‑virtaddr

`virtaddr` and `physaddr`

According to the source code of windows.dumpfiles, for a physical address, it is needed to switch to a memory layer. vol 3 switches to a memory layer according to a flag is_virtual, which is set as True by --virtaddr or False by --physaddr.

if self.config.get("virtaddr", None) is not None:
	offsets.append((self.config["virtaddr"], True))
elif self.config.get("physaddr", None) is not None:
	offsets.append((self.config["physaddr"], False))

So theoretically, even if the user passes a physical address with --virtaddr, it should not raise the error unrecognized arguments: ‑‑virtaddr as mentioned.