volatility_gimp_helper.sh
# Observe process memory dump
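#######################################
# Dump one process's memory out of a Volatility image and open the dump in
# GIMP as raw data (the usual "squint at a memory dump as an image" trick).
# A dump that already exists for this PID is reused instead of re-extracted.
# Globals (all read, all optional):
#   VOLATILITY_IMAGE        memory image passed to `volatility -f`
#                           (default: dump.raw in the current directory)
#   VOLATILITY_WIN_PROFILE  Volatility profile for "windows"
#                           (default: Win7SP1x86_23418)
#   VOLATILITY_MAC_PROFILE  Volatility profile for "mac"
#                           (default: MacMountainLion_10_8_1_AMDx64)
#   TMPDIR                  parent of the per-PID dump directory (default: /tmp)
# Arguments:
#   $1 - "windows" or "mac"
#   $2 - PID of the process to dump
# Outputs: diagnostics on stderr
# Returns: 2 on bad arguments, non-zero if no dump could be produced,
#          otherwise the exit status of gimp
#######################################
volatility_screenshot() {
  local os=$1
  local pid=$2
  local image=${VOLATILITY_IMAGE:-dump.raw}
  local tmp_root=${TMPDIR:-/tmp}
  local dump_dir="${tmp_root}/${pid}.memdump"
  local data="${dump_dir}/${pid}.data"
  local -a dmps=()
  local f

  # Without this guard an empty PID quietly becomes "/tmp/.memdump/.data".
  if [[ -z "$pid" ]]; then
    printf 'usage: volatility_screenshot <windows|mac> <pid>\n' >&2
    return 2
  fi

  # NOTE: the dump directory is a predictable path under a shared tmp root
  # so that a previous dump of the same PID can be reused.  On a multi-user
  # host point TMPDIR at a private directory before calling this.
  if ! [[ -f "$data" ]]; then
    case "$os" in
      windows)
        mkdir -p -- "$dump_dir" || return
        volatility -f "$image" --profile="${VOLATILITY_WIN_PROFILE:-Win7SP1x86_23418}" \
          memdump -p "$pid" --dump-dir "$dump_dir" || return
        # memdump names the output <pid>.dmp.
        dmps=("${dump_dir}/${pid}.dmp")
        ;;
      mac)
        mkdir -p -- "$dump_dir" || return
        volatility -f "$image" --profile="${VOLATILITY_MAC_PROFILE:-MacMountainLion_10_8_1_AMDx64}" \
          mac_memdump -p "$pid" --dump-dir "$dump_dir" || return
        # mac_memdump chooses its own file name; collect whatever it wrote.
        # The -e test drops the literal pattern left by an unmatched glob.
        for f in "${dump_dir}"/*.dmp; do
          [[ -e "$f" ]] && dmps+=("$f")
        done
        ;;
      *)
        echo "Not implemented" >&2
        return 1
        ;;
    esac
    # Only rename when exactly one dump came out; "mv a.dmp b.dmp x.data"
    # would fail because the target is not a directory.
    if (( ${#dmps[@]} == 1 )) && [[ -f "${dmps[0]}" ]]; then
      mv -- "${dmps[0]}" "$data" || return
    fi
  fi

  if ! [[ -f "$data" ]]; then
    echo "No data for Gimp... :(" >&2
    return 1
  fi
  gimp "$data"
}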
# Usage
$ volatility_screenshot windows PID
$ volatility_screenshot mac PID