Help analyzing injected shellcode in hidden process in Windows 10 using Volatility3
While training in memory forensics with Volatility3, the author hit a problem: a C++ program launched notepad.exe (PID 4808) and injected shellcode into it, after which a driver removed the process from the PsActiveProcessHead list. Although psscan finds the process and the _EPROCESS structure and ThreadId can be inspected manually, the process is not linked to the active process list, so the memory pointed to by StartAddress cannot be accessed to extract the shellcode. 2025-7-27 09:45:8 Author: www.reddit.com

Hi everyone,

I'm currently training myself in memory forensics using Volatility3, and I've hit a roadblock I'd love your help with. :)

A little bit of context:

I'm working inside a Windows 10 VirtualBox VM, where I captured a raw memory dump. Here's what I set up:

  • I wrote a C++ program that starts a suspended process (notepad.exe, PID 4808).

  • It injects shellcode at the EntryPoint of the main thread.

  • Then, I developed a driver that unlinks this process from the doubly-linked PsActiveProcessHead list.

The goal of this lab is to locate and analyze the shellcode post-injection.

What I've done so far:

I used psscan to find the process (as expected, it's missing from pslist).

  • Since the process is unlinked, most Volatility plugins fail to analyze it.

  • malfind also doesn't detect the injection because my C++ program restores default memory page protections after injecting the shellcode.

  • So, I moved to a manual inspection using volshell.

Volshell analysis:

I located the _EPROCESS address structure via psscan:

(layer_name) >>> dt("_EPROCESS", 0xab063a90e300)

symbol_table_name1!_EPROCESS (2624 bytes) @ 0xab063a90e300:

0x0 : Pcb symbol_table_name1!_KPROCESS offset: 0xab063a90e300

0x438 : ProcessLock symbol_table_name1!_EX_PUSH_LOCK offset: 0xab063a90e738

0x440 : UniqueProcessId *symbol_table_name1!void 0x12c8 (unreadable pointer)

Double-checking the PID:

(layer_name) >>> db(0xab063a90e300 + 0x440)

0xab063a90e740 c8 12 00 00 00 00 00 00 48 e7 90 3a 06 ab ff ff

# => 0x12C8, which confirms it's the process 4808

Then, I retrieved the Flink ptr from the ThreadListHead and cast it to _ETHREAD. Here's the _CLIENT_ID validation:

(layer_name) >>> dt("_CLIENT_ID", 0xab063a392568 - 1256 + 0x478)

symbol_table_name1!_CLIENT_ID (16 bytes) @ 0xab063a3924f8:

0x0 : UniqueProcess *symbol_table_name1!void 0x12c8 (unreadable pointer)

0x8 : UniqueThread *symbol_table_name1!void 0x2544 (unreadable pointer)

# => 0x12C8, which confirms it's the process 4808 thread

I’m trying to dump the memory at the address pointed to by StartAddress, but I can't access it:

0x450 : StartAddress *symbol_table_name1!void 0x7ffdc3e22680 (unreadable pointer)

I assume I need to translate this virtual address to a physical one, within the process's context. But since the process is not linked to the active process list, Volatility3 fails to switch context using standard methods.

Do you have any suggestions on how I can read the memory at the address in StartAddress? I'm trying to extract and analyze the injected shellcode, but I’m stuck without access to that memory.

Any advice would be hugely appreciated — thank you very much in advance!

PS: let me know if I am not in the correct subreddit please :)
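The missing step the post describes (translating StartAddress inside the hidden process's own address space) worked through as an added example, not the poster's code or Volatility3's: a raw x64 4-level page-table walk over the physical dump, seeded with the process DirectoryTableBase (Pcb.DirectoryTableBase in the _EPROCESS found by psscan; confirm the offset with dt("_KPROCESS")). The dump, the DTB and the mapped bytes here are constructed in-memory so the walk can be checked offline; only START_ADDRESS is taken from the post.

```python
import struct
from typing import Optional

# Standard x64 4-level paging constants (what Windows 10 x64 uses).
PRESENT = 1 << 0
LARGE = 1 << 7                      # PS bit: 1 GiB page in a PDPT entry, 2 MiB in a PD entry
ADDR_MASK = 0x000F_FFFF_FFFF_F000   # bits 12..51: physical address of the next table / page
# StartAddress from the post; a real DTB comes from the hidden _EPROCESS's Pcb.DirectoryTableBase.
START_ADDRESS = 0x7FFDC3E22680
DEMO_BYTES = b"CONSTRUCTED-MARKER-NOT-SHELLCODE"   # stands in for the injected bytes

def translate_va(mem: bytes, dtb: int, va: int) -> Optional[int]:
    """Walk PML4 -> PDPT -> PD -> PT in the raw dump; return the physical address
    of `va`, or None when a level is not present (unmapped or paged out)."""
    indexes = [(va >> s) & 0x1FF for s in (39, 30, 21, 12)]
    table = dtb & ADDR_MASK
    for depth, idx in enumerate(indexes):
        entry = struct.unpack_from("<Q", mem, table + idx * 8)[0]
        if not entry & PRESENT:
            return None
        base = entry & ADDR_MASK
        if depth in (1, 2) and entry & LARGE:       # large page ends the walk early
            shift = 30 if depth == 1 else 21
            return (base & ~((1 << shift) - 1)) | (va & ((1 << shift) - 1))
        table = base
    return table | (va & 0xFFF)

def read_process_memory(mem: bytes, dtb: int, va: int, size: int) -> Optional[bytes]:
    """Read `size` bytes at `va` in the process context, one page at a time."""
    out = bytearray()
    while size > 0:
        pa = translate_va(mem, dtb, va)
        if pa is None:
            return None                             # range crosses an unmapped page
        chunk = min(size, 0x1000 - (va & 0xFFF))    # stop at the page boundary
        out += mem[pa:pa + chunk]
        va, size = va + chunk, size - chunk
    return bytes(out)

def build_demo_dump():
    """Constructed 64 KiB 'physical memory' with one 4 KiB page mapped at START_ADDRESS."""
    mem = bytearray(0x10000)
    pml4, pdpt, pd, pt, page = 0x1000, 0x2000, 0x3000, 0x4000, 0x5000
    for table, shift, target in ((pml4, 39, pdpt), (pdpt, 30, pd), (pd, 21, pt), (pt, 12, page)):
        struct.pack_into("<Q", mem, table + ((START_ADDRESS >> shift) & 0x1FF) * 8, target | PRESENT)
    off = page + (START_ADDRESS & 0xFFF)
    mem[off:off + len(DEMO_BYTES)] = DEMO_BYTES
    return bytes(mem), pml4                         # (dump, DirectoryTableBase)

DEMO_MEM, DEMO_DTB = build_demo_dump()              # translate_va(...) -> 0x5680
```

Volatility3 performs the same walk when a process layer is built from an _EPROCESS (from memory of the framework, `_EPROCESS.add_process_layer()` followed by volshell's `change_layer`; verify against your installed version), which does not require the process to be on the PsActiveProcessHead list, only a readable _EPROCESS object at the psscan offset.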


Source: https://www.reddit.com/r/computerforensics/comments/1maib4w/help_analyzing_injected_shellcode_in_hidden/