Memory Analysis using Volatility - ldrmodules

Volatility is a tool used for extraction of digital artifacts from volatile memory(RAM) samples. Volatility uses a set of plugins that can be used to extract these artifacts in a time efficient and quick manner.

ldrmodules – a volatility plugin that is used detect unlinked DLLs.

From an incident response perspective, the volatile data residing inside the system’s memory contains rich information such as passwords, credentials, network connections, malware intrusions, registry hives, and etc. that can be a valuable source of evidence and is not typically stored on the local hard disk. This is one of the investigator’s favorite data sources to perform digital forensics on, and knowing the right tool to dump memory is a must.

When analyzing a malware sample, some sample have the ability to unlink themselves from other modules, and if the sample has this capability when you run dlllist plugin, that module won’t appear on the  result.


That is why, during an investigation, it is a good practice to compare both dlllist and ldrmodules results to see if there is any unlinking between the process loaded modules.


When a module is found between tables it has a boolean value of True and if not, False.

Our syntax will be like: vol.exe -f <memory_dump> –profile=<OS_version> ldrmodules -p <PID>