volatilityfoundation / community
Volatility plugins developed and maintained by the community
I recently heard about some very cool volatility plugins like autoruns and mimikatz, just to name a couple. On my Kali Linux machine I put these plugins into the /usr/share/volatility/contrib/plugins folder, and then have tried running the plugins with vol.py -f file --profile=profile --plugins=contrib/plugins autoruns
But it just gives me the line "You must specify something to do." I've tried listing the full path for --plugins=/usr/share/volatility/contrib/plugins. I've tried listing the .py in the plugin name (autoprunes.py) and I keep getting the same issue. I've googled around to see if I could find something about some Kali specific directory or oddity in the volatility install, but I haven't found any useful information.
Any advice on what to try or what I'm doing wrong will be greatly appreciated!
-Thanks
In file community/DatQuoc/LinuxFirefox.py:
# imports used by the excerpt (present in the full file)
import volatility.plugins.linux.common as linux_common
import volatility.utils as utils

class Linux_FFHis(linux_common.AbstractLinuxCommand):
    """Listing History of FireFox Browser"""

    def __init__(self, config, *args, **kwargs):
        linux_common.AbstractLinuxCommand.__init__(self, config, *args, **kwargs)

    def calculate(self):
        address_space = utils.load_as(self._config, astype = 'physical')
        row_avaiable = []
        # byte patterns the scanner searches for in the physical address space
        needles = ['\x06\x25\x08', '\x06\x25\x09',
                   '\x00\x25\x08', '\x00\x25\x09']
In the code above, I have two questions.
(1) How is the value of the variable needles obtained?
(2) Does this string (needles) appear in memory when viewing Firefox history?
If we convert the format to git submodules we won't have to update the repo every time someone updates their plugins
Hi
I am trying to get the modules used in SANS 508 to work on the latest SIFT/Volatility build. Modules like malprocfind, processbl etc. I understand that these are in contrib and community builds and I have followed those instructions but I keep getting errors, especially around:
vol.py -f test.raw --profile=Win7SP1x86 --plugins=contrib/plugins malprocfind
Volatility Foundation Volatility Framework 2.6
ERROR : volatility.debug : You must specify something to do (try -h)
also tried specifying specific folder :
vol.py --plugins=/usr/lib/python2.7/dist-packages/volatility/plugin-dir/community -- profile=Win7SP1x86 -f jofrey-vmimage.raw malprocfind
Volatility Foundation Volatility Framework 2.6
*** Failed to import volatility.plugins.MichaelBrown.analysis.create_test_db (ImportError: No module named analysis.create_test_db)
*** Failed to import volatility.plugins.FrankBlock.zsh (ImportError: No module named heap_analysis)
*** Failed to import volatility.plugins.JavierVallejo.symbolizemod (ImportError: No module named enumfunc)
ERROR : volatility.debug : Please install DPAPIck library: https://bitbucket.org/jmichel/dpapick
Various other hacks, but in all cases I get that DPAPick failure:
ERROR : volatility.debug : Please install DPAPIck library: https://bitbucket.org/jmichel/dpapick
I have tried pip uninstall and reinstall dpapick - but no luck
Can you please tell me how to get these modules working as they do in the SANS 508 VM build?
Thanks
When I import the mimikatz module in Python I receive this error:
File "mimikatz.py", line 183, in LsaDecryptor
construct.ULInt32('cbSecret'),
AttributeError: 'module' object has no attribute 'ULInt32'
Importing the module construct is OK.
But in the construct module the definition of unsigned long 32 is "Int32ul" and not "ULInt32"!
Please could you correct this mistake in the definition of the object? I think the other ULInt** have the same error.
Thanks
PS: Python version is 2.7.6
when I'm trying to run the following command on win 10:
volatility_2.6_win64_standalone.exe --plugins=myplugins --profile=Win10x64 -f 20170224.mem myplugin
I get this error:
Traceback (most recent call last):
File "vol.py", line 192, in <module>
File "vol.py", line 183, in main
File "volatility\commands.py", line 147, in execute
File "volatility\commands.py", line 282, in render_text
File "volatility\commands.py", line 273, in _render
File "volatility\commands.py", line 270, in unified_output
NotImplementedError: Rendering using the unified output format has not been implemented for this plugin.
Failed to execute script vol
Updated version of mimikatz plugin for new construct api
https://raw.githubusercontent.com/dfirfpi/hotoloti/master/volatility/mimikatz.py
Trying to run current volatility with community plugins on OSX and getting this error. Is it a conflict with one of the plugins?
Traceback (most recent call last):
  File "/usr/local/bin/vol.py", line 4, in <module>
    __import__('pkg_resources').run_script('volatility==2.6', 'vol.py')
  File "/usr/local/lib/python2.7/site-packages/pkg_resources/__init__.py", line 750, in run_script
    self.require(requires)[0].run_script(script_name, ns)
  File "/usr/local/lib/python2.7/site-packages/pkg_resources/__init__.py", line 1527, in run_script
    exec(code, namespace, namespace)
  File "/usr/local/lib/python2.7/site-packages/volatility-2.6-py2.7.egg/EGG-INFO/scripts/vol.py", line 192, in <module>
    main()
  File "/usr/local/lib/python2.7/site-packages/volatility-2.6-py2.7.egg/EGG-INFO/scripts/vol.py", line 162, in main
    cmds = registry.get_plugin_classes(commands.Command, lower = True)
  File "/usr/local/lib/python2.7/site-packages/volatility-2.6-py2.7.egg/volatility/registry.py", line 152, in get_plugin_classes
    raise Exception("Object {0} has already been defined by {1}".format(name, plugin))
Exception: Object bitlocker has already been defined by <class 'volatility.plugins.ThomasWhite.bitlocker.Bitlocker'>
#!/usr/bin/env python
"""
Requires Yara-python to be installed
"""
authors = "Max de Bruijn , Rolf Govers"
department = "Forensics and Incident Response"
company = "Fox-IT B.V."
year = "2019"
version = "1.0"
status = "Final Volatility Plugin contest submission"

import volatility.plugins.common as common
import volatility.plugins.malware.malfind as malfind
import volatility.utils as utils
import volatility.win32 as win32
import volatility.debug as debug
from volatility.renderers import TreeGrid
from volatility.renderers.basic import Address

# Import yara only inside the guard: an unconditional "import yara" placed
# before it would raise ImportError and make the has_yara check unreachable.
try:
    import yara
    has_yara = True
except ImportError:
    has_yara = False

# YARA rule matching a toast notification XML document in process memory
TOAST_RULES = {'n': r'rule toast {strings: $a=/<toast.*\/toast>/ condition: $a}'}


class toastPlugin(common.AbstractWindowsCommand):
    """Carve Windows toast notification XML from explorer.exe memory"""

    def generator(self, data):
        for proc, address, hit, content in data:
            # keep only the first notification in the block read after the hit
            relevantContent = content.split('/toast>')[0] + '/toast>'
            yield (0, [Address(address), str(proc.ImageFileName), relevantContent])

    def unified_output(self, data):
        tree = [("Address", Address),
                ("ProcessName", str),
                ("ToastXML", str)]
        return TreeGrid(tree, self.generator(data))

    def calculate(self):
        if not has_yara:
            debug.error("Yara must be installed for this plugin")
        addr_space = utils.load_as(self._config)
        # compile the rule once instead of once per process
        rules = yara.compile(sources = TOAST_RULES)
        tasks = win32.tasks.pslist(addr_space)
        for proc in tasks:
            if str(proc.ImageFileName) == "explorer.exe":
                scanner = malfind.VadYaraScanner(task=proc, rules=rules)
                for hit, address in scanner.scan(maxlen=0x40000000):
                    # read a 16 KiB window starting at the hit address
                    yield (proc, address, hit, scanner.address_space.zread(address, 0x4000))
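The following is an added example, not the plugin's code and not from the community repository. It reproduces in plain Python, on a constructed byte buffer, what the plugin does with YARA and zread(): locate "<toast", take a 0x4000-byte window after the hit, keep only the first notification in that window (the plugin's content.split('/toast>')[0] + '/toast>') and parse out the displayed text. It also handles the case the plugin does not: when the closing tag lies beyond the read window the plugin appends a fabricated "/toast>" to a truncated document, whereas here such a hit is reported as truncated. The sample buffer, the window size and the helper names are this example's own.

```python
"""Carve toast-notification XML from a memory buffer (added example)."""
import re
import xml.etree.ElementTree as ET

WINDOW = 0x4000                             # bytes the plugin reads per hit
TOAST_OPEN = re.compile(rb"<toast[\s>]")    # start of a toast element
TOAST_CLOSE = b"/toast>"


def carve_toasts(buf, window=WINDOW):
    """Return [(offset, xml_bytes)] for each hit. xml_bytes is None when no
    closing tag falls inside the read window, i.e. the document is truncated."""
    carved = []
    for m in TOAST_OPEN.finditer(buf):
        chunk = buf[m.start(): m.start() + window]
        end = chunk.find(TOAST_CLOSE)
        if end < 0:
            carved.append((m.start(), None))
        else:
            # first notification only, same trimming as the plugin's generator()
            carved.append((m.start(), chunk[: end + len(TOAST_CLOSE)]))
    return carved


def toast_texts(xml_bytes):
    """Visible text lines of one toast document, or [] if it does not parse."""
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError:
        return []
    return [t.text.strip() for t in root.iter("text") if t.text]


# Constructed sample: two complete toasts separated by filler bytes and a
# third whose closing tag was cut off, as if it lay past the read window.
SAMPLE = (
    b"\x00" * 32
    + b'<toast launch="app-defined"><visual><binding template="ToastGeneric">'
    + b"<text>Meeting in 10 minutes</text><text>Room 4B</text></binding></visual></toast>"
    + b"\x00\xff" * 16
    + b'<toast><visual><binding template="ToastGeneric"><text>Backup finished</text>'
    + b"</binding></visual></toast>"
    + b"\x00" * 8
    + b"<toast><visual><binding><text>cut off by the read window"
)


def report(buf, window=WINDOW):
    """[(offset, texts)] per hit, mirroring the plugin's output rows;
    texts is None for a truncated document."""
    rows = []
    for offset, xml_bytes in carve_toasts(buf, window):
        rows.append((offset, None if xml_bytes is None else toast_texts(xml_bytes)))
    return rows


if __name__ == "__main__":
    for offset, texts in report(SAMPLE):
        print("0x%x: %s" % (offset, "TRUNCATED" if texts is None else " | ".join(texts)))
```

Running the block prints one row per hit; passing a smaller window (for example report(SAMPLE, window=40)) shows how a read size that is too small turns every hit into a truncated document, which is the situation worth checking for before trusting the carved XML.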
Hi, I'm trying to use the AFF4 plugin to run imageinfo on a memory image. I've tried with a few others I have and the result is the same.
python vol.py --plugins=/fullpath/community/AFF4 -f /fullpath/image.aff4 imageinfo
DEBUG: volatility.debug : Trying <class 'volatility.plugins.aff4.AFF4AddressSpace'>
DEBUG: volatility.debug : Failed instantiating (exception): 'PreStdLogicalImageContainer' object has no attribute 'image'
Result is no suggested profile, and No PAE.
Using pyaff4==0.27 as 0.33 fails to install. Installed all requirements that the plugin was complaining about initially. Are there any known good test images I can use to confirm it's not the image causing the problem?
Running inside python2.7 virtualenv.
I am running the Volatility Windows exe on a Windows 7 machine. Whenever I try matching multiple YARA rules against a memory dump file by running the following command:
>volatility_2.6_win64_standalone.exe -f GUESTWINDOWS-PC-20200131-113322.raw --profile=Win7SP1x64 yarascan -y "..\yara-rules\index.yar"
I get the following error:
Volatility Foundation Volatility Framework 2.6
Traceback (most recent call last):
  File "vol.py", line 192, in <module>
  File "vol.py", line 183, in main
  File "volatility\commands.py", line 147, in execute
  File "volatility\plugins\malware\malfind.py", line 342, in render_text
  File "volatility\plugins\malware\malfind.py", line 305, in calculate
  File "volatility\plugins\malware\malfind.py", line 246, in _scan_process_memory
  File "volatility\plugins\malware\malfind.py", line 142, in scan
  File "volatility\plugins\malware\malfind.py", line 110, in scan
yara.Error: internal error: 30
Failed to execute script vol
I am using default yara rules repository given here. If I use a yar file without any includes, volatility runs fine.
Please help me out with this issue.
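The report above notes that a rule file without includes runs fine while the index with includes fails. As an added example (not part of the community repository, yarascan or the yara-rules repository, and not a diagnosis of "internal error: 30"), the script below flattens an index file into one self-contained rule file that can be passed to yarascan -y. Includes are resolved relative to the including file, and each file is inlined once so a rule reached through two include paths is not defined twice. The demo rule files it writes to a temporary directory are constructed for this example.

```python
"""Flatten a YARA index file by inlining its include directives (added example)."""
import os
import re
import tempfile

INCLUDE_RE = re.compile(r'^\s*include\s+"([^"]+)"\s*$')


def flatten_yara(path, _seen=None):
    """Return the text of ``path`` with every include directive replaced by
    the (recursively flattened) content of the file it references."""
    seen = set() if _seen is None else _seen
    path = os.path.abspath(path)
    if path in seen:
        return ""                      # already inlined: skip duplicate definition
    seen.add(path)
    base = os.path.dirname(path)
    out = []
    with open(path, "r", encoding="utf-8") as fh:
        for line in fh:
            m = INCLUDE_RE.match(line)
            if m:
                target = os.path.join(base, m.group(1))   # relative to the including file
                out.append("// inlined from %s\n" % m.group(1))
                out.append(flatten_yara(target, seen))
            else:
                out.append(line)
    return "".join(out)


def rule_names(text):
    """Names of the rules defined in YARA source text."""
    return re.findall(r"^\s*(?:private\s+|global\s+)*rule\s+(\w+)", text, re.M)


def build_demo_rules():
    """Constructed index plus two rule files; rules/b.yar re-includes a.yar."""
    root = tempfile.mkdtemp(prefix="yara-demo-")
    files = {
        "index.yar": 'include "rules/a.yar"\ninclude "rules/b.yar"\n',
        "rules/a.yar": 'rule demo_a { strings: $s = "constructed-a" condition: $s }\n',
        "rules/b.yar": 'include "a.yar"\n'
                       'rule demo_b { strings: $s = "constructed-b" condition: $s }\n',
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return os.path.join(root, "index.yar")


if __name__ == "__main__":
    flat = flatten_yara(build_demo_rules())
    print(flat)
    print("rules defined:", rule_names(flat))
```

Write the returned text to a file and pass that file to yarascan -y; because every include has been resolved, the result does not depend on the working directory yarascan runs from.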
Hello everyone,
I couldn't find any "upstream" repo, so I created the issue here.
When trying to import this plugin, it gives an error:
*** Failed to import volatility.plugins.community.DimaPshoul.malthfind (ImportError: No module named callstacks)
Checking the code, it seems it tries to import a non-existent module:
import volatility.plugins.malware.callstacks as callstacks
I think @papadp wants to import his own callstacks module (callstacks.py in the same directory).
It seems that this line isn't valid with the latest version of haystack installed.
https://github.com/volatilityfoundation/community/blob/master/Lo%C3%AFcJaquemet/vol_haystack.py#L10
C:\Users\testaccount\distorm>python setup.py --verbose build
running build
running build_py
not copying python\distorm3_generated.py (output up-to-date)
not copying python\distorm3_init_.py (output up-to-date)
not copying python\distorm3_main_.py (output up-to-date)
running build_ext
Importing new compiler from distutils.msvc9compiler
building '_distorm3' extension
Calling 'vcvarsall.bat x86' (version=9.0)
C:\Users\testaccount\AppData\Local\Programs\Common\Microsoft\Visual C++ for Python\9.0\VC\Bin\cl.exe /c /nologo /Ox /MD /W3 /GS- /DNDEBUG -DSUPPORT_64BIT_OFFSET -DDISTORM_DYNAMIC -Isrc -Iinclude -IC:\Python27\include -IC:\Python27\PC /Tcsrc\decoder.c /Fobuild\temp.win32-2.7\Release\src\decoder.obj
decoder.c
C:\Users\testaccount\AppData\Local\Programs\Common\Microsoft\Visual C++ for Python\9.0\VC\Bin\cl.exe /c /nologo /Ox /MD /W3 /GS- /DNDEBUG -DSUPPORT_64BIT_OFFSET -DDISTORM_DYNAMIC -Isrc -Iinclude -IC:\Python27\include -IC:\Python27\PC /Tcsrc\distorm.c /Fobuild\temp.win32-2.7\Release\src\distorm.obj
distorm.c
src\distorm.c(320) : error C2143: syntax error : missing ';' before 'type'
src\distorm.c(321) : error C2275: '_OffsetType' : illegal use of this type as an expression
c:\users\testaccount\distorm\src../include/distorm.h(110) : see declaration of '_OffsetType'
src\distorm.c(321) : error C2146: syntax error : missing ';' before identifier 'offset'
src\distorm.c(321) : error C2065: 'offset' : undeclared identifier
src\distorm.c(321) : warning C4244: '=' : conversion from 'const _OffsetType' to 'int', possible loss of data
src\distorm.c(345) : error C2065: 'offset' : undeclared identifier
src\distorm.c(346) : error C2065: 'size' : undeclared identifier
error: command '"C:\Users\testaccount\AppData\Local\Programs\Common\Microsoft\Visual C++ for Python\9.0\VC\Bin\cl.exe"' failed with exit status 2
*** Failed to import volatility.plugins.community.YingLi.python_strings (ImportError: No module named YingLi.python_strings)
*** Failed to import volatility.plugins.community.StanislasLejay.linux.get_profile (ImportError: No module named linux.get_profile)
*** Failed to import volatility.plugins.community.YingLi.ssh_agent_key (ImportError: No module named YingLi.ssh_agent_key)
*** Failed to import volatility.plugins.community.DatQuoc.LinuxFirefox (ImportError: No module named DatQuoc.LinuxFirefox)
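The import failures listed here and in the earlier reports, and the "Object bitlocker has already been defined" exception from the OSX report, are both raised while Volatility loads a --plugins tree. The script below is an added example, not code from the community repository or from Volatility: it walks a plugin directory and reports, before vol.py is ever run, command classes whose lowercased names collide and import statements that cannot be resolved. It assumes (not from the page) that a command class is recognised by a base class whose name ends in "Command", and it follows the failure messages on this page in treating the plugin root as the package volatility.plugins, so a bare import of a sibling file does not resolve by itself. Run it inside the same Python environment as Volatility so installed modules resolve; the demo tree it constructs in a temporary directory avoids installed-only imports for that reason.

```python
"""Pre-flight lint for a Volatility 2 --plugins tree (added example)."""
import ast
import importlib.util
import os
import tempfile
from collections import defaultdict

PLUGIN_PACKAGE = "volatility.plugins."   # package the plugin root is exposed as (assumption)


def _plugin_files(root):
    """All .py files under root, excluding package __init__ files."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".py") and name != "__init__.py":
                yield os.path.join(dirpath, name)


def _base_name(node):
    """Last component of a base-class expression, e.g. common.AbstractWindowsCommand."""
    if isinstance(node, ast.Attribute):
        return node.attr
    if isinstance(node, ast.Name):
        return node.id
    return ""


def _imports(tree):
    """Module names used by top-level ``import x.y`` / ``from x.y import z``."""
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                yield alias.name
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            yield node.module


def _resolves(name, root):
    """True if the name addresses a file under the plugin root through the
    volatility.plugins package, or is importable in this environment."""
    if name.startswith(PLUGIN_PACKAGE):
        rel = os.path.join(root, *name[len(PLUGIN_PACKAGE):].split("."))
        if os.path.isfile(rel + ".py") or os.path.isdir(rel):
            return True
    try:
        return importlib.util.find_spec(name) is not None
    except (ImportError, ValueError):      # missing parent package, odd names
        return False


def lint_plugin_tree(root):
    """Return (duplicates, unresolved).
    duplicates: {lowercased class name: [files defining it]} for names seen twice
    unresolved: {file: [import names that do not resolve]}
    Paths are forward-slash relative to root."""
    by_name = defaultdict(list)
    unresolved = {}
    for path in _plugin_files(root):
        with open(path, "r", encoding="utf-8") as fh:
            tree = ast.parse(fh.read(), filename=path)
        rel = os.path.relpath(path, root).replace(os.sep, "/")
        for node in ast.walk(tree):
            if isinstance(node, ast.ClassDef) and any(
                    _base_name(b).endswith("Command") for b in node.bases):
                by_name[node.name.lower()].append(rel)   # registry compares lowercased
        missing = sorted({n for n in _imports(tree) if not _resolves(n, root)})
        if missing:
            unresolved[rel] = missing
    duplicates = {k: sorted(v) for k, v in by_name.items() if len(v) > 1}
    return duplicates, unresolved


def build_demo_tree():
    """Constructed plugin tree reproducing both failure modes from the issues."""
    root = tempfile.mkdtemp(prefix="volplugins-demo-")
    files = {
        "ThomasWhite/bitlocker.py":
            "class Bitlocker(AbstractWindowsCommand):\n    pass\n",
        "other/bitlocker_copy.py":      # second class with the same lowercased name
            "class bitlocker(AbstractWindowsCommand):\n    pass\n",
        "DimaPshoul/callstacks.py": "# helper module beside the plugin\n",
        "DimaPshoul/malthfind.py":
            "import os\n"
            "import callstacks\n"        # bare sibling import: does not resolve
            "import volatility.plugins.DimaPshoul.callstacks as cs\n"
            "class MalThFind(AbstractWindowsCommand):\n    pass\n",
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    dups, unres = lint_plugin_tree(build_demo_tree())
    for name, where in dups.items():
        print("duplicate command %r defined in: %s" % (name, ", ".join(where)))
    for rel, names in unres.items():
        print("%s: unresolved imports %s" % (rel, ", ".join(names)))
```

Pointing lint_plugin_tree at a real checkout shows which author directories would abort the whole run with a duplicate name and which plugins would be silently skipped, so the --plugins path can be narrowed to the plugins actually needed.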