
Official download page: https://www.volatilityfoundation/releases

Official Volatility 3 documentation: https://volatility3.readthedocs.io/en/latest/basics.html

Download

Note that there are two versions, and they are used differently.


The first time, I downloaded the Volatility 2.6 Windows Standalone Executable (x64).
Running Volatility.exe kept throwing errors,
so I deleted 2.6 without hesitation
and downloaded 3.0.

Version differences

Volatility 2 is invoked as follows:

volatility -f 'Windows 7-dde00fa9.vmem' imageinfo

Volatility 3 plugins

Below, python vol.py -h is used to see which plugins Volatility 3 ships with.
The plugins are only listed here; a separate article will introduce them.

plugin
    banners.Banners
    configwriter.ConfigWriter
    frameworkinfo.FrameworkInfo
    isfinfo.IsfInfo
    layerwriter.LayerWriter
    linux.bash.Bash
    linux.check_afinfo.Check_afinfo
    linux.check_creds.Check_creds
    linux.check_idt.Check_idt
    linux.check_modules.Check_modules
    linux.check_syscall.Check_syscall
    linux.elfs.Elfs
    linux.keyboard_notifiers.Keyboard_notifiers
    linux.lsmod.Lsmod
    linux.lsof.Lsof
    linux.malfind.Malfind
    linux.proc.Maps
    linux.pslist.PsList
    linux.pstree.PsTree
    linux.tty_check.tty_check
    mac.bash.Bash
    mac.check_syscall.Check_syscall
    mac.check_sysctl.Check_sysctl
    mac.check_trap_table.Check_trap_table
    mac.ifconfig.Ifconfig
    mac.kauth_listeners.Kauth_listeners
    mac.kauth_scopes.Kauth_scopes
    mac.kevents.Kevents
    mac.list_files.List_Files
    mac.lsmod.Lsmod
    mac.lsof.Lsof
    mac.malfind.Malfind
    mac.mount.Mount
    mac.netstat.Netstat
    mac.proc_maps.Maps
    mac.psaux.Psaux
    mac.pslist.PsList
    mac.pstree.PsTree
    mac.socket_filters.Socket_filters
    mac.timers.Timers
    mac.trustedbsd.Trustedbsd
    mac.vfsevents.VFSevents
    timeliner.Timeliner
    windows.bigpools.BigPools
    windows.cmdline.CmdLine
    windows.dlllist.DllList
    windows.driverirp.DriverIrp
    windows.driverscan.DriverScan
    windows.dumpfiles.DumpFiles
    windows.envars.Envars
    windows.filescan.FileScan
    windows.getservicesids.GetServiceSIDs
    windows.getsids.GetSIDs
    windows.handles.Handles
    windows.info.Info
    windows.malfind.Malfind
    windows.memmap.Memmap
    windows.modscan.ModScan
    windows.modules.Modules
    windows.mutantscan.MutantScan
    windows.netscan.NetScan
    windows.poolscanner.PoolScanner
    windows.privileges.Privs
    windows.pslist.PsList
    windows.psscan.PsScan
    windows.pstree.PsTree
    windows.registry.certificates.Certificates
    windows.registry.hivelist.HiveList
    windows.registry.hivescan.HiveScan
    windows.registry.printkey.PrintKey
    windows.registry.userassist.UserAssist
    windows.ssdt.SSDT
    windows.statistics.Statistics
    windows.strings.Strings
    windows.symlinkscan.SymlinkScan
    windows.vadinfo.VadInfo
    windows.verinfo.VerInfo
    windows.virtmap.VirtMap

The following plugins could not be loaded (use -vv to see why):
volatility3.plugins.windows.cachedump, volatility3.plugins.windows.callbacks,
volatility3.plugins.windows.hashdump, volatility3.plugins.windows.lsadump,
volatility3.plugins.windows.svcscan, volatility3.plugins.windows.vadyarascan,
volatility3.plugins.yarascan

Note the message at the bottom: some plugins could not be loaded.
Use -vv to see why.

python vol.py -vv

Volatility 3 Framework 1.0.0
INFO     root        : Volatility plugins path: ['D:\\Tools\\volatility3-1.0.0\\volatility3\\plugins', 'D:\\Tools\\volatility3-1.0.0\\volatility3\\framework\\plugins']
INFO     root        : Volatility symbols path: ['D:\\Tools\\volatility3-1.0.0\\volatility3\\symbols', 'D:\\Tools\\volatility3-1.0.0\\volatility3\\framework\\symbols']
INFO     volatility3.plugins.yarascan: Python Yara module not found, plugin (and dependent plugins) not available
DEBUG    volatility3.framework: No module named 'yara'
DEBUG    volatility3.framework: Failed to import module volatility3.plugins.yarascan based on file: yarascan
DEBUG    volatility3.framework: No module named 'Crypto'
DEBUG    volatility3.framework: Failed to import module volatility3.plugins.windows.cachedump based on file: windows\cachedump
INFO     volatility3.plugins.yarascan: Python Yara module not found, plugin (and dependent plugins) not available
DEBUG    volatility3.framework: No module named 'yara'
DEBUG    volatility3.framework: Failed to import module volatility3.plugins.windows.callbacks based on file: windows\callbacks
DEBUG    volatility3.framework: No module named 'Crypto'
DEBUG    volatility3.framework: Failed to import module volatility3.plugins.windows.hashdump based on file: windows\hashdump
DEBUG    volatility3.framework: No module named 'Crypto'
DEBUG    volatility3.framework: Failed to import module volatility3.plugins.windows.lsadump based on file: windows\lsadump
INFO     volatility3.plugins.yarascan: Python Yara module not found, plugin (and dependent plugins) not available
DEBUG    volatility3.framework: No module named 'yara'
DEBUG    volatility3.framework: Failed to import module volatility3.plugins.windows.svcscan based on file: windows\svcscan
INFO     volatility3.plugins.yarascan: Python Yara module not found, plugin (and dependent plugins) not available
DEBUG    volatility3.framework: No module named 'yara'
DEBUG    volatility3.framework: Failed to import module volatility3.plugins.windows.vadyarascan based on file: windows\vadyarascan
INFO     root        : The following plugins could not be loaded (use -vv to see why): volatility3.plugins.windows.cachedump, volatility3.plugins.windows.callbacks, volatility3.plugins.windows.hashdump, volatility3.plugins.windows.lsadump, volatility3.plugins.windows.svcscan, volatility3.plugins.windows.vadyarascan, volatility3.plugins.yarascan
usage: ....................
volatility: error: Please select a plugin to run

These messages say that some Python modules are missing,
so the next step is to install them.

Installing the dependencies


Then pip tells us it should be upgraded...
This is not nagging; the aim is to cover as many of the problems beginners may not know how to handle as possible.
Then install the modules.
After installing them, listing the plugins again produces an error.

Troubleshooting

These are the dependencies given in the official documentation,

and these are the modules we installed earlier.


Because the versions differ so much, I guessed that we had installed the wrong ones,
so first uninstall these two modules.

Check whether the module named on the official site, yara-python, exists;
it does.

Then run Volatility to test whether this is the module it requires.

Now it only reports that the Crypto module is missing.
(Uninstalling that module first was to control the variables.)
Next I chose to install the Crypto module.
It installed successfully, but Volatility still reports a missing module.
According to the official documentation it also needs the dependency capstone,
so let's try installing that.


This shows that this module is not the one we want.
Searching turned up another module called pycrypto;
however, installing it fails,
saying Microsoft C++ Build Tools is missing.


Next I used a Linux system to verify my guess:
the modules installed successfully and the missing-module message no longer appears.
Complaint: this is why I hate doing any programming on Windows.

Summary

Pitfall 1: it tells us the following two modules are missing,

but what we actually need to install are these two modules:
yara-python and pycrypto.
Pitfall 2: programming on Windows keeps running into all sorts of problems.
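To make the troubleshooting above repeatable, here is a small added helper script (written for this page; it is not code from the post or from the Volatility project) that reads the output of python vol.py -h or python vol.py -vv, pairs each "Failed to import module" line with the "No module named" line just before it, checks which of those imports the current interpreter can already resolve, and names the pip package to install. The import-name-to-package mapping is an assumption taken from this post (yara → yara-python, Crypto → pycrypto) plus the upstream requirements file, which lists pycryptodome as the provider of the Crypto package; the log lines embedded below are constructed copies of the output shown in this post.

```python
"""Map Volatility 3 'could not be loaded' plugins to the missing Python
imports and the pip packages that provide them.

Added example for this page; not Volatility's own code. The log text is
a constructed copy of the -h / -vv output shown in the post."""
import importlib.util
import re
from collections import OrderedDict

# Import name -> pip package. Assumption: yara/Crypto mappings come from
# this post; pycryptodome is the alternative Crypto provider listed in the
# upstream requirements.txt.
IMPORT_TO_PACKAGE = {
    "yara": "yara-python",
    "Crypto": "pycrypto (or pycryptodome, as in upstream requirements.txt)",
    "capstone": "capstone",
}

MISSING_RE = re.compile(r"No module named '([^']+)'")
FAILED_RE = re.compile(r"Failed to import module (\S+) based on file")
UNLOADED_MARK = "could not be loaded (use -vv to see why):"

# Constructed sample of 'python vol.py -h' output (no -vv): the plugin list
# is wrapped over several lines, so the parser must keep reading.
SAMPLE_H = """The following plugins could not be loaded (use -vv to see why):
volatility3.plugins.windows.cachedump, volatility3.plugins.windows.callbacks,
volatility3.plugins.windows.hashdump, volatility3.plugins.windows.lsadump,
volatility3.plugins.windows.svcscan, volatility3.plugins.windows.vadyarascan,
volatility3.plugins.yarascan
"""

# Constructed sample of 'python vol.py -vv' output (raw string: the
# Windows paths contain backslashes).
SAMPLE_VV = r"""INFO     volatility3.plugins.yarascan: Python Yara module not found, plugin (and dependent plugins) not available
DEBUG    volatility3.framework: No module named 'yara'
DEBUG    volatility3.framework: Failed to import module volatility3.plugins.yarascan based on file: yarascan
DEBUG    volatility3.framework: No module named 'Crypto'
DEBUG    volatility3.framework: Failed to import module volatility3.plugins.windows.cachedump based on file: windows\cachedump
DEBUG    volatility3.framework: No module named 'Crypto'
DEBUG    volatility3.framework: Failed to import module volatility3.plugins.windows.hashdump based on file: windows\hashdump
INFO     volatility3.plugins.yarascan: Python Yara module not found, plugin (and dependent plugins) not available
DEBUG    volatility3.framework: No module named 'yara'
DEBUG    volatility3.framework: Failed to import module volatility3.plugins.windows.svcscan based on file: windows\svcscan
INFO     root        : The following plugins could not be loaded (use -vv to see why): volatility3.plugins.windows.cachedump, volatility3.plugins.windows.hashdump, volatility3.plugins.windows.svcscan, volatility3.plugins.yarascan
usage: ....................
"""


def unloaded_plugins(text):
    """Plugin names from the summary line, which is printed even without -vv.
    Continuation lines (the wrapped -h form) start with 'volatility3.'."""
    names, collecting = [], False
    for line in text.splitlines():
        if UNLOADED_MARK in line:
            collecting = True
            line = line.split(UNLOADED_MARK, 1)[1]
        elif collecting and not line.lstrip().startswith("volatility3."):
            break
        elif not collecting:
            continue
        names.extend(n.strip() for n in line.split(",") if n.strip())
    return names


def parse_vv_log(text):
    """Return {plugin: missing top-level import} from -vv output. Each
    'No module named' DEBUG line is immediately followed by the 'Failed to
    import module' line for the plugin it broke, so pair them in order."""
    result, pending = OrderedDict(), None
    for line in text.splitlines():
        m = MISSING_RE.search(line)
        if m:
            pending = m.group(1).split(".")[0]
            continue
        m = FAILED_RE.search(line)
        if m and pending is not None:
            result[m.group(1)] = pending
            pending = None
    return result


def missing_packages(plugin_map, is_installed=None):
    """Pip packages still needed, skipping imports this interpreter already
    resolves. is_installed is injectable so the logic can be tested."""
    if is_installed is None:
        is_installed = lambda name: importlib.util.find_spec(name) is not None
    needed = OrderedDict()
    for mod in plugin_map.values():
        if not is_installed(mod):
            needed.setdefault(mod, IMPORT_TO_PACKAGE.get(mod, mod))
    return needed


if __name__ == "__main__":
    print("unloaded (from -h):", unloaded_plugins(SAMPLE_H))
    broken = parse_vv_log(SAMPLE_VV)
    for plugin, mod in broken.items():
        print(f"{plugin}: needs import '{mod}'")
    for mod, pkg in missing_packages(broken).items():
        print(f"install {pkg} to provide '{mod}'")
```

Run it against a real capture by replacing SAMPLE_VV with the saved output of python vol.py -vv; because the script probes the interpreter that runs it, invoke it with the same Python that runs vol.py, otherwise a package installed into a different interpreter will be reported as missing.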
