Official download page: https://www.volatilityfoundation/releases
Official Volatility 3 documentation: https://volatility3.readthedocs.io/en/latest/basics.html
Download
Be aware that there are two versions, and they are used differently.
The first time, I downloaded Volatility 2.6 Windows Standalone Executable (x64),
but running Volatility.exe kept throwing errors,
so I deleted 2.6 without hesitation
and downloaded 3.0.
Version differences
Volatility 3 is run through vol.py (as shown with -h below) and its plugin names are prefixed by operating system; the counterpart of imageinfo is windows.info.
Volatility 2, by contrast, is invoked as follows:
volatility -f 'Windows 7-dde00fa9.vmem' imageinfo
Volatility 3 plugin features
Next, run python vol.py -h to see which plugins Volatility 3 ships with.
The plugins are only listed briefly below; I plan to write a separate article introducing them.
plugin
banners.Banners
configwriter.ConfigWriter
frameworkinfo.FrameworkInfo
isfinfo.IsfInfo
layerwriter.LayerWriter
linux.bash.Bash
linux.check_afinfo.Check_afinfo
linux.check_creds.Check_creds
linux.check_idt.Check_idt
linux.check_modules.Check_modules
linux.check_syscall.Check_syscall
linux.elfs.Elfs
linux.keyboard_notifiers.Keyboard_notifiers
linux.lsmod.Lsmod
linux.lsof.Lsof
linux.malfind.Malfind
linux.proc.Maps
linux.pslist.PsList
linux.pstree.PsTree
linux.tty_check.tty_check
mac.bash.Bash
mac.check_syscall.Check_syscall
mac.check_sysctl.Check_sysctl
mac.check_trap_table.Check_trap_table
mac.ifconfig.Ifconfig
mac.kauth_listeners.Kauth_listeners
mac.kauth_scopes.Kauth_scopes
mac.kevents.Kevents
mac.list_files.List_Files
mac.lsmod.Lsmod
mac.lsof.Lsof
mac.malfind.Malfind
mac.mount.Mount
mac.netstat.Netstat
mac.proc_maps.Maps
mac.psaux.Psaux
mac.pslist.PsList
mac.pstree.PsTree
mac.socket_filters.Socket_filters
mac.timers.Timers
mac.trustedbsd.Trustedbsd
mac.vfsevents.VFSevents
timeliner.Timeliner
windows.bigpools.BigPools
windows.cmdline.CmdLine
windows.dlllist.DllList
windows.driverirp.DriverIrp
windows.driverscan.DriverScan
windows.dumpfiles.DumpFiles
windows.envars.Envars
windows.filescan.FileScan
windows.getservicesids.GetServiceSIDs
windows.getsids.GetSIDs
windows.handles.Handles
windows.info.Info
windows.malfind.Malfind
windows.memmap.Memmap
windows.modscan.ModScan
windows.modules.Modules
windows.mutantscan.MutantScan
windows.netscan.NetScan
windows.poolscanner.PoolScanner
windows.privileges.Privs
windows.pslist.PsList
windows.psscan.PsScan
windows.pstree.PsTree
windows.registry.certificates.Certificates
windows.registry.hivelist.HiveList
windows.registry.hivescan.HiveScan
windows.registry.printkey.PrintKey
windows.registry.userassist.UserAssist
windows.ssdt.SSDT
windows.statistics.Statistics
windows.strings.Strings
windows.symlinkscan.SymlinkScan
windows.vadinfo.VadInfo
windows.verinfo.VerInfo
windows.virtmap.VirtMap
The following plugins could not be loaded (use -vv to see why):
volatility3.plugins.windows.cachedump, volatility3.plugins.windows.callbacks,
volatility3.plugins.windows.hashdump, volatility3.plugins.windows.lsadump,
volatility3.plugins.windows.svcscan, volatility3.plugins.windows.vadyarascan,
volatility3.plugins.yarascan
Note the message at the very bottom: some plugins could not be loaded.
Use -vv to see why:
python vol.py -vv
Volatility 3 Framework 1.0.0
INFO root : Volatility plugins path: ['D:\\Tools\\volatility3-1.0.0\\volatility3\\plugins', 'D:\\Tools\\volatility3-1.0.0\\volatility3\\framework\\plugins']
INFO root : Volatility symbols path: ['D:\\Tools\\volatility3-1.0.0\\volatility3\\symbols', 'D:\\Tools\\volatility3-1.0.0\\volatility3\\framework\\symbols']
INFO volatility3.plugins.yarascan: Python Yara module not found, plugin (and dependent plugins) not available
DEBUG volatility3.framework: No module named 'yara'
DEBUG volatility3.framework: Failed to import module volatility3.plugins.yarascan based on file: yarascan
DEBUG volatility3.framework: No module named 'Crypto'
DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.cachedump based on file: windows\cachedump
INFO volatility3.plugins.yarascan: Python Yara module not found, plugin (and dependent plugins) not available
DEBUG volatility3.framework: No module named 'yara'
DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.callbacks based on file: windows\callbacks
DEBUG volatility3.framework: No module named 'Crypto'
DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.hashdump based on file: windows\hashdump
DEBUG volatility3.framework: No module named 'Crypto'
DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.lsadump based on file: windows\lsadump
INFO volatility3.plugins.yarascan: Python Yara module not found, plugin (and dependent plugins) not available
DEBUG volatility3.framework: No module named 'yara'
DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.svcscan based on file: windows\svcscan
INFO volatility3.plugins.yarascan: Python Yara module not found, plugin (and dependent plugins) not available
DEBUG volatility3.framework: No module named 'yara'
DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.vadyarascan based on file: windows\vadyarascan
INFO root : The following plugins could not be loaded (use -vv to see why): volatility3.plugins.windows.cachedump, volatility3.plugins.windows.callbacks, volatility3.plugins.windows.hashdump, volatility3.plugins.windows.lsadump, volatility3.plugins.windows.svcscan, volatility3.plugins.windows.vadyarascan, volatility3.plugins.yarascan
usage: ....................
volatility: error: Please select a plugin to run
These messages say that some Python modules are missing,
so the next step is to install them.
Installing dependencies
Then it told us that pip should be upgraded...
This is not nagging; I am trying to cover as many of the problems as possible that a beginner would not know how to handle.
Then install the modules again.
After installing the modules, listing the plugins again showed an error.
Finding the problem
This is the dependency list given by the official project,
whereas the modules we installed earlier
differ so much in version that we guessed we had installed the wrong ones.
First uninstall these two modules.
Try whether the module from the official list, yara-python, exists.
It does.
Then run volatility to test whether this is the module it requires.
Now it only tells us that the Crypto module is missing.
The reason for uninstalling that module first was to control the variables.
Next I chose to install the Crypto module.
The result: it installed successfully, but the missing-module message remained.
According to the official documentation it also needs a dependency called capstone,
so let's try installing that.
This shows that module is not the one we want.
Searching turned up another module called pycrypto,
but installing it failed with an error
saying that Microsoft C++ Build Tools is missing.
Next, I verify my guess on a Linux system:
the module installs successfully, and the missing-module message is gone.
Complaint: this is why I hate doing any kind of programming on Windows.
Summary
Pitfall 1: the -vv output says the modules yara and Crypto are missing, but those are Python import names,
and what actually has to be installed with pip are these two packages:
yara-python and pycrypto.
Pitfall 2: programming on Windows always runs into all kinds of problems.
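As an added example (not code from the original post or from the Volatility project), the following Python script automates the diagnosis described above: it parses the output of python vol.py -vv, maps every plugin that failed to import to the Python import name the framework could not find, checks which of those names are still unimportable in the current interpreter, and suggests the pip package for each. The import-name-to-package table is an assumption taken from this post's own findings (yara comes from yara-python, Crypto from pycrypto); the sample log is constructed from the -vv output shown earlier.

```python
"""Turn `python vol.py -vv` output into a list of missing pip packages.

Added example for this post; it is not part of Volatility 3.  SAMPLE_LOG is
constructed from the -vv output shown earlier in the post.
"""
import importlib
import re

SAMPLE_LOG = r"""
INFO     volatility3.plugins.yarascan: Python Yara module not found, plugin (and dependent plugins) not available
DEBUG    volatility3.framework: No module named 'yara'
DEBUG    volatility3.framework: Failed to import module volatility3.plugins.yarascan based on file: yarascan
DEBUG    volatility3.framework: No module named 'Crypto'
DEBUG    volatility3.framework: Failed to import module volatility3.plugins.windows.cachedump based on file: windows\cachedump
INFO     volatility3.plugins.yarascan: Python Yara module not found, plugin (and dependent plugins) not available
DEBUG    volatility3.framework: No module named 'yara'
DEBUG    volatility3.framework: Failed to import module volatility3.plugins.windows.callbacks based on file: windows\callbacks
DEBUG    volatility3.framework: No module named 'Crypto'
DEBUG    volatility3.framework: Failed to import module volatility3.plugins.windows.hashdump based on file: windows\hashdump
DEBUG    volatility3.framework: No module named 'Crypto'
DEBUG    volatility3.framework: Failed to import module volatility3.plugins.windows.lsadump based on file: windows\lsadump
INFO     volatility3.plugins.yarascan: Python Yara module not found, plugin (and dependent plugins) not available
DEBUG    volatility3.framework: No module named 'yara'
DEBUG    volatility3.framework: Failed to import module volatility3.plugins.windows.svcscan based on file: windows\svcscan
INFO     volatility3.plugins.yarascan: Python Yara module not found, plugin (and dependent plugins) not available
DEBUG    volatility3.framework: No module named 'yara'
DEBUG    volatility3.framework: Failed to import module volatility3.plugins.windows.vadyarascan based on file: windows\vadyarascan
"""

# Import name -> pip package.  Assumption taken from this post's findings: the
# framework reports the *import* name, which is not the pip package name.
PIP_PACKAGE = {
    "yara": "yara-python",
    "Crypto": "pycrypto",   # pycryptodome also provides the Crypto package
    "capstone": "capstone",
}

MISSING_RE = re.compile(r"No module named '([^']+)'")
FAILED_RE = re.compile(r"Failed to import module (\S+) based on file")


def missing_modules(log_text):
    """Map each missing import name to the plugins that failed because of it.

    The framework logs "No module named 'X'" and then, on a later line,
    "Failed to import module P", so we remember the last missing name and
    attribute the next failed plugin to it.
    """
    missing = {}
    last_missing = None
    for line in log_text.splitlines():
        m = MISSING_RE.search(line)
        if m:
            last_missing = m.group(1).split(".")[0]  # 'Crypto.Hash' -> 'Crypto'
            continue
        f = FAILED_RE.search(line)
        if f and last_missing:
            missing.setdefault(last_missing, set()).add(f.group(1))
            last_missing = None
    return {mod: sorted(plugins) for mod, plugins in missing.items()}


def installed(import_names):
    """Check which import names can actually be imported in this interpreter."""
    result = {}
    for name in import_names:
        try:
            importlib.import_module(name)
            result[name] = True
        except ImportError:
            result[name] = False
    return result


def pip_commands(missing):
    """Suggest one pip command per missing import name that is still absent."""
    absent = [m for m, ok in installed(missing).items() if not ok]
    return ["pip install " + PIP_PACKAGE.get(m, m) for m in sorted(absent)]


if __name__ == "__main__":
    found = missing_modules(SAMPLE_LOG)
    for mod, plugins in found.items():
        print(f"{mod}: blocks {len(plugins)} plugin(s): {', '.join(plugins)}")
    for cmd in pip_commands(found):
        print(cmd)
```

A successful import only shows that some package provides that name; the post's own experience (a package named yara that imported but still broke plugin loading) shows it need not be the one Volatility expects, so re-run python vol.py -vv after installing as the final check. On Windows, pycryptodome is the easier route to the Crypto import name because it ships prebuilt wheels and does not need Microsoft C++ Build Tools.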
Original title: 关于我在windows使用volatility取证这档事 (On my adventures using volatility for forensics on Windows). Source: http://www.freenas.com.cn/jishu/1716033777h663267.html