Volatility 3 2.4.0 Not Working! #2
Comments
Hi, hope you are doing well!!
To use it that way, vol3xp must be inside of the windows plugin directory.
Also if you want to execute it afterwards from other locations, you can (as
long as there is a copy of vol3xp in the windows plugins directory and you
run setup.py install afterwards as well).
Sorry for the inconvenience, we can do a Discord call if you like that or
need any explanation/assistance.
Anyway, feel free to reach out to me with any concern.
Have an awesome day!
…On Tue, Feb 21, 2023, 4:08 PM Leonardo van de Weteringh < ***@***.***> wrote:
PS C:\volatility\V3Exp> python3 .\volexp.py
Traceback (most recent call last):
  File "C:\volatility\V3Exp\volexp.py", line 16216, in <module>
    main()
  File "C:\volatility\V3Exp\volexp.py", line 16101, in main
    plugin = plugin_list[plugin_name]
             ~~~~~~~~~~~^^^^^^^^^^^^^
KeyError: 'windows.volexp.Vol3xp'
The plugin is not findable. Could you please fix this issue to make it
work?
~ LvdW
|
That did work. I had to put it in the C:\volatility\V3Exp\volatility3\plugins\windows folder and run python3 setup.py install
But now I have a question. Does this work as well when I build an .exe? I want to build the volatility.exe executable instead of having a lot of files.
Also Volatility 2 has issues as well, maybe you could look at that issue as well (I will post it on VolExp Repo for you. :)
~ LvdW
|
I never tried that actually.
I only talked about it a long time ago with ikelos..
Is it a normal compilation with py2exe, or is there some specific compiler for
Volatility?
|
You can simply compile Volatility by running pyinstaller .\vol.spec
I do not see the plugin in the folder unfortunately. Even if I run the above procedure. Maybe you can look at it as well?
~ LvdW
|
Let me take a look
|
Works for me as well. (I'm using Python 3.9)
What error are you getting?
|
Can you give me the exact steps you did towards running Vol3exp with an executable? I use python3.11, but that does not matter because it works with a normal .py. I am curious about this. |
Okay I have found out where to put the scripts to make it execute with the executable. There is only one problem in the code. When the config is saved it calls the non existing .py and since you have the .exe mapped as well to the commands the commands will fail resulting into a lot of garbage data. I will take a look at the script and see if I can get it to work. It would be much easier to directly implement it into the executable and then not having to look at it anymore except when you have a new version with additions or updates you can simply update Volatility and recompile. :) I will let you know if I get it to work. The same problem I think is with the Volatility 2 script. Once I have version 3 done and both working I will release the instructions for you to properly test it. ~ LvdW |
Hi
Thanks for your reply.
That's right, I haven't thought about the vol executable while developing this
plugin.
So except for the issue you mentioned, did you execute the plugin and view
the results? Was it helpful to you?
Have a nice weekend.
…On Wed, Feb 22, 2023, 2:19 PM Leonardo van de Weteringh < ***@***.***> wrote:
I have encountered the following things:
- There is no proper validation if the .exe is executed or the .py
- The sys.executable is a variable and checks the directory and executable that is running. This is why the .py is not recognized.
- I have removed the splash loading screen. It does not add anything. You could just add a print there to save up memory as it does not work properly with vol.exe compiled as an executable it seems that the code points to a non-existing command
Because you will call python3 first which is saved somewhere in a Windows folder. What you could do to make that code more clean is to replace the sys.executable with python3 so the CLI will handle it properly:
This can be changed by creating a validation above
    self.default_plugin = r'"{}" "{}" -p "{}" -f "{}" {}'.format(sys.executable, vol_path, plugins_path, file_path, plugin_name)
And appending the vol_path variable with python3 each time you try to run the plugin.
    'vol_path' == ('python3 '+ vol_path)
Besides that the rendering to csv does not work properly, thus I have changed into the self.default_plugin to add '-r csv' to the command so the output would be rendered to CSV. I do not know if this causes problems with dump files:
    self.default_plugin = r'"{}" -r csv -p "{}" -f "{}" {}'.format(sys.executable, plugins_path, file_path, plugin_name)
    self.default_plugin = r'"{}" -r csv -p "{}" -f "{}" {}'.format(vol_path, plugins_path, file_path, plugin_name)
and if the .py is used in the configuration file you must use your default regular script, but add -r csv to it.
This also means that the if not '-r csv' in self.default_plugin is needed anymore unless you encounter issues you can define this at the self.default plugin by validating the plugin_name if it correspond with a plugin that does not support the formatting properly by removing it with .replace
The same applies for your
    command = r'"{}" -p "{}" -f "{}" {}'.format(permanentdirectory, all_plugins[0], file_path, plugin_name)
and
    command_line = r'"{}" -f "{}" windows.volexp.WinObjGui --GET-DICT "{}"'.format(permanentdirectory, file_path, file_name)
I have used permanentdirectory for now which saves the sys.executable variable into a constant value.
I found this out by adding print ("number") to suspected commands within your code.
If you want I can send you an email with my Discord and send you the file I have tested with for Vol3xp.
Please let me know if you have questions. :)
~ LvdW
|
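One way to implement the .exe-versus-.py validation discussed above, as an added example that is not code from VolExp or Volatility: it relies on PyInstaller setting sys.frozen in a built executable, and builds the command as an argument list instead of a formatted string so paths with spaces need no manual quoting. The function names, the sample paths and out.json are assumptions made for illustration.

```python
import subprocess
import sys


def is_frozen():
    """True inside a PyInstaller build, which sets sys.frozen on the bundled app."""
    return bool(getattr(sys, "frozen", False))


def build_vol_command(file_path, plugin_name, plugins_path=None, vol_script=None,
                      executable=None, frozen=None, renderer="csv", extra_args=()):
    """Return the Volatility 3 command as an argv list for subprocess."""
    executable = executable or sys.executable
    frozen = is_frozen() if frozen is None else frozen
    if frozen:
        # sys.executable is vol.exe itself, so the options follow it directly.
        argv = [executable]
    else:
        # sys.executable is the Python interpreter, so the script comes next.
        if not vol_script:
            raise ValueError("vol_script is required when not running frozen")
        argv = [executable, vol_script]
    if renderer:
        argv += ["-r", renderer]
    if plugins_path:
        argv += ["-p", plugins_path]
    argv += ["-f", file_path, plugin_name, *extra_args]
    return argv


def run_plugin(argv, timeout=600):
    """Run without a shell so spaces or quotes in evidence paths stay literal."""
    return subprocess.run(argv, capture_output=True, text=True,
                          timeout=timeout, check=False)


# Constructed sample values, not paths from a real case.
IMAGE = r"C:\cases\mem dump.raw"
PLUGINS = r"C:\volatility\plugins"
FROZEN_CMD = build_vol_command(IMAGE, "windows.pslist.PsList", PLUGINS,
                               executable=r"C:\volatility\vol.exe", frozen=True)
SCRIPT_CMD = build_vol_command(IMAGE, "windows.volexp.WinObjGui", PLUGINS,
                               vol_script=r"C:\volatility\vol.py",
                               executable="python3", frozen=False,
                               renderer=None, extra_args=("--GET-DICT", "out.json"))

if __name__ == "__main__":
    print(FROZEN_CMD)
    print(SCRIPT_CMD)
```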
Yes I did. It seemed to work. I also created a standalone application variant that is able to work. As I said in order to make the plugin work with the .exe you have to modify some parts of the code. Especially when the .exe is run. For the python file you can just use the regular code. |
Awesome, hopefully that will help you find interesting things in the
future (BTW, don't forget to use the 4 different plugin-related screens in
correlation to find more interesting abnormalities)
|
PS C:\volatility\V3Exp> python3 .\volexp.py
Traceback (most recent call last):
  File "C:\volatility\V3Exp\volexp.py", line 16216, in <module>
    main()
  File "C:\volatility\V3Exp\volexp.py", line 16101, in main
    plugin = plugin_list[plugin_name]
             ~~~~~~~~~~~^^^^^^^^^^^^^
KeyError: 'windows.volexp.Vol3xp'
The plugin is not findable. Could you please fix this issue to make it work?
~ LvdW