Failed to import volatility.plugins.malware.apihooks (NameError: name 'distorm3' is not defined)
2016-06-07 15:24
3019 views
Reposted from: http://zambroid.blogspot.jp/2015/01/volatility-memory-dump-analysis.html
In this post I will share with you my first experiences working with Volatility 2.4.
For my first use I installed it on an OS X machine, and in this case I didn't have to install Python. Yes, you read correctly, Python, but I'll install it soon on other OSes to complete this post and give a complete installation and usage guide for everyone.
Volatility is a framework implemented in Python and it is used to extract digital artifacts from volatile memory.
With the latest version it supports Windows 8, 8.1, 2012 R2 and Mac OS X Mavericks (up to 10.9.4) memory dumps.
For any further information, have a look at the official Volatility web site: volatilityfoundation.org.
Now, let's start with the installation.
Installation
As I already mentioned, Python is required for volatility (2.6 or later, but not 3.0), so check that prerequisite:
# python -V
Now check that pycrypto package is installed:
# python
>>> help("modules")
In case your Python installation doesn't include pycrypto, install it as follows, after downloading it from www.dlitz.net:
# tar zxf pycrypto-2.6.1.tar.gz
# cd pycrypto-2.6.1
# sudo python setup.py build install
# python
>>> help("modules pycrypt")
Here is a list of matching modules. Enter any module name to get more help.
Crypto.SelfTest.Cipher.common - Self-testing for PyCrypto hash modules
Crypto.SelfTest.Hash.common - Self-testing for PyCrypto hash modules
Now download the Volatility 2.4 source code package for Mac from the official repository.
Open a shell and uncompress the package:
# tar zxf /tmp/volatility-2.4.tar.gz
The installation of the software is really simple, you only need to run one command:
# cd volatility-2.4
# sudo python setup.py build install
It will take some time to install; afterwards, check the installation with the following command:
# python vol.py --info
As you can see, the output contains the following errors:
# python vol.py --info
Volatility Foundation Volatility Framework 2.4
*** Failed to import volatility.plugins.ssdt (NameError: name 'distorm3' is not defined)
*** Failed to import volatility.plugins.mac.apihooks (ImportError: No module named distorm3)
*** Failed to import volatility.plugins.linux.apihooks (ImportError: No module named distorm3)
*** Failed to import volatility.plugins.malware.threads (NameError: name 'distorm3' is not defined)
*** Failed to import volatility.plugins.mac.apihooks_kernel (ImportError: No module named distorm3)
*** Failed to import volatility.plugins.malware.apihooks (NameError: name 'distorm3' is not defined)
*** Failed to import volatility.plugins.mac.check_syscall_shadow (ImportError: No module named distorm3)
So what is needed now is the distorm3 Python package (a disassembler library used by the hook-detection plugins). Download it, unpack it and install it:
# unzip distorm3-3.3.0.zip
# cd distorm3-3.3.0
# sudo python setup.py build install
Check again the installation:
# cd ../volatility-2.4
# python vol.py --info
Now Volatility is ready to be used.
Usage
Volatility is structured in profiles and plugins:
Profiles describe the OS (and version) the memory dump was taken from; you must specify one to analyse a dump.
Plugins are the real analysis tools. There are a lot of plugins for various operations.
Plugins and profiles can be downloaded and added to Volatility easily: just copy the needed files into the directories below.
Profiles are located in:
volatility-2.4/volatility/plugins/overlays/<OS>
Plugins are located in:
volatility-2.4/volatility/plugins/
Now that everything is ready, it is possible to analyse a memory dump with volatility:
# python vol.py --profile=<OS_profile> -f <MemoryDumpFile> <plugin>
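To make the installation check and the usage step above concrete, here is an added shell example (it is not code from the original post): it validates the `python -V` string against the 2.6-or-later-but-not-3.x requirement, parses `vol.py --info` output for the "Failed to import" lines shown earlier to name the missing modules, and runs a list of plugins against one dump, saving each plugin's output to its own file. The `PYTHON` and `VOL_DIR` variables, the `check_install`/`run_plugins` helper names, the `Win7SP1x64` profile, the `/cases/...` paths and the plugin names in the usage comment are my assumptions, not values from the post; the sample `--info` output is constructed from the errors shown above.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumed defaults: a `python`
# binary on PATH and vol.py in the current directory; override via environment.
: "${PYTHON:=python}"
: "${VOL_DIR:=.}"

# Decide whether a `python -V` string satisfies Volatility 2.4 (2.6 or later, not 3.x).
# Python 2 prints its version to stderr, so callers should pass "$(python -V 2>&1)".
python_version_ok() {
  major=$(printf '%s\n' "$1" | sed -n 's/^Python \([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1/p')
  minor=$(printf '%s\n' "$1" | sed -n 's/^Python \([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\2/p')
  [ -n "$major" ] && [ "$major" -eq 2 ] && [ "$minor" -ge 6 ]
}

# Count the plugins that `vol.py --info` refused to load (input on stdin).
# grep -c exits 1 when the count is 0, so force success to keep the number usable.
count_failed_plugins() {
  grep -c '^\*\*\* Failed to import' || true
}

# List the distinct Python modules blamed by the "Failed to import" lines (input on stdin).
# Handles both message forms seen above: "No module named X" and "name 'X' is not defined".
missing_modules() {
  grep '^\*\*\* Failed to import' | sed -n \
    -e "s/.*No module named \([A-Za-z0-9_.]*\).*/\1/p" \
    -e "s/.*name '\([A-Za-z0-9_]*\)' is not defined.*/\1/p" | sort -u
}

# Constructed sample of `vol.py --info` output, modelled on the errors shown in the post.
sample_vol_info() {
  cat <<'EOF'
Volatility Foundation Volatility Framework 2.4
*** Failed to import volatility.plugins.ssdt (NameError: name 'distorm3' is not defined)
*** Failed to import volatility.plugins.mac.apihooks (ImportError: No module named distorm3)
*** Failed to import volatility.plugins.malware.apihooks (NameError: name 'distorm3' is not defined)
EOF
}

# Run vol.py --info for real and report what is still missing.
# $1 = python binary, $2 = directory containing vol.py. Returns 1 if any plugin failed.
check_install() {
  out=$("$1" "$2/vol.py" --info 2>&1)
  n=$(printf '%s\n' "$out" | count_failed_plugins)
  if [ "$n" -gt 0 ]; then
    echo "$n plugin(s) failed to load; missing modules:" >&2
    printf '%s\n' "$out" | missing_modules >&2
    return 1
  fi
  echo "all plugins loaded"
}

# Thin wrapper around the command line shown in the post, kept separate so it can be
# swapped for a stub without touching the loop below.
vol_invoke() {
  "$PYTHON" "$VOL_DIR/vol.py" --profile="$1" -f "$2" "$3"
}

# Run several plugins against one dump, keeping each plugin's stdout and stderr in
# its own file so a failing plugin does not hide the others' results.
# $1 = profile, $2 = dump file, $3 = output directory, remaining args = plugin names.
run_plugins() {
  profile=$1; dump=$2; outdir=$3; shift 3
  mkdir -p "$outdir"
  for plugin in "$@"; do
    if vol_invoke "$profile" "$dump" "$plugin" > "$outdir/$plugin.txt" 2> "$outdir/$plugin.err"; then
      echo "ok   $plugin"
    else
      echo "FAIL $plugin (see $outdir/$plugin.err)"
    fi
  done
}

# Usage (assumed paths, profile and plugin names; edit before running):
#   PYTHON=python VOL_DIR=$HOME/volatility-2.4
#   python_version_ok "$($PYTHON -V 2>&1)" || echo "unsupported Python version"
#   check_install "$PYTHON" "$VOL_DIR"
#   run_plugins Win7SP1x64 /cases/mem.raw /cases/out pslist psscan dlllist malfind
```

The plugin loop writes stderr to a separate `.err` file per plugin, so when a plugin aborts (a wrong profile is the usual cause) the error is preserved next to the empty output instead of being lost in the terminal scrollback.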
The plugin list and descriptions can be found in the Volatility documentation.
Be patient, learn, share, and play with your memory dumps :-)