Failed to import volatility.plugins.malware.apihooks (NameError: name 'distorm3' is not defined)

转载地址：http://zambroid.blogspot.jp/2015/01/volatility-memory-dump-analysis.html

In this post I will share with you my first experiences working with Volatility 2.4.

As first use I installed it on a OS X machine, and in this case I hadn't to install Python. Yes, you read corectly, Python, but I'll install it soon on other OS to complete this post and give a complete installation and useage guide for everyone.

Volatility is a framework implemented in Python and it is used to extract digital artifacts from volatile memory.

With the latest version it supports Windows 8, 8.1, 2012 R2 and Mac OS X Mavericks (up to 10.9.4) memory dumps.

For any further information, you can have a look at official volatility web site: volatilityfoundation.org.

Now, let's start with the installation.

Installation

As I already mentioned, Python is required for volatility (2.6 or later, but not 3.0), so check that prerequisite:

    # python -V

Now check that pycrypto package is installed:

    # python  

    >>> help("modules")

In case your Python installation does't include pycrypto, install it as follows, after downloading it from www.dlitz.net:

    # tar zxf pycrypto-2.6.1.tar.gz

    # cd pycrypto-2.6.1 

    # sudo python setup.py build install

    # python

    >>> help("modules pycrypt")

    Here is a list of matching modules.  Enter any module name to get more help.

    

    Crypto.SelfTest.Cipher.common - Self-testing for PyCrypto hash modules

    Crypto.SelfTest.Hash.common - Self-testing for PyCrypto hash modules 

Now download the volatility source code package for Mac from the official repository with this link Volatility 2.4.

Open a shell and uncompress the package:

    # tar zxf /tmp/volatility-2.4.tar.gz

The installation of the software is really simple, you only need to run one command:

    # cd volatility-2.4

    # sudo python setup.py build install

It will take some time to install, and after check the installation with the following command:

    # python vol.py --info 

As you can see there is the following error:

    # python vol.py --info    Volatility Foundation Volatility Framework 2.4    *** Failed to import volatility.plugins.ssdt (NameError: name 'distorm3' is not defined)

    *** Failed to import volatility.plugins.mac.apihooks (ImportError: No module named distorm3)

    *** Failed to import volatility.plugins.linux.apihooks (ImportError: No module named distorm3)

    *** Failed to import volatility.plugins.malware.threads (NameError: name 'distorm3' is not defined)

    *** Failed to import volatility.plugins.mac.apihooks_kernel (ImportError: No module named distorm3)

    *** Failed to import volatility.plugins.malware.apihooks (NameError: name 'distorm3' is not defined)

    *** Failed to import volatility.plugins.mac.check_syscall_shadow (ImportError: No module named distorm3)

So, what is needed now is the distorm3 Python package (distorm3).

    # unzip distorm3-3.3.0.zip

    # cd distorm3-3.3.0

    # sudo python setup.py build install

Check again the installation:

    # cd ../distorm3-3.3.0

    # python vol.py --info

Now Volatility is ready to be used.

Usage

Volatility is structured in profiles and plugins:

Profiles are needed to analyse the memory dump. It is needed to specify from which OS the memory dump comes from

Plugins are the real analysis tools. There are a lot of plugins for various operations.

Plugins and profiles can be downloaded and added to volatility in an easy way: copy the needed files. 

Profiles are located in:

    volatility-2.4/volatility/plugins/overlays/<OS> 

Plugins are located in: 

    volatility-2.4/volatility/plugins/ 

Now that everything is ready, it is possible to analyse a memory dump with volatility:

    # python vol.py --profile=<OS_profile> -f <MemoryDumpFile> <plugin>  

The plugin list and description can be found
here.

Be patient, learn, share, and play with your memory dumps :-)