memoryforensics1 / Vol3xp

Volatility Explorer Suit

Volatility 3 2.4.0 Not Working! #2

Open asterictnl-lvdw opened 1 year ago

asterictnl-lvdw commented 1 year ago

```text
PS C:\volatility\V3Exp> python3 .\volexp.py
Traceback (most recent call last):
  File "C:\volatility\V3Exp\volexp.py", line 16216, in <module>
    main()
  File "C:\volatility\V3Exp\volexp.py", line 16101, in main
    plugin = plugin_list[plugin_name]
             ~~~~~~~~~~~^^^^^^^^^^^^^
KeyError: 'windows.volexp.Vol3xp'
```

The plugin is not findable. Could you please fix this issue to make it work?

~ LvdW
memoryforensics1 commented 1 year ago

Hi, hope you are doing well!!

To use it that way, vol3xp must be inside the windows plugin directory. Also, if you want to execute it afterwards from other locations, you can (as long as there is a copy of vol3xp in the windows plugins directory and you run setup.py install afterwards as well).

Sorry for the inconvenience; we can do a Discord call if you like or need any explanation/assistance.

Anyway, feel free to reach out to me with any concern.

Have an awesome day!

asterictnl-lvdw commented 1 year ago

> Hi, hope you are doing well!! To use it that way, vol3xp must be inside the windows plugin directory. Also, if you want to execute it afterwards from other locations, you can (as long as there is a copy of vol3xp in the windows plugins directory and you run setup.py install afterwards as well). Sorry for the inconvenience; we can do a Discord call if you like or need any explanation/assistance. Anyway, feel free to reach out to me with any concern. Have an awesome day!

That did work. I had to put it in the C:\volatility\V3Exp\volatility3\plugins\windows folder and run python3 setup.py install

But now I have a question. Does this work as well when I build an .exe? I want to build the volatility.exe executable instead of having a lot of files.

Also, Volatility 2 has issues as well; maybe you could look at that issue too (I will post it on the VolExp repo for you. :)

~ LvdW

memoryforensics1 commented 1 year ago

I never tried that, actually; I only talked about it a long time ago with ikelos.

Is it normal compilation with py2exe, or is there some specific compiler for Volatility?


asterictnl-lvdw commented 1 year ago

You can simply compile Volatility by running pyinstaller .\vol.spec

I do not see the plugin in the folder, unfortunately, even if I run the above procedure. Maybe you can look at it as well?

~ LvdW

memoryforensics1 commented 1 year ago

Let me take a look


memoryforensics1 commented 1 year ago

Works for me as well. (I'm using Python 3.9.) What error are you getting?


asterictnl-lvdw commented 1 year ago

Can you give me the exact steps you did towards running Vol3exp with an executable?

I use Python 3.11, but that does not matter, because it works with a normal .py.

I am curious about this.

asterictnl-lvdw commented 1 year ago

Okay, I have found out where to put the scripts to make it execute with the executable. There is only one problem in the code: when the config is saved, it calls the non-existing .py, and since you have the .exe mapped to the commands as well, the commands will fail, resulting in a lot of garbage data. I will take a look at the script and see if I can get it to work. It would be much easier to directly implement it into the executable and then not have to look at it anymore, except when you have a new version with additions or updates; then you can simply update Volatility and recompile. :)

I will let you know if I get it to work. I think the Volatility 2 script has the same problem. Once I have version 3 done and both working, I will release the instructions for you to properly test it.

~ LvdW

asterictnl-lvdw commented 1 year ago

I have encountered the following things:

  • There is no proper validation of whether the .exe or the .py is executed.
  • sys.executable is a variable and checks the directory and executable that is running. This is why the .py is not recognized.
  • I have removed the splash loading screen. It does not add anything; you could just add a print there to save memory, as it does not work properly with vol.exe compiled as an executable. It seems that the code points to a non-existing command, because you will call python3 first, which is saved somewhere in a Windows folder. What you could do to make that code cleaner is to replace the sys.executable with python3 so the CLI will handle it properly:

This can be changed by creating a validation above `self.default_plugin = r'"{}" "{}" -p "{}" -f "{}" {}'.format(sys.executable, vol_path, plugins_path, file_path, plugin_name)` and prefixing the vol_path variable with python3 each time you try to run the plugin: `vol_path = 'python3 ' + vol_path`.

Besides that, the rendering to CSV does not work properly, so I have changed self.default_plugin to add `-r csv` to the command so the output would be rendered to CSV. I do not know if this causes problems with dump files:

```python
self.default_plugin = r'"{}" -r csv -p "{}" -f "{}" {}'.format(sys.executable, plugins_path, file_path, plugin_name)
self.default_plugin = r'"{}" -r csv -p "{}" -f "{}" {}'.format(vol_path, plugins_path, file_path, plugin_name)
```

And if the .py is used in the configuration file, you must use your default regular script, but add `-r csv` to it.

This also means that the `if not '-r csv' in self.default_plugin` is not needed anymore, unless you encounter issues; you can define this at the self.default_plugin by validating whether the plugin_name corresponds to a plugin that does not support the formatting properly and removing it with `.replace`.

The same applies to your `command = r'"{}" -p "{}" -f "{}" {}'.format(permanentdirectory, all_plugins[0], file_path, plugin_name)` and `command_line = r'"{}" -f "{}" windows.volexp.WinObjGui --GET-DICT "{}"'.format(permanentdirectory, file_path, file_name)`.

I have used permanentdirectory for now, which saves the sys.executable variable into a constant value. I found this out by adding `print("number")` to suspected commands within your code.

If you want, I can send you an email with my Discord and send you the file I have tested with for Vol3xp.

Please let me know if you have questions. :)

~ LvdW

memoryforensics1 commented 1 year ago

Hi

Thanks for your reply. That's right, I hadn't thought about the vol executable while developing these plugins. So, apart from the issue you mentioned, did you execute the plugin and view the results? Was it helpful to you?

Have a nice weekend.
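The two failure modes discussed above (sys.executable pointing at vol.exe instead of python.exe once Volatility is frozen with PyInstaller, so that appending vol.py produces a command that runs nothing useful, and the bare KeyError in main() when a plugin is not registered) handled in one place, as an added example written for this page; it is not code from Vol3xp or Volatility 3. The function names, the `executable` override and the `csv_unsupported` hook are assumptions for illustration: the thread names no plugin that rejects `-r csv`, and the real vol.py builds its own argument parser rather than calling anything shown here.

```python
"""Build a Volatility 3 command line that works both from source and from a
PyInstaller-frozen vol.exe, and look up a plugin without a bare KeyError.

Added example for this issue thread; not code from Vol3xp or Volatility 3.
"""
import sys
from typing import Dict, FrozenSet, List, Optional


def is_frozen() -> bool:
    # PyInstaller (and py2exe) set sys.frozen on the bundled interpreter;
    # a normal CPython interpreter has no such attribute.
    return bool(getattr(sys, "frozen", False))


def launcher(vol_path: str, frozen: Optional[bool] = None,
             executable: Optional[str] = None) -> List[str]:
    """argv prefix that starts Volatility.

    From source, sys.executable is python.exe, so the prefix must be
    "python.exe vol.py". When frozen, sys.executable already *is* vol.exe,
    and appending vol.py would hand a non-existent script to vol.exe, which
    is the garbage-output failure described in the thread.
    `executable` is an override (assumption) so the function is testable.
    """
    frozen = is_frozen() if frozen is None else frozen
    exe = executable or sys.executable
    return [exe] if frozen else [exe, vol_path]


def build_command(vol_path: str, plugins_path: str, file_path: str,
                  plugin_name: str, frozen: Optional[bool] = None,
                  executable: Optional[str] = None, csv: bool = True,
                  csv_unsupported: FrozenSet[str] = frozenset()) -> List[str]:
    """Return argv for `vol -r csv -p <plugins> -f <image> <plugin>`.

    Returning a list (for subprocess.run without shell=True) instead of the
    quoted string used in the thread also sidesteps quoting problems with
    paths containing spaces or quotes. csv_unsupported is an assumed hook
    for plugins whose output does not render to CSV; the thread names none.
    """
    argv = launcher(vol_path, frozen, executable)
    if csv and plugin_name not in csv_unsupported:
        argv += ["-r", "csv"]
    argv += ["-p", plugins_path, "-f", file_path, plugin_name]
    return argv


def plugin_lookup_error(plugin_list: Dict[str, object],
                        plugin_name: str) -> Optional[str]:
    """None if plugin_name is registered, else a diagnostic message.

    Mirrors plugin_list[plugin_name] in vol.py's main(), but explains the
    likely cause (plugin file not under volatility3/plugins/windows, or
    setup.py install not re-run) and lists near-miss names.
    """
    if plugin_name in plugin_list:
        return None
    tail = plugin_name.rsplit(".", 1)[-1].lower()
    near = sorted(n for n in plugin_list if tail in n.lower())
    hint = f" Did you mean: {', '.join(near)}?" if near else ""
    return (f"Plugin {plugin_name!r} is not registered; is vol3xp copied into "
            f"volatility3/plugins/windows and was setup.py install re-run?{hint}")


def resolve_plugin(plugin_list: Dict[str, object], plugin_name: str):
    # Drop-in for `plugin = plugin_list[plugin_name]` with a readable exit.
    err = plugin_lookup_error(plugin_list, plugin_name)
    if err:
        raise SystemExit(err)
    return plugin_list[plugin_name]


if __name__ == "__main__":
    # Constructed sample paths: shows the source and frozen shapes side by side.
    for frozen in (False, True):
        print(build_command(r"C:\volatility\vol.py", r"C:\volatility\plugins",
                            r"C:\images\memory.raw", "windows.volexp.Vol3xp",
                            frozen=frozen))
    print(plugin_lookup_error({"windows.pslist.PsList": object()},
                              "windows.volexp.Vol3xp"))
```

Running the block from source prints a two-element launcher (python.exe plus vol.py) followed by the options; with `frozen=True` the launcher collapses to the single executable, which is the shape the patched `permanentdirectory` commands in the thread need. When the `-r csv` renderer has to be dropped for a particular plugin, pass its name in `csv_unsupported` instead of string-replacing it out of a finished command line.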

asterictnl-lvdw commented 1 year ago

Yes I did. It seemed to work. I also created a standalone application variant that is able to work. As I said in order to make the plugin work with the .exe you have to modify some parts of the code. Especially when the .exe is run. For the python file you can just use the regular code.

@memoryforensics1

memoryforensics1 commented 1 year ago

Awesome, hopefully that will help you find interesting things in the future (BTW, don't forget to use the 4 different plugin-related screens in correlation to find more interesting anomalies).
