Closed Arvandor closed 9 years ago
gleeda
commented
9 years ago hrmmm I'm not sure what the problem is, it should work if you've done what you said here. Out of curiosity, did you try just copying the autoruns.py file into /usr/share/volatility/volatility/plugins and just running it without specifying --profile ? like:
vol.py -f file --profile=profile autoruns ?oh wait, i see what the problem is, sorry! You have to specify --plugins= first! So you should type:
vol.py --plugins=/usr/share/volatility/contrib/plugins -f file --profile=profile
Arvandor
commented
9 years ago Aha, thank you, I figured it might be user error, but I couldn't find anything that would tell me so. Most people seem to load them into the main plugin folder so they just run it like a usual plugin without the switch. I actually don't have any folders in my volatility except contrib. There's no volatility, no plugins, nada. So I don't know where it's actually stored on Kali...
Now, however, when I try to run autoruns (not mimikatz, which is interesting,) I get this line
*\ Failed to import volatility.plugins.mimikatz (ImportError: No module named construct)
On Mon, Mar 16, 2015 at 3:51 PM, gleeda notifications@github.com wrote:
oh wait, i see what the problem is, sorry! You have to specify --plugins= first! So you should type:
vol.py --plugins=/usr/share/volatility/contrib/plugins -f file --profile=profile
— Reply to this email directly or view it on GitHub https://github.com/volatilityfoundation/community/issues/1#issuecomment-81957490 .
gleeda
commented
9 years ago Yes, you need to install the construct library. It's mentioned in the dependencies here http://blog.digital-forensics.it/2014/03/mimikatz-offline-addendum_28.html
you can find info about it here: https://pypi.python.org/pypi/construct
(Edited for note: the autoruns plugin is not the one failing, you are getting that failure because there's an issue with the mimikatz plugin since it can't import the missing library)
Arvandor
commented
9 years ago Duh, I feel pretty dumb. Thank you so much for your help! Mimikatz is working at least now, but autoruns is still giving me grief.
Volatility Foundation Volatility Framework 2.4
Traceback (most recent call last):
File "/usr/share/volatility/vol.py", line 192, in
On Mon, Mar 16, 2015 at 4:27 PM, gleeda notifications@github.com wrote:
Yes, you need to install the construct library. It's mentioned in the dependencies here http://blog.digital-forensics.it/2014/03/mimikatz-offline-addendum_28.html
you can find info about it here: https://pypi.python.org/pypi/construct
— Reply to this email directly or view it on GitHub https://github.com/volatilityfoundation/community/issues/1#issuecomment-81966549 .
gleeda
commented
9 years ago That's weird, I don't have that option and I just downloaded his plugin from github: https://github.com/tomchop/volatility-autoruns
Maybe you should redownload it and try again if you didn't get it from there. If you can't get it working, ask the author for help (you can add an issue on his github or he's pretty easy to catch on twitter https://twitter.com/tomchop_ ).
Arvandor
commented
9 years ago Alright, I'll play with it some more tomorrow =) Thanks again for all the help!
On Mon, Mar 16, 2015 at 4:45 PM, gleeda notifications@github.com wrote:
That's weird, I don't have that option and I just downloaded his plugin from github: https://github.com/tomchop/volatility-autoruns
Maybe you should redownload it and try again if you didn't get it from there. If you can't get it working, ask the author for help (you can add an issue on his github or he's pretty easy to catch on twitter https://twitter.com/tomchop_ ).
— Reply to this email directly or view it on GitHub https://github.com/volatilityfoundation/community/issues/1#issuecomment-81972012 .
gleeda
commented
9 years ago No problem! I'm going to close this issue out for now. Feel free to reopen as needed.
I recently heard about some very cool volatility plugins like autoruns and mimikatz, just to name a couple. On my Kali Linux machine I put these plugins into the /usr/share/volatility/contrib/plugins folder, and then have tried running the pulgins with vol.py -f file --profile=profile --plugins=contrib/plugins autoruns But it just gives me the line "You must specify something to do." I've tried listing the full path for --plugins=/usr/share/volatility/contrib/plugins. I've tried listing the .py in the plugin name (autoruns.py,) and I keep getting the same issue. I've googled around to see if I could find something about some Kali specific directory or oddity in the volatility install, but I haven't found any useful information. Any advice on what to try or what I'm doing wrong will be greatly appreciated! -Thanks