volatilityfoundation / volatility3

Volatility 3.0 development
http://volatilityfoundation.org/

Python 3.12 - IMP deprecated - hashdump plugin fails to load #1220

Open vikas891 opened 1 month ago

vikas891 commented 1 month ago

Describe the bug
Failed to import module volatility3.plugins.windows.lsadump based on file: /usr/local/lib/python3.12/dist-packages/volatility3-2.7.2-py3.12.egg/volatility3/framework/plugins/windows/lsadump.py

Context
Volatility Version: Volatility 3 Framework 2.7.2
Operating System: Windows 11 + WSL Ubuntu-24.04
Python Version: Python 3.12.3
Suspected Operating System:
Command: vol -vv

To Reproduce
Just the command

vol -vv

Expected behavior
It's failing to load the plugin volatility3.plugins.windows.hashdump because imp seems to be deprecated in the latest Python 3.12

ikelos commented 1 month ago

Thanks for your bug report, but you really haven't included enough information here to act upon it. We ask all people filing bugs to include the results of running vol.py -vvv with their normal plugin parameters. You're suggesting that volatility will fail immediately with python 3.12, but we're unable to recreate the problem you've encountered. You also mention imp, but lsadump doesn't import a module called imp, so it's very difficult to help you given the scant information you've provided.

vikas891 commented 1 month ago

Thanks for looking into this @ikelos - I should have included a set of error messages. I had reverted to 3.11 to solve the issue but I installed a brand new instance to replicate the error and here goes:

DEBUG volatility3.framework: Traceback (most recent call last):
  File "/usr/local/lib/python3.12/dist-packages/volatility3-2.7.2-py3.12.egg/volatility3/framework/__init__.py", line 185, in import_file
    importlib.import_module(module)
  File "/usr/lib/python3.12/importlib/__init__.py", line 90, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "<frozen importlib._bootstrap>", line 1387, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1360, in _find_and_load
  File "<frozen importlib._bootstrap>", line 1331, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 935, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 995, in exec_module
  File "<frozen importlib._bootstrap>", line 488, in _call_with_frames_removed
  File "/usr/local/lib/python3.12/dist-packages/volatility3-2.7.2-py3.12.egg/volatility3/framework/plugins/windows/hashdump.py", line 10, in <module>
    from Crypto.Cipher import AES, ARC4, DES
  File "/home/osboxes/.local/lib/python3.12/site-packages/Crypto/Cipher/__init__.py", line 78, in <module>
    from Crypto.Cipher._mode_ecb import _create_ecb_cipher
  File "/home/osboxes/.local/lib/python3.12/site-packages/Crypto/Cipher/_mode_ecb.py", line 29, in <module>
    from Crypto.Util._raw_api import (load_pycryptodome_raw_lib,
  File "/home/osboxes/.local/lib/python3.12/site-packages/Crypto/Util/_raw_api.py", line 31, in <module>
    import imp
ModuleNotFoundError: No module named 'imp'

vikas891 commented 1 month ago

Errors.txt

ikelos commented 1 month ago

Thanks, this appears to be an issue in the pycryptodome package:

  File "/home/osboxes/.local/lib/python3.12/site-packages/Crypto/Util/_raw_api.py", line 31, in <module>
    import imp
ModuleNotFoundError: No module named 'imp'

I'm also a little concerned that your python packages are spread across /usr/local/lib and /home/osboxes/.local/lib.

Pycryptodome is only required for certain Windows plugins (hashdump, lsadump, etc) so you should still be able to use volatility without it.

It seems the imp module was deprecated in python 3.11 and removed in 3.12 in favour of importlib, but it looks as though the version of pycryptodome on your system was from before they'd made the change. Please ensure you are using pycryptodome >3.4.7 (released 26 August 2017); the latest version is 3.20. Much older versions will not work under python 3.12.
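
A check for the failure diagnosed in this thread, as an added example (not code from Volatility or pycryptodome): it reports which file `Crypto` resolves from, the installed pycryptodome version, and which files in that package still import `imp`. The function names and the constructed sample tree in `demo()` are assumptions made for the illustration.

```python
import ast
import tempfile
from importlib import metadata, util
from pathlib import Path


def imports_imp(source: str) -> bool:
    """True if the source contains `import imp` or `from imp import ...`."""
    try:
        tree = ast.parse(source)
    except SyntaxError:
        return False  # not parseable by this interpreter; skip the file
    for node in ast.walk(tree):
        if isinstance(node, ast.Import) and any(a.name == "imp" for a in node.names):
            return True
        if isinstance(node, ast.ImportFrom) and node.module == "imp" and node.level == 0:
            return True
    return False


def find_imp_users(root: Path) -> list:
    """Relative paths of .py files under root that import the removed `imp` module."""
    return [p.relative_to(root).as_posix()
            for p in sorted(root.rglob("*.py"))
            if imports_imp(p.read_text(encoding="utf-8", errors="replace"))]


def describe_crypto() -> dict:
    """Where `Crypto` resolves from, its distribution version, and whether `imp` exists."""
    spec = util.find_spec("Crypto")
    try:
        version = metadata.version("pycryptodome")
    except metadata.PackageNotFoundError:
        version = None  # not installed, or installed under another distribution name
    return {"origin": spec.origin if spec else None, "version": version,
            "imp_available": util.find_spec("imp") is not None}


def demo() -> list:
    # Constructed sample tree standing in for an old Crypto/ package directory.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Util").mkdir()
        (root / "Util" / "_raw_api.py").write_text("import imp\n")
        (root / "Util" / "ok.py").write_text("import importlib\n")
        return find_imp_users(root)


if __name__ == "__main__":
    info = describe_crypto()
    print(info)
    if info["origin"]:  # scan the package directory that actually gets imported
        print(find_imp_users(Path(info["origin"]).parent))
```

Run it with the same interpreter that runs `vol`; an `origin` under a per-user site-packages directory alongside a system-wide install is the split-install situation raised above.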