volatilityfoundation / volatility3

Volatility 3.0 development
http://volatilityfoundation.org/

Several Plugins not loading on WIN10. #493

Closed RamlingBarba closed 3 years ago

RamlingBarba commented 3 years ago

I am a noob student running a project for the close of my semester. My installation fails to load the plugins I need to use. I have searched and tried numerous "fixes" to no avail. Below is the output for my -vv command. I have run several install commands for various pycrypto, yara, etc and can not get anywhere. Any help would be awesome.

```
C:\Users\missi\volatility3>python vol.py -vv
Volatility 3 Framework 1.0.1
INFO  volatility3.cli: Volatility plugins path: ['C:\Users\missi\volatility3\volatility3\plugins', 'C:\Users\missi\volatility3\volatility3\framework\plugins']
INFO  volatility3.cli: Volatility symbols path: ['C:\Users\missi\volatility3\volatility3\symbols', 'C:\Users\missi\volatility3\volatility3\framework\symbols']
INFO  volatility3.plugins.yarascan: Python Yara module not found, plugin (and dependent plugins) not available
DEBUG volatility3.framework: No module named 'yara'
DEBUG volatility3.framework: Failed to import module volatility3.plugins.yarascan based on file: yarascan
DEBUG volatility3.framework: No module named 'Crypto'
DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.cachedump based on file: windows\cachedump
INFO  volatility3.plugins.yarascan: Python Yara module not found, plugin (and dependent plugins) not available
DEBUG volatility3.framework: No module named 'yara'
DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.callbacks based on file: windows\callbacks
DEBUG volatility3.framework: No module named 'Crypto'
DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.hashdump based on file: windows\hashdump
DEBUG volatility3.framework: No module named 'Crypto'
DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.lsadump based on file: windows\lsadump
INFO  volatility3.plugins.yarascan: Python Yara module not found, plugin (and dependent plugins) not available
DEBUG volatility3.framework: No module named 'yara'
DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.svcscan based on file: windows\svcscan
INFO  volatility3.plugins.yarascan: Python Yara module not found, plugin (and dependent plugins) not available
DEBUG volatility3.framework: No module named 'yara'
DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.vadyarascan based on file: windows\vadyarascan
INFO  volatility3.cli: The following plugins could not be loaded (use -vv to see why): volatility3.plugins.windows.cachedump, volatility3.plugins.windows.callbacks, volatility3.plugins.windows.hashdump, volatility3.plugins.windows.lsadump, volatility3.plugins.windows.svcscan, volatility3.plugins.windows.vadyarascan, volatility3.plugins.yarascan
```

I ran pip install yara and those plugins no longer show as failed to load. I have tried pip install Crypto to satisfy the others. It runs but says the requirement is already satisfied. However, these plugins still fail to load...

volatility3.plugins.windows.cachedump, volatility3.plugins.windows.hashdump, volatility3.plugins.windows.lsadump

ikelos commented 3 years ago

Hiya, so for pycrypto, I think pycryptodome is the recommended package at the moment, but if you've installed other versions (such as PyCrypto) they may need uninstalling first. You can check whether the modules are available by simply running python and trying import yara or import Crypto and seeing if they return errors. If they do, those are the packages you need to look at getting working. I think sometimes Windows installers only install for certain versions of Python, if you have multiple versions installed, but these days I think pip might be the best route to go? So python -m pip install pycryptodome and python -m pip install yara-python. I'm using python directly rather than pip, to ensure the version of Python matches. After that you should be able to do import yara or import Crypto and it should show no errors or anything else. If all that works then volatility should work. Please let us know how you get on (or feel free to join us on slack if you'd like more interactive support: https://www.volatilityfoundation.org/slack)... 5:)

RamlingBarba commented 3 years ago

When I run python -m pip install pycryptodome or pip install Crypto the message says the requirement is already satisfied. I'm not sure what comes next.

ikelos commented 3 years ago

So then I'd suggest testing it by running python and then doing import Crypto or import yara. Depending on the responses you get back will tell you whether volatility can access those modules or not. Once we have the answer to that we can figure out what to test next to see why it's not working...

RamlingBarba commented 3 years ago

I think the yara issue is sorted. Those plugins no longer show in the failed-to-load list. The Crypto issue persists. Running import Crypto yields the following:

```
Python 3.8.6 (tags/v3.8.6:db45529, Sep 23 2020, 15:52:53) [MSC v.1927 64 bit (AMD64)] on win32
Type "help", "copyright", "credits" or "license" for more information.
>>> import Crypto
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
ModuleNotFoundError: No module named 'Crypto'
```

I apologize for my inexperience. I am in school to learn. I really appreciate the help.

RamlingBarba commented 3 years ago

I think I have started to fix my issue. I uninstalled everything and started over. I got the same error messages about the plugins not being loaded. I then went to C:\\AppData\Local\Programs\Python\Python38\Lib\site-packages\crypto and changed the "c" to upper case. That allowed the plugin to load. However, windows.hashdump.Hashdump still doesn't dump any hashes. I get the following output.

```
volatility3>python vol.py -f PC-20210604-213931.dmp windows.hashdump.Hashdump
Volatility 3 Framework 1.0.1
Progress:  100.00               PDB scanning finished
User    rid     lmhash  nthash
Traceback (most recent call last):
  File "vol.py", line 10, in <module>
    volatility3.cli.main()
  File "C:\Users\missi\volatility3\volatility3\cli\__init__.py", line 618, in main
    CommandLine().run()
  File "C:\Users\missi\volatility3\volatility3\cli\__init__.py", line 326, in run
    renderers[args.renderer]().render(constructed.run())
  File "C:\Users\missi\volatility3\volatility3\cli\text_renderer.py", line 178, in render
    grid.populate(visitor, outfd)
  File "C:\Users\missi\volatility3\volatility3\framework\renderers\__init__.py", line 211, in populate
    for (level, item) in self._generator:
  File "C:\Users\missi\volatility3\volatility3\framework\plugins\windows\hashdump.py", line 253, in _generator
    hbootkey = self.get_hbootkey(samhive, bootkey)
  File "C:\Users\missi\volatility3\volatility3\framework\plugins\windows\hashdump.py", line 105, in get_hbootkey
    sam_account_key = samhive.get_key(sam_account_path)
  File "C:\Users\missi\volatility3\volatility3\framework\layers\registry.py", line 157, in get_key
    raise KeyError("Key {} not found under {}".format(key_array[0], '\\'.join(found_key)))
KeyError: 'Key Domains not found under SAM'
```
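An added diagnostic (not part of this thread or of the volatility3 project) that automates the two checks discussed above: it tests whether `yara` and `Crypto` import in the current interpreter, maps the result onto the plugins listed in the `-vv` output earlier in this issue, and scans the import path for a package directory that matches only case-insensitively (the lowercase `crypto` folder reported in the previous comment). The plugin-to-module table is taken from this issue's log; the function names are my own.

```python
import importlib.util
import os
import sys
from typing import Dict, List, Optional

# Plugin -> Python module it needs, taken from the -vv output in this issue.
PLUGIN_DEPENDENCIES: Dict[str, str] = {
    "windows.cachedump": "Crypto",
    "windows.hashdump": "Crypto",
    "windows.lsadump": "Crypto",
    "yarascan": "yara",
    "windows.vadyarascan": "yara",
    "windows.callbacks": "yara",
    "windows.svcscan": "yara",
}


def module_available(name: str) -> bool:
    """True if `import name` would succeed for the interpreter running this script."""
    return importlib.util.find_spec(name) is not None


def unavailable_plugins(available: Dict[str, bool]) -> List[str]:
    """Plugins whose required module is reported missing in `available`."""
    return sorted(p for p, mod in PLUGIN_DEPENDENCIES.items() if not available.get(mod, False))


def find_case_mismatch(module: str, search_paths: List[str]) -> Optional[str]:
    """Return a directory that matches `module` only case-insensitively, else None.

    The import system compares directory names case-sensitively even on Windows
    (unless PYTHONCASEOK is set), so a "crypto" folder does not satisfy "import Crypto".
    """
    for base in search_paths:
        try:
            entries = os.listdir(base)
        except OSError:  # '' (cwd), zip files, or missing sys.path entries
            continue
        for entry in entries:
            if entry != module and entry.lower() == module.lower() and os.path.isdir(os.path.join(base, entry)):
                return os.path.join(base, entry)
    return None


def diagnose(search_paths: Optional[List[str]] = None) -> Dict[str, object]:
    """Summarise missing modules, the plugins they block, and likely case mismatches."""
    paths = sys.path if search_paths is None else search_paths
    available = {m: module_available(m) for m in set(PLUGIN_DEPENDENCIES.values())}
    mismatches = {m: find_case_mismatch(m, paths) for m, ok in available.items() if not ok}
    return {"available": available, "unavailable_plugins": unavailable_plugins(available),
            "case_mismatches": {m: p for m, p in mismatches.items() if p}}


if __name__ == "__main__":
    for key, value in diagnose().items():
        print(f"{key}: {value}")
```

Run it with the same `python` you use for `vol.py` so the check reflects the interpreter volatility3 actually loads under.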

ikelos commented 3 years ago

I'm glad you got your dependencies sorted (I'm surprised it installed with a lowercase c, but good spot!). As to the hash error, that's how the plugin lets you know that it couldn't succeed. The necessary keys couldn't be found in the registry in memory, I'm afraid. 5:S

RamlingBarba commented 3 years ago

Really? This is a designed question for this project. I get the same output for several of the Windows plugins (cachedump, lsadump etc.). Basically I can only get a pslist. Thank you so much for the help.

ikelos commented 3 years ago

That last particular error you mentioned ('Key Domains not found under SAM') is that plugin attempting to read a key in the registry called "Domains" which just isn't present in the sample (you can try using the printkey plugin to look around the registry and see if you can find it?). Sometimes the necessary components to get the hashes from memory simply aren't in memory, and there's not a great deal we can do about that unfortunately. If you think there may be a problem in the plugin, you can compare it to the volatility 2 plugins which have been around for several years, but I suspect they'll have the same issue. You could also try a different memory image to see if they give results (in which case, it's more likely the image that you're trying)...

ikelos commented 3 years ago

Hi there, hopefully we've improved error handling a bit in f873ced0. Please let us know if that's improved matters or not...

ikelos commented 3 years ago

No further response, so closing this issue. If there's more to add, feel free to reopen it...

itguruzcyber commented 1 year ago

I'm installing Volatility3 for a DFIR lab PC and getting this error. Would appreciate some insight on what it's telling me to do. It sounds like I need to change some files/inputs but I'm not sure where to make the changes and what CLI to use to repair/rerun the install.

```
PS C:\Users\Admin\Desktop\volatility3> python -m pip install yara-python
Collecting yara-python
  Using cached yara-python-4.2.3.tar.gz (457 kB)
  Preparing metadata (setup.py) ... done
Installing collected packages: yara-python
  DEPRECATION: yara-python is being installed using the legacy 'setup.py install' method, because it does not have a 'pyproject.toml' and the 'wheel' package is not installed. pip 23.1 will enforce this behaviour change. A possible replacement is to enable the '--use-pep517' option. Discussion can be found at https://github.com/pypa/pip/issues/8559
  Running setup.py install for yara-python ... error
  error: subprocess-exited-with-error

  × Running setup.py install for yara-python did not run successfully.
  │ exit code: 1
  ╰─> [8 lines of output]
      E:\Program Files\Python311\Lib\site-packages\setuptools\config\setupcfg.py:508: SetuptoolsDeprecationWarning: The license_file parameter is deprecated, use license_files instead.
        warnings.warn(msg, warning_class)
      running install
      E:\Program Files\Python311\Lib\site-packages\setuptools\command\install.py:34: SetuptoolsDeprecationWarning: setup.py install is deprecated. Use build and pip and other standards-based tools.
        warnings.warn(
      running build
      running build_ext
      error: Microsoft Visual C++ 14.0 or greater is required. Get it with "Microsoft C++ Build Tools": https://visualstudio.microsoft.com/visual-cpp-build-tools/
      [end of output]

  note: This error originates from a subprocess, and is likely not a problem with pip.
error: legacy-install-failure

× Encountered error while trying to install package.
╰─> yara-python

note: This is an issue with the package mentioned above, not pip.
hint: See above for output from the failure.
```

eve-mem commented 1 year ago

Hello, from the error message it looks like you need to install the C++ build tools from Microsoft:

```
error: Microsoft Visual C++ 14.0 or greater is required. Get it with "Microsoft C++ Build Tools": https://visualstudio.microsoft.com/visual-cpp-build-tools/
[end of output]
```