Volatility 3 2.4.0 Not Working!
asterictnl-lvdw opened this issue · 12 comments
PS C:\volatility\V3Exp> python3 .\volexp.py
Traceback (most recent call last):
File "C:\volatility\V3Exp\volexp.py", line 16216, in <module>
main()
File "C:\volatility\V3Exp\volexp.py", line 16101, in main
plugin = plugin_list[plugin_name]
~~~~~~~~~~~^^^^^^^^^^^^^
KeyError: 'windows.volexp.Vol3xp'
The plugin is not findable. Could you please fix this issue to make it work?
~ LvdW
Hi, hope you are doing well! To use it that way, vol3xp must be inside of the windows plugin directory. Also, if you want to execute it afterwards from other locations, you can (as long as there is a copy of vol3xp in the windows plugins directory and you run setup.py install afterwards as well). Sorry for the inconvenience; we can do a Discord call if you like or if you need any explanation/assistance. Anyway, feel free to reach out to me with any concern. Have an awesome day!
That did work. I had to put it in the C:\volatility\V3Exp\volatility3\plugins\windows folder and run python3 setup.py install
But now I have a question. Does this work as well when I build an .exe? I want to build the volatility.exe executable instead of having a lot of files.
Also, Volatility 2 has issues as well; maybe you could look at that issue too (I will post it on the VolExp repo for you. :)
~ LvdW
You can simply compile Volatility by running pyinstaller .\vol.spec
I do not see the plugin in the folder, unfortunately, even if I run the above procedure. Maybe you can look at it as well?
~ LvdW
Can you give me the exact steps you did towards running Vol3exp with an executable?
I use python3.11, but that does not matter because it works with a normal .py.
I am curious about this.
Okay, I have found out where to put the scripts to make it execute with the executable. There is only one problem in the code. When the config is saved, it calls the non-existing .py, and since you have the .exe mapped to the commands as well, the commands will fail, resulting in a lot of garbage data. I will take a look at the script and see if I can get it to work. It would be much easier to directly implement it into the executable and then not have to look at it anymore; when you have a new version with additions or updates, you can simply update Volatility and recompile. :)
I will let you know if I get it to work. I think the same problem exists with the Volatility 2 script. Once I have version 3 done and both working, I will release the instructions for you to properly test it.
~ LvdW
I have encountered the following things:
- There is no proper validation of whether the .exe or the .py is being executed.
- sys.executable is a variable and reflects the directory and executable that is running. This is why the .py is not recognized.
- I have removed the splash loading screen. It does not add anything. You could just add a print there to save memory, as it does not work properly with vol.exe compiled as an executable; it seems that the code points to a non-existing command, because you will call python3 first, which is saved somewhere in a Windows folder. What you could do to make that code cleaner is to replace sys.executable with python3 so the CLI will handle it properly:
This can be changed by creating a validation above 'self.default_plugin = r'"{}" "{}" -p "{}" -f "{}" {}'.format(sys.executable, vol_path, plugins_path, file_path, plugin_name)'
and adding python3 to the vol_path variable each time you try to run the plugin:
vol_path = 'python3 ' + vol_path
Besides that, the rendering to CSV does not work properly, thus I have changed self.default_plugin to add '-r csv' to the command so the output would be rendered to CSV. I do not know if this causes problems with dump files:
self.default_plugin = r'"{}" -r csv -p "{}" -f "{}" {}'.format(sys.executable, plugins_path, file_path, plugin_name)
self.default_plugin = r'"{}" -r csv -p "{}" -f "{}" {}'.format(vol_path, plugins_path, file_path, plugin_name)
and if the .py is used in the configuration file, you must use your default regular script, but add -r csv to it.
This also means that the 'if not '-r csv' in self.default_plugin' is not needed anymore, unless you encounter issues; in that case you can handle this at self.default_plugin by validating whether the plugin_name corresponds to a plugin that does not support the formatting properly, and removing it with .replace.
The same applies to your command = r'"{}" -p "{}" -f "{}" {}'.format(permanentdirectory, all_plugins[0], file_path, plugin_name)
and command_line = r'"{}" -f "{}" windows.volexp.WinObjGui --GET-DICT "{}"'.format(permanentdirectory, file_path, file_name)
I have used permanentdirectory for now, which saves the sys.executable variable into a constant value.
I found this out by adding print("number") to suspected commands within your code.
If you want I can send you an email with my Discord and send you the file I have tested with for Vol3xp.
Please let me know if you have questions. :)
~ LvdW
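One way to build the plugin command so that it works both under the interpreter and under a PyInstaller-built vol.exe, as an added example (not code from VolExp or Volatility): it checks the sys.frozen attribute that PyInstaller sets, so sys.executable is only used as a launcher when it really is a Python interpreter, and it passes the command as an argv list rather than a formatted string so dump paths with spaces or quotes survive intact. The vol_path, plugins_path and file_path values are placeholders.

```python
import subprocess
import sys


def running_as_frozen_exe(mod=sys):
    """True when PyInstaller bundled the program into vol.exe.

    PyInstaller sets sys.frozen inside the bundle; there sys.executable is
    the .exe itself, not a Python interpreter, so it must not be used to
    launch a .py script (that is what produced the failing commands above)."""
    return bool(getattr(mod, "frozen", False))


def build_plugin_command(vol_path, plugins_path, file_path, plugin_name,
                         frozen=None, python=sys.executable, render_csv=True,
                         extra_args=()):
    """Build the argv for one Volatility 3 plugin run as a list.

    vol_path is vol.py under the interpreter, or the compiled vol.exe when
    frozen; plugins_path is the directory holding vol3xp (placeholder names)."""
    if frozen is None:
        frozen = running_as_frozen_exe()
    argv = [str(vol_path)] if frozen else [python, str(vol_path)]
    if render_csv:
        argv += ["-r", "csv"]          # CSV renderer, as in the comment above
    argv += ["-p", str(plugins_path), "-f", str(file_path), plugin_name]
    argv += list(extra_args)          # e.g. ["--GET-DICT", file_name]
    return argv


def config_command_line(argv):
    """String form for saving in the config file; list2cmdline applies the
    Windows quoting rules, so arguments with spaces are quoted correctly."""
    return subprocess.list2cmdline(argv)


def run_plugin(argv, timeout=600):
    """Run the plugin without a shell and return (returncode, stdout_text)."""
    done = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    return done.returncode, done.stdout


if __name__ == "__main__":
    # Constructed sample paths; nothing is executed here, only printed.
    cmd = build_plugin_command(r"C:\volatility\vol.exe", r"C:\volatility\plugins",
                               r"C:\dumps\memory dump.raw", "windows.pslist",
                               frozen=True)
    print(config_command_line(cmd))
```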
Yes, I did. It seemed to work. I also created a standalone application variant that works. As I said, in order to make the plugin work with the .exe you have to modify some parts of the code, especially when the .exe is run. For the Python file you can just use the regular code.