How to use the plugin？

Question

How to use the plugin？

Closed this issue 10 months ago · 5 comments

wumingzhilian commented 10 months ago

Hello, I see that in your project, volatility supports the use of plugins, but I can't use mimikatz

sudo docker run --rm -v ~/Downloads/:/quzheng -it sk4la/volatility -f /quzheng/mem.raw --plugins=/usr/local/lib/volatility/contrib/plugins/ mimikatz

Volatility Foundation Volatility Framework 2.6.1
ERROR : volatility.debug : You must specify something to do (try -h)

Answer 1 · 2023-12-23T11:06:47.000Z

The community plugins included are those listed in the volatilityfoundation/community repository.

You can list all included plugins using the --help or --info flags (e.g. podman run sk4la/volatility:edge --plugins=/usr/local/lib/volatility/contrib/plugins --info). The loading order is non-deterministic and some plugins fail to load because of missing dependencies (some are just not on PyPI anymore) or because their design is not quite suitable for distribution, so you may need to run it multiple times for it to load the plugin you are looking for. I advise instead using each module individually in order to avoid loading dysfunctional plugins.

I am not sure which mimikatz plugin you are referring to, but for Francesco Picasso's plugin the image was indeed missing a dependency:

$ podman run --rm sk4la/volatility --plugins=/usr/local/lib/volatility/contrib/plugins/community/FrancescoPicasso
Volatility Foundation Volatility Framework 2.6.1
*** Failed to import volatility.plugins.mimikatz (ImportError: No module named construct)
ERROR   : volatility.debug    : You must specify something to do (try -h)

Although I have updated the build, the plugin still cannot seem to load:

$ podman run sk4la/volatility --plugins=/usr/local/lib/volatility/contrib/plugins/community/FrancescoPicasso
Volatility Foundation Volatility Framework 2.6.1
*** Failed to import volatility.plugins.mimikatz (AttributeError: 'module' object has no attribute 'ULInt32')
ERROR   : volatility.debug    : You must specify something to do (try -h)

Most of these plugins have been unmaintained for years so you may need to look into it if you want to get it to work.

Answer 2 · 2023-12-23T11:11:53.000Z

Thank you, I solved the problem, I need to specify the correct profile, and the correct order of parameters, then mimikatz can be used!

Answer 3 · 2023-12-24T08:52:49.000Z

Interesting, I still cannot load the plugin. It might be due to the specific Alpine Linux environment. Did you use the Docker image?

Answer 4 · 2023-12-24T11:29:12.000Z

Yes, I'm using a docker build.，im search from dockerhub,and. pull it

pip install construct==2.5.5-reupload --user
2.volatility --plugins=/usr/local/lib/volatility/contrib/plugins/community/FrancescoPicasso/ mimikatz --profile=Win7SP1x64 -f mem.raw

Next, you'll get the mimikatz results.

Answer 5 · 2023-12-24T15:29:59.000Z

The version I picked was too recent. I have just updated the build, it should work out of the box with the latest sk4la/volatility:edge image.

Thank you for the heads up!