
community's Introduction

community

Volatility plugins developed and maintained by the community. See the README file inside each author's subdirectory for a link to their respective GitHub profile page where you can find usage instructions, dependencies, license information, and future updates for the plugins.

usage

  1. Git clone the Volatility repository or Download a Release
  2. Git clone this repository to $PLUGINSPATH
  3. Pass the --plugins=$PLUGINSPATH option to Volatility when you run it (see Specifying Additional Plugin Directories)

NOTE: If you pass the root of the $PLUGINSPATH directory, all plugins are loaded recursively. Two plugins may then register the same command-line option, or the same command name (Volatility registers each command under the lowercased name of its plugin class, so two plugins that define a class with the same name cannot be loaded together), and loading fails with a conflict. If this happens, point --plugins at one or more specific subdirectories (: separated on Linux/Mac or ; separated on Windows).

disclaimer

These plugins are written by various authors and collected from the authors' GitHub repositories, websites and blogs at a particular point in time. We don't guarantee that the plugins you download from this repo will be the most recent ones published by the individual authors, that they're compatible with the most recent version of Volatility, or that they report results accurately.

contributing

The best way to contribute is to fork the repository, add or modify plugins, and then submit a pull request.

frameworks

Researchers and developers in the community have also created frameworks that build on top of Volatility. These aren't necessarily Volatility plugins (that you would import with --plugins) and usually they contain additional modules, configurations, and components. For that reason, we don't feature those frameworks in this repository, but we'd still like to reference them:

  • Autopsy Plugins by Mark McKinnon
  • PyREBox by Xabier Ugarte-Pedrero at Cisco Talos
  • Cuckoo Sandbox uses Volatility for its Memory module
  • VolDiff Malware Memory Footprint Analysis by @aim4r
  • Evolve Web interface for the Volatility Memory Forensics Framework by James Habben
  • GVol Lightweight GUI (Java) by EG-CERT
  • LibVMI Simplified Virtual Machine Introspection
  • DAMM Differential Analysis of Malware in Memory
  • YaraVol GUI for Volatility Framework and Yara
  • VolUtility Web Interface for Volatility by Kevin Breen
  • ROPMEMU A framework to analyze, dissect and decompile complex code-reuse attacks by Mariano Graziano
  • VolatilityBot An automated memory analyzer for malware samples and memory dumps by Martin Korman
  • ProfileScan Profile detection for Volatility by Stanislas Lejay (P1kachu)

Don't see your project here? Let us know by submitting a pull request, creating an issue, or tweet us at @volatility.

community's People

Contributors

atcuno, citronneur, datquoc93, emdel, gleeda, hiddenillusion, imhlv2, itaykr, p1kachu, patriknisen, ruben03, superponible, trolldbois, wroersma


community's Issues

How to get needles

In file community/DatQuoc/LinuxFirefox.py:

import volatility.utils as utils
import volatility.plugins.linux.common as linux_common


class Linux_FFHis(linux_common.AbstractLinuxCommand):
    """Listing History of FireFox Browser"""

    def __init__(self, config, *args, **kwargs):
        linux_common.AbstractLinuxCommand.__init__(self, config, *args, **kwargs)

    def calculate(self):
        # Scan the physical address space rather than a process's virtual one
        address_space = utils.load_as(self._config, astype='physical')
        row_avaiable = []
        # Byte patterns the plugin searches for in the physical address space
        needles = ['\x06\x25\x08', '\x06\x25\x09',
                   '\x00\x25\x08', '\x00\x25\x09']

In the code above, I have two questions.
(1) How is the value of the variable needles obtained?
(2) Does this string (needles) appear in memory when viewing Firefox history?

Import errors (missing __init__.py)

*** Failed to import volatility.plugins.community.YingLi.python_strings (ImportError: No module named YingLi.python_strings)
*** Failed to import volatility.plugins.community.StanislasLejay.linux.get_profile (ImportError: No module named linux.get_profile)
*** Failed to import volatility.plugins.community.YingLi.ssh_agent_key (ImportError: No module named YingLi.ssh_agent_key)
*** Failed to import volatility.plugins.community.DatQuoc.LinuxFirefox (ImportError: No module named DatQuoc.LinuxFirefox)

Third party plugins issue

I recently heard about some very cool Volatility plugins like autoruns and mimikatz, just to name a couple. On my Kali Linux machine I put these plugins into the /usr/share/volatility/contrib/plugins folder, and then have tried running the plugins with vol.py -f file --profile=profile --plugins=contrib/plugins autoruns
But it just gives me the line "You must specify something to do." I've tried listing the full path for --plugins=/usr/share/volatility/contrib/plugins. I've tried listing the .py in the plugin name (autoruns.py), and I keep getting the same issue. I've googled around to see if I could find something about some Kali-specific directory or oddity in the Volatility install, but I haven't found any useful information.
Any advice on what to try or what I'm doing wrong will be greatly appreciated!
Thanks

Unable to determine what went wrong during the dependency package distorm installation on Windows 10 host.

C:\Users\testaccount\distorm>python setup.py --verbose build
running build
running build_py
not copying python\distorm3_generated.py (output up-to-date)
not copying python\distorm3_init_.py (output up-to-date)
not copying python\distorm3_main_.py (output up-to-date)
running build_ext
Importing new compiler from distutils.msvc9compiler
building '_distorm3' extension
Calling 'vcvarsall.bat x86' (version=9.0)
C:\Users\testaccount\AppData\Local\Programs\Common\Microsoft\Visual C++ for Python\9.0\VC\Bin\cl.exe /c /nologo /Ox /MD /W3 /GS- /DNDEBUG -DSUPPORT_64BIT_OFFSET -DDISTORM_DYNAMIC -Isrc -Iinclude -IC:\Python27\include -IC:\Python27\PC /Tcsrc\decoder.c /Fobuild\temp.win32-2.7\Release\src\decoder.obj
decoder.c
C:\Users\testaccount\AppData\Local\Programs\Common\Microsoft\Visual C++ for Python\9.0\VC\Bin\cl.exe /c /nologo /Ox /MD /W3 /GS- /DNDEBUG -DSUPPORT_64BIT_OFFSET -DDISTORM_DYNAMIC -Isrc -Iinclude -IC:\Python27\include -IC:\Python27\PC /Tcsrc\distorm.c /Fobuild\temp.win32-2.7\Release\src\distorm.obj
distorm.c
src\distorm.c(320) : error C2143: syntax error : missing ';' before 'type'
src\distorm.c(321) : error C2275: '_OffsetType' : illegal use of this type as an expression
c:\users\testaccount\distorm\src../include/distorm.h(110) : see declaration of '_OffsetType'
src\distorm.c(321) : error C2146: syntax error : missing ';' before identifier 'offset'
src\distorm.c(321) : error C2065: 'offset' : undeclared identifier
src\distorm.c(321) : warning C4244: '=' : conversion from 'const _OffsetType' to 'int', possible loss of data
src\distorm.c(345) : error C2065: 'offset' : undeclared identifier
src\distorm.c(346) : error C2065: 'size' : undeclared identifier
error: command '"C:\Users\testaccount\AppData\Local\Programs\Common\Microsoft\Visual C++ for Python\9.0\VC\Bin\cl.exe"' failed with exit status 2

Error running the plugin

I ran this code (see below this line). The error I'm getting is:
No Module Named YARA

#!/usr/bin/env python
"""
Requires Yara-python to be installed
"""
authors = "Max de Bruijn , Rolf Govers"
department = "Forensics and Incident Response"
company = "Fox-IT B.V."
year = "2019"
version = "1.0"
status = "Final Volatility Plugin contest submission"

import volatility.plugins.common as common
import volatility.plugins.malware.malfind as malfind
import volatility.utils as utils
import volatility.win32 as win32
import volatility.debug as debug
from volatility.renderers import TreeGrid
from volatility.renderers.basic import Address

# Import yara only inside the guard: an unconditional `import yara` above it
# raises ImportError at plugin load time and makes the has_yara check unreachable.
try:
    import yara
    has_yara = True
except ImportError:
    has_yara = False


class toastPlugin(common.AbstractWindowsCommand):
    """Scan explorer.exe memory for <toast>...</toast> notification XML"""

    def generator(self, data):
        for proc, address, hit, content in data:
            # Keep only the first <toast>...</toast> element of the read window
            relevantContent = content.split('/toast>')[0] + '/toast>'
            yield (0, [Address(address), str(proc.ImageFileName), relevantContent])

    def unified_output(self, data):
        tree = [("Address", Address),
                ("ProcessName", str),
                ("ToastXML", str)]
        return TreeGrid(tree, self.generator(data))

    def calculate(self):
        if not has_yara:
            debug.error("Yara must be installed for this plugin")
        addr_space = utils.load_as(self._config)
        tasks = win32.tasks.pslist(addr_space)
        # Compile the rule once rather than once per matching process
        rules = yara.compile(sources={
            'n': r'rule toast {strings: $a=/<toast.*\/toast>/ condition: $a}'
        })
        for proc in tasks:
            if str(proc.ImageFileName) == "explorer.exe":
                scanner = malfind.VadYaraScanner(task=proc, rules=rules)
                for hit, address in scanner.scan(maxlen=0x40000000):
                    yield (proc, address, hit, scanner.address_space.zread(address, 0x4000))

Import error in DimaPshoul/malthfind.py

I couldn't find any "upstream" repo, so I create the issue here.

When trying to import this plugin, it gives an error:

*** Failed to import volatility.plugins.community.DimaPshoul.malthfind (ImportError: No module named callstacks)

Checking the code, it seems it tries to import a non-existent module:

import volatility.plugins.malware.callstacks as callstacks

I think @papadp wants to import his own callstacks module (callstacks.py in the same directory).

bitlocker already defined

Trying to run current volatility with community plugins on OSX and getting this error. Is it a conflict with one of the plugins?

Traceback (most recent call last):
  File "/usr/local/bin/vol.py", line 4, in <module>
    __import__('pkg_resources').run_script('volatility==2.6', 'vol.py')
  File "/usr/local/lib/python2.7/site-packages/pkg_resources/__init__.py", line 750, in run_script
    self.require(requires)[0].run_script(script_name, ns)
  File "/usr/local/lib/python2.7/site-packages/pkg_resources/__init__.py", line 1527, in run_script
    exec(code, namespace, namespace)
  File "/usr/local/lib/python2.7/site-packages/volatility-2.6-py2.7.egg/EGG-INFO/scripts/vol.py", line 192, in <module>
    main()
  File "/usr/local/lib/python2.7/site-packages/volatility-2.6-py2.7.egg/EGG-INFO/scripts/vol.py", line 162, in main
    cmds = registry.get_plugin_classes(commands.Command, lower = True)
  File "/usr/local/lib/python2.7/site-packages/volatility-2.6-py2.7.egg/volatility/registry.py", line 152, in get_plugin_classes
    raise Exception("Object {0} has already been defined by {1}".format(name, plugin))
Exception: Object bitlocker has already been defined by <class 'volatility.plugins.ThomasWhite.bitlocker.Bitlocker'>

Problem in Linux Profile

Hello everyone,

  • Friends, I'm facing one problem with Volatility version 2.6; can you people please help me.
    • The problem is: Volatility comes with default Windows profiles but there isn't any Linux profile. To resolve this problem there are already some prebuilt Linux profiles available at https://github.com/volatilityfoundation/profiles. I followed those instructions but still I'm not getting the profile in the profile list after running "python vol.py imageinfo -f /dump/victoria-v8.memdump.img".
  • I followed this solution but it does not work for me in Volatility version 2.6.

Vol Community plugs not working - DPAPIck

Hi
I am trying to get the modules used in SANS 508 to work on the latest SIFT/Volatility build, modules like malprocfind, processbl, etc. I understand that these are in the contrib and community builds and I have followed those instructions, but I keep getting errors, especially around:

vol.py -f test.raw --profile=Win7SP1x86 --plugins=contrib/plugins malprocfind
Volatility Foundation Volatility Framework 2.6
ERROR : volatility.debug : You must specify something to do (try -h)

also tried specifying specific folder :
vol.py --plugins=/usr/lib/python2.7/dist-packages/volatility/plugin-dir/community -- profile=Win7SP1x86 -f jofrey-vmimage.raw malprocfind
Volatility Foundation Volatility Framework 2.6
*** Failed to import volatility.plugins.MichaelBrown.analysis.create_test_db (ImportError: No module named analysis.create_test_db)
*** Failed to import volatility.plugins.FrankBlock.zsh (ImportError: No module named heap_analysis)
*** Failed to import volatility.plugins.JavierVallejo.symbolizemod (ImportError: No module named enumfunc)
ERROR : volatility.debug : Please install DPAPIck library: https://bitbucket.org/jmichel/dpapick

Various other hacks, but in all cases I get that DPAPIck failure:
ERROR : volatility.debug : Please install DPAPIck library: https://bitbucket.org/jmichel/dpapick

I have tried pip uninstall and reinstall dpapick, but no luck.

Can you please tell me how to get these modules working as they do in the SANS 508 VM build?

Thanks

convert to git submodules

If we convert the format to git submodules we won't have to update the repo every time someone updates their plugins

volatility plugin

When I'm trying to run the following command on Win 10:

volatility_2.6_win64_standalone.exe --plugins=myplugins --profile=Win10x64 -f 20170224.mem myplugin

I get this error:

Traceback (most recent call last):
  File "vol.py", line 192, in <module>
  File "vol.py", line 183, in main
  File "volatility\commands.py", line 147, in execute
  File "volatility\commands.py", line 282, in render_text
  File "volatility\commands.py", line 273, in _render
  File "volatility\commands.py", line 270, in unified_output
NotImplementedError: Rendering using the unified output format has not been implemented for this plugin.
Failed to execute script vol
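The README's note about conflicting plugins and three of the reports on this page (the `No module named ...` import errors, the `Object bitlocker has already been defined` exception, and the `NotImplementedError` just above) are all loader-level problems that can be caught before vol.py is run. The checker below is an added example written for this page; it is not code from the community repository or from Volatility. It walks a --plugins tree with Python's `ast` module and reports directories on the import path that lack `__init__.py`, command classes whose lowercased names collide (Volatility registers each command under the lowercased class name), and command classes that define neither `render_text` nor `unified_output`. Treating any class with a base whose name ends in `Command` as a plugin command is an assumption, and the `build_demo_tree` layout, its author directories and its file contents are constructed for the demonstration.

```python
"""Static pre-flight check for a Volatility 2 --plugins tree.

Added example for this page, not code from the community repository or from
Volatility. Assumption: a "command class" is any class with a base whose name
ends in "Command" (AbstractWindowsCommand, AbstractLinuxCommand, Command).
"""
import ast
import os
import tempfile

RENDER_METHODS = {"render_text", "unified_output"}


def _base_name(node):
    """'common.AbstractWindowsCommand' -> 'AbstractWindowsCommand'."""
    if isinstance(node, ast.Attribute):
        return node.attr
    return node.id if isinstance(node, ast.Name) else ""


def _command_classes(path):
    """Yield (class_name, has_renderer) for each command class in a .py file."""
    with open(path, "rb") as fh:
        source = fh.read()
    try:
        tree = ast.parse(source, filename=path)
    except SyntaxError:
        return  # Python-2-only syntax this interpreter cannot parse: skip, do not guess
    for node in ast.walk(tree):
        if isinstance(node, ast.ClassDef) and any(
                _base_name(b).endswith("Command") for b in node.bases):
            methods = {n.name for n in node.body if isinstance(n, ast.FunctionDef)}
            yield node.name, bool(methods & RENDER_METHODS)


def _missing_inits(root, dirpath):
    """Directories between root (exclusive) and dirpath (inclusive) lacking __init__.py."""
    missing, cur = [], dirpath
    while cur != root:
        if not os.path.isfile(os.path.join(cur, "__init__.py")):
            missing.append(os.path.relpath(cur, root).replace(os.sep, "/"))
        cur = os.path.dirname(cur)
    return missing


def check_plugin_tree(root):
    """Return sorted findings for the plugin tree at root; an empty list is clean."""
    root = os.path.abspath(root)
    findings = set()
    seen = {}  # lowercased command name -> file that registered it first
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic walk order
        plugin_files = sorted(f for f in filenames if f.endswith(".py") and f != "__init__.py")
        if plugin_files:  # a .py file here is imported by its root-relative dotted path
            for gap in _missing_inits(root, dirpath):
                findings.add("missing __init__.py: %s" % gap)
        for fname in plugin_files:
            path = os.path.join(dirpath, fname)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            for cls, has_renderer in _command_classes(path):
                cmd = cls.lower()  # Volatility keys commands by lowercased class name
                if cmd in seen:
                    findings.add("duplicate command '%s': %s and %s" % (cmd, seen[cmd], rel))
                else:
                    seen[cmd] = rel
                if not has_renderer:
                    findings.add("no render_text/unified_output in %s (%s)" % (cls, rel))
    return sorted(findings)


# Constructed plugin sources for the demo tree (they recover nothing).
_BITLOCKER = ("import volatility.plugins.common as common\n\n"
              "class Bitlocker(common.AbstractWindowsCommand):\n"
              "    def calculate(self):\n        return []\n"
              "    def render_text(self, outfd, data):\n        pass\n")
_NO_RENDER = ("import volatility.plugins.common as common\n\n"
              "class MyPlugin(common.AbstractWindowsCommand):\n"
              "    def calculate(self):\n        return []\n")
_LINUX_FF = ("import volatility.plugins.linux.common as linux_common\n\n"
             "class Linux_FFHis(linux_common.AbstractLinuxCommand):\n"
             "    def calculate(self):\n        return []\n"
             "    def render_text(self, outfd, data):\n        pass\n")


def build_demo_tree():
    """Write a constructed tree reproducing the three reports; return its path."""
    root = tempfile.mkdtemp(prefix="volplugins_")
    layout = {
        "ThomasWhite/__init__.py": "", "ThomasWhite/bitlocker.py": _BITLOCKER,
        "SecondAuthor/__init__.py": "", "SecondAuthor/bitlocker.py": _BITLOCKER,  # clash
        "DatQuoc/LinuxFirefox.py": _LINUX_FF,  # package directory without __init__.py
        "MyPlugins/__init__.py": "", "MyPlugins/myplugin.py": _NO_RENDER,  # no renderer
    }
    for rel, body in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for finding in check_plugin_tree(build_demo_tree()):
        print(finding)
```

Run the file directly to see the three findings against the constructed tree, or call `check_plugin_tree("/path/to/community")` on a real checkout before passing that path to --plugins; an empty list means the tree is clean by these three criteria. Plugins that subclass another plugin class rather than an Abstract*Command base are not inspected, and files with Python-2-only syntax are skipped rather than guessed at.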

error in attribute with construct module

When I import the mimikatz module in Python I receive this error:

File "mimikatz.py", line 183, in LsaDecryptor
construct.ULInt32('cbSecret'),
AttributeError: 'module' object has no attribute 'ULInt32'

Importing the construct module is OK,
but in the construct module the definition of unsigned 32-bit little-endian integer is "Int32ul" and not "ULInt32"!

Could you please correct this mistake in the definition of the object? I think the other ULInt** have the same error.

Thanks

PS: Python version is 2.7.6

Matching Multiple Yara Rules with Volatility

My Issue is:

I am running the Volatility Windows exe on a Windows 7 machine. Whenever I try matching multiple YARA rules against a memory dump file by running the following command:

>volatility_2.6_win64_standalone.exe -f GUESTWINDOWS-PC-20200131-113322.raw --profile=Win7SP1x64 yarascan -y "..\yara-rules\index.yar"

I get the following error:

Volatility Foundation Volatility Framework 2.6
Traceback (most recent call last):
  File "vol.py", line 192, in <module>
  File "vol.py", line 183, in main
  File "volatility\commands.py", line 147, in execute
  File "volatility\plugins\malware\malfind.py", line 342, in render_text
  File "volatility\plugins\malware\malfind.py", line 305, in calculate
  File "volatility\plugins\malware\malfind.py", line 246, in _scan_process_memory
  File "volatility\plugins\malware\malfind.py", line 142, in scan
  File "volatility\plugins\malware\malfind.py", line 110, in scan
yara.Error: internal error: 30
Failed to execute script vol

I am using default yara rules repository given here. If I use a yar file without any includes, volatility runs fine.

Please help me out with this issue.

AFF4 plugin not working 'PreStdLogicalImageContainer' object has no attribute 'image'

Hi, I'm trying to use the AFF4 plugin to run imageinfo on a memory image. I've tried with a few others I have and the result is the same.

python vol.py --plugins=/fullpath/community/AFF4 -f /fullpath/image.aff4 imageinfo

DEBUG: volatility.debug : Trying <class 'volatility.plugins.aff4.AFF4AddressSpace'>
DEBUG: volatility.debug : Failed instantiating (exception): 'PreStdLogicalImageContainer' object has no attribute 'image'

Result is no suggested profile, and No PAE.

Using pyaff4==0.27 as 0.33 fails to install. Installed all requirements that the plugin was complaining about initially. Are there any known good test images I can use to confirm it's not the image causing the problem?
Running inside python2.7 virtualenv.
