Third party plugins issue about community HOT 8 CLOSED

hrmmm I'm not sure what the problem is, it should work if you've done what you said here. Out of curiosity, did you try just copying the autoruns.py file into /usr/share/volatility/volatility/plugins and just running it without specifying --profile ? like:

vol.py -f file --profile=profile autoruns ?

from community.

oh wait, i see what the problem is, sorry! You have to specify --plugins= first! So you should type:

vol.py --plugins=/usr/share/volatility/contrib/plugins -f file --profile=profile

see https://github.com/volatilityfoundation/volatility/wiki/Volatility-Usage#specifying-additional-plugin-directories

from community.

Aha, thank you, I figured it might be user error, but I couldn't find
anything that would tell me so. Most people seem to load them into the main
plugin folder so they just run it like a usual plugin without the switch. I
actually don't have any folders in my volatility except contrib. There's no
volatility, no plugins, nada. So I don't know where it's actually stored on
Kali...

Now, however, when I try to run autoruns (not mimikatz, which is
interesting,) I get this line

*** Failed to import volatility.plugins.mimikatz (ImportError: No module
named construct)

On Mon, Mar 16, 2015 at 3:51 PM, gleeda [email protected] wrote:

oh wait, i see what the problem is, sorry! You have to specify --plugins=
first! So you should type:

vol.py --plugins=/usr/share/volatility/contrib/plugins -f file --profile=profile

see
https://github.com/volatilityfoundation/volatility/wiki/Volatility-Usage#specifying-additional-plugin-directories

—
Reply to this email directly or view it on GitHub
#1 (comment)
.

from community.

Yes, you need to install the construct library. It's mentioned in the dependencies here http://blog.digital-forensics.it/2014/03/mimikatz-offline-addendum_28.html

you can find info about it here: https://pypi.python.org/pypi/construct

(Edited for note: the autoruns plugin is not the one failing, you are getting that failure because there's an issue with the mimikatz plugin since it can't import the missing library)

from community.

Duh, I feel pretty dumb. Thank you so much for your help! Mimikatz is
working at least now, but autoruns is still giving me grief.

Volatility Foundation Volatility Framework 2.4
Traceback (most recent call last):
File "/usr/share/volatility/vol.py", line 192, in
main()
File "/usr/share/volatility/vol.py", line 174, in main
command = cmdsmodule
File "/usr/share/volatility/contrib/plugins/autoruns.py", line 133, in
init
hivelist.HiveList.init(self, config, _args, *_kwargs)
File "/usr/lib/python2.7/dist-packages/volatility/plugins/common.py",
line 50, in init
help = "Skip unallocated objects (e.g. 0xbad0b0b0)")
File "/usr/lib/python2.7/dist-packages/volatility/conf.py", line 363, in
add_option
self.optparser.add_option("-{0}".format(short_option),
"--{0}".format(option), **args)
File "/usr/lib/python2.7/optparse.py", line 1020, in add_option
self._check_conflict(option)
File "/usr/lib/python2.7/optparse.py", line 995, in _check_conflict
option)
optparse.OptionConflictError: option -W/--show-unallocated: conflicting
option string(s): -W

On Mon, Mar 16, 2015 at 4:27 PM, gleeda [email protected] wrote:

Yes, you need to install the construct library. It's mentioned in the
dependencies here
http://blog.digital-forensics.it/2014/03/mimikatz-offline-addendum_28.html

you can find info about it here: https://pypi.python.org/pypi/construct

—
Reply to this email directly or view it on GitHub
#1 (comment)
.

from community.

That's weird, I don't have that option and I just downloaded his plugin from github: https://github.com/tomchop/volatility-autoruns

Maybe you should redownload it and try again if you didn't get it from there. If you can't get it working, ask the author for help (you can add an issue on his github or he's pretty easy to catch on twitter https://twitter.com/tomchop_ ).

from community.

Alright, I'll play with it some more tomorrow =) Thanks again for all the
help!

On Mon, Mar 16, 2015 at 4:45 PM, gleeda [email protected] wrote:

That's weird, I don't have that option and I just downloaded his plugin
from github: https://github.com/tomchop/volatility-autoruns

Maybe you should redownload it and try again if you didn't get it from
there. If you can't get it working, ask the author for help (you can add an
issue on his github or he's pretty easy to catch on twitter
https://twitter.com/tomchop_ ).

—
Reply to this email directly or view it on GitHub
#1 (comment)
.

from community.

No problem! I'm going to close this issue out for now. Feel free to reopen as needed.

from community.