Third party plugins issue

[Arvandor]

I recently heard about some very cool volatility plugins like autoruns and mimikatz, just to name a couple. On my Kali Linux machine I put these plugins into the /usr/share/volatility/contrib/plugins folder, and then have tried running the pulgins with vol.py -f file --profile=profile --plugins=contrib/plugins autoruns
But it just gives me the line "You must specify something to do." I've tried listing the full path for --plugins=/usr/share/volatility/contrib/plugins. I've tried listing the .py in the plugin name (autoruns.py,) and I keep getting the same issue. I've googled around to see if I could find something about some Kali specific directory or oddity in the volatility install, but I haven't found any useful information.
Any advice on what to try or what I'm doing wrong will be greatly appreciated!
-Thanks

[gleeda]

hrmmm I'm not sure what the problem is, it should work if you've done what you said here. Out of curiosity, did you try just copying the autoruns.py file into /usr/share/volatility/volatility/plugins and just running it without specifying --profile ? like:

vol.py -f file --profile=profile autoruns ?

[gleeda]

oh wait, i see what the problem is, sorry! You have to specify --plugins= first! So you should type:

vol.py --plugins=/usr/share/volatility/contrib/plugins -f file --profile=profile

see https://github.com/volatilityfoundation/volatility/wiki/Volatility-Usage#specifying-additional-plugin-directories

[Arvandor]

Aha, thank you, I figured it might be user error, but I couldn't find
anything that would tell me so. Most people seem to load them into the main
plugin folder so they just run it like a usual plugin without the switch. I
actually don't have any folders in my volatility except contrib. There's no
volatility, no plugins, nada. So I don't know where it's actually stored on
Kali...

Now, however, when I try to run autoruns (not mimikatz, which is
interesting,) I get this line

*** Failed to import volatility.plugins.mimikatz (ImportError: No module
named construct)

On Mon, Mar 16, 2015 at 3:51 PM, gleeda notifications@github.com wrote:

oh wait, i see what the problem is, sorry! You have to specify --plugins=
first! So you should type:

vol.py --plugins=/usr/share/volatility/contrib/plugins -f file --profile=profile

see
https://github.com/volatilityfoundation/volatility/wiki/Volatility-Usage#specifying-additional-plugin-directories

—
Reply to this email directly or view it on GitHub
#1 (comment)
.

[gleeda]

Yes, you need to install the construct library. It's mentioned in the dependencies here http://blog.digital-forensics.it/2014/03/mimikatz-offline-addendum_28.html

you can find info about it here: https://pypi.python.org/pypi/construct

(Edited for note: the autoruns plugin is not the one failing, you are getting that failure because there's an issue with the mimikatz plugin since it can't import the missing library)

[Arvandor]

Duh, I feel pretty dumb. Thank you so much for your help! Mimikatz is
working at least now, but autoruns is still giving me grief.

Volatility Foundation Volatility Framework 2.4
Traceback (most recent call last):
File "/usr/share/volatility/vol.py", line 192, in
main()
File "/usr/share/volatility/vol.py", line 174, in main
command = cmdsmodule
File "/usr/share/volatility/contrib/plugins/autoruns.py", line 133, in
init
hivelist.HiveList.init(self, config, _args, *_kwargs)
File "/usr/lib/python2.7/dist-packages/volatility/plugins/common.py",
line 50, in init
help = "Skip unallocated objects (e.g. 0xbad0b0b0)")
File "/usr/lib/python2.7/dist-packages/volatility/conf.py", line 363, in
add_option
self.optparser.add_option("-{0}".format(short_option),
"--{0}".format(option), **args)
File "/usr/lib/python2.7/optparse.py", line 1020, in add_option
self._check_conflict(option)
File "/usr/lib/python2.7/optparse.py", line 995, in _check_conflict
option)
optparse.OptionConflictError: option -W/--show-unallocated: conflicting
option string(s): -W

On Mon, Mar 16, 2015 at 4:27 PM, gleeda notifications@github.com wrote:

Yes, you need to install the construct library. It's mentioned in the
dependencies here
http://blog.digital-forensics.it/2014/03/mimikatz-offline-addendum_28.html

you can find info about it here: https://pypi.python.org/pypi/construct

—
Reply to this email directly or view it on GitHub
#1 (comment)
.

[gleeda]

That's weird, I don't have that option and I just downloaded his plugin from github: https://github.com/tomchop/volatility-autoruns

Maybe you should redownload it and try again if you didn't get it from there. If you can't get it working, ask the author for help (you can add an issue on his github or he's pretty easy to catch on twitter https://twitter.com/tomchop_ ).

[Arvandor]

Alright, I'll play with it some more tomorrow =) Thanks again for all the
help!

On Mon, Mar 16, 2015 at 4:45 PM, gleeda notifications@github.com wrote:

That's weird, I don't have that option and I just downloaded his plugin
from github: https://github.com/tomchop/volatility-autoruns

Maybe you should redownload it and try again if you didn't get it from
there. If you can't get it working, ask the author for help (you can add an
issue on his github or he's pretty easy to catch on twitter
https://twitter.com/tomchop_ ).

—
Reply to this email directly or view it on GitHub
#1 (comment)
.

[gleeda]

No problem! I'm going to close this issue out for now. Feel free to reopen as needed.