Vol Community plugs not working - DPAPIck #27

Open
whiteknight21 opened this issue Apr 12, 2018 · 6 comments

Comments

@whiteknight21

Hi
I am trying to get the modules used in SANS 508 to work on the latest SIFT/Volatility build. Modules like malprocfind, processbl etc. I understand that these are in contrib and community builds and I have followed those instructions, but I keep getting errors, especially around:

vol.py -f test.raw --profile=Win7SP1x86 --plugins=contrib/plugins malprocfind
Volatility Foundation Volatility Framework 2.6
ERROR : volatility.debug : You must specify something to do (try -h)

also tried specifying specific folder :
vol.py --plugins=/usr/lib/python2.7/dist-packages/volatility/plugin-dir/community -- profile=Win7SP1x86 -f jofrey-vmimage.raw malprocfind
Volatility Foundation Volatility Framework 2.6
*** Failed to import volatility.plugins.MichaelBrown.analysis.create_test_db (ImportError: No module named analysis.create_test_db)
*** Failed to import volatility.plugins.FrankBlock.zsh (ImportError: No module named heap_analysis)
*** Failed to import volatility.plugins.JavierVallejo.symbolizemod (ImportError: No module named enumfunc)
ERROR : volatility.debug : Please install DPAPIck library: https://bitbucket.org/jmichel/dpapick

Various other hacks, but in all cases I get that DPAPIck failure:
ERROR : volatility.debug : Please install DPAPIck library: https://bitbucket.org/jmichel/dpapick

I have tried pip uninstall and reinstall dpapick - but no luck

Can you please tell me how to get these modules working as they do in the SANS 508 VM build?

Thanks

@gleeda
Member

gleeda commented Apr 13, 2018 via email

@whiteknight21
Author

Thanks for the response, but I am afraid that doesn't work:

$ vol.py —plugins=contrib/plugins -f test.raw --profile=Win7SP1x86 malprocfind
Volatility Foundation Volatility Framework 2.6
ERROR : volatility.debug : You must specify something to do (try -h)

@whiteknight21
Author

I seem to have solved the other problems, but I still can't get vol.py to run due to this error:

$ vol.py -h
Volatility Foundation Volatility Framework 2.6
ERROR : volatility.debug : Please install DPAPIck library: https://bitbucket.org/jmichel/dpapick

As you can see, the module is installed:

$ pip install dpapick
Requirement already satisfied: dpapick in /usr/local/lib/python2.7/dist-packages
Requirement already satisfied: pyasn1>=0.1.7 in /usr/local/lib/python2.7/dist-packages (from dpapick)
Requirement already satisfied: M2Crypto>=0.21.1 in /usr/local/lib/python2.7/dist-packages (from dpapick)
Requirement already satisfied: CFPropertyList in /usr/local/lib/python2.7/dist-packages (from dpapick)
Requirement already satisfied: python-registry>=1.0.4 in /usr/local/lib/python2.7/dist-packages (from dpapick)
Requirement already satisfied: typing in /usr/local/lib/python2.7/dist-packages (from M2Crypto>=0.21.1->dpapick)
Requirement already satisfied: enum34 in /usr/local/lib/python2.7/dist-packages (from python-registry>=1.0.4->dpapick)

@nov3mb3r

Same error here

@gleeda
Member

gleeda commented May 23, 2018

Just in case, make sure that dpapick is installed for the correct python:

$ cat $(which pip)
#!/usr/bin/python
...

Look at vol.py to see how it calls python:

$ grep python vol.py 
#!/usr/bin/env python
#  -*- mode: python; -*-
...

(or $ grep python $(which vol.py) because I'm not sure how they set this up on sift)

See if you get the same path as what you saw in pip earlier:

$ /usr/bin/env python -c "import sys; print sys.executable"
/usr/bin/python

You can also verify that dpapick is installed. Run python the same way and then try to import like the plugin does:

$ /usr/bin/env python
Python 2.7.14 (default, Mar 22 2018, 14:43:05) 
[GCC 4.2.1 Compatible Apple LLVM 9.0.0 (clang-900.0.39.2)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> from DPAPI.Core import *
>>>

If you don't have the library installed for that python you will see the following instead:

>>> from DPAPI.Core import *
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
ImportError: No module named DPAPI.Core
>>> 

So, one way to make sure that it gets installed for your version of python is to install it manually (without using pip), or you can change the first line of the pip script to point to the appropriate python binary.
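As an added example (not code from this thread or from Volatility), a small POSIX shell helper that automates the check described above: read the interpreter from a script's shebang line and try the import under that same interpreter, so a mismatch between the python that pip installed into and the python that vol.py runs with shows up directly. The names shebang_interpreter and check_import are my own.

```shell
# Added example, not from the thread. Assumes a script path (e.g. the path
# that "command -v vol.py" prints) and a module name (e.g. DPAPI.Core).

# Print the interpreter path named by a script's "#!" line.
# "#!/usr/bin/env python" is resolved through PATH, the way env does it.
shebang_interpreter() {
  first=$(head -n 1 "$1")
  case "$first" in
    '#!'*) ;;
    *) return 1 ;;            # no shebang line at all
  esac
  rest=${first#"#!"}
  set -- $rest                # split "interp [arg...]" into words
  if [ "${1##*/}" = "env" ]; then
    command -v "$2"           # first match on PATH, e.g. /usr/bin/python
  else
    printf '%s\n' "$1"        # absolute interpreter path as written
  fi
}

# check_import SCRIPT MODULE: succeed only if SCRIPT's interpreter can
# import MODULE. Example: check_import "$(command -v vol.py)" DPAPI.Core
check_import() {
  py=$(shebang_interpreter "$1") || {
    echo "cannot resolve interpreter for $1"
    return 2
  }
  if "$py" -c "import $2" >/dev/null 2>&1; then
    echo "ok: $py can import $2"
  else
    echo "missing: $py cannot import $2 (install it for that interpreter)"
    return 1
  fi
}
```

Compare the path it prints with the first line of `cat $(which pip)`; if they differ, pip installed dpapick for a different interpreter than the one vol.py runs under.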

@gleeda
Member

gleeda commented May 23, 2018

For this issue:

Thanks for the response, but I am afraid that doesn't work:

$ vol.py —plugins=contrib/plugins -f test.raw --profile=Win7SP1x86 malprocfind
Volatility Foundation Volatility Framework 2.6
ERROR : volatility.debug : You must specify something to do (try -h)

I'm not sure, but it might have happened if you copied and pasted my command. Notice that —plugins= looks different than --plugins=. Sometimes when you copy those modified dashes from pdfs, word docs, web pages etc., the commands don't work, because that combined double dash (—) is actually different than the regular double dash (--). Although it does seem like you managed to get past this issue, I thought I'd add that here in case someone else needs it.
