
*** Failed to import volatility.plugins #535

Closed
gohelravi99 opened this issue Jul 13, 2018 · 9 comments

@gohelravi99

I am getting this error after running Volatility.

Volatility Foundation Volatility Framework 2.6
*** Failed to import volatility.plugins.linux.malfind (AttributeError: /usr/lib/libyara.so: undefined symbol: lookup_rule)
*** Failed to import volatility.plugins.malware.timers (AttributeError: /usr/lib/libyara.so: undefined symbol: lookup_rule)
*** Failed to import volatility.plugins.overlays.windows.win8 (AttributeError: /usr/lib/libyara.so: undefined symbol: lookup_rule)
*** Failed to import volatility.plugins.drivermodule (AttributeError: /usr/lib/libyara.so: undefined symbol: lookup_rule)
*** Failed to import volatility.plugins.overlays.mac.mac (AttributeError: /usr/lib/libyara.so: undefined symbol: lookup_rule)
*** Failed to import volatility.plugins.overlays.windows.win8_kdbg (AttributeError: /usr/lib/libyara.so: undefined symbol: lookup_rule)
*** Failed to import volatility.plugins.timeliner (AttributeError: /usr/lib/libyara.so: undefined symbol: lookup_rule)
*** Failed to import volatility.plugins.malware.apihooks (AttributeError: /usr/lib/libyara.so: undefined symbol: lookup_rule)
*** Failed to import volatility.plugins.multiscan (AttributeError: /usr/lib/libyara.so: undefined symbol: lookup_rule)
*** Failed to import volatility.plugins.tcaudit (AttributeError: /usr/lib/libyara.so: undefined symbol: lookup_rule)
*** Failed to import volatility.plugins.dumpcerts (AttributeError: /usr/lib/libyara.so: undefined symbol: lookup_rule)
*** Failed to import volatility.plugins.malware.devicetree (AttributeError: /usr/lib/libyara.so: undefined symbol: lookup_rule)
*** Failed to import volatility.plugins.overlays.windows.win10 (AttributeError: /usr/lib/libyara.so: undefined symbol: lookup_rule)
*** Failed to import volatility.plugins.malware.threads (AttributeError: /usr/lib/libyara.so: undefined symbol: lookup_rule)
*** Failed to import volatility.plugins.malware.idt (AttributeError: /usr/lib/libyara.so: undefined symbol: lookup_rule)
*** Failed to import volatility.plugins.mac.mac_yarascan (AttributeError: /usr/lib/libyara.so: undefined symbol: lookup_rule)
*** Failed to import volatility.plugins.linux.netscan (AttributeError: /usr/lib/libyara.so: undefined symbol: lookup_rule)
*** Failed to import volatility.plugins.linux.linux_truecrypt (AttributeError: /usr/lib/libyara.so: undefined symbol: lookup_rule)
*** Failed to import volatility.plugins.malware.malfind (AttributeError: /usr/lib/libyara.so: undefined symbol: lookup_rule)
*** Failed to import volatility.plugins.ssdt (AttributeError: /usr/lib/libyara.so: undefined symbol: lookup_rule)
*** Failed to import volatility.plugins.mac.malfind (AttributeError: /usr/lib/libyara.so: undefined symbol: lookup_rule)
*** Failed to import volatility.plugins.malware.callbacks (AttributeError: /usr/lib/libyara.so: undefined symbol: lookup_rule)
*** Failed to import volatility.plugins.linux.linux_yarascan (AttributeError: /usr/lib/libyara.so: undefined symbol: lookup_rule)

@cpuu

cpuu commented Jul 16, 2018

sudo apt-get install yara

@cpuu

cpuu commented Jul 17, 2018

If you use Ubuntu, try these commands below.

$ sudo apt-get install git
$ git clone https://github.com/volatilityfoundation/volatility.git
$ cd volatility/
$ sudo python setup.py install
$ sudo apt-get install yara
$ sudo apt-get install python-pip
$ sudo -H pip install --upgrade pip
$ sudo -H pip install distorm3 pycrypto openpyxl Pillow

@mrpnkt

mrpnkt commented Jul 24, 2018

This worked for me on Kali:

ln -s /usr/local/lib/python2.7/dist-packages/usr/lib/libyara.so /usr/lib/libyara.so

@gleeda gleeda added the yara label Aug 21, 2018
@Kainpachi

Hi, thanks for the answers... All of the above commands worked for me except "sudo -H pip install distorm3 pycrypto openpyxl Pillow".

I'm getting this error:
/usr/local/lib/python2.7/dist-packages/pip/_vendor/requests/__init__.py:83: RequestsDependencyWarning: Old version of cryptography ([1, 2, 3]) may cause slowdown.
warnings.warn(warning, RequestsDependencyWarning)
Collecting distorm3
Using cached https://files.pythonhosted.org/packages/28/f9/8ff25a8f3edb581b5bc0efbed6382dcca22e5e7eff39464346c629105739/distorm3-3.3.4.zip
Requirement already satisfied: pycrypto in /usr/lib/python2.7/dist-packages (2.6.1)
Collecting openpyxl
Downloading https://files.pythonhosted.org/packages/04/18/64737cc6c5233e15374d21b4958a5600be52359e71063b4d4e7a604a1387/openpyxl-2.5.9.tar.gz (1.9MB)
100% |████████████████████████████████| 1.9MB 2.7MB/s
Requirement already satisfied: Pillow in /usr/lib/python2.7/dist-packages (3.1.2)
Collecting jdcal (from openpyxl)
Downloading https://files.pythonhosted.org/packages/a0/38/dcf83532480f25284f3ef13f8ed63e03c58a65c9d3ba2a6a894ed9497207/jdcal-1.4-py2.py3-none-any.whl
Collecting et_xmlfile (from openpyxl)
Downloading https://files.pythonhosted.org/packages/22/28/a99c42aea746e18382ad9fb36f64c1c1f04216f41797f2f0fa567da11388/et_xmlfile-1.0.1.tar.gz
Building wheels for collected packages: distorm3, openpyxl, et-xmlfile
Running setup.py bdist_wheel for distorm3 ... error
Complete output from command /usr/bin/python -u -c "import setuptools, tokenize;__file__='/tmp/pip-install-EGwkUD/distorm3/setup.py';f=getattr(tokenize, 'open', open)(__file__);code=f.read().replace('\r\n', '\n');f.close();exec(compile(code, __file__, 'exec'))" bdist_wheel -d /tmp/pip-wheel-mbWdWM --python-tag cp27:
running bdist_wheel
The [wheel] section is deprecated. Use [bdist_wheel] instead.
running build
running custom_build
running build_py
creating build
creating build/lib.linux-x86_64-2.7
creating build/lib.linux-x86_64-2.7/distorm3
copying python/distorm3/sample.py -> build/lib.linux-x86_64-2.7/distorm3
copying python/distorm3/__init__.py -> build/lib.linux-x86_64-2.7/distorm3
running build_clib
running custom_build_clib
building 'distorm3' library
creating build/temp.linux-x86_64-2.7
creating build/temp.linux-x86_64-2.7/src
x86_64-linux-gnu-gcc -pthread -DNDEBUG -g -fwrapv -O2 -Wall -Wstrict-prototypes -fno-strict-aliasing -Wdate-time -D_FORTIFY_SOURCE=2 -g -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Isrc -Iinclude -c src/instructions.c -o build/temp.linux-x86_64-2.7/src/instructions.o -fPIC -O2 -Wall -DSUPPORT_64BIT_OFFSET -DDISTORM_STATIC
In file included from src/instructions.h:15:0,
from src/instructions.c:12:
src/config.h:18:97: fatal error: string.h: No such file or directory
#include <string.h> /* memset, memcpy - can be easily self implemented for libc independency. */
^
compilation terminated.
error: command 'x86_64-linux-gnu-gcc' failed with exit status 1


Failed building wheel for distorm3
Running setup.py clean for distorm3
Running setup.py bdist_wheel for openpyxl ... done
Stored in directory: /root/.cache/pip/wheels/57/41/b9/3765af8bda4a8d4b6aaf4957d7214984c3332348713e85cf36
Running setup.py bdist_wheel for et-xmlfile ... done
Stored in directory: /root/.cache/pip/wheels/2a/77/35/0da0965a057698121fc7d8c5a7a9955cdbfb3cc4e2423cad39
Successfully built openpyxl et-xmlfile
Failed to build distorm3
Installing collected packages: distorm3, jdcal, et-xmlfile, openpyxl
Running setup.py install for distorm3 ... error
Complete output from command /usr/bin/python -u -c "import setuptools, tokenize;__file__='/tmp/pip-install-EGwkUD/distorm3/setup.py';f=getattr(tokenize, 'open', open)(__file__);code=f.read().replace('\r\n', '\n');f.close();exec(compile(code, __file__, 'exec'))" install --record /tmp/pip-record-zA15BI/install-record.txt --single-version-externally-managed --compile:
running install
running build
running custom_build
running build_py
creating build
creating build/lib.linux-x86_64-2.7
creating build/lib.linux-x86_64-2.7/distorm3
copying python/distorm3/sample.py -> build/lib.linux-x86_64-2.7/distorm3
copying python/distorm3/__init__.py -> build/lib.linux-x86_64-2.7/distorm3
running build_clib
running custom_build_clib
building 'distorm3' library
creating build/temp.linux-x86_64-2.7
creating build/temp.linux-x86_64-2.7/src
x86_64-linux-gnu-gcc -pthread -DNDEBUG -g -fwrapv -O2 -Wall -Wstrict-prototypes -fno-strict-aliasing -Wdate-time -D_FORTIFY_SOURCE=2 -g -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Isrc -Iinclude -c src/instructions.c -o build/temp.linux-x86_64-2.7/src/instructions.o -fPIC -O2 -Wall -DSUPPORT_64BIT_OFFSET -DDISTORM_STATIC
In file included from src/instructions.h:15:0,
from src/instructions.c:12:
src/config.h:18:97: fatal error: string.h: No such file or directory
#include <string.h> /* memset, memcpy - can be easily self implemented for libc independency. */
^
compilation terminated.
error: command 'x86_64-linux-gnu-gcc' failed with exit status 1

----------------------------------------

Command "/usr/bin/python -u -c "import setuptools, tokenize;__file__='/tmp/pip-install-EGwkUD/distorm3/setup.py';f=getattr(tokenize, 'open', open)(__file__);code=f.read().replace('\r\n', '\n');f.close();exec(compile(code, __file__, 'exec'))" install --record /tmp/pip-record-zA15BI/install-record.txt --single-version-externally-managed --compile" failed with error code 1 in /tmp/pip-install-EGwkUD/distorm3/

Please help. Thanks.

@themaddoctor

I am getting the same errors you are getting (/usr/lib64/libyara.so: undefined symbol: lookup_rule). I believe it is due to changes in libyara that have not found their way to volatility yet. I do not have a solution at this time.

@atcuno
Contributor

atcuno commented May 13, 2020

This issue seems to crop up from time to time depending on how you install Yara:

VirusTotal/yara#326

It's not really a Volatility issue, but hopefully that link will help.

@atcuno atcuno closed this as completed May 13, 2020
@Joelops

Joelops commented Jun 16, 2020

this worked for me on kali:
ln -s /usr/local/lib/python2.7/dist-packages/usr/lib/libyara.so /usr/lib/libyara.so

I am getting this error on my Kali: ln: failed to create symbolic link '/usr/lib/libyara.so': File exists
Please help me!

@blitztide

Libyara stopped exporting lookup_rule in version 2.0; python2 yara is linked to libyara version 1.6.
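The mismatch described in the comment above can be checked directly, because the old ctypes-based binding resolves symbols by name at import time, which is what produced the AttributeError lines in the original report. The following is an added example, not code from Volatility or yara-python; it assumes lookup_rule is the symbol the old binding resolves (as the error text says) and uses only the library paths that appear in this thread as candidates, none of which need exist on the machine running it:

```python
# Added example for this thread (not Volatility or yara-python code): probe a
# libyara.so for the symbol the old ctypes-based yara-python binding expects.
import ctypes
import ctypes.util
import os

OLD_ABI_SYMBOL = "lookup_rule"  # symbol named in the issue's AttributeError
CANDIDATE_PATHS = [             # paths that appear in this thread
    "/usr/lib/libyara.so",
    "/usr/lib64/libyara.so",
    "/usr/local/lib/python2.7/dist-packages/usr/lib/libyara.so",
]

def exports_symbol(path, symbol=OLD_ABI_SYMBOL):
    """True/False: loads and does/does not export symbol; None: cannot load."""
    try:
        lib = ctypes.CDLL(path)
    except OSError:
        return None
    try:
        getattr(lib, symbol)  # the very lookup that raised the issue's error
    except AttributeError:
        return False
    return True

def diagnose(path, symbol=OLD_ABI_SYMBOL):
    """Classify a build: libyara 1.x exported lookup_rule, >= 2.0 does not."""
    result = exports_symbol(path, symbol)
    if result is None:
        return "missing", "%s cannot be loaded (absent or dangling link)" % path
    if result:
        return "old-abi", "%s exports %s: pre-2.0 libyara" % (path, symbol)
    return "new-abi", "%s lacks %s: libyara >= 2.0, old binding fails" % (path, symbol)

def survey(paths=CANDIDATE_PATHS):
    """Per path: absent/file/symlink (a symlink explains the 'File exists'
    error above), its resolved target, and the diagnose() verdict."""
    report = []
    for p in paths:
        if not os.path.lexists(p):
            report.append((p, "absent", None, None))
        else:
            kind = "symlink" if os.path.islink(p) else "file"
            report.append((p, kind, os.path.realpath(p), diagnose(p)[0]))
    return report

def reference_library():
    """libc (lacks lookup_rule) as a sanity check; None probes the running process."""
    return ctypes.util.find_library("c")
```

Running survey() on an affected box shows which of the candidate files is a symlink and where it resolves, so a "File exists" failure from ln can be traced to the existing target before anything is replaced.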

@spicy-bear

Ran fresh and this is still happening.
