Very quick post, mostly notes for myself. When using Volatility 3 you might notice that some plugins cannot be loaded:
# ./vol.py -h
[...]
The following plugins could not be loaded (use -vv to see why): volatility.plugins.windows.cachedump, volatility.plugins.windows.callbacks, volatility.plugins.windows.hashdump,
volatility.plugins.windows.lsadump, volatility.plugins.windows.svcscan, volatility.plugins.windows.vadyarascan, volatility.plugins.windows.verinfo, volatility.plugins.yarascan
If you use -vv, you'll see a bunch of debug messages that are pretty clear, e.g. No module named 'yara'.

Seems simple enough, but I had to do just a bit of hunting. pip3 install yara caused errors; that's not the correct package. Turns out Volatility 3 is looking for yara-python. Instead of crypto, or even crypto-python, it wants pycrypto (of course). So then for pefile it must be pefile-python or pypefile, right? Nope, that one actually is pefile...
pip3 install yara-python
pip3 install pycrypto
pip3 install pefile
All plugins should load now. Enjoy.
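As an added example (not part of the original post), a small script that checks which of the import names behind those plugins are actually importable and prints the pip3 command for the missing ones, using the import-name to package-name mapping described above. The import name Crypto is assumed here as the module that pycrypto provides.

```python
"""Report which Python modules Volatility 3's optional plugins need but
cannot import, and the pip package that provides each missing one.

Added example, not part of the original post. The import-name to
pip-package mapping follows the post: 'yara' -> yara-python,
'Crypto' -> pycrypto, 'pefile' -> pefile. The import name 'Crypto'
is an assumption about the module pycrypto installs.
"""
import importlib.util
from typing import Dict, List

# Name as Volatility imports it -> name pip knows it by (they differ!).
PIP_PACKAGE_FOR_MODULE: Dict[str, str] = {
    "yara": "yara-python",
    "Crypto": "pycrypto",
    "pefile": "pefile",
}


def pip_package_for(module_name: str) -> str:
    """Return the pip package providing module_name, defaulting to the
    module name itself when the two coincide (as with pefile)."""
    return PIP_PACKAGE_FOR_MODULE.get(module_name, module_name)


def missing_modules(module_names: List[str]) -> List[str]:
    """Return the subset of module_names that cannot be imported.
    find_spec only locates the module; nothing is actually imported."""
    return [m for m in module_names if importlib.util.find_spec(m) is None]


def pip_install_command(module_names: List[str]) -> str:
    """Build one pip3 command installing every missing module's package.
    Returns an empty string when nothing is missing."""
    packages = sorted({pip_package_for(m) for m in missing_modules(module_names)})
    return "pip3 install " + " ".join(packages) if packages else ""


if __name__ == "__main__":
    cmd = pip_install_command(list(PIP_PACKAGE_FOR_MODULE))
    print(cmd or "All Volatility 3 plugin dependencies are importable.")
```

pycrypto itself has been unmaintained for years; pycryptodome is the maintained fork exposing the same Crypto import namespace, so a plugin that imports Crypto will load with either.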