Very quick post, mostly notes for myself. When using Volatility 3 you might notice that some plugins cannot be loaded:

# ./vol.py -h
[...]
The following plugins could not be loaded (use -vv to see why): volatility.plugins.windows.cachedump, volatility.plugins.windows.callbacks, volatility.plugins.windows.hashdump, volatility.plugins.windows.lsadump, volatility.plugins.windows.svcscan, volatility.plugins.windows.vadyarascan, volatility.plugins.windows.verinfo, volatility.plugins.yarascan
If you use -vv, you'll see a bunch of debug messages that are pretty clear, e.g.

No module named 'yara'

Seems simple enough, but I had to do just a bit of hunting.
pip3 install yara caused errors; that's not the correct package. Turns out Volatility 3 is looking for yara-python. Instead of crypto, or even crypto-python, it wants pycrypto (of course). So then for pefile it must be pypefile, right? Nope, that one actually is pefile:

pip3 install yara-python
pip3 install pycrypto
pip3 install pefile
pip3 install capstone
All plugins should load now. Enjoy.
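Added example, not from the post: a small Python helper that does the hunting above mechanically, pulling the import names out of the -vv "No module named ..." lines (or probing the local interpreter) and mapping them to the pip package names the post settled on. The name table and the sample debug lines are constructed assumptions; one caveat worth knowing is that pycrypto is unmaintained, and pycryptodome provides the same Crypto import namespace.

```python
import importlib.util
import re

# Import name as it appears in the "No module named" error -> pip package name.
# Names are the ones from the post; "Crypto" is pycrypto's import name. pycrypto is
# unmaintained, and pycryptodome provides the same Crypto namespace as a safer swap.
IMPORT_TO_PIP = {
    "yara": "yara-python",
    "Crypto": "pycrypto",
    "pefile": "pefile",
    "capstone": "capstone",
}

NO_MODULE_RE = re.compile(r"No module named '([\w.]+)'")

def packages_from_verbose_output(text, import_to_pip=IMPORT_TO_PIP):
    """Parse `vol.py -vv` output and return the pip packages to install, in order.
    Unknown import names pass through unchanged so nothing is silently dropped."""
    packages = []
    for module in NO_MODULE_RE.findall(text):
        top_level = module.split(".")[0]          # 'Crypto.Hash' -> 'Crypto'
        package = import_to_pip.get(top_level, top_level)
        if package not in packages:               # de-duplicate repeated errors
            packages.append(package)
    return packages

def packages_missing_locally(import_to_pip=IMPORT_TO_PIP):
    """Same answer, but by probing the running interpreter instead of parsing logs."""
    return [pkg for mod, pkg in import_to_pip.items()
            if importlib.util.find_spec(mod) is None]

def pip_install_command(packages):
    """One-line install command, or an empty string when nothing is missing."""
    return "pip3 install " + " ".join(packages) if packages else ""

# Constructed sample of -vv debug output (only the "No module named" text is from the post).
SAMPLE_VV = """\
DEBUG    volatility.framework: Failed to import module volatility.plugins.yarascan
DEBUG    volatility.framework: No module named 'yara'
DEBUG    volatility.framework: Failed to import module volatility.plugins.windows.hashdump
DEBUG    volatility.framework: No module named 'Crypto'
DEBUG    volatility.framework: No module named 'yara'
"""

if __name__ == "__main__":
    print(pip_install_command(packages_from_verbose_output(SAMPLE_VV)))
    print(pip_install_command(packages_missing_locally()) or "all optional dependencies present")
```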
Update 22 July 2021
I noticed today, after updating Volatility3, that I was getting errors on every memory image. Below is a sample:
user@host:~/volatility3$ python3 vol.py -f /mnt/c/memdump.mem windows.info.Info
Volatility 3 Framework 1.1.1
Progress:   85.95    Scanning primary using PdbSignatureScanner
Progress:   85.95    Scanning primary using PdbSignatureScanner
Progress:  100.00    PDB scanning finished
Unsatisfied requirement plugins.Info.nt_symbols: Windows kernel symbols
A symbol table requirement was not fulfilled. Please verify that:
    You have the correct symbol file for the requirement
    The symbol file is under the correct directory or zip file
    The symbol file is named appropriately or contains the correct banner
Unable to validate the plugin requirements: ['plugins.Info.nt_symbols']
Turns out this is just something broken with Vol3. The git default branch is develop. Check out the stable branch and everything seems to work fine:
git clone --branch stable https://github.com/volatilityfoundation/volatility3
I also figured it was worth making an update to add capstone, an optional dependency, to the above list, and to correct a typo in the initial post. I originally said this was Volatility 3 v2[...], it should have been v1[...]. My bad.