[Vol-users] Help to add new plugin

Jamie Levy jamie.levy at gmail.com
Thu Nov 14 08:36:42 CST 2013


hrmmm.... I don't know why it failed then.  I can see that you have the
file in the correct folder.  Just to test, I pulled down ethscan [1] into
my volatility/plugins folder, used a commandline similar to yours and it
seems to be working for me:

$ python vol.py -v  ethscan -f Win2008R2SP1x64.raw --profile=Win2008R2SP1x64
Volatility Foundation Volatility Framework 2.3.1
Checking next buffer 0x768a1
Checking next buffer 0x57830
Checking next buffer 0xd990
Checking next buffer 0x513f
...

Not sure.. You should keep playing around with it and see if you can run
other plugins... then maybe you should contact the author.

All the best,

-gleeda



[1] https://jamaal-re-tools.googlecode.com/git/volplugins/ethscan.py


On Thu, Nov 14, 2013 at 9:17 AM, David <eterno.comandante at gmail.com> wrote:

> The output:
>
> addrspaces       connscan.pyc   dumpfiles.pyc  fileparam.pyc
> handles.py     imagecopy.py   kpcrscan.py    mbrparser.pyc  modules.pyc
> procdump.py   sockets.pyc   taskmods.pyc    vboxinfo.pyc
> bioskbd.py       crashinfo.py   envars.py      filescan.py
> handles.pyc    imagecopy.pyc  kpcrscan.pyc   mftparser.py   netscan.py
> procdump.pyc  sockscan.py   timeliner.py    vmwareinfo.py
> bioskbd.pyc      crashinfo.pyc  envars.pyc     filescan.pyc
> hibinfo.py     imageinfo.py   linux          mftparser.pyc  netscan.pyc
>   pstree.py     sockscan.pyc  timeliner.pyc   vmwareinfo.pyc
> common.py        dlldump.py     ethscan.py     getservicesids.py
> hibinfo.pyc    imageinfo.pyc  mac            moddump.py     overlays
>   pstree.pyc    ssdt.py       userassist.py   volshell.py
> common.pyc       dlldump.pyc    ethscan.pyc    getservicesids.pyc
> hpakinfo.py    __init__.py    machoinfo.py   moddump.pyc    patcher.py
> raw2dmp.py    ssdt.pyc      userassist.pyc  volshell.pyc
> connections.py   dumpcerts.py   evtlogs.py     getsids.py
> hpakinfo.pyc   __init__.pyc   machoinfo.pyc  modscan.py     patcher.pyc
> raw2dmp.pyc   strings.py    vadinfo.py
> connections.pyc  dumpcerts.pyc  evtlogs.pyc    getsids.pyc
> iehistory.py   kdbgscan.py    malware        modscan.pyc    privileges.py
>   registry      strings.pyc   vadinfo.pyc
> connscan.py      dumpfiles.py   fileparam.py   gui
> iehistory.pyc  kdbgscan.pyc   mbrparser.py   modules.py     privileges.pyc
> sockets.py    taskmods.py   vboxinfo.py
>
> Best regards!
>
> On 14/11/2013, at 14:52, Jamie Levy <jamie.levy at gmail.com> wrote:
>
> Please type the following and show me the output:
>
> ls volatility/plugins
>
>
>
>
> On Thu, Nov 14, 2013 at 8:32 AM, David <eterno.comandante at gmail.com> wrote:
>
>> Good afternoon Jamie
>>
>> I copied the file ethscan.py in volatility/plugins and….
>>
>> I executed:
>>
>> remnux at remnux:~/Desktop/volatility-2.3.1$ sudo make clean
>> rm -f `find . -name "*.pyc" -o -name "*~"`
>> rm -rf dist build
>> remnux at remnux:~/Desktop/volatility-2.3.1$ sudo vol.py -v  ethscan -f
>> /mnt/hgfs/E/ENSE/F/M/Audits/7523/200309/memory.img
>> ERROR   : __main__            : You must specify something to do (try -h)
>>
>> The same error :(
>>
>> On 14/11/2013, at 14:05, Jamie Levy <jamie.levy at gmail.com> wrote:
>>
>> Oh, also if you copied the ethscan plugin to your volatility/plugins
>> directory, don't use the --plugins option
>>
>> ------------------------------
>> *From: * David <eterno.comandante at gmail.com>
>> *Date: *Thu, 14 Nov 2013 13:53:05 +0100
>> *To: *Jamie Levy<jamie.levy at gmail.com>
>> *Cc: *Volatility List<vol-users at volatilityfoundation.org>
>> *Subject: *Re: [Vol-users] Help to add new plugin
>>
>> Hi Jamie
>>
>> Thanks again...
>>
>> I executed "sudo python vol.py
>> --plugins=../jamaal-re-tools-f427978461d4/volplugins -f
>> /mnt/hgfs/E/ENSE/F/M/Audits/7523/200309/memory.img
>> --profile=Win7SP1x64 ethscan"
>>
>> And I have new errors (I use vol.py 2.3.1, the non-installable version of
>> Volatility 2.3.1).
>>
>> Do you know if anybody has a similar problem with the ethscan plugin?
>>
>>
>> Traceback (most recent call last):
>>   File "/usr/local/bin/vol.py", line 186, in <module>
>>     main()
>>   File "/usr/local/bin/vol.py", line 143, in main
>>     registry.register_global_options(config, commands.Command)
>>   File "/usr/local/lib/python2.7/dist-packages/volatility/registry.py",
>> line 157, in register_global_options
>>     for m in get_plugin_classes(cls, True).values():
>>   File "/usr/local/lib/python2.7/dist-packages/volatility/registry.py",
>> line 152, in get_plugin_classes
>>     raise Exception("Object {0} has already been defined by
>> {1}".format(name, plugin))
>> Exception: Object EthScan has already been defined by <class
>> 'volatility.plugins.ethscan_rc1.EthScan'>
>>
>>
>> Best regards
>>
>> On 14/11/2013, at 12:45, Jamie Levy <jamie.levy at gmail.com> wrote:
>>
>> Try:
>>
>> sudo python vol.py --plugins=../jamaal-re-tools-f427978461d4/volplugins
>> -f /mnt/hgfs/E/ENSE/F/M/Audits/7523/200309/memory.img
>> --profile=Win7SP1x64 ethscan
>>
>> First: --plugins takes in either a directory or a zipfile, not a plugin
>>
>> Second: You didn't specify which plugin to run (ethscan)
>> ------------------------------
>> *From: * David <eterno.comandante at gmail.com>
>> *Date: *Thu, 14 Nov 2013 10:41:47 +0100
>> *To: *Jamie Levy<jamie.levy at gmail.com>
>> *Cc: *Volatility List<vol-users at volatilityfoundation.org>
>> *Subject: *Re: [Vol-users] Help to add new plugin
>>
>>
>> Sorry, I had a typo: I didn't write --profile=Win7SP1x64
>>
>>
>> sudo python vol.py
>> --plugins=../jamaal-re-tools-f427978461d4/volplugins/ethscan.py -f
>> /mnt/hgfs/E/ENSE/F/M/Audits/7523/200309/memory.img --profile=Win7SP1x64
>>
>>
>>
>> I have the same error as ever :(
>>
>> Volatility Foundation Volatility Framework 2.3.1
>> ERROR   : __main__            : You must specify something to do (try -h)
>>
>>
>> Thanks!!
>>
>> On 14/11/2013, at 09:36, David <eterno.comandante at gmail.com> wrote:
>>
>> Hi @Jamie and list
>>
>> Thanks very much for your support ;)
>>
>> I have the same errors when I'm executing: :(
>>
>>  sudo python vol.py
>> --plugins=../jamaal-re-tools-f427978461d4/volplugins/ethscan.py -f
>> /mnt/hgfs/E/ENSE/F/M/Audits/7523/200309/memory.img
>>
>> The error:
>>
>> Volatility Foundation Volatility Framework 2.3.1
>> ERROR   : __main__            : You must specify something to do (try -h)
>>
>> Maybe the cause of this error can be that the new plugin "ethscan" isn't
>> compatible with the non-installable version of Volatility 2.3.1. What do you
>> think?
>>
>> On the other hand, I found a brief tutorial about ethscan:
>>
>>
>> https://code.google.com/p/jamaal-re-tools/source/browse/volplugins/README.txt
>>
>>
>> vol.py ethscan -f be2.vmem -R --dump-dir outputfiles -C out.pcap -P -S
>>
>> The execution of the vol.py command is different……. :(
>>
>> He does not use the flag --plugin=
>>
>> Thanks for all!!
>>
>> PS: My apologies for my level of English
>>
>>
>> On 13/11/2013, at 16:43, Jamie Levy <jamie.levy at gmail.com> wrote:
>>
>> Hi David,
>>
>> I think you might have also asked this on the channel.  So yes, you
>> should use the `--plugins=/path/to/folder/with/ethscan` option, obviously
>> changing the path to a folder that has that plugin.  If you were the person
>> on the channel, the issue that you were having is because you must specify
>> `--plugins` first, BEFORE any other options to vol.py:
>>
>>
>> http://code.google.com/p/volatility/wiki/VolatilityUsage23#Specifying_Additional_Plugin_Directories
>>
>> Let me know if you have any other questions.
>>
>> All the best,
>>
>> -gleeda
>>
>>
>>
>>
>> On Tue, Nov 12, 2013 at 6:42 AM, David Martin <
>> eterno.comandante at gmail.com> wrote:
>>
>>> Hello list,
>>>
>>> Please, I need some help to add/use new plugins in volatility
>>> 2.3.1.
>>>
>>> Can I use the flag "--plugins=contrib/plugins"? Or is there any other method?
>>>
>>> The plugin that I want to add/use is:
>>>
>>> https://code.google.com/p/jamaal-re-tools/source/checkout
>>>
>>> Thanks for your support!!
>>>
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> Vol-users mailing list
>>> Vol-users at volatilityfoundation.org
>>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>>>
>>>
>>
>>
>> --
>> PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3  64C2 196B 2AB5 27A4 AC92
>>
>>
>>
>>
>>
>>
>
>
> --
> PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3  64C2 196B 2AB5 27A4 AC92
>
>
>


-- 
PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3  64C2 196B 2AB5 27A4 AC92
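
The traceback quoted in this thread ends with the registry refusing a second class named EthScan. As an added example (not code from the thread or from Volatility), the script below pulls the class name and the module that registered it first out of that error line, then lists every .py file under the given folders that defines a class of that name. The function names are hypothetical and the folder layout in demo() is constructed; the thread does not show where ethscan_rc1.py lives.

```python
import os
import re
import tempfile

# Exception text from the traceback in the thread, unwrapped onto one line.
ERROR = ("Exception: Object EthScan has already been defined by "
         "<class 'volatility.plugins.ethscan_rc1.EthScan'>")
ERROR_RE = re.compile(r"Object (\w+) has already been defined by <class '([\w.]+)'>")
CLASS_RE = re.compile(r"^class\s+(\w+)\s*[(:]", re.MULTILINE)


def parse_conflict(message):
    """Return (class_name, module_that_registered_it_first) from the error."""
    match = ERROR_RE.search(message)
    if match is None:
        raise ValueError("not a duplicate-plugin error")
    name, dotted = match.groups()
    return name, dotted.rsplit(".", 1)[0]


def find_definitions(class_name, search_dirs):
    """List .py files under search_dirs defining a top-level class_name."""
    # Text scan only: nothing is imported, so Python 2 plugin sources are fine.
    hits = []
    for top in search_dirs:
        for folder, _subdirs, files in os.walk(top):
            for fname in (f for f in files if f.endswith(".py")):
                path = os.path.join(folder, fname)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    if class_name in CLASS_RE.findall(fh.read()):
                        hits.append(path)
    return sorted(hits)


def demo():
    """Constructed layout: two plugin folders that both define EthScan."""
    base = tempfile.mkdtemp()
    for rel in ("plugins_a/ethscan.py", "plugins_b/ethscan_rc1.py"):
        os.makedirs(os.path.dirname(os.path.join(base, rel)))
        with open(os.path.join(base, rel), "w") as fh:
            fh.write("class EthScan(object):\n    pass\n")
    name, module = parse_conflict(ERROR)
    found = find_definitions(name, [base])
    return name, module, [os.path.relpath(p, base) for p in found]


if __name__ == "__main__":
    print(demo())
```

Point find_definitions at both the installed volatility/plugins folder and the folder given to --plugins; more than one hit for the same class name is the condition the error reports.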