[Vol-users] Help to add new plugin

David eterno.comandante at gmail.com
Tue Nov 26 12:18:34 CST 2013


Hello Jamie

The good news is... problem solved!!
The bad news is… I don't know the source of my problem

With a new installation of Volatility 2.3.1 the problem was solved… the ethscan plugin is analyzing successfully….

Thanks for Jamie’s support!!

On 14/11/2013, at 16:16, David <eterno.comandante at gmail.com> wrote:

> Thanks for your support Jamie ;)
> 
> I'm going to install a new instance of Volatility in a new VM… and I will send you and the list the results of this topic.
> 
> Kind regards.
> 
> 
> On 14/11/2013, at 15:36, Jamie Levy <jamie.levy at gmail.com> wrote:
> 
>> hrmmm.... I don't know why it failed then.  I can see that you have the file in the correct folder.  Just to test, I pulled down ethscan [1] into my volatility/plugins folder, used a command line similar to yours and it seems to be working for me:
>> 
>> $ python vol.py -v  ethscan -f Win2008R2SP1x64.raw --profile=Win2008R2SP1x64
>> Volatility Foundation Volatility Framework 2.3.1
>> Checking next buffer 0x768a1
>> Checking next buffer 0x57830
>> Checking next buffer 0xd990
>> Checking next buffer 0x513f
>> ...
>> 
>> Not sure.. You should keep playing around with it and see if you can run other plugins... then maybe you should contact the author.
>> 
>> All the best,
>> 
>> -gleeda
>> 
>> 
>> 
>> [1] https://jamaal-re-tools.googlecode.com/git/volplugins/ethscan.py
>> 
>> 
>> On Thu, Nov 14, 2013 at 9:17 AM, David <eterno.comandante at gmail.com> wrote:
>> The output:
>> 
>> addrspaces       connscan.pyc   dumpfiles.pyc  fileparam.pyc       handles.py     imagecopy.py   kpcrscan.py    mbrparser.pyc  modules.pyc     procdump.py   sockets.pyc   taskmods.pyc    vboxinfo.pyc
>> bioskbd.py       crashinfo.py   envars.py      filescan.py         handles.pyc    imagecopy.pyc  kpcrscan.pyc   mftparser.py   netscan.py      procdump.pyc  sockscan.py   timeliner.py    vmwareinfo.py
>> bioskbd.pyc      crashinfo.pyc  envars.pyc     filescan.pyc        hibinfo.py     imageinfo.py   linux          mftparser.pyc  netscan.pyc     pstree.py     sockscan.pyc  timeliner.pyc   vmwareinfo.pyc
>> common.py        dlldump.py     ethscan.py     getservicesids.py   hibinfo.pyc    imageinfo.pyc  mac            moddump.py     overlays        pstree.pyc    ssdt.py       userassist.py   volshell.py
>> common.pyc       dlldump.pyc    ethscan.pyc    getservicesids.pyc  hpakinfo.py    __init__.py    machoinfo.py   moddump.pyc    patcher.py      raw2dmp.py    ssdt.pyc      userassist.pyc  volshell.pyc
>> connections.py   dumpcerts.py   evtlogs.py     getsids.py          hpakinfo.pyc   __init__.pyc   machoinfo.pyc  modscan.py     patcher.pyc     raw2dmp.pyc   strings.py    vadinfo.py
>> connections.pyc  dumpcerts.pyc  evtlogs.pyc    getsids.pyc         iehistory.py   kdbgscan.py    malware        modscan.pyc    privileges.py   registry      strings.pyc   vadinfo.pyc
>> connscan.py      dumpfiles.py   fileparam.py   gui                 iehistory.pyc  kdbgscan.pyc   mbrparser.py   modules.py     privileges.pyc  sockets.py    taskmods.py   vboxinfo.py
>> 
>> Best regards!
>> 
>> On 14/11/2013, at 14:52, Jamie Levy <jamie.levy at gmail.com> wrote:
>> 
>>> Please type the following and show me the output:
>>> 
>>> ls volatility/plugins
>>> 
>>> 
>>> 
>>> 
>>> On Thu, Nov 14, 2013 at 8:32 AM, David <eterno.comandante at gmail.com> wrote:
>>> Good afternoon Jamie
>>> 
>>> I copied the file ethscan.py into volatility/plugins and…
>>> 
>>> I executed: 
>>> 
>>> remnux at remnux:~/Desktop/volatility-2.3.1$ sudo make clean
>>> rm -f `find . -name "*.pyc" -o -name "*~"`
>>> rm -rf dist build
>>> remnux at remnux:~/Desktop/volatility-2.3.1$ sudo vol.py -v  ethscan -f /mnt/hgfs/E/ENSE/F/M/Audits/7523/200309/memory.img 
>>> ERROR   : __main__            : You must specify something to do (try -h)
>>> 
>>> The same error :( 
>>> 
>>> On 14/11/2013, at 14:05, Jamie Levy <jamie.levy at gmail.com> wrote:
>>> 
>>>> Oh, also if you copied the ethscan plugin to your volatility/plugins directory, don't use the --plugins option
>>>> 
>>>> From: David <eterno.comandante at gmail.com>
>>>> Date: Thu, 14 Nov 2013 13:53:05 +0100
>>>> To: Jamie Levy<jamie.levy at gmail.com>
>>>> Cc: Volatility List<vol-users at volatilityfoundation.org>
>>>> Subject: Re: [Vol-users] Help to add new plugin
>>>> 
>>>> Hi Jamie
>>>> 
>>>> Thanks again...
>>>> 
>>>> I executed   "sudo python vol.py --plugins=../jamaal-re-tools-f427978461d4/volplugins -f /mnt/hgfs/E/ENSE/F/M/Audits/7523/200309/memory.img --profile=Win7SP1x64 ethscan"
>>>> 
>>>> And I have new errors (I use vol.py 2.3.1, the non-installable version of Volatility 2.3.1)
>>>> 
>>>> Do you know if anybody has had a similar problem with the ethscan plugin?
>>>> 
>>>> 
>>>> Traceback (most recent call last):
>>>>   File "/usr/local/bin/vol.py", line 186, in <module>
>>>>     main()
>>>>   File "/usr/local/bin/vol.py", line 143, in main
>>>>     registry.register_global_options(config, commands.Command)
>>>>   File "/usr/local/lib/python2.7/dist-packages/volatility/registry.py", line 157, in register_global_options
>>>>     for m in get_plugin_classes(cls, True).values():
>>>>   File "/usr/local/lib/python2.7/dist-packages/volatility/registry.py", line 152, in get_plugin_classes
>>>>     raise Exception("Object {0} has already been defined by {1}".format(name, plugin))
>>>> Exception: Object EthScan has already been defined by <class 'volatility.plugins.ethscan_rc1.EthScan'>
>>>> 
>>>> 
>>>> Best regards
>>>> 
>>>> On 14/11/2013, at 12:45, Jamie Levy <jamie.levy at gmail.com> wrote:
>>>> 
>>>>> Try:
>>>>> 
>>>>> sudo python vol.py --plugins=../jamaal-re-tools-f427978461d4/volplugins -f /mnt/hgfs/E/ENSE/F/M/Audits/7523/200309/memory.img --profile=Win7SP1x64 ethscan
>>>>> 
>>>>> First: --plugins takes in either a directory or a zipfile, not a plugin
>>>>> 
>>>>> Second: You didn't specify which plugin to run (ethscan)
>>>>> From: David <eterno.comandante at gmail.com>
>>>>> Date: Thu, 14 Nov 2013 10:41:47 +0100
>>>>> To: Jamie Levy<jamie.levy at gmail.com>
>>>>> Cc: Volatility List<vol-users at volatilityfoundation.org>
>>>>> Subject: Re: [Vol-users] Help to add new plugin
>>>>> 
>>>>> 
>>>>> Sorry, I had a typo: I didn't write --profile=Win7SP1x64
>>>>> 
>>>>> 
>>>>>> sudo python vol.py --plugins=../jamaal-re-tools-f427978461d4/volplugins/ethscan.py -f /mnt/hgfs/E/ENSE/F/M/Audits/7523/200309/memory.img --profile=Win7SP1x64 
>>>>> 
>>>>> 
>>>>> 
>>>>> I have the same error as ever :(
>>>>> 
>>>>>> Volatility Foundation Volatility Framework 2.3.1
>>>>>> ERROR   : __main__            : You must specify something to do (try -h)
>>>>> 
>>>>> 
>>>>> Thanks!!
>>>>> 
>>>>> On 14/11/2013, at 09:36, David <eterno.comandante at gmail.com> wrote:
>>>>> 
>>>>>> Hi @Jamie and list
>>>>>> 
>>>>>> Thanks very much for your support ;) 
>>>>>> 
>>>>>> I have the same errors when I'm executing: :(
>>>>>> 
>>>>>>  sudo python vol.py --plugins=../jamaal-re-tools-f427978461d4/volplugins/ethscan.py -f /mnt/hgfs/E/ENSE/F/M/Audits/7523/200309/memory.img 
>>>>>> 
>>>>>> The error:
>>>>>> 
>>>>>> Volatility Foundation Volatility Framework 2.3.1
>>>>>> ERROR   : __main__            : You must specify something to do (try -h)
>>>>>> 
>>>>>> Maybe the cause of this error is that the new plugin "ethscan" isn't compatible with the non-installable version of Volatility 2.3.1; what do you think?
>>>>>> 
>>>>>> On the other hand, I found a brief tutorial about ethscan:
>>>>>> 
>>>>>> https://code.google.com/p/jamaal-re-tools/source/browse/volplugins/README.txt 
>>>>>> 
>>>>>> vol.py ethscan -f be2.vmem -R --dump-dir outputfiles -C out.pcap -P -S
>>>>>> 
>>>>>> The execution of the vol.py command is different… :(
>>>>>> 
>>>>>> It does not use the flag --plugin=
>>>>>> 
>>>>>> Thanks for all!!
>>>>>> 
>>>>>> PS: My apologies for my level of English
>>>>>> 
>>>>>> 
>>>>>> On 13/11/2013, at 16:43, Jamie Levy <jamie.levy at gmail.com> wrote:
>>>>>> 
>>>>>>> Hi David,
>>>>>>> 
>>>>>>> I think you might have also asked this on the channel.  So yes, you should use the `--plugins=/path/to/folder/with/ethscan` option, obviously changing the path to a folder that has that plugin.  If you were the person on the channel, the issue that you were having is because you must specify `--plugins` first, BEFORE any other options to vol.py:
>>>>>>> 
>>>>>>> http://code.google.com/p/volatility/wiki/VolatilityUsage23#Specifying_Additional_Plugin_Directories
>>>>>>> 
>>>>>>> Let me know if you have any other questions.
>>>>>>> 
>>>>>>> All the best,
>>>>>>> 
>>>>>>> -gleeda
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> On Tue, Nov 12, 2013 at 6:42 AM, David Martin <eterno.comandante at gmail.com> wrote:
>>>>>>> Hello list,
>>>>>>> 
>>>>>>> Please, I need some help with adding/using new plugins in Volatility 2.3.1.
>>>>>>> 
>>>>>>> Can I use the flag "--plugins=contrib/plugins"? Or is there any other method?
>>>>>>> 
>>>>>>> The plugin that I want to add/use is:
>>>>>>> 
>>>>>>> https://code.google.com/p/jamaal-re-tools/source/checkout 
>>>>>>> 
>>>>>>> Thanks for your support!!
>>>>>>> 
>>>>>>> 
>>>>>>> -- 
>>>>>>> PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3  64C2 196B 2AB5 27A4 AC92

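The traceback quoted in the thread ("Object EthScan has already been defined by <class 'volatility.plugins.ethscan_rc1.EthScan'>") comes from Volatility's plugin registry refusing to register two classes with the same name, which is what happens when ethscan.py and a second module such as ethscan_rc1 both sit in volatility/plugins. The script below is an added example, not Volatility's own code: it approximates that check by parsing every .py file under the given plugin directories with the ast module and reporting class names defined in more than one file, so an analyst can spot the clash before running vol.py. Assumptions: Volatility only registers subclasses of commands.Command, while this script reports every top-level class (so a few helper classes may be listed); the sample plugin tree it builds when run without arguments (ethscan.py, ethscan_rc1.py, pslist_demo.py) is constructed for the demo and does not reproduce the real plugins' code.

```python
"""Report plugin class names defined more than once across plugin directories.

Added example, not part of Volatility. Usage:
    python find_duplicate_plugins.py volatility/plugins ../volplugins
With no arguments it builds a constructed plugin tree and checks that.
"""
import ast
import os
import sys
import tempfile


def class_names_in_file(path):
    """Return the top-level class names defined in one Python source file.

    Files that do not parse under the running interpreter (for example
    Python 2 plugin code parsed with Python 3) are skipped with a warning
    rather than aborting the whole scan.
    """
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        source = fh.read()
    try:
        tree = ast.parse(source, filename=path)
    except (SyntaxError, ValueError) as exc:
        print("skipping %s: %s" % (path, exc), file=sys.stderr)
        return []
    return [node.name for node in tree.body if isinstance(node, ast.ClassDef)]


def find_duplicate_plugins(plugin_dirs):
    """Map each class name to the files defining it, keeping only names
    that occur in more than one file (the registry's failure case).

    Assumption: the registry keys on the class name alone, so two files
    defining the same class name clash even if their code differs.
    """
    seen = {}
    for root_dir in plugin_dirs:
        for dirpath, _subdirs, files in os.walk(root_dir):
            for name in sorted(files):
                if not name.endswith(".py") or name == "__init__.py":
                    continue
                path = os.path.join(dirpath, name)
                for cls in class_names_in_file(path):
                    seen.setdefault(cls, []).append(path)
    return {cls: paths for cls, paths in seen.items() if len(paths) > 1}


def build_constructed_tree(base):
    """Write a constructed plugin directory mirroring the thread's situation:
    two files both defining EthScan, plus one plugin with a unique name."""
    sources = {
        "ethscan.py": "class EthScan(object):\n    pass\n",
        "ethscan_rc1.py": "class EthScan(object):\n    pass\n",
        "pslist_demo.py": "class PsListDemo(object):\n    pass\n",
    }
    for name, body in sources.items():
        with open(os.path.join(base, name), "w", encoding="utf-8") as fh:
            fh.write(body)


def demo():
    """Run the checker over the constructed tree and return the duplicates
    keyed by class name with file basenames (independent of the temp path)."""
    with tempfile.TemporaryDirectory() as base:
        build_constructed_tree(base)
        dupes = find_duplicate_plugins([base])
        return {cls: sorted(os.path.basename(p) for p in paths)
                for cls, paths in dupes.items()}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        result = find_duplicate_plugins(sys.argv[1:])
    else:
        result = demo()
    if not result:
        print("no duplicate plugin class names found")
    for cls, files in sorted(result.items()):
        print("Object %s is defined in more than one file: %s"
              % (cls, ", ".join(files)))
```

When run against a real plugin directory, the same class reported for two files means one of them has to be removed or renamed before vol.py will start; when run without arguments it reports EthScan as defined in both ethscan.py and ethscan_rc1.py.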