Installing volatility3 on Ubuntu
Requirements
Python 3.5.3 or later. https://www.python.org
Pefile 2017.8.1 or later. https://pypi.org/project/pefile/
Optional Dependencies
yara-python 3.8.0 or later. https://github.com/VirusTotal/yara-python
capstone 3.0.0 or later. https://www.capstone-engine.org/download.html
Installation
pip install pefile
pip install yara-python
git clone https://github.com/volatilityfoundation/volatility3.git
cd volatility3
python setup.py build
python setup.py install
Verification
python3 vol.py -h
Volatility 3 Framework 1.0.0-beta.1
usage: volatility [-h] [-c CONFIG] [--parallelism [{processes,threads,off}]]
[-e EXTEND] [-p PLUGIN_DIRS] [-s SYMBOL_DIRS] [-v] [-l LOG]
[-o OUTPUT_DIR] [-q] [-r RENDERER] [-f FILE]
[--write-config] [--clear-cache]
[--single-swap-locations SINGLE_SWAP_LOCATIONS]
[--single-location SINGLE_LOCATION]
plugin ...
An open-source memory forensics framework
optional arguments:
-h, --help show this help message and exit
-c CONFIG, --config CONFIG
Load the configuration from a json file
--parallelism [{processes,threads,off}]
Enables parallelism (defaults to processes if no
argument given)
-e EXTEND, --extend EXTEND
Extend the configuration with a new (or changed)
setting
-p PLUGIN_DIRS, --plugin-dirs PLUGIN_DIRS
Semi-colon separated list of paths to find plugins
-s SYMBOL_DIRS, --symbol-dirs SYMBOL_DIRS
Semi-colon separated list of paths to find symbols
-v, --verbosity Increase output verbosity
-l LOG, --log LOG Log output to a file as well as the console
-o OUTPUT_DIR, --output-dir OUTPUT_DIR
Directory in which to output any generated files
-q, --quiet Remove progress feedback
-r RENDERER, --renderer RENDERER
Determines how to render the output (quick, csv,
pretty, json, jsonl)
-f FILE, --file FILE Shorthand for --single-location=file:// if single-
location is not defined
--write-config Write configuration JSON file out to config.json
--clear-cache Clears out all short-term cached items
--single-swap-locations SINGLE_SWAP_LOCATIONS
Specifies a list of swap layer URIs for use with
single-location
--single-location SINGLE_LOCATION
Specifies a base location on which to stack
Plugins:
plugin
configwriter.ConfigWriter
Runs the automagics and both prints and outputs
configuration in the output directory.
frameworkinfo.FrameworkInfo
Plugin to list the various modular components of
Volatility
layerwriter.LayerWriter
Runs the automagics and writes out the primary layer
produced by the stacker.
linux.bash.Bash Recovers bash command history from memory.
linux.check_afinfo.Check_afinfo
Verifies the operation function pointers of network
protocols.
linux.check_syscall.Check_syscall
Check system call table for hooks.
linux.elfs.Elfs Lists all memory mapped ELF files for all processes.
linux.lsmod.Lsmod Lists loaded kernel modules.
linux.lsof.Lsof Lists all memory maps for all processes.
linux.malfind.Malfind
Lists process memory ranges that potentially contain
injected code.
linux.proc.Maps Lists all memory maps for all processes.
linux.pslist.PsList
Lists the processes present in a particular linux
memory image.
linux.pstree.PsTree
Plugin for listing processes in a tree based on their
parent process ID.
mac.bash.Bash Recovers bash command history from memory.
mac.check_syscall.Check_syscall
Check system call table for hooks.
mac.check_sysctl.Check_sysctl
Check sysctl handlers for hooks.
mac.check_trap_table.Check_trap_table
Check mach trap table for hooks.
mac.ifconfig.Ifconfig
Lists loaded kernel modules
mac.lsmod.Lsmod Lists loaded kernel modules.
mac.lsof.lsof Lists all open file descriptors for all processes.
mac.malfind.Malfind
Lists process memory ranges that potentially contain
injected code.
# The plugins include:
configwriter.ConfigWriter, frameworkinfo.FrameworkInfo, layerwriter.LayerWriter, linux.bash.Bash,
linux.check_afinfo.Check_afinfo, linux.check_syscall.Check_syscall, linux.elfs.Elfs, linux.lsmod.Lsmod,
linux.lsof.Lsof, linux.malfind.Malfind, linux.proc.Maps, linux.pslist.PsList, linux.pstree.PsTree,
mac.bash.Bash, mac.check_syscall.Check_syscall, mac.check_sysctl.Check_sysctl,
mac.check_trap_table.Check_trap_table, mac.ifconfig.Ifconfig, mac.lsmod.Lsmod, mac.lsof.lsof,
mac.malfind.Malfind, mac.netstat.Netstat, mac.proc_maps.Maps, mac.psaux.Psaux, mac.pslist.PsList,
mac.pstree.PsTree, mac.tasks.Tasks, mac.timers.Timers, mac.trustedbsd.trustedbsd, timeliner.Timeliner,
windows.callbacks.Callbacks, windows.cmdline.CmdLine, windows.dlldump.DllDump, windows.dlllist.DllList,
windows.driverirp.DriverIrp, windows.driverscan.DriverScan, windows.filescan.FileScan,
windows.handles.Handles, windows.info.Info, windows.malfind.Malfind, windows.moddump.ModDump,
windows.modscan.ModScan, windows.modules.Modules, windows.mutantscan.MutantScan,
windows.poolscanner.PoolScanner, windows.procdump.ProcDump, windows.pslist.PsList,
windows.psscan.PsScan, windows.pstree.PsTree, windows.registry.certificates.Certificates,
windows.registry.hivedump.HiveDump, windows.registry.hivelist.HiveList,
windows.registry.hivescan.HiveScan, windows.registry.printkey.PrintKey,
windows.registry.userassist.UserAssist, windows.ssdt.SSDT, windows.statistics.Statistics,
windows.strings.Strings, windows.svcscan.SvcScan, windows.symlinkscan.SymlinkScan,
windows.vaddump.VadDump, windows.vadinfo.VadInfo, windows.vadyarascan.VadYaraScan,
windows.verinfo.VerInfo, windows.virtmap.VirtMap, yarascan.YaraScan
If you get the error:
OSError: /usr/lib/libyara.so: cannot open shared object file: No such file or directory
run:
ln -s /usr/local/lib/python3.6/dist-packages/usr/lib/libyara.so /usr/lib/libyara.so
# replace python3.6 with the Python version you are using
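The installation steps above and the libyara.so fix, gathered into one script as an added example (this is not code from the original post or from the volatility3 project). It avoids hardcoding the Python version in the symlink command by searching for the libyara.so that yara-python dropped into site-packages, and it refuses to overwrite a real file at the destination so a distro-provided libyara is never clobbered. The function names are mine, the default search root /usr/local/lib is an assumption (the post's path lives under it), and the destination /usr/lib/libyara.so is the path from the OSError quoted above.

```shell
#!/bin/sh
# Added example: install volatility3 as the post describes and repair the
# missing /usr/lib/libyara.so without hardcoding the Python version.

# Installation steps from the post (network required; run where you want the
# volatility3 checkout). python3 -m pip is used so pip and python agree.
install_volatility3() {
    python3 -m pip install pefile yara-python || return 1
    git clone https://github.com/volatilityfoundation/volatility3.git || return 1
    ( cd volatility3 && python3 setup.py build && python3 setup.py install )
}

# Locate the libyara.so bundled by yara-python below a search root.
# Default root /usr/local/lib is an assumption matching the post's path
# (/usr/local/lib/pythonX.Y/dist-packages/usr/lib/libyara.so).
# Prints the first match; returns 1 if nothing is found.
find_libyara() {
    root="${1:-/usr/local/lib}"
    found=$(find "$root" -type f -name 'libyara.so' 2>/dev/null | head -n 1)
    [ -n "$found" ] || return 1
    printf '%s\n' "$found"
}

# Symlink src to dest idempotently. Returns 1 if src is missing and 2 if dest
# already exists as a regular file (never replace a library the distro owns).
link_libyara() {
    src="$1"
    dest="$2"
    [ -f "$src" ] || { echo "source $src is missing" >&2; return 1; }
    if [ -e "$dest" ] && [ ! -L "$dest" ]; then
        echo "$dest exists and is not a symlink; leaving it alone" >&2
        return 2
    fi
    ln -sfn "$src" "$dest"
}

# Usage: sh vol3_setup.sh install
#        sudo sh vol3_setup.sh fix-yara   (after the OSError; /usr/lib needs root)
case "${1:-}" in
    install)  install_volatility3 ;;
    fix-yara) src=$(find_libyara) && link_libyara "$src" /usr/lib/libyara.so ;;
esac
```

After `fix-yara`, re-run `python3 vol.py -h`; the banner `Volatility 3 Framework ...` should print without the OSError. If `find_libyara` finds nothing under /usr/local/lib, pass the site-packages directory of the interpreter you used for `pip install` as its first argument.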