Requirements

Python 3.5.3 or later. https://www.python.org
Pefile 2017.8.1 or later. https://pypi.org/project/pefile/

Optional Dependencies

yara-python 3.8.0 or later. https://github.com/VirusTotal/yara-python
capstone 3.0.0 or later. https://www.capstone-engine.org/download.html

Installation

pip install pefile
pip install yara-python
git clone https://github.com/volatilityfoundation/volatility3.git
cd volatility3
python setup.py build
python setup.py install

Verification

python3 vol.py -h
Volatility 3 Framework 1.0.0-beta.1
usage: volatility [-h] [-c CONFIG] [--parallelism [{processes,threads,off}]]
                  [-e EXTEND] [-p PLUGIN_DIRS] [-s SYMBOL_DIRS] [-v] [-l LOG]
                  [-o OUTPUT_DIR] [-q] [-r RENDERER] [-f FILE]
                  [--write-config] [--clear-cache]
                  [--single-swap-locations SINGLE_SWAP_LOCATIONS]
                  [--single-location SINGLE_LOCATION]
                  plugin ...

An open-source memory forensics framework

optional arguments:
  -h, --help            show this help message and exit
  -c CONFIG, --config CONFIG
                        Load the configuration from a json file
  --parallelism [{processes,threads,off}]
                        Enables parallelism (defaults to processes if no
                        argument given)
  -e EXTEND, --extend EXTEND
                        Extend the configuration with a new (or changed)
                        setting
  -p PLUGIN_DIRS, --plugin-dirs PLUGIN_DIRS
                        Semi-colon separated list of paths to find plugins
  -s SYMBOL_DIRS, --symbol-dirs SYMBOL_DIRS
                        Semi-colon separated list of paths to find symbols
  -v, --verbosity       Increase output verbosity
  -l LOG, --log LOG     Log output to a file as well as the console
  -o OUTPUT_DIR, --output-dir OUTPUT_DIR
                        Directory in which to output any generated files
  -q, --quiet           Remove progress feedback
  -r RENDERER, --renderer RENDERER
                        Determines how to render the output (quick, csv,
                        pretty, json, jsonl)
  -f FILE, --file FILE  Shorthand for --single-location=file:// if single-
                        location is not defined
  --write-config        Write configuration JSON file out to config.json
  --clear-cache         Clears out all short-term cached items
  --single-swap-locations SINGLE_SWAP_LOCATIONS
                        Specifies a list of swap layer URIs for use with
                        single-location
  --single-location SINGLE_LOCATION
                        Specifies a base location on which to stack

Plugins:
  plugin
    configwriter.ConfigWriter
                        Runs the automagics and both prints and outputs
                        configuration in the output directory.
    frameworkinfo.FrameworkInfo
                        Plugin to list the various modular components of
                        Volatility
    layerwriter.LayerWriter
                        Runs the automagics and writes out the primary layer
                        produced by the stacker.
    linux.bash.Bash     Recovers bash command history from memory.
    linux.check_afinfo.Check_afinfo
                        Verifies the operation function pointers of network
                        protocols.
    linux.check_syscall.Check_syscall
                        Check system call table for hooks.
    linux.elfs.Elfs     Lists all memory mapped ELF files for all processes.
    linux.lsmod.Lsmod   Lists loaded kernel modules.
    linux.lsof.Lsof     Lists all memory maps for all processes.
    linux.malfind.Malfind
                        Lists process memory ranges that potentially contain
                        injected code.
    linux.proc.Maps     Lists all memory maps for all processes.
    linux.pslist.PsList
                        Lists the processes present in a particular linux
                        memory image.
    linux.pstree.PsTree
                        Plugin for listing processes in a tree based on their
                        parent process ID.
    mac.bash.Bash       Recovers bash command history from memory.
    mac.check_syscall.Check_syscall
                        Check system call table for hooks.
    mac.check_sysctl.Check_sysctl
                        Check sysctl handlers for hooks.
    mac.check_trap_table.Check_trap_table
                        Check mach trap table for hooks.
    mac.ifconfig.Ifconfig
                        Lists loaded kernel modules
    mac.lsmod.Lsmod     Lists loaded kernel modules.
    mac.lsof.lsof       Lists all open file descriptors for all processes.
    mac.malfind.Malfind
                        Lists process memory ranges that potentially contain
                        injected code.
The full set of plugins includes:

configwriter.ConfigWriter, frameworkinfo.FrameworkInfo, layerwriter.LayerWriter, linux.bash.Bash,
linux.check_afinfo.Check_afinfo, linux.check_syscall.Check_syscall, linux.elfs.Elfs, linux.lsmod.Lsmod,
linux.lsof.Lsof, linux.malfind.Malfind, linux.proc.Maps, linux.pslist.PsList, linux.pstree.PsTree,
mac.bash.Bash, mac.check_syscall.Check_syscall, mac.check_sysctl.Check_sysctl,
mac.check_trap_table.Check_trap_table, mac.ifconfig.Ifconfig, mac.lsmod.Lsmod, mac.lsof.lsof,
mac.malfind.Malfind, mac.netstat.Netstat, mac.proc_maps.Maps, mac.psaux.Psaux, mac.pslist.PsList,
mac.pstree.PsTree, mac.tasks.Tasks, mac.timers.Timers, mac.trustedbsd.trustedbsd, timeliner.Timeliner,
windows.callbacks.Callbacks, windows.cmdline.CmdLine, windows.dlldump.DllDump, windows.dlllist.DllList,
windows.driverirp.DriverIrp, windows.driverscan.DriverScan, windows.filescan.FileScan,
windows.handles.Handles, windows.info.Info, windows.malfind.Malfind, windows.moddump.ModDump,
windows.modscan.ModScan, windows.modules.Modules, windows.mutantscan.MutantScan,
windows.poolscanner.PoolScanner, windows.procdump.ProcDump, windows.pslist.PsList,
windows.psscan.PsScan, windows.pstree.PsTree, windows.registry.certificates.Certificates,
windows.registry.hivedump.HiveDump, windows.registry.hivelist.HiveList,
windows.registry.hivescan.HiveScan, windows.registry.printkey.PrintKey,
windows.registry.userassist.UserAssist, windows.ssdt.SSDT, windows.statistics.Statistics,
windows.strings.Strings, windows.svcscan.SvcScan, windows.symlinkscan.SymlinkScan,
windows.vaddump.VadDump, windows.vadinfo.VadInfo, windows.vadyarascan.VadYaraScan,
windows.verinfo.VerInfo, windows.virtmap.VirtMap, yarascan.YaraScan

If you get the error:

OSError: /usr/lib/libyara.so: cannot open shared object file: No such file or directory

run:

ln -s /usr/local/lib/python3.6/dist-packages/usr/lib/libyara.so /usr/lib/libyara.so
# replace python3.6 with your Python version
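Before running vol.py it helps to confirm that the dependencies listed in the requirements section are importable and meet the minimum versions, and to distinguish a missing yara-python from the libyara.so load failure shown above. The checker below is an added example, not part of Volatility 3; the module names, the minimum versions and the status labels are taken from this page, and the assumption that each module exposes a __version__ attribute is mine.

```python
"""Dependency checker for the Volatility 3 requirements listed above.
Added example, not part of the Volatility 3 project."""
import importlib
import platform
import sys

# Minimum versions as stated in the requirements section of this page.
MIN_PYTHON = "3.5.3"
REQUIRED = {"pefile": "2017.8.1"}
OPTIONAL = {"yara": "3.8.0", "capstone": "3.0.0"}   # yara is the module name of yara-python


def parse_version(text):
    """Turn '2017.8.1' or '3.8.0rc1' into a tuple of ints, dropping any trailing tag."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_ok(found, minimum):
    """True when found >= minimum, compared component-wise with shorter tuples zero-padded."""
    a, b = parse_version(found), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def check_module(name, minimum):
    """Return (status, detail) where status is 'ok', 'old', 'missing' or 'broken'."""
    try:
        mod = importlib.import_module(name)
    except ImportError:
        return "missing", "pip install " + ("yara-python" if name == "yara" else name)
    except OSError as exc:
        # yara-python imports but raises OSError when libyara.so cannot be found;
        # that is the "cannot open shared object file" case fixed by the symlink above.
        return "broken", str(exc)
    found = getattr(mod, "__version__", None)   # assumed attribute; absent means unknown
    if found is None:
        return "ok", "version unknown"
    if not version_ok(found, minimum):
        return "old", "%s < %s" % (found, minimum)
    return "ok", found


def run_checks():
    """Check the interpreter plus every required and optional dependency."""
    py = platform.python_version()
    results = {"python": ("ok" if version_ok(py, MIN_PYTHON) else "old", py)}
    for name, minimum in list(REQUIRED.items()) + list(OPTIONAL.items()):
        results[name] = check_module(name, minimum)
    return results


def has_blocking_problem(results):
    """Optional modules may be missing; anything old, broken, or a missing required one blocks."""
    for name, (status, _) in results.items():
        if status in ("old", "broken"):
            return True
        if status == "missing" and name in REQUIRED:
            return True
    return False


if __name__ == "__main__":
    checks = run_checks()
    for name, (status, detail) in checks.items():
        print("%-10s %-8s %s" % (name, status, detail))
    sys.exit(1 if has_blocking_problem(checks) else 0)
```

Run it with the same interpreter you will use for vol.py; a "broken" line for yara points at the libyara.so symlink fix rather than a reinstall.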