Comments (12)
memoryforensics1
commented on May 18, 2024
Hi hope you are doing well!!
to use it that way, vol3xp must be inside of the windows plugin directory.
Also if you want to execute it afterwards from other locations, you can (as
long as there is a copy of vol3xp in the windows plugins directory and you
run afterwards setup.py install as well)
Sorry for the inconvenience, we can do a discord call if you like that or
need any explanation/assistant
Anyway, fill free to reach me out with any concern.
have an awesome day!
…On Tue, Feb 21, 2023, 4:08 PM Leonardo van de Weteringh < ***@***.***> wrote:
PS C:\volatility\V3Exp> python3 .\volexp.py
Traceback (most recent call last):
File "C:\volatility\V3Exp\volexp.py", line 16216, in
main()
File "C:\volatility\V3Exp\volexp.py", line 16101, in main
plugin = plugin_list[plugin_name]
~~~~~~~~~~~^^^^^^^^^^^^^
KeyError: 'windows.volexp.Vol3xp'
The plugin is not findable. Could you please fix this issue to make it
work?
~ LvdW
—
Reply to this email directly, view it on GitHub
<#2>, or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AOWFQPN7VGPLHKVHHQHHQCTWYTD4ZANCNFSM6AAAAAAVDC7GKE>
.
You are receiving this because you are subscribed to this thread.Message
ID: ***@***.***>
from vol3xp.
asterictnl-lvdw
commented on May 18, 2024
Hi hope you are doing well!! to use it that way, vol3xp must be inside of the windows plugin directory. Also if you want to execute it afterwards from other locations, you can (as long as there is a copy of vol3xp in the windows plugins directory and you run afterwards setup.py install as well) Sorry for the inconvenience, we can do a discord call if you like that or need any explanation/assistant Anyway, fill free to reach me out with any concern. have an awesome day!
That did work. I had to put it in the C:\volatility\V3Exp\volatility3\plugins\windows folder and run python3 setup.py install
But now I have a question. Does this work as well when I build an .exe? I want to build the volatility.exe executable instead of having a lot of files.
Also Volatility 2 has issues as well, maybe you could look at that issue as well (I will post it on VolExp Repo for you. :)
~ LvdW
from vol3xp.
memoryforensics1
commented on May 18, 2024
I never tried that actually
Only I talk about it a long time ago with ikelos..
Is it normal compilation with py2exe or there is some specific compiler for
volatility?
On Tue, Feb 21, 2023, 4:36 PM Leonardo van de Weteringh <
***@***.***> wrote:
… Hi hope you are doing well!! to use it that way, vol3xp must be inside of
the windows plugin directory. Also if you want to execute it afterwards
from other locations, you can (as long as there is a copy of vol3xp in the
windows plugins directory and you run afterwards setup.py install as well)
Sorry for the inconvenience, we can do a discord call if you like that or
need any explanation/assistant Anyway, fill free to reach me out with any
concern. have an awesome day!
… <#m_-480476933983748337_>
On Tue, Feb 21, 2023, 4:08 PM Leonardo van de Weteringh < *@*.*> wrote:
PS C:\volatility\V3Exp> python3 .\volexp.py Traceback (most recent call
last): File "C:\volatility\V3Exp\volexp.py", line 16216, in main() File
"C:\volatility\V3Exp\volexp.py", line 16101, in main plugin =
plugin_list[plugin_name] ~~~~~~~~~~~^^^^^^^^^^^^^ KeyError:
'windows.volexp.Vol3xp' The plugin is not findable. Could you please fix
this issue to make it work? ~ LvdW — Reply to this email directly, view it
on GitHub <#2 <#2>>, or
unsubscribe
https://github.com/notifications/unsubscribe-auth/AOWFQPN7VGPLHKVHHQHHQCTWYTD4ZANCNFSM6AAAAAAVDC7GKE
<https://github.com/notifications/unsubscribe-auth/AOWFQPN7VGPLHKVHHQHHQCTWYTD4ZANCNFSM6AAAAAAVDC7GKE>
. You are receiving this because you are subscribed to this thread.Message
ID: @.*>
That did work. I had to put it in the
C:\volatility\V3Exp\volatility3\plugins\windows folder and run python3
setup.py install
But now I have a question. Does this work as well when I build an .exe? I
want to build the volatility.exe executable instead of having a lot of
files.
Also Volatility 2 has issues as well, maybe you could look at that issue
as well (I will post it on VolExp Repo for you. :)
~ LvdW
—
Reply to this email directly, view it on GitHub
<#2 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AOWFQPOFGBRMECT7NLATCN3WYTHFFANCNFSM6AAAAAAVDC7GKE>
.
You are receiving this because you commented.Message ID:
***@***.***>
from vol3xp.
asterictnl-lvdw
commented on May 18, 2024
You can simply compile Volatility by running pyinstaller .\vol.spec
I do not see the plugin in the folder unfortunately. Even if I run the above procedure. Maybe you can look at it as well?
~ LvdW
from vol3xp.
memoryforensics1
commented on May 18, 2024
Let me take a look
…On Tue, Feb 21, 2023, 4:51 PM Leonardo van de Weteringh < ***@***.***> wrote:
You can simply compile Volatility by running pyinstaller .\vol.spec
I do not see the plugin in the folder unfortunately. Even if I run the
above procedure. Maybe you can look at it as well?
~ LvdW
—
Reply to this email directly, view it on GitHub
<#2 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AOWFQPKVCFBTJUQD2YMJSG3WYTI7LANCNFSM6AAAAAAVDC7GKE>
.
You are receiving this because you commented.Message ID:
***@***.***>
from vol3xp.
memoryforensics1
commented on May 18, 2024
Works for me as well. (I'm Using python 3.9)
What error do you getting?
On Tue, Feb 21, 2023, 5:04 PM memory forensics <
***@***.***> wrote:
… Let me take a look
On Tue, Feb 21, 2023, 4:51 PM Leonardo van de Weteringh <
***@***.***> wrote:
> You can simply compile Volatility by running pyinstaller .\vol.spec
>
> I do not see the plugin in the folder unfortunately. Even if I run the
> above procedure. Maybe you can look at it as well?
>
> ~ LvdW
>
> —
> Reply to this email directly, view it on GitHub
> <#2 (comment)>,
> or unsubscribe
> <https://github.com/notifications/unsubscribe-auth/AOWFQPKVCFBTJUQD2YMJSG3WYTI7LANCNFSM6AAAAAAVDC7GKE>
> .
> You are receiving this because you commented.Message ID:
> ***@***.***>
>
from vol3xp.
asterictnl-lvdw
commented on May 18, 2024
Can you give me the exact steps you did towards running Vol3exp with an executable?
I use python3.11, but that does not matter because it works with a normal .py.
I am curious about this.
from vol3xp.
asterictnl-lvdw
commented on May 18, 2024
Okay I have found out where to put the scripts to make it execute with the executable. There is only one problem in the code. When the config is saved it calls the non existing .py and since you have the .exe mapped as well to the commands the commands will fail resulting into a lot of garbage data. I will take a look at the script and see if I can get it to work. It would be much easier to directly implement it into the executable and then not having to look at it anymore except when you have a new version with additions or updates you can simply update Volatility and recompile. :)
I will let you know if I get it to work. The same problem I think is with the Volatility 2 script. Once I have version 3 done and both working I will release the instructions for you to properly test it.
~ LvdW
from vol3xp.
asterictnl-lvdw
commented on May 18, 2024
I have encountered the following things:
- There is no proper validation if the .exe is executed or the .py
- The sys.executable is a variable and checks the directory and executable that is running. This is why the .py is not recognized.
- I have removed the splash loading screen. It does not add anything. You could just add a print there to save up memory as it
does not work properly with vol.exe compiled as an executable it seems that the code points to a non-existing command
Because you will call python3 first which is saved somewhere in a Windows folder. What you could do to make that code more clean is to replace the sys.executable with python3 so the CLI will handle it properly:
This can be changed by creating a validation above 'self.default_plugin = r'"{}" "{}" -p "{}" -f "{}" {}'.format(sys.executable, vol_path, plugins_path, file_path, plugin_name)'
And appending the vol_path variable with python3 each time you try to run the plugin.
'vol_path' = ('python3 '+ vol_path)
Besides that the rendering to csv does not work properly, thus I have changed into the self.default_plugin to add '-r csv' to the command so the output would be rendered to CSV. I do not know if this causes problems with dump files:
self.default_plugin = r'"{}" -r csv -p "{}" -f "{}" {}'.format(sys.executable, plugins_path, file_path, plugin_name)
self.default_plugin = r'"{}" -r csv -p "{}" -f "{}" {}'.format(vol_path, plugins_path, file_path, plugin_name)
and if the .py is used in the configuration file you must use your default regular script, but add -r csv to it.
This also means that the if not '-r csv' in self.default_plugin is needed anymore unless you encounter issues you can define this at the self.default plugin by validating the plugin_name if it correspond with a plugin that does not support the formatting properly by removing it with .replace
The same applies for your command = r'"{}" -p "{}" -f "{}" {}'.format(permanentdirectory, all_plugins[0], file_path, plugin_name) and command_line = r'"{}" -f "{}" windows.volexp.WinObjGui --GET-DICT "{}"'.format(permanentdirectory, file_path, file_name)
I have used permanentdirectory for now which saves the sys.executable variable into a constant value.
I found this out by adding print ("number") to suspected commands within your code.
If you want I can send you an email with my Discord and send you the file I have tested with for Vol3xp.
Please let me know if you have questions. :)
~ LvdW
from vol3xp.
memoryforensics1
commented on May 18, 2024
Hi
Thanks for your reply.
That's right, I haven't think about the vol executable while develop this
plugins.
So except for the issue you mentioned, did you execute the plugin and view
the results? Was it helpful to you?
Have a nice weekend.
…On Wed, Feb 22, 2023, 2:19 PM Leonardo van de Weteringh < ***@***.***> wrote:
I have encountered the following things:
- There is no proper validation if the .exe is executed or the .py
- The sys.executable is a variable and checks the directory and
executable that is running. This is why the .py is not recognized.
- I have removed the splash loading screen. It does not add anything.
You could just add a print there to save up memory as it
does not work properly with vol.exe compiled as an executable it seems
that the code points to a non-existing command
Because you will call python3 first which is saved somewhere in a
Windows folder. What you could do to make that code more clean is to
replace the sys.executable with python3 so the CLI will handle it properly:
This can be changed by creating a validation above 'self.default_plugin =
r'"{}" "{}" -p "{}" -f "{}" {}'.format(sys.executable, vol_path,
plugins_path, file_path, plugin_name)'
And appending the vol_path variable with python3 each time you try to run
the plugin.
'vol_path' == ('python3 '+ vol_path)
Besides that the rendering to csv does not work properly, thus I have
changed into the self.default_plugin to add '-r csv' to the command so the
output would be rendered to CSV. I do not know if this causes problems with
dump files:
self.default_plugin = r'"{}" -r csv -p "{}" -f "{}"
{}'.format(sys.executable, plugins_path, file_path, plugin_name)
self.default_plugin = r'"{}" -r csv -p "{}" -f "{}" {}'.format(vol_path,
plugins_path, file_path, plugin_name)
and if the .py is used in the configuration file you must use your default
regular script, but add -r csv to it.
This also means that the if not '-r csv' in self.default_plugin is needed
anymore unless you encounter issues you can define this at the self.default
plugin by validating the plugin_name if it correspond with a plugin that
does not support the formatting properly by removing it with .replace
The same applies for your command = r'"{}" -p "{}" -f "{}"
{}'.format(permanentdirectory, all_plugins[0], file_path, plugin_name)
and command_line = r'"{}" -f "{}" windows.volexp.WinObjGui --GET-DICT
"{}"'.format(permanentdirectory, file_path, file_name)
I have used permanentdirectory for now which saves the sys.executable
variable into a constant value.
I found this out by adding print ("number") to suspected commands within
your code.
If you want I can send you an email with my Discord and send you the file
I have tested with for Vol3xp.
Please let me know if you have questions. :)
~ LvdW
—
Reply to this email directly, view it on GitHub
<#2 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AOWFQPO2V6Q5XQISKIH4243WYX73VANCNFSM6AAAAAAVDC7GKE>
.
You are receiving this because you commented.Message ID:
***@***.***>
from vol3xp.
asterictnl-lvdw
commented on May 18, 2024
Yes I did. It seemed to work. I also created a standalone application variant that is able to work. As I said in order to make the plugin work with the .exe you have to modify some parts of the code. Especially when the .exe is run. For the python file you can just use the regular code.
from vol3xp.
memoryforensics1
commented on May 18, 2024
Awesome, hopefully that's will help you find interesting things in the
future (BTW don't forget to use the 4 diffrent plugin related screen In
coloration to find more interested abnormally)
…On Fri, Feb 24, 2023, 11:06 AM Leonardo van de Weteringh < ***@***.***> wrote:
Yes I did. It seemed to work. I also created a standalone application
variant that is able to work. As I said in order to make the plugin work
with the .exe you have to modify some parts of the code. Especially when
the .exe is run. For the python file you can just use the regular code.
@memoryforensics1 <https://github.com/memoryforensics1>
—
Reply to this email directly, view it on GitHub
<#2 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AOWFQPI6DMP7ZHVVSBHXFIDWZB2YBANCNFSM6AAAAAAVDC7GKE>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
from vol3xp.
Related Issues (2)
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from vol3xp.