Installing volatility3 on Ubuntu
Published: 2019-05-23

Requirements

- Python 3.5.3 or later. https://www.python.org
- Pefile 2017.8.1 or later. https://pypi.org/project/pefile/

Optional Dependencies

- yara-python 3.8.0 or later. https://github.com/VirusTotal/yara-python
- capstone 3.0.0 or later. https://www.capstone-engine.org/download.html

Installation

volatility3 is Python 3 only, so run these with the Python 3 interpreter and its pip (on Ubuntu releases where `python` and `pip` still point at Python 2, use `python3` and `pip3` instead):

pip install pefile
pip install yara-python
git clone https://github.com/volatilityfoundation/volatility3.git
cd volatility3
python setup.py build
python setup.py install

Verification

python3 vol.py -h

Volatility 3 Framework 1.0.0-beta.1
usage: volatility [-h] [-c CONFIG] [--parallelism [{processes,threads,off}]]
                  [-e EXTEND] [-p PLUGIN_DIRS] [-s SYMBOL_DIRS] [-v] [-l LOG]
                  [-o OUTPUT_DIR] [-q] [-r RENDERER] [-f FILE] [--write-config]
                  [--clear-cache] [--single-swap-locations SINGLE_SWAP_LOCATIONS]
                  [--single-location SINGLE_LOCATION]
                  plugin ...

An open-source memory forensics framework

optional arguments:
  -h, --help            show this help message and exit
  -c CONFIG, --config CONFIG
                        Load the configuration from a json file
  --parallelism [{processes,threads,off}]
                        Enables parallelism (defaults to processes if no argument given)
  -e EXTEND, --extend EXTEND
                        Extend the configuration with a new (or changed) setting
  -p PLUGIN_DIRS, --plugin-dirs PLUGIN_DIRS
                        Semi-colon separated list of paths to find plugins
  -s SYMBOL_DIRS, --symbol-dirs SYMBOL_DIRS
                        Semi-colon separated list of paths to find symbols
  -v, --verbosity       Increase output verbosity
  -l LOG, --log LOG     Log output to a file as well as the console
  -o OUTPUT_DIR, --output-dir OUTPUT_DIR
                        Directory in which to output any generated files
  -q, --quiet           Remove progress feedback
  -r RENDERER, --renderer RENDERER
                        Determines how to render the output (quick, csv, pretty, json, jsonl)
  -f FILE, --file FILE  Shorthand for --single-location=file:// if single-location is not defined
  --write-config        Write configuration JSON file out to config.json
  --clear-cache         Clears out all short-term cached items
  --single-swap-locations SINGLE_SWAP_LOCATIONS
                        Specifies a list of swap layer URIs for use with single-location
  --single-location SINGLE_LOCATION
                        Specifies a base location on which to stack

Plugins:
  plugin
    configwriter.ConfigWriter
                        Runs the automagics and both prints and outputs configuration in the output directory.
    frameworkinfo.FrameworkInfo
                        Plugin to list the various modular components of Volatility
    layerwriter.LayerWriter
                        Runs the automagics and writes out the primary layer produced by the stacker.
    linux.bash.Bash     Recovers bash command history from memory.
    linux.check_afinfo.Check_afinfo
                        Verifies the operation function pointers of network protocols.
    linux.check_syscall.Check_syscall
                        Check system call table for hooks.
    linux.elfs.Elfs     Lists all memory mapped ELF files for all processes.
    linux.lsmod.Lsmod   Lists loaded kernel modules.
    linux.lsof.Lsof     Lists all memory maps for all processes.
    linux.malfind.Malfind
                        Lists process memory ranges that potentially contain injected code.
    linux.proc.Maps     Lists all memory maps for all processes.
    linux.pslist.PsList
                        Lists the processes present in a particular linux memory image.
    linux.pstree.PsTree
                        Plugin for listing processes in a tree based on their parent process ID.
    mac.bash.Bash       Recovers bash command history from memory.
    mac.check_syscall.Check_syscall
                        Check system call table for hooks.
    mac.check_sysctl.Check_sysctl
                        Check sysctl handlers for hooks.
    mac.check_trap_table.Check_trap_table
                        Check mach trap table for hooks.
    mac.ifconfig.Ifconfig
                        Lists loaded kernel modules
    mac.lsmod.Lsmod     Lists loaded kernel modules.
    mac.lsof.lsof       Lists all open file descriptors for all processes.
    mac.malfind.Malfind
                        Lists process memory ranges that potentially contain injected code.
    ...

The complete plugin list: configwriter.ConfigWriter, frameworkinfo.FrameworkInfo, layerwriter.LayerWriter, linux.bash.Bash, linux.check_afinfo.Check_afinfo, linux.check_syscall.Check_syscall, linux.elfs.Elfs, linux.lsmod.Lsmod, linux.lsof.Lsof, linux.malfind.Malfind, linux.proc.Maps, linux.pslist.PsList, linux.pstree.PsTree, mac.bash.Bash, mac.check_syscall.Check_syscall, mac.check_sysctl.Check_sysctl, mac.check_trap_table.Check_trap_table, mac.ifconfig.Ifconfig, mac.lsmod.Lsmod, mac.lsof.lsof, mac.malfind.Malfind, mac.netstat.Netstat, mac.proc_maps.Maps, mac.psaux.Psaux, mac.pslist.PsList, mac.pstree.PsTree, mac.tasks.Tasks, mac.timers.Timers, mac.trustedbsd.trustedbsd, timeliner.Timeliner, windows.callbacks.Callbacks, windows.cmdline.CmdLine, windows.dlldump.DllDump, windows.dlllist.DllList, windows.driverirp.DriverIrp, windows.driverscan.DriverScan, windows.filescan.FileScan, windows.handles.Handles, windows.info.Info, windows.malfind.Malfind, windows.moddump.ModDump, windows.modscan.ModScan, windows.modules.Modules, windows.mutantscan.MutantScan, windows.poolscanner.PoolScanner, windows.procdump.ProcDump, windows.pslist.PsList, windows.psscan.PsScan, windows.pstree.PsTree, windows.registry.certificates.Certificates, windows.registry.hivedump.HiveDump, windows.registry.hivelist.HiveList, windows.registry.hivescan.HiveScan, windows.registry.printkey.PrintKey, windows.registry.userassist.UserAssist, windows.ssdt.SSDT, windows.statistics.Statistics, windows.strings.Strings, windows.svcscan.SvcScan, windows.symlinkscan.SymlinkScan, windows.vaddump.VadDump, windows.vadinfo.VadInfo, windows.vadyarascan.VadYaraScan, windows.verinfo.VerInfo, windows.virtmap.VirtMap, yarascan.YaraScan

If you get the error:

OSError: /usr/lib/libyara.so: cannot open shared object file: No such file or directory

the `yara` Python module cannot find the shared library it was built against. The pip-installed yara-python wheel ships its own copy under the site-packages directory; check that the file actually exists there with `ls` before linking it, then run:

ln -s /usr/local/lib/python3.6/dist-packages/usr/lib/libyara.so /usr/lib/libyara.so   # replace python3.6 with your Python version
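A small pre-flight script for the steps above, added here as an example and not part of the original post or of the volatility3 project: it checks the interpreter against the "Python 3.5.3 or later" requirement with a proper dotted-version comparison (so 3.10 is not judged older than 3.5), and locates libyara.so under a given site-packages tree instead of hard-coding the python3.6 path, printing the `ln -s` command the fix needs. The `preflight` entry point assumes `python3` is on PATH and that `sysconfig.get_paths()["purelib"]` is the directory pip installed yara-python into (on Ubuntu this is typically the dist-packages directory the post refers to); these are assumptions, not facts from the post.

```shell
#!/bin/sh
# Added example, not code from the original post or the volatility3 project.

# version_ge HAVE WANT
# Exit 0 when dotted version HAVE is >= WANT, comparing field by field as
# integers (3.10.0 >= 3.5.3 is true; a plain string compare would get it wrong).
# Any suffix after the first non-digit/non-dot character (e.g. "rc1") is dropped.
version_ge() {
    have=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    want=$(printf '%s' "$2" | sed 's/[^0-9.].*//')
    i=1
    while :; do
        a=$(printf '%s' "$have" | cut -d. -f"$i")
        b=$(printf '%s' "$want" | cut -d. -f"$i")
        # Both versions exhausted with no difference found: equal.
        [ -z "$a" ] && [ -z "$b" ] && return 0
        a=${a:-0}
        b=${b:-0}
        [ "$a" -gt "$b" ] && return 0
        [ "$a" -lt "$b" ] && return 1
        i=$((i + 1))
    done
}

# find_libyara SEARCH_ROOT
# Print the first libyara.so* found anywhere under SEARCH_ROOT; exit 1 if none.
# This replaces the hard-coded /usr/local/lib/python3.6/dist-packages/usr/lib
# path from the post with a search, so it works for whatever Python you have.
find_libyara() {
    root="$1"
    found=$(find "$root" -name 'libyara.so*' 2>/dev/null | head -n 1)
    [ -n "$found" ] || return 1
    printf '%s\n' "$found"
}

# preflight
# Report whether the running python3 satisfies the requirement and where
# libyara lives, suggesting the symlink command from the post if it is found.
# Assumption: python3 is on PATH and its purelib dir is where pip installed
# yara-python (the dist-packages directory on Ubuntu).
preflight() {
    pyver=$(python3 -c 'import sys; print("%d.%d.%d" % sys.version_info[:3])') || return 1
    if version_ge "$pyver" 3.5.3; then
        echo "python3 $pyver: ok (>= 3.5.3)"
    else
        echo "python3 $pyver: too old, volatility3 needs 3.5.3 or later"
    fi
    site=$(python3 -c 'import sysconfig; print(sysconfig.get_paths()["purelib"])')
    if lib=$(find_libyara "$site"); then
        echo "libyara found: $lib"
        echo "if 'import yara' fails with the OSError from the post, run:"
        echo "  sudo ln -s $lib /usr/lib/libyara.so"
    else
        echo "no libyara.so under $site (yara-python may be linked against a system libyara)"
    fi
}

# Run the checks only when invoked with --check, so the functions can also be sourced.
case "${1:-}" in
    --check) preflight ;;
esac
```

Run it as `sh preflight.sh --check` after the `pip install` steps; if it prints the `ln -s` line, that is the same fix the post gives, with the path filled in for your interpreter rather than assumed to be python3.6.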

Reprinted from: http://roben.baihongyu.com/
