windows.svcscan plugin not working #954

Closed
YavanKumar2 opened this issue May 13, 2023 · 5 comments

Comments


YavanKumar2 commented May 13, 2023

I have my Kali Linux on AWS cloud. When I try to run windows.svcscan on cridex.vmem (which is a well-known memory dump) using the

command: vol.py -f cridex.vmem windows.svcscan

I am getting the following error:

Volatility 3 Framework 2.4.2
usage: volatility [-h] [-c CONFIG] [--parallelism [{processes,threads,off}]] [-e EXTEND] [-p PLUGIN_DIRS] [-s SYMBOL_DIRS] [-v]
[-l LOG] [-o OUTPUT_DIR] [-q] [-r RENDERER] [-f FILE] [--write-config] [--save-config SAVE_CONFIG]
[--clear-cache] [--cache-path CACHE_PATH] [--offline] [--single-location SINGLE_LOCATION]
[--stackers [STACKERS ...]] [--single-swap-locations [SINGLE_SWAP_LOCATIONS ...]]
plugin ...
volatility: error: argument plugin: invalid choice windows.svcscan (choose from banners.Banners, configwriter.ConfigWriter, frameworkinfo.FrameworkInfo, isfinfo.IsfInfo, layerwriter.LayerWriter, linux.bash.Bash, linux.check_afinfo.Check_afinfo, linux.check_creds.Check_creds, linux.check_idt.Check_idt, linux.check_modules.Check_modules, linux.check_syscall.Check_syscall, linux.elfs.Elfs, linux.envars.Envars, linux.envvars.Envvars, linux.iomem.IOMem, linux.keyboard_notifiers.Keyboard_notifiers, linux.kmsg.Kmsg, linux.lsmod.Lsmod, linux.lsof.Lsof, linux.malfind.Malfind, linux.mountinfo.MountInfo, linux.proc.Maps, linux.psaux.PsAux, linux.pslist.PsList, linux.psscan.PsScan, linux.pstree.PsTree, linux.sockstat.Sockstat, linux.tty_check.tty_check, mac.bash.Bash, mac.check_syscall.Check_syscall, mac.check_sysctl.Check_sysctl, mac.check_trap_table.Check_trap_table, mac.ifconfig.Ifconfig, mac.kauth_listeners.Kauth_listeners, mac.kauth_scopes.Kauth_scopes, mac.kevents.Kevents, mac.list_files.List_Files, mac.lsmod.Lsmod, mac.lsof.Lsof, mac.malfind.Malfind, mac.mount.Mount, mac.netstat.Netstat, mac.proc_maps.Maps, mac.psaux.Psaux, mac.pslist.PsList, mac.pstree.PsTree, mac.socket_filters.Socket_filters, mac.timers.Timers, mac.trustedbsd.Trustedbsd, mac.vfsevents.VFSevents, timeliner.Timeliner, windows.bigpools.BigPools, windows.cachedump.Cachedump, windows.callbacks.Callbacks, windows.cmdline.CmdLine, windows.crashinfo.Crashinfo, windows.devicetree.DeviceTree, windows.dlllist.DllList, windows.driverirp.DriverIrp, windows.drivermodule.DriverModule, windows.driverscan.DriverScan, windows.dumpfiles.DumpFiles, windows.envars.Envars, windows.filescan.FileScan, windows.getservicesids.GetServiceSIDs, windows.getsids.GetSIDs, windows.handles.Handles, windows.hashdump.Hashdump, windows.info.Info, windows.joblinks.JobLinks, windows.ldrmodules.LdrModules, windows.lsadump.Lsadump, windows.malfind.Malfind, windows.mbrscan.MBRScan, windows.memmap.Memmap, windows.modscan.ModScan, 
windows.modules.Modules, windows.mutantscan.MutantScan, windows.netscan.NetScan, windows.netstat.NetStat, windows.poolscanner.PoolScanner, windows.privileges.Privs, windows.pslist.PsList, windows.psscan.PsScan, windows.pstree.PsTree, windows.registry.certificates.Certificates, windows.registry.hivelist.HiveList, windows.registry.hivescan.HiveScan, windows.registry.printkey.PrintKey, windows.registry.userassist.UserAssist, windows.sessions.Sessions, windows.skeleton_key_check.Skeleton_Key_Check, windows.ssdt.SSDT, windows.statistics.Statistics, windows.strings.Strings, windows.symlinkscan.SymlinkScan, windows.vadinfo.VadInfo, windows.vadwalk.VadWalk, windows.verinfo.VerInfo, windows.virtmap.VirtMap)

So I tried this command suggested by ChatGPT to know if any plugins failed to load:

command: vol.py -vvv --help

I got the following plugins which could not be loaded:

The following plugins could not be loaded (use -vv to see why): volatility3.plugins.windows.mftscan,
volatility3.plugins.windows.svcscan, volatility3.plugins.windows.vadyarascan, volatility3.plugins.yarascan

To get a more verbose output on the error I used -vv:

command: vol.py -f cridex.vmem -vv

and got the following error:

Volatility 3 Framework 2.4.2
INFO volatility3.cli: Volatility plugins path: ['/home/kali/volatility3/volatility3/plugins', '/home/kali/volatility3/volatility3/framework/plugins']
INFO volatility3.cli: Volatility symbols path: ['/home/kali/volatility3/volatility3/symbols', '/home/kali/volatility3/volatility3/framework/symbols']
INFO volatility3.plugins.yarascan: Python Yara (>3.8.0) module not found, plugin (and dependent plugins) not available
DEBUG volatility3.framework: Traceback (most recent call last):
File "/home/kali/volatility3/volatility3/framework/__init__.py", line 185, in import_file
importlib.import_module(module)
File "/usr/lib/python3.11/importlib/__init__.py", line 126, in import_module
return _bootstrap._gcd_import(name[level:], package, level)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "", line 1206, in _gcd_import
File "", line 1178, in _find_and_load
File "", line 1149, in _find_and_load_unlocked
File "", line 690, in _load_unlocked
File "", line 940, in exec_module
File "", line 241, in _call_with_frames_removed
File "/home/kali/volatility3/volatility3/framework/plugins/yarascan.py", line 20, in
raise ImportError
ImportError

DEBUG volatility3.framework: Failed to import module volatility3.plugins.yarascan based on file: /home/kali/volatility3/volatility3/framework/plugins/yarascan.py
INFO volatility3.plugins.yarascan: Python Yara (>3.8.0) module not found, plugin (and dependent plugins) not available
DEBUG volatility3.framework: Traceback (most recent call last):
File "/home/kali/volatility3/volatility3/framework/__init__.py", line 185, in import_file
importlib.import_module(module)
File "/usr/lib/python3.11/importlib/__init__.py", line 126, in import_module
return _bootstrap._gcd_import(name[level:], package, level)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "", line 1206, in _gcd_import
File "", line 1178, in _find_and_load
File "", line 1149, in _find_and_load_unlocked
File "", line 690, in _load_unlocked
File "", line 940, in exec_module
File "", line 241, in _call_with_frames_removed
File "/home/kali/volatility3/volatility3/framework/plugins/windows/vadyarascan.py", line 11, in
from volatility3.plugins import yarascan
File "/home/kali/volatility3/volatility3/framework/plugins/yarascan.py", line 20, in
raise ImportError
ImportError

DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.vadyarascan based on file: /home/kali/volatility3/volatility3/framework/plugins/windows/vadyarascan.py
INFO volatility3.plugins.yarascan: Python Yara (>3.8.0) module not found, plugin (and dependent plugins) not available
DEBUG volatility3.framework: Traceback (most recent call last):
File "/home/kali/volatility3/volatility3/framework/__init__.py", line 185, in import_file
importlib.import_module(module)
File "/usr/lib/python3.11/importlib/__init__.py", line 126, in import_module
return _bootstrap._gcd_import(name[level:], package, level)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "", line 1206, in _gcd_import
File "", line 1178, in _find_and_load
File "", line 1149, in _find_and_load_unlocked
File "", line 690, in _load_unlocked
File "", line 940, in exec_module
File "", line 241, in _call_with_frames_removed
File "/home/kali/volatility3/volatility3/framework/plugins/windows/mftscan.py", line 13, in
from volatility3.plugins import timeliner, yarascan
File "/home/kali/volatility3/volatility3/framework/plugins/yarascan.py", line 20, in
raise ImportError
ImportError

DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.mftscan based on file: /home/kali/volatility3/volatility3/framework/plugins/windows/mftscan.py
INFO volatility3.plugins.yarascan: Python Yara (>3.8.0) module not found, plugin (and dependent plugins) not available
DEBUG volatility3.framework: Traceback (most recent call last):
File "/home/kali/volatility3/volatility3/framework/__init__.py", line 185, in import_file
importlib.import_module(module)
File "/usr/lib/python3.11/importlib/__init__.py", line 126, in import_module
return _bootstrap._gcd_import(name[level:], package, level)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "", line 1206, in _gcd_import
File "", line 1178, in _find_and_load
File "", line 1149, in _find_and_load_unlocked
File "", line 690, in _load_unlocked
File "", line 940, in exec_module
File "", line 241, in _call_with_frames_removed
File "/home/kali/volatility3/volatility3/framework/plugins/windows/svcscan.py", line 16, in
from volatility3.plugins.windows import poolscanner, vadyarascan, pslist
File "/home/kali/volatility3/volatility3/framework/plugins/windows/vadyarascan.py", line 11, in
from volatility3.plugins import yarascan
File "/home/kali/volatility3/volatility3/framework/plugins/yarascan.py", line 20, in
raise ImportError
ImportError

DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.svcscan based on file: /home/kali/volatility3/volatility3/framework/plugins/windows/svcscan.py
INFO volatility3.cli: The following plugins could not be loaded (use -vv to see why): volatility3.plugins.windows.mftscan, volatility3.plugins.windows.svcscan, volatility3.plugins.windows.vadyarascan, volatility3.plugins.yarascan
usage: volatility [-h] [-c CONFIG] [--parallelism [{processes,threads,off}]] [-e EXTEND] [-p PLUGIN_DIRS] [-s SYMBOL_DIRS] [-v]
[-l LOG] [-o OUTPUT_DIR] [-q] [-r RENDERER] [-f FILE] [--write-config] [--save-config SAVE_CONFIG]
[--clear-cache] [--cache-path CACHE_PATH] [--offline] [--single-location SINGLE_LOCATION]
[--stackers [STACKERS ...]] [--single-swap-locations [SINGLE_SWAP_LOCATIONS ...]]
plugin ...
volatility: error: argument plugin: invalid choice windows.svcscan (choose from banners.Banners, configwriter.ConfigWriter, frameworkinfo.FrameworkInfo, isfinfo.IsfInfo, layerwriter.LayerWriter, linux.bash.Bash, linux.check_afinfo.Check_afinfo, linux.check_creds.Check_creds, linux.check_idt.Check_idt, linux.check_modules.Check_modules, linux.check_syscall.Check_syscall, linux.elfs.Elfs, linux.envars.Envars, linux.envvars.Envvars, linux.iomem.IOMem, linux.keyboard_notifiers.Keyboard_notifiers, linux.kmsg.Kmsg, linux.lsmod.Lsmod, linux.lsof.Lsof, linux.malfind.Malfind, linux.mountinfo.MountInfo, linux.proc.Maps, linux.psaux.PsAux, linux.pslist.PsList, linux.psscan.PsScan, linux.pstree.PsTree, linux.sockstat.Sockstat, linux.tty_check.tty_check, mac.bash.Bash, mac.check_syscall.Check_syscall, mac.check_sysctl.Check_sysctl, mac.check_trap_table.Check_trap_table, mac.ifconfig.Ifconfig, mac.kauth_listeners.Kauth_listeners, mac.kauth_scopes.Kauth_scopes, mac.kevents.Kevents, mac.list_files.List_Files, mac.lsmod.Lsmod, mac.lsof.Lsof, mac.malfind.Malfind, mac.mount.Mount, mac.netstat.Netstat, mac.proc_maps.Maps, mac.psaux.Psaux, mac.pslist.PsList, mac.pstree.PsTree, mac.socket_filters.Socket_filters, mac.timers.Timers, mac.trustedbsd.Trustedbsd, mac.vfsevents.VFSevents, timeliner.Timeliner, windows.bigpools.BigPools, windows.cachedump.Cachedump, windows.callbacks.Callbacks, windows.cmdline.CmdLine, windows.crashinfo.Crashinfo, windows.devicetree.DeviceTree, windows.dlllist.DllList, windows.driverirp.DriverIrp, windows.drivermodule.DriverModule, windows.driverscan.DriverScan, windows.dumpfiles.DumpFiles, windows.envars.Envars, windows.filescan.FileScan, windows.getservicesids.GetServiceSIDs, windows.getsids.GetSIDs, windows.handles.Handles, windows.hashdump.Hashdump, windows.info.Info, windows.joblinks.JobLinks, windows.ldrmodules.LdrModules, windows.lsadump.Lsadump, windows.malfind.Malfind, windows.mbrscan.MBRScan, windows.memmap.Memmap, windows.modscan.ModScan, 
windows.modules.Modules, windows.mutantscan.MutantScan, windows.netscan.NetScan, windows.netstat.NetStat, windows.poolscanner.PoolScanner, windows.privileges.Privs, windows.pslist.PsList, windows.psscan.PsScan, windows.pstree.PsTree, windows.registry.certificates.Certificates, windows.registry.hivelist.HiveList, windows.registry.hivescan.HiveScan, windows.registry.printkey.PrintKey, windows.registry.userassist.UserAssist, windows.sessions.Sessions, windows.skeleton_key_check.Skeleton_Key_Check, windows.ssdt.SSDT, windows.statistics.Statistics, windows.strings.Strings, windows.symlinkscan.SymlinkScan, windows.vadinfo.VadInfo, windows.vadwalk.VadWalk, windows.verinfo.VerInfo, windows.virtmap.VirtMap)

It mostly mentions that the Python Yara (>3.8.0) module was not found, but yara-python is installed in my Kali, as I am getting the following output when I run "pip show yara-python":

Output:
Name: yara-python
Version: 4.3.0
Summary: Python interface for YARA
Home-page: https://github.com/VirusTotal/yara-python
Author: Victor M. Alvarez
Author-email: [email protected], [email protected]
License: Apache 2.0
Location: /usr/local/lib/python3.11/dist-packages/yara_python-4.3.0-py3.11-linux-x86_64.egg
Requires:
Required-by:

I even installed requirements.txt using pip install -r requirements.txt, but still could not resolve the error,

and found that all the requirements are installed using "pip list".

Output:
Package Version


attrs 22.2.0
awscli 2.9.19
awscrt 1.0.0.dev0
blinker 1.5
boto 2.49.0
capstone 4.0.2
certifi 2022.9.24
chardet 5.1.0
charset-normalizer 3.0.1
cloud-init 22.4.2
colorama 0.4.6
configobj 5.0.8
cryptography 38.0.4
cupshelpers 1.0
dbus-python 1.3.2
distro 1.8.0
distro-info 1.5
docutils 0.19
httplib2 0.20.4
idna 3.3
Jinja2 3.0.3
jmespath 1.0.1
jsonpatch 1.32
jsonpointer 2.3
jsonschema 4.10.3
kali-tweaks 2023.1.5
lazr.restfulclient 0.14.5
lazr.uri 1.0.6
leechcorepyc 2.14.4
MarkupSafe 2.1.2
netifaces 0.11.0
oauthlib 3.2.2
pefile 2023.2.7
pip 23.0.1
prompt-toolkit 3.0.36
pyasn1 0.4.8
pycairo 1.20.1
pycryptodome 3.17
pycups 2.0.1
PyGObject 3.42.2
PyJWT 2.6.0
pyparsing 3.0.9
pyrsistent 0.18.1
pyserial 3.5
pysmbc 1.0.23
python-apt 2.5.3
python-dateutil 2.8.2
pyxdg 0.28
PyYAML 6.0
requests 2.28.1
roman 3.3
ruamel.yaml 0.17.21
ruamel.yaml.clib 0.2.7
setuptools 66.1.1
six 1.16.0
unattended-upgrades 0.1
urllib3 1.26.12
volatility3 2.4.1
wadllib 1.3.6
wcwidth 0.2.5
wheel 0.38.4
xdg 5
yara 1.7.7
yara-python 4.3.0
yara-python 4.3.0

Member

ikelos commented Jul 23, 2023

Hiya, sorry about the delay in responding. The yara check happens here. Please could you start the same python that you'd run volatility with, and run import yara and then yara.__version__ and please let us know the output? That should return a tuple that in your case I'd expect to be (4,3,0), but it seems not to be for some reason, and it's not clear why.


phy-development commented Nov 12, 2023

I have the same issue on the latest Kali Linux for VirtualBox when I install volatility3 2.5.2.
The Yara version is 1.7.7,
and yara-python is also installed:
┌──(kali㉿kali)-[~/volatility3]
└─$ pip3 install -r requirements.txt
Defaulting to user installation because normal site-packages is not writeable
DEPRECATION: Loading egg at /usr/local/lib/python3.11/dist-packages/volatility3-2.5.2-py3.11.egg is deprecated. pip 24.3 will enforce this behaviour change. A possible replacement is to use pip for package installation.. Discussion can be found at pypa/pip#12330
Requirement already satisfied: pefile>=2017.8.1 in /usr/lib/python3/dist-packages (from -r requirements.txt (line 2)) (2023.2.7)
Requirement already satisfied: yara-python>=3.8.0 in /usr/lib/python3/dist-packages (from -r requirements.txt (line 8)) (4.3.1)
Requirement already satisfied: capstone>=3.0.5 in /home/kali/.local/lib/python3.11/site-packages (from -r requirements.txt (line 12)) (5.0.1)
Requirement already satisfied: pycryptodome in /home/kali/.local/lib/python3.11/site-packages (from -r requirements.txt (line 15)) (3.19.0)
Requirement already satisfied: leechcorepyc>=2.4.0 in /home/kali/.local/lib/python3.11/site-packages (from -r requirements.txt (line 18)) (2.16.5)

Member

ikelos commented Nov 15, 2023

Yep, yara version 1.7.7 is not the right version. As you can see here, the latest version of yara is 4.3.2. As the error message points out, you need at least yara 3.8.0 or above. The original Python package for the old version of yara was just called yara. Rather than keeping the name, they've left that on PyPI and it causes a lot of confusion. The new Python bindings are in the yara-python pip package, which cannot be installed at the same time as the old pip package of yara or the packages will conflict. The latest version of yara-python is 4.3.1. Please ensure you do NOT have the Python pip package called yara (version 1.7.7) installed.
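The two manual checks discussed in this thread (importing `yara` and reading `yara.__version__`, and looking for the obsolete `yara` distribution next to `yara-python` in `pip list`) as an added, self-contained example. This is not Volatility's own code: the 3.8.0 floor is taken from the error message quoted above, the function names are my own, and the `pip list` excerpt is a constructed sample modelled on the one in the original report.

```python
"""Diagnose the yara / yara-python mix-up discussed in this issue.

Added example, not part of the Volatility project. It mirrors two manual
checks: importing `yara` and reading `yara.__version__`, and scanning
`pip list` output for the obsolete `yara` distribution next to
`yara-python`. The 3.8.0 floor comes from the error message; the function
names and the sample `pip list` excerpt are constructed here.
"""
import re
from importlib import import_module

MIN_YARA = (3, 8, 0)  # lower bound named in Volatility's error message


def parse_version(value):
    """Normalise a version value to a 3-tuple of ints.

    yara-python exposes __version__ as a tuple such as (4, 3, 0); pip and
    most packages use strings such as "1.7.7". Non-numeric parts are dropped
    and missing components are padded with zeros so tuples compare sanely.
    """
    if isinstance(value, tuple):
        parts = [int(p) for p in value]
    else:
        parts = [int(p) for p in re.findall(r"\d+", str(value))]
    return tuple((parts + [0, 0, 0])[:3])


def yara_version_ok(value, minimum=MIN_YARA):
    """True when `value` satisfies the yara-python >= 3.8.0 requirement."""
    return parse_version(value) >= minimum


def probe_yara():
    """Import yara the way Volatility would and report (found, version, ok).

    Never raises: a missing module yields (False, None, False) so the
    function can be used from a health-check script.
    """
    try:
        yara = import_module("yara")
    except ImportError:
        return (False, None, False)
    raw = getattr(yara, "__version__", None)
    if raw is None:
        return (True, None, False)
    version = parse_version(raw)
    return (True, version, version >= MIN_YARA)


PIP_LINE = re.compile(r"^(?P<name>[A-Za-z0-9_.\-]+)\s+(?P<version>\S+)$")


def parse_pip_list(text):
    """Turn `pip list` output into {normalised-name: version}.

    Names are folded the way pip does (lower-case, runs of '-', '_' and '.'
    collapsed to '-') so 'Yara_Python' and 'yara-python' match.
    """
    packages = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("Package", "---")):
            continue
        m = PIP_LINE.match(line)
        if m:
            name = re.sub(r"[-_.]+", "-", m.group("name")).lower()
            packages[name] = m.group("version")
    return packages


def diagnose(packages):
    """Return human-readable findings about the yara bindings in `packages`."""
    findings = []
    old = packages.get("yara")
    new = packages.get("yara-python")
    if old is not None:
        findings.append(f"obsolete 'yara' distribution {old} is installed; uninstall it")
    if new is None:
        findings.append("'yara-python' distribution is not installed")
    elif not yara_version_ok(new):
        findings.append(f"yara-python {new} is older than 3.8.0")
    if old is not None and new is not None:
        findings.append("'yara' and 'yara-python' both provide the 'yara' module and conflict")
    return findings


# Constructed excerpt modelled on the pip list posted in the original report.
SAMPLE_PIP_LIST = """\
Package       Version
------------- -------
pefile        2023.2.7
volatility3   2.4.1
yara          1.7.7
yara-python   4.3.0
"""

if __name__ == "__main__":
    for finding in diagnose(parse_pip_list(SAMPLE_PIP_LIST)):
        print("-", finding)
    print("live probe:", probe_yara())
```

Run it with the same interpreter that executes vol.py; `probe_yara()` reports what that interpreter actually imports, which is what matters when packages were installed into different site-packages directories (user versus system-wide).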


phy-development commented Nov 15, 2023

I see. It happened that I had the "yara" package installed for both volatility 2 and 3 (I need both versions of volatility for some reasons).
To add more confusion, I had "yara-python" installed in python3 with sudo but "yara" without sudo. Maybe that is the same problem the person that wrote the thread had, because in his log I can see both yara and yara-python.
So now volatility 2 uses yara and pycrypto, while volatility 3 uses yara-python and pycryptodome.
It seems to be working now. Thanks.

Member

ikelos commented Nov 15, 2023

Thanks for letting me know you got this working. I'm going to close off the issue, but please feel free to reopen it if you feel the issue is still present...

@ikelos ikelos closed this as completed Nov 15, 2023