Wednesday, October 21, 2009

Volatility Get Plugins Bash Script

Earlier I had written about all of the known Volatility plugins and how to go about installing them. Now I've decided to make things even easier by including a bash script that will download and install all of these plugins. It will also install pefile, pycrypto and pydasm. I have tested it on a Linux box as well as on a Cygwin installation.

Make sure you are running this as root (or with sudo) if you are doing this under Linux. Also make sure you have Subversion installed.

Prereqs for Cygwin:

Obviously you must have Cygwin installed. In addition to what I have listed in a previous post, you will also need to install:

* wget
* unzip
* svn (subversion)

Hopefully I haven't forgotten anything... let me know if I have.

Simply unzip the bash script into the directory where you want Volatility installed. Then run the script:

$ ./get_plugins.bsh

This bash script removes one of the example files (memory_plugins/example3.py) because it contains a conflicting _EPROCESS definition. If you want that file, simply comment out the remove statement in the script.

You will have to install Inline::Python yourself until I figure out a way to get it installed in a general fashion.
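As an added example (not the original get_plugins.bsh), here is a fail-fast skeleton of the same steps: it refuses to start if wget, unzip or svn are missing, makes the trunk-vs-branch choice a setting instead of an edit, and keeps the example3.py removal behind a variable rather than a commented-out line. The names VOLATILITY_VERSION, KEEP_EXAMPLE3 and the "install DIR" arguments are assumptions; the checkout is assumed to land directly in the chosen directory.

```shell
#!/bin/sh
# Added example, not the post's script. Assumed knobs: VOLATILITY_VERSION, KEEP_EXAMPLE3.
set -eu

SVN_BASE="http://volatility.googlecode.com/svn"

# Verify every tool named as an argument is on PATH; list all that are missing at once.
check_prereqs() {
    missing=""
    for tool in "$@"; do
        command -v "$tool" >/dev/null 2>&1 || missing="$missing $tool"
    done
    if [ -n "$missing" ]; then
        echo "missing prerequisites:$missing" >&2
        return 1
    fi
}

# Print the checkout URL: trunk by default, or a release branch when a version
# such as 1.3.2 is given (the switch discussed in the comments).
volatility_svn_url() {
    if [ $# -eq 0 ] || [ -z "$1" ]; then
        echo "$SVN_BASE/trunk/"
    else
        echo "$SVN_BASE/branches/Volatility-$1/"
    fi
}

# Drop the example plugin with the conflicting _EPROCESS definition,
# unless KEEP_EXAMPLE3=1 is set.
remove_conflicting_example() {
    target="$1/memory_plugins/example3.py"
    if [ "${KEEP_EXAMPLE3:-0}" = 1 ]; then
        echo "keeping $target"
    elif [ -e "$target" ]; then
        rm -f "$target"
        echo "removed $target"
    fi
}

# Network steps only run when invoked as: ./get_plugins.sh install DIR
if [ "${1:-}" = "install" ]; then
    dest="${2:-.}"
    [ "$(id -u)" -eq 0 ] || echo "warning: not root; package installs may fail" >&2
    check_prereqs wget unzip svn
    svn checkout "$(volatility_svn_url "${VOLATILITY_VERSION:-}")" "$dest"
    remove_conflicting_example "$dest"
fi
```

Run it as `VOLATILITY_VERSION=1.3.2 ./get_plugins.sh install /opt/volatility` to get the release branch instead of trunk.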

Let me know if you encounter errors.

6 comments:

johnmccash said...

Jamie,
When running your script under cygwin, I get the following two errors repeated a number of times at different points. Is this significant? (It looks OK...)

error: Unable to find vcvarsall.bat
warning: GMP library not found; Not building Crypto.PublicKey._fastmath.

Thanks
John

JL said...

Hi John,

Thanks for giving it a test.

I think it might have something to do with the gcc compiler you have installed. Which one(s) do you have installed there?

-Jamie

johnmccash said...

$ gcc --version
gcc (GCC) 3.4.4 (cygming special, gdc 0.12, using dmd 0.125)

Also, I notice that the version of Volatility that the script installs is 1.3, rather than the new 1.3.2...

John

JL said...

Hi John,

Do you have Mingw32 installed also? Check out this screen shot of the compilers I have installed.

As for the version of Volatility, you are downloading from the trunk and 1.3.2 has not yet been committed to it. After talking to AAron, I've learned that the next version will actually be 1.3.3 and it will be released soon.

You can check out branch 1.3.2 by changing

http://volatility.googlecode.com/svn/trunk/

to

http://volatility.googlecode.com/svn/branches/Volatility-1.3.2/

in the script

lorgor said...

Working with a fresh Ubuntu 10.10 install. You also need python-dev to be able to install Inline::Python. Also, pydasm was not installed by the script and I had to do this manually. The message on Volatility startup was:
*** Unable to load module usermode_hooks2: No module named pydasm
*** Unable to load module malfind2: No module named pydasm

Regards,

lorgor

JL said...

Thanks for the comment @lorgor. I need to update this script anyway. There was a moment when libdasm wasn't available at the link in the script. I believe a more updated version is available on Google code now: http://code.google.com/p/libdasm/