Tuesday, March 22, 2011

Volatility 1.4 get_plugins Script

For those who can't wait for the official release of 1.4: I've updated the Volatility Full Dev Installation Wiki to include installation on Linux.

In case you want to automate the installation, you can use the new get_plugins script. I've only tested it on Mac OS X and Ubuntu, but it should still install the dependencies and Volatility 1.4 on other Linux distributions (provided that you already have supporting libraries such as libpcre installed). Feel free to look at the code before running it, though :-)

Caveat: there is still an issue with the Distorm3 library on Mac OS X, so you'll have to compile and install that one manually.

6 comments:

Anonymous said...

Hello,

For the Linux install, shouldn't it read:
$ wget http://distorm.googlecode.com/files/distorm3.zip
$ unzip distorm3.zip
$ cd distorm3/Python <--
$ python setup.py build
$ sudo python setup.py build install

Not, cd distorm3?

Also, distorm3 doesn't want to build on x64.
Error: unsupported platform (linux-x86_64)

Thanks.

Chris

Jamie Levy said...

Actually this should be correct. Once you unzip the distorm3.zip file, you should have everything contained in a distorm3 folder.

All that is in the distorm3/python directory is:

$ unzip distorm3.zip
$ tree distorm3
distorm3
│
[snip]
├── python
│   └── distorm3
│       ├── __init__.py
│       └── sample.py


The setup script is just in the root level of distorm3 after you download it.

Interesting that it doesn't want to build on x64 though. I had forgotten to test that. Thanks for letting me know.

Jamie Levy said...

What I meant is that the instructions for the Linux install are correct as is...

Anonymous said...

Cool. Apparently my version from a few months ago is different. And, it compiles on x64 now. Thanks.

Curious, on Ubuntu do you find issues with Yara not being found by Volatility? I do.

Chris

Jamie Levy said...

If you look at Yara's readme you will see a couple of extra steps (also included in the script) that you have to do to get Yara to be recognized:

# echo "/usr/local/lib" >> /etc/ld.so.conf
# ldconfig
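An added post-install check, written for this page and not taken from the original post, the get_plugins script or Volatility. It covers both the dependency installation the post automates and the ld.so.conf step quoted above: it tries the imports Volatility 1.4 needs and tells you whether /usr/local/lib (where a source build of libyara installs) is actually on the dynamic loader's search path. The import names distorm3, yara and Crypto are an assumption about what Volatility looks for, and the ld.so.conf text embedded below is a constructed sample, not copied from any distribution; run as a script it checks the real /etc/ld.so.conf and the loader cache on the host.

```python
"""Post-install check for Volatility 1.4's optional dependencies.

Added example: not code from the original post, get_plugins or Volatility.
Checks (1) that distorm3, yara-python and pycrypto import under the
interpreter that will run Volatility and (2) that /usr/local/lib is on
the dynamic loader's search path (the ld.so.conf step in the yara README).
Import names are assumed; the sample ld.so.conf text is constructed.
"""
import ctypes.util
import fnmatch
import glob
import importlib
import os

# Import names (not package names) of the optional libraries (assumed).
OPTIONAL_MODULES = ("distorm3", "yara", "Crypto")


def check_imports(modules=OPTIONAL_MODULES):
    """Try each import and return {name: (ok, message)}.

    A failed yara import usually names the missing shared object (libyara),
    which is how a loader-path problem shows up from Python's side.
    """
    report = {}
    for name in modules:
        try:
            importlib.import_module(name)
            report[name] = (True, "ok")
        except ImportError as exc:
            report[name] = (False, str(exc))
    return report


def loader_dirs(conf_text, include_resolver=None):
    """Parse ld.so.conf-style text into the directories it names.

    '#' starts a comment, 'hwcap' lines are skipped, and 'include PATTERN'
    lines are expanded via include_resolver(pattern) -> list of file texts,
    so the same parser runs on real files or on constructed samples.
    """
    dirs = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("hwcap "):
            continue
        if line.startswith("include "):
            pattern = line[len("include "):].strip()
            if include_resolver is not None:
                for text in include_resolver(pattern):
                    dirs.extend(loader_dirs(text, include_resolver))
            continue
        dirs.append(line)
    return dirs


def is_on_loader_path(directory, conf_text, include_resolver=None,
                      ld_library_path=""):
    """True if the conf (includes expanded) or LD_LIBRARY_PATH names directory."""
    wanted = os.path.normpath(directory)
    configured = {os.path.normpath(d)
                  for d in loader_dirs(conf_text, include_resolver)}
    env = {os.path.normpath(p) for p in ld_library_path.split(":") if p}
    return wanted in configured or wanted in env


def read_include_files(pattern):
    """Resolve an 'include' pattern on the real filesystem; relative
    patterns are taken relative to /etc, as ldconfig does."""
    if not os.path.isabs(pattern):
        pattern = os.path.join("/etc", pattern)
    contents = []
    for path in sorted(glob.glob(pattern)):
        with open(path) as fh:
            contents.append(fh.read())
    return contents


# Constructed sample: a conf that only pulls in a drop-in directory, and
# the same conf after `echo "/usr/local/lib" >> /etc/ld.so.conf`.
SAMPLE_DROPINS = {
    "/etc/ld.so.conf.d/zz-arch.conf": "/lib/x86_64-linux-gnu\n/usr/lib/x86_64-linux-gnu\n",
}
SAMPLE_BEFORE = "include /etc/ld.so.conf.d/*.conf\n"
SAMPLE_AFTER = SAMPLE_BEFORE + "/usr/local/lib\n"


def sample_resolver(pattern):
    """In-memory stand-in for read_include_files, used with the samples."""
    return [text for path, text in SAMPLE_DROPINS.items()
            if fnmatch.fnmatch(path, pattern)]


def main():
    for name, (ok, msg) in sorted(check_imports().items()):
        print("%-10s %s" % (name, "ok" if ok else "MISSING: " + msg))
    # ctypes consults ldconfig's cache on Linux, so this also tells you
    # whether `ldconfig` was re-run after the conf was edited.
    print("libyara via loader: %s" % (ctypes.util.find_library("yara") or "not found"))
    if os.path.exists("/etc/ld.so.conf"):
        with open("/etc/ld.so.conf") as fh:
            conf = fh.read()
        print("/usr/local/lib on loader path: %s" % is_on_loader_path(
            "/usr/local/lib", conf, read_include_files,
            os.environ.get("LD_LIBRARY_PATH", "")))


if __name__ == "__main__":
    main()
```

Run it with the same python that will run vol.py. If the yara import fails with a message naming libyara.so, the library built fine but the loader cannot find it: either /usr/local/lib is missing from the configuration (the echo line above) or ldconfig has not been re-run since it was added, and the find_library line distinguishes the two.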

Anonymous said...

I probably should have elaborated a bit. I didn't mean to suggest that my yara-python installation was flawed. At times I find that generic Linux installation instructions differ widely from distro to distro, package management notwithstanding.

For example, with yara and yara-python installed, and /usr/local/lib in /etc/ld.so.conf, I got an error message from volatility 1.4_RC1 (from svn) indicating yara could not be found. Only after correctly installing distorm3 did volatility recognize that yara was installed. I hadn't seen that behavior before, and I've installed volatility a number of times, and on various systems. Though, until reading your post -- and the Volatility Full Dev Installation Wiki -- I hadn't tried installing the malware plugins from malwarecookbook.googlecode.com. That's a really nice touch.

I have volatility 1.4_RC1 (from svn) running well on my main system, openSUSE 11.4 x64, my test Ubuntu 10.04 x86 system, and a Windows 7 Pro x64 system. Though, I didn't try the malware plugins on the Windows system yet. Volatility is addictive.

In any case, I greatly appreciate your posts and your contributions to volatility.

Chris