Kali Linux下Volatility2.6常见问题疑难杂症-信息安全管理与评估
1.1 Python第三方库Crypto和distorm3报错
Volatility为开源项目,旧版本kali不集成此工具,此处用2.6为例,2.6版本是基于python2的环境。
GiitHub地址:https://github.com/volatilityfoundation/volatility
使用python2运行vol.py -f上镜像,发现一堆报错,但是有些功能还是可以正常使用
Volatility Foundation Volatility Framework 2.6.1 *** Failed to import volatility.plugins.registry.shutdown (ImportError: No module named Crypto.Hash) *** Failed to import volatility.plugins.getservicesids (ImportError: No module named Crypto.Hash) *** Failed to import volatility.plugins.timeliner (ImportError: No module named Crypto.Hash) *** Failed to import volatility.plugins.malware.apihooks (NameError: name 'distorm3' is not defined) *** Failed to import volatility.plugins.malware.servicediff (ImportError: No module named Crypto.Hash) *** Failed to import volatility.plugins.registry.userassist (ImportError: No module named Crypto.Hash) *** Failed to import volatility.plugins.getsids (ImportError: No module named Crypto.Hash) *** Failed to import volatility.plugins.registry.shellbags (ImportError: No module named Crypto.Hash) *** Failed to import volatility.plugins.evtlogs (ImportError: No module named Crypto.Hash) *** Failed to import volatility.plugins.registry.shimcache (ImportError: No module named Crypto.Hash) *** Failed to import volatility.plugins.tcaudit (ImportError: No module named Crypto.Hash) *** Failed to import volatility.plugins.registry.dumpregistry (ImportError: No module named Crypto.Hash) *** Failed to import volatility.plugins.registry.lsadump (ImportError: No module named Crypto.Hash) *** Failed to import volatility.plugins.malware.threads (NameError: name 'distorm3' is not defined) *** Failed to import volatility.plugins.mac.apihooks_kernel (ImportError: No module named distorm3) *** Failed to import volatility.plugins.registry.amcache (ImportError: No module named Crypto.Hash) *** Failed to import volatility.plugins.mac.check_syscall_shadow (ImportError: No module named distorm3) *** Failed to import volatility.plugins.malware.svcscan (ImportError: No module named Crypto.Hash) ^[^A*** Failed to import volatility.plugins.registry.auditpol (ImportError: No module named Crypto.Hash) *** Failed to import volatility.plugins.ssdt (NameError: name 'distorm3' is not defined) *** Failed to import volatility.plugins.registry.registryapi (ImportError: No module named Crypto.Hash) *** Failed to import volatility.plugins.mac.apihooks (ImportError: No module named distorm3) *** Failed to import volatility.plugins.envars (ImportError: No module named Crypto.Hash) INFO : volatility.debug : Determining profile based on KDBG search... Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418
由于该kali版本的python2和python3是共存的,但是vol2.6又是基于python2的,所以会导致库有问题。
通过上面的报错分析
ImportError: No module named Crypto.Hash ImportError: No module named distorm3
可以得出我们的Crypto和distorm3有问题(防止小白看不懂我们一个个来分析
由于是python2,所以pip也要用pip2的版本
按正常逻辑一般什么库报错我们就安装什么库,于是小伙伴就pip2 install crypto,虽然库是装上了但是发现一样报错,网上查阅资料发现安装这个库pycrypto,发现一堆报错直接安装不上。
其实Crypto Pycrypto Pycryptodome这三个东西是同一个东西,Crypto 在Python上的名字是叫Pycrypto,是一个第三方库,而Pycrypto作者已经停更了所以会装不上,现在,他来了!!Pycryptodome是Pycrypto的延伸版本,语法都是一样的,所以我们直接
pip2 install pycryptodome
安装好后再次运行Vol发现已经减少了大部分报错了
接下来继续解决distorm3这个库的问题,尝试直接安装,一样安装不上,这里因为distorm3新版本都是基于Python3的,所以我们这边安装老版本的即可
pip2 install distorm3==3.3.4
已经没有报错了。
1.2 Python第三方库pillow报错
后来发现有些题目要求取证线索为当前镜像的截屏,使用screenshot也会报错,发现没有PIL这个库,于是尝试安装,也安装不上。
其实PIL这个库貌似也跑路了,被Pillow代替了,语法也都一样,直接pip2安装即可
pip2 install pillow
由于部分比赛环境限制,不得不采用的kali2021.3 以及 vol2.6的环境来做,本文给大家总结了踩到的坑。
