Vol Community plugs not working - DPAPIck

[whiteknight21]

Hi
I am trying to get the modules used in SANS 508 to work on latest SIFT/Volatility build. Modules like malprocfind, processbl etc. I understand that these are in contrib and community builds and I have followed those instructions but I keep getting errors esp around:

vol.py -f test.raw --profile=Win7SP1x86 --plugins=contrib/plugins malprocfind
Volatility Foundation Volatility Framework 2.6
ERROR : volatility.debug : You must specify something to do (try -h)

also tried specifying specific folder :
vol.py --plugins=/usr/lib/python2.7/dist-packages/volatility/plugin-dir/community -- profile=Win7SP1x86 -f jofrey-vmimage.raw malprocfind
Volatility Foundation Volatility Framework 2.6
*** Failed to import volatility.plugins.MichaelBrown.analysis.create_test_db (ImportError: No module named analysis.create_test_db)
*** Failed to import volatility.plugins.FrankBlock.zsh (ImportError: No module named heap_analysis)
*** Failed to import volatility.plugins.JavierVallejo.symbolizemod (ImportError: No module named enumfunc)
ERROR : volatility.debug : Please install DPAPIck library: https://bitbucket.org/jmichel/dpapick

Various other hacks .. but in all cases I get that DPAPick failure :
ERROR : volatility.debug : Please install DPAPIck library: https://bitbucket.org/jmichel/dpapick

I have tried pip uninstall and reinstall dpapick - but no luck

Can you please tell me how to get these modules working as they do in the SAN 508 VM build ??

Thanks

[gleeda]

You have to specify the —plugins option first: vol.py —plugins=contrib/plugins -f test.raw --profile=Win7SP1x86 malprocfind

[whiteknight21]

Thanks for response, but I am afraid that doesnt work :

$ vol.py —plugins=contrib/plugins -f test.raw --profile=Win7SP1x86 malprocfind
Volatility Foundation Volatility Framework 2.6
ERROR : volatility.debug : You must specify something to do (try -h)

[whiteknight21]

I seem to have solved other problems but I still cant get vol.py to run due to thsi error:

$ vol.py -h
Volatility Foundation Volatility Framework 2.6
ERROR : volatility.debug : Please install DPAPIck library: https://bitbucket.org/jmichel/dpapick

as you can see module is installed

$ pip install dpapick
Requirement already satisfied: dpapick in /usr/local/lib/python2.7/dist-packages
Requirement already satisfied: pyasn1>=0.1.7 in /usr/local/lib/python2.7/dist-packages (from dpapick)
Requirement already satisfied: M2Crypto>=0.21.1 in /usr/local/lib/python2.7/dist-packages (from dpapick)
Requirement already satisfied: CFPropertyList in /usr/local/lib/python2.7/dist-packages (from dpapick)
Requirement already satisfied: python-registry>=1.0.4 in /usr/local/lib/python2.7/dist-packages (from dpapick)
Requirement already satisfied: typing in /usr/local/lib/python2.7/dist-packages (from M2Crypto>=0.21.1->dpapick)
Requirement already satisfied: enum34 in /usr/local/lib/python2.7/dist-packages (from python-registry>=1.0.4->dpapick)

[nov3mb3r]

Same error here

[gleeda]

Just in case, make sure that dpapick is installed for the correct python:

$ cat $(which pip)
#!/usr/bin/python
...

Look at vol.py to see how it calls python:

$ grep python vol.py 
#!/usr/bin/env python
#  -*- mode: python; -*-
...

(or $ grep python $(which vol.py) because I'm not sure how they set this up on sift)

See if you get the same path as what you saw in pip earlier:

$ /usr/bin/env python -c "import sys; print sys.executable"
/usr/bin/python

You can also verify that dpapick is installed. Run python the same way and then try to import like the plugin does:

$ /usr/bin/env python
Python 2.7.14 (default, Mar 22 2018, 14:43:05) 
[GCC 4.2.1 Compatible Apple LLVM 9.0.0 (clang-900.0.39.2)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> from DPAPI.Core import *
>>>

If you don't have the library installed for that python you will see the following instead:

>>> from DPAPI.Core import *
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
ImportError: No module named DPAPI.Core
>>> 

So, one way that you can make sure that it gets installed for your version of python you can manually install it (without using pip), or you can change the first line of the pip script to point to the appropriate python binary.

[gleeda]

For this issue:

Thanks for response, but I am afraid that doesnt work :

$ vol.py —plugins=contrib/plugins -f test.raw --profile=Win7SP1x86 malprocfind
Volatility Foundation Volatility Framework 2.6
ERROR : volatility.debug : You must specify something to do (try -h)

I'm not sure, but it might have happened if you copied and pasted my command. Notice that —plugins= looks different than --plugins= . Sometimes when you copy those modified dashes from pdfs, word docs, web pages etc, the commands don't work, because that combined double dash (—) is actually different than the regular double dash (--). Although it does seem like you managed to get past this issue, I thought I'd add that here in case someone else needs it.