Failed to import volatility.plugins.malware.apihooks (NameError: name 'distorm3' is not defined)

Reposted from: http://zambroid.blogspot.jp/2015/01/volatility-memory-dump-analysis.html

In this post I will share with you my first experiences working with Volatility 2.4.

For my first use I installed it on an OS X machine, where I did not need to install Python. Yes, you read correctly: Python. I'll install it soon on other OSes to complete this post and give a complete installation and usage guide for everyone.
Volatility is a framework implemented in Python and it is used to extract digital artifacts from volatile memory.

With the latest version it supports Windows 8, 8.1, 2012 R2 and Mac OS X Mavericks (up to 10.9.4) memory dumps.

For any further information, have a look at the official Volatility web site: volatilityfoundation.org.

Now, let's start with the installation.
Installation
As I already mentioned, Python is required for volatility (2.6 or later, but not 3.0), so check that prerequisite:
    # python -V

Now check that pycrypto package is installed:
    # python  
    >>> help("modules")
In case your Python installation doesn't include pycrypto, download it from www.dlitz.net and install it as follows:
    # tar zxf pycrypto-2.6.1.tar.gz
    # cd pycrypto-2.6.1 
    # sudo python setup.py build install
    # python
    >>> help("modules pycrypt")

    Here is a list of matching modules.  Enter any module name to get more help.
    
    Crypto.SelfTest.Cipher.common - Self-testing for PyCrypto hash modules
    Crypto.SelfTest.Hash.common - Self-testing for PyCrypto hash modules 

Now download the volatility source code package for Mac from the official repository with this link Volatility 2.4.
Open a shell and uncompress the package:
    # tar zxf /tmp/volatility-2.4.tar.gz

The installation of the software is really simple, you only need to run one command:
    # cd volatility-2.4
    # sudo python setup.py build install

It will take some time to install; afterwards, check the installation with the following command:
    # python vol.py --info 

As you can see, the plugin loader reports a series of errors:
    # python vol.py --info
    Volatility Foundation Volatility Framework 2.4
    *** Failed to import volatility.plugins.ssdt (NameError: name 'distorm3' is not defined)
    *** Failed to import volatility.plugins.mac.apihooks (ImportError: No module named distorm3)
    *** Failed to import volatility.plugins.linux.apihooks (ImportError: No module named distorm3)
    *** Failed to import volatility.plugins.malware.threads (NameError: name 'distorm3' is not defined)
    *** Failed to import volatility.plugins.mac.apihooks_kernel (ImportError: No module named distorm3)
    *** Failed to import volatility.plugins.malware.apihooks (NameError: name 'distorm3' is not defined)
    *** Failed to import volatility.plugins.mac.check_syscall_shadow (ImportError: No module named distorm3)

Every one of them points at the same missing dependency, the distorm3 Python package, which is installed from its source archive in the same way:
    # unzip distorm3-3.3.0.zip
    # cd distorm3-3.3.0
    # sudo python setup.py build install

Go back to the Volatility directory and check the installation again:
    # cd ../volatility-2.4
    # python vol.py --info

Now Volatility is ready to be used.
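The `--info` check above prints one line per plugin that failed to load, which hides the fact that a single missing package is behind all of them. As an added example (not from the original post), this POSIX shell script parses that output, reduces it to the set of missing top-level packages, and maps each to the install step given above; the sample output is constructed, and the `Crypto.Hash` line is assumed to show that a missing pycrypto is reported the same way.

```shell
#!/bin/sh
# Added example (not from the original post): turn the noisy "Failed to import"
# lines that `python vol.py --info` prints into the list of Python packages that
# are actually missing, so you install the dependency instead of reading the
# same distorm3 complaint seven times.

# Constructed sample of `vol.py --info` output. The distorm3 lines mirror the
# post above; the Crypto line is assumed, to show that the pycrypto prerequisite
# is reported the same way.
SAMPLE_INFO="Volatility Foundation Volatility Framework 2.4
*** Failed to import volatility.plugins.ssdt (NameError: name 'distorm3' is not defined)
*** Failed to import volatility.plugins.mac.apihooks (ImportError: No module named distorm3)
*** Failed to import volatility.plugins.malware.threads (NameError: name 'distorm3' is not defined)
*** Failed to import volatility.plugins.malware.apihooks (ImportError: No module named Crypto.Hash)"

# Number of plugins that failed to load (stdin: vol.py --info output).
failed_plugins() {
    grep -c '^\*\*\* Failed to import ' || true
}

# Unique top-level package names behind the failures (stdin: vol.py --info output).
# ImportError names the package directly; NameError shows up where a plugin went
# on to reference a package whose import had already failed.
missing_modules() {
    input=$(cat)
    {
        printf '%s\n' "$input" | sed -n 's/.*ImportError: No module named \([A-Za-z0-9_]*\).*/\1/p'
        printf '%s\n' "$input" | sed -n "s/.*NameError: name '\([A-Za-z0-9_]*\)' is not defined.*/\1/p"
    } | sort -u
}

# Map a missing package to the install step used in the post.
install_hint() {
    case "$1" in
        distorm3) echo "distorm3: unzip distorm3-3.3.0.zip; cd distorm3-3.3.0; sudo python setup.py build install" ;;
        Crypto)   echo "Crypto: pycrypto-2.6.1 from www.dlitz.net; sudo python setup.py build install" ;;
        *)        echo "$1: no known install step, check the package name" ;;
    esac
}

# Stand-alone run over the constructed sample (for real use: python vol.py --info 2>&1 | missing_modules).
main() {
    echo "plugins failed: $(printf '%s\n' "$SAMPLE_INFO" | failed_plugins)"
    printf '%s\n' "$SAMPLE_INFO" | missing_modules | while read -r mod; do
        install_hint "$mod"
    done
}
main
```

Errors from the plugin loader go to stderr, hence the `2>&1` when piping real `vol.py --info` output into the functions.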

Usage
Volatility is structured in profiles and plugins:
Profiles describe the OS a memory dump comes from; the matching profile must be selected before the dump can be analysed.
Plugins are the actual analysis tools; there are many of them, covering a wide range of operations.
Plugins and profiles can be added to Volatility simply by copying the needed files into place.
Profiles are located in:
    volatility-2.4/volatility/plugins/overlays/<OS> 

Plugins are located in: 
    volatility-2.4/volatility/plugins/ 

Now that everything is ready, it is possible to analyse a memory dump with volatility:
    # python vol.py --profile=<OS_profile> -f <MemoryDumpFile> <plugin>  

The plugin list and description can be found here.

Be patient, learn, share, and play with your memory dumps :-) 
