本项目已在以下环境中测试:
- Python 3.13.5
- Volatility 3 Framework 2.26.0
- pypykatz 0.6.11
将 vol_pypykatz.py 文件放置于 ./plugins 文件夹之后
vol -p .\plugin\ -f "example.vmem" pypykatz也可以直接将 vol_pypykatz.py 文件放置于 .\volatility3\framework\plugins 文件夹中
vol -f "example.vmem" pypykatz请注意,如果遇到以下报错
Traceback (most recent call last):B scanning finished
File "<frozen runpy>", line 198, in _run_module_as_main
File "<frozen runpy>", line 88, in _run_code
File "D:\_Code\Volatility3-pypykatz\env\Scripts\vol.exe\__main__.py", line 7, in <module>
sys.exit(main())
~~~~^^
File "D:\_Code\Volatility3-pypykatz\env\Lib\site-packages\volatility3\cli\__init__.py", line 924, in main
CommandLine().run()
~~~~~~~~~~~~~~~~~^^
File "D:\_Code\Volatility3-pypykatz\env\Lib\site-packages\volatility3\cli\__init__.py", line 508, in run
grid = constructed.run()
File "D:\_Code\Volatility3-pypykatz\plugin\vol_pypykatz.py", line 34, in run
return pparser.go_volatility3(self)
~~~~~~~~~~~~~~~~~~~~~~^^^^^^
File "D:\_Code\Volatility3-pypykatz\env\Lib\site-packages\pypykatz\pypykatz.py", line 227, in go_volatility3
reader = Vol3Reader(vol3_obj, framework_version)
File "D:\_Code\Volatility3-pypykatz\env\Lib\site-packages\pypykatz\commons\readers\volatility3\volreader.py", line 67, in __init__
self.setup()
~~~~~~~~~~^^
...<2 lines>...
filter_func = filter_func
^^^^^^^^^^^^^^^^^^^^^^^^^
):
^
TypeError: PsList.list_processes() got an unexpected keyword argument 'layer_name'请参考 Fix Volatility reader by the-rectifier · Pull Request #177 · skelsec/pypykatz 进行修复