Installing a Volatility plugin (using mimikatz as the example)

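Your Volatility may have shipped with the system or you may have installed it yourself; either way, you only need to find the plugins directory.

The default path on my Kali is as follows: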

/usr/lib/python2.7/dist-packages/volatility/plugins/

Download mimikatz.py yourself.

Put the downloaded mimikatz.py into the plugins directory.

Running volatility at this point fails with an error: there is no construct module.

root@kali:~/ctf/forensic# volatility -f OtterCTF.vmem --profile=Win7SP1x64 mimikatz
Volatility Foundation Volatility Framework 2.6
*** Failed to import volatility.plugins.mimikatz (ImportError: No module named construct)
ERROR   : volatility.debug    : You must specify something to do (try -h)

Running pip install construct is all it takes to fix this.

root@kali:~/ctf/forensic# volatility -f OtterCTF.vmem --profile=Win7SP1x64 mimikatz
Volatility Foundation Volatility Framework 2.6
Module   User             Domain           Password                                
-------- ---------------- ---------------- ----------------------------------------
wdigest  Rick             WIN-LO6FAF3DTFE  MortyIsReallyAnOtter                    
wdigest  WIN-LO6FAF3DTFE$ WORKGROUP
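
As an added example (not from the original post or the Volatility project), here is a shell pre-flight check that lists the modules a plugin file imports and reports the ones the given Python interpreter cannot load, so a missing dependency such as construct shows up before the plugin is copied into the plugins directory. The function names missing_modules and install_plugin are hypothetical; pass the interpreter your Volatility runs under.

```shell
#!/bin/sh
# Added example, not part of the original post.

# missing_modules <python-interpreter> <plugin.py>
# Prints one line per imported top-level module that the interpreter
# cannot import. Heuristic: only the first name of each "import X" or
# "from X import Y" line is checked; relative imports are skipped.
missing_modules() {
    py="$1"
    plugin="$2"
    sed -n -E \
        -e 's/^[[:space:]]*import[[:space:]]+([A-Za-z_][A-Za-z0-9_]*).*/\1/p' \
        -e 's/^[[:space:]]*from[[:space:]]+([A-Za-z_][A-Za-z0-9_]*).*[[:space:]]import[[:space:]].*/\1/p' \
        "$plugin" | sort -u |
    while read -r mod; do
        # Try the import in the target interpreter; report it on failure.
        "$py" -c "import $mod" </dev/null 2>/dev/null || echo "$mod"
    done
}

# install_plugin <python-interpreter> <plugin.py> <plugins-dir>
# Copies the plugin only when every imported module is available.
# Returns 1 and names the missing modules on stderr otherwise.
install_plugin() {
    py="$1"
    plugin="$2"
    dest="$3"
    missing=$(missing_modules "$py" "$plugin")
    if [ -n "$missing" ]; then
        echo "not installing $plugin, missing modules:" $missing >&2
        return 1
    fi
    cp "$plugin" "$dest"/
}

# Example call with the path from this page (interpreter name is an assumption):
#   install_plugin python2 mimikatz.py /usr/lib/python2.7/dist-packages/volatility/plugins/
```
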
