Preparation
Python 3.7 or newer
https://github.com/volatilityfoundation/volatility3
# install
pip install volatility3
# usage
vol.exe -vvv -f test-Snapshot1.vmem hashdump
-vvv  show detailed error output
-f    specify the memory image
hashdump  dump the account password hashes
Building a standalone binary on Linux
Use pyinstaller on Linux to build a standalone executable:
Get the volatility3 source code
pyinstaller can bundle several .py files into one executable; the command is:
pyinstaller vol.spec
Some plugins cannot be used
pip install -r requirements.txt
Installing volatility3 does not automatically pull in the libraries listed in requirements.txt; install them by hand.
volatility3 errors out on a virtual machine memory snapshot
The error looks like this:
Unsatisfied requirement plugins.Hashdump.kernel.layer_name:
Unsatisfied requirement plugins.Hashdump.kernel.symbol_table_name:
A translation layer requirement was not fulfilled. Please verify that:
A file was provided to create this layer (by -f, --single-location or by config)
The file exists and is readable
The file is a valid memory image and was acquired cleanly
A symbol table requirement was not fulfilled. Please verify that:
The associated translation layer requirement was fulfilled
You have the correct symbol file for the requirement
The symbol file is under the correct directory or zip file
The symbol file is named appropriately or contains the correct banner
Putting test-Snapshot1.vmsn in the same directory as test-Snapshot1.vmem makes it run normally:
vol.exe -vvv -f test-Snapshot1.vmem hashdump
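An added pre-flight script (my example, not volatility3's own code) that checks the points from these notes before invoking vol: Python version, the image present, and the snapshot's companion file beside the .vmem, then runs the plugin with -vvv. The launcher name `vol`, the `.vmss` alternative for a suspended VM, and the check logic are my assumptions; the sample file name comes from the notes above.

```python
"""Pre-flight checks before running a volatility3 plugin on a VMware .vmem.
Added example, not volatility3 code: checks the points from the notes above
(Python >= 3.7, the .vmem present, its .vmsn/.vmss beside it) and builds
the vol -vvv command so any remaining failure is reported verbosely."""
import os
import subprocess
import sys
from pathlib import Path

# VMware keeps the snapshot's CPU/device state in .vmsn (or .vmss for a suspended
# VM, my assumption) beside the .vmem; without it hashdump fails as shown above.
COMPANION_SUFFIXES = (".vmsn", ".vmss")

def companion_files(vmem_name, siblings):
    """Companion state files for vmem_name among `siblings` (names in its dir)."""
    stem = Path(vmem_name).stem  # "test-Snapshot1.vmem" -> "test-Snapshot1"
    return sorted(n for n in siblings
                  if Path(n).stem == stem
                  and Path(n).suffix.lower() in COMPANION_SUFFIXES)

def build_command(image, plugin="hashdump", verbosity=3, vol="vol"):
    """argv for vol, e.g. ['vol', '-vvv', '-f', 'test-Snapshot1.vmem', 'hashdump']."""
    argv = [vol]
    if verbosity:
        argv.append("-" + "v" * verbosity)  # -vvv: detailed error output
    return argv + ["-f", str(image), plugin]

def preflight(image_path, siblings=None):
    """Return a list of problems; an empty list means it is safe to run vol."""
    image = Path(image_path)
    if siblings is None:  # passing siblings explicitly keeps this testable offline
        siblings = os.listdir(image.parent)
    problems = []
    if sys.version_info < (3, 7):
        problems.append("volatility3 requires Python 3.7 or newer")
    if image.name not in siblings:
        problems.append(f"memory image not found: {image}")
    elif image.suffix.lower() == ".vmem" and not companion_files(image.name, siblings):
        problems.append(f"no .vmsn/.vmss beside {image.name}; hashdump will fail "
                        "its layer_name / symbol_table_name requirements")
    return problems

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "test-Snapshot1.vmem"
    issues = preflight(target)
    if issues:
        sys.exit("\n".join(issues))
    subprocess.run(build_command(target), check=False)
```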