Add community plugins for Volatility 3

* Added community plugins for Volatility 3 in the `sk4la/volatility3` image (located in `/usr/local/share/volatility3/plugins`). These are not loaded by default. **Note that most community plugins are unmaintained and/or are simply links to the author's repository (which will most likely never be included in the image unless the Volatility Foundation adds it in the community repository).** * Changed the path to community modules for Volatility 2 in the `sk4la/volatility:edge` image to `/usr/local/share/volatility/plugins` for consistency between images.
sk4la · Dec 26, 2023 · 67017fc · 67017fc
1 parent ddb14f8
commit 67017fc
Show file tree

Hide file tree

Showing 7 changed files with 43 additions and 4 deletions.
diff --git a/.github/workflows/volatility-edge.yml b/.github/workflows/volatility-edge.yml
@@ -20,6 +20,8 @@ env:
   GIT_TAG_PYTHON_YARA: v4.4.0
   # No new tags/releases declared in the repository so we use the development branch.
   GIT_TAG_VOLATILITY: master
+  # No new tags/releases declared in the repository so we use the development branch.
+  GIT_TAG_VOLATILITY_COMMUNITY: master
 
 jobs:
   docker:
@@ -55,6 +57,7 @@ jobs:
             DOCKER_TAG_ALPINE=${{ env.DOCKER_TAG_ALPINE }}
             GIT_TAG_PYTHON_YARA=${{ env.GIT_TAG_PYTHON_YARA }}
             GIT_TAG_VOLATILITY=${{ env.GIT_TAG_VOLATILITY }}
+            GIT_TAG_VOLATILITY_COMMUNITY=${{ env.GIT_TAG_VOLATILITY_COMMUNITY }}
             PRODUCT_BUILD_COMMIT=${{ github.sha }}
             PRODUCT_BUILD_DATE=${{ steps.date.outputs.date }}
 

diff --git a/.github/workflows/volatility3-edge.yml b/.github/workflows/volatility3-edge.yml
@@ -21,6 +21,8 @@ env:
   GIT_TAG_JPCERT_SYMBOLS: main
   GIT_TAG_PYTHON_YARA: v4.4.0
   GIT_TAG_VOLATILITY3: develop
+  # No tags/releases declared in the repository so we use the development branch.
+  GIT_TAG_VOLATILITY3_COMMUNITY: master
 
 jobs:
   docker:
@@ -57,6 +59,7 @@ jobs:
             GIT_TAG_JPCERT_SYMBOLS=${{ env.GIT_TAG_JPCERT_SYMBOLS }}
             GIT_TAG_PYTHON_YARA=${{ env.GIT_TAG_PYTHON_YARA }}
             GIT_TAG_VOLATILITY3=${{ env.GIT_TAG_VOLATILITY3 }}
+            GIT_TAG_VOLATILITY3_COMMUNITY=${{ env.GIT_TAG_VOLATILITY3_COMMUNITY }}
             PRODUCT_BUILD_COMMIT=${{ github.sha }}
             PRODUCT_BUILD_DATE=${{ steps.date.outputs.date }}
 

diff --git a/.github/workflows/volatility3.yml b/.github/workflows/volatility3.yml
@@ -21,6 +21,8 @@ env:
   GIT_TAG_JPCERT_SYMBOLS: main
   GIT_TAG_PYTHON_YARA: v4.4.0
   GIT_TAG_VOLATILITY3: v2.5.0
+  # No tags/releases declared in the repository so we use the development branch.
+  GIT_TAG_VOLATILITY3_COMMUNITY: master
 
 jobs:
   docker:
@@ -60,6 +62,7 @@ jobs:
             GIT_TAG_JPCERT_SYMBOLS=${{ env.GIT_TAG_JPCERT_SYMBOLS }}
             GIT_TAG_PYTHON_YARA=${{ env.GIT_TAG_PYTHON_YARA }}
             GIT_TAG_VOLATILITY3=${{ env.GIT_TAG_VOLATILITY3 }}
+            GIT_TAG_VOLATILITY3_COMMUNITY=${{ env.GIT_TAG_VOLATILITY3_COMMUNITY }}
             PRODUCT_BUILD_COMMIT=${{ github.sha }}
             PRODUCT_BUILD_DATE=${{ steps.date.outputs.date }}
 

diff --git a/README.md b/README.md
@@ -216,20 +216,37 @@ Then, build the image by executing the `docker image build --tag volatility3-ove
 
 ### Example #5: Using community plugins with Volatility 2
 
-The `sk4la/volatility` image includes all community plugins listed in the [volatilityfoundation/community](https://github.com/volatilityfoundation/community) repository. By default, those are stored in `/usr/local/lib/volatility/contrib/plugins/community`.
+The `sk4la/volatility` image includes all community plugins from the official [volatilityfoundation/community](https://github.com/volatilityfoundation/community) repository. By default, those are stored in `/usr/local/share/volatility/plugins/community`.
 
-> You can list all included plugins using the `--help` or `--info` flags (e.g. `podman run sk4la/volatility:edge --plugins=/usr/local/lib/volatility/contrib/plugins --info`). The loading order is non-deterministic and some plugins fail to load because of missing dependencies (some are just not on PyPI anymore) or because their design is not quite suitable for distribution, so you may need to run it multiple times for it to load the plugin you are looking for. I advise instead using each module individually in order to avoid loading dysfunctional plugins.
+> You can list all included plugins using the `--help` or `--info` flags (e.g. `podman run sk4la/volatility:edge --plugins=/usr/local/share/volatility/plugins --info`). The loading order is non-deterministic and some plugins fail to load because of missing dependencies (some are just not on PyPI anymore) or because their design is not quite suitable for distribution, so you may need to run it multiple times for it to load the plugin you are looking for. I advise instead using each plugin individually in order to avoid loading dysfunctional plugins.
 
 To load a specific community plugin (example with JPCERT's APT17 plugin):
 
 ```sh
-docker container run sk4la/volatility:edge --plugins /usr/local/lib/volatility/contrib/plugins/community/JPCERT apt17scan --help
+docker container run sk4la/volatility:edge --plugins /usr/local/share/volatility/plugins/community/JPCERT apt17scan --help
 ```
 
 Please note that many plugins made for Volatility 2 have not been maintained for years and might be dysfunctional.
 
 </details>
 
+<details>
+  <summary>Example #6: Using community plugins with Volatility 3</summary>
+
+### Example #6: Using community plugins with Volatility 3
+
+The `sk4la/volatility3` and `sk4la/volatility3:edge` images include all community plugins from the official [volatilityfoundation/community3](https://github.com/volatilityfoundation/community3) repository. By default, those are stored in `/usr/local/share/volatility3/plugins/community3`.
+
+> You can list all included plugins using the `--help` flag (e.g. `podman run sk4la/volatility3:edge --plugin-dirs=/usr/local/share/volatility3/plugins --help`). Please note that many of these plugins have not been maintained a while and might be dysfunctional. I advise instead using each plugin individually in order to avoid loading dysfunctional plugins.
+
+To load a specific community plugin (example with the Multi YARA plugin):
+
+```sh
+docker container run sk4la/volatility3:edge --plugin-dirs /usr/local/share/volatility3/plugins/community3/Silva_Multi_Yara/ multiyara --help
+```
+
+</details>
+
 ## Support
 
 In case you encounter a problem or want to suggest a new feature relative to these Docker images, please [submit a ticket](https://github.com/sk4la/volatility3-docker/issues). [Pull requests](https://github.com/sk4la/volatility3-docker/pulls) are also greatly appreciated.

diff --git a/src/dwarf2json/Dockerfile b/src/dwarf2json/Dockerfile
@@ -33,6 +33,8 @@ ARG INSTALL_PREFIX="/usr/local"
 ENV LANG="C.UTF-8"
 ENV LC_ALL="C.UTF-8"
 
+VOLUME /tmp /var/tmp
+
 RUN apk add --no-cache \
         dumb-init
 

diff --git a/src/volatility/Dockerfile b/src/volatility/Dockerfile
@@ -41,6 +41,8 @@ ARG INSTALL_PREFIX="/usr/local"
 ENV LANG="C.UTF-8"
 ENV LC_ALL="C.UTF-8"
 
+VOLUME /tmp /var/tmp
+
 RUN addgroup -S "${INSTALL_GROUP}" && \
     adduser -DG -S "${INSTALL_USER}" -G "${INSTALL_GROUP}" -g "Unprivileged user,,,,"
 
@@ -124,7 +126,7 @@ RUN python2 setup.py install && \
 
 ENV PATH="${INSTALL_PREFIX}/bin:${PATH}"
 
-WORKDIR "${INSTALL_PREFIX}/lib/volatility/contrib/plugins"
+WORKDIR "${INSTALL_PREFIX}/share/volatility/plugins"
 
 RUN git clone --branch="${GIT_TAG_VOLATILITY_COMMUNITY}" --depth=1 --single-branch \
         https://github.com/volatilityfoundation/community.git

diff --git a/src/volatility3/Dockerfile b/src/volatility3/Dockerfile
@@ -52,6 +52,7 @@ RUN apk --purge del \
 FROM "alpine:${DOCKER_TAG_ALPINE}" AS production
 
 ARG GIT_TAG_VOLATILITY3="stable"
+ARG GIT_TAG_VOLATILITY3_COMMUNITY="master"
 
 ARG INSTALL_GROUP="ci"
 ARG INSTALL_USER="unprivileged"
@@ -60,6 +61,8 @@ ARG INSTALL_PREFIX="/usr/local"
 ENV LANG="C.UTF-8"
 ENV LC_ALL="C.UTF-8"
 
+VOLUME /tmp /var/tmp
+
 RUN addgroup -S "${INSTALL_GROUP}" && \
     adduser -DG -S "${INSTALL_USER}" -G "${INSTALL_GROUP}" -g "Unprivileged user,,,,"
 
@@ -71,6 +74,7 @@ RUN apk add --no-cache \
         py3-pefile \
         py3-pip \
         py3-pycryptodome \
+        py3-pygit2 \
         python3 && \
     apk add --no-cache --virtual=stage \
         gcc \
@@ -121,6 +125,11 @@ RUN python3 -m pip install --break-system-packages --requirement requirements.tx
 
 ENV PATH="${INSTALL_PREFIX}/bin:${PATH}"
 
+WORKDIR "${INSTALL_PREFIX}/share/volatility3/plugins"
+
+RUN git clone --branch="${GIT_TAG_VOLATILITY3_COMMUNITY}" --depth=1 --single-branch \
+        https://github.com/volatilityfoundation/community3.git
+
 RUN apk --purge del \
         stage