Volatility3: AttributeError: function/symbol 'ARC4_stream_init' not found in library

Question

I am attempting to get hashes from a memory dump using volatility3's hashdump.Hashdump module, and I keep running into this error:

AttributeError: function/symbol 'ARC4_stream_init' not found in library '/home/cyber/.local/lib/python3.9/site-packages/Crypto/Util/../Cipher/_ARC4.cpython-39-x86_64-linux-gnu.so': /home/cyber/.local/lib/python3.9/site-packages/Crypto/Util/../Cipher/_ARC4.cpython-39-x86_64-linux-gnu.so: undefined symbol: ARC4_stream_init

I tried googling it and the only thing I could find was something similar with pdfs here. I also tried reinstalling the requirements from volatility and I reinstalled pycrypto crypto and cryptodome as I thought they might be causing issues. Any help would be greatly appreciated.

$python3 vol.py -f /home/cyber/Downloads/memdump.mem windows.hashdump.Hashdump
Volatility 3 Framework 2.5.2
Progress:  100.00        PDB scanning finished                       
User    rid    lmhash    nthash
Traceback (most recent call last):
  File "/home/cyber/Downloads/volatility3/vol.py", line 10, in <module>
    volatility3.cli.main()
  File "/home/cyber/Downloads/volatility3/volatility3/cli/__init__.py", line 790, in main
    CommandLine().run()
  File "/home/cyber/Downloads/volatility3/volatility3/cli/__init__.py", line 447, in run
    renderers[args.renderer]().render(constructed.run())
  File "/home/cyber/Downloads/volatility3/volatility3/cli/text_renderer.py", line 193, in render
    grid.populate(visitor, outfd)
  File "/home/cyber/Downloads/volatility3/volatility3/framework/renderers/__init__.py", line 245, in populate
    for level, item in self._generator:
  File "/home/cyber/Downloads/volatility3/volatility3/framework/plugins/windows/hashdump.py", line 571, in _generator
    hbootkey = self.get_hbootkey(samhive, bootkey)
  File "/home/cyber/Downloads/volatility3/volatility3/framework/plugins/windows/hashdump.py", line 409, in get_hbootkey
    rc4 = ARC4.new(rc4_key)
  File "/home/cyber/.local/lib/python3.9/site-packages/Crypto/Cipher/ARC4.py", line 130, in new
    return ARC4Cipher(key, *args, **kwargs)
  File "/home/cyber/.local/lib/python3.9/site-packages/Crypto/Cipher/ARC4.py", line 58, in __init__
    result = _raw_arc4_lib.ARC4_stream_init(c_uint8_ptr(key),
  File "/usr/lib/python3/dist-packages/cffi/api.py", line 912, in __getattr__
    make_accessor(name)
  File "/usr/lib/python3/dist-packages/cffi/api.py", line 908, in make_accessor
    accessors[name](name)
  File "/usr/lib/python3/dist-packages/cffi/api.py", line 838, in accessor_function
    value = backendlib.load_function(BType, name)
AttributeError: function/symbol 'ARC4_stream_init' not found in library '/home/cyber/.local/lib/python3.9/site-packages/Crypto/Util/../Cipher/_ARC4.cpython-39-x86_64-linux-gnu.so': /home/cyber/.local/lib/python3.9/site-packages/Crypto/Util/../Cipher/_ARC4.cpython-39-x86_64-linux-gnu.so: undefined symbol: ARC4_stream_init

Answer 1

Create a fresh and new virtual environment:

python3 -m venv .venv

Activate the created environment:

source .venv/bin/activate

Install the arc4 package to use the encryption/decryption:

pip install arc4

The content of the main.py file:

from arc4 import ARC4


arc4 = ARC4(b'key')
cipher = arc4.encrypt(b'some plain text to encrypt')

arc4 = ARC4(b'key')
decrypted_text = arc4.decrypt(cipher)

print(decrypted_text)

You must initialize the RC4 object at the beginning of each operation because RC4 is a stream cipher. By initializing a new object, the stream pointer will point to the beginning of the stream, hence decrypting accordingly.

Run the program with:

python3 main.py
b'some plain text to encrypt'