Volatility3 linux.check_afinfo.Check_afinfo plugin error
Hi, I am having some trouble with the linux.check_afinfo.Check_afinfo plugin while using volatility3. Some useful info:
Volatility 3 Framework 2.5.0
Operating System: Linux
Python Version: Python 3.11.5
Suspected Operating System: Linux
Command: python3 vol.py -f /mnt/test.lime linux.check_afinfo.Check_afinfo plugin
kernel version: Linux version 6.2.0-1013-aws (buildd@bos03-amd64-006) (x86_64-linux-gnu-gcc-11 (Ubuntu 11.4.0-1ubuntu1~22.04)
I am getting the following error:
WARNING volatility3.plugins.linux.check_afinfo: This plugin was not able to check for hooks. This means you are either analyzing an unsupported kernel version or that your symbol table is corrupt.
Full output when running the command with -vvv:
Volatility 3 Framework 2.5.0
INFO volatility3.cli: Volatility plugins path: ['/home/nfsuper/volatility/volatility3/plugins', '/home/nfsuper/volatility/volatility3/framework/plugins']
INFO volatility3.cli: Volatility symbols path: ['/home/nfsuper/volatility/volatility3/symbols', '/home/nfsuper/volatility/volatility3/framework/symbols']
INFO volatility3.framework.automagic: Detected a linux category plugin
INFO volatility3.framework.automagic: Running automagic: ConstructionMagic
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Check_afinfo.kernel.layer_name
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Check_afinfo.kernel.symbol_table_name
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Check_afinfo.kernel.layer_name
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Check_afinfo.kernel.symbol_table_name
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Check_afinfo.kernel
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Check_afinfo.kernel.layer_name
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Check_afinfo.kernel.layer_name
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Check_afinfo.kernel.layer_name
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Check_afinfo.kernel
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Check_afinfo.kernel.symbol_table_name
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Check_afinfo.kernel.symbol_table_name
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Check_afinfo.kernel.symbol_table_name
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Check_afinfo.kernel
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Check_afinfo.kernel.layer_name
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Check_afinfo.kernel.symbol_table_name
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Check_afinfo
INFO volatility3.framework.automagic: Running automagic: SymbolCacheMagic
INFO volatility3.framework.automagic: Running automagic: LayerStacker
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Check_afinfo.kernel.layer_name
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Check_afinfo.kernel.symbol_table_name
DEBUG volatility3.framework.automagic.symbol_cache: Duplicate entry for identifier b'Linux version 6.2.0-1013-aws (buildd@bos03-amd64-006) (x86_64-linux-gnu-gcc-11 (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #13~22.04.1-Ubuntu SMP Fri Sep 8 17:29:56 UTC 2023 (Ubuntu 6.2.0-1013.13~22.04.1-aws 6.2.16)\n\x00': file:///home/nfsuper/volatility/volatility3/symbols/linux-image-6.2.0-1013-aws.json and file:///home/nfsuper/volatility/volatility3/framework/symbols/linux/linux-image-6.2.0-1013-aws.json
DEBUG volatility3.framework.automagic.linux: Identified banner: b'Linux version 6.2.0-1013-aws (buildd@bos03-amd64-006) (x86_64-linux-gnu-gcc-11 (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #13~22.04.1-Ubuntu SMP Fri Sep 8 17:29:56 UTC 2023 (Ubuntu 6.2.0-1013.13~22.04.1-aws 6.2.16)\n\x00'
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!assoc_array_ptr
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!netns_ipvs
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!mtd_info
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!can_pkg_stats
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!can_rcv_lists_stats
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!can_dev_rcv_lists
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!mpls_route
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!sctp_mib
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!smc_stats_rsn
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!smc_stats
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!garp_port
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!mpls_dev
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!mrp_port
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!tipc_bearer
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!udp_tunnel_nic
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!pcpu_dstats
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!phylink
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!cfg80211_conn
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!cfg80211_cached_keys
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!cfg80211_cqm_config
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!sfp
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!libipw_device
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!smc_hashinfo
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!dsa_8021q_context
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!uapi_definition
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!hw_stats_device_data
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!rdma_restrack_root
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!cfg80211_internal_bss
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!ib_port
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!ib_gid_table
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!ib_pkey_cache
DEBUG volatility3.framework.automagic.linux: Linux ASLR shift values determined: physical 94400000 virtual 2b800000
DEBUG volatility3.framework.automagic.linux: DTB was found at: 0x97610000
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Check_afinfo.kernel.layer_name
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Check_afinfo.kernel.layer_name
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Check_afinfo.kernel.symbol_table_name
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Check_afinfo.kernel.layer_name
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Check_afinfo.kernel.symbol_table_name
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Check_afinfo.kernel
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Check_afinfo.kernel.layer_name
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Check_afinfo.kernel.layer_name.memory_layer
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Check_afinfo.kernel.layer_name.memory_layer.base_layer
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Check_afinfo.kernel.symbol_table_name
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Check_afinfo.kernel.symbol_table_name
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Check_afinfo.kernel.symbol_table_name
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Check_afinfo.kernel
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Check_afinfo.kernel.symbol_table_name
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Check_afinfo
DEBUG volatility3.framework.automagic.stacker: Stacked layers: ['IntelLayer', 'LimeLayer', 'FileLayer']
INFO volatility3.framework.automagic: Running automagic: SymbolFinder
INFO volatility3.framework.automagic: Running automagic: LinuxSymbolFinder
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Check_afinfo.kernel.symbol_table_name
DEBUG volatility3.framework.automagic.symbol_cache: Duplicate entry for identifier b'Linux version 6.2.0-1013-aws (buildd@bos03-amd64-006) (x86_64-linux-gnu-gcc-11 (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #13~22.04.1-Ubuntu SMP Fri Sep 8 17:29:56 UTC 2023 (Ubuntu 6.2.0-1013.13~22.04.1-aws 6.2.16)\n\x00': file:///home/nfsuper/volatility/volatility3/symbols/linux-image-6.2.0-1013-aws.json and file:///home/nfsuper/volatility/volatility3/framework/symbols/linux/linux-image-6.2.0-1013-aws.json
DEBUG volatility3.framework.automagic.symbol_finder: Identified banner: b'Linux version 6.2.0-1013-aws (buildd@bos03-amd64-006) (x86_64-linux-gnu-gcc-11 (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #13~22.04.1-Ubuntu SMP Fri Sep 8 17:29:56 UTC 2023 (Ubuntu 6.2.0-1013.13~22.04.1-aws 6.2.16)\n\x00'
DEBUG volatility3.framework.automagic.symbol_finder: Using symbol library: file:///home/nfsuper/volatility/volatility3/symbols/linux-image-6.2.0-1013-aws.json
INFO volatility3.framework.automagic: Running automagic: KernelModule
Symbol Name Member Handler Address
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!assoc_array_ptr
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!netns_ipvs
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!garp_port
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!mpls_dev
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!mrp_port
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!tipc_bearer
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!udp_tunnel_nic
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!pcpu_dstats
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!mtd_info
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!can_pkg_stats
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!can_rcv_lists_stats
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!can_dev_rcv_lists
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!mpls_route
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!sctp_mib
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!smc_stats_rsn
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!smc_stats
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!phylink
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!cfg80211_conn
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!cfg80211_cached_keys
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!cfg80211_cqm_config
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!sfp
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!libipw_device
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!dsa_8021q_context
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!smc_hashinfo
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!uapi_definition
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!hw_stats_device_data
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!rdma_restrack_root
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!cfg80211_internal_bss
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!ib_port
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!ib_gid_table
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!ib_pkey_cache
DEBUG volatility3.plugins.linux.check_afinfo: tcp6_seq_afinfo object at 0xffffaed94e68 had none of the required members: seq_fops, seq_ops, seq_show
DEBUG volatility3.plugins.linux.check_afinfo: tcp4_seq_afinfo object at 0xffffaed85ae0 had none of the required members: seq_fops, seq_ops, seq_show
DEBUG volatility3.plugins.linux.check_afinfo: udplite6_seq_afinfo object at 0xffffaed93d20 had none of the required members: seq_fops, seq_ops, seq_show
DEBUG volatility3.plugins.linux.check_afinfo: udp6_seq_afinfo object at 0xffffaed93c90 had none of the required members: seq_fops, seq_ops, seq_show
DEBUG volatility3.plugins.linux.check_afinfo: udplite4_seq_afinfo object at 0xffffaed870c0 had none of the required members: seq_fops, seq_ops, seq_show
DEBUG volatility3.plugins.linux.check_afinfo: udp4_seq_afinfo object at 0xffffaed86d80 had none of the required members: seq_fops, seq_ops, seq_show
WARNING volatility3.plugins.linux.check_afinfo: This plugin was not able to check for hooks. This means you are either analyzing an unsupported kernel version or that your symbol table is corrupt.
Any chance the plugin is not supported for the kernel version?
Yep, it absolutely looks like this isn't a supported kernel (the various structures don't have any of the required members). Since it determined the various offsets of things, and loaded up an IntelLayer, it looks as though the symbol table is functioning correctly. I didn't think the 6.2 kernel introduced/changed anything, but perhaps AWS monkeys with the tcp stuff for efficiency?
Could you please verify that other linux plugins work correctly (such as pslist) so we can tell that the symbol table as a whole works, and it's just the afinfo that doesn't?
Indeed, other plugins are working perfectly, including pslist.
Hello @4n6-fl - I think that essentially the kernel changed enough in 2018 to mean that the current method of checks used in check_afinfo can't work. So it won't work on your sample as it's too new. It looks likely that your symbols are correct, and that this is therefore an unsupported kernel.
The main issue is being tracked here - https://github.com/volatilityfoundation/volatility3/issues/832
It was only two weeks ago that the warning around this was added - https://github.com/volatilityfoundation/volatility3/pull/1038 - before that it would have just crashed. So I'm glad that those warnings at least pointed you in the right direction of the problem. (The note from @Abyss-W4tcher about a community plugin might be of interest to you...!)
I understand that @atcuno is looking into options, but right now I don't think you'll be able to use this plugin on your sample.
🦊 just a random internet vol user
Got it, thanks for the clarification.
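
An added example, not part of the thread and not Volatility's own code: a pre-check that reads an ISF symbol file such as the one named in the log and reports whether the structs behind the `*_seq_afinfo` symbols define any of the members the plugin's debug lines list as required, which separates "symbol table problem" from "layout this check cannot use". The function names and the sample ISF fragment are constructed for illustration; only the three member names come from the log above.

```python
import json
import lzma

# Members the plugin's debug lines in this thread list as required.
REQUIRED_MEMBERS = ("seq_fops", "seq_ops", "seq_show")

# Constructed sample ISF fragment (not taken from a real symbol file).
SAMPLE_ISF = {
    "symbols": {
        "tcp4_seq_afinfo": {"address": 4096,
                            "type": {"kind": "struct", "name": "tcp_seq_afinfo"}},
        "udp4_seq_afinfo": {"address": 8192,
                            "type": {"kind": "struct", "name": "udp_seq_afinfo"}},
    },
    "user_types": {
        "tcp_seq_afinfo": {"kind": "struct", "size": 2, "fields": {
            "family": {"offset": 0, "type": {"kind": "base", "name": "unsigned short"}}}},
        "udp_seq_afinfo": {"kind": "struct", "size": 16, "fields": {
            "family": {"offset": 0, "type": {"kind": "base", "name": "unsigned short"}}}},
    },
}


def load_isf(path):
    """Load a Volatility 3 ISF symbol file (.json or .json.xz)."""
    opener = lzma.open if path.endswith(".xz") else open
    with opener(path, "rt", encoding="utf-8") as fh:
        return json.load(fh)


def afinfo_members(isf):
    """Map each *_seq_afinfo symbol to the required members its struct defines."""
    types = isf.get("user_types", {})
    report = {}
    for name, sym in sorted(isf.get("symbols", {}).items()):
        if not name.endswith("_seq_afinfo"):
            continue
        struct_name = (sym.get("type") or {}).get("name")
        fields = types.get(struct_name, {}).get("fields", {})
        report[name] = [m for m in REQUIRED_MEMBERS if m in fields]
    return report


def verdict(report):
    """Separate a symbol-table problem from a struct layout the check cannot use."""
    if not report:
        return "no *_seq_afinfo symbols found: suspect the symbol table"
    if not any(report.values()):
        return "symbols present, required members absent: unsupported layout"
    return "required members present: the check has something to inspect"


if __name__ == "__main__":
    print(verdict(afinfo_members(SAMPLE_ISF)))
```

To run it against a real symbol file, pass the path through `load_isf()` first, for example the `linux-image-6.2.0-1013-aws.json` file reported on the "Using symbol library" line.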