linux.check_afinfo.Check_afinfo Plugin Throws AttributeError

Open mthbrown opened this issue 1 year ago • 7 comments

Describe the bug

When running the linux.check_afinfo.Check_afinfo plugin on a Linux memory dump using a custom Symbols Table, it throws an AttributeError. Other plugins work without problems.

Context

Volatility Version: Volatility 3 Framework 2.3.1 (latest from git as of today)
Operating System: Ubuntu 20.04.2 LTS
Python Version: 3.6.12
Suspected Operating System: Ubuntu 22.04 (memory of this machine was captured)
Command:

$ python vol.py -f ~/volatility/mem/Linux64.mem linux.check_afinfo.Check_afinfo
Volatility 3 Framework 2.3.1
Progress:  100.00               Stacking attempts finished                 
Symbol Name     Member  Handler Address
Traceback (most recent call last):
  File "vol.py", line 10, in <module>
    volatility3.cli.main()
  File "/home/ubuntu/vol3/volatility3/volatility3/cli/__init__.py", line 636, in main
    CommandLine().run()
  File "/home/ubuntu/vol3/volatility3/volatility3/cli/__init__.py", line 343, in run
    renderers[args.renderer]().render(constructed.run())
  File "/home/ubuntu/vol3/volatility3/volatility3/cli/text_renderer.py", line 177, in render
    grid.populate(visitor, outfd)
  File "/home/ubuntu/vol3/volatility3/volatility3/framework/renderers/__init__.py", line 212, in populate
    for (level, item) in self._generator:
  File "/home/ubuntu/vol3/volatility3/volatility3/framework/plugins/linux/check_afinfo.py", line 84, in _generator
    for name, member, address in self._check_afinfo(global_var_name, global_var, op_members, seq_members):
  File "/home/ubuntu/vol3/volatility3/volatility3/framework/plugins/linux/check_afinfo.py", line 51, in _check_afinfo
    for hooked_member, hook_address in self._check_members(var.seq_fops, var_name, op_members):
  File "/home/ubuntu/vol3/volatility3/volatility3/framework/objects/__init__.py", line 789, in __getattr__
    raise AttributeError(f"{agg_name} has no attribute: {self.vol.type_name}.{attr}")
AttributeError: StructType has no attribute: symbol_table_name1!tcp_seq_afinfo.seq_fops

To Reproduce

See above

Expected behavior

The plugin should run successfully

Screenshots

Additional information

Here is the custom symbols table - vmlinux-5.15.0-33-generic.json.gz

mthbrown avatar Sep 09 '22 07:09 mthbrown

I have the same situation, any luck from your side?

dsever avatar Jan 10 '23 12:01 dsever

Hmmm, so it looks like this was a change made in 2018 (in this commit) and so any kernel after about 4.18 won't work with the current check_afinfo plugin. @atcuno, any chance you could take a look into this please?

(Edited the comment to update the commit, originally posted the wrong one, sorry)

ikelos avatar Jan 11 '23 16:01 ikelos
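
As an added example (not part of the thread and not Volatility's own code): a pre-flight check that reads the ISF symbol table itself and reports whether `tcp_seq_afinfo` still has the `seq_fops` member the traceback says is missing, instead of inferring it from the kernel version string. It assumes the standard ISF JSON layout (`user_types`, then the struct name, then `fields`); the `REQUIRED` map, the helper names and both sample tables are constructed for illustration.

```python
import gzip
import json
import lzma
import sys

# Member the traceback above shows check_afinfo reading (assumption: extend as needed).
REQUIRED = {"tcp_seq_afinfo": ["seq_fops"]}

# Constructed ISF fragments, not taken from a real kernel build.
_FAMILY = {"offset": 0, "type": {"kind": "base", "name": "unsigned short"}}
_FOPS = {"offset": 8, "type": {"kind": "pointer",
                               "subtype": {"kind": "struct", "name": "file_operations"}}}
OLD_ISF = {"user_types": {"tcp_seq_afinfo": {
    "kind": "struct", "size": 16, "fields": {"family": _FAMILY, "seq_fops": _FOPS}}}}
NEW_ISF = {"user_types": {"tcp_seq_afinfo": {
    "kind": "struct", "size": 2, "fields": {"family": _FAMILY}}}}


def load_isf(source):
    """Load an ISF table from an open file object or a .json/.json.gz/.json.xz path."""
    if hasattr(source, "read"):
        return json.load(source)
    name = str(source)
    opener = gzip.open if name.endswith(".gz") else lzma.open if name.endswith(".xz") else open
    with opener(name, "rt", encoding="utf-8") as fh:
        return json.load(fh)


def missing_members(isf, required=REQUIRED):
    """Return {struct: [absent members]}; a struct missing entirely maps to None."""
    user_types = isf.get("user_types", {})
    report = {}
    for struct, members in required.items():
        if struct not in user_types:
            report[struct] = None
            continue
        fields = user_types[struct].get("fields", {})
        absent = [m for m in members if m not in fields]
        if absent:
            report[struct] = absent
    return report


if __name__ == "__main__":
    # With a path argument, check that symbol table; otherwise use the constructed sample.
    table = load_isf(sys.argv[1]) if len(sys.argv) > 1 else NEW_ISF
    problems = missing_members(table)
    print("layout matches what the plugin reads" if not problems else f"missing: {problems}")
```

An empty result means the struct layout matches what the plugin dereferences; a non-empty one predicts the `AttributeError` before any memory image is processed.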

Same issue for version 4.18.0-425.10.1. Kindly have a look.

herootx avatar Jan 30 '23 00:01 herootx

This issue is stale because it has been open for 200 days with no activity.

github-actions[bot] avatar Aug 18 '23 01:08 github-actions[bot]

Did we ever get this resolved, @atcuno?

ikelos avatar Aug 19 '23 16:08 ikelos

Hasn't this plugin been replaced by https://github.com/AsafEitani/rootkit_plugins/blob/main/plugins/check_seqops.py, at least for kernels after https://elixir.bootlin.com/linux/v4.17.19/source/include/net/tcp.h?

Abyss-W4tcher avatar Nov 10 '23 15:11 Abyss-W4tcher

Having the same issue, any update here?

4n6-fl avatar Nov 12 '23 08:11 4n6-fl