volatility3
linux.check_afinfo.Check_afinfo Plugin Throws AttributeError
Describe the bug
When running the linux.check_afinfo.Check_afinfo plugin on a Linux memory dump using a custom Symbols Table, it throws an AttributeError. Other plugins work without problems.
Context
Volatility Version: Volatility 3 Framework 2.3.1 (latest from git as of today)
Operating System: Ubuntu 20.04.2 LTS
Python Version: 3.6.12
Suspected Operating System: Ubuntu 22.04 (memory of this machine was captured)
Command:
$ python vol.py -f ~/volatility/mem/Linux64.mem linux.check_afinfo.Check_afinfo
Volatility 3 Framework 2.3.1
Progress: 100.00 Stacking attempts finished
Symbol Name Member Handler Address
Traceback (most recent call last):
  File "vol.py", line 10, in <module>
    volatility3.cli.main()
  File "/home/ubuntu/vol3/volatility3/volatility3/cli/__init__.py", line 636, in main
    CommandLine().run()
  File "/home/ubuntu/vol3/volatility3/volatility3/cli/__init__.py", line 343, in run
    renderers[args.renderer]().render(constructed.run())
  File "/home/ubuntu/vol3/volatility3/volatility3/cli/text_renderer.py", line 177, in render
    grid.populate(visitor, outfd)
  File "/home/ubuntu/vol3/volatility3/volatility3/framework/renderers/__init__.py", line 212, in populate
    for (level, item) in self._generator:
  File "/home/ubuntu/vol3/volatility3/volatility3/framework/plugins/linux/check_afinfo.py", line 84, in _generator
    for name, member, address in self._check_afinfo(global_var_name, global_var, op_members, seq_members):
  File "/home/ubuntu/vol3/volatility3/volatility3/framework/plugins/linux/check_afinfo.py", line 51, in _check_afinfo
    for hooked_member, hook_address in self._check_members(var.seq_fops, var_name, op_members):
  File "/home/ubuntu/vol3/volatility3/volatility3/framework/objects/__init__.py", line 789, in __getattr__
    raise AttributeError(f"{agg_name} has no attribute: {self.vol.type_name}.{attr}")
AttributeError: StructType has no attribute: symbol_table_name1!tcp_seq_afinfo.seq_fops
To Reproduce
See above
Expected behavior
The plugin should run successfully
Additional information
Here is the custom symbols table - vmlinux-5.15.0-33-generic.json.gz
I have the same situation, any luck from your side?
Hmmm, so it looks like this was a change made in 2018 (in this commit) and so any kernel after about 4.18 won't work with the current check_afinfo plugin. @atcuno, any chance you could take a look into this please?
(Edited the comment to update the commit, originally posted the wrong one, sorry)
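A pre-flight check for the failure discussed in this thread, as an added example that is not part of the original issue or of Volatility's own code: it reads an ISF symbol table and reports whether `tcp_seq_afinfo` still carries the `seq_fops` member named in the traceback. The function names and the two inline ISF fragments are constructed for illustration; only the `user_types`/`fields` layout follows Volatility 3's ISF JSON.

```python
import gzip
import json
import lzma

# (struct, member) pairs a plugin dereferences; this pair comes from the traceback above.
CHECK_AFINFO_REQUIRES = [("tcp_seq_afinfo", "seq_fops")]


def load_isf(path):
    """Load a Volatility 3 ISF symbol table (.json, .json.gz or .json.xz)."""
    opener = gzip.open if path.endswith(".gz") else lzma.open if path.endswith(".xz") else open
    with opener(path, "rt", encoding="utf-8") as handle:
        return json.load(handle)


def missing_members(isf, required):
    """Return the (struct, member) pairs that the symbol table cannot resolve."""
    user_types = isf.get("user_types", {})
    missing = []
    for struct_name, member in required:
        # A struct that is absent altogether is reported the same way as a missing member.
        fields = user_types.get(struct_name, {}).get("fields", {})
        if member not in fields:
            missing.append((struct_name, member))
    return missing


# Constructed, minimal ISF fragments (not taken from a real symbol file).
ISF_OLD_LAYOUT = {"user_types": {"tcp_seq_afinfo": {"kind": "struct", "size": 64, "fields": {
    "name": {"offset": 0, "type": {"kind": "pointer"}},
    "family": {"offset": 8, "type": {"kind": "base", "name": "unsigned short"}},
    "seq_fops": {"offset": 16, "type": {"kind": "pointer"}},
    "seq_ops": {"offset": 24, "type": {"kind": "struct", "name": "seq_operations"}},
}}}}
ISF_NEW_LAYOUT = {"user_types": {"tcp_seq_afinfo": {"kind": "struct", "size": 2, "fields": {
    "family": {"offset": 0, "type": {"kind": "base", "name": "unsigned short"}},
}}}}

if __name__ == "__main__":
    import sys
    # Check the symbol files given on the command line, or the constructed samples.
    tables = {p: load_isf(p) for p in sys.argv[1:]} or {
        "constructed-old": ISF_OLD_LAYOUT, "constructed-new": ISF_NEW_LAYOUT}
    for label, isf in tables.items():
        gaps = missing_members(isf, CHECK_AFINFO_REQUIRES)
        verdict = "ok" if not gaps else "missing " + ", ".join(f"{s}.{m}" for s, m in gaps)
        print(f"{label}: {verdict}")
```

Running it against a symbol file before starting an analysis shows up front whether the plugin would fail with the AttributeError above instead of producing results.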
Same issue for version 4.18.0-425.10.1. Kindly have a look.
This issue is stale because it has been open for 200 days with no activity.
Did we ever get this resolved @atcuno?
Hasn't this plugin been replaced by: https://github.com/AsafEitani/rootkit_plugins/blob/main/plugins/check_seqops.py, at least for kernels after https://elixir.bootlin.com/linux/v4.17.19/source/include/net/tcp.h ?
Having the same issue, any update here?