[Vol-users] problem with linux_check_afinfo and others rootkit plugins

bellissimopython at email.it bellissimopython at email.it
Thu Sep 13 12:13:31 CDT 2012


Hi,
I have the following problem:

# python vol.py -f ../DUMP_ram/DUMP_130912.lime --profile=LinuxUbuntu1204x86
linux_check_afinfo
Volatile Systems Volatility Framework 2.2_rc1
Symbol Name                                Member                        
Address   
------------------------------------------ ------------------------------
----------
WARNING : volatility.obj      : Cant find object tcp_seq_afinfo in profile
<volatility.plugins.overlays.linux.linux.LinuxUbuntu1204x86 object at
0x9bbc5ac>?
Traceback (most recent call last):
  File "vol.py", line 186, in <module>
    main()
  File "vol.py", line 177, in main
    command.execute()
  File
"/home/luigi/SOURCES/volatilitux_new/volatility-2.2-rc1/volatility/plugins/linux/common.py",
line 51, in execute
    commands.Command.execute(self, *args, **kwargs)
  File
"/home/luigi/SOURCES/volatilitux_new/volatility-2.2-rc1/volatility/commands.py",
line 111, in execute
    func(outfd, data)
  File
"/home/luigi/SOURCES/volatilitux_new/volatility-2.2-rc1/volatility/plugins/linux/check_afinfo.py",
line 82, in render_text
    for (what, member, address) in data:
  File
"/home/luigi/SOURCES/volatilitux_new/volatility-2.2-rc1/volatility/plugins/linux/check_afinfo.py",
line 73, in calculate
    for (name, member, address) in self.check_afinfo(global_var_name,
global_var, op_members, seq_members, modules):
  File
"/home/luigi/SOURCES/volatilitux_new/volatility-2.2-rc1/volatility/plugins/linux/check_afinfo.py",
line 41, in check_afinfo
    for (hooked_member, hook_address) in self.check_members(var.seq_fops,
var_name, op_members,  modules):
AttributeError: 'NoneType' object has no attribute 'seq_fops'


Also, I want to report that the volatility-2.2-rc1 package does not have the
tools/linux folder, so it is not possible to build the dwarf module. Anyway, I
have copied it from the git/alpha release.

And finally, I want to ask something about the rootkit detection plugins. For
example, does the following mean that everything is OK?

# python vol.py -f ../DUMP_ram/DUMP_130912.lime --profile=LinuxUbuntu1204x86
linux_check_creds
Volatile Systems Volatility Framework 2.2_rc1
PIDs    
--------
#


and the following:

# python vol.py -f ../DUMP_ram/DUMP_130912.lime --profile=LinuxUbuntu1204x86
linux_check_idt
Volatile Systems Volatility Framework 2.2_rc1
     Index Address    Symbol                        
---------- ---------- ------------------------------
       0x0 0xc1575024 divide_error                  
       0x1 0xc15750bc debug                         
       0x2 0xc1575114 nmi                           
       0x3 0xc1575234 int3                          
       0x4 0xc1574fd4 overflow                      
       0x5 0xc1574fe0 bounds                        
       0x6 0xc1574fec invalid_op                    
       0x7 0xc1574fc0 device_not_available          
       0x8 0x00000000 VDSO32_PRELINK                
       0x9 0xc1574ff8 coprocessor_segment_overrun   
       0xa 0xc1575004 invalid_TSS                   
       0xb 0xc157500c segment_not_present           
       0xc 0xc1575014 stack_segment                 
       0xd 0xc157526c general_protection            
       0xe 0xc1575048 page_fault                    
       0xf 0xc157503c spurious_interrupt_bug        
      0x10 0xc1574fa8 coprocessor_error             
      0x11 0xc157501c alignment_check               
      0x12 0xc1575030 machine_check                 
      0x13 0xc1574fb4 simd_coprocessor_error        
      0x80 0xc15749b8 system_call                   
# 

Thanks very much
luigi
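The linux_check_idt table in the post is easier to judge with a small check than by eye: on an unhooked kernel every interrupt handler should resolve to an address inside the kernel's own text segment, and the standard exception vectors plus the 0x80 syscall gate should all be present. The following script is an added example, not code from the original post or from the Volatility project. It parses output in the shape linux_check_idt prints, flags handlers that fall outside an assumed kernel text range (the bounds below are placeholders; in practice take _text and _etext from the System.map the profile was built from), and reports expected vectors that are missing. The sample table is constructed: four rows copy the shape of the real output and the 0x81 row is invented so the checker has something to flag. Vector 8 is skipped because on 32-bit x86 the double-fault entry is a task gate, so its address field is not a handler pointer, which is why it resolves to a zero-valued symbol in the post.

```python
import re

# Constructed sample in the shape of linux_check_idt's text output. The 0x81
# row is invented so that the range check below has something to flag.
SAMPLE_IDT_OUTPUT = """\
     Index Address    Symbol
---------- ---------- ------------------------------
       0x0 0xc1575024 divide_error
       0x8 0x00000000 VDSO32_PRELINK
       0xe 0xc1575048 page_fault
      0x80 0xc15749b8 system_call
      0x81 0xf8a3c000 some_module_symbol
"""

# Assumed kernel text bounds (placeholder values). For a real dump, take
# _text and _etext from the System.map the profile was generated from.
KERNEL_TEXT = (0xC1000000, 0xC1700000)

# On 32-bit x86 the double-fault vector (8) is a task gate, so its address
# field is not a handler pointer; it is excluded from the range check.
TASK_GATE_VECTORS = frozenset([0x8])

# Vectors that an x86-32 Linux IDT is expected to populate: the architectural
# exceptions 0x0..0x13 and the legacy int 0x80 system call gate.
EXPECTED_VECTORS = frozenset(list(range(0x14)) + [0x80])

# One table row: index, handler address, resolved symbol.
IDT_ROW = re.compile(r"^\s*(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+(\S+)\s*$")


def parse_idt_output(text):
    """Return (index, address, symbol) tuples from linux_check_idt text output.

    Header and divider lines do not match the row pattern and are skipped.
    """
    rows = []
    for line in text.splitlines():
        m = IDT_ROW.match(line)
        if m:
            rows.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3)))
    return rows


def flag_idt_entries(rows, kernel_text=KERNEL_TEXT, task_gates=TASK_GATE_VECTORS):
    """Return rows whose handler address lies outside the kernel text segment.

    A handler pointing into a loadable module or into non-kernel memory is
    the classic sign of an IDT hook and deserves a closer look.
    """
    lo, hi = kernel_text
    findings = []
    for index, address, symbol in rows:
        if index in task_gates:
            continue
        if not (lo <= address < hi):
            findings.append((index, address, symbol))
    return findings


def missing_vectors(rows, expected=EXPECTED_VECTORS):
    """Return expected vectors that do not appear in the parsed table."""
    present = set(index for index, _, _ in rows)
    return sorted(expected - present)


if __name__ == "__main__":
    rows = parse_idt_output(SAMPLE_IDT_OUTPUT)
    for index, address, symbol in flag_idt_entries(rows):
        print("vector 0x%x -> 0x%08x (%s) is outside kernel text" % (index, address, symbol))
    print("missing vectors: %s" % ", ".join("0x%x" % v for v in missing_vectors(rows)))
```

Run against the full table from the post (with the real _text/_etext bounds), the range check should return nothing and the missing-vector list should be empty; the constructed sample above returns the 0x81 row and a long missing list only because it is a fragment.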