[Vol-users] problem with linux_check_afinfo and others rootkit plugins

bellissimopython at email.it bellissimopython at email.it
Thu Sep 13 12:13:31 CDT 2012

I have the following problem:

# python vol.py -f ../DUMP_ram/DUMP_130912.lime --profile=LinuxUbuntu1204x86
Volatile Systems Volatility Framework 2.2_rc1
Symbol Name                                Member                        
------------------------------------------ ------------------------------
WARNING : volatility.obj      : Cant find object tcp_seq_afinfo in profile
<volatility.plugins.overlays.linux.linux.LinuxUbuntu1204x86 object at
Traceback (most recent call last):
  File "vol.py", line 186, in <module>
  File "vol.py", line 177, in main
line 51, in execute
    commands.Command.execute(self, *args, **kwargs)
line 111, in execute
    func(outfd, data)
line 82, in render_text
    for (what, member, address) in data:
line 73, in calculate
    for (name, member, address) in self.check_afinfo(global_var_name,
global_var, op_members, seq_members, modules):
line 41, in check_afinfo
    for (hooked_member, hook_address) in self.check_members(var.seq_fops,
var_name, op_members,  modules):
AttributeError: 'NoneType' object has no attribute 'seq_fops'

Also I want to report that the volatility-2.2-rc1 package does not have the
tools/linux folder, so it is not possible to build the dwarf module. Anyway I
have copied it from the git/alpha release.

And finally I want to ask something about the rootkit detection plugins. For
example, does the following mean that everything is ok?

# python vol.py -f ../DUMP_ram/DUMP_130912.lime --profile=LinuxUbuntu1204x86
Volatile Systems Volatility Framework 2.2_rc1

and the following:

# python vol.py -f ../DUMP_ram/DUMP_130912.lime --profile=LinuxUbuntu1204x86
Volatile Systems Volatility Framework 2.2_rc1
     Index Address    Symbol                        
---------- ---------- ------------------------------
       0x0 0xc1575024 divide_error                  
       0x1 0xc15750bc debug                         
       0x2 0xc1575114 nmi                           
       0x3 0xc1575234 int3                          
       0x4 0xc1574fd4 overflow                      
       0x5 0xc1574fe0 bounds                        
       0x6 0xc1574fec invalid_op                    
       0x7 0xc1574fc0 device_not_available          
       0x8 0x00000000 VDSO32_PRELINK                
       0x9 0xc1574ff8 coprocessor_segment_overrun   
       0xa 0xc1575004 invalid_TSS                   
       0xb 0xc157500c segment_not_present           
       0xc 0xc1575014 stack_segment                 
       0xd 0xc157526c general_protection            
       0xe 0xc1575048 page_fault                    
       0xf 0xc157503c spurious_interrupt_bug        
      0x10 0xc1574fa8 coprocessor_error             
      0x11 0xc157501c alignment_check               
      0x12 0xc1575030 machine_check                 
      0x13 0xc1574fb4 simd_coprocessor_error        
      0x80 0xc15749b8 system_call                   

Thanks very much
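The traceback above ends in `AttributeError: 'NoneType' object has no attribute 'seq_fops'` because the profile lookup for `tcp_seq_afinfo` returned `None` (the preceding WARNING says the profile has no such object) and the plugin dereferenced it anyway. The following is an added example, not Volatility's own code and not from the poster: it models the two checks being discussed in a simplified form, with constructed addresses and symbol data. The `check_afinfo` function reports a missing symbol instead of crashing and flags `seq_fops` function pointers that lie outside the kernel text range and every loaded module, which is what "hooked" means in this kind of check. The `check_idt` function parses listing lines in the format printed above and applies the same range test to IDT handler addresses; the kernel text range, the module list and the extra IDT line at index 0x2e are assumptions made for the example, and entries with address 0 carry no handler address to test and are skipped.

```python
"""Simplified, self-contained model of the afinfo and IDT function-pointer
checks discussed in the thread (constructed example, not Volatility code)."""
import re
from collections import namedtuple

ModuleRange = namedtuple("ModuleRange", "name start end")

# Constructed kernel text range and loaded-module list for the example.
KERNEL_TEXT = (0xC1000000, 0xC1600000)
MODULES = [ModuleRange("lime", 0xF8000000, 0xF8010000)]
OP_MEMBERS = ("llseek", "read", "show")

# Constructed stand-in for what a profile lookup returns: a dict per symbol
# (tcp6_seq_afinfo is deliberately absent, like tcp_seq_afinfo in the report).
SYMBOLS = {
    "tcp_seq_afinfo": {"seq_fops": {"llseek": 0xC1100A10,
                                    "read": 0xF7F0ABCD,   # outside kernel + modules
                                    "show": 0xC13A1234}},
    "udp_seq_afinfo": {"seq_fops": {"llseek": 0xC1100A10,
                                    "read": 0xC11EF000,
                                    "show": 0xC13A1300}},
}


def address_is_known(addr, kernel_text, modules):
    """True if addr lies inside the kernel text segment or a loaded module."""
    lo, hi = kernel_text
    if lo <= addr < hi:
        return True
    return any(m.start <= addr < m.end for m in modules)


def check_members(ops, op_members, kernel_text, modules):
    """Yield (member, address) for function pointers pointing outside the
    kernel and all modules; NULL pointers dispatch nothing and are skipped."""
    for member in op_members:
        addr = ops.get(member)
        if not addr:
            continue
        if not address_is_known(addr, kernel_text, modules):
            yield member, addr


def check_afinfo(symbols, var_name, op_members, kernel_text, modules):
    """Resolve a global such as tcp_seq_afinfo and examine its seq_fops.
    A symbol the profile does not know is reported, never dereferenced."""
    var = symbols.get(var_name)
    if var is None:
        return {"symbol": var_name, "status": "symbol-missing", "hooks": []}
    hooks = list(check_members(var["seq_fops"], op_members, kernel_text, modules))
    return {"symbol": var_name,
            "status": "hooked" if hooks else "clean",
            "hooks": hooks}


# Lines copied from the linux_check_idt output above plus one constructed
# entry (0x2e) whose handler address falls outside every known range.
IDT_SAMPLE = """\
     Index Address    Symbol
---------- ---------- ------------------------------
       0x0 0xc1575024 divide_error
       0x8 0x00000000 VDSO32_PRELINK
      0x2e 0xf7e01000 unknown
      0x80 0xc15749b8 system_call
"""

IDT_LINE = re.compile(r"^\s*(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+(\S+)")


def parse_idt(text):
    """Return (index, address, symbol) tuples from listing lines; header and
    separator lines do not match and are ignored."""
    entries = []
    for line in text.splitlines():
        m = IDT_LINE.match(line)
        if m:
            entries.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3)))
    return entries


def check_idt(text, kernel_text, modules):
    """Return IDT entries whose handler lies outside the kernel and modules.
    Address 0 has no handler to test and is left out of the result."""
    return [(idx, addr, sym) for idx, addr, sym in parse_idt(text)
            if addr != 0 and not address_is_known(addr, kernel_text, modules)]


if __name__ == "__main__":
    for name in ("tcp_seq_afinfo", "udp_seq_afinfo", "tcp6_seq_afinfo"):
        print(check_afinfo(SYMBOLS, name, OP_MEMBERS, KERNEL_TEXT, MODULES))
    for idx, addr, sym in check_idt(IDT_SAMPLE, KERNEL_TEXT, MODULES):
        print("IDT %#x -> %#x (%s) outside kernel and modules" % (idx, addr, sym))
```

With this data the run reports `tcp_seq_afinfo` as hooked on `read`, `udp_seq_afinfo` as clean, `tcp6_seq_afinfo` as missing from the profile, and IDT entry 0x2e as the only suspicious handler. Empty output from a plugin built this way means no pointer failed the range test for the symbols the profile could resolve, which is only as complete as the profile itself: a symbol the profile cannot find is never examined, so the WARNING line in the report matters as much as the table.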