Fwd: [Vol-users] problem with linux_check_afinfo and others rootkit plugins

Andrew Case atcuno at gmail.com
Thu Sep 13 12:23:58 CDT 2012


Replying to the list this time ;)


---------- Forwarded message ----------
From: Andrew Case <atcuno at gmail.com>
Date: Thu, Sep 13, 2012 at 12:22 PM
Subject: Re: [Vol-users] problem with linux_check_afinfo and others rootkit plugins
To: bellissimopython at email.it


Hello,

1) Where did you get the Ubuntu profile? It says it's missing the
tcp_seq_afinfo structure.

2) Yes, no output means nothing was detected

3) For check_idt and check_syscall, the output will say HOOKED instead
of the symbol name if an entry is hooked.

Write back if you have any more questions.

Thanks,
Andrew

On Thu, Sep 13, 2012 at 12:13 PM,  <bellissimopython at email.it> wrote:
> Hi,
> I have the following problem:
>
> # python vol.py -f ../DUMP_ram/DUMP_130912.lime --profile=LinuxUbuntu1204x86 linux_check_afinfo
> Volatile Systems Volatility Framework 2.2_rc1
> Symbol Name                                Member                         Address
> ------------------------------------------ ------------------------------ ----------
> WARNING : volatility.obj      : Cant find object tcp_seq_afinfo in profile <volatility.plugins.overlays.linux.linux.LinuxUbuntu1204x86 object at 0x9bbc5ac>?
> Traceback (most recent call last):
>   File "vol.py", line 186, in <module>
>     main()
>   File "vol.py", line 177, in main
>     command.execute()
>   File "/home/luigi/SOURCES/volatilitux_new/volatility-2.2-rc1/volatility/plugins/linux/common.py", line 51, in execute
>     commands.Command.execute(self, *args, **kwargs)
>   File "/home/luigi/SOURCES/volatilitux_new/volatility-2.2-rc1/volatility/commands.py", line 111, in execute
>     func(outfd, data)
>   File "/home/luigi/SOURCES/volatilitux_new/volatility-2.2-rc1/volatility/plugins/linux/check_afinfo.py", line 82, in render_text
>     for (what, member, address) in data:
>   File "/home/luigi/SOURCES/volatilitux_new/volatility-2.2-rc1/volatility/plugins/linux/check_afinfo.py", line 73, in calculate
>     for (name, member, address) in self.check_afinfo(global_var_name, global_var, op_members, seq_members, modules):
>   File "/home/luigi/SOURCES/volatilitux_new/volatility-2.2-rc1/volatility/plugins/linux/check_afinfo.py", line 41, in check_afinfo
>     for (hooked_member, hook_address) in self.check_members(var.seq_fops, var_name, op_members,  modules):
> AttributeError: 'NoneType' object has no attribute 'seq_fops'
>
>
> Also I want to report that the volatility-2.2-rc1 package does not have the
> tools/linux folder, so it is not possible to build the dwarf module. Anyway, I
> have copied it from the git/alpha release.
>
> And finally I want to ask something about the rootkit detection plugins. For
> example, does the following mean that everything is ok?
>
> # python vol.py -f ../DUMP_ram/DUMP_130912.lime --profile=LinuxUbuntu1204x86 linux_check_creds
> Volatile Systems Volatility Framework 2.2_rc1
> PIDs
> --------
> #
>
>
> and the following:
>
> # python vol.py -f ../DUMP_ram/DUMP_130912.lime --profile=LinuxUbuntu1204x86 linux_check_idt
> Volatile Systems Volatility Framework 2.2_rc1
>      Index Address    Symbol
> ---------- ---------- ------------------------------
>        0x0 0xc1575024 divide_error
>        0x1 0xc15750bc debug
>        0x2 0xc1575114 nmi
>        0x3 0xc1575234 int3
>        0x4 0xc1574fd4 overflow
>        0x5 0xc1574fe0 bounds
>        0x6 0xc1574fec invalid_op
>        0x7 0xc1574fc0 device_not_available
>        0x8 0x00000000 VDSO32_PRELINK
>        0x9 0xc1574ff8 coprocessor_segment_overrun
>        0xa 0xc1575004 invalid_TSS
>        0xb 0xc157500c segment_not_present
>        0xc 0xc1575014 stack_segment
>        0xd 0xc157526c general_protection
>        0xe 0xc1575048 page_fault
>        0xf 0xc157503c spurious_interrupt_bug
>       0x10 0xc1574fa8 coprocessor_error
>       0x11 0xc157501c alignment_check
>       0x12 0xc1575030 machine_check
>       0x13 0xc1574fb4 simd_coprocessor_error
>       0x80 0xc15749b8 system_call
> #
>
> Thanks very much
> luigi
>
> _______________________________________________
> Vol-users mailing list
> Vol-users at volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
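The three plugins discussed above (linux_check_idt, linux_check_syscall and linux_check_afinfo) reduce to the same test: take a function pointer the kernel trusts (an IDT entry, a syscall table slot, a member of a tcp_seq_afinfo's seq_fops/seq_ops) and ask whether it lands in the kernel's own text or in a module the kernel knows about; if it lands nowhere known, the row is reported as HOOKED. The script below is an added example illustrating that check, not Volatility's code and not part of either message in this thread. The kernel text range, the module range, the sample tcp4_seq_afinfo.seq_ops pointers and the final 0x80 row of the sample table are constructed for the example; in a real run the ranges come from the profile's System.map and the kernel's module list. The page's real IDT output shows vector 0x8 as 0x00000000 / VDSO32_PRELINK: on 32-bit x86 the double-fault vector is a task gate, so its offset field is zero and nearest-symbol lookup lands on VDSO32_PRELINK, an absolute symbol with value 0 in System.map. The example therefore treats a zero pointer as empty rather than hooked.

```python
"""Added example: the pointer-range check behind Volatility's Linux
check_idt / check_syscall / check_afinfo plugins (not Volatility code)."""
import re
from collections import namedtuple

Region = namedtuple("Region", "name start end")  # half-open [start, end)

# Constructed ranges for this example. A real run would take the kernel
# text range from System.map (_text .. _etext) and the module ranges from
# the kernel's module list (what linux_lsmod walks).
KERNEL_TEXT = Region("kernel", 0xC1000000, 0xC1600000)
MODULES = [Region("lime", 0xF8000000, 0xF8004000)]


def classify(addr, kernel=KERNEL_TEXT, modules=MODULES):
    """Name the code region that owns addr, or 'HOOKED' if none does."""
    if addr == 0:
        # Not a hook: vector 8 (double fault) is a task gate on 32-bit x86,
        # so its offset is 0 and symbol lookup prints VDSO32_PRELINK (== 0).
        return "EMPTY"
    if kernel.start <= addr < kernel.end:
        return kernel.name
    for mod in modules:
        if mod.start <= addr < mod.end:
            return mod.name
    return "HOOKED"


# One data row of the 'Index Address Symbol' table the plugins print.
ROW = re.compile(r"^\s*(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+(\S+)\s*$")


def parse_table(text):
    """Return (index, address, symbol) for each data row; the banner,
    header and rule lines do not match ROW and are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3)))
    return rows


def find_hooks(text, **kw):
    """(index, address) of every table row whose pointer is outside all
    known code regions, regardless of what the Symbol column says."""
    return [(idx, addr) for idx, addr, _ in parse_table(text)
            if classify(addr, **kw) == "HOOKED"]


def check_members(var_name, members, **kw):
    """The per-structure test check_afinfo applies to seq_fops/seq_ops:
    members maps member name -> function pointer; hooked ones come back
    as (variable, member, address) like the plugin's output columns."""
    return [(var_name, member, addr)
            for member, addr in sorted(members.items())
            if classify(addr, **kw) == "HOOKED"]


# Sample table: first rows copied from the page's real output, the 0x80
# row constructed with a pointer outside the kernel and every module.
SAMPLE_IDT = """Volatile Systems Volatility Framework 2.2_rc1
     Index Address    Symbol
---------- ---------- ------------------------------
       0x0 0xc1575024 divide_error
       0x3 0xc1575234 int3
       0x8 0x00000000 VDSO32_PRELINK
      0x80 0xf8a00120 HOOKED
"""

# Constructed seq_operations pointers for tcp4_seq_afinfo.seq_ops; 'next'
# points into unowned memory, as a hook redirecting /proc/net/tcp would.
SAMPLE_SEQ_OPS = {
    "start": 0xC1403B00,
    "stop": 0xC1403B40,
    "next": 0xF8A00120,
    "show": 0xC1403A10,
}

if __name__ == "__main__":
    for idx, addr in find_hooks(SAMPLE_IDT):
        print("IDT entry 0x%x -> 0x%08x HOOKED" % (idx, addr))
    for var, member, addr in check_members("tcp4_seq_afinfo.seq_ops", SAMPLE_SEQ_OPS):
        print("%s.%s -> 0x%08x HOOKED" % (var, member, addr))
```

An empty result from find_hooks or check_members is the same "nothing detected" that an empty plugin table means; a pointer can still be legitimate and unresolvable (a module that was unloaded after patching, for instance), so a HOOKED row is a lead to follow up with linux_lsmod and a dump of the target address, not a verdict on its own.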

