Plugins break volatility

[MrNonoss]

Hi,

I wanted to try this awesome plugin, but get issues.

1 - My volatility3 (Framework 2.3.0) install is working fine on my Ubuntu memory dump
2 - I copy over the plugins volatility3/volatility3/framework/plugins/linux as asked in the documentation.
3 - The volatility3 instance breaks and I can no longer use it at all. The error is:

user@ubuntu:~/volatility3$ python3 vol.py 
Volatility 3 Framework 2.3.0
Traceback (most recent call last):
  File "vol.py", line 10, in <module>
    volatility3.cli.main()
  File "/home/machiavel/volatility3/volatility3/cli/__init__.py", line 636, in main
    CommandLine().run()
  File "/home/machiavel/volatility3/volatility3/cli/__init__.py", line 232, in run
    failures = framework.import_files(volatility3.plugins,
  File "/home/machiavel/volatility3/volatility3/framework/__init__.py", line 125, in import_files
    failures += import_file(base_module.__name__ + '.' + submodule,
  File "/home/machiavel/volatility3/volatility3/framework/__init__.py", line 152, in import_file
    importlib.import_module(module)
  File "/usr/lib/python3.8/importlib/__init__.py", line 127, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 1014, in _gcd_import
  File "<frozen importlib._bootstrap>", line 991, in _find_and_load
  File "<frozen importlib._bootstrap>", line 975, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 671, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 848, in exec_module
  File "<frozen importlib._bootstrap>", line 219, in _call_with_frames_removed
  File "/home/machiavel/volatility3/volatility3/framework/plugins/linux/ifconfig.py", line 14, in <module>
    class Ifconfig(interfaces.plugins.PluginInterface):
  File "/home/machiavel/volatility3/volatility3/framework/plugins/linux/ifconfig.py", line 31, in Ifconfig
    vmlinux_module_name: str) -> Iterable[Tuple[int, symbols.linux.extensions.net_device]]:
AttributeError: module 'volatility3.framework.symbols.linux.extensions' has no attribute 'net_device'

4 - To fix the issue and retrieve a working volatility, i used git clean -xdf
5 - I tried again, without replacing the existing plugins (just copying new ones), with the same issue.

Any idea on what's going on?
Thanks a lot

[oshaked1]

Hi, have you copied the files under volatility3 changes as well? They contain some framework extensions that are required by the plugins.

[MrNonoss]

I forgot at first, but then I did and still have issues:

Volatility 3 Framework 2.3.0
Traceback (most recent call last):
  File "vol.py", line 10, in <module>
    volatility3.cli.main()
  File "/home/machiavel/volatility3/volatility3/cli/__init__.py", line 636, in main
    CommandLine().run()
  File "/home/machiavel/volatility3/volatility3/cli/__init__.py", line 232, in run
    failures = framework.import_files(volatility3.plugins,
  File "/home/machiavel/volatility3/volatility3/framework/__init__.py", line 125, in import_files
    failures += import_file(base_module.__name__ + '.' + submodule,
  File "/home/machiavel/volatility3/volatility3/framework/__init__.py", line 152, in import_file
    importlib.import_module(module)
  File "/usr/lib/python3.8/importlib/__init__.py", line 127, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 1014, in _gcd_import
  File "<frozen importlib._bootstrap>", line 991, in _find_and_load
  File "<frozen importlib._bootstrap>", line 975, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 671, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 848, in exec_module
  File "<frozen importlib._bootstrap>", line 219, in _call_with_frames_removed
  File "/home/machiavel/volatility3/volatility3/plugins/linux/mount.py", line 9, in <module>
    from volatility3.plugins.linux import pslist
  File "/home/machiavel/volatility3/volatility3/plugins/linux/pslist.py", line 59, in <module>
    class PsList(interfaces.plugins.PluginInterface):
  File "/home/machiavel/volatility3/volatility3/plugins/linux/pslist.py", line 111, in PsList
    task: symbols.linux.extensions.task_struct,
AttributeError: module 'volatility3.framework.symbols' has no attribute 'linux'

[oshaked1]

According to the last output you have placed the plugins in the volatility3/volatility3/plugins/linux directory. They need to be placed in the volatility3/volatility3/framework/plugins/linux directory together with the rest of the plugins.

[MrNonoss]

How, my deepest apologies.
You are right. No errors now.

Thank you so much for your help.