microvmi fails to initialize on Xen 4.20.1 (missing symbol xc_domain_getinfo)

[X-m7]

When I tried to use Volatility3 and the microvmi Python plugin to inspect a Windows 10 2004/20H1 VM, I see a volatility3.framework.exceptions.OfflineException error message, followed by some other errors. After enabling verbose output, I noticed that /lib/libxenctrl.so appears to be missing the xc_domain_getinfo symbol, and it appears that it was intentionally removed starting from Xen 4.18.0: https://gitlab.com/xen-project/xen/-/commit/31c65549746179e16cf3f82b694b4b1e0b7545ca

So, it seems like either libmicrovmi or one of its dependencies needs to be updated to avoid using that removed symbol?

In case it matters I am using version 0.2.15 of the microvmi PyPI package, Volatility3 2.26.2 as well as Xen 4.20.1 from the DRAKVUF automated build on Ubuntu 24.04, in a virtual machine hosted by QEMU/KVM (the nested virtualization setup was working with Ubuntu 20.04, Volatility3 2.0.1, microvmi 0.2.10 from PyPI and Xen 4.17.0 from the DRAKVUF 1.0 build, and I am currently trying to move that setup over to Ubuntu 24.04).

Below is the output I got from the command RUST_LOG=debug sudo -E ./vol.py -vvv --plugin-dirs /home/drak/analyser/deps/venv/lib/python3.12/site-packages/microvmi/volatility --single-location "vmi://Xen/?vm_name=test-w10" windows.pslist for reference:

Volatility 3 Framework 2.26.2
INFO     volatility3.cli: Volatility plugins path: ['/home/drak/analyser/deps/venv/lib/python3.12/site-packages/microvmi/volatility', '/home/drak/analyser/deps/volatility3-2.26.2/volatility3/plugins', '/home/drak/analyser/deps/volatility3-2.26.2/volatility3/framework/plugins']
INFO     volatility3.cli: Volatility symbols path: ['/home/drak/analyser/deps/volatility3-2.26.2/volatility3/symbols', '/home/drak/analyser/deps/volatility3-2.26.2/volatility3/framework/symbols']
DEBUG    volatility3.plugins.yarascan: Using yara-python module
INFO     volatility3.framework.automagic: Detected a windows category plugin
INFO     volatility3.framework.automagic: Running automagic: ConstructionMagic
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList
INFO     volatility3.framework.automagic: Running automagic: SymbolCacheMagic
INFO     volatility3.framework.automagic: Running automagic: LayerStacker
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
[2025-12-01T09:55:50Z INFO  pymicrovmi] Microvmi Python init
[2025-12-01T09:55:50Z DEBUG pymicrovmi] Microvmi Python init driver_type: Some(2), init_param: Some(DriverInitParamsPy { common: Some(CommonInitParamsPy { vm_name: "test-w10" }), kvm: None, memflow: None })
[2025-12-01T09:55:50Z INFO  microvmi] Microvmi init
[2025-12-01T09:55:50Z DEBUG microvmi] Microvmi init params: Some(
        DriverInitParams {
            common: Some(
                CommonInitParams {
                    vm_name: "test-w10",
                },
            ),
            xen: None,
            kvm: None,
            memflow: None,
            virtualbox: None,
        },
    )
[2025-12-01T09:55:50Z INFO  xenstore_rs::libxenstore] Loading libxenstore.so
[2025-12-01T09:55:50Z DEBUG microvmi::driver::xen] Xenstore entry: [0] Domain-0
[2025-12-01T09:55:50Z DEBUG microvmi::driver::xen] Xenstore entry: [9] test-w10
[2025-12-01T09:55:50Z INFO  xenctrl::libxenctrl] Loading libxenctrl.so
[2025-12-01T09:55:50Z DEBUG microvmi] Some(Xen) driver initialization failed: /lib/libxenctrl.so: undefined symbol: xc_domain_getinfo
INFO     volatility3.framework.layers.resources: Cannot access vmi://Xen/?vm_name=test-w10 due to /lib/libxenctrl.so: undefined symbol: xc_domain_getinfo - Setting OFFLINE
INFO     volatility3.framework.automagic: Running automagic: WinSwapLayers
INFO     volatility3.framework.automagic: Running automagic: KernelPDBScanner
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
INFO     volatility3.framework.automagic.pdbscan: No suitable kernels found during pdbscan
INFO     volatility3.framework.automagic: Running automagic: SymbolFinder
INFO     volatility3.framework.automagic: Running automagic: KernelModule
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
WARNING  volatility3.framework.plugins: Automagic exception occurred: volatility3.framework.exceptions.OfflineException: Volatility 3 is offline: unable to access vmi://Xen/?vm_name=test-w10
DETAIL 1 volatility3.framework.plugins: Traceback (most recent call last):
  File "/home/drak/analyser/deps/volatility3-2.26.2/volatility3/framework/layers/resources.py", line 139, in open
    fp = urllib.request.urlopen(url, context=self._context)
         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/urllib/request.py", line 215, in urlopen
    return opener.open(url, data, timeout)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/urllib/request.py", line 515, in open
    response = self._open(req, data)
               ^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/urllib/request.py", line 532, in _open
    result = self._call_chain(self.handle_open, protocol, protocol +
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/urllib/request.py", line 492, in _call_chain
    result = func(*args)
             ^^^^^^^^^^^
  File "/home/drak/analyser/deps/venv/lib/python3.12/site-packages/microvmi/volatility/vmi_handler.py", line 54, in vmi_open
    micro = Microvmi(driver_type, init_params)
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "//home/drak/analyser/deps/venv/lib/python3.12/site-packages/microvmi/microvmi.py", line 48, in __init__
    self._micro = MicrovmiExt(drv_type_ext, init_params)
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
ValueError: /lib/libxenctrl.so: undefined symbol: xc_domain_getinfo

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/drak/analyser/deps/volatility3-2.26.2/volatility3/framework/automagic/__init__.py", line 138, in run
    automagic(context, config_path, requirement, progress_callback)
  File "/home/drak/analyser/deps/volatility3-2.26.2/volatility3/framework/automagic/stacker.py", line 74, in __call__
    self.stack(context, config_path, requirement, progress_callback)
  File "/home/drak/analyser/deps/volatility3-2.26.2/volatility3/framework/automagic/stacker.py", line 122, in stack
    physical_layer = physical.FileLayer(
                     ^^^^^^^^^^^^^^^^^^^
  File "/home/drak/analyser/deps/volatility3-2.26.2/volatility3/framework/layers/physical.py", line 111, in __init__
    _ = self._file
        ^^^^^^^^^^
  File "/home/drak/analyser/deps/volatility3-2.26.2/volatility3/framework/layers/physical.py", line 124, in _file
    self._file_ = self._file_ or self._accessor.open(self._location, mode)
                                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/drak/analyser/deps/volatility3-2.26.2/volatility3/framework/layers/resources.py", line 159, in open
    raise exceptions.OfflineException(url)
volatility3.framework.exceptions.OfflineException: Volatility 3 is offline: unable to access vmi://Xen/?vm_name=test-w10


Unsatisfied requirement plugins.PsList.kernel.layer_name: 
Unsatisfied requirement plugins.PsList.kernel.symbol_table_name: 

A translation layer requirement was not fulfilled.  Please verify that:
	A file was provided to create this layer (by -f, --single-location or by config)
	The file exists and is readable
	The file is a valid memory image and was acquired cleanly

A symbol table requirement was not fulfilled.  Please verify that:
	The associated translation layer requirement was fulfilled
	You have the correct symbol file for the requirement
	The symbol file is under the correct directory or zip file
	The symbol file is named appropriately or contains the correct banner

Unable to validate the plugin requirements: ['plugins.PsList.kernel.layer_name', 'plugins.PsList.kernel.symbol_table_name']

[Wenzel]

Thanks for the detailed report and for digging into the Xen changes !

Root cause

On Xen ≥ 4.18, the legacy xc_domain_getinfo() symbol has been removed from libxenctrl.so, which is exactly what your error shows:

/lib/libxenctrl.so: undefined symbol: xc_domain_getinfo

libmicrovmi’s Xen backend still calls that function (via the xenctrl wrapper), so when the Python extension is loaded, the dynamic linker can’t resolve xc_domain_getinfo and the import fails.

Proposed fix

The modern and compatible way forward is to switch to xc_domain_getinfolist(), which has been available for a long time and is what LibVMI uses as well.

Concretely:

1. Stop using the removed API

   • Drop any use of:
     • xc_domain_getinfo()
     • xc_dominfo_t

2. Use xc_domain_getinfolist() instead

   • Bind to xc_domain_getinfolist() and the newer xc_domaininfo_t type.

   • Re-implement the current domain_getinfo(domid: u32) logic in the xenctrl wrapper as:

     int n = xc_domain_getinfolist(xch, domid, 1, &info);
     if (n == 1 && info.domain == domid) {
         // found -> return info
     } else {
         // not found
     }

   • This preserves the existing Rust API (domain_getinfo -> Option<…>) while internally switching to the supported Xen API.

3. Keep the public Rust API stable

   • The change should be entirely internal to the xenctrl FFI layer:
     • same Rust function signature
     • different underlying Xen call

This should:

• Restore compatibility with Xen 4.18+ (no more undefined symbol: xc_domain_getinfo)
• Still work on older Xen versions, since xc_domain_getinfolist() has been available for a long time.

If you’d like to implement it

If you’re up for submitting a PR, the main steps are:

• Update the xenctrl bindings to:
  • remove references to xc_domain_getinfo / xc_dominfo_t
  • add/use xc_domain_getinfolist / xc_domaininfo_t

I’m happy to review a PR implementing this approach and help iterate if anything is unclear.

[Wenzel]

Hi @X-m7,
I made the necessary changes in xenctrl and libmicrovmi.

the PyPI package microvmi v0.2.16 just got published, can you retry with this version and tell me if this works as expected ?

Thanks !

[X-m7]

I can confirm that updating to microvmi 0.2.16 from PyPI makes the Volatility3 plugin work again, thanks for the fix!