[Vol-dev] DalvikVM support for Volatility

Holger Macht holger at homac.de
Tue Oct 16 09:50:59 CDT 2012


Hi,

I've uploaded a tarball [1] containing a number of Volatility plugins which
provide support for the DalvikVM and Android. I didn't provide a
patch set, because there are only new files included. However, I can do
so or can open an issue, whatever would be most convenient.

The plugins are named:
 - dalvik_find_gdvm_offset
 - dalvik_vms
 - dalvik_loaded_classes
 - dalvik_class_information
 - dalvik_find_class_instance
 - dalvik_app_mirrored

Any comments would be appreciated. This is part of a research project I
need to have finished by the end of the year, so if someone suggests
fundamental changes, I most likely won't have the immediate time to look
at it. Just wanted to provide my code, because obviously there is some
interest (cf. vol-users@).

Ideally, I could get a branch in SVN to get this integrated into
upcoming Volatility releases.

I've attached a README.dalvik which gives some meta information about
the plugins and could become a corresponding wiki article.

Thanks to Joe Sylve and Andrew Case for providing me with some initial
guidelines.

Regards,
 Holger

[1] http://www.homac.de/files/Volatility-Dalvik-support-v1.tar.bz2
-------------- next part --------------
Dalvik Support for Volatility
=============================

The following plugins are provided:

 - dalvik_find_gdvm_offset
 - dalvik_vms
 - dalvik_loaded_classes
 - dalvik_class_information
 - dalvik_find_class_instance
 - dalvik_app_mirrored

All plugins are actually Linux plugins, so they need a valid profile and
a lime [1] memory dump.

The plugins have been successfully tested on two Android devices running
Ice Cream Sandwich (ICS): Huawei Honor (U8860) and Samsung Galaxy S2
(I9100).

The Volatility 2.3-devel branch is needed. In particular, r2659 has been
verified to work properly with these plugins.


Detailed plugin description:
============================

dalvik_find_gdvm_offset
----------------------

The global struct DvmGlobals (gDvm) [2] is the foundation for all
provided plugins. To locate it in an actual memory dump, we need to know
where the data section (in which gDvm is mapped) of libdvm is mapped
within a specific process. This information can be taken from the
proc_maps plugin. For example (for zygote):

0x408f9000-0x409aa000 r-x          0 259: 1          915            2508 /system/lib/libdvm.so
0x409aa000-0x409b2000 rw-     724992 259: 1          915            2508 /system/lib/libdvm.so

So the data section starts at 0x409aa000. Within this range, gDvm can be
found. The dalvik_find_gdvm_offset scans this address space and tries to
locate gDvm and finally prints its offset. This offset can be given to
all further plugins via the '-o' switch in order to prevent rescanning,
which saves quite some time.

Optional argument: -p PID, --pid=PID
 Specify the PID of a process you know runs in a DalvikVM, for
 instance zygote. This speeds up the offset calculation.
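As an added illustration (not part of the original plugin code), the following Python parses proc_maps output like the two lines above, picks the writable libdvm mapping that holds gDvm, and turns a gDvm offset into an absolute address. It assumes the offset printed by dalvik_find_gdvm_offset is relative to the start of that rw- mapping; the sample maps text is constructed.

```python
# Constructed proc_maps sample for zygote: the two libdvm lines quoted above
# plus filler mappings. The "259: 1" spacing mirrors the plugin's output.
SAMPLE_MAPS = """\
0x40000000-0x40002000 r-x          0 259: 1          915            1337 /system/bin/linker
0x408f9000-0x409aa000 r-x          0 259: 1          915            2508 /system/lib/libdvm.so
0x409aa000-0x409b2000 rw-     724992 259: 1          915            2508 /system/lib/libdvm.so
0x409b2000-0x409b5000 rw-          0   0: 0            0               0
"""


def parse_maps(text):
    """Yield (start, end, perms, path) for each proc_maps line.

    Splitting on whitespace tolerates the odd 'major: minor' spacing; the
    path is the last field only when the mapping is file-backed.
    """
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or '-' not in fields[0]:
            continue
        start, end = (int(x, 16) for x in fields[0].split('-'))
        path = fields[-1] if fields[-1].startswith('/') else ''
        yield start, end, fields[1], path


def libdvm_data_section(text, lib='/system/lib/libdvm.so'):
    """Return (start, end) of the writable libdvm mapping, the range gDvm lives in."""
    for start, end, perms, path in parse_maps(text):
        if path == lib and perms.startswith('rw'):
            return start, end
    raise LookupError('no writable %s mapping found' % lib)


def gdvm_address(text, gdvm_offset):
    """Absolute address of gDvm for a given '-o' offset.

    Assumption (hypothetical, see lead-in): the offset is relative to the
    start of the rw- libdvm mapping. An offset outside the mapping is a
    sign the profile or dump does not match and is rejected.
    """
    start, end = libdvm_data_section(text)
    addr = start + gdvm_offset
    if not start <= addr < end:
        raise ValueError('offset 0x%x falls outside the data section' % gdvm_offset)
    return addr
```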


dalvik_vms
----------

Lists all Dalvik Virtual Machines found in the memory dump and some
additional information such as heapStartingSize, number of loaded
classes, etc. Limit to specific VMs with the '-p PID' switch.

Optional argument: -o GDVM_OFFSET (in hex)
 Specify the gDvm offset to speed up calculations. See the
 dalvik_find_gdvm_offset plugin for more information.

Optional argument: -p PID, --pid=PID
 Limit to specific VMs which correspond to the given PID.


dalvik_loaded_classes
---------------------

List all loadedClasses from a specific DalvikVM instance together with
some information. Most important is the 'Offset' column, which can be
used for listing specific class information with the
dalvik_class_information plugin.

Optional argument: -o GDVM_OFFSET (in hex)
 Specify the gDvm offset to speed up calculations. See the
 dalvik_find_gdvm_offset plugin for more information.

Optional argument: -p PID, --pid=PID
 Limit to the specific VM corresponding to the given PID.


dalvik_class_information
------------------------

List concrete information about a specific system class, such as number
of instance fields or method names.

Mandatory argument: -c CLASS_OFFSET, --class_offset=CLASS_OFFSET
 Offset of a class object within its process address space. Usually
 taken from the dalvik_loaded_classes plugin.

Mandatory argument: -p PID, --pid=PID
 This needs to match the process in which the class object of interest
 is defined. Specifically, this is the PID printed on the same row as
 the CLASS_OFFSET argument from the dalvik_loaded_classes plugin.

Optional argument: -o GDVM_OFFSET (in hex)
 Specify the gDvm offset to speed up calculations. See the
 dalvik_find_gdvm_offset plugin for more information.


dalvik_app_*
------------

Concrete instance objects (in contrast to preloaded system classes) are
allocated in the dalvik-heap of each process. So in order to analyze
specific applications together with their instance data, we need a
concrete instance object pointer. This pointer can be acquired manually,
for instance via hprof heap dumps (cf. Eclipse MAT), or by scanning.
For the latter, the dalvik_find_class_instance plugin (see below) is
provided. It takes a pointer to a system class (obtained via the
dalvik_loaded_classes plugin) and scans the dalvik heap for possibly
matching instance objects. The acquired pointer can then be passed to the
corresponding app plugins. Please note: the dalvik_find_class_instance
plugin might require quite some time (>5m) to find an appropriate
pointer.

Example plugin for reading app information: dalvik_app_mirrored

 Given an instance object ('-c'), it lists the current active article
 titles shown by the application called 'Mirrored', a news reader. Of
 course, this requires an appropriate memory dump.

Mandatory argument: -c CLASS_OFFSET, --class_offset=CLASS_OFFSET
 Offset of a concrete class instance object. The
 dalvik_find_class_instance plugin can help to find one.

Mandatory argument: -p PID, --pid=PID
 This needs to match the process in which the class object of interest
 is defined.


dalvik_find_class_instance
--------------------------

Takes a process ID and a system class offset and tries to locate
instance objects of the system class within the process's address space.

Mandatory argument: -c CLASS_OFFSET, --class_offset=CLASS_OFFSET
 Offset of a class object within its process address space. Usually
 taken from the dalvik_loaded_classes plugin.

Mandatory argument: -p PID, --pid=PID
 This needs to match the process in which the class object of interest
 is defined. Specifically, this is the PID printed on the same row as
 the CLASS_OFFSET argument from the dalvik_loaded_classes plugin.
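The heap scan described under dalvik_app_* and dalvik_find_class_instance, as an added example that is not the plugin's own code: every Dalvik Object begins with a ClassObject* clazz word, so candidate instances are 4-byte aligned words equal to the class offset. The heap buffer, its base address and the false positive are constructed; the class and instance addresses reuse the values from the session below.

```python
import struct

CLASS_OFFSET = 0x415059d0   # Lde/homac/Mirrored/ArticlesList; (from the session)
HEAP_BASE = 0x41506000      # constructed base address of the heap fragment


def build_sample_heap():
    """Constructed 4 KiB dalvik-heap fragment.

    Two real instances (clazz word followed by the 32-bit lock word), one
    unaligned occurrence of the class pointer that is not an object header,
    and an object of another class that merely stores a reference to
    ArticlesList in an instance field (a false positive a scanner cannot
    rule out without following the class layout).
    """
    heap = bytearray(0x1000)
    struct.pack_into('<II', heap, 0x0c8, CLASS_OFFSET, 0)   # -> 0x415060c8
    struct.pack_into('<II', heap, 0x400, CLASS_OFFSET, 0)   # -> 0x41506400
    struct.pack_into('<I', heap, 0x201, CLASS_OFFSET)       # unaligned, skipped
    struct.pack_into('<III', heap, 0x800, 0x414ff000, 0, CLASS_OFFSET)
    return heap


def find_class_instances(heap, heap_base, class_ptr):
    """Return addresses of aligned words equal to class_ptr.

    Like the plugin, this yields *possible* instances: the first word of a
    genuine object is its class pointer, but a field holding a reference to
    the class object produces the same bytes, so hits need verification.
    """
    needle = struct.pack('<I', class_ptr)   # ARM/ICS: 32-bit little-endian pointers
    hits = []
    pos = heap.find(needle)
    while pos != -1:
        if pos % 4 == 0:                      # object headers are word aligned
            hits.append(heap_base + pos)
        pos = heap.find(needle, pos + 1)
    return hits
```

The last hit (0x41506808) is the field inside the foreign object; passing it to an app plugin would misparse that object's fields, which is why the README calls the results "possibly matching".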


Helper modules:
===============

dalvik.py
---------

Helper functions for parsing DalvikVM objects such as java/lang/String
or array lists.


dalvik_vtypes.py (volatility/plugins/overlays/linux/)
-----------------------------------------------------

Data structure definitions and helper functions that extend them.

Explanatory Volatility session
==============================

 [...] = --profile=Linux<insert your profile here>x86 -f <insert lime memory dump here>

 $ ./vol.py [...] dalvik_find_gdvm_offset
 DvmGlobals offset
 -----------------
 0x7c58

 $ ./vol.py [...] linux_pslist | grep Mirrored
 0xe0684960 .homac.Mirrored      1547            10066           Tue, 04 Sep 2012 18:24:44 +0000

 $ ./vol.py [...] dalvik_loaded_classes -o 0x7c58 -p 1547 | grep 'ArticlesList;'
 PID   Offset     Descriptor                                                             sourceFile
 ----- ---------- ---------------------------------------------------------------------- ------------------------------
  1547 0x415059d0 Lde/homac/Mirrored/ArticlesList;                                       ArticlesList.java

 $ ./vol.py [...] dalvik_find_class_instance -p 1547 -c 0x415059d0
 SystemClass                                        Instance
 -------------------------------------------------- --------------------------------------------------
 0x415059d0                                         0x415060c8
 [...]

 $ ./vol.py [...] dalvik_app_mirrored -p 1547 -c 0x415060c8

 Nr  Title
 --- --------------------------------------------------
   1 Paralympics-Teilnehmerin Wyludda: Zweite Karriere nach Olympia-Gold
   2 Antarktis: Tourismus nicht Schuld an Pinguin-Schwund
   3 Installation in Rio: Guck mal, wer da träumt
   [...]


[1] http://code.google.com/p/lime-forensics/
[2] cf. dalvik/vm/Globals.h in ICS's source tree

