[Vol-users] Android memory image

Mike Lambert dragonforen at hotmail.com
Mon Jan 28 20:37:24 CST 2013


Hi Andrew,
 
Thanks. Does your link include the profile? That would get me started using Volatility. 
 
I have an image from an emulator now, but it isn't useful without a profile. Or is there something I'm missing? (I don't see any Linux profiles.)
(see below, after your message for output from me)
 
I am building a system to support a testing emulator for acquisition and infection. I'll use a memory image I get from it. 
Making the profile will be interesting. 
 
I thought it would be nice to get out ahead of this (Android memory analysis). I imagine the Android malware issue will heat up rather quickly this year.
 
Thanks,
Mike
 

> Date: Mon, 28 Jan 2013 20:13:13 -0600
> Subject: Re: [Vol-users] Android memory image
> From: atcuno at gmail.com
> To: dragonforen at hotmail.com
> CC: vol-users at volatilityfoundation.org
> 
> Replying to the list in case others have the same question...
> 
> As far as I know, there are not any published Android memory images.
> For our own testing, we generally use our own phones, which we obviously
> won't be sharing samples of, or we pull mem dumps from the
> emulator.
> 
> If you want to just test and use Volatility, then I can send you a
> link to an emulator memory capture, but if you want more control
> and/or are building your own plugins then I would suggest setting up
> the emulator yourself or rooting a real physical device and building a
> profile. The only downside to real devices is that you need to be able
> to build a profile, and sometimes vendors are slow to release the
> source code & config for a particular version...
> 
> On Mon, Jan 28, 2013 at 1:02 PM, Mike Lambert <dragonforen at hotmail.com> wrote:
> > I am looking for an Android memory image to use Volatility on. Does anyone
> > have (or know where I can get) a memory image I can look at?
> >
> > If you are imaging Androids, can you reply offlist?
> >
> > Thanks! Have a good week!
================================cut-here==============================
========from-mike================
 
C:\Python27\volatility-2.2>vol.py imageinfo -f \temp\Android_4-0-3_CLEAN_SDK_Emulator.mem
Volatile Systems Volatility Framework 2.2
Determining profile based on KDBG search...
          Suggested Profile(s) : No suggestion (Instantiated with no profile)
                     AS Layer1 : LimeAddressSpace (Unnamed AS)
                     AS Layer2 : FileAddressSpace (C:\temp\Android_4-0-3_CLEAN_SDK_Emulator.mem)
                      PAE type : No PAE
 
 
C:\Python27\volatility-2.2>vol.py imageinfo --info
Volatile Systems Volatility Framework 2.2

Profiles
--------
VistaSP0x64     - A Profile for Windows Vista SP0 x64
VistaSP0x86     - A Profile for Windows Vista SP0 x86
VistaSP1x64     - A Profile for Windows Vista SP1 x64
VistaSP1x86     - A Profile for Windows Vista SP1 x86
VistaSP2x64     - A Profile for Windows Vista SP2 x64
VistaSP2x86     - A Profile for Windows Vista SP2 x86
Win2003SP0x86   - A Profile for Windows 2003 SP0 x86
Win2003SP1x64   - A Profile for Windows 2003 SP1 x64
Win2003SP1x86   - A Profile for Windows 2003 SP1 x86
Win2003SP2x64   - A Profile for Windows 2003 SP2 x64
Win2003SP2x86   - A Profile for Windows 2003 SP2 x86
Win2008R2SP0x64 - A Profile for Windows 2008 R2 SP0 x64
Win2008R2SP1x64 - A Profile for Windows 2008 R2 SP1 x64
Win2008SP1x64   - A Profile for Windows 2008 SP1 x64
Win2008SP1x86   - A Profile for Windows 2008 SP1 x86
Win2008SP2x64   - A Profile for Windows 2008 SP2 x64
Win2008SP2x86   - A Profile for Windows 2008 SP2 x86
Win7SP0x64      - A Profile for Windows 7 SP0 x64
Win7SP0x86      - A Profile for Windows 7 SP0 x86
Win7SP1x64      - A Profile for Windows 7 SP1 x64
Win7SP1x86      - A Profile for Windows 7 SP1 x86
WinXPSP1x64     - A Profile for Windows XP SP1 x64
WinXPSP2x64     - A Profile for Windows XP SP2 x64
WinXPSP2x86     - A Profile for Windows XP SP2 x86
WinXPSP3x86     - A Profile for Windows XP SP3 x86

Address Spaces
--------------
AMD64PagedMemory        - Standard AMD 64-bit address space.
FileAddressSpace        - This is a direct file AS.
IA32PagedMemory         - Legacy x86 non PAE address space (to use specify --use_old_as)
IA32PagedMemoryPae      - Legacy x86 PAE address space (to use specify --use_old_as)
JKIA32PagedMemory       - Standard x86 32 bit non PAE address space.
JKIA32PagedMemoryPae    - Standard x86 32 bit PAE address space.
LimeAddressSpace        - Address space for Lime
WindowsCrashDumpSpace32 - This AS supports windows Crash Dump format
WindowsCrashDumpSpace64 - This AS supports windows Crash Dump format
WindowsHiberFileSpace32 - This is a hibernate address space for windows hibernation files.

Scanner Checks
--------------
CheckHiveSig           - Check for a registry hive signature
CheckPoolIndex         - Checks the pool index
CheckPoolSize          - Check pool block size
CheckPoolType          - Check the pool type
CheckProcess           - Check sanity of _EPROCESS
CheckSocketCreateTime  - Check that _ADDRESS_OBJECT.CreateTime makes sense
CheckThreads           - Check sanity of _ETHREAD
KPCRScannerCheck       - Checks the self referential pointers to find KPCRs
MultiPrefixFinderCheck - Checks for multiple strings per page, finishing at theoffset
MultiStringFinderCheck - Checks for multiple strings per page
PoolTagCheck           - This scanner checks for the occurance of a pool tag

Plugins
-------
apihooks            - Detect API hooks in process and kernel memory
atoms               - Print session and window station atom tables
atomscan            - Pool scanner for _RTL_ATOM_TABLE
bioskbd             - Reads the keyboard buffer from Real Mode memory
callbacks           - Print system-wide notification routines
clipboard           - Extract the contents of the windows clipboard
cmdscan             - Extract command history by scanning for _COMMAND_HISTORY
connections         - Print list of open connections [Windows XP and 2003 Only]
connscan            - Scan Physical memory for _TCPT_OBJECT objects (tcp connections)
consoles            - Extract command history by scanning for _CONSOLE_INFORMATION
crashinfo           - Dump crash-dump information
deskscan            - Poolscaner for tagDESKTOP (desktops)
devicetree          - Show device tree
dlldump             - Dump DLLs from a process address space
dlllist             - Print list of loaded dlls for each process
driverirp           - Driver IRP hook detection
driverscan          - Scan for driver objects _DRIVER_OBJECT
envars              - Display process environment variables
eventhooks          - Print details on windows event hooks
evtlogs             - Extract Windows Event Logs (XP/2003 only)
filescan            - Scan Physical memory for _FILE_OBJECT pool allocations
gahti               - Dump the USER handle type information
gditimers           - Print installed GDI timers and callbacks
gdt                 - Display Global Descriptor Table
getservicesids      - Get the names of services in the Registry and return Calculated SID
getsids             - Print the SIDs owning each process
handles             - Print list of open handles for each process
hashdump            - Dumps passwords hashes (LM/NTLM) from memory
hibinfo             - Dump hibernation file information
hivedump            - Prints out a hive
hivelist            - Print list of registry hives.
hivescan            - Scan Physical memory for _CMHIVE objects (registry hives)
idt                 - Display Interrupt Descriptor Table
imagecopy           - Copies a physical address space out as a raw DD image
imageinfo           - Identify information for the image
impscan             - Scan for calls to imported functions
kdbgscan            - Search for and dump potential KDBG values
kpcrscan            - Search for and dump potential KPCR values
ldrmodules          - Detect unlinked DLLs
linux_arp           - Print the ARP table
linux_bash          - Recover bash history from bash process memory
linux_check_afinfo  - Verifies the operation function pointers of network protocols
linux_check_creds   - Checks if any processes are sharing credential structures
linux_check_fop     - Check file operation structures for rootkit modifications
linux_check_idt     - Checks if the IDT has been altered
linux_check_modules - Compares module list to sysfs info, if available
linux_check_syscall - Checks if the system call table has been altered
linux_cpuinfo       - Prints info about each active processor
linux_dentry_cache  - Gather files from the dentry cache
linux_dmesg         - Gather dmesg buffer
linux_dump_map      - Writes selected memory mappings to disk
linux_find_file     - Recovers tmpfs filesystems from memory
linux_ifconfig      - Gathers active interfaces
linux_iomem         - Provides output similar to /proc/iomem
linux_lsmod         - Gather loaded kernel modules
linux_lsof          - Lists open files
linux_memmap        - Dumps the memory map for linux tasks
linux_mount         - Gather mounted fs/devices
linux_mount_cache   - Gather mounted fs/devices from kmem_cache
linux_netstat       - Lists open sockets
linux_pidhashtable  - Enumerates processes through the PID hash table
linux_pkt_queues    - Writes per-process packet queues out to disk
linux_proc_maps     - Gathers process maps for linux
linux_psaux         - Gathers processes along with full command line and start time
linux_pslist        - Gather active tasks by walking the task_struct->task list
linux_pslist_cache  - Gather tasks from the kmem_cache
linux_pstree        - Shows the parent/child relationship between processes
linux_psxview       - Find hidden processes with various process listings
linux_route_cache   - Recovers the routing cache from memory
linux_sk_buff_cache - Recovers packets from the sk_buff kmem_cache
linux_slabinfo      - Mimics /proc/slabinfo on a running machine
linux_tmpfs         - Recovers tmpfs filesystems from memory
linux_vma_cache     - Gather VMAs from the vm_area_struct cache
lsadump             - Dump (decrypted) LSA secrets from the registry
malfind             - Find hidden and injected code
memdump             - Dump the addressable memory for a process
memmap              - Print the memory map
messagehooks        - List desktop and thread window message hooks
moddump             - Dump a kernel driver to an executable file sample
modscan             - Scan Physical memory for _LDR_DATA_TABLE_ENTRY objects
modules             - Print list of loaded modules
mutantscan          - Scan for mutant objects _KMUTANT
netscan             - Scan a Vista, 2008 or Windows 7 image for connections and sockets
patcher             - Patches memory based on page scans
printkey            - Print a registry key, and its subkeys and values
procexedump         - Dump a process to an executable file sample
procmemdump         - Dump a process to an executable memory sample
pslist              - Print all running processes by following the EPROCESS lists
psscan              - Scan Physical memory for _EPROCESS pool allocations
pstree              - Print process list as a tree
psxview             - Find hidden processes with various process listings
raw2dmp             - Converts a physical memory sample to a windbg crash dump
screenshot          - Save a pseudo-screenshot based on GDI windows
sessions            - List details on _MM_SESSION_SPACE (user logon sessions)
shimcache           - Parses the Application Compatibility Shim Cache registry key
sockets             - Print list of open sockets
sockscan            - Scan Physical memory for _ADDRESS_OBJECT objects (tcp sockets)
ssdt                - Display SSDT entries
strings             - Match physical offsets to virtual addresses (may take a while, VERY verbose)
svcscan             - Scan for Windows services
symlinkscan         - Scan for symbolic link objects
thrdscan            - Scan physical memory for _ETHREAD objects
threads             - Investigate _ETHREAD and _KTHREADs
timers              - Print kernel timers and associated module DPCs
userassist          - Print userassist registry keys and information
userhandles         - Dump the USER handle tables
vaddump             - Dumps out the vad sections to a file
vadinfo             - Dump the VAD info
vadtree             - Walk the VAD tree and display in tree format
vadwalk             - Walk the VAD tree
volshell            - Shell in the memory image
windows             - Print Desktop Windows (verbose details)
wintree             - Print Z-Order Desktop Windows Tree
wndscan             - Pool scanner for tagWINDOWSTATION (window stations)
yarascan            - Scan process or kernel memory with Yara signatures
 
 
C:\Python27\volatility-2.2>vol.py linux_pslist -f \temp\Android_4-0-3_CLEAN_SDK_Emulator.mem
Volatile Systems Volatility Framework 2.2
Offset     Name                 Pid             Uid             Start Time
---------- -------------------- --------------- --------------- ----------
No suitable address space mapping found
Tried to open image as:
 LimeAddressSpace: lime: need base
 WindowsHiberFileSpace32: No base Address Space
 WindowsCrashDumpSpace64: No base Address Space
 WindowsCrashDumpSpace32: No base Address Space
 AMD64PagedMemory: No base Address Space
 JKIA32PagedMemory: No base Address Space
 JKIA32PagedMemoryPae: No base Address Space
 IA32PagedMemoryPae: Module disabled
 IA32PagedMemory: Module disabled
 LimeAddressSpace: Invalid Lime header signature
 WindowsHiberFileSpace32: No xpress signature found
 WindowsCrashDumpSpace64: Header signature invalid
 WindowsCrashDumpSpace32: Header signature invalid
 AMD64PagedMemory: Incompatible profile WinXPSP2x86 selected
 JKIA32PagedMemory: No valid DTB found
 JKIA32PagedMemoryPae: No valid DTB found
 IA32PagedMemoryPae: Module disabled
 IA32PagedMemory: Module disabled
 FileAddressSpace: Must be first Address Space

C:\Python27\volatility-2.2>
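What the output above shows, for readers hitting the same wall: imageinfo's "Determining profile based on KDBG search" is a Windows-only heuristic, the "Profiles" section of --info lists only Windows profiles, so Volatility fell back to its default (visible as "Incompatible profile WinXPSP2x86 selected") and the Linux plugins failed at the paging layer ("No valid DTB found"). The image itself was recognised as LiME format (AS Layer1: LimeAddressSpace). An Android image needs a Linux profile for exactly that kernel, built from the kernel's module.dwarf and System.map and zipped into volatility/plugins/overlays/linux/, then passed explicitly with --profile=Linux... The following is an added example, not code from this thread, from LiME or from Volatility: it re-implements the LiME range-header walk that LimeAddressSpace performs, so you can confirm a capture is well-formed and see how physical addresses map to file offsets before the profile problem is solved. The header layout (32 bytes, little-endian: u32 magic 0x4C694D45, u32 version 1, u64 start, u64 end inclusive, 8 reserved bytes) is taken from the LiME source; the two-range sample image built inline is constructed for the example and is not a real dump.

```python
"""Parse a LiME-format memory capture and map physical addresses to file offsets.

Added example, not from the original thread, from LiME or from Volatility.
Header layout per the LiME source (32 bytes, little-endian):
  u32 magic = 0x4C694D45 ("EMiL" as bytes on disk), u32 version = 1,
  u64 s_addr, u64 e_addr (inclusive), u8 reserved[8].
Each header is followed by (e_addr - s_addr + 1) bytes of that RAM range.
"""
import struct

LIME_MAGIC = 0x4C694D45
LIME_HEADER = struct.Struct("<IIQQ8s")   # magic, version, s_addr, e_addr, reserved
assert LIME_HEADER.size == 32


class NotLimeError(ValueError):
    """Raised when the data does not consist of valid LiME range headers."""


def parse_lime_runs(data):
    """Return [(phys_start, file_offset_of_data, length)] for each range.

    Performs the same checks LimeAddressSpace makes when it layers over the
    file: magic must match, version must be 1, end must not precede start,
    and the range must not run past the end of the file. A raw dd-style
    capture (no headers) raises NotLimeError, which is the condition
    Volatility reports as "Invalid Lime header signature".
    """
    runs = []
    offset = 0
    while offset + LIME_HEADER.size <= len(data):
        magic, version, start, end, _reserved = LIME_HEADER.unpack_from(data, offset)
        if magic != LIME_MAGIC:
            raise NotLimeError("Invalid LiME header signature at file offset 0x%x" % offset)
        if version != 1:
            raise NotLimeError("Unsupported LiME header version %d" % version)
        if end < start:
            raise NotLimeError("LiME range end 0x%x precedes start 0x%x" % (end, start))
        length = end - start + 1            # e_addr is inclusive
        data_offset = offset + LIME_HEADER.size
        if data_offset + length > len(data):
            raise NotLimeError("Truncated LiME range at file offset 0x%x" % offset)
        runs.append((start, data_offset, length))
        offset = data_offset + length       # next header sits right after the range data
    if not runs:
        raise NotLimeError("Invalid LiME header signature: file too short")
    return runs


def is_lime(data):
    """True if the whole file parses as a sequence of LiME ranges."""
    try:
        parse_lime_runs(data)
        return True
    except NotLimeError:
        return False


def phys_to_file_offset(runs, paddr):
    """Translate a physical address to a file offset, or None if unmapped.
    LiME only dumps ranges the kernel reports as System RAM, so holes such
    as the MMIO gap are expected and must not be treated as zero-filled."""
    for start, data_offset, length in runs:
        if start <= paddr < start + length:
            return data_offset + (paddr - start)
    return None


def read_phys(data, runs, paddr, size):
    """Read up to `size` bytes at physical address `paddr`, never crossing
    the end of the run that contains it. Returns None for unmapped addresses."""
    for start, data_offset, length in runs:
        if start <= paddr < start + length:
            off = data_offset + (paddr - start)
            avail = length - (paddr - start)
            return data[off:off + min(size, avail)]
    return None


def build_sample_image():
    """Constructed sample (not a real dump): two RAM ranges with a hole
    between them, the shape a LiME capture of a small emulator has."""
    ranges = [
        (0x00001000, b"A" * 0x1000),                          # 4 KiB at 0x1000
        (0x10000000, b"kernel stuff\x00" + b"\x00" * 0x100),  # second run after a hole
    ]
    img = b""
    for start, payload in ranges:
        end = start + len(payload) - 1                        # inclusive end address
        img += LIME_HEADER.pack(LIME_MAGIC, 1, start, end, b"\x00" * 8) + payload
    return img


if __name__ == "__main__":
    image = build_sample_image()
    runs = parse_lime_runs(image)
    for start, off, length in runs:
        print("phys 0x%08x-0x%08x -> file offset 0x%x (%d bytes)"
              % (start, start + length - 1, off, length))
    print(read_phys(image, runs, 0x10000000, 12))
    print("raw dd image is LiME:", is_lime(b"\x00" * 64))
```

To run it against a real capture, read the file into `data` and call parse_lime_runs on it; a file that starts with the bytes "EMiL" but still fails here is either truncated or written with a LiME version this parser does not know. Parsing the ranges does not replace the profile: once the headers check out, the remaining work is producing module.dwarf and System.map for the emulator's kernel and selecting that profile on the command line.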

