[Vol-users] Android memory image

Andrew Case atcuno at gmail.com
Mon Jan 28 20:41:47 CST 2013


Yes, I will send you links for the profile and mem image shortly.

We do not include linux profiles within the release, but they do exist
on the wiki. With that said, we currently do not have any Android ones
up, but will when 2.3 is officially released.

Also, imageinfo only supports Windows memory samples at the moment,
which is why you did not get a valid suggestion back.

On Mon, Jan 28, 2013 at 8:37 PM, Mike Lambert <dragonforen at hotmail.com> wrote:
> Hi Andrew,
>
> Thanks. Does your link include the profile? That would get me started using
> Volatility.
>
> I have an image from an emulator now, but it isn't useful without a profile.
> Or is there something I'm missing? (I don't see any Linux profiles.)
> (see below, after your message for output from me)
>
> I am building a system to sport a testing emulator for acquisitions and
> infecting. I'll use a memory image I get from it.
> Making the profile, that will be interesting.
>
> I thought it would be nice to get out ahead of this (Android memory
> analysis). I imagine the Android malware issue will heat up rather quickly
> this year.
>
> Thanks,
> Mike
>
>> Date: Mon, 28 Jan 2013 20:13:13 -0600
>> Subject: Re: [Vol-users] Android memory image
>> From: atcuno at gmail.com
>> To: dragonforen at hotmail.com
>> CC: vol-users at volatilityfoundation.org
>
>>
>> Replying to the list in case others have the same question...
>>
>> As far as I know, there are not any published Android memory images.
>> For our own testing, we generally use our own phones, which we won't
>> be sharing the samples of obviously, or we pull mem dumps from the
>> emulator.
>>
>> If you want to just test and use Volatility, then I can send you a
>> link to an emulator memory capture, but if you want more control
>> and/or are building your own plugins then I would suggest setting up
>> the emulator yourself or rooting a real physical device and building a
>> profile. The only downside to real devices is that you need to be able
>> to build a profile, and sometimes vendors are slow to release the
>> source code & config for a particular version...
>>
>> On Mon, Jan 28, 2013 at 1:02 PM, Mike Lambert <dragonforen at hotmail.com>
>> wrote:
>> > I am looking for an Android memory image to use Volatility on. Does
>> > anyone
>> > have (or know where I can get) a memory image I can look at?
>> >
>> > If you are imaging Androids, can you reply offlist?
>> >
>> > Thanks! Have a good week!
> ================================cut-here==============================
> ========from-mike================
>
> C:\Python27\volatility-2.2>vol.py imageinfo -f \temp\Android_4-0-3_CLEAN_SDK_Emulator.mem
> Volatile Systems Volatility Framework 2.2
> Determining profile based on KDBG search...
>           Suggested Profile(s) : No suggestion (Instantiated with no profile)
>                      AS Layer1 : LimeAddressSpace (Unnamed AS)
>                      AS Layer2 : FileAddressSpace (C:\temp\Android_4-0-3_CLEAN_SDK_Emulator.mem)
>                       PAE type : No PAE
>
>
> C:\Python27\volatility-2.2>vol.py imageinfo --info
> Volatile Systems Volatility Framework 2.2
>
> Profiles
> --------
> VistaSP0x64     - A Profile for Windows Vista SP0 x64
> VistaSP0x86     - A Profile for Windows Vista SP0 x86
> VistaSP1x64     - A Profile for Windows Vista SP1 x64
> VistaSP1x86     - A Profile for Windows Vista SP1 x86
> VistaSP2x64     - A Profile for Windows Vista SP2 x64
> VistaSP2x86     - A Profile for Windows Vista SP2 x86
> Win2003SP0x86   - A Profile for Windows 2003 SP0 x86
> Win2003SP1x64   - A Profile for Windows 2003 SP1 x64
> Win2003SP1x86   - A Profile for Windows 2003 SP1 x86
> Win2003SP2x64   - A Profile for Windows 2003 SP2 x64
> Win2003SP2x86   - A Profile for Windows 2003 SP2 x86
> Win2008R2SP0x64 - A Profile for Windows 2008 R2 SP0 x64
> Win2008R2SP1x64 - A Profile for Windows 2008 R2 SP1 x64
> Win2008SP1x64   - A Profile for Windows 2008 SP1 x64
> Win2008SP1x86   - A Profile for Windows 2008 SP1 x86
> Win2008SP2x64   - A Profile for Windows 2008 SP2 x64
> Win2008SP2x86   - A Profile for Windows 2008 SP2 x86
> Win7SP0x64      - A Profile for Windows 7 SP0 x64
> Win7SP0x86      - A Profile for Windows 7 SP0 x86
> Win7SP1x64      - A Profile for Windows 7 SP1 x64
> Win7SP1x86      - A Profile for Windows 7 SP1 x86
> WinXPSP1x64     - A Profile for Windows XP SP1 x64
> WinXPSP2x64     - A Profile for Windows XP SP2 x64
> WinXPSP2x86     - A Profile for Windows XP SP2 x86
> WinXPSP3x86     - A Profile for Windows XP SP3 x86
>
> Address Spaces
> --------------
> AMD64PagedMemory        - Standard AMD 64-bit address space.
> FileAddressSpace        - This is a direct file AS.
> IA32PagedMemory         - Legacy x86 non PAE address space (to use specify
> --use_old_as)
> IA32PagedMemoryPae      - Legacy x86 PAE address space (to use specify
> --use_old_as)
> JKIA32PagedMemory       - Standard x86 32 bit non PAE address space.
> JKIA32PagedMemoryPae    - Standard x86 32 bit PAE address space.
> LimeAddressSpace        - Address space for Lime
> WindowsCrashDumpSpace32 - This AS supports windows Crash Dump format
> WindowsCrashDumpSpace64 - This AS supports windows Crash Dump format
> WindowsHiberFileSpace32 - This is a hibernate address space for windows
> hibernation files.
>
> Scanner Checks
> --------------
> CheckHiveSig           - Check for a registry hive signature
> CheckPoolIndex         - Checks the pool index
> CheckPoolSize          - Check pool block size
> CheckPoolType          - Check the pool type
> CheckProcess           - Check sanity of _EPROCESS
> CheckSocketCreateTime  - Check that _ADDRESS_OBJECT.CreateTime makes sense
> CheckThreads           - Check sanity of _ETHREAD
> KPCRScannerCheck       - Checks the self referential pointers to find KPCRs
> MultiPrefixFinderCheck - Checks for multiple strings per page, finishing at the offset
> MultiStringFinderCheck - Checks for multiple strings per page
> PoolTagCheck           - This scanner checks for the occurance of a pool tag
>
> Plugins
> -------
> apihooks            - Detect API hooks in process and kernel memory
> atoms               - Print session and window station atom tables
> atomscan            - Pool scanner for _RTL_ATOM_TABLE
> bioskbd             - Reads the keyboard buffer from Real Mode memory
> callbacks           - Print system-wide notification routines
> clipboard           - Extract the contents of the windows clipboard
> cmdscan             - Extract command history by scanning for
> _COMMAND_HISTORY
> connections         - Print list of open connections [Windows XP and 2003
> Only]
> connscan            - Scan Physical memory for _TCPT_OBJECT objects (tcp
> connections)
> consoles            - Extract command history by scanning for
> _CONSOLE_INFORMATION
> crashinfo           - Dump crash-dump information
> deskscan            - Poolscaner for tagDESKTOP (desktops)
> devicetree          - Show device tree
> dlldump             - Dump DLLs from a process address space
> dlllist             - Print list of loaded dlls for each process
> driverirp           - Driver IRP hook detection
> driverscan          - Scan for driver objects _DRIVER_OBJECT
> envars              - Display process environment variables
> eventhooks          - Print details on windows event hooks
> evtlogs             - Extract Windows Event Logs (XP/2003 only)
> filescan            - Scan Physical memory for _FILE_OBJECT pool allocations
> gahti               - Dump the USER handle type information
> gditimers           - Print installed GDI timers and callbacks
> gdt                 - Display Global Descriptor Table
> getservicesids      - Get the names of services in the Registry and return Calculated SID
> getsids             - Print the SIDs owning each process
> handles             - Print list of open handles for each process
> hashdump            - Dumps passwords hashes (LM/NTLM) from memory
> hibinfo             - Dump hibernation file information
> hivedump            - Prints out a hive
> hivelist            - Print list of registry hives.
> hivescan            - Scan Physical memory for _CMHIVE objects (registry
> hives)
> idt                 - Display Interrupt Descriptor Table
> imagecopy           - Copies a physical address space out as a raw DD image
> imageinfo           - Identify information for the image
> impscan             - Scan for calls to imported functions
> kdbgscan            - Search for and dump potential KDBG values
> kpcrscan            - Search for and dump potential KPCR values
> ldrmodules          - Detect unlinked DLLs
> linux_arp           - Print the ARP table
> linux_bash          - Recover bash history from bash process memory
> linux_check_afinfo  - Verifies the operation function pointers of network
> protocols
> linux_check_creds   - Checks if any processes are sharing credential
> structures
> linux_check_fop     - Check file operation structures for rootkit
> modifications
> linux_check_idt     - Checks if the IDT has been altered
> linux_check_modules - Compares module list to sysfs info, if available
> linux_check_syscall - Checks if the system call table has been altered
> linux_cpuinfo       - Prints info about each active processor
> linux_dentry_cache  - Gather files from the dentry cache
> linux_dmesg         - Gather dmesg buffer
> linux_dump_map      - Writes selected memory mappings to disk
> linux_find_file     - Recovers tmpfs filesystems from memory
> linux_ifconfig      - Gathers active interfaces
> linux_iomem         - Provides output similar to /proc/iomem
> linux_lsmod         - Gather loaded kernel modules
> linux_lsof          - Lists open files
> linux_memmap        - Dumps the memory map for linux tasks
> linux_mount         - Gather mounted fs/devices
> linux_mount_cache   - Gather mounted fs/devices from kmem_cache
> linux_netstat       - Lists open sockets
> linux_pidhashtable  - Enumerates processes through the PID hash table
> linux_pkt_queues    - Writes per-process packet queues out to disk
> linux_proc_maps     - Gathers process maps for linux
> linux_psaux         - Gathers processes along with full command line and start time
> linux_pslist        - Gather active tasks by walking the task_struct->task
> list
> linux_pslist_cache  - Gather tasks from the kmem_cache
> linux_pstree        - Shows the parent/child relationship between processes
> linux_psxview       - Find hidden processes with various process listings
> linux_route_cache   - Recovers the routing cache from memory
> linux_sk_buff_cache - Recovers packets from the sk_buff kmem_cache
> linux_slabinfo      - Mimics /proc/slabinfo on a running machine
> linux_tmpfs         - Recovers tmpfs filesystems from memory
> linux_vma_cache     - Gather VMAs from the vm_area_struct cache
> lsadump             - Dump (decrypted) LSA secrets from the registry
> malfind             - Find hidden and injected code
> memdump             - Dump the addressable memory for a process
> memmap              - Print the memory map
> messagehooks        - List desktop and thread window message hooks
> moddump             - Dump a kernel driver to an executable file sample
> modscan             - Scan Physical memory for _LDR_DATA_TABLE_ENTRY objects
> modules             - Print list of loaded modules
> mutantscan          - Scan for mutant objects _KMUTANT
> netscan             - Scan a Vista, 2008 or Windows 7 image for connections and sockets
> patcher             - Patches memory based on page scans
> printkey            - Print a registry key, and its subkeys and values
> procexedump         - Dump a process to an executable file sample
> procmemdump         - Dump a process to an executable memory sample
> pslist              - Print all running processes by following the EPROCESS
> lists
> psscan              - Scan Physical memory for _EPROCESS pool allocations
> pstree              - Print process list as a tree
> psxview             - Find hidden processes with various process listings
> raw2dmp             - Converts a physical memory sample to a windbg crash
> dump
> screenshot          - Save a pseudo-screenshot based on GDI windows
> sessions            - List details on _MM_SESSION_SPACE (user logon
> sessions)
> shimcache           - Parses the Application Compatibility Shim Cache
> registry key
> sockets             - Print list of open sockets
> sockscan            - Scan Physical memory for _ADDRESS_OBJECT objects (tcp
> sockets)
> ssdt                - Display SSDT entries
> strings             - Match physical offsets to virtual addresses (may take
> a while, VERY verbose)
> svcscan             - Scan for Windows services
> symlinkscan         - Scan for symbolic link objects
> thrdscan            - Scan physical memory for _ETHREAD objects
> threads             - Investigate _ETHREAD and _KTHREADs
> timers              - Print kernel timers and associated module DPCs
> userassist          - Print userassist registry keys and information
> userhandles         - Dump the USER handle tables
> vaddump             - Dumps out the vad sections to a file
> vadinfo             - Dump the VAD info
> vadtree             - Walk the VAD tree and display in tree format
> vadwalk             - Walk the VAD tree
> volshell            - Shell in the memory image
> windows             - Print Desktop Windows (verbose details)
> wintree             - Print Z-Order Desktop Windows Tree
> wndscan             - Pool scanner for tagWINDOWSTATION (window stations)
> yarascan            - Scan process or kernel memory with Yara signatures
>
>
> C:\Python27\volatility-2.2>vol.py linux_pslist -f \temp\Android_4-0-3_CLEAN_SDK_Emulator.mem
> Volatile Systems Volatility Framework 2.2
> Offset     Name                 Pid             Uid             Start Time
> ---------- -------------------- --------------- --------------- ----------
> No suitable address space mapping found
> Tried to open image as:
>  LimeAddressSpace: lime: need base
>  WindowsHiberFileSpace32: No base Address Space
>  WindowsCrashDumpSpace64: No base Address Space
>  WindowsCrashDumpSpace32: No base Address Space
>  AMD64PagedMemory: No base Address Space
>  JKIA32PagedMemory: No base Address Space
>  JKIA32PagedMemoryPae: No base Address Space
>  IA32PagedMemoryPae: Module disabled
>  IA32PagedMemory: Module disabled
>  LimeAddressSpace: Invalid Lime header signature
>  WindowsHiberFileSpace32: No xpress signature found
>  WindowsCrashDumpSpace64: Header signature invalid
>  WindowsCrashDumpSpace32: Header signature invalid
>  AMD64PagedMemory: Incompatible profile WinXPSP2x86 selected
>  JKIA32PagedMemory: No valid DTB found
>  JKIA32PagedMemoryPae: No valid DTB found
>  IA32PagedMemoryPae: Module disabled
>  IA32PagedMemory: Module disabled
>  FileAddressSpace: Must be first Address Space
>
> C:\Python27\volatility-2.2>
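The address-space probe in the output above ends with "LimeAddressSpace: Invalid Lime header signature", and Andrew's point is that imageinfo's KDBG search is Windows-only, so an Android or Linux capture gets no profile suggestion no matter how it was acquired. One check an analyst can run before touching Volatility is whether the file is in LiME's own `lime` output format at all (LiME can also write `raw` and `padded` captures, which carry no headers and are read through the plain FileAddressSpace). The script below is an added example, not code from this thread or from Volatility: it parses the per-range LiME headers (layout per the LiME project's lime.h, stated here as an assumption: a packed little-endian 32-byte header per physical RAM range holding u32 magic 0x4C694D45, u32 version, u64 inclusive start address, u64 inclusive end address and 8 reserved bytes, followed by that range's bytes), reports the RAM ranges, and maps a physical address to its file offset, which is the job the LimeAddressSpace layer performs. The two-range sample dump is constructed inline.

```python
"""Triage a memory capture for the LiME header format.

Added example; not part of the Vol-users thread or of Volatility.
Assumed header layout (LiME project's lime.h): one packed 32-byte header
per physical RAM range -- u32 magic 0x4C694D45 ("LiME"), u32 version,
u64 s_addr, u64 e_addr (both inclusive), 8 reserved bytes -- followed by
the (e_addr - s_addr + 1) bytes of that range.
"""
import struct
from typing import List, Optional, Tuple

LIME_MAGIC = 0x4C694D45                    # "LiME" read as a big-endian integer
LIME_HEADER = struct.Struct("<IIQQ8s")     # little-endian, 32 bytes on disk
assert LIME_HEADER.size == 32

# (s_addr, e_addr, file offset where the range's bytes begin)
Range = Tuple[int, int, int]


def parse_lime_ranges(data: bytes) -> List[Range]:
    """Walk every LiME range header in `data`, in file order.

    Raises ValueError on a bad magic, a truncated header, an inverted range,
    or a range that claims more bytes than the file holds. A raw or padded
    capture fails the magic check at offset 0, which is the same condition
    Volatility reports as "Invalid Lime header signature".
    """
    ranges: List[Range] = []
    off = 0
    while off < len(data):
        if len(data) - off < LIME_HEADER.size:
            raise ValueError(f"truncated LiME header at offset {off:#x}")
        magic, _version, s_addr, e_addr, _reserved = LIME_HEADER.unpack_from(data, off)
        if magic != LIME_MAGIC:
            raise ValueError(f"invalid LiME magic {magic:#010x} at offset {off:#x}")
        if e_addr < s_addr:
            raise ValueError(f"range end {e_addr:#x} precedes start {s_addr:#x}")
        length = e_addr - s_addr + 1           # e_addr is inclusive
        data_off = off + LIME_HEADER.size
        if data_off + length > len(data):
            raise ValueError(f"range {s_addr:#x}-{e_addr:#x} runs past end of file")
        ranges.append((s_addr, e_addr, data_off))
        off = data_off + length                # next header follows the range data
    return ranges


def is_lime_dump(data: bytes) -> bool:
    """True if `data` parses cleanly as a LiME-format capture with >= 1 range."""
    try:
        return bool(parse_lime_ranges(data))
    except ValueError:
        return False


def physical_to_file_offset(ranges: List[Range], paddr: int) -> Optional[int]:
    """Translate a physical address to its offset in the capture file.

    Returns None when `paddr` falls in a hole between RAM ranges (MMIO,
    reserved regions), which LiME does not capture.
    """
    for s_addr, e_addr, data_off in ranges:
        if s_addr <= paddr <= e_addr:
            return data_off + (paddr - s_addr)
    return None


def build_sample_dump() -> bytes:
    """Constructed two-range LiME capture used for the demonstration.

    Range 1: 0x0-0x3FF filled with 0xAA; range 2: 0x10000-0x101FF filled
    with 0xBB; the gap between them is not present in the file.
    """
    out = b""
    for s_addr, e_addr, fill in ((0x0, 0x3FF, b"\xAA"), (0x10000, 0x101FF, b"\xBB")):
        header = LIME_HEADER.pack(LIME_MAGIC, 1, s_addr, e_addr, b"\0" * 8)
        out += header + fill * (e_addr - s_addr + 1)
    return out


if __name__ == "__main__":
    dump = build_sample_dump()
    for s_addr, e_addr, data_off in parse_lime_ranges(dump):
        print(f"RAM range {s_addr:#010x}-{e_addr:#010x} stored at file offset {data_off:#x}")
    print("physical 0x10010 ->", physical_to_file_offset(parse_lime_ranges(dump), 0x10010))
    print("physical 0x5000  ->", physical_to_file_offset(parse_lime_ranges(dump), 0x5000))
    print("4 KiB of zeros is LiME-formatted:", is_lime_dump(b"\0" * 4096))
```

A clean parse only settles how the file is laid out; as Andrew says, the profile still has to be built from the kernel source and config of the specific Android build that was imaged, and that is what linux_pslist needed and did not have here.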
