[Vol-users] Android memory image

Mike Lambert dragonforen at hotmail.com
Mon Jan 28 20:55:07 CST 2013


Great! Profile and image is very helpful. 

Ah! I saw imageinfo had 'LimeAddressSpace' listed, hence I thought it already looked for Linux. I'm getting ahead of things. 
 
(BTW, Linux profiles are here http://code.google.com/p/volatility/wiki/LinuxProfiles )
 
Many thanks again, you are always very helpful, 
Mike
 

> Date: Mon, 28 Jan 2013 20:41:47 -0600
> Subject: Re: [Vol-users] Android memory image
> From: atcuno at gmail.com
> To: dragonforen at hotmail.com
> CC: vol-users at volatilityfoundation.org
> 
> Yes, I will send you links for the profile and mem image shortly.
> 
> We do not include linux profiles within the release, but they do exist
> on the wiki. With that said, we currently do not have any Android ones
> up, but will when 2.3 is officially released.
> 
> Also, imageinfo only supports Windows memory samples at the moment,
> which is why you did not get a valid suggestion back.
> 
> On Mon, Jan 28, 2013 at 8:37 PM, Mike Lambert <dragonforen at hotmail.com> wrote:
> > Hi Andrew,
> >
> > Thanks. Does your link include the profile? That would get me started using
> > Volatility.
> >
> > I have an image from an emulator now, but it isn't useful without a profile.
> > Or is there something I'm missing? (I don't see any Linux profiles.)
> > (see below, after your message for output from me)
> >
> > I am building a system to sport a testing emulator for acquisitions and
> > infecting. I'll use a memory image I get from it.
> > Making the profile, that will be interesting.
> >
> > I thought it would be nice to get out ahead of this (Android memory
> > analysis). I imagine the Android malware issue will heat up rather quickly
> > this year.
> >
> > Thanks,
> > Mike
> >
> >> Date: Mon, 28 Jan 2013 20:13:13 -0600
> >> Subject: Re: [Vol-users] Android memory image
> >> From: atcuno at gmail.com
> >> To: dragonforen at hotmail.com
> >> CC: vol-users at volatilityfoundation.org
> >
> >>
> >> Replying to the list in case others have the same question...
> >>
> >> As far as I know, there are not any published Android memory images.
> >> For our own testing, we generally use our own phones, which we won't
> >> be sharing the samples of obviously, or we pull mem dumps from the
> >> emulator..
> >>
> >> If you want to just test and use Volatility, then I can send you a
> >> link to an emulator memory capture, but if you want more control
> >> and/or are building your own plugins then I would suggest setting up
> >> the emulator yourself or rooting a real physical device and building a
> >> profile. The only downside to real devices is that you need to be able
> >> to build a profile, and sometimes vendors are slow to release the
> >> source code & config for a particular version...
> >>
> >> On Mon, Jan 28, 2013 at 1:02 PM, Mike Lambert <dragonforen at hotmail.com>
> >> wrote:
> >> > I am looking for an Android memory image to use Volatility on. Does
> >> > anyone
> >> > have (or know where I and get) a memory image I can look at?
> >> >
> >> > If you are imaging Androids, can you reply offlist?
> >> >
> >> > Thanks! Have a good week!
> > ================================cut-here==============================
> > ========from-mike================
> >
> > C:\Python27\volatility-2.2>vol.py imageinfo -f
> > \temp\Android_4-0-3_CLEAN_SDK_Emulator.mem
> > Volatile Systems Volatility Framework 2.2
> > Determining profile based on KDBG search...
> > Suggested Profile(s) : No suggestion (Instantiated with no
> > profile)
> > AS Layer1 : LimeAddressSpace (Unnamed AS)
> > AS Layer2 : FileAddressSpace
> > (C:\temp\Android_4-0-3_CLEAN_SDK_Emulator.mem)
> > PAE type : No PAE
> >
> >
> > C:\Python27\volatility-2.2>vol.py imageinfo --info
> > Volatile Systems Volatility Framework 2.2
> >
> > Profiles
> > --------
> > VistaSP0x64 - A Profile for Windows Vista SP0 x64
> > VistaSP0x86 - A Profile for Windows Vista SP0 x86
> > VistaSP1x64 - A Profile for Windows Vista SP1 x64
> > VistaSP1x86 - A Profile for Windows Vista SP1 x86
> > VistaSP2x64 - A Profile for Windows Vista SP2 x64
> > VistaSP2x86 - A Profile for Windows Vista SP2 x86
> > Win2003SP0x86 - A Profile for Windows 2003 SP0 x86
> > Win2003SP1x64 - A Profile for Windows 2003 SP1 x64
> > Win2003SP1x86 - A Profile for Windows 2003 SP1 x86
> > Win2003SP2x64 - A Profile for Windows 2003 SP2 x64
> > Win2003SP2x86 - A Profile for Windows 2003 SP2 x86
> > Win2008R2SP0x64 - A Profile for Windows 2008 R2 SP0 x64
> > Win2008R2SP1x64 - A Profile for Windows 2008 R2 SP1 x64
> > Win2008SP1x64 - A Profile for Windows 2008 SP1 x64
> > Win2008SP1x86 - A Profile for Windows 2008 SP1 x86
> > Win2008SP2x64 - A Profile for Windows 2008 SP2 x64
> > Win2008SP2x86 - A Profile for Windows 2008 SP2 x86
> > Win7SP0x64 - A Profile for Windows 7 SP0 x64
> > Win7SP0x86 - A Profile for Windows 7 SP0 x86
> > Win7SP1x64 - A Profile for Windows 7 SP1 x64
> > Win7SP1x86 - A Profile for Windows 7 SP1 x86
> > WinXPSP1x64 - A Profile for Windows XP SP1 x64
> > WinXPSP2x64 - A Profile for Windows XP SP2 x64
> > WinXPSP2x86 - A Profile for Windows XP SP2 x86
> > WinXPSP3x86 - A Profile for Windows XP SP3 x86
> >
> > Address Spaces
> > --------------
> > AMD64PagedMemory - Standard AMD 64-bit address space.
> > FileAddressSpace - This is a direct file AS.
> > IA32PagedMemory - Legacy x86 non PAE address space (to use specify
> > --use_old_as)
> > IA32PagedMemoryPae - Legacy x86 PAE address space (to use specify
> > --use_old_as)
> > JKIA32PagedMemory - Standard x86 32 bit non PAE address space.
> > JKIA32PagedMemoryPae - Standard x86 32 bit PAE address space.
> > LimeAddressSpace - Address space for Lime
> > WindowsCrashDumpSpace32 - This AS supports windows Crash Dump format
> > WindowsCrashDumpSpace64 - This AS supports windows Crash Dump format
> > WindowsHiberFileSpace32 - This is a hibernate address space for windows
> > hibernation files.
> >
> > Scanner Checks
> > --------------
> > CheckHiveSig - Check for a registry hive signature
> > CheckPoolIndex - Checks the pool index
> > CheckPoolSize - Check pool block size
> > CheckPoolType - Check the pool type
> > CheckProcess - Check sanity of _EPROCESS
> > CheckSocketCreateTime - Check that _ADDRESS_OBJECT.CreateTime makes sense
> > CheckThreads - Check sanity of _ETHREAD
> > KPCRScannerCheck - Checks the self referential pointers to find KPCRs
> > MultiPrefixFinderCheck - Checks for multiple strings per page, finishing at
> > theoffset
> > MultiStringFinderCheck - Checks for multiple strings per page
> > PoolTagCheck - This scanner checks for the occurance of a pool tag
> >
> > Plugins
> > -------
> > apihooks - Detect API hooks in process and kernel memory
> > atoms - Print session and window station atom tables
> > atomscan - Pool scanner for _RTL_ATOM_TABLE
> > bioskbd - Reads the keyboard buffer from Real Mode memory
> > callbacks - Print system-wide notification routines
> > clipboard - Extract the contents of the windows clipboard
> > cmdscan - Extract command history by scanning for
> > _COMMAND_HISTORY
> > connections - Print list of open connections [Windows XP and 2003
> > Only]
> > connscan - Scan Physical memory for _TCPT_OBJECT objects (tcp
> > connections)
> > consoles - Extract command history by scanning for
> > _CONSOLE_INFORMATION
> > crashinfo - Dump crash-dump information
> > deskscan - Poolscaner for tagDESKTOP (desktops)
> > devicetree - Show device tree
> > dlldump - Dump DLLs from a process address space
> > dlllist - Print list of loaded dlls for each process
> > driverirp - Driver IRP hook detection
> > driverscan - Scan for driver objects _DRIVER_OBJECT
> > envars - Display process environment variables
> > eventhooks - Print details on windows event hooks
> > evtlogs - Extract Windows Event Logs (XP/2003 only)
> > filescan - Scan Physical memory for _FILE_OBJECT pool allocations
> > gahti - Dump the USER handle type information
> > gditimers - Print installed GDI timers and callbacks
> > gdt - Display Global Descriptor Table
> > getservicesids - Get the names of services in the Registry and return
> > Calcu
> > lated SID
> > getsids - Print the SIDs owning each process
> > handles - Print list of open handles for each process
> > hashdump - Dumps passwords hashes (LM/NTLM) from memory
> > hibinfo - Dump hibernation file information
> > hivedump - Prints out a hive
> > hivelist - Print list of registry hives.
> > hivescan - Scan Physical memory for _CMHIVE objects (registry
> > hives)
> > idt - Display Interrupt Descriptor Table
> > imagecopy - Copies a physical address space out as a raw DD image
> > imageinfo - Identify information for the image
> > impscan - Scan for calls to imported functions
> > kdbgscan - Search for and dump potential KDBG values
> > kpcrscan - Search for and dump potential KPCR values
> > ldrmodules - Detect unlinked DLLs
> > linux_arp - Print the ARP table
> > linux_bash - Recover bash history from bash process memory
> > linux_check_afinfo - Verifies the operation function pointers of network
> > protocols
> > linux_check_creds - Checks if any processes are sharing credential
> > structures
> > linux_check_fop - Check file operation structures for rootkit
> > modifications
> > linux_check_idt - Checks if the IDT has been altered
> > linux_check_modules - Compares module list to sysfs info, if available
> > linux_check_syscall - Checks if the system call table has been altered
> > linux_cpuinfo - Prints info about each active processor
> > linux_dentry_cache - Gather files from the dentry cache
> > linux_dmesg - Gather dmesg buffer
> > linux_dump_map - Writes selected memory mappings to disk
> > linux_find_file - Recovers tmpfs filesystems from memory
> > linux_ifconfig - Gathers active interfaces
> > linux_iomem - Provides output similar to /proc/iomem
> > linux_lsmod - Gather loaded kernel modules
> > linux_lsof - Lists open files
> > linux_memmap - Dumps the memory map for linux tasks
> > linux_mount - Gather mounted fs/devices
> > linux_mount_cache - Gather mounted fs/devices from kmem_cache
> > linux_netstat - Lists open sockets
> > linux_pidhashtable - Enumerates processes through the PID hash table
> > linux_pkt_queues - Writes per-process packet queues out to disk
> > linux_proc_maps - Gathers process maps for linux
> > linux_psaux - Gathers processes along with full command line and
> > start t
> > ime
> > linux_pslist - Gather active tasks by walking the task_struct->task
> > list
> > linux_pslist_cache - Gather tasks from the kmem_cache
> > linux_pstree - Shows the parent/child relationship between processes
> > linux_psxview - Find hidden processes with various process listings
> > linux_route_cache - Recovers the routing cache from memory
> > linux_sk_buff_cache - Recovers packets from the sk_buff kmem_cache
> > linux_slabinfo - Mimics /proc/slabinfo on a running machine
> > linux_tmpfs - Recovers tmpfs filesystems from memory
> > linux_vma_cache - Gather VMAs from the vm_area_struct cache
> > lsadump - Dump (decrypted) LSA secrets from the registry
> > malfind - Find hidden and injected code
> > memdump - Dump the addressable memory for a process
> > memmap - Print the memory map
> > messagehooks - List desktop and thread window message hooks
> > moddump - Dump a kernel driver to an executable file sample
> > modscan - Scan Physical memory for _LDR_DATA_TABLE_ENTRY objects
> > modules - Print list of loaded modules
> > mutantscan - Scan for mutant objects _KMUTANT
> > netscan - Scan a Vista, 2008 or Windows 7 image for connections
> > and
> > sockets
> > patcher - Patches memory based on page scans
> > printkey - Print a registry key, and its subkeys and values
> > procexedump - Dump a process to an executable file sample
> > procmemdump - Dump a process to an executable memory sample
> > pslist - Print all running processes by following the EPROCESS
> > lists
> > psscan - Scan Physical memory for _EPROCESS pool allocations
> > pstree - Print process list as a tree
> > psxview - Find hidden processes with various process listings
> > raw2dmp - Converts a physical memory sample to a windbg crash
> > dump
> > screenshot - Save a pseudo-screenshot based on GDI windows
> > sessions - List details on _MM_SESSION_SPACE (user logon
> > sessions)
> > shimcache - Parses the Application Compatibility Shim Cache
> > registry key
> > sockets - Print list of open sockets
> > sockscan - Scan Physical memory for _ADDRESS_OBJECT objects (tcp
> > sockets)
> > ssdt - Display SSDT entries
> > strings - Match physical offsets to virtual addresses (may take
> > a while, VERY verbose)
> > svcscan - Scan for Windows services
> > symlinkscan - Scan for symbolic link objects
> > thrdscan - Scan physical memory for _ETHREAD objects
> > threads - Investigate _ETHREAD and _KTHREADs
> > timers - Print kernel timers and associated module DPCs
> > userassist - Print userassist registry keys and information
> > userhandles - Dump the USER handle tables
> > vaddump - Dumps out the vad sections to a file
> > vadinfo - Dump the VAD info
> > vadtree - Walk the VAD tree and display in tree format
> > vadwalk - Walk the VAD tree
> > volshell - Shell in the memory image
> > windows - Print Desktop Windows (verbose details)
> > wintree - Print Z-Order Desktop Windows Tree
> > wndscan - Pool scanner for tagWINDOWSTATION (window stations)
> > yarascan - Scan process or kernel memory with Yara signatures
> >
> >
> > C:\Python27\volatility-2.2>vol.py linux_pslist -f
> > \temp\Android_4-0-3_CLEAN_SDK_Emulator.mem
> > Volatile Systems Volatility Framework 2.2
> > Offset Name Pid Uid Start Time
> > ---------- -------------------- --------------- --------------- ----------
> > No suitable address space mapping found
> > Tried to open image as:
> > LimeAddressSpace: lime: need base
> > WindowsHiberFileSpace32: No base Address Space
> > WindowsCrashDumpSpace64: No base Address Space
> > WindowsCrashDumpSpace32: No base Address Space
> > AMD64PagedMemory: No base Address Space
> > JKIA32PagedMemory: No base Address Space
> > JKIA32PagedMemoryPae: No base Address Space
> > IA32PagedMemoryPae: Module disabled
> > IA32PagedMemory: Module disabled
> > LimeAddressSpace: Invalid Lime header signature
> > WindowsHiberFileSpace32: No xpress signature found
> > WindowsCrashDumpSpace64: Header signature invalid
> > WindowsCrashDumpSpace32: Header signature invalid
> > AMD64PagedMemory: Incompatible profile WinXPSP2x86 selected
> > JKIA32PagedMemory: No valid DTB found
> > JKIA32PagedMemoryPae: No valid DTB found
> > IA32PagedMemoryPae: Module disabled
> > IA32PagedMemory: Module disabled
> > FileAddressSpace: Must be first Address Space
> >
> > C:\Python27\volatility-2.2>
 		 	   		  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.volatilityfoundation.org/pipermail/vol-users/attachments/20130128/30b7d305/attachment-0001.html


More information about the Vol-users mailing list