[Vol-users] Android Analysis

Andrew Case atcuno at gmail.com
Mon Oct 13 14:57:51 CDT 2014


A few questions to see how we can diagnose this.

1) Can you share the sample publicly or at least privately with us (the
Volatility developers)? This would be the quickest way for us to diagnose.

2) If you cannot, could you provide the output of dd() and also some
more background on how you found the array address?

3) Is the kernel module available publicly (e.g. open source project or
a rootkit that has been shared)?

Andrew (@attrc)

On 10/08/2014 12:01 PM, felipecboeira . wrote:
> Hi all,
> I have acquired an Android RAM image by using LiME and now I am using
> Volatility to analyze it. I have created a profile and can now list
> processes, etc. What I need to do is inspect an integer array of a
> kernel module, for which I have the address. I tried using volshell's dd()
> but I believe it is not showing the correct values. How can I certify
> that the virtual address is being calculated correctly by Volatility?
> Thanks in advance,
> Felipe
> _______________________________________________
> Vol-users mailing list
> Vol-users at volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
