Dalvik Support for Volatility
=============================

The following plugins are provided:

- dalvik_find_gdvm_offset
- dalvik_vms
- dalvik_loaded_classes
- dalvik_class_information
- dalvik_find_class_instance
- dalvik_app_k9mail_accounts
- dalvik_app_k9mail_listmails
- dalvik_app_k9mail_mail
- dalvik_app_whatsapp_conversations
- dalvik_app_whatsapp_conversation
- dalvik_app_contacts
- dalvik_app_mirrored

All plugins are actually Linux plugins, so they need a valid profile and a LiME [1] memory dump. The plugins have been successfully tested on two Android devices running Ice Cream Sandwich (ICS): Huawei Honor (U8860) and Samsung Galaxy S2 (I9100).

The Volatility 2.3-devel branch, or any later version, is needed. In particular, revision r2659 has been verified to work properly with these plugins.

Detailed plugin description:
============================

dalvik_find_gdvm_offset
-----------------------

The global struct DvmGlobals (gDvm) [2] is the foundation for all provided plugins. To locate it in an actual memory dump, we need to know where the data section of libdvm (the section in which gDvm lives) is mapped within a specific process. This information can be taken from the proc_maps plugin. For example (for zygote):

    0x408f9000-0x409aa000 r-x 0 259: 1 915 2508 /system/lib/libdvm.so
    0x409aa000-0x409b2000 rw- 724992 259: 1 915 2508 /system/lib/libdvm.so

So the data section starts at 0x409aa000, and gDvm can be found within this range. The dalvik_find_gdvm_offset plugin scans this address space, tries to locate gDvm and finally prints its offset. This offset can be given to all further plugins via the '-o' switch in order to prevent rescanning, which saves quite some time.

Optional argument:
  -p PID, --pid=PID
      Specify the PID of one process you know to run in a DalvikVM, for instance zygote. Speeds up offset calculation.
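As an added illustration (not part of the plugin code) of the first step described above, the following parses proc_maps output in the layout shown for zygote, picks the writable libdvm.so mapping as the data section, and turns a gDvm offset into an absolute address. The sample mapping lines are constructed from the two lines quoted above, and treating the printed gDvm offset as relative to the start of that data mapping is an assumption of this example.

```python
import re

# Constructed sample: the two libdvm.so lines the proc_maps plugin prints for zygote.
SAMPLE_MAPS = """\
0x408f9000-0x409aa000 r-x 0 259: 1 915 2508 /system/lib/libdvm.so
0x409aa000-0x409b2000 rw- 724992 259: 1 915 2508 /system/lib/libdvm.so
"""

# start-end, permissions, file offset, (device/inode columns skipped), path
MAP_RE = re.compile(r"^0x([0-9a-f]+)-0x([0-9a-f]+)\s+([rwx-]{3})\s+(\d+)\s+.*?(\S+)$")


def parse_maps(text):
    """Parse proc_maps lines into dicts; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = MAP_RE.match(line.strip())
        if not m:
            continue
        start, end, perms, file_off, path = m.groups()
        rows.append({"start": int(start, 16), "end": int(end, 16),
                     "perms": perms, "file_offset": int(file_off), "path": path})
    return rows


def libdvm_data_section(rows, lib="/system/lib/libdvm.so"):
    """Return the first writable mapping of libdvm: the data section holding gDvm."""
    for r in rows:
        if r["path"].endswith(lib) and "w" in r["perms"]:
            return r
    return None


def gdvm_address(rows, gdvm_offset):
    """Absolute address of gDvm, assuming the offset is relative to the data section start."""
    sec = libdvm_data_section(rows)
    if sec is None:
        raise ValueError("libdvm data section not mapped in this process")
    addr = sec["start"] + gdvm_offset
    if not sec["start"] <= addr < sec["end"]:
        raise ValueError("offset 0x%x falls outside the libdvm data section" % gdvm_offset)
    return addr


if __name__ == "__main__":
    rows = parse_maps(SAMPLE_MAPS)
    print("data section at 0x%x" % libdvm_data_section(rows)["start"])
    print("gDvm at 0x%x" % gdvm_address(rows, 0x7c58))
```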
dalvik_vms
----------

Lists all Dalvik Virtual Machines found in the memory dump together with some additional information such as heapStartingSize, number of loaded classes, etc. Limit the output to specific VMs with the '-p PID' switch.

Optional argument:
  -o GDVM_OFFSET (in hex)
      Specify the gDvm offset to speed up calculations. See the dalvik_find_gdvm_offset plugin for more information.

Optional argument:
  -p PID, --pid=PID
      Limit to the specific VMs which correspond to the given PID.

dalvik_loaded_classes
---------------------

Lists all loadedClasses of a specific DalvikVM instance together with some information. Most important is the 'Offset' column, which can be used for listing specific class information with the dalvik_class_information plugin.

Optional argument:
  -o GDVM_OFFSET (in hex)
      Specify the gDvm offset to speed up calculations. See the dalvik_find_gdvm_offset plugin for more information.

Optional argument:
  -p PID, --pid=PID
      Limit to the specific VM which corresponds to the given PID.

dalvik_class_information
------------------------

Lists concrete information about a specific system class, such as the number of instance fields or the method names.

Mandatory argument:
  -c CLASS_OFFSET, --class_offset=CLASS_OFFSET
      Offset of a class object within its process address space. Usually taken from the dalvik_loaded_classes plugin.

Mandatory argument:
  -p PID, --pid=PID
      This needs to match the process in which the class object of interest is defined. Specifically, this is the PID printed on the same row as the CLASS_OFFSET argument by the dalvik_loaded_classes plugin.

Optional argument:
  -o GDVM_OFFSET (in hex)
      Specify the gDvm offset to speed up calculations. See the dalvik_find_gdvm_offset plugin for more information.

dalvik_app_*
------------

Concrete instance objects (in contrast to preloaded system classes) are allocated in the dalvik-heap of each process. So in order to analyze specific applications together with their instance data, we need a concrete instance object pointer.
This pointer can be acquired manually, for instance via hprof heap dumps (cf. Eclipse MAT), or by scanning. For the latter, the dalvik_find_class_instance plugin (see below) is provided. It takes a pointer to a system class (obtained via the dalvik_loaded_classes plugin) and scans the dalvik heap for possibly matching instance objects. The acquired pointer can then be passed to the corresponding app plugins.

Please note: The dalvik_find_class_instance plugin might require quite some time (>5m) to find an appropriate pointer.

Example plugin for reading app information: dalvik_app_mirrored

Given an instance object ('-c'), it lists the currently active article titles shown by the application called 'Mirrored', a news reader. Of course, this requires an appropriate memory dump.

Mandatory argument:
  -c CLASS_OFFSET, --class_offset=CLASS_OFFSET
      Offset of a concrete class instance object. The dalvik_find_class_instance plugin can help to find one.

Mandatory argument:
  -p PID, --pid=PID
      This needs to match the process in which the class object of interest is defined.

dalvik_find_class_instance
--------------------------

Takes a process ID and a system class offset and tries to locate instance objects of the system class within the process's address space.

Mandatory argument:
  -c CLASS_OFFSET, --class_offset=CLASS_OFFSET
      Offset of a class object within its process address space. Usually taken from the dalvik_loaded_classes plugin.

Mandatory argument:
  -p PID, --pid=PID
      This needs to match the process in which the class object of interest is defined. Specifically, this is the PID printed on the same row as the CLASS_OFFSET argument by the dalvik_loaded_classes plugin.

Helper modules:
===============

dalvik.py
---------

Helper functions for parsing DalvikVM objects such as java/lang/String or array lists.

dalvik_vtypes.py (volatility/plugins/overlays/linux/)
-----------------------------------------------------

Data structure definitions and extending helper functions.
Explanatory Volatility session
==============================

[...] = --profile=Linuxx86 -f

    $ ./vol.py [...] dalvik_find_gdvm_offset
    DvmGlobals offset
    -----------------
    0x7c58

    $ ./vol.py [...] linux_pslist | grep Mirrored
    0xe0684960 .homac.Mirrored   1547   10066   Tue, 04 Sep 2012 18:24:44 +0000

    $ ./vol.py [...] dalvik_loaded_classes -o 0x7c58 -p 1547 | grep 'ArticlesList;'
    PID   Offset     Descriptor                        sourceFile
    ----- ---------- --------------------------------- -----------------
    1547  0x415059d0 Lde/homac/Mirrored/ArticlesList;  ArticlesList.java

    $ ./vol.py [...] dalvik_find_class_instance -p 1547 -c 0x415059d0
    SystemClass                                        Instance
    -------------------------------------------------- -----------------
    0x415059d0                                         0x415060c8
    [...]

    $ ./vol.py [...] dalvik_app_mirrored -p 1547 -c 0x415060c8
    Nr  Title
    --- --------------------------------------------------
    1   Paralympics-Teilnehmerin Wyludda: Zweite Karriere nach Olympia-Gold
    2   Antarktis: Tourismus nicht Schuld an Pinguin-Schwund
    3   Installation in Rio: Guck mal, wer da traeumt
    [...]

[1] http://code.google.com/p/lime-forensics/
[2] cf. dalvik/vm/Globals.h in ICS's source tree