Hi,
an updated tarball can be found at [1]. There are some bug fixes and
minor enhancements. The biggest additions are some plugins parsing
K9Mail, WhatsApp, and the standard contacts application in ICS. They are
intended to illustrate how to write more application-specific plugins. An
updated (no important content changes) README.dalvik is attached.
Regards Holger
[1]
http://www.homac.de/files/Volatility-Dalvik-support-v2.tar.bz2
On Tue 16 Oct 16:50:59, Holger Macht wrote:
Hi,
I've uploaded a tarball [1] containing a number of Volatility plugins which
provide support for the DalvikVM and Android. I didn't provide a
patch set, because there are only new files included. However, I can do
so or can open an issue, whatever would be most convenient.
The plugins are named:
- dalvik_find_gdvm_offset
- dalvik_vms
- dalvik_loaded_classes
- dalvik_class_information
- dalvik_find_class_instance
- dalvik_app_mirrored
Any comments would be appreciated. This is part of a research project I
need to have finished by the end of the year, so if someone suggests
fundamental changes, I most likely won't have the immediate time to look
at it. Just wanted to provide my code, because obviously there is some
interest (cf. vol-users@).
Ideally, I could get a branch in SVN to get this integrated into
upcoming Volatility releases.
I've attached a README.dalvik which gives some meta information about
the plugins and could become a corresponding wiki article.
Thanks to Joe Sylve and Andrew Case for providing me with some initial
guidelines.
Regards,
Holger
[1]
http://www.homac.de/files/Volatility-Dalvik-support-v1.tar.bz2
Dalvik Support for Volatility
=============================
The following plugins are provided:
- dalvik_find_gdvm_offset
- dalvik_vms
- dalvik_loaded_classes
- dalvik_class_information
- dalvik_find_class_instance
- dalvik_app_mirrored
All plugins are actually Linux plugins, so they need a valid profile and
a LiME [1] memory dump.
The plugins have been successfully tested on two Android devices running
Ice Cream Sandwich (ICS): Huawei Honor (U8860) and Samsung Galaxy S2
(I9100).
The Volatility 2.3-devel branch is needed. In particular, r2659 has been
verified to work properly with these plugins.
Detailed plugin description:
============================
dalvik_find_gdvm_offset
----------------------
The global struct DvmGlobals (gDvm) [2] is the foundation for all
provided plugins. To locate it in an actual memory dump, we need to know
where the data section of libdvm (in which gDvm is mapped) is mapped
within a specific process. This information can be taken from the
proc_maps plugin. For example (for zygote):
0x408f9000-0x409aa000 r-x 0 259: 1 915 2508 /system/lib/libdvm.so
0x409aa000-0x409b2000 rw- 724992 259: 1 915 2508 /system/lib/libdvm.so
So the data section starts at 0x409aa000. Within this range, gDvm can be
found. The dalvik_find_gdvm_offset plugin scans this address space, tries
to locate gDvm and finally prints its offset. This offset can be given to
all further plugins via the '-o' switch in order to prevent rescanning,
which saves quite some time.
Optional argument: -p PID, --pid=PID
Specify the PID of one process that you know runs in a DalvikVM, for
instance zygote. This speeds up the offset calculation.
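As an added illustration (not code from the plugins or the tarball), the following Python applies the procedure described above to proc_maps-style output: it picks out the writable libdvm.so mapping as the data section in which gDvm must be searched, and reports when a process has no such mapping. It assumes that the offset printed by dalvik_find_gdvm_offset is relative to the start of that data section, which the README does not state.

```python
import re

# Constructed sample in the layout of the README's proc_maps excerpt
# (start-end perms ... path): zygote's libdvm.so mappings plus some noise.
SAMPLE_PROC_MAPS = """\
0x40000000-0x40008000 r-x 0 259: 1 915 2500 /system/bin/app_process
0x408f9000-0x409aa000 r-x 0 259: 1 915 2508 /system/lib/libdvm.so
0x409aa000-0x409b2000 rw- 724992 259: 1 915 2508 /system/lib/libdvm.so
0x409b2000-0x409b5000 rw- 0 0: 0 0 0
"""

_RANGE = re.compile(r"^(0x[0-9a-fA-F]+)-(0x[0-9a-fA-F]+)$")

def parse_proc_maps(text):
    """Turn proc_maps output lines into dicts; lines without a range are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        m = _RANGE.match(fields[0])
        if not m:
            continue
        # Anonymous mappings carry no path; keep the field empty for them.
        path = fields[-1] if fields[-1].startswith("/") else ""
        rows.append({"start": int(m.group(1), 16), "end": int(m.group(2), 16),
                     "perms": fields[1], "path": path})
    return rows

def libdvm_data_section(rows, lib="/system/lib/libdvm.so"):
    """Return (start, end) of the writable libdvm mapping, i.e. the data
    section holding gDvm, or None if the process never mapped libdvm."""
    for r in rows:
        if r["path"] == lib and "w" in r["perms"]:
            return r["start"], r["end"]
    return None

def gdvm_address(rows, gdvm_offset):
    """Resolve the offset printed by dalvik_find_gdvm_offset to a virtual
    address. Assumption (not stated by the README): the offset is relative
    to the start of libdvm's data section."""
    section = libdvm_data_section(rows)
    if section is None:
        return None
    start, end = section
    addr = start + gdvm_offset
    if not start <= addr < end:
        raise ValueError("offset %#x lies outside the libdvm data section" % gdvm_offset)
    return addr
```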
dalvik_vms
----------
Lists all Dalvik Virtual Machines found in the memory dump together with
some additional information such as heapStartingSize, number of loaded
classes, etc. Limit the output to specific VMs with the '-p PID' switch.
Optional argument: -o GDVM_OFFSET (in hex)
Specify the gDvm offset to speed up calculations. See the
dalvik_find_gdvm_offset plugin for more information
Optional argument: -p PID, --pid=PID
Limit to specific VMs which correspond to the given PID.
dalvik_loaded_classes
---------------------
List all loadedClasses from a specific DalvikVM instance together with
some information. Most important is the 'Offset' column, which can be
used for listing specific class information with the
dalvik_class_information plugin.
Optional argument: -o GDVM_OFFSET (in hex)
Specify the gDvm offset to speed up calculations. See the
dalvik_find_gdvm_offset plugin for more information
Optional argument: -p PID, --pid=PID
Limit to the specific VM which corresponds to the given PID.
dalvik_class_information
------------------------
List concrete information about a specific system class, such as number
of instance fields or method names.
Mandatory argument: -c CLASS_OFFSET, --class_offset=CLASS_OFFSET
Offset of a class object within its process address space. Usually
taken from the dalvik_loaded_classes plugin.
Mandatory argument: -p PID, --pid=PID
This needs to match the process in which the class object of interest
is defined. Specifically, this is the PID printed on the same row as
the CLASS_OFFSET argument from the dalvik_loaded_classes plugin.
Optional argument: -o GDVM_OFFSET (in hex)
Specify the gDvm offset to speed up calculations. See the
dalvik_find_gdvm_offset plugin for more information
dalvik_app_*
------------
Concrete instance objects (in contrast to preloaded system classes) are
allocated in the Dalvik heap of each process. So in order to analyze
specific applications together with their instance data, we need a
concrete instance object pointer. This pointer can be acquired manually,
for instance via hprof heap dumps (cf. Eclipse MAT), or via scanning
methods. For the latter, the dalvik_find_class_instance plugin (see below)
is provided. It takes a pointer to a system class (obtained via the
dalvik_loaded_classes plugin) and scans the Dalvik heap for possibly
matching instance objects. The acquired pointer can then be passed to the
corresponding app plugins. Please note: the dalvik_find_class_instance
plugin might require quite some time (>5m) to find an appropriate
pointer.
Example plugin for reading app information: dalvik_app_mirrored
Given an instance object ('-c'), it lists the currently active article
titles shown by the application called 'Mirrored', a news reader. Of
course, this requires an appropriate memory dump.
Mandatory argument: -c CLASS_OFFSET, --class_offset=CLASS_OFFSET
Offset of a concrete class instance object. The
dalvik_find_class_instance plugin can help to find one.
Mandatory argument: -p PID, --pid=PID
This needs to match the process in which the class object of interest
is defined.
dalvik_find_class_instance
--------------------------
Takes a process ID and a system class offset and tries to locate
instance objects of the system class within the process's address space.
Mandatory argument: -c CLASS_OFFSET, --class_offset=CLASS_OFFSET
Offset of a class object within its process address space. Usually
taken from the dalvik_loaded_classes plugin.
Mandatory argument: -p PID, --pid=PID
This needs to match the process in which the class object of interest
is defined. Specifically, this is the PID printed on the same row as
the CLASS_OFFSET argument from the dalvik_loaded_classes plugin.
Helper modules:
===============
dalvik.py
---------
Helper functions for parsing DalvikVM objects such as java/lang/String
or array lists.
dalvik_vtypes.py (volatility/plugins/overlays/linux/)
-----------------------------------------------------
Data structure definitions and extending helper functions.
Explanatory Volatility session
==============================
[...] = --profile=Linux<insert your profile here>x86 -f <insert lime memory dump here>
$ ./vol.py [...] dalvik_find_gdvm_offset
DvmGlobals offset
-----------------
0x7c58
$ ./vol.py [...] linux_pslist | grep Mirrored
0xe0684960 .homac.Mirrored 1547 10066 Tue, 04 Sep 2012 18:24:44 +0000
$ ./vol.py [...] dalvik_loaded_classes -o 0x7c58 -p 1547 | grep 'ArticlesList;'
PID   Offset     Descriptor                         sourceFile
----- ---------- ---------------------------------- ------------------------------
1547  0x415059d0 Lde/homac/Mirrored/ArticlesList;   ArticlesList.java
$ ./vol.py [...] dalvik_find_class_instance -p 1547 -c 0x415059d0
SystemClass Instance
----------- ----------
0x415059d0  0x415060c8
[...]
$ ./vol.py [...] dalvik_app_mirrored -p 1547 -c 0x415060c8
Nr Title
--- --------------------------------------------------
1 Paralympics-Teilnehmerin Wyludda: Zweite Karriere nach Olympia-Gold
2 Antarktis: Tourismus nicht Schuld an Pinguin-Schwund
3 Installation in Rio: Guck mal, wer da träumt
[...]
[1]
http://code.google.com/p/lime-forensics/
[2] cf. dalvik/vm/Globals.h in ICS's source tree
_______________________________________________
Vol-dev mailing list
Vol-dev(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-dev