Hi
We are trying to reproduce the steps to access application-specific
information from Android phones as Andrew Case demonstrated here:
http://digitalforensicssolutions.com/papers/android-memory-analysis.pdf (page
17 and following)
We already have an Android profile for our Goldfish kernel and are able to
run the existing plugins (e.g. linux_pslist) against the memory dump
acquired from the emulator.
Now we are writing our own Volatility plugin according to Andrew's
presentation. But so far we could not instantiate a DvmGlobals object, as
Volatility does not know this specific type.
A snippet from our plugin:
gDvm = obj.Object("DvmGlobals", vm = self.addr_space, offset = gDvm_addr)
When run, Volatility prints the following warning:
WARNING : volatility.obj : Cant find object DvmGlobals in profile <volatility.plugins.overlays.linux.linux.LinuxAndroid_Goldfishx86 object at 0x3a57910>
How can we get Volatility to know this object type?
We pulled libdvm.so from our emulator and disassembled it using
arm-linux-androideabi-objdump and found the following:
000aa1a8 <gDvm>:
This lines up with the DWARF information from the libdvm.so we compiled
ourselves:
<1><0x12484><DW_TAG_variable> DW_AT_name<"gDvm">
    DW_AT_decl_file<0x00000001 dalvik/vm/Init.cpp>
    DW_AT_decl_line<0x00000032>
    DW_AT_type<<0x0000c3b8>>
    DW_AT_external<yes(1)>
    DW_AT_location<DW_OP_addr 0x000aa1a8>
We aren't sure if this address actually is what we are looking for, that is,
the offset of gDvm in the memory dump. Can you confirm this?
Thanks for any help
Alex & Dario
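The second question above concerns how the symbol value 0x000aa1a8 from the DWARF output relates to an address in the dump. The following is an added example, not part of the original post or of Volatility: it takes /proc/<pid>/maps-style lines (constructed here, addresses made up) for the Dalvik process, treats the symbol value as an offset from the library's load base (which assumes libdvm.so links at base 0 and is not prelinked), and checks that the result lands inside a writable mapping of libdvm.so, as a global like gDvm should.

```python
import re

# Constructed sample in /proc/<pid>/maps format; the addresses are made up
# for illustration and are not taken from the post.
SAMPLE_MAPS = """\
40000000-40010000 r--p 00000000 00:00 0
40100000-401a0000 r-xp 00000000 b3:0c 1234 /system/lib/libdvm.so
401a0000-401ad000 rw-p 000a0000 b3:0c 1234 /system/lib/libdvm.so
401ad000-401c0000 rw-p 00000000 00:00 0
"""

# Symbol value of gDvm as reported by objdump / DWARF in the post.
GDVM_SYMBOL_VALUE = 0x000aa1a8

MAPS_RE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+([0-9a-f]+)\s+\S+\s+\d+\s*(.*)$")


def parse_maps(text):
    """Return (start, end, perms, file_offset, path) tuples for each line."""
    entries = []
    for line in text.splitlines():
        m = MAPS_RE.match(line.strip())
        if m:
            entries.append((int(m.group(1), 16), int(m.group(2), 16),
                            m.group(3), int(m.group(4), 16), m.group(5)))
    return entries


def runtime_address(maps, library, symbol_value):
    """Translate a symbol value from a shared object to its address in the
    process.  Assumption (hypothetical for this example): the .so links at
    base 0 and is not prelinked, so the runtime address is the library's
    lowest mapping start plus the symbol value.
    Returns (address, mapping) where mapping is the libdvm.so region that
    contains the address, or (address, None) if it falls outside the library."""
    lib_maps = [m for m in maps if m[4].endswith(library)]
    if not lib_maps:
        raise ValueError("%s is not mapped in this process" % library)
    base = min(m[0] for m in lib_maps)
    addr = base + symbol_value
    for m in lib_maps:
        if m[0] <= addr < m[1]:
            return addr, m
    return addr, None


if __name__ == "__main__":
    addr, region = runtime_address(parse_maps(SAMPLE_MAPS), "libdvm.so",
                                   GDVM_SYMBOL_VALUE)
    print("gDvm at 0x%08x, mapping: %s" % (addr, region))
```

If the computed address does not fall in an rw-p mapping of libdvm.so, the symbol value is not being applied to the right base, so it should not be passed as gDvm_addr.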