Hi
We already have an Android profile for our Goldfish kernel and are able to run the existing plugins (e.g. linux_pslist) against the memory dump acquired from the emulator.
Now we are writing our own Volatility plugin according to Andrew's presentation. But so far we could not instantiate a DvmGlobals object, as Volatility does not know this specific type.
A snippet from our plugin:
gDvm = obj.Object("DvmGlobals", vm = self.addr_space, offset = gDvm_addr)
When run, Volatility prints the following warning:
WARNING : volatility.obj : Cant find object DvmGlobals in profile <volatility.plugins.overlays.linux.linux.LinuxAndroid_Goldfishx86 object at 0x3a57910>?
How can we get Volatility to know this object type?
We pulled libdvm.so from our emulator and disassembled it using arm-linux-androideabi-objdump and found the following:
000aa1a8 <gDvm>:
This lines up with the DWARF information from the libdvm.so we compiled ourselves:
<1><0x12484><DW_TAG_variable> DW_AT_name<"gDvm"> DW_AT_decl_file<0x00000001 dalvik/vm/Init.cpp> DW_AT_decl_line<0x00000032> DW_AT_type<<0x0000c3b8>> DW_AT_external<yes(1)> DW_AT_location<DW_OP_addr 0x000aa1a8>
We aren't sure if this address actually is what we are looking for, that is, the offset of gDvm in the memory dump. Can you confirm this?
Thanks for any help
Alex & Dario