Hi Andrew,
Thanks. Does your link include the profile? That would get me started using Volatility.
I have an image from an emulator now, but it isn't useful without a profile. Or is
there something I'm missing? (I don't see any Linux profiles.)
(see below, after your message, for output from me)
I am building a system to sport a testing emulator for acquisitions and infecting.
I'll use a memory image I get from it.
Making the profile, that will be interesting.
I thought it would be nice to get out ahead of this (Android memory analysis). I imagine
the Android malware issue will heat up rather quickly this year.
Thanks,
Mike
Date: Mon, 28 Jan 2013 20:13:13 -0600
Subject: Re: [Vol-users] Android memory image
From: atcuno(a)gmail.com
To: dragonforen(a)hotmail.com
CC: vol-users(a)volatilityfoundation.org
Replying to the list in case others have the same question...
As far as I know, there are not any published Android memory images.
For our own testing, we generally use our own phones, which we won't
be sharing the samples of obviously, or we pull mem dumps from the
emulator.
If you want to just test and use Volatility, then I can send you a
link to an emulator memory capture, but if you want more control
and/or are building your own plugins then I would suggest setting up
the emulator yourself or rooting a real physical device and building a
profile. The only downside to real devices is that you need to be able
to build a profile, and sometimes vendors are slow to release the
source code & config for a particular version...
On Mon, Jan 28, 2013 at 1:02 PM, Mike Lambert <dragonforen(a)hotmail.com> wrote:
> I am looking for an Android memory image to use Volatility on. Does anyone
> have (or know where I and get) a memory image I can look at?
>
> If you are imaging Androids, can you reply offlist?
>
> Thanks! Have a good week!
================================cut-here==============================
========from-mike================
C:\Python27\volatility-2.2>vol.py imageinfo -f
\temp\Android_4-0-3_CLEAN_SDK_Emulator.mem
Volatile Systems Volatility Framework 2.2
Determining profile based on KDBG search...
Suggested Profile(s) : No suggestion (Instantiated with no profile)
AS Layer1 : LimeAddressSpace (Unnamed AS)
AS Layer2 : FileAddressSpace
(C:\temp\Android_4-0-3_CLEAN_SDK_Emulator.mem)
PAE type : No PAE
C:\Python27\volatility-2.2>vol.py imageinfo --info
Volatile Systems Volatility Framework 2.2
Profiles
--------
VistaSP0x64 - A Profile for Windows Vista SP0 x64
VistaSP0x86 - A Profile for Windows Vista SP0 x86
VistaSP1x64 - A Profile for Windows Vista SP1 x64
VistaSP1x86 - A Profile for Windows Vista SP1 x86
VistaSP2x64 - A Profile for Windows Vista SP2 x64
VistaSP2x86 - A Profile for Windows Vista SP2 x86
Win2003SP0x86 - A Profile for Windows 2003 SP0 x86
Win2003SP1x64 - A Profile for Windows 2003 SP1 x64
Win2003SP1x86 - A Profile for Windows 2003 SP1 x86
Win2003SP2x64 - A Profile for Windows 2003 SP2 x64
Win2003SP2x86 - A Profile for Windows 2003 SP2 x86
Win2008R2SP0x64 - A Profile for Windows 2008 R2 SP0 x64
Win2008R2SP1x64 - A Profile for Windows 2008 R2 SP1 x64
Win2008SP1x64 - A Profile for Windows 2008 SP1 x64
Win2008SP1x86 - A Profile for Windows 2008 SP1 x86
Win2008SP2x64 - A Profile for Windows 2008 SP2 x64
Win2008SP2x86 - A Profile for Windows 2008 SP2 x86
Win7SP0x64 - A Profile for Windows 7 SP0 x64
Win7SP0x86 - A Profile for Windows 7 SP0 x86
Win7SP1x64 - A Profile for Windows 7 SP1 x64
Win7SP1x86 - A Profile for Windows 7 SP1 x86
WinXPSP1x64 - A Profile for Windows XP SP1 x64
WinXPSP2x64 - A Profile for Windows XP SP2 x64
WinXPSP2x86 - A Profile for Windows XP SP2 x86
WinXPSP3x86 - A Profile for Windows XP SP3 x86
Address Spaces
--------------
AMD64PagedMemory - Standard AMD 64-bit address space.
FileAddressSpace - This is a direct file AS.
IA32PagedMemory - Legacy x86 non PAE address space (to use specify --use_old_as)
IA32PagedMemoryPae - Legacy x86 PAE address space (to use specify --use_old_as)
JKIA32PagedMemory - Standard x86 32 bit non PAE address space.
JKIA32PagedMemoryPae - Standard x86 32 bit PAE address space.
LimeAddressSpace - Address space for Lime
WindowsCrashDumpSpace32 - This AS supports windows Crash Dump format
WindowsCrashDumpSpace64 - This AS supports windows Crash Dump format
WindowsHiberFileSpace32 - This is a hibernate address space for windows hibernation
files.
Scanner Checks
--------------
CheckHiveSig - Check for a registry hive signature
CheckPoolIndex - Checks the pool index
CheckPoolSize - Check pool block size
CheckPoolType - Check the pool type
CheckProcess - Check sanity of _EPROCESS
CheckSocketCreateTime - Check that _ADDRESS_OBJECT.CreateTime makes sense
CheckThreads - Check sanity of _ETHREAD
KPCRScannerCheck - Checks the self referential pointers to find KPCRs
MultiPrefixFinderCheck - Checks for multiple strings per page, finishing at theoffset
MultiStringFinderCheck - Checks for multiple strings per page
PoolTagCheck - This scanner checks for the occurance of a pool tag
Plugins
-------
apihooks - Detect API hooks in process and kernel memory
atoms - Print session and window station atom tables
atomscan - Pool scanner for _RTL_ATOM_TABLE
bioskbd - Reads the keyboard buffer from Real Mode memory
callbacks - Print system-wide notification routines
clipboard - Extract the contents of the windows clipboard
cmdscan - Extract command history by scanning for _COMMAND_HISTORY
connections - Print list of open connections [Windows XP and 2003 Only]
connscan - Scan Physical memory for _TCPT_OBJECT objects (tcp connections)
consoles - Extract command history by scanning for _CONSOLE_INFORMATION
crashinfo - Dump crash-dump information
deskscan - Poolscaner for tagDESKTOP (desktops)
devicetree - Show device tree
dlldump - Dump DLLs from a process address space
dlllist - Print list of loaded dlls for each process
driverirp - Driver IRP hook detection
driverscan - Scan for driver objects _DRIVER_OBJECT
envars - Display process environment variables
eventhooks - Print details on windows event hooks
evtlogs - Extract Windows Event Logs (XP/2003 only)
filescan - Scan Physical memory for _FILE_OBJECT pool allocations
gahti - Dump the USER handle type information
gditimers - Print installed GDI timers and callbacks
gdt - Display Global Descriptor Table
getservicesids - Get the names of services in the Registry and return Calculated SID
getsids - Print the SIDs owning each process
handles - Print list of open handles for each process
hashdump - Dumps passwords hashes (LM/NTLM) from memory
hibinfo - Dump hibernation file information
hivedump - Prints out a hive
hivelist - Print list of registry hives.
hivescan - Scan Physical memory for _CMHIVE objects (registry hives)
idt - Display Interrupt Descriptor Table
imagecopy - Copies a physical address space out as a raw DD image
imageinfo - Identify information for the image
impscan - Scan for calls to imported functions
kdbgscan - Search for and dump potential KDBG values
kpcrscan - Search for and dump potential KPCR values
ldrmodules - Detect unlinked DLLs
linux_arp - Print the ARP table
linux_bash - Recover bash history from bash process memory
linux_check_afinfo - Verifies the operation function pointers of network protocols
linux_check_creds - Checks if any processes are sharing credential structures
linux_check_fop - Check file operation structures for rootkit modifications
linux_check_idt - Checks if the IDT has been altered
linux_check_modules - Compares module list to sysfs info, if available
linux_check_syscall - Checks if the system call table has been altered
linux_cpuinfo - Prints info about each active processor
linux_dentry_cache - Gather files from the dentry cache
linux_dmesg - Gather dmesg buffer
linux_dump_map - Writes selected memory mappings to disk
linux_find_file - Recovers tmpfs filesystems from memory
linux_ifconfig - Gathers active interfaces
linux_iomem - Provides output similar to /proc/iomem
linux_lsmod - Gather loaded kernel modules
linux_lsof - Lists open files
linux_memmap - Dumps the memory map for linux tasks
linux_mount - Gather mounted fs/devices
linux_mount_cache - Gather mounted fs/devices from kmem_cache
linux_netstat - Lists open sockets
linux_pidhashtable - Enumerates processes through the PID hash table
linux_pkt_queues - Writes per-process packet queues out to disk
linux_proc_maps - Gathers process maps for linux
linux_psaux - Gathers processes along with full command line and start time
linux_pslist - Gather active tasks by walking the task_struct->task list
linux_pslist_cache - Gather tasks from the kmem_cache
linux_pstree - Shows the parent/child relationship between processes
linux_psxview - Find hidden processes with various process listings
linux_route_cache - Recovers the routing cache from memory
linux_sk_buff_cache - Recovers packets from the sk_buff kmem_cache
linux_slabinfo - Mimics /proc/slabinfo on a running machine
linux_tmpfs - Recovers tmpfs filesystems from memory
linux_vma_cache - Gather VMAs from the vm_area_struct cache
lsadump - Dump (decrypted) LSA secrets from the registry
malfind - Find hidden and injected code
memdump - Dump the addressable memory for a process
memmap - Print the memory map
messagehooks - List desktop and thread window message hooks
moddump - Dump a kernel driver to an executable file sample
modscan - Scan Physical memory for _LDR_DATA_TABLE_ENTRY objects
modules - Print list of loaded modules
mutantscan - Scan for mutant objects _KMUTANT
netscan - Scan a Vista, 2008 or Windows 7 image for connections and
sockets
patcher - Patches memory based on page scans
printkey - Print a registry key, and its subkeys and values
procexedump - Dump a process to an executable file sample
procmemdump - Dump a process to an executable memory sample
pslist - Print all running processes by following the EPROCESS lists
psscan - Scan Physical memory for _EPROCESS pool allocations
pstree - Print process list as a tree
psxview - Find hidden processes with various process listings
raw2dmp - Converts a physical memory sample to a windbg crash dump
screenshot - Save a pseudo-screenshot based on GDI windows
sessions - List details on _MM_SESSION_SPACE (user logon sessions)
shimcache - Parses the Application Compatibility Shim Cache registry key
sockets - Print list of open sockets
sockscan - Scan Physical memory for _ADDRESS_OBJECT objects (tcp sockets)
ssdt - Display SSDT entries
strings - Match physical offsets to virtual addresses (may take a while, VERY
verbose)
svcscan - Scan for Windows services
symlinkscan - Scan for symbolic link objects
thrdscan - Scan physical memory for _ETHREAD objects
threads - Investigate _ETHREAD and _KTHREADs
timers - Print kernel timers and associated module DPCs
userassist - Print userassist registry keys and information
userhandles - Dump the USER handle tables
vaddump - Dumps out the vad sections to a file
vadinfo - Dump the VAD info
vadtree - Walk the VAD tree and display in tree format
vadwalk - Walk the VAD tree
volshell - Shell in the memory image
windows - Print Desktop Windows (verbose details)
wintree - Print Z-Order Desktop Windows Tree
wndscan - Pool scanner for tagWINDOWSTATION (window stations)
yarascan - Scan process or kernel memory with Yara signatures
C:\Python27\volatility-2.2>vol.py linux_pslist -f
\temp\Android_4-0-3_CLEAN_SDK_Emulator.mem
Volatile Systems Volatility Framework 2.2
Offset Name Pid Uid Start Time
---------- -------------------- --------------- --------------- ----------
No suitable address space mapping found
Tried to open image as:
LimeAddressSpace: lime: need base
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace64: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
AMD64PagedMemory: No base Address Space
JKIA32PagedMemory: No base Address Space
JKIA32PagedMemoryPae: No base Address Space
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
LimeAddressSpace: Invalid Lime header signature
WindowsHiberFileSpace32: No xpress signature found
WindowsCrashDumpSpace64: Header signature invalid
WindowsCrashDumpSpace32: Header signature invalid
AMD64PagedMemory: Incompatible profile WinXPSP2x86 selected
JKIA32PagedMemory: No valid DTB found
JKIA32PagedMemoryPae: No valid DTB found
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
FileAddressSpace: Must be first Address Space
C:\Python27\volatility-2.2>
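Added example, not from this thread or from the Volatility project: a small Python walker over LiME segment headers, which is the check behind the "LimeAddressSpace: Invalid Lime header signature" line in the output above. It assumes the LiME on-disk format's packed 32-byte header (magic 0x4C694D45, version, inclusive start/end addresses, 8 reserved bytes); a file that fails it is a raw dump that needs a different base address space rather than a LiME one, independent of any profile.

```python
import struct

# LiME segment header (packed, 32 bytes): magic u32, version u32,
# start u64, end u64 (inclusive), 8 reserved bytes. Magic 0x4C694D45
# reads as b"EMiL" at the start of the file.
LIME_MAGIC = 0x4C694D45
LIME_HEADER = struct.Struct("<IIQQ8s")


def parse_lime_segments(data):
    """Walk every LiME segment header in an in-memory dump.

    Returns a list of (start, end, data_offset) tuples, or None when the
    file does not begin with a LiME header (a raw/padded dump, which
    LimeAddressSpace rejects). Raises ValueError on a corrupt LiME file.
    """
    segments = []
    off = 0
    while off < len(data):
        if off + LIME_HEADER.size > len(data):
            raise ValueError("truncated header at offset 0x%x" % off)
        magic, version, start, end, _ = LIME_HEADER.unpack_from(data, off)
        if magic != LIME_MAGIC:
            if off == 0:
                return None  # not a LiME capture at all
            raise ValueError("bad magic 0x%08x at offset 0x%x" % (magic, off))
        if version != 1 or end < start:
            raise ValueError("corrupt header at offset 0x%x" % off)
        off += LIME_HEADER.size
        length = end - start + 1  # end address is inclusive
        if off + length > len(data):
            raise ValueError("segment 0x%x-0x%x runs past end of file" % (start, end))
        segments.append((start, end, off))
        off += length
    return segments


def build_lime_dump(ranges):
    """Constructed test input: a fake LiME capture from (start, payload) pairs."""
    out = b""
    for start, payload in ranges:
        end = start + len(payload) - 1
        out += LIME_HEADER.pack(LIME_MAGIC, 1, start, end, b"\0" * 8) + payload
    return out


if __name__ == "__main__":
    # Constructed sample: two RAM ranges, like a small emulator layout.
    dump = build_lime_dump([(0x0, b"\x55" * 4096), (0x100000, b"\xaa" * 8192)])
    print(parse_lime_segments(dump))  # two (start, end, offset) tuples
    print(parse_lime_segments(b"\x00" * 4096))  # None: raw image, no LiME header
```

To check a real capture, read the file into a bytes object and pass it to parse_lime_segments; the physical ranges it returns are what a LiME-aware address space would map.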