SlideShare a Scribd company logo

Omfw 2013

Download as PPTX, PDF
504ensics
504ensics

A brief explanation of Dalvik memory analysis and a call to ARMS

Technology
1 of 24
Dalvik Memory Analysis and a Call to ARMs Joe T. Sylve, M.S. Managing Partner 504ENSICS Labs
Android Memory Analysis • Acquisition – LiME • LKM that can dump an image of physical memory over TCP or to disk • Developed by me starting in 2011 • http://code.google.com/p/lime-forensics • Kernel Level Analysis • Volatility support added in 2012 • Most of the hard work was done by Andrew Case • I contributed and rewrote the ARM address space • You’ve heard me talk about this stuff before www.504ensics.com
Dalvik Analysis • Dalvik is the Android Runtime for Userland Apps • Basically Google’s Custom JVM • That’s Why Oracle Sued Them • Android Applications Each Have Their Own Instance of a DVM • Kernel Level Analysis • • • • Running Processes Network Connections Loaded Kernel Modules Dump Process Heap • String and Grep • Not Optimal for Analyzing Userland Malware www.504ensics.com
Dalvik Analysis • 504ENSICS Labs Awarded Research Grant in Late 2012 • DARPA Cyber Fast Track Program -- RIP :-( • Application-Level Memory Forensics for Dalvik • Added Volatility Support for Parsing Objects & Instances from DVM • Created a GUI Application (Dalvik Inspector) • Easy Analysis of Android Apps • Search and Filter Class Names and Fields • Automatically Generate Simple Volatility Plugins www.504ensics.com
How it works from 10,000ft • Locate Dalvik in Memory • • • • libdvm.so Linux C Shared Library Loaded into Every Dalvik Process By performing analysis of its data structures in memory, we can recreate the entire state of an application at the time of the memory capture • Can access this with existing Volatility functionality www.504ensics.com
How it works from 10,000ft • Finding Loaded Classes • DvmGlobals gDvm • Global variable inside of libdvm.so • Declared in vm/init.c of source • Hold the members that are needed to located classes in memory • Enumerate the loadedClasses member • Type is HashTable • Elements are of type ClassObject • Static and Instance Fields & Methods www.504ensics.com
How it works from 10,000ft • Parsing Fields • ClassObject • • • • int sfieldCount StaticField sfields int ifieldCount InstField ifields www.504ensics.com
How it works from 10,000ft struct StaticField { Field field; /* MUST be first item */ JValue value; /* initially set from DEX for primitives */ }; struct Field { ClassObject* const char* const char* u4 }; Signature typedef union JValue { u1 z; s1 b; u2 c; s2 s; s4 i; s8 j; float f; double d; void* l; } JValue; struct InstField { Field field; int byteOffset; }; Type L Object Z Boolean C Char F Float D Double B Byte S Short I Integer J Long L Void (Pointer) [ clazz; name; signature; accessFlags; Array Offset of JValue for specific instance Relative to the ClassObject struct www.504ensics.com
How it works from 10,000ft • Strings, Arrays, Lists, Objects, etc • Slightly more complicated to parse • Not terribly difficult • I’m probably already running low on time though… www.504ensics.com
The Process • Infect Device or Emulator • Dump Memory with LiME • Run Volatility Plugin to Generate SQLiteDB • Analyze DB in Dalvik Inspector www.504ensics.com
Dalvik Inspector www.504ensics.com
Dalvik Inspector www.504ensics.com
C&C Address www.504ensics.com
Plugin Creation www.504ensics.com
Plugin Creation www.504ensics.com
Plugin Creation www.504ensics.com
Plugin Creation www.504ensics.com
Plugin Creation www.504ensics.com
Plugin Creation www.504ensics.com
Plugin Creation www.504ensics.com
Plugin Creation www.504ensics.com
Plugin Creation www.504ensics.com
Open Research Problems • Portable LiME LKM • Requires Kernel headers and recompiling for each kernel • Profile Generation • Kernel • Kernel Headers • Exact Config • System.map • libdvm.so • Work in progress • Radare Library • Solution? • Combination of static and dynamic analysis • Locate symbols • Infer config for “key” structures www.504ensics.com
Questions? • Dalvik Inspector will be released soon™ • Email for access to closed Beta • joe@504Labs.com www.504ensics.com

Recommended

Sanity on Rails
Sanity on RailsSanity on Rails
Sanity on RailsMichael Kohl
 
Java goes wild, lesson 1
Java goes wild, lesson 1Java goes wild, lesson 1
Java goes wild, lesson 1Thierry Wasylczenko
 
Building XWiki
Building XWikiBuilding XWiki
Building XWikiVincent Massol
 
Build your datatypes
Build your datatypesBuild your datatypes
Build your datatypesEdi Modrić
 
How to-node-core
How to-node-coreHow to-node-core
How to-node-coreIsaacSchlueter
 
Improve Return to work
Improve Return to work Improve Return to work
Improve Return to work Nelson Hendler
 
Diapositivas (Exposición)
Diapositivas (Exposición)Diapositivas (Exposición)
Diapositivas (Exposición)CESVER
 
DC & Baltimore Gas Meter
DC & Baltimore Gas MeterDC & Baltimore Gas Meter
DC & Baltimore Gas MeterTonya Johnson-Spratley
 

Recommended

Sanity on Rails
Sanity on RailsSanity on Rails
Sanity on RailsMichael Kohl
 
Java goes wild, lesson 1
Java goes wild, lesson 1Java goes wild, lesson 1
Java goes wild, lesson 1Thierry Wasylczenko
 
Building XWiki
Building XWikiBuilding XWiki
Building XWikiVincent Massol
 
Build your datatypes
Build your datatypesBuild your datatypes
Build your datatypesEdi Modrić
 
How to-node-core
How to-node-coreHow to-node-core
How to-node-coreIsaacSchlueter
 
Improve Return to work
Improve Return to work Improve Return to work
Improve Return to work Nelson Hendler
 
Diapositivas (Exposición)
Diapositivas (Exposición)Diapositivas (Exposición)
Diapositivas (Exposición)CESVER
 
DC & Baltimore Gas Meter
DC & Baltimore Gas MeterDC & Baltimore Gas Meter
DC & Baltimore Gas MeterTonya Johnson-Spratley
 
Toward dynamic analysis of obfuscated android malware
Toward dynamic analysis of obfuscated android malwareToward dynamic analysis of obfuscated android malware
Toward dynamic analysis of obfuscated android malwareZongXian Shen
 
Memory Analysis of the Dalvik (Android) Virtual Machine
Memory Analysis of the Dalvik (Android) Virtual MachineMemory Analysis of the Dalvik (Android) Virtual Machine
Memory Analysis of the Dalvik (Android) Virtual MachineAndrew Case
 
Containers 101
Containers 101Containers 101
Containers 101Black Duck by Synopsys
 
CNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgCNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgSam Bowne
 
Exploring Java Heap Dumps (Oracle Code One 2018)
Exploring Java Heap Dumps (Oracle Code One 2018)Exploring Java Heap Dumps (Oracle Code One 2018)
Exploring Java Heap Dumps (Oracle Code One 2018)Ryan Cuprak
 
Understanding container security
Understanding container securityUnderstanding container security
Understanding container securityJohn Kinsella
 
DanNotes 2013: OpenNTF Domino API
DanNotes 2013: OpenNTF Domino APIDanNotes 2013: OpenNTF Domino API
DanNotes 2013: OpenNTF Domino APIPaul Withers
 
Kasza smashing the_jars
Kasza smashing the_jarsKasza smashing the_jars
Kasza smashing the_jarsPacSecJP
 
CNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgCNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgSam Bowne
 
#MBLTdev: Уроки, которые мы выучили, создавая Realm
#MBLTdev: Уроки, которые мы выучили, создавая Realm#MBLTdev: Уроки, которые мы выучили, создавая Realm
#MBLTdev: Уроки, которые мы выучили, создавая Realme-Legion
 
Docker Security
Docker SecurityDocker Security
Docker Securityantitree
 
Preparing your dockerised application for production deployment
Preparing your dockerised application for production deploymentPreparing your dockerised application for production deployment
Preparing your dockerised application for production deploymentDave Ward
 
Windows container security
Windows container securityWindows container security
Windows container securityDocker, Inc.
 
Rapid Android Application Security Testing
Rapid Android Application Security TestingRapid Android Application Security Testing
Rapid Android Application Security TestingNutan Kumar Panda
 
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbgPractical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbgSam Bowne
 
Introduction to React native
Introduction to React nativeIntroduction to React native
Introduction to React nativeDhaval Barot
 
CT Software Developers Meetup: Using Docker and Vagrant Within A GitHub Pull ...
CT Software Developers Meetup: Using Docker and Vagrant Within A GitHub Pull ...CT Software Developers Meetup: Using Docker and Vagrant Within A GitHub Pull ...
CT Software Developers Meetup: Using Docker and Vagrant Within A GitHub Pull ...E. Camden Fisher
 
CernVM-FS for Docker image distribution in Cloud Foundry
CernVM-FS for Docker image distribution in Cloud FoundryCernVM-FS for Docker image distribution in Cloud Foundry
CernVM-FS for Docker image distribution in Cloud FoundryGeorge Lestaris
 
Introduction to Android Development and Security
Introduction to Android Development and SecurityIntroduction to Android Development and Security
Introduction to Android Development and SecurityKelwin Yang
 
Everything You Need To Know About Persistent Storage in Kubernetes
Everything You Need To Know About Persistent Storage in KubernetesEverything You Need To Know About Persistent Storage in Kubernetes
Everything You Need To Know About Persistent Storage in KubernetesThe {code} Team
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 

More Related Content

Similar to Omfw 2013

Toward dynamic analysis of obfuscated android malware
Toward dynamic analysis of obfuscated android malwareToward dynamic analysis of obfuscated android malware
Toward dynamic analysis of obfuscated android malwareZongXian Shen
 
Memory Analysis of the Dalvik (Android) Virtual Machine
Memory Analysis of the Dalvik (Android) Virtual MachineMemory Analysis of the Dalvik (Android) Virtual Machine
Memory Analysis of the Dalvik (Android) Virtual MachineAndrew Case
 
CNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgCNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgSam Bowne
 
Exploring Java Heap Dumps (Oracle Code One 2018)
Exploring Java Heap Dumps (Oracle Code One 2018)Exploring Java Heap Dumps (Oracle Code One 2018)
Exploring Java Heap Dumps (Oracle Code One 2018)Ryan Cuprak
 
Understanding container security
Understanding container securityUnderstanding container security
Understanding container securityJohn Kinsella
 
DanNotes 2013: OpenNTF Domino API
DanNotes 2013: OpenNTF Domino APIDanNotes 2013: OpenNTF Domino API
DanNotes 2013: OpenNTF Domino APIPaul Withers
 
Kasza smashing the_jars
Kasza smashing the_jarsKasza smashing the_jars
Kasza smashing the_jarsPacSecJP
 
CNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgCNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgSam Bowne
 
#MBLTdev: Уроки, которые мы выучили, создавая Realm
#MBLTdev: Уроки, которые мы выучили, создавая Realm#MBLTdev: Уроки, которые мы выучили, создавая Realm
#MBLTdev: Уроки, которые мы выучили, создавая Realme-Legion
 
Docker Security
Docker SecurityDocker Security
Docker Securityantitree
 
Preparing your dockerised application for production deployment
Preparing your dockerised application for production deploymentPreparing your dockerised application for production deployment
Preparing your dockerised application for production deploymentDave Ward
 
Windows container security
Windows container securityWindows container security
Windows container securityDocker, Inc.
 
Rapid Android Application Security Testing
Rapid Android Application Security TestingRapid Android Application Security Testing
Rapid Android Application Security TestingNutan Kumar Panda
 
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbgPractical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbgSam Bowne
 
Introduction to React native
Introduction to React nativeIntroduction to React native
Introduction to React nativeDhaval Barot
 
CT Software Developers Meetup: Using Docker and Vagrant Within A GitHub Pull ...
CT Software Developers Meetup: Using Docker and Vagrant Within A GitHub Pull ...CT Software Developers Meetup: Using Docker and Vagrant Within A GitHub Pull ...
CT Software Developers Meetup: Using Docker and Vagrant Within A GitHub Pull ...E. Camden Fisher
 
CernVM-FS for Docker image distribution in Cloud Foundry
CernVM-FS for Docker image distribution in Cloud FoundryCernVM-FS for Docker image distribution in Cloud Foundry
CernVM-FS for Docker image distribution in Cloud FoundryGeorge Lestaris
 
Introduction to Android Development and Security
Introduction to Android Development and SecurityIntroduction to Android Development and Security
Introduction to Android Development and SecurityKelwin Yang
 
Everything You Need To Know About Persistent Storage in Kubernetes
Everything You Need To Know About Persistent Storage in KubernetesEverything You Need To Know About Persistent Storage in Kubernetes
Everything You Need To Know About Persistent Storage in KubernetesThe {code} Team
 

Similar to Omfw 2013 (20)

Toward dynamic analysis of obfuscated android malware
Toward dynamic analysis of obfuscated android malwareToward dynamic analysis of obfuscated android malware
Toward dynamic analysis of obfuscated android malware
 
Memory Analysis of the Dalvik (Android) Virtual Machine
Memory Analysis of the Dalvik (Android) Virtual MachineMemory Analysis of the Dalvik (Android) Virtual Machine
Memory Analysis of the Dalvik (Android) Virtual Machine
 
Containers 101
Containers 101Containers 101
Containers 101
 
CNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgCNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbg
 
Exploring Java Heap Dumps (Oracle Code One 2018)
Exploring Java Heap Dumps (Oracle Code One 2018)Exploring Java Heap Dumps (Oracle Code One 2018)
Exploring Java Heap Dumps (Oracle Code One 2018)
 
Understanding container security
Understanding container securityUnderstanding container security
Understanding container security
 
DanNotes 2013: OpenNTF Domino API
DanNotes 2013: OpenNTF Domino APIDanNotes 2013: OpenNTF Domino API
DanNotes 2013: OpenNTF Domino API
 
Kasza smashing the_jars
Kasza smashing the_jarsKasza smashing the_jars
Kasza smashing the_jars
 
CNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgCNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbg
 
#MBLTdev: Уроки, которые мы выучили, создавая Realm
#MBLTdev: Уроки, которые мы выучили, создавая Realm#MBLTdev: Уроки, которые мы выучили, создавая Realm
#MBLTdev: Уроки, которые мы выучили, создавая Realm
 
Docker Security
Docker SecurityDocker Security
Docker Security
 
Preparing your dockerised application for production deployment
Preparing your dockerised application for production deploymentPreparing your dockerised application for production deployment
Preparing your dockerised application for production deployment
 
Windows container security
Windows container securityWindows container security
Windows container security
 
Rapid Android Application Security Testing
Rapid Android Application Security TestingRapid Android Application Security Testing
Rapid Android Application Security Testing
 
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbgPractical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
 
Introduction to React native
Introduction to React nativeIntroduction to React native
Introduction to React native
 
CT Software Developers Meetup: Using Docker and Vagrant Within A GitHub Pull ...
CT Software Developers Meetup: Using Docker and Vagrant Within A GitHub Pull ...CT Software Developers Meetup: Using Docker and Vagrant Within A GitHub Pull ...
CT Software Developers Meetup: Using Docker and Vagrant Within A GitHub Pull ...
 
CernVM-FS for Docker image distribution in Cloud Foundry
CernVM-FS for Docker image distribution in Cloud FoundryCernVM-FS for Docker image distribution in Cloud Foundry
CernVM-FS for Docker image distribution in Cloud Foundry
 
Introduction to Android Development and Security
Introduction to Android Development and SecurityIntroduction to Android Development and Security
Introduction to Android Development and Security
 
Everything You Need To Know About Persistent Storage in Kubernetes
Everything You Need To Know About Persistent Storage in KubernetesEverything You Need To Know About Persistent Storage in Kubernetes
Everything You Need To Know About Persistent Storage in Kubernetes
 

Recently uploaded

Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfSeasiaInfotech2
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesZilliz
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 

Recently uploaded (20)

Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdf
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector Databases
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 

Omfw 2013

  • 1. Dalvik Memory Analysis and a Call to ARMs Joe T. Sylve, M.S. Managing Partner 504ENSICS Labs
  • 2. Android Memory Analysis • Acquisition – LiME • LKM that can dump an image of physical memory over TCP or to disk • Developed by me starting in 2011 • http://code.google.com/p/lime-forensics • Kernel Level Analysis • Volatility support added in 2012 • Most of the hard work was done by Andrew Case • I contributed and rewrote the ARM address space • You’ve heard me talk about this stuff before www.504ensics.com
  • 3. Dalvik Analysis • Dalvik is the Android Runtime for Userland Apps • Basically Google’s Custom JVM • That’s Why Oracle Sued Them • Android Applications Each Have Their Own Instance of a DVM • Kernel Level Analysis • • • • Running Processes Network Connections Loaded Kernel Modules Dump Process Heap • String and Grep • Not Optimal for Analyzing Userland Malware www.504ensics.com
  • 4. Dalvik Analysis • 504ENSICS Labs Awarded Research Grant in Late 2012 • DARPA Cyber Fast Track Program -- RIP :-( • Application-Level Memory Forensics for Dalvik • Added Volatility Support for Parsing Objects & Instances from DVM • Created a GUI Application (Dalvik Inspector) • Easy Analysis of Android Apps • Search and Filter Class Names and Fields • Automatically Generate Simple Volatility Plugins www.504ensics.com
  • 5. How it works from 10,000ft • Locate Dalvik in Memory • • • • libdvm.so Linux C Shared Library Loaded into Every Dalvik Process By performing analysis of its data structures in memory, we can recreate the entire state of an application at the time of the memory capture • Can access this with existing Volatility functionality www.504ensics.com
  • 6. How it works from 10,000ft • Finding Loaded Classes • DvmGlobals gDvm • Global variable inside of libdvm.so • Declared in vm/init.c of source • Hold the members that are needed to located classes in memory • Enumerate the loadedClasses member • Type is HashTable • Elements are of type ClassObject • Static and Instance Fields & Methods www.504ensics.com
  • 7. How it works from 10,000ft • Parsing Fields • ClassObject • • • • int sfieldCount StaticField sfields int ifieldCount InstField ifields www.504ensics.com
  • 8. How it works from 10,000ft struct StaticField { Field field; /* MUST be first item */ JValue value; /* initially set from DEX for primitives */ }; struct Field { ClassObject* const char* const char* u4 }; Signature typedef union JValue { u1 z; s1 b; u2 c; s2 s; s4 i; s8 j; float f; double d; void* l; } JValue; struct InstField { Field field; int byteOffset; }; Type L Object Z Boolean C Char F Float D Double B Byte S Short I Integer J Long L Void (Pointer) [ clazz; name; signature; accessFlags; Array Offset of JValue for specific instance Relative to the ClassObject struct www.504ensics.com
  • 9. How it works from 10,000ft • Strings, Arrays, Lists, Objects, etc • Slightly more complicated to parse • Not terribly difficult • I’m probably already running low on time though… www.504ensics.com
  • 10. The Process • Infect Device or Emulator • Dump Memory with LiME • Run Volatility Plugin to Generate SQLiteDB • Analyze DB in Dalvik Inspector www.504ensics.com
  • 23. Open Research Problems • Portable LiME LKM • Requires Kernel headers and recompiling for each kernel • Profile Generation • Kernel • Kernel Headers • Exact Config • System.map • libdvm.so • Work in progress • Radare Library • Solution? • Combination of static and dynamic analysis • Locate symbols • Infer config for “key” structures www.504ensics.com
  • 24. Questions? • Dalvik Inspector will be released soon™ • Email for access to closed Beta • joe@504Labs.com www.504ensics.com