SlideShare a Scribd company logo

Omfw 2013

Download as PPTX, PDF
504ensics
504ensics

A brief explanation of Dalvik memory analysis and a call to ARMS

Technology
1 of 24
Dalvik Memory Analysis and a Call to ARMs Joe T. Sylve, M.S. Managing Partner 504ENSICS Labs
Android Memory Analysis • Acquisition – LiME • LKM that can dump an image of physical memory over TCP or to disk • Developed by me starting in 2011 • http://code.google.com/p/lime-forensics • Kernel Level Analysis • Volatility support added in 2012 • Most of the hard work was done by Andrew Case • I contributed and rewrote the ARM address space • You’ve heard me talk about this stuff before www.504ensics.com
Dalvik Analysis • Dalvik is the Android Runtime for Userland Apps • Basically Google’s Custom JVM • That’s Why Oracle Sued Them • Android Applications Each Have Their Own Instance of a DVM • Kernel Level Analysis • • • • Running Processes Network Connections Loaded Kernel Modules Dump Process Heap • String and Grep • Not Optimal for Analyzing Userland Malware www.504ensics.com
Dalvik Analysis • 504ENSICS Labs Awarded Research Grant in Late 2012 • DARPA Cyber Fast Track Program -- RIP :-( • Application-Level Memory Forensics for Dalvik • Added Volatility Support for Parsing Objects & Instances from DVM • Created a GUI Application (Dalvik Inspector) • Easy Analysis of Android Apps • Search and Filter Class Names and Fields • Automatically Generate Simple Volatility Plugins www.504ensics.com
How it works from 10,000ft • Locate Dalvik in Memory • • • • libdvm.so Linux C Shared Library Loaded into Every Dalvik Process By performing analysis of its data structures in memory, we can recreate the entire state of an application at the time of the memory capture • Can access this with existing Volatility functionality www.504ensics.com
How it works from 10,000ft • Finding Loaded Classes • DvmGlobals gDvm • Global variable inside of libdvm.so • Declared in vm/init.c of source • Hold the members that are needed to located classes in memory • Enumerate the loadedClasses member • Type is HashTable • Elements are of type ClassObject • Static and Instance Fields & Methods www.504ensics.com
How it works from 10,000ft • Parsing Fields • ClassObject • • • • int sfieldCount StaticField sfields int ifieldCount InstField ifields www.504ensics.com
How it works from 10,000ft struct StaticField { Field field; /* MUST be first item */ JValue value; /* initially set from DEX for primitives */ }; struct Field { ClassObject* const char* const char* u4 }; Signature typedef union JValue { u1 z; s1 b; u2 c; s2 s; s4 i; s8 j; float f; double d; void* l; } JValue; struct InstField { Field field; int byteOffset; }; Type L Object Z Boolean C Char F Float D Double B Byte S Short I Integer J Long L Void (Pointer) [ clazz; name; signature; accessFlags; Array Offset of JValue for specific instance Relative to the ClassObject struct www.504ensics.com
How it works from 10,000ft • Strings, Arrays, Lists, Objects, etc • Slightly more complicated to parse • Not terribly difficult • I’m probably already running low on time though… www.504ensics.com
The Process • Infect Device or Emulator • Dump Memory with LiME • Run Volatility Plugin to Generate SQLiteDB • Analyze DB in Dalvik Inspector www.504ensics.com
Dalvik Inspector www.504ensics.com
Dalvik Inspector www.504ensics.com
C&C Address www.504ensics.com
Plugin Creation www.504ensics.com
Plugin Creation www.504ensics.com
Plugin Creation www.504ensics.com
Plugin Creation www.504ensics.com
Plugin Creation www.504ensics.com
Plugin Creation www.504ensics.com
Plugin Creation www.504ensics.com
Plugin Creation www.504ensics.com
Plugin Creation www.504ensics.com
Open Research Problems • Portable LiME LKM • Requires Kernel headers and recompiling for each kernel • Profile Generation • Kernel • Kernel Headers • Exact Config • System.map • libdvm.so • Work in progress • Radare Library • Solution? • Combination of static and dynamic analysis • Locate symbols • Infer config for “key” structures www.504ensics.com
Questions? • Dalvik Inspector will be released soon™ • Email for access to closed Beta • joe@504Labs.com www.504ensics.com

Recommended

Sanity on Rails
Sanity on RailsSanity on Rails
Sanity on RailsMichael Kohl
 
Java goes wild, lesson 1
Java goes wild, lesson 1Java goes wild, lesson 1
Java goes wild, lesson 1Thierry Wasylczenko
 
Building XWiki
Building XWikiBuilding XWiki
Building XWikiVincent Massol
 
Build your datatypes
Build your datatypesBuild your datatypes
Build your datatypesEdi Modrić
 
How to-node-core
How to-node-coreHow to-node-core
How to-node-coreIsaacSchlueter
 
Improve Return to work
Improve Return to work Improve Return to work
Improve Return to work Nelson Hendler
 
Diapositivas (Exposición)
Diapositivas (Exposición)Diapositivas (Exposición)
Diapositivas (Exposición)CESVER
 
DC & Baltimore Gas Meter
DC & Baltimore Gas MeterDC & Baltimore Gas Meter
DC & Baltimore Gas MeterTonya Johnson-Spratley
 

Recommended

Sanity on Rails
Sanity on RailsSanity on Rails
Sanity on RailsMichael Kohl
 
Java goes wild, lesson 1
Java goes wild, lesson 1Java goes wild, lesson 1
Java goes wild, lesson 1Thierry Wasylczenko
 
Building XWiki
Building XWikiBuilding XWiki
Building XWikiVincent Massol
 
Build your datatypes
Build your datatypesBuild your datatypes
Build your datatypesEdi Modrić
 
How to-node-core
How to-node-coreHow to-node-core
How to-node-coreIsaacSchlueter
 
Improve Return to work
Improve Return to work Improve Return to work
Improve Return to work Nelson Hendler
 
Diapositivas (Exposición)
Diapositivas (Exposición)Diapositivas (Exposición)
Diapositivas (Exposición)CESVER
 
DC & Baltimore Gas Meter
DC & Baltimore Gas MeterDC & Baltimore Gas Meter
DC & Baltimore Gas MeterTonya Johnson-Spratley
 
Toward dynamic analysis of obfuscated android malware
Toward dynamic analysis of obfuscated android malwareToward dynamic analysis of obfuscated android malware
Toward dynamic analysis of obfuscated android malwareZongXian Shen
 
Memory Analysis of the Dalvik (Android) Virtual Machine
Memory Analysis of the Dalvik (Android) Virtual MachineMemory Analysis of the Dalvik (Android) Virtual Machine
Memory Analysis of the Dalvik (Android) Virtual MachineAndrew Case
 
Containers 101
Containers 101Containers 101
Containers 101Black Duck by Synopsys
 
CNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgCNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgSam Bowne
 
Exploring Java Heap Dumps (Oracle Code One 2018)
Exploring Java Heap Dumps (Oracle Code One 2018)Exploring Java Heap Dumps (Oracle Code One 2018)
Exploring Java Heap Dumps (Oracle Code One 2018)Ryan Cuprak
 
Understanding container security
Understanding container securityUnderstanding container security
Understanding container securityJohn Kinsella
 
DanNotes 2013: OpenNTF Domino API
DanNotes 2013: OpenNTF Domino APIDanNotes 2013: OpenNTF Domino API
DanNotes 2013: OpenNTF Domino APIPaul Withers
 
Kasza smashing the_jars
Kasza smashing the_jarsKasza smashing the_jars
Kasza smashing the_jarsPacSecJP
 
CNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgCNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgSam Bowne
 
#MBLTdev: Уроки, которые мы выучили, создавая Realm
#MBLTdev: Уроки, которые мы выучили, создавая Realm#MBLTdev: Уроки, которые мы выучили, создавая Realm
#MBLTdev: Уроки, которые мы выучили, создавая Realme-Legion
 
Docker Security
Docker SecurityDocker Security
Docker Securityantitree
 
Preparing your dockerised application for production deployment
Preparing your dockerised application for production deploymentPreparing your dockerised application for production deployment
Preparing your dockerised application for production deploymentDave Ward
 
Windows container security
Windows container securityWindows container security
Windows container securityDocker, Inc.
 
Rapid Android Application Security Testing
Rapid Android Application Security TestingRapid Android Application Security Testing
Rapid Android Application Security TestingNutan Kumar Panda
 
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbgPractical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbgSam Bowne
 
Introduction to React native
Introduction to React nativeIntroduction to React native
Introduction to React nativeDhaval Barot
 
CT Software Developers Meetup: Using Docker and Vagrant Within A GitHub Pull ...
CT Software Developers Meetup: Using Docker and Vagrant Within A GitHub Pull ...CT Software Developers Meetup: Using Docker and Vagrant Within A GitHub Pull ...
CT Software Developers Meetup: Using Docker and Vagrant Within A GitHub Pull ...E. Camden Fisher
 
CernVM-FS for Docker image distribution in Cloud Foundry
CernVM-FS for Docker image distribution in Cloud FoundryCernVM-FS for Docker image distribution in Cloud Foundry
CernVM-FS for Docker image distribution in Cloud FoundryGeorge Lestaris
 
Introduction to Android Development and Security
Introduction to Android Development and SecurityIntroduction to Android Development and Security
Introduction to Android Development and SecurityKelwin Yang
 
Everything You Need To Know About Persistent Storage in Kubernetes
Everything You Need To Know About Persistent Storage in KubernetesEverything You Need To Know About Persistent Storage in Kubernetes
Everything You Need To Know About Persistent Storage in KubernetesThe {code} Team
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2
 

More Related Content

Similar to Omfw 2013

Toward dynamic analysis of obfuscated android malware
Toward dynamic analysis of obfuscated android malwareToward dynamic analysis of obfuscated android malware
Toward dynamic analysis of obfuscated android malwareZongXian Shen
 
Memory Analysis of the Dalvik (Android) Virtual Machine
Memory Analysis of the Dalvik (Android) Virtual MachineMemory Analysis of the Dalvik (Android) Virtual Machine
Memory Analysis of the Dalvik (Android) Virtual MachineAndrew Case
 
CNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgCNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgSam Bowne
 
Exploring Java Heap Dumps (Oracle Code One 2018)
Exploring Java Heap Dumps (Oracle Code One 2018)Exploring Java Heap Dumps (Oracle Code One 2018)
Exploring Java Heap Dumps (Oracle Code One 2018)Ryan Cuprak
 
Understanding container security
Understanding container securityUnderstanding container security
Understanding container securityJohn Kinsella
 
DanNotes 2013: OpenNTF Domino API
DanNotes 2013: OpenNTF Domino APIDanNotes 2013: OpenNTF Domino API
DanNotes 2013: OpenNTF Domino APIPaul Withers
 
Kasza smashing the_jars
Kasza smashing the_jarsKasza smashing the_jars
Kasza smashing the_jarsPacSecJP
 
CNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgCNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgSam Bowne
 
#MBLTdev: Уроки, которые мы выучили, создавая Realm
#MBLTdev: Уроки, которые мы выучили, создавая Realm#MBLTdev: Уроки, которые мы выучили, создавая Realm
#MBLTdev: Уроки, которые мы выучили, создавая Realme-Legion
 
Docker Security
Docker SecurityDocker Security
Docker Securityantitree
 
Preparing your dockerised application for production deployment
Preparing your dockerised application for production deploymentPreparing your dockerised application for production deployment
Preparing your dockerised application for production deploymentDave Ward
 
Windows container security
Windows container securityWindows container security
Windows container securityDocker, Inc.
 
Rapid Android Application Security Testing
Rapid Android Application Security TestingRapid Android Application Security Testing
Rapid Android Application Security TestingNutan Kumar Panda
 
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbgPractical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbgSam Bowne
 
Introduction to React native
Introduction to React nativeIntroduction to React native
Introduction to React nativeDhaval Barot
 
CT Software Developers Meetup: Using Docker and Vagrant Within A GitHub Pull ...
CT Software Developers Meetup: Using Docker and Vagrant Within A GitHub Pull ...CT Software Developers Meetup: Using Docker and Vagrant Within A GitHub Pull ...
CT Software Developers Meetup: Using Docker and Vagrant Within A GitHub Pull ...E. Camden Fisher
 
CernVM-FS for Docker image distribution in Cloud Foundry
CernVM-FS for Docker image distribution in Cloud FoundryCernVM-FS for Docker image distribution in Cloud Foundry
CernVM-FS for Docker image distribution in Cloud FoundryGeorge Lestaris
 
Introduction to Android Development and Security
Introduction to Android Development and SecurityIntroduction to Android Development and Security
Introduction to Android Development and SecurityKelwin Yang
 
Everything You Need To Know About Persistent Storage in Kubernetes
Everything You Need To Know About Persistent Storage in KubernetesEverything You Need To Know About Persistent Storage in Kubernetes
Everything You Need To Know About Persistent Storage in KubernetesThe {code} Team
 

Similar to Omfw 2013 (20)

Toward dynamic analysis of obfuscated android malware
Toward dynamic analysis of obfuscated android malwareToward dynamic analysis of obfuscated android malware
Toward dynamic analysis of obfuscated android malware
 
Memory Analysis of the Dalvik (Android) Virtual Machine
Memory Analysis of the Dalvik (Android) Virtual MachineMemory Analysis of the Dalvik (Android) Virtual Machine
Memory Analysis of the Dalvik (Android) Virtual Machine
 
Containers 101
Containers 101Containers 101
Containers 101
 
CNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgCNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbg
 
Exploring Java Heap Dumps (Oracle Code One 2018)
Exploring Java Heap Dumps (Oracle Code One 2018)Exploring Java Heap Dumps (Oracle Code One 2018)
Exploring Java Heap Dumps (Oracle Code One 2018)
 
Understanding container security
Understanding container securityUnderstanding container security
Understanding container security
 
DanNotes 2013: OpenNTF Domino API
DanNotes 2013: OpenNTF Domino APIDanNotes 2013: OpenNTF Domino API
DanNotes 2013: OpenNTF Domino API
 
Kasza smashing the_jars
Kasza smashing the_jarsKasza smashing the_jars
Kasza smashing the_jars
 
CNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgCNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbg
 
#MBLTdev: Уроки, которые мы выучили, создавая Realm
#MBLTdev: Уроки, которые мы выучили, создавая Realm#MBLTdev: Уроки, которые мы выучили, создавая Realm
#MBLTdev: Уроки, которые мы выучили, создавая Realm
 
Docker Security
Docker SecurityDocker Security
Docker Security
 
Preparing your dockerised application for production deployment
Preparing your dockerised application for production deploymentPreparing your dockerised application for production deployment
Preparing your dockerised application for production deployment
 
Windows container security
Windows container securityWindows container security
Windows container security
 
Rapid Android Application Security Testing
Rapid Android Application Security TestingRapid Android Application Security Testing
Rapid Android Application Security Testing
 
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbgPractical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
 
Introduction to React native
Introduction to React nativeIntroduction to React native
Introduction to React native
 
CT Software Developers Meetup: Using Docker and Vagrant Within A GitHub Pull ...
CT Software Developers Meetup: Using Docker and Vagrant Within A GitHub Pull ...CT Software Developers Meetup: Using Docker and Vagrant Within A GitHub Pull ...
CT Software Developers Meetup: Using Docker and Vagrant Within A GitHub Pull ...
 
CernVM-FS for Docker image distribution in Cloud Foundry
CernVM-FS for Docker image distribution in Cloud FoundryCernVM-FS for Docker image distribution in Cloud Foundry
CernVM-FS for Docker image distribution in Cloud Foundry
 
Introduction to Android Development and Security
Introduction to Android Development and SecurityIntroduction to Android Development and Security
Introduction to Android Development and Security
 
Everything You Need To Know About Persistent Storage in Kubernetes
Everything You Need To Know About Persistent Storage in KubernetesEverything You Need To Know About Persistent Storage in Kubernetes
Everything You Need To Know About Persistent Storage in Kubernetes
 

Recently uploaded

Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityWSO2
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Orbitshub
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontologyjohnbeverley2021
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 

Recently uploaded (20)

Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 

Omfw 2013

  • 1. Dalvik Memory Analysis and a Call to ARMs Joe T. Sylve, M.S. Managing Partner 504ENSICS Labs
  • 2. Android Memory Analysis • Acquisition – LiME • LKM that can dump an image of physical memory over TCP or to disk • Developed by me starting in 2011 • http://code.google.com/p/lime-forensics • Kernel Level Analysis • Volatility support added in 2012 • Most of the hard work was done by Andrew Case • I contributed and rewrote the ARM address space • You’ve heard me talk about this stuff before www.504ensics.com
  • 3. Dalvik Analysis • Dalvik is the Android Runtime for Userland Apps • Basically Google’s Custom JVM • That’s Why Oracle Sued Them • Android Applications Each Have Their Own Instance of a DVM • Kernel Level Analysis • • • • Running Processes Network Connections Loaded Kernel Modules Dump Process Heap • String and Grep • Not Optimal for Analyzing Userland Malware www.504ensics.com
  • 4. Dalvik Analysis • 504ENSICS Labs Awarded Research Grant in Late 2012 • DARPA Cyber Fast Track Program -- RIP :-( • Application-Level Memory Forensics for Dalvik • Added Volatility Support for Parsing Objects & Instances from DVM • Created a GUI Application (Dalvik Inspector) • Easy Analysis of Android Apps • Search and Filter Class Names and Fields • Automatically Generate Simple Volatility Plugins www.504ensics.com
  • 5. How it works from 10,000ft • Locate Dalvik in Memory • • • • libdvm.so Linux C Shared Library Loaded into Every Dalvik Process By performing analysis of its data structures in memory, we can recreate the entire state of an application at the time of the memory capture • Can access this with existing Volatility functionality www.504ensics.com
  • 6. How it works from 10,000ft • Finding Loaded Classes • DvmGlobals gDvm • Global variable inside of libdvm.so • Declared in vm/init.c of source • Hold the members that are needed to located classes in memory • Enumerate the loadedClasses member • Type is HashTable • Elements are of type ClassObject • Static and Instance Fields & Methods www.504ensics.com
  • 7. How it works from 10,000ft • Parsing Fields • ClassObject • • • • int sfieldCount StaticField sfields int ifieldCount InstField ifields www.504ensics.com
  • 8. How it works from 10,000ft struct StaticField { Field field; /* MUST be first item */ JValue value; /* initially set from DEX for primitives */ }; struct Field { ClassObject* const char* const char* u4 }; Signature typedef union JValue { u1 z; s1 b; u2 c; s2 s; s4 i; s8 j; float f; double d; void* l; } JValue; struct InstField { Field field; int byteOffset; }; Type L Object Z Boolean C Char F Float D Double B Byte S Short I Integer J Long L Void (Pointer) [ clazz; name; signature; accessFlags; Array Offset of JValue for specific instance Relative to the ClassObject struct www.504ensics.com
  • 9. How it works from 10,000ft • Strings, Arrays, Lists, Objects, etc • Slightly more complicated to parse • Not terribly difficult • I’m probably already running low on time though… www.504ensics.com
  • 10. The Process • Infect Device or Emulator • Dump Memory with LiME • Run Volatility Plugin to Generate SQLiteDB • Analyze DB in Dalvik Inspector www.504ensics.com
  • 23. Open Research Problems • Portable LiME LKM • Requires Kernel headers and recompiling for each kernel • Profile Generation • Kernel • Kernel Headers • Exact Config • System.map • libdvm.so • Work in progress • Radare Library • Solution? • Combination of static and dynamic analysis • Locate symbols • Infer config for “key” structures www.504ensics.com
  • 24. Questions? • Dalvik Inspector will be released soon™ • Email for access to closed Beta • joe@504Labs.com www.504ensics.com