SlideShare a Scribd company logo

Omfw 2013

Download as PPTX, PDF
504ensics
504ensics

A brief explanation of Dalvik memory analysis and a call to ARMS

Technology
1 of 24
Dalvik Memory Analysis and a Call to ARMs Joe T. Sylve, M.S. Managing Partner 504ENSICS Labs
Android Memory Analysis • Acquisition – LiME • LKM that can dump an image of physical memory over TCP or to disk • Developed by me starting in 2011 • http://code.google.com/p/lime-forensics • Kernel Level Analysis • Volatility support added in 2012 • Most of the hard work was done by Andrew Case • I contributed and rewrote the ARM address space • You’ve heard me talk about this stuff before www.504ensics.com
Dalvik Analysis • Dalvik is the Android Runtime for Userland Apps • Basically Google’s Custom JVM • That’s Why Oracle Sued Them • Android Applications Each Have Their Own Instance of a DVM • Kernel Level Analysis • • • • Running Processes Network Connections Loaded Kernel Modules Dump Process Heap • String and Grep • Not Optimal for Analyzing Userland Malware www.504ensics.com
Dalvik Analysis • 504ENSICS Labs Awarded Research Grant in Late 2012 • DARPA Cyber Fast Track Program -- RIP :-( • Application-Level Memory Forensics for Dalvik • Added Volatility Support for Parsing Objects & Instances from DVM • Created a GUI Application (Dalvik Inspector) • Easy Analysis of Android Apps • Search and Filter Class Names and Fields • Automatically Generate Simple Volatility Plugins www.504ensics.com
How it works from 10,000ft • Locate Dalvik in Memory • • • • libdvm.so Linux C Shared Library Loaded into Every Dalvik Process By performing analysis of its data structures in memory, we can recreate the entire state of an application at the time of the memory capture • Can access this with existing Volatility functionality www.504ensics.com
How it works from 10,000ft • Finding Loaded Classes • DvmGlobals gDvm • Global variable inside of libdvm.so • Declared in vm/init.c of source • Hold the members that are needed to located classes in memory • Enumerate the loadedClasses member • Type is HashTable • Elements are of type ClassObject • Static and Instance Fields & Methods www.504ensics.com
How it works from 10,000ft • Parsing Fields • ClassObject • • • • int sfieldCount StaticField sfields int ifieldCount InstField ifields www.504ensics.com
How it works from 10,000ft struct StaticField { Field field; /* MUST be first item */ JValue value; /* initially set from DEX for primitives */ }; struct Field { ClassObject* const char* const char* u4 }; Signature typedef union JValue { u1 z; s1 b; u2 c; s2 s; s4 i; s8 j; float f; double d; void* l; } JValue; struct InstField { Field field; int byteOffset; }; Type L Object Z Boolean C Char F Float D Double B Byte S Short I Integer J Long L Void (Pointer) [ clazz; name; signature; accessFlags; Array Offset of JValue for specific instance Relative to the ClassObject struct www.504ensics.com
How it works from 10,000ft • Strings, Arrays, Lists, Objects, etc • Slightly more complicated to parse • Not terribly difficult • I’m probably already running low on time though… www.504ensics.com
The Process • Infect Device or Emulator • Dump Memory with LiME • Run Volatility Plugin to Generate SQLiteDB • Analyze DB in Dalvik Inspector www.504ensics.com
Dalvik Inspector www.504ensics.com
Dalvik Inspector www.504ensics.com
C&C Address www.504ensics.com
Plugin Creation www.504ensics.com
Plugin Creation www.504ensics.com
Plugin Creation www.504ensics.com
Plugin Creation www.504ensics.com
Plugin Creation www.504ensics.com
Plugin Creation www.504ensics.com
Plugin Creation www.504ensics.com
Plugin Creation www.504ensics.com
Plugin Creation www.504ensics.com
Open Research Problems • Portable LiME LKM • Requires Kernel headers and recompiling for each kernel • Profile Generation • Kernel • Kernel Headers • Exact Config • System.map • libdvm.so • Work in progress • Radare Library • Solution? • Combination of static and dynamic analysis • Locate symbols • Infer config for “key” structures www.504ensics.com
Questions? • Dalvik Inspector will be released soon™ • Email for access to closed Beta • joe@504Labs.com www.504ensics.com

Recommended

Sanity on Rails
Sanity on RailsSanity on Rails
Sanity on RailsMichael Kohl
 
Java goes wild, lesson 1
Java goes wild, lesson 1Java goes wild, lesson 1
Java goes wild, lesson 1Thierry Wasylczenko
 
Building XWiki
Building XWikiBuilding XWiki
Building XWikiVincent Massol
 
Build your datatypes
Build your datatypesBuild your datatypes
Build your datatypesEdi Modrić
 
How to-node-core
How to-node-coreHow to-node-core
How to-node-coreIsaacSchlueter
 
Improve Return to work
Improve Return to work Improve Return to work
Improve Return to work Nelson Hendler
 
Diapositivas (Exposición)
Diapositivas (Exposición)Diapositivas (Exposición)
Diapositivas (Exposición)CESVER
 
DC & Baltimore Gas Meter
DC & Baltimore Gas MeterDC & Baltimore Gas Meter
DC & Baltimore Gas MeterTonya Johnson-Spratley
 

Recommended

Sanity on Rails
Sanity on RailsSanity on Rails
Sanity on RailsMichael Kohl
 
Java goes wild, lesson 1
Java goes wild, lesson 1Java goes wild, lesson 1
Java goes wild, lesson 1Thierry Wasylczenko
 
Building XWiki
Building XWikiBuilding XWiki
Building XWikiVincent Massol
 
Build your datatypes
Build your datatypesBuild your datatypes
Build your datatypesEdi Modrić
 
How to-node-core
How to-node-coreHow to-node-core
How to-node-coreIsaacSchlueter
 
Improve Return to work
Improve Return to work Improve Return to work
Improve Return to work Nelson Hendler
 
Diapositivas (Exposición)
Diapositivas (Exposición)Diapositivas (Exposición)
Diapositivas (Exposición)CESVER
 
DC & Baltimore Gas Meter
DC & Baltimore Gas MeterDC & Baltimore Gas Meter
DC & Baltimore Gas MeterTonya Johnson-Spratley
 
Toward dynamic analysis of obfuscated android malware
Toward dynamic analysis of obfuscated android malwareToward dynamic analysis of obfuscated android malware
Toward dynamic analysis of obfuscated android malwareZongXian Shen
 
Memory Analysis of the Dalvik (Android) Virtual Machine
Memory Analysis of the Dalvik (Android) Virtual MachineMemory Analysis of the Dalvik (Android) Virtual Machine
Memory Analysis of the Dalvik (Android) Virtual MachineAndrew Case
 
Containers 101
Containers 101Containers 101
Containers 101Black Duck by Synopsys
 
CNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgCNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgSam Bowne
 
Exploring Java Heap Dumps (Oracle Code One 2018)
Exploring Java Heap Dumps (Oracle Code One 2018)Exploring Java Heap Dumps (Oracle Code One 2018)
Exploring Java Heap Dumps (Oracle Code One 2018)Ryan Cuprak
 
Understanding container security
Understanding container securityUnderstanding container security
Understanding container securityJohn Kinsella
 
DanNotes 2013: OpenNTF Domino API
DanNotes 2013: OpenNTF Domino APIDanNotes 2013: OpenNTF Domino API
DanNotes 2013: OpenNTF Domino APIPaul Withers
 
Kasza smashing the_jars
Kasza smashing the_jarsKasza smashing the_jars
Kasza smashing the_jarsPacSecJP
 
CNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgCNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgSam Bowne
 
#MBLTdev: Уроки, которые мы выучили, создавая Realm
#MBLTdev: Уроки, которые мы выучили, создавая Realm#MBLTdev: Уроки, которые мы выучили, создавая Realm
#MBLTdev: Уроки, которые мы выучили, создавая Realme-Legion
 
Docker Security
Docker SecurityDocker Security
Docker Securityantitree
 
Preparing your dockerised application for production deployment
Preparing your dockerised application for production deploymentPreparing your dockerised application for production deployment
Preparing your dockerised application for production deploymentDave Ward
 
Windows container security
Windows container securityWindows container security
Windows container securityDocker, Inc.
 
Rapid Android Application Security Testing
Rapid Android Application Security TestingRapid Android Application Security Testing
Rapid Android Application Security TestingNutan Kumar Panda
 
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbgPractical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbgSam Bowne
 
Introduction to React native
Introduction to React nativeIntroduction to React native
Introduction to React nativeDhaval Barot
 
CT Software Developers Meetup: Using Docker and Vagrant Within A GitHub Pull ...
CT Software Developers Meetup: Using Docker and Vagrant Within A GitHub Pull ...CT Software Developers Meetup: Using Docker and Vagrant Within A GitHub Pull ...
CT Software Developers Meetup: Using Docker and Vagrant Within A GitHub Pull ...E. Camden Fisher
 
CernVM-FS for Docker image distribution in Cloud Foundry
CernVM-FS for Docker image distribution in Cloud FoundryCernVM-FS for Docker image distribution in Cloud Foundry
CernVM-FS for Docker image distribution in Cloud FoundryGeorge Lestaris
 
Introduction to Android Development and Security
Introduction to Android Development and SecurityIntroduction to Android Development and Security
Introduction to Android Development and SecurityKelwin Yang
 
Everything You Need To Know About Persistent Storage in Kubernetes
Everything You Need To Know About Persistent Storage in KubernetesEverything You Need To Know About Persistent Storage in Kubernetes
Everything You Need To Know About Persistent Storage in KubernetesThe {code} Team
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 

More Related Content

Similar to Omfw 2013

Toward dynamic analysis of obfuscated android malware
Toward dynamic analysis of obfuscated android malwareToward dynamic analysis of obfuscated android malware
Toward dynamic analysis of obfuscated android malwareZongXian Shen
 
Memory Analysis of the Dalvik (Android) Virtual Machine
Memory Analysis of the Dalvik (Android) Virtual MachineMemory Analysis of the Dalvik (Android) Virtual Machine
Memory Analysis of the Dalvik (Android) Virtual MachineAndrew Case
 
CNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgCNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgSam Bowne
 
Exploring Java Heap Dumps (Oracle Code One 2018)
Exploring Java Heap Dumps (Oracle Code One 2018)Exploring Java Heap Dumps (Oracle Code One 2018)
Exploring Java Heap Dumps (Oracle Code One 2018)Ryan Cuprak
 
Understanding container security
Understanding container securityUnderstanding container security
Understanding container securityJohn Kinsella
 
DanNotes 2013: OpenNTF Domino API
DanNotes 2013: OpenNTF Domino APIDanNotes 2013: OpenNTF Domino API
DanNotes 2013: OpenNTF Domino APIPaul Withers
 
Kasza smashing the_jars
Kasza smashing the_jarsKasza smashing the_jars
Kasza smashing the_jarsPacSecJP
 
CNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgCNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgSam Bowne
 
#MBLTdev: Уроки, которые мы выучили, создавая Realm
#MBLTdev: Уроки, которые мы выучили, создавая Realm#MBLTdev: Уроки, которые мы выучили, создавая Realm
#MBLTdev: Уроки, которые мы выучили, создавая Realme-Legion
 
Docker Security
Docker SecurityDocker Security
Docker Securityantitree
 
Preparing your dockerised application for production deployment
Preparing your dockerised application for production deploymentPreparing your dockerised application for production deployment
Preparing your dockerised application for production deploymentDave Ward
 
Windows container security
Windows container securityWindows container security
Windows container securityDocker, Inc.
 
Rapid Android Application Security Testing
Rapid Android Application Security TestingRapid Android Application Security Testing
Rapid Android Application Security TestingNutan Kumar Panda
 
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbgPractical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbgSam Bowne
 
Introduction to React native
Introduction to React nativeIntroduction to React native
Introduction to React nativeDhaval Barot
 
CT Software Developers Meetup: Using Docker and Vagrant Within A GitHub Pull ...
CT Software Developers Meetup: Using Docker and Vagrant Within A GitHub Pull ...CT Software Developers Meetup: Using Docker and Vagrant Within A GitHub Pull ...
CT Software Developers Meetup: Using Docker and Vagrant Within A GitHub Pull ...E. Camden Fisher
 
CernVM-FS for Docker image distribution in Cloud Foundry
CernVM-FS for Docker image distribution in Cloud FoundryCernVM-FS for Docker image distribution in Cloud Foundry
CernVM-FS for Docker image distribution in Cloud FoundryGeorge Lestaris
 
Introduction to Android Development and Security
Introduction to Android Development and SecurityIntroduction to Android Development and Security
Introduction to Android Development and SecurityKelwin Yang
 
Everything You Need To Know About Persistent Storage in Kubernetes
Everything You Need To Know About Persistent Storage in KubernetesEverything You Need To Know About Persistent Storage in Kubernetes
Everything You Need To Know About Persistent Storage in KubernetesThe {code} Team
 

Similar to Omfw 2013 (20)

Toward dynamic analysis of obfuscated android malware
Toward dynamic analysis of obfuscated android malwareToward dynamic analysis of obfuscated android malware
Toward dynamic analysis of obfuscated android malware
 
Memory Analysis of the Dalvik (Android) Virtual Machine
Memory Analysis of the Dalvik (Android) Virtual MachineMemory Analysis of the Dalvik (Android) Virtual Machine
Memory Analysis of the Dalvik (Android) Virtual Machine
 
Containers 101
Containers 101Containers 101
Containers 101
 
CNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgCNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbg
 
Exploring Java Heap Dumps (Oracle Code One 2018)
Exploring Java Heap Dumps (Oracle Code One 2018)Exploring Java Heap Dumps (Oracle Code One 2018)
Exploring Java Heap Dumps (Oracle Code One 2018)
 
Understanding container security
Understanding container securityUnderstanding container security
Understanding container security
 
DanNotes 2013: OpenNTF Domino API
DanNotes 2013: OpenNTF Domino APIDanNotes 2013: OpenNTF Domino API
DanNotes 2013: OpenNTF Domino API
 
Kasza smashing the_jars
Kasza smashing the_jarsKasza smashing the_jars
Kasza smashing the_jars
 
CNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgCNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbg
 
#MBLTdev: Уроки, которые мы выучили, создавая Realm
#MBLTdev: Уроки, которые мы выучили, создавая Realm#MBLTdev: Уроки, которые мы выучили, создавая Realm
#MBLTdev: Уроки, которые мы выучили, создавая Realm
 
Docker Security
Docker SecurityDocker Security
Docker Security
 
Preparing your dockerised application for production deployment
Preparing your dockerised application for production deploymentPreparing your dockerised application for production deployment
Preparing your dockerised application for production deployment
 
Windows container security
Windows container securityWindows container security
Windows container security
 
Rapid Android Application Security Testing
Rapid Android Application Security TestingRapid Android Application Security Testing
Rapid Android Application Security Testing
 
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbgPractical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
 
Introduction to React native
Introduction to React nativeIntroduction to React native
Introduction to React native
 
CT Software Developers Meetup: Using Docker and Vagrant Within A GitHub Pull ...
CT Software Developers Meetup: Using Docker and Vagrant Within A GitHub Pull ...CT Software Developers Meetup: Using Docker and Vagrant Within A GitHub Pull ...
CT Software Developers Meetup: Using Docker and Vagrant Within A GitHub Pull ...
 
CernVM-FS for Docker image distribution in Cloud Foundry
CernVM-FS for Docker image distribution in Cloud FoundryCernVM-FS for Docker image distribution in Cloud Foundry
CernVM-FS for Docker image distribution in Cloud Foundry
 
Introduction to Android Development and Security
Introduction to Android Development and SecurityIntroduction to Android Development and Security
Introduction to Android Development and Security
 
Everything You Need To Know About Persistent Storage in Kubernetes
Everything You Need To Know About Persistent Storage in KubernetesEverything You Need To Know About Persistent Storage in Kubernetes
Everything You Need To Know About Persistent Storage in Kubernetes
 

Recently uploaded

MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfOverkill Security
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024The Digital Insurer
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdfSandro Moreira
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...apidays
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 

Recently uploaded (20)

MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 

Omfw 2013

  • 1. Dalvik Memory Analysis and a Call to ARMs Joe T. Sylve, M.S. Managing Partner 504ENSICS Labs
  • 2. Android Memory Analysis • Acquisition – LiME • LKM that can dump an image of physical memory over TCP or to disk • Developed by me starting in 2011 • http://code.google.com/p/lime-forensics • Kernel Level Analysis • Volatility support added in 2012 • Most of the hard work was done by Andrew Case • I contributed and rewrote the ARM address space • You’ve heard me talk about this stuff before www.504ensics.com
  • 3. Dalvik Analysis • Dalvik is the Android Runtime for Userland Apps • Basically Google’s Custom JVM • That’s Why Oracle Sued Them • Android Applications Each Have Their Own Instance of a DVM • Kernel Level Analysis • • • • Running Processes Network Connections Loaded Kernel Modules Dump Process Heap • String and Grep • Not Optimal for Analyzing Userland Malware www.504ensics.com
  • 4. Dalvik Analysis • 504ENSICS Labs Awarded Research Grant in Late 2012 • DARPA Cyber Fast Track Program -- RIP :-( • Application-Level Memory Forensics for Dalvik • Added Volatility Support for Parsing Objects & Instances from DVM • Created a GUI Application (Dalvik Inspector) • Easy Analysis of Android Apps • Search and Filter Class Names and Fields • Automatically Generate Simple Volatility Plugins www.504ensics.com
  • 5. How it works from 10,000ft • Locate Dalvik in Memory • • • • libdvm.so Linux C Shared Library Loaded into Every Dalvik Process By performing analysis of its data structures in memory, we can recreate the entire state of an application at the time of the memory capture • Can access this with existing Volatility functionality www.504ensics.com
  • 6. How it works from 10,000ft • Finding Loaded Classes • DvmGlobals gDvm • Global variable inside of libdvm.so • Declared in vm/init.c of source • Hold the members that are needed to located classes in memory • Enumerate the loadedClasses member • Type is HashTable • Elements are of type ClassObject • Static and Instance Fields & Methods www.504ensics.com
  • 7. How it works from 10,000ft • Parsing Fields • ClassObject • • • • int sfieldCount StaticField sfields int ifieldCount InstField ifields www.504ensics.com
  • 8. How it works from 10,000ft struct StaticField { Field field; /* MUST be first item */ JValue value; /* initially set from DEX for primitives */ }; struct Field { ClassObject* const char* const char* u4 }; Signature typedef union JValue { u1 z; s1 b; u2 c; s2 s; s4 i; s8 j; float f; double d; void* l; } JValue; struct InstField { Field field; int byteOffset; }; Type L Object Z Boolean C Char F Float D Double B Byte S Short I Integer J Long L Void (Pointer) [ clazz; name; signature; accessFlags; Array Offset of JValue for specific instance Relative to the ClassObject struct www.504ensics.com
  • 9. How it works from 10,000ft • Strings, Arrays, Lists, Objects, etc • Slightly more complicated to parse • Not terribly difficult • I’m probably already running low on time though… www.504ensics.com
  • 10. The Process • Infect Device or Emulator • Dump Memory with LiME • Run Volatility Plugin to Generate SQLiteDB • Analyze DB in Dalvik Inspector www.504ensics.com
  • 23. Open Research Problems • Portable LiME LKM • Requires Kernel headers and recompiling for each kernel • Profile Generation • Kernel • Kernel Headers • Exact Config • System.map • libdvm.so • Work in progress • Radare Library • Solution? • Combination of static and dynamic analysis • Locate symbols • Infer config for “key” structures www.504ensics.com
  • 24. Questions? • Dalvik Inspector will be released soon™ • Email for access to closed Beta • joe@504Labs.com www.504ensics.com