top of page

#android | It's in your memory!

Memory forensics in Android


The numerous fascinating concepts I have learned in past several weeks, needed to be captured. One of them has been memory forensics.


From quick search on web:

Memory forensics refers to the analysis of volatile data in a computer's memory dump.

Think of it this way, when your computer runs, it has a lot going on in it's head i.e. in it's memory, precisely the RAM.

Each function performed by an operating system or application results in specific modifications to the computer’s memory (RAM).



By dumping the memory and analyzing it, we can find a bunch of valuable data such as which processes were running, open network connections, recently executed commands etc. Critical data often exists exclusively in memory, such as disk encryption keys, memory-resident injected code fragments, off-the-record chat messages, unencrypted e-mail messages, and non-cacheable Internet history records.

So the memory has much more than one can ponder!


In memory the code and strings are decrypted so capturing and dumping it can give you access to decrypted messages, passwords, code fragments and what not!


So, having a sense of what memory forensics is about, the immediate questions that follow are:

  1. How do I capture memory and dump it?

  2. How do I analyze the dumped memory?


Let's answer the first question in this post.


How do I capture memory and dump it?


It depends on the platform.


There are many ways to capture memory. One of my favorite ways is to use FRIDA to capture the process's memory.


Wait, what's FRIDA? If you have this question in mind, I recommend you to spend some time here: https://frida.re/docs/home/


So, FRIDA is basically a dynamic code instrumentation toolkit. It lets you inject snippets of JavaScript or your own library into native apps on Windows, macOS, GNU/Linux, iOS, Android etc.


Frida’s core is written in C and injects Google’s V8 engine into the target processes, where your JS gets executed with full access to memory, hooking functions and even calling native functions inside the process. There’s a bi-directional communication channel that is used to talk between your app and the JS running inside the target process.


So you see, our code injected through FRIDA will be having FULL ACCESS to process's memory, exactly what we need.

Once we have access, we need to read it and dump it. And thanks to the open source community, we already have a project called FRIDUMP that does exactly the same thing.



script = session.create_script(
    """'use strict';
    rpc.exports = {
      enumerateRanges: function (prot) {
        return Process.enumerateRangesSync(prot);
      },
      readMemory: function (address, size) {
        return Memory.readByteArray(ptr(address), size);
      }
    };
    """)



So, we can setup FRIDA and clone FRIDUMP to dump any process's memory!


 

Done with the talks, now, let's setup FRIDA for Android!




You'd need root access for that, so I'd suggest try it out on emulator instead.



Download the zipped FRIDA server (of the architecture if your emulator) from here:


Extract it and push it to the emulator


adb push frida-server-12.11.17-android-x86 /data/local/tmp


Now, adb shell to the emulator, give the server right to run and run it:


adb shell
cd /data/local/tmp
chmod 777 frida-server-12.11.17-android-x86
./frida-server-12.11.17-android-x86

Now, setup frida-tools on your system


pip install frida-tools

Once it's setup on system, run this command to check that we are able to connect to the server setup on the emulator. Do this by running this command.


frida-ps -U

This will list out all the running processes on the device.



Now, let's clone the FRIDUMP and run it.


python fridump.py -U -s <packageName>

This will start dumping the memory of the process in the dump folder which gets created consequently.


Hurray! You have successfully dumped the memory!


Dump memory of com.android.chrome (Chrome browser) and you'd be able to spot the saved passwords in your browsers be dumped in strings.xml file in the dump folder! Isn't it awesome!



So, now what do we do with the dump, how do we study it?

In order to do that, we'd need to get familiar with the memory maps for the process!

Now what are memory maps and how can they help us in analyzing this dump?


Stay tuned for the next blog post in order to learn that.

I'd be back soon to cover more intriguing concepts, till then take care and keep hacking!


 

Like and share with people who might find this useful!

Subscribe this website to get the posts delivered right in your inbox!


Sources:

  1. The Art of Memory Forensics [Book by Andrew Case; AAron Walters; Jamie Levy; Michael Hale Ligh]

  2. https://www.sans.org/reading-room/whitepapers/forensics/techniques-tools-recovering-analyzing-data-volatile-memory-33049

  3. frida.re

Comments


bottom of page