152
android Malware and analysis
(RAM). Its objective is to introduce people to the complex techniques of extracting volatile memory (RAM) images from digital devices, and to provide a platform for future work within this research area.
$ cd ~/android-volatility/
$ python vol.py --info | grep Linux
Volatile Systems Volatility Framework 2.3_alpha
LinuxGolfish-2_6_29x86 - A Profile for Linux Golfish-2.6.29 x86
$ python vol.py --profile=LinuxGolfish-2_6_29x86 -f ~/lime.dump linux_pslist
Volatile Systems Volatility Framework 2.3_alpha
Offset     Name        Pid Uid Gid DTB        Start Time
---------- ----------- --- --- --- ---------- ----------
0xf3812c00 init        1   0   0   0x33b04000 2013-02-25 16:42:16 UTC+0000
0xf3812800 kthreadd    2   0   0   ---------- 2013-02-25 16:42:16 UTC+0000
0xf3812400 ksoftirqd/0 3   0   0   ---------- 2013-02-25 16:42:16 UTC+0000
.....
Volatility is a unique and coherent framework that analyzes 32- and 64-bit RAM dumps from Windows, Linux, and Mac, and is now also able to analyze an Android memory dump. Volatility's modular design allows it to support new operating systems and architectures as soon as they are published. All devices are targets for attacks; this is the reason it is not limited to Windows computers.
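The linux_pslist listing above is plain text, and the fastest way to put a memory-forensics process list to work is to parse it and compare it against what a clean image is expected to be running. The following Python is an added example, not code from the book or from the Volatility project: it parses rows in the layout the plugin prints (offset, name, pid, uid, gid, DTB, start time), treats a dashed DTB as a kernel thread, and flags user-space tasks that are not in a hypothetical baseline allowlist or that run as an Android application UID. The sample listing and the baseline are constructed.

```python
"""Parse Volatility linux_pslist output and flag unexpected user-space tasks.

Added example; not part of the book or of the Volatility project. SAMPLE_PSLIST
is constructed to mirror the plugin's layout (banner, header, dashed separator,
one row per task, trailing "....."), and BASELINE is a hypothetical allowlist
for a clean emulator image.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of what `vol.py --profile=... -f ... linux_pslist` prints.
SAMPLE_PSLIST = """\
Volatile Systems Volatility Framework 2.3_alpha
Offset     Name              Pid   Uid   Gid   DTB        Start Time
---------- ----------------- ----- ----- ----- ---------- ----------
0xf3812c00 init              1     0     0     0x33b04000 2013-02-25 16:42:16 UTC+0000
0xf3812800 kthreadd          2     0     0     ---------- 2013-02-25 16:42:16 UTC+0000
0xf3812400 ksoftirqd/0       3     0     0     ---------- 2013-02-25 16:42:16 UTC+0000
0xf3810000 zygote            31    0     0     0x33c10000 2013-02-25 16:42:20 UTC+0000
0xf3700000 com.example.evil  412   10042 10042 0x35a20000 2013-02-25 16:51:03 UTC+0000
.....
"""


@dataclass
class Task:
    offset: int
    name: str
    pid: int
    uid: int
    gid: int
    dtb: Optional[int]   # None for kernel threads (no user-space page tables)
    start_time: str


# offset  name  pid  uid  gid  dtb-or-dashes  start time (rest of line)
ROW_RE = re.compile(
    r"^(0x[0-9a-f]+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(0x[0-9a-f]+|-+)\s+(.+?)\s*$"
)


def parse_pslist(text: str) -> List[Task]:
    """Turn the plugin's text table into Task records; non-row lines are skipped."""
    tasks = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:   # banner, header, separator and "....." do not match
            continue
        off, name, pid, uid, gid, dtb, start = m.groups()
        tasks.append(Task(int(off, 16), name, int(pid), int(uid), int(gid),
                          None if dtb.startswith("-") else int(dtb, 16), start))
    return tasks


def user_tasks(tasks: List[Task]) -> List[Task]:
    """Tasks that own a page-table base, i.e. real user-space processes."""
    return [t for t in tasks if t.dtb is not None]


def unexpected_tasks(tasks: List[Task], baseline) -> List[Task]:
    """User-space tasks whose name is not in the known-good baseline."""
    return [t for t in user_tasks(tasks) if t.name not in baseline]


def app_uid_tasks(tasks: List[Task], first_app_uid: int = 10000) -> List[Task]:
    """Tasks running as an Android application UID (Android assigns apps UIDs
    starting at 10000); on an image with no apps installed there should be none."""
    return [t for t in tasks if t.uid >= first_app_uid]


BASELINE = {"init", "zygote"}   # hypothetical allowlist for a clean emulator image

if __name__ == "__main__":
    tasks = parse_pslist(SAMPLE_PSLIST)
    for t in unexpected_tasks(tasks, BASELINE):
        print(f"unexpected: pid={t.pid} uid={t.uid} name={t.name} dtb={t.dtb:#x}")
    for t in app_uid_tasks(tasks):
        print(f"app uid: pid={t.pid} uid={t.uid} name={t.name}")
```

Feed it the real plugin output redirected to a file instead of SAMPLE_PSLIST; the baseline should be built from a pslist of the same image taken before the sample was installed, so that the comparison is against the device's own steady state rather than a generic list.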
Sandbox Lab (Codename AMA)
AMA (Android Malware Analyzer) is a Python-based script that works in conjunction with different open source tools to automatically collect, analyze, and report on runtime indicators of malware. In a nutshell, it allows you to run your malware, hit a keypress, and get a simple text or HTML report of the sample's activities (Figure 8.10).
AMA not only runs malware the way a sandbox does; it can also log system-wide events while you run the malware manually in whatever way is needed to make it execute. For example, it can listen as you run malware that requires varying command line options, or watch the system as you step through malware in a debugger.
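The "run it, hit a keypress, get a report" workflow reduces to a snapshot taken before the sample starts, a second snapshot once the analyst signals that it has done its work, and a diff of the two rendered as text or HTML. The Python below is an added example of that loop and is not AMA's own code; it does not invoke any of the open source tools AMA wraps. Snapshots are dictionaries of category name to a set of observed strings, so any collector (process list, listening sockets, filesystem walk) can feed it; the two snapshots shown are constructed sample data, and the HTML renderer escapes every observed string because filenames and process names in a report come from the sample itself.

```python
"""Snapshot, run, wait for a key, snapshot, diff, report.

Added example of the sandbox loop AMA automates; not AMA's code. BEFORE and
AFTER are constructed snapshots standing in for real collectors.
"""
import html
from typing import Dict, List, Set

Snapshot = Dict[str, Set[str]]
Report = Dict[str, Dict[str, List[str]]]

# Constructed: lab device state before the sample is launched ...
BEFORE: Snapshot = {
    "processes": {"1 init", "31 zygote", "88 system_server"},
    "listening": {"tcp 0.0.0.0:5555"},
    "files": {"/data/app/com.example.app-1.apk"},
}
# ... and after the analyst ran it and pressed a key. The file name containing
# "<script>" is deliberate: sample-controlled strings end up in the report.
AFTER: Snapshot = {
    "processes": {"1 init", "31 zygote", "88 system_server", "412 com.example.evil"},
    "listening": {"tcp 0.0.0.0:5555", "tcp 0.0.0.0:4444"},
    "files": {"/data/app/com.example.app-1.apk",
              "/data/data/com.example.evil/<script>x"},
}


def diff_snapshots(before: Snapshot, after: Snapshot) -> Report:
    """Per category, what appeared and what disappeared while the sample ran."""
    report: Report = {}
    for category in sorted(set(before) | set(after)):
        b, a = before.get(category, set()), after.get(category, set())
        report[category] = {"added": sorted(a - b), "removed": sorted(b - a)}
    return report


def render_text(report: Report) -> str:
    """Plain-text report: one section per category, + for new, - for gone."""
    lines = []
    for category, changes in report.items():
        lines.append(f"[{category}]")
        lines.extend(f"  + {item}" for item in changes["added"])
        lines.extend(f"  - {item}" for item in changes["removed"])
    return "\n".join(lines)


def render_html(report: Report) -> str:
    """HTML report. Every observed string is escaped so a crafted file or
    process name cannot inject markup into the page the analyst opens."""
    parts = ["<html><body>"]
    for category, changes in report.items():
        parts.append(f"<h2>{html.escape(category)}</h2><ul>")
        parts.extend(f"<li>+ {html.escape(item)}</li>" for item in changes["added"])
        parts.extend(f"<li>- {html.escape(item)}</li>" for item in changes["removed"])
        parts.append("</ul>")
    parts.append("</body></html>")
    return "".join(parts)


def run_session(collect, launch, wait_for_key) -> Report:
    """The loop itself: snapshot, launch the sample, block until the analyst
    is done (they may be driving it by hand or in a debugger), snapshot, diff."""
    before = collect()
    launch()
    wait_for_key()
    return diff_snapshots(before, collect())


if __name__ == "__main__":
    # Stand-in collector that hands out the two constructed snapshots in order.
    snaps = iter([BEFORE, AFTER])
    report = run_session(lambda: next(snaps), lambda: None,
                         lambda: input("Sample running; press Enter when done... "))
    print(render_text(report))
```

In a real lab the `collect` callable would shell out to the device (a process listing, a socket listing, a file tree walk) and `launch` would start the sample, while `wait_for_key` stays exactly as shown so that the analyst can run the sample with whatever command line options or debugger steps it needs before the second snapshot is taken.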