CN106648815B - A mobile phone dynamic memory extraction method based on similar kernel - Google Patents

Info

Publication number
CN106648815B
Authority
CN
China
Prior art keywords
kernel
module
source code
information
similar
Prior art date
Legal status
Active
Application number
CN201611021959.9A
Other languages
Chinese (zh)
Other versions
CN106648815A (en)
Inventor
康艳荣
刘亚
范玮
郭丽莉
周冬林
尹春社
Current Assignee
Institute of Forensic Science Ministry of Public Security PRC
Original Assignee
Institute of Forensic Science Ministry of Public Security PRC
Events
Application filed by Institute of Forensic Science Ministry of Public Security PRC
Priority to CN201611021959.9A
Publication of CN106648815A
Application granted
Publication of CN106648815B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00 Arrangements for software engineering
    • G06F8/40 Transformation of program code
    • G06F8/41 Compilation
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/445 Program loading or initiating
    • G06F9/44505 Configuring for program initiating, e.g. using registry, configuration files
    • G06F9/4451 User profiles; Roaming

Abstract

The present invention relates to a mobile phone dynamic memory extraction method based on a similar kernel. The steps are: select similar kernel source code; collect target system information; compile the kernel source code; generate the .config file under the root directory; construct the kernel module; disable the verification mechanism and recompile the kernel; cross-compile the source code; compile the external module with the LiME tool; upload the LiME module to the target phone and load it with the insmod command; find, in the similar kernel source code, the functions that depend on the __gnu_mcount_nc symbol; export the __gnu_mcount_nc symbol; perform kernel configuration in the similar kernel code; enter the LiME directory and assign the external source path to the similar kernel code; generate the dump memory file on the SD card of the Android terminal and, on the local terminal, use a pull operation to retrieve the memory file from the phone to the local computer.

Description

A mobile phone dynamic memory extraction method based on a similar kernel
Technical field
The present invention relates to mobile phone dynamic memory extraction methods, and in particular to a mobile phone dynamic memory extraction method based on a similar kernel.
Background technique
Compared with traditional mobile phone forensics, dynamic memory forensics is an emerging field, so research on dynamic memory acquisition and analysis is still scarce. No relevant research results have yet been published domestically; the related work is concentrated in a few foreign digital forensics research institutions. To date, research on mobile phone dynamic memory forensics has gone through three stages: forensics based on the command line, chiefly represented by the kill command under the Android terminal; forensics based on the Android debugging tool, i.e. DDMS; and forensics based on an acquisition tool, mainly the forensic tools built on LiME. Domestic mobile phone forensics research is concentrated on extracting data from the SIM card, SD card and flash memory, and there are no reports of research of this kind.
Current research trends are based on LiME and on ReKall. (1) Based on LiME: one prior-art method extracts the random access memory of an Android phone at low temperature. Its principle is remanence: under low-temperature conditions the contents of RAM persist for some time after power is removed. That work tested a Samsung Galaxy Nexus and showed that, even when boot encryption is enabled, the disk encryption key, the address book, visited websites and other sensitive data can be recovered directly from RAM at low ambient temperature. The FROST technique used there is also built on the LiME tool, but the paper performs no analysis of the extracted data, and the phone model tested is limited to the Samsung Galaxy Nexus. (2) Based on ReKall: prior work has applied traditional physical memory extraction techniques, both hardware- and software-based, and tested memory extraction in environments where anti-forensics techniques are deployed. In such environments, traditional physical memory extraction either fails or extracts only incomplete memory. There is also a newer physical memory extraction technique whose principle is to obtain the physical address space through the PTE (page table entry). However, the PMEM tool it uses runs only on Windows, Linux and Mac OS X and still cannot extract the physical memory of an Android phone. Linux physical memory extraction currently has the problem that a matching kernel version must be compiled for each target, which increases the difficulty of forensic work; a further method therefore generates a generic kernel module applicable to a range of Linux kernel versions. Its principle is to inject a very small memory extraction module into a valid kernel module in the target system and, by a redirection technique, have the parasitized module execute the code segment that extracts memory; the experimental subjects were Linux releases 2.6.38 to 3.10, and it was not tested on Android. There is also a fully open-source suite for dynamic memory extraction and analysis whose supported targets are Windows, OS X and Linux. In the version released in 2015 the suite can analyze Android dynamic memory, but it still cannot extract it. Moreover, domestic mobile phone forensics research is concentrated on extracting SIM card, SD card and flash memory data, and there are no reports of research of this kind.
For dynamic memory forensics research, only the LiME tool is currently well suited to extracting dynamic memory from Android phones; in legal validity, technical characteristics and feasibility alike, LiME has so far been the investigator's only choice for dynamic memory extraction research. Because LiME has been in use for only a short time, and because using it requires obtaining the source code of the corresponding device and performing a certain amount of compilation, there is no mature and systematic extraction procedure, which greatly limits the investigator's efficiency in extracting dynamic memory.
Summary of the invention
In view of the above problems, the object of the present invention is to provide a mobile phone dynamic memory extraction method based on a similar kernel. The method performs kernel configuration based on the ELF format used by the LiME tool and on the kernel symbol mechanism, and extracts the phone's dynamic memory using a kernel similar to that of the phone.
To achieve the above object, the present invention adopts the following technical scheme: a mobile phone dynamic memory extraction method based on a similar kernel, characterized in that it comprises the following steps:
1) Determine the basic details of the target Android phone to be examined and select similar kernel source code.
2) Collect target system information; the information to be collected is determined by the definition of vermagic and is obtained in the target phone's system with basic shell commands.
3) Compile the kernel source code: switch to the kernel source directory in a Linux terminal and configure the cross-compilation toolchain; initialize the kernel configuration.
4) After a successful compile a .config file is generated under the root directory; confirm whether the functions related to loadable modules are enabled in the configuration, editing the .config file with gedit.
5) Construct the kernel module according to the kernel configuration information of the target system: construct the same vermagic string as in the target system, further configure .config from the collected SMP and PREEMPT configuration information, and close the PREEMPT-related configuration so that the module's version control information agrees with that of the target system.
6) Where the module is subject to the modversions verification mechanism, disable that mechanism and recompile the kernel.
7) Cross-compile the source code; the kernel version information must be forcibly assigned during compilation.
8) Using the compiled kernel source code, compile the external module with the LiME tool.
9) Upload the LiME module constructed with the similar kernel to the target phone and load it with the insmod command.
10) Search the similar kernel source code for the functions that depend on the __gnu_mcount_nc symbol.
11) When the CONFIG_FUNCTION_TRACER options are enabled in the kernel configuration, compiling the kernel triggers the target system's dependency on that symbol: in the initial stage of enabling the ftrace function in the kernel, all functions call the symbol, and the compiled kernel exports __gnu_mcount_nc.
12) Perform kernel configuration in the similar kernel code, closing the kernel compile options related to ftrace; find the configuration related to the __gnu_mcount_nc symbol by traversing the kernel code directory, analyze the relationships between the function calls, and find all configuration options related to the symbol.
13) Enter the LiME directory, assign the external source path to the similar kernel code, and extract dynamic memory in lime format by SD dump.
14) After extraction completes, a dump memory file is generated on the SD card of the Android terminal; a pull operation on the local terminal retrieves the memory file from the phone to the local computer.
Further, in step 3), according to the device's default configuration file, the following command is entered in the terminal to begin configuring kernel functions: #make arch=arm m0duosctc_00_defconfig
Further, in step 5), the kernel module is constructed by forging the vermagic string value: according to the system kernel configuration information of the target terminal, the source code is compiled with exactly the same configuration options, so as to forge a loadable module carrying the target's information features; this deceives the system's vermagic check, bypasses the target system's kernel verification mechanism and loads the target module.
Further, the kernel module construction process is as follows: 5.1) Specify the value of the UTS_RELEASE field: by setting the macro variable KERNELRELEASE in the Makefile under the source root directory, the KERNELRELEASE variable is forcibly assigned during compilation, so that the module information after compilation contains the forcibly specified kernel version information. 5.2) The other field information of the module's vermagic is related to the kernel configuration; obtain the kernel configuration information corresponding to the target system and specify the particular functional configuration before compilation, so that a loadable module with similar functions can be constructed. 5.3) Edit the .config file under the root directory a second time in the terminal, so that the compiled external module has functions similar to those in the target system. 5.4) The construction of the vermagic string is complete; the vermagic information in the module is exactly the same as the information in the target system.
Further, in step 6), the specific process is: edit the .config file of the kernel source code, close the CONFIG_MODVERSIONS option in the configuration file, and then forge the presence of the modversions field in the header file that defines vermagic; edit the /include/linux/vermagic.h file under the kernel source directory, modify the section of code concerning CONFIG_MODVERSIONS, and save to complete the configuration.
Further, in step 8), the specific process is: 8.1) edit the Makefile under the LiME directory with gedit in the terminal, specifying the source path and the Android cross-compilation tool, which completes the configuration; 8.2) enter the make command in the terminal to compile LiME; on success the module file lime-android.ko is generated under the root directory; 8.3) confirm the version control information of the lime-android.ko module with the modinfo command; if it is inconsistent with the collected target system information, modify the kernel configuration again and repeat steps 8.1) to 8.3) to recompile the LiME module; when the vermagic values of the two match exactly, upload the module to the target Android phone.
Further, in step 10), the __gnu_mcount_nc symbol variable is determined to be generated by the operation of ftrace. ftrace is one of the Linux kernel's trace debugging tools; its purpose is to let developers dynamically understand the behavior of the Linux kernel, and this definition can be checked in ftrace.h.
Further, in step 12), the specific process is: 12.1) edit the .config file under the source root directory with gedit in the terminal, locate and close the relevant options, save the configuration file, compile the kernel source code again, and traverse the root directory again to determine whether the __gnu_mcount_nc symbol is still exported; 12.2) the traversal finds that the low-level data files /kernel/bounds.s and /arch/arm/kernel/asm-offsets.s under the directory carry the symbol information; 12.3) open the low-level data files /kernel/bounds.s and /arch/arm/kernel/asm-offsets.s with the gedit editor, locate the code segment where the symbol is, delete that segment, save and exit.
Further, in step 12.3), the kernel need not be recompiled after the deletion; the compilation of the LiME module in the next step can proceed directly.
By adopting the above technical scheme, the invention has the following advantages: 1. For Android lowest versions 2.2 and 2.3 and highest versions 4.0 and 4.1, the invention can successfully extract the dynamic memory data of an Android phone. 2. For Android lowest versions 2.2 and 2.3 and highest versions 4.0 and 4.1, the invention successfully solves the problem of load failure caused by inconsistent kernel symbols in the module, and successfully loads a kernel of a similar version.
Specific embodiment
The present invention is described in detail below with reference to an embodiment.
The present invention provides a mobile phone dynamic memory extraction method based on a similar kernel, comprising the following steps:
1) Determine the basic details of the target Android phone to be examined and select similar kernel source code.
In the phone's Settings, the About phone option gives an overview of the target phone: the detailed model, the Android system version, the kernel version, running memory and so on. Of these, the Android system version and the kernel version are the most critical. The first principle for choosing similar kernel source code is to ensure that the Android version and kernel version are exactly the same; next, look for a phone model similar to the target device model, preferably of the same series as the target device. A difference in kernel version is an essential difference for the phone itself, and at the level of the kernel source code it shows up as differences in the underlying architecture and coding.
For example, the phone used is the HTC S710d. From the system information page in the target phone it is found that the phone's Android system version is Android 2.2 and its kernel version is 2.6.35; further inquiry shows that the S710d belongs to HTC's S series. The official open-source website of the manufacturer HTC supports filtered searches of device kernel source code: selecting Android 2.2 in the Android version option lists all phone models based on Android 2.2, and from those results the kernel source code whose kernel version is 2.6.35 is selected. The source code selected for this experiment is code-named flyer-hc-mr-2.6.35-f4a346d.
2) Collect target system information. The information to be collected can be determined from the definition of vermagic, and it can be obtained with basic shell commands in the target phone's system after connecting the phone.
Basic information about the Android system can be inspected in the /proc file system, which contains a large amount of read-only data about the system; the kernel and many device drivers use it to export information. Much key information can be read from system entries: for example, /proc/meminfo reports the device's memory usage, /proc/cpuinfo reports the device's CPU, and /proc/version reports the device's version information, which is the most valuable data for constructing a trusted module. On the local terminal, the adb shell command enters the terminal of the Android phone, and the information can be read with cat /proc/version. Here 3.0.31-1005594 is the kernel version of this phone, and the SMP and PREEMPT marks in the latter half show that the phone has SMP and PREEMPT enabled, so before compiling the kernel source code the CONFIG_SMP_ and CONFIG_PREEMPT_ option groups must be added to the kernel configuration. If more complete and detailed information is needed, the system modules shipped with the target terminal can be consulted.
3) Begin compiling the kernel source code. Switch to the kernel source directory in a Linux terminal and configure the cross-compilation toolchain. Initialize the kernel configuration; because the documentation under the source tree states that default configuration options exist, manual configuration with make menuconfig is not needed.
According to the device's default configuration file, the following command is entered in the terminal to begin configuring kernel functions:
#make arch=arm m0duosctc_00_defconfig
4) After a successful compile a .config file is generated under the root directory. Because the device default configuration was used, it is also necessary to confirm whether the functions related to loadable modules are enabled in the configuration. Edit the .config file with gedit and ensure that the CONFIG_MODULE_ group of options is enabled.
5) Based on the information collected earlier, the kernel module must be constructed according to the kernel configuration information of the target system so as to bypass the verification mechanism in the kernel. The same vermagic string as in the target system is constructed, so the SMP, PREEMPT and similar configuration information collected is used to further configure the corresponding functions in .config: for instance, if the target system has SMP but not PREEMPT, the SMP-related configuration must be enabled and the PREEMPT-related configuration closed in the configuration file, so that the module's version control information agrees with that of the target system.
The kernel module is constructed by forging the vermagic string value: according to the system kernel configuration information of the target terminal, the source code is compiled with exactly the same configuration options, forging a loadable module that carries the target's information features. This deceives the system's vermagic check, bypasses the target system's kernel verification mechanism, loads the target module and so achieves memory extraction. The process is as follows:
5.1) Construct the kernel version information, i.e. specify the value of the UTS_RELEASE field. By setting the macro variable KERNELRELEASE in the Makefile under the source root directory, the KERNELRELEASE variable is forcibly assigned during compilation, and the module information after compilation then contains the forcibly specified kernel version information.
From the definition of vermagic it can be seen that the string consists of the kernel version information together with the configuration of the corresponding module functions. Therefore, before compiling, first obtain the version information of the target system's kernel, then use that information to force the assignment in the acquisition tool, so that its version information is exactly the same as that of the target system.
5.2) The other field information of the module's vermagic is related to the kernel configuration, and the relevant kernel configuration of the target system represents a function the system necessarily has. Therefore, obtain the kernel configuration information corresponding to the target system (such as the SMP function and the PREEMPT function) and specify that particular functional configuration before compiling, so that a loadable module with similar functions can be constructed.
5.3) After the basic kernel configuration before compilation is complete, the .config file under the root directory can be edited a second time in the terminal, so that the compiled external module has functions similar to those in the target system.
5.4) The construction of the vermagic string is complete. Only when the vermagic information in the module is exactly the same as the information in the target system will the module pass the verification mechanism in the kernel, be regarded by the system as a trusted module and be loaded into the kernel, after which the subsequent dynamic memory extraction work can be carried out.
6) Where the module is subject to the modversions verification mechanism, disable that mechanism and recompile the kernel. The specific process is as follows:
Edit the .config file of the kernel source code and close the CONFIG_MODVERSIONS option in the configuration file; then forge the presence of the modversions field in the header file that defines vermagic. Edit the /include/linux/vermagic.h file under the kernel source directory, revise the section of code concerning CONFIG_MODVERSIONS as follows, and save to complete the configuration.
/* vermagic.h after the change: the "modversions " field is emitted in both
 * branches, so the module's vermagic claims modversions even though
 * CONFIG_MODVERSIONS has been closed in .config (the unmodified header
 * defines the macro as an empty string in the #else branch). */
#ifdef CONFIG_MODVERSIONS
#define MODULE_VERMAGIC_MODVERSIONS "modversions "
#else
#define MODULE_VERMAGIC_MODVERSIONS "modversions "
#endif
Android systems with higher kernel versions also have a second-layer modversions module verification mechanism, which is a CRC-value check on the module; configuring the CONFIG_MODVERSIONS option enables this checking mechanism when the kernel is compiled. The mechanism computes the CRC values of the kernel module's __versions section. Because the number of source files under the Android source directory is huge and the mutual calls between functions are extremely complex, brute-forcing the checking algorithm and the related information defined in the source code is not feasible, so the only option is to bypass the CRC-value verification of the kernel module.
7) With the kernel functions configured, begin cross-compiling the source code. During compilation the kernel version information must be forcibly assigned so as to bypass the kernel's vermagic checking mechanism. For example, in this embodiment the kernel version information of the target phone is 3.0.31-1005594, so the following command is entered in the terminal to compile, where the kernel version variable is KERNELRELEASE:
#make KERNELRELEASE=3.0.31-1005594 modules_prepare
8) Using the compiled kernel source code, compile the external module with the LiME tool.
8.1) First edit the Makefile under the LiME directory with gedit in the terminal, specifying the source path and the Android cross-compilation tool; the configuration is then complete.
8.2) Enter the make command in the terminal to compile LiME; on success the module file lime-android.ko is generated under the root directory.
8.3) Confirm the version control information of the lime-android.ko module with the modinfo command. If it is inconsistent with the collected target system information, modify the kernel configuration again and repeat steps 8.1) to 8.3) to recompile the LiME module. When the vermagic values of the two match exactly, the module can be uploaded to the target Android phone for dynamic memory extraction.
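The comparison that steps 5) and 8.3) describe, the target's vermagic fields against the vermagic that modinfo prints for the freshly built module, can be scripted on the analyst's host. The following is an added example and is not the patent's own code or part of LiME. It assumes the vermagic layout of include/linux/vermagic.h in 2.6/3.x kernels ("<release> [SMP ][preempt ][mod_unload ][modversions ]<arch>") and the "vermagic:" line format of modinfo; the /proc/version line and the two modinfo outputs are constructed samples that follow the embodiment's release string 3.0.31-1005594.

```python
"""Rebuild the vermagic fields a target kernel will insist on and diff them
against a module's vermagic, listing the build corrections still needed.

Added example, not the patent's code and not part of LiME.  Sample inputs
are constructed.  Only the release, SMP and PREEMPT fields are visible in
/proc/version; mod_unload/modversions have to be read from a module that
ships with the phone, as the description notes.
"""
import re

# Constructed sample of `adb shell cat /proc/version` on the target phone.
TARGET_PROC_VERSION = (
    "Linux version 3.0.31-1005594 (builder@host) (gcc version 4.4.3 (GCC) ) "
    "#1 SMP PREEMPT Mon Jan 1 00:00:00 CST 2013"
)

# Constructed `modinfo lime-android.ko` output for a module built from the
# similar kernel before KERNELRELEASE was forced and PREEMPT enabled.
MODINFO_BEFORE = """\
filename:       lime-android.ko
license:        GPL
depends:
vermagic:       2.6.35 SMP mod_unload ARMv7
"""

# The same module after the corrections were applied and it was rebuilt.
MODINFO_AFTER = """\
filename:       lime-android.ko
license:        GPL
depends:
vermagic:       3.0.31-1005594 SMP preempt mod_unload ARMv7
"""

# vermagic token -> the .config option that emits it (include/linux/vermagic.h)
TOKEN_TO_CONFIG = {"SMP": "CONFIG_SMP", "preempt": "CONFIG_PREEMPT"}


def parse_proc_version(text):
    """Return (release, {vermagic tokens}) from a /proc/version line."""
    m = re.match(r"Linux version (\S+)", text)
    if not m:
        raise ValueError("not a /proc/version line")
    tokens = set()
    if re.search(r"\bSMP\b", text):
        tokens.add("SMP")
    if re.search(r"\bPREEMPT\b", text):
        tokens.add("preempt")  # vermagic spells this token in lower case
    return m.group(1), tokens


def parse_modinfo_vermagic(text):
    """Return (release, {tokens}) from the vermagic: line of modinfo output."""
    for line in text.splitlines():
        if line.startswith("vermagic:"):
            fields = line.split(":", 1)[1].split()
            return fields[0], set(fields[1:])
    raise ValueError("modinfo output has no vermagic: line")


def vermagic_corrections(target_proc_version, modinfo_text):
    """Build changes needed before the target kernel accepts the module.

    An empty list means the release and the SMP/PREEMPT fields already agree.
    """
    t_release, t_tokens = parse_proc_version(target_proc_version)
    m_release, m_tokens = parse_modinfo_vermagic(modinfo_text)
    actions = []
    if t_release != m_release:
        # step 7 of the description: force the release during the build
        actions.append(f"make KERNELRELEASE={t_release} modules_prepare")
    for token, option in TOKEN_TO_CONFIG.items():
        if token in t_tokens and token not in m_tokens:
            actions.append(f"enable {option} in .config")
        elif token not in t_tokens and token in m_tokens:
            actions.append(f"disable {option} in .config")
    return actions


if __name__ == "__main__":
    for label, text in (("before", MODINFO_BEFORE), ("after", MODINFO_AFTER)):
        print(label, vermagic_corrections(TARGET_PROC_VERSION, text) or "vermagic matches")
```

Run against the "before" module it reports the forced KERNELRELEASE and the missing CONFIG_PREEMPT; against the rebuilt module it reports nothing, which is the condition under which step 8.3) allows the upload. Any token the module carries that cannot be checked from /proc/version (mod_unload, modversions, the architecture suffix) is deliberately left to a comparison with a vendor module's modinfo.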
9) Upload the LiME module constructed with the similar kernel to the target phone and load it with the insmod command. Because the kernel source code used is not the phone's own, a loading error occurs; but the earlier module construction work lets the module bypass the kernel verification mechanism, so the cause of the loading error is not the version verification mechanism but misreferenced kernel symbols in the module.
10) Search the similar kernel source code for the functions that depend on the __gnu_mcount_nc symbol.
Analysis of the source code, by elimination, determines that the __gnu_mcount_nc symbol variable is generated by the operation of ftrace. ftrace is one of the Linux kernel's trace debugging tools, whose main function is to let developers dynamically understand the behavior of the Linux kernel. This definition can be checked in ftrace.h, as follows:
/* excerpt of the ARM ftrace.h: the mcount entry points, and so the
 * __gnu_mcount_nc symbol, exist only when CONFIG_FUNCTION_TRACER is set */
#ifdef CONFIG_FUNCTION_TRACER
#define MCOUNT_ADDR ((unsigned long)(__gnu_mcount_nc))
#define MCOUNT_INSN_SIZE 4 /* sizeof mcount call */
#ifndef __ASSEMBLY__
extern void mcount(void);
extern void __gnu_mcount_nc(void);
#endif /* __ASSEMBLY__ */
#endif /* CONFIG_FUNCTION_TRACER */
11) When the CONFIG_FUNCTION_TRACER options are enabled in the kernel configuration, compiling the kernel triggers the target system's dependency on the symbol: in the initial stage of enabling the ftrace function in the kernel, all functions call the symbol, and the compiled kernel exports __gnu_mcount_nc. Therefore, if the target system's kernel does not export this function, the module cannot be loaded.
12) Perform kernel configuration in the similar kernel code and close the kernel compile options related to ftrace. To find the configuration related to the __gnu_mcount_nc symbol, traverse the kernel code directory and analyze the relationships between the function calls, making sure that all configuration options related to the __gnu_mcount_nc symbol are found. The specific process is as follows:
12.1) Edit the .config file under the source root directory with gedit in the terminal, locate and close the relevant options, save the configuration file, compile the kernel source code again, and traverse the root directory again to determine whether the __gnu_mcount_nc symbol is still exported.
12.2) The traversal finds that the low-level data files /kernel/bounds.s and /arch/arm/kernel/asm-offsets.s under the directory carry the symbol information. Analysis of the two files shows that both are ARM-based assembly code segments; constructing the external module depends on these low-level codes, so compiling the LiME module also pulls in these symbols, and these assembly data must be deleted manually.
12.3) Open the two files above with the gedit editor, locate the code segment where the symbol is, delete that segment, save and exit. The kernel need not be recompiled after the deletion; the compilation of the LiME module in the next step can proceed directly. Experiment shows that the deletion does not affect the compilation of the subsequent module.
13) Enter the LiME directory, assign the external source path to the similar kernel code, and extract dynamic memory in lime format by SD dump. After the module loads successfully, the system begins extracting dynamic memory in the background.
14) After extraction completes, a dump memory file is generated on the SD card of the Android terminal; a pull operation on the local terminal retrieves the memory file from the phone to the local computer.
In step 12) above, when other unknown symbols exist, they are analyzed and debugged by the method of step 12). In this embodiment, besides the unknown symbol __gnu_mcount_nc, the following unknown symbols also appear:
mem_section: analysis shows it is related to the memory management compile options in the kernel, mainly to the special mapping of high memory, and it corresponds to the CONFIG_SPARSEMEM_ group in the kernel configuration.
__pv_phys_offset: analysis shows it is related to the management of virtual and physical addresses in the kernel, corresponding to the CONFIG_ARM_PATCH_PHYS_ compile options in the kernel configuration.
__aeabi_unwind_cpp_: analysis shows it is related to the unwind function in the kernel; the corresponding kernel configuration compile option is CONFIG_ARM_UNWIND.
For the unknown symbols listed above, after debugging and recompiling the kernel, the LiME module finally produced by compilation can be loaded successfully on the target device and can extract the dynamic memory of the phone.
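Steps 9) to 12) and the unknown-symbol list above amount to one check: which symbols the module needs that the target kernel does not export, and which enabled options in the similar kernel's .config each of them points back to. The script below is an added example, not the patent's code and not part of LiME. It assumes that the target kernel was built with CONFIG_KALLSYMS_ALL so that its /proc/kallsyms (read as root on the phone) lists exported symbols as __ksymtab_<name> entries, and that `nm -u` prints one "U <name>" line per undefined symbol. The symbol-to-option table reproduces the associations the description gives; the option names the page gives only as prefixes (CONFIG_SPARSEMEM_, CONFIG_ARM_PATCH_PHYS_) are kept as prefixes. The nm listing, the kallsyms excerpt and the .config excerpt are constructed samples.

```python
"""Unresolved-symbol check for a module built from a similar kernel.

Added example, not the patent's code and not part of LiME.  Lists the
module's undefined symbols, drops those the target kernel exports, and maps
the rest to the enabled .config options the description ties to them.
Sample inputs are constructed; see the lead-in for the assumptions.
"""
import re

# Constructed sample of `nm -u lime-android.ko` on the analyst's host.
NM_UNDEFINED = """\
                 U __aeabi_unwind_cpp_pr0
                 U __gnu_mcount_nc
                 U __pv_phys_offset
                 U mem_section
                 U printk
                 U vmalloc
"""

# Constructed excerpt of the target phone's /proc/kallsyms: printk and
# vmalloc are exported (__ksymtab_ entries); mem_section is present but not
# exported; the ftrace and phys/virt patching symbols are absent entirely.
TARGET_KALLSYMS = """\
c0008000 T stext
c0700000 d mem_section
c03a1000 r __ksymtab_printk
c03a1008 r __ksymtab_vmalloc
"""

# Constructed .config excerpt of the similar kernel as initially configured.
SIMILAR_KERNEL_CONFIG = """\
CONFIG_SMP=y
CONFIG_PREEMPT=y
CONFIG_FUNCTION_TRACER=y
CONFIG_SPARSEMEM=y
CONFIG_SPARSEMEM_EXTREME=y
CONFIG_ARM_PATCH_PHYS_VIRT=y
CONFIG_ARM_UNWIND=y
# CONFIG_MODVERSIONS is not set
"""

# symbol (exact name, or prefix when it ends in "_") -> config option or
# option prefix, as given in steps 10-12 and the unknown-symbol list.
SYMBOL_CONFIG_HINTS = {
    "__gnu_mcount_nc": "CONFIG_FUNCTION_TRACER",
    "mem_section": "CONFIG_SPARSEMEM_",
    "__pv_phys_offset": "CONFIG_ARM_PATCH_PHYS_",
    "__aeabi_unwind_cpp_": "CONFIG_ARM_UNWIND",
}


def undefined_symbols(nm_output):
    """Names listed as undefined (U) by `nm -u`."""
    return set(re.findall(r"^\s*U\s+(\S+)\s*$", nm_output, re.M))


def exported_symbols(kallsyms):
    """Names the target kernel exports, taken from its __ksymtab_ entries."""
    names = set()
    for line in kallsyms.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[2].startswith("__ksymtab_"):
            names.add(parts[2][len("__ksymtab_"):])
    return names


def unresolved_symbols(nm_output, kallsyms):
    """Undefined module symbols the target kernel will not resolve at insmod."""
    return sorted(undefined_symbols(nm_output) - exported_symbols(kallsyms))


def config_hint(symbol):
    """Config option (or prefix) the description associates with a symbol."""
    for key, option in SYMBOL_CONFIG_HINTS.items():
        if symbol == key or (key.endswith("_") and symbol.startswith(key)):
            return option
    return None


def enabled_options(config_text, hint):
    """Options set to y/m in a .config that equal the hint or extend it by '_'."""
    base = hint.rstrip("_")
    found = []
    for line in config_text.splitlines():
        m = re.match(r"^(CONFIG_\w+)=(y|m)$", line)
        if m and (m.group(1) == base or m.group(1).startswith(base + "_")):
            found.append(m.group(1))
    return found


def review_report(nm_output, kallsyms, config_text):
    """Map each unresolved symbol to the enabled options to review before rebuilding."""
    report = {}
    for sym in unresolved_symbols(nm_output, kallsyms):
        hint = config_hint(sym)
        report[sym] = enabled_options(config_text, hint) if hint else []
    return report


if __name__ == "__main__":
    for sym, opts in review_report(NM_UNDEFINED, TARGET_KALLSYMS, SIMILAR_KERNEL_CONFIG).items():
        print(f"{sym}: review {', '.join(opts) or 'no known option'}")
```

The __ksymtab_ test is deliberately stricter than looking the symbol name up in kallsyms: mem_section is present in the sample kernel but, not being exported, still fails module linking, which is exactly the failure mode step 9) describes. A symbol with no entry in the hint table is reported with an empty list, marking it as one to trace through the kernel tree by hand as step 12) does.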
The above embodiments are only intended to illustrate the present invention; the structure, dimensions, arrangement and shape of each component can be varied. On the basis of the technical solution of the present invention, improvements and equivalent transformations of individual components made according to the principles of the invention shall not be excluded from the protection scope of the present invention.

Claims (9)

1. A mobile phone dynamic memory extraction method based on a similar kernel, characterized by comprising the following steps:
1) Determine the basic details of the target Android phone to be examined and select the source code of a similar kernel;
2) Collect the target system's information: the fields to collect are those named in the definition of vermagic, and they are obtained on the target phone with basic shell commands;
3) Compile the kernel source code: in a Linux terminal, change to the kernel source directory, set up the cross-compilation toolchain and initialize the kernel configuration;
4) Once configuration succeeds, a .config file exists in the source root directory; confirm that loadable module support is enabled in it, editing .config with gedit where needed;
5) Construct the kernel module according to the target system's kernel configuration, that is, build a vermagic string identical to the one on the target system: from the collected SMP and PREEMPT settings, further adjust .config, switching off the PREEMPT-related options, so that the module's version control information matches that of the target system;
6) Where the target's modversions check on modules comes into play, disable that check and recompile the kernel;
7) Cross-compile the source code, forcing the kernel version information to the required value at compile time;
8) Using the compiled kernel source, build the external module with the LiME tool;
9) Upload the LiME module built against the similar kernel to the target phone and load it with the insmod command;
10) In the similar kernel source, look for the functions that depend on the __gnu_mcount_nc symbol;
11) When the CONFIG_FUNCTION_TRACER options are enabled in the kernel configuration, compiling the kernel creates the dependency on that symbol: with ftrace enabled, every function is compiled to call it on entry, and the compiled kernel exports the __gnu_mcount_nc symbol;
12) Configure the similar kernel source so that the ftrace-related build options are off; to find every configuration option tied to __gnu_mcount_nc, walk the kernel source tree and analyse the call relationships around that function;
13) Enter the LiME directory, point the external module build at the similar kernel source, and extract the dynamic memory in lime format by dumping to the SD card;
14) When extraction completes, the memory dump file is on the Android device's SD card; use a pull operation from the local terminal to retrieve it to the local computer.

2. The method of claim 1, wherein in step 3) the kernel is configured from the device's default configuration file by entering the following command in the terminal:
# make ARCH=arm m0duosctc_00_defconfig

3. The method of claim 1, wherein in step 5) the kernel module is constructed by forging the vermagic string value: the source is compiled with exactly the same configuration options as the target terminal's kernel, producing a loadable module that carries the target's version characteristics, which satisfies the system's vermagic check and lets the module load despite the target kernel's verification mechanism.

4. The method of claim 3, wherein the kernel module construction process is:
5.1) Set the value of the UTS_RELEASE field. It comes from the KERNELRELEASE macro variable in the Makefile in the source root directory; KERNELRELEASE is forcibly assigned at compile time, so the compiled module information contains the forced kernel version;
5.2) The other vermagic fields of the module are determined by the kernel configuration; obtain the kernel configuration information of the target system and set those feature options before compiling, which yields a loadable module with matching features;
5.3) Edit the .config file in the root directory a second time in the terminal, so that the compiled external module has features close to the target system's;
5.4) The vermagic string construction is complete when the vermagic information in the module is identical to that of the target system.

5. The method of claim 1, wherein step 6) specifically comprises: editing the kernel source .config file to turn off the CONFIG_MODVERSIONS option, then forging the presence of the modversions field in the header file that defines vermagic, namely editing include/linux/vermagic.h in the kernel source directory, modifying the code in the CONFIG_MODVERSIONS section and saving; the configuration is then complete.

6. The method of claim 1, wherein step 8) specifically comprises:
8.1) Edit the Makefile in the LiME directory with gedit in the terminal, specifying the kernel source path and the Android cross-compilation toolchain; configuration is then complete;
8.2) Run make in the terminal to compile LiME; on success, the module file lime-android.ko is generated in the root of the LiME directory;
8.3) Confirm the version control information of lime-android.ko with the modinfo command; if it does not match the collected target system information, modify the kernel configuration again and repeat steps 8.1)-8.3) to rebuild the LiME module; when the two vermagic values match exactly, upload the module to the target Android phone.

7. The method of claim 1, wherein in step 10) it is established that the __gnu_mcount_nc symbol arises from ftrace; ftrace is a tracing and debugging facility in the Linux kernel whose purpose is to let developers observe kernel behaviour dynamically, and its definitions are found in ftrace.h.

8. The method of claim 1, wherein step 12) specifically comprises:
12.1) Edit the .config file in the source root directory with gedit in the terminal, locate the relevant options and turn them off; save the configuration file, compile the kernel source, then walk the root directory again to determine whether anything still exports the __gnu_mcount_nc symbol;
12.2) The walk shows that the generated assembly files kernel/bounds.s and arch/arm/kernel/asm-offsets.s (relative to the source root) still contain that symbol;
12.3) Open kernel/bounds.s and arch/arm/kernel/asm-offsets.s in the gedit editor, locate the code segment containing the symbol, delete it, save and exit.

9. The method of claim 8, wherein after the deletion in step 12.3) the kernel need not be recompiled; proceed directly to the next step, compiling the LiME module.
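Worked example, added here and not part of the patent or of the LiME project: a POSIX shell script that performs the comparison of step 8.3) and the option search of steps 10) to 12) offline. It reconstructs the vermagic string a build with a given .config and a forced KERNELRELEASE would embed, diffs it field by field against the string collected from the phone, names the .config option behind every mismatch, and lists the ftrace options still enabled. The field rules are those of include/linux/vermagic.h and arch/arm/include/asm/module.h in 3.x-era kernels; the release number 3.0.31-1042780, the .config fragment and the target vermagic string are constructed sample data. One caveat a practitioner should keep in mind: claim 5 makes the string match, but a target kernel built with CONFIG_MODVERSIONS also compares per-symbol CRCs against the module's __versions section, so a module built with that option off can still be refused, which is worth checking in dmesg after insmod.

```shell
#!/bin/sh
# Added example, not part of the patent: reconcile the vermagic string of a
# LiME module built from a "similar" kernel with the one collected from the
# target phone, and list the ftrace options whose instrumentation leaves the
# __gnu_mcount_nc dependency behind. Field rules mirror include/linux/vermagic.h
# and arch/arm/include/asm/module.h of 3.x kernels:
#   "<release> [SMP ][preempt ][mod_unload ][modversions ][ARMv<N> ][thumb2 ][p2v8 ]"
# The release, .config contents and target string below are CONSTRUCTED sample
# data, not values taken from the patent.

cfg_on() { grep -q "^$2=y\$" "$1"; }           # cfg_on FILE CONFIG_X -> true if =y

# has_tok VERMAGIC TOKEN -> true if TOKEN is one space-separated field.
has_tok() { case " $1" in *" $2 "*) return 0 ;; esac; return 1; }

# expected_vermagic CONFIG_FILE RELEASE -> the vermagic a build with this .config
# and `make KERNELRELEASE=RELEASE` would embed in its modules.
expected_vermagic() {
    cfg="$1"; out="$2 "
    for f in SMP:CONFIG_SMP preempt:CONFIG_PREEMPT mod_unload:CONFIG_MODULE_UNLOAD \
             modversions:CONFIG_MODVERSIONS; do
        cfg_on "$cfg" "${f#*:}" && out="$out${f%%:*} "
    done
    for v in 7 6 5; do                          # highest CONFIG_CPU_32vN selected
        if cfg_on "$cfg" "CONFIG_CPU_32v$v"; then out="${out}ARMv$v "; break; fi
    done
    cfg_on "$cfg" CONFIG_THUMB2_KERNEL && out="${out}thumb2 "
    cfg_on "$cfg" CONFIG_ARM_PATCH_PHYS_VIRT && out="${out}p2v8 "
    printf '%s\n' "$out"
}

# vermagic_diff TARGET BUILT -> one line per mismatching field naming the
# .config option (or KERNELRELEASE) to change; returns 0 only on exact match.
vermagic_diff() {
    target="$1"; built="$2"; n=0
    if [ "$target" = "$built" ]; then echo "vermagic matches: $target"; return 0; fi
    trel="${target%% *}"; brel="${built%% *}"
    if [ "$trel" != "$brel" ]; then
        echo "release '$brel' != target '$trel': rebuild with KERNELRELEASE=$trel"
        n=$((n + 1))
    fi
    for f in SMP:CONFIG_SMP preempt:CONFIG_PREEMPT mod_unload:CONFIG_MODULE_UNLOAD \
             modversions:CONFIG_MODVERSIONS ARMv6:CONFIG_CPU_32v6 ARMv7:CONFIG_CPU_32v7 \
             thumb2:CONFIG_THUMB2_KERNEL p2v8:CONFIG_ARM_PATCH_PHYS_VIRT; do
        tok="${f%%:*}"; opt="${f#*:}"
        if has_tok "$target" "$tok"; then t=1; else t=0; fi
        if has_tok "$built" "$tok"; then b=1; else b=0; fi
        if [ "$t" -eq 1 ] && [ "$b" -eq 0 ]; then
            echo "missing '$tok': set $opt=y and rebuild"; n=$((n + 1))
        elif [ "$t" -eq 0 ] && [ "$b" -eq 1 ]; then
            echo "extra '$tok': set '# $opt is not set' and rebuild"; n=$((n + 1))
        fi
    done
    [ "$n" -gt 0 ] || echo "fields differ in a token this script does not model"
    return 1
}

# ftrace_options CONFIG_FILE -> the enabled options that make the compiler emit
# __gnu_mcount_nc calls (steps 10-12); all of them must be off before rebuilding.
ftrace_options() {
    grep -E '^CONFIG_(FTRACE|FUNCTION_TRACER|FUNCTION_GRAPH_TRACER|DYNAMIC_FTRACE|FTRACE_MCOUNT_RECORD)=y' "$1" || :
}

# module_vermagic KO -> vermagic of a compiled module, read with kmod's modinfo
# (assumed present on the build host; not run in the demo below).
module_vermagic() { modinfo -F vermagic "$1"; }

# CONSTRUCTED .config fragment holding only the options the checks above read.
write_sample_config() {
    cat >"$1" <<'EOF'
CONFIG_SMP=y
# CONFIG_PREEMPT is not set
CONFIG_MODULE_UNLOAD=y
CONFIG_MODVERSIONS=y
CONFIG_CPU_32v7=y
# CONFIG_THUMB2_KERNEL is not set
CONFIG_ARM_PATCH_PHYS_VIRT=y
CONFIG_FUNCTION_TRACER=y
EOF
}

# --- demo on the constructed data --------------------------------------------
# On a real phone, `adb shell cat /proc/version` shows the release and the
# "SMP PREEMPT" flags, and the exact vermagic can be read from any module
# already on the device (pull it, then `modinfo -F vermagic` on the host).
TARGET='3.0.31-1042780 SMP preempt mod_unload modversions ARMv7 p2v8 '   # constructed
cfg=$(mktemp); write_sample_config "$cfg"
built=$(expected_vermagic "$cfg" 3.0.31-1042780)
echo "target: $TARGET"; echo "built : $built"
vermagic_diff "$TARGET" "$built" || :
echo "ftrace options still enabled:"; ftrace_options "$cfg"
rm -f "$cfg"
```

On the constructed data the diff reports one mismatch, `missing 'preempt'`, and the ftrace listing shows CONFIG_FUNCTION_TRACER still on. For a real case, replace TARGET with the string read from the phone, point expected_vermagic at the similar kernel's .config, and iterate on .config until vermagic_diff returns 0; once lime-android.ko exists, `vermagic_diff "$TARGET" "$(module_vermagic lime-android.ko)"` checks the finished module directly. Which direction the PREEMPT option must move depends on the target, which is why the script names the option rather than assuming the patent's case of switching it off.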
CN201611021959.9A 2016-11-16 2016-11-16 A mobile phone dynamic memory extraction method based on similar kernel Active CN106648815B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611021959.9A CN106648815B (en) 2016-11-16 2016-11-16 A mobile phone dynamic memory extraction method based on similar kernel

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201611021959.9A CN106648815B (en) 2016-11-16 2016-11-16 A mobile phone dynamic memory extraction method based on similar kernel

Publications (2)

Publication Number Publication Date
CN106648815A CN106648815A (en) 2017-05-10
CN106648815B true CN106648815B (en) 2019-05-21

Family

ID=58808190

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201611021959.9A Active CN106648815B (en) 2016-11-16 2016-11-16 A mobile phone dynamic memory extraction method based on similar kernel

Country Status (1)

Country Link
CN (1) CN106648815B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110597755B (en) * 2019-08-02 2024-01-09 北京多思安全芯片科技有限公司 Recombination configuration method of safety processor
CN114462026B (en) * 2021-12-31 2022-11-18 北京亿赛通科技发展有限责任公司 Ciphertext process monitoring method, device and equipment and computer readable storage medium

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2368203A1 (en) * 2008-12-15 2011-09-28 Sony Ericsson Mobile Communications AB Method, computer program&electronic device
CN104182269A (en) * 2014-08-12 2014-12-03 山东省计算中心(国家超级计算济南中心) Physical memory forensic method for KVM (Kernel-based Virtual Machine)

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
"Android phone dynamic memory extraction based on the LiME tool" (基于LiME工具的Android手机动态内存提取); 刘亚, 康艳荣, 赵露, 于文浩, 张国臣; Forensic Science and Technology (刑事技术); 2015-12-02; vol. 40, no. 6; full text *

Also Published As

Publication number Publication date
CN106648815A (en) 2017-05-10

Similar Documents

Publication Publication Date Title
Sun et al. Hybrid firmware analysis for known mobile and iot security vulnerabilities
CN114610640B (en) A fuzz testing method and system for trusted execution environment of Internet of Things
CN102200911B (en) variable closure
CN116318861B Method for testing Ethereum smart contract return values without a test oracle, based on dynamic transaction information
CN107346284B (en) Application program detection method and detection device
CN109902487A (en) Android application malicious detection method based on application behavior
WO2016026328A1 (en) Information processing method and device and computer storage medium
CN113127283B (en) Chip repair system, method, apparatus, computer device, and storage medium
CN106547706A A mobile phone dynamic memory extraction method based on the source kernel
CN106648815B (en) A mobile phone dynamic memory extraction method based on similar kernel
CN112631704A (en) Interface element identification method and device, storage medium and electronic equipment
CN101388055B (en) A Method of Program Operation Feature Extraction for Vulnerability Model Detection
Jiang et al. Aem: Facilitating cross-version exploitability assessment of linux kernel vulnerabilities
CN116069635A (en) SOC system testing method and device, computer equipment and storage medium
CN108132881A An automated testing method and system
CN113868648A An automatic unpacking engine implementation method for malicious files
CN115080978B (en) Runtime vulnerability detection method and system based on fuzzy test
Lei et al. A model-driven testing framework based on requirement for embedded software
CN112860316B Kernel and BSP porting method for the openEuler open source system
CN112347464B (en) Android intelligent device root method based on case matching and tool dynamic calling
Wächter et al. Practicability study of android volatile memory forensic research
Zhang et al. Automated test generation for smart contracts via on-chain test case augmentation and migration
CN114297664A (en) Open source component vulnerability detection method based on Gradle
CN114090011A (en) Software development method convenient for developer to use
CN114282226A (en) Single-time multi-bug code detection method and system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant