In this post I'll quickly show you how to build your own Python egg distribution package for your Android phone and Py4A (Python for Android). Volatility will be the example distribution package we build. You can use the same steps to build Python egg files for other modules, for example PyCrypto.
Android with sl4a = Best mobile phone OS + Python!
Please read my past posts on getting Python running on your Android.
1) Get the android-ndk, uncompress it and setup exports like this:
ff@shoryuken:~$ wget http://dl.google.com/android/ndk/android-ndk-r7-linux-x86.tar.bz2
ff@shoryuken:~$ tar xjvf android-ndk-r7-linux-x86.tar.bz2
ff@shoryuken:~$ mkdir android-toolchain
ff@shoryuken:~$ export ANDROID_NDK=~/android-ndk-r7
ff@shoryuken:~$ export ANDROID_NDK_TOOLCHAIN_ROOT=~/android-toolchain
ff@shoryuken:~$ $ANDROID_NDK/build/tools/make-standalone-toolchain.sh --platform=android-14 --install-dir=$ANDROID_NDK_TOOLCHAIN_ROOT
Auto-config: --toolchain=arm-linux-androideabi-4.4.3
Copying prebuilt binaries...
Copying sysroot headers and libraries...
Copying libstdc++ headers and libraries...
Copying files to: /home/ff/android-toolchain
Cleaning up...
Done.
2) Grab the standalone library for compiling modules from http://code.google.com/p/python-for-android/downloads/list; in this case we're getting http://python-for-android.googlecode.com/files/python-lib_r16.zip
From your $HOME directory
ff@shoryuken:~$ wget http://python-for-android.googlecode.com/files/python-lib_r16.zip
Unzip python-lib_r16.zip
ff@shoryuken:~$ unzip python-lib_r16.zip
Archive: python-lib_r16.zip
inflating: setup.sh
inflating: python.sh
---------snip-------------------------------------
3) Make sure python-setuptools is installed, then grab volatility and uncompress it
ff@shoryuken:~$ sudo apt-get install python-setuptools
ff@shoryuken:~$ wget https://www.volatilesystems.com/volatility/2.0/volatility-2.0.tar.gz
ff@shoryuken:~$ tar zxvf volatility-2.0.tar.gz
volatility-2.0/
volatility-2.0/contrib/
volatility-2.0/contrib/plugins/
volatility-2.0/contrib/plugins/disablewarnings.py
volatility-2.0/contrib/plugins/example.py
volatility-2.0/contrib/plugins/verinfo.py
volatility-2.0/contrib/plugins/psdispscan.py
---------snip-------------------------------------
4) Building the volatility egg
Change into the volatility directory
ff@shoryuken:~$ cd volatility-2.0/
We need to update setup.py and setup.cfg. Add the following two lines to the top of the setup.py file in the volatility-2.0 directory:
from py4a import patch_distutils
patch_distutils()
So the setup.py file should look like this....
ff@shoryuken:~/volatility-2.0$ cat setup.py | less
---------snip-------------------------------------
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
from py4a import patch_distutils # Add these 2 lines to the top of the setup.py file
patch_distutils()
try:
from setuptools import setup
except ImportError:
---------snip-------------------------------------
Edit your setup.cfg file so it looks like this:
ff@shoryuken:~/volatility-2.0$ cat setup.cfg
[egg_info]
tag_build =
tag_date = 0
tag_svn_revision = 0
[bdist_egg]
plat-name=linux-armv
Source the python-lib setup.sh file from the volatility directory so the cross-compiler environment is set up for the build:
ff@shoryuken:~/volatility-2.0$ source ../python-lib/setup.sh
Build the egg file...
ff@shoryuken:~/volatility-2.0$ python2.6 setup.py bdist_egg
running bdist_egg
running egg_info
writing volatility.egg-info/PKG-INFO
writing top-level names to volatility.egg-info/top_level.txt
writing dependency_links to volatility.egg-info/dependency_links.txt
reading manifest file 'volatility.egg-info/SOURCES.txt'
reading manifest template 'MANIFEST.in'
---------snip-------------------------------------
In ~/volatility-2.0/dist you should see the file "volatility-2.0-py2.6.egg"
ff@shoryuken:~/volatility-2.0/dist$ ls
volatility-2.0-py2.6.egg
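The two hand edits in step 4 (the py4a lines at the top of setup.py and the linux-armv setup.cfg) are the part you repeat for every module you want on the phone, so here is an added helper, not part of the original post or of Volatility, that applies them to any unpacked module tree and refuses to insert the lines twice. The sample setup.py it patches is constructed for the demonstration.

```python
import os
import tempfile

PY4A_HEADER = "from py4a import patch_distutils\npatch_distutils()\n"

# setup.cfg from the post: no version tags, and an ARM platform name so
# Python for Android accepts the egg when it is imported on the phone.
SETUP_CFG = ("[egg_info]\ntag_build =\ntag_date = 0\ntag_svn_revision = 0\n"
             "[bdist_egg]\nplat-name=linux-armv\n")

# Constructed stand-in for a module's setup.py (license header, then setup()).
SAMPLE_SETUP_PY = ("# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA\n#\n"
                   "try:\n    from setuptools import setup\nexcept ImportError:\n"
                   "    from distutils.core import setup\nsetup(name='example')\n")


def patch_setup_py(path):
    """Insert the py4a lines below the leading comment block of setup.py.
    Returns True if the file was changed, False if it was already patched."""
    with open(path) as fh:
        lines = fh.readlines()
    if any("patch_distutils" in line for line in lines):
        return False
    idx = 0
    while idx < len(lines) and (lines[idx].startswith("#") or not lines[idx].strip()):
        idx += 1
    lines[idx:idx] = [PY4A_HEADER]
    with open(path, "w") as fh:
        fh.writelines(lines)
    return True


def prepare_module(module_dir):
    """Apply both edits to an unpacked module tree; returns whether setup.py changed."""
    changed = patch_setup_py(os.path.join(module_dir, "setup.py"))
    with open(os.path.join(module_dir, "setup.cfg"), "w") as fh:
        fh.write(SETUP_CFG)
    return changed


def demo():
    """Run the patcher twice on a throwaway tree; returns (first_changed,
    second_changed, patched setup.py text, setup.cfg text)."""
    module_dir = tempfile.mkdtemp()
    setup_py = os.path.join(module_dir, "setup.py")
    with open(setup_py, "w") as fh:
        fh.write(SAMPLE_SETUP_PY)
    first = prepare_module(module_dir)
    second = prepare_module(module_dir)  # idempotent: no second insertion
    with open(setup_py) as fh:
        patched = fh.read()
    with open(os.path.join(module_dir, "setup.cfg")) as fh:
        cfg = fh.read()
    return first, second, patched, cfg
```

Run prepare_module() on the module directory (for example ~/volatility-2.0) before sourcing setup.sh and running bdist_egg.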
5) Running Volatility on your Android phone
Push the egg to your phone. We place the file into the /sdcard/Download directory like so..
ff@shoryuken:~$ ~/android-sdks/platform-tools/adb push ~/volatility-2.0/dist/volatility-2.0-py2.6.egg /sdcard/Download
Open Python for Android on your phone and click Import Modules
Under the Import Module menu select volatility-2.0-py2.6.egg file.
You should get a message letting you know the module imported correctly.
Copy the main vol.py script to your phone
ff@shoryuken:~/volatility-2.0/dist$ ~/android-sdks/platform-tools/adb push ~/volatility-2.0/vol.py /sdcard/sl4a/scripts/
Save the following script into a file called runvol.py:
ff@shoryuken:~/volatility-2.0/dist$ cat runvol.py
import android
import os
import sys

droid = android.Android()  # SL4A API handle; kept so the script runs under Python for Android
# Run vol.py with Py4A's own interpreter against the memory image in /sdcard/Download.
# Change the plugin name at the end (pslist) to run a different Volatility plugin.
os.system("/data/data/com.googlecode.pythonforandroid/files/python/bin/python /mnt/sdcard/sl4a/scripts/vol.py -f /mnt/sdcard/Download/xp.dmp pslist")
Dumping Memory with Qemu
In this example I've made a memory image of Windows XP running on QEMU using pmemsave from the QEMU monitor. I saved the memory image file to xp.dmp. The script will run pslist against the xp.dmp file. For more information on getting a memory image using QEMU read http://web.cs.du.edu/~mitchell/forensics/projects/memory/Setup.pdf
To work out the size argument, take the Windows XP guest's memory size in megabytes and multiply it by (1024^2) to get mem_size in bytes. So for example, if we have a Windows image running in QEMU that's using 128 MB of memory, from the QEMU monitor (CTRL-ALT-2 enters the QEMU monitor, CTRL-ALT-1 switches back to the OS) we would type:
(qemu) pmemsave 0 134217728 xp.dmp
How did we get the number 134217728? 128 * (1024^2) = 134217728
The command "pmemsave 0 134217728 xp.dmp" above breaks down like this:
-> pmemsave - the monitor command to save guest physical memory to a file
-> 0 - the physical address to start from (the beginning of memory)
-> 134217728 - the number of bytes to save (128 MB)
-> xp.dmp - the output file
Next we need to copy this memory image to your phone.
Copying the memory image to your phone's Download directory:
ff@shoryuken:~$ ~/android-sdks/platform-tools/adb push xp.dmp /sdcard/Download/xp.dmp
Copy the runvol.py script (above) to /sdcard/sl4a/scripts/
ff@shoryuken:~$ ~/android-sdks/platform-tools/adb push runvol.py /sdcard/sl4a/scripts/
Open sl4a and click runvol.py
When you click on runvol.py, select the black terminal box to the left and you should be rewarded with something like this!
Ignore the Traceback error for now; if you've gotten this far you've installed Volatility on your phone! We can update the script to run "volshell".
In the runvol.py script change:
os.system("/data/data/com.googlecode.pythonforandroid/files/python/bin/python /mnt/sdcard/sl4a/scripts/vol.py -f /mnt/sdcard/Download/xp.dmp pslist")
To..
os.system("/data/data/com.googlecode.pythonforandroid/files/python/bin/python /mnt/sdcard/sl4a/scripts/vol.py -f /mnt/sdcard/Download/xp.dmp volshell")
And push the script to your phone again:
ff@shoryuken:~/android-sdks/platform-tools$ ./adb push runvol.py /sdcard/sl4a/scripts/
On your phone rerun the runvol.py script and type hh() and ps() for example like so
This post showed you how to build and import a Python egg file for The Volatility Framework running on your Android phone with Python for Android. Now you can do memory forensics from anywhere!