am start
am startservice
am stopservice
am broadcast
am kill
am force-stop
am restart
am dumpheap <pid> <file> 將進程pid的堆信息輸出到file（目標進程須是 debuggable，否則需要 root；輸出的 hprof 可能含憑證、token 等敏感資料，分析後應刪除）
pm list packages 列舉app包信息
pm install [options] <PATH> 安裝應用
pm uninstall [options]<package> 卸載應用
pm hide <package> 隱藏應用
pm unhide <package> 顯示應用
pm get-install-location 獲取安裝位置
pm clear <package> 清空App數據
pm force-dex-opt <package> dex優化
pm dump <package> dump信息
content [subcommand] [options]
content query --uri <URI> //content query --uri content://settings/secure
content read --uri <URI> //content read --uri content://settings/secure/default_input_method
dumpsys activity
dumpsys activity intents
dumpsys activity broadcasts
dumpsys activity providers
dumpsys activity services
dumpsys activity activities
dumpsys activity processes
dumpsys activity top
dumpsys window
dumpsys window windows
dumpsys window tokens
dumpsys window sessions
dumpsys window policy
dumpsys window input
pm grant com.pluscubed.matloglibre.debug android.permission.READ_LOGS //給予權限（READ_LOGS 屬 signature|privileged|development 等級，無法在 UI 授權，但可由 adb shell 以 pm grant 授予；拿到後該應用可讀取整台裝置的 logcat，測試完請用 pm revoke 收回）
taskset -p 8 13211 //把進程 13211 綁定到 cpu3 執行。注意 -p 後面接的是 CPU 位元遮罩：cpu3 對應 1<<3 = 0x8；若寫 3（二進位 11）綁定的是 cpu0+cpu1。也可用 taskset -cp 3 13211 直接指定 CPU 編號。對於大小核架構的裝置來說，cpu3 通常是大核，性能最好
//判斷剩餘內存,並且釋放內存
free -m | grep Mem | busybox awk '{print $4}' //獲取free後的內存大小
echo 3 > /proc/sys/vm/drop_caches //需 root；3 表示同時丟棄 page cache、dentry 與 inode 快取。這只釋放快取，不會回收應用佔用的記憶體
//設置cpu的頻率（需 root）
echo 150000 > /sys/devices/system/cpu/cpu3/cpufreq/scaling_setspeed //路徑是絕對路徑 /sys，不是 ./sys。cpuinfo_cur_freq 是唯讀的「目前頻率」，寫入不會生效；要手動設定頻率需先把 governor 切成 userspace（echo userspace > /sys/devices/system/cpu/cpu3/cpufreq/scaling_governor）再寫 scaling_setspeed，或改寫 scaling_min_freq / scaling_max_freq 限制範圍
am start com.enlightment.voicerecorder/.MainActivity //打開錄音軟件
find /data/data/ -perm 777 使用 find 來搜索權限（需 root 才能遍歷其他應用的資料目錄）。-perm 777 只匹配權限「恰好」為 0777 的檔案；要找出所有其他使用者可寫的檔案應用 find /data/data/ -perm -o+w（或 -perm -002），這類檔案才是跨應用竄改資料的風險點
SELECT * FROM users WHERE username='1' OR '1'='1' -- ' AND password='mysecretpassword'
//當 username 輸入為 1' OR '1'='1' -- 時，-- 之後（含 AND password=... 的檢查）整段被當成註解，WHERE 條件恆為真。MySQL 的 -- 註解後面必須接空格（或改用 #）。防禦方式是參數化查詢，而不是過濾引號
Exploit-Me 實驗室
http://labs.securitycompass.com/exploit-me/
tcpdump
http://www.eecs.umich.edu/~timuralp/tcpdump-arm //第三方預編譯的二進位檔，且為 http 下載；推入裝置前請核對來源與雜湊值，更穩妥的做法是自行用 Android NDK 從 tcpdump 原始碼交叉編譯
./tcpdump -v -s 0 -w output.pcap //需 root；-s 0 抓完整封包，-w 寫成 pcap 供 Wireshark/NetworkMiner 分析
./tcpdump -i any -p -s 0 -w output.pcap //-i any 抓所有介面；-p 不開混雜模式（在手機上通常也不需要）
指定文件類型的頭部
multipart/form-data
NetworkMiner
http://www.netresec.com/?page=NetworkMiner
取證是使用不同的手動和自動方法從設備中提取和分析數據:
邏輯採集: 透過作業系統或應用提供的介面（adb backup、content provider、AFLogical 之類的工具）取得檔案與資料庫；取不到已刪除資料與未分配空間
物理採集: 對儲存分區做位元級複製（dd、JTAG、chip-off），包含已刪除但尚未被覆寫的資料；通常需要 root 或自訂 recovery，採集前後應計算映像雜湊以維持證據鏈
Android 文件系統分區:
# cat /proc/mtd  （絕對路徑；只有使用原始 NAND/MTD 的舊裝置才會列出分區）
# cat /proc/partitions  （eMMC 裝置的分區會以 mmcblk* 出現在這裡，如下）
major minor #blocks name
1 0 8192 ram0
1 1 8192 ram1
1 2 8192 ram2
1 3 8192 ram3
1 4 8192 ram4
1 5 8192 ram5
1 6 8192 ram6
1 7 8192 ram7
1 8 8192 ram8
1 9 8192 ram9
1 10 8192 ram10
1 11 8192 ram11
1 12 8192 ram12
1 13 8192 ram13
1 14 8192 ram14
1 15 8192 ram15
254 0 371028 zram0
179 0 7634944 mmcblk1
179 1 4096 mmcblk1p1
179 2 4096 mmcblk1p2
179 3 4096 mmcblk1p3
179 4 16384 mmcblk1p4
179 5 32768 mmcblk1p5
179 6 32768 mmcblk1p6
179 7 65536 mmcblk1p7
179 8 114688 mmcblk1p8
179 9 4096 mmcblk1p9
179 10 819200 mmcblk1p10
179 11 1355776 mmcblk1p11
179 12 16384 mmcblk1p12
179 13 256000 mmcblk1p13
179 14 51200 mmcblk1p14
179 15 512 mmcblk1p15
179 16 4096 mmcblk1p16
179 17 4845039 mmcblk1p17
179 96 512 mmcblk1rpmb
179 64 4096 mmcblk1boot1
179 32 4096 mmcblk1boot0
# mount  （下方輸出中 /system 掛載為 rw，表示裝置已 root 並 remount，原廠狀態應為 ro；/proc 以 hidepid=2 掛載，非 root 看不到其他使用者的行程；外部儲存以 sdcardfs noexec,nosuid 掛載，放在 /sdcard 的二進位檔無法直接執行）
rootfs on / type rootfs (ro,seclabel,size=478920k,nr_inodes=119730)
tmpfs on /dev type tmpfs (rw,seclabel,nosuid,relatime,size=488196k,nr_inodes=122049,mode=755)
devpts on /dev/pts type devpts (rw,seclabel,relatime,mode=600)
proc on /proc type proc (rw,relatime,gid=3009,hidepid=2)
sysfs on /sys type sysfs (rw,seclabel,relatime)
selinuxfs on /sys/fs/selinux type selinuxfs (rw,relatime)
/dev/block/mmcblk1p11 on /system type ext4 (rw,seclabel,relatime,data=ordered,inode_readahead_blks=8)
/dev/block/mmcblk1p13 on /vendor type ext4 (ro,seclabel,relatime,data=ordered,inode_readahead_blks=8)
none on /acct type cgroup (rw,relatime,cpuacct)
none on /dev/memcg type cgroup (rw,relatime,memory)
/sys/kernel/debug on /sys/kernel/debug type debugfs (rw,seclabel,relatime,mode=755)
/sys/kernel/debug/tracing on /sys/kernel/debug/tracing type tracefs (rw,seclabel,relatime,mode=755)
none on /dev/stune type cgroup (rw,relatime,schedtune)
tmpfs on /mnt type tmpfs (rw,seclabel,relatime,size=488196k,nr_inodes=122049,mode=755,gid=1000)
none on /config type configfs (rw,relatime)
none on /dev/cpuctl type cgroup (rw,relatime,cpu)
none on /dev/cpuset type cgroup (rw,relatime,cpuset,noprefix,release_agent=/sbin/cpuset_release_agent)
pstore on /sys/fs/pstore type pstore (rw,seclabel,relatime)
/dev/block/mmcblk1p14 on /oem type ext4 (ro,seclabel,noatime,nodiratime,noauto_da_alloc,data=ordered)
/dev/block/mmcblk1p10 on /cache type ext4 (rw,seclabel,nosuid,nodev,noatime,nodiratime,discard,noauto_da_alloc,data=ordered)
/dev/block/mmcblk1p12 on /metadata type ext4 (rw,seclabel,nosuid,nodev,noatime,nodiratime,discard,noauto_da_alloc,data=ordered)
/dev/block/mmcblk1p17 on /data type f2fs (rw,lazytime,seclabel,nosuid,nodev,noatime,nodiratime,background_gc=on,discard,no_heap,user_xattr,inline_xattr,inline_data,inline_dentry,flush_merge,extent_cache,mode=adaptive,active_logs=6,alloc_mode=reuse,fsync_mode=posix)
tmpfs on /storage type tmpfs (rw,seclabel,relatime,size=488196k,nr_inodes=122049,mode=755,gid=1000)
adb on /dev/usb-ffs/adb type functionfs (rw,relatime)
/data/media on /mnt/runtime/default/emulated type sdcardfs (rw,nosuid,nodev,noexec,noatime,fsuid=1023,fsgid=1023,gid=1015,multiuser,mask=6,derive_gid)
/data/media on /storage/emulated type sdcardfs (rw,nosuid,nodev,noexec,noatime,fsuid=1023,fsgid=1023,gid=1015,multiuser,mask=6,derive_gid)
/data/media on /mnt/runtime/read/emulated type sdcardfs (rw,nosuid,nodev,noexec,noatime,fsuid=1023,fsgid=1023,gid=9997,multiuser,mask=23,derive_gid)
/data/media on /mnt/runtime/write/emulated type sdcardfs (rw,nosuid,nodev,noexec,noatime,fsuid=1023,fsgid=1023,gid=9997,multiuser,mask=7,derive_gid)
使用 dd 提取數據（需 root）
dd if=<要複製的來源裝置或檔案> of=<要建立的目標映像檔> bs=4M conv=noerror,sync //dd 語法中 = 兩側不能有空格；取證時加 conv=noerror,sync 讓讀取錯誤不中斷並以零填補
dd if=/dev/block/mmcblk1p17 of=/mnt/media_rw/17EC-1152/data.img //mmcblk1p17 即 /data，上方 /proc/partitions 顯示約 4.6GB；若目標 SD 卡是 FAT32 會因 4GB 單檔上限失敗，改用 exFAT/ext4 的卡或用下面的 netcat 傳到主機。對仍掛載且 rw 的 /data 做 dd 只能得到不一致的快照，理想是在 recovery 中卸載後再複製，並記錄映像的 sha256
Netcat 工具將映像直接保存到遠程位置/系統
adb forward tcp:5566 tcp:5566 將主機的 5566 端口轉發到設備的 5566 端口（執行順序：先在設備上執行下面第二行的監聽命令，再做轉發，最後在主機上連線）
nc 127.0.0.1 5566 > data.img 主機端：連到轉發的端口，把收到的分區映像寫入 data.img；完成後比對兩端的 sha256
nc -l -p 5566 -e dd if=/dev/block/mmcblk1p17 設備端（adb shell，需 root）：監聽 5566，啓動 dd 工具並將輸出轉發到 Netcat。注意 5566 與 -e 之間要有空格；-e 需要支援該選項的 nc 版本（busybox/ncat），否則改用 dd if=/dev/block/mmcblk1p17 | nc -l -p 5566
使用 Andriller 提取應用數據
Andriller 開源多平臺取證工具
http://android.saz.lt/cgi-bin/download.py
https://www.andriller.com/download/
python Andriller.py
使用 AFLogical 提取所有聯繫人、通話記錄和短信
https://github.com/viaforensics/android-forensics //專案已多年未更新，依賴舊版 content provider 與權限模型，在較新的 Android 上可能無法運作
查找所有 .db 文件
find . -name "*.db" -type f //只匹配 .db 主檔；SQLite 的 -wal / -journal 檔可能含尚未寫回主檔的紀錄，取證時應一併帶走：find . -name "*.db*" -type f
find . -name "*.db" -type f -exec cp {} /mnt/sdcard/BackupDBS \; //不同應用常有同名資料庫（如 webview.db），全部扁平複製到同一目錄會互相覆蓋；用 cp --parents（toybox/GNU cp 支援）保留原路徑，或改用 tar 打包
pm list packages | grep "xxx" //子命令是 packages（與上方一致）
pm list packages -f xxx //-f 同時顯示 APK 路徑，xxx 為套件名過濾字串
備份任何我們需要的應用程序（只有未把 allowBackup 設為 false 的應用才會被備份；adb backup 自 Android 12 起已標記為棄用）
adb backup -f [destination file name] [-apk] [package name] //選項（-f、-apk 等）必須放在套件名之前
dd if=xxx.ab bs=24 skip=1 | openssl zlib -d > xxx.tar //僅適用未加密的備份：前 24 位元組是純文字標頭（ANDROID BACKUP、版本、壓縮旗標、none），之後是 zlib 串流。若 openssl 沒編入 zlib，可用 python3 -c 'import sys,zlib;sys.stdout.buffer.write(zlib.decompress(sys.stdin.buffer.read()))' < xxx.ab.body 解壓（先用同一條 dd 去掉標頭）
malware.smali
<service android:name="malware.java"/> <!-- 原文的 droid:name 為筆誤，應為 android:name；而且 android:name 填的是類別名（如 .MalwareService），不是 .java 檔名 -->
<receiver android:name="com.legitimate.application.service">
<intent-filter>
<action android:name="android.provider.Telephony.SMS_RECEIVED" />
</intent-filter>
</receiver>
<!-- 分析提示：用看似正常的名稱註冊 SMS_RECEIVED 接收器，再搭配 manifest 中的 RECEIVE_SMS / SEND_SMS 權限，是 SMS 竊取或攔截驗證碼類惡意程式的典型特徵；注意 smali 裡對應的 onReceive 實作 -->
ARM（32 位元 / AArch32）總共有 16 個可見的通用寄存器,爲 R0-R15（AArch64 另有 X0–X30，SP/PC 不再是通用寄存器）
R11: 幀指針 (FP)（ARM 狀態下的慣例；Thumb 程式碼通常改用 R7）
R12: 過程內暫存寄存器 (IP)
R13: 棧指針 (SP)
R14: 鏈接寄存器 (LR)，存放函數返回位址
R15: 程序計數器 (PC)，棧溢出時覆寫保存在棧上的 LR 就能控制它
QEMU:
//-append "console=ttyAMA0" 內核啓動參數
qemu-system-arm -M versatilepb -kernel vmlinuz-2.6.32-5-versatile -initrd initrd.img-2.6.32-5-versatile -hda debian_squeeze_armel_standard.qcow2 -append "root=/dev/sda1" -redir tcp:2222::22
//新版 QEMU 已移除 -redir，改用 -nic user,hostfwd=tcp::2222-:22（或 -netdev user,id=n0,hostfwd=tcp::2222-:22 -device <nic>,netdev=n0）；這個 Debian squeeze 映像很舊，只適合離線實驗，不要暴露到外網
//qemu-system-arm -M versatilepb -kernel vmlinuz-2.6.32-5-versatile -initrd initrd.img-2.6.32-5-versatile -hda debian_squeeze_armel_standard.qcow2 -append "root=/dev/sda1"
ssh root@127.0.0.1 -p 2222 //hostfwd 是把主機的 2222 轉到客體的 22，所以連主機的 localhost，而不是客體的 IP
如果/proc/sys/kernel/randomize_va_space爲0則表示,進程每次啓動運行時,其虛擬地址空間裏的值就是它在ELF文件裏所指定的值;
如果爲1,則每次啓動時只有棧的裝載地址做隨機保護;
如果爲2,表示進程每次啓動時,進程的裝載地址、brk和堆棧地址都會隨機變化.
echo 0 > /proc/sys/kernel/randomize_va_space //關閉 ASLR，需 root；重開機後恢復預設值，只在實驗環境使用
gcc -g buffer_overflow.c -o buffer_overflow //在較新的工具鏈上要重現經典棧溢出，通常還需要 -fno-stack-protector -z execstack（以及 -no-pie），否則 canary 或不可執行棧會擋住利用
gdb -q buffer_overflow 將二進制文件加載到 GNU 調試器
disass ShouldNotBeCalled 反彙編特定的函數
b vulnerable
b *<address of the strcpy call> 在漏洞函數和 strcpy 調用的地址設置斷點
r AAAABBBBCCCC 先用可辨識的填充觀察哪一段覆蓋到了保存的返回位址
r `printf "AAAABBBBCCCCDDDD\x38\x84"` 16 位元組填滿緩衝區後接著覆寫返回位址；\x38\x84 要換成 disass ShouldNotBeCalled 得到的位址，並以小端序（低位元組在前）寫入。這裡只覆寫了兩個位元組，完整的 32 位元位址一般要 4 個；位址含 \x00 時無法經由命令列參數傳入
Android root: