am start
am startservice
am stopservice
am broadcast
am kill
am force-stop
am restart
am dumpheap <pid> <file> 将进程pid的堆信息输出到file
pm list packages 列举app包信息
pm install [options] <PATH> 安装应用
pm uninstall [options]<package> 卸载应用
pm hide <package> 隐藏应用
pm unhide <package> 显示应用
pm get-install-location 获取安装位置
pm clear <package> 清空App数据
pm force-dex-opt <package> dex优化
pm dump <package> dump信息
content [subcommand] [options]
content query --uri <URI> //content query --uri content://settings/secure
content read --uri <URI> //content read --uri content://settings/secure/default_input_method
dumpsys activity
dumpsys activity intents
dumpsys activity broadcasts
dumpsys activity providers
dumpsys activity services
dumpsys activity activities
dumpsys activity processes
dumpsys activity top
dumpsys window
dumpsys window windows
dumpsys window tokens
dumpsys window sessions
dumpsys window policy
dumpsys window input
pm grant com.pluscubed.matloglibre.debug android.permission.READ_LOGS //给予权限
taskset -p 3 13211 //将进程放到 cpu3 执行,对于该设备来说,cpu3 是大核,性能最好
//判断剩余内存,并且释放内存
free -m | grep Mem | busybox awk '{print $4}' //获取free后的内存大小
echo 3 > /proc/sys/vm/drop_caches
//设置cpu的频率
echo 150000 > /sys/devices/system/cpu/cpu3/cpufreq/cpuinfo_cur_freq
am start com.enlightment.voicerecorder/.MainActivity //打开录音软件
find /data/data/ -perm 777 使用 find 来搜索权限
SELECT * FROM 'users' where username='1' or '1' = '1' -- and password='mysecretpassword'
Exploit-Me 实验室
http://labs.securitycompass.com/exploit-me/
tcpdump
http://www.eecs.umich.edu/~timuralp/tcpdump-arm
./tcpdump -v -s 0 -w output.pcap
./tcpdump -i any -p -s 0 -w output.pcap
指定文件类型的头部
multipart/form-data
NetworkMiner
http://www.netresec.com/?page=NetworkMiner
取证是使用不同的手动和自动方法从设备中提取和分析数据:
逻辑采集:
物理采集:
Android 文件系统分区:
# cat proc/mtd
# cat proc/partitions
major minor #blocks name
1 0 8192 ram0
1 1 8192 ram1
1 2 8192 ram2
1 3 8192 ram3
1 4 8192 ram4
1 5 8192 ram5
1 6 8192 ram6
1 7 8192 ram7
1 8 8192 ram8
1 9 8192 ram9
1 10 8192 ram10
1 11 8192 ram11
1 12 8192 ram12
1 13 8192 ram13
1 14 8192 ram14
1 15 8192 ram15
254 0 371028 zram0
179 0 7634944 mmcblk1
179 1 4096 mmcblk1p1
179 2 4096 mmcblk1p2
179 3 4096 mmcblk1p3
179 4 16384 mmcblk1p4
179 5 32768 mmcblk1p5
179 6 32768 mmcblk1p6
179 7 65536 mmcblk1p7
179 8 114688 mmcblk1p8
179 9 4096 mmcblk1p9
179 10 819200 mmcblk1p10
179 11 1355776 mmcblk1p11
179 12 16384 mmcblk1p12
179 13 256000 mmcblk1p13
179 14 51200 mmcblk1p14
179 15 512 mmcblk1p15
179 16 4096 mmcblk1p16
179 17 4845039 mmcblk1p17
179 96 512 mmcblk1rpmb
179 64 4096 mmcblk1boot1
179 32 4096 mmcblk1boot0
# mount
rootfs on / type rootfs (ro,seclabel,size=478920k,nr_inodes=119730)
tmpfs on /dev type tmpfs (rw,seclabel,nosuid,relatime,size=488196k,nr_inodes=122049,mode=755)
devpts on /dev/pts type devpts (rw,seclabel,relatime,mode=600)
proc on /proc type proc (rw,relatime,gid=3009,hidepid=2)
sysfs on /sys type sysfs (rw,seclabel,relatime)
selinuxfs on /sys/fs/selinux type selinuxfs (rw,relatime)
/dev/block/mmcblk1p11 on /system type ext4 (rw,seclabel,relatime,data=ordered,inode_readahead_blks=8)
/dev/block/mmcblk1p13 on /vendor type ext4 (ro,seclabel,relatime,data=ordered,inode_readahead_blks=8)
none on /acct type cgroup (rw,relatime,cpuacct)
none on /dev/memcg type cgroup (rw,relatime,memory)
/sys/kernel/debug on /sys/kernel/debug type debugfs (rw,seclabel,relatime,mode=755)
/sys/kernel/debug/tracing on /sys/kernel/debug/tracing type tracefs (rw,seclabel,relatime,mode=755)
none on /dev/stune type cgroup (rw,relatime,schedtune)
tmpfs on /mnt type tmpfs (rw,seclabel,relatime,size=488196k,nr_inodes=122049,mode=755,gid=1000)
none on /config type configfs (rw,relatime)
none on /dev/cpuctl type cgroup (rw,relatime,cpu)
none on /dev/cpuset type cgroup (rw,relatime,cpuset,noprefix,release_agent=/sbin/cpuset_release_agent)
pstore on /sys/fs/pstore type pstore (rw,seclabel,relatime)
/dev/block/mmcblk1p14 on /oem type ext4 (ro,seclabel,noatime,nodiratime,noauto_da_alloc,data=ordered)
/dev/block/mmcblk1p10 on /cache type ext4 (rw,seclabel,nosuid,nodev,noatime,nodiratime,discard,noauto_da_alloc,data=ordered)
/dev/block/mmcblk1p12 on /metadata type ext4 (rw,seclabel,nosuid,nodev,noatime,nodiratime,discard,noauto_da_alloc,data=ordered)
/dev/block/mmcblk1p17 on /data type f2fs (rw,lazytime,seclabel,nosuid,nodev,noatime,nodiratime,background_gc=on,discard,no_heap,user_xattr,inline_xattr,inline_data,inline_dentry,flush_merge,extent_cache,mode=adaptive,active_logs=6,alloc_mode=reuse,fsync_mode=posix)
tmpfs on /storage type tmpfs (rw,seclabel,relatime,size=488196k,nr_inodes=122049,mode=755,gid=1000)
adb on /dev/usb-ffs/adb type functionfs (rw,relatime)
/data/media on /mnt/runtime/default/emulated type sdcardfs (rw,nosuid,nodev,noexec,noatime,fsuid=1023,fsgid=1023,gid=1015,multiuser,mask=6,derive_gid)
/data/media on /storage/emulated type sdcardfs (rw,nosuid,nodev,noexec,noatime,fsuid=1023,fsgid=1023,gid=1015,multiuser,mask=6,derive_gid)
/data/media on /mnt/runtime/read/emulated type sdcardfs (rw,nosuid,nodev,noexec,noatime,fsuid=1023,fsgid=1023,gid=9997,multiuser,mask=23,derive_gid)
/data/media on /mnt/runtime/write/emulated type sdcardfs (rw,nosuid,nodev,noexec,noatime,fsuid=1023,fsgid=1023,gid=9997,multiuser,mask=7,derive_gid)
使用 dd 提取数据
dd if=[source file which needs to be copied] of=[destination file to be created]
dd if=/dev/block/mmcblk1p17 of=/mnt/media_rw/17EC-1152/data.img
Netcat 工具将映像直接保存到远程位置/系统
adb forward tcp:5566 tcp:5566 将端口从设备转发到系统
nc 127.0.0.1 5566 > data.img 在主机上连接已转发的端口 5566,把收到的映像写入 data.img
nc -l -p 5566 -e dd if=/dev/block/mmcblk1p17 在设备上监听端口 5566,启动 dd 工具,并将输出转发到 Netcat
使用 Andriller 提取应用数据
Andriller 开源多平台取证工具
http://android.saz.lt/cgi-bin/download.py
https://www.andriller.com/download/
python Andriller.py
使用 AFLogical 提取所有联系人、通话记录和短信
https://github.com/viaforensics/android-forensics
查找所有 .db 文件
find . -name "*.db" -type f
find . -name "*.db" -type f -exec cp {} /mnt/sdcard/BackupDBS \;
pm list package | grep "xxx"
pm list package -f xxx
备份任何我们需要的应用程序
adb backup [package name] -f [destination file name]
dd if=xxx.ab bs=24 skip=1 | openssl zlib -d > xxx.tar
malware.smali
<service android:name="malware.java"/>
<receiver android:name="com.legitimate.application.service">
<intent-filter>
<action android:name="android.provider.Telephony.SMS_RECEIVED" />
</intent-filter>
</receiver>
ARM 总共有 16 个可见的通用寄存器,为 R0-R15
R11: 帧指针 (FP)
R12: 过程内寄存器 (IP)
R13: 栈指针 (SP)
R14: 链接寄存器 (LR)
R15: 程序计数器 (PC)
QEMU:
//-append "console=ttyAMA0" 内核启动参数
qemu-system-arm -M versatilepb -kernel vmlinuz-2.6.32-5-versatile -initrd initrd.img-2.6.32-5-versatile -hda debian_squeeze_armel_standard.qcow2 -append "root=/dev/sda1" -redir tcp:2222::22
//qemu-system-arm -M versatilepb -kernel vmlinuz-2.6.32-5-versatile -initrd initrd.img-2.6.32-5-versatile -hda debian_squeeze_armel_standard.qcow2 -append "root=/dev/sda1"
ssh root@[ip address of Qemu] -p 2222
如果/proc/sys/kernel/randomize_va_space为0则表示,进程每次启动运行时,其虚拟地址空间里的值就是它在ELF文件里所指定的值;
如果为1,则每次启动时只有栈的装载地址做随机保护;
如果为2,表示进程每次启动时,进程的装载地址、brk和堆栈地址都会随机变化.
echo 0 > /proc/sys/kernel/randomize_va_space
gcc -g buffer_overflow.c -o buffer_overflow
gdb -q buffer_overflow 将二进制文件加载到 GNU 调试器
disass ShouldNotBeCalled 反汇编特定的函数
b vulnerable
b *<address of the strcpy call> 在漏洞函数和 strcpy 调用的地址设置断点
r AAAABBBBCCCC
r `printf "AAAABBBBCCCCDDDD\x38\x84"`
Android root: