Writeup by naacbin for Ordiphone 1

forensics memory android

November 7, 2023

Ordiphone 1

Solution

Android build profile

To build a Volatility profile for the Android image, we first need to identify the kernel that was running when the dump was taken:

strings lime.dump | grep -i 'Linux version'
Kernel: Linux version 3.18.91+ (android-build@wphr1.hot.corp.google.com) (gcc version 4.9 20140827 (prerelease) (GCC) ) #1 SMP PREEMPT Tue Jan 9 20:30:51 UTC 2018
Linux version 4.4.124+ (forensics@fcsc2021) (gcc version 4.9.x 20150123 (prerelease) (GCC) ) #3 SMP PREEMPT Sun Mar 21 19:15:33 CET 2021
strings lime.dump | grep -i 'Android SDK built'
Dalvik/2.1.0 (Linux; U; Android 8.0.0; Android SDK built for x86_64 Build/OSR1.180418.026)

Two banners show up. The 3.18.91+ one is the stock emulator kernel; the 4.4.124+ one was built by forensics@fcsc2021 a few weeks before the CTF, so that is the kernel the challenge image was booted with and the one we have to rebuild. Its compiler string, gcc 4.9.x 20150123 (prerelease), is the Android prebuilt GCC 4.9 toolchain, and the Dalvik user agent tells us the target is an Android 8.0.0 x86_64 emulator image. That fixes everything below: the goldfish 4.4 kernel tree, the x86_64 ranchu config and the 4.9 cross-compiler.

Then I followed a tutorial on running a custom kernel in the Android emulator, and another one on creating the Volatility profile.

cd ~
# the master branch no longer carries x86_64-linux-android-4.9-gcc, hence the 8.0.0 tag
git clone https://android.googlesource.com/platform/prebuilts/gcc/linux-x86/x86/x86_64-linux-android-4.9 -b android-security-8.0.0_r54
export PATH=$PATH:~/x86_64-linux-android-4.9/bin
export ARCH=x86_64
export CROSS_COMPILE=x86_64-linux-android-

# goldfish is the emulator kernel tree; the 4.4-dev branch matches the 4.4.124+ banner
git clone https://android.googlesource.com/kernel/goldfish/ -b android-goldfish-4.4-dev
cd ~/goldfish
make x86_64_ranchu_defconfig   # ranchu is the x86_64 emulator board
# check that .config contains CONFIG_MODULES=y, otherwise neither the profile module nor LiME can be loaded
make -j16

git clone https://github.com/volatilityfoundation/volatility.git ~/android-volatility
cd ~/android-volatility/tools/linux

Edit the Makefile as follows, so that the module is cross-compiled against the goldfish tree with debug info (which dwarfdump then turns into module.dwarf) instead of against the host kernel:

obj-m += module.o
KDIR ?= $(HOME)/goldfish
CCPATH := $(HOME)/x86_64-linux-android-4.9/bin
DWARFDUMP := dwarfdump
KVER ?= $(shell uname -r)

-include version.mk

all: dwarf

dwarf: module.c
	$(MAKE) ARCH=x86_64 CROSS_COMPILE=$(CCPATH)/x86_64-linux-android- -C $(KDIR) CONFIG_DEBUG_INFO=y M=$(PWD) modules
	$(DWARFDUMP) -di module.ko > module.dwarf

clean:
	rm -f module.dwarf

Finally, build the profile. Volatility derives the profile name from the zip file name, so Golfish.zip is registered as LinuxGolfishx64 (a dot in the file name would be turned into an underscore); volatility --info lists it once the zip is in place.

make
zip -j ~/android-volatility/volatility/plugins/overlays/linux/Golfish.zip module.dwarf ~/goldfish/System.map

Get the flag

A Reddit post tells us that real_start_time is a field of task_struct. In a 4.4 kernel it is a u64 holding the process start time on the boot-based clock, in nanoseconds since boot, not a wall-clock timestamp.

A MISC magazine article about Volatility explains that the process-related plugins all work on task_struct: they start from the init_task symbol and follow the circular tasks list. The article gives this excerpt from the linux_pslist plugin:

# resolve the address of init_task from the profile's System.map, then walk init_task.tasks
init_task_addr = self.addr_space.profile.get_symbol("init_task")
init_task = obj.Object("task_struct", vm = self.addr_space, offset = init_task_addr)
for task in init_task.tasks:
    yield task

After looking at the code, two ideas came to me: write a plugin, or use volshell and see whether it can interact with task_struct directly. I found very good documentation on volshell; its fifth slide explains that a structure can be explored with dt().

$ volatility --profile=LinuxGolfishx64 -f ./lime.dump linux_volshell
> ps()
insmod           4752   0xffff880011da12c0
> dt("task_struct", 0xffff880011da12c0)
0x8d0 : real_start_time                63951047224

ps() lists every task with the address of its task_struct, and dt() decodes the structure at that address using the layout recorded in module.dwarf, which puts the field we want at offset 0x8d0 of insmod's task_struct. Read as boot-based nanoseconds, the value means insmod was started about 64 seconds after the emulator booted.
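What ps() and the linux_pslist loop above do under the hood, as an added example that is not part of the original writeup nor of Volatility: walk the circular tasks list from init_task on a constructed image and read real_start_time out of each task_struct. Only the 0x8d0 offset comes from the dt() output; the other task_struct offsets, the task size, the flat virtual-address-to-offset mapping and the sample process list are assumptions made up for this example (a real profile gets the layout from module.dwarf and the addresses through the page tables).

```python
"""Walk the kernel task list the way linux_pslist does, on a constructed image."""
import struct

# Constructed task_struct layout. Only OFF_REAL_START_TIME (0x8d0) comes from the
# dt() output above; the other offsets and TASK_SIZE are placeholders for the example.
OFF_TASKS = 0x380            # struct list_head tasks { next, prev }
OFF_PID = 0x4c0              # pid_t pid
OFF_COMM = 0x640             # char comm[16]
OFF_REAL_START_TIME = 0x8d0  # u64 real_start_time, nanoseconds since boot
TASK_SIZE = 0x1000

# The fake image is a flat buffer; kernel virtual address = KVA_BASE + buffer offset.
KVA_BASE = 0xFFFF880000000000
U64 = struct.Struct("<Q")


def va_to_offset(va, size):
    """Translate a kernel virtual address into a buffer offset, refusing bad pointers."""
    off = va - KVA_BASE
    if off < 0 or off >= size:
        raise ValueError("address 0x%x is outside the image" % va)
    return off


def read_u64(mem, va):
    return U64.unpack_from(mem, va_to_offset(va, len(mem)))[0]


def build_image(tasks):
    """Lay out one task_struct per (comm, pid, real_start_time) tuple; the first one plays
    init_task. The embedded list_heads form a circular doubly linked list, which is what
    init_task.tasks looks like in a live kernel. Returns (image, init_task_va)."""
    n = len(tasks)
    assert n >= 1, "init_task is required"
    mem = bytearray(TASK_SIZE * n)
    bases = [KVA_BASE + TASK_SIZE * i for i in range(n)]
    for i, (comm, pid, rst) in enumerate(tasks):
        off = TASK_SIZE * i
        U64.pack_into(mem, off + OFF_TASKS, bases[(i + 1) % n] + OFF_TASKS)      # tasks.next
        U64.pack_into(mem, off + OFF_TASKS + 8, bases[(i - 1) % n] + OFF_TASKS)  # tasks.prev
        struct.pack_into("<i", mem, off + OFF_PID, pid)
        struct.pack_into("16s", mem, off + OFF_COMM, comm.encode())
        U64.pack_into(mem, off + OFF_REAL_START_TIME, rst)
    return bytes(mem), bases[0]


def walk_tasks(mem, init_task_va, limit=65536):
    """Yield (task_va, pid, comm, real_start_time) for every task reachable from
    init_task.tasks.next. Like Volatility, follow the list until it wraps back to
    init_task; a pointer that leaves the image or revisits a task ends the walk, so a
    corrupted list in a real dump cannot spin forever."""
    seen = set()
    task = init_task_va
    while task not in seen and len(seen) < limit:
        seen.add(task)
        try:
            pid = struct.unpack_from("<i", mem, va_to_offset(task + OFF_PID, len(mem)))[0]
            comm_off = va_to_offset(task + OFF_COMM, len(mem))
            comm = bytes(mem[comm_off:comm_off + 16]).split(b"\0", 1)[0].decode("ascii", "replace")
            rst = read_u64(mem, task + OFF_REAL_START_TIME)
            nxt = read_u64(mem, task + OFF_TASKS)  # address of next_task->tasks
        except ValueError:
            return
        yield task, pid, comm, rst
        task = nxt - OFF_TASKS  # container_of(nxt, struct task_struct, tasks)


def pslist(mem, init_task_va):
    """What ps() printed: (pid, comm, real_start_time) per task, in list order."""
    return [(pid, comm, rst) for _, pid, comm, rst in walk_tasks(mem, init_task_va)]


def real_start_time_of(mem, init_task_va, comm):
    """real_start_time of the first task named comm, or None if there is none."""
    for _, pid, name, rst in walk_tasks(mem, init_task_va):
        if name == comm:
            return rst
    return None


# Constructed sample list: swapper/0 is init_task; insmod carries the values volshell showed.
SAMPLE_TASKS = [("swapper/0", 0, 0), ("init", 1, 2100000000), ("insmod", 4752, 63951047224)]

if __name__ == "__main__":
    image, init_va = build_image(SAMPLE_TASKS)
    for va, pid, comm, rst in walk_tasks(image, init_va):
        print("%-16s %6d 0x%x real_start_time=%d ns (%.3f s after boot)"
              % (comm, pid, va, rst, rst / 1e9))
```

The container_of step is the whole trick: tasks.next does not point at the next task_struct but at the list_head embedded inside it, so the structure offset has to be subtracted before any field can be read, which is exactly what the profile's DWARF data provides to Volatility.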

Flag

FCSC{63951047224}


Bonus

If you want to run an Android emulator yourself, use the following commands:

# https://stackoverflow.com/questions/60440509/android-command-line-tools-sdkmanager-always-shows-warning-could-not-create-se
mkdir ~/android-sdk && cd ~/android-sdk
# unzip the command line tools archive here first; it extracts to ./cmdline-tools, which sdkmanager
# expects one level deeper (this is the layout fix from the Stack Overflow answer above)
mv cmdline-tools tools/ && mkdir cmdline-tools && mv tools/ cmdline-tools
export ANDROID_SDK_ROOT=~/android-sdk
export PATH=$PATH:$ANDROID_SDK_ROOT/cmdline-tools/latest/bin:$ANDROID_SDK_ROOT/cmdline-tools/tools/bin:~/android-sdk/platform-tools
sdkmanager --update
sdkmanager --list
sdkmanager "platform-tools" "emulator"   # provides adb and the emulator binary used below
sdkmanager "platforms;android-26"
sdkmanager "system-images;android-26;google_apis;x86_64"
sdkmanager "build-tools;26.0.0"
adb --version
avdmanager create avd -n fcsc -k "system-images;android-26;google_apis;x86_64" # google_apis image (not google_apis_playstore): adb root and su work
avdmanager list avd
~/android-sdk/emulator/emulator -avd fcsc -kernel ~/goldfish/arch/x86/boot/bzImage -show-kernel -verbose

Build LiME against your goldfish kernel and push it to the Android device:

git clone https://github.com/504ensicsLabs/LiME.git ~/LiME
cd ~/LiME/src

Edit the Makefile so that the default target cross-compiles against the goldfish tree. Recipe lines must be indented with a tab, not spaces, or make rejects them:

obj-m := lime.o
lime-objs := tcp.o disk.o main.o hash.o deflate.o

KVER ?= $(shell uname -r)
KDIR ?= /lib/modules/$(KVER)/build
KDIR_GOLDFISH ?= $(HOME)/goldfish
CCPATH := $(HOME)/x86_64-linux-android-4.9/bin
PWD := $(shell pwd)

.PHONY: modules modules_install clean distclean debug

# default: cross-compile for the emulator kernel built above
default:
	$(MAKE) ARCH=x86_64 CROSS_COMPILE=$(CCPATH)/x86_64-linux-android- -C $(KDIR_GOLDFISH) EXTRA_CFLAGS=-fno-pic M=$(PWD) modules
	mv lime.ko lime-goldfish.ko

debug:
	KCFLAGS="-DLIME_DEBUG" $(MAKE) CONFIG_DEBUG_SG=y -C $(KDIR) M="$(PWD)" modules
	strip --strip-unneeded lime.ko
	mv lime.ko lime-$(KVER).ko

symbols:
	$(MAKE) -C $(KDIR) M="$(PWD)" modules
	mv lime.ko lime-$(KVER).ko

modules:    main.c disk.c tcp.c hash.c lime.h
	$(MAKE) -C /lib/modules/$(KVER)/build M="$(PWD)" $@
	strip --strip-unneeded lime.ko

modules_install:    modules
	$(MAKE) -C $(KDIR) M="$(PWD)" $@

clean:
	rm -f *.o *.mod.c Module.symvers Module.markers modules.order \.*.o.cmd \.*.ko.cmd \.*.o.d
	rm -rf \.tmp_versions

distclean: mrproper
mrproper:    clean
	rm -f *.ko

Build, then clean up the intermediate files (lime-goldfish.ko is kept):

make
make clean

Push the module, load it as root to dump the memory, then pull the dump back to the host:

adb push ~/LiME/src/lime-goldfish.ko /sdcard/lime.ko
adb shell
su
insmod /sdcard/lime.ko "path=/sdcard/lime.dump format=lime"   # returns once the whole dump has been written
exit
exit
adb pull /sdcard/lime.dump .
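As an added example (not part of the original writeup, and not LiME's or Volatility's code), here is a parser for the dump produced by format=lime, which also reproduces the strings | grep 'Linux version' step from the top of the writeup but reports the physical address of each hit. It relies on LiME's 32-byte segment header (magic 0x4C694D45, version 1, inclusive start and end physical addresses, 8 reserved bytes) followed by the segment's bytes, one segment per System RAM range. The sample dump is constructed from the two banners seen above; the addresses and hole between the ranges are made up.

```python
"""Parse a LiME-format dump: walk its segment headers, map physical addresses to
file offsets and locate the kernel version banner(s)."""
import re
import struct

LIME_MAGIC = 0x4C694D45                 # "EMiL" when read as little-endian bytes
LIME_HDR = struct.Struct("<IIQQ8s")     # magic, version, s_addr, e_addr, reserved[8]
BANNER_RE = re.compile(rb"Linux version \d[^\x00\n]{0,200}")


def build_lime(ranges):
    """Constructed helper for the sample below: serialise [(start_paddr, payload)] as
    LiME segments. e_addr is inclusive, as LiME takes it from the iomem resource end."""
    out = bytearray()
    for start, payload in ranges:
        out += LIME_HDR.pack(LIME_MAGIC, 1, start, start + len(payload) - 1, b"\0" * 8)
        out += payload
    return bytes(out)


def parse_lime(data):
    """Return [(s_addr, e_addr, payload_offset)] for every segment, rejecting a dump whose
    headers are wrong or whose last segment was cut short (e.g. /sdcard filled up)."""
    segments, pos = [], 0
    while pos < len(data):
        if len(data) - pos < LIME_HDR.size:
            raise ValueError("truncated LiME header at file offset 0x%x" % pos)
        magic, version, s_addr, e_addr, _ = LIME_HDR.unpack_from(data, pos)
        if magic != LIME_MAGIC or version != 1:
            raise ValueError("bad LiME header at 0x%x: magic 0x%x version %d" % (pos, magic, version))
        if e_addr < s_addr:
            raise ValueError("segment at 0x%x ends (0x%x) before it starts (0x%x)" % (pos, e_addr, s_addr))
        payload = pos + LIME_HDR.size
        length = e_addr - s_addr + 1
        if payload + length > len(data):
            raise ValueError("segment 0x%x-0x%x runs past end of file: dump incomplete" % (s_addr, e_addr))
        segments.append((s_addr, e_addr, payload))
        pos = payload + length
    return segments


def is_valid_lime(data):
    """True if parse_lime accepts the dump, False instead of an exception otherwise."""
    try:
        parse_lime(data)
        return True
    except ValueError:
        return False


def phys_to_offset(segments, paddr):
    """File offset holding physical address paddr, or None when it lies in a hole
    (LiME only captures System RAM; MMIO and reserved ranges are skipped)."""
    for s_addr, e_addr, payload in segments:
        if s_addr <= paddr <= e_addr:
            return payload + (paddr - s_addr)
    return None


def find_kernel_banners(data, segments):
    """Equivalent of strings lime.dump | grep 'Linux version', but with the physical
    address of each hit, so stale copies can be told apart from the live banner."""
    hits = []
    for s_addr, e_addr, payload in segments:
        for m in BANNER_RE.finditer(data, payload, payload + (e_addr - s_addr + 1)):
            hits.append((s_addr + m.start() - payload, m.group().decode("ascii", "replace")))
    return hits


# Constructed sample dump: two System RAM ranges with a hole between them, carrying the
# two banners seen above (the 4.4.124+ one is the running kernel for this challenge).
LIVE_BANNER = (b"Linux version 4.4.124+ (forensics@fcsc2021) (gcc version 4.9.x 20150123 "
               b"(prerelease) (GCC) ) #3 SMP PREEMPT Sun Mar 21 19:15:33 CET 2021")
STALE_BANNER = (b"Linux version 3.18.91+ (android-build@wphr1.hot.corp.google.com) (gcc version "
                b"4.9 20140827 (prerelease) (GCC) ) #1 SMP PREEMPT Tue Jan 9 20:30:51 UTC 2018")
SAMPLE_DUMP = build_lime([
    (0x1000, b"\0" * 0x200 + LIVE_BANNER + b"\0" * 0x100),
    (0x100000, b"\0" * 0x40 + STALE_BANNER + b"\0" * 0x20),
])

if __name__ == "__main__":
    segs = parse_lime(SAMPLE_DUMP)
    for s, e, off in segs:
        print("segment 0x%x-0x%x at file offset 0x%x" % (s, e, off))
    for paddr, banner in find_kernel_banners(SAMPLE_DUMP, segs):
        print("0x%x: %s" % (paddr, banner))
```

Checking the last segment's declared length against the file size is worth doing on every real acquisition: a dump cut short by a full /sdcard still opens in Volatility, but the pages of the missing range silently read as absent, which is the kind of thing a profile build is then blamed for.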