I am trying to analyse Android malware on an emulator with Android 2.1. I want to analyse the files' permissions and fingerprints after the execution of the suspicious app. I know I can use the adb shell to get this information, but I think I can't trust the information after the execution of e.g. a rootkit.
I think the only way to prevent rootkits from hiding is by mounting the images directly, or is it? I have the following files:
ramdisk.img snapshots.img userdata-qemu.img cache.img system.img userdata.img zImage
How can they be mounted/extracted on Ubuntu (read access is enough)?
With unyaffs I can extract the system.img and userdata.img files. simg2img returns "bad magic" for all files.
Thanks Alex
Edit: userdata-qemu.img works with unyaffs2.
You've already answered your own question, but I'll expand a bit. The Android SDK comes with system images, for example:
$ cd android-sdk-linux/system-images/android-15/armeabi-v7a/
$ ls *.img
ramdisk.img system.img userdata.img
$ cd ~/.android/avd/<img name>.avd/
$ ls *.img
cache.img sdcard.img userdata.img userdata-qemu.img
Though, not all images are of the same type:
$ file *.img
cache.img: VMS Alpha executable
sdcard.img: x86 boot sector, code offset 0x5a, OEM-ID "MSWIN4.1", sectors/cluster 4, Media descriptor 0xf8, sectors 2048000 (volumes > 32 MB) , FAT (32 bit), sectors/FAT 3993, reserved3 0x800000, serial number 0x17de3f04, label: " SDCARD"
userdata.img: VMS Alpha executable
userdata-qemu.img: VMS Alpha executable
Since sdcard.img contains no extra partitions, it can be mounted directly without an offset parameter (like -o loop,offset=32256):
$ fdisk -l sdcard.img
You must set cylinders.
You can do this from the extra functions menu.
Disk sdcard.img: 0 MB, 0 bytes
255 heads, 63 sectors/track, 0 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x00000000
Device Boot Start End Blocks Id System
$ sudo mount -o loop sdcard.img /mnt/
The other image files which are described as VMS Alpha executable are in fact yaffs2 files. As far as I'm aware they can't be mounted directly, but they can be extracted using the two utilities unyaffs or unyaffs2.
$ mkdir extract
$ cd extract
$ unyaffs ../userdata.img
or
$ unyaffs2 --yaffs-ecclayout ../userdata.img .
Note, there's another utility called simg2img, which can be found in the android source tree under ./android_src/system/extras/ext4_utils/ and which is used on compressed ext4 img files. However, if wrongly applied to yaffs2 images it complains with Bad magic.
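For the step the question is actually after (checking permissions and fingerprints from the extracted tree on the host instead of through adb on a guest that may be rootkitted), here is an added example that is not from either post: it builds a mode/uid/gid/sha256 manifest of an extracted directory such as the one unyaffs writes into "extract", and diffs a pre-execution manifest against a post-execution one. It assumes the extractor reproduced the permission bits and ownership of the image (ownership needs root at extraction time); the before/after trees in demo() are constructed inline.

```python
import hashlib
import os
import stat
import tempfile

def build_manifest(root):
    """Map each path (relative to root) to (mode, uid, gid, sha256-or-None)."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)  # lstat: never follow symlinks found in the image
            digest = None
            if stat.S_ISREG(st.st_mode):
                h = hashlib.sha256()
                with open(full, "rb") as f:
                    for chunk in iter(lambda: f.read(65536), b""):
                        h.update(chunk)
                digest = h.hexdigest()
            rel = os.path.relpath(full, root)
            manifest[rel] = (stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, digest)
    return manifest

def diff_manifests(before, after):
    """Return sorted lists of paths that were added, removed or changed (mode/owner/hash)."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    changed = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return {"added": added, "removed": removed, "changed": changed}

def demo():
    """Constructed sample: two trees standing in for a before/after extraction of userdata.img."""
    base = tempfile.mkdtemp()
    trees = {}
    for label in ("before", "after"):
        root = os.path.join(base, label)
        os.makedirs(os.path.join(root, "data", "app"))
        with open(os.path.join(root, "data", "app", "sample.apk"), "wb") as f:
            f.write(b"apk-bytes")  # constructed content, not a real APK
        os.chmod(os.path.join(root, "data", "app", "sample.apk"), 0o644)
        trees[label] = root
    # Simulated post-execution changes: world-writable bit set and a new file dropped.
    os.chmod(os.path.join(trees["after"], "data", "app", "sample.apk"), 0o666)
    with open(os.path.join(trees["after"], "data", "dropped.so"), "wb") as f:
        f.write(b"\x7fELF")  # constructed header bytes only
    return diff_manifests(build_manifest(trees["before"]), build_manifest(trees["after"]))

if __name__ == "__main__":
    print(demo())
```

Running build_manifest on the real "extract" directory before and after the sample runs, and saving the result with json, gives a baseline that does not depend on anything the guest reports.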