wenluhu / gammaray-android

Distributed Streaming Virtual Machine Introspection
Apache License 2.0

Extract initial block device metadata as BSON. #9

Closed bamos closed 10 years ago

bamos commented 10 years ago

I've built gray-crawler to run on Android. Modifications still need to be made to stream the BSON across the network.

I'm currently only exporting the metadata of /dev/block/mmcblk0.

All of the mounts are on these devices, which isn't evident from the by-name paths output by the mount command:

127|root@maguro:/data/gray # mount
rootfs / rootfs ro,relatime 0 0
tmpfs /dev tmpfs rw,seclabel,nosuid,relatime,mode=755 0 0
devpts /dev/pts devpts rw,seclabel,relatime,mode=600 0 0
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,seclabel,relatime 0 0
selinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0
none /acct cgroup rw,relatime,cpuacct 0 0
tmpfs /mnt/secure tmpfs rw,seclabel,relatime,mode=700 0 0
tmpfs /mnt/asec tmpfs rw,seclabel,relatime,mode=755,gid=1000 0 0
tmpfs /mnt/obb tmpfs rw,seclabel,relatime,mode=755,gid=1000 0 0
none /dev/cpuctl cgroup rw,relatime,cpu 0 0
/dev/block/platform/omap/omap_hsmmc.0/by-name/system /system ext4 ro,seclabel,relatime,user_xattr,barrier=1,data=ordered 0 0
/dev/block/platform/omap/omap_hsmmc.0/by-name/efs /factory ext4 ro,seclabel,relatime,user_xattr,barrier=1,data=ordered 0 0
/dev/block/platform/omap/omap_hsmmc.0/by-name/cache /cache ext4 rw,seclabel,nosuid,nodev,noatime,errors=panic,user_xattr,barrier=1,nomblk_io_submit,data=ordered 0 0
/dev/block/platform/omap/omap_hsmmc.0/by-name/userdata /data ext4 rw,seclabel,nosuid,nodev,noatime,errors=panic,user_xattr,barrier=1,nomblk_io_submit,data=ordered 0 0
/sys/kernel/debug /sys/kernel/debug debugfs rw,relatime 0 0
/dev/fuse /mnt/shell/emulated fuse rw,nosuid,nodev,relatime,user_id=1023,group_id=1023,default_permissions,allow_other 0 0
/dev/nbd0 /data/nbdroid/nbd-mount ext4 rw,seclabel,relatime,user_xattr,barrier=1,data=ordered 0 0

The following command exports the block device metadata as BSON.

$ /data/gray/gray-crawler /dev/block/mmcblk0 /sdcard/gray/mmcblk0.bson

Raw Disk Crawler -- By: Wolfgang Richter <wolf@cs.cmu.edu>
Analyzing Disk: /dev/block/mmcblk0

Analyzing Boot Sector
Disk Signature [optional]: 0x00000000
Position 444 [0x0000]: 0x0000
Verifying MBR Signature [0x55 0xaa]: 0x55 0xaa

Checking partition table entry 0.
Status [0x80 bootable, 0x00 non-bootable]: 0x00
Partition Type: 0xee
Partition Type: GPT
Start Head: 0x00
Start Sector: 0x00
Start Cylinder: 0x000
End Head: 0x00
End Sector: 0x00
End Cylinder: 0x000
First Sector LBA: 0x00000001
Number of Sectors: 0x01d59fff (Inf TiB)

Checking partition table entry 1.
Status [0x80 bootable, 0x00 non-bootable]: 0x00
Partition Type: 0x00
Partition Type: Empty

Checking partition table entry 2.
Status [0x80 bootable, 0x00 non-bootable]: 0x00
Partition Type: 0x00
Partition Type: Empty

Checking partition table entry 3.
Status [0x80 bootable, 0x00 non-bootable]: 0x00
Partition Type: 0x00
Partition Type: Empty

mmcblk0.bson only consumes 83 bytes, so I'm not sure how representative it is of the block devices we're interested in on Android. I also expect all 13 partitions to show up in the metadata.

root@maguro:/data/gray # ls /dev/block/platform/omap/omap_hsmmc.0/
by-name
by-num
mmcblk0
mmcblk0boot0
mmcblk0boot1
mmcblk0p1
mmcblk0p10
mmcblk0p11
mmcblk0p12
mmcblk0p13
mmcblk0p2
mmcblk0p3
mmcblk0p4
mmcblk0p5
mmcblk0p6
mmcblk0p7
mmcblk0p8
mmcblk0p9
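The crawler output above reports a single MBR entry of type 0xee. That is the protective entry a GPT-partitioned disk keeps in sector 0; the thirteen mmcblk0p* partitions are described by the GPT header at LBA 1 and the entry array behind it, not by the MBR. The following added example (my own code, not gammaray's) performs that two-stage parse with CRC32 and bounds checks on every length field, and computes the size of the protective entry from its sector count, the field for which the crawler printed "Inf TiB". The disk image is constructed in memory with only its metadata sectors materialised; of the 13 partition names only efs, system, cache and userdata are taken from the mount listing, the rest are placeholders, and all GUIDs except the standard Linux filesystem type GUID are made up.

```python
"""Parse a protective MBR and the GPT behind it (added example, not gammaray code)."""
import struct
import uuid
import zlib

SECTOR = 512
MBR_SIG = b"\x55\xaa"
GPT_SIG = b"EFI PART"
GPT_HEADER_FMT = "<8sIIIIQQQQ16sQIII"  # 92-byte header, little-endian
GPT_ENTRY_FMT = "<16s16sQQQ72s"        # 128-byte partition entry
MBR_ENTRY_FMT = "<B3xB3xII"            # status, CHS start (skipped), type, CHS end (skipped), first LBA, count
PROTECTIVE_GPT = 0xEE
LINUX_FS_GUID = uuid.UUID("0fc63daf-8483-4772-8e79-3d69d8477de4")  # GPT "Linux filesystem data" type


def sectors_to_gib(sectors, sector_size=SECTOR):
    """Size of a run of sectors in GiB (the crawler printed 'Inf TiB' for this field)."""
    return sectors * sector_size / 2 ** 30


def parse_mbr(sector0):
    """Return the four primary partition entries of sector 0 after checking the 0x55 0xaa signature."""
    if len(sector0) < SECTOR or bytes(sector0[510:512]) != MBR_SIG:
        raise ValueError("missing MBR signature")
    entries = []
    for i in range(4):
        status, ptype, first_lba, count = struct.unpack_from(MBR_ENTRY_FMT, sector0, 446 + 16 * i)
        entries.append({"index": i, "status": status, "type": ptype,
                        "first_lba": first_lba, "sectors": count})
    return entries


def parse_gpt(image, header_lba=1):
    """Parse the GPT header at header_lba and return the in-use partition entries.

    Every length field is checked against the image and both CRC32s are verified
    before an entry is trusted: the crawler reads devices whose metadata may be
    damaged or deliberately malformed.
    """
    start = header_lba * SECTOR
    raw = image[start:start + struct.calcsize(GPT_HEADER_FMT)]
    if len(raw) != 92 or bytes(raw[:8]) != GPT_SIG:
        raise ValueError("no GPT header at LBA %d" % header_lba)
    (_sig, _rev, hsize, hcrc, _res, _cur, _backup, first_usable, last_usable,
     disk_guid, ent_lba, n_ent, ent_size, ecrc) = struct.unpack(GPT_HEADER_FMT, raw)
    if not 92 <= hsize <= SECTOR:
        raise ValueError("implausible GPT header size %d" % hsize)
    header = bytearray(image[start:start + hsize])
    header[16:20] = b"\0\0\0\0"  # the header CRC is computed with its own field zeroed
    if len(header) != hsize or zlib.crc32(bytes(header)) != hcrc:
        raise ValueError("GPT header CRC mismatch")
    if ent_size < 128 or ent_size % 8 or n_ent == 0 or n_ent > 4096:
        raise ValueError("implausible partition entry geometry")
    table = bytes(image[ent_lba * SECTOR:ent_lba * SECTOR + n_ent * ent_size])
    if len(table) != n_ent * ent_size:
        raise ValueError("partition entry array runs past the end of the image")
    if zlib.crc32(table) != ecrc:
        raise ValueError("partition entry array CRC mismatch")
    parts = []
    for i in range(n_ent):
        tguid, uguid, first, last, attrs, name = struct.unpack_from(GPT_ENTRY_FMT, table, i * ent_size)
        if tguid == b"\0" * 16:  # unused slot
            continue
        if first < first_usable or first > last or last > last_usable:
            raise ValueError("entry %d lies outside the usable range" % (i + 1))
        parts.append({"number": i + 1, "type_guid": str(uuid.UUID(bytes_le=tguid)),
                      "unique_guid": str(uuid.UUID(bytes_le=uguid)),
                      "first_lba": first, "last_lba": last, "attributes": attrs,
                      "name": name.decode("utf-16-le").split("\0", 1)[0]})
    return {"disk_guid": str(uuid.UUID(bytes_le=disk_guid)), "partitions": parts}


def build_test_image(names, disk_sectors=0x01d5a000):
    """Constructed test disk: protective MBR, GPT header, 128-slot entry array; no partition data."""
    entries, lba = bytearray(), 34
    for name in names:  # constructed GUIDs; 2048-sector partitions laid out back to back
        entries += struct.pack(GPT_ENTRY_FMT, LINUX_FS_GUID.bytes_le,
                               uuid.uuid5(uuid.NAMESPACE_URL, name).bytes_le,
                               lba, lba + 2047, 0, name.encode("utf-16-le").ljust(72, b"\0"))
        lba += 2048
    entries = bytes(entries).ljust(128 * 128, b"\0")  # 128 slots of 128 bytes = 32 sectors
    header = struct.pack(GPT_HEADER_FMT, GPT_SIG, 0x00010000, 92, 0, 0, 1, disk_sectors - 1,
                         34, disk_sectors - 34, uuid.uuid5(uuid.NAMESPACE_URL, "disk").bytes_le,
                         2, 128, 128, zlib.crc32(entries))
    header = header[:16] + struct.pack("<I", zlib.crc32(header)) + header[20:]
    # Protective MBR as the crawler printed it: one 0xee entry from LBA 1 covering the rest of the disk.
    mbr = b"\0" * 446 + struct.pack(MBR_ENTRY_FMT, 0x00, PROTECTIVE_GPT, 1, disk_sectors - 1) \
        + b"\0" * 48 + MBR_SIG
    return mbr + header.ljust(SECTOR, b"\0") + entries


def crawl(image):
    """MBR entries, plus the GPT partitions whenever an entry is the 0xee protective type."""
    report = {"mbr": parse_mbr(image), "gpt": None}
    if any(e["type"] == PROTECTIVE_GPT for e in report["mbr"]):
        report["gpt"] = parse_gpt(image)
    return report


TEST_NAMES = ["efs", "system", "cache", "userdata"] + ["part%d" % i for i in range(5, 14)]

if __name__ == "__main__":
    rep = crawl(build_test_image(TEST_NAMES))
    e0 = rep["mbr"][0]
    print("MBR entry 0: type 0x%02x, %d sectors (%.2f GiB)"
          % (e0["type"], e0["sectors"], sectors_to_gib(e0["sectors"])))
    for p in rep["gpt"]["partitions"]:
        print("  p%-2d %-10s LBA %d-%d" % (p["number"], p["name"], p["first_lba"], p["last_lba"]))
```

Run against the constructed image, crawl() reports the one 0xee entry with 0x01d59fff sectors and then thirteen GPT partitions; flipping a single byte of the entry array makes parse_gpt() refuse the table on its CRC rather than emit a partition that was never there.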

bamos commented 10 years ago

The mmcblk0.bson file contains the following:

src/gammaray [master] » ./bin/tools/bson-printer /tmp/mmcblk0.bson
BSON Printer -- By: Wolfgang Richter <wolf@cs.cmu.edu>
Analyzing BSON File: /tmp/mmcblk0.bson
{
    'type' : [BSON_STRING, 3] 'mbr'
    'gpt' : [BSON_BOOLEAN] true
    'sector' : [BSON_INT32] 0
}
{
    'type' : [BSON_STRING, 15] 'metadata_filter'
    'bitarray' : [BSON_BINARY, 0]
}

bamos commented 10 years ago

Great, I've modified gray-crawler to transmit the result over the network. On the server, run ncat -l 32000 > test.bson, and give gray-crawler an IP address.

./gray-crawler /dev/block/mmcblk0 192.168.1.3

test.bson now has the same contents as mmcblk0.bson from above. I'm still not sure if this is the right block device.

src/gammaray [master] » bin/tools/bson-printer /tmp/test.bson
BSON Printer -- By: Wolfgang Richter <wolf@cs.cmu.edu>
Analyzing BSON File: /tmp/test.bson
{
        'type' : [BSON_STRING, 3] 'mbr'
        'gpt' : [BSON_BOOLEAN] true
        'sector' : [BSON_INT32] 0
}
{
        'type' : [BSON_STRING, 15] 'metadata_filter'
        'bitarray' : [BSON_BINARY, 0]
}
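The two bson-printer listings above and the 83-byte size reported earlier fit together exactly: the 'mbr' document serialises to 37 bytes and the 'metadata_filter' document to 46. The following added example (my own code, not gammaray's or bson-printer's) is a minimal encoder and a bounds-checked decoder for the four BSON element types those documents use. It re-creates both documents, confirms the 83-byte total, and reads them back from a byte stream the way a receiver on the `ncat -l 32000 > test.bson` side would, returning any trailing partial document instead of reading past the buffer. Function names are my own.

```python
"""Minimal BSON encode/decode for the documents gray-crawler emits (added example, not gammaray code)."""
import struct

# BSON element type bytes used by the documents on this page
BSON_STRING, BSON_BINARY, BSON_BOOLEAN, BSON_INT32 = 0x02, 0x05, 0x08, 0x10


class IncompleteDocument(Exception):
    """The buffer ends before the document does; wait for more bytes."""


def _cstring(s):
    b = s.encode("utf-8")
    if b"\0" in b:
        raise ValueError("BSON keys cannot contain NUL")
    return b + b"\0"


def encode(doc):
    """Serialise a dict of str/bool/int/bytes values into one BSON document."""
    body = b""
    for key, value in doc.items():
        if isinstance(value, bool):  # test bool before int: bool is an int subclass
            body += bytes([BSON_BOOLEAN]) + _cstring(key) + bytes([int(value)])
        elif isinstance(value, int):
            body += bytes([BSON_INT32]) + _cstring(key) + struct.pack("<i", value)
        elif isinstance(value, str):
            data = value.encode("utf-8") + b"\0"  # string length field counts the NUL
            body += bytes([BSON_STRING]) + _cstring(key) + struct.pack("<i", len(data)) + data
        elif isinstance(value, (bytes, bytearray)):
            body += (bytes([BSON_BINARY]) + _cstring(key) + struct.pack("<i", len(value))
                     + b"\0" + bytes(value))  # subtype 0x00 = generic binary
        else:
            raise TypeError("unsupported value for %r" % key)
    body += b"\0"  # document terminator
    return struct.pack("<i", 4 + len(body)) + body


def decode_one(buf, offset=0):
    """Decode the document at buf[offset:]; return (dict, end_offset).

    Anything malformed raises ValueError instead of being read past the declared
    document length, because the bytes may come from an untrusted network peer.
    """
    if len(buf) - offset < 4:
        raise IncompleteDocument()
    (length,) = struct.unpack_from("<i", buf, offset)
    if length < 5:
        raise ValueError("document length %d below the 5-byte minimum" % length)
    end = offset + length
    if end > len(buf):
        raise IncompleteDocument()
    if buf[end - 1] != 0:
        raise ValueError("document not NUL-terminated")
    last = end - 1  # index of the terminating NUL; no element may reach it

    def take(pos, n):
        if pos + n > last:
            raise ValueError("element runs past the end of its document")
        return buf[pos:pos + n], pos + n

    doc, pos = {}, offset + 4
    while pos < last:
        etype = buf[pos]
        nul = buf.find(b"\0", pos + 1, last)
        if nul < 0:
            raise ValueError("unterminated key")
        key = bytes(buf[pos + 1:nul]).decode("utf-8")
        pos = nul + 1
        if etype == BSON_BOOLEAN:
            raw, pos = take(pos, 1)
            doc[key] = raw[0] == 1
        elif etype == BSON_INT32:
            raw, pos = take(pos, 4)
            doc[key] = struct.unpack("<i", raw)[0]
        elif etype == BSON_STRING:
            raw, pos = take(pos, 4)
            n = struct.unpack("<i", raw)[0]
            if n < 1:
                raise ValueError("string length %d is invalid" % n)
            raw, pos = take(pos, n)
            if raw[-1] != 0:
                raise ValueError("string not NUL-terminated")
            doc[key] = bytes(raw[:-1]).decode("utf-8")
        elif etype == BSON_BINARY:
            raw, pos = take(pos, 4)
            n = struct.unpack("<i", raw)[0]
            if n < 0:
                raise ValueError("negative binary length")
            raw, pos = take(pos, 1 + n)  # subtype byte, then payload
            doc[key] = bytes(raw[1:])
        else:
            raise ValueError("unsupported element type 0x%02x for %r" % (etype, key))
    return doc, end


def decode_stream(data):
    """Split back-to-back documents (what the ncat pipe captured) into (documents, leftover)."""
    docs, pos = [], 0
    while pos < len(data):
        try:
            doc, pos = decode_one(data, pos)
        except IncompleteDocument:
            break
        docs.append(doc)
    return docs, bytes(data[pos:])


def crawler_documents():
    """The two documents bson-printer listed for mmcblk0.bson, re-created from that output."""
    return [{"type": "mbr", "gpt": True, "sector": 0},
            {"type": "metadata_filter", "bitarray": b""}]


if __name__ == "__main__":
    stream = b"".join(encode(d) for d in crawler_documents())
    print("%d bytes on the wire" % len(stream))
    for d in decode_stream(stream)[0]:
        print(d)
```

decode_stream() distinguishes a document that is merely incomplete (keep the tail and wait for the next read) from one whose length fields disagree with its contents (drop the connection); a receiver that only checked the outer length would still be led past the buffer by an inner string length, which take() prevents.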