LiME

Reposted from: http://sgros-students.blogspot.jp/2014/04/lime.html

From their site: "LiME is a Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, such as those powered by Android."


I tried to follow the instructions for LiME from a YouTube video and extract memory from my SE Xperia 8, but I ran into some errors and failed. Here is what I did.

The phone has to be rooted and have debugging mode enabled. LiME also requires Java JDK 6 or 7, the Android SDK and an arm-eabi toolchain (I downloaded the ARM eCross EABI Toolchain for Linux). Then, the source of the kernel running on the phone you want to examine is necessary. That's because LiME is a kernel module and it has to be compiled against the kernel running on the phone so that it can be inserted and run. I lost some time until I found mine here, but that site is only for Xperia phones. You need to download and unpack it. There should be a kernel directory which will be used later. You have to add arm-eCross-eabi and adb to the PATH with these commands in a terminal, but change <path to arm-eCross-eabi> and <path to SDK> to the exact directories where you unpacked the SDK and arm-eCross-eabi:

export PATH=$PATH:<path to arm-eCross-eabi>/arm-eCross-eabi/bin
export PATH=$PATH:<path to SDK>/SDK/platform-tools

Next, download LiME and unpack it. Then connect your phone to the computer and pull the kernel config from the phone with:

adb pull /proc/config.gz

If there is no such file in the proc directory on your phone, as was in my case, you can try to find it in the source code directory kernel/arch/arm/configs, but with a .defconfig extension. You have to rename that file, no matter where you found it, to .config and move it to the kernel directory. Next, as the tutorial says, type:

make ARCH=arm CROSS_COMPILE=arm-eCross-eabi- modules_prepare

I got a few errors reported:

"/home/osaf/Android/arm-eCross-eabi/bin/../libexec/gcc/arm-eCross-eabi/4.5.2/cc1: error while loading shared libraries: libgmp.so.3: cannot open shared object file: No such file or directory".

If you get a message like that, you may find the solution at this link. It says that you have to install some packages, so just copy the command they wrote:

sudo apt-get install libgmp3c2 freeglut3 freeglut3-dev -y

and that problem is solved. Then run the make command again. If you get this message:

"make: *** No rule to make target `modules_prepare'. Stop."

That is resolved with a small modification of the make command:

make ARCH=arm CROSS_COMPILE=arm-eCross-eabi- modules

Another problem that can arise:

"make:/<path to>/arm-eCross-eabi/bin/arm-eabi-gcc: Command not found ... make[1]: *** [kernel/bounds.s] Error 127 make:*** [prepareO] Error 2"

It should continue past that error when "ARCH=arm" is removed from the command line. So, open the Makefile in the kernel directory and find these lines:

ARCH            ?= $(SUBARCH)
CROSS_COMPILE   ?=

Replace $(SUBARCH) with arm, then write in the terminal:

make CROSS_COMPILE=arm-eCross-eabi- modules

You can also get this message:

"The present kernel configuration has modules disabled. Type 'make config' and enable loadable module support. Then build a kernel with module support enabled
make: *** [modules] Error 1"

So the .config file has to be modified as well. Just write:

CONFIG_MODULES=y
CONFIG_MODULE_UNLOAD=y

in it, and the cross-compile command should make the rest of the needed changes.
When cross compiling is finished, it's time to prepare the module for compilation. You have to go to the lime/src directory and make a new Makefile.1 with the content from the tutorial, but with KDIR changed, tabs placed where they are needed and the path to arm-eCross-eabi- entered manually. There is a Makefile.sample, where you can see an example makefile with correct tabs. Then write in the terminal:

make -f Makefile.1

You may get this error:

"strip: Unable to recognise the format of the input file `lime.ko'"

But the tutorial says that it is OK. Next, you have to move the kernel module, lime.ko, to your phone:

adb push lime.ko /sdcard/lime.ko

set up port forwarding:

adb forward tcp:4444 tcp:4444

open a shell on the Android device:

adb shell

then insert the kernel module and redirect its output to the TCP port:

cd /sdcard
insmod lime.ko path=tcp:4444 format=lime

and in a new terminal on the PC, connect to the forwarded port with netcat and redirect the output to memory.lime:

nc 127.0.0.1 4444 > memory.lime
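Once netcat has written memory.lime, the first thing worth doing is checking that the file is actually a complete LiME image rather than a dump cut short by a dropped forward or a failed insmod. The following is an added example, not part of the original post or of the LiME project: it parses the format=lime layout, which is a 32-byte header per captured RAM range (magic 0x4C694D45, version 1, inclusive start and end addresses, 8 reserved bytes, little-endian), followed by that range's bytes. The function names, the constructed sample image and the file path handling are this example's own assumptions.

```python
import struct

# Layout of the LiME range header (lime_mem_range_header in LiME's lime.h):
# magic, version, start address, end address (inclusive), 8 reserved bytes,
# all little-endian and packed -> 32 bytes.
LIME_MAGIC = 0x4C694D45          # appears as the ASCII bytes "EMiL" in the file
LIME_VERSION = 1
HEADER_FMT = "<IIQQ8s"
HEADER_SIZE = struct.calcsize(HEADER_FMT)


def parse_lime(data):
    """Walk a format=lime dump held in memory.

    Returns a list of (start, end, length) tuples, one per captured RAM range.
    Raises ValueError if a header is corrupt or a range is cut short, which is
    what a dropped netcat/adb-forward session or a failed insmod leaves behind.
    """
    ranges = []
    off = 0
    while off < len(data):
        if len(data) - off < HEADER_SIZE:
            raise ValueError("truncated header at offset %d" % off)
        magic, version, s_addr, e_addr, _reserved = struct.unpack_from(HEADER_FMT, data, off)
        if magic != LIME_MAGIC:
            raise ValueError("bad magic 0x%08x at offset %d" % (magic, off))
        if version != LIME_VERSION:
            raise ValueError("unsupported LiME version %d at offset %d" % (version, off))
        if e_addr < s_addr:
            raise ValueError("range end 0x%x below start 0x%x" % (e_addr, s_addr))
        length = e_addr - s_addr + 1          # e_addr is inclusive, as in /proc/iomem
        off += HEADER_SIZE
        if len(data) - off < length:
            raise ValueError("range 0x%x-0x%x truncated: need %d bytes, have %d"
                             % (s_addr, e_addr, length, len(data) - off))
        ranges.append((s_addr, e_addr, length))
        off += length
    return ranges


def check_dump(path):
    """Parse a dump file on disk and return (ranges, total_bytes_captured)."""
    with open(path, "rb") as f:
        ranges = parse_lime(f.read())
    return ranges, sum(r[2] for r in ranges)


def build_lime(ranges):
    """Constructed sample data (hypothetical addresses): assemble a format=lime
    image from (start_address, payload) pairs so the parser runs offline."""
    out = bytearray()
    for s_addr, payload in ranges:
        out += struct.pack(HEADER_FMT, LIME_MAGIC, LIME_VERSION,
                           s_addr, s_addr + len(payload) - 1, b"\0" * 8)
        out += payload
    return bytes(out)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:
        # e.g. python lime_check.py memory.lime
        for s, e, n in check_dump(sys.argv[1])[0]:
            print("0x%016x-0x%016x  %d bytes" % (s, e, n))
    else:
        # Two constructed RAM ranges, then the same image with its tail cut off.
        sample = build_lime([(0x80000000, b"A" * 4096), (0xA0000000, b"B" * 100)])
        print(parse_lime(sample))
        try:
            parse_lime(sample[:-10])
        except ValueError as err:
            print("truncated copy rejected:", err)
```

A phone's RAM fits in memory on the analysis machine, so reading the whole file is fine here; for a multi-gigabyte server image the same loop would be run over an mmap instead. The total returned by check_dump should match the sum of the "System RAM" ranges in the phone's /proc/iomem; a shortfall means the acquisition was interrupted and the image should not be trusted as complete.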

After that, your memory should be extracted. For me, it didn't work. I just got the message:

"Bad address"

and I didn't know how to resolve that problem.

I can't say anything about this tool, because I couldn't run it and I don't know where the problem is. It returned too many error messages, for which I had to google solutions, and I can't guarantee that they are all good. Although I didn't manage to get a positive outcome, I hope this will help you.

----------------------------------------------------------------------------------------

Reference: Forensic Analysis of Email on Android Volatile Memory
