Dump RAM from Vbox-based Android emulators?

changenickname
Posts: 12
Joined: 18. Nov 2016, 18:52

Dump RAM from Vbox-based Android emulators?

Post by changenickname »

I use an Android emulator to analyze malicious apps and fake apps that steal data, do malicious things, mine, root, etc.
I usually dump RAM using GDB and GameGuardian in order to recover decrypted content dumped from RAM, but the problem is that some devs use other 3rd-party services to encrypt and add anti-dumping and anti-attach, so that the app crashes itself if any app tries to attach to the process.

I had an idea about dumping RAM from Vbox-based Android emulation. I used Task Manager, Cheat Engine and a Microsoft tool (something called "proc"... I forgot it) to dump, but it doesn't dump emulated RAM, unfortunately.

Are there any tools that can dump any Vbox-based emulators: Bluestacks, Nox, Memu, LDPlayer, etc.?
mpack
Site Moderator
Posts: 39156
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: Dump RAM from Vbox-based Android emulators?

Post by mpack »

Saving state will dump RAM to a file, along with hardware registers. The source code has the file format.
changenickname
Posts: 12
Joined: 18. Nov 2016, 18:52

Re: Dump RAM from Vbox-based Android emulators?

Post by changenickname »

mpack wrote: Saving state will dump RAM to a file, along with hardware registers. The source code has the file format.
Is there more information about it?
Are files plain inside the dumped file, and can they be extracted/recovered using WinHex or 010 Editor?
mpack
Site Moderator
Posts: 39156
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: Dump RAM from Vbox-based Android emulators?

Post by mpack »

No, there is nothing else. The source code is the only source of data for implementation details, if for no other reason than that it can be changed at any time.
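On the question above of whether files sit in plain form inside a dump: the sketch below is an added example, not part of the thread and not VirtualBox code. It scans a raw memory image for Android DEX headers and uses the header's Adler-32 checksum to tell whether each file is intact at that offset. It assumes the input is an uncompressed image of guest RAM, which the thread does not confirm for the saved-state file; the function names and sample data are constructed for illustration.

```python
import struct
import zlib

HEADER_SIZE = 0x70            # fixed size of a DEX header
ENDIAN_CONSTANT = 0x12345678  # endian_tag value for little-endian DEX


def scan_for_dex(image: bytes, max_size: int = 64 << 20):
    """Return (offset, version, file_size, checksum_ok) per plausible DEX header."""
    hits = []
    pos = image.find(b"dex\n")
    while pos != -1:
        header = image[pos:pos + HEADER_SIZE]
        if len(header) == HEADER_SIZE and header[4:7].isdigit() and header[7] == 0:
            stored_sum, = struct.unpack_from("<I", header, 8)
            file_size, header_size, endian = struct.unpack_from("<III", header, 32)
            if (header_size == HEADER_SIZE and endian == ENDIAN_CONSTANT
                    and HEADER_SIZE <= file_size <= max_size):
                body = image[pos + 12:pos + file_size]
                # Adler-32 covers everything after the checksum field. A mismatch
                # means the file is truncated or its pages are not contiguous here.
                ok = (len(body) == file_size - 12
                      and zlib.adler32(body) & 0xFFFFFFFF == stored_sum)
                hits.append((pos, header[4:7].decode(), file_size, ok))
        pos = image.find(b"dex\n", pos + 1)
    return hits


def build_sample_dex(payload: bytes) -> bytes:
    """Constructed test input: a DEX header with valid checksum plus payload."""
    header = bytearray(HEADER_SIZE)
    header[0:8] = b"dex\n035\x00"
    struct.pack_into("<III", header, 32, HEADER_SIZE + len(payload),
                     HEADER_SIZE, ENDIAN_CONSTANT)
    struct.pack_into("<I", header, 8,
                     zlib.adler32(bytes(header[12:]) + payload) & 0xFFFFFFFF)
    return bytes(header) + payload


def build_sample_image() -> bytes:
    """Constructed stand-in for a raw guest-memory image."""
    good = build_sample_dex(b"constructed payload " * 8)
    damaged = bytearray(good)
    damaged[-1] ^= 0xFF                                # simulate a wrong page
    image = bytearray(0x4000)
    image[0x0100:0x0110] = b"dex\nplain string"        # decoy text, not a header
    image[0x1000:0x1000 + len(good)] = good
    image[0x2000:0x2000 + len(damaged)] = damaged
    return bytes(image)
```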
changenickname
Posts: 12
Joined: 18. Nov 2016, 18:52

Re: Dump RAM from Vbox-based Android emulators?

Post by changenickname »

mpack wrote: No, there is nothing else. The source code is the only source of data for implementation details, if for no other reason than that it can be changed at any time.
Well, too bad, I'll do the bypass way then.