dumpsys
The dumpsys command is used to query the UI element hierarchy, the running state of system services, battery, network and similar information.
Usage:

```
HWVTR:/ # dumpsys --help
usage: dumpsys
         To dump all services.
or:
       dumpsys [-t TIMEOUT] [--help | -l | --skip SERVICES | SERVICE [ARGS]]
         --help: shows this help
         -l: only list services, do not dump them
         -t TIMEOUT: TIMEOUT to use in seconds instead of default 10 seconds
         --skip SERVICES: dumps all services but SERVICES (comma-separated list)
         SERVICE [ARGS]: dumps only service SERVICE, optionally passing ARGS to it
```
Common uses:
- dumpsys activity activities | grep mResumedActivity, or dumpsys window | grep mCurrentFocus: get the top (foreground) activity
- dumpsys -l: list every service that supports dumpsys
- dumpsys wifiscanner: Wi-Fi information
- dumpsys webviewupdate: WebView version and related information
- dumpsys usagestats | grep com.tencent.mm: usage statistics for a given app
- dumpsys shortcut: all shortcuts
- dumpsys package -h: everything package-related
- dumpsys ethernet: screen information
- dumpsys battery: battery state; dumpsys batterystats --help: battery usage data
- dumpsys BastetService: DNS information
- dumpsys appops --package [PACKAGE] --op [OP]: an app's permission-usage records
- dumpsys carrier_config: SIM slot information and state
- dumpsys dbinfo com.ss.android.ugc.aweme: an app's database information; can be used to probe files inside its sandbox
- dumpsys location: location data, including GPS, network and cell-tower information
- dumpsys notification: notification information
- dumpsys shortcut: shortcuts
- dumpsys user: user information
- dumpsys wifi: Wi-Fi information, including the SSID cache, MAC address, etc.

Reference: https://developer.android.com/studio/command-line/dumpsys
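The two grep one-liners for the top activity only print the raw dump line; a script that needs the package and class (a test harness confirming the expected screen is on top before it drives the UI with input, or a check that no unexpected activity has taken the foreground) has to parse it. The Python below is an added example, not code from the original post: it parses mResumedActivity and mCurrentFocus lines in the layout these dumps have on Android 7 to 9 (that layout is an assumption; it varies by release), and the sample dumps and package names are constructed.

```python
import re

# Constructed sample in the shape "dumpsys activity activities" prints on
# Android 7-9 (assumption: the ActivityRecord layout differs between releases).
SAMPLE_ACTIVITY_DUMP = """\
ACTIVITY MANAGER ACTIVITIES (dumpsys activity activities)
Display #0 (activities from top to bottom):
  Stack #1:
    mResumedActivity: ActivityRecord{3a1b2c4 u0 com.example.bank/.ui.LoginActivity t42}
    mLastPausedActivity: ActivityRecord{9f8e7d6 u0 com.android.launcher3/.Launcher t1}
"""

# Constructed sample in the shape "dumpsys window" prints (same assumption).
SAMPLE_WINDOW_DUMP = """\
WINDOW MANAGER POLICY STATE (dumpsys window policy)
  mCurrentFocus=Window{5c6d7e8 u0 com.example.bank/com.example.bank.ui.LoginActivity}
  mFocusedApp=AppWindowToken{1a2b3c4 token=Token{...}}
"""

RESUMED_RE = re.compile(
    r"mResumedActivity:\s*ActivityRecord\{\S+ u(?P<user>\d+) (?P<component>\S+) t\d+\}")
FOCUS_RE = re.compile(
    r"mCurrentFocus=Window\{\S+ u(?P<user>\d+) (?P<component>\S+)\}")


def split_component(component):
    """Expand the 'pkg/.Cls' shorthand used in dumps into (package, fully qualified class).
    Non-activity windows (e.g. the status bar) have no '/', so the class part is ''."""
    pkg, _, cls = component.partition("/")
    if cls.startswith("."):
        cls = pkg + cls
    return pkg, cls


def _extract(regex, dump):
    m = regex.search(dump)
    if m is None:
        return None
    pkg, cls = split_component(m.group("component"))
    return int(m.group("user")), pkg, cls


def foreground_activity(dump):
    """(user_id, package, activity_class) of the resumed activity, or None if absent."""
    return _extract(RESUMED_RE, dump)


def focused_window(dump):
    """(user_id, package, activity_class) of the window holding input focus, or None."""
    return _extract(FOCUS_RE, dump)


def foreground_is(dump, expected_package):
    """True when the resumed activity belongs to expected_package; a guard to run
    before sending 'input' events so they are not delivered to a different app."""
    result = foreground_activity(dump)
    return result is not None and result[1] == expected_package
```

On a device the dump text would come from `adb shell dumpsys activity activities` (or `dumpsys window`); the first mResumedActivity line in the dump is the top stack on Android versions that list stacks top to bottom.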
lsof
The lsof command shows the files a process has opened, the processes that have a given file open, and the ports (TCP, UDP) a process has open. lsof must be run as root.

```
-a            list processes that have open files
-c <name>     list files opened by the named process
-g            list details of processes by GID
-d <fd>       list processes holding the given file descriptor number
+d <dir>      list files opened under the directory
+D <dir>      recursively list files opened under the directory
-n <dir>      list files on NFS
-i <cond>     list processes matching the condition (4, 6, protocol, :port, @ip)
-p <pid>      list files opened by the given PID
-u            list details of processes by UID
-h            show help
-v            show version
```
The lsof shipped with Android does not fully support the options above; install busybox to get them.

```
OnePlus5T:/ # lsof --help
usage: lsof [-lt] [-p PID1,PID2,...] [NAME]...

Lists open files. If names are given on the command line, only
those files will be shown.

-l	list uids numerically
-p	for given comma-separated pids only (default all pids)
-t	terse (pid only) output
```
The lsof output format is:

Commonly used commands:
- lsof -p [pid]: monitor the files opened by a process
- lsof [filename]: find out which process has a file open
- lsof -i does not seem to work on Android or busybox; use grep instead, for example: lsof | grep "TCP :27042"
/proc
/proc is a virtual filesystem (the files under /proc/xxx themselves show a size of 0 bytes). It holds a set of special files reflecting the current running state of the kernel, and through them information about the system hardware and the currently running processes can be read.
Because some of the files under /proc are world-readable, they are frequently used for side-channel attacks.
Below is the proc directory on a OnePlus phone running Android 7.1.1:

```
dr-xr-xr-x 9 root root 0 2018-08-06 13:55 998
... (most pid entries omitted)
dr-xr-xr-x 3 root root 0 2018-08-06 12:05 asound
dr-xr-xr-x 2 root root 0 2018-08-07 11:45 ath_pktlog
-r--r--r-- 1 root root 0 2018-08-07 11:45 bootloader_log
-r--r--r-- 1 root root 0 2018-08-07 11:45 buddyinfo
dr-xr-xr-x 4 root root 0 2018-08-07 11:45 bus
-r--r--r-- 1 root root 0 2018-08-07 11:45 cgroups
dr-xr-xr-x 2 root root 0 2018-08-07 11:45 cld
-r--r----- 1 root radio 0 2018-08-07 11:45 cmdline
-r--r--r-- 1 root root 0 2018-08-07 11:45 consoles
-r--r--r-- 1 root root 0 2018-08-07 11:45 cpuinfo
-r--r--r-- 1 root root 0 2018-08-07 11:45 crypto
dr-xr-xr-x 2 root root 0 2018-08-07 11:45 debug
dr-xr-xr-x 2 root root 0 2018-08-07 11:45 debugdriver
lrwxrwxrwx 1 root root 29 2018-08-07 11:45 device-tree -> /sys/firmware/devicetree/base
-r--r--r-- 1 root root 0 2018-08-07 11:45 devices
-r--r--r-- 1 root root 0 2018-08-07 11:45 diskstats
dr-xr-xr-x 2 root root 0 2018-08-07 11:45 driver
-r--r--r-- 1 root root 0 2018-08-07 11:45 execdomains
-r--r--r-- 1 root root 0 2018-08-07 11:45 fb
-r--r--r-- 1 root root 0 2018-08-07 11:45 filesystems
dr-xr-xr-x 5 root root 0 2018-08-07 11:45 fs
-r--r--r-- 1 root root 0 2018-08-07 11:45 interrupts
-r-------- 1 root root 0 2018-08-07 11:45 iomem
-r--r--r-- 1 root root 0 2018-08-07 11:45 ioports
dr-xr-xr-x 223 root root 0 2018-08-07 11:45 irq
-r--r--r-- 1 root root 0 2018-08-07 11:45 kallsyms
-r--r--r-- 1 root root 0 2018-08-07 11:45 key-users
-r--r--r-- 1 root root 0 2018-08-07 11:45 keys
-r--r----- 1 root system 0 1970-09-03 05:58 kmsg
-r-------- 1 root root 0 2018-08-07 11:45 kpagecount
-r-------- 1 root root 0 2018-08-07 11:45 kpageflags
-r--r--r-- 1 root root 0 2018-08-07 11:45 loadavg
-r--r--r-- 1 root root 0 2018-08-07 11:45 locks
-r--r--r-- 1 root root 0 2018-08-07 11:45 mdstat
-r--r--r-- 1 root root 0 2018-08-07 11:45 meminfo
-r--r--r-- 1 root root 0 2018-08-07 11:45 misc
-r--r--r-- 1 root root 0 2018-08-07 11:45 modules
lrwxrwxrwx 1 root root 11 2018-08-07 11:45 mounts -> self/mounts
lrwxrwxrwx 1 root root 8 2018-08-07 11:45 net -> self/net
-rw-rw-rw- 1 root root 0 2018-08-07 11:45 network_info
-rw-rw-rw- 1 root root 0 2018-08-07 11:45 otrace_on
-r--r--r-- 1 root root 0 2018-08-07 11:45 pagetypeinfo
-r--r--r-- 1 root root 0 2018-08-07 11:45 partitions
-r--r--r-- 1 root root 0 2018-08-07 11:45 proc_state
-r--r--r-- 1 root root 0 2018-08-07 11:45 proc_transaction_log
-r--r--r-- 1 root root 0 2018-08-07 11:45 proc_transactions
-rw-r--r-- 1 root root 0 2018-08-07 11:45 restart_level_all
-rw-rw-rw- 1 root root 0 2018-08-07 11:45 rf_cable_config
-r--r--r-- 1 root root 0 2018-08-07 11:45 schedstat
dr-xr-xr-x 3 root root 0 2018-08-07 11:45 scsi
lrwxrwxrwx 1 root root 0 1970-01-01 08:00 self -> 15165
-rw-r--r-- 1 system system 0 2018-08-07 11:45 ship_mode
-r--r--r-- 1 root root 0 2018-08-07 11:45 softirqs
-r--r--r-- 1 root root 0 2018-08-07 11:45 stat
-r--r--r-- 1 root root 0 2018-08-07 11:45 swaps
dr-xr-xr-x 1 root root 0 1970-09-03 05:57 sys
--w--w---- 1 root system 0 2018-08-07 11:45 sysrq-trigger
lrwxrwxrwx 1 root root 0 1970-01-01 08:00 thread-self -> 15165/task/15165
-r--r--r-- 1 root root 0 2018-08-07 11:45 timer_list
-rw-r--r-- 1 root root 0 2018-08-07 11:45 timer_stats
dr-xr-xr-x 2 root root 0 2018-08-07 11:45 touchpanel
dr-xr-xr-x 4 root root 0 2018-08-07 11:45 tty
dr-xr-xr-x 2 root root 0 2018-08-07 11:45 tzdbg
dr-xr-xr-x 2 root root 0 2018-08-07 11:45 uid_cputime
-r--r--r-- 1 root root 0 2018-08-07 11:45 uptime
-r--r--r-- 1 root root 0 2018-08-07 11:45 version
-r--r----- 1 root log 0 2018-08-07 11:45 vmallocinfo
-r--r--r-- 1 root root 0 2018-08-07 11:45 vmstat
-r--r--r-- 1 root root 0 2018-08-07 11:45 zoneinfo
```
Files under a single process (/proc/[pid]/):

```
OnePlus5T:/proc/6537 # ls -l
total 0
dr-xr-xr-x 2 u0_a139 u0_a139 0 2018-08-06 12:08 attr
-rw-r--r-- 1 root root 0 2018-08-07 11:50 autogroup
-r-------- 1 root root 0 2018-08-07 11:50 auxv
-r--r--r-- 1 root root 0 2018-08-07 11:50 cgroup
--w------- 1 root root 0 2018-08-07 11:50 clear_refs
-r--r--r-- 1 root root 0 2018-08-07 11:03 cmdline
-rw-r--r-- 1 root root 0 2018-08-07 11:50 comm
-rw-r--r-- 1 root root 0 2018-08-07 11:50 coredump_filter
-r--r--r-- 1 root root 0 2018-08-07 11:50 cpuset
lrwxrwxrwx 1 root root 0 2018-08-07 11:03 cwd -> /
-r-------- 1 root root 0 2018-08-07 11:50 environ
lrwxrwxrwx 1 root root 0 2018-08-07 11:03 exe -> /system/bin/app_process32_xposed
dr-x------ 2 root root 0 2018-08-07 11:03 fd
dr-x------ 2 root root 0 2018-08-07 11:03 fdinfo
-r--r--r-- 1 root root 0 2018-08-07 11:50 limits
dr-x------ 2 root root 0 2018-08-07 11:50 map_files
-r--r--r-- 1 root root 0 2018-08-07 11:03 maps
-rw------- 1 root root 0 2018-08-07 11:50 mem
-r--r--r-- 1 root root 0 2018-08-07 11:50 mountinfo
-r--r--r-- 1 root root 0 2018-08-07 11:50 mounts
-r-------- 1 root root 0 2018-08-07 11:50 mountstats
dr-xr-xr-x 10 u0_a139 u0_a139 0 2018-08-06 12:08 net
dr-x--x--x 2 root root 0 2018-08-07 11:50 ns
-r-------- 1 root root 0 2018-08-07 11:50 oom_adj
-r--r--r-- 1 root root 0 2018-08-07 11:50 oom_score
-r--r--r-- 1 root root 0 2018-08-06 12:11 oom_score_adj
-r-------- 1 root root 0 2018-08-07 11:50 pagemap
-r-------- 1 root root 0 2018-08-07 11:50 personality
lrwxrwxrwx 1 root root 0 2018-08-07 11:03 root -> /
-rw-rw-rw- 1 root root 0 2018-08-07 11:50 sched_group_id
-rw-r--r-- 1 root root 0 2018-08-07 11:50 sched_init_task_load
-rw-r--r-- 1 root root 0 2018-08-07 11:50 sched_wake_up_idle
-r--r--r-- 1 root root 0 2018-08-07 11:50 schedstat
-r--r--r-- 1 root root 0 2018-08-06 12:10 smaps
-r-------- 1 root root 0 2018-08-07 11:50 stack
-r--r--r-- 1 root root 0 2018-08-06 12:08 stat
-r--r--r-- 1 root root 0 2018-08-07 11:50 statm
-r--r--r-- 1 root root 0 2018-08-07 11:50 status
-r-------- 1 root root 0 2018-08-07 11:50 syscall
dr-xr-xr-x 155 u0_a139 u0_a139 0 2018-08-06 12:11 task
-rw-rw-rw- 1 root root 0 2018-08-07 11:50 timerslack_ns
-r--r--r-- 1 root root 0 2018-08-07 11:50 wakeup
-r--r--r-- 1 root root 0 2018-08-07 11:03 wchan
```
Files commonly used in research:
- /proc/[pid]/maps: file and memory-mapping information, used together with dd
  /proc/6537/map_files/: directory holding symlinks to every file mapped in maps
- /proc/[pid]/mem: file I/O on the process memory, used together with dd; it can also be opened with open(), for example:

```
dd if=/proc/$pid/mem of=output_file ibs=1 skip=1234
```
  (with ibs=1, skip= is the byte offset at which reading starts; add count= to bound how many bytes are read)
- /proc/[pid]/status: process status information; can be used to check whether the process is being debugged

```
OnePlus5T:/proc/6537 # cat status
Name:	com.tencent.mm
State:	S (sleeping)
Tgid:	6537
Pid:	6537
PPid:	883
TracerPid:	0        (non-zero means the process is being debugged)
Uid:	10139	10139	10139	10139
Gid:	10139	10139	10139	10139
……
```
- /proc/[pid]/cwd: symlink to the current working directory
- /proc/[pid]/task: one subdirectory per thread, named by thread ID (payment-code side-channel attack)
Reference:
In-depth analysis of the Linux proc filesystem (深入解析Linux proc文件系统): https://blog.csdn.net/ieearth/article/details/72849990
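As an added example that is not part of the original post, the Python below works the two /proc files the list above leans on: it parses a /proc/[pid]/status excerpt to read TracerPid (the debugger check described above), parses a /proc/[pid]/maps excerpt into regions, and builds the dd command for dumping one region through /proc/[pid]/mem (skip= and count= are dd's byte offset and length when ibs=1). The status and maps text is constructed; on a device the text would be read from the real files, and reading mem requires ptrace access to the target (root, or the same uid under a permissive ptrace scope), which the example does not attempt.

```python
import re

# Constructed /proc/[pid]/status excerpt in the layout shown above (tab-separated).
SAMPLE_STATUS = """\
Name:\tcom.example.app
State:\tS (sleeping)
Tgid:\t6537
Pid:\t6537
PPid:\t883
TracerPid:\t0
Uid:\t10139\t10139\t10139\t10139
Gid:\t10139\t10139\t10139\t10139
"""

# Constructed /proc/[pid]/maps excerpt: start-end perms offset dev inode path.
SAMPLE_MAPS = """\
12c00000-52c00000 rw-p 00000000 00:00 0                          [anon:dalvik-main space]
7f3a1c1000-7f3a1f8000 r-xp 00000000 fd:00 1315                   /system/lib64/libc.so
7f3a1f8000-7f3a1fc000 r--p 00037000 fd:00 1315                   /system/lib64/libc.so
7f3a1fc000-7f3a1fe000 rw-p 0003b000 fd:00 1315                   /system/lib64/libc.so
7ffd4a0000-7ffd4c1000 rw-p 00000000 00:00 0                      [stack]
"""


def parse_status(text):
    """Turn 'Key:<tab>value' lines into a dict; multi-column values (Uid, Gid) stay strings."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def tracer_pid(text):
    """PID of the process tracing this one; 0 means no debugger or ptrace client attached."""
    return int(parse_status(text).get("TracerPid", "0"))


def is_traced(text):
    return tracer_pid(text) != 0


MAPS_RE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+) (\S{4}) ([0-9a-f]+) (\S+) (\d+)\s*(.*)$")


def parse_maps(text):
    """Parse maps lines into region dicts with integer bounds; unparsable lines are skipped."""
    regions = []
    for line in text.splitlines():
        m = MAPS_RE.match(line)
        if m is None:
            continue
        start, end, perms, offset, dev, inode, path = m.groups()
        regions.append({
            "start": int(start, 16), "end": int(end, 16), "perms": perms,
            "offset": int(offset, 16), "dev": dev, "inode": int(inode), "path": path,
        })
    return regions


def region_for(regions, addr):
    """The region containing addr, or None; used to pick which mapping to dump."""
    for r in regions:
        if r["start"] <= addr < r["end"]:
            return r
    return None


def dd_command(pid, region, out_path):
    """dd invocation dumping one region via /proc/[pid]/mem. With ibs=1, skip= is the
    byte offset and count= the length, so only the mapped range is read."""
    length = region["end"] - region["start"]
    return "dd if=/proc/%d/mem of=%s ibs=1 skip=%d count=%d" % (
        pid, out_path, region["start"], length)


def executable_regions(regions):
    """Mappings with the execute bit: the first place to look when checking a process for
    injected code (an executable anonymous mapping with no backing file stands out)."""
    return [r for r in regions if "x" in r["perms"]]
```

Note that status reports TracerPid as seen by the kernel at read time, so a process that polls it catches an attached debugger but not one that attaches and detaches between reads.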
Monkey
monkey is a testing tool bundled with the Android system.
For example, to launch the com.tencent.mm app and send it 500 random events:

```
adb shell monkey -p com.tencent.mm -v 500
```
busybox
BusyBox bundles more than three hundred of the most commonly used Linux commands and tools. Some of the commands on Android are stripped-down versions of their Linux counterparts, and commands such as awk and wget are not provided at all, so busybox is needed for them.
Download: http://www.busybox.net/downloads/binaries (pick the binary for the right architecture)
screencap和screenrecord
Screenshot: adb shell screencap -p /sdcard/tmp.png
Screen recording: adb shell screenrecord /sdcard/demo.mp4
adb shell input
- adb shell input text "hello,world": type text into the view that currently has focus
- adb shell input keyevent [--longpress] <keycode>: press a key
  For example, adb shell input keyevent 26 or adb shell input keyevent "KEYCODE_POWER" both lock the screen.
  All keycodes: https://developer.android.com/reference/android/view/KeyEvent.html
- adb shell input tap <x> <y>: tap the screen
  For example, adb shell input tap 50 250 taps the position x=50, y=250
- adb shell input swipe <x1> <y1> <x2> <y2> [duration(ms)]: swipe across the screen
  For example, adb shell input swipe 50 250 250 250 500; the last argument is the swipe duration
adb logcat
- -s: set the tag to output; only logs with that tag are shown
  For example: adb logcat -s System.out
- -f: write the log to a file; if -f fails, output goes to standard output by default
  For example: adb logcat -f /tmp/log.txt
- -c: clear all log buffers
- -e: regular-expression match
  For example: logcat -e ".*wifi"
- --pid=<pid>: filter the log by pid
  For example: adb logcat --pid=1234
- combined with grep
  For example: adb logcat | grep -i Wifi
- <tag>[:priority]: tag is the log tag or *, and priority is one of:
  - V: Verbose
  - D: Debug
  - I: Info
  - W: Warn
  - E: Error
  - F: Fatal
  - S: Silent (suppress all output; the highest priority, so nothing may be logged)
  For example: adb logcat *:E prints all Error logs
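The tag:priority rule above is simple on the command line but easy to get wrong when a script post-processes a saved log, so here it is as code. This is an added example, not code from the post: it implements logcat's matching (an entry passes when its priority is at or above the spec for its tag, S silences the tag, tags with no spec fall back to the * entry, which defaults to V, and -s is the same as *:S) over constructed lines in logcat's brief format priority/tag(pid): message.

```python
import re

PRIORITIES = "VDIWEFS"   # ascending severity; S (silent) suppresses everything

# Constructed logcat lines in "brief" format: priority/tag(pid): message.
SAMPLE_LOG = """\
V/WifiStateMachine( 1211): scan results updated
D/WifiService( 1211): setWifiEnabled: true
I/ActivityManager( 1101): Start proc 6537:com.example.app/u0a139
W/System.err( 6537): java.net.SocketTimeoutException
E/AndroidRuntime( 6537): FATAL EXCEPTION: main
F/libc    ( 6537): Fatal signal 11 (SIGSEGV)
"""

LINE_RE = re.compile(r"^([VDIWEFS])/(.+?)\(\s*(\d+)\):\s?(.*)$")


def parse_line(line):
    """Split one brief-format line; returns None for lines that are not log entries."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    prio, tag, pid, msg = m.groups()
    return {"priority": prio, "tag": tag.strip(), "pid": int(pid), "message": msg}


def parse_filterspec(specs):
    """'Tag:P' entries -> {tag: threshold}. A tag with no priority means V;
    '*' is the fallback for tags without their own entry and defaults to V."""
    table = {}
    for spec in specs:
        tag, _, prio = spec.partition(":")
        prio = (prio or "V").upper()
        if prio not in PRIORITIES:
            raise ValueError("bad priority in filter spec: %r" % spec)
        table[tag] = prio
    table.setdefault("*", "V")
    return table


def passes(entry, table):
    """logcat semantics: entry priority must be >= the threshold for its tag."""
    threshold = table.get(entry["tag"], table["*"])
    if threshold == "S":
        return False
    return PRIORITIES.index(entry["priority"]) >= PRIORITIES.index(threshold)


def filter_log(text, specs):
    """Entries of text that the given filter specs would let through."""
    table = parse_filterspec(specs)
    return [e for e in map(parse_line, text.splitlines()) if e is not None and passes(e, table)]
```

`filter_log(text, ["WifiService:D", "*:S"])` is the script equivalent of `adb logcat -s WifiService:D`; without the `*:S` entry, every other tag is still shown at verbose, which is the usual surprise when a filter seems not to work.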
am命令
- am start
  am start -n <package>/<activity> -d <data>
  am start -n <package>/<activity> -e <extra> (--es, --ei)
  am start -a android.intent.action.VIEW -d http://www.google.cn/
- am startservice
  am startservice -n <package>/<service>
- am broadcast
  am broadcast -a com.android.test (--es test_string "this is test string" --ei test_int 100 --ez test_boolean true)
netstat
View the device's port information (WormHole detection).

```
-r  Display routing table.
-a  Display all sockets (Default: Connected).
-l  Display listening server sockets.
-t  Display TCP sockets.
-u  Display UDP sockets.
-w  Display Raw sockets.
-x  Display Unix sockets.
-e  Display other/more information.
-n  Don't resolve names.
-p  Display PID/Program name for sockets.
```
For example: netstat -lp shows all listening sockets together with the owning pid
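The question netstat -lp answers in a triage is "what on this device is listening, on which interface, and which process owns it". The Python below is an added example, not code from the post: it parses netstat -lp output in the net-tools column layout that toybox/busybox netstat follows (an assumption; column widths differ between builds, so the parser splits on whitespace) and separates listeners bound to every interface, which are reachable from the network, from loopback-only ones. The sample output, pids and program names are constructed; a debug server on port 27042 is included because the lsof section above greps for that port.

```python
# Constructed "netstat -lp" output in the net-tools column layout (assumption: the
# toybox/busybox build on a given device may format columns slightly differently).
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program Name
tcp        0      0 0.0.0.0:27042           0.0.0.0:*               LISTEN      2311/frida-server
tcp        0      0 127.0.0.1:5037          0.0.0.0:*               LISTEN      1190/adbd
tcp6       0      0 :::8080                 :::*                    LISTEN      6537/com.example.app
udp        0      0 0.0.0.0:68              0.0.0.0:*                           889/dhcpcd
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node PID/Program Name    Path
unix  2      [ ACC ]     STREAM     LISTENING     10423  1190/adbd           @adbd
"""

WILDCARD_HOSTS = {"0.0.0.0", "::", "*"}   # bound to every interface
LOOPBACK_HOSTS = {"127.0.0.1", "::1"}


def split_hostport(addr):
    """'1.2.3.4:80' -> ('1.2.3.4', 80); ':::8080' -> ('::', 8080); '0.0.0.0:*' -> port None."""
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_inet_sockets(text):
    """Rows of the 'Active Internet connections' table as dicts; UNIX sockets are skipped."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if not f or not f[0].startswith(("tcp", "udp")):
            continue
        host, port = split_hostport(f[3])
        pid, _, program = f[-1].partition("/")   # '-' when the pid is not visible
        rows.append({
            "proto": f[0], "host": host, "port": port,
            # UDP rows have no State column, so only TCP rows carry one
            "state": f[5] if f[0].startswith("tcp") and len(f) >= 7 else "",
            "pid": int(pid) if pid.isdigit() else None,
            "program": program,
        })
    return rows


def is_listening(sock):
    return sock["state"] == "LISTEN" or sock["proto"].startswith("udp")


def exposed_listeners(text):
    """(proto, port, program) for listeners bound to every interface: the set to review
    first, since anything here is reachable from the network rather than only locally."""
    return [(s["proto"], s["port"], s["program"])
            for s in parse_inet_sockets(text)
            if is_listening(s) and s["host"] in WILDCARD_HOSTS]


def loopback_listeners(text):
    """(proto, port, program) for listeners reachable only from the device itself."""
    return [(s["proto"], s["port"], s["program"])
            for s in parse_inet_sockets(text)
            if is_listening(s) and s["host"] in LOOPBACK_HOSTS]
```

Without root, the PID/Program column shows `-` for sockets owned by other users; the parser records `pid: None` in that case rather than failing, so a non-root triage still gets the port list.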
getprop和setprop
- getprop with no arguments prints all properties; commonly used ones:
  getprop ro.debuggable
  getprop ro.build.product
  getprop ro.build.fingerprint
  getprop ro.serialno
- setprop [key] [value]: some properties require special privileges to set
svc
Toggle mobile data, Wi-Fi and similar switches from the command line.
- svc data enable: turn on mobile data

```
OnePlus5T:/ # svc
Available commands:
    help      Show information about the subcommands
    power     Control the power manager
    data      Control mobile data connectivity
    wifi      Control the Wi-Fi manager
    usb       Control Usb state
    nfc       Control NFC functions
    bluetooth Control Bluetooth service
```
service
- service list: list all services
- service call: invoke a service
  Usage: service call SERVICE CODE [i32 N | i64 N | f N | d N | s16 STR ]
  For example: service call phone 1 s16 "10086" places a phone call
settings
- adb shell settings list system: system settings
- adb shell settings list secure: security-related settings
- settings get secure android_id: get the Android ID
- settings get secure bluetooth_address: Bluetooth MAC address
- adb shell settings list global: global settings
content query
content query --uri content://media/external/file --projection _id --projection _data: list the files on the SD card

```
adb shell content query --uri content://com.android.calendar/calendar_entities
adb shell content query --uri content://com.android.calendar/calendars
adb shell content query --uri content://com.android.calendar/attendees
adb shell content query --uri content://com.android.calendar/event_entities
adb shell content query --uri content://com.android.calendar/events
adb shell content query --uri content://com.android.calendar/properties
adb shell content query --uri content://com.android.calendar/reminders
adb shell content query --uri content://com.android.calendar/calendar_alerts
adb shell content query --uri content://com.android.calendar/colors
adb shell content query --uri content://com.android.calendar/extendedproperties
adb shell content query --uri content://com.android.calendar/syncstate
adb shell content query --uri content://com.android.contacts/raw_contacts
adb shell content query --uri content://com.android.contacts/directories
adb shell content query --uri content://com.android.contacts/syncstate
adb shell content query --uri content://com.android.contacts/profile/syncstate
adb shell content query --uri content://com.android.contacts/contacts
adb shell content query --uri content://com.android.contacts/profile/raw_contacts
adb shell content query --uri content://com.android.contacts/profile
adb shell content query --uri content://com.android.contacts/profile/as_vcard
adb shell content query --uri content://com.android.contacts/stream_items
adb shell content query --uri content://com.android.contacts/stream_items/photo
adb shell content query --uri content://com.android.contacts/stream_items_limit
adb shell content query --uri content://com.android.contacts/data
adb shell content query --uri content://com.android.contacts/raw_contact_entities
adb shell content query --uri content://com.android.contacts/profile/raw_contact_entities
adb shell content query --uri content://com.android.contacts/status_updates
adb shell content query --uri content://com.android.contacts/data/phones
adb shell content query --uri content://com.android.contacts/data/phones/filter
adb shell content query --uri content://com.android.contacts/data/emails/lookup
adb shell content query --uri content://com.android.contacts/data/emails/filter
adb shell content query --uri content://com.android.contacts/data/emails
adb shell content query --uri content://com.android.contacts/data/postals
adb shell content query --uri content://com.android.contacts/groups
adb shell content query --uri content://com.android.contacts/groups_summary
adb shell content query --uri content://com.android.contacts/aggregation_exceptions
adb shell content query --uri content://com.android.contacts/settings
adb shell content query --uri content://com.android.contacts/provider_status
adb shell content query --uri content://com.android.contacts/photo_dimensions
adb shell content query --uri content://com.android.contacts/deleted_contacts
adb shell content query --uri content://downloads/my_downloads
adb shell content query --uri content://downloads/download
adb shell content query --uri content://media/external/file
adb shell content query --uri content://media/external/images/media
adb shell content query --uri content://media/external/images/thumbnails
adb shell content query --uri content://media/external/audio/media
adb shell content query --uri content://media/external/audio/genres
adb shell content query --uri content://media/external/audio/playlists
adb shell content query --uri content://media/external/audio/artists
adb shell content query --uri content://media/external/audio/albums
adb shell content query --uri content://media/external/video/media
adb shell content query --uri content://media/external/video/thumbnails
adb shell content query --uri content://media/internal/file
adb shell content query --uri content://media/internal/images/media
adb shell content query --uri content://media/internal/images/thumbnails
adb shell content query --uri content://media/internal/audio/media
adb shell content query --uri content://media/internal/audio/genres
adb shell content query --uri content://media/internal/audio/playlists
adb shell content query --uri content://media/internal/audio/artists
adb shell content query --uri content://media/internal/audio/albums
adb shell content query --uri content://media/internal/video/media
adb shell content query --uri content://media/internal/video/thumbnails
adb shell content query --uri content://settings/system
adb shell content query --uri content://settings/system/ringtone
adb shell content query --uri content://settings/system/alarm_alert
adb shell content query --uri content://settings/system/notification_sound
adb shell content query --uri content://settings/secure
adb shell content query --uri content://settings/global
adb shell content query --uri content://settings/bookmarks
adb shell content query --uri content://com.google.settings/partner
adb shell content query --uri content://nwkinfo/nwkinfo/carriers
adb shell content query --uri content://com.android.settings.personalvibration.PersonalVibrationProvider/
adb shell content query --uri content://settings/system/bluetooth_devices
adb shell content query --uri content://settings/system/powersavings_appsettings
adb shell content query --uri content://user_dictionary/words
adb shell content query --uri content://browser/bookmarks
adb shell content query --uri content://browser/searches
adb shell content query --uri content://com.android.browser
adb shell content query --uri content://com.android.browser/accounts
adb shell content query --uri content://com.android.browser/accounts/account_name
adb shell content query --uri content://com.android.browser/accounts/account_type
adb shell content query --uri content://com.android.browser/accounts/sourceid
adb shell content query --uri content://com.android.browser/settings
adb shell content query --uri content://com.android.browser/syncstate
adb shell content query --uri content://com.android.browser/images
adb shell content query --uri content://com.android.browser/image_mappings
adb shell content query --uri content://com.android.browser/bookmarks
adb shell content query --uri content://com.android.browser/bookmarks/folder
adb shell content query --uri content://com.android.browser/history
adb shell content query --uri content://com.android.browser/bookmarks/search_suggest_query
adb shell content query --uri content://com.android.browser/searches
adb shell content query --uri content://com.android.browser/combined
```
Reference: https://blog.digital-forensics.it/2021/03/triaging-modern-android-devices-aka.html