
Additional forensic artifacts, custom crash handler, and stack/register snapshots with reports? #5

Open
agnosticlines opened this issue Jan 18, 2024 · 0 comments

Comments

@agnosticlines

This is a super exciting proposal and very excited to see the implementation.

Just wondering, have you thought about any additional artifacts being logged, such as process execution? I very much doubt most Android exploits would deploy a rootkit to hide the process exec; it might be useful to log execs and ship them with the logcat data to a central server for analysis/review. It would be very noisy and probably shouldn't be enabled by default, but for very paranoid people it would be a huge win.

Compared to iOS, where you have to trigger a sysdiagnose to get information about processes, having Graphene just log and export them for review would be very useful (https://github.com/KasperskyLab/iShutdown). Obviously, if you suspected compromise you could connect with adb and poke around, but having the log manager/system keep track would, I think, be much better.

In addition to the failed MTE reports, are you saving any other data about the crash? I haven't looked in detail at the implementation here, but can you load your own custom crash handler? If so, logging registers and maybe 2048 bytes before and after the program counter, as well as maybe 2048 bytes before and after whatever the registers are pointing at, would be extremely useful. By the time you see the MTE failed log you lose the ability to do much about it; having some data from a frozen point in time would allow you to see if this crash is something to be concerned about, or if it's just a buggy app.

Just some ideas :)

@agnosticlines agnosticlines changed the title Additional forensic artifacts, custom crash handler, and stack data with reports? Additional forensic artifacts, custom crash handler, and stack/register snapshots with reports? Jan 18, 2024
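The exec-logging idea from the comment above, as an added example that is not GrapheneOS code or anything from this issue: a privileged daemon subscribes to the Linux process-event connector (`NETLINK_CONNECTOR`, `CN_IDX_PROC`) and writes one line per `exec()`, enriched from `/proc`, so the lines can be shipped with logcat. It assumes a kernel built with `CONFIG_PROC_EVENTS` and a caller holding `CAP_NET_ADMIN`; the function names and the output line format are this example's own choices. The connector event carries only pids, not the path, so the daemon must read `/proc/<pid>/exe` and `cmdline` immediately; a short-lived process can already be gone by then, which is the main gap a reviewer of such logs has to keep in mind.

```c
/* Added example (not GrapheneOS code): log every exec() seen through the
 * kernel's process-event connector. Needs CAP_NET_ADMIN and CONFIG_PROC_EVENTS. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#include <linux/cn_proc.h>
#include <linux/connector.h>
#include <linux/netlink.h>

/* /proc/<pid>/cmdline is NUL-separated; render it as one printable line.
 * Returns the number of bytes written to out (excluding the terminator). */
size_t cmdline_to_line(const char *raw, size_t len, char *out, size_t outsz) {
    size_t n = 0;
    while (len && raw[len - 1] == '\0') len--;          /* drop the trailing NUL */
    for (size_t i = 0; i < len && n + 1 < outsz; i++)
        out[n++] = raw[i] == '\0' ? ' ' : raw[i];
    out[n] = '\0';
    return n;
}

/* Read a small /proc file into buf; returns bytes read or -1. */
static ssize_t read_proc(const char *path, char *buf, size_t sz) {
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, sz - 1);
    close(fd);
    if (n >= 0) buf[n] = '\0';
    return n;
}

/* Open a connector socket and ask for CN_IDX_PROC multicast events. */
static int proc_events_subscribe(void) {
    int sock = socket(PF_NETLINK, SOCK_DGRAM | SOCK_CLOEXEC, NETLINK_CONNECTOR);
    if (sock < 0) return -1;
    struct sockaddr_nl sa = { .nl_family = AF_NETLINK, .nl_groups = CN_IDX_PROC,
                              .nl_pid = (unsigned)getpid() };
    if (bind(sock, (struct sockaddr *)&sa, sizeof sa) < 0) { close(sock); return -1; }
    /* netlink header, then cn_msg immediately followed by the mcast op (packed:
     * the kernel reads the op right after the 20-byte cn_msg). */
    struct __attribute__((aligned(NLMSG_ALIGNTO))) {
        struct nlmsghdr hdr;
        struct __attribute__((packed)) { struct cn_msg cn; enum proc_cn_mcast_op op; } body;
    } msg;
    memset(&msg, 0, sizeof msg);
    msg.hdr.nlmsg_len = sizeof msg;
    msg.hdr.nlmsg_type = NLMSG_DONE;
    msg.hdr.nlmsg_pid = (unsigned)getpid();
    msg.body.cn.id.idx = CN_IDX_PROC;
    msg.body.cn.id.val = CN_VAL_PROC;
    msg.body.cn.len = sizeof(enum proc_cn_mcast_op);
    msg.body.op = PROC_CN_MCAST_LISTEN;
    if (send(sock, &msg, sizeof msg, 0) < 0) { close(sock); return -1; }
    return sock;
}

/* For each exec event, read exe and cmdline from /proc right away: the event
 * carries only pids, and short-lived processes vanish quickly. */
static void log_execs(int sock, FILE *out) {
    struct __attribute__((aligned(NLMSG_ALIGNTO))) {
        struct nlmsghdr hdr;
        struct __attribute__((packed)) { struct cn_msg cn; struct proc_event ev; } body;
    } msg;
    char path[64], exe[256], raw[4096], line[4096];
    for (;;) {
        if (recv(sock, &msg, sizeof msg, 0) < 0) return;
        if (msg.body.ev.what != PROC_EVENT_EXEC) continue;
        pid_t pid = (pid_t)msg.body.ev.event_data.exec.process_tgid;
        snprintf(path, sizeof path, "/proc/%d/exe", pid);
        ssize_t el = readlink(path, exe, sizeof exe - 1);
        exe[el > 0 ? el : 0] = '\0';                       /* "" if already gone */
        snprintf(path, sizeof path, "/proc/%d/cmdline", pid);
        ssize_t rl = read_proc(path, raw, sizeof raw);
        cmdline_to_line(raw, rl > 0 ? (size_t)rl : 0, line, sizeof line);
        fprintf(out, "exec pid=%d exe=%s cmdline=%s\n", pid, exe, line);
        fflush(out);
    }
}

int main(void) {
    int sock = proc_events_subscribe();
    if (sock < 0) { perror("proc connector"); return 1; }
    log_execs(sock, stdout);                                /* runs until recv fails */
    return 0;
}
```

Running it as root prints a line per exec system-wide; pointing `out` at a file under a log-collection directory instead of stdout is all that is needed to batch the lines with the logcat export. The volume is exactly the noise the comment anticipates: an idle Android device still execs helpers constantly, so the collector rather than the device is the right place to filter.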
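The crash-handler idea from the same comment, as an added example (not GrapheneOS code, and not how its MTE reporting is implemented): a `SIGSEGV` handler that records the fault kind, every general-purpose register, and 2048 bytes on each side of the program counter and of whatever each register points at, then lets the default action run so the platform's normal crash reporter still fires. The `SEGV_MTESERR`/`SEGV_MTEAERR` `si_code` values are the real Linux UAPI constants for synchronous and asynchronous tag-check faults; the report path, the record layout and the function names are this example's own assumptions. The memory windows are copied through a pipe rather than with a plain `memcpy`, so that a register pointing at an unmapped page produces `EFAULT` instead of a second fault inside the handler, and an MTE-tagged pointer is untagged first so the bytes it refers to are still captured.

```c
/* Added example (not GrapheneOS code): snapshot registers and memory windows
 * around the PC and each register on SIGSEGV, then re-deliver the signal. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <signal.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <ucontext.h>
#include <unistd.h>

#define SNAP_WINDOW 2048                  /* bytes kept on each side of an address */
#define SNAP_BYTES  (2 * SNAP_WINDOW)
#define SNAP_REPORT "/data/local/tmp/crash-snapshot.bin"   /* hypothetical path */

/* MTE si_code values from the Linux UAPI (asm-generic/siginfo.h); repeated here
 * so the example also builds with older headers or on a non-arm64 host. */
#ifndef SEGV_MTEAERR
#define SEGV_MTEAERR 8                    /* asynchronous tag-check fault */
#endif
#ifndef SEGV_MTESERR
#define SEGV_MTESERR 9                    /* synchronous tag-check fault */
#endif

struct mem_snapshot {
    uintptr_t start;                      /* address corresponding to data[0] */
    size_t captured;                      /* readable bytes copied; gaps stay zero */
    uint8_t data[SNAP_BYTES];
};
struct crash_header { int sig, si_code; uintptr_t fault_addr, pc; size_t nregs; uintptr_t regs[32]; };

static int snap_pipe[2] = { -1, -1 };
static size_t snap_page;

int is_mte_fault(int si_code) { return si_code == SEGV_MTEAERR || si_code == SEGV_MTESERR; }

/* Strip an MTE/TBI tag (bits 63:56) so a mistagged register value still locates
 * the memory it refers to; no-op on other architectures. */
static uintptr_t untag(uintptr_t a) {
#ifdef __aarch64__
    return a & ((1ULL << 56) - 1);
#else
    return a;
#endif
}

/* Call once at startup: the probe pipe and the page size are prepared here so
 * the handler itself only uses async-signal-safe calls. */
int snap_init(void) {
    snap_page = (size_t)sysconf(_SC_PAGESIZE);
    return pipe(snap_pipe);
}

/* Copy n bytes (never crossing a page) by writing them into the pipe and reading
 * them back: write() from an unmapped or PROT_NONE page fails with EFAULT. */
static int probe_copy(uintptr_t src, uint8_t *dst, size_t n) {
    ssize_t w = write(snap_pipe[1], (const void *)src, n);
    if (w < 0) return -1;                                   /* page not readable */
    for (ssize_t got = 0; got < w;) {                       /* drain what went in */
        ssize_t k = read(snap_pipe[0], dst + got, (size_t)(w - got));
        if (k <= 0) return -1;
        got += k;
    }
    return w == (ssize_t)n ? 0 : -1;
}

/* Capture SNAP_WINDOW bytes before and after addr, page by page, so a window
 * straddling an unreadable page still yields its readable part. Returns the
 * number of bytes captured (0 when nothing around addr is readable). */
size_t snapshot_around(uintptr_t addr, struct mem_snapshot *snap) {
    uintptr_t start = addr >= SNAP_WINDOW ? addr - SNAP_WINDOW : 0;
    uintptr_t end = addr + SNAP_WINDOW;
    memset(snap, 0, sizeof *snap);
    snap->start = start;
    if (end < addr || snap_page == 0) return 0;             /* wrapped, or not initialised */
    for (uintptr_t cur = start; cur < end;) {
        uintptr_t stop = (cur & ~(uintptr_t)(snap_page - 1)) + snap_page;
        if (stop > end) stop = end;
        if (probe_copy(cur, snap->data + (cur - start), (size_t)(stop - cur)) == 0)
            snap->captured += (size_t)(stop - cur);
        cur = stop;
    }
    return snap->captured;
}

static void emit(int fd, const void *p, size_t n) { if (write(fd, p, n) < 0) { /* best effort */ } }

static void crash_handler(int sig, siginfo_t *si, void *ctx) {
    ucontext_t *uc = ctx;
    static struct mem_snapshot snap;                        /* static: too big for a signal stack */
    struct crash_header h = { .sig = sig, .si_code = si->si_code, .fault_addr = (uintptr_t)si->si_addr };
#if defined(__aarch64__)
    h.pc = uc->uc_mcontext.pc;
    for (h.nregs = 0; h.nregs < 31; h.nregs++) h.regs[h.nregs] = uc->uc_mcontext.regs[h.nregs];
    h.regs[h.nregs++] = uc->uc_mcontext.sp;
#elif defined(__x86_64__)
    h.pc = (uintptr_t)uc->uc_mcontext.gregs[REG_RIP];
    for (h.nregs = 0; h.nregs < 16; h.nregs++) h.regs[h.nregs] = (uintptr_t)uc->uc_mcontext.gregs[h.nregs];
#endif
    int fd = open(SNAP_REPORT, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd >= 0) {
        emit(fd, &h, sizeof h);
        snapshot_around(untag(h.pc), &snap);                /* code around the PC */
        emit(fd, &snap, sizeof snap);
        for (size_t i = 0; i < h.nregs; i++) {              /* whatever each register points at */
            snapshot_around(untag(h.regs[i]), &snap);
            emit(fd, &snap, sizeof snap);
        }
        close(fd);
    }
    signal(sig, SIG_DFL);                                   /* default action on return */
    raise(sig);             /* queued while blocked: also kills on async MTE faults, which do not re-fault */
}

int snap_install(void) {
    struct sigaction sa = { .sa_sigaction = crash_handler, .sa_flags = SA_SIGINFO | SA_ONSTACK };
    sigemptyset(&sa.sa_mask);
    return sigaction(SIGSEGV, &sa, NULL);
}
```

Call `snap_init()` and `snap_install()` at process start (after setting up a `sigaltstack`, which `SA_ONSTACK` relies on for stack-overflow cases). The record written is header, PC window, then one window per register; the reviewer distinguishes "buggy app" from "something to worry about" by whether the bytes around the tagged pointer look like a heap chunk of the expected object or like controlled data, and by whether the PC sits inside the app's own code or in a library it has no business reaching.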