
OpenCoreAnalysisKit: Open‑Source Offline Memory Core File Analysis Suite for Android

This article introduces the OpenCoreAnalysisKit project, an open‑source suite for offline analysis of Android Core memory files across multiple architectures, detailing its components, build requirements, usage guides for kernel‑ and user‑mode debugging, and various command‑line tools and code snippets for comprehensive reverse‑engineering and memory‑analysis workflows.

Rare Earth Juejin Tech Community

The article presents the OpenCoreAnalysisKit project, an open‑source offline memory Core file analysis suite targeting Android 8‑15 on arm64, arm, x86_64, x86, and riscv64 architectures. It outlines the project's components—OpenCoreSDK for user‑mode Core capture, OpenCoreAnalysisKit for Core analysis, and OpenLinuxAnalysisKit for Linux vmcore parsing—along with related tools such as GDB, LLVM, crash‑utility, jadx, ghidra, and frida.

Project Overview

Project                Purpose
OpenCoreSDK            User‑mode component to capture a process Core file
OpenCoreAnalysisKit    Toolbox for analyzing Core memory files (AOSP core‑parser)
OpenLinuxAnalysisKit   Linux kernel plugin collection based on crash‑utility

Other referenced projects include GDB, LLVM, crash‑utility, jadx, ghidra, and frida, which can assist in debugging and reverse engineering.

Technical Architecture

Build Instructions

OpenCoreAnalysisKit cannot be built on Windows; it requires cmake (≥3.21.1), clang (≥12.0.0), and Android NDK (r22+). Example commands:

$ git clone https://github.com/Penguin38/OpenCoreAnalysisKit.git
$ cd OpenCoreAnalysisKit
$ export ANDROID_NDK=<NDK_DIR>
$ ./build.sh

Compiled artifacts are placed in the output directory, with subfolders for Android, emulator, and Linux targets.
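The build requirements above are easy to get wrong on a freshly provisioned host, so here is a small preflight script that checks them before build.sh is run. It is an added example, not part of OpenCoreAnalysisKit, and assumes a POSIX sh, that cmake and clang report their version on the first line of --version, and that the NDK directory contains the standard source.properties file with a Pkg.Revision line.

```shell
#!/bin/sh
# Preflight check for the OpenCoreAnalysisKit build requirements quoted above:
# cmake >= 3.21.1, clang >= 12.0.0, ANDROID_NDK pointing at NDK r22 or newer.
# Added example, not project code. Assumes the NDK ships source.properties
# with a "Pkg.Revision = 22.1.7171670"-style line (standard since NDK r11).

# version_ge A B: succeed when dotted version A is >= B, compared per component.
version_ge() {
    a="$1" b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}" y="${b%%.*}"
        # drop the consumed component, or empty the string when none is left
        if [ "$a" = "$x" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$y" ]; then b=""; else b="${b#*.}"; fi
        x="${x:-0}" y="${y:-0}"
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# tool_version NAME: print the version number cmake/clang report, or nothing.
tool_version() {
    command -v "$1" >/dev/null 2>&1 || return 1
    "$1" --version 2>/dev/null | sed -n '1s/.*[Vv]ersion \([0-9][0-9.]*\).*/\1/p'
}

# ndk_revision DIR: print the NDK release (e.g. 22.1.7171670) from source.properties.
ndk_revision() {
    sed -n 's/^Pkg\.Revision[[:space:]]*=[[:space:]]*//p' "$1/source.properties" 2>/dev/null
}

# check_prereqs CMAKE_VER CLANG_VER NDK_DIR: one line per problem; fail if any.
check_prereqs() {
    rc=0
    version_ge "${1:-0}" 3.21.1 || { echo "cmake ${1:-missing}: need >= 3.21.1"; rc=1; }
    version_ge "${2:-0}" 12.0.0 || { echo "clang ${2:-missing}: need >= 12.0.0"; rc=1; }
    rev=$(ndk_revision "$3")
    if [ -z "$rev" ]; then
        echo "ANDROID_NDK='$3': no source.properties found"; rc=1
    elif ! version_ge "$rev" 22; then
        echo "NDK r${rev%%.*}: need r22 or newer"; rc=1
    fi
    return $rc
}

# Run against the tools on PATH and $ANDROID_NDK when executed directly.
check_prereqs "$(tool_version cmake)" "$(tool_version clang)" "${ANDROID_NDK:-}" \
    && echo "all OpenCoreAnalysisKit build prerequisites satisfied"
```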

OpenLinuxAnalysisKit is built with gcc and depends on crash‑utility ≥8.0.4:

$ git clone https://github.com/Penguin38/OpenLinuxAnalysisKit.git
$ cd OpenLinuxAnalysisKit
$ ./build.sh

Its output resides in the output directory, with arm64 and x86_64 subdirectories containing the linux-parser.so plugin.

Usage Guide – Kernel Mode

For ramdump or vmcore analysis, the crash‑utility tool and its plugins are used. Example commands:

$ crash vmcore vmlinux

Load the zram and zsmalloc module symbols, add the linux-parser plugin, and use commands such as lp core, lp binder, lp zram, and lp shmem to inspect memory, binder transactions, and swapped pages.

crash> mod -s zram zram.ko
crash> mod -s zsmalloc zsmalloc.ko
crash> extend /path/OpenLinuxAnalysisKit/output/arm64/linux-parser.so
crash> lp binder -a | grep out

Usage Guide – User Mode

For user‑mode Core extraction, a command such as lp core -p <pid> --zram --shmem -f 0x18 writes the Core file for the chosen process. The file can be loaded with core-parser -c <core_file>, or in GDB/LLDB once the missing sections (e.g., PHDR) have been restored with the auxv and exec commands.

core-parser> map
core-parser> auxv | grep EXEC
core-parser> exec app_process64

After loading, shared libraries and .so, .dex, .odex, .apk, and .jar files can be mapped with sysroot, and classes inspected with the class and p commands.

core-parser> class java.util.HashMap
core-parser> p 0x12c00098 -b -r 1

Method decompilation (DEX) is supported via method <addr> --dex-dump, while OAT code and thread information can be examined with the frame, thread, and bt commands.

core-parser> method 0x7073dee8 --dex-dump
core-parser> frame 2 -j
core-parser> thread -a
core-parser> bt

Statistical analysis of heap objects is performed with top, and HPROF dumps can be generated with time hprof /tmp/1709.hprof.

core-parser> top 5 -d -n --app
core-parser> time hprof /tmp/1709.hprof

Dex files can be extracted with dex and de‑obfuscated with external tools such as jadx:

core-parser> dex --app -d vdex
core-parser> sh jadx -Pdex-input.verify-checksum=no vdex/base.vdex_0x32b9f22b

Vendor Adaptation

The project is built against Android Studio Google APIs emulator images and generally works across vendors with minor adjustments to type structures and offsets. Future support for symbol‑table parsing is planned.

Community

A technical discussion group is available for further questions on Android reverse engineering, stability analysis, and Core file debugging.

Written by

Rare Earth Juejin Tech Community

Juejin, a tech community that helps developers grow.
