[android-kernel] Why system call hooking produces different result everytime in Linux/Android 2.6.29?

mohsin junaid Wed, 09 Jan 2013 02:32:10 -0800

I have implemented system call hooking for `Android 2.6.29` kernel through 
a `LKM module`. Also, I have one Android app against which I want to trace 
system calls. I have only one button in the app and before clicking on 
button, I insert module by `insmod trapcall.ko` which starts tracing down 
called system calls from now. But interestingly, it returns different 
results every time I get a list of system calls.


I have underlined the text where the difference starts.

For example, 

first run:

    our_sys_gettid ---> uid = 10028  
     our_sys_open ---> uid = 10028 with filename= /dev/cpuctl//tasks, 
flags= 131073, mode=0 
     our_sys_write ---> uid = 10028 with fd= 30, buf = 230 and count=3 
     our_sys_close ---> uid = 10028 with fd= 30  
     our_sys_setpriority ---> uid = 10028 with which= 0, who=230 and 
niceval=0 
     our_sys_futex ---> uid = 10028 with uadd=������, op=1, val=1, 
utime=<NULL>, uaddr2=������ and val3=  
 *    **our_sys_gettid ---> uid = 10028  *
*     our_sys_open ---> uid = 10028 with filename= /dev/cpuctl//tasks, 
flags= 131073, mode=0 *
*     our_sys_clock_gettime ---> uid = 10028 with which_clock=<NULL>, tp = 
  *
*     our_sys_clock_gettime ---> uid = 10028 with which_clock=<NULL>, tp = 
  *
*     our_sys_ioctl ---> uid = 10028 with fd=21, cmd=3222823425 and 
arg=3196467192 *
*     our_sys_ioctl ---> uid = 10028 with fd=21, cmd=3222823425 and 
arg=3196467192 ***
*     our_sys_clock_gettime ---> uid = 10028 with which_clock=<NULL>, tp = 
  *
*     our_sys_clock_gettime ---> uid = 10028 with which_clock=<NULL>, tp = 
  *
     our_sys_ioctl ---> uid = 10028 with fd=21, cmd=3222823425 and 
arg=3196466496 
     our_sys_ioctl ---> uid = 10028 with fd=21, cmd=3222823425 and 
arg=3196466496 
     our_sys_dup ---> uid = 10028 with fildes=32 
     our_sys_close ---> uid = 10028 with fd= 32  
     .....................

Second run: 

    our_sys_gettid ---> uid = 10028  
     our_sys_open ---> uid = 10028 with filename= /dev/cpuctl//tasks, 
flags= 131073, mode=0 
     our_sys_write ---> uid = 10028 with fd= 30, buf = 228 and count=3 
     our_sys_close ---> uid = 10028 with fd= 30  
     our_sys_setpriority ---> uid = 10028 with which= 0, who=228 and 
niceval=0 
     our_sys_futex ---> uid = 10028 with uadd=������, op=1, val=1, 
utime=<NULL>, uaddr2=������ and val3=  
  *   **our_sys_gettid ---> uid = 10028  *
*     our_sys_open ---> uid = 10028 with filename= /dev/cpuctl//tasks, 
flags= 131073, mode=0 *
*     our_sys_write ---> uid = 10028 with fd= 30, buf = 228 and count=3 *
*     our_sys_clock_gettime ---> uid = 10028 with which_clock=<NULL>, tp = 
  *
*     our_sys_clock_gettime ---> uid = 10028 with which_clock=<NULL>, tp = 
  *
*     our_sys_ioctl ---> uid = 10028 with fd=21, cmd=3222823425 and 
arg=3198662648 *
*     our_sys_ioctl ---> uid = 10028 with fd=21, cmd=3222823425 and 
arg=3198662648 *
*     our_sys_clock_gettime ---> uid = 10028 with which_clock=<NULL>, tp = 
  *
*     our_sys_clock_gettime ---> uid = 10028 with which_clock=<NULL>, tp = 
  *
     our_sys_ioctl ---> uid = 10028 with fd=21, cmd=3222823425 and 
arg=3198661952** 
     our_sys_close ---> uid = 10028 with fd= 30  
     our_sys_setpriority ---> uid = 10028 with which= 0, who=228 and 
niceval=0 
     our_sys_ioctl ---> uid = 10028 with fd=21, cmd=3222823425 and 
arg=1181359656 
     our_sys_ioctl ---> uid = 10028 with fd=21, cmd=3222823425 and 
arg=3198661952 
     our_sys_dup ---> uid = 10028 with fildes=32 
     our_sys_close ---> uid = 10028 with fd= 32  
     ....................

Third run:

    our_sys_gettid ---> uid = 10028  
     our_sys_open ---> uid = 10028 with filename= /dev/cpuctl//tasks, 
flags= 131073, mode=0 
     our_sys_write ---> uid = 10028 with fd= 31, buf = 228 and count=3 
     our_sys_close ---> uid = 10028 with fd= 31  
     our_sys_setpriority ---> uid = 10028 with which= 0, who=228 and 
niceval=0 
     our_sys_futex ---> uid = 10028 with uadd=������, op=1, val=1, 
utime=<NULL>, uaddr2=������ and val3=X{�D  
   *  **our_sys_clock_gettime ---> uid = 10028 with which_clock=<NULL>, tp 
=   *
*     our_sys_clock_gettime ---> uid = 10028 with which_clock=<NULL>, tp = 
  *
*     our_sys_ioctl ---> uid = 10028 with fd=21, cmd=3222823425 and 
arg=3198035960 *
*     our_sys_ioctl ---> uid = 10028 with fd=21, cmd=3222823425 and 
arg=3198035960 *
*     our_sys_clock_gettime ---> uid = 10028 with which_clock=<NULL>, tp = 
  *
*     our_sys_clock_gettime ---> uid = 10028 with which_clock=<NULL>, tp = 
  *
*     our_sys_munmap ---> uid = 10028 with addr=1183178752 and len=770048 *
     our_sys_close ---> uid = 10028 with fd= 32**  
     our_sys_ioctl ---> uid = 10028 with fd=21, cmd=3222823425 and 
arg=3198035264 
     our_sys_ioctl ---> uid = 10028 with fd=21, cmd=3222823425 and 
arg=3198035264 
     our_sys_dup ---> uid = 10028 with fildes=31 
     our_sys_close ---> uid = 10028 with fd= 31  
     ........................

Any idea why it's producing different results every time?

Is there any other better tool to trace system calls? I heard of 
`strace/ptrace`, `auditd` etc but not sure if they are usable for Android 
or not.

-- 
unsubscribe: [email protected]
website: http://groups.google.com/group/android-kernel

[android-kernel] Why system call hooking produces different result everytime in Linux/Android 2.6.29?

Reply via email to