I have implemented system call hooking for the `Android 2.6.29` kernel through an `LKM module`. I also have one Android app against which I want to trace system calls. There is only one button in the app, and before clicking on the button I insert the module with `insmod trapcall.ko`, which starts tracing the system calls made from then on. But interestingly, it returns different results every time I get a list of system calls.
I have underlined the text where the difference starts. For example,

First run:

our_sys_gettid ---> uid = 10028
our_sys_open ---> uid = 10028 with filename= /dev/cpuctl//tasks, flags= 131073, mode=0
our_sys_write ---> uid = 10028 with fd= 30, buf = 230 and count=3
our_sys_close ---> uid = 10028 with fd= 30
our_sys_setpriority ---> uid = 10028 with which= 0, who=230 and niceval=0
our_sys_futex ---> uid = 10028 with uadd=������, op=1, val=1, utime=<NULL>, uaddr2=������ and val3=
**our_sys_gettid ---> uid = 10028
our_sys_open ---> uid = 10028 with filename= /dev/cpuctl//tasks, flags= 131073, mode=0
our_sys_clock_gettime ---> uid = 10028 with which_clock=<NULL>, tp =
our_sys_clock_gettime ---> uid = 10028 with which_clock=<NULL>, tp =
our_sys_ioctl ---> uid = 10028 with fd=21, cmd=3222823425 and arg=3196467192
our_sys_ioctl ---> uid = 10028 with fd=21, cmd=3222823425 and arg=3196467192**
our_sys_clock_gettime ---> uid = 10028 with which_clock=<NULL>, tp =
our_sys_clock_gettime ---> uid = 10028 with which_clock=<NULL>, tp =
our_sys_ioctl ---> uid = 10028 with fd=21, cmd=3222823425 and arg=3196466496
our_sys_ioctl ---> uid = 10028 with fd=21, cmd=3222823425 and arg=3196466496
our_sys_dup ---> uid = 10028 with fildes=32
our_sys_close ---> uid = 10028 with fd= 32
.....................

Second run:

our_sys_gettid ---> uid = 10028
our_sys_open ---> uid = 10028 with filename= /dev/cpuctl//tasks, flags= 131073, mode=0
our_sys_write ---> uid = 10028 with fd= 30, buf = 228 and count=3
our_sys_close ---> uid = 10028 with fd= 30
our_sys_setpriority ---> uid = 10028 with which= 0, who=228 and niceval=0
our_sys_futex ---> uid = 10028 with uadd=������, op=1, val=1, utime=<NULL>, uaddr2=������ and val3=
**our_sys_gettid ---> uid = 10028
our_sys_open ---> uid = 10028 with filename= /dev/cpuctl//tasks, flags= 131073, mode=0
our_sys_write ---> uid = 10028 with fd= 30, buf = 228 and count=3
our_sys_clock_gettime ---> uid = 10028 with which_clock=<NULL>, tp =
our_sys_clock_gettime ---> uid = 10028 with which_clock=<NULL>, tp =
our_sys_ioctl ---> uid = 10028 with fd=21, cmd=3222823425 and arg=3198662648
our_sys_ioctl ---> uid = 10028 with fd=21, cmd=3222823425 and arg=3198662648
our_sys_clock_gettime ---> uid = 10028 with which_clock=<NULL>, tp =
our_sys_clock_gettime ---> uid = 10028 with which_clock=<NULL>, tp =
our_sys_ioctl ---> uid = 10028 with fd=21, cmd=3222823425 and arg=3198661952**
our_sys_close ---> uid = 10028 with fd= 30
our_sys_setpriority ---> uid = 10028 with which= 0, who=228 and niceval=0
our_sys_ioctl ---> uid = 10028 with fd=21, cmd=3222823425 and arg=1181359656
our_sys_ioctl ---> uid = 10028 with fd=21, cmd=3222823425 and arg=3198661952
our_sys_dup ---> uid = 10028 with fildes=32
our_sys_close ---> uid = 10028 with fd= 32
....................
Third run:

our_sys_gettid ---> uid = 10028
our_sys_open ---> uid = 10028 with filename= /dev/cpuctl//tasks, flags= 131073, mode=0
our_sys_write ---> uid = 10028 with fd= 31, buf = 228 and count=3
our_sys_close ---> uid = 10028 with fd= 31
our_sys_setpriority ---> uid = 10028 with which= 0, who=228 and niceval=0
our_sys_futex ---> uid = 10028 with uadd=������, op=1, val=1, utime=<NULL>, uaddr2=������ and val3=X{�D
**our_sys_clock_gettime ---> uid = 10028 with which_clock=<NULL>, tp =
our_sys_clock_gettime ---> uid = 10028 with which_clock=<NULL>, tp =
our_sys_ioctl ---> uid = 10028 with fd=21, cmd=3222823425 and arg=3198035960
our_sys_ioctl ---> uid = 10028 with fd=21, cmd=3222823425 and arg=3198035960
our_sys_clock_gettime ---> uid = 10028 with which_clock=<NULL>, tp =
our_sys_clock_gettime ---> uid = 10028 with which_clock=<NULL>, tp =
our_sys_munmap ---> uid = 10028 with addr=1183178752 and len=770048
our_sys_close ---> uid = 10028 with fd= 32**
our_sys_ioctl ---> uid = 10028 with fd=21, cmd=3222823425 and arg=3198035264
our_sys_ioctl ---> uid = 10028 with fd=21, cmd=3222823425 and arg=3198035264
our_sys_dup ---> uid = 10028 with fildes=31
our_sys_close ---> uid = 10028 with fd= 31
........................

Any idea why it's producing different results every time? Is there any other, better tool to trace system calls? I have heard of `strace/ptrace`, `auditd`, etc., but I am not sure whether they are usable on Android.

--
unsubscribe: android-kernel+unsubscr...@googlegroups.com
website: http://groups.google.com/group/android-kernel
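Added example, not part of the post above and not the poster's `trapcall.ko` code. The hook prints only the uid, and every thread of an Android app process shares that uid, so the trace is the interleaving of whatever threads in the app (Dalvik, Binder, GC) happened to run; descriptor numbers, thread ids (the value written to `/dev/cpuctl//tasks` and passed as `who` to setpriority) and user-space pointers also differ from run to run. Before deciding that two runs "differ", those fields have to be treated as wildcards. The script below parses lines in the hook's own print format, replaces the volatile fields with `<var>` (the `VOLATILE` set is an assumption chosen from the fields visible in the trace), compares two runs by longest common prefix and multiset difference, and decodes the repeated `ioctl` request number into its Linux `_IOC` fields (asm-generic layout: 8-bit nr, 8-bit type, 14-bit size, 2-bit direction, as used on ARM). The two trace excerpts embedded in the script are constructed from the lines quoted in the post.

```python
import re
from collections import Counter

# Fields whose values legitimately change between runs: descriptor numbers,
# thread ids and user-space pointers.  Assumed set, taken from the argument
# names the hook prints.
VOLATILE = {"fd", "fildes", "who", "buf", "arg", "addr", "uadd", "uaddr2", "tp"}

LINE_RE = re.compile(r"^our_sys_(\w+) ---> uid = (\d+)(?: with (.*))?$")


def parse_line(line):
    """Return (syscall, uid, [(arg, value), ...]) or None for non-trace lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    name, uid, argstr = m.group(1), int(m.group(2)), m.group(3) or ""
    args = []
    # The hook separates arguments with ", " and a final " and ".
    for part in re.split(r",\s*|\s+and\s+", argstr):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        args.append((key.strip(), value.strip()))
    return name, uid, args


def canonicalize(line):
    """Render one trace line with volatile argument values replaced by <var>."""
    parsed = parse_line(line)
    if parsed is None:
        return None
    name, _uid, args = parsed
    rendered = ", ".join(f"{k}={'<var>' if k in VOLATILE else v}" for k, v in args)
    return f"{name}({rendered})"


def parse_trace(text):
    return [ev for ev in (canonicalize(l) for l in text.splitlines()) if ev]


def compare_runs(trace_a, trace_b):
    """Longest common canonical prefix plus the calls present in only one run."""
    a, b = parse_trace(trace_a), parse_trace(trace_b)
    prefix = 0
    for x, y in zip(a, b):
        if x != y:
            break
        prefix += 1
    ca, cb = Counter(a), Counter(b)
    return {"len_a": len(a), "len_b": len(b), "common_prefix": prefix,
            "only_in_a": ca - cb, "only_in_b": cb - ca}


_IOC_NRBITS, _IOC_TYPEBITS, _IOC_SIZEBITS = 8, 8, 14


def decode_ioctl(cmd):
    """Split an ioctl request number into (direction, size, type char, nr).
    Direction 1 = write, 2 = read, 3 = read/write."""
    nr = cmd & ((1 << _IOC_NRBITS) - 1)
    typ = (cmd >> _IOC_NRBITS) & ((1 << _IOC_TYPEBITS) - 1)
    size = (cmd >> (_IOC_NRBITS + _IOC_TYPEBITS)) & ((1 << _IOC_SIZEBITS) - 1)
    direction = cmd >> (_IOC_NRBITS + _IOC_TYPEBITS + _IOC_SIZEBITS)
    return direction, size, chr(typ), nr


# Constructed excerpts of two runs, taken from the lines quoted in the post.
RUN1 = """our_sys_gettid ---> uid = 10028
our_sys_open ---> uid = 10028 with filename= /dev/cpuctl//tasks, flags= 131073, mode=0
our_sys_write ---> uid = 10028 with fd= 30, buf = 230 and count=3
our_sys_close ---> uid = 10028 with fd= 30
our_sys_setpriority ---> uid = 10028 with which= 0, who=230 and niceval=0
our_sys_ioctl ---> uid = 10028 with fd=21, cmd=3222823425 and arg=3196467192
our_sys_dup ---> uid = 10028 with fildes=32
our_sys_close ---> uid = 10028 with fd= 32"""

RUN2 = """our_sys_gettid ---> uid = 10028
our_sys_open ---> uid = 10028 with filename= /dev/cpuctl//tasks, flags= 131073, mode=0
our_sys_write ---> uid = 10028 with fd= 30, buf = 228 and count=3
our_sys_close ---> uid = 10028 with fd= 30
our_sys_setpriority ---> uid = 10028 with which= 0, who=228 and niceval=0
our_sys_clock_gettime ---> uid = 10028 with which_clock=<NULL>, tp =
our_sys_ioctl ---> uid = 10028 with fd=21, cmd=3222823425 and arg=3198662648
our_sys_dup ---> uid = 10028 with fildes=32
our_sys_close ---> uid = 10028 with fd= 32"""

if __name__ == "__main__":
    result = compare_runs(RUN1, RUN2)
    print("common prefix:", result["common_prefix"], "of", result["len_a"], "/", result["len_b"])
    print("only in run 1:", dict(result["only_in_a"]))
    print("only in run 2:", dict(result["only_in_b"]))
    print("ioctl 3222823425 decodes to", decode_ioctl(3222823425))
```

On these excerpts the first five canonical events agree and the only multiset difference is the extra `clock_gettime`, i.e. a call from another thread slipping in between the same sequence of calls. `3222823425` decodes to direction 3, a 24-byte argument, type `'b'`, number 1, which is the layout of Android's `BINDER_WRITE_READ` request on a 32-bit kernel, so fd 21 is the process's `/dev/binder` descriptor. Logging `current->pid` and `current->tgid` alongside the uid, and filtering on the target app's tgid, is what lets the interleaved threads be told apart.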