Hi mohsin,
Glad to hear you implemented system call hooking.
Basically I am just an application developer, and I am trying to
implement something which has requirements similar to yours.
I have some doubts:
1) Can I use an LKM from the application on a rooted phone?
2) Can I compile the kernel module using the NDK?
3) Can I run these tests on the emulator?
I am stuck in the middle; please help me.
Thanks.
Sinto Paulose
On Wednesday, January 9, 2013 4:02:07 PM UTC+5:30, mohsin junaid wrote:
>
> I have implemented system call hooking for the `Android 2.6.29` kernel through
> an `LKM module`. Also, I have one Android app against which I want to trace
> system calls. I have only one button in the app, and before clicking on the
> button I insert the module with `insmod trapcall.ko`, which starts tracing
> system calls from that point on. But interestingly, it returns different
> results every time I get a list of system calls.
>
> I have underlined the text where the difference starts.
>
> For example,
>
> first run:
>
> our_sys_gettid ---> uid = 10028
> our_sys_open ---> uid = 10028 with filename= /dev/cpuctl//tasks,
> flags= 131073, mode=0
> our_sys_write ---> uid = 10028 with fd= 30, buf = 230 and count=3
> our_sys_close ---> uid = 10028 with fd= 30
> our_sys_setpriority ---> uid = 10028 with which= 0, who=230 and
> niceval=0
> our_sys_futex ---> uid = 10028 with uadd=������, op=1, val=1,
> utime=<NULL>, uaddr2=������ and val3=
> * **our_sys_gettid ---> uid = 10028 *
> * our_sys_open ---> uid = 10028 with filename= /dev/cpuctl//tasks,
> flags= 131073, mode=0 *
> * our_sys_clock_gettime ---> uid = 10028 with which_clock=<NULL>, tp
> = *
> * our_sys_clock_gettime ---> uid = 10028 with which_clock=<NULL>, tp
> = *
> * our_sys_ioctl ---> uid = 10028 with fd=21, cmd=3222823425 and
> arg=3196467192 *
> * our_sys_ioctl ---> uid = 10028 with fd=21, cmd=3222823425 and
> arg=3196467192 ***
> * our_sys_clock_gettime ---> uid = 10028 with which_clock=<NULL>, tp
> = *
> * our_sys_clock_gettime ---> uid = 10028 with which_clock=<NULL>, tp
> = *
> our_sys_ioctl ---> uid = 10028 with fd=21, cmd=3222823425 and
> arg=3196466496
> our_sys_ioctl ---> uid = 10028 with fd=21, cmd=3222823425 and
> arg=3196466496
> our_sys_dup ---> uid = 10028 with fildes=32
> our_sys_close ---> uid = 10028 with fd= 32
> .....................
>
> Second run:
>
> our_sys_gettid ---> uid = 10028
> our_sys_open ---> uid = 10028 with filename= /dev/cpuctl//tasks,
> flags= 131073, mode=0
> our_sys_write ---> uid = 10028 with fd= 30, buf = 228 and count=3
> our_sys_close ---> uid = 10028 with fd= 30
> our_sys_setpriority ---> uid = 10028 with which= 0, who=228 and
> niceval=0
> our_sys_futex ---> uid = 10028 with uadd=������, op=1, val=1,
> utime=<NULL>, uaddr2=������ and val3=
> * **our_sys_gettid ---> uid = 10028 *
> * our_sys_open ---> uid = 10028 with filename= /dev/cpuctl//tasks,
> flags= 131073, mode=0 *
> * our_sys_write ---> uid = 10028 with fd= 30, buf = 228 and count=3 *
> * our_sys_clock_gettime ---> uid = 10028 with which_clock=<NULL>, tp
> = *
> * our_sys_clock_gettime ---> uid = 10028 with which_clock=<NULL>, tp
> = *
> * our_sys_ioctl ---> uid = 10028 with fd=21, cmd=3222823425 and
> arg=3198662648 *
> * our_sys_ioctl ---> uid = 10028 with fd=21, cmd=3222823425 and
> arg=3198662648 *
> * our_sys_clock_gettime ---> uid = 10028 with which_clock=<NULL>, tp
> = *
> * our_sys_clock_gettime ---> uid = 10028 with which_clock=<NULL>, tp
> = *
> our_sys_ioctl ---> uid = 10028 with fd=21, cmd=3222823425 and
> arg=3198661952**
> our_sys_close ---> uid = 10028 with fd= 30
> our_sys_setpriority ---> uid = 10028 with which= 0, who=228 and
> niceval=0
> our_sys_ioctl ---> uid = 10028 with fd=21, cmd=3222823425 and
> arg=1181359656
> our_sys_ioctl ---> uid = 10028 with fd=21, cmd=3222823425 and
> arg=3198661952
> our_sys_dup ---> uid = 10028 with fildes=32
> our_sys_close ---> uid = 10028 with fd= 32
> ....................
>
> Third run:
>
> our_sys_gettid ---> uid = 10028
> our_sys_open ---> uid = 10028 with filename= /dev/cpuctl//tasks,
> flags= 131073, mode=0
> our_sys_write ---> uid = 10028 with fd= 31, buf = 228 and count=3
> our_sys_close ---> uid = 10028 with fd= 31
> our_sys_setpriority ---> uid = 10028 with which= 0, who=228 and
> niceval=0
> our_sys_futex ---> uid = 10028 with uadd=������, op=1, val=1,
> utime=<NULL>, uaddr2=������ and val3=X{�D
> * **our_sys_clock_gettime ---> uid = 10028 with which_clock=<NULL>,
> tp = *
> * our_sys_clock_gettime ---> uid = 10028 with which_clock=<NULL>, tp
> = *
> * our_sys_ioctl ---> uid = 10028 with fd=21, cmd=3222823425 and
> arg=3198035960 *
> * our_sys_ioctl ---> uid = 10028 with fd=21, cmd=3222823425 and
> arg=3198035960 *
> * our_sys_clock_gettime ---> uid = 10028 with which_clock=<NULL>, tp
> = *
> * our_sys_clock_gettime ---> uid = 10028 with which_clock=<NULL>, tp
> = *
> * our_sys_munmap ---> uid = 10028 with addr=1183178752 and len=770048
> *
> our_sys_close ---> uid = 10028 with fd= 32**
> our_sys_ioctl ---> uid = 10028 with fd=21, cmd=3222823425 and
> arg=3198035264
> our_sys_ioctl ---> uid = 10028 with fd=21, cmd=3222823425 and
> arg=3198035264
> our_sys_dup ---> uid = 10028 with fildes=31
> our_sys_close ---> uid = 10028 with fd= 31
> ........................
>
> Any idea why it's producing different results every time?
>
> Is there any other better tool to trace system calls? I have heard of
> `strace/ptrace`, `auditd`, etc., but I am not sure whether they are usable on
> Android or not.
>
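As an added helper for comparing two runs of the kind quoted above (not code from either poster), the Python below parses lines in the `our_sys_xxx ---> uid = N with ...` format of the trapcall module, masks the values that the kernel assigns per run, and reports the first event at which two traces really differ. Which argument names count as volatile (descriptor numbers, the thread id written to `/dev/cpuctl/tasks`, user-space addresses and pointers) is an assumption made here; the two sample traces are constructed from abridged lines of the quoted runs.

```python
import re
# Constructed sample traces in the LKM's output format (abridged lines taken
# from the runs quoted above; the "*" emphasis markers are dropped).
RUN1 = """\
our_sys_gettid ---> uid = 10028
our_sys_open ---> uid = 10028 with filename= /dev/cpuctl//tasks, flags= 131073, mode=0
our_sys_write ---> uid = 10028 with fd= 30, buf = 230 and count=3
our_sys_close ---> uid = 10028 with fd= 30
our_sys_setpriority ---> uid = 10028 with which= 0, who=230 and niceval=0
our_sys_ioctl ---> uid = 10028 with fd=21, cmd=3222823425 and arg=3196467192
"""
RUN2 = """\
our_sys_gettid ---> uid = 10028
our_sys_open ---> uid = 10028 with filename= /dev/cpuctl//tasks, flags= 131073, mode=0
our_sys_write ---> uid = 10028 with fd= 31, buf = 228 and count=3
our_sys_close ---> uid = 10028 with fd= 31
our_sys_setpriority ---> uid = 10028 with which= 0, who=228 and niceval=0
our_sys_munmap ---> uid = 10028 with addr=1183178752 and len=770048
"""

LINE_RE = re.compile(r"^(?P<sc>our_sys_\w+) ---> uid = (?P<uid>\d+)(?: with (?P<args>.*))?$")

# Assumed set of argument names whose values the kernel assigns per run:
# descriptor numbers, the thread id written to /dev/cpuctl/tasks, addresses/pointers.
VOLATILE = {"fd", "fildes", "who", "buf", "arg", "addr", "uadd", "uaddr2", "tp", "val3"}

def normalize(line):
    """One trace line -> (syscall, uid, ((key, value), ...)) with volatile values masked; None if not a record."""
    m = LINE_RE.match(line.strip(" *\t"))
    if not m:
        return None
    args = []
    for kv in re.split(r",\s*|\s+and\s+", m.group("args") or ""):
        if "=" not in kv:
            continue
        key, val = (s.strip() for s in kv.split("=", 1))
        args.append((key, "<volatile>" if key in VOLATILE else val))
    return (m.group("sc"), m.group("uid"), tuple(args))

def parse_trace(text):
    """Normalized event list for a whole trace dump (separator lines like '.....' are skipped)."""
    return [ev for ev in map(normalize, text.splitlines()) if ev is not None]

def first_divergence(a, b):
    """Index of the first event where two normalized traces differ; None if they are identical."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))
```

Call `first_divergence(parse_trace(run_a), parse_trace(run_b))` on two dumps; an event that still differs after masking is a real difference in the sequence of calls, not merely a renumbered descriptor or thread id.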
--
unsubscribe: [email protected]
website: http://groups.google.com/group/android-kernel