Well, I was very focused on system call hooking in Android, so I am not sure if I will be able to answer all of your questions.

1) What I did was compile the Android source code, download the goldfish source code and use a cross-compiler to run the emulator, and then insert an LKM to trace system calls. Here is my post (http://mohsin-junaid.blogspot.com/2013/01/android-system-calls-hooking-to-trace.html) which may help you.

Thanks,
Mohsin Junaid

On Fri, Jan 18, 2013 at 3:15 AM, kariyachan <sintotp.foresi...@gmail.com> wrote:
> Hi mohsin,
>
> Glad to hear you implemented system call hooking.
>
> Basically I am just an application developer. I am trying to
> implement something which has requirements similar to yours.
>
> I have some doubts:
>
> 1) Can I use an LKM from the application on a rooted phone?
> 2) Compile the kernel module using the NDK
> 3) Can I run these tests on the emulator?
>
> I am stuck in the middle, please help me.
>
> Thanks.
> Sinto Paulose
>
> On Wednesday, January 9, 2013 4:02:07 PM UTC+5:30, mohsin junaid wrote:
>>
>> I have implemented system call hooking for `Android 2.6.29` kernel
>> through a `LKM module`. Also, I have one Android app against which I want
>> to trace system calls. I have only one button in the app and before
>> clicking on the button, I insert the module by `insmod trapcall.ko`, which starts
>> tracing down called system calls from now. But interestingly, it returns
>> different results every time I get a list of system calls.
>>
>> I have underlined the text where the difference starts.
>>
>> For example,
>>
>> first run:
>>
>>     our_sys_gettid ---> uid = 10028
>>     our_sys_open ---> uid = 10028 with filename= /dev/cpuctl//tasks, flags= 131073, mode=0
>>     our_sys_write ---> uid = 10028 with fd= 30, buf = 230 and count=3
>>     our_sys_close ---> uid = 10028 with fd= 30
>>     our_sys_setpriority ---> uid = 10028 with which= 0, who=230 and niceval=0
>>     our_sys_futex ---> uid = 10028 with uadd=������, op=1, val=1, utime=<NULL>, uaddr2=������ and val3=
>>     *our_sys_gettid ---> uid = 10028*
>>     *our_sys_open ---> uid = 10028 with filename= /dev/cpuctl//tasks, flags= 131073, mode=0*
>>     *our_sys_clock_gettime ---> uid = 10028 with which_clock=<NULL>, tp =*
>>     *our_sys_clock_gettime ---> uid = 10028 with which_clock=<NULL>, tp =*
>>     *our_sys_ioctl ---> uid = 10028 with fd=21, cmd=3222823425 and arg=3196467192*
>>     *our_sys_ioctl ---> uid = 10028 with fd=21, cmd=3222823425 and arg=3196467192*
>>     *our_sys_clock_gettime ---> uid = 10028 with which_clock=<NULL>, tp =*
>>     *our_sys_clock_gettime ---> uid = 10028 with which_clock=<NULL>, tp =*
>>     our_sys_ioctl ---> uid = 10028 with fd=21, cmd=3222823425 and arg=3196466496
>>     our_sys_ioctl ---> uid = 10028 with fd=21, cmd=3222823425 and arg=3196466496
>>     our_sys_dup ---> uid = 10028 with fildes=32
>>     our_sys_close ---> uid = 10028 with fd= 32
>>     .....................
>>
>> Second run:
>>
>>     our_sys_gettid ---> uid = 10028
>>     our_sys_open ---> uid = 10028 with filename= /dev/cpuctl//tasks, flags= 131073, mode=0
>>     our_sys_write ---> uid = 10028 with fd= 30, buf = 228 and count=3
>>     our_sys_close ---> uid = 10028 with fd= 30
>>     our_sys_setpriority ---> uid = 10028 with which= 0, who=228 and niceval=0
>>     our_sys_futex ---> uid = 10028 with uadd=������, op=1, val=1, utime=<NULL>, uaddr2=������ and val3=
>>     *our_sys_gettid ---> uid = 10028*
>>     *our_sys_open ---> uid = 10028 with filename= /dev/cpuctl//tasks, flags= 131073, mode=0*
>>     *our_sys_write ---> uid = 10028 with fd= 30, buf = 228 and count=3*
>>     *our_sys_clock_gettime ---> uid = 10028 with which_clock=<NULL>, tp =*
>>     *our_sys_clock_gettime ---> uid = 10028 with which_clock=<NULL>, tp =*
>>     *our_sys_ioctl ---> uid = 10028 with fd=21, cmd=3222823425 and arg=3198662648*
>>     *our_sys_ioctl ---> uid = 10028 with fd=21, cmd=3222823425 and arg=3198662648*
>>     *our_sys_clock_gettime ---> uid = 10028 with which_clock=<NULL>, tp =*
>>     *our_sys_clock_gettime ---> uid = 10028 with which_clock=<NULL>, tp =*
>>     *our_sys_ioctl ---> uid = 10028 with fd=21, cmd=3222823425 and arg=3198661952*
>>     our_sys_close ---> uid = 10028 with fd= 30
>>     our_sys_setpriority ---> uid = 10028 with which= 0, who=228 and niceval=0
>>     our_sys_ioctl ---> uid = 10028 with fd=21, cmd=3222823425 and arg=1181359656
>>     our_sys_ioctl ---> uid = 10028 with fd=21, cmd=3222823425 and arg=3198661952
>>     our_sys_dup ---> uid = 10028 with fildes=32
>>     our_sys_close ---> uid = 10028 with fd= 32
>>     ....................
>>
>> Third run:
>>
>>     our_sys_gettid ---> uid = 10028
>>     our_sys_open ---> uid = 10028 with filename= /dev/cpuctl//tasks, flags= 131073, mode=0
>>     our_sys_write ---> uid = 10028 with fd= 31, buf = 228 and count=3
>>     our_sys_close ---> uid = 10028 with fd= 31
>>     our_sys_setpriority ---> uid = 10028 with which= 0, who=228 and niceval=0
>>     our_sys_futex ---> uid = 10028 with uadd=������, op=1, val=1, utime=<NULL>, uaddr2=������ and val3=X{�D
>>     *our_sys_clock_gettime ---> uid = 10028 with which_clock=<NULL>, tp =*
>>     *our_sys_clock_gettime ---> uid = 10028 with which_clock=<NULL>, tp =*
>>     *our_sys_ioctl ---> uid = 10028 with fd=21, cmd=3222823425 and arg=3198035960*
>>     *our_sys_ioctl ---> uid = 10028 with fd=21, cmd=3222823425 and arg=3198035960*
>>     *our_sys_clock_gettime ---> uid = 10028 with which_clock=<NULL>, tp =*
>>     *our_sys_clock_gettime ---> uid = 10028 with which_clock=<NULL>, tp =*
>>     *our_sys_munmap ---> uid = 10028 with addr=1183178752 and len=770048*
>>     *our_sys_close ---> uid = 10028 with fd= 32*
>>     our_sys_ioctl ---> uid = 10028 with fd=21, cmd=3222823425 and arg=3198035264
>>     our_sys_ioctl ---> uid = 10028 with fd=21, cmd=3222823425 and arg=3198035264
>>     our_sys_dup ---> uid = 10028 with fildes=31
>>     our_sys_close ---> uid = 10028 with fd= 31
>>     ........................
>>
>> Any idea why it's producing different results every time?
>>
>> Is there any other better tool to trace system calls? I heard of
>> `strace/ptrace`, `auditd` etc but not sure if they are usable for Android
>> or not.
>>
> --
> unsubscribe: android-kernel+unsubscr...@googlegroups.com
> website: http://groups.google.com/group/android-kernel
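
Added example (not part of the thread and not the poster's module): one way to compare runs like the three quoted above is to parse the hook's `our_sys_*` lines and diff only the syscall names, so that per-run values such as fds and `arg=` numbers do not count as differences. The excerpts are shortened from the first and second runs; `parse_trace` and `diff_calls` are hypothetical helper names.

```python
import re
from difflib import SequenceMatcher

# Format printed by the hook in the thread:
#   our_sys_<name> ---> uid = <n> [with <args>]
LINE_RE = re.compile(r"our_sys_(\w+)\s*--->\s*uid\s*=\s*(\d+)(?:\s+with\s+(.*))?")

def parse_trace(text, uid=None):
    """Return [(syscall, args)] per hook line; skip other text and other uids."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue
        if uid is not None and int(m.group(2)) != uid:
            continue
        # Strip padding and the '*' emphasis markers used in the e-mail.
        events.append((m.group(1), (m.group(3) or "").strip(" *")))
    return events

def diff_calls(run_a, run_b):
    """Diff two runs by syscall name only, ignoring argument values."""
    a = [name for name, _ in run_a]
    b = [name for name, _ in run_b]
    ops = SequenceMatcher(a=a, b=b, autojunk=False).get_opcodes()
    return [(tag, a[i1:i2], b[j1:j2]) for tag, i1, i2, j1, j2 in ops if tag != "equal"]

# Excerpts shortened from the first and second runs quoted in the thread.
RUN1 = """\
our_sys_gettid ---> uid = 10028
our_sys_open ---> uid = 10028 with filename= /dev/cpuctl//tasks, flags= 131073, mode=0
our_sys_clock_gettime ---> uid = 10028 with which_clock=<NULL>, tp =
our_sys_clock_gettime ---> uid = 10028 with which_clock=<NULL>, tp =
our_sys_ioctl ---> uid = 10028 with fd=21, cmd=3222823425 and arg=3196467192
our_sys_ioctl ---> uid = 10028 with fd=21, cmd=3222823425 and arg=3196467192
"""
RUN2 = """\
our_sys_gettid ---> uid = 10028
our_sys_open ---> uid = 10028 with filename= /dev/cpuctl//tasks, flags= 131073, mode=0
our_sys_write ---> uid = 10028 with fd= 30, buf = 228 and count=3
our_sys_clock_gettime ---> uid = 10028 with which_clock=<NULL>, tp =
our_sys_clock_gettime ---> uid = 10028 with which_clock=<NULL>, tp =
our_sys_ioctl ---> uid = 10028 with fd=21, cmd=3222823425 and arg=3198662648
our_sys_ioctl ---> uid = 10028 with fd=21, cmd=3222823425 and arg=3198662648
"""

if __name__ == "__main__":
    for tag, left, right in diff_calls(parse_trace(RUN1, 10028), parse_trace(RUN2, 10028)):
        print(tag, left, right)
```

On these excerpts the only name-level difference is the extra `write` in the second run; the differing `arg=` values are ignored.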