On Wed, Jan 9, 2013 at 6:32 PM, mohsin junaid <mohsinj...@gmail.com> wrote:

> I have implemented system call hooking for the `Android 2.6.29` kernel through
> an `LKM module`. Also, I have one Android app against which I want to trace
> system calls. I have only one button in the app, and before clicking on the
> button I insert the module with `insmod trapcall.ko`, which starts tracing the
> called system calls from then on. But interestingly, it returns different
> results every time I get a list of system calls.
>

Interesting. Other references to building a kernel module are:

http://www.phrack.com/issues.html?issue=68&id=6&mode=txt

which details syscall hooking via a kernel module on Android, and here is plain
kernel module development for a physical phone (without syscall hooking):

http://developer.sonymobile.com/2011/05/06/how-to-build-a-linux-kernel/

http://tthtlc.wordpress.com/2011/12/29/how-to-write-a-kernel-module-on-android-sony-ericsson-xperia-arc-s/

And for an explanation of the difference, most likely it goes like this:

You see, when you execute "insmod" you are modifying the system call API while
it MAY be in use. And definitely the "insmod" command itself is using the
API, so obviously, immediately after interception, the first symptom is
that it will start to display all the syscalls made by itself into the
kernel. But as the "insmod" operation (which is a userspace operation, and
thus among the programs that will call syscalls; kernel components in
general don't call syscalls) is a short one, it soon ends, and thus you
will see the deterministic pattern ending very fast. After that come the
different processes making the same syscalls, which is random in nature.

Make sense?


> I have underlined the text where the difference starts.
>
> For example,
>
> first run:
>
>     our_sys_gettid ---> uid = 10028
>      our_sys_open ---> uid = 10028 with filename= /dev/cpuctl//tasks,
> flags= 131073, mode=0
>      our_sys_write ---> uid = 10028 with fd= 30, buf = 230 and count=3
>      our_sys_close ---> uid = 10028 with fd= 30
>      our_sys_setpriority ---> uid = 10028 with which= 0, who=230 and
> niceval=0
>      our_sys_futex ---> uid = 10028 with uadd=������, op=1, val=1,
> utime=<NULL>, uaddr2=������ and val3=
>  *    **our_sys_gettid ---> uid = 10028  *
> *     our_sys_open ---> uid = 10028 with filename= /dev/cpuctl//tasks,
> flags= 131073, mode=0 *
> *     our_sys_clock_gettime ---> uid = 10028 with which_clock=<NULL>, tp
> =   *
> *     our_sys_clock_gettime ---> uid = 10028 with which_clock=<NULL>, tp
> =   *
> *     our_sys_ioctl ---> uid = 10028 with fd=21, cmd=3222823425 and
> arg=3196467192 *
> *     our_sys_ioctl ---> uid = 10028 with fd=21, cmd=3222823425 and
> arg=3196467192 ***
> *     our_sys_clock_gettime ---> uid = 10028 with which_clock=<NULL>, tp
> =   *
> *     our_sys_clock_gettime ---> uid = 10028 with which_clock=<NULL>, tp
> =   *
>      our_sys_ioctl ---> uid = 10028 with fd=21, cmd=3222823425 and
> arg=3196466496
>      our_sys_ioctl ---> uid = 10028 with fd=21, cmd=3222823425 and
> arg=3196466496
>      our_sys_dup ---> uid = 10028 with fildes=32
>      our_sys_close ---> uid = 10028 with fd= 32
>      .....................
>
> Second run:
>
>     our_sys_gettid ---> uid = 10028
>      our_sys_open ---> uid = 10028 with filename= /dev/cpuctl//tasks,
> flags= 131073, mode=0
>      our_sys_write ---> uid = 10028 with fd= 30, buf = 228 and count=3
>      our_sys_close ---> uid = 10028 with fd= 30
>      our_sys_setpriority ---> uid = 10028 with which= 0, who=228 and
> niceval=0
>      our_sys_futex ---> uid = 10028 with uadd=������, op=1, val=1,
> utime=<NULL>, uaddr2=������ and val3=
>   *   **our_sys_gettid ---> uid = 10028  *
> *     our_sys_open ---> uid = 10028 with filename= /dev/cpuctl//tasks,
> flags= 131073, mode=0 *
> *     our_sys_write ---> uid = 10028 with fd= 30, buf = 228 and count=3 *
> *     our_sys_clock_gettime ---> uid = 10028 with which_clock=<NULL>, tp
> =   *
> *     our_sys_clock_gettime ---> uid = 10028 with which_clock=<NULL>, tp
> =   *
> *     our_sys_ioctl ---> uid = 10028 with fd=21, cmd=3222823425 and
> arg=3198662648 *
> *     our_sys_ioctl ---> uid = 10028 with fd=21, cmd=3222823425 and
> arg=3198662648 *
> *     our_sys_clock_gettime ---> uid = 10028 with which_clock=<NULL>, tp
> =   *
> *     our_sys_clock_gettime ---> uid = 10028 with which_clock=<NULL>, tp
> =   *
>      our_sys_ioctl ---> uid = 10028 with fd=21, cmd=3222823425 and
> arg=3198661952**
>      our_sys_close ---> uid = 10028 with fd= 30
>      our_sys_setpriority ---> uid = 10028 with which= 0, who=228 and
> niceval=0
>      our_sys_ioctl ---> uid = 10028 with fd=21, cmd=3222823425 and
> arg=1181359656
>      our_sys_ioctl ---> uid = 10028 with fd=21, cmd=3222823425 and
> arg=3198661952
>      our_sys_dup ---> uid = 10028 with fildes=32
>      our_sys_close ---> uid = 10028 with fd= 32
>      ....................
>
> Third run:
>
>     our_sys_gettid ---> uid = 10028
>      our_sys_open ---> uid = 10028 with filename= /dev/cpuctl//tasks,
> flags= 131073, mode=0
>      our_sys_write ---> uid = 10028 with fd= 31, buf = 228 and count=3
>      our_sys_close ---> uid = 10028 with fd= 31
>      our_sys_setpriority ---> uid = 10028 with which= 0, who=228 and
> niceval=0
>      our_sys_futex ---> uid = 10028 with uadd=������, op=1, val=1,
> utime=<NULL>, uaddr2=������ and val3=X{�D
>    *  **our_sys_clock_gettime ---> uid = 10028 with which_clock=<NULL>,
> tp =   *
> *     our_sys_clock_gettime ---> uid = 10028 with which_clock=<NULL>, tp
> =   *
> *     our_sys_ioctl ---> uid = 10028 with fd=21, cmd=3222823425 and
> arg=3198035960 *
> *     our_sys_ioctl ---> uid = 10028 with fd=21, cmd=3222823425 and
> arg=3198035960 *
> *     our_sys_clock_gettime ---> uid = 10028 with which_clock=<NULL>, tp
> =   *
> *     our_sys_clock_gettime ---> uid = 10028 with which_clock=<NULL>, tp
> =   *
> *     our_sys_munmap ---> uid = 10028 with addr=1183178752 and len=770048
> *
>      our_sys_close ---> uid = 10028 with fd= 32**
>      our_sys_ioctl ---> uid = 10028 with fd=21, cmd=3222823425 and
> arg=3198035264
>      our_sys_ioctl ---> uid = 10028 with fd=21, cmd=3222823425 and
> arg=3198035264
>      our_sys_dup ---> uid = 10028 with fildes=31
>      our_sys_close ---> uid = 10028 with fd= 31
>      ........................
>
> Any idea why it's producing different results every time?
>
> Is there any other better tool to trace system calls? I heard of
> `strace/ptrace`, `auditd` etc but not sure if they are usable for Android
> or not.
>
> --
> unsubscribe: android-kernel+unsubscr...@googlegroups.com
> website: http://groups.google.com/group/android-kernel

-- 
Regards,
Peter Teoh
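One practical way to handle the nondeterminism described above, as an added example that is not part of this thread and not code from either poster: save each run's hook output one call per line (for example from dmesg), keep only the calls made under the app's uid, mask the values that legitimately change between runs (descriptors, thread ids, buffer and pointer addresses), and then align the two runs to find the first call where they really diverge. The parser below follows the `our_sys_* ---> uid = N with k=v, ...` format of the quoted traces; the two sample runs are constructed here (the uid 0 line in the first run is an invented stand-in for another process's call), and the set of "volatile" keys is an assumption about which fields are expected to vary.

```python
"""Normalize and compare syscall-hook traces from two runs (added example)."""
import difflib
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Fields whose values legitimately differ from run to run: file descriptors,
# thread ids, buffer and pointer addresses. This set is an assumption.
VOLATILE_KEYS = {"fd", "fildes", "who", "buf", "arg", "addr", "len",
                 "uadd", "uaddr2", "val3", "tp", "utime"}

# Matches the hook's output format: "our_sys_open ---> uid = 10028 with k=v, ..."
LINE_RE = re.compile(
    r"^(our_sys_\w+)\s*--->\s*uid\s*=\s*(\d+)(?:\s+with\s+(.*))?$")


class Call(NamedTuple):
    name: str
    uid: int
    args: Dict[str, str]


def parse_line(line: str) -> Optional[Call]:
    """Parse one trace line; tolerates the '*' emphasis marks mail clients add."""
    text = line.strip().strip("*").strip()
    m = LINE_RE.match(text)
    if not m:
        return None
    name, uid, rest = m.group(1), int(m.group(2)), m.group(3) or ""
    args: Dict[str, str] = {}
    # Arguments are separated by ',' or the word 'and', each written as k=v.
    for piece in re.split(r",|\band\b", rest):
        if "=" not in piece:
            continue
        key, value = piece.split("=", 1)
        args[key.strip()] = value.strip()
    return Call(name, uid, args)


def normalize(call: Call) -> str:
    """Render a call with run-variant values masked so runs can be compared."""
    parts = [f"{k}={'<var>' if k in VOLATILE_KEYS else v}"
             for k, v in call.args.items()]
    return f"{call.name}[uid={call.uid}]({', '.join(parts)})"


def load_run(lines: List[str], uid: Optional[int] = None) -> List[str]:
    """Parse, optionally keep only the target uid, and normalize a run."""
    calls = [c for c in map(parse_line, lines) if c is not None]
    if uid is not None:
        calls = [c for c in calls if c.uid == uid]
    return [normalize(c) for c in calls]


def compare_runs(run_a: List[str], run_b: List[str],
                 uid: Optional[int] = None
                 ) -> Tuple[Optional[int], List[str], List[str]]:
    """Return (index of first divergence or None, calls only in A, calls only in B)."""
    a, b = load_run(run_a, uid), load_run(run_b, uid)
    first = None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            first = i
            break
    if first is None and len(a) != len(b):
        first = min(len(a), len(b))
    only_a: List[str] = []
    only_b: List[str] = []
    sm = difflib.SequenceMatcher(a=a, b=b, autojunk=False)
    for tag, i1, i2, j1, j2 in sm.get_opcodes():
        if tag in ("delete", "replace"):
            only_a.extend(a[i1:i2])
        if tag in ("insert", "replace"):
            only_b.extend(b[j1:j2])
    return first, only_a, only_b


# Constructed sample runs, modelled on the first two runs quoted above.
# The "uid = 0" write is an invented line standing in for another process.
RUN_A = """
our_sys_gettid ---> uid = 10028
our_sys_open ---> uid = 10028 with filename= /dev/cpuctl//tasks, flags= 131073, mode=0
our_sys_write ---> uid = 10028 with fd= 30, buf = 230 and count=3
our_sys_close ---> uid = 10028 with fd= 30
our_sys_setpriority ---> uid = 10028 with which= 0, who=230 and niceval=0
our_sys_write ---> uid = 0 with fd= 3, buf = 7 and count=12
our_sys_clock_gettime ---> uid = 10028 with which_clock=<NULL>, tp =
our_sys_ioctl ---> uid = 10028 with fd=21, cmd=3222823425 and arg=3196467192
our_sys_dup ---> uid = 10028 with fildes=32
our_sys_close ---> uid = 10028 with fd= 32
""".strip().splitlines()

RUN_B = """
our_sys_gettid ---> uid = 10028
our_sys_open ---> uid = 10028 with filename= /dev/cpuctl//tasks, flags= 131073, mode=0
our_sys_write ---> uid = 10028 with fd= 30, buf = 228 and count=3
our_sys_close ---> uid = 10028 with fd= 30
our_sys_setpriority ---> uid = 10028 with which= 0, who=228 and niceval=0
our_sys_clock_gettime ---> uid = 10028 with which_clock=<NULL>, tp =
our_sys_ioctl ---> uid = 10028 with fd=21, cmd=3222823425 and arg=3198662648
our_sys_munmap ---> uid = 10028 with addr=1183178752 and len=770048
our_sys_dup ---> uid = 10028 with fildes=32
our_sys_close ---> uid = 10028 with fd= 32
""".strip().splitlines()

if __name__ == "__main__":
    first, only_a, only_b = compare_runs(RUN_A, RUN_B, uid=10028)
    print("first divergence at index:", first)
    print("only in run A:", only_a)
    print("only in run B:", only_b)
```

Filtering by uid removes the interleaved calls from unrelated processes that the reply above describes, and masking the volatile fields stops a changed descriptor or pointer from being reported as a divergence; what remains is the genuine difference in the app's own call sequence (here the extra `munmap` in the second run). Filtering in the hook itself, by checking the caller's uid before logging, would cut the noise at the source and reduce the volume written from the hot path.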
