问题
I have implemented system call hooking for Android 2.6.29 kernel through a LKM module. I am tracing down one Android app for system calls. But interestingly, it returns different results every time I get a list of system calls.
I am not able to make bold text in the code section, so I have put ** to show where the difference starts.
For example,
first run:
our_sys_gettid ---> uid = 10028
our_sys_open ---> uid = 10028 with filename= /dev/cpuctl//tasks, flags= 131073, mode=0
our_sys_write ---> uid = 10028 with fd= 30, buf = 230 and count=3
our_sys_close ---> uid = 10028 with fd= 30
our_sys_setpriority ---> uid = 10028 with which= 0, who=230 and niceval=0
our_sys_futex ---> uid = 10028 with uadd=������, op=1, val=1, utime=<NULL>, uaddr2=������ and val3=
**our_sys_gettid ---> uid = 10028
our_sys_open ---> uid = 10028 with filename= /dev/cpuctl//tasks, flags= 131073, mode=0
our_sys_clock_gettime ---> uid = 10028 with which_clock=<NULL>, tp =
our_sys_clock_gettime ---> uid = 10028 with which_clock=<NULL>, tp =
our_sys_ioctl ---> uid = 10028 with fd=21, cmd=3222823425 and arg=3196467192
our_sys_ioctl ---> uid = 10028 with fd=21, cmd=3222823425 and arg=3196467192 **
our_sys_clock_gettime ---> uid = 10028 with which_clock=<NULL>, tp =
our_sys_clock_gettime ---> uid = 10028 with which_clock=<NULL>, tp =
our_sys_ioctl ---> uid = 10028 with fd=21, cmd=3222823425 and arg=3196466496
our_sys_ioctl ---> uid = 10028 with fd=21, cmd=3222823425 and arg=3196466496
our_sys_dup ---> uid = 10028 with fildes=32
our_sys_close ---> uid = 10028 with fd= 32
.....................
Second run:
our_sys_gettid ---> uid = 10028
our_sys_open ---> uid = 10028 with filename= /dev/cpuctl//tasks, flags= 131073, mode=0
our_sys_write ---> uid = 10028 with fd= 30, buf = 228 and count=3
our_sys_close ---> uid = 10028 with fd= 30
our_sys_setpriority ---> uid = 10028 with which= 0, who=228 and niceval=0
our_sys_futex ---> uid = 10028 with uadd=������, op=1, val=1, utime=<NULL>, uaddr2=������ and val3=
**our_sys_gettid ---> uid = 10028
our_sys_open ---> uid = 10028 with filename= /dev/cpuctl//tasks, flags= 131073, mode=0
our_sys_write ---> uid = 10028 with fd= 30, buf = 228 and count=3
our_sys_clock_gettime ---> uid = 10028 with which_clock=<NULL>, tp =
our_sys_clock_gettime ---> uid = 10028 with which_clock=<NULL>, tp =
our_sys_ioctl ---> uid = 10028 with fd=21, cmd=3222823425 and arg=3198662648
our_sys_ioctl ---> uid = 10028 with fd=21, cmd=3222823425 and arg=3198662648
our_sys_clock_gettime ---> uid = 10028 with which_clock=<NULL>, tp =
our_sys_clock_gettime ---> uid = 10028 with which_clock=<NULL>, tp =
our_sys_ioctl ---> uid = 10028 with fd=21, cmd=3222823425 and arg=3198661952**
our_sys_close ---> uid = 10028 with fd= 30
our_sys_setpriority ---> uid = 10028 with which= 0, who=228 and niceval=0
our_sys_ioctl ---> uid = 10028 with fd=21, cmd=3222823425 and arg=1181359656
our_sys_ioctl ---> uid = 10028 with fd=21, cmd=3222823425 and arg=3198661952
our_sys_dup ---> uid = 10028 with fildes=32
our_sys_close ---> uid = 10028 with fd= 32
....................
Third run:
our_sys_gettid ---> uid = 10028
our_sys_open ---> uid = 10028 with filename= /dev/cpuctl//tasks, flags= 131073, mode=0
our_sys_write ---> uid = 10028 with fd= 31, buf = 228 and count=3
our_sys_close ---> uid = 10028 with fd= 31
our_sys_setpriority ---> uid = 10028 with which= 0, who=228 and niceval=0
our_sys_futex ---> uid = 10028 with uadd=������, op=1, val=1, utime=<NULL>, uaddr2=������ and val3=X{�D
**our_sys_clock_gettime ---> uid = 10028 with which_clock=<NULL>, tp =
our_sys_clock_gettime ---> uid = 10028 with which_clock=<NULL>, tp =
our_sys_ioctl ---> uid = 10028 with fd=21, cmd=3222823425 and arg=3198035960
our_sys_ioctl ---> uid = 10028 with fd=21, cmd=3222823425 and arg=3198035960
our_sys_clock_gettime ---> uid = 10028 with which_clock=<NULL>, tp =
our_sys_clock_gettime ---> uid = 10028 with which_clock=<NULL>, tp =
our_sys_munmap ---> uid = 10028 with addr=1183178752 and len=770048
our_sys_close ---> uid = 10028 with fd= 32**
our_sys_ioctl ---> uid = 10028 with fd=21, cmd=3222823425 and arg=3198035264
our_sys_ioctl ---> uid = 10028 with fd=21, cmd=3222823425 and arg=3198035264
our_sys_dup ---> uid = 10028 with fildes=31
our_sys_close ---> uid = 10028 with fd= 31
........................
Any idea why it's producing different results every time?
Is there any other better tool to trace system calls? I heard of strace/ptrace, auditd etc but not sure if they are usable for Android or not.
来源:https://stackoverflow.com/questions/14230509/why-system-call-hooking-produces-different-result-everytime-in-linux-android-2-6