I want to know who called *sys_reboot* when the phone(android) reboot unexpectly.
Is there a way to dump the call stack in syscall(android kernel)?
If all you want it a kernel call trace, you can get that via dump_stack(). panic() calls that, amongst other things. The BUG() / BUG_ON() wrappers give it a more descriptive message and an optional conditional test.
A userland stacktrace, particularly a symbolic one, though, cannot reliably be obtained from within the kernel directly. It's possible to copy the stack memory into kernel space and log the contents, or even heuristically walk SP/FP linkage if framepointers aren't optimized out, but to resolve symbols, it'd need to access and parse ELF information. I'm unsure anyone has done that as pure kernel-side implementation; an easier solution there would be to stop the program from your syscall hook, spawn a userspace debugger attaching to it, extracting a stacktrace, continuing the program when done.
See this SO posting, call_usermodehelper / call_usermodehelperpipe usage for how to do this.
See also this SO posting: How to print the userspace stack trace in linux kernelspace for another reference to the same question.
Related
Assume we have a process that may dlopen() some third-party library. This library may perform open("write_only_logfile", O_WRONLY) on some file to which user has only write access. We need to have an ability to be notified if this library attempts to open a file, so later we may dup() returned descriptor and redirect output.
There are few restrictions that make interception harder:
LD_PRELOAD is forbidden - no way to hook open()
inotify(7) doesn't help because user has no read permissions on "write_only_logfile" and it is owned by admin
we have no access to library sources and therefore cannot modify it
"write_only_logfile" is hardcoded inside the library, so we cannot pass another name to perform redirecting
I'm wondering if Linux has an efficient way to help in such situation.
Especially taking in account the fact that process may open() miscellaneous files pretty often.
P.S. To avoid confusion and understand better - it is a regular Android application with loaded JVM. If app hangs (so called ANR) - system sends SIGQUIT to it. Signal is received via dedicated thread that open()s /data/anr/traces.txt and writes JVM state to it. These data extremely useful for debugging. But app cannot read that file directly because of security reasons (All applications write to it, so there may be somewhat sensitive). Anyway I believe that it is absolutely fair to intercept content that my process would write to it.
P.S.S. In the worst case it is possible to find JVM library image (libart.so) and manually patch jump slot for open(). But it doesn't sound well.
Sounds like you are in troublesome situation. Most solutions briefly mentioned below are guaranteed to interfere with SELinux, so don't take my word for any of that.
Debugging your own process with strace to intercept open is one of usual solutions on normal Linux. I am not sure if it would work in Android; it certainly might become off-limit for non-debuggable apps starting in some new versions (if it is has not been banned yet).
seccomp-bpf is another possibility. Might not be available on older Android versions, but since Android O seccomp is going to be a guaranteed part of Android security getup. Intercept open in warn-only mode and give control back to yourself when something interesting happen (via debugging or signals).
If /data/anr/traces.txt is opened on-demand, you should be able to observe that by watching contents of /proc/self/fd/ with inotify or via polling. You might be able to reduce impact of races by setting io niceness of the opening thread…
All of above are only partial solutions, you still might need to decode actual open syscall that happened (strace source code might be helpful there for strace/seccomp solutions, readlink for /proc/self/fd/) and act upon it (dup2, as you already mentioned).
"write_only_logfile" is hardcoded inside the library
Is it possible to modify the memory of data segment of the library/executable? Afaik mprotect and PROTECT_EXEC in particular have been heavily restricted, but at least mmap is certainly permitted (to support JIT compilers etc). It might be possible to cook something up to edit the string constant in place (as long as doing so is possible and allowed, I am not sure myself about that).
If this is just about redirecting writes (and reads) to a single file, you could run the application in a mount namespace with a suitable bind mount for that particular file. Setting things up in this way probably requires a small SUID binary.
A more general solution quickly approaches a union file system, and getting it right is quite hard. Even the in-kernel union file system, overlayfs, does not manage to provide full POSIX semantics.
You need LD_PRELOAD to hook an application. To hook a third-party library, just load your hook normally before the library (or have it in your executable).
Assuming the library calls open from libc and not the corresponding syscall directly, and that it is linked in a normal way, you just have a function named open somewhere in your code. Make it call open from libc (RTLD_NEXT or whatever). The third-party library (and all other libraries of course) will resolve its open symbol to your function.
I'd like to get some numerical data from an app, but they are not stored as files like db. I know there are some memory hack apps for changing in game values although I do not know how they work.
I am looking for similar features but I don't need to change anything.
The app I am trying to write just reads some data from a specific app and do some background calculation based on that. If this is not possible, I would need to get information by reading the screen(for example get pixel color), but this seems to be very cumbersome task for getting many data.
Is there a way of achieving this?
Thanks.
EDIT: I'd assume I would need a root permission for this?
Yes, you would need root permission. Additionally your users must have fully rooted device with e.g. SuperSU or other modern Su app, that can lift most SELinux restrictions. There may also be conflicts with KNOX and other similar systems, but I am not really knowledgeable about those.
You would need to attach your process as debugger to the target application and locate the necessary data by scanning it's memory. This can be done in multiple ways, the best reference implementation to look at can be found in scanmem.
The code, performing the actual deed, which requires root rights, — reading/writing target process memory — would reside in a native executable, being run via su. You'd have to write some code to communicate with that executable (probably via it's stdin/stdout or something like that).
You will also have to write additional code to parse the memory layout of target application yourself.
Alternatively, you may prefer to inject a small module in memory of target application and/or have the app itself load a Dex file of you making (especially handy, if your target data is stored in Java memory). This approach have a benefit of minimizing interaction with memory layout of virtual machine, but you still have to initiate loading of initial Dex file. Once Dex file is loaded, you can do the rest in Java code, using good-old reflection API. If you go with this route, a (decently supported!) code for injecting executable snippets in memory of Linux process can be found in compel library, being developed as part of CRIU project[1].
Two Android processes cannot share memory and communicate with each other directly. So to communicate, objects have to be decomposed into primitives (marshalling) and transfered across process boundaries.
To do this marshalling, one has to write a lot of complicated code, hence Android handles it for us with AIDL (Android Interface Definition Language).
From the OP, as no more details can be found, I would recommend you reading/searching with the keyword "AIDL" and you will be redirected to the concrete solutions.
I want to modify some system calls for tracing purposes. To be specific, whenever a system call open is made, I want to print some messages.
I have been looking into the internet and the code and I found open.c in kernel/goldfish/fs/ directory. And there are many functions in this file. How would I know which function is being called exactly. I could have written some printk call in all these functions to find it but I have to do it for other system calls also.
So, I have a few questions,
1) What is the best way to find implementation details of system calls?
2) I am using Kernel 2.6.29 (goldfish-Android). Are system calls implementation different in different kernel versions?
3) strace tells me that msgget ,msgrecv and 'SYS_24' system calls are being made. I look into Android/bionic/libc/SYSCALLS.txt file and msgget is not there.
But when I look into android/bionic/libc/kernel/arch-arm/asm/unistd.h file, I can find msgget there. I can't understand what's going on and then how can I find implementation for msgget ?
Thanks.
This link mentions almost all the system calls, their arguments and locations in respective files. It helped me finding system call details.
and answer for strace is given in above comments by Chris, thanks to him again.
How can I get the trace of dalvik bytecode that is being executed while the device is running an app (like logcat does)?
There is no existing tool to do what you want, but it might be possible to implement such a tool without too much work.
The general idea is that you want to connect to dalvik's vm as a debugger, using the jdwp protocol, and single step the virtual machine, inspecting the state between each step and printing out the instruction. You should be able to get the... instruction index. Or maybe the instruction offset, via JDWP.
Additionally, you will need to read the dex file, and look up the exact instruction being executed, based on the instruction index/offset you get from JDWP.
You should be able to use AndBug to implement the first part of the above solution, and then use dexlib to access the dex file, in order to get the instruction.
You might want to check out traceview
It is realy too slow to trace the method not to speak the byte code,when you want to know what the app is doing the best way is to trace method first,then trace the byte code in it.
I started my emulator with ./emulator -trace profile -avd emulator_15. I then tracked down the trace files to ~/.android/avd/rodgers_emulator_15.avd/traces/profile, where there are six files: qtrace.bb, qtrace.exc, qtrace.insn, qtrace.method, qtrace.pid, qtrace.static. I can't figure out what to do with these files. I've tried both dmtracedump and traceview on all of the files, but none seem to generate any output I can do anything with.
How can I view the proportion of time taken by native method calls on Android?
You need to use tracedmdump to convert the output. This is a shell function defined in build/envsetup.sh in the full Android sources. If you're using the SDK, rather than building from a full tree, I'm not sure this will work.
(If you don't have the sources and want to take a peek at the tracedmdump function, you can see it here.)
If you used emulator -trace profile, you'd run tracedmdump profile. This will dig through various binaries to retrieve symbolic information and associate it with the trace data, generating an HTML summary and a traceview-compatible trace file.
It's worth noting that the VM will execute more slowly with profiling enabled (the interpreter has overhead on every method call and return, and it's running in the slower "debug" interpreter), while native code continues to run at full speed, so you have to be careful when drawing conclusions.
General comment: don't forget to use F9 or one of the method calls to start/stop the tracing -- the -trace flag just enables the feature.
In order to use those six files, there are other scripts in the same directory as that of dmtracedump such as read_pid, read_trace, profile_trace etc. U should first run post_trace on the trace directory containing the six files, then you can use any one of them to get profile info such as how often each basic block executes, the pids they belong to etc.