static void loop_it(pid_t pid, int *toggle, long *syscall_id)
{
int status;
t_urs regs;
wait(&status);
if (WIFEXITED(status))
exit(0);
if (*toggle == 0)
{
ptrace(PTRACE_GETREGS, pid, NULL, ®s);
*syscall_id = regs.orig_eax;
if (*syscall_id >= 0)
{
print_syscall(pid, *syscall_id, ®s);
*toggle = 1;
}
}
else
*toggle = 0;
if (ptrace(PTRACE_SINGLESTEP, pid, NULL, NULL) == -1)
{
perror("singlestep: ptrace(PTRACE_SINGLESTEP, ...): Operation not permitted");
exit(-1);
}
}
void ret_strace(unsigned int retval)
{
#ifdef STRACE_RETWAIT
print_syscall(¤t->sc_info, retval);
#else
printk("[%d:%s/ret=%d]\n", current->pid, current->sc_info.s_name, retval);
#endif
}
void
print_openbsd_syscall(int num,
abi_long arg1, abi_long arg2, abi_long arg3,
abi_long arg4, abi_long arg5, abi_long arg6)
{
print_syscall(num, openbsd_scnames, ARRAY_SIZE(openbsd_scnames),
arg1, arg2, arg3, arg4, arg5, arg6);
}
void
print_syscall_ret(struct trussinfo *trussinfo, const char *name, int nargs, char **s_args, int errorp, int retval) {
print_syscall(trussinfo, name, nargs, s_args);
if (errorp) {
fprintf(trussinfo->outfile, " ERR#%d '%s'\n", retval, strerror(retval));
} else {
fprintf(trussinfo->outfile, " = %d (0x%x)\n", retval, retval);
}
}
int strace(struct syscall_params p)
{
/* set up cur_sys */
current->sc_info = p;
#ifndef STRACE_RETWAIT
print_syscall(¤t->sc_info, 0);
#endif
/* First we check the kernel stack magic */
if (current->t_kstackm != KSTACK_MAGIC)
panic("Process %d had kernel stack overflow before syscall\n",
current->pid);
return p.s_num;
}
int main(int argc, char **argv){
printf("The filename is %s\n",filename);
parse_system_call_name(filename);
int pid;
int i = 1;
i+=2;
pid = atoi(argv[1]);
//printf("Hello, world (i=%d)!\n", pid);
jint stat=0;
jint res=0;
long syscall;
printf("Attaching to a process %d",pid);
if ((ptrace(PTRACE_ATTACH, pid, NULL, NULL)) != 0) {
printf("Could not attach to process, errno is %d",errno);
}
res = waitpid(pid, &stat, WUNTRACED);
__android_log_print(ANDROID_LOG_INFO,LOG_TAG,"Status of the traced process %d\n",stat);
ptrace(PTRACE_SETOPTIONS, pid, 0, PTRACE_O_TRACESYSGOOD);
while(1){
if(trace_syscall(pid)!=0)
break;
#ifdef __arm__
print_syscall_arm(pid);
#else
print_syscall(pid);
if(trace_syscall(pid)!=0)
break;
get_return_value(pid);
#endif
}
cleanup_syscall_tabel();
return 0;
}
int do_trace(pid_t child) {
int status;
int retval;
waitpid(child, &status, 0);
assert(WIFSTOPPED(status));
ptrace(PTRACE_SETOPTIONS, child, 0, PTRACE_O_TRACESYSGOOD);
while(1) {
if (wait_for_syscall(child) != 0)
break;
print_syscall(child);
if (wait_for_syscall(child) != 0)
break;
retval = get_reg(child, eax);
assert(errno == 0);
fprintf(stderr, "%d\n", retval);
}
return 0;
}
/*
* This function prints 1 rule from the kernel reply
*/
static void print_rule(const struct audit_rule_data *r)
{
unsigned int i, count = 0, sc = 0;
size_t boffset = 0;
int mach = -1, watch = is_watch(r);
unsigned long long a0 = 0, a1 = 0;
if (!watch) { /* This is syscall auditing */
printf("-a %s,%s",
audit_action_to_name((int)r->action),
audit_flag_to_name(r->flags));
// Now find the arch and print it
for (i = 0; i < r->field_count; i++) {
int field = r->fields[i] & ~AUDIT_OPERATORS;
if (field == AUDIT_ARCH) {
int op = r->fieldflags[i] & AUDIT_OPERATORS;
mach = print_arch(r->values[i], op);
}
}
// And last do the syscalls
count = print_syscall(r, &sc);
}
// Now iterate over the fields
for (i = 0; i < r->field_count; i++) {
const char *name;
int op = r->fieldflags[i] & AUDIT_OPERATORS;
int field = r->fields[i] & ~AUDIT_OPERATORS;
if (field == AUDIT_ARCH)
continue; // already printed
name = audit_field_to_name(field);
if (name) {
// Special cases to print the different field types
// in a meaningful way.
if (field == AUDIT_MSGTYPE) {
if (!audit_msg_type_to_name(r->values[i]))
printf(" -F %s%s%d", name,
audit_operator_to_symbol(op),
r->values[i]);
else
printf(" -F %s%s%s", name,
audit_operator_to_symbol(op),
audit_msg_type_to_name(
r->values[i]));
} else if ((field >= AUDIT_SUBJ_USER &&
field <= AUDIT_OBJ_LEV_HIGH)
&& field != AUDIT_PPID) {
printf(" -F %s%s%.*s", name,
audit_operator_to_symbol(op),
r->values[i], &r->buf[boffset]);
boffset += r->values[i];
} else if (field == AUDIT_WATCH) {
if (watch)
printf("-w %.*s", r->values[i],
&r->buf[boffset]);
else
printf(" -F path=%.*s", r->values[i],
&r->buf[boffset]);
boffset += r->values[i];
} else if (field == AUDIT_DIR) {
if (watch)
printf("-w %.*s/", r->values[i],
&r->buf[boffset]);
else
printf(" -F dir=%.*s", r->values[i],
&r->buf[boffset]);
boffset += r->values[i];
} else if (field == AUDIT_FILTERKEY) {
char *rkey, *ptr, *saved;
if (asprintf(&rkey, "%.*s", r->values[i],
&r->buf[boffset]) < 0)
rkey = NULL;
boffset += r->values[i];
ptr = strtok_r(rkey, key_sep, &saved);
while (ptr) {
if (watch)
printf(" -k %s", ptr);
else
printf(" -F key=%s", ptr);
ptr = strtok_r(NULL, key_sep, &saved);
}
free(rkey);
} else if (field == AUDIT_PERM) {
char perms[5];
int val=r->values[i];
perms[0] = 0;
if (val & AUDIT_PERM_READ)
strcat(perms, "r");
if (val & AUDIT_PERM_WRITE)
strcat(perms, "w");
if (val & AUDIT_PERM_EXEC)
strcat(perms, "x");
if (val & AUDIT_PERM_ATTR)
strcat(perms, "a");
if (watch)
printf(" -p %s", perms);
else
printf(" -F perm=%s", perms);
} else if (field == AUDIT_INODE) {
// This is unsigned
printf(" -F %s%s%u", name,
audit_operator_to_symbol(op),
r->values[i]);
} else if (field == AUDIT_FIELD_COMPARE) {
print_field_cmp(r->values[i], op);
} else if (field >= AUDIT_ARG0 && field <= AUDIT_ARG3){
if (field == AUDIT_ARG0)
a0 = r->values[i];
else if (field == AUDIT_ARG1)
a1 = r->values[i];
// Show these as hex
if (count > 1 || interpret == 0)
printf(" -F %s%s0x%X", name,
audit_operator_to_symbol(op),
r->values[i]);
else { // Use ignore to mean interpret
const char *out;
idata id;
char val[32];
int type;
id.syscall = sc;
id.machine = mach;
id.a0 = a0;
id.a1 = a1;
id.name = name;
snprintf(val, 32, "%x", r->values[i]);
id.val = val;
type = auparse_interp_adjust_type(
AUDIT_SYSCALL, name, val);
out = auparse_do_interpretation(type,
&id);
printf(" -F %s%s%s", name,
audit_operator_to_symbol(op),
out);
free((void *)out);
}
} else if (field == AUDIT_EXIT) {
int e = abs((int)r->values[i]);
const char *err = audit_errno_to_name(e);
if (((int)r->values[i] < 0) && err)
printf(" -F %s%s-%s", name,
audit_operator_to_symbol(op),
err);
else
printf(" -F %s%s%d", name,
audit_operator_to_symbol(op),
(int)r->values[i]);
} else {
// The default is signed decimal
printf(" -F %s%s%d", name,
audit_operator_to_symbol(op),
r->values[i]);
}
} else {
// The field name is unknown
printf(" f%d%s%d", r->fields[i],
audit_operator_to_symbol(op),
r->values[i]);
}
}
printf("\n");
}
static void interpret(char *name, char *val, int comma, int rtype)
{
int type;
while (*name == ' '||*name == '(')
name++;
/* Do some fixups */
if (rtype == AUDIT_EXECVE && name[0] == 'a')
type = T_ESCAPED;
else if (rtype == AUDIT_AVC && strcmp(name, "saddr") == 0)
type = -1;
else if (strcmp(name, "acct") == 0) {
// Remove trailing punctuation
int len = strlen(val);
if (val[len-1] == ':')
val[len-1] = 0;
if (val[0] == '"')
type = T_ESCAPED;
else if (is_hex_string(val))
type = T_ESCAPED;
else
type = -1;
} else
type = audit_lookup_type(name);
switch(type) {
case T_UID:
print_uid(val);
break;
case T_GID:
print_gid(val);
break;
case T_SYSCALL:
print_syscall(val);
break;
case T_ARCH:
print_arch(val);
break;
case T_EXIT:
print_exit(val);
break;
case T_ESCAPED:
print_escaped(val);
break;
case T_PERM:
print_perm(val);
break;
case T_MODE:
print_mode(val);
break;
case T_SOCKADDR:
print_sockaddr(val);
break;
case T_FLAGS:
print_flags(val);
break;
case T_PROMISC:
print_promiscuous(val);
break;
case T_CAPABILITY:
print_capabilities(val);
break;
case T_SIGNAL:
print_signals(val);
break;
case T_KEY:
print_key(val);
break;
case T_LIST:
print_list(val);
break;
case T_TTY_DATA:
print_tty_data(val);
break;
default:
printf("%s%c", val, comma ? ',' : ' ');
}
}
