static void loop_it(pid_t pid, int *toggle, long *syscall_id) { int status; t_urs regs; wait(&status); if (WIFEXITED(status)) exit(0); if (*toggle == 0) { ptrace(PTRACE_GETREGS, pid, NULL, ®s); *syscall_id = regs.orig_eax; if (*syscall_id >= 0) { print_syscall(pid, *syscall_id, ®s); *toggle = 1; } } else *toggle = 0; if (ptrace(PTRACE_SINGLESTEP, pid, NULL, NULL) == -1) { perror("singlestep: ptrace(PTRACE_SINGLESTEP, ...): Operation not permitted"); exit(-1); } }
void ret_strace(unsigned int retval) { #ifdef STRACE_RETWAIT print_syscall(¤t->sc_info, retval); #else printk("[%d:%s/ret=%d]\n", current->pid, current->sc_info.s_name, retval); #endif }
void print_openbsd_syscall(int num, abi_long arg1, abi_long arg2, abi_long arg3, abi_long arg4, abi_long arg5, abi_long arg6) { print_syscall(num, openbsd_scnames, ARRAY_SIZE(openbsd_scnames), arg1, arg2, arg3, arg4, arg5, arg6); }
void print_syscall_ret(struct trussinfo *trussinfo, const char *name, int nargs, char **s_args, int errorp, int retval) { print_syscall(trussinfo, name, nargs, s_args); if (errorp) { fprintf(trussinfo->outfile, " ERR#%d '%s'\n", retval, strerror(retval)); } else { fprintf(trussinfo->outfile, " = %d (0x%x)\n", retval, retval); } }
int strace(struct syscall_params p) { /* set up cur_sys */ current->sc_info = p; #ifndef STRACE_RETWAIT print_syscall(¤t->sc_info, 0); #endif /* First we check the kernel stack magic */ if (current->t_kstackm != KSTACK_MAGIC) panic("Process %d had kernel stack overflow before syscall\n", current->pid); return p.s_num; }
int main(int argc, char **argv){ printf("The filename is %s\n",filename); parse_system_call_name(filename); int pid; int i = 1; i+=2; pid = atoi(argv[1]); //printf("Hello, world (i=%d)!\n", pid); jint stat=0; jint res=0; long syscall; printf("Attaching to a process %d",pid); if ((ptrace(PTRACE_ATTACH, pid, NULL, NULL)) != 0) { printf("Could not attach to process, errno is %d",errno); } res = waitpid(pid, &stat, WUNTRACED); __android_log_print(ANDROID_LOG_INFO,LOG_TAG,"Status of the traced process %d\n",stat); ptrace(PTRACE_SETOPTIONS, pid, 0, PTRACE_O_TRACESYSGOOD); while(1){ if(trace_syscall(pid)!=0) break; #ifdef __arm__ print_syscall_arm(pid); #else print_syscall(pid); if(trace_syscall(pid)!=0) break; get_return_value(pid); #endif } cleanup_syscall_tabel(); return 0; }
int do_trace(pid_t child) { int status; int retval; waitpid(child, &status, 0); assert(WIFSTOPPED(status)); ptrace(PTRACE_SETOPTIONS, child, 0, PTRACE_O_TRACESYSGOOD); while(1) { if (wait_for_syscall(child) != 0) break; print_syscall(child); if (wait_for_syscall(child) != 0) break; retval = get_reg(child, eax); assert(errno == 0); fprintf(stderr, "%d\n", retval); } return 0; }
/* * This function prints 1 rule from the kernel reply */ static void print_rule(const struct audit_rule_data *r) { unsigned int i, count = 0, sc = 0; size_t boffset = 0; int mach = -1, watch = is_watch(r); unsigned long long a0 = 0, a1 = 0; if (!watch) { /* This is syscall auditing */ printf("-a %s,%s", audit_action_to_name((int)r->action), audit_flag_to_name(r->flags)); // Now find the arch and print it for (i = 0; i < r->field_count; i++) { int field = r->fields[i] & ~AUDIT_OPERATORS; if (field == AUDIT_ARCH) { int op = r->fieldflags[i] & AUDIT_OPERATORS; mach = print_arch(r->values[i], op); } } // And last do the syscalls count = print_syscall(r, &sc); } // Now iterate over the fields for (i = 0; i < r->field_count; i++) { const char *name; int op = r->fieldflags[i] & AUDIT_OPERATORS; int field = r->fields[i] & ~AUDIT_OPERATORS; if (field == AUDIT_ARCH) continue; // already printed name = audit_field_to_name(field); if (name) { // Special cases to print the different field types // in a meaningful way. if (field == AUDIT_MSGTYPE) { if (!audit_msg_type_to_name(r->values[i])) printf(" -F %s%s%d", name, audit_operator_to_symbol(op), r->values[i]); else printf(" -F %s%s%s", name, audit_operator_to_symbol(op), audit_msg_type_to_name( r->values[i])); } else if ((field >= AUDIT_SUBJ_USER && field <= AUDIT_OBJ_LEV_HIGH) && field != AUDIT_PPID) { printf(" -F %s%s%.*s", name, audit_operator_to_symbol(op), r->values[i], &r->buf[boffset]); boffset += r->values[i]; } else if (field == AUDIT_WATCH) { if (watch) printf("-w %.*s", r->values[i], &r->buf[boffset]); else printf(" -F path=%.*s", r->values[i], &r->buf[boffset]); boffset += r->values[i]; } else if (field == AUDIT_DIR) { if (watch) printf("-w %.*s/", r->values[i], &r->buf[boffset]); else printf(" -F dir=%.*s", r->values[i], &r->buf[boffset]); boffset += r->values[i]; } else if (field == AUDIT_FILTERKEY) { char *rkey, *ptr, *saved; if (asprintf(&rkey, "%.*s", r->values[i], &r->buf[boffset]) < 0) rkey = NULL; boffset += r->values[i]; ptr = strtok_r(rkey, key_sep, &saved); while (ptr) { if (watch) printf(" -k %s", ptr); else printf(" -F key=%s", ptr); ptr = strtok_r(NULL, key_sep, &saved); } free(rkey); } else if (field == AUDIT_PERM) { char perms[5]; int val=r->values[i]; perms[0] = 0; if (val & AUDIT_PERM_READ) strcat(perms, "r"); if (val & AUDIT_PERM_WRITE) strcat(perms, "w"); if (val & AUDIT_PERM_EXEC) strcat(perms, "x"); if (val & AUDIT_PERM_ATTR) strcat(perms, "a"); if (watch) printf(" -p %s", perms); else printf(" -F perm=%s", perms); } else if (field == AUDIT_INODE) { // This is unsigned printf(" -F %s%s%u", name, audit_operator_to_symbol(op), r->values[i]); } else if (field == AUDIT_FIELD_COMPARE) { print_field_cmp(r->values[i], op); } else if (field >= AUDIT_ARG0 && field <= AUDIT_ARG3){ if (field == AUDIT_ARG0) a0 = r->values[i]; else if (field == AUDIT_ARG1) a1 = r->values[i]; // Show these as hex if (count > 1 || interpret == 0) printf(" -F %s%s0x%X", name, audit_operator_to_symbol(op), r->values[i]); else { // Use ignore to mean interpret const char *out; idata id; char val[32]; int type; id.syscall = sc; id.machine = mach; id.a0 = a0; id.a1 = a1; id.name = name; snprintf(val, 32, "%x", r->values[i]); id.val = val; type = auparse_interp_adjust_type( AUDIT_SYSCALL, name, val); out = auparse_do_interpretation(type, &id); printf(" -F %s%s%s", name, audit_operator_to_symbol(op), out); free((void *)out); } } else if (field == AUDIT_EXIT) { int e = abs((int)r->values[i]); const char *err = audit_errno_to_name(e); if (((int)r->values[i] < 0) && err) printf(" -F %s%s-%s", name, audit_operator_to_symbol(op), err); else printf(" -F %s%s%d", name, audit_operator_to_symbol(op), (int)r->values[i]); } else { // The default is signed decimal printf(" -F %s%s%d", name, audit_operator_to_symbol(op), r->values[i]); } } else { // The field name is unknown printf(" f%d%s%d", r->fields[i], audit_operator_to_symbol(op), r->values[i]); } } printf("\n"); }
static void interpret(char *name, char *val, int comma, int rtype) { int type; while (*name == ' '||*name == '(') name++; /* Do some fixups */ if (rtype == AUDIT_EXECVE && name[0] == 'a') type = T_ESCAPED; else if (rtype == AUDIT_AVC && strcmp(name, "saddr") == 0) type = -1; else if (strcmp(name, "acct") == 0) { // Remove trailing punctuation int len = strlen(val); if (val[len-1] == ':') val[len-1] = 0; if (val[0] == '"') type = T_ESCAPED; else if (is_hex_string(val)) type = T_ESCAPED; else type = -1; } else type = audit_lookup_type(name); switch(type) { case T_UID: print_uid(val); break; case T_GID: print_gid(val); break; case T_SYSCALL: print_syscall(val); break; case T_ARCH: print_arch(val); break; case T_EXIT: print_exit(val); break; case T_ESCAPED: print_escaped(val); break; case T_PERM: print_perm(val); break; case T_MODE: print_mode(val); break; case T_SOCKADDR: print_sockaddr(val); break; case T_FLAGS: print_flags(val); break; case T_PROMISC: print_promiscuous(val); break; case T_CAPABILITY: print_capabilities(val); break; case T_SIGNAL: print_signals(val); break; case T_KEY: print_key(val); break; case T_LIST: print_list(val); break; case T_TTY_DATA: print_tty_data(val); break; default: printf("%s%c", val, comma ? ',' : ' '); } }