
estrace

estrace is an eBPF-based syscall tracing tool for the Android platform.

Features:

  • Reads and prints string arguments of traced syscalls
  • Can compute the LR (the return address in the link register) at the time of the syscall

Notes on some options:

  • --syscall traces several syscalls at once; separate them with commas
  • --no-syscall is a syscall blacklist; it can be used when --syscall is not given
  • --no-tid is a thread-id blacklist, recommended when some threads flood the output; multiple ids are supported, separated by commas
  • --no-uid-filter disables filtering by uid; use it for apps that run code in an isolatedProcess, since such processes run under a separate uid and would otherwise be filtered out

Requirements

  • A phone with root access
  • Kernel version 5.10 or newer (so far only tested on 5.10)

Recommended device: Redmi Note 11T Pro

Usage

First push estrace to the phone and make it executable:

adb push estrace /data/local/tmp
adb shell chmod +x /data/local/tmp/estrace

Then open an adb shell and run the commands as root. Examples:

  1. Trace and locate execve calls
/data/local/tmp/estrace --name com.starbucks.cn --syscall execve --getlr -o trace.log

  2. Try bypassing a root check

The project provides a --bypass option that you can use to test bypassing a root check; note that this is only a simple demonstration.

For the key code in the corresponding eBPF program, see the send_data function in raw_syscalls.c.

The principle is to compare the readable string arguments and, when one matches a preset string, overwrite its contents. Reference command:

./estrace --name io.github.vvb2060.mahoshojo -o tmp.log --quiet --bypass

This can defeat momo's root detection; for the demo, see:

  3. Locate a file-redirection check
./estrace --name com.ysh.hookapkverify --syscall openat,readlinkat --getpc -o tmp.log

This is a typical file-redirection check made through an inline svc: the app issues openat/readlinkat with its own svc instruction instead of calling libc, so a libc-level hook never sees the call. Because estrace works at the syscall layer it still sees it, and --getpc reports the address of the svc instruction, which makes the check quick to locate.
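To show what the check located in example 3 looks like from the app's side, here is an added illustrative C example; it is not code from estrace or from the app named above. It issues openat and readlinkat with a raw svc #0 instruction on arm64 (on other architectures it falls back to libc's syscall() so it can be built and run on a development host) and compares the kernel's view of /proc/self/exe with the one libc returns. The function names, the choice of /proc/self/exe and /proc/self/maps as probe targets, and the error handling are this example's own assumptions.

```c
// Illustrative inline-svc file-redirection check (added example, not code from
// estrace or from any app mentioned on this page). An app that wants to detect
// that a path has been redirected by a hooking framework can skip libc entirely
// and issue the syscall with a raw `svc #0`; a syscall-layer tracer such as
// estrace still sees the call, and --getpc reports where the svc instruction is.
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

// Four-argument raw syscall. On arm64 the number goes in x8, the arguments in
// x0..x3, and the result comes back in x0 (negative errno on failure). On other
// architectures fall back to libc's syscall() and normalise its -1/errno
// convention to the same -errno return value.
static long raw_syscall4(long nr, long a0, long a1, long a2, long a3) {
#if defined(__aarch64__)
    register long x8 __asm__("x8") = nr;
    register long x0 __asm__("x0") = a0;
    register long x1 __asm__("x1") = a1;
    register long x2 __asm__("x2") = a2;
    register long x3 __asm__("x3") = a3;
    __asm__ volatile("svc #0"
                     : "+r"(x0)
                     : "r"(x8), "r"(x1), "r"(x2), "r"(x3)
                     : "memory", "cc");
    return x0;
#else
    long r = syscall(nr, a0, a1, a2, a3);
    return r < 0 ? -errno : r;
#endif
}

// readlinkat(AT_FDCWD, path, buf, size-1) issued directly to the kernel.
// The kernel does not NUL-terminate the result, so terminate it here.
// Returns the link length or a negative errno value.
static long raw_readlink(const char *path, char *buf, size_t size) {
    long n = raw_syscall4(__NR_readlinkat, AT_FDCWD, (long)path, (long)buf,
                          (long)(size - 1));
    if (n >= 0) buf[n] = '\0';
    return n;
}

// openat(AT_FDCWD, path, flags, 0) issued directly to the kernel.
// Returns a file descriptor or a negative errno value.
static long raw_open(const char *path, int flags) {
    return raw_syscall4(__NR_openat, AT_FDCWD, (long)path, (long)flags, 0);
}

// The redirection check itself: resolve /proc/self/exe once through libc
// (which a hooking framework can intercept) and once through the raw svc
// path, and compare. Returns 1 when both agree, 0 when libc's answer differs
// from the kernel's, and -1 if either lookup failed.
int exe_path_consistent(void) {
    char via_libc[PATH_MAX];
    char via_svc[PATH_MAX];
    ssize_t n1 = readlink("/proc/self/exe", via_libc, sizeof(via_libc) - 1);
    long n2 = raw_readlink("/proc/self/exe", via_svc, sizeof(via_svc));
    if (n1 < 0 || n2 < 0) return -1;
    via_libc[n1] = '\0';
    return strcmp(via_libc, via_svc) == 0;
}

// Probe whether a path can be opened read-only through the raw syscall path.
// Returns 1 if it opened (the descriptor is closed again), 0 if the kernel
// refused, e.g. with -ENOENT for a path that does not exist.
int raw_open_readable(const char *path) {
    long fd = raw_open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0) return 0;
    close((int)fd);
    return 1;
}

int main(void) {
    printf("/proc/self/exe via libc and via svc agree: %d\n",
           exe_path_consistent());
    printf("/proc/self/maps readable via svc: %d\n",
           raw_open_readable("/proc/self/maps"));
    return 0;
}
```

Because the svc instruction lives in the app's own code rather than in libc, a PLT or inline hook on readlink()/openat() never runs for these calls; a tracer at the syscall layer does see them, and the pc that estrace's --getpc prints is the address right after that svc, which you can translate into an offset inside the app's native library to find the check.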

For more options, run ./estrace --help.

Building

This project is cross-compiled on linux x86_64 with Go + the NDK.

  1. First download and unpack NDK r25 and install Go 1.18

  2. Then sync the required source code

git clone https://github.com/SeeFlowerX/ebpf
git clone https://github.com/SeeFlowerX/ebpfmanager
git clone https://github.com/SeeFlowerX/estrace
  3. Enter the source directory and sync the external libraries
cd estrace
mkdir -p external && cd external

git clone https://android.googlesource.com/platform/bionic --depth=1
mkdir system && cd system

git clone https://android.googlesource.com/platform/system/core --depth=1
cd ..

git clone https://android.googlesource.com/platform/external/libbpf --depth=1
cd ..
  4. Set the Go environment variables
go env -w GO111MODULE=on
go env -w GOPROXY=https://goproxy.cn,direct
  5. Set the NDK environment variables; change NDK_ROOT to the path where you unpacked your NDK
export NDK_ROOT=/home/kali/Desktop/android-ndk-r25b
export PATH=$NDK_ROOT/toolchains/llvm/prebuilt/linux-x86_64/bin:$PATH
  6. Build; the output is bin/estrace
make clean && make

You can also gather the build commands into a script that pushes the binary to the phone right after building, for example:

export NDK_ROOT=/home/kali/Desktop/android-ndk-r25b
export PATH=$NDK_ROOT/toolchains/llvm/prebuilt/linux-x86_64/bin:$PATH

make clean && make

adb push bin/estrace /data/local/tmp
adb shell chmod +x /data/local/tmp/estrace

TODO

  • More detailed output

Thanks

Discussion group
