├── README.md ├── handleSeccomp.js ├── img ├── 1.png ├── 2.JPG └── 3.JPG └── multi_frida_seccomp.py /README.md: -------------------------------------------------------------------------------- 1 | # 一个Android通用svc跟踪以及hook方案——Frida-Seccomp 2 | 3 | ## 效果 4 | ### openat 5 | ![图片描述](img/2.JPG) 6 | ### recvfrom 7 | ![图片描述](img/3.JPG) 8 | # 原理及其介绍 9 | https://bbs.pediy.com/thread-271815.htm 10 | # 如何使用 11 | ``` 12 | pip3 install frida 13 | python3 multi_frida_seccomp.py 14 | ``` 15 | log信息可以在logcat过滤“seccomp”查看 16 | 同时也自动保存到了「包名\_pid\_时间戳」文件夹内(支持多进程) 17 | ![图片描述](img/1.png) -------------------------------------------------------------------------------- /handleSeccomp.js: -------------------------------------------------------------------------------- 1 | let install_filter = null, syscall_thread_ptr, call_task, lock, unlock, findSoinfoByAddr, solist_get_head_ptr, get_soname, get_base, get_size, maps = []; 2 | const MAX_STACK_TRACE_DEPTH = 10; 3 | const Target_NR = 207; 4 | const prctl_ptr = Module.findExportByName(null, 'prctl') 5 | const strcpy_ptr = Module.findExportByName(null, 'strcpy') 6 | const fopen_ptr = Module.findExportByName(null, 'fopen') 7 | const fclose_ptr = Module.findExportByName(null, 'fclose') 8 | const fgets_ptr = Module.findExportByName(null, 'fgets') 9 | const strtoul_ptr = Module.findExportByName(null, 'strtoul') 10 | const strtok_ptr = Module.findExportByName(null, 'strtok') 11 | const malloc_ptr = Module.findExportByName(null, 'malloc') 12 | const __android_log_print_ptr = Module.findExportByName(null, '__android_log_print') 13 | const pthread_create_ptr = Module.findExportByName(null, 'pthread_create') 14 | const pthread_mutex_init_ptr = Module.findExportByName(null, 'pthread_mutex_init') 15 | const pthread_mutex_lock_ptr = Module.findExportByName(null, 'pthread_mutex_lock') 16 | const pthread_mutex_unlock_ptr = Module.findExportByName(null, 'pthread_mutex_unlock') 17 | const pthread_join_ptr = Module.findExportByName(null, 'pthread_join') 18 | 
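const syscall_ptr = Module.findExportByName(null, 'syscall');
const linker = Process.findModuleByName("linker64");
const linker_symbols = linker.enumerateSymbols();
// Resolve the two private linker symbols this script depends on. If either is
// missing on the running Android build, solist_get_head_ptr / get_soname stay
// undefined and module-name resolution below cannot work.
for (const symbol of linker_symbols) {
    if (symbol.name === '__dl__Z15solist_get_headv') {
        solist_get_head_ptr = symbol.address;
    } else if (symbol.name === '__dl__ZNK6soinfo10get_sonameEv') {
        get_soname = new NativeFunction(symbol.address, "pointer", ["pointer"]);
    }
}

/**
 * Create the helper thread, bind the CModule entry points and install the
 * seccomp filter for Target_NR.
 *
 * Must run on the thread whose syscalls are to be traced, and early: the
 * Frida script itself runs on a thread Frida created, so init() is invoked
 * from a hook (android_dlopen_ext, below) instead of at script load.
 *
 * Ordering matters: the helper thread is created BEFORE the filter is
 * installed. A filter installed through prctl() applies to the calling thread
 * and to threads created from it afterwards, so the helper stays unfiltered
 * and can issue the trapped syscall on behalf of the filtered thread.
 */
function init() {
    syscall_thread_ptr = new NativeFunction(cm.pthread_syscall_create, "pointer", [])();
    findSoinfoByAddr = new NativeFunction(cm.findSoinfoByAddr, "pointer", ["pointer"]);
    get_base = new NativeFunction(cm.get_base, "uint64", ["pointer"]);
    get_size = new NativeFunction(cm.get_size, "size_t", ["pointer"]);
    call_task = new NativeFunction(cm.call_task, "pointer", ["pointer", "pointer", "int"]);
    install_filter = new NativeFunction(cm.install_filter, "int", ['uint32']);
    lock = new NativeFunction(cm.lock, "int", ["pointer"]);
    unlock = new NativeFunction(cm.unlock, "int", ["pointer"]);

    // SECCOMP_RET_TRAP raises SIGSYS, which Frida surfaces as a "system" exception.
    Process.setExceptionHandler(function (details) {
        // On the trap, pc points just past the svc instruction.
        const current_off = details.context.pc - 4;
        // Only claim the exception when the preceding opcode is 01 00 00 d4 (svc 0).
        const isSeccompTrap = details.message === "system error"
            && details.type === "system"
            && hex(ptr(current_off).readByteArray(4)) === "010000d4";
        if (!isSeccompTrap) {
            return false;
        }

        // Serialise trapped threads: the helper thread has a single task slot.
        lock(syscall_thread_ptr);
        try {
            // x8 carries the syscall number.
            const nr = details.context.x8.toString(10);
            const entry = syscalls[nr];
            const syscallName = entry ? entry[1] : "unknown";
            let loginfo = "\n==================";
            loginfo += `\nSVC[${syscallName}|${nr}] ==> PC:${addrToString(current_off)} P${Process.id}-T${Process.getCurrentThreadId()}`;

            // Argument block for the helper thread: [nr, x0, x1, x2, x3, x4, x5].
            const args = Memory.alloc(7 * 8);
            args.writePointer(details.context.x8);
            const args_reg_arr = {};
            for (let index = 0; index < 6; index++) {
                // Plain property lookup; no eval() is needed to pick a register by index.
                const reg = details.context[`x${index}`];
                args.add(8 * (index + 1)).writePointer(reg);
                args_reg_arr[`arg${index}`] = reg;
            }

            // Frame-pointer walk, symbolised frame by frame.
            loginfo += "\n" + stacktrace(ptr(current_off), details.context.fp, details.context.sp)
                .map((frame) => addrToString(frame))
                .join('\n');
            loginfo += "\nargs = " + JSON.stringify(args_reg_arr);

            // Re-issue the syscall on the unfiltered helper thread and hand its
            // result back to the trapped thread in x0.
            details.context.x0 = call_task(syscall_thread_ptr, args, 0);
            loginfo += "\nret = " + details.context.x0.toString();

            call_thread_log(loginfo);
            return true;
        } finally {
            // Always release the mutex: if anything above throws while it is
            // held, every later trapped syscall would block forever.
            unlock(syscall_thread_ptr);
        }
    });

    // Trap the syscall number held in Target_NR (207 is recvfrom in the
    // syscalls table of this file; openat would be 56).
    install_filter(Target_NR);
}

// CModule: native helpers (helper thread, soinfo lookup, seccomp filter install).
const cm = new CModule(`
/* NOTE(review): the two header names were stripped when this page was
 * extracted. stdio.h and glib.h are inferred from the identifiers used below
 * (FILE; gchar, g_strdup_vprintf, g_free) - confirm against the upstream file. */
#include <stdio.h>
#include <glib.h>
#define BPF_STMT(code,k) { (unsigned short) (code), 0, 0, k }
#define BPF_JUMP(code,k,jt,jf) { (unsigned short) (code), jt, jf, k }
#define BPF_LD 0x00
#define BPF_W 0x00
#define BPF_ABS 0x20
#define BPF_JEQ 0x10
#define BPF_JMP 0x05
#define BPF_K 0x00
#define BPF_RET 0x06

#define PR_SET_SECCOMP 22
#define PR_SET_NO_NEW_PRIVS 38
#define SECCOMP_MODE_FILTER 2
#define SECCOMP_RET_TRAP 0x00030000U
#define SECCOMP_RET_ALLOW 0x7fff0000U

#define SIGSYS 12
#define SIG_UNBLOCK 2

typedef unsigned char __u8;
typedef unsigned short __u16;
typedef unsigned int __u32;
typedef unsigned long long __u64;
typedef unsigned long sigset_t;
typedef long pthread_t;

typedef struct {
    uint32_t flags;
    void* stack_base;
    size_t stack_size;
    size_t guard_size;
    int32_t sched_policy;
    int32_t sched_priority;
#ifdef __LP64__
    char __reserved[16];
#endif
} pthread_attr_t;

typedef struct {
#if defined(__LP64__)
    int32_t __private[10];
#else
    int32_t __private[1];
#endif
} pthread_mutex_t;

/* Single-slot mailbox shared between trapped threads and the helper thread.
 * NOTE(review): isTask / isReturn are plain ints polled from two threads with
 * no atomics or barriers; callers are serialised by the mutex, but the
 * hand-off itself relies on the compiler and CPU not reordering these
 * accesses - confirm this holds for the toolchain in use. */
typedef struct {
    int type;
    int isTask;
    void *args;
    int isReturn;
    void *ret;
    pthread_t thread;
    pthread_mutex_t mutex;
} thread_syscall_t;

/* NOTE(review): presumably mirrors the leading fields of the linker's soinfo
 * on the targeted Android build; the layout is not verified here. */
typedef struct{
    const void *phdr;
    size_t phnum;
    uint64_t base;
    size_t size;
    void *dynamic;
    void *next;
} soinfo;

extern char* strcpy(char* __dst, const char* __src);
extern void* fopen(const char* __path, const char* __mode);
extern int fclose(void* __fp);
extern char* fgets(char* __buf, int __size, void* __fp);
extern unsigned long strtoul(const char* __s, char** __end_ptr, int __base);
extern char* strtok(char* __s, const char* __delimiter);
extern soinfo *solist_get_head();
extern int __android_log_print(int prio, const char* tag, const char* fmt, ...);
extern void *malloc(size_t __byte_count);
extern long syscall(long __number, ...);
extern int pthread_create(pthread_t* __pthread_ptr, pthread_attr_t const* __attr, void* (*__start_routine)(void*), void*);
extern int pthread_mutex_init(pthread_mutex_t* __mutex, const void* __attr);
extern int pthread_mutex_lock(pthread_mutex_t* __mutex);
extern int pthread_mutex_unlock(pthread_mutex_t* __mutex);
extern int pthread_join(pthread_t __pthread, void** __return_value_ptr);
extern void on_message(const gchar *message);
extern int prctl(int __option, ...);

uint64_t get_base(soinfo *si){
    return si->base;
}

size_t get_size(soinfo *si){
    return si->size;
}

/* Walk the linker's soinfo list and return the entry whose [base, base+size)
 * range contains addr_v, or NULL when no entry matches. */
soinfo *findSoinfoByAddr(void *addr_v) {
    uint64_t addr = (uint64_t) addr_v;
    for (soinfo *si = (soinfo *)solist_get_head(); si != NULL; si = si->next) {
        if (addr >= si->base && addr < (si->base + si->size)) {
            return si;
        }
    }
    return NULL;
}

/* printf-style logging forwarded to the script through on_message. */
static void log(const gchar *format, ...)
{
    gchar *message;
    va_list args;
    va_start(args, format);
    message = g_strdup_vprintf(format, args);
    va_end(args);
    on_message(message);
    g_free(message);
}

int lock(thread_syscall_t *syscall_thread){
    return pthread_mutex_lock(&syscall_thread->mutex);
}

int unlock(thread_syscall_t *syscall_thread){
    return pthread_mutex_unlock(&syscall_thread->mutex);
}

/* Task type 0: args is an array of 7 pointers, [nr, a0..a5]. */
void *call_syscall(void *args){
    void **d_args = (void **)args;
    void *ret = (void *)syscall((long)d_args[0] ,d_args[1] ,d_args[2] ,d_args[3], d_args[4], d_args[5], d_args[6]);
    return ret;
}

/* Task type 1: write one message to logcat under the "seccomp" tag.
 * The message is passed as data behind a fixed "%s" format. It is built from
 * module names and register values, so using it as the format string itself
 * would let any '%' in that text be interpreted as a conversion. */
void *call_log(void *args){
    __android_log_print(3, "seccomp", "%s", (const char *)args);
    return NULL;
}

/* Task type 2: return the /proc/self/maps line whose range contains args,
 * or NULL when the file cannot be opened or no line matches.
 * The buffer is static because the pointer is read by the caller after this
 * function has returned; a stack buffer would be dangling by then. Only the
 * helper thread runs this, one task at a time, so one buffer is enough.
 * strtoul's end pointer is used instead of strtok, which keeps process-wide
 * state shared with the instrumented application. */
void *call_read_maps(void *args){
    static char line[1024];
    uint64_t addr = (uint64_t) args;
    uint64_t start, end;
    char *sep;
    void *result = NULL;
    FILE *fp = fopen("/proc/self/maps", "r");
    if (fp == NULL) {
        return NULL;
    }
    while (fgets(line, sizeof(line), fp) != NULL) {
        start = (uint64_t) strtoul(line, &sep, 16);
        if (*sep != '-') {
            continue;
        }
        end = (uint64_t) strtoul(sep + 1, NULL, 16);
        if (addr >= start && addr < end) {
            result = (void *)line;
            break;
        }
    }
    fclose(fp);
    return result;
}

/* Post one task to the helper thread and spin until its result is available.
 * Callers hold the mutex (see lock/unlock), so only one task is in flight. */
void *call_task(thread_syscall_t *syscall_thread,void *args,int type){
    if(syscall_thread->isTask == 0){
        syscall_thread->args = args;
        syscall_thread->type = type;
        syscall_thread->isTask = 1;
    }
    do{
        if(syscall_thread->isReturn){
            syscall_thread->isReturn = 0;
            return syscall_thread->ret;
        }
    }while(1);
}

/* Helper thread body: poll the mailbox and run whichever task was posted.
 * It busy-waits, so it keeps one core occupied for the life of the process. */
void *pthread_syscall(void *args){
    thread_syscall_t *syscall_thread = (thread_syscall_t *)args;
    while(1){
        if(syscall_thread->isTask){
            if(syscall_thread->type == 0){
                syscall_thread->ret = call_syscall(syscall_thread->args);
            }else if(syscall_thread->type == 1){
                syscall_thread->ret = call_log(syscall_thread->args);
            }else if(syscall_thread->type == 2){
                syscall_thread->ret = call_read_maps(syscall_thread->args);
            }
            syscall_thread->args = NULL;
            syscall_thread->isReturn = 1;
            syscall_thread->isTask = 0;
        }
    }
    return NULL;
}

/* Allocate the mailbox and start the helper thread.
 * NOTE(review): the results of malloc and pthread_create are not checked. */
thread_syscall_t *pthread_syscall_create(){
    thread_syscall_t *syscall_thread = (thread_syscall_t *)malloc(sizeof(thread_syscall_t));
    syscall_thread->type = 0;
    syscall_thread->isTask = 0;
    syscall_thread->args = NULL;
    syscall_thread->ret = NULL;
    syscall_thread->isReturn = 0;
    pthread_mutex_init(&syscall_thread->mutex, NULL);
    pthread_t threadId;
    pthread_create(&threadId, NULL, &pthread_syscall, (void *)syscall_thread);
    syscall_thread->thread = threadId;
    return syscall_thread;
}

struct seccomp_data {
    int nr;
    __u32 arch;
    __u64 instruction_pointer;
    __u64 args[6];
};

struct sock_filter {
    __u16 code;
    __u8 jt;
    __u8 jf;
    __u32 k;
};

struct sock_fprog {
    unsigned short len;
    struct sock_filter * filter;
};

/* Install a seccomp-BPF filter that traps syscall nr and allows everything
 * else. Returns 0 on success, 1 when either prctl call fails.
 * Both steps are one-way for the calling thread: no_new_privs cannot be
 * cleared and an installed filter cannot be removed; threads and processes
 * created afterwards inherit them. */
int install_filter(__u32 nr) {
    /* nr is a 32-bit unsigned value, so the conversion is %u (not %lu). */
    log("install_filter(%u)",nr);
    struct sock_filter filter[] = {
        /* load seccomp_data.nr (offset 0) */
        BPF_STMT(BPF_LD + BPF_W + BPF_ABS, 0),
        BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, nr, 0, 1),
        BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_TRAP),
        BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        .len = (unsigned short) (sizeof(filter) / sizeof(filter[0])),
        .filter = filter,
    };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
        on_message("prctl(NO_NEW_PRIVS)");
        return 1;
    }
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) {
        on_message("prctl(PR_SET_SECCOMP)");
        return 1;
    }
    return 0;
}
`, {
    malloc: malloc_ptr,
    prctl: prctl_ptr,
    fopen: fopen_ptr,
    fclose: fclose_ptr,
    fgets: fgets_ptr,
    strtok: strtok_ptr,
    strcpy: strcpy_ptr,
    strtoul: strtoul_ptr,
    __android_log_print: __android_log_print_ptr,
    pthread_create: pthread_create_ptr,
    pthread_join: pthread_join_ptr,
    pthread_mutex_init: pthread_mutex_init_ptr,
    pthread_mutex_lock: pthread_mutex_lock_ptr,
    pthread_mutex_unlock: pthread_mutex_unlock_ptr,
    syscall: syscall_ptr,
    solist_get_head: solist_get_head_ptr,
    on_message: new NativeCallback(messagePtr => {
        const message = messagePtr.readUtf8String();
        console.log(message);
    }, 'void', ['pointer'])
});

// Run init() once, on whichever thread first calls android_dlopen_ext after
// the script is loaded; that thread is the one that receives the filter.
Interceptor.attach(Module.findExportByName(null, "android_dlopen_ext"), {
    onEnter(args) {
        if (install_filter === null) {
            init();
        }
    }
});


// Lookup table: byte value -> two-digit lowercase hex.
const byteToHex = [];

for (let n = 0; n <= 0xff; ++n) {
    const hexOctet = n.toString(16).padStart(2, "0");
    byteToHex.push(hexOctet);
}

/**
 * Hex-encode an ArrayBuffer, in memory order.
 * @param {ArrayBuffer} arrayBuffer - bytes to encode
 * @returns {string} lowercase hex string, two digits per byte
 */
function hex(arrayBuffer) {
    const buff = new Uint8Array(arrayBuffer);
    const hexOctets = [];
    for (const byte of buff) {
        hexOctets.push(byteToHex[byte]);
    }
    return hexOctets.join("");
}

/**
 * Write a message to logcat through the helper thread (task type 1).
 * @param {string} str - message text
 */
function call_thread_log(str) {
    call_task(syscall_thread_ptr, Memory.allocUtf8String(str), 1);
}

/**
 * Find the /proc/self/maps region that contains an address. Results are
 * cached in the module-level maps array as [start, end, name].
 * @param {NativePointer|number} addr - address to look up
 * @returns {{start: number, end: number, name: string}} the region; start and
 *   end are 0 and name is "" when no mapping contains the address
 */
function call_thread_read_maps(addr) {
    const addrValue = parseInt(addr.toString());
    for (const [cachedStart, cachedEnd, cachedName] of maps) {
        if (addrValue >= cachedStart && addrValue < cachedEnd) {
            return { start: cachedStart, end: cachedEnd, name: cachedName };
        }
    }
    // The file is read on the helper thread (task type 2), not on the trapped thread.
    const linePtr = call_task(syscall_thread_ptr, ptr(addr), 2);
    if (linePtr.isNull()) {
        return { start: 0, end: 0, name: "" };
    }
    // Line format: "start-end perms offset dev inode [pathname]".
    const fields = linePtr.readUtf8String().trim().split(/\s+/);
    const range = fields[0].split("-");
    const start = parseInt(range[0], 16);
    const end = parseInt(range[1], 16);
    // The pathname is the sixth field and is absent for anonymous mappings.
    // (The previous test, length == 2 then index 2, could never yield a name.)
    const name = fields.length >= 6 ? fields.slice(5).join(" ") : "";
    maps.push([start, end, name]);
    return { start, end, name };
}

/**
 * Format an address as "0x<addr>[<module>:0x<offset>]".
 * Lookup order: the linker's soinfo list, then the linker itself, then
 * /proc/self/maps; falls back to "[unkownmem:]".
 * @param {NativePointer|number} addr - address to describe
 * @returns {string} formatted address
 */
function addrToString(addr) {
    const add_s = parseInt(addr.toString(10));
    const addr_soinfo = findSoinfoByAddr(ptr(add_s));
    if (!addr_soinfo.isNull()) {
        return `0x${addr.toString(16)}[${get_soname(addr_soinfo).readUtf8String()}:0x${(addr - get_base(addr_soinfo)).toString(16)}]`;
    }
    if (add_s >= linker.base && add_s < linker.base + linker.size) {
        return `0x${add_s.toString(16)}[${linker.name}:0x${(add_s - linker.base).toString(16)}]`;
    }
    const mem_region = call_thread_read_maps(add_s);
    if (mem_region.name !== "") {
        return `0x${add_s.toString(16)}[${mem_region.name}:0x${(add_s - mem_region.start).toString(16)}]`;
    }
    return `0x${addr.toString(16)}[unkownmem:]`;
}

/**
 * Walk the frame-pointer chain, collecting at most MAX_STACK_TRACE_DEPTH
 * entries (pc first, then saved link registers).
 * @param {NativePointer} pc - address of the trapping instruction
 * @param {NativePointer} fp - frame pointer at the trap
 * @param {NativePointer} sp - stack pointer at the trap
 * @returns {NativePointer[]} collected addresses
 */
function stacktrace(pc, fp, sp) {
    const stack_arr = [pc];
    const mem_region = call_thread_read_maps(sp);
    const spValue = parseInt(sp.toString());
    let fp_c = fp;
    while (stack_arr.length < MAX_STACK_TRACE_DEPTH) {
        const fpValue = parseInt(fp_c.toString());
        // A frame record is 16 bytes (saved fp, saved lr). Stop unless all of it
        // lies at or above sp and inside the mapping that contains sp, so the
        // two reads below never leave that mapping.
        if (fpValue < spValue || fpValue < mem_region.start || fpValue + 16 > mem_region.end) {
            break;
        }
        const next_fp = fp_c.readPointer();
        const lr = fp_c.add(8).readPointer();
        fp_c = next_fp;
        stack_arr.push(lr);
    }
    return stack_arr;
}

// Syscall table indexed by number: [nr, name, nr in hex, argument descriptions...].
const syscalls = [
    [0, "io_setup", 0x00, "unsigned nr_reqs", "aio_context_t *ctx", "-", "-", "-"],
    [1, "io_destroy", 0x01, "aio_context_t ctx", "-", "-", "-", "-"],
    [2, "io_submit", 0x02, "aio_context_t", "long", "struct iocb * *", "-", "-"],
    [3, "io_cancel", 0x03, "aio_context_t ctx_id", "struct iocb *iocb", "struct io_event *result", "-", "-"],
    [4, "io_getevents", 0x04, "aio_context_t ctx_id", "long min_nr",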
"long nr", "struct io_event *events", "struct __kernel_timespec *timeout"], 426 | [5, "setxattr", 0x05, "const char *path", "const char *name", "const void *value", "size_t size", "int flags"], 427 | [6, "lsetxattr", 0x06, "const char *path", "const char *name", "const void *value", "size_t size", "int flags"], 428 | [7, "fsetxattr", 0x07, "int fd", "const char *name", "const void *value", "size_t size", "int flags"], 429 | [8, "getxattr", 0x08, "const char *path", "const char *name", "void *value", "size_t size", "-"], 430 | [9, "lgetxattr", 0x09, "const char *path", "const char *name", "void *value", "size_t size", "-"], 431 | [10, "fgetxattr", 0x0a, "int fd", "const char *name", "void *value", "size_t size"], 432 | [11, "listxattr", 0x0b, "const char *path", "char *list", "size_t size", "-"], 433 | [12, "llistxattr", 0x0c, "const char *path", "char *list", "size_t size", "-"], 434 | [13, "flistxattr", 0x0d, "int fd", "char *list", "size_t size", "-"], 435 | [14, "removexattr", 0x0e, "const char *path", "const char *name", "-", "-"], 436 | [15, "lremovexattr", 0x0f, "const char *path", "const char *name", "-", "-"], 437 | [16, "fremovexattr", 0x10, "int fd", "const char *name", "-", "-"], 438 | [17, "getcwd", 0x11, "char *buf", "unsigned long size", "-", "-"], 439 | [18, "lookup_dcookie", 0x12, "u64 cookie64", "char *buf", "size_t len", "-"], 440 | [19, "eventfd2", 0x13, "unsigned int count", "int flags", "-", "-"], 441 | [20, "epoll_create1", 0x14, "int flags"], 442 | [21, "epoll_ctl", 0x15, "int epfd", "int op", "int fd", "struct epoll_event *event"], 443 | [22, "epoll_pwait", 0x16, "int epfd", "struct epoll_event *events", "int maxevents", "int timeout", "const sigset_t *sigmask", "size_t sigsetsize"], 444 | [23, "dup", 0x17, "unsigned int fildes"], 445 | [24, "dup3", 0x18, "unsigned int oldfd", "unsigned int newfd", "int flags", "-"], 446 | [25, "fcntl", 0x19, "unsigned int fd", "unsigned int cmd", "unsigned long arg", "-"], 447 | [26, "inotify_init1", 0x1a, 
"int flags"], 448 | [27, "inotify_add_watch", 0x1b, "int fd", "const char *path", "u32 mask", "-"], 449 | [28, "inotify_rm_watch", 0x1c, "int fd", "__s32 wd", "-", "-"], 450 | [29, "ioctl", 0x1d, "unsigned int fd", "unsigned int cmd", "unsigned long arg", "-"], 451 | [30, "ioprio_set", 0x1e, "int which", "int who", "int ioprio", "-"], 452 | [31, "ioprio_get", 0x1f, "int which", "int who", "-", "-"], 453 | [32, "flock", 0x20, "unsigned int fd", "unsigned int cmd", "-", "-"], 454 | [33, "mknodat", 0x21, "int dfd", "const char * filename", "umode_t mode", "unsigned dev"], 455 | [34, "mkdirat", 0x22, "int dfd", "const char * pathname", "umode_t mode", "-"], 456 | [35, "unlinkat", 0x23, "int dfd", "const char * pathname", "int flag", "-"], 457 | [36, "symlinkat", 0x24, "const char * oldname", "int newdfd", "const char * newname", "-"], 458 | [37, "linkat", 0x25, "int olddfd", "const char *oldname", "int newdfd", "const char *newname", "int flag"], 459 | [38, "renameat", 0x26, "int olddfd", "const char * oldname", "int newdfd", "const char * newname"], 460 | [39, "umount2", 0x27, "?", "?", "?", "?", "?", "?["], 461 | [40, "mount", 0x28, "char *dev_name", "char *dir_name", "char *type", "unsigned long flags", "void *dat"], 462 | [41, "pivot_root", 0x29, "const char *new_root", "const char *put_old", "-", "-"], 463 | [42, "nfsservctl", 0x2a, "?", "?", "?", "?", "?", "?["], 464 | [43, "statfs", 0x2b, "const char * path", "struct statfs *buf", "-", "-"], 465 | [44, "fstatfs", 0x2c, "unsigned int fd", "struct statfs *buf", "-", "-"], 466 | [45, "truncate", 0x2d, "const char *path", "long length", "-", "-"], 467 | [46, "ftruncate", 0x2e, "unsigned int fd", "unsigned long length", "-", "-"], 468 | [47, "fallocate", 0x2f, "int fd", "int mode", "loff_t offset", "loff_t len"], 469 | [48, "faccessat", 0x30, "int dfd", "const char *filename", "int mode", "-"], 470 | [49, "chdir", 0x31, "const char *filename"], 471 | [50, "fchdir", 0x32, "unsigned int fd"], 472 | [51, "chroot", 0x33, 
"const char *filename"], 473 | [52, "fchmod", 0x34, "unsigned int fd", "umode_t mode", "-", "-"], 474 | [53, "fchmodat", 0x35, "int dfd", "const char * filename", "umode_t mode", "-"], 475 | [54, "fchownat", 0x36, "int dfd", "const char *filename", "uid_t user", "gid_t group", "int fla"], 476 | [55, "fchown", 0x37, "unsigned int fd", "uid_t user", "gid_t group", "-"], 477 | [56, "openat", 0x38, "int dfd", "const char *filename", "int flags", "umode_t mode"], 478 | [57, "close", 0x39, "unsigned int fd"], 479 | [58, "vhangup", 0x3a, "-"], 480 | [59, "pipe2", 0x3b, "int *fildes", "int flags", "-", "-"], 481 | [60, "quotactl", 0x3c, "unsigned int cmd", "const char *special", "qid_t id", "void *addr"], 482 | [61, "getdents64", 0x3d, "unsigned int fd", "struct linux_dirent64 *dirent", "unsigned int count", "-"], 483 | [62, "lseek", 0x3e, "unsigned int fd", "off_t offset", "unsigned int whence", "-"], 484 | [63, "read", 0x3f, "unsigned int fd", "char *buf", "size_t count", "-"], 485 | [64, "write", 0x40, "unsigned int fd", "const char *buf", "size_t count", "-"], 486 | [65, "readv", 0x41, "unsigned long fd", "const struct iovec *vec", "unsigned long vlen", "-"], 487 | [66, "writev", 0x42, "unsigned long fd", "const struct iovec *vec", "unsigned long vlen", "-"], 488 | [67, "pread64", 0x43, "unsigned int fd", "char *buf", "size_t count", "loff_t pos"], 489 | [68, "pwrite64", 0x44, "unsigned int fd", "const char *buf", "size_t count", "loff_t pos"], 490 | [69, "preadv", 0x45, "unsigned long fd", "const struct iovec *vec", "unsigned long vlen", "unsigned long pos_l", "unsigned long pos_"], 491 | [70, "pwritev", 0x46, "unsigned long fd", "const struct iovec *vec", "unsigned long vlen", "unsigned long pos_l", "unsigned long pos_"], 492 | [71, "sendfile", 0x47, "int out_fd", "int in_fd", "off_t *offset", "size_t count"], 493 | [72, "pselect6", 0x48, "int", "fd_set *", "fd_set *", "fd_set *", "struct __kernel_timespec *", "void *["], 494 | [73, "ppoll", 0x49, "struct pollfd *", 
"unsigned int", "struct __kernel_timespec *", "const sigset_t *", "size_"], 495 | [74, "signalfd4", 0x4a, "int ufd", "sigset_t *user_mask", "size_t sizemask", "int flags"], 496 | [75, "vmsplice", 0x4b, "int fd", "const struct iovec *iov", "unsigned long nr_segs", "unsigned int flags"], 497 | [76, "splice", 0x4c, "int fd_in", "loff_t *off_in", "int fd_out", "loff_t *off_out", "size_t len", "unsigned int flags["], 498 | [77, "tee", 0x4d, "int fdin", "int fdout", "size_t len", "unsigned int flags"], 499 | [78, "readlinkat", 0x4e, "int dfd", "const char *path", "char *buf", "int bufsiz"], 500 | [79, "newfstatat", 0x4f, "int dfd", "const char *filename", "struct stat *statbuf", "int flag"], 501 | [80, "fstat", 0x50, "unsigned int fd", "struct __old_kernel_stat *statbuf", "-", "-"], 502 | [81, "sync", 0x51, "-"], 503 | [82, "fsync", 0x52, "unsigned int fd"], 504 | [83, "fdatasync", 0x53, "unsigned int fd"], 505 | [84, "sync_file_range", 0x54, "int fd", "loff_t offset", "loff_t nbytes", "unsigned int flags"], 506 | [85, "timerfd_create", 0x55, "int clockid", "int flags", "-", "-"], 507 | [86, "timerfd_settime", 0x56, "int ufd", "int flags", "const struct __kernel_itimerspec *utmr", "struct __kernel_itimerspec *otmr"], 508 | [87, "timerfd_gettime", 0x57, "int ufd", "struct __kernel_itimerspec *otmr", "-", "-"], 509 | [88, "utimensat", 0x58, "int dfd", "const char *filename", "struct __kernel_timespec *utimes", "int flags"], 510 | [89, "acct", 0x59, "const char *name"], 511 | [90, "capget", 0x5a, "cap_user_header_t header", "cap_user_data_t dataptr", "-", "-"], 512 | [91, "capset", 0x5b, "cap_user_header_t header", "const cap_user_data_t data", "-", "-"], 513 | [92, "personality", 0x5c, "unsigned int personality"], 514 | [93, "exit", 0x5d, "int error_code"], 515 | [94, "exit_group", 0x5e, "int error_code"], 516 | [95, "waitid", 0x5f, "int which", "pid_t pid", "struct siginfo *infop", "int options", "struct rusage *r"], 517 | [96, "set_tid_address", 0x60, "int *tidptr"], 518 
| [97, "unshare", 0x61, "unsigned long unshare_flags"], 519 | [98, "futex", 0x62, "u32 *uaddr", "int op", "u32 val", "struct __kernel_timespec *utime", "u32 *uaddr2", "u32 val3["], 520 | [99, "set_robust_list", 0x63, "struct robust_list_head *head", "size_t len", "-", "-"], 521 | [100, "get_robust_list", 0x64, "int pid", "struct robust_list_head * *head_ptr", "size_t *len_ptr", "-", "-", "-"], 522 | [101, "nanosleep", 0x65, "struct __kernel_timespec *rqtp", "struct __kernel_timespec *rmtp", "-", "-", "-", "-"], 523 | [102, "getitimer", 0x66, "int which", "struct itimerval *value", "-", "-", "-", "-"], 524 | [103, "setitimer", 0x67, "int which", "struct itimerval *value", "struct itimerval *ovalue", "-", "-", "-"], 525 | [104, "kexec_load", 0x68, "unsigned long entry", "unsigned long nr_segments", "struct kexec_segment *segments", "unsigned long flags", "-", "-"], 526 | [105, "init_module", 0x69, "void *umod", "unsigned long len", "const char *uargs", "-", "-", "-"], 527 | [106, "delete_module", 0x6a, "const char *name_user", "unsigned int flags", "-", "-", "-", "-"], 528 | [107, "timer_create", 0x6b, "clockid_t which_clock", "struct sigevent *timer_event_spec", "timer_t * created_timer_id", "-", "-", "-"], 529 | [108, "timer_gettime", 0x6c, "timer_t timer_id", "struct __kernel_itimerspec *setting", "-", "-", "-", "-"], 530 | [109, "timer_getoverrun", 0x6d, "timer_t timer_id", "-", "-", "-", "-", "-"], 531 | [110, "timer_settime", 0x6e, "timer_t timer_id", "int flags", "const struct __kernel_itimerspec *new_setting", "struct __kernel_itimerspec *old_setting", "-", "-"], 532 | [111, "timer_delete", 0x6f, "timer_t timer_id", "-", "-", "-", "-", "-"], 533 | [112, "clock_settime", 0x70, "clockid_t which_clock", "const struct __kernel_timespec *tp", "-", "-", "-", "-"], 534 | [113, "clock_gettime", 0x71, "clockid_t which_clock", "struct __kernel_timespec *tp", "-", "-", "-", "-"], 535 | [114, "clock_getres", 0x72, "clockid_t which_clock", "struct __kernel_timespec *tp", 
"-", "-", "-", "-"], 536 | [115, "clock_nanosleep", 0x73, "clockid_t which_clock", "int flags", "const struct __kernel_timespec *rqtp", "struct __kernel_timespec *rmtp", "-", "-"], 537 | [116, "syslog", 0x74, "int type", "char *buf", "int len", "-", "-", "-"], 538 | [117, "ptrace", 0x75, "long request", "long pid", "unsigned long addr", "unsigned long data", "-", "-"], 539 | [118, "sched_setparam", 0x76, "pid_t pid", "struct sched_param *param", "-", "-", "-", "-"], 540 | [119, "sched_setscheduler", 0x77, "pid_t pid", "int policy", "struct sched_param *param", "-", "-", "-"], 541 | [120, "sched_getscheduler", 0x78, "pid_t pid", "-", "-", "-", "-", "-"], 542 | [121, "sched_getparam", 0x79, "pid_t pid", "struct sched_param *param", "-", "-", "-", "-"], 543 | [122, "sched_setaffinity", 0x7a, "pid_t pid", "unsigned int len", "unsigned long *user_mask_ptr", "-", "-", "-"], 544 | [123, "sched_getaffinity", 0x7b, "pid_t pid", "unsigned int len", "unsigned long *user_mask_ptr", "-", "-", "-"], 545 | [124, "sched_yield", 0x7c, "-", "-", "-", "-", "-", "-"], 546 | [125, "sched_get_priority_max", 0x7d, "int policy", "-", "-", "-", "-", "-"], 547 | [126, "sched_get_priority_min", 0x7e, "int policy", "-", "-", "-", "-", "-"], 548 | [127, "sched_rr_get_interval", 0x7f, "pid_t pid", "struct __kernel_timespec *interval", "-", "-", "-", "-"], 549 | [128, "restart_syscall", 0x80, "-", "-", "-", "-", "-", "-"], 550 | [129, "kill", 0x81, "pid_t pid", "int sig", "-", "-", "-", "-"], 551 | [130, "tkill", 0x82, "pid_t pid", "int sig", "-", "-", "-", "-"], 552 | [131, "tgkill", 0x83, "pid_t tgid", "pid_t pid", "int sig", "-", "-", "-"], 553 | [132, "sigaltstack", 0x84, "const struct sigaltstack *uss", "struct sigaltstack *uoss", "-", "-", "-", "-"], 554 | [133, "rt_sigsuspend", 0x85, "sigset_t *unewset", "size_t sigsetsize", "-", "-", "-", "-"], 555 | [134, "rt_sigaction", 0x86, "int", "const struct sigaction *", "struct sigaction *", "size_t", "-", "-"], 556 | [135, "rt_sigprocmask", 
0x87, "int how", "sigset_t *set", "sigset_t *oset", "size_t sigsetsize", "-", "-"], 557 | [136, "rt_sigpending", 0x88, "sigset_t *set", "size_t sigsetsize", "-", "-", "-", "-"], 558 | [137, "rt_sigtimedwait", 0x89, "const sigset_t *uthese", "siginfo_t *uinfo", "const struct __kernel_timespec *uts", "size_t sigsetsize", "-", "-"], 559 | [138, "rt_sigqueueinfo", 0x8a, "pid_t pid", "int sig", "siginfo_t *uinfo", "-", "-", "-"], 560 | [139, "rt_sigreturn", 0x8b, "?", "?", "?", "?", "?", "?"], 561 | [140, "setpriority", 0x8c, "int which", "int who", "int niceval", "-", "-", "-"], 562 | [141, "getpriority", 0x8d, "int which", "int who", "-", "-", "-", "-"], 563 | [142, "reboot", 0x8e, "int magic1", "int magic2", "unsigned int cmd", "void *arg", "-", "-"], 564 | [143, "setregid", 0x8f, "gid_t rgid", "gid_t egid", "-", "-", "-", "-"], 565 | [144, "setgid", 0x90, "gid_t gid", "-", "-", "-", "-", "-"], 566 | [145, "setreuid", 0x91, "uid_t ruid", "uid_t euid", "-", "-", "-", "-"], 567 | [146, "setuid", 0x92, "uid_t uid", "-", "-", "-", "-", "-"], 568 | [147, "setresuid", 0x93, "uid_t ruid", "uid_t euid", "uid_t suid", "-", "-", "-"], 569 | [148, "getresuid", 0x94, "uid_t *ruid", "uid_t *euid", "uid_t *suid", "-", "-", "-"], 570 | [149, "setresgid", 0x95, "gid_t rgid", "gid_t egid", "gid_t sgid", "-", "-", "-"], 571 | [150, "getresgid", 0x96, "gid_t *rgid", "gid_t *egid", "gid_t *sgid", "-", "-", "-"], 572 | [151, "setfsuid", 0x97, "uid_t uid", "-", "-", "-", "-", "-"], 573 | [152, "setfsgid", 0x98, "gid_t gid", "-", "-", "-", "-", "-"], 574 | [153, "times", 0x99, "struct tms *tbuf", "-", "-", "-", "-", "-"], 575 | [154, "setpgid", 0x9a, "pid_t pid", "pid_t pgid", "-", "-", "-", "-"], 576 | [155, "getpgid", 0x9b, "pid_t pid", "-", "-", "-", "-", "-"], 577 | [156, "getsid", 0x9c, "pid_t pid", "-", "-", "-", "-", "-"], 578 | [157, "setsid", 0x9d, "-", "-", "-", "-", "-", "-"], 579 | [158, "getgroups", 0x9e, "int gidsetsize", "gid_t *grouplist", "-", "-", "-", "-"], 580 | [159, 
"setgroups", 0x9f, "int gidsetsize", "gid_t *grouplist", "-", "-", "-", "-"], 581 | [160, "uname", 0xa0, "struct old_utsname *", "-", "-", "-", "-", "-"], 582 | [161, "sethostname", 0xa1, "char *name", "int len", "-", "-", "-", "-"], 583 | [162, "setdomainname", 0xa2, "char *name", "int len", "-", "-", "-", "-"], 584 | [163, "getrlimit", 0xa3, "unsigned int resource", "struct rlimit *rlim", "-", "-", "-", "-"], 585 | [164, "setrlimit", 0xa4, "unsigned int resource", "struct rlimit *rlim", "-", "-", "-", "-"], 586 | [165, "getrusage", 0xa5, "int who", "struct rusage *ru", "-", "-", "-", "-"], 587 | [166, "umask", 0xa6, "int mask", "-", "-", "-", "-", "-"], 588 | [167, "prctl", 0xa7, "int option", "unsigned long arg2", "unsigned long arg3", "unsigned long arg4", "unsigned long arg5", "-"], 589 | [168, "getcpu", 0xa8, "unsigned *cpu", "unsigned *node", "struct getcpu_cache *cache", "-", "-", "-"], 590 | [169, "gettimeofday", 0xa9, "struct timeval *tv", "struct timezone *tz", "-", "-", "-", "-"], 591 | [170, "settimeofday", 0xaa, "struct timeval *tv", "struct timezone *tz", "-", "-", "-", "-"], 592 | [171, "adjtimex", 0xab, "struct __kernel_timex *txc_p", "-", "-", "-", "-", "-"], 593 | [172, "getpid", 0xac, "-", "-", "-", "-", "-", "-"], 594 | [173, "getppid", 0xad, "-", "-", "-", "-", "-", "-"], 595 | [174, "getuid", 0xae, "-", "-", "-", "-", "-", "-"], 596 | [175, "geteuid", 0xaf, "-", "-", "-", "-", "-", "-"], 597 | [176, "getgid", 0xb0, "-", "-", "-", "-", "-", "-"], 598 | [177, "getegid", 0xb1, "-", "-", "-", "-", "-", "-"], 599 | [178, "gettid", 0xb2, "-", "-", "-", "-", "-", "-"], 600 | [179, "sysinfo", 0xb3, "struct sysinfo *info", "-", "-", "-", "-", "-"], 601 | [180, "mq_open", 0xb4, "const char *name", "int oflag", "umode_t mode", "struct mq_attr *attr", "-", "-"], 602 | [181, "mq_unlink", 0xb5, "const char *name", "-", "-", "-", "-", "-"], 603 | [182, "mq_timedsend", 0xb6, "mqd_t mqdes", "const char *msg_ptr", "size_t msg_len", "unsigned int msg_prio", 
"const struct __kernel_timespec *abs_timeout", "-"], 604 | [183, "mq_timedreceive", 0xb7, "mqd_t mqdes", "char *msg_ptr", "size_t msg_len", "unsigned int *msg_prio", "const struct __kernel_timespec *abs_timeout", "-"], 605 | [184, "mq_notify", 0xb8, "mqd_t mqdes", "const struct sigevent *notification", "-", "-", "-", "-"], 606 | [185, "mq_getsetattr", 0xb9, "mqd_t mqdes", "const struct mq_attr *mqstat", "struct mq_attr *omqstat", "-", "-", "-"], 607 | [186, "msgget", 0xba, "key_t key", "int msgflg", "-", "-", "-", "-"], 608 | [187, "msgctl", 0xbb, "int msqid", "int cmd", "struct msqid_ds *buf", "-", "-", "-"], 609 | [188, "msgrcv", 0xbc, "int msqid", "struct msgbuf *msgp", "size_t msgsz", "long msgtyp", "int msgflg", "-"], 610 | [189, "msgsnd", 0xbd, "int msqid", "struct msgbuf *msgp", "size_t msgsz", "int msgflg", "-", "-"], 611 | [190, "semget", 0xbe, "key_t key", "int nsems", "int semflg", "-", "-", "-"], 612 | [191, "semctl", 0xbf, "int semid", "int semnum", "int cmd", "unsigned long arg", "-", "-"], 613 | [192, "semtimedop", 0xc0, "int semid", "struct sembuf *sops", "unsigned nsops", "const struct __kernel_timespec *timeout", "-", "-"], 614 | [193, "semop", 0xc1, "int semid", "struct sembuf *sops", "unsigned nsops", "-", "-", "-"], 615 | [194, "shmget", 0xc2, "key_t key", "size_t size", "int flag", "-", "-", "-"], 616 | [195, "shmctl", 0xc3, "int shmid", "int cmd", "struct shmid_ds *buf", "-", "-", "-"], 617 | [196, "shmat", 0xc4, "int shmid", "char *shmaddr", "int shmflg", "-", "-", "-"], 618 | [197, "shmdt", 0xc5, "char *shmaddr", "-", "-", "-", "-", "-"], 619 | [198, "socket", 0xc6, "int", "int", "int", "-", "-", "-"], 620 | [199, "socketpair", 0xc7, "int", "int", "int", "int *", "-", "-"], 621 | [200, "bind", 0xc8, "int", "struct sockaddr *", "int", "-", "-", "-"], 622 | [201, "listen", 0xc9, "int", "int", "-", "-", "-", "-"], 623 | [202, "accept", 0xca, "int", "struct sockaddr *", "int *", "-", "-", "-"], 624 | [203, "connect", 0xcb, "int", "struct 
sockaddr *", "int", "-", "-", "-"], 625 | [204, "getsockname", 0xcc, "int", "struct sockaddr *", "int *", "-", "-", "-"], 626 | [205, "getpeername", 0xcd, "int", "struct sockaddr *", "int *", "-", "-", "-"], 627 | [206, "sendto", 0xce, "int", "void *", "size_t", "unsigned", "struct sockaddr *", "int"], 628 | [207, "recvfrom", 0xcf, "int", "void *", "size_t", "unsigned", "struct sockaddr *", "int *"], 629 | [208, "setsockopt", 0xd0, "int fd", "int level", "int optname", "char *optval", "int optlen", "-"], 630 | [209, "getsockopt", 0xd1, "int fd", "int level", "int optname", "char *optval", "int *optlen", "-"], 631 | [210, "shutdown", 0xd2, "int", "int", "-", "-", "-", "-"], 632 | [211, "sendmsg", 0xd3, "int fd", "struct user_msghdr *msg", "unsigned flags", "-", "-", "-"], 633 | [212, "recvmsg", 0xd4, "int fd", "struct user_msghdr *msg", "unsigned flags", "-", "-", "-"], 634 | [213, "readahead", 0xd5, "int fd", "loff_t offset", "size_t count", "-", "-", "-"], 635 | [214, "brk", 0xd6, "unsigned long brk", "-", "-", "-", "-", "-"], 636 | [215, "munmap", 0xd7, "unsigned long addr", "size_t len", "-", "-", "-", "-"], 637 | [216, "mremap", 0xd8, "unsigned long addr", "unsigned long old_len", "unsigned long new_len", "unsigned long flags", "unsigned long new_addr", "-"], 638 | [217, "add_key", 0xd9, "const char *_type", "const char *_description", "const void *_payload", "size_t plen", "key_serial_t destringid", "-"], 639 | [218, "request_key", 0xda, "const char *_type", "const char *_description", "const char *_callout_info", "key_serial_t destringid", "-", "-"], 640 | [219, "keyctl", 0xdb, "int cmd", "unsigned long arg2", "unsigned long arg3", "unsigned long arg4", "unsigned long arg5", "-"], 641 | [220, "clone", 0xdc, "unsigned long", "unsigned long", "int *", "int *", "unsigned long", "-"], 642 | [221, "execve", 0xdd, "const char *filename", "const char *const *argv", "const char *const *envp", "-", "-", "-"], 643 | [222, "mmap", 0xde, "?", "?", "?", "?", "?", "?"], 
644 | [223, "fadvise64", 0xdf, "int fd", "loff_t offset", "size_t len", "int advice", "-", "-"], 645 | [224, "swapon", 0xe0, "const char *specialfile", "int swap_flags", "-", "-", "-", "-"], 646 | [225, "swapoff", 0xe1, "const char *specialfile", "-", "-", "-", "-", "-"], 647 | [226, "mprotect", 0xe2, "unsigned long start", "size_t len", "unsigned long prot", "-", "-", "-"], 648 | [227, "msync", 0xe3, "unsigned long start", "size_t len", "int flags", "-", "-", "-"], 649 | [228, "mlock", 0xe4, "unsigned long start", "size_t len", "-", "-", "-", "-"], 650 | [229, "munlock", 0xe5, "unsigned long start", "size_t len", "-", "-", "-", "-"], 651 | [230, "mlockall", 0xe6, "int flags", "-", "-", "-", "-", "-"], 652 | [231, "munlockall", 0xe7, "-", "-", "-", "-", "-", "-"], 653 | [232, "mincore", 0xe8, "unsigned long start", "size_t len", "unsigned char * vec", "-", "-", "-"], 654 | [233, "madvise", 0xe9, "unsigned long start", "size_t len", "int behavior", "-", "-", "-"], 655 | [234, "remap_file_pages", 0xea, "unsigned long start", "unsigned long size", "unsigned long prot", "unsigned long pgoff", "unsigned long flags", "-"], 656 | [235, "mbind", 0xeb, "unsigned long start", "unsigned long len", "unsigned long mode", "const unsigned long *nmask", "unsigned long maxnode", "unsigned flags"], 657 | [236, "get_mempolicy", 0xec, "int *policy", "unsigned long *nmask", "unsigned long maxnode", "unsigned long addr", "unsigned long flags", "-"], 658 | [237, "set_mempolicy", 0xed, "int mode", "const unsigned long *nmask", "unsigned long maxnode", "-", "-", "-"], 659 | [238, "migrate_pages", 0xee, "pid_t pid", "unsigned long maxnode", "const unsigned long *from", "const unsigned long *to", "-", "-"], 660 | [239, "move_pages", 0xef, "pid_t pid", "unsigned long nr_pages", "const void * *pages", "const int *nodes", "int *status", "int flags"], 661 | [240, "rt_tgsigqueueinfo", 0xf0, "pid_t tgid", "pid_t pid", "int sig", "siginfo_t *uinfo", "-", "-"], 662 | [241, "perf_event_open", 0xf1, 
"struct perf_event_attr *attr_uptr", "pid_t pid", "int cpu", "int group_fd", "unsigned long flags", "-"], 663 | [242, "accept4", 0xf2, "int", "struct sockaddr *", "int *", "int", "-", "-"], 664 | [243, "recvmmsg", 0xf3, "int fd", "struct mmsghdr *msg", "unsigned int vlen", "unsigned flags", "struct __kernel_timespec *timeout", "-"], 665 | [244, "not implemented", 0xf4], 666 | [245, "not implemented", 0xf5], 667 | [246, "not implemented", 0xf6], 668 | [247, "not implemented", 0xf7], 669 | [248, "not implemented", 0xf8], 670 | [249, "not implemented", 0xf9], 671 | [250, "not implemented", 0xfa], 672 | [251, "not implemented", 0xfb], 673 | [252, "not implemented", 0xfc], 674 | [253, "not implemented", 0xfd], 675 | [254, "not implemented", 0xfe], 676 | [255, "not implemented", 0xff], 677 | [256, "not implemented", 0x100], 678 | [257, "not implemented", 0x101], 679 | [258, "not implemented", 0x102], 680 | [259, "not implemented", 0x103], 681 | [260, "wait4", 0x104, "pid_t pid", "int *stat_addr", "int options", "struct rusage *ru", "-", "-"], 682 | [261, "prlimit64", 0x105, "pid_t pid", "unsigned int resource", "const struct rlimit64 *new_rlim", "struct rlimit64 *old_rlim", "-", "-"], 683 | [262, "fanotify_init", 0x106, "unsigned int flags", "unsigned int event_f_flags", "-", "-", "-", "-"], 684 | [263, "fanotify_mark", 0x107, "int fanotify_fd", "unsigned int flags", "u64 mask", "int fd", "const char *pathname", "-"], 685 | [264, "name_to_handle_at", 0x108, "int dfd", "const char *name", "struct file_handle *handle", "int *mnt_id", "int flag", "-"], 686 | [265, "open_by_handle_at", 0x109, "int mountdirfd", "struct file_handle *handle", "int flags", "-", "-", "-"], 687 | [266, "clock_adjtime", 0x10a, "clockid_t which_clock", "struct __kernel_timex *tx", "-", "-", "-", "-"], 688 | [267, "syncfs", 0x10b, "int fd", "-", "-", "-", "-", "-"], 689 | [268, "setns", 0x10c, "int fd", "int nstype", "-", "-", "-", "-"], 690 | [269, "sendmmsg", 0x10d, "int fd", "struct mmsghdr *msg", 
"unsigned int vlen", "unsigned flags", "-", "-"], 691 | [270, "process_vm_readv", 0x10e, "pid_t pid", "const struct iovec *lvec", "unsigned long liovcnt", "const struct iovec *rvec", "unsigned long riovcnt", "unsigned long flags"], 692 | [271, "process_vm_writev", 0x10f, "pid_t pid", "const struct iovec *lvec", "unsigned long liovcnt", "const struct iovec *rvec", "unsigned long riovcnt", "unsigned long flags"], 693 | [272, "kcmp", 0x110, "pid_t pid1", "pid_t pid2", "int type", "unsigned long idx1", "unsigned long idx2", "-"], 694 | [273, "finit_module", 0x111, "int fd", "const char *uargs", "int flags", "-", "-", "-"], 695 | [274, "sched_setattr", 0x112, "pid_t pid", "struct sched_attr *attr", "unsigned int flags", "-", "-", "-"], 696 | [275, "sched_getattr", 0x113, "pid_t pid", "struct sched_attr *attr", "unsigned int size", "unsigned int flags", "-", "-"], 697 | [276, "renameat2", 0x114, "int olddfd", "const char *oldname", "int newdfd", "const char *newname", "unsigned int flags", "-"], 698 | [277, "seccomp", 0x115, "unsigned int op", "unsigned int flags", "void *uargs", "-", "-", "-"], 699 | [278, "getrandom", 0x116, "char *buf", "size_t count", "unsigned int flags", "-", "-", "-"], 700 | [279, "memfd_create", 0x117, "const char *uname_ptr", "unsigned int flags", "-", "-", "-", "-"], 701 | [280, "bpf", 0x118, "int cmd", "union bpf_attr *attr", "unsigned int size", "-", "-", "-"], 702 | [281, "execveat", 0x119, "int dfd", "const char *filename", "const char *const *argv", "const char *const *envp", "int flags", "-"], 703 | [282, "userfaultfd", 0x11a, "int flags", "-", "-", "-", "-", "-"], 704 | [283, "membarrier", 0x11b, "int cmd", "int flags", "-", "-", "-", "-"], 705 | [284, "mlock2", 0x11c, "unsigned long start", "size_t len", "int flags", "-", "-", "-"], 706 | [285, "copy_file_range", 0x11d, "int fd_in", "loff_t *off_in", "int fd_out", "loff_t *off_out", "size_t len", "unsigned int flags"], 707 | [286, "preadv2", 0x11e, "unsigned long fd", "const struct 
iovec *vec", "unsigned long vlen", "unsigned long pos_l", "unsigned long pos_h", "rwf_t flags"], 708 | [287, "pwritev2", 0x11f, "unsigned long fd", "const struct iovec *vec", "unsigned long vlen", "unsigned long pos_l", "unsigned long pos_h", "rwf_t flags"], 709 | [288, "pkey_mprotect", 0x120, "unsigned long start", "size_t len", "unsigned long prot", "int pkey", "-", "-"], 710 | [289, "pkey_alloc", 0x121, "unsigned long flags", "unsigned long init_val", "-", "-", "-", "-"], 711 | [290, "pkey_free", 0x122, "int pkey", "-", "-", "-", "-", "-"], 712 | [291, "statx", 0x123, "int dfd", "const char *path", "unsigned flags", "unsigned mask", "struct statx *buffer", "-"] 713 | ]; 714 | -------------------------------------------------------------------------------- /img/1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Abbbbbi/Frida-Seccomp/ba13797ddb1cbd0ffac79f40765484812583fdb7/img/1.png -------------------------------------------------------------------------------- /img/2.JPG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Abbbbbi/Frida-Seccomp/ba13797ddb1cbd0ffac79f40765484812583fdb7/img/2.JPG -------------------------------------------------------------------------------- /img/3.JPG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Abbbbbi/Frida-Seccomp/ba13797ddb1cbd0ffac79f40765484812583fdb7/img/3.JPG -------------------------------------------------------------------------------- /multi_frida_seccomp.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | import codecs 3 | import frida 4 | import sys 5 | import os 6 | import time 7 | import subprocess 8 | import threading 9 | 10 | package_name = sys.argv[1] 11 | jscode = open("./handleSeccomp.js").read() 12 | dir_path = "" 13 | 14 | device = 
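frida.get_device_manager().enumerate_devices()[-1]  # value of the `device = ` assignment begun just above
# NOTE(review): [-1] takes whichever device is enumerated last; presumably that is
# the USB/remote target. frida.get_usb_device() would make the choice explicit.
print(device)

pending = []    # events recorded by on_spawned, kept for inspection
sessions = []   # strong references so attached sessions stay alive
scripts = []    # strong references so loaded scripts stay alive
log_procs = []  # (adb, grep) process pairs started by start_logcat_capture
event = threading.Event()


def start_logcat_capture(target_pid):
    """Write the "seccomp" lines of `adb logcat --pid=<target_pid>` to a log file.

    The file is "<dir_path>/<package_name>_<target_pid>.log", the same path the
    original shell one-liner wrote to.

    The original passed one formatted string to the shell (shell=True).
    package_name comes straight from sys.argv[1], so any shell metacharacter in
    it would have been interpreted by the shell. Here both programs are started
    from argument lists and connected with a pipe, so no shell parses the values.

    Returns the (adb, grep) Popen pair.
    """
    # dir_path is only filled in after the first spawn; fall back to the current
    # directory if a spawn event arrives before that.
    log_path = "{}/{}_{}.log".format(dir_path or ".", package_name, target_pid)
    with open(log_path, "w") as log_file:
        logcat = subprocess.Popen(
            ["adb", "logcat", "--pid={}".format(target_pid)],
            stdout=subprocess.PIPE,
        )
        grep = subprocess.Popen(
            ["grep", "seccomp"],
            stdin=logcat.stdout,
            stdout=log_file,
        )
    # Drop our copy of the pipe so adb sees a closed pipe if grep exits.
    logcat.stdout.close()
    log_procs.append((logcat, grep))
    return logcat, grep


def on_spawned(*details):
    """Generic logger for device signals; records the event and wakes waiters.

    Accepts any number of arguments because it is registered for several
    different signals below, which presumably do not all deliver exactly one
    argument (verify against the frida-python version in use).
    """
    print('on_spawned:', *details)
    pending.append(details[0] if len(details) == 1 else details)
    event.set()


def spawn_added(spawn):
    """Instrument a newly gated process if it belongs to the target package.

    NOTE(review): this runs inside Frida's signal callback and makes blocking
    calls (attach, load); confirm that is safe with the Frida version in use.
    """
    event.set()
    if not spawn.identifier.startswith(package_name):
        # Spawn gating holds every new process until it is resumed; let
        # unrelated processes continue instead of leaving them suspended.
        device.resume(spawn.pid)
        return
    print('spawn_added:', spawn)
    child_session = device.attach(spawn.pid)
    start_logcat_capture(spawn.pid)
    child_script = child_session.create_script(jscode)
    child_script.on('message', on_message)
    child_script.load()
    sessions.append(child_session)
    scripts.append(child_script)
    device.resume(spawn.pid)


def spawn_removed(spawn):
    """Log that a gated spawn went away and wake waiters."""
    # The original printed 'spawn_added:' here, which mislabelled the event.
    print('spawn_removed:', spawn)
    event.set()


def on_message(message, data):
    """Print messages sent by the injected script.

    The file used to define a three-argument on_message just before this one;
    it was immediately shadowed by this definition and never called, so it has
    been removed.
    """
    if message['type'] == 'send':
        print("[*] {0}".format(message['payload']))
    else:
        print(message)


device.on('spawn-added', spawn_added)
device.on('spawn-removed', spawn_removed)
device.on('child-added', on_spawned)
device.on('child-removed', on_spawned)
device.on('process-crashed', on_spawned)
device.on('output', on_spawned)
device.on('uninjected', on_spawned)
device.on('lost', on_spawned)
device.enable_spawn_gating()
print('Enabled spawn gating')

pid = device.spawn([package_name])
# Per-run output directory: <package>_<pid>_<timestamp>
dir_path = "{}_{}_{}".format(package_name, pid, time.time())
os.makedirs(dir_path)
session = device.attach(pid)
print("[*] Attach Application {} pid:".format(package_name), pid)
start_logcat_capture(pid)
print("[*] Application onResume")
script = session.create_script(jscode)
script.on('message', on_message)
print('[*] Running Frida-Seccomp')
script.load()
sessions.append(session)
scripts.append(script)
device.resume(pid)
# Block until stdin is closed so the callbacks keep running.
sys.stdin.read()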