Giters

hello009-commits / BPFroid

Trace Android framework API, native libraries, system calls and other events using eBPF

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

BPFroid

Trace Android framework API, native libraries, system calls and other events using eBPF. Based on Tracee: https://github.com/aquasecurity/tracee

For more information about this work also see: https://arxiv.org/abs/2105.14344

Requirements

  • Android linux kernel that provides BPF capabilities: BPF, Kprobes and Uprobes
  • kernel headers (used for BPF program compilation)
  • clang

Building BPFroid for arm64

  • Prepare compilation environment with docker: docker run -it --rm --privileged multiarch/qemu-user-static --credential yes --persistent yes
  • Use the Dockerfile in builder directory to build an image of the build environment
  • Run builder container with BPFroid sources mounted and kernel headers as well, e.g: docker run -it --rm -v /path/to/tracee:/tracee -v /path/to/android-kernel:/headers bpfroid_builder
  • Set KERN_HEADERS variable in the Makefile to point to the correct location, then make, e.g: KERN_HEADERS=/headers make

Building for android emulator

  • KERN_HEADERS=/path/to/android-goldfish-kernel make

Running BPFroid

  • Clone and build BPFroid
  • Copy bpfroid binary and bpf object file to target device (built into "dist" by default)
  • Configure required hooks in hooks.json
  • Run

Notes

  • System updates that change oat framework files requires deleting hooks.cache file!

About

Trace Android framework API, native libraries, system calls and other events using eBPF

License:Apache License 2.0

Languages

Language:Go 77.5%Language:C 15.7%Language:Python 4.6%Language:Makefile 1.6%Language:Shell 0.3%Language:Dockerfile 0.3%Language:Ruby 0.1%