Skip to content

Trace Android framework API, native libraries, system calls and other events using eBPF

License

Notifications You must be signed in to change notification settings

yanivagman/BPFroid

Repository files navigation

No Maintenance Intended

BPFroid

Trace Android framework API, native libraries, system calls and other events using eBPF. Based on Tracee: https://github.com/aquasecurity/tracee

For more information about this work also see: https://arxiv.org/abs/2105.14344

Requirements

  • Android linux kernel that provides BPF capabilities: BPF, Kprobes and Uprobes
  • kernel headers (used for BPF program compilation)
  • clang

Building BPFroid for arm64

  • Prepare compilation environment with docker: docker run -it --rm --privileged multiarch/qemu-user-static --credential yes --persistent yes
  • Use the Dockerfile in builder directory to build an image of the build environment
  • Run builder container with BPFroid sources mounted and kernel headers as well, e.g: docker run -it --rm -v /path/to/tracee:/tracee -v /path/to/android-kernel:/headers bpfroid_builder
  • Set KERN_HEADERS variable in the Makefile to point to the correct location, then make, e.g: KERN_HEADERS=/headers make

Building for android emulator

  • KERN_HEADERS=/path/to/android-goldfish-kernel make

Running BPFroid

  • Clone and build BPFroid
  • Copy bpfroid binary and bpf object file to target device (built into "dist" by default)
  • Configure required hooks in hooks.json
  • Run

Notes

  • System updates that change oat framework files requires deleting hooks.cache file!

About

Trace Android framework API, native libraries, system calls and other events using eBPF

Topics

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published