Archive for April, 2013

How to debug the runtime behavior of Adobe Reader in Android?

First, use Adobe Reader to open a PDF document. Next, find the process ID of the Adobe Reader process on the Android device (from the output of ps):

u0_a35 5457 126 645956 20744 ffffffff 400daee4 S com.android.musicfx
u0_a52 5480 126 661744 26604 ffffffff 400daee4 S com.google.android.googlequicksearchbox
u0_a85 5512 126 694584 87944 ffffffff 400daee4 S com.adobe.reader
root 5691 5192 1152 228 00000000 40176d78 R ps
u0_a42 11954 126 721972 62408 ffffffff 400daee4 S com.google.android.apps.p

From the output above, the Adobe Reader process (com.adobe.reader) has PID 5512.

So look under /proc/5512 for the process-specific information.

Looking into /proc/5512/maps:

40032000-40034000 r-xp 00000000 b3:03 151 /system/bin/app_process
40034000-40035000 r--p 00001000 b3:03 151 /system/bin/app_process
40035000-40036000 rw-p 00000000 00:00 0
40036000-4004c000 r-xp 00000000 b3:03 841 /system/lib/libz.so
4004c000-4004d000 r--p 00015000 b3:03 841 /system/lib/libz.so
4004d000-4004e000 rw-p 00016000 b3:03 841 /system/lib/libz.so
4004e000-4004f000 rw-p 00000000 00:00 0
4004f000-40050000 r--s 00000000 b3:03 931 /system/framework/telephony-common.jar
40050000-40051000 r--s 00000000 b3:03 894 /system/framework/mms-common.jar
40051000-40059000 rw-p 00000000 00:00 0
40059000-4005c000 rw-p 00000000 00:00 0
4005c000-40064000 rw-p 00000000 00:00 0
40064000-40067000 r-xp 00000000 b3:03 705 /system/lib/liblog.so
40067000-40068000 r--p 00002000 b3:03 705 /system/lib/liblog.so
40068000-40069000 rw-p 00003000 b3:03 705 /system/lib/liblog.so
40069000-4006a000 r--s 00000000 b3:03 580 /system/framework/services.jar
4006a000-40073000 r-xp 00000000 b3:03 826 /system/lib/libui.so
40073000-40074000 r--p 00008000 b3:03 826 /system/lib/libui.so
40074000-40075000 rw-p 00009000 b3:03 826 /system/lib/libui.so
40075000-40076000 r-xp 00000000 b3:03 1080 /system/lib/libsync.so
40076000-40077000 r--p 00000000 b3:03 1080 /system/lib/libsync.so
40077000-40078000 rw-p 00001000 b3:03 1080 /system/lib/libsync.so
40078000-40079000 rw-p 00000000 00:00 0
40079000-4007c000 rw-p 00000000 00:00 0
4007c000-4007e000 r-xp 00000000 b3:03 608 /system/lib/libETC1.so
4007e000-4007f000 r--p 00001000 b3:03 608 /system/lib/libETC1.so
4007f000-40080000 rw-p 00002000 b3:03 608 /system/lib/libETC1.so
40080000-40084000 rw-p 00000000 00:00 0
40084000-40092000 r-xp 00000000 b3:03 192 /system/bin/linker
40092000-40093000 rw-p 00000000 00:00 0
40093000-40094000 r--p 0000e000 b3:03 192 /system/bin/linker
40094000-40095000 rw-p 0000f000 b3:03 192 /system/bin/linker
40095000-4009f000 rw-p 00000000 00:00 0
4009f000-400a3000 rw-p 00000000 00:00 0
400a3000-400a4000 rw-s 00000000 00:04 151510 /dev/ashmem/nvgralloc-shared (deleted)
400a4000-400af000 r-xp 00000000 b3:03 798 /system/lib/libstagefright_foundation.so
400af000-400b0000 r--p 0000a000 b3:03 798 /system/lib/libstagefright_foundation.so
400b0000-400b1000 rw-p 0000b000 b3:03 798 /system/lib/libstagefright_foundation.so
400b1000-400b4000 r-xp 00000000 b3:03 789 /system/lib/libspeexresampler.so
400b4000-400b5000 r--p 00002000 b3:03 789 /system/lib/libspeexresampler.so
400b5000-400b6000 rw-p 00003000 b3:03 789 /system/lib/libspeexresampler.so
400b6000-400b8000 r-xp 00000000 b3:03 635 /system/lib/libaudioutils.so
400b8000-400b9000 r--p 00001000 b3:03 635 /system/lib/libaudioutils.so
400b9000-400ba000 rw-p 00002000 b3:03 635 /system/lib/libaudioutils.so
400ba000-400bb000 r--s 00000000 b3:03 557 /system/framework/core-junit.jar
400bb000-400c3000 rw-p 00000000 00:00 0
400c3000-40108000 r-xp 00000000 b3:03 641 /system/lib/libc.so
40108000-40109000 ---p 00000000 00:00 0
40109000-4010b000 r--p 00045000 b3:03 641 /system/lib/libc.so
4010b000-4010d000 rw-p 00047000 b3:03 641 /system/lib/libc.so
4010d000-40118000 rw-p 00000000 00:00 0
40118000-40119000 r-xp 00000000 b3:03 817 /system/lib/libstdc++.so
40119000-4011a000 r--p 00000000 b3:03 817 /system/lib/libstdc++.so
4011a000-4011b000 rw-p 00001000 b3:03 817 /system/lib/libstdc++.so
4011b000-40133000 r-xp 00000000 b3:03 828 /system/lib/libutils.so
40133000-40134000 ---p 00000000 00:00 0
40134000-40135000 r--p 00018000 b3:03 828 /system/lib/libutils.so
40135000-40136000 rw-p 00019000 b3:03 828 /system/lib/libutils.so
40136000-40139000 r-xp 00000000 b3:03 650 /system/lib/libcorkscrew.so
40139000-4013a000 r--p 00002000 b3:03 650 /system/lib/libcorkscrew.so
4013a000-4013b000 rw-p 00003000 b3:03 650 /system/lib/libcorkscrew.so
4013b000-40159000 r-xp 00000000 b3:03 638 /system/lib/libbinder.so
40159000-4015e000 r--p 0001d000 b3:03 638 /system/lib/libbinder.so
4015e000-4015f000 rw-p 00022000 b3:03 638 /system/lib/libbinder.so
4015f000-4018e000 r-xp 00000000 b3:03 631 /system/lib/libandroidfw.so
4018e000-4018f000 ---p 00000000 00:00 0
4018f000-40191000 r--p 0002f000 b3:03 631 /system/lib/libandroidfw.so
40191000-40192000 rw-p 00031000 b3:03 631 /system/lib/libandroidfw.so
40192000-40194000 r-xp 00000000 b3:03 666 /system/lib/libemoji.so
40194000-40195000 r--p 00001000 b3:03 666 /system/lib/libemoji.so
40195000-40196000 rw-p 00002000 b3:03 666 /system/lib/libemoji.so
40196000-40198000 r-xp 00000000 b3:03 714 /system/lib/libnativehelper.so
40198000-40199000 r--p 00001000 b3:03 714 /system/lib/libnativehelper.so
40199000-4019a000 rw-p 00002000 b3:03 714 /system/lib/libnativehelper.so
4019a000-4019f000 r-xp 00000000 b3:03 716 /system/lib/libnetutils.so
4019f000-401a0000 r--p 00004000 b3:03 716 /system/lib/libnetutils.so
401a0000-401a1000 rw-p 00005000 b3:03 716 /system/lib/libnetutils.so
401a1000-401a2000 r-xp 00000000 b3:03 681 /system/lib/libhardware.so
401a2000-401a3000 r--p 00000000 b3:03 681 /system/lib/libhardware.so
401a3000-401a4000 rw-p 00001000 b3:03 681 /system/lib/libhardware.so
401a4000-401a5000 r--p 00000000 00:00 0
401a5000-401ba000 r-xp 00000000 b3:03 706 /system/lib/libm.so
401ba000-401bb000 r--p 00014000 b3:03 706 /system/lib/libm.so
401bb000-401bc000 rw-p 00015000 b3:03 706 /system/lib/libm.so
401bc000-401c9000 r-xp 00000000 b3:03 653 /system/lib/libcutils.so
401c9000-401ca000 r--p 0000c000 b3:03 653 /system/lib/libcutils.so
401ca000-401cb000 rw-p 0000d000 b3:03 653 /system/lib/libcutils.so
401cb000-401d9000 rw-p 00000000 00:00 0
401d9000-401dd000 r-xp 00000000 b3:03 677 /system/lib/libgccdemangle.so
401dd000-401de000 ---p 00000000 00:00 0
401de000-401df000 r--p 00004000 b3:03 677 /system/lib/libgccdemangle.so
401df000-401e0000 rw-p 00005000 b3:03 677 /system/lib/libgccdemangle.so
401e0000-40277000 r-xp 00000000 b3:03 630 /system/lib/libandroid_runtime.so
40277000-4027b000 r--p 00096000 b3:03 630 /system/lib/libandroid_runtime.so
4027b000-40281000 rw-p 0009a000 b3:03 630 /system/lib/libandroid_runtime.so
40281000-40282000 rw-p 00000000 00:00 0
40282000-403d5000 r-xp 00000000 b3:03 786 /system/lib/libskia.so
403d5000-403da000 r--p 00152000 b3:03 786 /system/lib/libskia.so
403da000-403db000 rw-p 00157000 b3:03 786 /system/lib/libskia.so
403db000-403e1000 rw-p 00000000 00:00 0
403e1000-40411000 r-xp 00000000 b3:03 703 /system/lib/libjpeg.so
40411000-40412000 r--p 0002f000 b3:03 703 /system/lib/libjpeg.so
40412000-40413000 rw-p 00030000 b3:03 703 /system/lib/libjpeg.so
40413000-40427000 r-xp 00000000 b3:03 669 /system/lib/libexpat.so
40427000-40429000 r--p 00013000 b3:03 669 /system/lib/libexpat.so
40429000-4042a000 rw-p 00015000 b3:03 669 /system/lib/libexpat.so
4042a000-4045e000 r-xp 00000000 b3:03 818 /system/lib/libstlport.so
4045e000-4045f000 ---p 00000000 00:00 0
4045f000-40461000 r--p 00034000 b3:03 818 /system/lib/libstlport.so
40461000-40462000 rw-p 00036000 b3:03 818 /system/lib/libstlport.so
40462000-4048f000 r-xp 00000000 b3:03 680 /system/lib/libgui.so
4048f000-40490000 ---p 00000000 00:00 0
40490000-40497000 r--p 0002d000 b3:03 680 /system/lib/libgui.so
40497000-40498000 rw-p 00034000 b3:03 680 /system/lib/libgui.so
40498000-404d5000 r-xp 00000000 b3:03 607 /system/lib/libEGL.so
404d5000-404d7000 r--p 0003c000 b3:03 607 /system/lib/libEGL.so
404d7000-404db000 rw-p 0003e000 b3:03 607 /system/lib/libEGL.so
404db000-404dd000 rw-p 00000000 00:00 0
404dd000-4051d000 r-xp 00000000 b3:03 610 /system/lib/libGLES_trace.so
4051d000-4051e000 r--p 0003f000 b3:03 610 /system/lib/libGLES_trace.so
4051e000-4051f000 rw-p 00040000 b3:03 610 /system/lib/libGLES_trace.so
4051f000-40524000 r-xp 00000000 b3:03 616 /system/lib/libGLESv2.so
40524000-40525000 r--p 00004000 b3:03 616 /system/lib/libGLESv2.so
40525000-40526000 rw-p 00005000 b3:03 616 /system/lib/libGLESv2.so
40526000-4053c000 r-xp 00000000 b3:03 642 /system/lib/libcamera_client.so
4053c000-4053d000 ---p 00000000 00:00 0
4053d000-40542000 r--p 00016000 b3:03 642 /system/lib/libcamera_client.so
40542000-40543000 rw-p 0001b000 b3:03 642 /system/lib/libcamera_client.so
40543000-40595000 r-xp 00000000 b3:03 791 /system/lib/libsqlite.so
40595000-40596000 ---p 00000000 00:00 0
40596000-40597000 r--p 00052000 b3:03 791 /system/lib/libsqlite.so
40597000-40598000 rw-p 00053000 b3:03 791 /system/lib/libsqlite.so
40598000-40683000 r-xp 00000000 b3:03 686 /system/lib/libicuuc.so
40683000-4068c000 r--p 000ea000 b3:03 686 /system/lib/libicuuc.so
4068c000-4068d000 rw-p 000f3000 b3:03 686 /system/lib/libicuuc.so
4068d000-40691000 rw-p 00000000 00:00 0
40691000-40695000 r-xp 00000000 b3:03 676 /system/lib/libgabi++.so
40695000-40696000 r--p 00003000 b3:03 676 /system/lib/libgabi++.so
40696000-40697000 rw-p 00004000 b3:03 676 /system/lib/libgabi++.so
40697000-407a8000 r-xp 00000000 b3:03 685 /system/lib/libicui18n.so
407a8000-407a9000 ---p 00000000 00:00 0
407a9000-407af000 r--p 00111000 b3:03 685 /system/lib/libicui18n.so
407af000-407b0000 rw-p 00117000 b3:03 685 /system/lib/libicui18n.so
407b0000-40856000 r-xp 00000000 b3:03 663 /system/lib/libdvm.so
40856000-4085a000 r--p 000a5000 b3:03 663 /system/lib/libdvm.so
4085a000-4085f000 rw-p 000a9000 b3:03 663 /system/lib/libdvm.so
4085f000-40861000 rw-p 00000000 00:00 0
40861000-40866000 r-xp 00000000 b3:03 612 /system/lib/libGLESv1_CM.so
40866000-40867000 r--p 00004000 b3:03 612 /system/lib/libGLESv1_CM.so
40867000-40868000 rw-p 00005000 b3:03 612 /system/lib/libGLESv1_CM.so
40868000-4086c000 r-xp 00000000 b3:03 682 /system/lib/libhardware_legacy.so
4086c000-4086d000 r--p 00003000 b3:03 682 /system/lib/libhardware_legacy.so
4086d000-4086e000 rw-p 00004000 b3:03 682 /system/lib/libhardware_legacy.so
4086e000-40870000 r-xp 00000000 b3:03 840 /system/lib/libwpa_client.so
40870000-40871000 r--p 00001000 b3:03 840 /system/lib/libwpa_client.so
40871000-40872000 rw-p 00002000 b3:03 840 /system/lib/libwpa_client.so
40872000-408c0000 r-xp 00000000 b3:03 787 /system/lib/libsonivox.so
408c0000-408c1000 r--p 0004d000 b3:03 787 /system/lib/libsonivox.so
408c1000-408c2000 rw-p 0004e000 b3:03 787 /system/lib/libsonivox.so
408c2000-408c7000 rw-p 00000000 00:00 0
408c7000-4098d000 r-xp 00000000 b3:03 651 /system/lib/libcrypto.so
4098d000-4098e000 ---p 00000000 00:00 0
4098e000-4099a000 r--p 000c6000 b3:03 651 /system/lib/libcrypto.so
4099a000-409a0000 rw-p 000d2000 b3:03 651 /system/lib/libcrypto.so
409a0000-409a2000 rw-p 00000000 00:00 0
409a2000-409d4000 r-xp 00000000 b3:03 793 /system/lib/libssl.so
409d4000-409d5000 ---p 00000000 00:00 0
409d5000-409d7000 r--p 00032000 b3:03 793 /system/lib/libssl.so
409d7000-409da000 rw-p 00034000 b3:03 793 /system/lib/libssl.so
409da000-40a41000 r-xp 00000000 b3:03 708 /system/lib/libmedia.so
40a41000-40a42000 ---p 00000000 00:00 0
40a42000-40a55000 r--p 00067000 b3:03 708 /system/lib/libmedia.so
40a55000-40a56000 rw-p 0007a000 b3:03 708 /system/lib/libmedia.so
40a56000-40a57000 r-xp 00000000 b3:03 710 /system/lib/libmedia_native.so
40a57000-40a58000 r--p 00000000 b3:03 710 /system/lib/libmedia_native.so
40a58000-40a59000 rw-p 00001000 b3:03 710 /system/lib/libmedia_native.so
40a59000-40a5b000 r-xp 00000000 b3:03 827 /system/lib/libusbhost.so
40a5b000-40a5c000 r--p 00001000 b3:03 827 /system/lib/libusbhost.so
40a5c000-40a5d000 rw-p 00002000 b3:03 827 /system/lib/libusbhost.so
40a5d000-40a90000 r-xp 00000000 b3:03 683 /system/lib/libharfbuzz.so
40a90000-40a91000 r--p 00032000 b3:03 683 /system/lib/libharfbuzz.so
40a91000-40a92000 rw-p 00033000 b3:03 683 /system/lib/libharfbuzz.so
40a92000-40abd000 r-xp 00000000 b3:03 684 /system/lib/libhwui.so
40abd000-40abf000 r--p 0002a000 b3:03 684 /system/lib/libhwui.so
40abf000-40ac0000 rw-p 0002c000 b3:03 684 /system/lib/libhwui.so
40ac0000-40ac8000 r--s 00000000 00:0c 3080 /dev/__properties__ (deleted)
40ac8000-410c8000 rw-p 00000000 00:04 6294 /dev/ashmem/dalvik-bitmap-1 (deleted)
410c8000-410ce000 rw-p 00000000 00:00 0
410ce000-410cf000 r--s 00000000 b3:03 559 /system/framework/core.jar
410cf000-41109000 rw-p 00000000 00:04 6304 /dev/ashmem/dalvik-aux-structure (deleted)
41109000-41110000 r--p 00000000 b3:03 558 /system/framework/core-junit.odex
41110000-41121000 rw-p 00000000 00:04 6317 /dev/ashmem/dalvik-aux-structure (deleted)
41121000-41132000 rw-p 00000000 00:00 0
41132000-4114e000 rw-p 00000000 00:04 6318 /dev/ashmem/dalvik-aux-structure (deleted)
4114e000-41165000 rw-p 00000000 00:04 6320 /dev/ashmem/dalvik-aux-structure (deleted)
41165000-41185000 r--p 00000000 b3:03 895 /system/framework/mms-common.odex
41185000-41193000 rw-p 00000000 00:04 6322 /dev/ashmem/dalvik-aux-structure (deleted)
41193000-41194000 r--s 00004000 b3:03 318 /system/framework/apache-xml.jar
41194000-411a1000 rw-p 00000000 00:00 0
411a1000-411a2000 r-xp 00000000 b3:03 797 /system/lib/libstagefright_enc_common.so
411a2000-411a3000 r--p 00000000 b3:03 797 /system/lib/libstagefright_enc_common.so
411a3000-411a4000 rw-p 00001000 b3:03 797 /system/lib/libstagefright_enc_common.so
411a4000-411a6000 rw-p 00000000 00:00 0
411a6000-411a7000 rw-p 00000000 00:04 6316 /dev/ashmem/dalvik-aux-structure (deleted)
411a7000-411bf000 rw-p 00000000 00:04 6324 /dev/ashmem/dalvik-aux-structure (deleted)
411bf000-411c3000 rw-p 00000000 00:00 0
411c3000-411c4000 rw-s 00000000 00:04 150191 /dev/ashmem/nvgralloc-shared (deleted)
411c4000-411c9000 rw-p 00000000 00:00 0
411c9000-411f6000 rw-p 00000000 00:04 6323 /dev/ashmem/dalvik-aux-structure (deleted)
411f6000-4120a000 r-xp 00000000 b3:03 661 /system/lib/libdrmframework.so
4120a000-4120d000 r--p 00013000 b3:03 661 /system/lib/libdrmframework.so
4120d000-4120e000 rw-p 00016000 b3:03 661 /system/lib/libdrmframework.so
4120e000-41213000 r-xp 00000000 b3:03 796 /system/lib/libstagefright_avc_common.so
41213000-41214000 r--p 00004000 b3:03 796 /system/lib/libstagefright_avc_common.so
41214000-41215000 rw-p 00005000 b3:03 796 /system/lib/libstagefright_avc_common.so
41215000-41216000 rw-p 00000000 00:00 0
41216000-41229000 r--s 0007a000 b3:03 561 /system/framework/ext.jar
41229000-4122b000 r--s 00003000 b3:03 564 /system/framework/framework.jar
4122b000-4122e000 rw-p 00000000 00:04 6321 /dev/ashmem/dalvik-aux-structure (deleted)
4122e000-41230000 rw-p 00000000 00:00 0
41230000-41236000 r-xp 00000000 b3:03 781 /system/lib/librs_jni.so
41236000-41237000 r--p 00005000 b3:03 781 /system/lib/librs_jni.so
41237000-41238000 rw-p 00006000 b3:03 781 /system/lib/librs_jni.so
41238000-4123f000 rw-p 00000000 00:00 0 [heap]
4123f000-419a1000 rw-p 00000000 00:04 6293 /dev/ashmem/dalvik-heap (deleted)
419a1000-44557000 rw-p 00762000 00:04 6293 /dev/ashmem/dalvik-heap (deleted)
44557000-4456e000 ---p 03318000 00:04 6293 /dev/ashmem/dalvik-heap (deleted)
4456e000-5923f000 ---p 0332f000 00:04 6293 /dev/ashmem/dalvik-heap (deleted)
5923f000-5983f000 rw-p 00000000 00:04 6295 /dev/ashmem/dalvik-bitmap-2 (deleted)
5983f000-59840000 rw-p 00000000 00:00 0
59840000-59841000 r--s 00000000 b3:03 310 /system/framework/android.policy.jar
59841000-59842000 rw-p 00000000 00:00 0
59842000-59856000 r--s 00000000 b3:03 542 /system/fonts/Roboto-Regular.ttf
59856000-59858000 r-xp 00000000 b3:03 815 /system/lib/libstagefright_yuv.so
59858000-59859000 r--p 00001000 b3:03 815 /system/lib/libstagefright_yuv.so
59859000-5985a000 rw-p 00002000 b3:03 815 /system/lib/libstagefright_yuv.so
5985a000-5985b000 rw-p 00000000 00:00 0
5985b000-59861000 r-xp 00000000 b3:03 662 /system/lib/libdrmframework_jni.so
59861000-59862000 ---p 00000000 00:00 0
59862000-59863000 r--p 00006000 b3:03 662 /system/lib/libdrmframework_jni.so
59863000-59864000 rw-p 00007000 b3:03 662 /system/lib/libdrmframework_jni.so
59864000-59865000 rw-p 00000000 00:00 0
59865000-59867000 rw-p 00000000 00:00 0
59867000-59868000 r--s 00000000 b3:03 334 /system/framework/bouncycastle.jar
59868000-598a0000 r-xp 00000000 b3:03 691 /system/lib/libjavacore.so
598a0000-598a1000 ---p 00000000 00:00 0
598a1000-598a2000 r--p 00038000 b3:03 691 /system/lib/libjavacore.so
598a2000-598a4000 rw-p 00039000 b3:03 691 /system/lib/libjavacore.so
598a4000-598b6000 r-xp 00000000 b3:03 799 /system/lib/libstagefright_omx.so
598b6000-598b8000 r--p 00011000 b3:03 799 /system/lib/libstagefright_omx.so
598b8000-598b9000 rw-p 00013000 b3:03 799 /system/lib/libstagefright_omx.so
598b9000-598ba000 rw-p 00000000 00:00 0
598ba000-598bd000 rw-p 00000000 00:00 0
598bd000-618bd000 rw-p 00000000 00:04 6296 /dev/ashmem/dalvik-mark-stack (deleted)
618bd000-61958000 r--p 00000000 b3:03 311 /system/framework/android.policy.odex
61958000-61959000 rw-p 00000000 00:00 0
61959000-61c5a000 rw-p 00000000 00:04 6297 /dev/ashmem/dalvik-card-table (deleted)
61c5a000-61c5b000 ---p 00000000 00:04 6298 /dev/ashmem/dalvik-LinearAlloc (deleted)
61c5b000-61f27000 rw-p 00001000 00:04 6298 /dev/ashmem/dalvik-LinearAlloc (deleted)
61f27000-61f62000 rw-p 002cd000 00:04 6298 /dev/ashmem/dalvik-LinearAlloc (deleted)
61f62000-62c5a000 ---p 00308000 00:04 6298 /dev/ashmem/dalvik-LinearAlloc (deleted)
62c5a000-62fab000 r--p 00000000 b3:03 560 /system/framework/core.odex
62fab000-630b4000 r--p 00000000 b3:03 356 /system/framework/bouncycastle.odex
630b4000-63224000 r--p 00000000 b3:03 562 /system/framework/ext.odex
63224000-63c14000 r--p 00000000 b3:03 565 /system/framework/framework.odex
63c14000-63c17000 rw-p 00000000 00:00 0
63c17000-63c2f000 r-xp 00000000 b3:03 838 /system/lib/libvorbisidec.so
63c2f000-63c30000 r--p 00017000 b3:03 838 /system/lib/libvorbisidec.so
63c30000-63c31000 rw-p 00018000 b3:03 838 /system/lib/libvorbisidec.so
63c31000-63c33000 rw-p 00000000 00:00 0
63c33000-63c38000 rw-p 00000000 00:00 0
63c38000-63c41000 r-xp 00000000 b3:03 667 /system/lib/libexif.so
63c41000-63c42000 r--p 00008000 b3:03 667 /system/lib/libexif.so
63c42000-63c43000 rw-p 00009000 b3:03 667 /system/lib/libexif.so
63c43000-63c44000 rw-p 00000000 00:00 0
63c44000-63d05000 rw-p 00000000 00:04 6319 /dev/ashmem/dalvik-aux-structure (deleted)
63d05000-63e27000 r--p 00000000 b3:03 933 /system/framework/telephony-common.odex
63e27000-640b5000 r--p 00000000 b3:03 581 /system/framework/services.odex
640b5000-64206000 r--p 00000000 b3:03 319 /system/framework/apache-xml.odex
64206000-64a37000 r--s 00000000 b3:03 850 /system/usr/icu/icudt48l.dat
64a37000-64a38000 ---p 00000000 00:00 0
64a38000-64b37000 rw-p 00000000 00:00 0
64b37000-64b63000 rw-p 00000000 00:00 0
64b63000-64b74000 r-xp 00000000 b3:03 713 /system/lib/libmtp.so
64b74000-64b76000 r--p 00010000 b3:03 713 /system/lib/libmtp.so
64b76000-64b77000 rw-p 00012000 b3:03 713 /system/lib/libmtp.so
64b77000-64b7a000 rw-p 00000000 00:00 0
64b7a000-64b82000 rw-p 00000000 00:00 0
64b82000-64bab000 r-xp 00000000 b3:03 709 /system/lib/libmedia_jni.so
64bab000-64bac000 ---p 00000000 00:00 0
64bac000-64bad000 r--p 00029000 b3:03 709 /system/lib/libmedia_jni.so
64bad000-64bae000 rw-p 0002a000 b3:03 709 /system/lib/libmedia_jni.so
64bae000-64bba000 r-xp 00000000 b3:03 795 /system/lib/libstagefright_amrnb_common.so
64bba000-64bbb000 r--p 0000b000 b3:03 795 /system/lib/libstagefright_amrnb_common.so
64bbb000-64bbc000 rw-p 0000c000 b3:03 795 /system/lib/libstagefright_amrnb_common.so
64bbc000-64bc9000 r-xp 00000000 b3:03 628 /system/lib/libandroid.so
64bc9000-64bcb000 r--p 0000c000 b3:03 628 /system/lib/libandroid.so
64bcb000-64bcc000 rw-p 0000e000 b3:03 628 /system/lib/libandroid.so
64d1b000-64d32000 r--s 0068b000 b3:09 1428023 /data/app/com.adobe.reader-1.apk
64d32000-64d49000 r--s 0068b000 b3:09 1428023 /data/app/com.adobe.reader-1.apk
64d49000-64d5f000 rw-p 00000000 00:00 0
64d5f000-64d61000 rw-p 00000000 00:00 0
64d61000-64d79000 rw-p 00000000 00:04 151466 /dev/ashmem/dalvik-aux-structure (deleted)
64d79000-64d88000 rw-p 00000000 00:00 0
64d88000-64d92000 r-xp 00000000 b3:03 754 /system/lib/libnvos.so
64d92000-64d93000 ---p 00000000 00:00 0
64d93000-64d94000 r--p 0000a000 b3:03 754 /system/lib/libnvos.so
69053000-69402000 r-xp 00000000 b3:09 824230 /data/app-lib/com.adobe.reader-1/libAdobeReader.so
69402000-69419000 r--p 003ae000 b3:09 824230 /data/app-lib/com.adobe.reader-1/libAdobeReader.so
69419000-6942f000 rw-p 003c5000 b3:09 824230 /data/app-lib/com.adobe.reader-1/libAdobeReader.so

Notice that no memory segment has both "w" and "x" permissions set at the same time; this prevents data written at runtime from being executed in place (W^X). Malware writers have a harder time setting up writable and executable memory, copying their code there and executing it.

Taking a look at libAdobeReader.so (after transferring it from the Android device to the /tmp directory):

/opt/android-ndk-r8c/toolchains/arm-linux-androideabi-4.4.3/prebuilt/linux-x86/bin/arm-linux-androideabi-objdump -T /tmp/libAdobeReader.so

0023406c g DF .text 000000c0 FT_Outline_Reverse
0023412c g DF .text 00000068 FT_Vector_Transform
00234194 g DF .text 00000048 FT_Outline_Transform
002341dc g DF .text 000003c8 FT_Outline_Get_Orientation
002345c4 g DF .text 00000028 FT_Get_Sfnt_Name_Count
002345ec g DF .text 00000018 FT_Stream_OpenMemory
00234604 g DF .text 00000028 FT_Stream_Close
0023462c g DF .text 00000054 FT_Stream_Seek
00234680 g DF .text 000000d4 FT_Raccess_Guess
00234754 g DF .text 0000001c FT_Stream_Skip
00234770 g DF .text 00000008 FT_Stream_Pos
00234778 g DF .text 00000024 FT_Stream_GetChar
0023479c g DF .text 00000030 FT_Stream_GetShort
002347cc g DF .text 00000030 FT_Stream_GetShortLE
002347fc g DF .text 00000038 FT_Stream_GetOffset
00234834 g DF .text 00000048 FT_Stream_GetLong
0023487c g DF .text 00000048 FT_Stream_GetLongLE
002348c4 g DF .text 00000084 FT_Stream_ReadChar
00234948 g DF .text 00000094 FT_Stream_ReadShort
002349dc g DF .text 00000094 FT_Stream_ReadShortLE
00234a70 g DF .text 0000009c FT_Stream_ReadOffset
00234b0c g DF .text 000000a8 FT_Stream_ReadLong
00234d2c g DF .text 000000a8 FT_Stream_ReadLongLE
00235088 g DF .text 00000048 FT_Cos
002350d0 g DF .text 00000008 FT_Sin
002350d8 g DF .text 0000003c FT_Tan
00235114 g DF .text 0000003c FT_Atan2
00235150 g DF .text 00000034 FT_Vector_Unit
00235184 g DF .text 000000ac FT_Vector_Rotate
00235230 g DF .text 00000080 FT_Vector_Length
002352b0 g DF .text 00000070 FT_Vector_Polarize
00235320 g DF .text 00000014 FT_Vector_From_Polar
00235334 g DF .text 00000040 FT_Angle_Diff
00235374 g DF .text 00000224 FT_Outline_Embolden
00235598 g DF .text 00000040 ft_mem_qalloc
002355d8 g DF .text 00000020 ft_mem_free
002355f8 g DF .text 00000038 FT_Stream_ExitFrame
00235630 g DF .text 00000110 FT_Stream_EnterFrame
00235740 g DF .text 00000030 FT_Stream_ExtractFrame
00235770 g DF .text 0000003c FT_Stream_ReleaseFrame
002357ac g DF .text 000000a0 FT_Outline_Done_Internal
0023584c g DF .text 00000018 FT_Outline_Done
00235998 g DF .text 00000058 ft_glyphslot_free_bitmap
002359f0 g DF .text 00000020 ft_glyphslot_set_bitmap
00235a10 g DF .text 00000030 FT_Stream_Free
00235a40 g DF .text 0000007c FT_GlyphLoader_Reset
00235abc g DF .text 00000034 FT_GlyphLoader_Done
00235b74 g DF .text 00000084 FT_Done_GlyphSlot
00235bf8 g DF .text 00000044 ft_mem_strcpyn
00235c3c g DF .text 00000038 FT_List_Find
00235c74 g DF .text 00000020 FT_List_Add
00235c94 g DF .text 00000024 FT_List_Insert
00235cb8 g DF .text 00000020 FT_List_Remove
00235cd8 g DF .text 000000b0 FT_Done_Size
00235d88 g DF .text 00000040 FT_List_Up
00235dc8 g DF .text 00000090 FT_Set_Renderer
00235e58 g DF .text 000000c4 FT_Outline_Render
00235f1c g DF .text 00000054 FT_Outline_Get_Bitmap
00235f70 g DF .text 000000ec FT_Render_Glyph_Internal
0023605c g DF .text 00000030 FT_Render_Glyph
0023608c g DF .text 00000040 FT_List_Iterate
002360cc g DF .text 0000006c FT_List_Finalize
00236138 g DF .text 000001dc FT_Remove_Module
00236484 g DF .text 00000020 ft_highpow2
002364a4 g DF .text 00000024 FT_QAlloc
002364c8 g DF .text 00000024 FT_Free
002364ec g DF .text 00000060 ft_mem_dup
0023654c g DF .text 00000038 ft_mem_strdup
00236584 g DF .text 00000240 FT_Stream_ReadFields
002367c4 g DF .text 0000007c FT_Stream_TryRead
00236840 g DF .text 0000008c FT_Stream_ReadAt
002368cc g DF .text 00000010 FT_Stream_Read
002368dc g DF .text 000001c4 FT_Raccess_Get_HeaderInfo
00236aa0 g DF .text 0000009c FT_Outline_Copy
00236b3c g DF .text 00000058 ft_mem_alloc
00236b94 g DF .text 00000024 FT_Alloc
00236bb8 g DF .text 000000d8 ft_mem_qrealloc
00236c90 g DF .text 0000003c FT_QRealloc
00236ccc g DF .text 0000007c ft_mem_realloc
00236d48 g DF .text 0000003c FT_Realloc
00236d84 g DF .text 00000148 FT_Get_Sfnt_Name
00236ecc g DF .text 00000128 FT_Outline_New_Internal
00236ff4 g DF .text 00000018 FT_Outline_New
0023700c g DF .text 00000100 FT_CMap_Done
0023710c g DF .text 0000008c FT_GlyphLoader_CheckSubGlyphs
00237198 g DF .text 00000070 FT_GlyphLoader_CreateExtra
002373e0 g DF .text 00000104 FT_CMap_New
002374e4 g DF .text 000000f8 FT_New_Size
00237754 g DF .text 00000068 ft_glyphslot_alloc_bitmap
002377bc g DF .text 00000038 FT_GlyphLoader_New
002377f4 g DF .text 00000138 FT_New_GlyphSlot
0023792c g DF .text 00000290 FT_Request_Metrics
00237bbc g DF .text 000000ac FT_Request_Size
00237c68 g DF .text 00000088 FT_Set_Pixel_Sizes
00237cf0 g DF .text 0000007c FT_Set_Char_Size
00237d6c g DF .text 000004d4 FT_Load_Glyph
00238240 g DF .text 0000004c FT_Load_Char
0023828c g DF .text 00000120 FT_Get_Advances
002383ac g DF .text 000000bc FT_Get_Advance
00000000 DF *UND* 00000000 strcat
002385c4 g DF .text 000002c0 FT_Raccess_Get_DataOffsets
00000000 DF *UND* 00000000 qsort
002389e0 g DF .text 00000074 FT_Get_Module
00238a54 g DF .text 00000054 FT_Get_TrueType_Engine_Type
00238aa8 g DF .text 00000020 FT_Get_Module_Interface
00238da0 g DF .text 00000060 ft_service_list_lookup
00238e00 g DF .text 000000f8 FT_Stream_New
0024ce68 g DF .text 000000a8 FT_Stream_Open
002390dc g DF .text 00000088 FT_Attach_Stream
00239164 g DF .text 00000038 FT_Attach_File
0023919c g DF .text 00000638 FT_Open_Face
0023a20c g DF .text 00000048 FT_New_Memory_Face
0023a28c g DF .text 00000018 ft_validator_error

Time to set some breakpoints and get some stack traces.

Another way to generate lots of runtime information (for debugging) is to execute "/system/bin/debuggerd <pid>", where <pid> presently is 5512, and then look in /data/tombstones for the debugging information generated.

Here is a snapshot (it is very verbose):

*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
Build fingerprint: 'google/nakasi/grouper:4.2.1/JOP40D/533553:user/release-keys'
Revision: '0'
pid: 5512, tid: 5512, name: om.adobe.reader >>> com.adobe.reader <<<
signal 19 (SIGSTOP), code 0 (?), fault addr --------
r0 fffffffc r1 bea78520 r2 00000010 r3 ffffffff
r4 6864fbc8 r5 ffffffff r6 00000000 r7 000000fc
r8 00000000 r9 00000014 sl 6864fbdc fp bea78694
ip 40134ff4 sp bea784d8 lr 4012fb0d pc 400daee4 cpsr 20000010
d0 000004b54496b000 d1 4496b0004496b000
d2 3f00000044480000 d3 3f00000000000000
d4 0000000000000000 d5 0000000080000000
d6 4496a00044480000 d7 000004b53f000000
d8 0000000000000000 d9 4448000000000000
d10 000000004496a000 d11 0000000000000000
d12 0000000000000000 d13 0000000000000000
d14 0000000000000000 d15 0000000000000000
d16 7fffffffffffffff d17 7fffffffffffffff
d18 0000000000000000 d19 0000000000000000
d20 0000000000000000 d21 3ff0000000000000
d22 8000000000000000 d23 0000000000000000
d24 0000000000000000 d25 8000000000000000
d26 3ff0000000000000 d27 00fe00fe00fe00fe
d28 0100010001000100 d29 0100010001000100
d30 0000000100000001 d31 0000000100000001
scr 20000090

backtrace:
#00 pc 00017ee4 /system/lib/libc.so (epoll_wait+12)
#01 pc 00014b09 /system/lib/libutils.so (android::Looper::pollInner(int)+96)
#02 pc 00014d71 /system/lib/libutils.so (android::Looper::pollOnce(int, int*, int*, void**)+104)
#03 pc 0005ed53 /system/lib/libandroid_runtime.so (android::NativeMessageQueue::pollOnce(_JNIEnv*, int)+22)
#04 pc 0001e290 /system/lib/libdvm.so (dvmPlatformInvoke+112)
#05 pc 0004d411 /system/lib/libdvm.so (dvmCallJNIMethod(unsigned int const*, JValue*, Method const*, Thread*)+396)
#06 pc 000276a0 /system/lib/libdvm.so
#07 pc 0002b57c /system/lib/libdvm.so (dvmInterpret(Thread*, Method const*, JValue*)+184)
#08 pc 0005ff07 /system/lib/libdvm.so (dvmInvokeMethod(Object*, Method const*, ArrayObject*, ArrayObject*, ClassObject*, bool)+374)
#09 pc 000677e1 /system/lib/libdvm.so
#10 pc 000276a0 /system/lib/libdvm.so
#11 pc 0002b57c /system/lib/libdvm.so (dvmInterpret(Thread*, Method const*, JValue*)+184)
#12 pc 0005fc31 /system/lib/libdvm.so (dvmCallMethodV(Thread*, Method const*, Object*, bool, JValue*, std::__va_list)+272)
#13 pc 000499fb /system/lib/libdvm.so
#14 pc 00046871 /system/lib/libandroid_runtime.so
#15 pc 00047533 /system/lib/libandroid_runtime.so (android::AndroidRuntime::start(char const*, char const*)+390)
#16 pc 00000db7 /system/bin/app_process

Another backtrace:

#00 pc 00018104 /system/lib/libc.so (__futex_syscall3+8)
#01 pc 0000e41c /system/lib/libc.so (__pthread_cond_timedwait_relative+48)
#02 pc 0000e478 /system/lib/libc.so (__pthread_cond_timedwait+60)
#03 pc 000520bb /system/lib/libdvm.so
#04 pc 00066723 /system/lib/libdvm.so
#05 pc 000276a0 /system/lib/libdvm.so
#06 pc 0002b57c /system/lib/libdvm.so (dvmInterpret(Thread*, Method const*, JValue*)+184)
#07 pc 0005fc31 /system/lib/libdvm.so (dvmCallMethodV(Thread*, Method const*, Object*, bool, JValue*, std::__va_list)+272)
#08 pc 0005fc5b /system/lib/libdvm.so (dvmCallMethod(Thread*, Method const*, Object*, JValue*, ...)+20)
#09 pc 000547d7 /system/lib/libdvm.so
#10 pc 0000e3d8 /system/lib/libc.so (__thread_entry+72)
#11 pc 0000dac4 /system/lib/libc.so (pthread_create+160)

Yet another backtrace:

backtrace:
#00 pc 00017ee4 /system/lib/libc.so (epoll_wait+12)
#01 pc 00014b09 /system/lib/libutils.so (android::Looper::pollInner(int)+96)
#02 pc 00014d71 /system/lib/libutils.so (android::Looper::pollOnce(int, int*, int*, void**)+104)
#03 pc 0005ed53 /system/lib/libandroid_runtime.so (android::NativeMessageQueue::pollOnce(_JNIEnv*, int)+22)
#04 pc 0001e290 /system/lib/libdvm.so (dvmPlatformInvoke+112)
#05 pc 0004d411 /system/lib/libdvm.so (dvmCallJNIMethod(unsigned int const*, JValue*, Method const*, Thread*)+396)
#06 pc 000276a0 /system/lib/libdvm.so
#07 pc 0002b57c /system/lib/libdvm.so (dvmInterpret(Thread*, Method const*, JValue*)+184)
#08 pc 0005fc31 /system/lib/libdvm.so (dvmCallMethodV(Thread*, Method const*, Object*, bool, JValue*, std::__va_list)+272)
#09 pc 0005fc5b /system/lib/libdvm.so (dvmCallMethod(Thread*, Method const*, Object*, JValue*, ...)+20)
#10 pc 000547d7 /system/lib/libdvm.so
#11 pc 0000e3d8 /system/lib/libc.so (__thread_entry+72)
#12 pc 0000dac4 /system/lib/libc.so (pthread_create+160)
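The maps dump (and its W^X observation), the objdump -T symbol table and the tombstone backtraces above all hinge on the same address arithmetic, so here is an added Python helper, not from the original post, that parses /proc/<pid>/maps lines, flags any mapping that is both writable and executable, and converts between the relative pc values debuggerd prints and absolute addresses: the pc 400daee4 in the register dump (also the PC column of the ps output) resolves to libc.so+0x17ee4, i.e. epoll_wait+12. The sample maps lines are a constructed subset of the dump above; symbol_runtime_address assumes the library's first PT_LOAD segment has virtual address 0, which is the usual NDK layout.

```python
import re
from collections import namedtuple

# Constructed sample: a subset of the /proc/5512/maps lines shown above.
MAPS_SAMPLE = """\
40032000-40034000 r-xp 00000000 b3:03 151 /system/bin/app_process
400c3000-40108000 r-xp 00000000 b3:03 641 /system/lib/libc.so
40108000-40109000 ---p 00000000 00:00 0
40109000-4010b000 r--p 00045000 b3:03 641 /system/lib/libc.so
4010b000-4010d000 rw-p 00047000 b3:03 641 /system/lib/libc.so
4011b000-40133000 r-xp 00000000 b3:03 828 /system/lib/libutils.so
41238000-4123f000 rw-p 00000000 00:00 0 [heap]
69053000-69402000 r-xp 00000000 b3:09 824230 /data/app-lib/com.adobe.reader-1/libAdobeReader.so
69402000-69419000 r--p 003ae000 b3:09 824230 /data/app-lib/com.adobe.reader-1/libAdobeReader.so
69419000-6942f000 rw-p 003c5000 b3:09 824230 /data/app-lib/com.adobe.reader-1/libAdobeReader.so
"""

# Constructed counter-example: a writable AND executable mapping, which the
# hardened process above never shows.
MAPS_WITH_RWX = MAPS_SAMPLE + "6f000000-6f010000 rwxp 00000000 00:00 0\n"

Mapping = namedtuple("Mapping", "start end perms offset path")

# <start>-<end> <perms> <file offset> <dev> <inode> [<path>]
MAPS_RE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+([rwxsp-]{4})\s+([0-9a-f]+)\s+\S+\s+\d+\s*(.*)$")


def parse_maps(text):
    """Parse /proc/<pid>/maps text into Mapping tuples with integer fields."""
    maps = []
    for line in text.splitlines():
        m = MAPS_RE.match(line.strip())
        if m:  # blank or unrecognised lines are skipped
            start, end, perms, offset, path = m.groups()
            maps.append(Mapping(int(start, 16), int(end, 16), perms,
                                int(offset, 16), path.strip()))
    return maps


def wx_violations(maps):
    """Mappings that are both writable and executable (W^X not enforced)."""
    return [m for m in maps if "w" in m.perms and "x" in m.perms]


def locate(maps, address):
    """Absolute address (e.g. pc from a register dump or the ps PC column)
    -> (path, offset into that file), comparable with tombstone frames."""
    for m in maps:
        if m.start <= address < m.end:
            return m.path, address - m.start + m.offset
    return None


def absolute_pc(maps, path, relative_pc):
    """Inverse of locate(): a tombstone frame 'pc <rel> <path>' -> runtime
    address, taking rel as an offset into the file's executable mapping."""
    for m in maps:
        if (m.path == path and "x" in m.perms
                and m.offset <= relative_pc < m.offset + (m.end - m.start)):
            return m.start + relative_pc - m.offset
    return None


def symbol_runtime_address(maps, path, symbol_value):
    """Runtime address of a symbol value taken from 'objdump -T'.
    Assumption: the first PT_LOAD segment has virtual address 0, so the load
    base is the start of the executable mapping at file offset 0."""
    for m in maps:
        if m.path == path and "x" in m.perms and m.offset == 0:
            return m.start + symbol_value
    return None


if __name__ == "__main__":
    maps = parse_maps(MAPS_SAMPLE)
    print("W^X violations:", wx_violations(maps))
    print("constructed bad process:", wx_violations(parse_maps(MAPS_WITH_RWX)))
    print(locate(maps, 0x400daee4))  # libc.so + 0x17ee4 == epoll_wait+12
    print(hex(absolute_pc(maps, "/system/lib/libc.so", 0x00017ee4)))
    # FT_Outline_Reverse sits at 0x0023406c in the file; where is it at runtime?
    print(hex(symbol_runtime_address(
        maps, "/data/app-lib/com.adobe.reader-1/libAdobeReader.so", 0x0023406c)))
```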

Analysis of ptrace internals in the Linux kernel

First, running "nm vmlinux | grep ptrace" gives (for the 3.2.0-32 Ubuntu 12.04 kernel):

c1587edd t __ptrace_detach.part.5
c1064ff0 T __ptrace_link
c1065230 T __ptrace_may_access
c1065040 T __ptrace_unlink
c127a090 t apparmor_ptrace_access_check
c127a060 t apparmor_ptrace_traceme
c12447f0 T cap_ptrace_access_check
c1244870 T cap_ptrace_traceme
c1016e30 T flush_ptrace_hw_breakpoint
c1065990 T generic_ptrace_peekdata
c10659e0 T generic_ptrace_pokedata
c137c580 T proc_ptrace_connector
c1065130 T ptrace_check_attach
c101b540 T ptrace_disable
c106bc50 t ptrace_do_notify
c10660e0 T ptrace_get_breakpoints
c1065310 T ptrace_may_access
c101b0c0 t ptrace_modify_breakpoint.isra.16
c106c950 T ptrace_notify
c1066140 T ptrace_put_breakpoints
c1065490 T ptrace_readdata
c1065a20 T ptrace_request
c1064f40 t ptrace_resume
c1813448 d ptrace_scope
c101b2a0 T ptrace_set_debugreg
c106ba60 t ptrace_stop
c15880b5 t ptrace_trap_notify
c1064f20 t ptrace_trapping_sleep_fn
c101a870 t ptrace_triggered
c1065580 T ptrace_writedata
c1245e80 T security_ptrace_access_check
c1245ec0 T security_ptrace_traceme
c124bb50 t selinux_ptrace_access_check
c124c7f0 t selinux_ptrace_traceme
c1264410 t smack_ptrace_access_check
c1264390 t smack_ptrace_access_check.part.32
c1262e20 t smack_ptrace_traceme
c1262da0 t smack_ptrace_traceme.part.31
c127d6e0 T yama_ptrace_access_check

Focusing on the ptrace_* functions from that listing, I wrote this script to trace them with ftrace while gdb runs a program:

#!/bin/bash
# Trace every kernel function matching ptrace_* while gdb runs /bin/ls.
# Assumes debugfs is mounted at /debug (the usual mount point is
# /sys/kernel/debug) and a 3.x kernel: tracing_enabled was removed from
# later kernels, where tracing_on is the switch. Must run as root.
set -x
echo 0 >/debug/tracing/tracing_enabled
echo 'ptrace_*' > /debug/tracing/set_ftrace_filter
echo function >/debug/tracing/current_tracer
echo 1 >/debug/tracing/tracing_enabled

# gdb is the tracer, ls the tracee; "run" forks the child, which requests
# PTRACE_TRACEME before exec, so every ptrace_* call below comes from this pair.
gdb /bin/ls <<EOF
run
EOF

echo 0 >/debug/tracing/tracing_enabled
cat /debug/tracing/trace

The result is (after lots of truncation):

+ cat /debug/tracing/trace
# tracer: function
#
# TASK-PID CPU# TIMESTAMP FUNCTION
# | | | | |
iconv-9761 [003] 15007.702161: ptrace_put_breakpoints <-do_exit
ls-9762 [001] 15007.743735: ptrace_signal.isra.26 <-get_signal_to_deliver
ls-9762 [001] 15007.743738: ptrace_stop <-ptrace_signal.isra.26
gdb-9760 [000] 15007.743778: ptrace_check_attach <-sys_ptrace
gdb-9760 [000] 15007.743781: ptrace_request <-arch_ptrace
gdb-9760 [000] 15007.743785: ptrace_check_attach <-sys_ptrace
gdb-9760 [000] 15007.743869: ptrace_may_access <-do_task_stat
gdb-9760 [000] 15007.743918: ptrace_check_attach <-sys_ptrace
gdb-9760 [000] 15007.743918: ptrace_request <-arch_ptrace
gdb-9760 [000] 15007.743918: ptrace_resume <-ptrace_request
ls-9762 [000] 15007.747867: ptrace_signal.isra.26 <-get_signal_to_deliver
ls-9762 [000] 15007.747868: ptrace_stop <-ptrace_signal.isra.26
gdb-9760 [001] 15007.747885: ptrace_check_attach <-sys_ptrace

gdb-9763 [000] 15007.748708: ptrace_notify <-do_fork
gdb-9763 [000] 15007.748708: ptrace_do_notify <-ptrace_notify
gdb-9763 [000] 15007.748709: ptrace_stop <-ptrace_do_notify
gdb-9764 [001] 15007.748712: ptrace_signal.isra.26 <-get_signal_to_deliver
gdb-9764 [001] 15007.748713: ptrace_stop <-ptrace_signal.isra.26
gdb-9760 [000] 15007.748715: ptrace_check_attach <-sys_ptrace
gdb-9760 [000] 15007.748715: ptrace_request <-arch_ptrace
gdb-9760 [000] 15007.748716: ptrace_check_attach <-sys_ptrace

gdb-9760 [000] 15007.749644: ptrace_request <-arch_ptrace
gdb-9760 [000] 15007.749645: ptrace_regset <-ptrace_request
gdb-9760 [000] 15007.749849: ptrace_check_attach <-sys_ptrace
gdb-9760 [000] 15007.749885: ptrace_may_access <-mm_access.part.6
gdb-9760 [000] 15007.749894: ptrace_may_access <-mm_access.part.6
gdb-9760 [000] 15007.749907: ptrace_may_access <-mm_access.part.6
gdb-9760 [000] 15007.749919: ptrace_may_access <-mm_access.part.6

gdb-9760 [002] 15007.764082: ptrace_request <-arch_ptrace
gdb-9760 [002] 15007.764084: ptrace_check_attach <-sys_ptrace
gdb-9760 [002] 15007.764100: ptrace_may_access <-do_task_stat
gdb-9760 [002] 15007.764121: ptrace_check_attach <-sys_ptrace
gdb-9760 [002] 15007.764185: ptrace_request <-arch_ptrace
gdb-9760 [002] 15007.764185: ptrace_resume <-ptrace_request
ls-9762 [001] 15007.766752: ptrace_put_breakpoints <-do_exit
gdb-9760 [002] 15007.767883: ptrace_put_breakpoints <-do_exit

The ftrace output above shows, for each ptrace_*() function hit while “gdb /bin/ls” ran, which task called it and from which kernel function (the “<-” column is the caller): the tracer gdb enters through sys_ptrace() and arch_ptrace(), while the tracee ls stops in ptrace_stop() on every signal. Now walking through the source:

From the userspace side, the ptrace() syscall lands directly in kernel/ptrace.c:sys_ptrace(), whose first branch handles PTRACE_TRACEME (the request a tracee makes on itself):

SYSCALL_DEFINE4(ptrace, long, request, long, pid, unsigned long, addr,
                unsigned long, data)
{
    struct task_struct *child;
    long ret;

    if (request == PTRACE_TRACEME) {
        ret = ptrace_traceme();
        if (!ret)
            arch_ptrace_attach(current);
        goto out;
    }

From here on the call chain enters architecture-specific code; on x86 that is arch/x86/kernel/ptrace.c. For example, the function below handles a tracer's write to the hardware debug control register DR7, which is how hardware breakpoints and watchpoints are armed:

/*
 * Handle ptrace writes to debug register 7.
 */
static int ptrace_write_dr7(struct task_struct *tsk, unsigned long data)
{
    struct thread_struct *thread = &(tsk->thread);
    unsigned long old_dr7;
    int i, orig_ret = 0, rc = 0;
    int enabled, second_pass = 0;
    unsigned len, type;
    struct perf_event *bp;

The other hardware-related functions in the same file are listed below (signatures as they appear in the source; pt_regs_access, get_segment_reg and set_segment_reg appear twice because the file has one definition for 32-bit and one for 64-bit builds):

int regs_query_register_offset(const char *name)
const char *regs_query_register_name(unsigned int offset)
static inline bool invalid_selector(u16 value)
static unsigned long *pt_regs_access(struct pt_regs *regs, unsigned long regno)
static u16 get_segment_reg(struct task_struct *task, unsigned long offset)
static int set_segment_reg(struct task_struct *task,
static unsigned long *pt_regs_access(struct pt_regs *regs, unsigned long offset)
static u16 get_segment_reg(struct task_struct *task, unsigned long offset)
static int set_segment_reg(struct task_struct *task,
static unsigned long get_flags(struct task_struct *task)
static int set_flags(struct task_struct *task, unsigned long value)
static int putreg(struct task_struct *child,
static unsigned long getreg(struct task_struct *task, unsigned long offset)
static int genregs_get(struct task_struct *target,
static int genregs_set(struct task_struct *target,
static void ptrace_triggered(struct perf_event *bp,
static unsigned long ptrace_get_dr7(struct perf_event *bp[])
ptrace_modify_breakpoint(struct perf_event *bp, int len, int type,
static int ptrace_write_dr7(struct task_struct *tsk, unsigned long data)
static unsigned long ptrace_get_debugreg(struct task_struct *tsk, int n)
static int ptrace_set_breakpoint_addr(struct task_struct *tsk, int nr,
int ptrace_set_debugreg(struct task_struct *tsk, int n, unsigned long val)
static int ioperm_active(struct task_struct *target,
static int ioperm_get(struct task_struct *target,
void ptrace_disable(struct task_struct *child)
long arch_ptrace(struct task_struct *child, long request,
static int putreg32(struct task_struct *child, unsigned regno, u32 value)
static int getreg32(struct task_struct *child, unsigned regno, u32 *val)
static int genregs32_get(struct task_struct *target,
static int genregs32_set(struct task_struct *target,
long compat_arch_ptrace(struct task_struct *child, compat_long_t request,
void update_regset_xstate_info(unsigned int size, u64 xstate_mask)
const struct user_regset_view *task_user_regset_view(struct task_struct *task)
static void fill_sigtrap_info(struct task_struct *tsk,
void user_single_step_siginfo(struct task_struct *tsk,
void send_sigtrap(struct task_struct *tsk, struct pt_regs *regs,

Essentially, ptrace relies on two hardware features: single-stepping, and the debug registers, which register the different types of breakpoints (instruction fetch, data write, data read/write, with a length) and, once a breakpoint is reached during execution, report in the status register which one fired.

The x86 arch_ptrace() in arch/x86/kernel/ptrace.c handles the register and debug-register requests itself and falls through (its default case) to the generic ptrace_request() in kernel/ptrace.c for everything else; in both places the results are copied back to the caller with put_user()/copy_to_user() before the syscall returns.

To summarise the whole flow, a ptrace operation inside the kernel starts here in kernel/ptrace.c:

SYSCALL_DEFINE4(ptrace, long, request, long, pid, unsigned long, addr,
                unsigned long, data)
{
    struct task_struct *child;
    long ret;

Inside it, for PTRACE_ATTACH and PTRACE_SEIZE, ptrace_attach() sets up the architecture-independent state and arch_ptrace_attach() the architecture-dependent state; every other request must first pass ptrace_check_attach() and is then dispatched to arch_ptrace():

    if (request == PTRACE_ATTACH || request == PTRACE_SEIZE) {
        ret = ptrace_attach(child, request, data);
        /*
         * Some architectures need to do book-keeping after
         * a ptrace attach.
         */
        if (!ret)
            arch_ptrace_attach(child);
        goto out_put_task_struct;
    }

    ret = ptrace_check_attach(child, request == PTRACE_KILL ||
                  request == PTRACE_INTERRUPT);
    if (ret < 0)
        goto out_put_task_struct;

    ret = arch_ptrace(child, request, addr, data);

out_put_task_struct:
    put_task_struct(child);
Finally, put_user() and friends copy the results straight into the caller's memory. The security checks live in ptrace_check_attach() (is the target really traced by the caller, and is it stopped, unless the request is PTRACE_KILL or PTRACE_INTERRUPT?), in ptrace_may_access()/__ptrace_may_access() (credential and dumpable checks, also consulted by /proc via mm_access() and do_task_stat(), as the trace shows) and in the LSM hook security_ptrace_access_check(), which is where the cap_, apparmor_, selinux_, smack_ and yama_ptrace_access_check functions from the nm listing are invoked. A request that fails any of these never reaches arch_ptrace().
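The same path seen from the tracer's side, as an added example that is not part of the original post: a small C program that forks a child which requests PTRACE_TRACEME and stops itself, then reads and rewrites one word of the child's memory with PTRACE_PEEKDATA/PTRACE_POKEDATA and resumes it with PTRACE_CONT. It also issues PTRACE_PEEKDATA against a pid it does not trace (its own parent) to show ptrace_check_attach() refusing the request with ESRCH before arch_ptrace() is ever reached. The names MARKER_BEFORE, MARKER_AFTER, trace_child_demo and struct demo_result are my own; the program assumes Linux with ptrace permitted for child processes (Yama ptrace_scope 0 or 1) and was not run on the 3.2 kernel the post traces.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed values the tracee and tracer exchange through the tracee's memory. */
#define MARKER_BEFORE 0x1234L   /* written by the child before it stops          */
#define MARKER_AFTER  0x42L     /* POKEd in by the tracer; the child exits with it */

/* fork() duplicates the address space, so &marker is the same virtual address
 * in parent and child: the tracer can PEEK/POKE it without any symbol lookup.
 * volatile makes the child re-read memory after the tracer's POKE. */
static volatile long marker;

struct demo_result {
    long peeked;            /* word read from the stopped child's memory     */
    int  not_traced_errno;  /* errno from PEEKDATA on a pid we do not trace  */
    int  child_exit;        /* child's exit status, -1 on failure            */
};

static struct demo_result fail(pid_t child)
{
    struct demo_result r = { 0, 0, -1 };
    if (child > 0)
        kill(child, SIGKILL);   /* do not leave a stopped tracee behind */
    return r;
}

struct demo_result trace_child_demo(void)
{
    struct demo_result r = { 0, 0, -1 };
    int status;
    pid_t child = fork();
    if (child < 0)
        return fail(0);

    if (child == 0) {
        /* Tracee: PTRACE_TRACEME -> sys_ptrace() -> ptrace_traceme(). */
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0)
            _exit(100);
        marker = MARKER_BEFORE;
        /* Being traced, the signal is intercepted: ptrace_signal() ->
         * ptrace_stop(), and the tracer's waitpid() reports a stopped child. */
        raise(SIGSTOP);
        _exit((int)(marker & 0xff));   /* whatever the tracer left in marker */
    }

    if (waitpid(child, &status, 0) < 0 || !WIFSTOPPED(status))
        return fail(child);

    /* PEEKDATA: sys_ptrace() -> ptrace_check_attach() -> arch_ptrace() ->
     * ptrace_request() -> generic_ptrace_peekdata() -> put_user().
     * -1 is a legal word value, so errno has to be cleared and checked. */
    errno = 0;
    r.peeked = ptrace(PTRACE_PEEKDATA, child, (void *)&marker, NULL);
    if (r.peeked == -1 && errno != 0)
        return fail(child);

    /* The same request against a pid that is not our tracee never reaches
     * arch_ptrace(): ptrace_check_attach() rejects it with ESRCH. */
    errno = 0;
    (void)ptrace(PTRACE_PEEKDATA, getppid(), (void *)&marker, NULL);
    r.not_traced_errno = errno;

    /* POKEDATA rewrites the child's copy of marker ... */
    if (ptrace(PTRACE_POKEDATA, child, (void *)&marker, (void *)MARKER_AFTER) < 0)
        return fail(child);

    /* ... and PTRACE_CONT (ptrace_request() -> ptrace_resume()) with signal 0
     * resumes it without delivering the pending SIGSTOP. */
    if (ptrace(PTRACE_CONT, child, NULL, NULL) < 0)
        return fail(child);
    if (waitpid(child, &status, 0) < 0 || !WIFEXITED(status))
        return fail(child);

    r.child_exit = WEXITSTATUS(status);
    return r;
}

int main(void)
{
    struct demo_result r = trace_child_demo();
    printf("peeked 0x%lx, not-traced errno %d (%s), child exited with %d\n",
           r.peeked, r.not_traced_errno, strerror(r.not_traced_errno), r.child_exit);
    return r.child_exit == MARKER_AFTER ? 0 : 1;
}
```

Run it under the same ftrace filter as the gdb script and the trace should show the familiar ptrace_check_attach <-sys_ptrace, ptrace_request <-arch_ptrace and ptrace_resume <-ptrace_request sequence for this process, plus a ptrace_stop entry for the child. If PTRACE_TRACEME itself fails (child exits with 100), the environment forbids ptrace altogether, for example a seccomp profile or a Yama scope above 1.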

CVE-2010-0729 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0729) is an example of what happens when one of these checks is missed in the kernel's ptrace code and the protection it provides is violated.

There are other good documentation sources on ptrace:

http://lwn.net/Articles/446593/

http://lwn.net/Articles/371501/

http://lwn.net/Articles/432114/
