101 lines
3.6 KiB
Plaintext
101 lines
3.6 KiB
Plaintext
Dex File Poisoning Access
|
|
=========================
|
|
|
|
These set of executables are useful for condensing large amounts of memory reads
|
|
of Dex Files into smaller, split pieces of information. Two kinds of information
|
|
are provided:
|
|
1. Visualizing what part of a Dex File is being accessed at what time
|
|
as a graph
|
|
2. Ordering stack traces by most commonly occurring
|
|
Both of these kinds of information can be split up further by providing category
|
|
names as arguments. A trace is put into a category if the category name is a
|
|
substring of the symbolized trace.
|
|
|
|
How:
|
|
======
|
|
These set of tools work in conjunction with the class
|
|
DexFileTrackingRegistrar, which marks sections of Dex Files as poisoned. As Dex
|
|
Files are marked for poisoning, their starting addresses are logged in logcat.
|
|
In addition, when poisoned sections of memory are accesses, their stack trace is
|
|
also outputted to logcat.
|
|
|
|
sanitizer_logcat_analysis.sh is the main executable that will use the other two
|
|
in order to give both types of information. The other two are used in some of
|
|
the intermediary steps which are described in sanitizer_logcat_analysis.sh,
|
|
though they can also be executed individually if provided the necessary input.
|
|
|
|
Why:
|
|
======
|
|
|
|
The main reason for splitting the functionality across multiple files is because
|
|
sanitizer_logcat_analysis.sh uses external executable development/scripts/stack.
|
|
This is necessary in order to get symbolized traces from the output given by
|
|
Address Sanitizer.
|
|
|
|
How to Use:
|
|
|
|
sanitizer_logcat_analysis.sh at minimum requires all logcat output in the form
|
|
of a file. Additional options specified below are useful for removing
|
|
unnecessary trace information.
|
|
|
|
===========================================================================
|
|
Usage: sanitizer_logcat_analysis.sh [options] [LOGCAT_FILE] [CATEGORIES...]
|
|
-a
|
|
Forces all pids associated with registered dex
|
|
files in the logcat to be processed.
|
|
default: only the last pid is processed
|
|
|
|
-b [DEX_FILE_NUMBER]
|
|
Outputs data for the specified baksmali
|
|
dump if -p is provided.
|
|
default: first baksmali dump in order of dex
|
|
file registration
|
|
|
|
-d OUT_DIRECTORY
|
|
Puts all output in specified directory.
|
|
If not given, output will be put in a local
|
|
temp folder which will be deleted after
|
|
execution.
|
|
|
|
-e
|
|
All traces will have exactly the same number
|
|
of categories which is specified by either
|
|
the -m argument or by prune_sanitizer_output.py
|
|
|
|
-f
|
|
Forces redo of all commands even if output
|
|
files exist. Steps are skipped if their output
|
|
exist already and this is not enabled.
|
|
|
|
-m [MINIMUM_CALLS_PER_TRACE]
|
|
Filters out all traces that do not have
|
|
at least MINIMUM_CALLS_PER_TRACE lines.
|
|
default: specified by prune_sanitizer_output.py
|
|
|
|
-o [OFFSET],[OFFSET]
|
|
Filters out all Dex File offsets outside the
|
|
range between provided offsets. 'inf' can be
|
|
provided for infinity.
|
|
default: 0,inf
|
|
|
|
-p [PACKAGE_NAME]
|
|
Using the package name, uses baksmali to get
|
|
a dump of the Dex File format for the package.
|
|
|
|
-t [TIME_OFFSET],[TIME_OFFSET]
|
|
Filters out all time offsets outside the
|
|
range between provided offsets. 'inf' can be
|
|
provided for infinity.
|
|
default: 0,inf
|
|
|
|
CATEGORIES are words that are expected to show in
|
|
a large subset of symbolized traces. Splits
|
|
output based on each word.
|
|
|
|
LOGCAT_FILE is the piped output from adb logcat.
|
|
===========================================================================
|
|
|
|
|
|
|
|
|