### Install and Setup Stackplz on Android

Source: https://context7.com/seeflowerx/stackplz/llms.txt

This snippet shows how to install and set up the stackplz binary on an Android device: download the binary, push it to the device, grant execute permission, prepare libraries (older versions only), verify the kernel version, and check for hardware breakpoint support. These steps are the prerequisites for dynamic analysis on the device.

```bash
# Download the precompiled binary from Releases or GitHub Actions

# Push to the Android device
adb push stackplz /data/local/tmp
adb shell
su
chmod +x /data/local/tmp/stackplz

# For versions before v3.0.1, prepare libraries (not needed for v3.0.1+)
cd /data/local/tmp && ./stackplz --prepare

# Verify kernel version (must be 5.10+)
uname -r

# Check hardware breakpoint support (for 4.1x kernels)
cat /proc/config.gz | gunzip | grep CONFIG_HAVE_HW_BREAKPOINT
```

--------------------------------

### Install and Prepare stackplz on Android

Source: https://github.com/seeflowerx/stackplz/blob/dev/README.md

This snippet shows how to push the stackplz binary to an Android device, grant execute permission, and prepare it for use. For versions prior to v3.0.1, an additional preparation step is required.

```bash
adb push stackplz /data/local/tmp
adb shell
su
chmod +x /data/local/tmp/stackplz
# For versions prior to v3.0.1:
cd /data/local/tmp && ./stackplz --prepare
```

--------------------------------

### Hooking System Calls

Source: https://github.com/seeflowerx/stackplz/blob/dev/README.md

Examples of hooking system calls with stackplz: a single syscall, several syscalls separated by commas, and the special value `all`, which hooks every syscall.
```bash
--syscall openat
```

```bash
--syscall openat,recvfrom
```

```bash
--syscall all
```

--------------------------------

### Example stackplz command for uprobe

Source: https://github.com/seeflowerx/stackplz/blob/dev/docs/CONFIG.md

This command pushes the test configurations to the device and then runs stackplz to perform uprobe instrumentation on the named package using a complex configuration file, with hexdump output and color enabled.

```bash
adb push tests /data/local/tmp
./stackplz -n com.coolapk.market -c tests/config_uprobe_test_complex.json --dumphex --color
```

--------------------------------

### Configure stackplz RPC Server for Frida Integration

Source: https://github.com/seeflowerx/stackplz/blob/dev/README.md

This command starts the stackplz RPC server, which is required for registering hardware breakpoints remotely from Frida. The `--stack` option is typically used here.

```bash
./stackplz --rpc --stack
```

--------------------------------

### Stackplz Initialization: RPC Server

Source: https://context7.com/seeflowerx/stackplz/llms.txt

Commands to start stackplz in RPC mode, which lets other tools such as Frida talk to it over a socket. Shown with the default endpoint and with a custom one.

```bash
# Start stackplz in RPC mode (listens on 127.0.0.1:41718 by default)
./stackplz --rpc --stack

# Custom RPC endpoint
./stackplz --rpc --rpc-path 127.0.0.1:12345 --stack --regs
```

--------------------------------

### Basic uprobe configuration for __openat and strstr

Source: https://github.com/seeflowerx/stackplz/blob/dev/docs/CONFIG.md

A JSON configuration for stackplz that hooks the `__openat` and `strstr` functions in `libc.so`. For `__openat`, it captures the second argument (`x1`) as a string, filtering for paths starting with `/data/data`. For `strstr`, it captures both arguments as strings, naming them `haystack` and `needle`.
```json
{
  "type": "uprobe",
  "library": "libc.so",
  "points": [
    {
      "name": "__openat",
      "params": [
        {"type": "str", "reg": "x1", "filter": ["w:/data/data"]}
      ]
    },
    {
      "name": "strstr",
      "params": [
        {"name": "haystack", "type": "str"},
        {"name": "needle", "type": "str"}
      ]
    }
  ]
}
```

--------------------------------

### Trace libc's open Function with Stackplz

Source: https://github.com/seeflowerx/stackplz/blob/dev/README.md

This example traces `strstr` and `open` in libc.so, declaring the argument types of each (`str,str` and `str,int`). `--point` names the function and its arguments; output goes to `tmp.log`.

```bash
./stackplz -n com.starbucks.cn --point strstr[str,str] --point open[str,int] -o tmp.log
```

--------------------------------

### Apply Application Filtering Rules (Whitelist/Blacklist)

Source: https://github.com/seeflowerx/stackplz/blob/dev/README.md

This example applies filtering rules while tracing the `com.starbucks.cn` application. It targets the `openat` syscall and uses whitelist (`-f w:`) and blacklist (`-f b:`) rules to include and exclude certain system paths. The output is saved to `tmp.log`.

```bash
./stackplz -n com.starbucks.cn -s openat:f0.f1.f2 -f w:/system -f w:/dev -f b:/system/lib64 -o tmp.log
```

--------------------------------

### Trace Function with Arguments and Address

Source: https://github.com/seeflowerx/stackplz/blob/dev/README.md

This example traces `gettimeofday` in the `com.termux` application. It declares the expected argument types (`timeval`, `timezone`) and appends a memory offset (`0x4B320`) to hook as well.
```bash
./stackplz -n com.termux -w gettimeofday[timeval,timezone]0x4B320
```

--------------------------------

### Hardware Breakpoints with Stackplz

Source: https://github.com/seeflowerx/stackplz/blob/dev/README.md

Examples of setting hardware breakpoints (read, write, or execute) on memory addresses or on offsets within libraries: by absolute address, by library offset, and on kernel functions (with a strong caution, since that can reboot the device).

```bash
./stackplz --pid `pidof com.sfx.ebpf` --brk 0x70ddfd63f0:x --stack
```

```bash
./stackplz --pid `pidof com.sfx.ebpf` --brk 0xf3a4:x --brk-lib libnative-lib.so --stack
```

```bash
echo 1 > /proc/sys/kernel/kptr_restrict
```

```bash
cat /proc/kallsyms | grep "T sys_"
```

```bash
./stackplz --brk 0xffffff93c5beb634:x --pid `pidof com.sfx.ebpf` --stack
```

```bash
./stackplz --brk 0xffffffc0003654dc:x --pid `pidof com.sfx.ebpf` --regs
```

--------------------------------

### JSON Configuration for Uprobe Hooks in Stackplz

Source: https://context7.com/seeflowerx/stackplz/llms.txt

An example JSON configuration file for defining uprobe hooks, together with the command that loads it. The configuration specifies the hook type (`uprobe`), the target library, and the functions to hook, along with their parameters and optional filters.

```bash
./stackplz -n com.coolapk.market -c tests/config_uprobe_test.json --dumphex --color
```

```json
{
  "type": "uprobe",
  "library": "libc.so",
  "points": [
    {
      "name": "__openat",
      "params": [
        {"type": "str", "reg": "x1", "filter": ["w:/data/data"]}
      ]
    },
    {
      "name": "strstr",
      "params": [
        {"name": "haystack", "type": "str"},
        {"name": "needle", "type": "str"}
      ]
    }
  ]
}
```

--------------------------------

### Hardware Breakpoint Tracing

Source: https://context7.com/seeflowerx/stackplz/llms.txt

This snippet demonstrates setting hardware breakpoints for debugging.
It covers execution breakpoints at absolute addresses or library offsets; read, write, and read-write breakpoints; and breakpoints on kernel functions, with a warning that the latter can make the device unstable.

```bash
# Set execution breakpoint at absolute address
./stackplz --pid `pidof com.sfx.ebpf` --brk 0x70ddfd63f0:x --stack
```

```bash
# Set breakpoint at library offset
./stackplz --pid `pidof com.sfx.ebpf` --brk 0xf3a4:x --brk-lib libnative-lib.so --stack
```

```bash
# Set read/write/read-write breakpoints
./stackplz --pid `pidof com.sfx.ebpf` --brk 0xf3a4:r --brk-lib libnative-lib.so --regs
./stackplz --pid `pidof com.sfx.ebpf` --brk 0xf3a4:w --brk-lib libnative-lib.so --regs
./stackplz --pid `pidof com.sfx.ebpf` --brk 0xf3a4:rw --brk-lib libnative-lib.so --regs
```

```bash
# Set breakpoint on kernel function (WARNING: may cause device reboot)
echo 1 > /proc/sys/kernel/kptr_restrict
cat /proc/kallsyms | grep "T sys_"
./stackplz --brk 0xffffff93c5beb634:x --pid `pidof com.sfx.ebpf` --stack
```

--------------------------------

### Hooking Functions with Argument Types

Source: https://github.com/seeflowerx/stackplz/blob/dev/README.md

Examples of hooking functions with stackplz: by function name, by memory offset, with argument types (`str`, `int`, `buf:64`), with several functions in one command, and at an offset relative to a symbol.

```bash
--point _Z5func1v
```

```bash
--point strstr[str,str] --point open[str,int]
```

```bash
--point write[int,buf:64]
```

```bash
--point 0x9542c[str,str]
```

```bash
--point strstr+0x4[str,str]
```

--------------------------------

### Complex Configuration with Struct Parsing in Stackplz

Source: https://context7.com/seeflowerx/stackplz/llms.txt

A more complex JSON configuration for stackplz that involves struct parsing.
This example defines a uprobe hook on a function in the `linker64` library and specifies parameter parsing through read operations and filters.

```json
{
  "type": "uprobe",
  "library": "linker64",
  "points": [
    {
      "name": "__dl__ZN6soinfo17call_constructorsEv",
      "params": [
        {"type": "ptr"},
        {"type": "std", "read_op": "x0+408", "filter": ["w:libjiagu"]},
        {"type": "*int", "read_op": "x0+160"},
        {"type": "ptr_arr", "size": "6", "read_op": "x0+152."}
      ]
    }
  ]
}
```

--------------------------------

### Wbstack Usage for Breakpoint Debugging (ARM64)

Source: https://github.com/seeflowerx/stackplz/blob/dev/README.md

These examples show how to use `wbstack_arm64` to set breakpoints, inspect memory, and control the process on ARM64: a basic breakpoint, a breakpoint combined with argument and memory reading (`-w`), and the `--stack`, `--jstack` and `--kill` options.

```bash
./wbstack_arm64 -p `pidof com.sfx.ebpf` --brk 0x6dd9d563a4:x --stack
```

```bash
./wbstack_arm64 -p `pidof com.sfx.ebpf` --brk 0x6dd9d563a4:x -w 0x0[str,ptr,buf:32:x0] --color --dumphex
```

```bash
./wbstack_arm64 -p `pidof com.sfx.ebpf` --brk 0xF3A4:x --brk-lib libnative-lib.so -w 0x0[str,ptr,buf:32:x0] --color --dumphex --stack
```

```bash
./wbstack_arm64 -p `pidof com.sfx.ebpf` --brk 0xF3A4:x --brk-lib libnative-lib.so -w 0x0[str,ptr,buf:32:x0] --color --dumphex --stack --jstack --kill SIGSTOP
```

--------------------------------

### Specifying Symbols for Hooking in Stackplz

Source: https://github.com/seeflowerx/stackplz/blob/dev/README.md

If a hook produces no output, the cause may be multiple implementations of the symbol or relocations. In that case, specify the exact symbol or its offset: for example, instead of hooking `strchr`, hook `__strchr_aarch64` if that is the implementation actually used. `readelf` lists the candidate symbols:
```bash
readelf -s /apex/com.android.runtime/lib64/bionic/libc.so | grep strchr
```

--------------------------------

### View stackplz Help Information

Source: https://github.com/seeflowerx/stackplz/blob/dev/README.md

This command lists all available options of the stackplz tool with their descriptions.

```bash
./stackplz --help
```

--------------------------------

### Compilation Workflow Reference

Source: https://github.com/seeflowerx/stackplz/blob/dev/README.md

For build instructions, refer to the GitHub Actions workflow file that compiles stackplz, or to the dedicated build documentation:

See [.github/workflows/build.yml](.github/workflows/build.yml) or [BUILD.md](./docs/BUILD.md)

--------------------------------

### Advanced uprobe configuration for call_constructors in linker64

Source: https://github.com/seeflowerx/stackplz/blob/dev/docs/CONFIG.md

This JSON configuration hooks `__dl__ZN6soinfo17call_constructorsEv` in `linker64` and captures several parameters: the `soinfo` pointer, the `soname` (filtered for `libjiagu`), `init_array_count_` (as a pointer to int), and `init_array_` (as a pointer array of size 6).

```json
{
  "type": "uprobe",
  "library": "linker64",
  "points": [
    {
      "name": "__dl__ZN6soinfo17call_constructorsEv",
      "params": [
        {"type": "ptr"},
        {"type": "std", "read_op": "x0+408", "filter": ["w:libjiagu"]},
        {"type": "*int", "read_op": "x0+160"},
        {"type": "ptr_arr", "size": "6", "read_op": "x0+152."}
      ]
    }
  ]
}
```

--------------------------------

### Batch Trace Apps and Isolated Processes

Source: https://github.com/seeflowerx/stackplz/blob/dev/README.md

This command traces both a specific application (`com.starbucks.cn`) and all isolated processes (`iso`). It hooks the `openat` system call and writes the output to `tmp.log`.
This is useful for monitoring file access across different process types.

```bash
./stackplz -n com.starbucks.cn,iso --syscall openat -o tmp.log
```

--------------------------------

### Trace Syscalls with Stackplz

Source: https://github.com/seeflowerx/stackplz/blob/dev/README.md

This command traces specific system calls (`connect`, `sendto`, `recvfrom`) for a given Android package, logging to a file with buffer arguments rendered as hexdumps.

```bash
./stackplz -n com.starbucks.cn --syscall connect,sendto,recvfrom -o tmp.log --dumphex
```

--------------------------------

### Output Formatting and Logging with Stackplz

Source: https://context7.com/seeflowerx/stackplz/llms.txt

Options for controlling stackplz output: hexdump format, JSON output, quiet mode, additional metadata (time and UID), and dumping raw events to a file for parsing later.

```bash
./stackplz -n com.starbucks.cn --syscall sendto --dumphex --color -o tmp.log
```

```bash
./stackplz -n com.starbucks.cn --syscall openat --json -o tmp.log
```

```bash
./stackplz -n com.starbucks.cn --syscall openat -o tmp.log --quiet
```

```bash
./stackplz -n com.starbucks.cn --syscall openat --showtime --showuid -o tmp.log
```

```bash
./stackplz -n com.starbucks.cn --syscall all --dump -o raw_events.bin
```

```bash
./stackplz --parse raw_events.bin
```

--------------------------------

### Uprobe Hooking on Native Libraries

Source: https://context7.com/seeflowerx/stackplz/llms.txt

This snippet shows how to hook native library functions with uprobes: by symbol name, at library offsets, with argument type and size specifications (including reads relative to the stack pointer), at both entry and exit points, and with parsing of complex structures such as `soinfo`.
```bash
# Hook libc functions by symbol name
./stackplz -n com.starbucks.cn --point strstr[str,str] --point open[str,int] -o tmp.log

# Output format:
# [PID|TID|COMM] function_name(arg0=value, arg1=value) LR:address PC:address SP:address
# Example: [12345|12345|.starbucks.cn] strstr(a0="hello world", a1="world") LR:0x7f8a9b2c40 PC:0x7f8a9b2c44 SP:0x7ff1234560
```

```bash
# Hook custom library with offset
./stackplz -n com.sfx.ebpf --lib libnative-lib.so -w 0x9542c[str,str]
```

```bash
# Hook with specific register reading and size specification
./stackplz --name com.sfx.ebpf -w write[int,buf:x2,int]
./stackplz --name com.sfx.ebpf -w write[int,buf:32,int]
```

```bash
# Advanced: read from stack offset
./stackplz --name com.sfx.ebpf -w 0xA94E8[int:x1,ptr:sp+0x30-0x2c]
./stackplz --name com.sfx.ebpf -w 0xA94E8[int:x1,buf:8:sp+0x30-0x2c]
```

```bash
# Hook with entry and exit offsets
./stackplz -n com.termux -w gettimeofday[timeval,timezone]0x4B320
./stackplz -n com.termux -w 0x9D150[int,buf:x2,int]0x9D164 --dumphex --color
```

```bash
# Parse soinfo structure at call_constructors
./stackplz -n com.coolapk.market -l linker64 -w __dl__ZN6soinfo17call_constructorsEv[ptr,std.f0:x0+408,*int:x0+160,ptr_arr:6:x0+152.] -f w:libjiagu --dumphex --color
```

--------------------------------

### Advanced Options in Stackplz

Source: https://context7.com/seeflowerx/stackplz/llms.txt

Advanced configuration options for stackplz: increasing the perf buffer size, setting the stack size, disabling BPF feature checks, explicitly declaring BTF support, including high-frequency system threads, and showing all registers.
```bash
./stackplz -n com.starbucks.cn -b 32 --syscall all -o tmp.log
```

```bash
./stackplz -n com.sfx.ebpf --syscall openat --stack --stack-size 16384
```

```bash
./stackplz -n com.sfx.ebpf --syscall openat --nocheck
```

```bash
./stackplz -n com.sfx.ebpf --syscall openat --btf
```

```bash
./stackplz -n com.sfx.ebpf --syscall all --full-tname
```

```bash
./stackplz -n com.sfx.ebpf --syscall openat --regs
```

--------------------------------

### JSON Configuration for Syscall Hooks in Stackplz

Source: https://context7.com/seeflowerx/stackplz/llms.txt

A JSON configuration file for syscall hooks. The hook type is `syscall`, and each point identifies a system call by its number (`nr`) and name, with parameter definitions and filters.

```json
{
  "type": "syscall",
  "points": [
    {
      "nr": 29,
      "name": "ioctl",
      "params": [
        {"name": "fd", "type": "int"},
        {"name": "cmd", "type": "ptr", "filter": ["eq:0xc0306201"]},
        {"name": "arg", "type": "ptr"},
        {"name": "ret", "type": "ptr"}
      ]
    },
    {
      "nr": 206,
      "name": "sendto",
      "params": [
        {"name": "sockfd", "type": "int"},
        {"name": "buf", "type": "buf", "more": "enter", "size": "x2"},
        {"name": "len", "type": "size_t"},
        {"name": "flags", "type": "int", "format": "msg_flags"},
        {"name": "addr", "type": "sockaddr"},
        {"name": "addrlen", "type": "socklen_t"},
        {"name": "ret", "type": "int"}
      ]
    }
  ]
}
```

--------------------------------

### Signal Injection and Process Control

Source: https://context7.com/seeflowerx/stackplz/llms.txt

This snippet shows how to control a process by sending it a signal when a specific event occurs: SIGSTOP when a uprobe hits a function, or when a syscall is triggered. This pauses execution at a point of interest for debugging or analysis.
```bash
# Send SIGSTOP when uprobe hits
./stackplz -n com.sfx.ebpf --lib libnative-lib.so -w _Z5func1v --stack --kill SIGSTOP
```

```bash
# Send SIGSTOP when syscall hits
./stackplz -n com.starbucks.cn --syscall exit --kill SIGSTOP --stack
```

--------------------------------

### Print init_array_count_ and init_array_ Content

Source: https://github.com/seeflowerx/stackplz/blob/dev/README.md

This command prints the content of `init_array_count_` and `init_array_` at the given offsets from the `soinfo` pointer by hooking `call_constructors` in `linker64`. Hexdump output is enabled.

```bash
./stackplz -n com.coolapk.market -l linker64 -w __dl__ZN6soinfo17call_constructorsEv[ptr,std.f0:x0+408,*int:x0+152.] -f w:libjiagu --dumphex --color
```

--------------------------------

### Trace Syscalls with Argument Parsing and Hexdump

Source: https://context7.com/seeflowerx/stackplz/llms.txt

This snippet traces the network syscalls `connect`, `sendto` and `recvfrom` for a package, with hexdump output for buffer arguments. Each output line carries the PID, TID, COMM, the syscall name, the parsed arguments, and register state.

```bash
# Trace network syscalls for Starbucks app with hexdump output
./stackplz -n com.starbucks.cn --syscall connect,sendto,recvfrom -o tmp.log --dumphex

# Output format:
# [PID|TID|COMM] syscall_name(arg0=value, arg1=value, ...) LR:address PC:address SP:address
# Example: [12345|12345|.starbucks.cn] connect(sockfd=42, addr=sockaddr_in{family=AF_INET, port=443, addr=192.168.1.1}, addrlen=16) LR:0x7f8a9b2c40 PC:0x7f8a9b2c44 SP:0x7ff1234560
```

```bash
# Trace all file-related syscalls excluding openat
./stackplz -n com.xingin.xhs -s %file --no-syscall openat
```

```bash
# Trace syscalls with custom argument types (int, ptr, hex format)
./stackplz -n com.termux -w writev[int,ptr,intx]s
```

```bash
# Trace syscall entry and exit with struct details
./stackplz -n com.termux -w writev[ptrx,buf,ptrx]ss --dumphex --color
```

--------------------------------

### Batch Trace Processes Excluding a Specific UID

Source: https://github.com/seeflowerx/stackplz/blob/dev/README.md

This command traces all application processes (`-n app`) except a specific user ID (`--no-uid 10084`). It hooks `open` with argument types `str` and `int` and writes the trace to `tmp.log`.

```bash
./stackplz -n app --no-uid 10084 --point open[str,int] -o tmp.log
```

--------------------------------

### Argument Filtering with Stackplz

Source: https://context7.com/seeflowerx/stackplz/llms.txt

Filtering techniques in stackplz: whitelisting and blacklisting file paths, comparing register values, and comparing buffer contents as hex. These filters narrow the captured data to specific operations or values.
```bash
./stackplz -n com.starbucks.cn -s openat:f0.f1.f2 -f w:/system -f w:/dev -o tmp.log
```

```bash
./stackplz -n com.starbucks.cn -s openat -f b:/system/lib64 -o tmp.log
```

```bash
./stackplz -n com.chinarainbow.tft -w memcpy[ptr,ptr,int,ptr.f0:lr] -f eq:0x748a484d2c --stack --kill SIGSTOP
```

```bash
./stackplz -n com.netease.cloudmusic -w sendto[int,buf.f0:x2,int] -f bx:73ea68 -o tmp.log --dumphex --color --stack
```

--------------------------------

### Extract soinfo Data with Stackplz

Source: https://github.com/seeflowerx/stackplz/blob/dev/README.md

These commands hook `call_constructors` in `linker64` to extract `soinfo` details, specifically the name and full path of loaded libraries, using type and read-offset specifiers to parse individual fields of the `soinfo` structure.

```bash
./stackplz -n com.coolapk.market -l linker64 -w __dl__ZN6soinfo17call_constructorsEv[ptr,str.f0:x0+409,str:x0+448.] -f w:libjiagu
```

```bash
./stackplz -n com.coolapk.market -l linker64 -w __dl__ZN6soinfo17call_constructorsEv[ptr,std.f0:x0+408,std:x0+432] -f w:libjiagu
```

--------------------------------

### LR Comparison with Stack Tracing

Source: https://github.com/seeflowerx/stackplz/blob/dev/README.md

This command traces `memcpy` in the `com.chinarainbow.tft` application and filters on the link register (`lr`): the equality filter (`-f eq:`) compares `lr` against a specific address. `--stack` captures the stack and `--kill SIGSTOP` pauses the process for analysis.

```bash
./stackplz -n com.chinarainbow.tft -w memcpy[ptr,ptr,int,ptr.f0:lr] -f eq:0x748a484d2c --stack --kill SIGSTOP
```

--------------------------------

### Stack Unwinding and Java Stack Tracing with Stackplz

Source: https://context7.com/seeflowerx/stackplz/llms.txt

How to enable stack unwinding with and without symbols, and how to generate Java stack traces.
The options `--stack`, `--mstack`, `--jstack`, `--showpc` and `--getoff` control the depth and detail of the stack information captured.

```bash
./stackplz -n com.sfx.ebpf --syscall openat --stack -o tmp.log
```

```bash
./stackplz -n com.sfx.ebpf --syscall openat --mstack -o tmp.log
```

```bash
./stackplz -n com.wsy.crashcatcher -w raise --stack --jstack --showpc --kill SIGSTOP
```

```bash
./stackplz -n com.sfx.ebpf --syscall openat --stack --showpc
```

```bash
./stackplz -n com.sfx.ebpf --syscall openat --stack --getoff
```

--------------------------------

### Stackplz Syscall Groups: File and Process Operations

Source: https://context7.com/seeflowerx/stackplz/llms.txt

How to trace system calls by group: file operations and process operations, for focused monitoring of file I/O, process creation and execution.

```bash
# All syscalls
./stackplz -n app -s all

# File operations
./stackplz -n app -s %file      # open, openat, close, read, write, etc.
./stackplz -n app -s %read      # read, readv, pread64, etc.
./stackplz -n app -s %write     # write, writev, pwrite64, etc.
./stackplz -n app -s %attr      # chmod, chown, stat, etc.

# Process operations
./stackplz -n app -s %process   # fork, vfork, execve, etc.
./stackplz -n app -s %clone     # clone, clone3
./stackplz -n app -s %exec      # execve, execveat
```

--------------------------------

### Stackplz Supported Argument Types: Basic

Source: https://context7.com/seeflowerx/stackplz/llms.txt

The basic data types stackplz supports for system call arguments: integer sizes, string types, array types, buffers, type aliases, and format modifiers.
```bash
# Integer types
int, uint, int8, uint8, int16, uint16, int32, uint32, int64, uint64

# Pointer and string types
ptr, str (C string), std (std::string)

# Array types
int_arr, uint_arr, ptr_arr, string_array

# Type aliases
size_t (uint64), ssize_t (int64), socklen_t (uint32)

# Buffer type
buf, buffer (requires size specification)

# Format modifiers
intx (hex output), ptrx (hex output)
*int (pointer to int), *ptr (pointer to pointer)
```

--------------------------------

### Buffer Data Comparison with Hexdump

Source: https://github.com/seeflowerx/stackplz/blob/dev/README.md

This command traces `sendto` in `com.netease.cloudmusic` and compares the buffer argument (`buf.f0:x2`): the `bx` filter matches the buffer bytes against the hex value `73ea68`. Output goes to `tmp.log` with hexdump and color formatting, and `--stack` captures the stack.

```bash
./stackplz -n com.netease.cloudmusic -w sendto[int,buf.f0:x2,int] -f bx:73ea68 -o tmp.log --dumphex --color --stack
```

--------------------------------

### Hook Syscalls with Custom Argument Types

Source: https://github.com/seeflowerx/stackplz/blob/dev/README.md

Hooking syscalls with custom argument type parsing. The `s` suffix hooks on syscall exit, and `x` requests hex output, so syscall parameters can be inspected in detail.

```bash
./stackplz -n com.termux -w writev[int,ptr,intx]s
```

```bash
./stackplz -n com.termux -w writev[ptrx,buf,ptrx]ss --dumphex --color
```

--------------------------------

### Batch Trace Syscalls with Group Filtering

Source: https://github.com/seeflowerx/stackplz/blob/dev/README.md

This command traces the `%file` and `%net` syscall groups for the `com.xingin.xhs` application while excluding the `openat` syscall, for focused monitoring of file and network operations.
```bash
./stackplz -n com.xingin.xhs -s %file,%net --no-syscall openat
```

--------------------------------

### Process Filtering and Targeting

Source: https://context7.com/seeflowerx/stackplz/llms.txt

Methods for selecting which processes to trace: by package name, UID, PID, TID, and thread name; blacklisting; and process groups (root, system, shell, app, iso).

```bash
# Target by package name
./stackplz -n com.starbucks.cn --point open[str,int]
```

```bash
# Target by UID
./stackplz -u 10084 --syscall openat
```

```bash
# Target by PID/TID
./stackplz -p 12345 --syscall all
./stackplz -t 12346 --syscall openat
```

```bash
# Target by thread name (max 16 bytes)
./stackplz --tname RenderThread --syscall write
```

```bash
# Blacklist filtering
./stackplz --no-uid 10084 --no-pid 12345 --syscall all
./stackplz --no-tname RenderThread --syscall all
```

```bash
# Process group targeting: root, system, shell, app, iso
./stackplz -n app --no-uid 10084 --point open[str,int]
./stackplz -n com.starbucks.cn,iso --syscall openat
```

--------------------------------

### Send Signals on Uprobe Hit with Stackplz

Source: https://github.com/seeflowerx/stackplz/blob/dev/README.md

How to have stackplz send a signal (e.g. SIGSTOP) to a process when a specific uprobe hook is hit, which is useful for pausing the process to dump memory, and how to resume the stopped process afterwards.
```bash
./stackplz -n com.sfx.ebpf --lib libnative-lib.so -w _Z5func1v --stack --kill SIGSTOP
```

```bash
./stackplz -n com.starbucks.cn --syscall exit --kill SIGSTOP --stack
```

```bash
kill -SIGCONT 4326
```

--------------------------------

### Detailed Java Stack Trace Output

Source: https://github.com/seeflowerx/stackplz/blob/dev/README.md

This command obtains detailed Java stack traces with stackplz_arm64. It hooks `raise` in the `com.wsy.crashcatcher` application with the `--stack`, `--jstack`, `--showpc` and `--kill SIGSTOP` options; `--kill SIGSTOP` pauses the application so that the Java stack can be captured.

```bash
./stackplz_arm64 -n com.wsy.crashcatcher -w raise --stack --jstack --showpc --kill SIGSTOP
```

--------------------------------

### Stackplz Syscall Groups: Other Operations and Combinations

Source: https://context7.com/seeflowerx/stackplz/llms.txt

Further syscall groups (exit, dup, epoll, stat), plus combining groups and excluding specific syscalls for refined tracing.

```bash
# Other groups
./stackplz -n app -s %exit    # exit, exit_group
./stackplz -n app -s %dup     # dup, dup2, dup3
./stackplz -n app -s %epoll   # epoll_create, epoll_ctl, epoll_wait, etc.
./stackplz -n app -s %stat    # stat, fstat, lstat, etc.

# Combine groups and exclude specific syscalls
./stackplz -n app -s %file,%net --no-syscall openat,recvfrom
```

--------------------------------

### Frida Script: Dynamic Hardware Breakpoint Registration

Source: https://context7.com/seeflowerx/stackplz/llms.txt

A Frida JavaScript script that registers hardware breakpoints dynamically. It connects to the stackplz RPC server, sends a breakpoint request (address, type, length) as a length-prefixed JSON message, and logs the response. It supports read-write and execution breakpoints.
```javascript
function log(msg) {
    console.log(`${msg}`);
}

async function SetHWBrk(brk_addr, brk_type) {
    try {
        let brk_options = {
            brk_pid: -1,          // -1 = all processes, or a specific PID
            brk_len: 4,           // breakpoint length (1, 2, 4, 8 bytes)
            brk_type: brk_type,   // "r", "w", "rw", "x"
            brk_addr: brk_addr    // breakpoint address
        };

        // Connect to stackplz RPC server
        let conn = await Socket.connect({
            family: "ipv4",
            host: "localhost",
            port: 41718
        });

        // The JSON is ASCII-only, so the string length equals the byte length
        let payload = JSON.stringify(brk_options);
        log(`brk_options -> ${payload}`);

        // Send payload size (4 bytes, little-endian)
        let size_buffer = Memory.alloc(4);
        size_buffer.writeU32(payload.length);
        await conn.output.writeAll(size_buffer.readByteArray(4));

        // Send payload (allocate one extra byte for the NUL that writeUtf8String appends)
        let payload_buffer = Memory.alloc(payload.length + 1);
        payload_buffer.writeUtf8String(payload);
        await conn.output.writeAll(payload_buffer.readByteArray(payload.length));

        // Read response size
        let resp_size_buffer = await conn.input.readAll(4);
        let resp_size = resp_size_buffer.unwrap().readU32();

        // Read response
        let resp = await conn.input.readAll(resp_size);
        log(`resp -> ${hexdump(resp)}`);

        await conn.close();
    } catch (error) {
        log(`[SetHWBrk] error ${error}`);
    }
}

function do_hw_brk() {
    try {
        let lib = Process.getModuleByName("libnative-lib.so");
        SetHWBrk(lib.base.add(0xaaaa), "rw");  // read-write breakpoint
        SetHWBrk(lib.base.add(0x1111), "x");   // execution breakpoint
    } catch (error) {
        log(`error ${error}`);
    }
}

rpc.exports = {
    do_hw_brk: do_hw_brk
}

// Usage in Frida REPL:
// frida -U -f com.example.app -l frida_hw_brk.js
// > rpc.exports.do_hw_brk()
```

--------------------------------

### Trace Function at Address with Data Types

Source: https://github.com/seeflowerx/stackplz/blob/dev/README.md

This command traces a function at a specific offset (`0x9D150`) within the `com.termux` application, declares the argument types (`int`, `buf:x2`, `int`), and enables hexdump with color output for detailed analysis.
```bash
./stackplz -n com.termux -w 0x9D150[int,buf:x2,int]0x9D164 --dumphex --color
```

--------------------------------

### Stackplz Syscall Groups: Network and Signal Operations

Source: https://context7.com/seeflowerx/stackplz/llms.txt

Syscall groups for network communication (sockets, connections, send and receive families) and for signal handling (process signalling and signal disposition). Use a narrower group such as `%send` or `%kill` when the full `%net` or `%signal` set produces more events than you need.

```bash
# Network operations
./stackplz -n app -s %net     # socket, connect, bind, listen, accept, etc.
./stackplz -n app -s %send    # send, sendto, sendmsg, etc.
./stackplz -n app -s %recv    # recv, recvfrom, recvmsg, etc.

# Signal operations
./stackplz -n app -s %signal  # kill, tkill, tgkill, rt_sigaction, etc.
./stackplz -n app -s %kill    # kill, tkill, tgkill
```

--------------------------------

### Stackplz Configuration: IP Address Filtering

Source: https://context7.com/seeflowerx/stackplz/llms.txt

A syscall configuration for `connect` (syscall number 203 on arm64) that only reports connections to the given IPv4 or IPv6 address. The `v4_filter` and `v6_filter` entries read raw bytes from the `sockaddr` pointed to by the second argument (`x1`, via `read_op`) and compare them with an `addr:` filter. Check the offsets and sizes against the structure layout of your target before relying on them: in `sockaddr_in` the `sin_addr` field is 4 bytes at offset 4, and in `sockaddr_in6` the `sin6_addr` field is 16 bytes at offset 8.

```json
{
  "type": "syscall",
  "points": [
    {
      "nr": 203,
      "name": "connect",
      "params": [
        {"name": "sockfd", "type": "int"},
        {"name": "addr", "type": "sockaddr"},
        {"name": "addrlen", "type": "uint32"},
        {"name": "v4_filter", "type": "buf", "size": "4", "read_op": "x1+0x4", "filter": ["addr:192.168.1.1"]},
        {"name": "v6_filter", "type": "buf", "size": "4", "read_op": "x1+0x14", "filter": ["addr:2001:db8::1"]},
        {"name": "ret", "type": "int"}
      ]
    }
  ]
}
```

--------------------------------

### Read Data Based on Register Values or Size with Stackplz

Source: https://github.com/seeflowerx/stackplz/blob/dev/README.md

Advanced `-w` argument specifications for reading data at a hook. The size of a `buf` argument can come from a register (`buf:x2`), a decimal literal (`buf:32`) or a hex literal (`buf:0x10`).
It also shows taking a value from an explicitly named register (`int:x1`) and reading a pointer or buffer from an address computed relative to the stack pointer (`sp+0x30-0x2c`), which is how locals and spilled arguments are reached when they are not in a register at the hook point.

```bash
# size of the buffer in x1 taken from register x2
./stackplz --name com.sfx.ebpf -w write[int,buf:x2,int]
```

```bash
# fixed size, decimal
./stackplz --name com.sfx.ebpf -w write[int,buf:32,int]
```

```bash
# fixed size, hex
./stackplz --name com.sfx.ebpf -w write[int,buf:0x10,int]
```

```bash
# int from x1, pointer read at sp+0x30-0x2c
./stackplz --name com.sfx.ebpf -w 0xA94E8[int:x1,ptr:sp+0x30-0x2c]
```

```bash
# int from x1, 8-byte buffer read at sp+0x30-0x2c
./stackplz --name com.sfx.ebpf -w 0xA94E8[int:x1,buf:8:sp+0x30-0x2c]
```

```bash
# two ints taken positionally
./stackplz --name com.sfx.ebpf -w 0xA94E8[int,int]
```

```bash
# the same two ints with registers named explicitly, in reversed order
./stackplz --name com.sfx.ebpf -w 0xA94E8[int:x1,int:x0]
```

--------------------------------

### Stackplz Supported Argument Types: Complex Structures

Source: https://context7.com/seeflowerx/stackplz/llms.txt

Structure types stackplz can decode for syscall arguments, grouped by area. Using the structure type instead of `buf` lets the tool print fields (addresses, timestamps, signal sets, file metadata) rather than raw bytes.

```bash
# Network structures
sockaddr, msghdr, iovec

# Time structures
timespec, timeval, timezone, itimerspec

# Signal structures
sigset, siginfo, sigaction, stack_t

# System structures
stat, statfs, utsname, rusage, sysinfo

# Other structures
epollevent, pollfd, dirent, pthread_attr
```

--------------------------------

### Auto-resume Stopped Processes with Stackplz

Source: https://context7.com/seeflowerx/stackplz/llms.txt

A process stopped with `--kill SIGSTOP` can be resumed in three ways: add `--auto` so stackplz resumes it by itself, send SIGCONT to the process ID manually, or press `c` in the stackplz terminal.
```bash
./stackplz -n com.sfx.ebpf --lib libnative-lib.so -w _Z5func1v --stack --kill SIGSTOP --auto
```

```bash
# <pid> is the stopped process ID reported by stackplz
kill -SIGCONT <pid>
```

--------------------------------

### Adjusting Perf Event Buffer Size in Stackplz

Source: https://github.com/seeflowerx/stackplz/blob/dev/README.md

When stackplz reports `perf event ring buffer full`, raise the per-CPU buffer size with `-b` (in MB; the default is 8). The buffer is allocated once per CPU, so the total memory used is the value times the number of CPUs. After increasing it, watch for allocation failures, which indicate memory pressure on the device. `-o tmp.log` writes the trace to a file instead of the terminal, which is advisable with `--syscall all`.

```bash
./stackplz -n com.starbucks.cn -b 32 --syscall all -o tmp.log
```
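The Frida hardware-breakpoint script earlier on this page speaks a length-prefixed JSON protocol to the stackplz RPC server. The following is an added example, not code from stackplz or from the page's script: the same framing written as plain Node.js functions so the encoder and a stream decoder can be exercised offline. The wire format (4-byte little-endian byte length, then UTF-8 JSON, in both directions) is taken from the script; that the response body is JSON, and the module base and offset used in `demo`, are assumptions made for the example.

```javascript
// Added example: stackplz RPC framing as used by the Frida script, in Node.js.
// Assumed format: u32 little-endian byte length + UTF-8 JSON, both directions.

const MAX_FRAME = 1 << 20;                          // cap on an untrusted length prefix
const BRK_TYPES = new Set(["r", "w", "rw", "x"]);   // values documented in the script
const BRK_LENS = new Set([1, 2, 4, 8]);

// Build the request object the script sends, validating the documented fields.
// brk_addr is a hex string, which is how JSON.stringify renders a Frida NativePointer.
function hwBreakRequest(base, offset, brkType, brkLen = 4, brkPid = -1) {
  if (!BRK_TYPES.has(brkType)) throw new Error(`bad brk_type ${brkType}`);
  if (!BRK_LENS.has(brkLen)) throw new Error(`bad brk_len ${brkLen}`);
  const addr = BigInt(base) + BigInt(offset);
  return { brk_pid: brkPid, brk_len: brkLen, brk_type: brkType, brk_addr: "0x" + addr.toString(16) };
}

// One framed message: header carrying the UTF-8 *byte* length, then the body.
function frameRequest(obj) {
  const body = Buffer.from(JSON.stringify(obj), "utf8");
  const header = Buffer.alloc(4);
  header.writeUInt32LE(body.length, 0);             // bytes, not JS string length
  return Buffer.concat([header, body]);
}

// Stream decoder: pull every complete frame out of `buf` and return the
// unconsumed remainder, so a response split across TCP reads, or two responses
// arriving in one read, are both handled.
function decodeFrames(buf) {
  const frames = [];
  let offset = 0;
  while (buf.length - offset >= 4) {
    const len = buf.readUInt32LE(offset);
    if (len > MAX_FRAME) throw new Error(`frame length ${len} exceeds ${MAX_FRAME}`);
    if (buf.length - offset - 4 < len) break;       // partial frame: keep for next read
    const body = buf.subarray(offset + 4, offset + 4 + len).toString("utf8");
    frames.push(JSON.parse(body));
    offset += 4 + len;
  }
  return { frames, rest: buf.subarray(offset) };
}

// Constructed round trip: frame a request, then feed it back through the
// decoder in two chunks the way a TCP peer might deliver it.
function demo() {
  const req = hwBreakRequest(0x7b1a400000n, 0xaaaa, "rw");   // assumed base and offset
  const wire = frameRequest(req);
  const first = decodeFrames(wire.subarray(0, 5));          // header + 1 byte: incomplete
  const second = decodeFrames(Buffer.concat([first.rest, wire.subarray(5)]));
  return { req, wireLength: wire.length, incomplete: first.frames.length, decoded: second.frames[0] };
}

console.log(JSON.stringify(demo()));
```

The two points a client gets wrong most often are visible in `frameRequest` and `decodeFrames`: the prefix must be the UTF-8 byte count rather than `json.length`, and a read from the socket must be treated as a byte stream, buffering a partial frame instead of parsing whatever arrived. The `MAX_FRAME` check keeps a corrupt or hostile length prefix from turning into a huge allocation.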
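The `-w` argument specifications in the "Read Data Based on Register Values or Size" entry above pack type, size, source register and address expression into one bracketed string. The following is an added example, not stackplz's own parser: a small decoder for that syntax that also evaluates the `sp+0x30-0x2c` style address expressions against a captured register file. The meaning assigned to each field is inferred from the page's examples and is an assumption about the grammar, not the project's definition; the register values in the tests are constructed.

```javascript
// Added example: decoder for stackplz `-w` argument specs (grammar inferred from
// the page's examples, an assumption):
//   int:x1              value read from register x1
//   buf:x2 / buf:32     buffer whose size is in x2 / is 32 bytes; pointer is positional
//   ptr:sp+0x30-0x2c    pointer read at address sp+0x30-0x2c
//   buf:8:sp+0x30-0x2c  8 bytes read at that address
//   bare `int`          positional: argument i is taken from register xi
// A hex offset after the closing `]` is returned as `after`.

const REG = /^(x(?:[0-9]|[12][0-9]|30)|sp|lr|fp)$/;
const INT_LIT = /^(?:0x[0-9a-f]+|[0-9]+)$/i;

function toNumber(lit) {
  if (!INT_LIT.test(lit)) throw new Error(`bad integer literal: ${lit}`);
  return Number(lit);                                    // Number("0x10") === 16
}

// "reg(+|-literal)*", e.g. "sp+0x30-0x2c": validated at parse time, evaluated later.
function parseAddrExpr(expr) {
  const m = expr.match(/^([a-z]+[0-9]*)((?:[+-](?:0x[0-9a-f]+|[0-9]+))*)$/i);
  if (!m || !REG.test(m[1])) throw new Error(`bad address expression: ${expr}`);
  const terms = (m[2].match(/[+-](?:0x[0-9a-f]+|[0-9]+)/gi) || [])
    .map(t => (t[0] === "+" ? 1 : -1) * toNumber(t.slice(1)));
  return { base: m[1], terms };
}

function evalAddrExpr(expr, regs) {
  const { base, terms } = parseAddrExpr(expr);
  if (!(base in regs)) throw new Error(`register ${base} not supplied`);
  return terms.reduce((acc, n) => acc + n, regs[base]);
}

function parseArg(spec, index) {
  const [type, ...fields] = spec.split(":");
  if (!type) throw new Error(`empty argument at position ${index}`);
  if (type === "buf") {
    const [size, addr] = fields;
    if (size === undefined) throw new Error(`buf needs a size: ${spec}`);
    const arg = { type, size: REG.test(size) ? { reg: size } : { bytes: toNumber(size) } };
    if (addr !== undefined) { parseAddrExpr(addr); arg.addr = addr; }
    else arg.reg = `x${index}`;                          // buffer pointer is positional
    return arg;
  }
  const [where] = fields;                                // int, ptr, ...: a value
  if (where === undefined) return { type, reg: `x${index}` };
  if (REG.test(where)) return { type, reg: where };
  parseAddrExpr(where);
  return { type, addr: where };
}

// "target[arg,arg,...]" with an optional trailing hex offset; target is a symbol or 0x offset.
function parseWatchSpec(spec) {
  const m = spec.match(/^([A-Za-z_]\w*|0x[0-9a-fA-F]+)\[([^\]]*)\](0x[0-9a-fA-F]+)?$/);
  if (!m) throw new Error(`bad -w spec: ${spec}`);
  const [, target, argList, after] = m;
  const args = argList.split(",").map((s, i) => parseArg(s.trim(), i));
  return { target, isOffset: /^0x/i.test(target), args, after: after || null };
}

// Resolve one argument against a register file: a register value, or a memory read.
function resolveRead(arg, regs) {
  const get = r => { if (!(r in regs)) throw new Error(`register ${r} not supplied`); return regs[r]; };
  if (arg.type === "buf") {
    const size = arg.size.reg !== undefined ? get(arg.size.reg) : arg.size.bytes;
    const address = arg.addr !== undefined ? evalAddrExpr(arg.addr, regs) : get(arg.reg);
    return { kind: "memory", address, size };
  }
  if (arg.addr !== undefined) {                          // assumed: one 8-byte slot
    return { kind: "memory", address: evalAddrExpr(arg.addr, regs), size: 8 };
  }
  return { kind: "register", reg: arg.reg, value: get(arg.reg) };
}

console.log(JSON.stringify(parseWatchSpec("0x9D150[int,buf:x2,int]0x9D164")));
```

Validating register names and address expressions at parse time, rather than when the hook first fires, is the useful habit here: a typo such as `x99` or a stray `:` fails before the target process is attached, not in the middle of a trace.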