1. Tracer selection
1.1 SystemTap
What is SystemTap, and why did others choose it?
Collecting the syscalls a sample makes is one of the most informative parts of dynamic analysis.
In computing, a system call (commonly abbreviated to syscall) is the programmatic way in which a computer program requests a service from the kernel of the operating system on which it is executed. This may include hardware-related services (for example, accessing a hard disk drive), creation and execution of new processes, and communication with integral kernel services such as process scheduling. System calls provide an essential interface between a process and the operating system. (from Wikipedia)
Syscalls include:
File and device access: open/close/read/write/chmod, etc.
Process management: fork/clone/execve/exit/getpid, etc.
Signals: signal/sigaction/kill, etc.
Memory management: brk/mmap/mlock, etc.
Inter-process communication (IPC): shmget/semget, etc. (semaphores, shared memory, message queues)
Network communication: socket/connect/sendto/sendmsg, etc.
etc.
The LiSa paper distinguishes two tracing techniques: program-level tracing and kernel-level tracing.
strace is the typical program-level tracer: it attaches to the target with ptrace(2) and is woken up at every syscall entry and exit.
Some malware is anti-debugging, however. The sample we ran made this call early on:
ptrace(PTRACE_TRACEME, 0, 0, 0)
Screenshot of the sandbox run:
Because a process can have only one tracer, PTRACE_TRACEME fails with -1 (errno EPERM) while strace is attached, and the sample concluded that it was being traced. What's more, strace is slow: every traced syscall costs two stops and two context switches into the tracer. A kernel-level tracer such as SystemTap (its syscall.* probes run inside the kernel at syscall entry and return) attaches nothing via ptrace, so this check passes exactly as it would on a clean machine.
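To make the failure mode concrete, here is an added example (not code from the page, from the sample, or from LiSa): a minimal strace-style tracer written with ptrace(PTRACE_SYSCALL), whose tracee performs the same anti-debugging check as the sample, a second ptrace(PTRACE_TRACEME, 0, 0, 0). The function names (run_traced_check, traceme_detects_tracer) are this example's own. It is Linux-only and assumes ptrace is permitted (kernel.yama.ptrace_scope 0 or 1, no seccomp filter blocking ptrace).

```c
/* Added example: strace-style tracer plus a tracee that runs the sample's
 * anti-debugging check. Linux only. Names here are this example's own. */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* The check exactly as the sample did it. When a tracer is already attached,
 * PTRACE_TRACEME fails with -1/EPERM. Returns 1 if a tracer was detected.
 * Side effect when it returns 0: the caller is now traced by its parent. */
static int traceme_detects_tracer(void)
{
    errno = 0;
    if (ptrace(PTRACE_TRACEME, 0, 0, 0) == -1 && errno == EPERM)
        return 1;
    return 0;
}

/* Fork a tracee, trace it the way strace does (PTRACE_SYSCALL stops), count
 * the syscall stops it produces and return the tracee's exit code:
 * 1 = its anti-debugging check fired, 0 = it did not, -1 = tracing failed. */
int run_traced_check(long *syscall_stops)
{
    pid_t pid = fork();
    if (pid == -1)
        return -1;

    if (pid == 0) {
        /* Tracee: hand control to the parent, as strace's child does. */
        if (ptrace(PTRACE_TRACEME, 0, 0, 0) == -1)
            _exit(2);
        raise(SIGSTOP);
        /* Now under trace: this is the sample's check. */
        _exit(traceme_detects_tracer());
    }

    /* Tracer: wait for the SIGSTOP, then step from syscall to syscall. */
    int status;
    long stops = 0;
    if (waitpid(pid, &status, WUNTRACED) == -1 || !WIFSTOPPED(status)) {
        kill(pid, SIGKILL);
        waitpid(pid, NULL, 0);
        return -1;
    }
    /* Report syscall stops as SIGTRAP|0x80 so they differ from real signals. */
    ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)(long)PTRACE_O_TRACESYSGOOD);

    int sig = 0; /* the initial SIGSTOP is suppressed, not delivered */
    for (;;) {
        if (ptrace(PTRACE_SYSCALL, pid, NULL, (void *)(long)sig) == -1) {
            kill(pid, SIGKILL);
            waitpid(pid, NULL, 0);
            return -1;
        }
        if (waitpid(pid, &status, 0) == -1)
            return -1;
        if (WIFEXITED(status))
            break;
        if (WIFSIGNALED(status))
            return -1;
        sig = 0;
        if (WIFSTOPPED(status)) {
            if (WSTOPSIG(status) == (SIGTRAP | 0x80))
                stops++;                /* syscall entry or exit stop */
            else
                sig = WSTOPSIG(status); /* a real signal: deliver it */
        }
    }
    if (syscall_stops)
        *syscall_stops = stops;
    return WEXITSTATUS(status);
}

int main(void)
{
    long stops = 0;
    int r = run_traced_check(&stops);
    printf("tracee exit code %d (%s), syscall stops seen: %ld\n", r,
           r == 1 ? "tracer detected" : r == 0 ? "no tracer detected" : "trace failed",
           stops);
    return r == 1 ? 0 : 1;
}
```

Running the binary on its own reports "tracer detected": the tracee's second PTRACE_TRACEME fails with EPERM because the parent is already its tracer, which is the same situation the sample was in under strace. Each syscall the tracee makes after the first stop produces an entry and an exit stop, which is where strace's overhead comes from; a kernel-side tracer records the same information without stopping the process at all.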
Cross-Compile Linux Kernel
An earlier version of this section pointed to an external guide; that approach is deprecated.
We found buildroot easier to use, because it builds both the kernel and the rootfs (and a matching toolchain) in one tree.
The steps are:
make list-defconfigs              # defconfigs live in ./configs; pick one for the target board or QEMU machine
make qemu_ppc_e500mc_defconfig    # PowerPC e500mc target under QEMU
make menuconfig                   # choose the packages you need and the (external) toolchain;
                                  # the System configuration menu also sets the root password and login banner
make                              # builds toolchain, kernel and rootfs (takes a while)
ls output/images                  # kernel, bootloader and root filesystem images end up here
For reference, the buildroot README describes the same procedure more formally:
Buildroot is a simple, efficient and easy-to-use tool to generate embedded
Linux systems through cross-compilation.
The documentation can be found in docs/manual. You can generate a text
document with 'make manual-text' and read output/docs/manual/manual.text.
Online documentation can be found at http://buildroot.org/docs.html
To build and use the buildroot stuff, do the following:
1) run 'make menuconfig'
2) select the target architecture and the packages you wish to compile
3) run 'make'
4) wait while it compiles
5) find the kernel, bootloader, root filesystem, etc. in output/images
You do not need to be root to build or run buildroot. Have fun!
Buildroot comes with a basic configuration for a number of boards. Run
'make list-defconfigs' to view the list of provided configurations.
Please feed suggestions, bug reports, insults, and bribes back to the
buildroot mailing list: buildroot@buildroot