tracing AND intercepting syscalls?

Kostik Belousov kostikbel at gmail.com
Sat Dec 2 11:48:46 PST 2006


On Sat, Dec 02, 2006 at 05:32:06PM +0100, Stanislav Ochotnicky wrote:
> 
> Hi
> 
> I'm doing some research concerning tracing and intercepting of syscalls.
> Ideally this would be done in userspace. It doesn't have to be
> system-wide. It would be enough if I could fork/exec a new process, and
> somehow be notified every time it makes a syscall, with the ability to alter
> arguments/return values. I (more or less) need a similar interface to
> Linux ptrace when called with PTRACE_SYSCALL. The systrace utility does the
> same thing in OpenBSD/Linux. I've been through some mailing lists and
> their archives, read the FreeBSD developers guide, TrustedBSD's MAC framework
> intro, man pages, asked on IRC and god knows what else and couldn't find
> a solution. Here's what I have found out so far about interfaces that
> resemble what I need:
> 
> ptrace: unable to trace syscalls, only singlestep, this would be too
> slow imho, not to mention problems with identifying syscalls.
> 
Did you look at the PT_SYSCALL, PT_TO_SCE and PT_TO_SCX ptrace(2) facilities?

> /proc interface: more or less like ptrace, better with modifying memory
> of the process etc., but also unable to trace syscalls
Read the man pages and code of the truss(1) and strace(1) utilities.
Truss is available in the base system, strace is in the ports.

> 
> ktrace: almost there, able to trace syscalls, but it only writes them to a
> file, and thus I cannot intercept them.
> 
> TrustedBSD's MAC framework: I've read the manual, looked at the source etc. And
> I couldn't find a way to stop at every syscall a certain process has made.
> There is the mac_syscall() function but as far as I could tell, it only
> registers a new syscall. All in all, it seems that it should have some way
> to do this, maybe I just couldn't find it.
> 
> If kernel module/change is needed I would appreciate push in right
> direction.
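The PT_TO_SCE / PT_TO_SCX route Kostik points at, as an added example that is not part of this thread or of FreeBSD's own code: a tracer that stops the child at every syscall entry and exit, reads the number and result with PT_GETREGS, and rewrites getpid()'s return value with PT_SETREGS, which is the "alter arguments/return values" part of the question. It is written for FreeBSD/amd64 (the r_rax register names and the carry-flag error convention are the amd64 ABI); the Linux x86-64 branch uses PTRACE_SYSCALL only so the same file builds and runs there, and FAKE_PID is a constructed value.

```c
/* FreeBSD amd64: PT_TO_SCE/PT_TO_SCX stop at syscall entry/exit; PT_GETREGS/PT_SETREGS read and rewrite registers. */
#include <sys/types.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <signal.h>
#include <stdio.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <machine/reg.h>
typedef struct reg regs_t;
#define REQ_ENTRY PT_TO_SCE                /* run until the next syscall entry */
#define REQ_EXIT  PT_TO_SCX                /* run until that syscall is about to return */
#define REGS(req, p, r) ptrace((req), (p), (caddr_t)(r), 0)
#define SC_NUM(r) ((long)(r).r_rax)        /* at entry: number; args in r_rdi, r_rsi, r_rdx, ... */
#define SC_RET(r) (r).r_rax                /* at exit: result (errno, with carry flag set, on failure) */
#else
#include <sys/user.h>
typedef struct user_regs_struct regs_t;
#define REQ_ENTRY PTRACE_SYSCALL           /* Linux alternates entry and exit stops */
#define REQ_EXIT  PTRACE_SYSCALL
#define REGS(req, p, r) ptrace((req), (p), (void *)0, (r))
#define SC_NUM(r) ((long)(r).orig_rax)
#define SC_RET(r) (r).rax
#endif
#define FAKE_PID 424242L                   /* constructed value injected as the child's getpid() result */
static void child_body(void) {
    if (ptrace(PT_TRACE_ME, 0, 0, 0) < 0) _exit(99);  /* tracing not permitted in this environment */
    raise(SIGSTOP);                                   /* hand control to the tracer */
    _exit(syscall(SYS_getpid) == FAKE_PID ? 0 : 1);   /* 0 only if the tracer rewrote the result */
}
/* Trace a child through every syscall, rewriting getpid()'s result at its exit stop.
 * Returns the child's exit status (0 = interception observed) or -1 if tracing was unavailable. */
long trace_and_intercept(void) {
    int st = -1, at_entry = 0; long num = -1; regs_t r; pid_t pid = fork();
    if (pid == 0) child_body(); else if (pid < 0) return -1;
    while (waitpid(pid, &st, 0) == pid && WIFSTOPPED(st)) {  /* first stop is the child's SIGSTOP */
        if (REGS(PT_GETREGS, pid, &r) < 0) goto fail;
        if (at_entry) num = SC_NUM(r);
        else if (num >= 0) {                                 /* exit stop: result is visible and writable */
            printf("syscall %ld returned %ld\n", num, (long)SC_RET(r));
            if (num == SYS_getpid) { SC_RET(r) = FAKE_PID; if (REGS(PT_SETREGS, pid, &r) < 0) goto fail; }
        }
        if (ptrace(at_entry ? REQ_EXIT : REQ_ENTRY, pid, (void *)1, 0) < 0) goto fail;  /* addr 1: resume in place */
        at_entry = !at_entry;
    }
    return WIFEXITED(st) && WEXITSTATUS(st) != 99 ? WEXITSTATUS(st) : -1;
fail: kill(pid, SIGKILL); waitpid(pid, &st, 0); return -1;
}
int main(void) { return trace_and_intercept() == 0 ? 0 : 1; }
```

Altering arguments works the same way at the entry stop (change r_rdi, r_rsi, ... and PT_SETREGS before PT_TO_SCX); the plain PT_SYSCALL request stops at both entry and exit in one go.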