Is this is a good way to intercept system calls?

I am writing a tool. A part of that tool will be its ability to log the parameters of the system calls. Alright, I can use ptrace for that purpose, but ptrace is pretty slow. A faster method that came to my mind was to modify the glibc. But this is getting difficult, as gcc magically inserts its own built-in functions as system call wrappers rather than using the code defined in glibc. Using -fno-builtin is also not helping there.

So I came up with this idea of writing a shared library, which includes every system call wrapper, such as mmap, and then performs the logging before calling the actual system call wrapper function. For example, pseudocode of what my mmap would look like is given below.

#define _GNU_SOURCE          /* for RTLD_NEXT */
#include <dlfcn.h>
#include <sys/mman.h>

void *mmap(void *addr, size_t len, int prot, int flags, int fd, off_t off)
{
    /* resolve the real wrapper from the next object in link order (libc) */
    void *(*real_mmap)(void *, size_t, int, int, int, off_t) = dlsym(RTLD_NEXT, "mmap");
    log_parameters(addr, len, prot, flags, fd, off);   /* asker's logging routine, called first */
    return real_mmap(addr, len, prot, flags, fd, off); /* then call the original wrapper and return its result */
}

Then I can use LD_PRELOAD to load this library first. Do you think this idea will work, or am I missing something?

MetallicPriest asked May 21 '12 16:05

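The preloadable wrapper sketched in the question, written out as a complete C interposer (an added example, not the asker's code): it resolves libc's mmap with dlsym(RTLD_NEXT, ...), guards against re-entry because dlsym and libc internals can call mmap themselves, and logs with write(2) instead of buffered stdio, which may allocate. It assumes 64-bit Linux with glibc, where SYS_mmap takes the same six arguments as mmap(2); the counter and record-formatting function exist so the behaviour can be checked.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE                      /* needed for RTLD_NEXT */
#endif
#include <dlfcn.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>

static unsigned long hooked_calls;       /* mmap() calls the hook has logged */
static __thread int in_hook;             /* per-thread re-entrancy guard */

unsigned long mmap_hook_calls(void) { return hooked_calls; }

/* Build one log record. snprintf() into a caller-supplied buffer does not
   allocate, so it is safe to use from inside the hook. */
size_t format_mmap_record(char *buf, size_t cap, void *addr, size_t len,
                          int prot, int flags, int fd, off_t off)
{
    int n = snprintf(buf, cap, "mmap(addr=%p, len=%zu, prot=%d, flags=%d, fd=%d, off=%lld)\n",
                     addr, len, prot, flags, fd, (long long)off);
    return n < 0 ? 0 : (size_t)n;
}

/* Interposed wrapper: under LD_PRELOAD this shadows libc's mmap for every
   dynamically linked program that calls it through the PLT. */
void *mmap(void *addr, size_t len, int prot, int flags, int fd, off_t off)
{
    static void *(*real_mmap)(void *, size_t, int, int, int, off_t);
    /* dlsym() and libc internals may themselves call mmap(); on re-entry
       skip logging and issue the raw syscall instead of recursing. */
    if (in_hook)
        return (void *)syscall(SYS_mmap, addr, len, prot, flags, fd, off);
    in_hook = 1;
    if (!real_mmap)
        real_mmap = dlsym(RTLD_NEXT, "mmap");  /* next definition after ours: libc's */

    char rec[160];
    size_t n = format_mmap_record(rec, sizeof rec, addr, len, prot, flags, fd, off);
    if (write(STDERR_FILENO, rec, n) < 0) { /* write(2) is unbuffered and async-signal-safe; */
    }                                       /* a failed log write is ignored inside the hook */
    hooked_calls++;

    void *ret = real_mmap(addr, len, prot, flags, fd, off);
    in_hook = 0;
    return ret;
}
```

Build it as a shared object (for example `gcc -shared -fPIC -o mmaphook.so hook.c`, file names assumed) and run a target with `LD_PRELOAD=./mmaphook.so`. Only calls that go through libc's exported wrapper are seen: statically linked programs and code that uses syscall(2) or inline assembly never reach the hook, which is why this cannot be a complete system call log.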



1 Answer

No method that you can possibly dream up in user-space will work seamlessly with any application. Fortunately for you, there is already support for doing exactly what you want to do in the kernel. Kprobes and Kretprobes allow you to examine the state of the machine just preceding and following a system call.

Documentation here: https://www.kernel.org/doc/Documentation/kprobes.txt

Max DeLiso answered Sep 22 '22 17:09