Menu
Methods of which I'm aware of intercepting system calls are the following.
So you see all the above mentioned methods have flaws. So my question is what is the way to intercept system calls without modifying the kernel and with minimal overhead.
514
If you can't modify the kernel, you must modify the application. You need to somehow intercept the int/syscall/sysenter instructions, either by setting a break point there (if you can handle them within the application in Linux; you can in Windows by using SEH/VEH) or by hooking the instruction in a more intrusive way (changing it to jmp to the code that would get save the system call number and parameters, perform the original int/syscall/sysenter and jmp back).
EDIT: Oh, I've forgot to add that finding those instructions can be a challenge. You may be unable to correctly identify them in the compiled binary. You can miss some (especially those created at run time) and you can take some other instructions for int/syscall/sysenter (if your code analysis isn't perfect). OTOH, finding them at run time (by analyzing individual instructions (or blocks of them) prior to executing/emulating them) is going to incur a performance hit.
In any event, most likely the performance issues are directly related to the number of system calls being made and to the amount of logged/traced information. If you cut that down (i.e. select only the interesting system calls and parameters) and/or collect only the information about, say, the last 10000 system calls and keep the data in memory and save it to a file just once (at the end of the app), you'll have much better performance.
89
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
