From owner-freebsd-hackers@FreeBSD.ORG Sat Dec 2 16:32:13 2006
From: Stanislav Ochotnicky <stanislav.ochotnicky@kmit.sk>
Date: Sat, 02 Dec 2006 17:32:06 +0100
To: freebsd-hackers@freebsd.org
Subject: tracing AND intercepting syscalls?
Message-ID: <4571AA86.1060303@kmit.sk>
List-Id: Technical Discussions relating to FreeBSD

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi,

I'm doing some research concerning tracing and intercepting of syscalls. Ideally this would be done in userspace. It doesn't have to be system-wide. It would be enough if I could fork/exec a new process and somehow be notified every time it makes a syscall, with the ability to alter arguments/return values. I (more or less) need a similar interface to Linux ptrace when called with PTRACE_SYSCALL. The systrace utility does the same thing in OpenBSD/Linux.
I've been through some mailing lists and their archives, read the FreeBSD developers' guide, TrustedBSD's MAC framework intro, man pages, asked on IRC and god knows what else, and couldn't find a solution. Here's what I have found out so far about interfaces that resemble what I need:

ptrace: unable to trace syscalls, only singlestep; this would be too slow imho, not to mention problems with identifying syscalls.

/proc interface: more or less like ptrace, better at modifying the memory of a process etc., but also unable to trace syscalls.

ktrace: almost there, able to trace syscalls, but it only writes them to a file, and thus I cannot intercept them.

TrustedBSD's MAC framework: I've read the manual, looked at the source etc. and I couldn't find a way to stop at every syscall a certain process has made. There is a mac_syscall() function but as far as I could tell, it only registers a new syscall.

All in all, it seems that it should have some way to do this; maybe I just couldn't find it. If a kernel module/change is needed I would appreciate a push in the right direction.

Any help would be appreciated.

Thanks in advance
Stanislav Ochotnicky

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFFcaqGul7h5FTXf/MRCDDDAJ4jkBkfkb09PJhM83ZXUI27HH81YgCfeBC+
6YbAsDWcCbvWDmPGiU655RU=
=sZgU
-----END PGP SIGNATURE-----
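The interface the poster is describing (stop a forked child at every syscall entry and exit, inspect the number and arguments, rewrite the return value) is exactly what Linux ptrace(2) with PTRACE_SYSCALL provides, and the following is an added example of it; it is not code from the mailing-list post, from FreeBSD, or from systrace. It assumes Linux on x86-64 (syscall number and return value are read from `orig_rax` and `rax` in `struct user_regs_struct`) and that ptrace is permitted in the environment. The traced child is the forked process itself rather than an exec'd binary so the example runs offline; the tracer counts syscall entries and, as a demonstration of interception, overwrites the result of `getpid` with a constructed value (`FAKE_PID`) so the child can report whether the rewrite took effect. Modern FreeBSD ptrace(2) offers PT_SYSCALL, PT_TO_SCE and PT_TO_SCX for the same purpose, but the example sticks to the Linux interface because that is the one the post names.

```c
/* Added example (not from the post or from FreeBSD): a minimal Linux
 * PTRACE_SYSCALL tracer that stops a child at every syscall entry/exit
 * and rewrites the return value of getpid. Linux x86-64 only. */
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef __x86_64__
#error "This example reads syscall registers via user_regs_struct on x86-64"
#endif

/* Constructed value the tracer substitutes for the real getpid() result. */
#define FAKE_PID 12345L

struct trace_result {
    long syscalls_seen;   /* number of syscall entries observed */
    int child_exit_code;  /* what the traced child passed to _exit() */
};

/* Body of the traced child: a few syscalls, then an exit code that says
 * whether the tracer rewrote getpid()'s return value (7 = rewritten). */
static void traced_child(void)
{
    if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1)
        _exit(2);
    raise(SIGSTOP);  /* hand control to the tracer before doing anything */
    const char msg[] = "child: hello from under the tracer\n";
    write(STDOUT_FILENO, msg, sizeof msg - 1);
    long pid = syscall(SYS_getpid);  /* raw syscall: bypass any libc caching */
    _exit(pid == FAKE_PID ? 7 : 1);
}

/* Tracer loop: resume the child with PTRACE_SYSCALL so it stops at every
 * syscall entry and exit, count entries, and on exit from SYS_getpid
 * overwrite the return register. Returns 0 on success, -1 on failure. */
int trace_syscalls(struct trace_result *out)
{
    out->syscalls_seen = 0;
    out->child_exit_code = -1;

    pid_t child = fork();
    if (child == -1)
        return -1;
    if (child == 0)
        traced_child();  /* never returns */

    int status;
    if (waitpid(child, &status, 0) == -1 || !WIFSTOPPED(status))
        return -1;
    /* Set bit 7 in the stop signal of syscall stops so they cannot be
     * confused with a genuine SIGTRAP received by the child. */
    if (ptrace(PTRACE_SETOPTIONS, child, NULL, (void *)PTRACE_O_TRACESYSGOOD) == -1)
        return -1;

    int in_syscall = 0;  /* toggles: first syscall stop is entry, next is exit */
    int sig = 0;         /* signal to deliver on resume (0 = suppress) */
    for (;;) {
        if (ptrace(PTRACE_SYSCALL, child, NULL, (void *)(long)sig) == -1)
            return -1;
        if (waitpid(child, &status, 0) == -1)
            return -1;
        sig = 0;
        if (WIFEXITED(status)) {
            out->child_exit_code = WEXITSTATUS(status);
            return 0;
        }
        if (WIFSIGNALED(status))
            return -1;
        if (WSTOPSIG(status) != (SIGTRAP | 0x80)) {
            sig = WSTOPSIG(status);  /* ordinary signal stop: pass it through */
            continue;
        }
        struct user_regs_struct regs;
        if (ptrace(PTRACE_GETREGS, child, NULL, &regs) == -1)
            return -1;
        if (!in_syscall) {
            /* Entry: regs.orig_rax is the syscall number, rdi/rsi/rdx/r10/r8/r9
             * its arguments; this is where arguments could be inspected or changed. */
            out->syscalls_seen++;
            in_syscall = 1;
        } else {
            /* Exit: regs.rax holds the return value; alter it for getpid. */
            if (regs.orig_rax == SYS_getpid) {
                regs.rax = FAKE_PID;
                if (ptrace(PTRACE_SETREGS, child, NULL, &regs) == -1)
                    return -1;
            }
            in_syscall = 0;
        }
    }
}

/* Convenience wrapper: the child's exit code (7 means the interception
 * worked), or -1 if tracing failed. */
int demo_child_exit_code(void)
{
    struct trace_result r;
    return trace_syscalls(&r) == 0 ? r.child_exit_code : -1;
}

int main(void)
{
    struct trace_result r;
    if (trace_syscalls(&r) != 0) {
        perror("trace_syscalls");
        return 1;
    }
    printf("syscall entries seen: %ld, child exit code: %d\n",
           r.syscalls_seen, r.child_exit_code);
    return 0;
}
```

The entry/exit toggle is the classic way to tell the two stops apart; on x86-64 the entry stop can also be recognised by `rax == -ENOSYS`, and newer kernels expose PTRACE_GET_SYSCALL_INFO for the same purpose. Every stop costs two context switches, which is the overhead that makes ptrace-based sandboxes noticeably slower than in-kernel policy such as seccomp or a MAC module.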