Date:      Sat, 2 Dec 2006 21:48:40 +0200
From:      Kostik Belousov <kostikbel@gmail.com>
To:        Stanislav Ochotnicky <stanislav.ochotnicky@kmit.sk>
Cc:        freebsd-hackers@freebsd.org
Subject:   Re: tracing AND intercepting syscalls?
Message-ID:  <20061202194840.GD35681@deviant.kiev.zoral.com.ua>
In-Reply-To: <4571AA86.1060303@kmit.sk>
References:  <4571AA86.1060303@kmit.sk>



On Sat, Dec 02, 2006 at 05:32:06PM +0100, Stanislav Ochotnicky wrote:
>
> Hi
>
> I'm doing some research concerning tracing and intercepting of syscalls.
> Ideally this would be done in userspace. It doesn't have to be
> system-wide. It would be enough if I could fork/exec a new process, and
> somehow be notified every time it makes a syscall, with the ability to alter
> arguments/return values. I (more or less) need an interface similar to
> Linux ptrace when called with PTRACE_SYSCALL. The systrace utility does the
> same thing in OpenBSD/Linux. I've been through some mailing lists and
> their archives, read the FreeBSD developers' guide, TrustedBSD's MAC framework
> intro, man pages, asked on IRC and god knows what else and couldn't find
> a solution. Here's what I have found out so far about interfaces that
> resemble what I need:
>
> ptrace: unable to trace syscalls, only single-step, this would be too
> slow imho, not to mention problems with identifying syscalls.
>
Did you look at the PT_SYSCALL, PT_TO_SCE and PT_TO_SCX ptrace(2) facilities?

> /proc interface: more or less like ptrace, better for modifying the memory
> of a process etc., but also unable to trace syscalls.
Read the man pages and code of the truss(1) and strace(1) utilities.
Truss is available in the base system; strace is in the ports.

>
> ktrace: almost there, able to trace syscalls, but it only writes them to
> a file, and thus I cannot intercept them.
>
> TrustedBSD's MAC framework: I've read the manual, looked at the source etc. And
> I couldn't find a way to stop at every syscall a certain process has made.
> There is a mac_syscall() function but as far as I could tell, it only
> registers a new syscall. All in all, it seems that it should have some way
> to do this, maybe I just couldn't find it.
>
> If a kernel module/change is needed, I would appreciate a push in the
> right direction.

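
As an added example (editor's code, not anything posted in this thread and not truss(1) itself), here is the loop the reply points at, in C. The tracer forks a child that makes one real getpid(2), stops it at every syscall entry and exit, and rewrites getpid's return value at the exit stop so the child observes a fake pid; that is exactly the "be notified at every syscall and alter return values" the original poster asked for. On FreeBSD it drives PT_TO_SCE/PT_TO_SCX; on Linux the same file uses PTRACE_SYSCALL, the interface the poster compared against. Assumptions not taken from the thread: the register layout is amd64/x86_64 (syscall number in rax at entry, with rdi holding the real number when FreeBSD libc's syscall(3) enters through the indirect SYS_syscall; return value in rax at exit, with the carry flag marking an errno on FreeBSD), FAKE_PID is an arbitrary constant, the tracee is single-threaded and does not exec, and on FreeBSD the SCE and SCX stops are told apart only by alternation, not by inspecting the stop.

```c
/* Added example, not code from the thread or from truss(1): a tracer that stops a child
 * at every syscall and rewrites one return value (FreeBSD: PT_TO_SCE / PT_TO_SCX; Linux: PTRACE_SYSCALL). */
#define _GNU_SOURCE
#include <signal.h>
#include <unistd.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#if !defined(__amd64__) && !defined(__x86_64__)
#error "register decoding below assumes the amd64/x86_64 layout"
#endif
#define FAKE_PID 4242L                      /* arbitrary value forced into getpid()'s return */
#if defined(__FreeBSD__)
#include <machine/psl.h>                    /* PSL_C: carry flag, set when rax holds an errno */
#include <machine/reg.h>                    /* struct reg: r_rax, r_rdi, r_rflags */
#define PT(req, pid, addr, data) ptrace((req), (pid), (caddr_t)(addr), (int)(data))
#define RESUME(pid, entry, sig) PT((entry) ? PT_TO_SCE : PT_TO_SCX, (pid), 1, (sig)) /* addr 1: current pc */
#define SYSCALL_STOP_SIG SIGTRAP            /* SCE/SCX stops report a plain SIGTRAP */
#else                                       /* Linux: glibc/musl alias PT_* to PTRACE_* */
#include <sys/user.h>                       /* struct user_regs_struct: rax, orig_rax */
#define PT(req, pid, addr, data) ptrace((req), (pid), (void *)(long)(addr), (void *)(long)(data))
#define RESUME(pid, entry, sig) PT(PT_SYSCALL, (pid), 0, (sig))   /* stops at entry and exit alike */
#define SYSCALL_STOP_SIG (SIGTRAP | 0x80)   /* marker added by PTRACE_O_TRACESYSGOOD */
#endif

struct trace_result {
    long entries, exits, child_saw;  /* stops observed; what getpid() returned in the child (-1: unknown) */
    int rewritten, child_status;     /* 1 once getpid's return was replaced; waitpid(2) status */
};

static long syscall_number(pid_t pid)       /* valid at an entry stop; -1 on error */
{
#if defined(__FreeBSD__)
    struct reg r;
    if (PT(PT_GETREGS, pid, &r, 0) == -1) return -1;
    /* libc's syscall(3) enters through the indirect SYS_syscall; the real number is then arg 1 (rdi) */
    return (r.r_rax == SYS_syscall || r.r_rax == SYS___syscall) ? (long)r.r_rdi : (long)r.r_rax;
#else
    struct user_regs_struct r;
    if (PT(PT_GETREGS, pid, 0, &r) == -1) return -1;
    return (long)r.orig_rax;                /* rax itself holds -ENOSYS at entry */
#endif
}

static int set_return_value(pid_t pid, long value)   /* valid at an exit stop */
{
#if defined(__FreeBSD__)
    struct reg r;
    if (PT(PT_GETREGS, pid, &r, 0) == -1) return 0;
    r.r_rax = value;
    r.r_rflags &= ~PSL_C;                   /* clear carry so libc does not treat rax as an errno */
    return PT(PT_SETREGS, pid, &r, 0) == 0;
#else
    struct user_regs_struct r;
    if (PT(PT_GETREGS, pid, 0, &r) == -1) return 0;
    r.rax = (unsigned long long)value;
    return PT(PT_SETREGS, pid, 0, &r) == 0;
#endif
}

struct trace_result trace_getpid(void)      /* fork a tracee that makes one real getpid(2); trace it */
{
    struct trace_result res = { 0, 0, -1, 0, -1 };
    int fds[2], status, at_entry = 1, sig = 0, alive = 1;
    long pending = -1, seen;
    pid_t pid;
    if (pipe(fds) == -1 || (pid = fork()) == -1) return res;
    if (pid == 0) {                         /* tracee */
        close(fds[0]);
        if (PT(PT_TRACE_ME, 0, 0, 0) == -1) _exit(2);
        raise(SIGSTOP);                     /* hand control to the tracer */
        seen = (long)syscall(SYS_getpid);   /* a real syscall, not a cached pid */
        if (write(fds[1], &seen, sizeof seen) < 0) _exit(3);
        _exit(0);
    }
    close(fds[1]);
    if (waitpid(pid, &status, 0) == -1) goto done;   /* the child's own SIGSTOP; sig == 0 swallows it */
    if (!WIFSTOPPED(status)) { res.child_status = status; alive = 0; goto done; }
#if defined(__linux__)
    PT(PT_SETOPTIONS, pid, 0, PTRACE_O_TRACESYSGOOD);  /* tag syscall stops with SIGTRAP|0x80 */
#endif
    while (RESUME(pid, at_entry, sig) == 0 && waitpid(pid, &status, 0) != -1) {
        if (!WIFSTOPPED(status)) { res.child_status = status; alive = 0; break; }
        if (WSTOPSIG(status) != SYSCALL_STOP_SIG) { sig = WSTOPSIG(status); continue; } /* real signal: pass it on */
        sig = 0;
        if (at_entry) {
            res.entries++;
            pending = syscall_number(pid);  /* remember which syscall is in flight */
        } else {
            res.exits++;
            if (pending == SYS_getpid && set_return_value(pid, FAKE_PID)) res.rewritten = 1;
        }
        at_entry = !at_entry;
    }
done:
    if (alive) { kill(pid, SIGKILL); waitpid(pid, &res.child_status, 0); }
    if (read(fds[0], &seen, sizeof seen) == (ssize_t)sizeof seen) res.child_saw = seen;
    close(fds[0]);
    return res;
}
```

Build with cc and call trace_getpid() from a main(); on a successful run the child reports FAKE_PID as its pid and the tracer has seen at least one more entry than exit, because the final _exit has an entry stop but no exit stop. PT_SYSCALL would stop at both boundaries in one request; the PT_TO_SCE/PT_TO_SCX pair is used here so that the tracer always knows which side it is on. On FreeBSD this loop would mistake a genuine SIGTRAP in the tracee for a syscall stop; later FreeBSD releases expose PL_FLAG_SCE/PL_FLAG_SCX through PT_LWPINFO to disambiguate, and truss(1) is the reference for that and for the per-architecture argument decoding.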



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20061202194840.GD35681>