tracing AND intercepting syscalls?

Stanislav Ochotnicky stanislav.ochotnicky at kmit.sk
Sat Dec 2 08:32:13 PST 2006



Hi

I'm doing some research concerning tracing and intercepting of syscalls.
Ideally this would be done in userspace. It doesn't have to be
system-wide. It would be enough if I could fork/exec a new process and
somehow be notified every time it makes a syscall, with the ability to alter
arguments/return values. I (more or less) need an interface similar to
Linux ptrace when called with PTRACE_SYSCALL. The systrace utility does the
same thing on OpenBSD/Linux. I've been through some mailing lists and
their archives, read the FreeBSD Developers' Handbook, TrustedBSD's MAC framework
intro, man pages, asked on IRC and god knows what else and couldn't find
a solution. Here's what I have found out so far about interfaces that
resemble what I need:

ptrace: unable to trace syscalls, only single-step; this would be too
slow IMHO, not to mention problems with identifying syscalls.

/proc interface: more or less like ptrace, better at modifying the memory
of a process etc., but also unable to trace syscalls.

ktrace: almost there, able to trace syscalls, but it only writes them to a
file, and thus I cannot intercept them.

TrustedBSD's MAC framework: I've read the manual, looked at the source, etc., and
I couldn't find a way to stop at every syscall a certain process has made.
There is a mac_syscall() function, but as far as I could tell, it only
registers a new syscall. All in all, it seems that it should have some way
to do this; maybe I just couldn't find it.

If a kernel module/change is needed I would appreciate a push in the right
direction.

Any help would be appreciated.

Thanks in advance
Stanislav Ochotnicky

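The Linux PTRACE_SYSCALL interface the post uses as its reference point, as an added example that is not part of the original message: a tracer that forks a child, stops it at every syscall entry and exit, and rewrites the return value of getpid() on the exit stop. It assumes x86-64 Linux; the FAKE_PID value and the function names traced_child/run_traced are constructed for this demo.

```c
/* Linux/x86-64 tracer built on PTRACE_SYSCALL (the interface the post asks
 * for): stop the child at every syscall entry/exit and rewrite one result. */
#define _GNU_SOURCE
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <signal.h>
#include <unistd.h>

#define FAKE_PID 4242L  /* constructed value the tracer injects as getpid()'s result */
/* Child: ask to be traced, then report whether its getpid() was rewritten. */
static void traced_child(void)
{
    if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1) _exit(99);
    raise(SIGSTOP);                    /* hand control to the tracer first */
    long pid = syscall(SYS_getpid);    /* raw syscall: bypasses any libc cache */
    _exit(pid == FAKE_PID ? 0 : 1);
}

/* Tracer: returns the child's exit status (0 = rewrite observed), or -1 if
 * ptrace is unusable here (restricted container, no permission to trace). */
int run_traced(long *syscall_stops)
{
    int status, in_syscall = 0;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) traced_child();
    *syscall_stops = 0;
    waitpid(pid, &status, 0);          /* the child's own SIGSTOP */
    if (!WIFSTOPPED(status)) return -1;
    /* Mark syscall stops with SIGTRAP|0x80 so they differ from signal stops. */
    ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)PTRACE_O_TRACESYSGOOD);
    for (;;) {
        if (ptrace(PTRACE_SYSCALL, pid, NULL, NULL) == -1) return -1;
        waitpid(pid, &status, 0);
        if (WIFEXITED(status)) return WEXITSTATUS(status);
        if (!WIFSTOPPED(status) || WSTOPSIG(status) != (SIGTRAP | 0x80))
            continue;                  /* a plain signal stop, not a syscall */
        (*syscall_stops)++;
        in_syscall = !in_syscall;      /* stops alternate: entry, exit, ... */
        struct user_regs_struct regs;
        ptrace(PTRACE_GETREGS, pid, NULL, &regs);
        /* On the exit stop of getpid(), overwrite the kernel's return value. */
        if (!in_syscall && regs.orig_rax == SYS_getpid) {
            regs.rax = FAKE_PID;
            ptrace(PTRACE_SETREGS, pid, NULL, &regs);
        }
    }
}
```

The same entry stop is where a sandbox would inspect or rewrite arguments (or replace orig_rax to refuse the call) before the kernel runs it; the exit stop is where the result can be changed.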


More information about the freebsd-hackers mailing list