Portable Techniques for Syscall Interception

• Can one process monitor syscalls made by another

  • /proc interface in UNIX SVR4, e.g., Solaris, IRIX
  • enhanced ptrace interface, e.g., Linux

• Manner of operation

  • monitored process stopped on syscall entry and exit
  • monitoring process woken up from a wait; it may
    • examine or modify syscall arguments
    • read/write monitored process memory
  • execution resumed on request from monitoring process

Previous slide

Next slide

Back to first slide

View graphic version