Vulnerability Development mailing list archives

Re: Capturing System Calls


From: edsel () ADAP ORG (Edsel Adap)
Date: Thu, 22 Jun 2000 16:41:32 -0400


On Thu, Jun 22, 2000 at 04:32:41PM -0400, Whyte, Jesse wrote:
You used to be able to do a limited set of this with sotruss...

Yes. apptrace supersedes sotruss.  They are based on the same
mechanism.  sotruss was 'demo-ware' or proof of concept.
apptrace pretty-prints the arguments to the functions.

And on the subject of changing the behavior of function calls, apptrace
uses what are called interceptor objects.  By replacing those, one can
use apptrace to catch function calls and make them do whatever they
want.


-----Original Message-----
From: Edsel Adap [mailto:edsel () ADAP ORG]
Sent: Thursday, June 22, 2000 2:33 PM
To: VULN-DEV () SECURITYFOCUS COM
Subject: Re: Capturing System Calls


On Solaris 8, there is a new command called apptrace, which allows you
to watch calls to libraries.  It can watch application-> library calls,
library->library calls.

On Thu, Jun 22, 2000 at 10:27:34AM -0700, Oliver Friedrichs wrote:
If you only want to see what a program is doing, use 'truss' on solaris,
'ktrace' on bsd.

DESCRIPTION
     The truss  utility executes the specified command  and  pro-
     duces  a  trace of the system calls it performs, the signals
     it receives, and the machine faults it incurs. Each line  of
     the  trace output reports either the fault or signal name or
     the system call name with its arguments and return value(s).
     System call arguments are displayed symbolically when possi-

If you want to interactively trace the process, use the 'ptrace()' system
call.

- Oliver

-----Original Message-----
From: Green Charles Contr AFRL/IFGB [mailto:Charles.Green () RL AF MIL]
Sent: Thursday, June 22, 2000 9:23 AM
To: VULN-DEV () SECURITYFOCUS COM
Subject: Capturing System Calls


On UNIX Systems (FreeBSD, Linux, Solaris), is there a way to
capture/modify system calls from an application without modifying the
kernel (or using kernel modules) - preferably in userspace? The reason I
ask is that a group of us are being asked to evaluate a piece of software
for my company but they've put some heavy restrictions on how we do it.
One of the restrictions is that we're not allowed to modify the kernel.


--
Edsel Adap
edsel () adap org
http://www.adap.org/~edsel/          LINUX - the choice of the GNU generation

"Netscape is an application which grows to fill all available memory."  - me

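The ptrace()-based route Oliver mentions, combined with the "modify" half of Charles's question, worked through as an added example; this is not code from anyone in this thread. It traces a command, reports each syscall with its first three arguments and its return value, and rewrites any syscall a made-up policy forbids (here: unlink/unlinkat) so the kernel skips it and the tracee sees EPERM. It is x86-64 Linux only, because the syscall number and return value are read from orig_rax and rax; demo_block_rm() is a helper added for the self-check and the policy is purely illustrative.

```c
/* Added example (not from this thread): a ptrace(2) syscall tracer for
 * x86-64 Linux that reports every syscall the traced command makes and
 * rewrites the ones a (made-up) policy forbids so the kernel skips them. */
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/user.h>
#include <sys/wait.h>

#ifndef __x86_64__
#error "reads orig_rax/rax: x86-64 Linux only"
#endif

struct trace_result {
    long syscalls;    /* syscall entries observed */
    long blocked;     /* entries rewritten to fail with EPERM */
    int  exit_status; /* tracee's exit status (128+sig if killed) */
};

/* Hypothetical policy for the example: the tracee may not unlink anything. */
static int policy_blocks(long nr)
{
    return nr == SYS_unlink || nr == SYS_unlinkat;
}

/* Run argv under ptrace. Returns 0 once the tracee has exited, -1 on error. */
int trace_command(char *const argv[], struct trace_result *res, int verbose)
{
    memset(res, 0, sizeof *res);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                       /* child: ask to be traced, then exec */
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1) _exit(127);
        execvp(argv[0], argv);
        _exit(127);
    }
    int status;                           /* first stop: the SIGTRAP after exec */
    if (waitpid(pid, &status, 0) == -1 || !WIFSTOPPED(status)) return -1;
    /* TRACESYSGOOD: syscall stops report SIGTRAP|0x80, so real SIGTRAPs are
     * distinguishable; EXITKILL: the tracee dies if the tracer does. */
    if (ptrace(PTRACE_SETOPTIONS, pid, NULL,
               (void *)(long)(PTRACE_O_TRACESYSGOOD | PTRACE_O_EXITKILL)) == -1)
        return -1;

    int in_syscall = 0, pending_block = 0, sig = 0;
    for (;;) {
        /* resume until the next syscall entry/exit, delivering any pending signal */
        if (ptrace(PTRACE_SYSCALL, pid, NULL, (void *)(long)sig) == -1) return -1;
        sig = 0;
        if (waitpid(pid, &status, 0) == -1) return -1;
        if (WIFEXITED(status))   { res->exit_status = WEXITSTATUS(status);    return 0; }
        if (WIFSIGNALED(status)) { res->exit_status = 128 + WTERMSIG(status); return 0; }
        if (WSTOPSIG(status) != (SIGTRAP | 0x80)) {
            sig = WSTOPSIG(status);       /* ordinary signal: pass it through */
            continue;
        }
        struct user_regs_struct regs;
        if (ptrace(PTRACE_GETREGS, pid, NULL, &regs) == -1) return -1;
        if (!in_syscall) {                /* syscall-enter stop */
            long nr = (long)regs.orig_rax;
            res->syscalls++;
            pending_block = policy_blocks(nr);
            if (verbose)
                fprintf(stderr, "syscall %ld(%#llx, %#llx, %#llx)%s\n", nr,
                        regs.rdi, regs.rsi, regs.rdx, pending_block ? " [blocked]" : "");
            if (pending_block) {
                res->blocked++;
                regs.orig_rax = (unsigned long long)-1;  /* invalid number: kernel skips it */
                if (ptrace(PTRACE_SETREGS, pid, NULL, &regs) == -1) return -1;
            }
        } else {                          /* syscall-exit stop */
            if (pending_block) {
                regs.rax = (unsigned long long)-EPERM;   /* replace the kernel's -ENOSYS */
                if (ptrace(PTRACE_SETREGS, pid, NULL, &regs) == -1) return -1;
                pending_block = 0;
            } else if (verbose) {
                fprintf(stderr, "  = %lld\n", (long long)regs.rax);
            }
        }
        in_syscall = !in_syscall;
    }
}

/* Self-check: run `rm -f` on a scratch file under the tracer and confirm the
 * unlink was blocked and the file survived. Returns 1 on success, 0 otherwise. */
int demo_block_rm(void)
{
    char path[] = "/tmp/tracee-XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) return 0;
    close(fd);
    char *argv[] = { "rm", "-f", path, NULL };
    struct trace_result r;
    int rc = trace_command(argv, &r, 0);
    int survived = access(path, F_OK) == 0;
    unlink(path);                         /* our own cleanup, not traced */
    return rc == 0 && r.syscalls > 0 && r.blocked > 0 && survived;
}

int main(int argc, char *argv[])
{
    if (argc < 2) { fprintf(stderr, "usage: %s command [args...]\n", argv[0]); return 2; }
    struct trace_result r;
    if (trace_command(argv + 1, &r, 1) == -1) { perror("trace"); return 1; }
    fprintf(stderr, "%ld syscalls, %ld blocked, exit status %d\n",
            r.syscalls, r.blocked, r.exit_status);
    return r.exit_status;
}
```

Build with `cc -o tracer tracer.c` and run e.g. `./tracer rm -f somefile`: each syscall is printed with its arguments and result, the unlinkat shows up marked [blocked], and rm reports "Operation not permitted" while the file stays put. Two caveats worth knowing before using this as an evaluation harness: each syscall costs two round trips to the tracer, so the traced program runs markedly slower; and the decision is taken on the register values at entry, while pointer arguments (the path here) live in the tracee's memory and can be changed by another thread between your check and the kernel reading them, which is why ptrace on its own makes a weak sandbox. A process also has at most one tracer, so this cannot be stacked under strace or a debugger.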

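The library-level interception that sotruss and apptrace do with interceptor objects has a portable userspace cousin on Linux and the BSDs: a preloaded shared object that exports the same symbol as libc and forwards to the real function found with dlsym(RTLD_NEXT). The following is an added example, not code from this thread or from Sun's tools; the "no writes under /etc" policy, the counters and the demo_interposed_fopen() self-check are made up for illustration.

```c
/* Added example (not from this thread): an LD_PRELOAD-style interposer for
 * fopen(3) that logs every call and refuses write modes under /etc/. The
 * policy and the counters are made up for illustration. Built as a shared
 * object and preloaded, it sees the application's and other libraries'
 * fopen calls without touching the kernel or the program. */
#define _GNU_SOURCE
#include <dlfcn.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>

#ifndef RTLD_NEXT                 /* glibc's value, in case _GNU_SOURCE came too late */
#define RTLD_NEXT ((void *)-1l)
#endif

static long g_calls = 0, g_denied = 0;

/* Hypothetical policy: no write, append or update modes on anything under /etc/. */
static int policy_denies(const char *path, const char *mode)
{
    return strncmp(path, "/etc/", 5) == 0 && strpbrk(mode, "wa+") != NULL;
}

/* Same signature as libc's fopen. The real one is found with RTLD_NEXT, i.e.
 * the next object after ours in the link map, so we do not call ourselves. */
FILE *fopen(const char *path, const char *mode)
{
    static FILE *(*real_fopen)(const char *, const char *) = NULL;
    if (!real_fopen)
        *(void **)&real_fopen = dlsym(RTLD_NEXT, "fopen");
    g_calls++;
    fprintf(stderr, "[interpose] fopen(\"%s\", \"%s\")", path, mode);
    if (policy_denies(path, mode)) {
        g_denied++;
        fprintf(stderr, " -> denied\n");
        errno = EACCES;
        return NULL;
    }
    fprintf(stderr, "\n");
    return real_fopen(path, mode);
}

long interposer_calls(void)  { return g_calls; }
long interposer_denied(void) { return g_denied; }

/* Self-check usable from the same binary (symbols defined in the executable
 * win over libc's): a read of /etc/passwd passes through to the real fopen,
 * a write is refused by the policy. Returns 0 on success. */
int demo_interposed_fopen(void)
{
    FILE *ok = fopen("/etc/passwd", "r");
    if (!ok) return 1;
    fclose(ok);
    FILE *bad = fopen("/etc/passwd", "w");
    if (bad) { fclose(bad); return 2; }
    return errno == EACCES ? 0 : 3;
}
```

For real use build it as a shared object, `cc -shared -fPIC -o interpose.so interpose.c` (add `-ldl` on glibc older than 2.34), and run the program under evaluation with `LD_PRELOAD=./interpose.so ./program`; the exported fopen then takes precedence over libc's for every dynamically linked object in the process, which is the same application->library and library->library coverage Edsel describes for apptrace. What it cannot see: statically linked binaries, setuid programs (the loader ignores LD_PRELOAD for them), calls libc makes through its own internal aliases rather than the exported symbol, and anything that issues the syscall directly. For those you are back to truss, ktrace or ptrace().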