Vulnerability Development mailing list archives
Re: Capturing System Calls
From: edsel () ADAP ORG (Edsel Adap)
Date: Thu, 22 Jun 2000 16:41:32 -0400
On Thu, Jun 22, 2000 at 04:32:41PM -0400, Whyte, Jesse wrote:
You used to be able to do a limited set of this with sotruss...
Yes. apptrace supersedes sotruss. They are based on the same mechanism. sotruss was 'demo-ware' or proof of concept. apptrace pretty-prints the arguments to the functions. And on the subject of changing the behavior of function calls, apptrace uses what are called interceptor objects. By replacing those, one can use apptrace to catch function calls and make them do whatever one wants.
-----Original Message-----
From: Edsel Adap [mailto:edsel () ADAP ORG]
Sent: Thursday, June 22, 2000 2:33 PM
To: VULN-DEV () SECURITYFOCUS COM
Subject: Re: Capturing System Calls

On Solaris 8, there is a new command called apptrace, which allows you to watch calls to libraries. It can watch application->library calls and library->library calls.

On Thu, Jun 22, 2000 at 10:27:34AM -0700, Oliver Friedrichs wrote:

If you only want to see what a program is doing, use 'truss' on solaris, 'ktrace' on bsd.

DESCRIPTION
     The truss utility executes the specified command and produces a trace of the system calls it performs, the signals it receives, and the machine faults it incurs. Each line of the trace output reports either the fault or signal name or the system call name with its arguments and return value(s). System call arguments are displayed symbolically when possi-

If you want to interactively trace the process, use the 'ptrace()' system call.

- Oliver

-----Original Message-----
From: Green Charles Contr AFRL/IFGB [mailto:Charles.Green () RL AF MIL]
Sent: Thursday, June 22, 2000 9:23 AM
To: VULN-DEV () SECURITYFOCUS COM
Subject: Capturing System Calls

On UNIX Systems (FreeBSD, Linux, Solaris), is there a way to capture/modify system calls from an application without modifying the kernel (or using kernel modules) - preferably in userspace? The reason I ask is that a group of us are being asked to evaluate a piece of software for my company but they've put some heavy restrictions on how we do it. One of the restrictions is that we're not allowed to modify the kernel.

--
Edsel Adap edsel () adap org http://www.adap.org/~edsel/
LINUX - the choice of the GNU generation
"Netscape is an application which grows to fill all available memory." - me
--
Edsel Adap edsel () adap org http://www.adap.org/~edsel/
LINUX - the choice of the GNU generation
"Netscape is an application which grows to fill all available memory." - me
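The thread's userspace answers come in two flavours: truss/ktrace/ptrace() for actual system calls, and sotruss/apptrace-style interceptor objects for application->library calls. The following is an added example, not code from the thread or from apptrace, that shows the second mechanism in its simplest form on Linux/glibc: the program defines its own open(), which shadows the C library's open() for every call the program makes, logs the call (capture), refuses calls under a constructed prefix (modify), and otherwise forwards to the real implementation found with dlsym(RTLD_NEXT, ...). The prefix /constructed/secret/, the counters and the probe_* functions are inventions for the demo; a real interceptor would be compiled as a shared object and loaded with LD_PRELOAD rather than linked into the traced program.

```c
/* Added example, not from the thread. Userspace library-call interposition:
 * this file defines its own open(), which shadows the C library's open() for
 * calls made from this program, then forwards to the real one found with
 * dlsym(RTLD_NEXT, ...). Assumes Linux/glibc; a production interceptor would
 * be built as a shared object and loaded with LD_PRELOAD instead. */
#undef _FORTIFY_SOURCE        /* glibc's fortified inline open() would clash with ours */
#define _GNU_SOURCE           /* exposes RTLD_NEXT in <dlfcn.h> */
#include <dlfcn.h>
#include <errno.h>
#include <fcntl.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#ifndef RTLD_NEXT
#define RTLD_NEXT ((void *) -1l)   /* value used by glibc and musl */
#endif

typedef int (*open_fn)(const char *path, int flags, ...);

/* Constructed policy for the demo: refuse every open() under this prefix. */
static const char DENIED_PREFIX[] = "/constructed/secret/";

static unsigned long calls_seen = 0;    /* capture: open() calls that passed through us */
static unsigned long calls_denied = 0;  /* modify: calls we refused instead of forwarding */

unsigned long intercepted_open_calls(void) { return calls_seen; }
unsigned long denied_open_calls(void)      { return calls_denied; }

/* The interceptor. Same signature as the libc wrapper; the third argument
 * (mode) is only present when the caller passes O_CREAT. */
int open(const char *path, int flags, ...)
{
    mode_t mode = 0;
    if (flags & O_CREAT) {
        va_list ap;
        va_start(ap, flags);
        mode = (mode_t) va_arg(ap, int);
        va_end(ap);
    }

    calls_seen++;
    fprintf(stderr, "[intercept] open(\"%s\", 0x%x)\n", path, flags);

    if (strncmp(path, DENIED_PREFIX, sizeof DENIED_PREFIX - 1) == 0) {
        calls_denied++;
        errno = EACCES;    /* report it to the caller as a permission failure */
        return -1;
    }

    /* Look up the next definition of "open" after this object: libc's. */
    open_fn real_open;
    *(void **) &real_open = dlsym(RTLD_NEXT, "open");
    if (real_open == NULL) {
        errno = ENOSYS;
        return -1;
    }
    return real_open(path, flags, mode);
}

/* Probes from the "application" side, so the effect can be checked. */
int probe_denied(void)    /* errno after an open() the policy refuses */
{
    int fd = open("/constructed/secret/key.pem", O_RDONLY);
    return fd == -1 ? errno : 0;
}

int probe_allowed(void)   /* fd (>= 0) from an open() forwarded to libc */
{
    int fd = open("/dev/null", O_RDONLY);
    if (fd >= 0)
        close(fd);
    return fd;
}

int main(void)
{
    printf("denied errno=%d (EACCES=%d)\n", probe_denied(), EACCES);
    printf("allowed fd=%d\n", probe_allowed());
    printf("seen=%lu denied=%lu\n", intercepted_open_calls(), denied_open_calls());
    return 0;
}
```

The limitation is the same one the thread implies when it points at truss and ptrace() for the general case: interposition only sees calls that go through the library's exported symbols, so a program that issues system calls directly, or calls that libc makes through its own internal aliases, never reach the interceptor. It is a cheap way to watch and constrain a cooperative binary without touching the kernel, not a security boundary against one that tries to avoid it.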
Current thread:
- Re: Capturing System Calls Oliver Friedrichs (Jun 22)
- Re: Capturing System Calls Jason Legate (Jun 22)
- Re: Capturing System Calls Edsel Adap (Jun 22)
- <Possible follow-ups>
- Re: Capturing System Calls Robert G. Ferrell (Jun 22)
- Re: Capturing System Calls Everhart, Glenn (FUSA) (Jun 22)
- Re: Capturing System Calls Badger, Lee (Jun 22)
- Re: Capturing System Calls Badger, Lee (Jun 22)
- Re: Capturing System Calls Whyte, Jesse (Jun 22)
- Re: Capturing System Calls Edsel Adap (Jun 22)
- Re: Capturing System Calls Green Charles Contr AFRL/IFGB (Jun 22)
- Re: Capturing System Calls Todd Garrison (Jun 22)
- Re: Capturing System Calls Jason Legate (Jun 23)
- Re: Capturing System Calls TeeSPy (Jun 23)
- Re: Capturing System Calls Job de Haas (Jun 23)
- Re: Capturing System Calls Todd Garrison (Jun 22)
- Re: Capturing System Calls Marcy Abene (Jun 22)
- Re: Capturing System Calls Green Charles Contr AFRL/IFGB (Jun 22)
- Re: Capturing System Calls Joel Eriksson (Jun 23)
- Re: Capturing System Calls Darren Moffat - Solaris Sustaining Engineering (Jun 23)