Minimal overhead way of intercepting system calls without modifying the kernel

 

Methods of which I'm aware of intercepting system calls are the following.

  • Using ptrace, but this seems to have a high overhead. According to my knowledge, tools like strace also use ptrace internally.
  • Using a kernel module to change the system call table, but according to my knowledge, this method is no more possible in later linux kernels.
  • Using LD_PRELOAD. But this won't work if for example you directly make a system call without using some wrapper library function for that system call.

    • So you see all the above mentioned methods have flaws. So my question is what is the way to intercept system calls without modifying the kernel and with minimal overhead.

    If you can't modify the kernel, you must modify the application. You need to somehow intercept the int / syscall / sysenter instructions, either by setting a break point there (if you can handle them within the application in Linux; you can in Windows by using SEH/VEH) or by hooking the instruction in a more intrusive way (changing it to jmp to the code that would get save the system call number and parameters, perform the original int / syscall / sysenter and jmp back).

    EDIT : Oh, I've forgot to add that finding those instructions can be a challenge. You may be unable to correctly identify them in the compiled binary. You can miss some (especially those created at run time) and you can take some other instructions for int / syscall / sysenter (if your code analysis isn't perfect). OTOH, finding them at run time (by analyzing individual instructions (or blocks of them) prior to executing/emulating them) is going to incur a performance hit.

    In any event, most likely the performance issues are directly related to the number of system calls being made and to the amount of logged/traced information. If you cut that down (ie select only the interesting system calls and parameters) and/or collect only the information about, say, the last 10000 system calls and keep the data in memory and save it to a file just once (at the end of the app), you'll have much better performance.

    Look at using a dynamic instrumentation framework eg DTrace or SystemTap. One or both should be available for your platform.

    Pintool might also help; it's available for Linux too.

    链接地址: http://www.djcxy.com/p/66368.html

    上一篇: 用ptrace()取消系统调用

    下一篇: 在不修改内核的情况下拦截系统调用的最小开销方式