Intercepting syscalls is very easy. In my mind, what you should do is
write a KLD that creates a syscall that mimicks the actions of what
syscall you are going to hijack. Your new syscall will only look at the
struct ##syscall_args *uap pointer [kernel land argument to syscall] and
modify it. After modifying, all you'll have to do is just call the old
syscall. In generic terms, here's what i did for hijacking open(2):
static int
open_wrap(struct proc *p, struct open_args *uap)
{
/* mess with what's getting pased */
ret = open(p, uap); /* call real open */
return(ret);
}
statitc struct sysent open_wrap_s = {
3,/* # of argumentsbeing passed to it */
open_wrap /* func pointer to our syscall */
};
static int
load_handler(...)
{
...
MOD_LOAD:
...
sysent[SYS_open] = open_wrap_s;
MOD_UNLOAD
sysent[SYS_open].sy_call = (sy_call_t *)open; /* put back old */
}
Then, all you'ld have to do is load the kld and your calls would be
intercepted by the wrapping syscall.
For more details:
http://subterrain.net/~awr/KLD-Tutorial/
Introduction to writing KLDs & an examples tar.gz
http://thc.pimmel.com/files/thc/bsdkern.html
Good tutorial on more blackhat related things to do
with KLDs.
Hope this helps.
Andrew
On Sun, 3 Sep 2000, Pavlin Ivanov Radoslavov wrote:
>
> I need to write some code that will be like a wrapper
> for some user-level binaries and will intercept some system calls
> before and after each call, and eventually modify the arguments
> and/or the result.
>
> First I was looking at ptrace(3), but seems that the
> *BSD ptrace doesn't have the equivalent of PTRACE_SYSCALL.
>
> I tried to use the /proc file system, but I ran into a problem.
> By adapting the truss(1) code I could intercept
> a child process's system calls (before and after the syscall is
> completed).
> However, if I want to modify the return result for example by
> writing to the registers (using write() to "/proc/%d/regs"), I get
> error "Device busy".
> The procfs(5) man page says that I can write to the registers only
> if the child process is stopped, but seems like that
> successful "ioctl(PIOCWAIT)" before the writing to the registers is
> not enough.
> Playing with writing "attach", "wait", etc. to /proc/%d/ctl
> didn't help either.
>
> I did some search around to find sample code how to modify the
> intercepted syscalls behavior, but coudn't find any. Any suggestions
> or ideas?
>
> Thanks,
> Pavlin
>
> P.S. Tested OS version: FreeBSD-4.1 and 3.2
>
>
> To Unsubscribe: send mail to [EMAIL PROTECTED]
> with "unsubscribe freebsd-hackers" in the body of the message
>
To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-hackers" in the body of the message
