"Hiding" a system call from ltrace and strace
Is there a way to hide the system call from strace and the dynamic library call from ltrace? For example using system (<stdlib.h>).
In the last class of my software development course this semester, the instructor showed us that, in many parts of the shell project we were assigned, we could have eliminated the more complex fork, exec, readdir, stat, dup and pipe system calls that we were told to use by using the library function system instead.
The way system works, he said, is that you simply pass the command line you want to execute: system("cmd [flags] [args]; cmd && cmd"); and there you are.
We shouldn't have used this feature, but he said he didn't test our programs. One way to hide its use would be to hide it with macro definitions etc. However, ltrace can still track system when it is used via macros. I believe it even finds it when it is called from a separate program, such as execvp("./prgrm_with_system", ...).
My chance to use it is gone, but I'm really curious to know if there is a way to hide system from even ltrace.
system() does nothing of that kind of magic. It doesn't even do anything that smart (and using it is often a code smell). It is also not a system call in the sense that the term "syscall" refers to.
You can trivially create your own version of system() using the basic system calls fork() and execve(), and so work around detection by ltrace... but strace will still show those calls.
You can also get around ltrace with static linking, but since nothing that needs kernel help can be done without system calls, you can't do without them - so tools like strace, sysdig, truss, dtrace, and local equivalents cannot be avoided so easily (without exploiting security vulnerabilities in the OS or the tools themselves).
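To make the answer's point concrete, here is an added example (not code from the thread) of a minimal stand-in for system() built directly on fork, execve and waitpid; the function name run_command and the hard-coded /bin/sh path are assumptions. Because no libc function called system() is ever invoked, ltrace has nothing to report, but running the program under `strace -f` still shows the clone()/execve() that the kernel must perform, which is why syscall-level tracing is the reliable observation point.

```c
/* Added example, not from the original thread: a stand-in for system()
 * that uses only the fork/execve/waitpid system calls. Returns the
 * child's exit status, or -1 if the command could not be run or was
 * killed by a signal. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

int run_command(const char *cmd)
{
    /* Same argv shape glibc's system() uses: sh -c "cmd". */
    char *const argv[] = { "sh", "-c", (char *)cmd, NULL };
    char *const envp[] = { NULL };        /* empty environment, for determinism */

    pid_t pid = fork();                   /* strace shows this as clone() on Linux */
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve("/bin/sh", argv, envp);    /* strace shows this as execve() */
        _exit(127);                       /* execve only returns on failure */
    }

    int status;
    if (waitpid(pid, &status, 0) < 0)     /* strace shows this as wait4() */
        return -1;
    if (WIFEXITED(status))
        return WEXITSTATUS(status);
    return -1;                            /* child was terminated by a signal */
}

int main(void)
{
    int rc = run_command("echo hello from the child; exit 3");
    printf("child exit status: %d\n", rc);   /* prints 3 */
    return 0;
}
```

Compare `ltrace ./a.out` (no system() line appears) with `strace -f ./a.out` (clone, execve and wait4 are all logged).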