How can I monitor system calls in FreeBSD from source?

Question

How can I monitor system calls in FreeBSD from source?

How do I log system calls (syscall number and return value for int 0x80

and sysenter/syscall

) on FreeBSD 10.1 x86_64 from source?

I know I truss

can do the job, but I need to write other information like the buffer copyout

during every system call.

I tried to find the source code truss

but failed. Also I tried to trace them in amd64_syscall()

, but the result seems incomplete compared to the result truss

. Any idea on what features should I consider when implementing?

+3

system-calls freebsd

Windchaser June 13. 15 at 3:06

source to share

2 answers

Probably not exactly what you are looking for, but you can take a look at how the ktrace (1) / kdump (1) utilities work.

+2

Edward tomasz Napierala June 14. 15 at 21:33

source to share

employee of the month · Accepted Answer · 2015-06-13T07:24:23+0000

You have not specified why you need it. In particular, if you need it for security reasons, you are doing it wrong.

What do you mean that you have failed? The sources are here: http://bxr.su/FreeBSD/usr.bin/truss/

A common mechanism used by such tools is known as ptrace ( https://www.freebsd.org/cgi/man.cgi?query=ptrace ), and among other things, it allows monitored streams to be stopped as they execute syscalls.

It should be noted, however, that while such mechanisms allow all arguments to be copied, other threads may modify the memory pointed to by the above arguments after they have been copied, shortly before syscall does the same. You want to use MAC hooks if that worries you.

How can I monitor system calls in FreeBSD from source?

More articles: