Vulnerability Development mailing list archives

Re: Capturing System Calls


From: GlennEverhart () FIRSTUSA COM (Everhart, Glenn (FUSA))
Date: Thu, 22 Jun 2000 14:16:05 -0400


I'd have a look at some back issues of Phrack or on Packetstorm
for info on loadable kernel modules. Examples have been published
of how to use same to take over the upper half of kernel calls
in Linux and in Solaris. This seems the most sensible way to trap
calls, since one need not rebuild the kernel to do so. Sorry, I don't
have the exact ref off the top of my head. BTW there was info for
FreeBSD also.

-----Original Message-----
From: Jonathan Leto [mailto:jonathan () leto net]
Sent: Thursday, June 22, 2000 1:15 PM
To: VULN-DEV () SECURITYFOCUS COM
Subject: Re: Capturing System Calls

On Thu, Jun 22, 2000 at 12:23:27PM -0400, Green Charles Contr AFRL/IFGB wrote:
On UNIX systems (FreeBSD, Linux, Solaris), is there a way to capture/modify
system calls from an application without modifying the kernel (or using
kernel modules), preferably in userspace? The reason I ask is that a group
of us are being asked to evaluate a piece of software for my company, but
they've put some heavy restrictions on how we do it. One of the
restrictions is that we're not allowed to modify the kernel.

If you can't modify the kernel, then there is really no way to modify system
calls, but you can see what system calls are being executed with
strace/ktrace/truss. If you modify LD_PRELOAD and the application doesn't do
the proper security checks, you could modify library calls to libc or
something like that.

--
jonathan () leto net
"With pain comes clarity."
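Added example (not part of the thread above, and not code posted by any of its participants): the LD_PRELOAD approach Jonathan describes, written as a small C shared object that interposes libc's open(). It logs every open() the target program makes and, to show that the call can be modified and not only observed, refuses any open for writing outside an assumed sandbox directory, all without touching the kernel. The file name preload_open.c, the target program name and the /tmp/sandbox/ prefix are assumptions made for the example.

```c
/*
 * preload_open.c
 *
 * Added example, not from the thread: an LD_PRELOAD interposer for open(2)
 * that logs every open() the target makes and refuses opens for writing
 * outside an assumed sandbox directory, all in user space, no kernel changes.
 *
 * Build it as a shared object and preload it into the program under test
 * (./target-under-test and /tmp/sandbox/ are assumed names):
 *   cc -shared -fPIC -o preload_open.so preload_open.c -ldl
 *   LD_PRELOAD=$PWD/preload_open.so ./target-under-test
 *
 * Limits: ld.so ignores LD_PRELOAD for set-user-ID/set-group-ID programs,
 * statically linked programs never consult it, and code that reaches the
 * kernel via syscall(2) or glibc's internal entry points (fopen() does not
 * call the public open()) bypasses this wrapper.  Interpose open64() and
 * openat() the same way if the target uses them.
 */
#define _GNU_SOURCE            /* for RTLD_NEXT */
#undef _FORTIFY_SOURCE         /* fcntl.h's fortified inline open() would clash with ours */
#include <dlfcn.h>
#include <errno.h>
#include <fcntl.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#ifndef RTLD_NEXT
#define RTLD_NEXT ((void *)-1l) /* glibc/musl value, in case a header was read before _GNU_SOURCE */
#endif

#define SANDBOX "/tmp/sandbox/" /* assumed; the trailing slash stops "/tmp/sandbox-x" matching */

typedef int (*open_fn)(const char *, int, ...);
static open_fn real_open;                       /* libc's open(), resolved on first use */
static unsigned long opens_seen, opens_denied;  /* counters for the log lines */

/* Does this open() create, truncate or write to the file? */
int wants_write(int flags)
{
    return (flags & O_ACCMODE) != O_RDONLY || (flags & (O_CREAT | O_TRUNC)) != 0;
}

/* The policy decision, kept free of side effects so it can be unit tested:
 * 0 lets the call through, -1 denies it (the wrapper then sets EACCES). */
int preload_policy(const char *path, int flags)
{
    if (path == NULL)
        return 0;                       /* let libc produce the usual EFAULT */
    if (!wants_write(flags))
        return 0;                       /* reading anything is allowed */
    return strncmp(path, SANDBOX, strlen(SANDBOX)) == 0 ? 0 : -1;
}

/* Replacement for libc's open().  The preloaded object precedes libc in the
 * dynamic linker's symbol search order, so the target's open() calls bind here. */
int open(const char *path, int flags, ...)
{
    mode_t mode = 0;
    int needs_mode = (flags & O_CREAT) != 0;    /* the third argument exists only with O_CREAT */
#ifdef O_TMPFILE
    needs_mode = needs_mode || (flags & O_TMPFILE) == O_TMPFILE;   /* ...or O_TMPFILE on Linux */
#endif
    if (needs_mode) {
        va_list ap;
        va_start(ap, flags);
        mode = (mode_t)va_arg(ap, int);         /* mode_t is promoted to int through ... */
        va_end(ap);
    }

    opens_seen++;
    if (preload_policy(path, flags) != 0) {
        opens_denied++;
        fprintf(stderr, "[preload] DENY #%lu open(\"%s\", 0x%x)\n",
                opens_denied, path ? path : "(null)", flags);
        errno = EACCES;
        return -1;
    }
    fprintf(stderr, "[preload] #%lu open(\"%s\", 0x%x)\n",
            opens_seen, path ? path : "(null)", flags);

    if (real_open == NULL)          /* RTLD_NEXT: the next open() after ours, i.e. libc's */
        *(void **)(&real_open) = dlsym(RTLD_NEXT, "open");
    return real_open(path, flags, mode);
}
```

Preload it and watch stderr while the program runs. The policy function is deliberately separate from the wrapper so the decision logic can be tested without preloading anything; the wrapper itself only forwards to libc's open() through dlsym(RTLD_NEXT), which is the part that makes the original call still happen after the log line. The limits listed in the header comment are exactly where strace/ktrace/truss remain the only view when kernel changes are off the table.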


