Vulnerability Development mailing list archives

Re: Capturing System Calls


From: lcamtuf () DIONE IDS PL (Michal Zalewski)
Date: Thu, 22 Jun 2000 23:22:21 +0200


On Thu, 22 Jun 2000, Jonathan Leto wrote:

> If you can't modify the kernel, then there is really no way to modify
> system calls, but you can see what system calls are being executed
> with strace/ktrace/truss.

You can intercept / change behaviour of syscalls as well (of course, not
really, but by intercepting program execution and creating a layer between a
program and kernel). Only for debugging, of course, as there's no way to
change syscall handlers from unprivileged userspace level, nor to affect
privileged programs (e.g. setuids) launched from luserspace.

> If you modify LD_PRELOAD and the application doesn't do the proper
> security checks, you could modify library calls to libc or something
> like that.

library calls != system calls; consider statically linked applications.

_______________________________________________________
Michal Zalewski [lcamtuf () tpi pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=
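
Added example, not part of the original message: the "consider statically linked applications" point can be checked per binary, because LD_PRELOAD is processed by the dynamic linker, which the kernel only maps when the ELF image carries a PT_INTERP program header. The function names and the constructed sample images below are assumptions of this example, which handles little-endian ELF64 only.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PT_INTERP_CONST 3u   /* standard ELF p_type value for PT_INTERP */

/* Read an n-byte little-endian integer. */
static uint64_t le(const unsigned char *p, int n) {
    uint64_t v = 0;
    while (n--) v = (v << 8) | p[n];
    return v;
}

/* 1: image has PT_INTERP (the dynamic linker runs and handles LD_PRELOAD);
 * 0: no PT_INTERP (statically linked, a preloaded library is never loaded);
 * -1: not a parsable little-endian ELF64 image. */
int elf_has_interp(const unsigned char *b, size_t len) {
    if (len < 64 || memcmp(b, "\x7f" "ELF", 4) != 0) return -1;
    if (b[4] != 2 || b[5] != 1) return -1;       /* ELFCLASS64, ELFDATA2LSB */
    uint64_t phoff = le(b + 32, 8);              /* e_phoff */
    uint64_t phentsize = le(b + 54, 2);          /* e_phentsize */
    uint64_t phnum = le(b + 56, 2);              /* e_phnum */
    if (phentsize < 56 || phoff > len) return -1;
    if (phnum * phentsize > len - phoff) return -1;  /* table must fit */
    for (uint64_t i = 0; i < phnum; i++)
        if (le(b + phoff + i * phentsize, 4) == PT_INTERP_CONST) return 1;
    return 0;
}

/* Constructed sample: ELF64 header plus one program header of type ptype. */
int check_sample(uint32_t ptype) {
    unsigned char img[64 + 56] = {0x7f, 'E', 'L', 'F', 2, 1, 1};
    img[32] = 64;                    /* e_phoff: table right after header */
    img[54] = 56;                    /* e_phentsize */
    img[56] = 1;                     /* e_phnum */
    img[64] = (unsigned char)ptype;  /* p_type, low byte */
    return elf_has_interp(img, sizeof img);
}

int main(int argc, char **argv) {
    static unsigned char buf[1 << 20];
    if (argc > 1) {                  /* inspect the first 1 MiB of a file */
        FILE *f = fopen(argv[1], "rb");
        if (!f) { perror(argv[1]); return 2; }
        size_t n = fread(buf, 1, sizeof buf, f);
        fclose(f);
        printf("%s: %d\n", argv[1], elf_has_interp(buf, n));
        return 0;
    }
    printf("interp: %d, static: %d\n", check_sample(3), check_sample(1));
    return 0;
}
```

A result of 0 means syscall-level tracing (strace/ktrace/truss, as mentioned in the thread) is the only userspace view of that program's kernel interaction.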

