interceptor

Interceptor is a lib based on ptrace that intercepts and modifies Linux system calls. It currently only supports x86_64 architecture.

Usage

Write a function whose signature is same as a syscall, and mark it as #[syscall], and you are done.

#[syscall]
fn openat(dfd: i32, mut filename: *const c_char, flags: i32, mode: i32) -> i32 {
    // do something before syscall, logging, changing arguments, etc.

    let ret = real!(dfd, filename, flags, mode);

    // do something after syscall, modifing return value..
}

See more detail in examples

Extra Info

Memory in target

We use "LD_PRELOAD" trick to insert a so into target process to malloc extra memory needed when modified a pointer argument which has larger length.

Remove dependency libgcc_s.so.1

Some glibc released without libgcc_s.so.1, we removed this dependency using link script "linker_without_libgcc.wrap".

special handling of parameter "*const *const c_char"

This parameter is used in syscall like execve's const char *const argv[].

We treat *const *const c_char as *const c_char for convenience. That's say, original pointer to pointer has been converted to pointer's content after content. For example:

original

this ptr's address is inside target process, can not be used directly.

after converted

memory is reallocated in interceptor instance, so address changed.

usage

you can use helper function [read_ptr_to_ptr] to read content from converted ptr. and use [write_ptr_to_ptr] to write back.