Working under OS X Lion, I've done some work with code injection to interpose system calls on a process-by-process basis recently.

I've learned a lot along the way, and it now looks like it would make more sense, at least for research purposes, to "simply" interpose all calls to certain system functions, such as pwrite, if such a thing is possible.

Is it possible to get my code called instead of the OS for every call to certain system calls (e.g. pwrite) from every process?

And if so, can I know what process has made the call?

Edit: Lest anyone think I'm a malware author because of the nature of my question, I'll explain why I'm here now, asking what I'm asking:

I'm trying to get a big, complex piece of closed-source software working like it should. Why not wait for the vendor to fix it? Two years ago they started pointing fingers at another party, and that party pointed right back. The situation is preposterous, and it is worth trying to overcome without either party's assistance because this software gets used by film and video production people who charge hundreds of dollars an hour for their creatively- and technically-advanced efforts, and shouldn't be wasting their time wrestling their tools.

The problem with my efforts thus far is that I need to use code injection and interposing to find the source of the problem (this is what I referred to above as "research"). Once I find the source of the problem, the solution might also be injection and interposing, or replacement of a dynamic library, or some obscure low-level system tuning, or who knows what? The software I'm analyzing is sprawling, and it in turn leverages other frameworks, libraries and background tasks, some of which are part of OS X, and some of which are part of the software package in question. Code injection and interposing on a component-by-component basis has become a little crazy, which is why I'd like to spy on what's going on at the system call end of things, so I can see, for example, where all pwrite calls originate and the specifics of the calls.

I hope this clarification helps, and that someone can point me in the right direction. Thanks!

bland328
  • *[long sprawling discussion deleted]* – Robert Harvey Jul 31 '12 at 22:52
  • In response to your edit - this is a PUBLIC FORUM in which you are trying to drag skilled and experienced developers into giving advice on a subject that you acknowledge is already in dispute between two vendors. I don't want to go there, and neither should anyone else on SO. – Martin James Jul 31 '12 at 22:53
  • @MartinJames: Sadly, it appears that while Windows is very receptive to stacks of filter drivers _(as utilized by many virus scanners)_, OS X doesn't support the concept. – bland328 Jul 31 '12 at 22:54

1 Answer

You should look at DTrace: http://en.wikipedia.org/wiki/DTrace It's part of OS X now. For interposing, I think there are several approaches, many of which will probably be thwarted by Gatekeeper/Code Signing. If that's not a worry, you might be able to use otool to edit the app linkage to have it load modified versions of its libraries. For code injection, I believe people have hacked this in the past with Input Components... but I really don't know if that still works. Not really an answer I guess.

nielsbot
  • Thanks very much for the advice on DTrace. I got some very decent results with it many weeks ago, but eventually stopped using it because of the limitations of the D language, particularly in the area of flow control. Given how few options I'm down to now, I appreciate the reminder, and think I'll give it another try. – bland328 Jul 31 '12 at 23:23
  • Also, for the record, the [Inject and Interpose](https://github.com/comex/inject_and_interpose) project is very useful for tidy injection and interposing! – bland328 Jul 31 '12 at 23:29
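To make the DTrace suggestion in this answer concrete, here is an added D script (not code from the original question, the answer, or the Inject and Interpose project) that does what the question asks for with observation rather than interposition: it fires on every pwrite(2) from every process on the system, names the calling process, prints the call's arguments and user stack, and totals calls and bytes per process on exit. The file name `pwrite_trace.d` and the optional program-name argument (`$$1`) are my own choices; the probe names and built-in variables (`pid`, `execname`, `errno`, `ustack`) are standard DTrace.

```d
#!/usr/sbin/dtrace -s
/*
 * pwrite_trace.d -- constructed example, not code from the original post.
 * Traces every pwrite(2) made by any process, attributes each call to the
 * process that made it, and totals calls and bytes per process on exit.
 *
 * Run as root:                        sudo dtrace -s pwrite_trace.d
 * Restrict to one program by name:    sudo dtrace -s pwrite_trace.d Finder
 */
#pragma D option quiet
#pragma D option defaultargs   /* $$1 evaluates to "" when no argument is given */

dtrace:::BEGIN
{
	printf("%-6s %-20s %4s %12s %8s\n", "PID", "EXEC", "FD", "OFFSET", "NBYTES");
}

/*
 * The syscall provider's entry probe fires in the context of the calling
 * process, so pid and execname identify the caller.  For
 * pwrite(fd, buf, nbyte, offset) the arguments arrive as arg0..arg3.
 * The glob also matches pwrite_nocancel, the variant libSystem uses from
 * non-cancellable code paths, so those calls are not missed.
 */
syscall::pwrite*:entry
/ $$1 == "" || execname == $$1 /
{
	self->tracing = 1;
	printf("%-6d %-20s %4d %12d %8d\n", pid, execname, arg0, arg3, arg2);
	@calls[execname, pid] = count();
	@bytes[execname, pid] = sum(arg2);
}

/* On return, arg0 is the syscall's return value; -1 means failure and errno is set. */
syscall::pwrite*:return
/ self->tracing && (int)arg0 == -1 /
{
	printf("  -> failed in %s[%d]: errno=%d\n", execname, pid, errno);
}

/* Show where the call originated inside the process: five user-space frames. */
syscall::pwrite*:return
/ self->tracing /
{
	ustack(5);
	self->tracing = 0;
}

dtrace:::END
{
	printf("\npwrite calls and bytes per process:\n");
	printa("%-20s pid %-6d %@d calls\n", @calls);
	printa("%-20s pid %-6d %@d bytes\n", @bytes);
}
```

Stop the script with Ctrl-C to get the per-process totals from the `END` clause. Because the `syscall` provider observes the kernel entry point, this sees pwrite calls from every process regardless of how each one was linked or signed, which is what makes it a useful first pass before deciding where (or whether) per-process interposition is needed. This works as written on OS X 10.7, the version in the question; on 10.11 and later, System Integrity Protection blocks the `syscall` provider unless its dtrace restriction has been disabled.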