
How to log system calls (the syscall number and the return value, for both int 0x80 and sysenter/syscall) on FreeBSD 10.1 x86_64 from source code?

I know truss can do the work, but I need to log other information like the buffer of copyout during each system call.

I tried to locate the source code of truss, but failed. Also I tried to trace them in amd64_syscall(), but the result seems to be incomplete compared to the result of truss. Any idea which functions I should care about in the implementation?


2 Answers


You have not specified why you need any of this. In particular, if you need this for security purposes, you are doing it wrong.

What do you mean you failed? Sources are here: http://bxr.su/FreeBSD/usr.bin/truss/

The general mechanism used by tools like this is known as ptrace (https://www.freebsd.org/cgi/man.cgi?query=ptrace), and amongst other things it allows stopping traced threads as they execute syscalls.

However, one has to note that while such mechanisms allow you to copy all arguments, other threads can change memory pointed to by aforementioned args after you copy them, just before the syscall does the same. You want to use MAC hooks if this is of any concern to you.

  • Not for security purposes. As in the source code, `truss` is implemented by using `ptrace()`, right? What does "just before the syscall does the same" mean? – WindChaser Jun 13 '15 at 20:49

Probably not exactly what you're looking for, but you might want to take a look at how ktrace(1)/kdump(1) utilities work.

  • I discovered that there are two return values for syscalls, `td_retval[0]` and `td_retval[1]`. Usually only the `td_retval[0]` is used, or both of them? – WindChaser Jun 14 '15 at 21:35
  • There are two return values for things like fork(2), where a different value is returned for the parent and the child. In more usual syscalls the return value is in td_retval[0]. – Edward Tomasz Napierala Jun 14 '15 at 21:37
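As an added example (not truss's code and not from either answer), a minimal FreeBSD/amd64 syscall logger built on the ptrace mechanism from the first answer: it stops the child at each syscall entry and exit with PT_TO_SCE/PT_TO_SCX, reads the syscall number from rax at entry, and at exit decodes rax, rdx and the carry flag the way the amd64 ABI hands back td_retval[0], td_retval[1] and the error indication discussed in the comments above. The names `sc_result`, `decode_retval` and `trace_child` are chosen here; the tracer portion compiles only on FreeBSD, while the register decoder is portable.

```c
/* Added example, not truss's code: minimal ptrace(2) syscall logger, FreeBSD/amd64. */
#include <sys/types.h>
#include <sys/wait.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>

/* amd64 return ABI: rax = td_retval[0], rdx = td_retval[1]; if the carry
 * flag (bit 0 of rflags, PSL_C) is set, rax holds an errno instead. */
struct sc_result { int is_error; long val0, val1; };

struct sc_result decode_retval(uint64_t rax, uint64_t rdx, uint64_t rflags)
{
    return (struct sc_result){ (rflags & 1) != 0, (long)rax, (long)rdx };
}
#ifdef __FreeBSD__   /* the tracer itself needs FreeBSD's ptrace requests */
#include <sys/ptrace.h>
#include <machine/reg.h>

/* Exec argv[] under the tracer and log every syscall number and result. */
int trace_child(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                    /* child: request tracing, then exec */
        ptrace(PT_TRACE_ME, 0, NULL, 0);
        execvp(argv[0], argv);
        _exit(127);
    }
    int status;
    struct reg regs;
    waitpid(pid, &status, 0);          /* traced child stops after exec */
    while (WIFSTOPPED(status)) {
        ptrace(PT_TO_SCE, pid, (caddr_t)1, 0);   /* run to next syscall entry */
        if (waitpid(pid, &status, 0) < 0 || !WIFSTOPPED(status)) break;
        ptrace(PT_GETREGS, pid, (caddr_t)&regs, 0);
        long num = regs.r_rax;         /* number at entry; indirect SYS_syscall uses rdi */
        ptrace(PT_TO_SCX, pid, (caddr_t)1, 0);   /* run to syscall exit */
        if (waitpid(pid, &status, 0) < 0 || !WIFSTOPPED(status)) break;
        ptrace(PT_GETREGS, pid, (caddr_t)&regs, 0);
        struct sc_result r = decode_retval(regs.r_rax, regs.r_rdx, regs.r_rflags);
        if (r.is_error) printf("syscall %ld -> errno %ld\n", num, r.val0);
        else printf("syscall %ld -> %ld (retval[1]=%ld)\n", num, r.val0, r.val1);
    }
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
int main(int argc, char *argv[]) { return argc < 2 ? 1 : trace_child(argv + 1); }
#endif
```

Build on FreeBSD and run as `./tracer /bin/ls`; signals that stop the child are simply discarded here, which truss handles more carefully.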