#syscalls #userspace #intercept #intercepting

libsyscall-intercept

Userspace syscall intercepting library

3 releases

0.1.2 Jul 23, 2023
0.1.1 Jul 23, 2023
0.1.0 Jul 22, 2023


MIT license

475KB
11K SLoC

C 5.5K SLoC // 0.3% comments
GNU Style Assembly 3.5K SLoC // 0.1% comments
Perl 1K SLoC // 0.2% comments
Shell 491 SLoC // 0.6% comments
RPM Specfile 68 SLoC
Rust 39 SLoC // 0.3% comments
C++ 7 SLoC // 0.8% comments

syscall-intercept-rs

Requirements

Install the dependencies on Ubuntu:

sudo apt install cmake libcapstone-dev

The syscall_intercept library is also required:

https://github.com/pmem/syscall_intercept

Add the following lines to your Cargo.toml:

[dependencies]
libsyscall-intercept = "0.1.1"

Usage

In your crate's lib.rs:

use std::cell::Cell;
#[macro_use]
extern crate ctor;
use libsyscall_intercept::{set_hook_fn,InterceptResult};


#[ctor]
fn init_preload() {
    unsafe { set_hook_fn(hook) };
}

extern "C" fn hook(
    num: i64,
    _a0: i64,
    _a1: i64,
    _a2: i64,
    _a3: i64,
    _a4: i64,
    _a5: i64,
    result: *mut i64,
) -> i32 {
    // detect and avoid recursive interception
    let _guard = match InterceptGuard::try_lock() {
        Some(g) => g,
        None => return InterceptResult::Forward as i32,
    };
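    // Make directory listing fail: report ENOTSUP for getdents/getdents64.
    if num == libc::SYS_getdents64 || num == libc::SYS_getdents {
        unsafe {
            // Raw syscall convention: the result is a negative errno value.
            *result = -libc::ENOTSUP as i64;
        }
        // Tell the library the call was handled; it is not passed to the kernel.
        return InterceptResult::Hook as i32;
    }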
    InterceptResult::Forward as i32
}

thread_local! {
    static INTERCEPTED: Cell<bool> = Cell::new(false);
}

struct InterceptGuard;

impl InterceptGuard {
    fn try_lock() -> Option<Self> {
        INTERCEPTED.with(|x| {
            if x.get() {
                None
            } else {
                x.set(true);
                Some(InterceptGuard)
            }
        })
    }
}

impl Drop for InterceptGuard {
    fn drop(&mut self) {
        INTERCEPTED.with(|x| x.set(false));
    }
}

The Cargo.toml for this library:

[package]
name = "my-lib-test"
version = "0.1.0"
edition = "2021"

# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html


[dependencies]
ctor = "0.2.0"
libc = "0.2"
libsyscall-intercept = "0.1.1"


[lib]
name = "rintercept"
crate-type = ["dylib"]

Then build the library and preload it into a command:

cargo build
LD_PRELOAD=./target/debug/librintercept.so ls

ls then fails, reporting that the operation is not supported.
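The recursion guard in the hook above decides what happens when the hook's own work issues a syscall. The following is an added example, not code from the crate: it reproduces the same decision logic as a safe, std-only function so it can be run without LD_PRELOAD. The constants, decide() and demo() are hypothetical stand-ins; the numeric values assume x86_64 Linux and the upstream syscall_intercept convention that a hook returns 0 when it handled the call.

```rust
use std::cell::Cell;

// Stand-ins (assumptions) so this builds without libc or the crate: x86_64 Linux
// numbers, and upstream syscall_intercept's "return 0 when handled" convention.
const SYS_GETDENTS: i64 = 78;
const SYS_GETDENTS64: i64 = 217;
const ENOTSUP: i64 = 95;
const HOOK: i32 = 0; // result filled in, kernel is skipped
const FORWARD: i32 = 1; // kernel executes the syscall

thread_local! { static INTERCEPTED: Cell<bool> = Cell::new(false); }

struct InterceptGuard;

impl InterceptGuard {
    fn try_lock() -> Option<Self> {
        INTERCEPTED.with(|x| if x.replace(true) { None } else { Some(InterceptGuard) })
    }
}

impl Drop for InterceptGuard {
    fn drop(&mut self) { INTERCEPTED.with(|x| x.set(false)); }
}

/// Same decision as the hook above. `nested` stands in for work done inside the
/// hook that itself issues syscalls (logging, allocation); the guard is held.
fn decide(num: i64, result: &mut i64, nested: impl FnOnce()) -> i32 {
    let _guard = match InterceptGuard::try_lock() {
        Some(g) => g,
        None => return FORWARD, // re-entered on this thread: fail open
    };
    nested();
    if num == SYS_GETDENTS || num == SYS_GETDENTS64 {
        *result = -ENOTSUP; // raw syscall convention: negative errno
        return HOOK;
    }
    FORWARD
}

/// Returns (outer decision, outer result, nested decision, nested result).
fn demo() -> (i32, i64, i32, i64) {
    let (mut outer_res, mut inner_res, mut inner) = (0i64, 0i64, HOOK);
    let outer = decide(SYS_GETDENTS64, &mut outer_res, || {
        inner = decide(SYS_GETDENTS64, &mut inner_res, || {});
    });
    (outer, outer_res, inner, inner_res)
}

fn main() { println!("{:?}", demo()); }
```

The nested getdents64 is forwarded untouched, so any syscall made from inside the hook is exempt from the hook's own policy. The flag is thread-local, so a hook running on one thread does not cause calls on other threads to be forwarded.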

Dependencies

~0–2.2MB
~44K SLoC