#syscalls #interception #api-bindings

syscall-intercept

Userspace syscall intercepting library

1 unstable release

0.1.0 Jun 23, 2022


MIT license

475KB
11K SLoC

C 5.5K SLoC // 0.3% comments
GNU Style Assembly 3.5K SLoC // 0.1% comments
Perl 1K SLoC // 0.2% comments
Shell 491 SLoC // 0.6% comments
RPM Specfile 68 SLoC
Rust 32 SLoC
C++ 7 SLoC // 0.8% comments

syscall-intercept-rs


A Rust wrapper of pmem/syscall_intercept, a system call intercepting library on x86_64 Linux.

Usage

Install dependencies:

sudo apt install cmake libcapstone-dev

Add the following lines to your Cargo.toml:

[dependencies]
syscall-intercept = "0.1"

Define your syscall hook function:

use syscall_intercept::*;

extern "C" fn hook(
    num: isize,
    a0: isize,
    a1: isize,
    a2: isize,
    a3: isize,
    a4: isize,
    a5: isize,
    result: &mut isize,
) -> InterceptResult {
    ...
}

Enable or disable interception:

unsafe { set_hook_fn(hook) };
unsafe { unset_hook_fn() };

Issue syscall without being intercepted:

let ret = unsafe { syscall_no_intercept(libc::SYS_exit as _, 0) };
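
A hook body written out for one policy, as an added example that is not part of the crate's README: it refuses write-mode open/openat calls under a protected prefix and forwards everything else. The local InterceptResult enum is a stand-in so the file compiles without the crate (its variant names are assumptions; the 0 / non-zero meaning follows the underlying C library's callback contract), and the syscall numbers, flag values and the /etc/ prefix are x86_64 Linux constants and a hypothetical policy chosen for illustration.

```rust
use std::ffi::CStr;
use std::os::raw::c_char;

// Stand-in for the crate's `InterceptResult` so this file compiles alone.
// Variant names are assumptions; discriminants follow the C library's
// contract: 0 = hook handled the call, non-zero = run the original syscall.
#[repr(i32)]
#[derive(Debug, PartialEq)]
pub enum InterceptResult { Hook = 0, Forward = 1 }

// x86_64 Linux values, written out to avoid depending on the `libc` crate.
const SYS_OPEN: isize = 2;
const SYS_OPENAT: isize = 257;
const O_ACCMODE: isize = 0o3; // O_RDONLY is 0
const O_CREAT: isize = 0o100;
const O_TRUNC: isize = 0o1000;
const EACCES: isize = 13;
const PROTECTED_PREFIX: &[u8] = b"/etc/"; // hypothetical policy

/// Same signature as the hook shown on this page.
pub extern "C" fn hook(
    num: isize, a0: isize, a1: isize, a2: isize,
    _a3: isize, _a4: isize, _a5: isize,
    result: &mut isize,
) -> InterceptResult {
    // open(path, flags, ..) versus openat(dirfd, path, flags, ..)
    let (path_ptr, flags) = match num {
        SYS_OPEN => (a0, a1),
        SYS_OPENAT => (a1, a2),
        _ => return InterceptResult::Forward,
    };
    if path_ptr == 0 { return InterceptResult::Forward; } // kernel reports EFAULT
    // The syscall ABI passes the path as a pointer to a NUL-terminated string.
    let path = unsafe { CStr::from_ptr(path_ptr as *const c_char) }.to_bytes();
    let writes = (flags & O_ACCMODE) != 0 || (flags & (O_CREAT | O_TRUNC)) != 0;
    if writes && path.starts_with(PROTECTED_PREFIX) {
        *result = -EACCES; // raw syscall convention: negative errno
        return InterceptResult::Hook;
    }
    InterceptResult::Forward
}

fn main() {
    let p = std::ffi::CString::new("/etc/passwd").unwrap(); // constructed input
    let mut r = 0;
    let verdict = hook(SYS_OPENAT, -100, p.as_ptr() as isize, 0o1, 0, 0, 0, &mut r);
    println!("{:?} result={}", verdict, r);
}
```

The prefix test works on the raw argument string, so relative paths resolved through dirfd and symlinks that point into the protected tree are not covered. The underlying library patches syscalls made from libc, so code that issues syscalls by other means is not seen by the hook.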

License

MIT License

No runtime deps