Working under OS X Lion, I've done some work with code injection to interpose system calls on a process-by-process basis recently.
I've learned a lot along the way, and it now looks like it would make more sense, at least for research purposes, to "simply" interpose all calls to certain system functions, such as pwrite
, if such a thing is possible.
Is it possible to get my code called instead of the OS for every call to certain system calls (e.g. pwrite
) from every process?
And if so, can I know what process has made the call?
Edit: Lest anyone think I'm a malware author because of the nature of my question, I'll explain why I'm here now, asking what I'm asking:
I'm trying to get a big, complex piece of closed-source software working like it should. Why not wait for the vendor to fix it? Two years ago they starting pointing fingers at another party, and that party pointed right back. The situation is preposterous, and it is worth trying to overcome without either party's assistance because this software gets used by film and video production people who charge hundreds of dollars an hour for their creatively- and technically-advanced efforts, and shouldn't be wasting their time wrestling their tools.
The problem with my efforts thus far are that I need to use code injection and interposing to find the source of the problem (this is what I referred to above as "research"). Once I find the source of the problem, the solution might also be injection and interposing, or replacement of a dynamic library, or some obscure low-level system tuning, or who knows what? The software I'm analyzing is sprawling, and it in turn leverages other frameworks, libraries and background tasks, some of which is part of OS X, and some of which is part of the software package in question. Code injection and interposing on a component-by-component basis has become a little crazy, which is why I'd like to spy on what's going on at the system call end of things, so I can see, for example, where all pwrite
calls originate and the specifics of the calls.
I hope this clarification helps, and that someone can point me in the right direction. Thanks!
You should look at DTrace: http://en.wikipedia.org/wiki/DTrace It's part of OS X now. For interposing, I think there are several approaches, many of which will probably be twarted by Gatekeeper/Code Signing. If that's not a worry, you might be able to use otool to edit the app linkage to have it load modified versions of it's libraries. For code injection, I believe people have hacked this in the past with Input Components... but I really don't know if that still works. Not really an answer I guess.