I'm trying to intercept all "syscall"s for my code. I'm able to receive the calls, but for some reason my implementation of syscall is not equivalent, because at some point the program crashes if I activate the replacement, while it works without the replacement.
The reason why I'm doing this is to understand better which calls in my program (and its dependencies) use which syscalls. I know I could use things like ptrace, etc. but now for me it's really more about understanding why this does not work. This is running on arm64 linux.
Here is my syscall replacement implementation:

```c
#define _GNU_SOURCE          /* needed for RTLD_NEXT */
#include <dlfcn.h>
#include <stdarg.h>
#include <stdio.h>

long syscall(long number, ...)
{
    printf("Intercepted syscall: %ld\n", number);
    va_list original_args;
    va_start(original_args, number);
    long (*original_syscall)(long number, ...) = NULL;
    original_syscall = (long (*)(long, ...))dlsym(RTLD_NEXT, "syscall");
    /* the va_list itself is handed over as a single argument */
    long result = original_syscall(number, original_args);
    va_end(original_args);
    return result;
}
```
Here are the logs:
Intercepted syscall: 178
Intercepted syscall: 178
Intercepted syscall: 178
Intercepted syscall: 178
Intercepted syscall: 178
Intercepted syscall: 57
Fatal signal 6 (SIGABRT), code -1 (SI_QUEUE) in tid 3606 (Thread-2)
What you want to do is not very easy to do in C. You would have to manually parse the argument list (because there is no standard way to redirect a `va_list` to a variadic function). It is probably easier to use assembly (not tested):
The idea being that you leave the argument list intact (preserving all possible register arguments `x0`-`x7`) and simply jump to the original system call function (via `br`). Since the return address is already in `x30`, the function will return to our caller and not to us. This is an optimization that compilers already apply to wrappers, but unfortunately there's no way to forward the varargs list to another variadic function in C.

As @stark mentioned, the `printf` may perform a `write`, which can lead to infinite recursion (especially because `stdout` is line-buffered and the `\n` flushes it). The only real "safe" place where you can attempt to log your data is memory (and try to write it later), but that brings a whole lot of headaches by itself so I wouldn't recommend it.
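As an added illustration of the answer's two points (unpacking the argument list by hand instead of passing the `va_list`, and keeping the hook away from stdio by logging to memory), not code from the question or the answer: a C interposer that reads the six possible Linux syscall arguments out of the `va_list`, forwards them with fixed arity to libc's `syscall` found via `dlsym(RTLD_NEXT, ...)`, and records the intercepted numbers in a buffer. It assumes a glibc or musl Linux host; `pipe_roundtrip` and `last_intercepted` are helper names of my own for checking that the forwarded arguments arrive intact.

```c
#define _GNU_SOURCE               /* for RTLD_NEXT (fallback below if a header came first) */
#include <dlfcn.h>
#include <stdarg.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>
#ifndef RTLD_NEXT
#define RTLD_NEXT ((void *)-1L)   /* value used by glibc and musl */
#endif
/* In-memory log of intercepted numbers: the hook never touches stdio or write(). */
#define LOG_CAP 256
static long log_nr[LOG_CAP];
static int log_len;

long syscall(long number, ...)
{
    static long (*real_syscall)(long, ...);   /* libc's copy, resolved once */
    if (!real_syscall)
        real_syscall = (long (*)(long, ...))dlsym(RTLD_NEXT, "syscall");
    int slot = __sync_fetch_and_add(&log_len, 1); /* thread-safe slot claim */
    if (slot < LOG_CAP)
        log_nr[slot] = number;
    /* A va_list cannot be handed to a variadic callee, so unpack it. Linux
     * syscalls take at most six arguments; reading six unconditionally is the
     * usual interposer trick (slots exist even if fewer were passed; the kernel
     * ignores the extras). */
    va_list ap; long a[6];
    va_start(ap, number);
    for (int i = 0; i < 6; i++)
        a[i] = va_arg(ap, long);
    va_end(ap);
    return real_syscall(number, a[0], a[1], a[2], a[3], a[4], a[5]);
}
/* Most recently logged syscall number, or -1 if nothing was intercepted. */
long last_intercepted(void)
{
    int n = log_len;
    return n == 0 ? -1 : log_nr[(n < LOG_CAP ? n : LOG_CAP) - 1];
}
/* Round-trips "abc" through a pipe via the hooked syscall(); 1 only if fd, buffer
 * and length were all forwarded intact. */
int pipe_roundtrip(void)
{
    int fds[2]; char buf[4] = {0};
    if (pipe(fds) != 0) return 0;
    long w = syscall(SYS_write, (long)fds[1], (long)"abc", (long)3);
    long r = syscall(SYS_read, (long)fds[0], (long)buf, (long)3);
    close(fds[0]); close(fds[1]);
    return w == 3 && r == 3 && strcmp(buf, "abc") == 0;
}
```

Inspect `log_nr` after the run (or from a crash dump) rather than printing inside the hook, which is the "write it later" approach the answer describes.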