views: 86

answers: 4
Hi guys, I want to record the system calls (including parameters) invoked by an application from the kernel. Somebody told me I can hook all system calls or hook the sysenter, but I don't know how to do it. By the way, I have tried the strace utility, but it seemed that strace gave me more system calls than I expected. For example: I built a program containing only the "open, lseek, read, write and close" system calls for a simple file operation, but strace returned more system calls, such as "access, fstat64 and so on", than those mentioned above. Why?

+5  A: 

strace is going to be a much easier way to go.

The extra system calls you're seeing are those performed by your process before your code takes control - for example, the dynamic loader loading the libc library.

caf
Thanks a lot, caf! According to your response, I rebuilt an application named empty.c as the following: "void main() { }". However, there are still system calls captured by strace, for example: execve, brk, access, ...... Where do these system calls come from?
`execve` is the process changing from a forked copy of `strace` itself into your program by loading the program image. `brk` is used internally in `malloc`, which is perhaps being called by the dynamic linker. Compiling with `-static` might reduce them, but due to glibc's bloat, you'll need to build against another libc like uClibc if you want to eliminate them all.
R..
Thanks a lot, R..! It seems that these "extra" system calls appear at the same place and in the same order for every strace run, so they may be insignificant to my work. I will try tomorrow.
+1  A: 

You might want to try attaching strace to a running process

strace -p pid

It might be a good idea to run the program, have it wait for an event, attach to it and then trigger the event.

Cheers!

qdot
Thanks for your suggestion, qdot! I will try!
A: 

There are numerous ways to trace system calls, both from user-space (strace) and from kernel-space. I would recommend starting with strace and using it as long as it suits your needs. Moving on to other solutions requires a greater learning curve.

To address your need to filter the output of strace, use the -e option. See man strace for instructions on using it to limit what you are capturing.

Noah Watkins
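The two answers above say what strace does (report every call the tracee makes, loader included) and how to narrow its output (-e). As an added example that is not code from this thread or from the strace project, here is a minimal strace-like tracer in C built on ptrace(2), which is the same mechanism strace uses from user space. It records each system call with its raw register arguments and return value, reads the path argument of open/access out of the tracee, and takes a `-e a,b,c` style allow-list. It assumes x86-64 Linux (orig_rax, rdi/rsi/rdx and rax hold the number, arguments and result); the small name table, and the helper names `syscall_name`, `wanted`, `format_entry` and `read_tracee_string`, are mine and cover only the calls mentioned in the thread.

```c
/* Added example: a minimal strace-like tracer on ptrace(2).
 * Assumes x86-64 Linux register layout; the name table is deliberately
 * small and only covers the calls discussed in the thread. */
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

static const struct { long nr; const char *name; } SYSCALLS[] = {
    {0, "read"}, {1, "write"}, {2, "open"}, {3, "close"}, {4, "stat"},
    {5, "fstat"}, {8, "lseek"}, {9, "mmap"}, {12, "brk"}, {21, "access"},
    {59, "execve"}, {60, "exit"}, {231, "exit_group"}, {257, "openat"},
};

/* x86-64 syscall number -> name, or NULL when not in the table above. */
const char *syscall_name(long nr) {
    for (size_t i = 0; i < sizeof SYSCALLS / sizeof SYSCALLS[0]; i++)
        if (SYSCALLS[i].nr == nr) return SYSCALLS[i].name;
    return NULL;
}

/* Allow-list in the spirit of strace -e trace=a,b,c; empty list = everything. */
int wanted(const char *name, const char *list) {
    if (list == NULL || *list == '\0') return 1;
    size_t n = strlen(name);
    for (const char *p = list; p != NULL;) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == n && memcmp(p, name, n) == 0) return 1;
        p = end ? end + 1 : NULL;
    }
    return 0;
}

/* Render a call entry with raw argument values, e.g. "open(0x10, 0x0, 0x0)". */
int format_entry(unsigned long long nr, unsigned long long a0, unsigned long long a1,
                 unsigned long long a2, char *buf, size_t cap) {
    const char *name = syscall_name((long)nr);
    if (name) return snprintf(buf, cap, "%s(0x%llx, 0x%llx, 0x%llx)", name, a0, a1, a2);
    return snprintf(buf, cap, "syscall_%llu(0x%llx, 0x%llx, 0x%llx)", nr, a0, a1, a2);
}

/* Copy a NUL-terminated string out of the tracee's memory, one word at a time. */
static void read_tracee_string(pid_t pid, unsigned long long addr, char *out, size_t cap) {
    size_t i = 0;
    while (i + sizeof(long) <= cap) {
        errno = 0;
        long word = ptrace(PTRACE_PEEKDATA, pid, (void *)(uintptr_t)(addr + i), NULL);
        if (word == -1 && errno != 0) break;          /* unreadable page */
        memcpy(out + i, &word, sizeof word);
        if (memchr(&word, 0, sizeof word)) return;    /* terminator already copied */
        i += sizeof word;
    }
    out[i < cap ? i : cap - 1] = '\0';
}

#if defined(__linux__) && defined(__x86_64__)
int main(int argc, char **argv) {
    const char *filter = "";
    int first = 1;
    if (argc > 3 && strcmp(argv[1], "-e") == 0) { filter = argv[2]; first = 3; }
    if (argc <= first) { fprintf(stderr, "usage: %s [-e a,b,c] prog [args]\n", argv[0]); return 2; }
    pid_t pid = fork();
    if (pid < 0) { perror("fork"); return 1; }
    if (pid == 0) {
        ptrace(PTRACE_TRACEME, 0, NULL, NULL);
        execvp(argv[first], argv + first);  /* tracee stops with SIGTRAP after exec */
        perror("execvp");
        _exit(127);
    }
    int status, in_call = 0, sig = 0;
    waitpid(pid, &status, 0);               /* consume the post-exec stop */
    ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)PTRACE_O_TRACESYSGOOD);
    /* From here on every record comes from inside the tracee: first the dynamic
     * loader's calls (access, open/openat, fstat, mmap, brk ...), then main(). */
    while (ptrace(PTRACE_SYSCALL, pid, NULL, (void *)(long)sig) == 0 &&
           waitpid(pid, &status, 0) == pid && WIFSTOPPED(status)) {
        sig = 0;
        if (WSTOPSIG(status) != (SIGTRAP | 0x80)) { sig = WSTOPSIG(status); continue; } /* plain signal: deliver it */
        struct user_regs_struct r;
        if (ptrace(PTRACE_GETREGS, pid, NULL, &r) < 0) break;
        const char *name = syscall_name((long)r.orig_rax);
        if (!wanted(name ? name : "", filter)) { in_call = !in_call; continue; }
        if (!in_call) {                      /* entry stop: name and arguments */
            char line[128], path[256];
            format_entry(r.orig_rax, r.rdi, r.rsi, r.rdx, line, sizeof line);
            printf("%s", line);
            if (r.orig_rax == 2 || r.orig_rax == 21) {   /* open/access: arg0 is a path */
                read_tracee_string(pid, r.rdi, path, sizeof path);
                printf(" [\"%s\"]", path);
            }
        } else {
            printf(" = %lld\n", (long long)r.rax);  /* negative value is -errno */
        }
        in_call = !in_call;
    }
    return 0;
}
#else
int main(void) { fputs("this tracer targets x86-64 Linux\n", stderr); return 1; }
#endif
```

Run it as `./tracer ./empty` to see the loader's calls arrive before anything from main, and as `./tracer -e open,read,write,lseek,close ./prog` to get the same narrowing that `strace -e` gives. Like strace, it can only see concrete register values; a tracer does not know which call came from the application's source and which from libc or the loader, so that distinction has to be made by where in the output the call appears, as caf's and R..'s comments describe.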
A: 

Firstly, thank you all very much for your replies. The problem is not solved yet.

With some experiments with strace, I think strace cannot meet my requirements. There are two main reasons:

  1. strace returns more system calls than I expect. More importantly, the -p and -e options seem unsuitable for my work. Regarding the -p option, I do not want to attach to any specific application; I just want to record system calls in a general way. Regarding the -e option, -e will filter out some system calls I really want to record, i.e., system calls that are not "added" by strace but actually exist in the application;
  2. strace returns concrete values instead of symbols for some parameters. In my work, I want to trace information flow using symbolic execution, but returning concrete values makes that impossible.

So I have decided to record system calls from the kernel without using strace. Could you show me how to do this in a little more detail?