How to log system calls (the syscall number and the return value, for both int 0x80 and sysenter/syscall) on FreeBSD 10.1 x86_64 from source code?
I know truss can do the work, but I need to log other information like the buffer of copyout during each system call.
I tried to locate the source code of truss, but failed. Also I tried to trace them in amd64_syscall(), but the result seems to be incomplete compared to the result of truss. Any idea about which functions I should care about in the implementation?
You have not specified why you need any of this. In particular, if you need this for security purposes, you are doing it wrong.
What do you mean you failed? Sources are here: http://bxr.su/FreeBSD/usr.bin/truss/
The general mechanism used by tools like this is known as ptrace (https://www.freebsd.org/cgi/man.cgi?query=ptrace), and amongst other things it allows stopping traced threads as they execute syscalls.
However, one has to note that while such mechanisms allow you to copy all arguments, other threads can change the memory pointed to by the aforementioned args after you copy them, just before the syscall does the same. You want to use MAC hooks if this is of any concern to you.
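As an added example (not code from this thread, and not truss's own source), here is a minimal ptrace-based syscall logger of the kind the comment above describes: it stops the tracee at every syscall entry and exit, reads the number and arguments at entry, decodes the return value at exit, and for read(2) copies the bytes the kernel wrote into the user buffer. It assumes the FreeBSD 10.x ptrace(2) interface (PT_SYSCALL, PT_LWPINFO with PL_FLAG_SCE/PL_FLAG_SCX, PT_GETREGS, PT_IO) and the amd64 return convention (carry flag set on error, errno left in rax); the helper name decode_syscall_return, the 16-byte dump and the choice to only dump read(2) are this example's own. The tracer part builds only on FreeBSD; the decoding helper is portable.

```c
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>

/* x86 RFLAGS carry bit. The FreeBSD amd64 kernel signals a failed syscall by
 * setting CF and leaving errno in rax; on success CF is clear and rax holds the
 * result (PSL_C in <machine/psl.h>, defined here so the helper builds anywhere). */
#define CARRY_FLAG 0x1UL

/* Turn the register state at a syscall-exit stop into (return value, errno).
 * Returns 1 if the syscall failed, 0 if it succeeded. */
int decode_syscall_return(uint64_t rax, uint64_t rflags, long *ret, int *err)
{
    if (rflags & CARRY_FLAG) { *ret = -1; *err = (int)rax; return 1; }
    *ret = (long)rax; *err = 0; return 0;
}

#ifdef __FreeBSD__
#include <sys/types.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <machine/reg.h>

/* Copy len bytes from the tracee's address space at addr using PT_IO. */
static ssize_t read_tracee(pid_t pid, uintptr_t addr, void *buf, size_t len)
{
    struct ptrace_io_desc io;
    io.piod_op = PIOD_READ_D; io.piod_offs = (void *)addr;
    io.piod_addr = buf;       io.piod_len = len;
    if (ptrace(PT_IO, pid, (caddr_t)&io, 0) == -1) return -1;
    return (ssize_t)io.piod_len;
}

int main(int argc, char **argv)
{
    if (argc < 2) { fprintf(stderr, "usage: %s program [args...]\n", argv[0]); return 2; }
    pid_t pid = fork();
    if (pid == -1) { perror("fork"); return 1; }
    if (pid == 0) {
        ptrace(PT_TRACE_ME, 0, NULL, 0);   /* parent becomes the tracer */
        execvp(argv[1], argv + 1);          /* tracee stops with SIGTRAP after exec */
        _exit(127);
    }
    int status, sig = 0;
    unsigned long num = 0, a1 = 0, a2 = 0, a3 = 0;
    struct reg regs;
    struct ptrace_lwpinfo pl;
    if (waitpid(pid, &status, 0) == -1 || !WIFSTOPPED(status)) return 1;
    for (;;) {
        /* Run to the next syscall entry or exit; sig is a pending signal to deliver. */
        if (ptrace(PT_SYSCALL, pid, (caddr_t)1, sig) == -1) { perror("PT_SYSCALL"); break; }
        if (waitpid(pid, &status, 0) == -1 || !WIFSTOPPED(status)) break; /* tracee gone */
        sig = 0;
        if (ptrace(PT_LWPINFO, pid, (caddr_t)&pl, sizeof pl) == -1) break;
        if (!(pl.pl_flags & (PL_FLAG_SCE | PL_FLAG_SCX))) {
            sig = WSTOPSIG(status);         /* ordinary signal stop: pass it through */
            continue;
        }
        if (ptrace(PT_GETREGS, pid, (caddr_t)&regs, 0) == -1) break;
        if (pl.pl_flags & PL_FLAG_SCE) {
            /* Entry: the number is in rax whether the tracee used int 0x80 or
             * syscall; args follow the amd64 ABI (rdi, rsi, rdx, r10, r8, r9).
             * SYS_syscall (0) carries the real number in its first argument,
             * which this example does not unwrap. */
            num = regs.r_rax; a1 = regs.r_rdi; a2 = regs.r_rsi; a3 = regs.r_rdx;
            printf("[%d] syscall %lu(%#lx, %#lx, %#lx)", (int)pid, num, a1, a2, a3);
            fflush(stdout);
        } else {
            long ret; int err;
            decode_syscall_return(regs.r_rax, regs.r_rflags, &ret, &err);
            printf(" = %ld", ret);
            if (err) printf(" errno=%d", err);
            /* After read(2) returns, the bytes the kernel copied out sit in the
             * user buffer. Another tracee thread can overwrite them between the
             * kernel's copyout and this PT_IO read: that is the race the comment
             * above warns about, and only an in-kernel hook sees the exact bytes. */
            if (num == SYS_read && ret > 0) {
                unsigned char buf[16];
                size_t n = (size_t)ret < sizeof buf ? (size_t)ret : sizeof buf;
                if (read_tracee(pid, (uintptr_t)a2, buf, n) > 0) {
                    printf("  copyout:");
                    for (size_t i = 0; i < n; i++) printf(" %02x", buf[i]);
                }
            }
            printf("\n");
        }
    }
    return 0;
}
#else
int main(void)
{
    fprintf(stderr, "The tracer uses FreeBSD ptrace(2) requests; build and run it on FreeBSD.\n");
    return 1;
}
#endif
```

Build on FreeBSD with `cc -o sctrace sctrace.c` and run as `./sctrace cat /etc/motd`; each line shows the number and first three arguments at entry, the decoded result at exit, and for read(2) the first bytes the kernel copied into the caller's buffer. To log copyout data for other calls, add the same PT_IO read at exit for each syscall whose buffer argument you care about.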