Issue
I want to make it so that syscalls from a particular process are controlled by another process (admin or same user, doesn't really matter to me). I realize this gives some rootkit/trojan vibes, but I'm not actually making malware; I just need an extra level of control over a specific process, not all of them. I also don't want to have to redefine every syscall (just, like, read, write, connect and a couple more).
What I don't want:
- one of those big rootkits that hijack the syscall table inside the kernel's memory.
- anything like LD_PRELOAD
- an answer that just says "you can't"
I'd rather not have to, like, use ptrace to make all instances of 0x0f 0x05 instead jump to some fancy shellcode (especially because that shellcode would be communicating over UDP with another computer).
Any help would be much appreciated. Everything online about syscall hijacking just shows some source code to rewrite the syscall table.
Solution
SystemTap and eBPF are instrumentation frameworks that allow you to trace and analyze the behavior of the Linux kernel and user-space applications. With these tools, you can trace specific syscalls for a particular process and apply custom handlers. While still quite advanced, they provide a safer and more manageable way to achieve syscall interception compared to direct manipulation of the syscall table.
Or, seccomp (short for secure computing mode) allows you to apply fine-grained restrictions on the syscalls that a process can use. By using a Berkeley Packet Filter (BPF) program, you can filter and control the syscalls that are allowed or denied for a specific process. While seccomp wasn't initially designed for dynamic modification of syscalls, it can be utilized to restrict and control syscall behavior for targeted processes.
You mentioned you'd rather not use LD_PRELOAD, but it's worth noting that this technique allows you to intercept calls to specific functions, including syscalls, by preloading a shared library. While you mentioned you don't want to redefine every syscall, you can use this method to override only specific functions in the targeted process.
Answered By - Ziya Mert Karakas Answer Checked By - Pedro (WPSolving Volunteer)
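As an added example (not part of the original answer or of any project the answer names), here is the seccomp-BPF route in working C: a filter that makes a chosen list of syscalls fail with EPERM and lets everything else through, so only the few syscalls the asker cares about (connect here) are touched, with no changes to the kernel's syscall table and no LD_PRELOAD. It assumes Linux on x86-64; the AUDIT_ARCH_X86_64 check and the SYS_* numbers are architecture-specific, and the 16-instruction cap and the function names are this example's own choices.

```c
// Added example, not code from the original page.
// Assumes Linux x86-64 headers (linux/seccomp.h, linux/filter.h, linux/audit.h).
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#ifndef SECCOMP_RET_KILL_PROCESS          /* older headers only have SECCOMP_RET_KILL */
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL
#endif

#define MAX_INSNS 16                      /* example's own cap: 6 fixed insns + one per denied syscall */

/* Build a classic-BPF seccomp program into `prog`: every syscall number in
 * `denied` returns -EPERM to the caller, everything else is allowed.
 * Returns the instruction count, or -1 if the list does not fit. */
static int build_deny_filter(struct sock_filter *prog, const int *denied, int ndenied)
{
    int n = 0;
    if (ndenied < 0 || 6 + ndenied > MAX_INSNS)
        return -1;

    /* Check the architecture first: syscall numbers differ between ABIs, so a
     * filter written for x86-64 must not be evaluated against x32/i386 calls. */
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                             offsetof(struct seccomp_data, arch));
    prog[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0);
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);

    /* Load the syscall number into the accumulator. */
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                             offsetof(struct seccomp_data, nr));

    /* One compare per denied syscall. On a match, jump over the remaining
     * compares and the ALLOW return, landing on the ERRNO return below. */
    for (int i = 0; i < ndenied; i++) {
        unsigned char skip = (unsigned char)(ndenied - i);
        prog[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                                 (unsigned)denied[i], skip, 0);
    }
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K,
                                             SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA));
    return n;
}

/* Install the filter on the calling thread. PR_SET_NO_NEW_PRIVS is mandatory
 * for an unprivileged process; once installed, the filter cannot be removed
 * and is inherited across fork() and execve(). */
static int install_filter(struct sock_filter *prog, int count)
{
    struct sock_fprog fprog = { .len = (unsigned short)count, .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog, 0, 0);
}

int main(void)
{
    struct sock_filter prog[MAX_INSNS];
    const int denied[] = { SYS_connect };
    int count = build_deny_filter(prog, denied, 1);
    if (count < 0 || install_filter(prog, count) != 0) {
        perror("seccomp");
        return 1;
    }

    /* Demonstration: socket() still works, connect() is refused by the kernel
     * before it looks at the address. Loopback:80 is just a constructed target. */
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(80) };
    inet_pton(AF_INET, "127.0.0.1", &sa.sin_addr);
    if (connect(fd, (struct sockaddr *)&sa, sizeof sa) < 0 && errno == EPERM)
        printf("connect blocked by seccomp: %s\n", strerror(errno));
    close(fd);
    return 0;
}
```

To apply this to a specific process rather than yourself, install the filter in a small launcher and then execve() the target: the filter is inherited, so the target runs under it without being modified, and no other process on the system is affected. The same filter layout works with seccomp(2) and SECCOMP_FILTER_FLAG_TSYNC if the target is already multi-threaded, and with SECCOMP_RET_USER_NOTIF (Linux 5.0 and later) the verdict on a matched syscall can be handed to a separate supervising process instead of being fixed at EPERM, which is closest to what the question asks for.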