Tracing System calls
Linux
Tracing system calls on Linux is straightforward. The ptrace API lets one process trace all system calls made by another process, and the command-line program strace uses ptrace to allow a user to do the same.
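As an added example (not code from this page, and not strace's own source), here is a minimal ptrace-based tracer in C that shows the mechanism the paragraph describes: it runs a command as a traced child, stops the child at every system-call entry and exit, counts the calls, and reports how many of them were write(2). It assumes Linux on x86_64 or arm64 (the register holding the syscall number is architecture specific), glibc or musl headers, and that ptrace is permitted in the environment (some container configurations deny it, in which case the function returns -1). The default command `echo traced` is a constructed sample input.

```c
#define _GNU_SOURCE
#include <elf.h>          /* NT_PRSTATUS */
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>  /* SYS_write, correct for the build architecture */
#include <sys/uio.h>      /* struct iovec */
#include <sys/user.h>     /* struct user_regs_struct */
#include <sys/wait.h>
#include <unistd.h>

#ifndef PTRACE_O_EXITKILL
#define PTRACE_O_EXITKILL 0x00100000 /* older libc headers lack the constant */
#endif

/* Read the syscall number of a tracee that is stopped at a syscall-stop.
 * Which register carries the number depends on the architecture. */
static long current_syscall(pid_t pid)
{
    struct user_regs_struct regs;
#if defined(__x86_64__)
    if (ptrace(PTRACE_GETREGS, pid, 0, &regs) == -1)
        return -1;
    return (long)regs.orig_rax;   /* rax is overwritten by the return value; orig_rax is not */
#elif defined(__aarch64__)
    struct iovec iov = { &regs, sizeof regs };
    if (ptrace(PTRACE_GETREGSET, pid, (void *)(uintptr_t)NT_PRSTATUS, &iov) == -1)
        return -1;
    return (long)regs.regs[8];    /* x8 carries the syscall number on arm64 */
#else
    (void)pid; (void)regs;
    return -1;                    /* other architectures: counting still works */
#endif
}

/* Run argv[] as a traced child, stopping it at each syscall entry and exit.
 * Returns the number of syscalls the child made, or -1 if tracing failed;
 * *n_write receives how many of those calls were write(2). */
long count_child_syscalls(char *const argv[], long *n_write)
{
    long total = 0, writes = 0;
    int status, in_syscall = 0, sig = 0;
    pid_t pid = fork();
    if (pid == -1)
        return -1;
    if (pid == 0) {
        /* Tracee: request tracing by the parent, then exec the command.
         * A successful exec stops the tracee with SIGTRAP. */
        if (ptrace(PTRACE_TRACEME, 0, 0, 0) == -1)
            _exit(126);
        execvp(argv[0], argv);
        _exit(127);
    }
    /* First stop must be the post-exec SIGTRAP; anything else means tracing never started */
    if (waitpid(pid, &status, 0) == -1 || !WIFSTOPPED(status))
        return -1;
    /* TRACESYSGOOD marks syscall-stops as SIGTRAP|0x80 so they are distinguishable
     * from genuine SIGTRAPs; EXITKILL kills the tracee if the tracer dies. */
    if (ptrace(PTRACE_SETOPTIONS, pid, 0, PTRACE_O_TRACESYSGOOD | PTRACE_O_EXITKILL) == -1)
        ptrace(PTRACE_SETOPTIONS, pid, 0, PTRACE_O_TRACESYSGOOD);

    for (;;) {
        if (ptrace(PTRACE_SYSCALL, pid, 0, sig) == -1)   /* resume until next syscall-stop */
            return -1;
        sig = 0;
        if (waitpid(pid, &status, 0) == -1)
            return -1;
        if (WIFEXITED(status) || WIFSIGNALED(status))
            break;
        if (!WIFSTOPPED(status))
            continue;
        if (WSTOPSIG(status) == (SIGTRAP | 0x80)) {
            /* Stops alternate entry/exit; count each call once, at entry */
            if (!in_syscall) {
                total++;
                if (current_syscall(pid) == SYS_write)
                    writes++;
            }
            in_syscall = !in_syscall;
        } else {
            /* Not a syscall-stop: a real signal arrived, so deliver it on resume */
            sig = WSTOPSIG(status);
        }
    }
    if (n_write)
        *n_write = writes;
    return total;
}

int main(int argc, char *argv[])
{
    char *const dflt[] = { "echo", "traced", NULL };   /* constructed sample command */
    long writes = 0;
    long total = count_child_syscalls(argc > 1 ? (char *const *)(argv + 1) : dflt, &writes);
    if (total < 0) {
        perror("tracing failed");
        return 1;
    }
    printf("%ld syscalls, %ld of them write(2)\n", total, writes);
    return 0;
}
```

Build with `cc -o tracer tracer.c` and run `./tracer ls /` to trace any command. The entry/exit toggle is the same bookkeeping strace does; strace additionally decodes every argument, which means reading the tracee's memory with PTRACE_PEEKDATA, omitted here.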
Mac OS X
Tracing system calls on Mac OS X is a little harder, but more powerful. The dtrace system ships with Macs starting with Mac OS X 10.5. Unlike strace, however, support for dtrace has to be built into programs. Mac OS X ships with several thousand probes (the attachment points), and most normal monitoring is covered. Brendan Gregg's blog has a Mac OS X-specific dtrace page, as an example, and there are other useful tutorials.
Apple added ptrace to Mac OS X, maybe. There’s a man page for it, but no strace program for user-level use. I’ll have to try writing some code.
There are ways to hook/override program and system functions at runtime. These work but aren't truly supported, so they are mostly useful in debugging situations.
Amit Singh took the kernel-extension approach to get access to system calls.
While there are definitely nefarious uses for this stuff, it is useful for developers too. For example, this paper talks about rootkits, but the techniques also make for great developer tools.
BSD
The equivalent to ptrace on BSD is ktrace. Unfortunately, ktrace is not available on Mac OS X. That’s annoying, because it is complementary to DTrace, which is an awesome sysop-level tool, but does not give complete access to all system calls. Mac OS X had ktrace in 10.4 and earlier.
Windows
There is the amazing Process Monitor, which traces all file and registry actions. However, it is strictly a user-level program: you work with it through its GUI. It's very useful, but does not give you system-call level access from your own source code.
There is a fairly new project called StraceNT. It comes with source code.
Dr. Memory comes with “strace for Windows” called drstrace.
Event Tracing for Windows (ETW) is the Microsoft official technique, and has several programs layered on top.
Logger and LogView are also Microsoft tools.
There is NtTrace.
An article
fabricate
This is a Python build tool that watches for files that have changed as a result of running a command. It uses strace on Linux but does file-time watching on Windows, so maybe look for how to get Python on Windows to use one of the other file monitoring solutions?
tup
The tup build tool uses DLL injection on Windows to detect file I/O.
ninja
The ninja tool also does filesystem watching, I think.
Google “building in the cloud”
This is a FUSE-based approach, so not exactly tracing system calls.