3

I need to hijack all operating system calls of my own process. I cannot rewrite code as it is partly not my code (plug-ins). I need to be able to decide within my implementation of a specific system call, if I want to call the original implementation or not.

Operating systems will be at first Windows XP and higher versions. Later OS X 10.5 and higher will follow. Starting on Windows with 32-bit versions, later for all operating systems also 64-bit versions.

I found a lot of documentation and tools about hooking other processes, but I would hope my job is much simpler and I would hope for some source code.

Thanks a lot in advance, Bernd.

to-die-for
  • Frankly, *all* system calls is a lot. The best would perhaps be to write a loadable kernel module in which you hook every single syscall there is. In my opinion an approach covering only the system calls relevant to your problem would be a smarter move. – 0xC0000022L May 22 '11 at 21:39

3 Answers

1

There are many hooking libraries that will let you do this, for example Detours or madCodeHook on Windows. No doubt there are similar libraries on OSX, I just don't know them!

It's very easy to hook a routine and replace it with your own implementation. It's less easy to retain the option of running the original routine in some circumstances, and that's where using a hooking library will take the pain away for you.

David Heffernan
  • When choosing a hooking library, or implementing one yourself, make sure it is thread safe! – Grim May 23 '11 at 12:53
  • Thanks. At first I thought, yah, I know these libraries. But actually your answer inspired me to rethink and now I see a way to actually use one of these libraries. So, thanks a lot. – to-die-for May 24 '11 at 23:06
1

On Mac OS X, you can override functions with the DYLD_INTERPOSE macro (and DYLD_INSERT_LIBRARIES, if needed). This answer has an example: Ansi C patch using dlsym compiles OK under linux but fails on Mac Os X

bk1e
0

For Windows, there is the open source alternative to Microsoft Detours called EasyHook:

Alexander