Indirect syscalls hooking

[ByteCrew]

Hi all,

I'm actually working with syscalls utilities from the main API set (not dr_syscall) and everything is going well. However I need to know how does DRIO hook the system call invocation. 

For example, if a certain routine does a dynamic syscall resolution by pushing the raw syscall number in the eax register and then it invokes syscall instruction, will the pre_syscall_event be triggered? Because if it is not triggered I will not intercept all the Nt syscalls invoked in this way I guess.  

Thank you. 

[sharma...@google.com]

Hi,

As documented for dr_register_filter_syscall_event, "If a system call number is not determinable, the filter event will not be called, but the pre and post events will be called."

For the pre and post events: we check the syscall num register, so the system call number does not need to be statically determinable. For the filter event: we pass only the statically determined syscall num.

Hope this helps.

Abhinav