# Welcome to Syscall Monkey

## TL;DR

Syscall Monkey is a next-gen, cloud-native strace:

- attach to and detach from processes using `ptrace` (Linux only)
- intercept and manipulate their syscalls (block, change arguments, change the return value)
- prepare scenarios in a simple `yaml` format
- write advanced use cases using `syscallmonkey` as an SDK
## Teaser

### Change the return value

Here's how you can trick `whoami` into thinking it runs as a different user. First, it works as expected:

```console
root@f34cc94a6b6d:/# whoami
root
```

Use this scenario to always return 1 for the `geteuid` syscall:

```yaml
# cat /examples/getuid-user1.yml
rules:
  - name: switch geteuid to return a different user ID
    match:
      name: geteuid
    modify:
      return: 1
```

```console
root@f34cc94a6b6d:/# monkey -s -c /examples/getuid-user1.yml whoami
daemon
```

This is because user ID 1 happens to be `daemon` on my system:

```console
root@02a8cb7164ef:/# head -n2 /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
```
### Change an argument of the call

How about tricking the process into opening a different file with `openat` instead? Easy:

```yaml
# cat /examples/openat-etc-passwd.yml
rules:
  - name: trick the program to read a different file, instead of /etc/passwd
    match:
      name: openat
      args:
        - number: 1
          string: "/etc/passwd"
    modify:
      args:
        - number: 1
          string: "/tmp/passwd"
```

```console
root@f34cc94a6b6d:/# whoami
root
root@bc2f54570070:/# echo "LOL-HACKED:x:0:0:root:/root:/bin/bash" > /tmp/passwd
root@bc2f54570070:/# monkey -s -c /examples/openat-etc-passwd.yml whoami
LOL-HACKED
```
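To make the semantics of the two scenario files above concrete, here is an added example (my own code, not part of syscallmonkey) that evaluates the same `match`/`modify` rules against constructed syscall records. It assumes the rules are already loaded into the Python structure `yaml.safe_load` would produce, that `number` is a 0-based argument index (as `number: 1` selecting the `openat` pathname suggests), and that the first matching rule wins.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Syscall:
    """One intercepted call: name, decoded argument values, and the return value to inject."""
    name: str
    args: list
    ret: Optional[int] = None

# Equivalent of yaml.safe_load() on the two scenario files shown on this page.
SCENARIO = {"rules": [
    {"name": "switch geteuid to return a different user ID",
     "match": {"name": "geteuid"},
     "modify": {"return": 1}},
    {"name": "trick the program to read a different file, instead of /etc/passwd",
     "match": {"name": "openat", "args": [{"number": 1, "string": "/etc/passwd"}]},
     "modify": {"args": [{"number": 1, "string": "/tmp/passwd"}]}},
]}

def matches(rule: dict, call: Syscall) -> bool:
    """A rule matches when the syscall name and every listed argument condition agree."""
    cond = rule["match"]
    if cond.get("name") != call.name:
        return False
    for arg in cond.get("args", []):
        n = arg["number"]
        if n >= len(call.args) or call.args[n] != arg["string"]:
            return False
    return True

def apply_rules(scenario: dict, call: Syscall) -> Optional[str]:
    """Mutate `call` according to the first matching rule; return that rule's name or None."""
    for rule in scenario["rules"]:
        if matches(rule, call):
            mod = rule.get("modify", {})
            for arg in mod.get("args", []):        # rewrite selected arguments in place
                call.args[arg["number"]] = arg["string"]
            if "return" in mod:                    # override the return value
                call.ret = mod["return"]
            return rule["name"]
    return None

if __name__ == "__main__":
    # Constructed sample calls mirroring what whoami issues in the teaser.
    for c in (Syscall("geteuid", []), Syscall("openat", [-100, "/etc/passwd", 0])):
        print(apply_rules(SCENARIO, c), "->", c)
```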