
Welcome to Syscall Monkey

TL;DR

Syscall Monkey is a next-gen, cloud-native strace:

Teaser

Change the return value

Here's how you can trick whoami into thinking it runs as a different user. First, without Syscall Monkey, it works as expected:

root@f34cc94a6b6d:/# whoami
root

Use this scenario to always return 1 for the geteuid syscall:

# cat /examples/getuid-user1.yml
rules:
  - name: switch geteuid to return a different user ID
    match:
      name: geteuid
    modify:
      return: 1
root@f34cc94a6b6d:/# monkey -s -c /examples/getuid-user1.yml whoami
daemon

This is because the user number 1 happens to be daemon on my system:

root@02a8cb7164ef:/# head -n2 /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin

Change an argument of the call

How about tricking the process into opening a different file via openat instead? Easy:

# cat /examples/openat-etc-passwd.yml
rules:
  - name: trick the program to read a different file, instead of /etc/passwd
    match:
      name: openat
      args:
        - number: 1
          string: "/etc/passwd"
    modify:
      args:
        - number: 1
          string: "/tmp/passwd"
root@f34cc94a6b6d:/# whoami
root
root@bc2f54570070:/# echo "LOL-HACKED:x:0:0:root:/root:/bin/bash" > /tmp/passwd
root@bc2f54570070:/# monkey -s -c /examples/openat-etc-passwd.yml whoami
LOL-HACKED
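To make the rule semantics above concrete, here is an added reference evaluator for the rule format used in both scenarios (the geteuid return rewrite and the openat argument rewrite). It is not Syscall Monkey's own code: the two rule files from the page are embedded as the dicts a YAML loader would produce (assumed, to avoid a YAML dependency), syscall events are constructed by hand, and "first matching rule wins" is an assumption about the tool, not documented behaviour.

```python
from dataclasses import dataclass, field

# The two rule files shown above, as a YAML loader would parse them.
GETUID_USER1 = {"rules": [
    {"name": "switch geteuid to return a different user ID",
     "match": {"name": "geteuid"},
     "modify": {"return": 1}}]}
OPENAT_ETC_PASSWD = {"rules": [
    {"name": "trick the program to read a different file, instead of /etc/passwd",
     "match": {"name": "openat",
               "args": [{"number": 1, "string": "/etc/passwd"}]},
     "modify": {"args": [{"number": 1, "string": "/tmp/passwd"}]}}]}

@dataclass
class Event:
    """One syscall as a tracer sees it; args are positional (arg 0, 1, ...)."""
    name: str
    args: list
    ret: int = 0                                  # constructed: 0 == root for geteuid
    applied: list = field(default_factory=list)   # names of rules that fired

def matches(rule, ev):
    """A rule matches when the syscall name and every listed arg constraint agree."""
    m = rule["match"]
    if m.get("name") != ev.name:
        return False
    for c in m.get("args", []):
        n = c["number"]
        if n >= len(ev.args) or ev.args[n] != c["string"]:  # out-of-range never matches
            return False
    return True

def apply_rules(config, ev):
    """Rewrite ev per the first matching rule (assumed first-match-wins); return it."""
    for rule in config["rules"]:
        if not matches(rule, ev):
            continue
        mod = rule["modify"]
        for c in mod.get("args", []):         # argument rewrite, e.g. the openat path
            ev.args[c["number"]] = c["string"]
        if "return" in mod:                   # return-value rewrite, e.g. geteuid -> 1
            ev.ret = mod["return"]
        ev.applied.append(rule["name"])
        break
    return ev

def redirected_paths(config):
    """Audit helper: list (matched, replacement) string pairs a ruleset can swap,
    so a reviewer can see which files a scenario silently redirects."""
    out = []
    for rule in config["rules"]:
        want = {c["number"]: c["string"] for c in rule["match"].get("args", [])}
        for c in rule["modify"].get("args", []):
            if c["number"] in want:
                out.append((want[c["number"]], c["string"]))
    return out
```

Running the openat event through the evaluator shows the same effect as the session above: the path argument is swapped before the kernel ever sees it, while an openat of any other file passes through untouched.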