MayBe (Process File System call audit)

1 - About

maybe runs processes under the control of ptrace to show which file system modifications a process would perform.

2 - Engine

maybe intercepts each system call that is about to change the file system, logs the call, and then modifies the CPU registers to redirect the call to an invalid syscall ID (effectively turning it into a no-op) and to set the return value of that no-op so that it indicates success of the original call.
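
The mechanism described above, as an added example that is not code from the maybe project: a small C supervisor (assumed to run on Linux x86_64 with ptrace permitted; the register names are x86_64-specific) traces a child, logs each file-system-changing syscall together with the path it targets, rewrites `orig_rax` to an invalid syscall number at the syscall-entry stop so the kernel performs nothing, and then rewrites `rax` to 0 at the syscall-exit stop so the child believes the call succeeded. The function name `run_dry`, the syscall subset and the demo path are choices made for this example, not maybe's own.

```c
/* Added example, not code from the maybe project: a minimal ptrace supervisor
 * that logs file-system-changing syscalls and neutralises them the way the
 * page describes. Assumes Linux on x86_64 (the register names are x86_64
 * specific) and a kernel/sandbox that permits ptrace. */
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

/* Demonstration subset of syscalls that change the file system. Returns the
 * tracee address of the path argument, or 0 when the call is harmless. For
 * open/openat only the flags decide whether anything gets created/truncated. */
static long fs_change_path(const struct user_regs_struct *r) {
    switch (r->orig_rax) {
    case SYS_mkdir: case SYS_rmdir: case SYS_unlink: case SYS_rename: case SYS_creat:
        return (long)r->rdi;                  /* path is the first argument */
    case SYS_mkdirat: case SYS_unlinkat: case SYS_renameat:
        return (long)r->rsi;                  /* dirfd first, path second */
    case SYS_open:
        return (r->rsi & (O_CREAT | O_TRUNC)) ? (long)r->rdi : 0;
    case SYS_openat:
        return (r->rdx & (O_CREAT | O_TRUNC)) ? (long)r->rsi : 0;
    default:
        return 0;
    }
}

/* Copy a NUL-terminated string out of the tracee's memory one word at a time. */
static void read_tracee_string(pid_t pid, long addr, char *buf, size_t len) {
    memset(buf, 0, len);
    for (size_t i = 0; i + sizeof(long) <= len; i += sizeof(long)) {
        errno = 0;
        long word = ptrace(PTRACE_PEEKDATA, pid, (void *)(addr + i), NULL);
        if (errno) break;                     /* unreadable page: stop early */
        memcpy(buf + i, &word, sizeof word);
        if (memchr(&word, 0, sizeof word)) return;
    }
    buf[len - 1] = '\0';
}

/* Run mkdir(path) in a traced child. Returns the number of suppressed
 * file-system changes; -1 on tracing errors, -2 if the child did not see
 * success, -3 if the change actually reached the disk. */
int run_dry(const char *path) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                           /* tracee */
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0) _exit(2);
        raise(SIGSTOP);                       /* pause until the tracer has set options */
        _exit(mkdir(path, 0700) == 0 ? 0 : 1); /* the change under audit */
    }
    int status, in_syscall = 0, suppressed = 0, blocked = 0, sig = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFSTOPPED(status)) return -1;
    ptrace(PTRACE_SETOPTIONS, pid, NULL,
           (void *)(long)(PTRACE_O_TRACESYSGOOD | PTRACE_O_EXITKILL));
    for (;;) {
        if (ptrace(PTRACE_SYSCALL, pid, NULL, (void *)(long)sig) < 0) return -1;
        if (waitpid(pid, &status, 0) < 0) return -1;
        sig = 0;
        if (WIFEXITED(status) || WIFSIGNALED(status)) break;
        if (WSTOPSIG(status) != (SIGTRAP | 0x80)) { /* ordinary signal: forward it */
            sig = WSTOPSIG(status);
            continue;
        }
        struct user_regs_struct regs;
        ptrace(PTRACE_GETREGS, pid, NULL, &regs);
        in_syscall = !in_syscall;             /* stops alternate: entry, exit, entry, ... */
        if (in_syscall) {                     /* syscall-entry stop */
            long addr = fs_change_path(&regs);
            suppressed = addr != 0;
            if (suppressed) {
                char p[256];
                read_tracee_string(pid, addr, p, sizeof p);
                fprintf(stderr, "maybe-demo: syscall %llu on %s -> suppressed\n",
                        regs.orig_rax, p);
                regs.orig_rax = (unsigned long long)-1; /* invalid syscall ID: kernel does nothing */
                ptrace(PTRACE_SETREGS, pid, NULL, &regs);
                blocked++;
            }
        } else if (suppressed) {              /* syscall-exit stop of a suppressed call */
            regs.rax = 0;                     /* the no-op returned -ENOSYS; report success instead */
            ptrace(PTRACE_SETREGS, pid, NULL, &regs);
        }
    }
    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) return -2;
    struct stat st;
    return stat(path, &st) == 0 ? -3 : blocked;
}

int main(int argc, char **argv) {
    const char *path = argc > 1 ? argv[1] : "/tmp/maybe-demo-dir";
    int r = run_dry(path);
    printf("%d file system change(s) suppressed, directory %s\n", r,
           r >= 0 ? "was not created" : "check failed");
    return r >= 0 ? 0 : 1;
}
```

Compile with `cc -o maybe-demo maybe-demo.c` and run it with a directory path: the child's `mkdir` returns 0 and exits as if it had succeeded, while the log line shows the call that was suppressed and the directory never appears on disk. The entry/exit pairing here relies on the stops alternating; on kernels 5.3 and later `PTRACE_GETSYSCALLINFO` reports the stop type explicitly and is the more robust choice. The syscall list is deliberately short; a real dry-run tool has to cover every call that can touch the file system, and this kind of supervisor is an audit aid, not a security boundary.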

3 - Documentation / Reference

os/maybe.txt · Last modified: 2018/09/22 12:10 by gerardnico