Maray97

Reputation: 172

Tamper with system call behavior using QEMU

I don't know if this is the right place, but I don't know where else I could ask. I'd like to change the system call behavior inside QEMU (or even inside the kernel, if I can make this modification temporary). For instance, if I call read(fd), I would like to hook this call and maybe change the file descriptor or the content itself. I would like to have a general structure like this, maybe by using a plugin or I don't know what:

syscall_interceptor(syscall, syscall_parameters){
    new_parameters = tamper(syscall_parameters)
    syscall(new_parameters)
}

something like that. Is it possible? How?

Upvotes: 0

Views: 690

Answers (1)

nevilad

Reputation: 985

To solve this problem with qemu, you can change the syscall handler for x64 TCG mode. It's a function named helper_syscall in the qemu\target\i386\seg_helper.c source file. You need the second one (the #else branch of #if defined(CONFIG_USER_ONLY)). After changing the code you have to build qemu.

According to this, a sys_read syscall should have: rax = 0, rdi = fd, rsi = buf, rdx = count.

You can add the changes at the top of the handler:

void helper_syscall(CPUX86State *env, int next_eip_addend)
{
    int selector;

    if (0 == env->regs[R_EAX]) {
      //sys_read syscall: rax = 0, rdi = fd, rsi = buf, rdx = count
      //env->regs[R_EDI] - fd, change it, to change fd value:
      // env->regs[R_EDI] = newFd;
      //env->regs[R_ESI] - buf pointer
      //env->regs[R_EDX] - count

      //To rewrite buf contents, use cpu_memory_rw_debug
      //and set write address to rsi (check the size against rdx first):
      //uint8_t newContents[] = { /* replacement bytes */ };
      //CPUState *cpu = env_cpu(env);
      //if (sizeof(newContents) > env->regs[R_EDX]) {
      //  handle "buffer too small" here (never write past count).
      //} else if (cpu_memory_rw_debug(cpu, env->regs[R_ESI],
      //                               newContents, sizeof(newContents), 1)) {
      //  handle buf write error here (returns non-zero on failure).
      //}
    }
    .....

See the comments in the code snippet, and don't forget to check the buffer size before you rewrite the buffer.

Upvotes: 1
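As an added, stand-alone example (not code from the question, the answer or QEMU itself), the following C program models the hook the answer describes: it dispatches on rax, remaps rdi for sys_read, and rewrites the guest buffer at rsi, but only after checking the replacement against rdx, the caller's count. CPUX86State, the R_* register indices, the flat "guest RAM" and the guest_memory_rw() stand-in for cpu_memory_rw_debug() are all assumptions made so the logic compiles and runs outside QEMU; the TamperPolicy struct and the HOOK_* outcome codes are likewise invented here so each decision the hook makes can be checked.

```c
/* Added example: a stand-alone model of a syscall-entry hook in the style of
 * QEMU's helper_syscall(). Nothing below is QEMU code: CPUX86State, the R_*
 * indices, guest_ram and guest_memory_rw() are small stand-ins (assumptions)
 * so the hook's logic can be compiled and exercised on its own. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Register indices (assumed order; only the names matter here). */
enum { R_EAX = 0, R_ECX, R_EDX, R_EBX, R_ESP, R_EBP, R_ESI, R_EDI, NUM_REGS };

#define SYS_READ_NR 0            /* Linux x86-64: read(fd, buf, count) */

typedef struct { uint64_t regs[NUM_REGS]; } CPUX86State;

/* A tiny flat "guest RAM" standing in for the emulated machine's memory. */
#define GUEST_RAM_SIZE 4096
static uint8_t guest_ram[GUEST_RAM_SIZE];

/* Model of cpu_memory_rw_debug(): copy len bytes to/from guest memory.
 * Returns 0 on success, -1 if the range is outside guest RAM. */
static int guest_memory_rw(uint64_t addr, void *buf, size_t len, int is_write)
{
    if (addr > GUEST_RAM_SIZE || len > GUEST_RAM_SIZE - addr)
        return -1;
    if (is_write)
        memcpy(guest_ram + addr, buf, len);
    else
        memcpy(buf, guest_ram + addr, len);
    return 0;
}

/* Tamper policy (hypothetical): which fd to substitute, what to inject. */
typedef struct {
    uint64_t from_fd, to_fd;     /* reads of from_fd are redirected to to_fd */
    const char *content;         /* bytes written into the guest's buffer   */
} TamperPolicy;

/* Outcome bits so a caller (or test) can see what the hook decided. */
enum { HOOK_IGNORED = 0, HOOK_FD_REMAPPED = 1, HOOK_BUF_WRITTEN = 2,
       HOOK_BUF_TOO_SMALL = 4, HOOK_MEM_ERROR = 8 };

/* The interceptor: what the answer puts at the top of helper_syscall().
 * Returns a bitmask of HOOK_* actions. */
int syscall_interceptor(CPUX86State *env, const TamperPolicy *pol)
{
    int actions = HOOK_IGNORED;
    if (env->regs[R_EAX] != SYS_READ_NR)
        return actions;                       /* only sys_read is handled */

    if (env->regs[R_EDI] == pol->from_fd) {   /* rdi = fd */
        env->regs[R_EDI] = pol->to_fd;
        actions |= HOOK_FD_REMAPPED;
    }

    size_t len = strlen(pol->content);
    if (len > env->regs[R_EDX])               /* rdx = count: never exceed it */
        return actions | HOOK_BUF_TOO_SMALL;

    /* rsi = buf: write into guest memory, propagating the rw failure. */
    if (guest_memory_rw(env->regs[R_ESI], (void *)pol->content, len, 1) != 0)
        return actions | HOOK_MEM_ERROR;
    return actions | HOOK_BUF_WRITTEN;
}

/* --- scenario helpers: build a guest register state and run the hook --- */
static CPUX86State scenario_env;
static const TamperPolicy demo_policy = { 3, 7, "tampered" };  /* constructed */

int run_syscall_scenario(uint64_t nr, uint64_t fd, uint64_t buf, uint64_t count)
{
    memset(&scenario_env, 0, sizeof scenario_env);
    memset(guest_ram, 0, sizeof guest_ram);
    scenario_env.regs[R_EAX] = nr;
    scenario_env.regs[R_EDI] = fd;
    scenario_env.regs[R_ESI] = buf;
    scenario_env.regs[R_EDX] = count;
    return syscall_interceptor(&scenario_env, &demo_policy);
}

uint64_t scenario_fd(void) { return scenario_env.regs[R_EDI]; }

/* 1 if guest memory at addr holds exactly the bytes of s, else 0. */
int guest_contains(uint64_t addr, const char *s)
{
    char tmp[64] = {0};
    size_t len = strlen(s);
    if (len >= sizeof tmp || guest_memory_rw(addr, tmp, len, 0) != 0)
        return 0;
    return memcmp(tmp, s, len) == 0;
}

int main(void)
{
    int a = run_syscall_scenario(SYS_READ_NR, 3, 0x100, 64);
    printf("read(3, 0x100, 64): actions=%d fd->%llu buf=\"%s\"\n", a,
           (unsigned long long)scenario_fd(), (char *)(guest_ram + 0x100));
    printf("read(3, 0x100, 4):  actions=%d (buffer too small, nothing written)\n",
           run_syscall_scenario(SYS_READ_NR, 3, 0x100, 4));
    return 0;
}
```

The count check is the part the answer warns about: a replacement longer than rdx would spill past the guest's buffer, so the hook refuses and reports HOOK_BUF_TOO_SMALL instead of writing. In real QEMU the same shape applies with env_cpu(env) and cpu_memory_rw_debug() in place of the stand-ins.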
