Skip to content

Syscall Hook

Domain: syscall-hook

System call hooking domain providing system call monitoring and mapping capabilities.

Profiles

  • full

Typical scenarios

  • System call monitoring
  • API hooking
  • Behavioral analysis

Common combinations

  • syscall-hook + process
  • syscall-hook + instrumentation

Full tool list (15)

ToolDescription
syscall_start_monitorStart syscall monitoring.
syscall_stop_monitorStop syscall interception and release all captured events.
syscall_capture_eventsCapture syscall events from the active or last monitoring session.
syscall_correlate_jsCorrelate captured syscalls with likely JavaScript functions.
syscall_filterFilter captured syscall events by name, PID, or return value.
syscall_get_statsGet syscall monitoring statistics.
syscall_ebpf_traceTrace syscalls on Linux with eBPF. Requires root or CAP_BPF.
syscall_resolve_ssnResolve NT syscall service numbers (SSN) from on-disk ntdll.dll. Parses the export table to extract Zw* → SSN mappings and locates a syscall;ret gadget for direct invocation stubs. Win32 only.
syscall_direct_invokeDirect NT syscall invocation guidance. Resolves SSN for a given NT function and returns a stub template with usage instructions for in-process direct syscall invocation. Bypasses user-mode hooks on ntdll.dll. Win32 only.
syscall_stack_captureCorrelate captured syscall events with real JS call stacks via debugger integration. Goes beyond static heuristics by querying live CDP call stacks for syscall→JS mapping. Falls back to heuristic-only mode when no debugger is attached.
syscall_trace_compareDiff two syscall trace snapshots to find appeared/disappeared syscalls and frequency changes. Useful for understanding what OS calls a JS operation triggers. Capture baseline events → perform the operation → capture target events → pass both arrays here. Use syscall_capture_events (or syscall_trace_export) to obtain each snapshot.
syscall_trace_exportExport captured syscall events to portable NDJSON with optional time-range filtering and deduplication. Returns both structured array and NDJSON string.
syscall_ebpf_attachLive eBPF syscall attach — spawns a bpftrace process, captures syscall events as structured JSON in real time, and returns them directly. Unlike syscall_ebpf_trace (script-generator), this tool actually runs bpftrace and captures output. Falls back to script mode on non-Linux or when bpftrace is unavailable. Requires bpftrace + CAP_BPF or root on Linux.
syscall_origin_mapBuild a unified syscall→JS origin map by integrating live CDP call stacks (syscall_stack_capture) with static timing heuristics (syscall_correlate_js). Aggregates recent syscall events by JavaScript function so callers can see which JS function triggered which syscalls and how often. Debugger stacks are preferred when available; heuristics fill the gaps.
syscall_pattern_detectScan captured syscall events for behavioral patterns relevant to reverse engineering: anti-debug probes (ptrace / IsDebuggerPresent), system fingerprinting (uname / getuid), filesystem enumeration (openat + getdents), network beaconing (connect / sendto), process spawning (clone / execve), and Windows registry probing. Returns classified patterns with evidence.

Released under AGPL-3.0-only