MayBe (Process File System call audit)


maybe runs processes under the control of ptrace to show which file system modifications a process would perform.


maybe intercepts each system call that is about to make changes to the file system, logs that call, and then modifies CPU registers to both redirect the call to an invalid syscall ID (effectively turning it into a no-op) and set the return value of that no-op call to one indicating success of the original call.
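The register rewrite described above, as an added C example that is not maybe's own code. It assumes Linux on x86-64 (syscall number in `orig_rax`, return value in `rax`); the function names and the short list of blocked syscalls are constructed for illustration.

```c
/* Added example, not maybe's code: turn file-system syscalls into no-ops. */
#include <signal.h>
#include <stdio.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>
/* Syscall entry: if the call would modify the file system, swap in an invalid
 * syscall number so the kernel runs nothing. Returns 1 if the call was blocked. */
int neutralize_entry(struct user_regs_struct *r) {
    switch ((long)r->orig_rax) {   /* constructed subset of modifying calls */
    case SYS_unlink: case SYS_unlinkat: case SYS_rename: case SYS_renameat:
    case SYS_mkdir: case SYS_mkdirat: case SYS_rmdir: case SYS_truncate:
        r->orig_rax = (unsigned long long)-1;
        return 1;
    }
    return 0;
}
/* Syscall exit: replace the kernel's -ENOSYS with 0 so the caller sees success. */
void fake_success(struct user_regs_struct *r) { r->rax = 0; }
/* Run argv under ptrace; returns the number of suppressed calls, -1 on error. */
int trace(char **argv) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        ptrace(PTRACE_TRACEME, 0, NULL, NULL);
        execvp(argv[0], argv);
        _exit(127);
    }
    int status, entering = 1, blocked = 0, count = 0;
    waitpid(pid, &status, 0);                       /* SIGTRAP stop after exec */
    ptrace(PTRACE_SETOPTIONS, pid, NULL, PTRACE_O_TRACESYSGOOD);
    for (;;) {
        ptrace(PTRACE_SYSCALL, pid, NULL, NULL);
        if (waitpid(pid, &status, 0) < 0 || WIFEXITED(status) || WIFSIGNALED(status)) break;
        if (!WIFSTOPPED(status) || WSTOPSIG(status) != (SIGTRAP | 0x80)) continue;
        struct user_regs_struct r;
        ptrace(PTRACE_GETREGS, pid, NULL, &r);
        long nr = (long)r.orig_rax;                 /* number before rewriting */
        if (entering) blocked = neutralize_entry(&r);
        else if (blocked) fake_success(&r);
        if (blocked) ptrace(PTRACE_SETREGS, pid, NULL, &r);
        if (entering && blocked) { fprintf(stderr, "suppressed syscall %ld\n", nr); count++; }
        entering = !entering;                       /* stops alternate entry/exit */
    }
    return count;
}
int main(int argc, char **argv) { return argc < 2 ? 2 : trace(argv + 1) < 0; }
```

This sketch follows a single process only and does not forward signals to the tracee. A program that checks the effect of a "successful" call (for example, by stat-ing a directory it just created) will see the inconsistency.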

Documentation / Reference
