A Survey on Function and System Call Hooking Approaches

Bibliographic Details
Published in: Journal of Hardware and Systems Security, Vol. 1, no. 2, pp. 114-136
Main Authors: Lopez, Juan; Babun, Leonardo; Aksu, Hidayet; Uluagac, A. Selcuk
Format: Journal Article
Language: English
Published: Cham: Springer International Publishing, 01.06.2017 (Springer Nature B.V.)
ISSN: 2509-3428, 2509-3436
Description
Summary: Functions and system calls are effective indicators of the behavior of a process. These subroutines are useful for identifying unauthorized behavior caused by malware or for developing a better understanding of the lower-level operations of an application. Code obfuscation, however, often prevents user monitoring and modification of subroutine calls. Subroutine hooking offers a solution to this limitation. Function and system call hooking approaches allow for subroutine instrumentation, making hooking a valuable and versatile skill across industry and academia. In this survey, we present several criteria for the classification and selection of hooking tools and techniques as well as an examination of the major hooking approaches used on Windows, Linux, macOS, iOS, and Android operating systems. We also evaluate and compare the performance of different subroutine hooking tools and techniques based on computing resource utilization such as CPU time, memory, and wall-clock time. To the best of our knowledge, this is the first paper that encompasses both system call and function hooking techniques and tools across the major desktop and mobile operating systems.
DOI: 10.1007/s41635-017-0013-2