@online{dwarfstd.org, author = {DWARF Committee}, title = {DWARF Debugging Information Format}, date = {2025-06-24}, url = {https://dwarfstd.org/}, } @manual{ld.so.8, title = {ld.so(8) -- System Manager's Manual -- Linux manual pages}, } @manual{dlsym.3, title = {dlsym(3) -- Library Functions Manual -- Linux manual pages}, } @manual{ld.1, title = {ld(1) -- GNU Development Tools -- Linux manual pages}, } @manual{gcc.1, title = {GCC(1) -- GNU -- Linux manual pages}, } @manual{ptrace.2, title = {ptrace(2) -- System Calls Manual -- Linux manual pages}, } @manual{strace.1, title = {STRACE(1) -- General Commands Manual -- Linux manual pages}, } @manual{ltrace.1, title = {LTRACE(1) -- User Commands -- Linux manual pages}, } @manual{ltrace.conf.5, title = {ltrace.conf(5) -- ltrace configuration file -- Linux manual pages}, } @manual{dladdr.3, title = {dladdr(3) -- Library Functions Manual -- Linux manual pages}, } @manual{readelf.1, title = {READELF(1) -- GNU Development Tools -- Linux manual pages}, } @manual{malloc.3, title = {malloc(3) -- Library Functions Manual -- Linux manual pages}, } @manual{getaddrinfo.3, title = {getaddrinfo(3) -- Library Functions Manual -- Linux manual pages}, } @manual{getline.3, title = {getline(3) -- Library Functions Manual -- Linux manual pages}, } @book{netsectools2005, author = {Dhanjani, Nitesh and Clarke, Justin}, title = {Network Security Tools}, subtitle = {Writing, Hacking, and Modifying Security Tools}, date = {April 2005}, isbn = {0-596-00794-9}, publisher = {O'Reilly}, url = {https://litux.nl/mirror/networksecuritytools/0596007949/toc.html}, } @book{linuxkernel, author = {Daniel P. Bovet and Marco Cesati}, title = {Understanding the Linux Kernel}, subtitle = {From I/O Ports to Process Management}, edition = {3rd}, date = {November 2005}, isbn = {978-0-596-00565-8}, publisher = {O'Reilly}, } @manual{gcc, title = {Using the GNU Compiler Collection (GCC)}, url = {https://gcc.gnu.org/onlinedocs/gcc/index.html}, } @manual{sud, title = {Syscall User Dispatch -- The Linux Kernel documentation}, url = {https://docs.kernel.org/admin-guide/syscall-user-dispatch.html}, } @inproceedings{zpoline, author = {Kenichi Yasukata and Hajime Tazaki and Pierre-Louis Aublin and Kenta Ishiguro}, title = {zpoline: a system call hook mechanism based on binary rewriting}, booktitle = {2023 USENIX Annual Technical Conference (USENIX ATC '23)}, year = {2023}, isbn = {978-1-939133-35-9}, address = {Boston, MA}, pages = {293--300}, url = {https://www.usenix.org/conference/atc23/presentation/yasukata}, publisher = {USENIX Association}, month = jul, } @article{datahook, author = {Hong, Quan and Li, Jiaqi and Zhang, Wen and Zhai, Lidong}, title = {DataHook: An Efficient and Lightweight System Call Hooking Technique without Instruction Modification}, year = {2025}, issue_date = {July 2025}, publisher = {Association for Computing Machinery}, address = {New York, NY, USA}, volume = {2}, number = {ISSTA}, url = {https://doi.org/10.1145/3728874}, doi = {10.1145/3728874}, journal = {Proc. ACM Softw. Eng.}, month = jun, articleno = {ISSTA005}, numpages = {21}, keywords = {DataHook, Hooking technique, Software analysis, Software debugging, System call}, } @article{lopez2017, title={A survey on function and system call hooking approaches}, author={Lopez, Juan and Babun, Leonardo and Aksu, Hidayet and Uluagac, A. Selcuk}, journal={Journal of Hardware and Systems Security}, volume={1}, number={2}, pages={114--136}, year={2017}, publisher={Springer}, } @masterthesis{kern2023, author = {Patrick Kern}, title = {Injecting Shared Libraries with LD\_PRELOAD for Cyber Deception}, school = {TU Wien}, year = {2023}, } @inproceedings{guo2011cde, title={CDE: Using system call interposition to automatically create portable software packages}, author={Guo, Philip J. and Engler, Dawson}, booktitle={2011 USENIX Annual Technical Conference (USENIX ATC 11)}, year={2011}, } @inproceedings{detours, title={Detours: Binary interception of Win32 functions}, author={Galen Hunt and Doug Brubacher}, booktitle={Windows NT 3rd symposium}, year={1999}, } @inproceedings{spillane2007, author = {Spillane, Richard P. and Wright, Charles P. and Sivathanu, Gopalan and Zadok, Erez}, title = {Rapid file system development using ptrace}, year = {2007}, isbn = {9781595937513}, publisher = {Association for Computing Machinery}, address = {New York, NY, USA}, url = {https://doi.org/10.1145/1281700.1281722}, doi = {10.1145/1281700.1281722}, booktitle = {Proceedings of the 2007 Workshop on Experimental Computer Science}, pages = {22–es}, keywords = {rapid prototyping, monitors}, location = {San Diego, California}, series = {ExpCS '07}, } @inproceedings{spif, author = {Sze, Wai Kit and Sekar, R.}, title = {Provenance-based Integrity Protection for Windows}, year = {2015}, isbn = {9781450336826}, publisher = {Association for Computing Machinery}, address = {New York, NY, USA}, url = {https://doi.org/10.1145/2818000.2818011}, doi = {10.1145/2818000.2818011}, booktitle = {Proceedings of the 31st Annual Computer Security Applications Conference}, pages = {211–220}, numpages = {10}, location = {Los Angeles, CA, USA}, series = {ACSAC '15}, } @inproceedings{ostia, title={Ostia: A Delegating Architecture for Secure System Call Interposition}, author={Garfinkel, Tal and Pfaff, Ben and Rosenblum, Mendel}, booktitle={NDSS}, year={2004}, } @inproceedings{fraser2000, author={Fraser, T. and Badger, L. and Feldman, M.}, booktitle={Proceedings DARPA Information Survivability Conference and Exposition. DISCEX'00}, title={Hardening COTS software with generic software wrappers}, year={2000}, volume={2}, number={}, pages={323-337 vol.2}, doi={10.1109/DISCEX.2000.821530}, }