---
tags: 專題
---
# CDMC 2019 syscall table
ref.
https://filippo.io/linux-syscall-table/
https://man7.org/linux/man-pages/man2/
## all syscall table
All the system calls that appear in the CDMC 2019 data set. The "similar" column lists a variant or closely related call; the "kernel source / category" column gives the kernel file that implements the call (or the family it belongs to).
| syscall | similar | kernel source / category | remark |
| --------------- |:---------- |:---------------------------- |:----------------------------------------------------------- |
| EXIT | exit | kernel/exit.c | |
| exit | EXIT | kernel/exit.c | |
| KILL | kill | kernel/signal.c | |
| kill | KILL | kernel/signal.c | |
| SIGCHLD | | signal family | [Unix signals](https://zh.wikipedia.org/wiki/Unix訊號) |
| SIGFPE | | signal family | |
| SIGILL | | signal family | |
| SIGPIPE | | signal family | |
| SIGSEGV | | signal family | |
| SIGTRAP | | signal family | |
| lseek | \_llseek | fs/read_write.c | |
| \_llseek | lseek | fs/read_write.c | |
| \_newselect | | fs/select.c | |
| access | | fs/open.c | |
| bind | | net/socket.c | |
| brk | | mm/mmap.c | |
| cacheflush | | | |
| chdir | | fs/open.c | |
| chmod | fchmod | fs/open.c | |
| fchmod | chmod | fs/open.c | |
| chroot | | fs/open.c | |
| clock_gettime | | kernel/posix-timers.c | |
| clone | | kernel/fork.c | |
| close | | fs/open.c | |
| connect | | net/socket.c | |
| dup2 | | fs/file.c | |
| epoll_create1 | | fs/eventpoll.c | |
| epoll_ctl | | fs/eventpoll.c | not implemented, but it should count as part of the same epoll family |
| epoll_pwait | | fs/eventpoll.c | not implemented, but it should count as part of the same epoll family |
| execve | | fs/exec.c | |
| exit_group | | kernel/exit.c | |
| fchown | fchown32 | fs/open.c | |
| fchown32 | fchown | fs/open.c | |
| fcntl | fcntl64 | fs/fcntl.c | |
| fcntl64 | fcntl | fs/fcntl.c | |
| flock | | fs/locks.c | |
| fork | vfork | kernel/fork.c | |
| vfork | fork | kernel/fork.c | |
| fstat | stat | fs/stat.c | |
| fstat64 | stat | fs/stat.c | |
| futex | | kernel/futex.c | |
| getcwd | | fs/dcache.c | |
| getdents | getdents64 | fs/readdir.c | |
| getdents64 | getdents | fs/readdir.c | |
| geteuid | geteuid32 | kernel/sys.c | |
| geteuid32 | geteuid | kernel/sys.c | |
| getpid | getppid | kernel/sys.c | |
| getppid | getpid | kernel/sys.c | |
| getrlimit | ugetrlimit | kernel/sys.c | limit family |
| getsockname | | net/socket.c | |
| getsockopt | | net/socket.c | |
| gettid | | kernel/sys.c | |
| gettimeofday | | kernel/time.c | |
| getuid | geteuid | kernel/sys.c | |
| getuid32 | getuid | kernel/sys.c | |
| ioctl | | fs/ioctl.c | |
| listen | | net/socket.c | |
| lstat64 | stat | fs/stat.c | |
| mkdir | | fs/namei.c | |
| mknod | | fs/namei.c | |
| mmap | mmap2 | arch/x86/kernel/sys_x86_64.c | |
| mmap2 | mmap | arch/x86/kernel/sys_x86_64.c | |
| mprotect | | mm/mprotect.c | |
| msgctl | | ipc/msg.c | |
| msgget | | ipc/msg.c | |
| msgrcv | | ipc/msg.c | |
| munmap | | mm/mmap.c | |
| nanosleep | | kernel/posix-timers.c | |
| open | | fs/open.c | |
| pipe | pipe2 | fs/pipe.c | |
| pipe2 | pipe | fs/pipe.c | |
| poll | | fs/select.c | |
| prctl | | kernel/sys.c | |
| prlimit64 | | kernel/sys.c | limit family |
| read | | fs/read_write.c | |
| readlink | | fs/stat.c | |
| readv | | fs/read_write.c | |
| recv | recvfrom | net/socket.c | |
| recvfrom | recv | net/socket.c | |
| rename | | fs/namei.c | |
| restart_syscall | | kernel/signal.c | |
| rmdir | | fs/namei.c | |
| rt_sigaction | | kernel/signal.c | |
| rt_sigprocmask | | kernel/signal.c | |
| send | | net/socket.c | |
| sendfile64 | | fs/read_write.c | |
| sendto | | net/socket.c | |
| set_robust_list | | kernel/futex.c | |
| set_thread_area | | arch/x86/kernel/tls.c | |
| set_tid_address | | kernel/fork.c | |
| set_tls | | arch/x86/kernel/tls.c | [link](https://elixir.bootlin.com/linux/v4.9/ident/set_tls) |
| setpgid | | kernel/sys.c | |
| setpriority | | kernel/sys.c | |
| setresuid | | kernel/sys.c | |
| setresuid32 | setresuid | kernel/sys.c | |
| setrlimit | | kernel/sys.c | limit family |
| setsid | | kernel/sys.c | |
| setsockopt | | net/socket.c | |
| setuid | setuid32 | kernel/sys.c | |
| setuid32 | setuid | kernel/sys.c | |
| shmat | | ipc/shm.c | |
| shmdt | | ipc/shm.c | |
| shmget | | ipc/shm.c | |
| sigreturn | | arch/x86/kernel/signal.c | |
| socket | | net/socket.c | |
| stat | | fs/stat.c | |
| stat64 | stat | fs/stat.c | |
| sysinfo | | kernel/sys.c | |
| tgkill | tkill | kernel/signal.c | |
| time | | kernel/sys.c | |
| times | | kernel/sys.c | |
| tkill | | kernel/signal.c | |
| ugetrlimit | | kernel/sys.c | limit family |
| umask | | kernel/sys.c | |
| uname | | kernel/sys.c | |
| unlink | | fs/namei.c | |
| utimensat | | fs/utimes.c | |
| wait4 | waitpid | kernel/exit.c | |
| waitpid | wait4 | kernel/exit.c | [comparison with wait4](https://programmer.help/blogs/linux-kernel-learning-notes-4-wait-waitpid-wait3-and-wait4.html) |
| write | | fs/read_write.c | |
| writev | | fs/read_write.c | |
## Syscalls that could be merged
Variants that differ only in calling convention (32-bit/64-bit, uppercase aliases, old/new interfaces) can be collapsed into one canonical name when building features from the traces.
| merge into | syscalls |
| --------- |:------------------------------------------- |
| exit | EXIT, exit |
| kill | KILL, kill |
| lseek | \_llseek, lseek |
| chmod | fchmod, chmod |
| fchown | fchown32, fchown |
| fcntl | fcntl64, fcntl |
| stat | fstat, fstat64, lstat64, stat64, stat |
| getdents | getdents64, getdents |
| getuid | getuid32, getuid, geteuid32, geteuid |
| getpid | getppid, getpid |
| getrlimit | ugetrlimit, getrlimit, prlimit64, setrlimit |
| setuid | setuid32, setuid |
| tkill | tgkill, tkill |
| wait4 | wait4, waitpid |
| mmap | mmap, mmap2 |
| pipe | pipe, pipe2 |
| recv | recv, recvfrom |
| setresuid | setresuid, setresuid32 |
## System calls
ref. [Mastering Malware Analysis, Ch. 10: Dissecting Linux and IoT Malware](https://learning.oreilly.com/library/view/mastering-malware-analysis/9781789610789/906bc77c-e194-4412-bcef-42920ddd60f3.xhtml#uuid-3e3393e1-a80f-4251-8b7b-e98532cfeb6c)
System calls (syscalls) are the interface between a program and the kernel of the OS it is running on. They let user-mode software reach hardware-related services, process management and similar facilities in a structured and controlled way.
Here are some examples of the system calls that are commonly used by malware.
### Filesystem
These syscalls provide all the functionality needed to interact with the filesystem. Here are some examples:
- open/openat/creat: open, and possibly create, a file
- read/readv/preadv: get data from a file descriptor
- write/writev/pwritev: put data into a file descriptor
- readdir/getdents: read the contents of a directory, for example to search for files of interest
- access: check file permissions, for example on valuable data or the malware's own modules
- chmod: change file permissions
- chdir/chroot: change the current or root directory
- rename: change the name of a file
- unlink/unlinkat: delete a file, for example to corrupt the system or hide traces of the malware
- rmdir: remove a directory
### Network
Network-related syscalls are built around sockets; there are no syscalls that work with high-level protocols such as HTTP. Here are the ones commonly used by malware:
- socket: create a socket
- connect: connect to a remote server, for example a C&C server or another malicious peer
- bind: bind an address to the socket, for example a port to listen on
- listen: listen for connections on a particular socket
- accept: accept a remote connection
- send/sendto/write/...: send data, for example to exfiltrate information or request new commands
- sendfile: move data between two descriptors; it performs better than a combination of read and write
- recv/recvfrom/read/...: receive data, for example new modules to deploy or new commands
### Process management
These syscalls can be used by malware either to create new processes or to search for existing ones (for example, to detect AV software or reverse-engineering tools, or to find a process holding valuable data). Here are some common examples:
- fork/vfork: create a child process, for example a copy of itself
- execve/execveat: execute a specified program, for example another module
- prctl: perform various operations on the process, for example changing its name
- kill: send a signal to a process, for example to force it to stop
### Other
Some syscalls can be used by malware for more specific purposes, for example self-defense:
- signal: set a new handler for a particular signal and then trigger it to disrupt debugging, for example for SIGTRAP, which is commonly used for breakpoints
- ptrace: commonly used by debugging tools to trace executables, but malware can also use it to detect their presence, or to prevent them from attaching by tracing itself
Of course, there are many more syscalls, and the sample you're working on may use many of them in order to operate properly. The selection that's been provided describes some of the top picks that may be worth paying attention to when understanding malware functionality.
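As an added example (not part of the original note or the book), the following Python applies the merge table from the "Syscalls that could be merged" section to a raw syscall trace and then buckets the canonical names into the filesystem / network / process-management groups named in the "System calls" section. Only calls the note itself names are grouped; sendfile64 is assumed to stand in for the book's sendfile, write is counted as filesystem, and the sample trace is constructed.

```python
# Added example: canonicalise a CDMC-style syscall trace with the merge
# table from this note, then count calls per category from the book section.
from collections import Counter

# Merge table from the note: variant -> canonical name.
MERGE = {
    "EXIT": "exit", "KILL": "kill", "_llseek": "lseek", "fchmod": "chmod",
    "fchown32": "fchown", "fcntl64": "fcntl",
    "fstat": "stat", "fstat64": "stat", "lstat64": "stat", "stat64": "stat",
    "getdents64": "getdents",
    "getuid32": "getuid", "geteuid": "getuid", "geteuid32": "getuid",
    "getppid": "getpid",
    "ugetrlimit": "getrlimit", "prlimit64": "getrlimit", "setrlimit": "getrlimit",
    "setuid32": "setuid", "tgkill": "tkill", "waitpid": "wait4",
    "mmap2": "mmap", "pipe2": "pipe", "recvfrom": "recv",
    "setresuid32": "setresuid",
}

# Groups from the "System calls" section (assumption: sendfile64 ~ sendfile,
# write counted as filesystem). Anything not listed is "other".
GROUPS = {
    "filesystem": {"open", "read", "readv", "write", "writev", "getdents",
                   "access", "chmod", "chdir", "chroot", "rename", "unlink",
                   "rmdir"},
    "network": {"socket", "connect", "bind", "listen", "send", "sendto",
                "sendfile64", "recv"},
    "process": {"fork", "vfork", "execve", "prctl", "kill"},
}

def canonicalize(trace):
    """Map every syscall name in a trace to its merged canonical name."""
    return [MERGE.get(name, name) for name in trace]

def group_of(name):
    """Return the category of a canonical syscall name."""
    for group, members in GROUPS.items():
        if name in members:
            return group
    return "other"

def group_histogram(trace):
    """Count syscalls per category after canonicalisation."""
    return Counter(group_of(name) for name in canonicalize(trace))

# Constructed trace: a process that maps memory, talks to a peer and forks.
SAMPLE = ["execve", "brk", "mmap2", "fstat64", "socket", "connect",
          "sendto", "recvfrom", "fork", "prctl", "getdents64", "exit_group"]

if __name__ == "__main__":
    print(canonicalize(SAMPLE))
    print(dict(group_histogram(SAMPLE)))
```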