gosystract extracts all system calls that may be called within the execution path of a Go application.

Run it with Docker:

    docker run --rm -it paulinhu/gosystract gosystract

Or install it with go install:

    go install github.com/pjbgf/gosystract

If you don't have $GOPATH/bin in your $PATH, prefix the command with:

    PATH=$PATH:$GOPATH/bin gosystract

Note that gosystract depends on the Go tools when working against executable files. In that case, ensure that go is in your $PATH.

Syntax

    Usage:
        gosystrac [flags] filePath

    Flags:
        --dumpfile, -d    Handles a dump file instead of a go executable.
        --template        Defines a go template for the results.
                          Example: --template='{{- range . }}{{printf "%d - %s\n" .ID .Name}}{{- end}}'

Running against gosystract itself:

    $ gosystract $(which gosystract)
    18 system calls found:
        sched_yield (24)
        futex (202)
        write (1)
        rt_sigprocmask (14)
        getpid (39)
        epoll_ctl (233)
        gettid (186)
        mmap (9)
        tgkill (234)
        rt_sigaction (13)
        exit_group (231)
        madvise (28)
        read (0)
        getpgrp (111)
        arch_prctl (158)
        readlinkat (267)
        close (3)
        fcntl (72)

Running the sample dump file:

    $ gosystract --dumpfile test/keyring.dump
    20 system calls found:
        sched_yield (24)
        futex (202)
        read (0)
        write (1)
        rt_sigprocmask (14)
        getpid (39)
        gettid (186)
        tgkill (234)
        rt_sigaction (13)
        exit_group (231)
        mmap (9)
        madvise (28)
        getpgrp (111)
        arch_prctl (158)
        epoll_ctl (233)
        readlinkat (267)
        close (3)
        fcntl (72)
        add_key (248)
        keyctl (250)

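
One way to review what changes between two such listings, as an added example that is not part of gosystract: it parses the `name (id)` report format, checks the entry count against the header line, and lists the syscalls a candidate report adds over a baseline. The function names `ParseReport` and `Added` and the shortened sample reports are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strconv"
	"strings"
)

var headerRe = regexp.MustCompile(`^(\d+) system calls found:$`)
var entryRe = regexp.MustCompile(`^(\w+) \((\d+)\)$`)

// ParseReport maps syscall name -> ID and rejects a report whose entry count disagrees with its header.
func ParseReport(report string) (map[string]int, error) {
	found, declared := map[string]int{}, -1
	for _, line := range strings.Split(report, "\n") {
		line = strings.TrimSpace(line)
		if m := headerRe.FindStringSubmatch(line); m != nil {
			declared, _ = strconv.Atoi(m[1])
		} else if m := entryRe.FindStringSubmatch(line); m != nil {
			found[m[1]], _ = strconv.Atoi(m[2])
		} else if line != "" {
			return nil, fmt.Errorf("unrecognised line %q", line)
		}
	}
	if declared != len(found) {
		return nil, fmt.Errorf("header says %d syscalls, parsed %d", declared, len(found))
	}
	return found, nil
}

// Added lists, sorted, the "name (id)" entries present in candidate but not in baseline.
func Added(baseline, candidate map[string]int) []string {
	var extra []string
	for name, id := range candidate {
		if _, ok := baseline[name]; !ok {
			extra = append(extra, fmt.Sprintf("%s (%d)", name, id))
		}
	}
	sort.Strings(extra)
	return extra
}

// main runs the diff on constructed, shortened reports in the format shown above.
func main() {
	base, errB := ParseReport("3 system calls found:\nread (0)\nwrite (1)\nfutex (202)\n")
	cand, errC := ParseReport("5 system calls found:\nread (0)\nwrite (1)\nfutex (202)\nadd_key (248)\nkeyctl (250)\n")
	fmt.Println(Added(base, cand), errB, errC)
}
```
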
To generate a dump file from a Go application, use go tool objdump:

    $ go tool objdump goapp > goapp.dump

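gosystract can also be called from Go code:

    package main

    import (
    	"fmt"

    	"github.com/pjbgf/gosystract/cmd/systract"
    )

    func main() {
    	// Read the syscalls from a Go executable named "goapp".
    	source := systract.NewExeReader("goapp")
    	syscalls, err := systract.Extract(source)
    	if err != nil {
    		panic(err)
    	}

    	// Print each syscall in the same "name (id)" form as the CLI.
    	for _, syscall := range syscalls {
    		fmt.Printf("%s (%d)\n", syscall.Name, syscall.ID)
    	}
    }
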
This application is licensed under the MIT License, you may obtain a copy of it here.