Rewriting Every Syscall in a Linux Binary at Load Time
by riteshnoronha16 on 4/14/2026, 1:26:06 AM
https://amitlimaye1.substack.com/p/rewriting-every-syscall-in-a-linux
Comments
by: jmillikin
This might be a very dumb question, but if the process is being run under KVM to catch `int 0x03` then couldn't you also use KVM to catch `syscall` and execute the original binary as-is? I don't understand what value the instruction rewriting is providing here.
4/18/2026, 7:31:01 AM
by: coppsilgold
You mentioned SECCOMP_RET_TRACE, but there is also SECCOMP_RET_TRAP[1] which appears to perform better. There is also KVM. Both of these are options for gVisor: <https://github.com/google/gvisor>

[1] <https://github.com/google/gvisor/blob/master/pkg/sentry/platform/systrap/README.md>
4/18/2026, 7:03:09 AM
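An added illustration of the in-process SECCOMP_RET_TRAP path mentioned in the comment above (example code written for this page, not from gVisor or the article): a classic-BPF filter traps getpid on x86-64 and a SIGSYS handler supplies the result, which is the same interception point a trapped `syscall` instruction lands on. The function names and the 4242 marker value are constructed for the example.

```c
#define _GNU_SOURCE
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <ucontext.h>
#include <unistd.h>
#ifndef SYS_SECCOMP
#define SYS_SECCOMP 1        /* si_code the kernel sets on a seccomp-generated SIGSYS */
#endif
#define EMULATED_PID 4242    /* constructed marker returned in place of the real pid */

static volatile sig_atomic_t trapped_count = 0;

/* Runs in-process on each trapped syscall; on x86-64 it overwrites RAX so the caller
 * sees the emulated result instead of the -ENOSYS the kernel left there. */
static void sigsys_handler(int sig, siginfo_t *info, void *raw_ctx)
{
    (void)sig; (void)raw_ctx;
    if (info->si_code != SYS_SECCOMP || info->si_syscall != SYS_getpid) return;
    trapped_count++;
#if defined(__x86_64__)
    ((ucontext_t *)raw_ctx)->uc_mcontext.gregs[REG_RAX] = EMULATED_PID;
#endif
}

/* Classic-BPF filter: trap getpid on x86-64, allow everything else. Returns 0 on success. */
int install_getpid_trap(void)
{
    struct sock_filter filter[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),   /* foreign arch: never trap */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_getpid, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_TRAP),    /* skip the syscall, raise SIGSYS */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof filter / sizeof filter[0], .filter = filter };
    struct sigaction sa = { .sa_flags = SA_SIGINFO };
    sa.sa_sigaction = sigsys_handler;
    if (sigaction(SIGSYS, &sa, NULL) != 0) return -1;
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;   /* needed for unprivileged filters */
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == 0 ? 0 : -1;
}
/* Issue the raw syscall so the result reflects what the filter and handler did. */
long observed_getpid(void) { return syscall(SYS_getpid); }
```

On any other architecture the filter's arch check falls through to SECCOMP_RET_ALLOW, so getpid is left untouched there.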
by: xelaboi
You either have a writing style that is uncannily similar to what an LLM generates, or this article was substantially written by an LLM. I don't know what it is about the style, but I just find it a bit exhausting, like an overfit on "engaging writing" that strips away sincerity.
4/18/2026, 8:43:21 AM
by: ozgrakkurt
Really informative writing, thank you.

How secure does this make a binary? For example, would you be able to run untrusted binary code inside a browser using a method like this?

Then can websites just use C++ instead of JavaScript, for example?
4/18/2026, 7:45:30 AM
by: JSR_FDED
Love the detailed write-up, thanks!

This is the kind of foundation that I would feel comfortable running agents on. It’s not the whole solution of course (yes agent, you’re allowed to delete this email but not that email can’t be solved at this level)… let me know when you tackle that next :-)
4/18/2026, 8:04:31 AM
by: hparadiz
I've been thinking of making a kernel patch that disables eBPF for certain processes as a privacy tool. Everyone is using eBPF now.
4/18/2026, 8:17:13 AM
by: CableNinja
I assume this would break observability through existing methods, right? If you were to strace a process that has been patched, would you see regular syscall data (as if it wasn't patched) or would your syscall replacement appear along the way?
4/14/2026, 3:38:40 AM
by: foota
Hah, I've been looking into something amusingly similar to track mmap syscalls for a process :)
4/18/2026, 7:07:00 AM
by: im3w1l
What about int 80h?
4/18/2026, 7:55:05 AM