A lightweight CLI tool that finds system calls being called inside golang applications.

gosystract

gosystract extracts all system calls that may be called within the execution path of a go application.

Installation:

using container image

docker run --rm -it paulinhu/gosystract gosystract

using go environment

go install github.com/pjbgf/gosystract

If you don't have $GOPATH/bin in your $PATH, prefix the command with:

PATH=$PATH:$GOPATH/bin gosystract

Note that gosystract depends on the go tools when it runs against executable files. In that case, ensure that go is in your $PATH.

Command-line Usage:

Syntax

Usage:

	gosystract [flags] filePath

Flags:
    --dumpfile, -d    Handles a dump file instead of a go executable.
    --template        Defines a go template for the results.
                      Example: --template='{{- range . }}{{printf "%d - %s\n" .ID .Name}}{{- end}}'

Running against gosystract itself:

$ gosystract $(which gosystract)

18 system calls found:
    sched_yield (24)
    futex (202)
    write (1)
    rt_sigprocmask (14)
    getpid (39)
    epoll_ctl (233)
    gettid (186)
    mmap (9)
    tgkill (234)
    rt_sigaction (13)
    exit_group (231)
    madvise (28)
    read (0)
    getpgrp (111)
    arch_prctl (158)
    readlinkat (267)
    close (3)
    fcntl (72)

Running the sample dump file:

$ gosystract --dumpfile test/keyring.dump

20 system calls found:
    sched_yield (24)
    futex (202)
    read (0)
    write (1)
    rt_sigprocmask (14)
    getpid (39)
    gettid (186)
    tgkill (234)
    rt_sigaction (13)
    exit_group (231)
    mmap (9)
    madvise (28)
    getpgrp (111)
    arch_prctl (158)
    epoll_ctl (233)
    readlinkat (267)
    close (3)
    fcntl (72)
    add_key (248)
    keyctl (250)

To generate a dump file from a go application use the go tool objdump:

$ go tool objdump goapp > goapp.dump
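
The two listings above differ only by add_key and keyctl, and comparing a build's listing against a reviewed baseline is one way to spot newly reachable system calls. The Go program below is an added example, not part of gosystract: it parses the default text output and reports that delta, and the names parseListing and newSyscalls are hypothetical.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strconv"
)

// The two listings shown above, copied into strings so the example runs offline.
const selfRun = "18 system calls found:\n    sched_yield (24)\n    futex (202)\n    write (1)\n    rt_sigprocmask (14)\n" +
	"    getpid (39)\n    epoll_ctl (233)\n    gettid (186)\n    mmap (9)\n    tgkill (234)\n" +
	"    rt_sigaction (13)\n    exit_group (231)\n    madvise (28)\n    read (0)\n    getpgrp (111)\n" +
	"    arch_prctl (158)\n    readlinkat (267)\n    close (3)\n    fcntl (72)\n"
const keyringRun = "20 system calls found:\n    sched_yield (24)\n    futex (202)\n    read (0)\n    write (1)\n" +
	"    rt_sigprocmask (14)\n    getpid (39)\n    gettid (186)\n    tgkill (234)\n    rt_sigaction (13)\n" +
	"    exit_group (231)\n    mmap (9)\n    madvise (28)\n    getpgrp (111)\n    arch_prctl (158)\n" +
	"    epoll_ctl (233)\n    readlinkat (267)\n    close (3)\n    fcntl (72)\n" +
	"    add_key (248)\n    keyctl (250)\n"

// entry matches one result line such as "    add_key (248)"; the count header does not match.
var entry = regexp.MustCompile(`(?m)^[ \t]*([a-z0-9_]+) \((\d+)\)[ \t]*$`)

// parseListing returns syscall number -> name for one listing in the default output format.
func parseListing(out string) map[int]string {
	calls := map[int]string{}
	for _, m := range entry.FindAllStringSubmatch(out, -1) {
		if id, err := strconv.Atoi(m[2]); err == nil { // skip numbers that overflow int
			calls[id] = m[1]
		}
	}
	return calls
}

// newSyscalls lists, sorted by name, the calls present in candidate but absent from baseline.
func newSyscalls(baseline, candidate map[int]string) []string {
	added := []string{}
	for id, name := range candidate {
		if _, ok := baseline[id]; !ok {
			added = append(added, fmt.Sprintf("%s (%d)", name, id))
		}
	}
	sort.Strings(added)
	return added
}

func main() {
	fmt.Println(newSyscalls(parseListing(selfRun), parseListing(keyringRun)))
}
```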

Using it programmatically

package main

import (
	"fmt"

	"github.com/pjbgf/gosystract/cmd/systract"
)

func main() {
	// Read from the go executable "goapp" and extract its system calls.
	source := systract.NewExeReader("goapp")
	syscalls, err := systract.Extract(source)
	if err != nil {
		panic(err)
	}

	// Print each system call as "name (number)".
	for _, syscall := range syscalls {
		fmt.Printf("%s (%d)\n", syscall.Name, syscall.ID)
	}
}

License

This application is licensed under the MIT License; a copy is in the LICENSE file of the repository.
