dr_register_post_syscall_event

Function dr_register_post_syscall_event 

pub unsafe extern "C" fn dr_register_post_syscall_event(
    func: Option<unsafe extern "C" fn(drcontext: *mut c_void, sysnum: c_int)>,
)

Registers a callback function for the post-syscall event. DR calls func whenever the application has just finished invoking a system call, provided that either some client asked for that system call number to be intercepted via the filter event (dr_register_filter_syscall_event()) or DR itself needs to intercept the system call. Any client registering a pre- or post-syscall event should also register a filter event.

The result of the system call can be modified with dr_syscall_set_result() or dr_syscall_set_result_ex().

System calls that change control flow or terminate the current thread or process typically do not have a post-syscall event. These include SYS_exit, SYS_exit_group, SYS_execve, SYS_sigreturn, and SYS_rt_sigreturn on Linux, and NtTerminateThread, NtTerminateProcess (depending on the parameters), NtCallbackReturn, and NtContinue on Windows.

The application’s machine state can be accessed and set with dr_get_mcontext() and dr_set_mcontext().

On macOS, whether 32-bit or 64-bit, the system call number passed (sysnum) has been normalized to a positive number with the top 8 bits set to 0x1 for a Mach system call, 0x3 for Machdep, and 0x0 for BSD (allowing the direct use of SYS_ constants). Access the raw eax register to view the unmodified number.

Additional system calls may be invoked by calling dr_syscall_invoke_another() prior to returning from the post-syscall event callback. The system call to be invoked should be specified with dr_syscall_set_sysnum(), and its parameters can be set with dr_syscall_set_param().
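
The following is an added example, not code from DynamoRIO or from this crate: a syscall-monitoring client's filter and post-syscall callbacks that decode the normalized macOS number described above and re-check it, since the post event can also fire for calls DR or another client asked for. Assumptions: "top 8 bits" is read as bits 24..31 of the 32-bit value, the filter callback's bool-returning signature is not shown on this page, the names are hypothetical, and main() stands in for DR with constructed inputs.

```rust
use std::os::raw::{c_int, c_void};
use std::sync::atomic::{AtomicUsize, Ordering};

/// Class encoded in the top 8 bits of a normalized macOS system call number.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum SysClass { Bsd, Mach, Machdep, Other(u8) }

/// Split a normalized sysnum into (class, number within that class).
/// Assumption: "top 8 bits" means bits 24..31 of the 32-bit value.
pub fn decode_macos_sysnum(sysnum: c_int) -> (SysClass, u32) {
    let raw = sysnum as u32;
    let class = match (raw >> 24) as u8 {
        0x0 => SysClass::Bsd,
        0x1 => SysClass::Mach,
        0x3 => SysClass::Machdep,
        other => SysClass::Other(other),
    };
    (class, raw & 0x00ff_ffff)
}

/// Constructed watch list: macOS BSD numbers for open (5) and connect (98).
const WATCHED_BSD: [u32; 2] = [5, 98];
/// Number of post-syscall events seen for watched calls.
pub static POST_HITS: AtomicUsize = AtomicUsize::new(0);

pub fn is_watched(sysnum: c_int) -> bool {
    matches!(decode_macos_sysnum(sysnum), (SysClass::Bsd, n) if WATCHED_BSD.contains(&n))
}

/// Filter callback (assumed signature): true asks for this syscall to be intercepted.
pub unsafe extern "C" fn filter_cb(_drcontext: *mut c_void, sysnum: c_int) -> bool {
    is_watched(sysnum)
}

/// Post-syscall callback with the signature from the declaration above.
/// It re-checks the number because events also arrive for syscalls this client did not request.
pub unsafe extern "C" fn post_cb(_drcontext: *mut c_void, sysnum: c_int) {
    if is_watched(sysnum) {
        POST_HITS.fetch_add(1, Ordering::Relaxed);
    }
}

fn main() {
    // Constructed inputs standing in for DR's calls: BSD open, Mach #31, BSD connect.
    for sysnum in [5, 0x0100_001f, 98] {
        unsafe { post_cb(std::ptr::null_mut(), sysnum) };
    }
    println!("watched post-syscall events: {}", POST_HITS.load(Ordering::Relaxed));
}
```

In a real client the two callbacks would be handed to dr_register_filter_syscall_event() and dr_register_post_syscall_event() as Some(filter_cb) and Some(post_cb).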