Hi,
I'm writing a monitor program that can be notified once a process makes an execve system call and then stop that process for examination before it starts to run the new code. I know I can ptrace a process to achieve this, but I do not want to ptrace every process in the system. Is it possible? Thanks.
Sort of. You can use LD_PRELOAD to trap the dynamic glibc call to exec, which is what snoopylogger does. However, it is useless against statically compiled programs and programs which make the syscall directly. For these cases, you must write a kernel module that traps the underlying system call.
Under Linux, there is an "SELinux" module which can do this trapping for you, but I don't know if you can configure it to examine the code in question.
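As an added illustration of the LD_PRELOAD approach from the answer above (this is example code written for this page, not snoopylogger's source or anything the poster wrote), here is a minimal shim that interposes execve(), logs the event, optionally stops the calling process with SIGSTOP so a monitor can inspect /proc/<pid> before the new image loads, and then forwards to the real system call. The file name execmon.c, the environment variable EXEC_MONITOR_STOP and the helper names are this example's own assumptions. It forwards with syscall(SYS_execve, ...) rather than dlsym(RTLD_NEXT, ...), so it needs no libdl.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Build and preload (names are this example's own, not a real tool):
 *   gcc -shared -fPIC -o execmon.so execmon.c
 *   EXEC_MONITOR_STOP=1 LD_PRELOAD=./execmon.so sh -c 'ls /'
 * A parent that waitpid()s with WUNTRACED then sees the child stopped
 * before the new program runs, can inspect /proc/<pid>, and resumes it
 * with SIGCONT.
 *
 * Caveats the answer already gives, plus one more: statically linked
 * programs and code issuing the syscall directly bypass this, and on
 * glibc the other exec* variants (execv, execvp, execl, posix_spawn)
 * reach the kernel through an internal alias, so only execve() itself
 * is caught here; a real shim wraps every variant.
 */

/* Decide from the env value whether to pause before exec: set and not "0". */
int should_stop_before_exec(const char *env_value) {
    return env_value != NULL && env_value[0] != '\0'
           && strcmp(env_value, "0") != 0;
}

/* Render one event line: pid, path and each argv element quoted.
 * Returns the number of bytes stored (truncated to fit outlen). */
size_t format_exec_event(char *out, size_t outlen, pid_t pid,
                         const char *path, char *const argv[]) {
    if (outlen == 0)
        return 0;
    int n = snprintf(out, outlen, "execve pid=%ld path=%s argv=",
                     (long)pid, path ? path : "(null)");
    if (n < 0) {
        out[0] = '\0';
        return 0;
    }
    size_t used = (size_t)n;
    for (size_t i = 0; argv && argv[i] && used < outlen; i++) {
        n = snprintf(out + used, outlen - used, "%s\"%s\"",
                     i ? " " : "", argv[i]);
        if (n < 0)
            break;
        used += (size_t)n;
    }
    return strlen(out);
}

/* The interposed libc entry point. Because this object is preloaded, the
 * dynamic linker resolves the program's execve() here instead of glibc's. */
int execve(const char *path, char *const argv[], char *const envp[]) {
    int saved_errno = errno;     /* logging must not clobber the caller's errno */
    char line[4096];
    format_exec_event(line, sizeof line, getpid(), path, argv);
    fprintf(stderr, "[execmon] %s\n", line);

    /* Stop here, before the old image is replaced, so a monitor can examine
     * /proc/self/exe, maps, fds and the target binary on disk. */
    if (should_stop_before_exec(getenv("EXEC_MONITOR_STOP")))
        raise(SIGSTOP);

    errno = saved_errno;
    /* Hand off to the kernel directly; errno is set on failure as usual. */
    return (int)syscall(SYS_execve, path, argv, envp);
}
```

Because the shim lives in the target's own address space, it cannot protect itself from a process that simply unsets LD_PRELOAD for its children or calls the syscall instruction directly, which is the gap the answer's kernel-module remark is about.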