how could I intercept linux sys calls?

Why can't you / don't want to use the LD_PRELOAD trick?

Example code here:

/* * File: soft_atimes.c * Author: D.J. Capelis * * Compile: * gcc -fPIC -c -o soft_atimes.o soft_atimes.c * gcc -shared -o soft_atimes.so soft_atimes.o -ldl * * Use: * LD_PRELOAD="./soft_atimes.so" command * * Copyright 2007 Regents of the University of California */#define _GNU_SOURCE#include <dlfcn.h>#define _FCNTL_H#include <sys/types.h>#include <bits/fcntl.h>#include <stddef.h>extern int errorno;int __thread (*_open)(const char * pathname, int flags, ...) = NULL;int __thread (*_open64)(const char * pathname, int flags, ...) = NULL;int open(const char * pathname, int flags, mode_t mode){    if (NULL == _open) {        _open = (int (*)(const char * pathname, int flags, ...)) dlsym(RTLD_NEXT, "open");    }    if(flags & O_CREAT)        return _open(pathname, flags | O_NOATIME, mode);    else        return _open(pathname, flags | O_NOATIME, 0);}int open64(const char * pathname, int flags, mode_t mode){    if (NULL == _open64) {        _open64 = (int (*)(const char * pathname, int flags, ...)) dlsym(RTLD_NEXT, "open64");    }    if(flags & O_CREAT)        return _open64(pathname, flags | O_NOATIME, mode);    else        return _open64(pathname, flags | O_NOATIME, 0);}

From what I understand... it is pretty much the LD_PRELOAD trick or a kernel module. There's not a whole lot of middle ground unless you want to run it under an emulator which can trap out to your function or do code re-writing on the actual binary to trap out to your function.

Assuming you can't modify the program and can't (or don't want to) modify the kernel, the LD_PRELOAD approach is the best one, assuming your application is fairly standard and isn't actually one that's maliciously trying to get past your interception. (In which case you will need one of the other techniques.)

Valgrind can be used to intercept any function call. If you need to intercept a system call in your finished product then this will be no use. However, if you are try to intercept during development then it can be very useful. I have frequently used this technique to intercept hashing functions so that I can control the returned hash for testing purposes.

In case you are not aware, Valgrind is mainly used for finding memory leaks and other memory related errors. But the underlying technology is basically an x86 emulator. It emulates your program and intercepts calls to malloc/free etc. The good thing is, you do not need to recompile to use it.

Valgrind has a feature that they term Function Wrapping, which is used to control the interception of functions. See section 3.2 of the Valgrind manual for details. You can setup function wrapping for any function you like. Once the call is intercepted the alternative function that you provide is then invoked.

Some applications can trick strace/ptrace not to run, so the only real option I've had is using systemtap

Systemtap can intercept a bunch of system calls if need be due to its wild card matching. Systemtap is not C, but a separate language. In basic mode, the systemtap should prevent you from doing stupid things, but it also can run in "expert mode" that falls back to allowing a developer to use C if that is required.

It does not require you to patch your kernel (Or at least shouldn't), and once a module has been compiled, you can copy it from a test/development box and insert it (via insmod) on a production system.

I have yet to find a linux application that has found a way to work around/avoid getting caught by systemtap.