
I have been searching for some time now for ways to get syscalls in real time on Windows. I have looked at a couple of posts here at Stack Overflow and elsewhere but could not find anything easy enough that I could follow. I have looked at Procmon, but its output has been pretty unstable: the same binary on two systems has generated a different number of entries. Perhaps I lack the prerequisite knowledge to do such stuff. Any help/recommendation is welcome.

I have looked at these links before:

Regards

Jamil
    What exactly are you trying to do? Do you want to make calls to the NT subsystem, or monitor activity? If the former, then the three links you supplied are a good place to start. If the latter, then I would suggest procmon. I would expect it to provide different output on different systems, or even different output on multiple runs of the same program on the same system, depending on the state of the system and the program as you're running it. – Jim Mischel Feb 10 '11 at 16:43
  • Actually I want to monitor/record syscalls. Procmon is an excellent tool, but then again its output is non-steady, as you mentioned. I wonder why it is non-steady and how I can make it steady. Also, to make the picture clear, I am trying to map C functions like printf, getche etc. to syscalls generated by Windows. – Jamil Feb 10 '11 at 18:42
  • To really monitor syscalls you would need to patch the syscall entry table in kernel mode. This is dangerous and difficult, esp. in 64-bit versions of Windows, to discourage ISVs from doing this. C functions like printf are handled in user mode and do not involve syscalls until they get to output, which would be either an out-of-process LPC call to CSRSS or a file write, depending on whether a real console is connected. It would be more helpful to know what you are trying to accomplish. – Chris Smith Feb 11 '11 at 18:35

2 Answers


Depending on the version of Windows you are using, the answer to your question is probably Event Tracing for Windows (ETW), which can do syscall logging [link]

canzar

If you are satisfied with a sampling approach, then you could try this:

#include <windows.h>
#include <winternl.h>   /* NtQueryInformationThread, THREADINFOCLASS; link with ntdll.lib */
#include <stdio.h>
#ifndef NT_SUCCESS
#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
#endif

/* Undocumented output structure of the ThreadLastSystemCall class. */
typedef struct _THREAD_LAST_SYSCALL_INFORMATION
{
    PVOID FirstArgument;      /* first argument of the thread's last system call */
    USHORT SystemCallNumber;  /* syscall number; the numbering is specific to each Windows build */
} THREAD_LAST_SYSCALL_INFORMATION, *PTHREAD_LAST_SYSCALL_INFORMATION;

/* Not in the public THREADINFOCLASS enum of winternl.h; the value is 21. */
#define ThreadLastSystemCall ((THREADINFOCLASS)21)
/* hThread: handle to the thread being sampled; THREAD_QUERY_INFORMATION |
   THREAD_GET_CONTEXT access is assumed to be required. */
THREAD_LAST_SYSCALL_INFORMATION lastSystemCall;
NTSTATUS status = NtQueryInformationThread(
    hThread,
    ThreadLastSystemCall,
    &lastSystemCall,
    sizeof(THREAD_LAST_SYSCALL_INFORMATION),
    NULL
);
/* Failure is expected when the thread is not currently blocked inside a system
   call; STATUS_INFO_LENGTH_MISMATCH means this build expects a different structure size. */
if (NT_SUCCESS(status))
    printf("syscall 0x%hx, first argument %p\n", lastSystemCall.SystemCallNumber, lastSystemCall.FirstArgument);

where ThreadLastSystemCall = 21

Roland Pihlakas
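Extending the sampling approach above to every thread of a process, as an added example that is not from the answer or any project: it opens each thread of a target process, repeatedly queries ThreadLastSystemCall (class 21), and builds a histogram of the syscall numbers each thread is blocked in, a cheap way to see what a process is doing without any kernel patching. Assumptions of mine: the query needs THREAD_QUERY_INFORMATION | THREAD_GET_CONTEXT access, the output structure is two pointer-sized fields on older Windows and 8 bytes longer on newer builds (both lengths are tried), and a failed query means the thread is not currently inside a system call. Syscall numbers differ between Windows builds, so mapping them to names needs a table for the build being examined.

```powershell
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class LastSyscall {
    [DllImport("ntdll.dll")]
    public static extern int NtQueryInformationThread(IntPtr h, int cls, IntPtr buf, int len, IntPtr retLen);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenThread(uint access, bool inherit, uint tid);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr h);
}
"@
$M = [System.Runtime.InteropServices.Marshal]

function Get-ThreadLastSyscall {
    param([uint32]$ThreadId)
    # Assumed required access: THREAD_GET_CONTEXT (0x8) | THREAD_QUERY_INFORMATION (0x40).
    $h = [LastSyscall]::OpenThread(0x48, $false, $ThreadId)
    if ($h -eq [IntPtr]::Zero) { return $null }
    $ptr = [IntPtr]::Size; $buf = $M::AllocHGlobal(64)
    try {
        # Newer layout (FirstArgument, SystemCallNumber, pad, 64-bit WaitTime) first, then
        # the older two-field layout if the kernel answers STATUS_INFO_LENGTH_MISMATCH.
        foreach ($len in @((2 * $ptr) + 8, 2 * $ptr)) {
            $status = [LastSyscall]::NtQueryInformationThread($h, 21, $buf, $len, [IntPtr]::Zero)
            if ($status -eq 0) {
                return [pscustomobject]@{ ThreadId = $ThreadId
                    SyscallNumber = $M::ReadInt16($buf, $ptr) -band 0xFFFF
                    FirstArgument = $M::ReadIntPtr($buf, 0) }
            }
            if ($status -ne -1073741820) { break }   # 0xC0000004 = STATUS_INFO_LENGTH_MISMATCH
        }
        return $null   # usual cause: the thread is not blocked inside a system call right now
    } finally { $M::FreeHGlobal($buf); [void][LastSyscall]::CloseHandle($h) }
}

function Get-SyscallHistogram {
    param([int]$ProcessId, [int]$Samples = 200, [int]$IntervalMs = 10)
    $hist = @{}
    for ($i = 0; $i -lt $Samples; $i++) {
        foreach ($t in (Get-Process -Id $ProcessId).Threads) {
            $s = Get-ThreadLastSyscall -ThreadId ([uint32]$t.Id)
            if ($s) { $k = 'tid {0} syscall 0x{1:X3}' -f $s.ThreadId, $s.SyscallNumber; $hist[$k] = 1 + [int]$hist[$k] }
        }
        Start-Sleep -Milliseconds $IntervalMs
    }
    $hist.GetEnumerator() | Sort-Object Value -Descending | Select-Object -First 10
}
Get-SyscallHistogram -ProcessId $PID   # sample the current PowerShell process itself
```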