Reading Monitoring certain system calls done by a process in Windows, I'm wondering about a Windows equivalent to the ptrace system call or a programmatical workaround.
Asked
Active
Viewed 8,643 times
1 Answers
4
You can use ETW to trace system calls. When starting the trace, in EVENT_TRACE_PROPERTIES, you can add EVENT_TRACE_FLAG_SYSTEMCALL flag to EnableFlags. This enables SysCallEnter and SysCallLeave events, as described here.
Michael
- 54,279
- 5
- 125
- 144
-
2But SysCallEnter require Vista or Windows Server 2008, unfortunately. – JesperE May 15 '09 at 10:10
-
1Is it possible with ETW to find out the arguments to system calls? – David Roundy Apr 02 '15 at 01:07