Solved

Trace functions from user mode to kernel mode.

Posted on 2006-04-30
1,197 Views
Last Modified: 2012-08-14
Hello EE guys,

I'm looking for a program, or a way to write a program (in C), that allows me to trace all calls made from a function in user mode.

Example: when I call FindFirstFile(), which is exported from Kernel32.dll, it calls NtQueryDirectoryFile() (which is in ntdll.dll?).

What I want is a utility, or a way to write one in C, that allows me to track a function. For example, I create a filter on "FindFirstFile()" and it will describe/output what functions it called and from what .dll, what kernel-level functions it called (from where, if possible), and if possible what kernel sub-functions it called and whether they are exported or not....

ps1: The more information, the better.

ps2: Good answers will get more points... ;)

Thank you,

Regards
Question by: zgrp
13 Comments
 
LVL 7

Expert Comment

by:wnross
ID: 16577424
Well, a lot of that you can get from Dependency Walker, http://www.dependencywalker.com
It's an MS tool, a version of which is usually supplied with Visual Studio.  The tool allows you to see what DLLs are
linked from your executable and what functions are actually used from those DLLs.

Ideally, you use the profiling feature to see the actual runtime behavior.

Now that doesn't entirely answer your question, but it is a good baseline and should be informative.

As for the rest, well, I'm unsure of any tools which will discriminate user-mode vs. kernel calls, but I used to use CC-RIDER
when I was doing device driver development for Windows; it gave excellent call-tree graphs.

http://www.cc-rider.com/

That was several (!!) years ago and the technology landscape has changed since, so here's a new (brief) survey:

* CScout (CScout Public License)
   http://www.spinellis.gr/cscout/
* Understand for C/C++ (commercial)
   http://www.scitools.com/ucpp.html
* Visual Studio has a call browser:
   http://msdn2.microsoft.com/en-us/library/z3zaa390.aspx

Hope that gets you started

Cheers,
-Bill
 
LVL 3

Author Comment

by:zgrp
ID: 16577761
Hello Bill,

Thank you for your reply, but it's not what I'm looking for. I want exactly what you typed: "I'm unsure of any tools which will discriminate usermode vs kernel calls".

Even if some book exists that has these references, it could be useful in some way.

Thank you,

Regards.
 
LVL 7

Expert Comment

by:wnross
ID: 16580414
Hmmm... well, kernel mode has access to all user-mode functions but not the other way around.

Here are some good starting points:
Kernel Mode Fundamentals
  http://www.microsoft.com/whdc/driver/kernel/default.mspx
C++ for Kernel Mode Drivers: Pros and Cons
  http://www.microsoft.com/whdc/driver/kernel/KMcode.mspx

Kernel-level functions are usually activated by device drivers; is that what you are working on?

Wish I could help more
-Bill
 
LVL 3

Author Comment

by:zgrp
ID: 16587630
Hello,

Thank you for the links. I'm already reading a book about the DDK, but that isn't my question.

I want to know how someone discovered these traces. For example, I found an interesting site which has some interesting trace levels, check:

http://www.openrce.org/reference_library/win32_call_chains

Example to OpenProcess():

http://www.openrce.org/reference_library/win32_call_chains/2003SP0/KERNEL32/OpenProcess

It shows:

" -  KERNEL32 >> OpenProcess
MSDN               1. NtOpenProcess                
MSDN               2. BaseSetLastNTError                ADVAPI32, KERNEL32"

It's more or less what I want, but with deeper details, like this:

"- The OpenProcess() example
1 - OpenProcess calls NtOpenProcess.
2 - NtOpenProcess calls PsLookupProcessByProcessId to verify the process exists.
3 - PsLookupProcessByProcessId uses the PspCidTable to verify the processes exists.
4 - NtOpenProcess calls ObOpenObjectByPointer to get the handle to the process."

Got it? Any idea how to track it?

ps: Do you know if it is possible to call kernel calls, or non-exported kernel calls (like NtOpenProcess, PsLookupProcessByProcessId), from user mode (without needing a DDK module)?

ps2: Increasing points 500! ;)

Thank you,

Regards,
 
LVL 7

Expert Comment

by:wnross
ID: 16590198
Did you try profiling with Dependency Walker? Seriously, it does a lot of this.


Also, here's a detailed article that will go a long way towards what you want programmatically:
http://www.internals.com/articles/apispy/apispy.htm

In particular the guts of an NT System Call hook using the INT2E interface can be found at
http://cmp.phys.msu.su:8000/ntclub/

Now, this latter program (NTSpy) does not work on XP; it will have to be recompiled first, but the process should still work. The above link gives full
source to their program.

Cheers,
-Bill
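Added example (mine, not code from the thread, from NTSpy or from APISpy): the user-mode end of the trace zgrp is asking about. Every Nt*/Zw* export in ntdll.dll is a short stub that loads a system service index into EAX and traps into the kernel, and the kernel side of the chain (NtOpenProcess, PsLookupProcessByProcessId, ObOpenObjectByPointer) is reachable from user mode only through that trap. That also answers the earlier question: the Nt* exports of ntdll can be called directly from a user-mode program (declare the prototype yourself or GetProcAddress them), while Ps*/Ob*/Psp* routines exist only in ntoskrnl and cannot be called from user mode at all, exported or not. The stub shape changed between releases: Windows 2000 stubs trap with INT 2Eh, while XP/2003 stubs call through the pointer at 7FFE0300h in KUSER_SHARED_DATA (KiFastSystemCall, i.e. SYSENTER on CPUs that support it), so an INT 2E hook written for Windows 2000 has nothing to observe on XP/2003 stubs. The parser below recognizes both 32-bit shapes and extracts the service index and argument count. The sample byte strings are constructed and the service indexes in them are placeholders; the real index for a given call varies per Windows version and service pack, which is exactly why it must be read from the installed ntdll rather than hard-coded. The ntdll_export helper is my addition and only compiles on Windows.

```c
/* Decode the user-mode system call stubs of 32-bit Windows 2000 / XP / 2003.
 * Added example; the byte strings below are constructed, not captured. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef enum { STUB_INT2E = 1, STUB_SHARED_CALL = 2 } stub_kind_t;

typedef struct {
    stub_kind_t kind;
    uint32_t    service;    /* index into the kernel's system service table */
    uint16_t    arg_bytes;  /* operand of the trailing "ret imm16": 4 * argc */
} syscall_stub_t;

static uint32_t rd32(const uint8_t *p) { return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24); }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Returns 0 and fills *out if `code` starts with a recognized stub, else -1. */
int parse_stub(const uint8_t *code, size_t n, syscall_stub_t *out)
{
    static const uint8_t int2e_seq[]  = { 0x8D,0x54,0x24,0x04,       /* lea edx,[esp+4]      (Win2000) */
                                          0xCD,0x2E };               /* int 2Eh                        */
    static const uint8_t shared_seq[] = { 0xBA,0x00,0x03,0xFE,0x7F,  /* mov edx,7FFE0300h    (XP/2003) */
                                          0xFF,0x12 };               /* call dword ptr [edx]           */
    const uint8_t *p;
    size_t rem;

    if (n < 5 || code[0] != 0xB8) return -1;           /* mov eax, imm32 */
    out->service = rd32(code + 1);
    p = code + 5; rem = n - 5;

    if (rem >= sizeof int2e_seq + 3 && memcmp(p, int2e_seq, sizeof int2e_seq) == 0) {
        out->kind = STUB_INT2E;       p += sizeof int2e_seq;
    } else if (rem >= sizeof shared_seq + 3 && memcmp(p, shared_seq, sizeof shared_seq) == 0) {
        out->kind = STUB_SHARED_CALL; p += sizeof shared_seq;
    } else {
        return -1;                                     /* not a shape we know: refuse, don't guess */
    }
    if (p[0] != 0xC2) return -1;                       /* ret imm16 */
    out->arg_bytes = rd16(p + 1);
    return 0;
}

/* Scalar wrappers so each field can be checked with a single call. */
int  stub_kind(const uint8_t *c, size_t n)    { syscall_stub_t s; return parse_stub(c, n, &s) ? -1 : (int)s.kind; }
long stub_service(const uint8_t *c, size_t n) { syscall_stub_t s; return parse_stub(c, n, &s) ? -1L : (long)s.service; }
int  stub_argc(const uint8_t *c, size_t n)    { syscall_stub_t s; return parse_stub(c, n, &s) ? -1 : s.arg_bytes / 4; }

/* Constructed stubs for a 4-argument service (ret 10h). Indexes 0x7A / 0x6A are placeholders. */
const uint8_t stub_xp2003[]  = { 0xB8,0x7A,0x00,0x00,0x00, 0xBA,0x00,0x03,0xFE,0x7F, 0xFF,0x12, 0xC2,0x10,0x00 };
const uint8_t stub_win2000[] = { 0xB8,0x6A,0x00,0x00,0x00, 0x8D,0x54,0x24,0x04, 0xCD,0x2E, 0xC2,0x10,0x00 };
/* Constructed: an ordinary Win32 API prologue, which is not a system call stub at all. */
const uint8_t not_a_stub[]   = { 0x8B,0xFF, 0x55, 0x8B,0xEC };

#ifdef _WIN32
#include <windows.h>
/* On a 32-bit Windows host, read the real bytes of an ntdll export (my helper, not the page's). */
static const uint8_t *ntdll_export(const char *name)
{
    HMODULE h = GetModuleHandleA("ntdll.dll");
    return h ? (const uint8_t *)GetProcAddress(h, name) : NULL;
}
#endif

static void report(const char *label, const uint8_t *code, size_t n)
{
    syscall_stub_t s;
    if (parse_stub(code, n, &s) != 0) { printf("%-14s not a recognized stub\n", label); return; }
    printf("%-14s service 0x%03X via %s, %d args\n", label, (unsigned)s.service,
           s.kind == STUB_INT2E ? "INT 2Eh" : "call [7FFE0300h]", s.arg_bytes / 4);
}

int main(void)
{
    report("xp/2003", stub_xp2003, sizeof stub_xp2003);
    report("win2000", stub_win2000, sizeof stub_win2000);
    report("prologue", not_a_stub, sizeof not_a_stub);
#ifdef _WIN32
    { const uint8_t *p = ntdll_export("NtOpenProcess"); if (p) report("NtOpenProcess", p, 32); }
#endif
    return 0;
}
```

On a 32-bit XP/2003 host the _WIN32 branch prints the real NtOpenProcess index; on 64-bit Windows or later releases the stub layout is different and parse_stub reports it as unrecognized instead of guessing. Turning the index into the kernel routine it dispatches to, and anything below that (the Ps*/Ob* steps in the OpenProcess chain), needs data that only exists in the kernel, which is why that half of the trace takes a driver or a kernel debugger rather than a user-mode tool.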
 
LVL 3

Author Comment

by:zgrp
ID: 16592036
Hello  wnross,

Thank you for the assistance.

I had tried Dependency Walker; it appears good (I don't know if it's able to do what I need), however the problem is that the program I want to track creates another file and starts it, so Dependency Walker stops monitoring at this point. :(

I tried opening the created process, but the same thing happens: it creates another program with another name... :(

Like this:

"GetProcAddress(0x77E40000 [KERNEL32.DLL], "WTSGetActiveConsoleSessionId") called from "KJH.EXE" at address 0x004311E7 and returned 0x77E41A2D.
GetProcAddress(0x77160000 [OLE32.DLL], "CoCreateInstanceEx") called from "OLEAUT32.DLL" at address 0x77127CFC and returned 0x77164E83.
LoadLibraryExW("C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\CWFHFKKH.exe", 0x00000000, LOAD_LIBRARY_AS_DATAFILE) called from "VERSION.DLL" at address 0x77B913CE.
Mapped "CWFHFKKH.EXE" as a data file into memory at address 0x00AA0001.
LoadLibraryExW("C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\CWFHFKKH.exe", 0x00000000, LOAD_LIBRARY_AS_DATAFILE) returned 0x00AA0001.
LoadLibraryExW("C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\CWFHFKKH.exe", 0x00000000, LOAD_LIBRARY_AS_DATAFILE) called from "VERSION.DLL" at address 0x77B914DC.
Mapped "CWFHFKKH.EXE" as a data file into memory at address 0x00AA0001.
LoadLibraryExW("C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\CWFHFKKH.exe", 0x00000000, LOAD_LIBRARY_AS_DATAFILE) returned 0x00AA0001.
LoadLibraryW("rpcrt4.dll") called from "RPCRT4.DLL" at address 0x77C734AB.
LoadLibraryW("rpcrt4.dll") returned 0x77C50000."

ps: I'm using it on RootkitRevealer (http://www.sysinternals.com/Utilities/RootkitRevealer.html).

If you have any idea how to deal with it...

I'm downloading the NTspy to check...

Thank you,

Regards,
 
LVL 3

Author Comment

by:zgrp
ID: 16592235
Tested NTSpy on my Windows 2003; it opens normally, but when I click "start" or "filter" the application terminates. :(

Maybe it's not compatible with newer Windows versions...

Regards,
 
LVL 7

Expert Comment

by:wnross
ID: 16592604
Yeah, like I said, they give you source, but it doesn't work on XP.  I recommend recompilation.

What are you looking at anyway?  Some kind of Soft-ice wrapper or a trojan?
Also did you look at API Spy?

Cheers,
-Bill
 
LVL 3

Author Comment

by:zgrp
ID: 16597711
Hello wnross,

> Yeah, like I said, they give you source, but it doesn't work in XP.  I recommend recompilation

My recompilation didn't work. I mailed the author; maybe something changed in Windows 2003 so that it doesn't work anymore?!?! :(

>What are you looking at anyway?  Some kind of Soft-ice wrapper or a trojan?

Well, I'm looking for a tool for this kind of trace, from user level vs. deep kernel level, with the intention of:

- helping me understand better the call relation between user and kernel level (just curious).

- helping me with my project for University (http://www.experts-exchange.com/Programming/Q_21833012.html).

- helping me understand how an on-access virus scanner is made (http://www.experts-exchange.com/Programming/Q_21832990.html).

You are welcome to participate in these other threads too if you want. ;)

> Also did you look at API Spy?

Yes, but it's just a user-level tracer (not kernel calls, for example the Zw-family calls).

Regards,
 
LVL 7

Accepted Solution

by:
wnross earned 2000 total points
ID: 16601562
APISpy:  I had looked at it myself many years ago, so I could not remember how detailed it was.

NTSpy: Did you try to analyze the code?  The technique should still be valid, albeit based on very old source.  The only thought is
that later kernels may attempt to block bypassing INT 2E calls.

Now another approach is to patch the API. Microsoft R&D has source for a library called Detours which patches API library calls.
The code can be found at http://research.microsoft.com/sn/detours/
The code does not compile under VC++ 2005 without some Makefile changes:

Add the following to CFLAGS
      /GS- -D_CRT_SECURE_NO_DEPRECATE /Zc:forScope- /Zc:wchar_t- \
      /wd4867 /wd4733

So
CFLAGS = /nologo /Zi $(CLIB) /Gi- /Gm- /W4 /WX /FR "/I$(DTRINCD)" "/I$(INCD)"

becomes
CFLAGS = /nologo /Zi $(CLIB) /Gi- /Gm- /W4 /WX /FR "/I$(DTRINCD)" "/I$(INCD)" \               <--- note the space and "\"
      /GS- -D_CRT_SECURE_NO_DEPRECATE /Zc:forScope- /Zc:wchar_t- \
      /wd4867 /wd4733

This API Patching library might get a little closer.

Cheers,
-Bill
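Added example (mine, not Detours' own source) of what an API-patching library of this kind does, which also settles the in-memory versus on-disk question: Detours patches the loaded image in the target process's memory, never the DLL files on disk. The first instructions of the target function are overwritten with a 5-byte jmp rel32 to the detour, the displaced instructions are copied into a trampoline that ends with a jmp back to the rest of the original function, and the hook calls the trampoline whenever it wants the unhooked behaviour. The patch has to cover whole instructions, so the code below decodes instruction lengths before deciding how many bytes to move and refuses anything it cannot decode (a relative call or jmp cannot simply be copied to another address). The sample prologues are constructed: the XP SP2 one is the hot-patchable mov edi,edi / push ebp / mov ebp,esp sequence, which is exactly 5 bytes, and the addresses are hypothetical. The computation runs over a byte buffer so it builds on any host; on Windows the patch bytes would then be written with VirtualProtect and memcpy (or WriteProcessMemory into another process), which is not shown.

```c
/* Building an inline (Detours-style) hook for 32-bit x86 on a constructed
 * buffer. Added example: the opcode table, prologues and addresses are mine. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define JMP_LEN    5          /* E9 rel32 */
#define MAX_STOLEN 16

typedef struct {
    uint8_t patch[JMP_LEN];                    /* written over the target's first bytes */
    uint8_t trampoline[MAX_STOLEN + JMP_LEN];  /* stolen bytes + jmp back              */
    int     stolen;
    int     trampoline_len;
} hook_t;

/* Length of one instruction for the few opcodes seen in XP/2003-era API
 * prologues. Anything else returns -1: refuse rather than guess. */
static int insn_len(const uint8_t *p, size_t n)
{
    if (n == 0) return -1;
    switch (p[0]) {
    case 0x50: case 0x51: case 0x52: case 0x53:
    case 0x54: case 0x55: case 0x56: case 0x57:   /* push r32 */
    case 0x90:                                    /* nop */
        return 1;
    case 0x8B:                                    /* mov r32, r/m32, register form only (8B FF, 8B EC) */
        return (n >= 2 && (p[1] & 0xC0) == 0xC0) ? 2 : -1;
    case 0x83:                                    /* add/sub/... r/m32, imm8, register form only (83 EC xx) */
        return (n >= 3 && (p[1] & 0xC0) == 0xC0) ? 3 : -1;
    default:
        return -1;
    }
}

/* Whole instructions needed to cover the 5-byte jmp; -1 if undecodable. */
int stolen_bytes(const uint8_t *code, size_t n)
{
    size_t off = 0;
    while (off < JMP_LEN) {
        int l = insn_len(code + off, n - off);
        if (l < 0) return -1;
        off += (size_t)l;
    }
    return (int)off;
}

/* Displacement for a "jmp rel32" located at `from` that lands at `to`. */
int32_t jmp_rel32(uint32_t from, uint32_t to)
{
    return (int32_t)(to - (from + JMP_LEN));
}

static void emit_jmp(uint8_t *out, uint32_t from, uint32_t to)
{
    uint32_t rel = (uint32_t)jmp_rel32(from, to);
    out[0] = 0xE9;
    out[1] = (uint8_t)rel;         out[2] = (uint8_t)(rel >> 8);
    out[3] = (uint8_t)(rel >> 16); out[4] = (uint8_t)(rel >> 24);
}

uint32_t le32(const uint8_t *p)
{
    return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Trampoline = stolen instructions + jmp to target+stolen; patch = jmp to detour.
 * Returns the number of stolen bytes, or -1 if the prologue cannot be decoded. */
int build_hook(const uint8_t *code, size_t n, uint32_t target_va,
               uint32_t detour_va, uint32_t tramp_va, hook_t *h)
{
    int stolen = stolen_bytes(code, n);
    if (stolen < 0 || stolen > MAX_STOLEN) return -1;
    memcpy(h->trampoline, code, (size_t)stolen);
    emit_jmp(h->trampoline + stolen, tramp_va + (uint32_t)stolen, target_va + (uint32_t)stolen);
    h->stolen = stolen;
    h->trampoline_len = stolen + JMP_LEN;
    emit_jmp(h->patch, target_va, detour_va);
    return stolen;
}

/* Constructed prologues. XP SP2: mov edi,edi; push ebp; mov ebp,esp; sub esp,10h */
const uint8_t sample_xp_prologue[]   = { 0x8B,0xFF, 0x55, 0x8B,0xEC, 0x83,0xEC,0x10 };
/* Older form: push ebp; mov ebp,esp; sub esp,10h (6 bytes must move to cover 5) */
const uint8_t sample_old_prologue[]  = { 0x55, 0x8B,0xEC, 0x83,0xEC,0x10 };
/* Starts with call rel32: not safe to relocate, so the decoder refuses it */
const uint8_t sample_call_prologue[] = { 0xE8,0x00,0x00,0x00,0x00, 0x55 };

/* Hypothetical addresses chosen for the example only. */
#define TARGET_VA 0x7C810000u
#define DETOUR_VA 0x10001000u
#define TRAMP_VA  0x00350000u

hook_t demo_hook;

int demo_build(void)
{
    return build_hook(sample_xp_prologue, sizeof sample_xp_prologue,
                      TARGET_VA, DETOUR_VA, TRAMP_VA, &demo_hook);
}

int main(void)
{
    int i;
    if (demo_build() < 0) { puts("undecodable prologue"); return 1; }
    printf("stolen %d bytes\npatch     :", demo_hook.stolen);
    for (i = 0; i < JMP_LEN; i++) printf(" %02X", demo_hook.patch[i]);
    printf("\ntrampoline:");
    for (i = 0; i < demo_hook.trampoline_len; i++) printf(" %02X", demo_hook.trampoline[i]);
    putchar('\n');
    return 0;
}
```

The refusal path is the part worth keeping in mind when reading Detours: a real library carries a full instruction-length decoder and relocates relative branches it finds in the stolen bytes, and a hook that skips that step corrupts the trampoline for any function whose prologue is not the plain push/mov form.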
 
LVL 3

Author Comment

by:zgrp
ID: 16729656
Hi wnross,

Sorry for the long delay...

I will try running NTSpy on Windows 2000; if it works, good. :)

Detours is interesting, but its example (the one that detects Detours running) doesn't compile under Dev-C++ or MSVC 6.0; no success. Is there some trick for it?

Do you know how Detours works? Does it patch the API functions in memory, like CreateRemoteThread()? Or does it patch the .dll files on the hard disk (like ntdll.dll, kernel32.dll, ...)?

Thank you,

Cheers
 
LVL 3

Author Comment

by:zgrp
ID: 16885620
Any idea wnross ?
 
LVL 7

Expert Comment

by:wnross
ID: 16886639
Hi zgrp,

No secrets to recompiling here. I've set up a test bench and just started to see where it may be breaking.

-Bill
