Trace functions from user mode to kernel mode.

Hello EE guys,

I'm looking for a program, or a way to write a program (in C), that allows me to trace all calls made from a function in user mode.

Example: when I call FindFirstFile(), which is exported from Kernel32.dll, it calls NtQueryDirectoryFile() (which is in ntdll.dll?).

What I want is a utility, or a way to write one in C, that allows me to track a function. For example, I create a filter on "FindFirstFile()" and it will describe/output what functions it called and from what .dll, what kernel-level functions it called (from where, if possible), and if possible what kernel sub-functions it called and whether they are exported or not....

ps1: The more information, the better.

ps2: Good answers will get more points... ;)

Thank you,

Regards
zgrp asked:

wnross commented (accepted solution):
APISpy: I had looked at it myself many years ago, so I could not remember how detailed it was.

NTSpy: Did you try to analyze the code? The technique should still be valid, albeit based on very old source. The only thought is
that later kernels may attempt to block bypassing int 2E calls.

Now another approach is to patch the API. Microsoft R&D has source for a library called Detours, which patches API library calls.
The code can be found at http://research.microsoft.com/sn/detours/
The code does not compile under VC++ 2005 without some Makefile changes:

Add the following to CFLAGS
      /GS- -D_CRT_SECURE_NO_DEPRECATE /Zc:forScope- /Zc:wchar_t- \
      /wd4867 /wd4733

So
CFLAGS = /nologo /Zi $(CLIB) /Gi- /Gm- /W4 /WX /FR "/I$(DTRINCD)" "/I$(INCD)"

becomes
CFLAGS = /nologo /Zi $(CLIB) /Gi- /Gm- /W4 /WX /FR "/I$(DTRINCD)" "/I$(INCD)" \               <--- note the space and "\"
      /GS- -D_CRT_SECURE_NO_DEPRECATE /Zc:forScope- /Zc:wchar_t- \
      /wd4867 /wd4733

This API-patching library might get a little closer.

Cheers,
-Bill
0
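On the question of how Detours does its patching (raised later in the thread): it rewrites the first instructions of the target function in the process's memory, not the DLL on disk, with a jump to your replacement, and keeps the displaced instructions in a trampoline so the replacement can still call the original. The block below is an added example, not code from this page, from Microsoft or from either poster; it shows the shape of a tracer built that way for the question's own FindFirstFile() case. The module table and address lookup are portable C with a constructed layout (the module bases and sizes are illustrative); the part under _WIN32 fills the table from the loaded modules, attaches a Detours hook to kernel32!FindFirstFileW and logs which module called it, which is the "from what .dll" part of the question. Building that part assumes the Detours headers and detours.lib are on the include/lib path (detours.h, DetourAttach and the other Detour* names are the library's real API); the trace line format copies the Dependency Walker profile output quoted later in the thread.

```c
/* Added example: API tracer skeleton with caller-module attribution.
 * Portable part: module-range table + lookup, as any tracer does per return
 * address. Windows part (_WIN32): Detours hook on kernel32!FindFirstFileW.
 * Windows build (assumed): cl trace.c detours.lib psapi.lib              */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_MODULES 256

typedef struct { uintptr_t base; uintptr_t size; char name[64]; } module_range;
typedef struct { module_range mods[MAX_MODULES]; size_t count; } module_table;

/* Record one loaded module; -1 when the table is full. */
int module_table_add(module_table *t, uintptr_t base, uintptr_t size, const char *name)
{
    if (t->count >= MAX_MODULES) return -1;
    module_range *m = &t->mods[t->count++];
    m->base = base;
    m->size = size;
    strncpy(m->name, name, sizeof m->name - 1);
    m->name[sizeof m->name - 1] = '\0';
    return 0;
}

/* Map an address to the module containing it; NULL when it is in none.
 * (addr - base < size avoids overflow for ranges near the top of memory.) */
const char *module_table_find(const module_table *t, uintptr_t addr)
{
    for (size_t i = 0; i < t->count; i++) {
        const module_range *m = &t->mods[i];
        if (addr >= m->base && addr - m->base < m->size) return m->name;
    }
    return NULL;
}

/* One trace line in the shape Dependency Walker's profiler prints. */
int format_trace(char *out, size_t n, const module_table *t, const char *api, uintptr_t ret)
{
    const char *who = module_table_find(t, ret);
    return snprintf(out, n, "%s called from \"%s\" at address 0x%08lX",
                    api, who ? who : "<unknown>", (unsigned long)ret);
}

#ifdef _WIN32
#include <windows.h>
#include <psapi.h>
#include <intrin.h>
#include "detours.h"

static module_table g_mods;

/* Fill the table from the modules loaded in this process. */
static void snapshot_modules(void)
{
    HMODULE mods[MAX_MODULES];
    DWORD needed = 0;
    if (!EnumProcessModules(GetCurrentProcess(), mods, sizeof mods, &needed)) return;
    DWORD n = needed / sizeof(HMODULE);
    if (n > MAX_MODULES) n = MAX_MODULES;
    for (DWORD i = 0; i < n; i++) {
        MODULEINFO mi;
        char path[MAX_PATH];
        if (GetModuleInformation(GetCurrentProcess(), mods[i], &mi, sizeof mi) &&
            GetModuleFileNameA(mods[i], path, MAX_PATH)) {
            const char *slash = strrchr(path, '\\');
            module_table_add(&g_mods, (uintptr_t)mi.lpBaseOfDll, mi.SizeOfImage,
                             slash ? slash + 1 : path);
        }
    }
}

/* Detours rewrites the pointer to reach the trampoline (original code). */
static HANDLE (WINAPI *Real_FindFirstFileW)(LPCWSTR, LPWIN32_FIND_DATAW) = FindFirstFileW;

static HANDLE WINAPI Hooked_FindFirstFileW(LPCWSTR name, LPWIN32_FIND_DATAW data)
{
    char line[256];
    /* _ReturnAddress() is the caller's return address: where the call came from. */
    format_trace(line, sizeof line, &g_mods, "FindFirstFileW", (uintptr_t)_ReturnAddress());
    OutputDebugStringA(line);                /* read with DebugView or a debugger */
    return Real_FindFirstFileW(name, data);  /* continue into the real function */
}

int install_hook(void)
{
    snapshot_modules();
    DetourTransactionBegin();
    DetourUpdateThread(GetCurrentThread());
    DetourAttach((PVOID *)&Real_FindFirstFileW, (PVOID)Hooked_FindFirstFileW);
    return DetourTransactionCommit() == NO_ERROR ? 0 : -1;
}
#endif

int main(void)
{
    module_table t;
    memset(&t, 0, sizeof t);
    /* constructed layout: illustrative bases/sizes, not a real process */
    module_table_add(&t, 0x00400000u, 0x00050000u, "KJH.EXE");
    module_table_add(&t, 0x77E40000u, 0x000F0000u, "KERNEL32.DLL");
    char line[256];
    format_trace(line, sizeof line, &t, "FindFirstFileW", 0x004311E7u);
    puts(line);
#ifdef _WIN32
    if (install_hook() == 0) {
        WIN32_FIND_DATAW fd;
        HANDLE h = FindFirstFileW(L"C:\\*", &fd);   /* goes through the hook */
        if (h != INVALID_HANDLE_VALUE) FindClose(h);
    }
#endif
    return 0;
}
```

The hook only sees calls that enter through kernel32's export; code that calls ntdll!NtQueryDirectoryFile directly, or a child process the target spawns (the problem reported with Dependency Walker later in the thread), is not covered unless the hook DLL is injected into that process as well.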
 
wnross commented:
Well, a lot of that you can get from Dependency Walker, http://www.dependencywalker.com
It's an MS tool, a version of which is usually supplied with Visual Studio. The tool allows you to see what DLLs are
linked from your executable and what functions are actually used from those DLLs.

Ideally, you use the profiling feature to see the actual runtime behavior.

Now that doesn't entirely answer your question, but it is a good baseline and should be informative.

As for the rest, well, I'm unsure of any tools which will discriminate user-mode vs kernel calls, but I used to use CC-RIDER
when I was doing device driver development for Windows. It gave excellent call-tree graphs.

http://www.cc-rider.com/

That was several (!!) years ago, so the technology landscape has changed, so here's a new (brief) survey:

* CScout (CScout Public License)
   http://www.spinellis.gr/cscout/
* Understand for C/C++ (commercial)
   http://www.scitools.com/ucpp.html
* Visual Studio has a call browser:
   http://msdn2.microsoft.com/en-us/library/z3zaa390.aspx

Hope that gets you started

Cheers,
-Bill
0
 
zgrp (author) commented:
Hello Bill,

Thank you for your reply, but it's not what I'm looking for. I want exactly what you typed: "I'm unsure of any tools which will discriminate usermode vs kernel calls".

Even if some book exists that has these references, it can be useful in some way.

Thank you,

Regards.
0
 
wnross commented:
Hmmm... well, kernel mode has access to all user-mode functions but not the other way around.

Here are some good starting points:
Kernel Mode Fundamentals
  http://www.microsoft.com/whdc/driver/kernel/default.mspx
C++ for Kernel Mode Drivers: Pros and Cons
  http://www.microsoft.com/whdc/driver/kernel/KMcode.mspx

Kernel-level functions are usually activated by device drivers; is that what you are working on?

Wish I could help more
-Bill
0
 
zgrp (author) commented:
Hello,

Thank you for the links. I'm already reading a book about the DDK, but it isn't my question.

I want to know how someone discovered these traces. For example, I found an interesting site which has some interesting trace levels; check:

http://www.openrce.org/reference_library/win32_call_chains

Example for OpenProcess():

http://www.openrce.org/reference_library/win32_call_chains/2003SP0/KERNEL32/OpenProcess

It shows:

" -  KERNEL32 >> OpenProcess
MSDN               1. NtOpenProcess                
MSDN               2. BaseSetLastNTError                ADVAPI32, KERNEL32"

It's more or less what I want, but with deeper details, like this:

"- The OpenProcess() example
1 - OpenProcess calls NtOpenProcess.
2 - NtOpenProcess calls PsLookupProcessByProcessId to verify the process exists.
3 - PsLookupProcessByProcessId uses the PspCidTable to verify the process exists.
4 - NtOpenProcess calls ObOpenObjectByPointer to get the handle to the process."

Got it? Any idea how to track it?

ps: Do you know if it is possible to call kernel calls, or non-exported kernel calls like (NtOpenProcess, PsLookupProcessByProcessId), from user mode (without needing a DDK module)?

ps2: Increasing points to 500! ;)

Thank you,

Regards,
0
 
wnross commented:
Did you try profiling with Dependency Walker? Seriously, it does a lot of this.


Also, here's a detailed article that will go a long way towards what you want programmatically:
http://www.internals.com/articles/apispy/apispy.htm

In particular, the guts of an NT system call hook using the INT 2E interface can be found at
http://cmp.phys.msu.su:8000/ntclub/

Now, this latter program (NTSpy) does not work on XP; it will have to be recompiled first, but the process should still work. The above link gives full
source to their program.

Cheers,
-Bill
0
 
zgrp (author) commented:
Hello wnross,

Thank you for the assistance.

I had tried Dependency Walker; it appears good (don't know if it's able to do what I need). However, the problem is that the program I want to track creates another file and starts it, so Dependency Walker stops monitoring at this point. :(

I tried opening the created process, but the same thing happens; it creates another program with another name... :(

Like this:

"GetProcAddress(0x77E40000 [KERNEL32.DLL], "WTSGetActiveConsoleSessionId") called from "KJH.EXE" at address 0x004311E7 and returned 0x77E41A2D.
GetProcAddress(0x77160000 [OLE32.DLL], "CoCreateInstanceEx") called from "OLEAUT32.DLL" at address 0x77127CFC and returned 0x77164E83.
LoadLibraryExW("C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\CWFHFKKH.exe", 0x00000000, LOAD_LIBRARY_AS_DATAFILE) called from "VERSION.DLL" at address 0x77B913CE.
Mapped "CWFHFKKH.EXE" as a data file into memory at address 0x00AA0001.
LoadLibraryExW("C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\CWFHFKKH.exe", 0x00000000, LOAD_LIBRARY_AS_DATAFILE) returned 0x00AA0001.
LoadLibraryExW("C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\CWFHFKKH.exe", 0x00000000, LOAD_LIBRARY_AS_DATAFILE) called from "VERSION.DLL" at address 0x77B914DC.
Mapped "CWFHFKKH.EXE" as a data file into memory at address 0x00AA0001.
LoadLibraryExW("C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\CWFHFKKH.exe", 0x00000000, LOAD_LIBRARY_AS_DATAFILE) returned 0x00AA0001.
LoadLibraryW("rpcrt4.dll") called from "RPCRT4.DLL" at address 0x77C734AB.
LoadLibraryW("rpcrt4.dll") returned 0x77C50000."

ps: I'm using it on RootkitRevealer (http://www.sysinternals.com/Utilities/RootkitRevealer.html).

If you have any idea how to deal with it...

I'm downloading the NTspy to check...

Thank you,

Regards,
0
 
zgrp (author) commented:
Tested NTSpy on my Windows 2003. It opens normally, but when I click "start" or "filter" the application terminates. :(

Maybe not compatible with newer Windows versions...

Regards,
0
 
wnross commented:
Yeah, like I said, they give you source, but it doesn't work in XP. I recommend recompilation.

What are you looking at anyway? Some kind of SoftICE wrapper or a trojan?
Also did you look at API Spy?

Cheers,
-Bill
0
 
zgrp (author) commented:
Hello wnross,

> Yeah, like I said, they give you source, but it doesn't work in XP. I recommend recompilation

My recompilation didn't work. I mailed the author; maybe something changed in Windows 2003 so that it doesn't work anymore?!?! :(

> What are you looking at anyway? Some kind of SoftICE wrapper or a trojan?

Well, I'm looking for a tool for this kind of trace, from user level vs. deep kernel level, with the intention of:

- helping me understand better the call relation between user vs kernel level (just curious).

- helping me in my project for university (http://www.experts-exchange.com/Programming/Q_21833012.html).

- helping me understand how an on-access virus scanner is made (http://www.experts-exchange.com/Programming/Q_21832990.html).

You are welcome to participate in these other threads too if you want. ;)

> Also did you look at API Spy?

Yes, but it's just a user-level tracer (not kernel calls, for example the Zw-family calls).

Regards,
0
 
zgrp (author) commented:
Hi wnross,

Sorry for the long delay...

I will try to run NTSpy on Windows 2000; if it works, good. :)

Interesting, this Detours. Its example (the one that detects Detours running) doesn't compile in Dev-C++ or MSVC 6.0; no success. Is there some trick for it?

Do you know how Detours works? Does it patch the API functions in memory, like CreateRemoteThread()? Or does it patch the .dll files on the hard disk (like ntdll.dll, kernel32.dll, ...)?

Thank you,

Cheers
0
 
zgrp (author) commented:
Any idea, wnross?
0
 
wnross commented:
Hi zgrp,

No secrets to recompiling here. I've set up a test bench and have just started to see where it may be breaking.

-Bill
0