zgrp
asked on
Trace functions from user mode to kernel mode.
Hello EE guys,
I'm looking for a program, or a way to write one (in C), that allows me to trace all calls made from a function in user mode.
Example: when I call FindFirstFile(), which is exported from Kernel32.dll, it calls NtQueryDirectoryFile() (which is in ntdll.dll?).
What I want is a utility, or a way to write one in C, that allows me to track a function. For example, I create a filter for "FindFirstFile()" and it describes/outputs what functions it called and from what .dll, what kernel-level functions it called (from where, if possible), and if possible what kernel sub-functions it called and whether they are exported or not...
ps1: The more information, the better.
ps2: Good answers will get more points... ;)
Thank you,
Regards
ASKER
Hello Bill,
Thank you for your reply, but it's not what I'm looking for. I want exactly what you typed: "I'm unsure of any tools which will discriminate usermode vs kernel calls".
Even if some book exists that has these references, it could be useful in some way.
Thank you,
Regards.
Hmmm... well, kernel mode has access to all user-mode functions but not the other way around.
Here are some good starting points:
Kernel Mode Fundamentals
http://www.microsoft.com/whdc/driver/kernel/default.mspx
C++ for Kernel Mode Drivers: Pros and Cons
http://www.microsoft.com/whdc/driver/kernel/KMcode.mspx
Kernel-level functions are usually activated by device drivers; is that what you are working on?
Wish I could help more
-Bill
ASKER
Hello,
Thank you for the links. I'm already reading a book about the DDK, but that isn't my question.
I want to know how someone discovered these traces. For example, I found an interesting site which has some interesting trace levels; check:
http://www.openrce.org/reference_library/win32_call_chains
Example to OpenProcess():
http://www.openrce.org/reference_library/win32_call_chains/2003SP0/KERNEL32/OpenProcess
It shows:
" - KERNEL32 >> OpenProcess
MSDN 1. NtOpenProcess
MSDN 2. BaseSetLastNTError ADVAPI32, KERNEL32"
It's more or less what I want, but with deeper details, like this:
"- The OpenProcess() example
1 - OpenProcess calls NtOpenProcess.
2 - NtOpenProcess calls PsLookupProcessByProcessId to verify the process exists.
3 - PsLookupProcessByProcessId uses the PspCidTable to verify the processes exists.
4 - NtOpenProcess calls ObOpenObjectByPointer to get the handle to the process."
Got it? Any idea how to track it?
ps: Do you know if it is possible to call kernel calls or non-exported kernel calls like (NtOpenProcess, PsLookupProcessByProcessId) from user mode (without needing a DDK module)?
ps2: Increasing points to 500! ;)
Thank you,
Regards,
Did you try profiling with Dependency Walker? Seriously, it does a lot of this.
Also, here's a detailed article that will go a long way towards what you want programmatically:
http://www.internals.com/articles/apispy/apispy.htm
In particular the guts of an NT System Call hook using the INT2E interface can be found at
http://cmp.phys.msu.su:8000/ntclub/
Now, this latter program (NTSpy) does not work on XP; it will have to be recompiled first, but the process should still work. The above link gives full source to their program.
Cheers,
-Bill
ASKER
Hello wnross,
Thank you for the assistance.
I tried Dependency Walker and it appears good (don't know if it's able to do what I need); however, the problem is that the program I want to track creates another file and starts it, so Dependency Walker stops monitoring at this point. :(
I tried opening the created process, but the same thing happens: it creates another program with another name... :(
Like this:
"GetProcAddress(0x77E40000 [KERNEL32.DLL], "WTSGetActiveConsoleSessionId") called from "KJH.EXE" at address 0x004311E7 and returned 0x77E41A2D.
GetProcAddress(0x77160000 [OLE32.DLL], "CoCreateInstanceEx") called from "OLEAUT32.DLL" at address 0x77127CFC and returned 0x77164E83.
LoadLibraryExW("C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\CWFHFKKH.exe", 0x00000000, LOAD_LIBRARY_AS_DATAFILE) called from "VERSION.DLL" at address 0x77B913CE.
Mapped "CWFHFKKH.EXE" as a data file into memory at address 0x00AA0001.
LoadLibraryExW("C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\CWFHFKKH.exe", 0x00000000, LOAD_LIBRARY_AS_DATAFILE) returned 0x00AA0001.
LoadLibraryExW("C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\CWFHFKKH.exe", 0x00000000, LOAD_LIBRARY_AS_DATAFILE) called from "VERSION.DLL" at address 0x77B914DC.
Mapped "CWFHFKKH.EXE" as a data file into memory at address 0x00AA0001.
LoadLibraryExW("C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\CWFHFKKH.exe", 0x00000000, LOAD_LIBRARY_AS_DATAFILE) returned 0x00AA0001.
LoadLibraryW("rpcrt4.dll") called from "RPCRT4.DLL" at address 0x77C734AB.
LoadLibraryW("rpcrt4.dll") returned 0x77C50000."
ps: I'm using it on RootkitRevealer (http://www.sysinternals.com/Utilities/RootkitRevealer.html).
If you have any idea how to deal with it...
I'm downloading NTSpy to check...
Thank you,
Regards,
ASKER
Tested NTSpy on my Windows 2003; it opens normally, but when I click "start" or "filter" the application terminates. :(
Maybe not compatible with newer Windows versions...
Regards,
Yeah, like I said, they give you source, but it doesn't work on XP. I recommend recompilation.
What are you looking at anyway? Some kind of Soft-ice wrapper or a trojan?
Also did you look at API Spy?
Cheers,
-Bill
ASKER
Hello wnross,
> Yeah, like I said, they give you source, but it doesn't work on XP. I recommend recompilation.
My recompilation didn't work. I mailed the author; maybe something changed in Windows 2003 so that it doesn't work anymore?!?! :(
>What are you looking at anyway? Some kind of Soft-ice wrapper or a trojan?
Well, I'm looking for a tool that does this kind of trace from user level vs. deep kernel level, with the intention of:
- helping me understand better the call relationship between user and kernel level (just curious).
- helping me with my project for university (https://www.experts-exchange.com/questions/21833012/Dump-Registry-and-Files-in-low-level.html).
- helping me understand how an on-access virus scanner is made (https://www.experts-exchange.com/questions/21832990/On-Access-Scanner-example-Kernel-Level-Win32.html).
You are welcome to participate in these other threads too if you want. ;)
>Also did you look at API Spy?
Yes, but it's just a user-level tracer (not kernel calls, for example the Zw family of calls).
Regards,
ASKER CERTIFIED SOLUTION
ASKER
Hi wnross,
Sorry for long delay...
I will try running NTSpy on Windows 2000; if it works, good. :)
Interesting, this Detours. Its example (the one that detects Detours running) doesn't compile in Dev-C++ or MSVC 6.0, no success. Is there some trick for it?
Do you know how Detours works? Does it patch the API functions in memory like CreateRemoteThread()? Or does it patch the .dll files on the hard disk (like ntdll.dll, kernel32.dll, ...)?
Thank you,
Cheers
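On the in-memory vs. on-disk question raised above: hooking frameworks of the Detours kind patch only in memory, either by rewriting the first bytes of the target function with a jump (inline detour) or by overwriting the pointer slot in a module's import address table (IAT hooking); the files on disk are never touched. The block below is an added example, not code from this thread, from Detours or from NTSpy. It models IAT-slot hooking in portable C so it runs without Windows: the modules APP, KERNEL32 and NTDLL, their import tables and the functions are stand-ins declared in the file (the real ones would be found by walking the PE import directory, and the slot page would need VirtualProtect before being written), and the NTSTATUS values are simplified.

```c
/* Added example (not from the thread): a model of IAT-slot hooking, the
 * mechanism user-mode API spies and one of the Detours modes use. The
 * "modules", their import tables and the functions are stand-ins built in
 * this file so it runs anywhere; nothing here touches a real PE image. */
#include <stdio.h>
#include <string.h>

typedef long NTSTATUS_T;                  /* stand-in for NTSTATUS */
typedef NTSTATUS_T (*ApiFn)(unsigned pid);

/* One import-table slot as the loader would fill it in. A hook overwrites
 * `target`; on Windows the page must first be made writable (VirtualProtect). */
typedef struct {
    const char *importer;   /* module that owns this IAT             */
    const char *exporter;   /* module the import resolved against    */
    const char *name;       /* imported symbol                        */
    ApiFn       target;     /* resolved address, patched by the hook  */
} ImportSlot;

/* "NTDLL": last user-mode stop. The real stub loads a syscall number and traps
 * into the kernel (INT 2E / sysenter / syscall); here we just fake a status. */
static NTSTATUS_T nt_open_process(unsigned pid)
{
    return pid == 0 ? -1L : 0L;           /* error vs STATUS_SUCCESS (assumed values) */
}

/* "KERNEL32": OpenProcess reaches NtOpenProcess through KERNEL32's own IAT. */
static ImportSlot kernel32_iat[] = {
    { "KERNEL32", "NTDLL", "NtOpenProcess", nt_open_process },
};
static NTSTATUS_T k32_open_process(unsigned pid)
{
    return kernel32_iat[0].target(pid);   /* indirect call through the slot */
}

/* "APP": imports OpenProcess from KERNEL32. */
static ImportSlot app_iat[] = {
    { "APP", "KERNEL32", "OpenProcess", k32_open_process },
};

/* The tracer: one line per hooked call, indented by nesting depth. */
#define MAX_TRACE 16
static char  trace_buf[MAX_TRACE][64];
static int   trace_n, trace_depth, hooks_installed;
static ApiFn orig_open_process, orig_nt_open_process;

static void record(const ImportSlot *s)
{
    if (trace_n < MAX_TRACE)
        snprintf(trace_buf[trace_n++], sizeof trace_buf[0], "%*s%s [%s -> %s]",
                 trace_depth * 2, "", s->name, s->importer, s->exporter);
}
static NTSTATUS_T hook_open_process(unsigned pid)
{
    record(&app_iat[0]);
    trace_depth++;
    NTSTATUS_T st = orig_open_process(pid);   /* forward to the saved original */
    trace_depth--;
    return st;
}
static NTSTATUS_T hook_nt_open_process(unsigned pid)
{
    record(&kernel32_iat[0]);
    trace_depth++;
    NTSTATUS_T st = orig_nt_open_process(pid);
    trace_depth--;
    return st;
}

/* Save the originals before patching the slots; without that there is no
 * trampoline and the hook would call itself. Idempotent for the same reason. */
static void install_hooks(void)
{
    if (hooks_installed) return;
    hooks_installed = 1;
    orig_open_process      = app_iat[0].target;
    orig_nt_open_process   = kernel32_iat[0].target;
    app_iat[0].target      = hook_open_process;
    kernel32_iat[0].target = hook_nt_open_process;
}
static void trace_reset(void) { trace_n = 0; trace_depth = 0; }
int         trace_count(void) { return trace_n; }
const char *trace_line(int i) { return i < trace_n ? trace_buf[i] : ""; }

/* A call that goes through the app's IAT: both levels show up in the trace. */
NTSTATUS_T run_traced_open_process(unsigned pid)
{
    install_hooks();
    trace_reset();
    return app_iat[0].target(pid);
}
/* A call that bypasses the IAT (address obtained another way, e.g. via
 * GetProcAddress, or a direct syscall stub): the hooks never run. */
NTSTATUS_T run_untraced_direct_call(unsigned pid)
{
    install_hooks();
    trace_reset();
    return nt_open_process(pid);
}

int main(void)
{
    run_traced_open_process(1234);
    for (int i = 0; i < trace_count(); i++)
        puts(trace_line(i));
    return 0;
}
```

Run stand-alone it prints the two-level chain `OpenProcess [APP -> KERNEL32]` followed by `  NtOpenProcess [KERNEL32 -> NTDLL]`. The second entry point shows the limit that matters for this thread: a call that does not pass through the patched slot is invisible to an IAT hook, and once ntdll's stub traps into the kernel no user-mode hook sees anything further. That is why the NtOpenProcess -> PsLookupProcessByProcessId part of the chain needs instrumentation on the kernel side (a system-call hook of the NTSpy kind, or a kernel debugger) rather than a user-mode API spy.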
ASKER
Any idea, wnross?
Hi zgrp,
No secrets to recompiling here, I've set up a test bench and just started to see where it may be breaking.
-Bill
It's an MS tool, a version of which is usually supplied with Visual Studio. The tool allows you to see what DLLs are linked from your executable and what functions are actually used from those DLLs.
Ideally, you use the profiling feature to see the actual runtime behavior.
Now, that doesn't entirely answer your question, but it is a good baseline and should be informative.
As for the rest, well, I'm unsure of any tools which will discriminate user-mode vs kernel calls, but I used to use CC-RIDER when I was doing device driver development for Windows. It gave excellent call-tree graphs:
http://www.cc-rider.com/
That was several (!!) years ago, so the technology landscape has changed; here's a new (brief) survey:
* CScout (CScout Public License)
http://www.spinellis.gr/cscout/
* Understand for C/C++ (commercial)
http://www.scitools.com/ucpp.html
* Visual Studio has a call browser:
http://msdn2.microsoft.com/en-us/library/z3zaa390.aspx
Hope that gets you started
Cheers,
-Bill