Jamil
Reputation: 2160
Recording Syscalls in windows
I have been searching for some time now on ways to get syscalls in realtime on windows. I have looked at couple of posts here at stackoverflow and elsewhere but could not find anything easy enough that I could follow. I have looked at procmon but its output has been pretty unstable. Same binary on two systems has generated different number of entries. Perhaps I lack the pre-requisite knowledge to do such stuff. Any help/recommendation is welcome.
I have looked at these link before:
- System Calls in windows & Native API?
- http://www.codeguru.com/cpp/w-p/system/devicedriverdevelopment/article.php/c8035
- http://technet.microsoft.com/en-us/sysinternals/bb897447.aspx
Regards
Upvotes: 0
Views: 1571
Answers (2)
Roland Pihlakas
Reputation: 4573
If You are satisfied with sampling approach then You could try this:
typedef struct _THREAD_LAST_SYSCALL_INFORMATION
{
PVOID FirstArgument;
USHORT SystemCallNumber;
} THREAD_LAST_SYSCALL_INFORMATION, *PTHREAD_LAST_SYSCALL_INFORMATION;
THREAD_LAST_SYSCALL_INFORMATION lastSystemCall;
NtQueryInformationThread(
hThread,
ThreadLastSystemCall,
&lastSystemCall,
sizeof(THREAD_LAST_SYSCALL_INFORMATION),
NULL
);
where ThreadLastSystemCall = 21
Upvotes: 0
Related Questions
- Monitoring certain system calls done by a process in Windows
- Viewing how Windows syscalls are handled by OS
- Capturing Win32 messages
- How to monitor Windows system API calls an application makes?
- Keeping a log of system calls
- Determine underlying calls triggered by Windows GUI action
- How can I track system call in win32 API program with debugger(VS 2013)?
- Low-overhead I/O monitoring on Windows
- Listen to WM_SYSCOMMAND Events
- Consuming Windows NT Kernel System Call Trace Session Dumps