Windows User Mode Process Syscall Tracing With ETW

Submitted by 半腔热情 on 2019-12-06 12:09:05

Question


I have been told by a few people that ETW provides a mechanism by which to capture syscalls made by user mode processes. I have enumerated the available providers and have only come up with two possible that might provide this information. The first was Microsoft-Windows-Kernel-Audit-API-Calls. This provider shows me the following data:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
	<System>
		<Provider Name="Microsoft-Windows-Kernel-Audit-API-Calls" Guid="{e02a841c-75a3-4fa7-afc8-ae09cf9b7f23}" />
		<EventID>5</EventID>
		<Version>0</Version>
		<Level>4</Level>
		<Task>0</Task>
		<Opcode>0</Opcode>
		<Keywords>0x0</Keywords>
		<TimeCreated SystemTime="2017-06-01T11:59:05.831179100-0500" />
		<Correlation ActivityID="{00000000-0000-0000-0000-000000000000}" />
		<Execution ProcessID="1860" ThreadID="9628" ProcessorID="1" KernelTime="210" UserTime="1260" />
		<Channel />
		<Computer />
	</System>
	<EventData>
		<Data Name="TargetProcessId">4294967295</Data>
		<Data Name="DesiredAccess"> 1052672</Data>
		<Data Name="ReturnCode">3221225483</Data>
	</EventData>
	<RenderingInfo Culture="en-US">
		<Level>Information </Level>
		<Opcode>Info </Opcode>
		<Provider>Microsoft-Windows-Kernel-Audit-API-Calls </Provider>
	</RenderingInfo>
</Event>

This looks promising, but does the EventId correspond to the syscall name? Is there any documentation detailing what the EventId actually signifies? I could not find anything relevant on MSDN or elsewhere. I'm specifically looking for API calls such as NtCreateFile, NtCreateThreadEx, NtAllocateVirtualMemory, etc.

The other provider I looked into was the "Windows Kernel Trace". This one actually allows for keywords such as "syscall", which will then provide you with SysClEnter/SysClExit logs; however, these logs do not provide the process ID that initiated them nor the API. They instead just give what appears to be the kernel address of the syscall being entered.

Is anyone who is more familiar with the inner workings of ETW able to provide an answer on how you would collect this information via ETW?


Answer 1:


You can easily monitor system calls related to any process in Windows. From an administrator cmd prompt, run this command:

logman start "NT Kernel Logger" -p "Windows Kernel Trace" (syscall) -o sys.etl -ets

and then stop it

logman stop "NT Kernel Logger" -ets

Then parse the .etl file using tracerpt:

tracerpt sys.etl

You can see the syscall addresses in dumpfile.xml. Start WinDbg from the command line with this command:

windbg.exe -kl -c x*!nt*

You can see the addresses mapped to syscall names.
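The answer leaves the last step, joining the addresses in tracerpt's dumpfile.xml with the names WinDbg prints, as a manual exercise. The script below is an added example, not code from the question or the answer, that does that join offline: it parses SysClEnter events out of the dump, parses `x nt!*` style symbol lines, resolves each address to an NT API name, and counts calls per process. The XML and the symbol listing are constructed samples; the Data field name `SysCallAddress` and the exact layout of tracerpt's dump are assumptions, so adjust them to whatever your own dumpfile.xml shows. Events whose Execution element lacks a ProcessID (the situation the question describes) are kept with `pid=None`, and addresses with no matching symbol are flagged rather than silently dropped, since both are the cases a detection engineer most needs to notice.

```python
"""Join Windows Kernel Trace SysClEnter events with WinDbg nt!* symbols.

Added example; field names and sample data are constructed, not taken from
a real trace.  Assumption: tracerpt emits the entry address in a Data element
named "SysCallAddress".
"""
import re
import xml.etree.ElementTree as ET
from collections import Counter

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Constructed sample of a tracerpt dump (three SysClEnter, one SysClExit).
# The third enter has no ProcessID/ThreadID and an address no symbol covers.
SAMPLE_DUMP_XML = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Windows Kernel Trace" />
  <TimeCreated SystemTime="2017-06-01T12:00:00.000000100-0500" />
  <Execution ProcessID="1860" ThreadID="9628" ProcessorID="1" /></System>
 <EventData><Data Name="SysCallAddress">0xFFFFF8034B2A1C40</Data></EventData>
 <RenderingInfo Culture="en-US"><Opcode>SysClEnter </Opcode></RenderingInfo>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Windows Kernel Trace" />
  <TimeCreated SystemTime="2017-06-01T12:00:00.000000200-0500" />
  <Execution ProcessID="1860" ThreadID="9628" ProcessorID="1" /></System>
 <EventData><Data Name="SysCallAddress">0xFFFFF8034B2A1C40</Data></EventData>
 <RenderingInfo Culture="en-US"><Opcode>SysClExit </Opcode></RenderingInfo>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Windows Kernel Trace" />
  <TimeCreated SystemTime="2017-06-01T12:00:00.000000300-0500" />
  <Execution ProcessID="4120" ThreadID="4132" ProcessorID="0" /></System>
 <EventData><Data Name="SysCallAddress">0xFFFFF8034B1F0A30</Data></EventData>
 <RenderingInfo Culture="en-US"><Opcode>SysClEnter </Opcode></RenderingInfo>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Windows Kernel Trace" />
  <TimeCreated SystemTime="2017-06-01T12:00:00.000000400-0500" />
  <Execution ProcessorID="1" /></System>
 <EventData><Data Name="SysCallAddress">0xFFFFF8034B000000</Data></EventData>
 <RenderingInfo Culture="en-US"><Opcode>SysClEnter </Opcode></RenderingInfo>
</Event>
</Events>"""

# Constructed sample in the shape WinDbg prints for "x nt!Nt*" (addresses made up).
SAMPLE_WINDBG_OUTPUT = """fffff803`4b2a1c40 nt!NtCreateFile (NtCreateFile)
fffff803`4b1f0a30 nt!NtAllocateVirtualMemory (NtAllocateVirtualMemory)
fffff803`4b2c3e80 nt!NtCreateThreadEx (NtCreateThreadEx)
"""

# 64-bit address written as hi`lo, then the nt!Name symbol.
SYMBOL_RE = re.compile(r"([0-9a-fA-F]{8})`([0-9a-fA-F]{8})\s+nt!(\w+)")


def parse_symbol_map(windbg_output: str) -> dict:
    """Map each nt! symbol address to its function name."""
    return {int(hi + lo, 16): name for hi, lo, name in SYMBOL_RE.findall(windbg_output)}


def _data_fields(event) -> dict:
    """Collect <Data Name=...> children as a name -> text dict."""
    return {d.get("Name"): (d.text or "").strip() for d in event.iter(NS + "Data")}


def _int_attr(elem, attr):
    """Return an integer attribute, or None when the element/attribute is absent."""
    value = elem.get(attr) if elem is not None else None
    return int(value) if value else None


def parse_syscall_enters(dump_xml: str) -> list:
    """Extract SysClEnter events (SysClExit carries no address, so it is skipped)."""
    events = []
    for ev in ET.fromstring(dump_xml).iter(NS + "Event"):
        opcode = ev.findtext(f"{NS}RenderingInfo/{NS}Opcode", default="").strip()
        if opcode != "SysClEnter":
            continue
        addr_text = _data_fields(ev).get("SysCallAddress", "")
        if not addr_text:
            continue
        # tracerpt may print the address as hex (0x...) or decimal; accept both.
        address = int(addr_text, 16) if addr_text.lower().startswith("0x") else int(addr_text)
        exe = ev.find(f"{NS}System/{NS}Execution")
        tc = ev.find(f"{NS}System/{NS}TimeCreated")
        events.append({
            "time": tc.get("SystemTime") if tc is not None else None,
            "pid": _int_attr(exe, "ProcessID"),
            "tid": _int_attr(exe, "ThreadID"),
            "address": address,
        })
    return events


def resolve(events: list, symbols: dict) -> list:
    """Attach an API name to each event; unknown addresses are flagged, not dropped."""
    resolved = []
    for e in events:
        name = symbols.get(e["address"])
        resolved.append({**e,
                         "name": name or f"<unresolved:0x{e['address']:016X}>",
                         "resolved": name is not None})
    return resolved


def summarize(resolved: list) -> Counter:
    """Count syscalls per (pid, name); pid is None when the trace did not record it."""
    return Counter((e["pid"], e["name"]) for e in resolved)


if __name__ == "__main__":
    table = resolve(parse_syscall_enters(SAMPLE_DUMP_XML),
                    parse_symbol_map(SAMPLE_WINDBG_OUTPUT))
    for (pid, name), count in sorted(summarize(table).items(), key=str):
        print(f"pid={pid!s:>6}  {name:<40} {count}")
```

To use it on real data, replace the two sample strings with the contents of dumpfile.xml and the saved WinDbg listing; the symbol map only matches exact function-entry addresses, so a kernel rebooted since the symbols were captured (different load address) shows up as a wall of unresolved entries, which is the cue to re-run the `x nt!*` step rather than trust stale names.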



Source: https://stackoverflow.com/questions/44338796/windows-user-mode-process-syscall-tracing-with-etw
