
ntstrace

This tool is a Windows NT native application designed to trace system calls (the Native API) and parts of the RTL, much like Unix strace, without installing a device driver (which is sometimes used to monitor the system service table), while still tracing calls at the lowest level available to user mode.

The tool creates the target process and inserts wrappers for ntdll functions before its first thread executes. On every such call the wrapper code runs, writing the known information to the standard output handle inherited from the parent ntstrace process. This even allows monitoring loader initialization, which is quite hard to do with an ordinary user-mode debugger.

LdrInitializeThunk(...);
NtContinue(...);
RtlUserThreadStart(...);
mainCRTStartup(...);
main(...);
NtTerminateProcess(...);

How to

The traced process is created with the following command, which redirects the output handle to the file trace.log. If output redirection is not set, the process will not write logs to the console, since NtWriteFile is used and the console output handle is not a file object.

ntstrace.exe C:\windows\notepad.exe arguments.txt > trace.log

Trace log will contain something like this:

(12C8.1378): NtQuerySymbolicLinkObject( LinkHandle = 0x0000000C = \KnownDlls\KnownDllPath ) = 0x00000000 LinkTarget = C:\Windows\system32 ReturnedLength = 0x00000028
(12C8.1378): NtClose( ObjectHandle = 0x0000000C = \KnownDlls\KnownDllPath ) = 0x00000000
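A parser for this log format, added here as an example (it is not code from ntstrace itself). It assumes that when several arguments are printed they are separated by ", " (the two lines above show only one argument each); handle-to-name resolution and NTSTATUS severity decoding follow from what the lines show.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the two trace lines quoted on this page.
SAMPLE_LOG = r"""(12C8.1378): NtQuerySymbolicLinkObject( LinkHandle = 0x0000000C = \KnownDlls\KnownDllPath ) = 0x00000000 LinkTarget = C:\Windows\system32 ReturnedLength = 0x00000028
(12C8.1378): NtClose( ObjectHandle = 0x0000000C = \KnownDlls\KnownDllPath ) = 0x00000000"""

# Line shape: "(PID.TID): Func( args ) = 0xNTSTATUS [output name = value ...]"
# Assumption: when several arguments are printed they are separated by ", ".
LINE_RE = re.compile(
    r"^\((?P<pid>[0-9A-Fa-f]+)\.(?P<tid>[0-9A-Fa-f]+)\): "
    r"(?P<func>\w+)\((?P<args>.*?)\) = (?P<status>0x[0-9A-Fa-f]{8})"
    r"(?: (?P<outs>.*))?$")
# "Name = value" pairs printed on return; a value runs until the next " Name = " or end of line.
PAIR_RE = re.compile(r"(\w+) = (.*?)(?= \w+ = |$)")

@dataclass
class Call:
    pid: int
    tid: int
    func: str
    args: dict = field(default_factory=dict)     # name -> raw value, e.g. "0x0000000C = \KnownDlls\KnownDllPath"
    status: int = 0                              # NTSTATUS returned by the call
    outputs: dict = field(default_factory=dict)  # values printed on return (LinkTarget, ReturnedLength, ...)

    def failed(self) -> bool:
        # NTSTATUS severity is in bits 30-31: 0 success, 1 informational, 2 warning, 3 error.
        return (self.status >> 30) >= 2

def parse_line(line: str):
    """Return a Call for one trace line, or None if the line is not in the trace format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    args = {}
    for chunk in (c.strip() for c in m["args"].split(", ")):
        if chunk:
            name, _, value = chunk.partition(" = ")
            args[name] = value
    outs = dict(PAIR_RE.findall(m["outs"])) if m["outs"] else {}
    return Call(int(m["pid"], 16), int(m["tid"], 16), m["func"], args, int(m["status"], 16), outs)

def parse_log(text: str) -> list:
    return [c for c in map(parse_line, text.splitlines()) if c is not None]

def resolved_handle(value: str):
    # Split a handle argument "0x0000000C = \KnownDlls\KnownDllPath" into (handle, object name).
    handle, _, name = value.partition(" = ")
    return int(handle, 16), (name or None)
```

Running parse_log over a real trace.log and filtering on Call.failed() gives the failing Native API calls first, which is usually where an investigation of a misbehaving process starts.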



Downloads: free for personal non-commercial use


Beta builds

Architecture     Build     Package
Windows 7 x86    1.0.1.0   ZIP 25 Kb



Release notes

  • The published tool is quite an early beta. Don't expect a very stable, universal, multi-purpose program.
  • The process creation and startup mechanism in Windows NT is not a fixed algorithm. The utility was written and tested under Windows 7 x86 and could fail on other versions.
  • Only x86 processes on x86 systems are traced. Tracing WOW64 processes on x64 systems was neither studied nor tested.
  • It is not always possible to infer what to print on call and on return for a given API call from the function prototype alone. Moreover, a large part of the NT API is not documented. Every such unknown call is printed as a void function taking 10 integers. Sometimes this is not enough (e.g. NtCreateFile has 11 arguments), but more often some garbage such as the return frame is printed along with the real arguments.
  • The activation context for a new process is created by the Win32 subsystem (not by the process itself), so it cannot be traced inside the child process.
  • There are many different strace implementations for Windows, each with different purposes, requirements and abilities. Some of them are listed here.

New Versions of ntstrace

I have some plans to make some kind of extendable tool from ntstrace, e.g. allowing writing DLL modules with custom argument printers (argument unpacking) or allowing tracing of an arbitrary module, not only ntdll. If you have something to suggest, it's the right time to write me your ideas.





Copyright © 2006-2011 Vasily Tarasov.