Windows User Mode Process Syscall Tracing With ETW
I have been told by a few people that ETW provides a mechanism by which to capture syscalls made by user mode processes. I have enumerated the available providers and have only come up with two possible providers that might provide this information. The first was Microsoft-Windows-Kernel-Audit-API-Calls. This provider shows me the following data:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Kernel-Audit-API-Calls" Guid="{e02a841c-75a3-4fa7-afc8-ae09cf9b7f23}" />
    <EventID>5</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x0</Keywords>
    <TimeCreated SystemTime="2017-06-01T11:59:05.831179100-0500" />
    <Correlation ActivityID="{00000000-0000-0000-0000-000000000000}" />
    <Execution ProcessID="1860" ThreadID="9628" ProcessorID="1" KernelTime="210" UserTime="1260" />
    <Channel />
    <Computer />
  </System>
  <EventData>
    <Data Name="TargetProcessId">4294967295</Data>
    <Data Name="DesiredAccess">1052672</Data>
    <Data Name="ReturnCode">3221225483</Data>
  </EventData>
  <RenderingInfo Culture="en-US">
    <Level>Information</Level>
    <Opcode>Info</Opcode>
    <Provider>Microsoft-Windows-Kernel-Audit-API-Calls</Provider>
  </RenderingInfo>
</Event>
This looks promising, but does the EventId correspond to the syscall name? Is there any documentation detailing what the EventId actually signifies? I could not find anything relevant on MSDN or elsewhere. I'm specifically looking for API calls such as NtCreateFile, NtCreateThreadEx, NtAllocateVirtualMemory, etc.
The other provider I looked into was the "Windows Kernel Trace". This one actually allows for keywords such as "syscall", which will then provide you with SysClEnter/SysClExit logs; however, these logs do not provide the process id that initiated them nor the API. They instead just give what appears to be the kernel address of the syscall being entered.
Is anyone who is more familiar with the inner workings of ETW able to provide an answer on how you would collect this information via ETW?
You can easily monitor system calls related to any process in Windows. Using an administrator cmd prompt, run this command:
logman start "NT Kernel Logger" -p "Windows Kernel Trace" (syscall) -o sys.etl -ets
and then stop it:
logman stop "NT Kernel Logger" -ets
When you parse the .etl file using tracerpt:
tracerpt sys.etl
you can see syscall addresses in the dumpfile.xml. Using windbg and starting it from the command line with this command:
windbg.exe -kl -c x*!nt*
you can see the addresses mapped to syscall names.
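The answer above ends with two artifacts to join by hand: the SysClEnter addresses in tracerpt's dumpfile.xml and the address-to-name listing from windbg's `x nt!*`. The following script is an added example (not part of the question, the answer, or any Microsoft tool) that automates that join and produces a per-syscall histogram, which is what a defender would want for baselining or spotting unusual syscall mixes. Everything in it is an assumption to confirm against your own dump: that the kernel logger's syscall-enter event carries opcode 51 (SysClEnter, with 52 for SysClExit), that tracerpt renders the address in a Data element named "SysCallAddress", and that windbg's `x` output has the "hi`lo symbol" line shape; the XML fragment and symbol lines are constructed sample data, not captured from a real machine. It resolves each address to the nearest symbol at or below it and reports an offset when the match is not exact, so a missing symbol shows up as "name+0xNNN" rather than silently mapping to the wrong function. It does not recover the originating process id, which, as the question notes, the syscall events themselves do not carry.

```python
"""Resolve NT Kernel Logger syscall addresses to nt! symbol names.

Added example: joins a tracerpt-style dump with windbg 'x nt!*' output.
"""
import re
import xml.etree.ElementTree as ET
from bisect import bisect_right
from collections import Counter

EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVT_NS}

# Assumptions (not stated in the question or answer): SysClEnter is opcode 51,
# SysClExit is opcode 52, and tracerpt names the address field "SysCallAddress".
SYSCL_ENTER_OPCODE = 51
ADDR_FIELD = "SysCallAddress"

# Constructed tracerpt-style dumpfile.xml fragment; addresses are made up.
SAMPLE_DUMP = f"""<Events xmlns="{EVT_NS}">
  <Event><System><Opcode>51</Opcode></System>
    <EventData><Data Name="SysCallAddress">0xFFFFF80312345A10</Data></EventData></Event>
  <Event><System><Opcode>52</Opcode></System>
    <EventData><Data Name="SysCallAddress">0xFFFFF80312345A10</Data></EventData></Event>
  <Event><System><Opcode>51</Opcode></System>
    <EventData><Data Name="SysCallAddress">0xFFFFF80312340000</Data></EventData></Event>
  <Event><System><Opcode>51</Opcode></System>
    <EventData><Data Name="SysCallAddress">0xFFFFF80312345A10</Data></EventData></Event>
  <Event><System><Opcode>51</Opcode></System>
    <EventData><Data Name="SysCallAddress">0xFFFFF80312341000</Data></EventData></Event>
  <Event><System><Opcode>51</Opcode></System>
    <EventData><Data Name="SysCallAddress">0xFFFFF80300000000</Data></EventData></Event>
</Events>"""

# Constructed lines in the shape of windbg "x nt!Nt*" output; addresses are made up.
SAMPLE_SYMBOLS = """\
fffff803`12340000 nt!NtAllocateVirtualMemory (<no parameter info>)
fffff803`12345a10 nt!NtCreateFile (<no parameter info>)
fffff803`1234c000 nt!NtCreateThreadEx (<no parameter info>)
"""

# windbg prints 64-bit addresses as two 32-bit halves joined by a backtick.
SYM_LINE = re.compile(r"^\s*([0-9a-fA-F]{8})`([0-9a-fA-F]{8})\s+(\S+)")


def parse_windbg_symbols(text):
    """Return {address: symbol} from windbg 'x' output lines."""
    symbols = {}
    for line in text.splitlines():
        m = SYM_LINE.match(line)
        if m:
            symbols[int(m.group(1) + m.group(2), 16)] = m.group(3)
    return symbols


class SymbolResolver:
    """Nearest-symbol lookup: greatest symbol address <= the queried address."""

    def __init__(self, symbols):
        self.addrs = sorted(symbols)
        self.names = [symbols[a] for a in self.addrs]

    def resolve(self, addr):
        i = bisect_right(self.addrs, addr) - 1
        if i < 0:
            return None  # below every known symbol: nothing to attribute it to
        off = addr - self.addrs[i]
        return self.names[i] if off == 0 else f"{self.names[i]}+0x{off:x}"


def syscall_enter_addresses(xml_text):
    """Extract SysCallAddress values from SysClEnter events only (exits are skipped)."""
    root = ET.fromstring(xml_text)
    out = []
    for ev in root.iter(f"{{{EVT_NS}}}Event"):
        op = ev.findtext("e:System/e:Opcode", default="", namespaces=NS)
        if op.strip() != str(SYSCL_ENTER_OPCODE):
            continue
        for d in ev.findall("e:EventData/e:Data", NS):
            if d.get("Name") == ADDR_FIELD and d.text:
                out.append(int(d.text.strip(), 16))
    return out


def syscall_histogram(xml_text, symbol_text):
    """Count syscall entries per resolved symbol name."""
    resolver = SymbolResolver(parse_windbg_symbols(symbol_text))
    counts = Counter()
    for addr in syscall_enter_addresses(xml_text):
        counts[resolver.resolve(addr) or "<unresolved>"] += 1
    return counts


if __name__ == "__main__":
    for name, n in syscall_histogram(SAMPLE_DUMP, SAMPLE_SYMBOLS).most_common():
        print(f"{n:6d}  {name}")
```

To use it on real output, replace SAMPLE_DUMP with the contents of dumpfile.xml and SAMPLE_SYMBOLS with the windbg listing saved to a file, and first check one event by eye to confirm the opcode and field name before trusting the counts. The symbol listing must come from the same boot as the trace, since kernel ASLR changes the nt image base on every boot.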