Flag: Tornado!
Hurricane!
|
|
Topic created on: October 30, 2006 22:08 CST by kris  .
Can anyone recommend a tool for performing API monitoring on Windows?
I basically just want ltrace...with the ability to easily filter on the particular libraries/calls that I care about.
I've tried several, each of which has some fatal flaw:
1. rohitab.com API Monitor (Misses calls, crashes some processes on XP)
2. apimonitor.com API Monitor (Misses many calls)
3. autodebug.com Auto Debug (Can't custom define sets of calls, can't save results in free version, but probably the best I've found so far)
4. iDefense SysAnalyzer (limited API calls that it monitors, can't specify args for program being launched. Open source though, I should fix it instead of complaining ;-))
I've thought about building on top of PaiMei's hooking functionality to build my own, but before I go down that road I'd like to make sure I'm not reinventing the wheel.
Thanks,
-Kris
|
If I recall correctly WinDbg ships with an executable, logger.exe, that can accomplish this task. I think I may have used it once in the past so don't quote me on it.
|
Hey Kris,
For this purpose, I generally use windbg's logexts.dll. Logext's is really good for doing stuff that might bottleneck (like logging allocations/free's) but, it also has an module which will log specific calls into libraries you are interested in. I have included a snippit of the windbg logexts output below:
<snip>
0:003> !load logexts
0:003> !logexts.help
Windows API Logging Extensions v2.09
Main control:
!loge [dir] Enable logging. Output directory optional.
!logi [dir] Initialize but don't enable logging.
!logd Disable logging.
Output:
!logo List output settings.
!logo [e|d] [d|t|v] Enable/disable output:
d - Debugger
t - Text file
v - Verbose log
Categories:
!logc List all categories.
!logc p # List APIs in category #.
!logc [e|d] * Enable/disable all categories.
!logc [e|d] # [#] [#] ... Enable/disable category #.
Buffer access:
!logb p Print buffer contents to debugger.
!logb f Flush buffer to log files.
Module inclusion/exclusion:
!logm Display module inclusion/exclusion list.
!logm [i|x] [DLL] [DLL] ... Specify module inclusion/exclusion list.
</snip>
|
> sa7ori: Hey Kris,
> For this purpose, I generally use windbg\'s logexts.dll. Logext\'s is really good for doing stuff that might bottleneck (like logging allocations/free\'s) but, it also has an module which will log specific calls into libraries you are interested in. I have included a snippit of the windbg logexts output below:
> <snip>
>
> 0:003> !load logexts
> 0:003> !logexts.help
>
> Windows API Logging Extensions v2.09
>
> Main control:
> !loge [dir] Enable logging. Output directory optional.
> !logi [dir] Initialize but don\'t enable logging.
> !logd Disable logging.
>
> Output:
> !logo List output settings.
> !logo [e|d] [d|t|v] Enable/disable output:
> d - Debugger
> t - Text file
> v - Verbose log
>
> Categories:
> !logc List all categories.
> !logc p # List APIs in category #.
> !logc [e|d] * Enable/disable all categories.
> !logc [e|d] # [#] [#] ... Enable/disable category #.
>
> Buffer access:
> !logb p Print buffer contents to debugger.
> !logb f Flush buffer to log files.
>
> Module inclusion/exclusion:
> !logm Display module inclusion/exclusion list.
> !logm [i|x] [DLL] [DLL] ... Specify module inclusion/exclusion list.
> </snip>
P.S. I have often wondered the most efficient way to do this (since we really cant set break on access for the whole range of a dll's mapped memory). I suspect that what most tools do is set break on access at base of the export table (or dllbase), but this makes me wonder if stuff might 'cache' resolved addresses to exports in the dll we wanna monitor, and if so how to monitor those calls. especially .NET stuff...
|
|
oops, sorry didnt meant to include quoted response in that last post.... i suck at computers.
|
Thanks for all the replies...
Plenty of new stuff to play with! I'll be exploring all the links (probably over the weekend) and post an update of my experiences...
|
|
Try API Monitor from http://kakeeware.com - select individual/multiple API by system dll or by 'groups' (by function type). Free, fast. Shows API call, caller, some args. Only thing I've seen better is TracePlus/Win32 ($$!!!!).
|
If you need something more flexible:
#needs pefile.py (dbkza.org) and hooking.py (utils dir)
from pefile import *
from hooking import *
from pydbg import *
from pydbg.defines import *
import sys
num_args=4
def create_entry(name):
def hook_entry(dbg,args):
print "\n>> %s" % name
for i in range(num_args):
arg=dbg.get_arg(i)
print "\targ %i : 0x%x" % (i,arg)
print "\t\t", dbg.smart_dereference(arg)
return DBG_CONTINUE
return hook_entry
def create_return(name):
def hook_return(dbg,args,retval):
print "<< %s retval: 0x%x" % (name,dbg.context.Eax)
return DBG_CONTINUE
return hook_return
def set_hooks(dbg):
print "setting hooks"
hc=hook_container()
for entry in pe.DIRECTORY_ENTRY_IMPORT:
for func in entry.imports:
print 'hook ',func.name," in ",entry.dll
if entry.dll != 'kernel32.dll':
hookadd=dbg.func_resolve_debuggee(entry.dll,func.name)
try:
hc.add(dbg,hookadd, 4, create_entry(func.name), create_return(func.name))
except:
print 'failed setting hook for %s' % func.name
print 'set hook'
print "done"
return DBG_CONTINUE
def set_hooks2(dbg):
print 'setting hooks'
return DBG_CONTINUE
try:
prog = sys.argv[1]
pid = int(sys.argv[2])
except:
print 'usage: %s [executable] [pid]' % sys.argv[0]
sys.exit()
pe=PE(prog)
print "pe parsed"
dbg=pydbg()
dbg.attach(pid)
set_hooks(dbg)
dbg.run()
|
> xz: If you need something more flexible:
This code gives me an idea about a problem I had some time ago. I was loosing hook calls (using the hooking lib) in some API intensive appz. Maybe cross-checking results from different tools would help in the diagnostic process. I'm putting it in my to-do list ;D
|
I recently found a program named WinAPIOverride32 which is very effective in spying on api functions(system and application independent) as well as injecting your own functions in place of the original. Other neat features is that you can choose to spy on only certain functions. This is the feature I like the most because I made a Vulnerable Function file that the program gets the functions to watch from. the file obviously includes functions such as lstrcpy, lstrcmp, sprintf, etc. Also WinAPIOverride32 has VERY good documentation and has a pretty intuitive interface. The documentation also includes some tutorials on how to use the different features (which is too many for me to list here). All-in-all I don't know if you have found the api spy that you/anybody is looking for, but this one is something that should be checked out. You can find it at http://jacquelin.potier.free.fr/winapioverride32/
--Austyn
|
Our team has recently launched a free tool to monitor API calls and interact with them (i.e: changing parameters, breaking on the call), we would be glad to hear your opinions for current & next releases. You can see the details on http://www.nektra.com/products/spystudio/index.php
srw
|
Hi all,
I checked out kerberos, which seems very nice indeed (thanks nezumi).
All others don't seem to be able to trace all the functions I want, or don't attach to running processes or whatever.
I have a couple of issues with kerberos though:
- So far as I can see, it doesn't deal with multi-threading at all (beyond doing some primitive synchronization by setting a flag).
- It writes directly to a file, so how does it work when tracing file-writing APIs (i.e. how does it avoid infinite recursion?)
There is also a bit of code which I don't get, but I'll post another thread on that.
I've been working on my own hooking engine which uses hot-patch style hooking and my own pure user-mode logging engine (i.e. it never calls out of the hooking module during trace - thereby making infinite recursions impossible), but have run into a number of issues related to stack corruption.
Does anyone have a good detours based engine which can hook all exports of any library?
|
|
If you examine the code in kerberos a little more, you see the hook code set that global to 1 for "executing hook" then it changes it to 0 after it is done executing. If you read a little further into the code, you'll see that when it makes an intercept, it restores every API back to original bytes, then on return, it places the jumps back on top of every API. Ugly, but prevents recursion when it goes to write.
|
|
is there any "reliable" api monitor for kernel mode?
|
Note: Registration is required to post to the forums.
|
|
|
|
There are 31,320 total registered users.
|
|
![[+] expand](/imagery/files/soysauce_blueprint.gif){kind=link}