strace on Linux.
ntdll.dll. It is not very well documented, and changes between versions of Windows, but tracing execution of an application at this level can provide a clear view of its use of the operating system.
NtTrace uses the debugging interface on Windows to intercept the returns from the native API and display the input arguments and return code. Return codes are translated to Windows error codes and error messages where possible.
Example:
Options:
* The full list of categories is soft-configured from NtTrace.cfg. As supplied the list is: Atom, Debug, Device, Environment, File, Job, LPC, Memory, Object, Other, Process, Registry, Security, Synchronization and Time.
You can either use NtTrace.exe and NtTrace.cfg unchanged, or rebuild from the source.
Build instructions for Microsoft Visual Studio
At a Visual Studio command prompt type 'nmake -f NtTrace.mak'
Note for Visual Studio 6
You need to ensure the Platform SDK is installed to pick up psapi.h/lib and DbgHelp.h/lib.
(See Readme.txt for full details)
Version 967 - 17-Nov-2011
Syntax:
C:> NtTrace -filter File cmd
Process 2428 starting at 4AD0B814
Loaded DLL at 77F40000 ntdll.dll
NtOpenFile( FileHandle=0x12fb38 [0x14], DesiredAccess=SYNCHRONIZE|0x20, ObjectAttributes="\??\C:\WWW\NtTrace\", IoStatusBlock=0x0012FAE4 [0/1], ShareAccess=3, OpenOptions=0x21 ) => 0
NtQueryVolumeInformationFile( FileHandle=0x14, IoStatusBlock=0x0012FAE4 [0/8], FsInformation=0x12faf4, Length=8, FsInformationClass=4 [FileFsDeviceInformation] ) => 0
NtFsControlFile( FileHandle=0x14, Event=0, UserApcRoutine=null, UserApcContext=null, UserIoStatus=0x0012F754 [0/0], FsControlCode=0x00090028, InputBuffer=null, InputBufferLength=0, OutputBuffer=null, OutputBufferLength=0 ) => 0
NtQueryAttributesFile( ObjectAttributes="\??\C:\WINDOWS\system32\cmd.exe.Local", Attributes=0x0012FADC [0] ) => 0xc0000034
[2 'The system cannot find the file specified.']
...
NtWriteFile( FileHandle=4, Event=0, ApcRoutine=null, ApcContext=null, IoStatusBlock=0x0012FD8C [0/0x29], Buffer=0x4ad30e40, Length=0x29, ByteOffset=null, Key=null ) => 0
NtQueryVolumeInformationFile( FileHandle=4, IoStatusBlock=0x0012FB80 [0/8], FsInformation=0x12fb88, Length=8, FsInformationClass=4 [FileFsDeviceInformation] ) => 0
NtWriteFile( FileHandle=4, Event=0, ApcRoutine=null, ApcContext=null, IoStatusBlock=0x0012FB48 [0/2], Buffer=0x4ad30e40, Length=2, ByteOffset=null, Key=null ) => 0
NtQueryVolumeInformationFile( FileHandle=4, IoStatusBlock=0x0012FB84 [0/8], FsInformation=0x12fb8c, Length=8, FsInformationClass=4 [FileFsDeviceInformation] ) => 0
C:\WWW\NtTrace>NtWriteFile( FileHandle=4, Event=0, ApcRoutine=null, ApcContext=null, IoStatusBlock=0x0012FB4C [0/0xf], Buffer=0x4ad30e40, Length=0xf, ByteOffset=null, Key=null ) => 0
Process 2428 exit code: 0
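As an added example (not part of NtTrace or of this page's original content), the following Python parses trace lines in the output format shown above: it attaches the Win32 error annotation to the failing call on the preceding line, tolerates a cmd.exe prompt interleaved with a trace line, and lists calls whose NTSTATUS is not a success code. The sample lines are constructed from the output above; the regular expressions are assumptions about the format, not NtTrace's own grammar.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the NtTrace output format shown above: a failing call is followed by
# its Win32 translation on the next line, and the traced cmd.exe prompt can be interleaved
# with a trace line because both programs write to the same console.
SAMPLE = r"""
NtOpenFile( FileHandle=0x12fb38 [0x14], DesiredAccess=SYNCHRONIZE|0x20, ObjectAttributes="\??\C:\WWW\NtTrace\", IoStatusBlock=0x0012FAE4 [0/1], ShareAccess=3, OpenOptions=0x21 ) => 0
NtQueryAttributesFile( ObjectAttributes="\??\C:\WINDOWS\system32\cmd.exe.Local", Attributes=0x0012FADC [0] ) => 0xc0000034
[2 'The system cannot find the file specified.']
C:\WWW\NtTrace>NtWriteFile( FileHandle=4, Event=0, ApcRoutine=null, ApcContext=null, IoStatusBlock=0x0012FB4C [0/0xf], Buffer=0x4ad30e40, Length=0xf, ByteOffset=null, Key=null ) => 0
Process 2428 exit code: 0
"""

# "Nt<Name>( <args> ) => <status>", optionally preceded by an interleaved prompt ending in '>'
CALL_RE = re.compile(r"^(?:.*?>)?\s*(Nt\w+)\((.*)\) => (0x[0-9A-Fa-f]+|\d+)$")
# name=value pairs; quoted values (object names) may contain commas, so take them whole
ARG_RE = re.compile(r'(\w+)=("[^"]*"|.*?)(?=, \w+=|$)')
# "[<win32 code> '<message>']" annotation that NtTrace prints after a failing call
ERR_RE = re.compile(r"^\[(\d+) '(.*)'\]$")

@dataclass
class Call:
    name: str
    args: dict
    status: int                        # raw NTSTATUS as returned by the call
    win32_error: Optional[int] = None  # translated Win32 code, when NtTrace printed one
    message: str = ""

def nt_success(status: int) -> bool:
    # NT_SUCCESS: severity bits are 00 (success) or 01 (informational)
    return status < 0x80000000

def parse_trace(text: str) -> list:
    calls = []
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if m:
            name, raw_args, status = m.groups()
            value = int(status, 16) if status.lower().startswith("0x") else int(status)
            calls.append(Call(name, dict(ARG_RE.findall(raw_args.strip())), value))
            continue
        e = ERR_RE.match(line)
        if e and calls:  # the annotation belongs to the call on the preceding line
            calls[-1].win32_error, calls[-1].message = int(e.group(1)), e.group(2)
    return calls

def failed_calls(calls: list) -> list:
    return [c for c in calls if not nt_success(c.status)]
```

Run over a saved `-out` file, `failed_calls` gives a quick view of which object names a program probed and did not find, which is often the first thing to look at when triaging an unexpected behaviour.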
nttrace [-a] [-e] [-errors *] [-export *] [-filter *] [-category *] [-nonames] [-noexcept] [-out *] [-pre] [-stack] [-time] [-delta] [-pid] [-tid] [pid | cmd]

-a          attach to existing process <cmd> rather than starting a fresh <cmd>
-e          Only log errors
-errors     Comma delimited list of error codes to filter on
-export     Export symbols once loaded [for testing]
-filter     Comma delimited list of substrings to filter on
-category   Comma delimited list of categories to trace (eg File,Process,Registry, ? for list) *
-nonames    Don't name arguments
-noexcept   Don't process exceptions
-out        Output file
-pre        Trace pre-call as well as post-call
-stack      show stack trace
-time       show timestamp
-delta      show delta time
-pid        show process ID
-tid        show thread ID
Download NtTrace as:
'nmake -f NtTrace.mak'
Version 1120 - 07-Apr-2012
Recent changes:
If you have any queries or comments about NtTrace, please email