Monday, April 20, 2009 11:05

Hello everyone,

I want to monitor what happens in the kernel after an application calls a specific API, such as Sleep or HeapAlloc. I find it difficult to associate a user-mode API with a kernel function, since the source code of kernel32.dll and ntdll.dll hasn't been opened. At present, the best solution for me is guessing... Do you have any good advice?

Thanks in advance.

Jason
All replies
Monday, April 20, 2009 22:46

Hello Jason,
Did you try to put a breakpoint on your call (under debugger) and get the stack trace?
Tuesday, April 21, 2009 02:04

Hello Serge, thanks for your reply.

Should I set the breakpoint in user mode or kernel mode? If in user mode, I can set a breakpoint, but I cannot step into the user-mode API due to lack of source code. If in kernel mode, I don't know where to set the breakpoint. My idea is to know, when I call Sleep or HeapAlloc in user mode, which kernel function the kernel uses to handle the API call.
Tuesday, April 21, 2009 09:03

Hi Jason,
To get a first impression of what's going on in the kernel, you may want to use Process Monitor from the Sysinternals tool suite. As far as I remember, this tool allows you to monitor a process and detect what system calls occurred within the threads of the process. You may also provide Windows kernel debug information to the tool via the Microsoft Symbol Server in order to resolve system call function names to a virtual address.

Also, if you want to issue a breakpoint into the kernel, WinDbg (or KD) allows you to specify symbolic names, e.g. bp nt!NtCreateProcess if you want to break into the CreateProcess system call. From that onwards, you may use the disassembly tool of WinDbg to get an idea of what's going on.
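The two suggestions above (Serge's "break on the call and read the stack trace" and the symbolic kernel breakpoint with WinDbg/KD) can be combined into one short debugging session that answers the original question for Sleep and HeapAlloc without any kernel32/ntdll source. The command sequence below is an added example written for this thread, not something posted by any of the participants. It assumes a test program named app.exe and a kernel debugger already connected to the target machine; the comment lines (starting with $$) describe what each step shows, and the concrete function names are the ones WinDbg resolves from the public Microsoft symbols.

```windbg
$$ ---- Session 1: user-mode WinDbg attached to app.exe (no kernel needed yet) ----
.symfix
.reload
$$ Break on the documented API itself and read the call stack (Serge's suggestion).
bp kernel32!Sleep
g
k
$$ The frames below kernel32!Sleep end in an ntdll!Nt* stub; for Sleep that stub is
$$ ntdll!NtDelayExecution. It is the last user-mode function before the kernel.
bp ntdll!NtDelayExecution
g
$$ Disassemble the stub: it loads the system service number into eax and then
$$ executes the system-call entry (sysenter/syscall). The kernel handler has the
$$ same name with the nt! prefix, so this is the user-mode -> kernel link.
u @$ip L8
$$ HeapAlloc is different: kernel32!HeapAlloc forwards to ntdll!RtlAllocateHeap,
$$ which normally satisfies the request from memory the heap already owns and never
$$ enters the kernel. Only when the heap must grow does it call
$$ ntdll!NtAllocateVirtualMemory, i.e. nt!NtAllocateVirtualMemory on the kernel side.
bp ntdll!RtlAllocateHeap
bp ntdll!NtAllocateVirtualMemory "k; gc"
g

$$ ---- Session 2: kernel debugger (WinDbg/KD over the debug cable) ----
$$ Restrict the kernel breakpoint to our process so other threads calling Sleep
$$ do not stop the machine. !process prints the EPROCESS address for app.exe;
$$ <EPROCESS> below is a placeholder for that value.
!process 0 0 app.exe
bp /p <EPROCESS> nt!NtDelayExecution
g
$$ The kernel stack now shows nt!NtDelayExecution called from the system-service
$$ dispatcher; single-step (t) or disassemble (u) from here to follow the kernel side.
k
u nt!NtDelayExecution L20
```

Once the ntdll!Nt* stub for a given API is known, the same two steps (break on the stub in user mode, then bp /p <EPROCESS> nt!Nt* in the kernel debugger) work for any other API; the only guesswork left is for APIs such as HeapAlloc that reach the kernel only on some calls, which the conditional breakpoint with "k; gc" exposes by printing a stack each time it happens.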