How could I know what happen in kernel when I call a user mode API

All replies

• 

  

  1

  Sign in to vote

  Hello Jason,
  
  Did you try to put a breakpoint on your call (under debugger) and get the stack trace?
  
  Thanks,
  Serge

  Monday, April 20, 2009 10:46 PM
• 

  

  0

  Sign in to vote

  Hello Serge, thanks for your reply.

  
  

  Should I set the breakpoint in user mode or kernel mode?

  If in user mode, I can set break point, but I can not step into the user mode API dure to lack of source code.

  If in kernel mode, I don't know where to set the breakpoint. My idea is to know when I call Sleep or HeapAlloc in user mode, which kernel function does the kernel use to handle the API call.

  ---

  最近有了小宝宝，他比较淘气，所以来这里的时间少了挺多。非常抱歉。

  Tuesday, April 21, 2009 2:04 AM
• 

  

  1

  Sign in to vote

  Hi Jason,
  
  To get a first impression what's going on in the kernel, you may want to use the process monitor of the Sysinternals tool suite. As far as I remember this tool allows you to monitor a process and detect what system calls occurred within the threads of the process. You may also provide Windows kernel debug information to the tool via the Microsoft Symbol Server in order to resolve system call function names to a virtual address.
  
  Also, if you want to issue a break point into the kernel, WinDbg (or KD) allows you to specify symbolic names, e.g. bp nt!NtCreateProcess if you want to break into the CreateProcess system call. From that onwards, you may use the disassembly tool of WinDbg to get an idea of what's going on.
  
  Best regards,
  Alex

  ---

  http://www.dcl.hpi.uni-potsdam.de/research/WRK

  Tuesday, April 21, 2009 9:03 AM