How could I know what happen in kernel when I call a user mode API RRS feed

  • Question

  • Hello everyone,

    I want to monitor what happen in kernel after application call a specific API, such as Sleep or HeapAlloc.
    I find it is difficult to associate a user mode API with a kernel function, since the source code of kernel32.dll and ntdll.dll haven't been opened.
    At present, the best solution is guess for me.... Do you have any good advice? 

    Thanks in advance.

    Monday, April 20, 2009 11:05 AM

All replies

  • Hello Jason,

    Did you try to put a breakpoint on your call (under debugger) and get the stack trace?

    Monday, April 20, 2009 10:46 PM
  • Hello Serge, thanks for your reply.

    Should I set the breakpoint in user mode or kernel mode?
    If in user mode, I can set break point, but I can not step into the user mode API dure to lack of source code.
    If in kernel mode, I don't know where to set the breakpoint. My idea is to know when I call Sleep or HeapAlloc in user mode, which kernel function does the kernel use to handle the API call.

    Tuesday, April 21, 2009 2:04 AM
  • Hi Jason,

    To get a first impression what's going on in the kernel, you may want to use the process monitor of the Sysinternals tool suite. As far as I remember this tool allows you to monitor a process and detect what system calls occurred within the threads of the process. You may also provide Windows kernel debug information to the tool via the Microsoft Symbol Server in order to resolve system call function names to a virtual address.

    Also, if you want to issue a break point into the kernel, WinDbg (or KD) allows you to specify symbolic names, e.g. bp nt!NtCreateProcess if you want to break into the CreateProcess system call. From that onwards, you may use the disassembly tool of WinDbg to get an idea of what's going on.

    Best regards,
    Tuesday, April 21, 2009 9:03 AM