Name | Last modified | Size | Description | |
---|---|---|---|---|
Parent Directory | - | |||
strace.sys | 2002-04-20 00:03 | 553K | ||
strace.exe | 2002-01-23 02:15 | 440K | ||
strace-0.3.zip | 2005-10-19 16:20 | 311K | ||
strace-0.1.zip | 2002-04-10 16:24 | 225K | ||
ReadMe.html | 2000-03-07 22:02 | 6.2K | ||
README.html | 2003-01-31 12:14 | 9.0K | ||
LICENSE | 2003-01-31 12:14 | 2.4K | ||
[c:\strace] strace notepadand you should see something like:
1 133 139 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 2 133 139 NtCreateEvent (0x100003, 0x0, 1, 0, ... 8, ) == 0x0 3 133 139 NtAllocateVirtualMemory (-1, 1243984, 0, 1244028, 8192, 4, ... ) == 0x0 4 133 139 NtAllocateVirtualMemory (-1, 1243980, 0, 1244032, 4096, 4, ... ) == 0x0 5 133 139 NtAllocateVirtualMemory (-1, 1243584, 0, 1243644, 4096, 4, ... ) == 0x0 6 133 139 NtOpenDirectoryObject (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 12, ) == 0x0 7 133 139 NtOpenSymbolicLinkObject (0x1, {24, 12, 0x40, 0, 0, "KnownDllPath"}, ... 16, ) == 0x0 8 133 139 NtQuerySymbolicLinkObject (16, ... "C:\WINNT\system32", 0x0, ) == 0x0 9 133 139 NtClose (16, ... ) == 0x0 . . .
The first column is an identity, which lets you match up calls that don't complete immediately (and are broken onto two lines). The second and third columns are the process and thread ids of the thread making the call. Next is the name of the system call, the input parameters, three dots (...), then output parameters, and the return code.
You can also choose to strace a currently running process by specifying its pid, e.g., if you want to see what winlogon.exe does when you hit Ctrl-Alt-Del, find its pid with taskmgr, and then
[c:\strace] strace -p 34 1 34 33 NtUserPeekMessage (1244272, 0, 0, 0, 1, 1244192, ... ) == 0x1 2 34 33 NtUserLockWindowStation (68, ... ) == 0x1 3 34 33 NtUserOpenInputDesktop (0, 0, 33554432, ... ) == 0xd8 4 34 33 NtUserGetObjectInformation (216, 2, 0, 0, 1244100, ... ) == 0x0 5 34 33 NtUserGetObjectInformation (216, 2, 1294320, 16, 1244100, ... ) == 0x1 6 34 33 NtUserSwitchDesktop (84, ... 7 34 33 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Hardware\DeviceMap\Video"}, ... 244, ) == 0x0 8 34 33 NtQueryValueKey (244, "\Device\Video0", 1, -203229988, 512, -203229476, ... ) == 0x0 9 34 33 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Hardware Profiles\Current\System\CurrentControlSet\Services\mga64\Device0"}, ... 184, ) == 0x0 10 34 33 NtClose (244, ... ) == 0x0 . . .
You can choose to strace all processes, by specifying a pid of 0. Be sure to read the shortcomings section below before doing this.
strace [-e filterspec] [-o outputfile] [-p pid] [program-to-run args]
The available categories are as follows: ntos, win32k, system, object, memory, section, thread, process, job, token, synch, time, profile, port, file, key, security, misc, ntuser, ntgdi
The calls are divided up as in the chapters of Gary Nebbett's book Windows NT/2000 Native API Reference, except that his book doesn't cover the win32k calls, which I've broken down into ntuser and ntgdi calls.
strace -e ntos notepadMonitor notepad, but only the ntoskrnl calls, not the win32k ones.
strace -e !win32k notepadAnother way of saying the same thing.
strace -e port,section -p 82Monitor pid 82, but only for LPC port and section calls
strace -e !win32k,NtQueryDefaultLocale notepadMonitor notepad, but not win32k calls or NtQueryDefaultLocale
strace -o cmd.txt cmdMonitor cmd.exe, sending trace output to cmd.txt
The hooking is done by a device driver which also collects data. There is a user space application which loads the driver, tells it what to trace, and then pulls the data and prints it out.
Since NT doesn't provide a good means of putting proper security descriptors on devices (see sysinternals), and the workaround presented there is apparently still vulnerable to races, the strace device instead checks for the SeDebugPrivilege before allowing the user space application to open it. This means that by default, only administrators can run strace successfully. If non-admins are granted the SeDebugPrivilege, they'll be able to run strace as well, but the SeDebugPrivilege gives users multiple avenues of promoting themselves to admin, anyway.
Check out the source for all the gory details, although be warned that you need to be pretty up on the C preprocessor to understand it.
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\EnforceWriteProtectionto REG_DWORD 0. and reboot before using strace.
This disables the kernel from checking for errant memory overwrites, and is not a good thing, in general. It is currently necessary for strace because the system call table is write protected, and strace needs to modify it. Hopefully, a better solution will be found.