Strace for NT

Strace for NT is a debugging/investigation utility for examining the NT system calls made by a process. It is meant to be used like the strace (or truss) on linux and other unix OSes.

What's new?

A new release, 0.3 (there was no public 0.2 release), which adds lots of features.

Filtering of calls by category or individual name
Preliminary support for Windows XP (but see caveats below)
Preliminary support for Windows NT 4 Terminal Server
Many more system call arguments decoded
Strace automatically filters out its own noise when doing "strace -p 0"
Version checking between the app and driver

How do I use it?

Take the strace.exe and strace.sys from the distribution (or build them from the sources yourself), and put them together in some directory on your local hard disk. Then, just run, e.g.,

[c:\strace] strace notepad

and you should see something like:

1 133 139 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
2 133 139 NtCreateEvent (0x100003, 0x0, 1, 0, ... 8, ) == 0x0
3 133 139 NtAllocateVirtualMemory (-1, 1243984, 0, 1244028, 8192, 4, ... ) == 0x0
4 133 139 NtAllocateVirtualMemory (-1, 1243980, 0, 1244032, 4096, 4, ... ) == 0x0
5 133 139 NtAllocateVirtualMemory (-1, 1243584, 0, 1243644, 4096, 4, ... ) == 0x0
6 133 139 NtOpenDirectoryObject (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 12, ) == 0x0
7 133 139 NtOpenSymbolicLinkObject (0x1, {24, 12, 0x40, 0, 0, "KnownDllPath"}, ... 16, ) == 0x0
8 133 139 NtQuerySymbolicLinkObject (16, ... "C:\WINNT\system32", 0x0, ) == 0x0
9 133 139 NtClose (16, ... ) == 0x0
.
.
.

The first column is an identity, which lets you match up calls that don't complete immediately (and are broken onto two lines). The second and third columns are the process and thread ids of the thread making the call. Next is the name of the system call, the input parameters, three dots (...), then output parameters, and the return code.

You can also choose to strace a currently running process by specifying its pid, e.g., if you want to see what winlogon.exe does when you hit Ctrl-Alt-Del, find its pid with taskmgr, and then

[c:\strace] strace -p 34
1 34 33 NtUserPeekMessage (1244272, 0, 0, 0, 1, 1244192, ... ) == 0x1
2 34 33 NtUserLockWindowStation (68, ... ) == 0x1
3 34 33 NtUserOpenInputDesktop (0, 0, 33554432, ... ) == 0xd8
4 34 33 NtUserGetObjectInformation (216, 2, 0, 0, 1244100, ... ) == 0x0
5 34 33 NtUserGetObjectInformation (216, 2, 1294320, 16, 1244100, ... ) == 0x1
6 34 33 NtUserSwitchDesktop (84, ... 
7 34 33 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Hardware\DeviceMap\Video"}, ... 244, ) == 0x0
8 34 33 NtQueryValueKey (244, "\Device\Video0", 1, -203229988, 512, -203229476, ... ) == 0x0
9 34 33 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Hardware Profiles\Current\System\CurrentControlSet\Services\mga64\Device0"}, ... 184, ) == 0x0
10 34 33 NtClose (244, ... ) == 0x0
.
.
.

You can choose to strace all processes, by specifying a pid of 0. Be sure to read the shortcomings section below before doing this.

What are all of the command line options supported?

The full usage is:

strace [-e filterspec] [-o outputfile] [-p pid] [program-to-run args]

-o outputfile : send output to outputfile instead of console. Useful if tracing a console program, since redirecting with "> outputfile" doesn't work so well then.
-p pid : trace the system calls of a particular process, or all processes, if pid is 0
-e filterspec : only monitor some system calls, instead of all.

filterspec is a comma separated list of categories or individual system calls, with an optional '!' at the beginning to indicate you want everything but the indicated calls.

The available categories are as follows: ntos, win32k, system, object, memory, section, thread, process, job, token, synch, time, profile, port, file, key, security, misc, ntuser, ntgdi

The calls are divided up as in the chapters of Gary Nebbett's book Windows NT/2000 Native API Reference, except that his book doesn't cover the win32k calls, which I've broken down into ntuser and ntgdi calls.

Examples

strace -e ntos notepad

Monitor notepad, but only the ntoskrnl calls, not the win32k ones.

strace -e !win32k notepad

Another way of saying the same thing.

strace -e port,section -p 82

Monitor pid 82, but only for LPC port and section calls

strace -e !win32k,NtQueryDefaultLocale notepad

Monitor notepad, but not win32k calls or NtQueryDefaultLocale

strace -o cmd.txt cmd

Monitor cmd.exe, sending trace output to cmd.txt

How does it work?

It uses the same system call hooking technique described by Undocumented Windows NT, and used by NTRegMon and other utilities. What make strace different is that is hooks every system call instead of just selected ones.

The hooking is done by a device driver which also collects data. There is a user space application which loads the driver, tells it what to trace, and then pulls the data and prints it out.

Since NT doesn't provide a good means of putting proper security descriptors on devices (see sysinternals), and the workaround presented there is apparently still vulnerable to races, the strace device instead checks for the SeDebugPrivilege before allowing the user space application to open it. This means that by default, only administrators can run strace successfully. If non-admins are granted the SeDebugPrivilege, they'll be able to run strace as well, but the SeDebugPrivilege gives users multiple avenues of promoting themselves to admin, anyway.

Check out the source for all the gory details, although be warned that you need to be pretty up on the C preprocessor to understand it.

What versions of NT does it support? Does it support XP?

Strace works on NT4 SP4, SP5, and SP6; Windows 2000 GA, SP1, SP2, and SP3, and has preliminary support for Windows XP. On Windows XP, it is necessary to set the registry key

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\EnforceWriteProtection

to REG_DWORD 0. and reboot before using strace.

This disables the kernel from checking for errant memory overwrites, and is not a good thing, in general. It is currently necessary for strace because the system call table is write protected, and strace needs to modify it. Hopefully, a better solution will be found.

Shortcomings

It doesn't pass the ntcrash test, so don't run it on a production box or you may be in for a nasty surprise (BSOD). There's code which is meant to prevent this, but it's not effective. I'm not sure why at this point.
There are still lots of NT system calls that aren't documented anywhere, especially the win32k ones. Argument types for many calls need to be figured out before they can be decoded.
For technical reasons, once loaded the driver will not let you unload it. So, if you want to get rid of it completely, you'll need to reboot. The reason for this is that because it hooks every system call there will be outstanding calls with return addresses in strace's driver. If the driver is unloaded, the system will blue screen when it eventually tries to return to that address.
You can only be doing one strace at a time. Actually, that's a limitation in the driver, so if you run two strace apps, you'll probably end up with both of them outputing the trace of whichever one started last.
Beware stracing csrss without redirecting to a file. All writes to a console apparently go through csrss, so you can get some really bad feedback going on.
It doesn't interact well with other system call hooking applications. E.g., Sysinternals' Process Explorer cannot be used at the same time as strace.

Warnings

This should still be considered an early release and of BETA quality. As mentioned above, it's possible that you may get blue screens as a result of using it. Be sure to read all of the Shortcomings above.

Is there source?

Yes. Full source code is provided, under the terms of BindView's Open Source license (included in the distribution). There's quite a lot that can be added, including the parameter types of tons of system calls, so if you know of any that aren't included, please send me mail at tsabin@razor.bindview.com. Also, feel free to contribute actual code, subject to the license.

Download

Strace-0.3.zip

Feedback

Any questions or concerns can be sent to tsabin@razor.bindview.com. Also, I'd be interested to hear how strace is being used by people, if you care to share.