Windows User Mode Process Syscall Tracing With ETW


Question

I have been told by a few people that ETW provides a mechanism by which to capture syscalls made by user mode processes. I have enumerated the available providers and have only come up with two possible ones that might provide this information. The first was Microsoft-Windows-Kernel-Audit-API-Calls. This provider shows me the following data:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
	<System>
		<Provider Name="Microsoft-Windows-Kernel-Audit-API-Calls" Guid="{e02a841c-75a3-4fa7-afc8-ae09cf9b7f23}" />
		<EventID>5</EventID>
		<Version>0</Version>
		<Level>4</Level>
		<Task>0</Task>
		<Opcode>0</Opcode>
		<Keywords>0x0</Keywords>
		<TimeCreated SystemTime="2017-06-01T11:59:05.831179100-0500" />
		<Correlation ActivityID="{00000000-0000-0000-0000-000000000000}" />
		<Execution ProcessID="1860" ThreadID="9628" ProcessorID="1" KernelTime="210" UserTime="1260" />
		<Channel />
		<Computer />
	</System>
	<EventData>
		<Data Name="TargetProcessId">4294967295</Data>
		<Data Name="DesiredAccess"> 1052672</Data>
		<Data Name="ReturnCode">3221225483</Data>
	</EventData>
	<RenderingInfo Culture="en-US">
		<Level>Information </Level>
		<Opcode>Info </Opcode>
		<Provider>Microsoft-Windows-Kernel-Audit-API-Calls </Provider>
	</RenderingInfo>
</Event>

This looks promising, but does the EventId correspond to the syscall name? Is there any documentation detailing what the EventId actually signifies? I could not find anything relevant on MSDN or elsewhere. I'm specifically looking for API calls such as NtCreateFile, NtCreateThreadEx, NtAllocateVirtualMemory, etc.

The other provider I looked into was the "Windows Kernel Trace". This one actually allows for keywords such as "syscall", which will then provide you with SysClEnter/SysClExit logs; however, these logs provide neither the process ID that initiated them nor the API. They instead just give what appears to be the kernel address of the syscall being entered.

Is anyone who is more familiar with the inner workings of ETW able to provide an answer on how you would collect this information via ETW?

Answer

You can easily monitor system calls related to any process in Windows. Using an administrator cmd prompt, run this command:

logman start "NT Kernel Logger" -p "Windows Kernel Trace" (syscall) -o sys.etl -ets

then stop it with

logman stop "NT Kernel Logger" -ets

When you parse the .etl file using tracerpt

tracerpt sys.etl

you can see the syscall addresses in dumpfile.xml. Using windbg, started from the command line with this command:

windbg.exe -kl -c x*!nt*

you can see the addresses mapped to syscall names.
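The procedure in the answer (capture with the NT Kernel Logger, convert with tracerpt, resolve addresses in windbg) as one PowerShell script. This is an added example, not code from the original answer. It assumes, because the page does not confirm it, that tracerpt's XML uses the standard ETW event schema namespace, that the kernel syscall events carry Opcode 51 (SysClEnter) and 52 (SysClExit) with a payload field named SysCallAddress as in the kernel trace MOF, and that the `ln` (list nearest symbols) command in a local kernel debugging session (`windbg -kl`) is how the addresses get names. The sample trace is constructed inline so the histogram part runs without an elevated prompt; only Invoke-SyscallCapture needs administrator rights.

```powershell
# Added example (not from the original answer). Capture the "syscall" keyword of
# the NT Kernel Logger, convert the .etl with tracerpt, and count SysClEnter
# addresses so they can be resolved in windbg with "ln <address>".
# Assumed (not confirmed by the page): SysClEnter = Opcode 51, SysClExit = 52,
# payload field "SysCallAddress", standard ETW event XML namespace.

function Invoke-SyscallCapture {
    param(
        [int]$Seconds = 5,
        [string]$EtlPath = "$env:TEMP\sys.etl",
        [string]$XmlPath = "$env:TEMP\sys.xml"
    )
    # Same session name and keyword as the answer; -ets acts on the session
    # directly instead of creating a data collector set. Requires elevation.
    & logman start "NT Kernel Logger" -p "Windows Kernel Trace" "(syscall)" -o $EtlPath -ets | Out-Null
    Start-Sleep -Seconds $Seconds
    & logman stop "NT Kernel Logger" -ets | Out-Null
    # tracerpt writes XML by default (dumpfile.xml); -of/-o pin the path, -y overwrites.
    & tracerpt $EtlPath -of XML -o $XmlPath -y | Out-Null
    return $XmlPath
}

function Get-SyscallHistogram {
    param(
        [Parameter(Mandatory)][xml]$TraceXml,
        [int]$Top = 10
    )
    $ns = New-Object System.Xml.XmlNamespaceManager($TraceXml.NameTable)
    $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')
    $counts = @{}
    foreach ($ev in $TraceXml.SelectNodes('//e:Event', $ns)) {
        $opcodeNode = $ev.SelectSingleNode('e:System/e:Opcode', $ns)
        if ($null -eq $opcodeNode -or [int]$opcodeNode.InnerText -ne 51) { continue }  # SysClEnter only
        $addrNode = $ev.SelectSingleNode("e:EventData/e:Data[@Name='SysCallAddress']", $ns)
        if ($null -eq $addrNode) { continue }
        $addr = $addrNode.InnerText.Trim()
        $counts[$addr] = 1 + $counts[$addr]
    }
    # Emit the windbg command that resolves each address in a "windbg -kl" session.
    $counts.GetEnumerator() | Sort-Object Value -Descending | Select-Object -First $Top |
        ForEach-Object {
            [pscustomobject]@{ Address = $_.Key; Count = $_.Value; WinDbg = "ln $($_.Key)" }
        }
}

# Constructed sample in tracerpt's layout (not a real capture): two SysClEnter
# events for one address, one for another, and one SysClExit that is skipped.
$sample = [xml]@"
<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="MSNT_SystemTrace" /><EventID>0</EventID><Opcode>51</Opcode></System>
  <EventData><Data Name="SysCallAddress">0xFFFFF8000434F6A0</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="MSNT_SystemTrace" /><EventID>0</EventID><Opcode>52</Opcode></System>
  <EventData></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="MSNT_SystemTrace" /><EventID>0</EventID><Opcode>51</Opcode></System>
  <EventData><Data Name="SysCallAddress">0xFFFFF8000434F6A0</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="MSNT_SystemTrace" /><EventID>0</EventID><Opcode>51</Opcode></System>
  <EventData><Data Name="SysCallAddress">0xFFFFF800043A1B30</Data></EventData>
</Event>
</Events>
"@

Get-SyscallHistogram -TraceXml $sample | Format-Table -AutoSize

# Live run from an elevated prompt:
#   $xml = New-Object xml; $xml.Load((Invoke-SyscallCapture -Seconds 5))
#   Get-SyscallHistogram -TraceXml $xml -Top 20
```

Paste the WinDbg column into a `windbg -kl` session to turn each address into an `nt!Nt*` name; as the question notes, the events carry no originating process ID, so this gives you which services were entered system-wide, not which process entered them.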
