strace on Linux.
ntdll.dll. It is not very well documented, and changes between versions of Windows, but tracing execution of an application at this level can provide a clear view of its use of the operating system.
NtTrace uses the debugging interface on Windows to intercept the returns from the native API and display the input arguments and return code. Return codes are translated to Window error code and error messages where possible.
(Click here for some links to other similar tools.)
Example:
C:> NtTrace -filter File cmd
Process 2428 starting at 4AD0B814 with command line "cmd"
Loaded DLL at 77F40000 ntdll.dll
NtOpenFile(FileHandle=0x12fb38 [0x14], DesiredAccess=SYNCHRONIZE|0x20, ObjectAttributes="\??\C:\WWW\NtTrace\", IoStatusBlock=0x0012FAE4 [0/1], ShareAccess=3, OpenOptions=0x21) => 0
NtQueryVolumeInformationFile(FileHandle=0x14, IoStatusBlock=0x0012FAE4 [0/8], FsInformation=0x12faf4, Length=8, FsInformationClass=4 [FileFsDeviceInformation]) => 0
NtFsControlFile(FileHandle=0x14, Event=0, UserApcRoutine=null, UserApcContext=null, UserIoStatus=0x0012F754 [0/0], FsControlCode=0x00090028, InputBuffer=null, InputBufferLength=0, OutputBuffer=null, OutputBufferLength=0) => 0
NtQueryAttributesFile(ObjectAttributes="\??\C:\WINDOWS\system32\cmd.exe.Local", Attributes=0x0012FADC [0]) => 0xc0000034
[2 'The system cannot find the file specified.']
...
NtWriteFile(FileHandle=4, Event=0, ApcRoutine=null, ApcContext=null, IoStatusBlock=0x0012FD8C [0/0x29], Buffer=0x4ad30e40, Length=0x29, ByteOffset=null, Key=null) => 0
NtQueryVolumeInformationFile(FileHandle=4, IoStatusBlock=0x0012FB80 [0/8], FsInformation=0x12fb88, Length=8, FsInformationClass=4 [FileFsDeviceInformation]) => 0
NtWriteFile(FileHandle=4, Event=0, ApcRoutine=null, ApcContext=null, IoStatusBlock=0x0012FB48 [0/2], Buffer=0x4ad30e40, Length=2, ByteOffset=null, Key=null) => 0
NtQueryVolumeInformationFile(FileHandle=4, IoStatusBlock=0x0012FB84 [0/8], FsInformation=0x12fb8c, Length=8, FsInformationClass=4 [FileFsDeviceInformation]) => 0
C:\WWW\NtTrace>NtWriteFile(FileHandle=4, Event=0, ApcRoutine=null, ApcContext=null, IoStatusBlock=0x0012FB4C [0/0xf], Buffer=0x4ad30e40, Length=0xf, ByteOffset=null, Key=null) => 0
Process 2428 exit code: 0
nttrace [-a] [-e] [-v] [-config *] [-errors *] [-export *] [-filter *] [-category *] [-hd] [-nonames] [-nodlls] [-noexcept] [-out *] [-pre] [-stack] [-time] [-delta] [-pid] [-tid] [-nl] [pid | cmd <args>]
Options:
| -a | attach to existing process <pid or cmd> rather than starting a fresh <cmd> |
| -e | Only log errors |
| -v | More verbose logging |
| -config | Specify config file |
| -errors | Comma delimited list of error codes to filter on |
| -export | Export symbols once loaded [for testing] |
| -filter | Comma delimited list of substrings to filter on |
| -category | Comma delimited list of categories to trace (eg File,Process,Registry, ? for list) * |
| -hd | Don't use debug heap |
| -nonames | Don't name arguments |
| -nodlls | Don't process DLL load/unload |
| -noexcept | Don't process exceptions |
| -out | Output file |
| -pre | Trace pre-call as well as post-call |
| -stack | show stack trace |
| -time | show timestamp |
| -delta | show delta time |
| -pid | show process ID |
| -tid | show thread ID |
| -nl | force newline on OutputDebugString |
* the full list of categories is soft-configured from NtTrace.cfg. As supplied the list is:
Build instructions for Microsoft Visual Studio
At a Visual Studio command prompt type 'nmake -f NtTrace.mak'
Build the appropriate binary (32-bit or 64-bit) for your target program.
(See Readme.txt for full details)
cvconst.h, from the DIA SDK in Visual Studio
Version 1139 - 25-May-2012
Change summary:
Version 967 - 17-Nov-2011
Change summary: