monitoring OS API calls

Saulius Krasuckas saulius2 at ar.fi.lt
Sat Mar 25 03:58:12 CST 2006


Hi,

I mean Windows there - my primary aim is to monitor WinAPI calls.  There 
exist quite a few monitor apps to achieve this.  But their nature is 
soft-intrusive - they patch system DLLs on disk or PE images in memory.

I'd like to monitor the calling of functions from a lower-level side.  One 
possibility is to rewrite system DLLs, which is hard in the case of Windows.  
Maybe another possibility would be to run the OS in a machine emulator and to 
break on reading/executing some virtual memory addresses?  I imagine 
physical memory maps into linear addresses, which map into virtual 
addresses (perhaps into the unshared space of each win32 process).

Then it would be nice to implement Debug Logging similar to that of the 
Wine project. [*]

What effort is needed to implement breaking of emulation on execution of 
given/defined virtual addresses (plus reading the CPU state and virtual 
memory) for different Windows OS versions inside a machine emulator?

Can such code be put in as some plugin to BOCHS or the like?  Maybe I need to 
look at different machine virtualization projects like Qemu?


[*] http://winehq.org/site/developer-cheatsheet
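The mechanism asked about above, as an added example that is not part of the original post and not Bochs or QEMU code: a toy emulator with per-process page tables, a "break on execution of a virtual address" check done before each fetch, and a hook that reads the CPU state and the guest stack to emit Wine-style trace lines. It shows the detail a practitioner runs into first: a system DLL is mapped at the same virtual address in every process (the same physical frame, in this model), so a breakpoint on that address has to be qualified by the address-space identifier (CR3 on x86) or it fires for every process. The instruction set, the addresses CODE_BASE/DLL_BASE/STACK_PAGE, the CR3 values and the function name ExampleApiA are all constructed for the example and assume nothing about a real Windows version.

```python
"""Toy machine emulator: break on execution of a virtual address, then read CPU state
and guest memory. Constructed example, not code from the wine-devel thread or from
any emulator project."""
from dataclasses import dataclass
from typing import Callable

PAGE = 0x1000                      # 4 KiB pages
PHYS_SIZE = 8 * PAGE               # toy physical memory: 8 frames

# Constructed toy ISA (not x86): 1-byte opcode, optional 4-byte little-endian immediate.
OP_PUSH, OP_CALL, OP_RET, OP_HALT = 0x10, 0x20, 0x30, 0xFF

# Hypothetical guest layout (assumed for the example, not taken from any real system).
CODE_BASE, DLL_BASE, STACK_PAGE = 0x401000, 0x7C801000, 0x12E000
PROC_A_CR3, PROC_B_CR3 = 0xA000, 0xB000


@dataclass
class CPU:
    cr3: int          # identifies the address space (page table) this context runs under
    eip: int
    esp: int
    halted: bool = False


class Emulator:
    def __init__(self):
        self.phys = bytearray(PHYS_SIZE)
        # cr3 -> {virtual page number: physical frame number}; one table per process
        self.page_tables: dict = {}
        # (cr3 or None, virtual address) -> callback(emu, cpu); None matches every cr3
        self.breakpoints: dict = {}
        self.log: list = []

    def map_page(self, cr3, va, pa):
        self.page_tables.setdefault(cr3, {})[va // PAGE] = pa // PAGE

    def translate(self, cr3, va):
        """Virtual -> physical through the page table selected by cr3."""
        pfn = self.page_tables.get(cr3, {}).get(va // PAGE)
        if pfn is None:
            raise MemoryError(f"#PF cr3={cr3:#x} va={va:#x}")
        return pfn * PAGE + (va % PAGE)

    def read(self, cr3, va, n):
        return bytes(self.phys[self.translate(cr3, va + i)] for i in range(n))

    def write(self, cr3, va, data):
        for i, b in enumerate(data):
            self.phys[self.translate(cr3, va + i)] = b

    def read_u32(self, cr3, va):
        return int.from_bytes(self.read(cr3, va, 4), "little")

    def push(self, cpu, value):
        cpu.esp -= 4
        self.write(cpu.cr3, cpu.esp, value.to_bytes(4, "little"))

    def pop(self, cpu):
        value = self.read_u32(cpu.cr3, cpu.esp)
        cpu.esp += 4
        return value

    def step(self, cpu):
        # The "break on execution" check runs before the fetch, keyed on (cr3, eip):
        # the same virtual address in another process is a different breakpoint.
        hook = self.breakpoints.get((cpu.cr3, cpu.eip)) or self.breakpoints.get((None, cpu.eip))
        if hook:
            hook(self, cpu)
        op = self.read(cpu.cr3, cpu.eip, 1)[0]
        if op == OP_PUSH:
            self.push(cpu, self.read_u32(cpu.cr3, cpu.eip + 1))
            cpu.eip += 5
        elif op == OP_CALL:
            target = self.read_u32(cpu.cr3, cpu.eip + 1)
            self.push(cpu, cpu.eip + 5)          # return address goes on the guest stack
            cpu.eip = target
        elif op == OP_RET:
            cpu.eip = self.pop(cpu)
        elif op == OP_HALT:
            cpu.halted = True
        else:
            raise ValueError(f"bad opcode {op:#x} at {cpu.eip:#x}")

    def run(self, cpu, max_steps=1000):
        for _ in range(max_steps):
            if cpu.halted:
                return
            self.step(cpu)
        raise RuntimeError("step limit reached")


def assemble(*ops):
    """ops are (opcode,) or (opcode, imm32) tuples of the toy ISA."""
    out = bytearray()
    for op, *imm in ops:
        out.append(op)
        if imm:
            out += imm[0].to_bytes(4, "little")
    return bytes(out)


def example_api_hook(emu, cpu):
    """At the function entry the return address is at [esp] and the stdcall-style
    arguments at [esp+4], [esp+8]; log them in the style of Wine's trace: channel."""
    ret = emu.read_u32(cpu.cr3, cpu.esp)
    a1 = emu.read_u32(cpu.cr3, cpu.esp + 4)
    a2 = emu.read_u32(cpu.cr3, cpu.esp + 8)
    emu.log.append(f"trace:example:ExampleApiA({a1:#x},{a2:#x}) ret={ret:#x} cr3={cpu.cr3:#x}")


def run_scenario(monitor_cr3=PROC_A_CR3):
    """Two processes call the same DLL entry point; monitor_cr3=None breaks in both."""
    emu = Emulator()
    caller = assemble((OP_PUSH, 0x5678), (OP_PUSH, 0x1234), (OP_CALL, DLL_BASE), (OP_HALT,))
    dll = assemble((OP_RET,))
    # Physical frames: 1/2 private code pages, 3 the shared DLL image, 4/5 private stacks.
    for cr3, code_frame, stack_frame in ((PROC_A_CR3, 1, 4), (PROC_B_CR3, 2, 5)):
        emu.map_page(cr3, CODE_BASE, code_frame * PAGE)
        emu.map_page(cr3, DLL_BASE, 3 * PAGE)        # same frame in both address spaces
        emu.map_page(cr3, STACK_PAGE, stack_frame * PAGE)
        emu.write(cr3, CODE_BASE, caller)
    emu.write(PROC_A_CR3, DLL_BASE, dll)             # shared frame, so B sees it too
    emu.breakpoints[(monitor_cr3, DLL_BASE)] = example_api_hook
    for cr3 in (PROC_A_CR3, PROC_B_CR3):
        emu.run(CPU(cr3=cr3, eip=CODE_BASE, esp=STACK_PAGE + PAGE))
    return emu.log


if __name__ == "__main__":
    for line in run_scenario():
        print(line)
```

With the default `monitor_cr3`, only process A's call is logged even though process B executes the identical bytes at the identical virtual address; with `run_scenario(None)` both calls are logged. A real plugin does the same two things on every instruction boundary: compare (address-space id, eip) against the watch list, then walk the guest page tables to read the stack, which is why the check has to know the guest OS's process bookkeeping rather than just a flat address.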
More information about the wine-devel mailing list