monitoring OS API calls
Saulius Krasuckas
saulius2 at ar.fi.lt
Sat Mar 25 03:58:12 CST 2006
Hi,

I mean Windows there - my primary aim is to monitor WinAPI calls. There
exist quite a few monitor apps to achieve this. But their nature is
soft-intrusive - they patch system DLLs on disk or PE images in memory.

I'd like to monitor the calling of functions from a lower-level side. One
possibility is to rewrite system DLLs, which is hard in the case of Windows.
Maybe another possibility can be to run the OS in a machine emulator and to
break on reading/executing some virtual memory addresses? I imagine
physical memory maps into linear addresses which map into virtual
addresses (perhaps into the unshared space of each win32 process).
Then it would be nice to implement Debug Logging similar to the one from the
Wine project. [*]

What effort is needed to implement breaking of emulation on execution of
given/defined virtual addresses (plus reading the CPU state and virtual
memory) of different Windows OS versions inside a machine emulator?
Can such code be put in as some plugin to BOCHS or so? Maybe I need to look
at different machine virtualization projects like Qemu?

[*] http://winehq.org/site/developer-cheatsheet
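The approach sketched in the post (an execution hook inside the emulator that fires when EIP reaches a watched entry point, then reads the CPU state and guest virtual memory and emits a Wine-style trace line) can be shown end to end with a toy guest. The following is an added example and is not code from the post, from Wine, Bochs or QEMU: it builds a tiny 32-bit guest with flat physical RAM and x86-style two-level page tables, walks PDE -> PTE to translate guest virtual addresses (the "physical -> linear -> virtual" layering the post mentions), and runs a constructed (eip, esp) instruction stream through the hook. The watch table addresses, the stack frames, the filename and the stdcall layout ([esp] = return address, arguments above it) are all constructed assumptions; the `trace:dll:func(...)` line format only imitates Wine's debug channel output.

```python
import struct

PAGE_SIZE = 0x1000
PRESENT = 1


class PageFault(Exception):
    """Raised when a guest virtual address has no present PDE/PTE."""


class Guest:
    """Toy 32-bit guest: flat physical RAM plus x86-style two-level page tables.
    Constructed for this example; it is not Bochs or QEMU code."""

    def __init__(self, ram_size=1 << 20):
        self.ram = bytearray(ram_size)
        self.regs = {"eip": 0, "esp": 0}
        self.cr3 = 0x1000            # page directory lives in physical page 1
        self._next_free = 0x2000     # bump allocator for page tables and data pages

    def alloc_page(self):
        paddr = self._next_free
        self._next_free += PAGE_SIZE
        return paddr

    def map_page(self, vaddr):
        """Map one 4 KiB virtual page to a fresh physical page; return the paddr."""
        pd_idx, pt_idx = vaddr >> 22, (vaddr >> 12) & 0x3FF
        pde_off = self.cr3 + pd_idx * 4
        pde = struct.unpack_from("<I", self.ram, pde_off)[0]
        if not pde & PRESENT:                      # allocate a page table on demand
            pde = self.alloc_page() | PRESENT
            struct.pack_into("<I", self.ram, pde_off, pde)
        paddr = self.alloc_page()
        struct.pack_into("<I", self.ram, (pde & ~0xFFF) + pt_idx * 4, paddr | PRESENT)
        return paddr

    def virt_to_phys(self, vaddr):
        """Walk PDE -> PTE the way the MMU would; raise on a non-present entry."""
        pd_idx, pt_idx = vaddr >> 22, (vaddr >> 12) & 0x3FF
        pde = struct.unpack_from("<I", self.ram, self.cr3 + pd_idx * 4)[0]
        if not pde & PRESENT:
            raise PageFault(hex(vaddr))
        pte = struct.unpack_from("<I", self.ram, (pde & ~0xFFF) + pt_idx * 4)[0]
        if not pte & PRESENT:
            raise PageFault(hex(vaddr))
        return (pte & ~0xFFF) | (vaddr & 0xFFF)

    def read(self, vaddr, n):
        """Read n bytes of guest virtual memory, translating page by page."""
        out = bytearray()
        while n:
            chunk = min(n, PAGE_SIZE - (vaddr & 0xFFF))   # never cross a page in one go
            p = self.virt_to_phys(vaddr)
            out += self.ram[p:p + chunk]
            vaddr, n = vaddr + chunk, n - chunk
        return bytes(out)

    def write(self, vaddr, data):
        for i, b in enumerate(data):
            self.ram[self.virt_to_phys(vaddr + i)] = b

    def read_u32(self, vaddr):
        return struct.unpack("<I", self.read(vaddr, 4))[0]

    def read_cstr(self, vaddr, limit=256):
        out = bytearray()
        while len(out) < limit:
            b = self.read(vaddr + len(out), 1)
            if b == b"\0":
                break
            out += b
        return out.decode("latin-1")


# Hypothetical watch table: entry-point virtual address -> (dll, name, argument kinds).
# The addresses are constructed placeholders, not real kernel32 export addresses.
WATCH = {
    0x7C801A00: ("kernel32", "CreateFileA", ["str", "hex", "hex", "ptr", "int", "hex", "ptr"]),
    0x7C802B00: ("kernel32", "CloseHandle", ["hex"]),
}


def format_arg(guest, kind, raw):
    if kind == "str":
        return '"%s"' % guest.read_cstr(raw)    # dereference the pointer in guest memory
    if kind == "hex":
        return "0x%x" % raw
    if kind == "ptr":
        return "%08x" % raw
    return str(raw)


def on_exec(guest, log):
    """Execution hook: called for every instruction; logs only watched entry points."""
    spec = WATCH.get(guest.regs["eip"])
    if spec is None:
        return
    dll, name, kinds = spec
    esp = guest.regs["esp"]
    ret = guest.read_u32(esp)     # stdcall: [esp] is the return address, args follow it
    args = [format_arg(guest, k, guest.read_u32(esp + 4 * (i + 1))) for i, k in enumerate(kinds)]
    log.append("trace:%s:%s(%s) ret=%08x" % (dll, name, ", ".join(args), ret))


def run_trace(guest, trace):
    """Feed a constructed (eip, esp) stream through the hook, one step per instruction."""
    log = []
    for eip, esp in trace:
        guest.regs["eip"], guest.regs["esp"] = eip, esp
        on_exec(guest, log)
    return log


def demo():
    g = Guest()
    for v in (0x00401000, 0x0012F000, 0x7C801000, 0x7C802000):   # code, stack, "dll" pages
        g.map_page(v)
    g.write(0x00401000, b"C:\\boot.ini\0")                       # constructed filename argument
    # Stack at the CreateFileA entry: return address, then the 7 stdcall arguments
    g.write(0x0012FF00, struct.pack("<8I", 0x00401234, 0x00401000, 0x80000000, 1, 0, 3, 0x80, 0))
    # Stack at the CloseHandle entry: return address, then the handle
    g.write(0x0012FF30, struct.pack("<2I", 0x00401250, 0x7C))
    trace = [(0x00401230, 0x0012FF20), (0x7C801A00, 0x0012FF00),
             (0x7C801A01, 0x0012FF00), (0x7C802B00, 0x0012FF30)]
    return run_trace(g, trace)


if __name__ == "__main__":
    print("\n".join(demo()))
```

Only the two watched addresses produce output; every other step of the trace passes through the hook at no cost beyond a dictionary lookup, which is the same shape a real emulator plugin would take (compare EIP against the watch set on each executed instruction, then inspect registers and memory only on a hit). Reading a string argument goes through the same page walk as everything else, so a pointer into an unmapped page raises `PageFault` instead of silently reading host memory.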