Home
Welcome to the NtTrace wiki!
NtTrace provides a simple trace facility for the Windows Native API. It is roughly equivalent to strace on Linux.
The native API is the interface between user-mode application space and the OS kernel; on Windows it is exposed by ntdll.dll. It is not very well documented and changes between versions of Windows, but tracing an application at this level gives a clear view of its use of the operating system.
NtTrace uses the Windows debugging interface to intercept returns from the native API and display the input arguments and the return code. NTSTATUS return codes are translated to the corresponding Windows (Win32) error code and error message where possible.
Example:

```
C:> NtTrace -filter File cmd
Process 2428 starting at 4AD0B814
Loaded DLL at 77F40000 ntdll.dll
NtOpenFile( FileHandle=0x12fb38 [0x14], DesiredAccess=SYNCHRONIZE|0x20, ObjectAttributes="\??\C:\WWW\NtTrace\", IoStatusBlock=0x0012FAE4 [0/1], ShareAccess=3, OpenOptions=0x21 ) => 0
NtQueryVolumeInformationFile( FileHandle=0x14, IoStatusBlock=0x0012FAE4 [0/8], FsInformation=0x12faf4, Length=8, FsInformationClass=4 [FileFsDeviceInformation] ) => 0
NtFsControlFile( FileHandle=0x14, Event=0, UserApcRoutine=null, UserApcContext=null, UserIoStatus=0x0012F754 [0/0], FsControlCode=0x00090028, InputBuffer=null, InputBufferLength=0, OutputBuffer=null, OutputBufferLength=0 ) => 0
NtQueryAttributesFile( ObjectAttributes="\??\C:\WINDOWS\system32\cmd.exe.Local", Attributes=0x0012FADC [0] ) => 0xc0000034
[2 'The system cannot find the file specified.']
...
NtWriteFile( FileHandle=4, Event=0, ApcRoutine=null, ApcContext=null, IoStatusBlock=0x0012FD8C [0/0x29], Buffer=0x4ad30e40, Length=0x29, ByteOffset=null, Key=null ) => 0
NtQueryVolumeInformationFile( FileHandle=4, IoStatusBlock=0x0012FB80 [0/8], FsInformation=0x12fb88, Length=8, FsInformationClass=4 [FileFsDeviceInformation] ) => 0
NtWriteFile( FileHandle=4, Event=0, ApcRoutine=null, ApcContext=null, IoStatusBlock=0x0012FB48 [0/2], Buffer=0x4ad30e40, Length=2, ByteOffset=null, Key=null ) => 0
NtQueryVolumeInformationFile( FileHandle=4, IoStatusBlock=0x0012FB84 [0/8], FsInformation=0x12fb8c, Length=8, FsInformationClass=4 [FileFsDeviceInformation] ) => 0
C:\WWW\NtTrace>NtWriteFile( FileHandle=4, Event=0, ApcRoutine=null, ApcContext=null, IoStatusBlock=0x0012FB4C [0/0xf], Buffer=0x4ad30e40, Length=0xf, ByteOffset=null, Key=null ) => 0
Process 2428 exit code: 0
```

Here `-filter File` restricts the output to entry points whose name contains the substring `File`. Output arguments are shown as a pointer followed by the dereferenced value in brackets (for example `FileHandle=0x12fb38 [0x14]`, after which the same handle `0x14` is passed to the following calls), and a failing NTSTATUS such as `0xc0000034` is followed by its Win32 translation on the next line. The traced program writes to the same console, which is why cmd's prompt appears in front of the last NtWriteFile line.
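The following Python script is an added example for this page; it is not part of NtTrace. It parses post-call lines in the layout shown above (`Name( args ) => status`, with an optional `[code 'message']` continuation when the NTSTATUS could be translated), splits output arguments into pointer and dereferenced value, flags calls whose NTSTATUS has error severity, and maps the handle returned by a successful NtOpenFile/NtCreateFile back to the object name it was opened with, so later `FileHandle=...` arguments can be read as paths. The sample input is constructed from the call lines in the example above; the regular expressions, and the assumption that the default named-argument output is in use, are the example's own.

```python
"""Parse NtTrace post-call output lines into structured records.

Added example for this wiki page, not part of NtTrace. Assumes the default
layout shown above: "NtFoo( Name=value, ... ) => <NTSTATUS>" per call, with
an optional "[<Win32 code> '<message>']" continuation line when NtTrace
could translate a failing status. NtTrace prints output arguments as
"pointer [dereferenced value]" and does not dereference them on error.
"""
import re
import sys
from collections import Counter

# search(), not match(): the traced program shares the console, so a call
# line may be prefixed by the target's own output (cmd's prompt above).
CALL_RE = re.compile(r'\b(Nt\w+)\((.*)\)\s*=>\s*(0x[0-9A-Fa-f]+|\d+)\s*$')
ERROR_RE = re.compile(r"^\s*\[(\d+)\s+'(.*)'\]\s*$")
OUT_ARG_RE = re.compile(r'^(0x[0-9A-Fa-f]+)\s+\[(.*)\]$')

# Constructed sample: the call lines are copied from the example output above.
SAMPLE = r"""
Process 2428 starting at 4AD0B814
NtOpenFile( FileHandle=0x12fb38 [0x14], DesiredAccess=SYNCHRONIZE|0x20, ObjectAttributes="\??\C:\WWW\NtTrace\", IoStatusBlock=0x0012FAE4 [0/1], ShareAccess=3, OpenOptions=0x21 ) => 0
NtQueryAttributesFile( ObjectAttributes="\??\C:\WINDOWS\system32\cmd.exe.Local", Attributes=0x0012FADC [0] ) => 0xc0000034
[2 'The system cannot find the file specified.']
C:\WWW\NtTrace>NtWriteFile( FileHandle=4, Event=0, ApcRoutine=null, ApcContext=null, IoStatusBlock=0x0012FB4C [0/0xf], Buffer=0x4ad30e40, Length=0xf, ByteOffset=null, Key=null ) => 0
Process 2428 exit code: 0
""".strip().splitlines()


def split_args(text):
    """Split on top-level commas, honouring double quotes. Backslashes are
    literal (a path ends in a backslash right before its closing quote)."""
    parts, buf, in_quote = [], [], False
    for ch in text:
        if ch == '"':
            in_quote = not in_quote
        if ch == ',' and not in_quote:
            parts.append(''.join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    tail = ''.join(buf).strip()
    return parts + [tail] if tail else parts


def parse_args(text):
    """Name -> printed value (quotes stripped); with -nonames keys are arg0, arg1, ..."""
    args = {}
    for i, part in enumerate(split_args(text)):
        name, sep, value = part.partition('=')
        if not sep:
            name, value = 'arg%d' % i, name
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        args[name.strip()] = value
    return args


def parse_trace(lines):
    """One record per call; a following '[code message]' line is the Win32
    translation of the previous record's NTSTATUS."""
    records = []
    for line in lines:
        err = ERROR_RE.match(line)
        if err and records:
            records[-1]['win32'] = int(err.group(1))
            records[-1]['message'] = err.group(2)
            continue
        m = CALL_RE.search(line)
        if m:
            func, argtext, status = m.groups()
            records.append({'func': func, 'args': parse_args(argtext),
                            'status': int(status, 0), 'win32': None, 'message': None})
    return records


def out_value(printed):
    """Split an output argument 'pointer [value]' into (pointer, value);
    value is None when NtTrace did not dereference it."""
    m = OUT_ARG_RE.match(printed)
    return (m.group(1), m.group(2)) if m else (printed, None)


def is_error(status):
    """NTSTATUS severity is the top two bits; 0b11 (0xC...) is an error."""
    return status >> 30 == 3


def name_handles(records):
    """Handle value -> object name for successful NtOpenFile/NtCreateFile calls."""
    names = {}
    for r in records:
        if r['func'] in ('NtOpenFile', 'NtCreateFile') and not is_error(r['status']):
            _, handle = out_value(r['args'].get('FileHandle', ''))
            if handle is not None:
                names[handle] = r['args'].get('ObjectAttributes')
    return names


if __name__ == '__main__':
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE
    recs = parse_trace(lines)
    print(Counter(r['func'] for r in recs))
    for r in recs:
        if is_error(r['status']):
            print('%s => 0x%08X (Win32 %s: %s)' % (r['func'], r['status'], r['win32'], r['message']))
    print(name_handles(recs))
```

Run it with a saved trace (`NtTrace -out trace.txt ...`, then `python nttrace_parse.py trace.txt`) or with no argument to use the embedded sample. Pre-call lines produced by `-pre` carry no `=> status` and are skipped, and a `FileHandle` printed without a bracketed value (the call failed, or the handle was an input) yields `None` from `out_value`, so callers should not assume every handle can be named.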
Syntax:

```
nttrace [-a] [-e] [-config *] [-errors *] [-export *] [-filter *] [-category *] [-nonames] [-noexcept] [-out *] [-pre] [-stack] [-time] [-delta] [-pid] [-tid] [-nl] [pid | cmd <args>]
```
Options:

| Option | Meaning |
| --- | --- |
| -a | attach to the existing process given by `pid` rather than starting a fresh `cmd <args>` |
| -e | Only log errors |
| -config | Specify config file |
| -errors | Comma delimited list of error codes to filter on |
| -export | Export symbols once loaded (for testing) |
| -filter | Comma delimited list of substrings to filter on |
| -category | Comma delimited list of categories to trace (eg File,Process,Registry; `?` for list) \* |
| -nonames | Don't name arguments |
| -noexcept | Don't process exceptions |
| -out | Output file |
| -pre | Trace pre-call as well as post-call |
| -stack | Show stack trace |
| -time | Show timestamp |
| -delta | Show delta time |
| -pid | Show process ID |
| -nl | Force newline on OutputDebugString |
\* The full list of categories is soft-configured from NtTrace.cfg. As supplied the list is: LPC, Memory, Object, Other, Process, Registry, Security, Synchronization, Time, Transaction and WOW64.
### Build instructions for Microsoft Visual Studio

At a Visual Studio command prompt type `nmake -f NtTrace.mak`.
Note for the "not yet dead" Visual Studio 6: you need to ensure the Platform SDK is installed so that psapi.h/psapi.lib and DbgHelp.h/DbgHelp.lib are found. (See Readme.txt for full details.)
Version 1439 - 16-Oct-2014
Recent changes:
- Clean compile with VC14 (CTP3)
- Add filter off logic
Recent changes:
- Ctrl+C now detaches from attached process (-a option) rather than terminating
- Add -nl option to force a newline on each output
- A few minor changes to NTDLL/Gdi32/User32 entry points
Version 1362 - 17-Jun-2013
Change summary:
- Add -config option to allow easier selection of configuration
- Add Gdi32Trace.cfg containing the NtGdi functions exported from Gdi32
- Add User32Trace.cfg containing the NtUser functions exported from User32
- A few minor changes to NTDLL entry points
- Better logging of 64bit C++ exceptions
- Display of RootDirectory for ObjectAttributes
Version 1139 - 25-May-2012
Change summary:
- Add entry points for the NtWow64 functions (available to 32-bit programs on 64-bit Windows)
- Add names and types to a few more entry points
- Improve handling of duplicate/output arguments
Version 967 - 17-Nov-2011
Change summary:
- Add X64 build (AMD64) - supports 32-bit and 64-bit targets
- Add new entry points for Windows 7
- Extend coverage of names for enumerated values
- Add basic LPC_MESSAGE unpacking
- Add -pre option to trace pre-call as well as post-call
- Don't dereference output only arguments on error