[14278] in bugtraq
[ANNOUNCE] strace for NT
daemon@ATHENA.MIT.EDU (tsabin@RAZOR.BINDVIEW.COM)
Tue Mar 14 19:54:50 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id:  <m3snxuraaw.fsf@buckaroo.qnz.org>
Date:         Mon, 13 Mar 2000 13:31:51 -0500
Reply-To: tsabin@RAZOR.BINDVIEW.COM
From: tsabin@RAZOR.BINDVIEW.COM
X-To:         bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
Hi,
I've written a debugging/investigation utility for examining the NT
system calls made by a process. It is meant to be used like strace
on Linux and other Unix OSes.
An example:
[c:\strace] strace notepad
1 133 139 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
2 133 139 NtCreateEvent (0x100003, 0x0, 1, 0, ... 8, ) == 0x0
3 133 139 NtAllocateVirtualMemory (-1, 1243984, 0, 1244028, 8192, 4, ... ) == 0x0
4 133 139 NtAllocateVirtualMemory (-1, 1243980, 0, 1244032, 4096, 4, ... ) == 0x0
5 133 139 NtAllocateVirtualMemory (-1, 1243584, 0, 1243644, 4096, 4, ... ) == 0x0
6 133 139 NtOpenDirectoryObject (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 12, ) == 0x0
7 133 139 NtOpenSymbolicLinkObject (0x1, {24, 12, 0x40, 0, 0, "KnownDllPath"}, ... 16, ) == 0x0
8 133 139 NtQuerySymbolicLinkObject (16, ... "C:\WINNT\system32", 0x0, ) == 0x0
.
.
.
For more information and download (including source), see
http://razor.bindview.com/tools/desc/strace_readme.html.
Todd
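As an added example (editor's code, not part of Todd's announcement or of the strace-for-NT distribution), here is a small Python parser for the trace format shown in the post. It turns each line into a record and answers the questions one usually asks of a trace: which calls did not succeed, which names were looked up but did not exist, and how often each call appears. Assumptions not stated on the page: the line layout is `seq pid tid NtCall (args) == result`, with the two id columns taken as process id and thread id in that order; the tool prints STATUS_SUCCESS as `0x0`; and the quoted strings inside an argument list are object names (registry keys, object manager paths, link targets). The sample input is constructed from the eight lines quoted in the post.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample input: the eight trace lines quoted in the announcement,
# followed by the elision dots exactly as the post shows them.
SAMPLE_TRACE = r'''
1 133 139 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
2 133 139 NtCreateEvent (0x100003, 0x0, 1, 0, ... 8, ) == 0x0
3 133 139 NtAllocateVirtualMemory (-1, 1243984, 0, 1244028, 8192, 4, ... ) == 0x0
4 133 139 NtAllocateVirtualMemory (-1, 1243980, 0, 1244032, 4096, 4, ... ) == 0x0
5 133 139 NtAllocateVirtualMemory (-1, 1243584, 0, 1243644, 4096, 4, ... ) == 0x0
6 133 139 NtOpenDirectoryObject (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 12, ) == 0x0
7 133 139 NtOpenSymbolicLinkObject (0x1, {24, 12, 0x40, 0, 0, "KnownDllPath"}, ... 16, ) == 0x0
8 133 139 NtQuerySymbolicLinkObject (16, ... "C:\WINNT\system32", 0x0, ) == 0x0
.
.
.
'''

# Assumed line layout: "<seq> <pid> <tid> <NtCall> (<args>) == <result>".
# The greedy "(?P<args>.*)" backtracks to the last ") == ", so braces and
# quoted strings inside the argument list do not confuse the split.
LINE_RE = re.compile(
    r'^(?P<seq>\d+)\s+(?P<pid>\d+)\s+(?P<tid>\d+)\s+'
    r'(?P<name>Nt\w+)\s*\((?P<args>.*)\)\s*==\s*(?P<result>\S+)\s*$'
)


@dataclass(frozen=True)
class Syscall:
    seq: int
    pid: int        # assumption: second column is the process id
    tid: int        # assumption: third column is the thread id
    name: str
    args: str       # raw argument text between the outer parentheses
    result: str     # NTSTATUS as printed: "0x0" or a symbolic STATUS_* name

    @property
    def succeeded(self) -> bool:
        """Only STATUS_SUCCESS (printed as 0x0 by the tool) counts as success.
        A symbolic status such as STATUS_OBJECT_NAME_NOT_FOUND or any
        non-zero numeric NTSTATUS is reported as not succeeded."""
        if self.result == "STATUS_SUCCESS":
            return True
        if self.result.startswith("0x"):
            return int(self.result, 16) == 0
        return False

    @property
    def object_names(self) -> List[str]:
        """Quoted strings inside the argument list (registry keys, object
        manager paths, symbolic link targets)."""
        return re.findall(r'"([^"]*)"', self.args)


def parse_trace(text: str) -> List[Syscall]:
    """Parse strace-for-NT output; lines that are not trace records (the
    elision dots, blank lines, banner text) are skipped."""
    calls: List[Syscall] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        calls.append(Syscall(int(m['seq']), int(m['pid']), int(m['tid']),
                             m['name'], m['args'].strip(), m['result']))
    return calls


def call_histogram(calls: List[Syscall]) -> Dict[str, int]:
    """How many times each system call appears."""
    return dict(Counter(c.name for c in calls))


def failed_calls(calls: List[Syscall]) -> List[Syscall]:
    """Every record whose result is not STATUS_SUCCESS."""
    return [c for c in calls if not c.succeeded]


def missing_objects(calls: List[Syscall]) -> List[str]:
    """Names the process asked for that did not exist. A lookup answered with
    STATUS_OBJECT_NAME_NOT_FOUND marks a key or object the process would use
    if it were present, which is worth noting when auditing who may create it."""
    return [n for c in calls
            if c.result == "STATUS_OBJECT_NAME_NOT_FOUND"
            for n in c.object_names]


def summarize(calls: List[Syscall]) -> str:
    """Human-readable summary of a parsed trace."""
    lines = [f"{len(calls)} calls, {len(failed_calls(calls))} not successful"]
    for name, count in sorted(call_histogram(calls).items()):
        lines.append(f"  {count:4d}  {name}")
    for obj in missing_objects(calls):
        lines.append(f"  missing: {obj}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(parse_trace(SAMPLE_TRACE)))
```

Feeding a real capture is a matter of `parse_trace(open(path).read())`; the record type is immutable, so results can be grouped and compared across runs of the same binary to spot new lookups.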