4

I want to check which Windows API is being called by a running program. For example, if the process calls timeGetTime(), endprocess() or some other API, I want to know this information, and ideally have it displayed or stored in real time.

It would also suffice if I could choose which API I want to know is being used. I know this could be done with techniques like API hooking, but I am looking for an existing program that can do this. Does something like this exist? Any help would be appreciated.

StayOnTarget
Mark
  • So you mean you don't want to use [Detours](http://research.microsoft.com/en-us/projects/detours/)? – Roger Rowland Dec 30 '13 at 12:39
  • @RogerRowland: I am looking for an existing program where I can just point and click which file I want to monitor. Sorry if that is asking too much :( – Mark Dec 30 '13 at 12:40
  • Ok, it's not too much - if you have MS symbol files, you might try a profiler like [Glowcode](http://www.glowcode.com/). However, asking for tool recommendations is really off topic on SO. – Roger Rowland Dec 30 '13 at 12:44
  • @RogerRowland: Does it show which windows API is being used? From the introduction page I can't tell... – Mark Dec 30 '13 at 12:48
  • I use it for profiling my own apps, but if you have the symbol files, you can trace anything. It has a free trial period, why not give it a try. – Roger Rowland Dec 30 '13 at 12:49
  • 1
    Also, Google just [found this](http://www.rohitab.com/apimonitor) which looks promising. – Roger Rowland Dec 30 '13 at 12:52
  • @Roger *API Monitor* is fairly powerful. It also provides functionality to monitor COM calls, which other tools usually cannot see. – IInspectable Dec 30 '13 at 13:22
  • If you are looking for an existing program rather than writing your own, then the question belongs on SuperUser rather than StackOverflow (which is for programming questions). – Raymond Chen Dec 30 '13 at 16:38
  • If you are running under WoW64 you can easily hook all system calls as they go through the fs:[C0] bottleneck. – user2345215 Dec 30 '13 at 20:31

3 Answers

7

The best Windows API sniffer I know is API Monitor. Although it's an alpha version, it has always worked fine for me.

Sebastian
3

Check out Very Sleepy (http://www.codersnotes.com/sleepy); it does this kind of check.

Lendmann
  • Hmmm, it does seem to show some API usage, but I know some programs are using certain APIs like timeGetTime and it's not showing that... – Mark Dec 30 '13 at 12:47
  • @Mark, do you need this information only at runtime, or would static info also be sufficient? In the static case one could try Dependency Walker http://www.dependencywalker.com/ – Lendmann Dec 30 '13 at 12:54
  • Ideally I would like the information in real time so I can see which function is actually being used. – Mark Dec 30 '13 at 13:08
  • 2
    @Mark This is less than ideal. You will have a hard time finding API calls that are only performed under certain conditions, like checking for an update once a week. The import table is more reliable in that respect. However, it will not contain entries for imports that are dynamically resolved through `LoadLibrary`/`GetProcAddress`. – IInspectable Dec 30 '13 at 13:20
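The distinction drawn in the comments above, between what the import table lists and what a program resolves at run time through `LoadLibrary`/`GetProcAddress`, can be checked directly. The following is an added example, not code from this thread or from any of the tools named: a small Python import-directory walker (`list_imports`) together with `build_sample_pe`, which constructs a minimal PE32 that exists only as test input; both function names are my own.

```python
import struct

def build_sample_pe(imports):
    # Constructed test input, not a real binary: a minimal PE32 holding only an import directory for {dll: [func, ...]}.
    base, raw, ilt_off = 0x1000, 0x200, 20 * (len(imports) + 1)   # descriptors, then ILT, IAT, names
    ilt_size = sum((len(f) + 1) * 4 for f in imports.values())
    iat_off, names_off = ilt_off + ilt_size, ilt_off + 2 * ilt_size
    descs, thunks, names = b"", b"", b""
    for dll, funcs in imports.items():
        ilt = b""
        for f in funcs:                   # IMAGE_IMPORT_BY_NAME: 2-byte hint, NUL-terminated name, even-padded
            ilt += struct.pack("<I", base + names_off + len(names))
            names += struct.pack("<H", 0) + f.encode() + b"\0" * (2 - len(f) % 2)
        dll_rva, names = base + names_off + len(names), names + dll.encode() + b"\0"
        descs += struct.pack("<IIIII", base + ilt_off + len(thunks), 0, 0, dll_rva, base + iat_off + len(thunks))
        thunks += ilt + bytes(4)          # NULL thunk terminates each table
    section = descs + bytes(20) + thunks + thunks + names          # ILT and IAT are identical on disk
    hdr = (b"MZ" + bytes(58) + struct.pack("<I", 0x40)              # DOS header, e_lfanew = 0x40
           + b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)   # COFF file header
           + struct.pack("<H", 0x10B) + bytes(94)                   # PE32 optional header, fields zeroed
           + bytes(8) + struct.pack("<II", base, len(descs) + 20) + bytes(112)   # 16 data dirs, import = #1
           + b".idata\0\0" + struct.pack("<IIII", len(section), base, len(section), raw) + bytes(16))
    return hdr + bytes(raw - len(hdr)) + section

def list_imports(data):
    # Walk the import directory. Static imports only: anything the program resolves at run
    # time through LoadLibrary/GetProcAddress never shows up here. Returns {dll: [name|#ordinal]}.
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0": raise ValueError("not a PE image")
    nsect, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    plus = struct.unpack_from("<H", data, pe + 24)[0] == 0x20B       # PE32+ (64-bit image)?
    imp_rva = struct.unpack_from("<I", data, pe + 24 + (112 if plus else 96) + 8)[0]
    sects = [struct.unpack_from("<IIII", data, pe + 24 + opt_size + 40 * i + 8) for i in range(nsect)]
    def off(rva):                         # RVA -> file offset through the section table
        for vsize, va, rsize, rptr in sects:
            if va <= rva < va + max(vsize, rsize):
                return rva - va + rptr
        raise ValueError(f"RVA {rva:#x} maps to no section")
    cstr = lambda rva: data[off(rva):data.index(b"\0", off(rva))].decode("ascii", "replace")
    result, width, fmt = {}, 8 if plus else 4, "<Q" if plus else "<I"
    for d in (range(off(imp_rva), len(data), 20) if imp_rva else ()):   # IMAGE_IMPORT_DESCRIPTOR array
        ilt, _, _, name_rva, iat = struct.unpack_from("<IIIII", data, d)
        if name_rva == 0: break           # all-zero descriptor ends the array
        funcs, t = [], off(ilt or iat)    # prefer the unbound ILT, fall back to the IAT
        while (entry := struct.unpack_from(fmt, data, t)[0]) != 0:
            funcs.append(f"#{entry & 0xFFFF}" if entry >> (width * 8 - 1) else cstr((entry & 0x7FFFFFFF) + 2))
            t += width
        result[cstr(name_rva)] = funcs
    return result
```

Run `list_imports(open(path, "rb").read())` on a real executable to get the same view Dependency Walker gives; a module that only imports `LoadLibraryA`/`GetProcAddress` from kernel32.dll is the signature of APIs being resolved at run time, which is exactly where a runtime monitor is needed.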
1

I'm using WinAPIOverride to debug my Windows applications; it's free and pretty easy:

WinAPIOverride is an advanced API monitoring software for 32- and 64-bit processes.
You can monitor and/or override any function of a process.
This can be done for API functions or executable internal functions.

It tries to fill the gap between classical API monitoring software and debuggers.
It can break the targeted application before or after a function call, allowing memory or register changes, and it can directly call functions of the targeted application.
Marwen Trabelsi