
I'm trying to log all calls to ntdll!NtAllocateVirtualMemory of a third party process, to produce a log file with all parameters (also OUT parameters) and call stack.

I've tried using WinDbg with this breakpoint:

```
bp ntdll!ntallocatevirtualmemory "r $t1 = poi(poi(@esp+8)); r $t2 = poi(poi(@esp+10h)); r $t3 = poi(@esp+14h); r $t4 = poi(@esp+18h); r $t7 = poi(esp); g @$t7; r $t5 = @eax; r $t6 = poi(poi(@esp-14h)); .printf /D \"Asked: 0x%.8X Size: 0x%.8X AllocType: 0x%.8X Protect: 0x%.8X Result: 0x%.8X Got: 0x%.8X\n\", @$t1, @$t2, @$t3, @$t4, @$t5, @$t6; kcL10; gc"
```

This is nice, but it causes WinDbg to hang and stop responding.

Is there a proper way to make this work with WinDbg? Is there another tool that could provide reliable stack unwinding and log API calls?

Thanks

iMz-
  • For earlier versions of Windows there was so called "debug version". Not sure whether such exists for Windows 7. – i486 Mar 24 '15 at 13:29
  • Without more context this sounds like an [XY problem](http://xyproblem.info/). Surely there's a good reason for you to do what you're doing, maybe you can elaborate on why you want to this and another solution can be found? – Patrick Quirk Mar 24 '15 at 13:33
  • I'm sorry. As I explained, my goal is to log all calls to ntdll!NtAllocateVirtualMemory, including parameters and call stack. Thanks(: – iMz- Mar 24 '15 at 13:41
  • One possible way is to use the PIN tool for binary instrumentation: https://software.intel.com/en-us/articles/pin-a-dynamic-binary-instrumentation-tool – Vasily Ryabov Mar 24 '15 at 13:42
  • @iMz- What I meant was, why are you trying to log this information? Imagine you had this log file, what would you do with it? Someone may be able to propose an alternative solution if you describe why you want to log these calls. – Patrick Quirk Mar 24 '15 at 14:11
  • Oh, I'm just trying to learn about heap management in some programs, and wanted to see the different modules that end up calling this function. I'm actually more interested in the stack traces, but I also want ntallocatevirtualmemory's data. – iMz- Mar 24 '15 at 14:33
  • @i486 checked versions of Windows still exist on subscription MSDN, if that's what you're referring to – andlabs Mar 24 '15 at 14:51
  • There's a *return address* pseudo register, so you could simplify your `r $t7 = poi(esp); g @$t7` statements into `g @$ra`, or even just `gu`. – IInspectable Mar 24 '15 at 16:36
  • Have you seen http://www.rohitab.com/apimonitor ? This tool is perfect for logging system method calls. – Sebastian Apr 02 '15 at 06:51

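A reworked version of the breakpoint from the question, added here as an example and not taken from the post or from any answer. It keeps the pointers to the two OUT parameters (BaseAddress and RegionSize) in pseudo-registers instead of recomputing them from `esp` after the return, resumes with `g @$ra` as IInspectable's comment suggests, and writes every call plus its caller stack to a log file. It assumes a 32-bit (x86, stdcall) target and uses a placeholder log path.

```windbg
$$ Assumed x86 stdcall layout at function entry:
$$   [esp]     return address          [esp+0Ch] ZeroBits
$$   [esp+4]   ProcessHandle           [esp+10h] PRegionSize (IN/OUT)
$$   [esp+8]   PBaseAddress (IN/OUT)   [esp+14h] AllocationType
$$                                     [esp+18h] Protect
$$ Placeholder path: change to wherever the log should go.
.logopen /t c:\temp\ntavm.log

$$ $t0/$t1 hold the caller's pointers, so the same expressions read the
$$ IN values before the call and the OUT values after it returns.
$$ The whole command string must stay on one line.
bp ntdll!NtAllocateVirtualMemory "r $t0 = poi(@esp+8); r $t1 = poi(@esp+10h); r $t2 = poi(@esp+14h); r $t3 = poi(@esp+18h); .printf \"[tid 0x%x] NtAllocateVirtualMemory Asked: 0x%.8X Size: 0x%.8X AllocType: 0x%.8X Protect: 0x%.8X\n\", @$tid, poi(@$t0), poi(@$t1), @$t2, @$t3; kcL10; g @$ra; .printf \"  Status: 0x%.8X Got: 0x%.8X FinalSize: 0x%.8X\n\", @eax, poi(@$t0), poi(@$t1); gc"

$$ When done collecting:
.logclose
```

The `$t` pseudo-registers are shared by all threads, so if several threads allocate at the same time the before/after values of one call can be overwritten by another; the thread id in each entry makes such interleavings visible in the log.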