
I have been told by a few people that ETW provides a mechanism by which to capture syscalls made by user mode processes. I have enumerated the available providers and have only come up with two possible ones that might provide this information. The first was Microsoft-Windows-Kernel-Audit-API-Calls. This provider shows me the following data:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System>
  <Provider Name="Microsoft-Windows-Kernel-Audit-API-Calls" Guid="{e02a841c-75a3-4fa7-afc8-ae09cf9b7f23}" />
  <EventID>5</EventID>
  <Version>0</Version>
  <Level>4</Level>
  <Task>0</Task>
  <Opcode>0</Opcode>
  <Keywords>0x0</Keywords>
  <TimeCreated SystemTime="2017-06-01T11:59:05.831179100-0500" />
  <Correlation ActivityID="{00000000-0000-0000-0000-000000000000}" />
  <Execution ProcessID="1860" ThreadID="9628" ProcessorID="1" KernelTime="210" UserTime="1260" />
  <Channel />
  <Computer />
 </System>
 <EventData>
  <Data Name="TargetProcessId">4294967295</Data>
  <Data Name="DesiredAccess"> 1052672</Data>
  <Data Name="ReturnCode">3221225483</Data>
 </EventData>
 <RenderingInfo Culture="en-US">
  <Level>Information </Level>
  <Opcode>Info </Opcode>
  <Provider>Microsoft-Windows-Kernel-Audit-API-Calls </Provider>
 </RenderingInfo>
</Event>

This looks promising, but does the EventId correspond to the syscall name? Is there any documentation detailing what the EventId actually signifies? I could not find anything relevant on MSDN or elsewhere. I'm specifically looking for API calls such as NtCreateFile, NtCreateThreadEx, NtAllocateVirtualMemory, etc.

The other provider I looked into was the "Windows Kernel Trace". This one actually allows for keywords such as "syscall", which will then provide you with SysClEnter/SysClExit logs; however, these logs do not provide the process id that initiated them nor the API. They instead just give what appears to be the kernel address of the syscall being entered.

Is anyone who is more familiar with the inner workings of ETW able to provide an answer on how you would collect this information via ETW?

Chris

2 Answers


You can easily monitor system calls related to any process in Windows. Using an administrator cmd prompt, run this command:

logman start "NT Kernel Logger" -p "Windows Kernel Trace" (syscall) -o sys.etl -ets

and then stop it

logman stop "NT Kernel Logger" -ets

When you parse the .etl file using tracerpt:

tracerpt sys.etl

You can see syscall addresses in the dumpfile.xml. Using WinDbg and starting it from the command line with this command:

windbg.exe -kl -c x*!nt*

You can see the addresses mapped to syscall names.

MoeKav

A good repo that has an updated list of ETW events: https://github.com/jdu2600/Windows10EtwEvents

For my use case, none of the ETW events above worked. Just like you noted, there wasn't any supplementary information. After doing some research, I stumbled upon PerfView from Microsoft; they have a NuGet package called Microsoft.Diagnostics.Tracing.TraceEvents for C#. The library makes a distinction between Providers and KernelProviders. The KernelProviders ended up being the solution for me.

As an example, you can subscribe to FileIOInit events (0x04000000). This provider generates FileIOFileCreate events that return FileIONameTraceData data. These traces contain PIDs and file names.

Here's a C# snippet that creates the trace session and adds a delegate to process file creation events:

using System;
using Microsoft.Diagnostics.Tracing;
using Microsoft.Diagnostics.Tracing.Parsers;
using Microsoft.Diagnostics.Tracing.Parsers.Kernel;
using Microsoft.Diagnostics.Tracing.Session;

string sessionName = "MyTraceSession";
// Real-time session (no output file); creating it requires an elevated process
var session = new TraceEventSession(sessionName, null);
session.StopOnDispose = true;

var source = new ETWTraceEventSource(sessionName, TraceEventSourceType.Session);
var registeredParser = new KernelTraceEventParser(source);

session.EnableKernelProvider(KernelTraceEventParser.Keywords.FileIOInit);
registeredParser.FileIOFileCreate += delegate (FileIONameTraceData data)
{
    // Each event carries the originating PID and the file name
    Console.WriteLine($"{data.ProcessID} {data.FileName}");
};

source.Process(); // blocks and dispatches events until the session is stopped

Hopefully this helps you with your problem!

Shaun