
I extract system call traces in Windows with ETW using the "logman" command.

Then I convert the file to text using tracerpt and convert the addresses to symbols using windbg. No problem.

My problem comes after I get the symbol names. I know, for example, that NTOpenFile is called. How can I tell which file?

In general, how can I extract system call parameters? Does xperf help?

MoeKav

1 Answer


You cannot get the parameters. This level of detail is not provided by Microsoft. You can't get a process id or thread id either, which makes it pretty useless for analysis. All you get is the kernel RIP address of the system call which you can resolve with your own symbol lookup.

Chris
    I know for sure that we can get pid and tid – MoeKav Jul 02 '18 at 17:46
  • Perhaps for the benefit of people looking for more details on ETW and syscalls, would you care to elaborate? It is definitely not provided as part of the trace, unless something has recently changed. I am assuming you would be referring to using context switch data to infer the process and thread? – Chris Jul 03 '18 at 19:01
  • You can find how to get syscall names in this thread: https://stackoverflow.com/a/48917399/4286125 – MoeKav Jul 03 '18 at 21:13
  • There is no recent change, but I still don’t know about the parameters of a syscall – MoeKav Jul 03 '18 at 21:14
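The capture-and-convert procedure the question describes, as an added example (not the asker's or answerer's code): it records a kernel syscall trace with logman, converts it with tracerpt, and tallies syscall-enter events per kernel address, which is the only per-call detail the trace carries. The opcode and SysCallAddress field names assumed when reading tracerpt's XML should be checked against your own dump.

```powershell
# Added example, not from the original thread. Run from an elevated
# PowerShell prompt. Assumed (verify against your dump): tracerpt renders
# the kernel syscall-enter event with Opcode 51 / "SysClEnter" and a
# Data element named "SysCallAddress".
$etl = "$env:TEMP\kernel.etl"
$xml = "$env:TEMP\kernel.xml"

# Start the NT Kernel Logger with the syscall keyword; process and thread
# keywords are added so process/thread start events are also in the trace.
logman start "NT Kernel Logger" -p "Windows Kernel Trace" (process,thread,syscall) -o $etl -ets
Start-Sleep -Seconds 5
logman stop "NT Kernel Logger" -ets

# Convert the binary ETL to XML (-y answers the overwrite prompt).
tracerpt $etl -o $xml -of XML -y

# Count syscall-enter events per kernel address. The address is all the
# event gives you: resolving it to a name such as NtOpenFile still needs a
# symbol lookup, and the call's arguments (e.g. the file name) are absent.
[xml]$doc = Get-Content $xml
$enter = $doc.Events.Event | Where-Object {
    $_.System.Opcode -eq '51' -or $_.System.Opcode -eq 'SysClEnter'
}
$enter |
    ForEach-Object {
        $_.EventData.Data |
            Where-Object { $_.Name -eq 'SysCallAddress' } |
            Select-Object -ExpandProperty '#text'
    } |
    Group-Object |
    Sort-Object Count -Descending |
    Select-Object -First 20 Count, Name
```

The resulting address list is what you would feed to windbg (or another symbol resolver) to turn into syscall names, as the question already does.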