
I am currently working on a tool in .NET/Python that monitors certain events on a system, like writing specific registry keys or creating files with a special name.

I evaluated many possibilities, and as I don't have to care about WinXP support, I am using Event Tracing for Windows to get a real-time stream of all file and registry activities, and this works fine (by consuming events from the NT kernel logger).

Now, I have to extend my tool to monitor all calls to some Windows API functions like WriteProcessMemory, NtUnmapViewOfSection or VirtualAllocEx. I found many tools that allow me to trace all API calls from a single process, but hooking all processes isn't a good idea, is it?

Now I wonder if there is a possibility to use ETW for this. Is there any provider provided by the kernel that notifies me of API calls? If not, what else can I do?

Summary: If I want to catch API calls, do I have to hook every single process?

leoluk

1 Answer

Generally speaking, there are two approaches to intercepting system API calls: either user mode or kernel mode interception. For user mode API interception, you will have to hook every process to accurately capture/redirect every call to your desired API function. Kernel mode interception circumvents the need to hook every process, but also requires advanced low-level knowledge (and a cross-signed code signing certificate to run your code in kernel mode).

There are a number of libraries available that will provide API hooking functionality, but I believe the ones I know of all work primarily in user mode, i.e. requiring system-wide DLL injection into processes.

Joe Jordan
  • Are there any kernel mode drivers that expose a user-level API? – leoluk Apr 13 '11 at 18:44
  • I know that MadCodeHook and EasyHook both contain a kernel mode driver and provide a user-level API. Either one of those would probably meet your needs. – Joe Jordan Apr 14 '11 at 03:13
  • I got it working using EasyHook, this is exactly what I was searching for. Thank you. – leoluk Apr 16 '11 at 11:00
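As an added illustration of the user-mode approach from the answer (and of the EasyHook route mentioned in the comments), the following C# console program installs an in-process EasyHook detour on kernel32!WriteProcessMemory and logs every call before passing it through to the real function. It is example code written for this page, not code from the question, the answer or the EasyHook project. It assumes EasyHook's managed API as documented (LocalHook.Create, LocalHook.GetProcAddress, ThreadACL.SetExclusiveACL, following the ACL convention used in EasyHook's own samples), a Windows build of matching bitness with the EasyHook package referenced, and the class and log-line names are mine. Because a LocalHook only patches the current process, covering the whole system means repeating this in every process of interest (for example by injecting the same hook library with RemoteHooking.Inject), which is exactly the cost the answer describes.

```csharp
// Added example for this page; not the original poster's tool and not EasyHook sample code.
// Assumes: EasyHook managed API (NuGet package "EasyHook"), Windows, same bitness as the
// hooked process. Purpose: monitoring only; the detour logs and then calls the original.
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
using EasyHook;

class WpmMonitor : IDisposable
{
    // Managed signature of the native function we intercept (kernel32!WriteProcessMemory).
    [UnmanagedFunctionPointer(CallingConvention.StdCall, SetLastError = true)]
    delegate bool WriteProcessMemoryDelegate(
        IntPtr hProcess, IntPtr lpBaseAddress, IntPtr lpBuffer,
        UIntPtr nSize, out UIntPtr lpNumberOfBytesWritten);

    // Import used both to call the original from the detour and to trigger it in Main.
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool WriteProcessMemory(
        IntPtr hProcess, IntPtr lpBaseAddress, IntPtr lpBuffer,
        UIntPtr nSize, out UIntPtr lpNumberOfBytesWritten);

    [DllImport("kernel32.dll")]
    static extern IntPtr GetCurrentProcess();

    [DllImport("kernel32.dll")]
    static extern int GetProcessId(IntPtr hProcess);

    LocalHook _hook;

    public void Install()
    {
        // Inline-patch the export in THIS process only. Any other process must receive
        // its own copy of this hook (e.g. via RemoteHooking.Inject); that is the
        // "hook every process" requirement of user-mode interception.
        _hook = LocalHook.Create(
            LocalHook.GetProcAddress("kernel32.dll", "WriteProcessMemory"),
            new WriteProcessMemoryDelegate(WriteProcessMemory_Hooked),
            this);
        // Thread ACL as used in EasyHook's own samples so the detour is active for calls
        // on all threads (assumption: EasyHook's documented ACL semantics).
        _hook.ThreadACL.SetExclusiveACL(new int[] { 0 });
    }

    // Pass-through detour: record who writes where, then call the real function so the
    // monitored application keeps its normal behaviour.
    static bool WriteProcessMemory_Hooked(
        IntPtr hProcess, IntPtr lpBaseAddress, IntPtr lpBuffer,
        UIntPtr nSize, out UIntPtr lpNumberOfBytesWritten)
    {
        int callerPid = Process.GetCurrentProcess().Id;
        int targetPid = GetProcessId(hProcess);
        // A write into a different process is the case worth alerting on.
        bool crossProcess = targetPid != 0 && targetPid != callerPid;
        Console.WriteLine(
            "[WPM] caller_pid={0} target_pid={1} address=0x{2:X} size={3} cross_process={4}",
            callerPid, targetPid, lpBaseAddress.ToInt64(), nSize, crossProcess);
        return WriteProcessMemory(hProcess, lpBaseAddress, lpBuffer, nSize, out lpNumberOfBytesWritten);
    }

    public void Dispose()
    {
        if (_hook != null) { _hook.Dispose(); _hook = null; }
    }

    static void Main()
    {
        using (var monitor = new WpmMonitor())
        {
            monitor.Install();

            // Constructed trigger: write 4 bytes into our own address space through the
            // public API so the detour fires once. cross_process will be false here;
            // a handle to another process would make it true.
            IntPtr destination = Marshal.AllocHGlobal(4);
            IntPtr source = Marshal.AllocHGlobal(4);
            Marshal.WriteInt32(source, 0x41414141);
            UIntPtr written;
            bool ok = WriteProcessMemory(GetCurrentProcess(), destination, source, (UIntPtr)4, out written);
            Console.WriteLine("call ok={0} bytes_written={1} value=0x{2:X}",
                ok, written, Marshal.ReadInt32(destination));
            Marshal.FreeHGlobal(source);
            Marshal.FreeHGlobal(destination);
        }
    }
}
```

Run it as a console application with the EasyHook package referenced; the first line printed is the detour's log entry, the second confirms the original call still completed. For the question's other targets (VirtualAllocEx, NtUnmapViewOfSection) the same pattern applies with the matching delegate signature and module name; note that an NT-level call from ntdll has to be hooked in ntdll.dll rather than kernel32.dll.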