More than Procmon >>

  • Question

  • Using the Procmon tool I am able to trace a file's behavior and its access to other files (DLL, EXE) and such.

    But I have a limitation. I want to see not only which DLL or other EXE it pokes at (accesses), but also which content in that DLL it is accessing!

    Your help will be greatly appreciated! 

    Thursday, April 7, 2016 11:30 PM

Answers

  • For file access you can build your own mini-filter starting with the Filespy sample. This will allow you to see the read and write operations, though if the file is memory-mapped you will only see the pages being accessed.


    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    Thursday, April 7, 2016 11:36 PM

All replies

  • If you want to see how the application calls Windows API functions defined in kernel32.dll and other Windows DLLs, then you could try Logger and LogViewer from the Debugging Tools for Windows package.

    When I last used Logger some years ago, it tended to crash the target application. Perhaps I was using it incorrectly or perhaps it has been improved since then.

    Friday, April 8, 2016 8:08 AM