API's mapping?

  • Question

  • How do I find out where APIs such as CreateFile end up? I think that can be done with WinDbg and some commands; we can trace it until it ends in NTOSKRNL.exe, then an interrupt takes this call to the specified driver. Can you please refer me to a guide or explain?

    Thanks

    Monday, December 12, 2016 11:48 AM

Answers

  • This is messy, Windbg does not allow you to step across the user space to kernel space boundary, so you need to do a lot of work. What are you really trying to do? You give the example of a specified driver, typically you can look at the create file call and understand if it is going to go to a device, or to a file system. For a device Windbg will let you find the DEVICE_OBJECT and you can put a breakpoint on the IRP_MJ_CREATE entry. A file system can be more complex, but it also has a DEVICE_OBJECT.

    If you are trying to understand this stuff, take a look at the Windows Internals book https://technet.microsoft.com/en-us/sysinternals/bb963901.aspx


    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    Monday, December 12, 2016 12:22 PM
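A concrete kernel-debugger session for the approach Don Burn outlines above (find the target DEVICE_OBJECT, read its DRIVER_OBJECT, break on the IRP_MJ_CREATE dispatch entry, then inspect the stack that carried the create from NtCreateFile into the driver). This is an added example, not from the original thread; the device name \Device\ExampleDev, the driver name exampledrv, its DispatchCreate routine and the two addresses are placeholders to be replaced with the values the debugger actually prints.

```windbg
$$ Added example (not from the original thread). Requires a live kernel debugging
$$ session (kd) with symbols for nt and, ideally, for the target driver.
$$ \Device\ExampleDev, exampledrv, DispatchCreate and both addresses are placeholders.

.sympath srv*c:\symbols*https://msdl.microsoft.com/download/symbols
.reload

$$ 1. Resolve the device that a user-mode CreateFile reaches (usually through a
$$    \\.\Name symbolic link that points at \Device\...). Note the object address.
!object \Device\ExampleDev

$$ 2. Dump the DEVICE_OBJECT (placeholder address) and read its DriverObject field.
!devobj ffffe0012345a060

$$ 3. Dump the DRIVER_OBJECT with flag 2, which lists the dispatch routines;
$$    entry [00] is IRP_MJ_CREATE, the routine that receives every create/open.
!drvobj ffffe0012345c5c0 2

$$ 4. Break on that routine. Use bp when the driver is loaded; bu (unresolved
$$    breakpoint) if it is not loaded yet, or bp on the raw address without symbols.
bp exampledrv!DispatchCreate
$$ bu exampledrv!DispatchCreate
$$ bp fffff80112345678
g

$$ 5. When the breakpoint hits, the x64 calling convention gives rcx = PDEVICE_OBJECT
$$    and rdx = PIRP. Show the IRP and the kernel call chain that led here; the
$$    stack typically runs from this routine through nt!IofCallDriver,
$$    nt!IopParseDevice and nt!NtCreateFile up to the system-call entry, which is
$$    the user-to-kernel transition the question asks about.
!irp @rdx
k

$$ For a file-system target, walk the device stack CreateFile traverses and repeat
$$ steps 3-4 for the driver object of the file-system device at the top of it.
!devstack ffffe0012345a060
```

The flag value in step 3 matters: `!drvobj` without flags prints only the driver's device list, while flag 2 adds the MajorFunction table that names the IRP_MJ_CREATE handler. Breaking on that handler, rather than trying to single-step from user mode, is what sidesteps the boundary WinDbg will not step across.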
  • For an explanation of how Windows system calls work, see this book.

    Monday, December 12, 2016 12:34 PM
