Getting kernel API call stack

  • Question

  • Hi,

    I am new to this driver development. Kindly guide.

    I want the kernel API call stack to display on the MFC based GUI.

    From the MFC application GUI, user will call any Win32 API, for example CreateFile().

    I need to dump all the kernel call stack related to this CreateFile() API.

    That means which APIs get called internally, right from CreateFile in user mode down to the kernel API calls.

    Can I achieve this without making a driver? Is there any way from user level I can get the entire API call stack?

    Or is writing a driver the only solution? I cannot use any third party tool.

    Kindly suggest.

    Thanks in Advance.


    Thanks & Regards, Mayank Agarwal

    Tuesday, March 7, 2017 12:20 PM

Answers

  • The kernel stops for no one, so you won't be able to see what it is doing in real time. However, you could use the Windows Performance Recorder (WPR) to capture a trace, and then display the data with the Windows Performance Analyzer (WPA). Both are part of the Windows Assessment and Deployment Kit (ADK), which is free.

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog

    Tuesday, March 7, 2017 2:01 PM
    Moderator
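    The capture-then-analyze workflow from the answer above, as an added example that is not part of the original thread. It uses xperf, which ships in the same Windows Performance Toolkit as WPR/WPA, because it lets you ask the kernel explicitly for a stack walk on each file-create event; it assumes an elevated PowerShell session with the toolkit on PATH, and $TargetExe is a placeholder for the MFC application.

```powershell
# Added example (not from the thread). Assumes an elevated PowerShell prompt on Windows 8 or
# later with the Windows Performance Toolkit (part of the ADK) installed, so xperf.exe and
# wpa.exe are on PATH. The target path below is a placeholder.
param(
    [string]$TargetExe = 'C:\Path\To\MyMfcApp.exe',   # placeholder: the MFC app under test
    [string]$OutDir    = "$env:TEMP\kstack"
)
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
$kernelEtl = Join-Path $OutDir 'kernel.etl'
$merged    = Join-Path $OutDir 'createfile-stacks.etl'

# 1. Start the NT Kernel Logger. PROC_THREAD and LOADER record process and image-load
#    events (needed to map each return address to a module); FILE_IO/FILE_IO_INIT record
#    file operations. -stackwalk FileCreate makes the kernel capture a call stack on every
#    file-create event, i.e. the NtCreateFile reached from the app's CreateFile() call.
xperf -on 'PROC_THREAD+LOADER+FILE_IO+FILE_IO_INIT' -stackwalk FileCreate -f $kernelEtl

# 2. Run the application so its CreateFile() calls happen while the logger is active.
Start-Process -FilePath $TargetExe -Wait

# 3. Stop the logger. -d merges the session and writes the image-identification data
#    that WPA needs later for symbol resolution.
xperf -d $merged

# 4. Give WPA a symbol path so kernel and ntdll frames resolve to function names, then
#    open the trace. In WPA, open the File I/O graph, add the Stack column, and expand a
#    Create row to read the chain from the user-mode call down into the kernel.
#    Note: on x64 Windows 7 and earlier, kernel stack walking additionally requires the
#    DisablePagingExecutive registry setting; Windows 8 and later do not need it.
$env:_NT_SYMBOL_PATH = "srv*$OutDir\symbols*https://msdl.microsoft.com/download/symbols"
wpa $merged
```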

All replies

  • As Brian pointed out there is some tracing you can get.  Even there you are going to have problems, a driver can receive a request, then issue other requests to fulfill the original request.  You will have no way to know what is actually being done on behalf of the original request.

    Why do you think you need this?   Describe what problem you are really trying to solve, and perhaps there is a specific solution.


    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    Tuesday, March 7, 2017 7:20 PM
  • I want the kernel API call stack to display on the MFC based GUI.

    Have a look at ProcessHacker, it can do this.

    -- pa

    Tuesday, March 7, 2017 11:34 PM
  • Thanks Doron.

    This WPR works for Windows 8 and 8.1. 

    But can I capture the kernel trace programmatically? I also need to capture the kernel stack trace in Windows XP and Windows 2003 Server, so I am looking for some ETW solution/driver. I read somewhere that ETW/WPP works with older versions of Windows to get the kernel call trace. I am not getting sufficient material over the internet for implementing ETW for capturing the kernel call trace.

    Can you guide me, or point me to some sample driver which can capture the kernel call trace?

    Thanks in advance.


    Thanks & Regards, Mayank Agarwal

    Wednesday, March 8, 2017 5:57 AM
  • As Brian pointed out there is some tracing you can get.  Even there you are going to have problems, a driver can receive a request, then issue other requests to fulfill the original request.  You will have no way to know what is actually being done on behalf of the original request.

    Why do you think you need this?   Describe what problem you are really trying to solve, and perhaps there is a specific solution.


    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    Hi Don,

    The actual use case scenario is more or less similar to PROCMON (Process Monitor).

    When you execute PROCMON, it displays the operation names which are called by all the currently running processes.   Double click any of the operation names listed on the PROCMON GUI.

    It opens a dialog with the name "Event properties" with 3 tabs.

    Click on the "Stack" tab. This same data I need to display on my application GUI. For getting this data, do I need to write a driver, or can I achieve the same with some user level APIs?

    Earlier I thought to use PROCMON by command line, but there are some limitations due to which I cannot use this tool in my application.

    Please guide.

    Thanks in Advance.


    Thanks & Regards, Mayank Agarwal

    Wednesday, March 8, 2017 9:35 AM