I am trying to monitor Windows API calls. I have read about it and found there is no easier way to monitor API calls system-wide than by using kernel drivers. I was wondering if there is any other method to do this system-wide? Also, does anyone know of a tutorial on how to monitor API calls using kernel drivers?
I have looked at Microsoft Detours and other hooking options, but they don't provide system-wide hooking. Also, there are other methods which only work for user32.dll.
CodePudding user response:
Kernel drivers, which have access to all processes and system calls, are one method for monitoring Windows API calls system-wide. However, there are alternative methods, such as the following:
- ETW (Event Tracing for Windows) - ETW is a high-performance event tracing framework for monitoring various system events, including API calls.
- Performance Monitoring Counters can track various system performance metrics, such as API call counts and performance.
- Inline Hooking - Another technique for monitoring API calls is inline hooking, which involves overwriting the first few instructions of an API function to redirect execution to a custom handler.
The Windows Driver Kit (WDK) documentation, which provides a comprehensive guide on writing and deploying kernel drivers in Windows, contains a tutorial on monitoring API calls using kernel drivers.
It is important to note that monitoring API calls can have security implications because it requires access to system-level data and functions. It is advised to use these techniques with caution and to put proper security measures in place.
Here are some resources that you can use to learn more about Windows API call monitoring:
- Event Tracing for Windows (ETW) - https://docs.microsoft.com/en-us/windows/win32/etw/
- Windows Driver Kit (WDK) - https://docs.microsoft.com/en-us/windows-hardware/drivers/
- Windows System Programming, 4th Edition by Johnson M. Hart - This book provides a comprehensive guide to Windows system programming, including a chapter on kernel-mode programming, which covers the basics of kernel drivers.
- Inline Hooking - https://www.codeproject.com/Articles/2082/API-hooking-revealed
- Windows API Hooking Techniques - https://www.codeproject.com/Articles/2050/Windows-API-Hooking-Techniques
These resources should provide a good starting point for learning about Windows API call monitoring.
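As an added example (not part of the answer above), the following PowerShell session shows the ETW route the answer lists: it captures process-start events from every process on the machine without a kernel driver. It assumes an elevated shell, the standard logman.exe tool, and the built-in Microsoft-Windows-Kernel-Process provider; the keyword, level and event ID values are assumptions noted in the comments.

```powershell
# Added example: system-wide process-event monitoring via ETW, no driver needed.
# Assumes: elevated PowerShell, logman.exe (ships with Windows), and the
# built-in provider Microsoft-Windows-Kernel-Process.
$session = 'ApiMonDemo'                                # constructed session name
$etl     = Join-Path $env:TEMP 'apimon-demo.etl'       # constructed output path

# Create and start the trace session (-ets starts it immediately).
# Keyword 0x10 = process events, level 0x5 = verbose (assumed flag values).
logman create trace $session -p 'Microsoft-Windows-Kernel-Process' 0x10 0x5 -o $etl -ets | Out-Null

# Generate some activity in another process while the session is running.
Start-Process notepad.exe -WindowStyle Hidden
Start-Sleep -Seconds 5
Stop-Process -Name notepad -ErrorAction SilentlyContinue

# Stop the session; the ETL file is now complete.
logman stop $session -ets | Out-Null

# Decode the ETL with Get-WinEvent and summarise which event IDs were captured.
# These come from every process on the box, not only the one we started.
$events = Get-WinEvent -Path $etl -Oldest
$events | Group-Object Id | Sort-Object Count -Descending | Format-Table Name, Count

# Event ID 1 is ProcessStart in this provider (assumption); list image names seen.
$events | Where-Object Id -eq 1 | ForEach-Object {
    [xml]$x = $_.ToXml()
    ($x.Event.EventData.Data | Where-Object Name -eq 'ImageName').'#text'
} | Sort-Object -Unique
```

ETW only exposes the events a provider chooses to emit, so this yields process, thread and image-load activity rather than a trace of every Win32 call; for arbitrary functions a provider, a hook or a driver is still required.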
CodePudding user response:
@Prathamesh nale
I have a similar question which I posted in this topic (just a moment ago): API call hooking with Detours/Inline hooking
@2MuchC0ff33 Thank you for your reaction. What I don't understand: Detours doesn't support inline hooking, but why is inline hooking not, by definition, system-wide? Since the process does not call the custom DLL, but the real DLL, and the real DLL is the one that invokes the custom DLL (I know... trampoline and stuff). But in such a case... I would say... it can be applied to every process that calls a certain Win32 API function. Could you please tell me why I'm wrong? (I am wrong, that's for sure, because otherwise Detours would support it.)
Okay, I read something... I didn't know that the bytes are replaced in the memory of the process... now it makes sense, since this jump etc. only applies to that specific process, not in general.