Dr. Memory

System Call Tracer ("strace") for Windows

The Dr. Memory package includes a system call tracing tool for Windows, or "strace for Windows", called drstrace. It uses the Dr. Memory Framework to monitor all system calls executed by a target application and record a trace of those calls along with their arguments.

Here is some example output from tracing calc.exe:

        arg 0: 0x740122ad (type=HANDLE, size=0x4)
        arg 1: 0x20 (type=int, size=0x4)
        arg 2: 0x001fcd10 (type=*, size=0x4)
        arg 3: 0x0 (type=bool, size=0x4)
    succeeded =>
        arg 2:  (type=*, size=0x4)
        retval: 0x9 (type=int, size=0x4)
        arg 0: 0x001fcd0c (type=HANDLE*, size=0x4)
        arg 1: 0x109 (type=unsigned int, size=0x4)
        arg 2: len=0x18, root=0x3c, name=150/152 "SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback", att=0x40, sd=0x00000000, sqos=0x00000000 (type=OBJECT_ATTRIBUTES*, size=0x4)
        arg 3: REG_OPTION_RESERVED or REG_OPTION_NON_VOLATILE (type=named constant, value=0x0, size=0x4)
    succeeded =>
        arg 0: 0x001fcd0c => 0x134 (type=HANDLE*, size=0x4)
        retval: 0x0 (type=NTSTATUS, size=0x4)
        arg 0: 0x134 (type=HANDLE, size=0x4)
        arg 1: 0x4 (type=named constant, size=0x4)
        arg 2: 0x001fcb5c (type=*, size=0x4)
        arg 3: 0xb0 (type=unsigned int, size=0x4)
        arg 4: 0x001fca34 (type=unsigned int*, size=0x4)
    succeeded =>
        arg 2: _KEY_CACHED_INFORMATION {_LARGE_INTEGER {0x1ca043f05a7a595}, int=0x0, int=0x4, int=0x1a, int=0x1, int=0xc, int=0x18, int=0x22} (type=*, size=0x4)
        arg 4: 0x001fca34 => 0x28 (type=unsigned int*, size=0x4)
        retval: 0x0 (type=NTSTATUS, size=0x4)

For more information, see the documentation for drstrace.
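As an added illustration (this is not Dr. Memory's own code), the following Python parser reads the trace layout shown above and reconstructs each call's input arguments, its output arguments, and its return value. It assumes only what the excerpt shows: `arg N:` lines before and after a `succeeded =>` marker, a `retval:` line closing each call, `before => after` notation for out-parameters, and `name=... "..."` inside an OBJECT_ATTRIBUTES argument. Two extras are assumptions: a `failed =>` marker mirroring `succeeded =>`, and an optional unindented line naming the call, which the excerpt lacks, so the constructed sample below omits it too.

```python
"""Parser for the drstrace call-trace layout shown on this page.

Added example, not part of Dr. Memory. Assumptions beyond the excerpt:
a "failed =>" marker mirroring "succeeded =>", and an optional unindented
line naming each call (absent from the excerpt and from the sample below).
"""
import re
from dataclasses import dataclass, field
from typing import Optional

ARG_RE = re.compile(
    r"^\s+arg (\d+): (.*?) \(type=([^,]*)(?:, value=([^,]*))?, size=(0x[0-9a-fA-F]+)\)$")
RET_RE = re.compile(r"^\s+retval: (\S+) \(type=([^,]*), size=(0x[0-9a-fA-F]+)\)$")
RESULT_RE = re.compile(r"^\s+(succeeded|failed) =>$")
OBJ_NAME_RE = re.compile(r'name=\d+/\d+ "([^"]*)"')
ARROW_RE = re.compile(r"^(\S+) => (\S+)$")

# Constructed sample: the three calls from the page's excerpt, verbatim.
SAMPLE = r"""        arg 0: 0x740122ad (type=HANDLE, size=0x4)
        arg 1: 0x20 (type=int, size=0x4)
        arg 2: 0x001fcd10 (type=*, size=0x4)
        arg 3: 0x0 (type=bool, size=0x4)
    succeeded =>
        arg 2:  (type=*, size=0x4)
        retval: 0x9 (type=int, size=0x4)
        arg 0: 0x001fcd0c (type=HANDLE*, size=0x4)
        arg 1: 0x109 (type=unsigned int, size=0x4)
        arg 2: len=0x18, root=0x3c, name=150/152 "SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback", att=0x40, sd=0x00000000, sqos=0x00000000 (type=OBJECT_ATTRIBUTES*, size=0x4)
        arg 3: REG_OPTION_RESERVED or REG_OPTION_NON_VOLATILE (type=named constant, value=0x0, size=0x4)
    succeeded =>
        arg 0: 0x001fcd0c => 0x134 (type=HANDLE*, size=0x4)
        retval: 0x0 (type=NTSTATUS, size=0x4)
        arg 0: 0x134 (type=HANDLE, size=0x4)
        arg 1: 0x4 (type=named constant, size=0x4)
        arg 2: 0x001fcb5c (type=*, size=0x4)
        arg 3: 0xb0 (type=unsigned int, size=0x4)
        arg 4: 0x001fca34 (type=unsigned int*, size=0x4)
    succeeded =>
        arg 2: _KEY_CACHED_INFORMATION {_LARGE_INTEGER {0x1ca043f05a7a595}, int=0x0, int=0x4, int=0x1a, int=0x1, int=0xc, int=0x18, int=0x22} (type=*, size=0x4)
        arg 4: 0x001fca34 => 0x28 (type=unsigned int*, size=0x4)
        retval: 0x0 (type=NTSTATUS, size=0x4)
"""


@dataclass
class Arg:
    value: str
    type: str
    const: Optional[str] = None   # numeric value printed for a "named constant"


@dataclass
class SysCall:
    name: Optional[str] = None    # None when no name line precedes the call
    args_in: dict = field(default_factory=dict)
    args_out: dict = field(default_factory=dict)
    status: Optional[str] = None  # "succeeded" / "failed"
    retval: Optional[str] = None


def parse_trace(text: str):
    """Split a trace into SysCall records; a new call starts at a name line
    or at the first arg line after the previous call's retval."""
    calls, cur = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():                 # assumed call-name line
            cur = SysCall(name=line.strip())
            calls.append(cur)
            continue
        m = RESULT_RE.match(line)
        if m:
            cur.status = m.group(1)
            continue
        m = ARG_RE.match(line)
        if m:
            if cur is None or cur.retval is not None:
                cur = SysCall()
                calls.append(cur)
            arg = Arg(m.group(2), m.group(3), m.group(4))
            (cur.args_out if cur.status else cur.args_in)[int(m.group(1))] = arg
            continue
        m = RET_RE.match(line)
        if m:
            cur.retval = m.group(1)
    return calls


def object_name(arg: Arg) -> Optional[str]:
    """Object path carried by an OBJECT_ATTRIBUTES argument, if any."""
    if arg.type != "OBJECT_ATTRIBUTES*":
        return None
    m = OBJ_NAME_RE.search(arg.value)
    return m.group(1) if m else None


def returned_handles(call: SysCall):
    """Handles written through HANDLE* out-params ("before => after")."""
    out = []
    for arg in call.args_out.values():
        m = ARROW_RE.match(arg.value)
        if arg.type == "HANDLE*" and m:
            out.append(m.group(2))
    return out


def opened_objects(calls):
    """(call index, object path, handle) for each successful call that names
    an object and hands back a handle."""
    found = []
    for i, c in enumerate(calls):
        if c.status != "succeeded":
            continue
        for a in c.args_in.values():
            name = object_name(a)
            if name:
                for h in returned_handles(c):
                    found.append((i, name, h))
    return found


def handle_uses(calls):
    """(call index, arg index, handle, producing call index) for every HANDLE
    input that an earlier call in the trace returned."""
    origin, uses = {}, []
    for i, c in enumerate(calls):
        for idx, a in c.args_in.items():
            if a.type == "HANDLE" and a.value in origin:
                uses.append((i, idx, a.value, origin[a.value]))
        for h in returned_handles(c):
            origin[h] = i
    return uses


if __name__ == "__main__":
    calls = parse_trace(SAMPLE)
    for i, path, h in opened_objects(calls):
        print(f"call {i}: opened {path!r} -> handle {h}")
    for i, idx, h, src in handle_uses(calls):
        print(f"call {i}: arg {idx} uses handle {h} returned by call {src}")
```

Run on the excerpt, the parser finds three calls: the second names a registry key and its HANDLE* out-parameter receives 0x134, and the third call consumes that same handle. Tying each HANDLE input back to the call that produced it is the step that turns a flat trace into "which object did this call operate on", which is what a reviewer of a trace usually wants to know.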