Dr. Memory
System Call Tracer for Windows

drstrace is a system call tracing tool for Windows. It uses the Dr. Memory Framework to monitor all system calls executed by a target application.

To use drstrace, launch it with the target application's command line after the "--" separator; drstrace's own options go before the "--". By default, its output is sent to log files in the current directory, one per process. A different directory for these files can be specified with the -logdir option. Here is a simple example:

bin/drstrace.exe -- calc

This command will result in data written to a file named drstrace.calc.exe.<pid>.<counter>.log in the current directory. For example: drstrace.calc.exe.13408.0000.log.

Here is some example output from that file:

NtGdiGetTextFaceW
    arg 0: 0x740122ad (type=HANDLE, size=0x4)
    arg 1: 0x20 (type=int, size=0x4)
    arg 2: 0x001fcd10 (type=<struct>*, size=0x4)
    arg 3: 0x0 (type=bool, size=0x4)
    succeeded =>
        arg 2: <NYI> (type=<struct>*, size=0x4)
        retval: 0x9 (type=int, size=0x4)
NtOpenKeyEx
    arg 0: 0x001fcd0c (type=HANDLE*, size=0x4)
    arg 1: 0x109 (type=unsigned int, size=0x4)
    arg 2: len=0x18, root=0x3c, name=150/152 "SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback", att=0x40, sd=0x00000000, sqos=0x00000000 (type=OBJECT_ATTRIBUTES*, size=0x4)
    arg 3: REG_OPTION_RESERVED or REG_OPTION_NON_VOLATILE (type=named constant, value=0x0, size=0x4)
    succeeded =>
        arg 0: 0x001fcd0c => 0x134 (type=HANDLE*, size=0x4)
        retval: 0x0 (type=NTSTATUS, size=0x4)
NtQueryKey.KeyCachedInformation
    arg 0: 0x134 (type=HANDLE, size=0x4)
    arg 1: 0x4 (type=named constant, size=0x4)
    arg 2: 0x001fcb5c (type=<struct>*, size=0x4)
    arg 3: 0xb0 (type=unsigned int, size=0x4)
    arg 4: 0x001fca34 (type=unsigned int*, size=0x4)
    succeeded =>
        arg 2: _KEY_CACHED_INFORMATION {_LARGE_INTEGER {0x1ca043f05a7a595}, int=0x0, int=0x4, int=0x1a, int=0x1, int=0xc, int=0x18, int=0x22} (type=<struct>*, size=0x4)
        arg 4: 0x001fca34 => 0x28 (type=unsigned int*, size=0x4)
        retval: 0x0 (type=NTSTATUS, size=0x4)
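The output above has a regular shape: a line carrying the system call name (with the information class appended after a dot, as in NtQueryKey.KeyCachedInformation), "arg N:" lines holding the arguments on entry, a "succeeded =>" marker, then the output arguments as observed on exit (a "ptr => val" form shows the value written through a pointer) and the "retval:" line. The following Python parser is an added example, not part of Dr. Memory or drstrace, written from that shape. It turns a log into records, maps the handles returned by successful NtOpenKey/NtOpenKeyEx/NtCreateKey calls to the key names in their OBJECT_ATTRIBUTES (prefixing the name of a root handle opened earlier in the same log), so that a later call on that handle, like the NtQueryKey above, can be attributed to a key, and it splits the drstrace.<exe>.<pid>.<counter>.log file name described earlier. Assumptions: unsuccessful calls are marked "failed =>", and real logs may indent the arg/retval lines, which the parser strips. The sample input is the two registry records copied from the output above.

```python
# Added example, not Dr. Memory's own code; "failed =>" for unsuccessful calls is assumed.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ARG_RE = re.compile(r"^arg (\d+): (.*) \(([^()]*)\)$")          # arg N: value (type=..., size=...)
RET_RE = re.compile(r"^retval: (.*) \(([^()]*)\)$")
OUTCOME_RE = re.compile(r"^(succeeded|failed) =>$")
LOG_NAME_RE = re.compile(r"^drstrace\.(.+)\.(\d+)\.(\d+)\.log$")  # drstrace.<exe>.<pid>.<counter>.log
OA_ROOT_RE = re.compile(r"root=(0x[0-9a-fA-F]+)")                 # fields of the OBJECT_ATTRIBUTES text
OA_NAME_RE = re.compile(r'name=\d+/\d+ "([^"]*)"')

# Constructed sample: the NtOpenKeyEx and NtQueryKey records copied from the output above.
SAMPLE_LOG = r"""NtOpenKeyEx
arg 0: 0x001fcd0c (type=HANDLE*, size=0x4)
arg 1: 0x109 (type=unsigned int, size=0x4)
arg 2: len=0x18, root=0x3c, name=150/152 "SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback", att=0x40, sd=0x00000000, sqos=0x00000000 (type=OBJECT_ATTRIBUTES*, size=0x4)
arg 3: REG_OPTION_RESERVED or REG_OPTION_NON_VOLATILE (type=named constant, value=0x0, size=0x4)
succeeded =>
arg 0: 0x001fcd0c => 0x134 (type=HANDLE*, size=0x4)
retval: 0x0 (type=NTSTATUS, size=0x4)
NtQueryKey.KeyCachedInformation
arg 0: 0x134 (type=HANDLE, size=0x4)
arg 1: 0x4 (type=named constant, size=0x4)
arg 2: 0x001fcb5c (type=<struct>*, size=0x4)
arg 3: 0xb0 (type=unsigned int, size=0x4)
arg 4: 0x001fca34 (type=unsigned int*, size=0x4)
succeeded =>
arg 2: _KEY_CACHED_INFORMATION {_LARGE_INTEGER {0x1ca043f05a7a595}, int=0x0, int=0x4, int=0x1a, int=0x1, int=0xc, int=0x18, int=0x22} (type=<struct>*, size=0x4)
arg 4: 0x001fca34 => 0x28 (type=unsigned int*, size=0x4)
retval: 0x0 (type=NTSTATUS, size=0x4)
"""

@dataclass
class Arg:
    index: int
    value: str                    # text before the "(type=..., size=...)" trailer
    type: str
    size: int
    deref: Optional[str] = None   # for "ptr => val" output args: the value written through ptr

@dataclass
class Syscall:
    name: str                     # "NtQueryKey"
    info_class: Optional[str]     # "KeyCachedInformation" when the name line carried one
    pre: Dict[int, Arg] = field(default_factory=dict)    # arguments on entry
    post: Dict[int, Arg] = field(default_factory=dict)   # output arguments on exit
    succeeded: Optional[bool] = None
    retval: Optional[Arg] = None

def _make_arg(index: int, value: str, trailer: str) -> Arg:
    attrs = dict(kv.split("=", 1) for kv in trailer.split(", "))
    deref = None
    if " => " in value:
        value, deref = value.split(" => ", 1)
    return Arg(index, value, attrs.get("type", ""), int(attrs.get("size", "0"), 16), deref)

def parse_log(text: str) -> List[Syscall]:
    calls: List[Syscall] = []
    cur: Optional[Syscall] = None
    for line in filter(None, map(str.strip, text.splitlines())):
        m_arg, m_ret, m_out = ARG_RE.match(line), RET_RE.match(line), OUTCOME_RE.match(line)
        if not (m_arg or m_ret or m_out):           # a bare name line starts a new record
            name, _, info = line.partition(".")
            cur = Syscall(name, info or None)
            calls.append(cur)
        elif cur is None:
            pass                                    # arg/retval line before any name: skip
        elif m_arg:
            arg = _make_arg(int(m_arg.group(1)), m_arg.group(2), m_arg.group(3))
            # Lines before the outcome marker are inputs; lines after it are outputs.
            (cur.pre if cur.succeeded is None else cur.post)[arg.index] = arg
        elif m_ret:
            cur.retval = _make_arg(-1, m_ret.group(1), m_ret.group(2))
        else:
            cur.succeeded = m_out.group(1) == "succeeded"
    return calls

def registry_keys(calls: List[Syscall]) -> Dict[str, str]:
    """Handle -> key name for successful NtOpenKey/NtOpenKeyEx/NtCreateKey calls: arg 2 is the
    OBJECT_ATTRIBUTES, arg 0 the HANDLE* filled on exit; a known root handle's name is prefixed."""
    handles: Dict[str, str] = {}
    for c in calls:
        if not c.succeeded or c.name not in ("NtOpenKey", "NtOpenKeyEx", "NtCreateKey"):
            continue
        oa, out = c.pre.get(2), c.post.get(0)
        nm = OA_NAME_RE.search(oa.value) if oa else None
        if nm is None or out is None or out.deref is None:
            continue
        root = OA_ROOT_RE.search(oa.value)
        prefix = handles.get(root.group(1), "") if root else ""
        handles[out.deref] = prefix + "\\" + nm.group(1) if prefix else nm.group(1)
    return handles

def parse_log_filename(filename: str) -> Optional[Tuple[str, int, int]]:
    m = LOG_NAME_RE.match(filename)                 # -> (exe, pid, counter) or None
    return (m.group(1), int(m.group(2)), int(m.group(3))) if m else None
```

Running parse_log over SAMPLE_LOG and registry_keys over the result yields {"0x134": "SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback"}, which is the key the NtQueryKey call's arg 0 refers to; the root handle 0x3c is not opened within the sample, so no prefix is added. A real log, split at the "--" target boundary into per-process files, can be fed in the same way by reading the file named by parse_log_filename.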

Child Processes

By default, drstrace traces all child processes, each into its own log file named as described above. The runtime option -no_follow_children overrides this and traces only the parent process.

Symbol Usage

In order to report detailed system call type information on Windows, drstrace relies on debug symbol information (specifically, WinTypes.pdb). The first time the tool is executed, it retrieves this data over the network and caches it locally for future use. By default the cache is a local directory; if the _NT_SYMBOL_PATH environment variable is set, or if the -symcache_path runtime option is given, the specified directory is used for caching the symbol data instead. Because that first run needs network access, an analysis machine that is kept offline should be pointed, via -symcache_path, at a cache populated on a connected machine beforehand.

Limitations

Window of Tracing

Currently, drstrace starts logging only at the executable's entry point. System calls made by the initialization code of statically imported shared libraries, which runs before the entry point, are therefore not seen. Logging for child processes of a parent under drstrace's control starts earlier, during shared library initialization. Future versions will provide an earlier start point for the initial process.

Windows XP and 2000 Console Output

On Windows XP and Windows 2000, when drstrace is run from the cmd console and its output is not sent to a file, the printed output stops before the final system call. This is because drstrace keeps tracing past the point where the application's console state in csrss is cleaned up, after which that process can no longer write to the console. Use a log file if complete output is required.