Reading Monitoring certain system calls done by a process in Windows, I'm wondering about a Windows equivalent to the ptrace system call or a programmatical workaround.
Asked
Active
Viewed 7,360 times
1 Answers
3
You can use ETW to trace system calls. When starting the trace, in EVENT_TRACE_PROPERTIES, you can add EVENT_TRACE_FLAG_SYSTEMCALL flag to EnableFlags. This enables SysCallEnter and SysCallLeave events, as described here.
Michael
- 52,910
- 5
- 118
- 142
-
2But SysCallEnter require Vista or Windows Server 2008, unfortunately. – JesperE May 15 '09 at 10:10
-
1Is it possible with ETW to find out the arguments to system calls? – David Roundy Apr 02 '15 at 01:07