Systrace for Windows

Posted 2024-09-25 17:00:49 · 403 words · 0 views · 0 comments

I'm looking for a Windows equivalent of Systrace or at least strace. I'm aware of StraceNT, but wondering if there are any more alternatives out there. Specifically, I'm looking for a specific way to programmatically enforce system call policies, though this can be after the fact rather than actively stopping them.

Is there a good way to do this currently?

Comments (9)

倾城月光淡如水﹏ 2024-10-02 17:00:49

A few options:

Process Monitor

Also, see this article about tools built into Windows 7:

Core OS Tools

半枫 2024-10-02 17:00:49

The Dr. Memory (http://drmemory.org) tool comes with a system call tracing tool called drstrace that lists all system calls made by a target application along with their arguments: http://drmemory.org/strace_for_windows.html

For programmatically enforcing system call policies, you could use the same underlying engines as drstrace: the DynamoRIO tool platform (http://dynamorio.org) and the DrSyscall system call monitoring library (http://drmemory.org/docs/page_drsyscall.html). These use dynamic binary translation technology, which does incur some overhead (20%-30% in steady state, but much higher when running new code such as launching a big desktop app), which may or may not be suitable for your purposes.
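An added example, not part of the original answer and not Dr. Memory project code: an after-the-fact policy check over a saved drstrace log, the kind of audit the question asks about. It assumes the log lists each syscall name at column 0 with indented `arg N:` and `retval:` lines beneath it; the sample log and the allowlist are constructed for illustration.

```python
import re

# Constructed sample in the layout this example assumes drstrace writes:
# syscall name at column 0, indented "arg N:" and "retval:" lines below it.
SAMPLE_LOG = """\
NtQueryInformationProcess
    arg 0: 0xffffffff (type=HANDLE, size=0x4)
    succeeded =>
    retval: 0x0 (type=NTSTATUS, size=0x4)
NtCreateFile
    arg 0: 0x0012f7a4 (type=HANDLE*, size=0x4)
    succeeded =>
    retval: 0x0 (type=NTSTATUS, size=0x4)
NtWriteVirtualMemory
    arg 0: 0x000000c8 (type=HANDLE, size=0x4)
    succeeded =>
    retval: 0x0 (type=NTSTATUS, size=0x4)
NtClose
    arg 0: 0x000000c8 (type=HANDLE, size=0x4)
    succeeded =>
    retval: 0x0 (type=NTSTATUS, size=0x4)
"""

# Hypothetical allowlist for the traced program.
ALLOWED = {"NtQueryInformationProcess", "NtCreateFile", "NtClose"}

NAME_RE = re.compile(r"^Nt[\w.]+$")                      # call header line
RETVAL_RE = re.compile(r"^\s+retval:\s+0x([0-9a-fA-F]+)")  # indented result

def parse_calls(text):
    """Return one dict per call: log line number, name, NTSTATUS (or None)."""
    calls = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if NAME_RE.match(line):
            calls.append({"line": lineno, "name": line, "status": None})
        elif calls and (m := RETVAL_RE.match(line)):
            calls[-1]["status"] = int(m.group(1), 16)
    return calls

def audit(text, allowed):
    """Return calls outside the allowlist; 'succeeded' follows NT_SUCCESS."""
    violations = []
    for call in parse_calls(text):
        if call["name"] not in allowed:
            status = call["status"]
            # NT_SUCCESS: the 32-bit status has its top bit clear.
            call["succeeded"] = status is not None and status < 0x80000000
            violations.append(call)
    return violations

if __name__ == "__main__":
    for v in audit(SAMPLE_LOG, ALLOWED):
        print(f"line {v['line']}: {v['name']} not in policy, succeeded={v['succeeded']}")
```

A denied call that also succeeded is the higher-priority finding; a call with no `retval:` line (for example a truncated log) is reported with `succeeded` set to false.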

抽个烟儿 2024-10-02 17:00:49

API Monitor looks very useful for this purpose.

放肆 2024-10-02 17:00:49

Here is a pretty interesting article. I don't know if it hits the target you are looking for, but I think you may find it leading you in the direction you want.

http://jbremer.org/intercepting-system-calls-on-x86_64-windows/

晚雾 2024-10-02 17:00:49

There are several tools all built around Xperf. It's rather complex but very powerful -- see the quick start guide. There are other useful resources on the Windows Performance Analysis page.

俏︾媚 2024-10-02 17:00:49

strace is available from Cygwin in the cygwin package. You can download it
from a Cygwin mirror, for example:

http://mirrors.sonic.net/cygwin/x86_64/release/cygwin/cygwin-2.0.2-1.tar.xz
#      |                      |                              |     |
#      +-----------+----------+                              +--+--+
#                  |                                            |
#               mirror                                       version

strace is one of the few Cygwin programs that does not rely on the Cygwin DLL,
so you should be able to just copy strace.exe to where you want and use it.

二智少女猫性小仙女 2024-10-02 17:00:49

You can use process monitor written by Mark Russinovich. This is a fantastic little application that will allow you to attach to any running process on the system and see all of the system calls that process is currently making.

https://technet.microsoft.com/en-us/sysinternals/processmonitor.aspx

瘫痪情歌 2024-10-02 17:00:49

strace is supported by installing Windows Git; as Michael Fox mentioned, it may not be useful for complex/Windows software.
