How to log all API calls in Windows, like Wine does in Linux?
I'm debugging a Windows application in Linux using Wine (Eudora), using WINEDEBUGGER=+relay to create a (rather massive) log of API calls. Now that I've spotted where the problem is, I want to run the same application in native Windows (well, actually VirtualBox), to see how it behaves and compare the differences (if any).
I know there are several Windows tools that can trace API calls, but I need one that can generate the same kind of log as Wine does, so I can use the same workflow:
- Configure the logger/tracer to exclude a given list of functions (as in KERNEL32.SetLastError; KERNEL32.GetLastError; KERNEL32.FlsGetValue; ntdll.RtlEnterCriticalSection; ntdll.RtlLeaveCriticalSection), equivalent to Wine's Debug\RelayExclude registry entry. This is crucial, since it's the difference between a 30MB logfile and a 1.3 GB one.
- All other calls must be traced, regardless of library/module/dll/whatever. They must not be sorted or filtered by module, since the order the calls are made in is crucial for me (so I can backtrack and not get lost).
- Start the tracer as easily as
  tracer c:\ProgramFiles\Eudora\Eudora.exe 2> hugelogfile.txt
  It launches Eudora, I perform my actions, and close Eudora.
- Tracer stops when Eudora terminates. Log is ready for me to play with.
Here is a snippet of a Wine log, if it helps (similar format is desirable):
0009:Call advapi32.RegQueryValueW(80000000,0033b5dc L".txt",0033b9a0,0033bbac) ret=7e9a6c7a
0009:Ret advapi32.RegQueryValueW() retval=00000000 ret=7e9a6c7a
0009:Call advapi32.RegOpenKeyExW(80000000,0033b9a0 L"txtfile",00000000,02000000,0033a528) ret=7e9a3b66
0009:Ret advapi32.RegOpenKeyExW() retval=00000000 ret=7e9a3b66
0009:Call advapi32.RegCloseKey(000000d4) ret=7e9a3bbc
0009:Ret advapi32.RegCloseKey() retval=00000000 ret=7e9a3bbc
0009:Call advapi32.RegQueryValueW(80000000,0033b9a0 L"txtfile\\shell\\\\command",0033ada0,0033a52c) ret=7e9a3c04
0009:Ret advapi32.RegQueryValueW() retval=00000002 ret=7e9a3c04
0009:Call shlwapi.PathIsDirectoryW(0033e464 L"D:\\Arquivos\\Email\\attach\\carro.txt") ret=7e9a8a26
0009:Call KERNEL32.GetFileAttributesW(0033e464 L"D:\\Arquivos\\Email\\attach\\carro.txt") ret=7eb47738
0009:Ret KERNEL32.GetFileAttributesW() retval=00000020 ret=7eb47738
0009:Ret shlwapi.PathIsDirectoryW() retval=00000000 ret=7e9a8a26
0009:Call shlwapi.PathIsURLW(0033e464 L"D:\\Arquivos\\Email\\attach\\carro.txt") ret=7e9a8e68
0009:Ret shlwapi.PathIsURLW() retval=00000000 ret=7e9a8e68
0009:Call user32.LoadStringW(7e950000,000000a4,0033abb0,00000800) ret=7e9a3ac2
0009:Ret user32.LoadStringW() retval=00000041 ret=7e9a3ac2
0009:Call user32.MessageBoxW(000100c4,0033abb0 L"There is no Windows program configured to open this type of file.",00000000,00000010) ret=7e9a3a84
Can you please suggest a free, easily downloadable piece of software that can do that, and, most importantly, exact instructions on how to achieve this workflow with the suggested software?
Thanks!
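As an added example (not code from the question or either answer), the following parses the +relay format shown in the snippet above, drops entries matching a RelayExclude-style list, and pairs each Call with its Ret per thread so nested calls and never-returned calls (like the trailing MessageBoxW) stand out when comparing against a native trace. The sample log is constructed from the snippet, and the exclude matching rules (module.Function, bare Function, module.*, case-insensitive) are my assumption rather than something the page documents.

```python
import re
from collections import namedtuple

LINE_RE = re.compile(  # Call lines carry no retval=; Ret lines carry retval= and an empty "()"
    r"^(?P<tid>[0-9a-f]{4}):(?P<kind>Call|Ret)\s+(?P<mod>\w+)\.(?P<func>\w+)"
    r"\((?P<args>.*)\)(?:\s+retval=(?P<retval>[0-9a-f]+))?\s+ret=(?P<ret>[0-9a-f]+)$")

# Constructed sample in the format of the question's snippet (not a real capture).
SAMPLE_LOG = r"""0009:Call advapi32.RegQueryValueW(80000000,0033b5dc L".txt",0033b9a0,0033bbac) ret=7e9a6c7a
0009:Ret advapi32.RegQueryValueW() retval=00000000 ret=7e9a6c7a
0009:Call KERNEL32.SetLastError(00000000) ret=7e9a6c90
0009:Ret KERNEL32.SetLastError() retval=00000000 ret=7e9a6c90
0009:Call shlwapi.PathIsDirectoryW(0033e464 L"D:\\Arquivos\\Email\\attach\\carro.txt") ret=7e9a8a26
0009:Call KERNEL32.GetFileAttributesW(0033e464 L"D:\\Arquivos\\Email\\attach\\carro.txt") ret=7eb47738
0009:Ret KERNEL32.GetFileAttributesW() retval=00000020 ret=7eb47738
0009:Ret shlwapi.PathIsDirectoryW() retval=00000000 ret=7e9a8a26
0009:Call user32.MessageBoxW(000100c4,0033abb0 L"There is no Windows program configured to open this type of file.",00000000,00000010) ret=7e9a3a84
"""

# tid = Wine thread id, name = "module.Function", ret = caller's return address
# (shared by a Call and its Ret); retval is only present on Ret lines.
RelayEvent = namedtuple("RelayEvent", "tid kind name args retval ret")

def parse_line(line: str):
    m = LINE_RE.match(line.rstrip())  # lines from other debug channels give None
    return RelayEvent(m["tid"], m["kind"], f"{m['mod']}.{m['func']}",
                      m["args"], m["retval"], m["ret"]) if m else None

def is_excluded(name: str, exclude) -> bool:
    """RelayExclude-style match: 'mod.Func', bare 'Func' or 'mod.*' (assumed rules, case-insensitive)."""
    mod, func = name.lower().split(".", 1)
    return any(e.strip().lower() in (f"{mod}.{func}", func, f"{mod}.*") for e in exclude)

def parse_log(text: str, exclude=()) -> list:
    events = (parse_line(line) for line in text.splitlines())
    return [e for e in events if e and not is_excluded(e.name, exclude)]

def pair_calls(events) -> list:
    """Pair each Call with its Ret per thread -> (depth, call, ret_or_None), in call order."""
    stacks, paired = {}, []
    for ev in events:
        stack = stacks.setdefault(ev.tid, [])
        if ev.kind == "Call":
            paired.append([len(stack), ev, None])
            stack.append(paired[-1])
        elif stack and stack[-1][1].name == ev.name and stack[-1][1].ret == ev.ret:
            stack.pop()[2] = ev  # Ret closes the innermost open Call of this thread
    return [tuple(p) for p in paired]  # ret None = never returned (e.g. the open MessageBoxW)
```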
Comments (2)
WinAPIOverride can do that kind of tracing (and a lot more).
In general, nothing other than WINE can give you the trace you are looking for. The reason WINE can is that it doesn't use actual Windows DLLs and libraries but uses reverse-engineered ones that have had a LARGE amount of additional logging added in.
That being said, you could always try to attach a remote debugger to a running Eudora process and see if you get anything, but this is likely to be fruitless.