This is a small tool which spawns a process and monitors every system call it makes. This covers all Nt*-prefixed system service APIs in the System Service Descriptor Table (SSDT) as well as those in the SSDT Shadow (the GUI/graphics services implemented by win32k.sys). You can select which SSDT service names to monitor, and optionally block, inside the utility. When a selected service is called, before the thread transitions from user mode to the kernel (via SYSCALL on AMD64, or INT 0x2E/SYSENTER on Intel x86), the name of the API called is logged along with a date/time stamp and the calling process and thread ID.
For Windows XP, Vista, 7, 8, 10 (64-bit)
This tool uses a method that hooks all system calls with only a single hook (one address replacement) and captures ALL syscalls made by a process regardless of thread context (it doesn't matter whether the process has one thread or 1,000). New threads are intercepted before their entry points run, so no system call can be made before this tool sees it. This standalone tool works on all x64 Windows NT-based operating systems (Windows XP x64 through Windows 10 x64) and can monitor 32-bit (WOW64) processes before they transition into 64-bit mode, since on x64 they run under the WOW64 compatibility layer rather than natively.
This tool is useful to security researchers and reverse engineers who are curious about WOW64 process execution on x64 systems, where monitoring this kind of behavior is harder because of the added layers of abstraction and debugger limitations (only WinDbg continues debugging correctly across the switch to 64-bit mode; other debuggers lose control once a 32-bit thread makes this transition).
| Last Updated | November 5, 2017 |
| Operating System | Windows XP, Vista, 7, 8, 10 (64-bit) |
| File Size | 2 MB |