winstrace is a simple command line tool that can be used to trace system call behavior in a given application or running process. The tracing of system calls is done entirely in user-mode without the need for a device driver. Because the tracing happens in user mode, the traced code runs at the same privilege level as the tracer and can, in principle, detect or tamper with it; keep that in mind when tracing anything hostile to analysis. Currently, this tool will only work on Windows XP SP2, Windows Server 2003, and Windows Vista.

The goal of the tool is to provide an extensible way of analyzing system call behaviors. This is accomplished by providing a plugin interface. Plugins can register to be notified when a system call event occurs in the target process. This event will include things like the system call number, name, arguments, and other additional information that would be useful for analysis purposes.

The current release includes two plugins. The first plugin is the 'display' plugin. This plugin will display system call information in a format similar to that shown below: a bracketed hexadecimal id for the caller, the system call name, its raw arguments, and the NTSTATUS it returned. It also supports displaying parameters in a "pretty" fashion, but that is tedious work and I'll never get around to it (hint: anyone want to implement this? :).

[00000c24] NtOpenKey(0x0007FC74,0x80000000,0x0007F950) = 0xc0000034
[00000c24] NtOpenKeyedEvent(0x0007FB14,0x02000000,0x0007FAEC) = 0x00000000
[00000c24] NtQuerySystemInformation(0x00000000,0x0007FA50,0x0000002C,0x00000000) = 0x00000000
[00000c24] NtQuerySystemInformation(0x00000000,0x0007F928,0x0000002C,0x00000000) = 0x00000000
[00000c24] NtAllocateVirtualMemory(0xFFFFFFFF,0x0007F9C0,0x00000000,0x0007F9EC,0x00002000,0x00000004) = 0x00000000

The second plugin is the 'dumpioctl' plugin. The purpose of this plugin is to display information about IOCTLs that are sent to devices while an application is executing. The contents of the input buffer to each IOCTL are also displayed. This plugin is meant to be used to help make it possible to build more intelligent fuzzers by being able to capture "valid" input buffers that are sent to IOCTLs.

The format of this output is shown below. The header line gives the device the handle refers to (hdev), the control code together with its decoded access, transfer method and function number (ctlcode), and the input and output buffer lengths (inlen, outlen); the hex dump that follows is the input buffer.

[hdev=\Device\KsecDD,ctlcode=0x390008(access=any,method=buffered,func=2),inlen=256,outlen=256]
00000000: c7 31 dc 10 ce 84 74 2a 4b f6 03 bd d6 84 58 ce .1....t*K.....X.
00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

That's about it for now. There are probably lots of other interesting plugins one could write.
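As an added example (this is not code from winstrace or its author), here is a Python consumer for both output formats described above: it parses 'display' lines into structured records with an NT_SUCCESS flag, parses 'dumpioctl' records back into raw input buffers, decodes the control code the way the CTL_CODE macro composes it, and groups the captured buffers into a seed corpus for a fuzzer. Assumptions: the bracketed id on a 'display' line is treated as a thread id (winstrace does not label it), and the sample input is constructed: the first dumpioctl record reuses the page's header and first dump line with the buffer shortened to 32 bytes, and the second record (\Device\Null, control code 0x226007) is made up to exercise a short final line.

```python
"""Consumers for winstrace plugin output: a parser for 'display' lines, a parser
for 'dumpioctl' records, and a CTL_CODE decoder that turns captured IOCTLs into
a seed corpus for a fuzzer. Added example; not part of winstrace."""
import re

# Layout of a Windows I/O control code, as built by the CTL_CODE macro in
# winioctl.h: bits 31..16 device type, bits 15..14 required access,
# bits 13..2 function number, bits 1..0 buffer transfer method.
METHODS = {0: "buffered", 1: "in_direct", 2: "out_direct", 3: "neither"}
ACCESS = {0: "any", 1: "read", 2: "write", 3: "read_write"}


def decode_ctl_code(code):
    """Split an IOCTL control code into its CTL_CODE fields."""
    return {
        "device_type": (code >> 16) & 0xFFFF,
        "access": ACCESS[(code >> 14) & 0x3],
        "function": (code >> 2) & 0xFFF,
        "method": METHODS[code & 0x3],
    }


# [<hex id>] <Nt call>(<hex args>) = <hex NTSTATUS>
TRACE_RE = re.compile(r"^\[([0-9a-fA-F]+)\]\s+(\w+)\((.*?)\)\s*=\s*0x([0-9a-fA-F]+)$")


def parse_trace_line(line):
    """Parse one 'display' plugin line. The bracketed id is assumed to be the
    calling thread id; NT_SUCCESS() holds when the status's high bit is clear."""
    m = TRACE_RE.match(line.strip())
    if not m:
        return None
    tid, name, args, status = m.groups()
    status = int(status, 16)
    return {
        "tid": int(tid, 16),
        "name": name,
        "args": [int(a, 16) for a in args.split(",") if a],
        "status": status,
        "success": status < 0x80000000,
    }


# [hdev=<device>,ctlcode=0x<code>(<decoded>),inlen=<n>,outlen=<n>]
HEADER_RE = re.compile(
    r"^\[hdev=([^,]+),ctlcode=0x([0-9a-fA-F]+)\([^)]*\),inlen=(\d+),outlen=(\d+)\]$")
HEXLINE_RE = re.compile(r"^([0-9a-fA-F]{8}):\s+(.*)$")


def parse_dumpioctl(text):
    """Parse 'dumpioctl' output, reassembling each record's input buffer from
    the hex dump (up to 16 bytes per line, followed by an ASCII column)."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        h = HEADER_RE.match(line)
        if h:
            hdev, code, inlen, outlen = h.groups()
            code = int(code, 16)
            records.append({"hdev": hdev, "ctlcode": code,
                            "decoded": decode_ctl_code(code),
                            "inlen": int(inlen), "outlen": int(outlen),
                            "data": bytearray()})
            continue
        x = HEXLINE_RE.match(line)
        if x and records:
            # Take at most 16 two-digit hex tokens; what follows is the ASCII
            # rendering of the same bytes (0x20 bytes print as spaces there).
            hexes = []
            for t in x.group(2).split():
                if len(t) == 2 and all(c in "0123456789abcdefABCDEF" for c in t) \
                        and len(hexes) < 16:
                    hexes.append(t)
                else:
                    break
            records[-1]["data"] += bytes.fromhex("".join(hexes))
    for r in records:
        # inlen is authoritative; it also discards ASCII text on a short final
        # line that happened to look like a hex byte (see the \Device\Null sample).
        r["data"] = bytes(r["data"][:r["inlen"]])
    return records


def seed_corpus(records):
    """Group captured input buffers by (device, control code): a fuzzer can then
    mutate real, accepted inputs instead of starting from random bytes."""
    corpus = {}
    for r in records:
        corpus.setdefault((r["hdev"], r["ctlcode"]), []).append(r["data"])
    return corpus


# Constructed sample in winstrace's output format: the first record is the
# page's own header and first dump line with a shortened 32-byte buffer, the
# second record is made up.
SAMPLE_TRACE = "[00000c24] NtOpenKey(0x0007FC74,0x80000000,0x0007F950) = 0xc0000034"
SAMPLE_IOCTL = r"""
[hdev=\Device\KsecDD,ctlcode=0x390008(access=any,method=buffered,func=2),inlen=32,outlen=32]
00000000: c7 31 dc 10 ce 84 74 2a 4b f6 03 bd d6 84 58 ce .1....t*K.....X.
00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[hdev=\Device\Null,ctlcode=0x226007(access=read,method=neither,func=2049),inlen=4,outlen=0]
00000000: 41 42 20 43                                     AB C
"""

if __name__ == "__main__":
    print(parse_trace_line(SAMPLE_TRACE))
    for key, bufs in seed_corpus(parse_dumpioctl(SAMPLE_IOCTL)).items():
        print(key, [b.hex() for b in bufs])
```

Running it decodes 0x390008 into device type 0x39 (FILE_DEVICE_KSEC), access any, method buffered, function 2, which matches what dumpioctl printed, and flags the NtOpenKey call as failed (0xC0000034 is STATUS_OBJECT_NAME_NOT_FOUND). The METHOD_ field is the one a fuzzer cares about most: buffered and direct transfers go through I/O manager validated buffers, while METHOD_NEITHER hands the driver raw user pointers it must probe itself.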