{"id":5135,"date":"2018-07-13T23:54:49","date_gmt":"2018-07-13T23:54:49","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=5135"},"modified":"2018-07-14T00:41:40","modified_gmt":"2018-07-14T00:41:40","slug":"logman-api-trace-lame-anti-tracing-trick","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2018\/07\/13\/logman-api-trace-lame-anti-tracing-trick\/","title":{"rendered":"logman &#038; API Trace &#038; lame anti-tracing trick :)"},"content":{"rendered":"<p>As I explained in my <a href=\"https:\/\/www.hexacorn.com\/blog\/2018\/06\/09\/logman-the-windows-volverine\/\">older post<\/a> I was playing around with an obscure logman functionality that could be used for API Tracing.<\/p>\n<p>Using these two commands:<\/p>\n<pre>logman create api foo -f bincirc \r\n-exe c:\\windows\\notepad.exe\r\n-o c:\\test\\notepad.etl\r\n<\/pre>\n<pre>logman start foo<\/pre>\n<p>one can start tracing API calls inside Notepad. The resulting .etl file can then be parsed with <a href=\"http:\/\/www.hecfblog.com\/2018\/06\/etw-event-tracing-for-windows-and-etl.html\">ETL Parser<\/a> &#8211; a really cool tool from <a href=\"https:\/\/twitter.com\/HECFBlog\">@HECFBlog<\/a>&#8217;s <a href=\"https:\/\/twitter.com\/nicoleibrahim\">@nicoleibrahim<\/a>.<\/p>\n<p>When I came across it I thought API Tracing supported natively by the OS is a cool and promising feature. So I thought at first&#8230; then I started digging deeper. In particular, I was curious how the functionality was implemented and why it didn&#8217;t work on Windows 10. 
After some poking around I think I found the answers.<\/p>\n<p>The functionality is implemented via application patching using these SDB databases:<\/p>\n<ul>\n<li>c:\\WINDOWS\\AppPatch\\sysmain.sdb &#8211; 32-bit Win7<\/li>\n<li>c:\\WINDOWS\\AppPatch\\AppPatch64\\sysmain.sdb &#8211; 64-bit Win 7, at least in theory<\/li>\n<\/ul>\n<p>When used (the actual mechanism of loading the patch is not known to me at the moment), the system loads the following files into the traced application&#8217;s process:<\/p>\n<ul>\n<li>c:\\WINDOWS\\AppPatch\\apihex86.dll (win7 32)<\/li>\n<li>c:\\WINDOWS\\AppPatch\\AppPatch64\\apihex64.dll (win7 64), at least in theory<\/li>\n<\/ul>\n<p>Example from Windows 7 32-bit:<\/p>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2018\/07\/apihex.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-full wp-image-5139\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2018\/07\/apihex.png\" alt=\"\" width=\"488\" height=\"162\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2018\/07\/apihex.png 488w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2018\/07\/apihex-300x100.png 300w\" sizes=\"(max-width: 488px) 100vw, 488px\" \/><\/a>You will find a couple of other libs loaded inside the process as well:<\/p>\n<ul>\n<li>amxread.dll &#8211; API Tracing Manifest Read Library &#8211; possibly mapping APIs to their descriptions (?) &#8211; I have not spent too much time on it<\/li>\n<li>apilogen.dll &#8211; API Tracing Log Engine &#8211; it is responsible for the actual trace writes; anyone who has too much time on their hands could try to reverse it and improve the API Trace parser, but it&#8217;s probably not worth it<\/li>\n<\/ul>\n<p>With 64-bit Windows I couldn&#8217;t make it work despite ensuring all the commands were run from 64-bit processes; so&#8230; the &#8216;at least in theory&#8217; bits refer to this problem. 
In any case, it&#8217;s probably an obscure mechanism that is no longer supported; this leads us to&#8230;<\/p>\n<p><strong>Question #2<\/strong><\/p>\n<p>Windows 10 doesn&#8217;t seem to support it. I couldn&#8217;t make it work either, and I don&#8217;t see the aforementioned DLLs in any of the Windows subfolders. Well, there you go. A cool functionality that never stood a chance&#8230;\u00a0 oh well&#8230;<\/p>\n<p>Last, but not least &#8211; here&#8217;s your promised anti-* trick:<\/p>\n<ul>\n<li>check if your program is loading any of the DLLs listed above and abort if any is found. I have added these to the <a href=\"https:\/\/www.hexacorn.com\/blog\/2018\/06\/09\/logman-the-windows-volverine\/\">list of naughty libraries<\/a> even though I know the usefulness is close to nil. Still, what&#8217;s documented is better understood.<\/li>\n<\/ul>\n<p>And one more bit:<\/p>\n<p>When the command to create the API trace is called, the system adds the following Registry keys:<\/p>\n<ul>\n<li>HKLM\\SOFTWARE\\Microsoft\\Windows NT\\<br \/>\nCurrentVersion\\Schedule\\TaskCache\\Tree\\<br \/>\nMicrosoft\\Windows\\PLA\\foo<\/li>\n<\/ul>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2018\/07\/logman2.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter wp-image-5149\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2018\/07\/logman2.png\" alt=\"\" width=\"500\" height=\"125\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2018\/07\/logman2.png 869w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2018\/07\/logman2-300x75.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2018\/07\/logman2-768x192.png 768w\" sizes=\"(max-width: 500px) 100vw, 500px\" \/><\/a><\/p>\n<p>and<\/p>\n<ul>\n<li>HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\<br \/>\nSchedule\\TaskCache\\<br \/>\nPlain\\{F95FD9E0-54DB-464C-B379-FF720B10726A}<\/li>\n<\/ul>\n<p><a 
href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2018\/07\/logman4.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter wp-image-5154\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2018\/07\/logman4.png\" alt=\"\" width=\"500\" height=\"117\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2018\/07\/logman4.png 925w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2018\/07\/logman4-300x70.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2018\/07\/logman4-768x180.png 768w\" sizes=\"(max-width: 500px) 100vw, 500px\" \/><\/a><\/p>\n<p>and<\/p>\n<ul>\n<li>HKLM\\SOFTWARE\\Microsoft\\Windows NT\\<br \/>\nCurrentVersion\\Schedule\\TaskCache\\<br \/>\nTasks\\{F95FD9E0-54DB-464C-B379-FF720B10726A}<\/li>\n<\/ul>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2018\/07\/logman3.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter wp-image-5153\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2018\/07\/logman3.png\" alt=\"\" width=\"500\" height=\"125\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2018\/07\/logman3.png 869w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2018\/07\/logman3-300x75.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2018\/07\/logman3-768x192.png 768w\" sizes=\"(max-width: 500px) 100vw, 500px\" \/><\/a><\/p>\n<p>These entries survive a reboot, but the trace itself needs to be restarted.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>As I explained in my older post I was playing around with an obscure logman functionality that could be used for API Tracing. 
Using these two commands: logman create api foo -f bincirc -exe c:\\windows\\notepad.exe -o c:\\test\\notepad.etl logman start foo &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2018\/07\/13\/logman-api-trace-lame-anti-tracing-trick\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[53,9,67],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/5135"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=5135"}],"version-history":[{"count":13,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/5135\/revisions"}],"predecessor-version":[{"id":5157,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/5135\/revisions\/5157"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=5135"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=5135"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=5135"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}