Richard Andrew x64 wrote: I would like to create an API hooking DLL that logs and documents the API calls that a given process makes. (It's my million-dollar product idea)
Hooking? Are you sure that you actually have a solid plan for what you want to do? What are you defining as 'API calls'? Are you referring to a specific Microsoft API?
Sounds like you want to perform instrumentation? Are you looking to implement something like Intel VTune?
If so, check out DynamoRIO.
Richard Andrew x64 wrote: Let me point out that all of the user mode ways of doing this are not acceptable because I need the DLL to be injected before any user code executes in the target process, including TLS callbacks.
Have you experimented with the CreateProcess function and the DEBUG_ONLY_THIS_PROCESS flag combined with CREATE_SUSPENDED? This should give you access to the process before anything has executed, including TLS callbacks.
Is there a specific reason why you believe that you need to use a device driver? Are you trying to avoid the TLS callbacks and process initialization for a single process or system-wide?
From usermode you can use the Application Compatibility Toolkit to load a DLL into any process system-wide immediately after kernel32/user32 is loaded and before any usermode code has executed.
On Windows 10 you can get the AppCompat toolkit as part of the Windows Assessment and Deployment Kit.
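As an added example (not code from this thread or from either poster), here is a small launcher in C that does what the reply above suggests: it starts a target with DEBUG_ONLY_THIS_PROCESS | CREATE_SUSPENDED, drives the Win32 debug loop, and logs the create-process and DLL-load events. The point of interest for the original question is that CREATE_PROCESS_DEBUG_EVENT arrives while the target exists but has run no user-mode code at all, so that is where a logging DLL would be loaded. The event policy is kept in a separate function (handle_debug_event, a name chosen here) so it can be compiled and checked on any host; the launcher itself is Windows-only. The constant values in the non-Windows branch are the documented Win32 values, reproduced only so the file builds elsewhere.

```c
/* Added example: run a target under the Win32 debugging API and log the
 * events that precede any user-mode execution in it. The event-handling
 * policy is host-independent; the launcher needs <windows.h>. */
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#else
/* Documented Win32 values, reproduced so handle_debug_event builds on
 * non-Windows hosts (assumption: only the policy is exercised there). */
typedef unsigned long DWORD;
#define EXCEPTION_DEBUG_EVENT      1
#define CREATE_PROCESS_DEBUG_EVENT 3
#define EXIT_PROCESS_DEBUG_EVENT   5
#define LOAD_DLL_DEBUG_EVENT       6
#define EXCEPTION_BREAKPOINT       0x80000003UL
#define DBG_CONTINUE               0x00010002UL
#define DBG_EXCEPTION_NOT_HANDLED  0x80010001UL
#endif

/* State carried across debug events for one debuggee. */
typedef struct {
    int process_created;   /* CREATE_PROCESS_DEBUG_EVENT seen */
    int initial_bp_seen;   /* the loader's initial breakpoint consumed */
    int dll_loads;         /* LOAD_DLL_DEBUG_EVENT count */
    int exited;            /* EXIT_PROCESS_DEBUG_EVENT seen */
} debug_state;

/* Decide how to answer one debug event. Returns the status to hand to
 * ContinueDebugEvent. Sets *hook_point to 1 exactly once, on
 * CREATE_PROCESS_DEBUG_EVENT: the process exists, ntdll is mapped, and no
 * code in it (TLS callbacks included) has run yet. */
DWORD handle_debug_event(debug_state *st, DWORD event_code,
                         DWORD exception_code, int *hook_point)
{
    *hook_point = 0;
    switch (event_code) {
    case CREATE_PROCESS_DEBUG_EVENT:
        st->process_created = 1;
        *hook_point = 1;
        return DBG_CONTINUE;
    case LOAD_DLL_DEBUG_EVENT:
        st->dll_loads++;
        return DBG_CONTINUE;
    case EXIT_PROCESS_DEBUG_EVENT:
        st->exited = 1;
        return DBG_CONTINUE;
    case EXCEPTION_DEBUG_EVENT:
        /* The loader raises one breakpoint after ntdll initialisation; it
         * must be swallowed with DBG_CONTINUE. Later exceptions belong to
         * the target and are returned as not handled so its own handlers
         * run; answering DBG_CONTINUE there would mask real faults. */
        if (exception_code == EXCEPTION_BREAKPOINT && !st->initial_bp_seen) {
            st->initial_bp_seen = 1;
            return DBG_CONTINUE;
        }
        return DBG_EXCEPTION_NOT_HANDLED;
    default:
        return DBG_CONTINUE;
    }
}

#ifdef _WIN32
/* Windows-only launcher: start `target` under the debugger and log events.
 * Returns 0 when the target ran to exit under the debug loop. */
int run_under_debugger(const char *target)
{
    STARTUPINFOA si; PROCESS_INFORMATION pi; DEBUG_EVENT ev;
    debug_state st = {0}; char cmdline[MAX_PATH]; int hook_point;
    ZeroMemory(&si, sizeof si); si.cb = sizeof si;
    strncpy(cmdline, target, sizeof cmdline - 1); cmdline[sizeof cmdline - 1] = '\0';
    if (!CreateProcessA(NULL, cmdline, NULL, NULL, FALSE,
                        DEBUG_ONLY_THIS_PROCESS | CREATE_SUSPENDED,
                        NULL, NULL, &si, &pi)) {
        fprintf(stderr, "CreateProcess failed: %lu\n", GetLastError());
        return 1;
    }
    /* The create-process event is delivered when the initial thread first
     * enters the kernel, so resuming here still lands the debugger ahead of
     * any user-mode instruction in the target. */
    ResumeThread(pi.hThread);
    while (!st.exited && WaitForDebugEvent(&ev, INFINITE)) {
        DWORD exc = ev.dwDebugEventCode == EXCEPTION_DEBUG_EVENT
                  ? ev.u.Exception.ExceptionRecord.ExceptionCode : 0;
        DWORD status = handle_debug_event(&st, ev.dwDebugEventCode, exc, &hook_point);
        if (hook_point) {
            printf("pid %lu created, start address %p, nothing has run yet\n",
                   ev.dwProcessId, (void *)ev.u.CreateProcessInfo.lpStartAddress);
            if (ev.u.CreateProcessInfo.hFile) CloseHandle(ev.u.CreateProcessInfo.hFile);
        }
        if (ev.dwDebugEventCode == LOAD_DLL_DEBUG_EVENT) {
            printf("dll mapped at %p\n", ev.u.LoadDll.lpBaseOfDll);
            if (ev.u.LoadDll.hFile) CloseHandle(ev.u.LoadDll.hFile); /* debugger owns it */
        }
        ContinueDebugEvent(ev.dwProcessId, ev.dwThreadId, status);
    }
    CloseHandle(pi.hThread); CloseHandle(pi.hProcess);
    return 0;
}

int main(int argc, char **argv)
{
    if (argc < 2) { fprintf(stderr, "usage: %s <target.exe>\n", argv[0]); return 2; }
    return run_under_debugger(argv[1]);
}
#endif
```

Two details the reply does not spell out: the debugger must close the file handles it receives in the create-process and load-DLL events, and only the loader's first breakpoint should be answered with DBG_CONTINUE, since later exceptions are the target's own.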