Track windows API calls

Question

2.00/5 (2 votes)

See more:

Hello Guys,

I'm sure many of you must have done it. This is what I need.
Count number of calls made to specific Windows API (Say ReplaceFile or ReadFile or Openfile) by any process running across the system. Also if possible keep a track of number of calls per process.

I'm planning to code this in VBScript(.vbs) But suggestions are welcome.

Regards,
Darshan

What I have tried:

I have tried Absolutely Nothing as I don't know what to start with.

Posted 25-Mar-16 0:19am

Darshan Parab

Updated 25-Mar-16 7:25am

Add a Solution

Comments

enhzflep 25-Mar-16 6:35am

Search for API hooking

[no name] 25-Mar-16 8:34am

I think this is a good hint, can't vote 5 here for this :(

enhzflep 26-Mar-16 1:23am

Thanks mate, the points are irrelevant. My only interest is in obtaining a good outcome for the OP. :)
Hope you're enjoying the long-weekend.

Afzaal Ahmad Zeeshan 25-Mar-16 6:36am

You would need to create a Windows service, that handles each and every command being executed. Then it would see if that is the action it needs to track and log... In other words, you need to modify the kernel to log the services, otherwise, you need to write a service that runs on the top of kernel and logs the code calls.

Darshan Parab 25-Mar-16 6:47am

I was thinking something like that. A process running in the background and tracking the system calls. My problem is I'm totally unaware of how to do that. I mean how to grab a call made to Windows API by any running process.

Afzaal Ahmad Zeeshan 25-Mar-16 7:13am

That is because even an intermediate programmer would need to understand how a call is passed on to kernel and how a response is generated and so on. In many cases, this can be done using Win32 API in C. Google would help you out in this.

Richard MacCutchan 25-Mar-16 8:11am

VBScript is not the sort of language that could handle such a complex application.

1 solution

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Dave Kreskowiak · Accepted Answer · 2016-03-25T07:25:00

Solution 1

You cannot do this in VBScript.

You need an API hooking library, like Detours[^]. Get your checkbook out. You're going to need it.

There are alternatives[^], but in all cases, they are not going to work in VBScript.

Posted 25-Mar-16 7:25am

Dave Kreskowiak

Comments

F-ES Sitecore 25-Mar-16 14:18pm

Agreed. The only way you could do this "from vbscript" is to write a COM object that does the hooking and you automate\query the COM object via VBScript.