Sysinternals Forums > Sysinternals Utilities > Process Monitor

Implementation Funcs of Operations

WinLoader (Newbie, joined 16 July 2017, California, USA)
Posted: 16 July 2017 at 10:19pm
Hello,
I use ProcMon all day every day and I would like to learn which WIN32, NTDLL and/or ntoskrnl functions are implemented for the File System "Operations" listed in ProcMon. Is there any direct correlation or indexing that will tell me this information?

For example, I want to know which API calls are behind "Load Image" and "CreateFileMapping".

As a secondary question, is there any relation of the Operation name to its underlying implementation's function name? For example, there is an API called CreateFileMapping in Kernel32, but there is no API called "Load Image" (with a space). The lower the implementation details I can get, the better. I'm trying to find out exactly which Nt, Zw, Mm, etc. functions these ops correspond to. Thanks.
Thanks,
WinLoader
Discuss Malware Reversing at https://malwareanalysisforums.com
sredna (Groupie, joined 24 November 2016)
Posted: 18 July 2017 at 11:04pm
These are process operations, not FS operations in ProcMon IIRC.
CreateFileMapping might be NtCreateSection and not actually CreateFileMapping. Load Image is probably LdrLoadDll (LoadLibrary) or a section loaded and mapped as SEC_IMAGE (on a phone right now, can't check).
You can just check the stack for the operation to see which functions are called...
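Following sredna's suggestion to read the captured stack for an operation, here is an added example (not code from this thread or from Sysinternals) that automates the lookup over a whole trace. It parses a Process Monitor XML export saved with "Include stack traces" enabled and, for each Operation, lists which ntoskrnl.exe/driver, ntdll.dll and Win32-DLL functions appear on the stack, plus the first ntdll.dll frame walking outward from the kernel, which is the native system call the operation corresponds to. The element names (`event`, `Operation`, `stack`, `frame`, `depth`, `path`, `location`) are my understanding of ProcMon's XML layout and should be checked against a real export; the sample document embedded below is constructed and its frames are illustrative, not a recorded capture.

```python
"""Map Process Monitor operations to the functions on their captured stacks.

Added example, not from the forum thread or from Sysinternals.  The XML
element names are assumed to match ProcMon's export format; SAMPLE_XML is a
constructed document whose frames are illustrative only.
"""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample export: one CreateFileMapping event and one Load Image
# event, each with an abbreviated stack (depth 0 = innermost frame).
SAMPLE_XML = r"""<procmon><eventlist>
<event><Process_Name>notepad.exe</Process_Name><Operation>CreateFileMapping</Operation>
<Path>C:\Windows\System32\example.dll</Path><stack>
<frame><depth>0</depth><address>0x0</address><path>C:\Windows\system32\ntoskrnl.exe</path><location>MmCreateSection + 0x1a2</location></frame>
<frame><depth>1</depth><address>0x0</address><path>C:\Windows\system32\ntoskrnl.exe</path><location>NtCreateSection + 0x2f</location></frame>
<frame><depth>2</depth><address>0x0</address><path>C:\Windows\System32\ntdll.dll</path><location>NtCreateSection + 0x14</location></frame>
<frame><depth>3</depth><address>0x0</address><path>C:\Windows\System32\KERNELBASE.dll</path><location>CreateFileMappingW + 0x9e</location></frame>
<frame><depth>4</depth><address>0x0</address><path>C:\Windows\System32\notepad.exe</path><location>notepad.exe + 0x1234</location></frame>
</stack></event>
<event><Process_Name>notepad.exe</Process_Name><Operation>Load Image</Operation>
<Path>C:\Windows\System32\example.dll</Path><stack>
<frame><depth>0</depth><address>0x0</address><path>C:\Windows\system32\ntoskrnl.exe</path><location>NtMapViewOfSection + 0x3d</location></frame>
<frame><depth>1</depth><address>0x0</address><path>C:\Windows\System32\ntdll.dll</path><location>NtMapViewOfSection + 0x14</location></frame>
<frame><depth>2</depth><address>0x0</address><path>C:\Windows\System32\ntdll.dll</path><location>LdrLoadDll + 0x8b</location></frame>
<frame><depth>3</depth><address>0x0</address><path>C:\Windows\System32\KERNELBASE.dll</path><location>LoadLibraryExW + 0x16f</location></frame>
</stack></event>
</eventlist></procmon>"""

_OFFSET = re.compile(r"\s*\+\s*0x[0-9a-fA-F]+$")


def symbol_name(location):
    """Strip the '+ 0x..' offset ProcMon appends: 'NtCreateSection + 0x14' -> 'NtCreateSection'."""
    return _OFFSET.sub("", location.strip())


def classify(module_path):
    """Bucket a frame's module: ntdll.dll -> native, kernel image or driver -> kernel, else user."""
    name = module_path.rsplit("\\", 1)[-1].lower()
    if name == "ntdll.dll":
        return "native"
    if name.endswith(".sys") or name in ("ntoskrnl.exe", "ntkrnlmp.exe", "ntkrnlpa.exe", "ntkrpamp.exe"):
        return "kernel"
    return "user"


def event_frames(event):
    """Return (depth, module_path, symbol) tuples for one <event>, innermost frame first."""
    frames = []
    for f in event.findall("./stack/frame"):
        depth = int(f.findtext("depth", "0"))
        frames.append((depth, f.findtext("path", ""), symbol_name(f.findtext("location", ""))))
    return sorted(frames)


def summarize(xml_text):
    """Operation -> {'kernel': [...], 'native': [...], 'user': [...]}.

    Symbols are kept in first-seen order (innermost first) and deduplicated
    across all events that carry the same Operation name.
    """
    root = ET.fromstring(xml_text.strip())
    summary = defaultdict(lambda: {"kernel": [], "native": [], "user": []})
    for ev in root.iter("event"):
        op = ev.findtext("Operation", "").strip()
        for _, module, sym in event_frames(ev):
            bucket = summary[op][classify(module)]
            if sym and sym not in bucket:
                bucket.append(sym)
    return dict(summary)


def entry_points(xml_text):
    """Operation -> first ntdll.dll symbol seen walking outward from the kernel.

    That frame is the native system-call stub the operation was reached
    through, which is the mapping the thread is asking about.
    """
    result = {}
    for ev in ET.fromstring(xml_text.strip()).iter("event"):
        op = ev.findtext("Operation", "").strip()
        for _, module, sym in event_frames(ev):
            if classify(module) == "native":
                result.setdefault(op, sym)
                break
    return result


if __name__ == "__main__":
    for op, sym in entry_points(SAMPLE_XML).items():
        print(f"{op:20s} -> {sym}")
    for op, buckets in summarize(SAMPLE_XML).items():
        print(op, buckets)
```

To use it on a real trace, replace `SAMPLE_XML` with the contents of an export saved via File > Save with the XML format and stack traces included; without stack traces `entry_points` returns nothing, because there are no frames to read. Symbol names are only as good as the symbol configuration ProcMon had when it resolved the stacks, so an unresolved frame shows up as `module + offset` and is bucketed by module only.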
WinLoader (Newbie, joined 16 July 2017, California, USA)
Posted: 09 August 2017 at 11:14pm
Got it, yeah I ended up using WinDbg to get it figured out. Maybe I can create a list sometime. :)
Thanks,
WinLoader
Discuss Malware Reversing at https://malwareanalysisforums.com
Forum Software by Web Wiz Forums® version 11.06
Copyright ©2001-2016 Web Wiz Ltd.