Tracing an application from startup

From Nektra Advanced Computing Wiki

Introduction

SpyStudio lets you trace almost any process you want at almost any moment of its execution, but sometimes you need to monitor its behaviour from its very creation. In this tutorial you will learn how to hook a process without losing track of any of its function calls.

Tracing a process from startup: Step by step

Selecting function groups

The first step is to select the function groups to trace. This is done by checking and unchecking items in the menu bar, under the "Monitor" drop-down menu. See SpyStudio Group Selection for details on function groups.

Select a program to trace

In the upper-left corner of the SpyStudio window you will find two text boxes. The first one is labeled "Execute and Hook". Enter the name of the executable file to trace in it. You can either write the full path of the executable file you want to trace (extension included) or browse for it using the "..." button right next to the text box.

You can also specify parameters for the executable file. Simply write them in the "Parameters" text box as if you were typing them on the command line. They will be appended after the path of the file.

Start tracing!

Once you are done specifying the executable file and its parameters, click on the "Execute and Hook" button (the one with a "play" symbol on it) and the process will be launched and hooked before it makes any function calls.

Now you are tracing the process from its very startup!

Tracing

SpyStudio hooks all the functions included in the checked function groups and logs information on each call the hooked process makes to them. This information is shown in near-raw form in the "Trace" tab and fully interpreted in the other tabs ("Registry", "Files", "Windows", etc.).

See SpyStudio Interpreting Tracing Output for more information on how to interpret SpyStudio logs.

Unhooking

To stop tracing a process you can:

  • Right-click on the process in the "Running processes" list on the left of the SpyStudio window and then select "Unhook".
  • Select "Analysis" in the menu bar and then "Stop All" (Shift + F5).
  • Terminate the process normally. This will automatically unhook the process before it exits.