apimon not working for WoW64 processes

[skvl]

Abstract

There is no apimon messages for SysWOW64\*.dll hooks.

How to reproduce

• Provide --dll-hooks-list like that: SysWOW64\ntdll.dll,NtGetContextThread,log,handle,pcontext
• Provide --json-wow /path/to/wow/ntdll.json (thanks to @icedevml to notice that)
• Run Windows 7 SP1 x64 (or other supported Windows x64)
• Run drakvuf with apimon enabled
• Execute x86 sample which uses GetThreadContext

Expected behavior

• In STDOUT see something like: apimon ... Method=NtGetContextThread ...

Actual behavior

• No messages in STDOUT from apimon

Additional info

• With WinDbg one could check that ntdll!NtGetContextThread is executed
• In debug messages one could see that breakpoint is set: Trap added @ PA 0x229ddc20 RPA 0xff009c20 Page 141789 for NtGetContextThread.
• If one add MEMACCESS execution hook on the page with the function it could be seen that there are multiple exits. Though:
  • The exits take place at random addresses inside varios functions (at the middle or the end)
  • There is no exits for the requested function

At the time this issue really starting to mess with my head! Any help is appreciated.

[icedevml]

You need to start DRAKVUF with WOW64 NTDLL profile as far as I remember. Otherwise 32 bit processes will not be tracked.

[skvl]

@icedevml thanks a lot. Though I understand this. As I've noted drakvuf detects and traps the DLL.

[icedevml]

For (hmmm) historical reasons you need to provide --json-wow profile.json which would be the profile generated out of PDB corresponding to C:\Windows\SysWOW64\ntdll.dll.

[skvl]

Thanks! I have updated the instruction to reproduce the error.

[hexrays4711]

This seems to be related to https://github.com/tklengyel/drakvuf/issues/1667. Setting --json-wow does unfortunately not solve the problems.