Kapimon : Kernel API Monitor ( Version 2.0 )

  1. Introduction

    KAPIMON can be used to hook kernel and device drivers APIs for trouble-shooting purposes. It also offers a special option that automatically hooks ExAllocatePoolWithTag, ExFreePoolWithTag to trace kernel pool allocations.

     

  2. Setup

    KAPIMON has two components : KAPIMON.EXE a user mode program that interacts with the user and TRACE.SYS, a kernel mode driver which is installed and loaded as a standard Windows NT service.

    To install KAPIMON, copy kapimo.exe and trace.sys  files on a local drive's subdirectory and create a symbol subdirectory and copy the symbol files for the Windows NT and service pack installed on your system.

    Symbols :

    KAPIMON works with symbol files that are provided with the standard Windows NT builds. It uses IMAGEHLP.DLL to load symbolic information for kernel, HAL and device drivers. This is very similar to the use of symbolic information by Windows NT kernel debugger.

    You can define "_NT_SYMBOL_PATH" as an environment variable pointing to the location of symbol files for the current build/service pack running on your system. This could also be done by using the –p [symbol path] option from the command line. If neither of these two options are used, KAPIMON will prompt you for the symbol path. The minimum symbol file required is the NTOKRNL.DBG  file.

     

  3. Basic features

    HOOKING an API

    KAPMON is used to hook kernel mode APIs. The –h option from the command line activates this feature. Optionally –hr can be used to allow hooking functions at the function entry and on the function return, making the function return value available. When working with symbolic info, Kapimon uses the Fpo info to decide wheather a symbol could be an API or a global variable. This information could be wrong for a function that does not have any Fpo info. The -hrf option makes it possible to hook all symbols available for the system's components.

     

    Once an API is hooked, the trace driver’s hook routine will take control when the API gets called. The hook routine will then log the call ( the call parameters and the stack back trace), and returns control to the function being called.

    A very simple mechanism to hook functions. The function prolog is replaced by a jump to the hook routine dedicated for this purpose. The hook routine saves the call context, logs the call , restores the context and returns to the function being called. The control from the called function to the hook routine and back is transfered by using the "jump" instruction.

    As an example lets take ExAllocatePoolWithTag function. This function has the following function prolog :

    NT!ExAllocatPoolWithTag :

    80109b36 55 push ebp
    80109b37 8b442408 mov eax,[esp+0x8]
    80109b3b 8bec mov ebp,esp
    80109b3d 83e001 and eax,0x1
    80109b40 83ec20 sub esp,0x20
    80109b43 8945f4 mov [ebp-0xc],eax
    80109b46 53 push ebx
    80109b47 56 push esi
    80109b48 57 push edi

    KAPIMON will change the code as follows :

    NT!ExAllocatPoolWithTag :

    80109b36 ff25149eb4fb jmp dword ptr [fbb49e14] (Trace!HookRoutineXXX)
    80109b3c 90 nop
    80109b3d 83e001 and eax,0x1
    80109b40 83ec20 sub esp,0x20
    80109b43 8945f4 mov [ebp-0xc],eax
    80109b46 53 push ebx
    80109b47 56 push esi
    80109b48 57 push edi

    When ExAllocatePoolWithTag gets called, the jump instruction reroutes control to the TRACE hook routine that is something similar to the following :

    Trace!HookRoutine :

    fbb48150 9c pushfd
    fbb48151 60 pushad
    fbb48152 6a02 push HookNumber
    fbb48154 e893010000 call Trace!LogTheCall
    fbb48159 61

    popad

    fbb4815a 9d popfd
    fbb4815b 55 push ebp
    fbb4815c 8bec mov ebp,esp
    fbb4815e 83ec10 sub esp,0x10
    fbb48161 ff25e09eb4fb jmp dword ptr [fbb49ee0] (NT!ExAllocatPoolWithTag+8 )

    It is very important to keep in mind the above mechanism. Only those APIs that have a similar function prolog allow the use of this mechanism and can be hooked safely. Attempting to hook functions that do not use a standard function prolog might make the system crash.

    KAPIMON, in this version, does very little verification on function prologs. The user has to make sure that this assumption applies to the functions being hooked. Moreover, not much filtering is done on the symbols that are loaded for kernel modules. These symbols could be functions, global variables or strings. Attempting to hook global variables could also make the system crash ( the variable value will be overwritten by the jump instruction).

    HOOKING an API with Return Value

    When hooking an API with return value, TRACE gains control at the function entry and at the function return. The EAX register value is considered to be the function’s return value and is logged in the trace buffer. The return value has a meaning only if the function uses EAX for it's return value.

     

    Tracking Pool allocations

    Selecting "Hook->Trace Kernel pool allocations" hooks ExAllocatePoolWithTag, and it’s counterpart and ExFreePoolWithTag. This option will trace kernel drivers’ calls to memory allocation/free functions. When this option is used,  the user interface tries to match memory allocations with their free counterparts and keep trak of memory that has been allocated and not freed.

  4. KAPIMON and Trace buffers

    Two Capture buffers are used : Kernel and user.

    The kernel capture buffer is allocated by the trace.sys form non-paged pool. This buffer can be resized from the "options menu -> Capture Buffer ( Non Paged)".

    User mode capture buffer is allocated by KAPIMON.EXE. The current size is hard coded to 15000 entries. When the buffer is full, KAPIMON simply resets it by disregarding the buffer's content.

  5. Filtering

    Filtering can be used to filter calls from the capture buffer.

    The Filter Dialog box has two parts : the kernel mode filters and the user mode filters.

    Kernel mode filters can be used to filter calls coming from selected modules ( checked ) in the filter list. Trace.sys simply disregards calls containing a selected module in the stack back trace.

    User mode filtering is applied by the user mode interface, after the kernel buffer is transferred to the user mode buffer.

    Two types of user mode filtering are available : Filtering on Modules and filtering on Tags.

    Filtering on modules can be used to include modules that are selected. KAPIMON will rescan the stack back trace and will keep those entries that have an API from the selected modules in the call path.

    Tag Filtering, is only useful when tracing memory allocations. Tags are the third parameter of ExAllocatePoolWithTag. When the tag filtering  options is selected,  the tag filter value is matched with the third parameter to the call.

    The "tag" value in the filter dialog, can be up to four characters. Blank is considered to be a wildcard. Example : the tag "T" will match to any tag starting with T. I.e : Tcpt,Thre,...

  6. Command line options

    KAPIMON has the following command line options :

    -A

    Load all symbolic information. By default only symbols for NTOSKRNL are loaded. The –A option allows to load the symbols for all kernel components running on the system.

    -C

    Start as a remote client.

    -F [File Name]

    Load capture file. When started with –F option KAPIMON can only be used to read capture files. No other options are availeable.

    -H[R][F]

    Enable Hooking API’s feature.

    [R] enable hooking entry and return.

    [F] More flexible  hooking.

    -M

    Start memory tracing

    -P

    Specifies the symbol path

    -S

    Start the remote server option

  7. Capture files

The ".KMN" file extension is used to save a capture file. By default, captures are saved with minimum symbolic info. This allows for smaller capture files. A files saved with minimum info contains the capture buffer plus the module table entries.

If the option menu’s "Save Capture with symbolic info" is checked then the symbolic info is also saved in the capture file. 

To load a capture file :

  • Start "KAPIMON –F[filenam]" . KAPIMON will load symbols, if present,  from the capture file.
  • File->Open with  KAPIMON started without  the –F option will use the symbols loaded for the system it is running on.

 

  1. Remote

    TBW

  2. Systems supported

Intel Platform Only !

mono-processor systems Only!

Download KAPIMON.ZIP

Download KAPIMON.ZIP 4.1 XP/2003