I'm debugging a Windows application in Linux using Wine (Eudora), using WINEDEBUGGER=+relay to create a (rather massive) log of API calls. Now that I've spotted where the problem is, I want to run the same application in native Windows (well, actually VirtualBox), to see how it behaves and compare the differences (if any).
I know there are several Windows tools that can trace API calls, but I need one that can generate the same kind of log as Wine does, so I can use the same workflow:
Configure the logger/tracer to exclude a given list of functions (as in KERNEL32.SetLastError; KERNEL32.GetLastError; KERNEL32.FlsGetValue; ntdll.RtlEnterCriticalSection; ntdll.RtlLeaveCriticalSection), equivalent to Wine's Debug\RelayExclude registry entry. This is crucial, since it's the difference between a 30MB logfile and a 1.3 GB one.
All other calls must be traced, regardless of library/module/dll/whatever. They must not be sorted or filtered by module, since the order the calls are made is crucial for me (so I can backtrack and not get lost).
Start the tracer as easily as tracer c:\ProgramFiles\Eudora\Eudora.exe 2> hugelogfile.txt
It launches Eudora, I perform my actions, and close Eudora.
Tracer stops when Eudora terminates. Log is ready for me to play with.
Here is a snippet of a Wine log, if it helps (similar format is desirable):
0009:Call advapi32.RegQueryValueW(80000000,0033b5dc L".txt",0033b9a0,0033bbac) ret=7e9a6c7a
0009:Ret advapi32.RegQueryValueW() retval=00000000 ret=7e9a6c7a
0009:Call advapi32.RegOpenKeyExW(80000000,0033b9a0 L"txtfile",00000000,02000000,0033a528) ret=7e9a3b66
0009:Ret advapi32.RegOpenKeyExW() retval=00000000 ret=7e9a3b66
0009:Call advapi32.RegCloseKey(000000d4) ret=7e9a3bbc
0009:Ret advapi32.RegCloseKey() retval=00000000 ret=7e9a3bbc
0009:Call advapi32.RegQueryValueW(80000000,0033b9a0 L"txtfile\\shell\\\\command",0033ada0,0033a52c) ret=7e9a3c04
0009:Ret advapi32.RegQueryValueW() retval=00000002 ret=7e9a3c04
0009:Call shlwapi.PathIsDirectoryW(0033e464 L"D:\\Arquivos\\Email\\attach\\carro.txt") ret=7e9a8a26
0009:Call KERNEL32.GetFileAttributesW(0033e464 L"D:\\Arquivos\\Email\\attach\\carro.txt") ret=7eb47738
0009:Ret KERNEL32.GetFileAttributesW() retval=00000020 ret=7eb47738
0009:Ret shlwapi.PathIsDirectoryW() retval=00000000 ret=7e9a8a26
0009:Call shlwapi.PathIsURLW(0033e464 L"D:\\Arquivos\\Email\\attach\\carro.txt") ret=7e9a8e68
0009:Ret shlwapi.PathIsURLW() retval=00000000 ret=7e9a8e68
0009:Call user32.LoadStringW(7e950000,000000a4,0033abb0,00000800) ret=7e9a3ac2
0009:Ret user32.LoadStringW() retval=00000041 ret=7e9a3ac2
0009:Call user32.MessageBoxW(000100c4,0033abb0 L"There is no Windows program configured to open this type of file.",00000000,00000010) ret=7e9a3a84
Can you please suggest a free, easily downloadable program that can do that and, most importantly, give exact instructions on how to achieve this workflow with the suggested software?
Thanks!
WinAPIOverride can do that kind of tracing (and a lot more).
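
Return addresses and pointer arguments differ from run to run, so traces from two systems need normalising before they can be diffed. The script below is an added example, not part of the original posts and not a feature of Wine or WinAPIOverride: it parses the relay format shown in the question, drops the excluded functions, and keeps call order with per-thread nesting. The `GetLastError` lines in the sample are constructed, and `normalise` and its output layout are assumptions of this example.

```python
import re

# Functions to drop: the list from the question (Wine's RelayExclude equivalent).
EXCLUDE = {
    "KERNEL32.SetLastError", "KERNEL32.GetLastError", "KERNEL32.FlsGetValue",
    "ntdll.RtlEnterCriticalSection", "ntdll.RtlLeaveCriticalSection",
}

# tid:Call mod.func(args) ret=addr   |   tid:Ret mod.func() retval=val ret=addr
LINE = re.compile(
    r"^(?P<tid>[0-9a-f]+):(?P<kind>Call|Ret)\s+(?P<func>[\w.]+)"
    r"\((?P<args>.*)\)(?: retval=(?P<retval>[0-9a-f]+))? ret=(?P<ret>[0-9a-f]+)$"
)
STRING = re.compile(r'L?"((?:[^"\\]|\\.)*)"')  # quoted string arguments

def normalise(lines, exclude=EXCLUDE):
    """Return comparable trace lines in original call order.

    Keeps thread id, nesting, function name, string arguments and retval;
    drops return addresses and raw pointer/handle arguments.
    """
    depth = {}  # nesting level per thread id
    out = []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m or m["func"] in exclude:
            continue  # not a relay line, or an excluded function
        tid, func = m["tid"], m["func"]
        if m["kind"] == "Call":
            d = depth.get(tid, 0)
            depth[tid] = d + 1
            strings = " | ".join(STRING.findall(m["args"]))
            out.append(f"{tid} {'  ' * d}Call {func} {strings}".rstrip())
        else:
            d = max(depth.get(tid, 0) - 1, 0)
            depth[tid] = d
            out.append(f"{tid} {'  ' * d}Ret {func} retval={m['retval']}")
    return out

# Lines from the question's log, plus two constructed GetLastError lines.
SAMPLE = r'''
0009:Call shlwapi.PathIsDirectoryW(0033e464 L"D:\\Arquivos\\Email\\attach\\carro.txt") ret=7e9a8a26
0009:Call KERNEL32.GetFileAttributesW(0033e464 L"D:\\Arquivos\\Email\\attach\\carro.txt") ret=7eb47738
0009:Call KERNEL32.GetLastError() ret=7eb47740
0009:Ret  KERNEL32.GetLastError() retval=00000000 ret=7eb47740
0009:Ret KERNEL32.GetFileAttributesW() retval=00000020 ret=7eb47738
0009:Ret shlwapi.PathIsDirectoryW() retval=00000000 ret=7e9a8a26
'''.splitlines()

if __name__ == "__main__":
    print("\n".join(normalise(SAMPLE)))
```

Running the same function over both log files and diffing the two outputs shows the first call where the runs diverge.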