Question

How do I determine which processes are using WS2_32 to receive data from a socket?

What I'd like is, for example, to simply output a call stack whenever some process calls ws2_32!WSARecv or ws2_32!recv so that I know where the call came from.

I suspect I may need to use WinDbg with kb, but have never done true kernel-level debugging with kb before. I have done a fair amount of process-level debugging with cdb and WinDbg PC-to-PC over a serial connection.

I've been Googling, but so far nothing I've read gives a clear way of doing it. If someone can point me in the right direction I'd appreciate it. I'm not afraid to spend time reading, I just don't want to waste more time going down rabbit holes.

Thanks in advance for your ideas.

[edit] Thank you Marc for the hint of using XPerf and also for the link. This was exactly what I needed.


Solution

ETW using xperf (or WPA on Win8.x) is better suited for this task. The article ‘Hidden’ ETW Stack Trace Feature – Get Stacks All Over the Place! does exactly what you want.

In that article they are looking for callers of ws2_32!socket so it'll be easy to follow their steps and look for callers of ws2_32!WSASend and ws2_32!send instead.

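The capture described above, written out as an added example (this is not code from the original answer or from the linked article): it starts a kernel session for process/image-load events, starts a user session for a Winsock ETW provider with the `'stack'` keyword so that ETW records a call stack on every event, and then merges and dumps the trace. Because the Winsock user-mode frames are on the stack at the time afd.sys raises its event, the dumped stacks show ws2_32!WSARecv / ws2_32!recv and their callers. The provider name `Microsoft-Windows-Winsock-AFD`, the choice of keyword mask, the session name and the output paths are assumptions for this example; it assumes an elevated PowerShell prompt with the Windows Performance Toolkit (xperf.exe) on PATH.

```powershell
# Added example, not part of the original Q&A. Assumes an elevated prompt and xperf.exe on PATH.
$provider = 'Microsoft-Windows-Winsock-AFD'   # assumption: kernel-side Winsock provider (afd.sys)
$session  = 'WinsockStacks'                   # assumption: arbitrary user-session name
$kernelEtl = Join-Path $env:TEMP 'winsock_kernel.etl'
$userEtl   = Join-Path $env:TEMP 'winsock_user.etl'
$mergedEtl = Join-Path $env:TEMP 'winsock_merged.etl'
$dumpTxt   = Join-Path $env:TEMP 'winsock_stacks.txt'

# Symbol path so xperf/WPA can resolve ws2_32.dll frames when the trace is processed.
$env:_NT_SYMBOL_PATH = "srv*$env:TEMP\symbols*https://msdl.microsoft.com/download/symbols"

# 1. Kernel session: process, thread and image-load events are required so that
#    stack addresses can be attributed to modules (ws2_32.dll, the caller's module).
xperf -on PROC_THREAD+LOADER -f $kernelEtl

# 2. User session: every event from the provider gets a call stack because of the
#    'stack' keyword in the provider spec (Provider:Keywords:Level:'stack').
#    0xffffffffffffffff = all keywords, 5 = verbose level (assumed to be sufficient).
xperf -start $session -on "${provider}:0xffffffffffffffff:5:'stack'" -f $userEtl

# 3. Reproduce the network activity of interest while the sessions run.
Write-Host "Tracing for 30 seconds; exercise the receiving process now..."
Start-Sleep -Seconds 30

# 4. Stop both sessions (plain -stop stops the NT Kernel Logger) and merge the traces.
xperf -stop $session
xperf -stop
xperf -merge $kernelEtl $userEtl $mergedEtl

# 5. Dump the merged trace as text with symbols resolved; stack lines carry the
#    user-mode frames (ws2_32!WSARecv, ws2_32!recv) and their callers. Alternatively
#    open $mergedEtl in WPA and add the Stack column to the provider's event table.
xperf -i $mergedEtl -symbols -o $dumpTxt -a dumper
Select-String -Path $dumpTxt -Pattern 'ws2_32!(WSARecv|recv)\b' | Select-Object -First 20
```

The `Select-String` at the end is just a quick check that stacks were actually captured and resolved; if it returns nothing, the usual causes are a missing symbol path, the session not having been elevated, or a provider that does not emit an event on the code path being exercised.
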
Other tips

This is not a WinDbg solution, but maybe helpful for someone who comes here and wants to do a similar thing without kernel debugging.

Rohitab API Monitor provides API logging capabilities. In the API filter tool window select WS2_32.dll, then check the methods WSARecv and recv.

Drawbacks of this approach:

  • there's no easy way to monitor all processes with a single click
  • it doesn't provide an overview of all calls in a single window, just a per process view
  • on 64-bit Windows, you will need to run the 64-bit and 32-bit versions in parallel to be able to monitor all processes.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow