Now on Windows

Using StraceNT I was able to get this output.

Here’s a snippet:

IntellectualHeaven (R) System Call Tracer for NT, 2K, XP, 2K3.
Copyright (C) Pankaj Garg. All rights reserved.

Tracing command: ["pdbstr" -r -p:accessiblemarshal.pdb -i:am3.stream -s:srcsrv]
[T3600] TlsGetValue(1, 0, 2bfef8, 182020, …) = 2c7778
[T3600] EnterCriticalSection(77c61b30, 2c7778, 2bfed0, 77c3a03b, …) = 0
[T3600] LeaveCriticalSection(77c61b30, 2bfed0, 77c3a0fa, d, …) = 0
[T3600] EnterCriticalSection(77c61b18, 2c7778, 2bfed0, 77c3a06c, …) = 0
[T3600] LeaveCriticalSection(77c61b18, 2bfed0, 77c3a108, c, …) = 0
[T3600] HeapFree(2c0000, 0, 2c7778, 0, …) = 1
[T3600] TlsSetValue(1, 0, 0, 2bfef8, …) = 1
[T2556] LeaveCriticalSection(2c1fdc, 6f1c0, 77c2d154, 4, …) = 0
[T2556] LeaveCriticalSection(2c7718, 6f1d8, 77c3b967, 13, …) = 0
[T2556] HeapFree(2c0000, 0, 2caa48, 1058d24, …) = 1

The results are certainly a bit clearer looking than the Linux/Wine results. I am still clueless however to the deeper meaning. I’ve been told I need to talk to timeless on IRC, that he is the one with major knowledge on reverse engineering.
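To get some structure out of a trace like this, here is a small parser, added as an example and not part of the original post or of StraceNT itself. It assumes each call line has the `[T<tid>] Func(args, …) = ret` shape shown in the snippet above (the sample string is a copy of those lines). It counts calls per thread, flags `LeaveCriticalSection` calls whose `EnterCriticalSection` fell outside the captured window, and follows a call's return value into later arguments on the same thread, which is how the `TlsGetValue` → `EnterCriticalSection` → `HeapFree` → `TlsSetValue(…, 0)` cleanup sequence on thread 3600 becomes visible.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the StraceNT lines quoted in the post, in the tool's own format.
SAMPLE_TRACE = """\
[T3600] TlsGetValue(1, 0, 2bfef8, 182020, …) = 2c7778
[T3600] EnterCriticalSection(77c61b30, 2c7778, 2bfed0, 77c3a03b, …) = 0
[T3600] LeaveCriticalSection(77c61b30, 2bfed0, 77c3a0fa, d, …) = 0
[T3600] EnterCriticalSection(77c61b18, 2c7778, 2bfed0, 77c3a06c, …) = 0
[T3600] LeaveCriticalSection(77c61b18, 2bfed0, 77c3a108, c, …) = 0
[T3600] HeapFree(2c0000, 0, 2c7778, 0, …) = 1
[T3600] TlsSetValue(1, 0, 0, 2bfef8, …) = 1
[T2556] LeaveCriticalSection(2c1fdc, 6f1c0, 77c2d154, 4, …) = 0
[T2556] LeaveCriticalSection(2c7718, 6f1d8, 77c3b967, 13, …) = 0
[T2556] HeapFree(2c0000, 0, 2caa48, 1058d24, …) = 1
"""

# Assumed line shape: "[T<tid>] <Func>(<hex args>, …) = <hex ret>".
LINE_RE = re.compile(
    r"^\[T(?P<tid>\d+)\]\s+(?P<func>\w+)\((?P<args>[^)]*)\)\s*=\s*(?P<ret>[0-9a-fA-F]+)\s*$"
)


def parse_trace(text):
    """Return a list of (tid, func, args, ret) for each well-formed trace line.

    Banner and "Tracing command" lines do not match and are skipped. StraceNT
    prints only the first few arguments followed by an ellipsis; the ellipsis
    marker is dropped so args holds just the values actually shown.
    """
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m.group("args").split(",")]
        args = tuple(a for a in args if a and a not in ("…", "..."))
        calls.append((int(m.group("tid")), m.group("func"), args, int(m.group("ret"), 16)))
    return calls


def summarize(calls):
    """Per-thread count of each API call: {tid: Counter({func: n})}."""
    per_thread = defaultdict(Counter)
    for tid, func, _args, _ret in calls:
        per_thread[tid][func] += 1
    return per_thread


def lock_imbalance(calls):
    """Critical sections left without a matching Enter inside the trace window.

    The first argument of Enter/LeaveCriticalSection is the CRITICAL_SECTION
    address, so a Leave with no preceding Enter on the same thread means the
    lock was taken before tracing started (or the snippet is cut short).
    """
    held = defaultdict(Counter)      # tid -> {cs_addr: nesting depth}
    unmatched = defaultdict(list)    # tid -> [cs_addr, ...]
    for tid, func, args, _ret in calls:
        if not args:
            continue
        if func == "EnterCriticalSection":
            held[tid][args[0]] += 1
        elif func == "LeaveCriticalSection":
            if held[tid][args[0]] > 0:
                held[tid][args[0]] -= 1
            else:
                unmatched[tid].append(args[0])
    return dict(unmatched)


def return_value_uses(calls, min_value=0x1000):
    """Link a call's return value to later calls on the same thread that pass it
    as an argument, as (producer_func, hex_value, consumer_func) triples.

    Small return values (status codes, booleans) are ignored so that the many
    0/1 results do not produce false links.
    """
    live = defaultdict(dict)  # tid -> {value: producer_func}
    uses = []
    for tid, func, args, ret in calls:
        for a in args:
            try:
                v = int(a, 16)
            except ValueError:
                continue
            if v in live[tid]:
                uses.append((live[tid][v], f"{v:x}", func))
        if ret >= min_value:
            live[tid][ret] = func
    return uses


if __name__ == "__main__":
    calls = parse_trace(SAMPLE_TRACE)
    for tid, counts in sorted(summarize(calls).items()):
        print(f"thread {tid}: {dict(counts)}")
    print("leaves without enter:", lock_imbalance(calls))
    for producer, value, consumer in return_value_uses(calls):
        print(f"{producer} returned {value}, later passed to {consumer}")
```

On the snippet above this reports that thread 2556 leaves two critical sections it never entered inside the window, which is expected for a trace excerpt, and that the pointer `TlsGetValue` returned on thread 3600 is handed to two `EnterCriticalSection` calls and then to `HeapFree`, after which the TLS slot is cleared. Per-thread counting and return-value tracking are generic, so the same script works on a full StraceNT capture, not just these ten lines.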

This is turning into quite the rabbit hole.
