Catch C runtime function calls with Sysinternals.ProcMon

Is there a way to get _stat() C runtime functions caug开发者_如何学JAVAht in ProcMon

Not directly, because (as @Preet Sangha explained) it works below the CRT level. However, it does show you a call stack, and _stat does access a file. So if ProcMon has access to your executable symbols and you know which file to watch, you might see _stat in the call stack of that file's access.

If that is not enough, further describe your scenario.

Note that there are tools for hooking at the code level - see How can I hook Windows functions in C/C++?

ProcMon intercepts calls at the Window levels (specifically NTxxxx and ZWxxxx calls I think). These are way lower than the C runt time library - so I suspect no.