What do you use to monitor system calls on Windows and Mac?

Something funny about Windows is that there are no documented system calls. That is, if you want to use some OS service you either call a function in a DLL or you make a COM call to a COM service.

If you click on the "show" button in this page

https://j00ru.vexillium.org/syscalls/nt/64/

you can see that the syscall numbers change from release to release!

I'm pretty sure that this tool

https://docs.microsoft.com/en-us/windows-hardware/drivers/de...

works by trapping calls to the DLL, which are stable.

On macOS you have Instruments, dtrace (which is what Instruments uses under the hood, IIRC), and strace. I haven't had much need for any of these, but you should be able to use dtrace for anything you'd use strace for and it will (or used to, has strace been improved?) get you much better performance while doing the tracing.

Use dtruss on Mac OS. The dtrace subsystem has become harder to use, though, with system protection active. Supposedly you can get it running again through these tricks https://apple.stackexchange.com/questions/208762/now-that-el... but haven't tried it out yet, as I had no need since my Yosemite upgrade to trace syscalls.

For Windows, I've used API Monitor a lot to track .dll and API calls.

http://www.rohitab.com/apimonitor