Trace APDU on Windows

APDUTrace is an internally developed tool that inserts a kernel filter driver into the smart card reader driver stack. It captures APDU traffic at the lowest possible level — exactly as the reader sees it.

API Monitor can trace Win32 API calls and display APDU commands and responses, including from a running lsass.exe. Works on x86 and x64.

To get meaningful APDU output, you need to extend the API Monitor XML definitions.

In scard.h.xml — add the disposition enum

<!-- [SCARD_DISPOSITION] -->
<Variable Name="[SCARD_DISPOSITION]" Type="Alias" Base="LONG">
    <Display Name="LONG" />
    <Enum>
        <Set Name="SCARD_LEAVE_CARD"   Value="0" />
        <Set Name="SCARD_RESET_CARD"   Value="1" />
        <Set Name="SCARD_UNPOWER_CARD" Value="2" />
        <Set Name="SCARD_EJECT_CARD"   Value="3" />
    </Enum>
</Variable>

In winscard.xml — update three functions

<Api Name="SCardDisconnect">
    <Param Type="SCARDHANDLE"         Name="hCard" />
    <Param Type="[SCARD_DISPOSITION]" Name="dwDisposition" />
    <Return Type="[SCARD_ERROR]" />
</Api>

<Api Name="SCardEndTransaction">
    <Param Type="SCARDHANDLE"         Name="hCard" />
    <Param Type="[SCARD_DISPOSITION]" Name="dwDisposition" />
    <Return Type="[SCARD_ERROR]" />
</Api>

<Api Name="SCardTransmit">
    <Param Type="SCARDHANDLE"          Name="hCard" />
    <Param Type="LPCSCARD_IO_REQUEST"  Name="pioSendPci" />
    <Param Type="LPCBYTE"              Name="pbSendBuffer"  Count="cbSendLength" />
    <Param Type="DWORD"                Name="cbSendLength" />
    <Param Type="LPSCARD_IO_REQUEST"   Name="pioRecvPci" />
    <Param Type="LPBYTE"               Name="pbRecvBuffer"  PostCount="pcbRecvLength" />
    <Param Type="LPDWORD"              Name="pcbRecvLength" />
    <Return Type="[SCARD_ERROR]" />
</Api>

With these definitions, API Monitor will display card resets, commands sent, and responses received with human-readable disposition values.