Tracking GetDC system wide

I need to track calls to the GetDC GDI32 API. I have already explored all the IAT, Export Table, system-wide patching by tracking process creation, etc. I need to track the GetDCs without spying on the processes on the system.

If there is an undocumented way of accessing the DC cache that is used for GetDCs, it would be good. I only saw a way of accessing the global GDI handles table from the PEB, which only stores handles that are being accessed; the entries are removed once ReleaseDC is called. Does the global handles table also store references to the DCs stored in the internal DC cache?

  1. Hook DrvBitBlt() by supplying a pointer to your function in the function
    table returned in DrvEnableDriver(). Then when you associate a surface in
    DrvEnableSurface() set the HOOK_BITBLT flag. GDI will see that you wish to
    optimize the bitblt and will call your function, you can track the call and
    its parameters. Finally punt back to the GDI using EngBitBlt() for the GDI
    to do its work.

  2. CreateDC() calls DrvEnableSurface() which in turn supplies the GDI with
    a handle to the device’s surface. Surface objects only return the handle to
    your PDEV, SURFACE and/or Device Bitmap if available. I am not sure if you
    can acquire the window's DC using these parameters.

Hope this helps a bit.