trace powershell behavior with apimon

[yuno-x]

Hi.

I am trying to trace powershell behavior using apimon.
However, some behavior cannot be traced.
(The current code does not work for apimon, so I use the code prior to 9/1.)

For example, when I try to create a directory named "abcxyz" by mkdir abcxyz in powershell, I can observe in the Process Monitor that the CreateDirectoryW function in kernelbase.dll is called (see image).

However, when I check the behavior in apimon using the list of dlls and functions, I cannot see that the CreateDirectoryW function in kernelbase.dll creates a directory "abcxyz".

$ cat dll_list.txt 
kernel32.dll,CreateDirectoryW,log,lpctstr,lpsecurity_attributes
kernel32.dll,CreateDirectoryExW,log,lpwstr,lpwstr,lpsecurity_attributes
kernel32.dll,RemoveDirectoryA,log,lpctstr
kernel32.dll,RemoveDirectoryW,log,lpwstr
kernelbase.dll,CreateDirectoryW,log,lpctstr,lpsecurity_attributes
kernelbase.dll,CreateDirectoryExW,log,lpwstr,lpwstr,lpsecurity_attributes
kernelbase.dll,RemoveDirectoryA,log,lpctstr
kernelbase.dll,RemoveDirectoryW,log,lpwstr

$ sudo drakvuf -r ~/win10.json -d win10 -o json -a apimon --dll-hooks-list ~/dll_list.txt
1701615115.875129 DRAKVUF v1.1-git20230814174240+6c3e56e-1 Copyright (C) 2014-2023 Tamas K Lengyel
{ "Plugin": "apimon", "Event": "dll_loaded", "Rva": { "CreateDirectoryW": 151104, "CreateDirectoryExW": 236048, "RemoveDirectoryA": 152096, "RemoveDirectoryW": 152112 }, "DllBase": "0x7ffc8db90000", "DllName": "\\Windows\\System32\\kernel32.dll", "PID": 1424 }
{ "Plugin": "apimon", "Event": "dll_loaded", "Rva": { "CreateDirectoryW": 236784, "CreateDirectoryExW": 943536, "RemoveDirectoryA": 1217776, "RemoveDirectoryW": 519536 }, "DllBase": "0x7ffc8beb0000", "DllName": "\\Windows\\System32\\KernelBase.dll", "PID": 1424 }
{ "Plugin": "apimon", "Event": "dll_loaded", "Rva": { "CreateDirectoryW": 151104, "CreateDirectoryExW": 236048, "RemoveDirectoryA": 152096, "RemoveDirectoryW": 152112 }, "DllBase": "0x7ffc8db90000", "DllName": "\\Windows\\System32\\kernel32.dll", "PID": 6028 }
{ "Plugin": "apimon", "Event": "dll_loaded", "Rva": { "CreateDirectoryW": 236784, "CreateDirectoryExW": 943536, "RemoveDirectoryA": 1217776, "RemoveDirectoryW": 519536 }, "DllBase": "0x7ffc8beb0000", "DllName": "\\Windows\\System32\\KernelBase.dll", "PID": 6028 }
{"Plugin":"apimon","TimeStamp":"1701615119.705076","PID":1424,"PPID":2064,"TID":5588,"UserId":0,"ProcessName":"\\Device\\HarddiskVolume2\\Windows\\System32\\SearchProtocolHost.exe","Method":"CreateDirectoryW","EventUID":"0x970","Event":"api_called","CLSID":null,"CalledFrom":"0x7ffc84f86d71","ReturnValue":"0x0","FromModule":"propsys.dll","Arguments":["Arg0=0x44ed4f5ca0:\"C\"","Arg1=0x0"]}
{"Plugin":"apimon","TimeStamp":"1701615119.718089","PID":1424,"PPID":2064,"TID":5588,"UserId":0,"ProcessName":"\\Device\\HarddiskVolume2\\Windows\\System32\\SearchProtocolHost.exe","Method":"CreateDirectoryW","EventUID":"0x97b","Event":"api_called","CLSID":null,"CalledFrom":"0x7ffc84f86d71","ReturnValue":"0x0","FromModule":"propsys.dll","Arguments":["Arg0=0x44ed4f57d0:\"C\"","Arg1=0x0"]}

(Excludeed dll_discovered results)

Do you know how to trace this function call exactly to see how powershell behaves?
Thank you.