Skip to content
/ KernelMon Public

A ProcMon-esque tool for monitoring Windows Kernel Drivers

52 stars 13 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

alal4465/KernelMon

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

32 Commits
KernelMon
KernelMon
 
 
KernelMonitor
KernelMonitor
 
 
.gitattributes
.gitattributes
 
 
.gitignore
.gitignore
 
 
.gitmodules
.gitmodules
 
 
KernelMon.sln
KernelMon.sln
 
 
README.md
README.md
 
 

Repository files navigation

KernelMon

KernelMon is a virtualization-based driver monitoring infrastructure that draws inspiration from the Sysinternals suite and in particular, ProcMon.

It basically hooks prominent KernelMode API's (for now Zw's) and transfers this information in the form of logs to a usermode UI. KernelMon traces registry and fs reads and writes, process and thread operations.

Example:

kernelmonitor

Installation:

Note: Make sure to run this inside a VM!

You might need to follow some of the instructions at: https://revers.engineering/day-0-virtual-environment-setup-scripts-and-windbg/ before running the app. (more specifically, disabling driver signing enforcement).

Compile the driver(KernelMonitor.sys) and usermode app(KernelMon.exe).

Make a service for running the driver using the sc utility:

C:\Users\User> sc create KernelMonitor type= kernel binPath= <path-to-driver>

Run it:

C:\Users\User> sc start KernelMonitor

And then open the usermode app:

C:\Users\User> KernelMon.exe

How it works?

TBD

About

A ProcMon-esque tool for monitoring Windows Kernel Drivers

Topics

windows kernel cpp hypervisor sysinternals hooking monitoring-tool windowsinternals

Resources

Readme
Activity

Stars

52 stars

Watchers

5 watching

Forks

13 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages