progmboy / openprocmon Goto Github PK

View Code? Open in Web Editor NEW

233.0 11.0 70.0 578 KB

open source process monitor

License: MIT License

C++ 44.82% C 52.62% CMake 2.56%

driver procmon windows sdk

openprocmon's Introduction

Openprocmon

open source process monitor

How to use

Use the procmon gui. (build and run procmon_gui.exe)
Use the sdk in you project(build and link sdk)
Hack the driver to implement your own EDR or something.

You don't have a digital signature yourself? It doesn't matter. You can use the original procmon driver, this sdk is 100% compatible with the original procmon driver. And of course, The original procmon driver can be replaced with this driver to learn how procmon works.

How to build

Prepare the environment

WDK

Install the last WDK

WTL

Download the last WTL library and put it in folder whatever you like. for example i put it in "D:\source\WTL10_9163"

Visual Studio

Open procmon.sln use visual studio
change the addtion include directoy of procmon_gui from "D:\source\WTL10_9163\Include" to yours
build.
sign the driver or disable driver signature enforcement.
run.

CMake

Install CMake.
Run cmake to generate the project

cmake .. -G "Visual Studio 16 2019" -A X64 -DWTL_ROOT_DIR=D:\source\WTL10_9163 -DWDK_WINVER=0x0A00

build

cmake --build . --config Release

sign the driver or disable driver signature enforcement.

!!!Please note that I don't how to use the cmake to sign the driver with test signature. please do it yourself!!

SDK example

#include <conio.h>
#include "../../sdk/procmonsdk/sdk.hpp"

class CMyEvent : public IEventCallback
{
public:
	virtual BOOL DoEvent(const CRefPtr<CEventView> pEventView)
	{

		ULONGLONG Time = pEventView->GetStartTime().QuadPart;

		LogMessage(L_INFO, TEXT("%llu Process %s Do 0x%x for %s"),
			Time,
			pEventView->GetProcessName().GetBuffer(),
			pEventView->GetEventOperator(),
			pEventView->GetPath().GetBuffer());
		return TRUE;
	}
};


int main()
{

	CEventMgr& Optmgr = Singleton<CEventMgr>::getInstance();
	CMonitorContoller& Monitormgr = Singleton<CMonitorContoller>::getInstance();
	CDrvLoader& Drvload = Singleton<CDrvLoader>::getInstance();
	
	if(!Drvload.Init(TEXT("PROCMON24"), TEXT("procmon.sys"))){
		return -1;
	}
	Optmgr.RegisterCallback(new CMyEvent);

	//
	// Try to connect to procmon driver
	//
	
	if (!Monitormgr.Connect()){
		LogMessage(L_ERROR, TEXT("Cannot connect to procmon driver"));
		return -1;
	}
	
	//
	// try to start monitor
	//
	
	Monitormgr.SetMonitor(TRUE, TRUE, FALSE);
	if (!Monitormgr.Start()){
		LogMessage(L_ERROR, TEXT("Cannot start the mointor"));
		return -1;
	}

	_getch();
	
	//
	// try to stop the monitor
	//
	
	Monitormgr.Stop();

	LogMessage(L_INFO, TEXT("!!!!!monitor stop press any key to start!!!!"));
	_getch();

	Monitormgr.Start();

	_getch();

	Monitormgr.Stop();
	Monitormgr.Destory();
	return 0;
}

It is pertty esay right?

GUI Snapshot

The GUI is still in Pre-Alpha state, and many features have yet to be improved. Wellcome PR.

main window:

properties windows

How to show stackframe with symbol

Go to windbg.exe directory copy the following files to the same directory with "procmon_gui.exe".

dbghelp.dll
symsrv.dll
symsrv.yes

Set the _NT_SYMBOL_PATH environment variable. for example:

srv*D:\reverse\symbols*https://msdl.microsoft.com/download/symbols

About another branch

Discover it yourself!!!

TODO

GUI

openprocmon's People

Contributors

Stargazers

Watchers

openprocmon's Issues

procmon for windows server 2008 re

Hi,

Openprocmon is not working on Windows server 2008 re, failed to load procmon driver.

Old Procmon.exe v3.33 is working fine on Win server 2008 but procmonXX.sys is not found in drivers folder.

Do you know which procmon.sys version works with Win server 2008 and where I can get the SYS file?

Thanks & Regards,
-Mak

How to get child PID

Hi,

Can you please guild me how can I get the child PID when on process create?

-Mak

Add signature mitigation check

请问能否发下成品

1、请问能否发下成品；
2、请问驱动部分是否逆向的procmon代码得到的，我看功能架构类似

注册表行为失效

Win32 bit build error LNK2001

Hi,

Getting following error with x86 (32bit) build configuration.

2>procmonsdk.lib(drvload.obj) : error LNK2001: unresolved external symbol __imp__NtUnloadDriver
2>procmonsdk.lib(drvload.obj) : error LNK2001: unresolved external symbol __imp__NtLoadDriver

Thanks & Regards,

Compiled lib throws LNK2019 error

Hi!
Trying to use precompiled sdk library, but each time it throws error on using of Drvload.Init(TEXT("PROCMON24"), TEXT("procmon.sys"))

Errors are:

[build] test.obj : error LNK2019: unresolved external symbol "int __cdecl LogMessage(enum LEVEL,char const *,...)" (?LogMessage@@YAHW4LEVEL@@PEBDZZ) referenced in function "public: virtual int __cdecl CMyEvent::DoEvent(class CRefPtr<class CEventView>)" (?DoEvent@CMyEvent@@UEAAHV?$CRefPtr@VCEventView@@@@@Z) [D:\code\testsdk\build\apps\agent.vcxproj]
[build]     Hint on symbols that are defined and could potentially match:
[build]       "int __cdecl LogMessage(enum LEVEL,wchar_t const *,...)" (?LogMessage@@YAHW4LEVEL@@PEB_WZZ)
[build] test.obj : error LNK2019: unresolved external symbol "public: class ATL::CStringT<char,class ATL::StrTraitATL<char,class ATL::ChTraitsCRT<char> > > __cdecl CEventView::GetPath(void)" (?GetPath@CEventView@@QEAA?AV?$CStringT@DV?$StrTraitATL@DV?$ChTraitsCRT@D@ATL@@@ATL@@@ATL@@XZ) referenced in function "public: virtual int __cdecl CMyEvent::DoEvent(class CRefPtr<class CEventView>)" (?DoEvent@CMyEvent@@UEAAHV?$CRefPtr@VCEventView@@@@@Z) [D:\code\testsdk\build\apps\agent.vcxproj]
[build] test.obj : error LNK2019: unresolved external symbol "public: class ATL::CStringT<char,class ATL::StrTraitATL<char,class ATL::ChTraitsCRT<char> > > __cdecl CEventView::GetProcessName(void)" (?GetProcessName@CEventView@@QEAA?AV?$CStringT@DV?$StrTraitATL@DV?$ChTraitsCRT@D@ATL@@@ATL@@@ATL@@XZ) referenced in function "public: virtual int __cdecl CMyEvent::DoEvent(class CRefPtr<class CEventView>)" (?DoEvent@CMyEvent@@UEAAHV?$CRefPtr@VCEventView@@@@@Z) [D:\code\testsdk\build\apps\agent.vcxproj]
[build] D:\code\testsdk\build\apps\Release\test.exe : fatal error LNK1120: 4 unresolved externals [D:\code\testsdk\build\apps\agent.vcxproj]
[build] Build finished with exit code 1

Code I'm trying to build:

...
#include <libprocmon/sdk.hpp>
#include <atlstr.h>
#include <atltime.h>

int main(int argc, char *argv[])
{
    CEventMgr &Optmgr = Singleton<CEventMgr>::getInstance();
    CMonitorContoller &Monitormgr = Singleton<CMonitorContoller>::getInstance();
    CDrvLoader &Drvload = Singleton<CDrvLoader>::getInstance();

   //error is on this step
    if (!Drvload.Init(TEXT("PROCMON24"), TEXT("procmon.sys")))
    {
        return -1;
    }
    Optmgr.RegisterCallback(new CMyEvent);
        ...
}

CMakeLists looks like this:

add_executable(test test.cpp)

# libprocmon link
set(PROCMON_INCLUDE_DIR ${HoneyCornAgent_SOURCE_DIR}/include/libprocmon/)
set(PROCMON_LIBRARY ${HoneyCornAgent_SOURCE_DIR}/src/libprocmon/libprocmon.lib )

include_directories(${PROCMON_INCLUDE_DIR})
include_directories(${HoneyCornAgent_SOURCE_DIR}/src/libprocmon)
include_directories(${HoneyCornAgent_SOURCE_DIR}/lib/procmonsdk/)
include_directories(${HoneyCornAgent_SOURCE_DIR}/lib/procmonsdk/kernel)
include_directories(${HoneyCornAgent_SOURCE_DIR}/lib/procmonsdk/WTL10_10320/Include)
link_directories(${HoneyCornAgent_SOURCE_DIR}/lib/procmonsdk/)
link_directories(${HoneyCornAgent_SOURCE_DIR}/lib/procmonsdk/kernel)
link_directories(${HoneyCornAgent_SOURCE_DIR}/lib/procmonsdk/WTL10_10320/Include)
link_directories(${HoneyCornAgent_SOURCE_DIR}/src/libprocmon)
link_directories({PROCMON_INCLUDE_DIR})

add_library(libprocmon STATIC IMPORTED)
set_target_properties(libprocmon PROPERTIES
  IMPORTED_LOCATION ${PROCMON_LIBRARY}
  INTERFACE_INCLUDE_DIRECTORIES ${PROCMON_INCLUDE_DIR}
)

 target_link_libraries(agent PRIVATE wsock32 ws2_32 atls crypt32 normaliz wldap32 kernel32 user32 gdi32 winspool comdlg32 advapi32 shell32 ole32 oleaut32 uuid odbc32 odbccp32 libprocmon)

Library was build using visualstudio as per instruction. The code I'm trying to use based on testsdk.cpp

Am I missing something or it's library building issue?

Registry Path

Hello,

Can you please help me to get the registry key path same like file path in CString CFileEvent::GetPath()

I am not sure what structure to be use in case of registry.

Thanks in advance!

-Mak

Network Activity.

Hi,

Is it possible to show the network activity using SDK?

-Mak

More than one include filter.

Hi,

I want to add more then two include filter but when I add it no data logged. Please see below filters.

m_Filter.AddFilter(emProcessName, emCMPIs, emRETInclude, TEXT("notepad.exe"));
m_Filter.AddFilter(emProcessName, emCMPIs, emRETInclude, TEXT("WinMergeU.exe"));

I want to use both filters, can you please help to to fix this issue?

Thanks,
-Mak

progmboy / openprocmon Goto Github PK

openprocmon's Introduction

Openprocmon

Menu

How to use

How to build

Prepare the environment

Visual Studio

CMake

SDK example

GUI Snapshot

How to show stackframe with symbol

About another branch

TODO

GUI

openprocmon's People

Contributors

Stargazers

Watchers

Forkers

openprocmon's Issues

Recommend Projects

Recommend Topics

Recommend Org