Syscall Monitor
Introduction
This is a process monitoring tool (similar to Sysinternals' Process Monitor) implemented on top of Intel VT-x/EPT for Windows 7 and later.
Develop Environment
- Visual Studio 2015 update 3
- Windows SDK 10
- Windows Driver Kit 10
- QT5.7 for MSVC
Deployment
- QT GUI project: SyscallMonQT/SyscallMonQT.pro
- Windows kernel driver project: ddimon/DdiMon/DdiMon.vcxproj
- Remember to change the shadow build path to /build32 or /build64 when configuring the QT project
- Remember to change the windeploy.exe path in deploy32.bat / deploy64.bat, then run deploy32.bat / deploy64.bat to deploy the x86 / x64 binaries to bin32 / bin64
- Remember to sign the x64 kernel driver file
Platform
- x86 and x64 Windows 7, 8.1 and 10
- CPU with Intel VT-x and EPT technology support
Reference & Thanks
- BOOST http://www.boost.org/
- QT https://www.qt.io/
- HyperPlatform https://github.com/tandasat/HyperPlatform
- Capstone http://www.capstone-engine.org/
TODO
1. Optimize memory usage.
Screenshots
TanakaYasen's fix
This repo is forked from hzqst's Syscall-Monitor and fixes the BSOD on the newest Windows 10 builds. Changes:
- Lua filter
- event export function
- config.ini
- ETW instead of sys-thread
- unload SyscallMon.sys when exit the monitor UI
32-bit OS support is not tested.
Build Env
- Visual Studio 2017 (HyperPlatform needs a newer VS version)
- Windows SDK 10
- Windows Driver Kit 10
- QT5.X for MSVC
How to build
1. Clone: git clone http:this repos --recursive (--recursive brings the dependencies ddimon/hyperplatform/capstone up to date)
2. Make the Boost link: see ./boost_here.bat
3. Open ./SyscallMon.sln, build the Driver project and sign the driver yourself
4. Open ./SyscallMonUI/SyscallMon.pro and build the UI
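The build and signing steps above, scripted as a single PowerShell run. This is an added example and not a script shipped by the Syscall-Monitor project or its fork. It assumes msbuild, qmake, nmake and signtool are on PATH (for example in a Visual Studio developer prompt), that the solution's driver output file is named SyscallMon.sys, and that a code-signing certificate whose subject matches $CertSubject exists in the current user's certificate store; the clone URL is not on the page and must be supplied.

```powershell
# Added example (not part of the Syscall-Monitor project): scripts the four build steps
# and the "sign the driver yourself" step. Paths other than the ones named in the README
# (ddimon\DdiMon\DdiMon.vcxproj, boost_here.bat, SyscallMon.sln, SyscallMonUI\SyscallMon.pro)
# and the certificate subject are assumptions.
param(
    [Parameter(Mandatory)] [string]$RepoUrl,            # clone URL of the fork (not given on the page)
    [string]$Root        = (Join-Path $PWD 'Syscall-Monitor'),
    [string]$Platform    = 'x64',                        # 'x64' or 'Win32'
    [string]$CertSubject = 'SyscallMon Test Signing'     # assumed subject of a code-signing cert
)
$ErrorActionPreference = 'Stop'

function Invoke-Checked([string]$Exe, [string[]]$Arguments) {
    # Native commands do not throw on failure; stop on a non-zero exit code instead.
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "$Exe $Arguments failed with exit code $LASTEXITCODE" }
}

# 1st: clone with --recursive so the ddimon / HyperPlatform / capstone submodules are checked out.
if (-not (Test-Path $Root)) {
    Invoke-Checked git @('clone', '--recursive', $RepoUrl, $Root)
} else {
    Invoke-Checked git @('-C', $Root, 'submodule', 'update', '--init', '--recursive')
}
Set-Location $Root
# An empty submodule checkout is the usual reason the driver fails to build; check the
# one project file the README names before starting a full build.
if (-not (Test-Path 'ddimon\DdiMon\DdiMon.vcxproj')) {
    throw 'ddimon submodule is empty; run: git submodule update --init --recursive'
}

# 2nd: create the Boost link the solution expects, using the project's own script.
Invoke-Checked cmd @('/c', '.\boost_here.bat')

# 3rd: build the driver solution in Release for the chosen platform.
Invoke-Checked msbuild @('.\SyscallMon.sln', '/m', '/t:Build',
                         '/p:Configuration=Release', "/p:Platform=$Platform")

# Sign the driver yourself. A driver signed with a test certificate loads only on a
# machine with test signing enabled (bcdedit /set testsigning on); for normal use the
# .sys needs a signature that the kernel-mode code-signing policy accepts.
$sys = Get-ChildItem -Recurse -Filter 'SyscallMon.sys' | Select-Object -First 1   # output name assumed
if (-not $sys) { throw 'SyscallMon.sys not found after the build' }
Invoke-Checked signtool @('sign', '/v', '/fd', 'SHA256', '/n', $CertSubject, $sys.FullName)
# /pa verifies against the default Authenticode policy; a self-signed test root must be
# trusted on this machine for the check to pass.
Invoke-Checked signtool @('verify', '/v', '/pa', $sys.FullName)

# 4th: build the Qt UI from the command line (qmake + nmake instead of Qt Creator).
Set-Location (Join-Path $Root 'SyscallMonUI')
Invoke-Checked qmake @('SyscallMon.pro', 'CONFIG+=release')
Invoke-Checked nmake @()
Set-Location $Root

Write-Host "Built and signed driver: $($sys.FullName)"
```

Run it from a Visual Studio developer PowerShell as `.\build.ps1 -RepoUrl <url> -Platform x64`; the submodule check and the signtool verify step fail the run early rather than leaving an unsigned or half-built driver for deploy32.bat / deploy64.bat to pick up.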