Rust driver based on https://github.com/zodiacon/windowskernelprogrammingbook/tree/master/chapter09/SysMon. The goal is to monitor system actions like:

- process creation
- thread creation
- image load
- registry set
## Setup and usage

- Install the dependencies (Windows SDK, WDK and Rust) on the build machine.
- Use a VM to test the driver.
- Put the test machine into test-signing mode, then reboot:

```cmd
bcdedit.exe -set TESTSIGNING ON
```

- Clone the repository.
- Produce the signing certificate:

```cmd
cargo xtask cert
```

- Build and sign the driver:

```cmd
cargo xtask driver
```

- Build the client:

```cmd
cargo xtask client
```

- Install the driver (note that `sc` requires a space after each `=`):

```cmd
sc create sysmon type= kernel binPath= <driver.sys path>
```

- Start the driver:

```cmd
sc start sysmon
```

- Run the client to read the events:

```cmd
sysmon-client.exe
```

- Finally, stop the driver:

```cmd
sc stop sysmon
```
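The install, start, client and stop steps above as one PowerShell script, with the checks a tester usually wants before loading a self-signed driver into a VM. This is an added example, not part of the project: it assumes the service name `sysmon` and the client `sysmon-client.exe` from the steps above, while `$DriverPath` is a placeholder for the signed driver you built with `cargo xtask driver`.

```powershell
# Added example, not part of the project: runs the install/start/client/stop
# steps as one script with the checks a tester usually wants.
# Assumptions: service name "sysmon" and client "sysmon-client.exe" as in the
# README; $DriverPath is a placeholder for the signed driver you built.
#Requires -RunAsAdministrator
param(
    [string]$DriverPath  = "C:\path\to\sysmon.sys",   # placeholder, replace with the built driver
    [string]$ClientPath  = ".\sysmon-client.exe",
    [string]$ServiceName = "sysmon"
)
$ErrorActionPreference = "Stop"

# 1. A self-signed driver only loads while test signing is on, so fail early if it is not.
$bcd = & bcdedit.exe /enum "{current}"
if (-not ($bcd -match '^\s*testsigning\s+Yes')) {
    throw "Test signing is off: run 'bcdedit.exe -set TESTSIGNING ON' and reboot the VM first."
}
if (-not (Test-Path $DriverPath)) { throw "Driver not found: $DriverPath" }

# 2. Create the kernel service only if it does not exist yet. Get-Service does not list
#    kernel drivers, so query the Win32_SystemDriver CIM class instead.
function Get-DriverService {
    Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$ServiceName'"
}
if (-not (Get-DriverService)) {
    # In PowerShell `sc` is an alias for Set-Content, so call sc.exe explicitly.
    # sc.exe needs a space after each '=' (type= kernel); without it, it only prints usage.
    & sc.exe create $ServiceName type= kernel binPath= "$DriverPath" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc create failed with code $LASTEXITCODE" }
}

try {
    # 3. Load the driver (unless it is already running) and let the client drain the events.
    if ((Get-DriverService).State -ne 'Running') {
        & sc.exe start $ServiceName | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "sc start failed with code $LASTEXITCODE" }
    }
    & $ClientPath
}
finally {
    # 4. Unload the driver even if the client failed, so the VM is left in a clean state.
    & sc.exe stop $ServiceName | Out-Null
}
```

Run it from an elevated PowerShell inside the test VM, for example `.\run-sysmon.ps1 -DriverPath C:\build\sysmon.sys`. The `finally` block matters on a test VM: if the client crashes, the driver is still stopped, so the next build can be installed without a reboot.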
## Project structure

- `sysmon-km` - driver project which gathers the selected events from the system
- `sysmon-um` - user-mode program to read and display the events saved by the driver
- `common` - information shared between driver and client, like the format of the data sent from driver to client
- `xtask` - build system
## TODO

- Move from makefile.toml to xtask
- Add BSD3 license
- Add unit tests, audit and add mock tests
- GitHub Actions
- Move to official SDK
- Use OCSF schema to store events
## References

- Driver with Rust by not-mattias
- System Monitor by Pavel Yosifovich