系统监控开发套件(sysmon、promon、edr、终端安全、主机安全、零信任、上网行为管理)


简介

iMonitorSDK是一款为终端、云端提供系统行为监控的开发套件。帮助安全、管理、审计等行业应用可以快速实现必要功能,而不用关心底层驱动的开发、维护和兼容性问题,让其可以专注于业务开发。

iMonitorSDK同时支持进程、文件、注册表、网络、系统等的监控,使用标准稳定的实现方式,同时支持Windows(XP-Win11)、Linux、MacOS。

具备如下核心功能

  • 进程、文件、注册表保护

  • 进程启动、模块加载拦截,模块注入

  • 文件拦截、重定向

  • 网络防火墙、流量代理、协议分析

  • 规则引擎、动态脚本

📦 适用于如下的产品

  • 主动防御

  • 终端管控

  • 入侵检测

  • 主机安全

  • 零信任

  • 上网行为管理

🔨 快速入门

示例一:进程启动拦截

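class MonitorCallback : public IMonitorCallback
{
public:
	/// Receives every message the SDK delivers to this callback.
	/// Only process-creation messages are inspected; any other type returns
	/// immediately without touching the message.
	/// @param Message the SDK message; its concrete type is identified by GetType().
	void OnCallback(IMonitorMessage* Message) override
	{
		if (Message->GetType() != emMSGProcessCreate)
			return;

		// The GetType() check above establishes the concrete message class, so
		// a static_cast replaces the original C-style cast.
		// NOTE(review): assumes cxMSGProcessCreate derives from IMonitorMessage
		// (as the SDK's message classes appear to) — confirm against the header.
		cxMSGProcessCreate* msg = static_cast<cxMSGProcessCreate*>(Message);

		//
		// Block any process whose image path ends in "\cmd.exe".
		//
		// This is a glob match on the path the SDK reports for the new process;
		// a path-only rule is therefore a coarse control, since only that exact
		// file name is affected. Combine with other message fields when a
		// stricter policy is needed.
		//
		if (msg->IsMatchPath(L"*\\cmd.exe"))
			msg->SetBlock();
	}
};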

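int main()
{
	MonitorManager manager;
	MonitorCallback callback;

	// Start() attaches the callback to the SDK; the SDK ships with a kernel
	// driver (see the license notes), so presumably this also brings it up.
	// Anything other than S_OK is treated as fatal.
	const HRESULT hr = manager.Start(&callback);

	if (hr != S_OK) {
		// HRESULT is a signed 32-bit value; cast so that %X receives the
		// unsigned type it expects.
		printf("start failed = %08X\n", static_cast<unsigned int>(hr));
		// Non-zero so scripts and supervisors can see that startup failed.
		return 1;
	}

	// Subscribe to process-creation messages only. The logging sample uses
	// emMSGConfigPost instead; presumably Send is the delivery mode that lets
	// OnCallback() veto the event via SetBlock() — confirm in the SDK docs.
	// Value-initialised so that entries this sample does not set are zero.
	cxMSGUserSetMSGConfig config{};
	config.Config[emMSGProcessCreate] = emMSGConfigSend;
	manager.InControl(config);

	WaitForExit("禁止进程名 cmd.exe 的进程启动");

	return 0;
}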

示例二:自保护规则设置

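class MonitorCallback : public IMonitorCallback
{
public:
	/// Intentionally empty. This sample only installs self-protection rules
	/// through InControl() and sets no message configuration in main(), so no
	/// message handling is needed here. The parameter is left unnamed to avoid
	/// unused-parameter warnings.
	void OnCallback(IMonitorMessage* /*Message*/) override
	{
	}
};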

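// Installs one self-protection rule.
// @param manager the running MonitorManager that receives the rule
// @param type    a combination of emProtectType* flags
// @param path    a glob pattern (see the wildcard notes in main())
// NOTE(review): assumes rule.Path holds MONITOR_MAX_BUFFER wide characters,
// as the original wcsncpy() length implies. The copy is truncated to fit and
// always NUL-terminated, which wcsncpy() alone does not guarantee.
template <class ProtectType>
static void AddProtectRule(MonitorManager& manager, ProtectType type, const wchar_t* path)
{
	cxMSGUserAddProtectRule rule{};
	rule.ProtectType = type;
	wcsncpy(rule.Path, path, MONITOR_MAX_BUFFER - 1);
	rule.Path[MONITOR_MAX_BUFFER - 1] = L'\0';
	manager.InControl(rule);
}

int main()
{
	MonitorManager manager;
	MonitorCallback callback;

	const HRESULT hr = manager.Start(&callback);

	if (hr != S_OK) {
		// HRESULT is a signed 32-bit value; cast so that %X receives the
		// unsigned type it expects. Non-zero exit so callers see the failure.
		printf("start failed = %08X\n", static_cast<unsigned int>(hr));
		return 1;
	}

	manager.InControl(cxMSGUserEnableProtect());

	//
	// Path patterns support wildcards:
	//	*  any run of characters
	//	?  any single character
	//	>  end-of-string marker: matches the end of the string or a trailing
	//	   "\", so "protect>" matches both "protect" and "protect\*" (directory match)
	//

	// Process and file protection: processes named notepad.exe cannot be
	// terminated, and the file cannot be modified or deleted.
	AddProtectRule(manager, emProtectTypeProcessPath | emProtectTypeFilePath, L"*\\notepad.exe");

	// Folder protection: files under a "protect" directory cannot be modified
	// from outside, and the directory cannot be renamed or deleted.
	AddProtectRule(manager, emProtectTypeFilePath, L"*\\protect>");

	// Registry protection: the iMonitor key, including its values, cannot be
	// deleted or modified.
	AddProtectRule(manager, emProtectTypeRegPath, L"*\\iMonitor>");

	// Trusted process: may operate on the protected processes, files and
	// registry keys above, but is not itself protected.
	// NOTE(review): "*taskkill*" matches any path containing that substring,
	// not only the system taskkill.exe. A trust rule exempts its matches from
	// every protection installed above, so keep its pattern as specific as the
	// deployment allows.
	AddProtectRule(manager, emProtectTypeTrustProcess, L"*taskkill*");

	WaitForExit("自保护开启中");

	// Tear down in order: drop every rule, then switch protection off.
	manager.InControl(cxMSGUserRemoveAllProtectRule());
	manager.InControl(cxMSGUserDisableProtect());

	return 0;
}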

示例三:sysmon

class MonitorCallback : public IMonitorCallback
{
public:
	/// Prints every message the SDK delivers: a header line with the message
	/// type and the originating process path, then one "name : value" line per
	/// remaining field, starting at the command-line field.
	/// NOTE(review): field values such as the command line originate from the
	/// monitored process and are printed verbatim; if this output is persisted
	/// or parsed downstream, filter control characters first.
	void OnCallback(IMonitorMessage* msg) override
	{
		auto&& typeName = msg->GetTypeName();
		auto&& processPath = msg->GetFormatedString(emMSGFieldCurrentProcessPath);
		printf("%S ==> %S\n", typeName, processPath);

		ULONG field = emMSGFieldCurrentProcessCommandline;
		while (field < msg->GetFieldCount()) {
			auto&& name = msg->GetFieldName(field);
			auto&& value = msg->GetFormatedString(field);
			printf("\t%30S : %-30S\n", name, value);
			++field;
		}
	}
};

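int main()
{
	MonitorManager manager;
	MonitorCallback callback;

	const HRESULT hr = manager.Start(&callback);

	if (hr != S_OK) {
		// HRESULT is a signed 32-bit value; cast so that %X receives the
		// unsigned type it expects. Non-zero exit so callers see the failure.
		printf("start failed = %08X\n", static_cast<unsigned int>(hr));
		return 1;
	}

	// Subscribe to every message type in "post" mode. The process-blocking
	// sample uses emMSGConfigSend instead; presumably Post is the notify-only
	// delivery suited to pure logging — confirm in the SDK documentation.
	// Value-initialised so that any field this loop does not cover is zero.
	cxMSGUserSetMSGConfig config{};
	for (int i = 0; i < emMSGMax; i++) {
		config.Config[i] = emMSGConfigPost;
	}
	manager.InControl(config);

	WaitForExit("");

	return 0;
}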

示例四:上网行为管理(基于网络重定向的方式实现,支持https,详细参考http_access_control例子)

更多的示例可以参考sample目录。

详细说明请参考SDK说明文档。

使用授权

免责说明:

iMonitorSDK(以下称本SDK)只授权给为正规的企业厂商使用。禁止用于危害企业、个人安全等任何非法的场景。

本SDK带有内核驱动程序,虽然已经经过稳定测试,长期运行验证,但因为硬件、环境等原因,不可避免会存在兼容性问题,在使用本SDK前,请先在业务对应的环境系统中充分测试后再实际接入使用。

非法授权、非法使用而造成的经济损失、法律问题都与本SDK提供团队无关。

在您使用本SDK前,视为您已经知悉并且遵守此免责说明。

不同授权的功能差异:

功能说明 免费授权 企业授权 企业定制授权
进程监控
文件监控
注册表监控
网络监控
自保护
网络协议代理
内核对象定制
配置签发
规则引擎
Javascript脚本支持
Linux支持
MacOS支持
源码
服务支持 邮件、GitHub 邮件、GitHub、微信、远程桌面

授权请通过邮箱([email protected])联系。

加入我们

优秀的人,做专业的事。

创信长荣科技是一家致力于为企业管理提供基础服务、一体化管理平台,力争成为企业管理入口,促进企业管理标准化、数字化的企业。我们的目标是拒绝内卷,让每个人更好的工作和生活。

我们的成员有来自金山、360、腾讯等企业的优秀人才,具备深厚的技术水平。目前正在创业筹划中,现在加入有可能成为创始合伙人。无论是内核开发、架构设计、前端后台,只要是优秀的人,我们都需要你。
