Skip to content

系统监控开发套件(sysmon、promon、edr、终端安全、主机安全、零信任、上网行为管理)

Notifications You must be signed in to change notification settings

voonyn/iMonitorSDK

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

49 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

中文

Introduction

iMonitorSDK is a development kit that provides system behavior monitoring for endpoint and the cloud security.

It is designed to help industrial applications such as security, endpoint management, and auditing can quickly implement necessary functions without worrying about the development, maintenance and compatibility of kernel drivers, allowing them to focus on business development.

iMonitorSDK uses a communication framework based on message protocol to make driver development more stable and fast. All monitoring is implemented in a stable, standard way and supports Windows from XP to Win11. Linux and MacOS are also planning support.

Using iMonitorSDK, you can realize self-protection, process interception, ransomware defense, active defense, Internet behavior management and other endpoint security functions at a very low cost.

✨ Core Functions

  • Process, File, Registry, Network real-time monitoring, support interception and prohibition

  • Process, File, Registry Protection

  • Process startup, module loading interception, module injection

  • File interception and redirection

  • Network firewall, traffic proxy, protocol analysis

  • Rule engine, script support

📦 Applicable to the following products

  • Endpoint Security Management System
  • EDR
  • HIPS
  • Cloud Security
  • Zero trust
  • Internet Access Control

🔨 Quick start

Example 1: Process start interception

class MonitorCallback : public IMonitorCallback
{
public:
	void OnCallback(IMonitorMessage* Message) override
	{
		if (Message->GetType() != emMSGProcessCreate)
			return;

		cxMSGProcessCreate* msg = (cxMSGProcessCreate*)Message;

		//
		// Block the process of the process name cmd.exe from starting
		//

		if (msg->IsMatchPath(L"*\\cmd.exe"))
			msg->SetBlock();
	}
};

int main()
{
	MonitorManager manager;
	MonitorCallback callback;

	HRESULT hr = manager.Start(&callback);

	if (hr != S_OK) {
		printf("start failed = %08X\n", hr);
		return 0;
	}

	cxMSGUserSetMSGConfig config;
	config.Config[emMSGProcessCreate] = emMSGConfigSend;
	manager.InControl(config);

	WaitForExit("Block the process of the process name cmd.exe from starting");

	return 0;
}

Example 2: Self-protection

class MonitorCallback : public IMonitorCallback
{
public:
	void OnCallback(IMonitorMessage* Message) override
	{}
};

int main()
{
	MonitorManager manager;
	MonitorCallback callback;

	HRESULT hr = manager.Start(&callback);

	if (hr != S_OK) {
		printf("start failed = %08X\n", hr);
		return 0;
	}

	manager.InControl(cxMSGUserEnableProtect());

	{
		cxMSGUserAddProtectRule rule;
		rule.ProtectType = emProtectTypeProcessPath | emProtectTypeFilePath;
		wcsncpy(rule.Path, L"*\\notepad.exe", MONITOR_MAX_BUFFER);
		manager.InControl(rule);
	}

	{
		cxMSGUserAddProtectRule rule;
		rule.ProtectType = emProtectTypeFilePath;
		wcsncpy(rule.Path, L"*\\protect>", MONITOR_MAX_BUFFER);
		manager.InControl(rule);
	}

	{
		cxMSGUserAddProtectRule rule;
		rule.ProtectType = emProtectTypeRegPath;
		wcsncpy(rule.Path, L"*\\iMonitor>", MONITOR_MAX_BUFFER);
		manager.InControl(rule);
	}

	{
		cxMSGUserAddProtectRule rule;
		rule.ProtectType = emProtectTypeTrustProcess;
		wcsncpy(rule.Path, L"*taskkill*", MONITOR_MAX_BUFFER);
		manager.InControl(rule);
	}

	WaitForExit("SelfProtect");

	manager.InControl(cxMSGUserRemoveAllProtectRule());
	manager.InControl(cxMSGUserDisableProtect());

	return 0;
}

Example 3: Sysmon

class MonitorCallback : public IMonitorCallback
{
public:
	void OnCallback(IMonitorMessage* msg) override
	{
		printf("%S ==> %S\n", msg->GetTypeName(), msg->GetFormatedString(emMSGFieldCurrentProcessPath));

		for (ULONG i = emMSGFieldCurrentProcessCommandline; i < msg->GetFieldCount(); i++) {
			printf("\t%30S : %-30S\n", msg->GetFieldName(i), msg->GetFormatedString(i));
		}
	}
};

int main()
{
	MonitorManager manager;
	MonitorCallback callback;

	HRESULT hr = manager.Start(&callback);

	if (hr != S_OK) {
		printf("start failed = %08X\n", hr);
		return 0;
	}

	cxMSGUserSetMSGConfig config;
	for (int i = 0; i < emMSGMax; i++) {
		config.Config[i] = emMSGConfigPost;
	}
	manager.InControl(config);

	WaitForExit("");

	return 0;
}

Example 4: Internet Access Control (based on network redirection, support https, refer to http_access_control example for details)

More examples can refer to the sample directory.

Products using this SDK

License

contact via email ([email protected]) for a licence

About Us

Excellent people, do professional things.

wecooperate is a company dedicated to providing basic services and integrated management platform for enterprise management, striving to become the entrance of enterprise management and promoting the standardization and digitization of enterprise management.

About

系统监控开发套件(sysmon、promon、edr、终端安全、主机安全、零信任、上网行为管理)

Resources

Stars

Watchers

Forks

Packages

No packages published

Languages

  • C++ 93.1%
  • C 5.9%
  • Batchfile 1.0%