DownWithUp/CallMon

Stars
128
Rank 279,462 (Top 6 %)
Language
C
Created about 4 years ago
Updated about 4 years ago

DownWithUp/CallMon

DownWithUp

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

CallMon is an experimental system call monitoring tool that works on Windows 10 versions 2004+ using PsAltSystemCallHandlers

CallMon

CallMon is a system call monitoring tool that works on Windows 10 versions 2004+ using PsAltSystemCallHandlers.

Usage

CallMon requires driver signature enforcement (DSE) to be disabled.
Download release here (or download and build from source)
Ensure both CallMon.exe and AltCall.sys are in the same directory
Run CallMon.exe as an administrator
Click on "Initialize"
Enter a process's ID in the text field and click "Add Process"

Architecture

CallMon is comprised of a kernel driver (AltCall.sys) and a GUI application (CallMon.exe). Together, these programs work to provide API introspection for monitored processes. The driver and GUI application communicate via a named pipe (\\.\pipe\CallMonPipe). The data passed by the driver to usermode consists of a custom header which contains the process id and stack information along with a KTRAP_FRAME structure received from the alt syscall handler function.

Performance Impacts

Because the system call handler function is called everytime a targeted process preforms a call (and in the context of the targeted process), heavy API usage programs will experience a drop in performance due to the transfer of data back to the CallMon GUI process.

Resources

0xcpu's Research on AltSyscallHandlers

Rust Driver Version

Optionally, there is a version of the AltCall.sys driver written in Rust. The sources and binary are included only in the repository and not in the release. I highly recommended reading not-matthias' (his code was the foundation for the Rust version) blog post on building Windows drivers in Rust. In addition, I will mention that I worked on this to better my Rust skills and not to make a memory safe driver. I heavily used "unsafe" Rust code, and kernel interactions in themselves can always go awire.

Build

If you are not already on the nightly channel, change to it using:
rustup toolchain install nightly
Override using:
rustup override set nightly

C VS. Rust

Besides, the obvious syntax differences, I also made some design changes:

Rust version uses ProbeForRead instead of MmHighestUserAddress and MmIsAddressValid check for stack pointer.
Rust version ~~has no remove process IOCTL handling function (possibly coming soon?)~~ now has support for removing processes!

DynamicKernelShellcode

An example of how x64 kernel shellcode can dynamically find and use APIs

ALPC-Example

An example of a client and server using Windows' ALPC functions to send and receive data.

CVE-Stockpile

Master list of all my vulnerability discoveries. Mostly 3rd party kernel drivers.

CVE-2018-16712

PoC Code for CVE-2018-16712 (exploit by MmMapIoSpace)

WarbirdExamples

An example of how to use Microsoft Windows Warbird technology

WhoCalls_C

WhoCalls can query a directory of files, find the binaries, and search for a user specified Win API import. It and works with both 32-bit (PE) and 64-bit (PE32+) file formats (.exe, .dll, .sys)

KLoad_C

A simple command line utility to quickly load and unload Windows drivers

WinPools

WinPools is an example of how Windows kernel big pool addresses can be leaking using NtQuerySystemInformation

WHPHook

Simple DLL and client app that work together to hook all the functions in WinHvPlatform.dll in order to provide logging and introspection at the hypervisor level

CVE-2018-15499

PoC code for CVE-2018-15499 (exploit race condition for BSoD)

Windows-Syscalls-Examples

Examples of how to use Syscalls in various Windows versions and architectures.

DbgKeystone

A keystone engine powered Windows Debugger extension

IOCTL-Flooder

IOCTL-Flooder is a verbose tool designed to help with Windows driver fuzzing by brute forcing IOCTLs on loaded drivers. GetLastError is used to guess validity

KLoad

A simple command line utility to quickly load and unload Windows drivers

FakeDriverPoC

This is a PoC driver which creates a fake driver and device object with the intent on allowing a user mode program to communicate with a "fake" driver and device.

CVE-2018-16713

PoC code for CVE-2018-16713 (exploit by rdmsr)

CVE-2018-18714

PoC Code for CVE-2018-18714 (exploit by stack overflow)

CVE-2018-18026

PoC Code for CVE-2018-18026 (exploit by stack overflow)

soplock

The Simple Opportunistic Lock tool

CVE-2018-16711

PoC code for CVE-2018-16711 (exploit by wrmsr)

The-Good-Bad-Code

Pushing the limits of bad programming practices. Abusing APIs. Destroying utility programs.

SHA-ME

A pure WinAPI program that demonstrates translating a file into a SHA-256 hash. Designed to be used as a utility.

Code-Rewrites

Programs and scripts I've ported to other languages, mostly for fun.

Spoof-Task-Manager

An example showing how a mutex can stop taskmgr.exe from loading

wat

The Linux coreutils spin off of cat, but for Windows.

SystemsWork

A repo containing examples relating to various aspects of Windows internals and processor features

HyperCalc

An Intel HAXM powered, protected mode, 32 bit, hypervisor addition calculator, written in Rust.

Check-Administrator-Status

A spin off of Command Prompt Add-ons. This includes examples of how to check privilege status.

Driver-Easy-Research

Python scripts for manipulating Driver Easy's servers

bswap

A Windbg extension for swapping byte endianness.

Musical-Processes

Turn a process' memory into music (32-bit only)

WhoCalls

A program which can query a directory of files, find the binaries, and search for a specified Win API import.

downwithup.github.io

Personal website