  • Stars: 128
  • Rank: 281,044 (Top 6 %)
  • Language: C
  • Created over 4 years ago
  • Updated about 4 years ago


Repository Details

CallMon is an experimental system call monitoring tool that works on Windows 10 versions 2004+ using PsAltSystemCallHandlers

CallMon

CallMon is a system call monitoring tool that works on Windows 10 versions 2004+ using PsAltSystemCallHandlers.

Usage

  • CallMon requires driver signature enforcement (DSE) to be disabled.
  • Download release here (or download and build from source)
  • Ensure both CallMon.exe and AltCall.sys are in the same directory
  • Run CallMon.exe as an administrator
  • Click on "Initialize"
  • Enter a process's ID in the text field and click "Add Process"

Architecture

CallMon is comprised of a kernel driver (AltCall.sys) and a GUI application (CallMon.exe). Together, these programs work to provide API introspection for monitored processes. The driver and GUI application communicate via a named pipe (\\.\pipe\CallMonPipe). The data passed by the driver to usermode consists of a custom header which contains the process id and stack information along with a KTRAP_FRAME structure received from the alt syscall handler function.
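As an added example (not CallMon's own code), here is a user-mode decoder for the message format just described: a header followed by a KTRAP_FRAME. The header fields are a hypothetical stand-in, the KTRAP_FRAME field offsets (Rax 0x30, Rip 0x168, Rsp 0x180, size 0x190) are the public x64 layout assumed rather than read from AltCall.sys, and the sample message is constructed; rejecting a message shorter than header plus frame is the check a pipe consumer needs before trusting a partial read.

```c
/* Added example, not CallMon's code: decode one driver-to-GUI pipe message.
 * The header layout is hypothetical (the README says only "process id and stack
 * information"); the KTRAP_FRAME offsets are the public x64 layout, assumed. */
#include <stdint.h>
#include <string.h>
#define KTRAP_FRAME_SIZE 0x190
#define KTRAP_RAX_OFFSET 0x30   /* Rax at syscall entry = system call number */
#define KTRAP_RIP_OFFSET 0x168  /* user-mode return address */
#define KTRAP_RSP_OFFSET 0x180  /* user-mode stack pointer */

typedef struct {            /* hypothetical CallMon header, 24 bytes */
    uint32_t process_id;
    uint64_t stack_base;    /* assumed "stack information" field */
    uint64_t stack_limit;   /* assumed "stack information" field */
} callmon_header_t;

typedef struct {
    uint32_t process_id, syscall_number;
    uint64_t rip, rsp;
} callmon_record_t;

/* 0 on success; -1 if msg is shorter than header + frame (partial pipe read). */
int callmon_decode(const uint8_t *msg, size_t len, callmon_record_t *out) {
    if (!msg || !out || len < sizeof(callmon_header_t) + KTRAP_FRAME_SIZE)
        return -1;
    callmon_header_t hdr;
    uint64_t rax;
    const uint8_t *frame = msg + sizeof hdr;
    memcpy(&hdr, msg, sizeof hdr);
    memcpy(&rax, frame + KTRAP_RAX_OFFSET, sizeof rax);
    memcpy(&out->rip, frame + KTRAP_RIP_OFFSET, sizeof out->rip);
    memcpy(&out->rsp, frame + KTRAP_RSP_OFFSET, sizeof out->rsp);
    out->process_id = hdr.process_id;
    out->syscall_number = (uint32_t)rax;  /* SSN lives in the low 32 bits */
    return 0;
}

/* Constructed sample (pid 4242, SSN 0x55); returns length, or 0 if buf is small. */
size_t callmon_sample_message(uint8_t *buf, size_t cap) {
    size_t need = sizeof(callmon_header_t) + KTRAP_FRAME_SIZE;
    callmon_header_t hdr = { 4242, 0x7ff000000000ULL, 0x7fefff000000ULL };
    uint64_t rax = 0x55, rip = 0x7ffa12345678ULL, rsp = 0x7fefff100000ULL;
    if (cap < need) return 0;
    memset(buf, 0, need);
    memcpy(buf, &hdr, sizeof hdr);
    memcpy(buf + sizeof hdr + KTRAP_RAX_OFFSET, &rax, sizeof rax);
    memcpy(buf + sizeof hdr + KTRAP_RIP_OFFSET, &rip, sizeof rip);
    memcpy(buf + sizeof hdr + KTRAP_RSP_OFFSET, &rsp, sizeof rsp);
    return need;
}
```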

Performance Impacts

Because the system call handler function is called every time a targeted process performs a system call (and in the context of the targeted process), programs with heavy API usage will experience a drop in performance due to the transfer of data back to the CallMon GUI process.

Resources

0xcpu's Research on AltSyscallHandlers

Rust Driver Version

Optionally, there is a version of the AltCall.sys driver written in Rust. The sources and binary are included only in the repository and not in the release. I highly recommend reading not-matthias' blog post on building Windows drivers in Rust (his code was the foundation for the Rust version). In addition, I will mention that I worked on this to improve my Rust skills and not to make a memory-safe driver. I heavily used "unsafe" Rust code, and kernel interactions in themselves can always go awry.

Build

If you are not already on the nightly channel, change to it using:
rustup toolchain install nightly
Override using:
rustup override set nightly

C VS. Rust

Besides the obvious syntax differences, I also made some design changes:

  • The Rust version uses ProbeForRead instead of the MmHighestUserAddress and MmIsAddressValid checks to validate the stack pointer.
  • The Rust version originally had no remove-process IOCTL handling function; it now has support for removing processes!

More Repositories

  • DynamicKernelShellcode (Assembly, 103 stars): An example of how x64 kernel shellcode can dynamically find and use APIs
  • ALPC-Example (C, 88 stars): An example of a client and server using Windows' ALPC functions to send and receive data.
  • CVE-Stockpile (C, 47 stars): Master list of all my vulnerability discoveries. Mostly 3rd party kernel drivers.
  • CVE-2018-16712 (C, 25 stars): PoC code for CVE-2018-16712 (exploit by MmMapIoSpace)
  • WarbirdExamples (C, 24 stars): An example of how to use Microsoft Windows Warbird technology
  • WhoCalls_C (C, 17 stars): WhoCalls can query a directory of files, find the binaries, and search for a user-specified Win API import. It works with both 32-bit (PE) and 64-bit (PE32+) file formats (.exe, .dll, .sys)
  • KLoad_C (C, 16 stars): A simple command line utility to quickly load and unload Windows drivers
  • WinPools (C, 14 stars): WinPools is an example of how Windows kernel big pool addresses can be leaked using NtQuerySystemInformation
  • WHPHook (C++, 13 stars): Simple DLL and client app that work together to hook all the functions in WinHvPlatform.dll in order to provide logging and introspection at the hypervisor level
  • CVE-2018-15499 (C, 11 stars): PoC code for CVE-2018-15499 (exploit race condition for BSoD)
  • DbgKeystone (C, 10 stars): A Keystone engine powered Windows debugger extension
  • Windows-Syscalls-Examples (Assembly, 10 stars): Examples of how to use syscalls in various Windows versions and architectures.
  • IOCTL-Flooder (C, 10 stars): IOCTL-Flooder is a verbose tool designed to help with Windows driver fuzzing by brute forcing IOCTLs on loaded drivers. GetLastError is used to guess validity
  • KLoad (Rust, 9 stars): A simple command line utility to quickly load and unload Windows drivers
  • FakeDriverPoC (C, 7 stars): This is a PoC driver which creates a fake driver and device object with the intent of allowing a user mode program to communicate with a "fake" driver and device.
  • CVE-2018-16713 (C, 6 stars): PoC code for CVE-2018-16713 (exploit by rdmsr)
  • CVE-2018-18714 (C, 6 stars): PoC code for CVE-2018-18714 (exploit by stack overflow)
  • CVE-2018-18026 (C, 6 stars): PoC code for CVE-2018-18026 (exploit by stack overflow)
  • soplock (C, 5 stars): The Simple Opportunistic Lock tool
  • CVE-2018-16711 (C, 5 stars): PoC code for CVE-2018-16711 (exploit by wrmsr)
  • SHA-ME (C, 4 stars): A pure WinAPI program that demonstrates translating a file into a SHA-256 hash. Designed to be used as a utility.
  • Code-Rewrites (Pascal, 4 stars): Programs and scripts I've ported to other languages, mostly for fun.
  • Spoof-Task-Manager (Assembly, 4 stars): An example showing how a mutex can stop taskmgr.exe from loading
  • wat (Assembly, 4 stars): The Linux coreutils spin-off of cat, but for Windows.
  • The-Good-Bad-Code (Assembly, 4 stars): Pushing the limits of bad programming practices. Abusing APIs. Destroying utility programs.
  • SystemsWork (C, 3 stars): A repo containing examples relating to various aspects of Windows internals and processor features
  • HyperCalc (Rust, 3 stars): An Intel HAXM powered, protected mode, 32-bit, hypervisor addition calculator, written in Rust.
  • Check-Administrator-Status (Assembly, 3 stars): A spin-off of Command Prompt Add-ons. This includes examples of how to check privilege status.
  • Driver-Easy-Research (Python, 3 stars): Python scripts for manipulating Driver Easy's servers
  • bswap (C, 2 stars): A WinDbg extension for swapping byte endianness.
  • Musical-Processes (Pascal, 2 stars): Turn a process' memory into music (32-bit only)
  • WhoCalls (Rust, 1 star): A program which can query a directory of files, find the binaries, and search for a specified Win API import.
  • downwithup.github.io (HTML, 1 star): Personal website