{"id":13841378,"url":"https://github.com/wecooperate/iMonitorSDK","last_synced_at":"2025-07-11T12:31:46.178Z","repository":{"id":41070123,"uuid":"410185177","full_name":"wecooperate/iMonitorSDK","owner":"wecooperate","description":"The world's most powerful System Activity Monitor Engine    ·  一款功能强大的终端行为采集防御开发套件     ~  旨在帮助EDR、零信任、数据安全、审计管控等终端安全软件可以快速实现产品功能， 而不用关心底层驱动的开发、维护和兼容性问题，让其可以专注于业务开发","archived":false,"fork":false,"pushed_at":"2025-02-19T12:30:07.000Z","size":60878,"stargazers_count":346,"open_issues_count":0,"forks_count":82,"subscribers_count":11,"default_branch":"master","last_synced_at":"2025-02-19T13:31:23.881Z","etag":null,"topics":["access-control","defender","edr","endpoint-security","etw","kernel","monitoring-tool","procmon","security","sysmon","zero-trust"],"latest_commit_sha":null,"homepage":"https://trustsing.com/iMonitorSDK","language":"C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/wecooperate.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-09-25T05:31:27.000Z","updated_at":"2025-02-19T12:30:12.000Z","dependencies_parsed_at":"2023-09-26T18:00:07.534Z","dependency_job_id":"a35afc75-e32a-45b0-ad9e-751e90eda077","html_url":"https://github.com/wecooperate/iMonitorSDK","commit_stats":null,"previous_names":[],"tags_count":15,"template":false,"template_full_name":null,"purl":"pkg:github/wecooperate/iMonitorSDK","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wecooperate%2FiMonitorSDK","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wecooperate%2FiMonitorSDK/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wecooperate%2FiMonitorSDK/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wecooperate%2FiMonitorSDK/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/wecooperate","download_url":"https://codeload.github.com/wecooperate/iMonitorSDK/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wecooperate%2FiMonitorSDK/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":264806680,"owners_count":23666674,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["access-control","defender","edr","endpoint-security","etw","kernel","monitoring-tool","procmon","security","sysmon","zero-trust"],"created_at":"2024-08-04T17:01:09.641Z","updated_at":"2025-07-11T12:31:41.147Z","avatar_url":"https://github.com/wecooperate.png","language":"C++","readme":"[中文](./README_zh.md)\n\n## Introduction\n\niMonitorSDK is a development kit that provides system behavior monitoring for endpoint and the cloud security. \n\nIt is designed to help industrial applications such as security, endpoint management, and auditing can quickly implement necessary functions without worrying about the development, maintenance and compatibility of kernel drivers, allowing them to focus on business development.\n\niMonitorSDK uses a communication framework based on message protocol to make driver development more stable and fast. All monitoring is implemented in a stable, standard way and supports Windows from XP to Win11. Linux and MacOS are also planning support.\n\nUsing iMonitorSDK, you can realize self-protection, process interception, ransomware defense, active defense, Internet behavior management and other endpoint security functions at a very low cost.\n\n**To prevent the SDK from being used illegally, apply to support@trustsing.com for a test SDK using your enterprise email address. The remarks describe the company information and usage scenarios.**\n\n### [Documents](https://imonitorsdk.com/)\n\n### ✨ Core Functions\n\n- Process, File, Registry, Network real-time monitoring, support interception and prohibition\n\n- Process, File, Registry Protection\n\n- Process startup, module loading interception, module injection\n\n- File interception and redirection\n\n- Network firewall, traffic proxy, protocol analysis\n- Rule engine, script support\n\n### 📦 Applicable to the following products\n\n- Endpoint Security Management System\n- EDR\n- HIPS\n- Cloud Security\n- Zero trust\n- Internet Access Control\n\n### 🔨 Quick start\n\nExample 1: Process start interception\n\n```c++\nclass MonitorCallback : public IMonitorCallback\n{\npublic:\n\tvoid OnCallback(IMonitorMessage* Message) override\n\t{\n\t\tif (Message-\u003eGetType() != emMSGProcessCreate)\n\t\t\treturn;\n\n\t\tcxMSGProcessCreate* msg = (cxMSGProcessCreate*)Message;\n\n\t\t//\n\t\t// Block the process of the process name cmd.exe from starting\n\t\t//\n\n\t\tif (msg-\u003eIsMatchPath(L\"*\\\\cmd.exe\"))\n\t\t\tmsg-\u003eSetBlock();\n\t}\n};\n\nint main()\n{\n\tMonitorManager manager;\n\tMonitorCallback callback;\n\n\tHRESULT hr = manager.Start(\u0026callback);\n\n\tif (hr != S_OK) {\n\t\tprintf(\"start failed = %08X\\n\", hr);\n\t\treturn 0;\n\t}\n\n\tcxMSGUserSetMSGConfig config;\n\tconfig.Config[emMSGProcessCreate] = emMSGConfigSend;\n\tmanager.InControl(config);\n\n\tWaitForExit(\"Block the process of the process name cmd.exe from starting\");\n\n\treturn 0;\n}\n```\n\nExample 2: Self-protection\n\n```c++\nclass MonitorCallback : public IMonitorCallback\n{\npublic:\n\tvoid OnCallback(IMonitorMessage* Message) override\n\t{}\n};\n\nint main()\n{\n\tMonitorManager manager;\n\tMonitorCallback callback;\n\n\tHRESULT hr = manager.Start(\u0026callback);\n\n\tif (hr != S_OK) {\n\t\tprintf(\"start failed = %08X\\n\", hr);\n\t\treturn 0;\n\t}\n\n\tmanager.InControl(cxMSGUserEnableProtect());\n\n\t{\n\t\tcxMSGUserAddProtectRule rule;\n\t\trule.ProtectType = emProtectTypeProcessPath | emProtectTypeFilePath;\n\t\twcsncpy(rule.Path, L\"*\\\\notepad.exe\", MONITOR_MAX_BUFFER);\n\t\tmanager.InControl(rule);\n\t}\n\n\t{\n\t\tcxMSGUserAddProtectRule rule;\n\t\trule.ProtectType = emProtectTypeFilePath;\n\t\twcsncpy(rule.Path, L\"*\\\\protect\u003e\", MONITOR_MAX_BUFFER);\n\t\tmanager.InControl(rule);\n\t}\n\n\t{\n\t\tcxMSGUserAddProtectRule rule;\n\t\trule.ProtectType = emProtectTypeRegPath;\n\t\twcsncpy(rule.Path, L\"*\\\\iMonitor\u003e\", MONITOR_MAX_BUFFER);\n\t\tmanager.InControl(rule);\n\t}\n\n\t{\n\t\tcxMSGUserAddProtectRule rule;\n\t\trule.ProtectType = emProtectTypeTrustProcess;\n\t\twcsncpy(rule.Path, L\"*taskkill*\", MONITOR_MAX_BUFFER);\n\t\tmanager.InControl(rule);\n\t}\n\n\tWaitForExit(\"SelfProtect\");\n\n\tmanager.InControl(cxMSGUserRemoveAllProtectRule());\n\tmanager.InControl(cxMSGUserDisableProtect());\n\n\treturn 0;\n}\n```\n\nExample 3: Sysmon\n\n```c++\nclass MonitorCallback : public IMonitorCallback\n{\npublic:\n\tvoid OnCallback(IMonitorMessage* msg) override\n\t{\n\t\tprintf(\"%S ==\u003e %S\\n\", msg-\u003eGetTypeName(), msg-\u003eGetFormatedString(emMSGFieldCurrentProcessPath));\n\n\t\tfor (ULONG i = emMSGFieldCurrentProcessCommandline; i \u003c msg-\u003eGetFieldCount(); i++) {\n\t\t\tprintf(\"\\t%30S : %-30S\\n\", msg-\u003eGetFieldName(i), msg-\u003eGetFormatedString(i));\n\t\t}\n\t}\n};\n\nint main()\n{\n\tMonitorManager manager;\n\tMonitorCallback callback;\n\n\tHRESULT hr = manager.Start(\u0026callback);\n\n\tif (hr != S_OK) {\n\t\tprintf(\"start failed = %08X\\n\", hr);\n\t\treturn 0;\n\t}\n\n\tcxMSGUserSetMSGConfig config;\n\tfor (int i = 0; i \u003c emMSGMax; i++) {\n\t\tconfig.Config[i] = emMSGConfigPost;\n\t}\n\tmanager.InControl(config);\n\n\tWaitForExit(\"\");\n\n\treturn 0;\n}\n```\n\n\u003cimg src=\"./doc/sysmon.gif\" /\u003e\n\nExample 4: Internet Access Control (based on network redirection, support https, refer to http_access_control example for details)\n\n![](./doc/ac.png)\n\nMore examples can refer to the sample directory.\n\n## Products using this SDK\n\n- [iMonitor - Endpoint Behavior Analysis System](https://github.com/wecooperate/iMonitor)\n- [iDefender - Endpoint Defense System](https://github.com/wecooperate/iDefender)\n\n## License \n[ contact via email (admin@trustsing.com) for a licence ](mailto://admin@trustsing.com)\n\n","funding_links":[],"categories":["C++"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwecooperate%2FiMonitorSDK","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fwecooperate%2FiMonitorSDK","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwecooperate%2FiMonitorSDK/lists"}