https://github.com/calladoum-elastic/canary-driver
Source code for the blog post "Ransomware in the honeypot: how we capture keys with sticky canary files"
- Host: GitHub
- URL: https://github.com/calladoum-elastic/canary-driver
- Owner: calladoum-elastic
- License: other
- Created: 2023-10-30T22:12:50.000Z (over 1 year ago)
- Default Branch: main
- Last Pushed: 2024-02-27T21:11:01.000Z (over 1 year ago)
- Last Synced: 2025-03-21T09:51:11.793Z (3 months ago)
- Topics: canary-files, cpp20, dfir, minidump, minifilter-driver, ransomware-detection, windows
- Language: C++
- Homepage: https://www.elastic.co/security-labs/ransomware-in-the-honeypot-how-we-capture-keys
- Size: 309 KB
- Stars: 7
- Watchers: 1
- Forks: 1
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# Canary Monitor
[Build status](https://github.com/calladoum-elastic/canary-driver/actions/workflows/build.yml)
## Warning
This is not production-quality code. Most of it was written in under a week and no serious testing was done.
Use at your own risk.

## Setup
Download the pre-built binaries from the GitHub Actions artifacts of this repository.
## Build
You'll need CMake, Visual Studio 2022, and the matching Windows SDK/WDK (2022).
```
git clone https://github.com/calladoum-elastic/canary-driver
cd canary-driver
# Configure an x64 Visual Studio build tree in ./build
cmake -B ./build -S . -A x64
# Build the user-mode monitor and the minifilter driver
cmake --build ./build
# Copy the built binaries to the install location
cmake --install ./build
```

The binary `CanaryMonitor.exe` has the driver embedded; when executed it self-extracts the driver and installs it. Installing a kernel driver requires an elevated (administrator) prompt.
## Demo
[Demo video](https://youtu.be/dIUV175EV3Q)