Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/wecooperate/iMonitorSDK
The world's most powerful System Activity Monitor Engine · 一款功能强大的终端行为采集防御开发套件 ~ 旨在帮助EDR、零信任、数据安全、审计管控等终端安全软件可以快速实现产品功能, 而不用关心底层驱动的开发、维护和兼容性问题,让其可以专注于业务开发
https://github.com/wecooperate/iMonitorSDK
access-control defender edr endpoint-security etw kernel monitoring-tool procmon security sysmon zero-trust
Last synced: about 2 months ago
JSON representation
The world's most powerful System Activity Monitor Engine · 一款功能强大的终端行为采集防御开发套件 ~ 旨在帮助EDR、零信任、数据安全、审计管控等终端安全软件可以快速实现产品功能, 而不用关心底层驱动的开发、维护和兼容性问题,让其可以专注于业务开发
- Host: GitHub
- URL: https://github.com/wecooperate/iMonitorSDK
- Owner: wecooperate
- Created: 2021-09-25T05:31:27.000Z (over 3 years ago)
- Default Branch: master
- Last Pushed: 2024-08-21T13:45:13.000Z (5 months ago)
- Last Synced: 2024-08-22T14:24:11.142Z (5 months ago)
- Topics: access-control, defender, edr, endpoint-security, etw, kernel, monitoring-tool, procmon, security, sysmon, zero-trust
- Language: Batchfile
- Homepage: https://trustsing.com/iMonitorSDK
- Size: 37.2 MB
- Stars: 341
- Watchers: 11
- Forks: 80
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
- awesome-hacking-lists - wecooperate/iMonitorSDK - The world's most powerful System Activity Monitor Engine · 一款功能强大的终端行为采集防御开发套件 ~ 旨在帮助EDR、零信任、数据安全、审计管控等终端安全软件可以快速实现产品功能, 而不用关心底层驱动的开发、维护和兼容性问题,让其可以专注于业务开发 (Batchfile)
README
[中文](./README_zh.md)
## Introduction
iMonitorSDK is a development kit that provides system behavior monitoring for endpoint and the cloud security.
It is designed to help industrial applications such as security, endpoint management, and auditing can quickly implement necessary functions without worrying about the development, maintenance and compatibility of kernel drivers, allowing them to focus on business development.
iMonitorSDK uses a communication framework based on message protocol to make driver development more stable and fast. All monitoring is implemented in a stable, standard way and supports Windows from XP to Win11. Linux and MacOS are also planning support.
Using iMonitorSDK, you can realize self-protection, process interception, ransomware defense, active defense, Internet behavior management and other endpoint security functions at a very low cost.
**To prevent the SDK from being used illegally, apply to [email protected] for a test SDK using your enterprise email address. The remarks describe the company information and usage scenarios.**
### [Documents](https://imonitorsdk.com/)
### ✨ Core Functions
- Process, File, Registry, Network real-time monitoring, support interception and prohibition
- Process, File, Registry Protection
- Process startup, module loading interception, module injection
- File interception and redirection
- Network firewall, traffic proxy, protocol analysis
- Rule engine, script support### 📦 Applicable to the following products
- Endpoint Security Management System
- EDR
- HIPS
- Cloud Security
- Zero trust
- Internet Access Control### 🔨 Quick start
Example 1: Process start interception
```c++
class MonitorCallback : public IMonitorCallback
{
public:
void OnCallback(IMonitorMessage* Message) override
{
if (Message->GetType() != emMSGProcessCreate)
return;cxMSGProcessCreate* msg = (cxMSGProcessCreate*)Message;
//
// Block the process of the process name cmd.exe from starting
//if (msg->IsMatchPath(L"*\\cmd.exe"))
msg->SetBlock();
}
};int main()
{
MonitorManager manager;
MonitorCallback callback;HRESULT hr = manager.Start(&callback);
if (hr != S_OK) {
printf("start failed = %08X\n", hr);
return 0;
}cxMSGUserSetMSGConfig config;
config.Config[emMSGProcessCreate] = emMSGConfigSend;
manager.InControl(config);WaitForExit("Block the process of the process name cmd.exe from starting");
return 0;
}
```Example 2: Self-protection
```c++
class MonitorCallback : public IMonitorCallback
{
public:
void OnCallback(IMonitorMessage* Message) override
{}
};int main()
{
MonitorManager manager;
MonitorCallback callback;HRESULT hr = manager.Start(&callback);
if (hr != S_OK) {
printf("start failed = %08X\n", hr);
return 0;
}manager.InControl(cxMSGUserEnableProtect());
{
cxMSGUserAddProtectRule rule;
rule.ProtectType = emProtectTypeProcessPath | emProtectTypeFilePath;
wcsncpy(rule.Path, L"*\\notepad.exe", MONITOR_MAX_BUFFER);
manager.InControl(rule);
}{
cxMSGUserAddProtectRule rule;
rule.ProtectType = emProtectTypeFilePath;
wcsncpy(rule.Path, L"*\\protect>", MONITOR_MAX_BUFFER);
manager.InControl(rule);
}{
cxMSGUserAddProtectRule rule;
rule.ProtectType = emProtectTypeRegPath;
wcsncpy(rule.Path, L"*\\iMonitor>", MONITOR_MAX_BUFFER);
manager.InControl(rule);
}{
cxMSGUserAddProtectRule rule;
rule.ProtectType = emProtectTypeTrustProcess;
wcsncpy(rule.Path, L"*taskkill*", MONITOR_MAX_BUFFER);
manager.InControl(rule);
}WaitForExit("SelfProtect");
manager.InControl(cxMSGUserRemoveAllProtectRule());
manager.InControl(cxMSGUserDisableProtect());return 0;
}
```Example 3: Sysmon
```c++
class MonitorCallback : public IMonitorCallback
{
public:
void OnCallback(IMonitorMessage* msg) override
{
printf("%S ==> %S\n", msg->GetTypeName(), msg->GetFormatedString(emMSGFieldCurrentProcessPath));for (ULONG i = emMSGFieldCurrentProcessCommandline; i < msg->GetFieldCount(); i++) {
printf("\t%30S : %-30S\n", msg->GetFieldName(i), msg->GetFormatedString(i));
}
}
};int main()
{
MonitorManager manager;
MonitorCallback callback;HRESULT hr = manager.Start(&callback);
if (hr != S_OK) {
printf("start failed = %08X\n", hr);
return 0;
}cxMSGUserSetMSGConfig config;
for (int i = 0; i < emMSGMax; i++) {
config.Config[i] = emMSGConfigPost;
}
manager.InControl(config);WaitForExit("");
return 0;
}
```Example 4: Internet Access Control (based on network redirection, support https, refer to http_access_control example for details)
![](./doc/ac.png)
More examples can refer to the sample directory.
## Products using this SDK
- [iMonitor - Endpoint Behavior Analysis System](https://github.com/wecooperate/iMonitor)
- [iDefender - Endpoint Defense System](https://github.com/wecooperate/iDefender)## License
[ contact via email ([email protected]) for a licence ](mailto://[email protected])