Monitor activity of (almost) any driver
zodiacon / drivermon Goto Github PK
View Code? Open in Web Editor NEWMonitor activity of any driver
License: MIT License
drivermon's Introduction
drivermon's People
Contributors
Stargazers
Watchers
Forkers
brownbelt louwangzhiyuy secretnonempty jajp777 techlord-rce chaojianhu abazhaniuk wmatw marcosd4h cupertinodude de8gman1990 moha19 heruix acealchemycyberblaze adslqa kumaran-git m00zh33 ykankaya tralivali1234 peterg75 vaginessa amohanta sameehj mmg1 developer191 zengkefu zzage heartisloss wgwjifeng kevinmiles orf53975 jackery001 tommyknockers fengjixuchui yonniee songbei6 attackgithub forkarepo xwlan killvxk y11en blackluny k3v1n1990s vmkc mmilmf dmarinescu lazerhawk itfenom hihod codingman kimkucheol csoite doytsujin benheise agatignol runonceex riviera12345 blue-infosec iamasbcx asdyxcyxc profnandaa radtek xiaoshzx baisilg skolbin-ssi ibrahim-elsakka jilvan1234 dimopouloselias crackercat fcccode hexcolors60 asdlei99 fishjam desertzk darkersquirrel ryanbekabe ttuanhung aeioyou ra2003 jerry-bond lilith2 gfnx410 whcoco elikar-km orpheusq isabella232 rajendra1185 xgreat liumorgan suxiaoyinger nasingfaund hopla pengchengyang skyn9ne zezebackup rakendrathapa dukecui83 archar123 solartheory gamousdrivermon's Issues
Failed to start driver. Exiting
I get this error when trying to run the last released version. Does DriverMon generates any logs where I can check why this could happen?
DeviceIoControl between drivers
Does it capture communication between drivers, or only processes?
I couldn't compile the source code
I received 65 error messages. Could you please help me?
feature request: import/export logs
Hi,
It would be a really cool feature if we could import/export logs captured for later analysis.
Csaba
One more BSOD on monitoring NTFS driver
Hi Pavel,
Please see the crash dump result screen shot.
I will keep the dump file for the moment If any further check on the dump file needed, just let me know.
Regards,
Ethan
Adding README
Can you add a README?
The description Monitor activity of any driver looks vague to me
Possibility to auto attach
Is this possible to auto attach as soon as the driver loads?
Blue screen in DriverMonitor.sys downloaded from AllTools repo
I observed a Blue screen due to DriverMonitor.sys, when i normally closed DriverMon.exe via its UI. The bugcheck code was DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS.
BSOD Error: DRIVER_IRQL_NOT_LESS_OR_EQUAL
I was monitoring mouclass and mouhid for a couple of seconds and the BSOD lit up. I don't know what I'm doing but here's the dump, Looks like I need more symbols for further investigation, but maybe it's enough for you to conclude if the blame is on me or if I stumbled upon something that needs attention?
Bugcheck Analysis (click to expand)
************* Path validation summary **************
Response Time (ms) Location
Deferred srv*
Symbol search path is: srv*
Executable search path is:
Windows 10 Kernel Version 19041 MP (8 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Edition build lab: 19041.1.amd64fre.vb_release.191206-1406
Machine Name:
Kernel base = 0xfffff805`56800000 PsLoadedModuleList = 0xfffff805`5742a1b0
Debug session time: Sat May 15 23:53:20.435 2021 (UTC + 2:00)
System Uptime: 3 days 7:27:46.655
Loading Kernel Symbols
...............................................................
................................................................
................................................................
.........................................................
Loading User Symbols
Loading unloaded module list
..................................................
For analysis of this file, run !analyze -v
nt!KeBugCheckEx:
fffff805`56bf6cf0 48894c2408 mov qword ptr [rsp+8],rcx ss:0018:ffffc105`6c99f390=000000000000000a
1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: ffffc7020d110000, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffff80551831ee0, address which referenced memory
Debugging Details:
------------------
KEY_VALUES_STRING: 1
Key : Analysis.CPU.mSec
Value: 2811
Key : Analysis.DebugAnalysisManager
Value: Create
Key : Analysis.Elapsed.mSec
Value: 3891
Key : Analysis.Init.CPU.mSec
Value: 90577
Key : Analysis.Init.Elapsed.mSec
Value: 161799
Key : Analysis.Memory.CommitPeak.Mb
Value: 540
Key : WER.OS.Branch
Value: vb_release
Key : WER.OS.Timestamp
Value: 2019-12-06T14:06:00Z
Key : WER.OS.Version
Value: 10.0.19041.1
BUGCHECK_CODE: d1
BUGCHECK_P1: ffffc7020d110000
BUGCHECK_P2: 2
BUGCHECK_P3: 0
BUGCHECK_P4: fffff80551831ee0
READ_ADDRESS: Unable to get NonPagedPoolStart
Unable to get NonPagedPoolEnd
Unable to get PagedPoolStart
Unable to get PagedPoolEnd
ffffc7020d110000
CUSTOMER_CRASH_COUNT: 1
PROCESS_NAME: DriverMon.exe
TRAP_FRAME: ffffc1056c99f4d0 -- (.trap 0xffffc1056c99f4d0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffffc7020d10ac90 rbx=0000000000000000 rcx=ffff8000c80c02b0
rdx=000047014504fd48 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80551831ee0 rsp=ffffc1056c99f668 rbp=0000000000100000
r8=0000000000000011 r9=000000000000007e r10=ffffa20000000000
r11=ffff8000c80baf48 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na po nc
DriverMonitor+0x1ee0:
fffff805`51831ee0 f30f6f0411 movdqu xmm0,xmmword ptr [rcx+rdx] ds:ffffc702`0d10fff8=????????????????????????????????
Resetting default scope
STACK_TEXT:
ffffc105`6c99f388 fffff805`56c08c69 : 00000000`0000000a ffffc702`0d110000 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
ffffc105`6c99f390 fffff805`56c04f69 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiBugCheckDispatch+0x69
ffffc105`6c99f4d0 fffff805`51831ee0 : fffff805`51831995 ffffc702`08176fa0 00000000`00000000 ffffc702`00000000 : nt!KiPageFault+0x469
ffffc105`6c99f668 fffff805`51831995 : ffffc702`08176fa0 00000000`00000000 ffffc702`00000000 ffffc105`6c99f6c8 : DriverMonitor+0x1ee0
ffffc105`6c99f670 ffffc702`08176fa0 : 00000000`00000000 ffffc702`00000000 ffffc105`6c99f6c8 ffffc702`25009510 : DriverMonitor+0x1995
ffffc105`6c99f678 00000000`00000000 : ffffc702`00000000 ffffc105`6c99f6c8 ffffc702`25009510 ffffc702`37bb50b0 : 0xffffc702`08176fa0
SYMBOL_NAME: DriverMonitor+1ee0
MODULE_NAME: DriverMonitor
IMAGE_NAME: DriverMonitor.sys
STACK_COMMAND: .thread ; .cxr ; kb
BUCKET_ID_FUNC_OFFSET: 1ee0
FAILURE_BUCKET_ID: AV_DriverMonitor!unknown_function
OS_VERSION: 10.0.19041.1
BUILDLAB_STR: vb_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {4f5158b2-0e58-081a-733b-e73855c05577}
Followup: MachineOwner
---------
1: kd> .trap 0xffffc1056c99f4d0
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffffc7020d10ac90 rbx=0000000000000000 rcx=ffff8000c80c02b0
rdx=000047014504fd48 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80551831ee0 rsp=ffffc1056c99f668 rbp=0000000000100000
r8=0000000000000011 r9=000000000000007e r10=ffffa20000000000
r11=ffff8000c80baf48 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na po nc
DriverMonitor+0x1ee0:
fffff805`51831ee0 f30f6f0411 movdqu xmm0,xmmword ptr [rcx+rdx] ds:ffffc702`0d10fff8=????????????????????????????????
1: kd> lmvm DriverMonitor
Browse full module list
start end module name
fffff805`51830000 fffff805`51839000 DriverMonitor T (no symbols)
Loaded symbol image file: DriverMonitor.sys
Image path: \??\C:\Users\xxxxx\Downloads\System\DriverMon\DriverMon\DriverMonitor.sys
Image name: DriverMonitor.sys
Browse all global symbols functions data
Timestamp: Wed May 22 07:59:24 2019 (5CE4E53C)
CheckSum: 00008D1C
ImageSize: 00009000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
Information from resource tables:
SfDataGrid Compile error
The code won't compile with this error:
\DriverMon\DriverMon\Resources\Styles.xaml(11,73): error MC3066: 'SfDataGrid'
\DriverMon\DriverMon\Views\MainView.xaml(48,10): error MC3074: 'SfDataGrid'
where can i get sf:SfDataGrid?
[Feature] Use hexdump view to export to file
Hi,
First of, thanks for the great tool. I've been searching for quite time for a clean driver monitor, and this is exactly what I wanted.
I was wondering if it could be possible to add to the hexdump view a functionality to export to file on disk, so that it could be later analyzed through hexeditors or bindiffers?
I'm no C# guru but if you accept PRs I'd be happy to do that.
Thanks.
CLR20r3 error when launching application
Microsoft Windows 7 Ultimate x86
app cannot by started - failed to load driver:
DriverMon-0.2-alpha:
EventType clr20r3
P 01: DriverMon.exe
P 02: 1.0.0.0
P 03: 59ff3a57
P 04: DriverMon
P 05: 1.0.0.0
P 06: 59ff3a57
P 07: 8
P 08: 67
P 09: System.ComponentModel.Win32
OS version: 6.1.7601.2.1.0.256.1
next info 1: 0a9e
next info 2: 0a9e372d3b4ad19135b953a78882e789
next info 3: 0a9e
next info 4: 0a9e372d3b4ad19135b953a78882e789
DriverMon-0.3-beta:
EventType clr20r3
P 01: DriverMon.exe
P 02: 1.0.0.0
P 03: 5a0c2db1
P 04: DriverMon
P 05: 1.0.0.0
P 06: 5a0c2db1
P 07: cc
P 08: 0
P 09: System.NullReferenceException
OS version: 6.1.7601.2.1.0.256.1
next info 1: 0a9e
next info 2: 0a9e372d3b4ad19135b953a78882e789
next info 3: 0a9e
next info 4: 0a9e372d3b4ad19135b953a78882e789
DriverLog, driver added but no further output.
Figure out from DriverMon debugging:
"string driverName = driver.Directory + "\" + driver.Name;"
The syntax to call DriverLog should be:
DriverLog.exe \driver\KObjExp
Output from Terminal:
Successfully added driver \driver\KObjExp
Then SysExp.exe was started and expected to see some result like in DriverMon, but actually not any output.
::WaitForSingleObject(hEvent, INFINITE);
It seems that waiting here but there is no event generated.
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. ๐๐๐
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google โค๏ธ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.