fibratus: exploration and tracing of the Windows kernel
Fibratus
Fibratus is a tool for exploration and tracing of the Windows kernel. It lets you trap system-wide events such as process life-cycle, file system I/O, registry modifications or network requests, among many other observability signals. In a nutshell, Fibratus gives deep operational visibility into the Windows kernel and into the processes running on top of it.
Events can be shipped to a wide array of output sinks or dumped to capture files for local inspection and forensics analysis. The powerful filtering engine permits drilling into the event flux entrails.
You can use filaments to extend Fibratus with your own arsenal of tools and so leverage the power of the Python ecosystem.
Features
- ⚡ blazing fast
- 📡 collects a wide spectrum of kernel events – from process to network observability signals
- 🔍 the super powerful filtering engine
- 🐍 running Python scriptlets on top of kernel event flow
- 💽 capturing event flux to kcap files and replaying anywhere
- 🚀 transporting events to Elasticsearch, RabbitMQ or console sinks
- ✂️ transforming kernel events
- 🐞 scanning malicious processes and files with Yara
- 📁 PE (Portable Executable) introspection
Filtering
Fibratus supports basic filtering capabilities on kernel event names. To capture only the specified kernel events, use the fibratus run --filters command. For example, fibratus run --filters CreateProcess Send would capture the events related to process creation and data sending over network sockets. For a full list of the kernel events, see the table below.
Kernel event | Description |
---|---|
ContextSwitch | Scheduler selects a new thread to run |
CreateProcess | Creates a new process and its primary thread |
CreateThread | Creates a thread to execute within the virtual address space of the calling process |
TerminateProcess | Terminates the process and all of its threads |
TerminateThread | Terminates a thread |
LoadImage | Loads the module into the address space of the calling process |
UnloadImage | Frees the loaded module from the address space of the calling process |
CreateFile | Creates or opens a file or I/O device |
CloseFile | Closes the file or I/O device |
DeleteFile | Deletes an existing file or directory |
RenameFile | Renames a file or directory |
ReadFile | Reads data from the file or I/O device |
WriteFile | Writes data to the file or I/O device |
Send | Sends data on a connected socket |
Recv | Receives data from a connected socket |
Accept | Initiates the connection attempt from the remote or local TCP socket |
Connect | Establishes the connection to a TCP socket |
Disconnect | Closes the connection to a TCP socket |
Reconnect | Reconnects to a TCP socket |
RegCreateKey | Creates the registry key or opens it if the key already exists |
RegQueryKey | Retrieves information about the registry key |
RegOpenKey | Opens the registry key |
RegDeleteKey | Deletes a subkey and its values |
RegQueryValue | Retrieves the type and data of the value associated with an open registry key |
RegSetValue | Sets the data and type of a value under a registry key |
RegDeleteValue | Removes a value from the registry key |
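The following is an added example, not Fibratus code: it models the name-based filtering described above (a list of event names such as CreateProcess Send selects which events are kept) over a constructed in-memory event stream, and validates the requested names against the event table from this page so that a mistyped name fails loudly instead of silently matching nothing. The KEvent class, the subsystem grouping and the sample events are assumptions made for the illustration.

```python
"""Name-based kernel event filtering, modelled on the behaviour described for
`fibratus run --filters`. Added illustration only, not the project's own code:
the event stream is constructed, and KERNEL_EVENTS is transcribed from the
README's event table (the subsystem grouping is an assumption for reporting)."""

from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Sequence

# Event names from the README table, mapped to the subsystem they belong to.
KERNEL_EVENTS: Dict[str, str] = {
    "ContextSwitch": "thread", "CreateProcess": "process", "CreateThread": "thread",
    "TerminateProcess": "process", "TerminateThread": "thread",
    "LoadImage": "image", "UnloadImage": "image",
    "CreateFile": "file", "CloseFile": "file", "DeleteFile": "file",
    "RenameFile": "file", "ReadFile": "file", "WriteFile": "file",
    "Send": "net", "Recv": "net", "Accept": "net", "Connect": "net",
    "Disconnect": "net", "Reconnect": "net",
    "RegCreateKey": "registry", "RegQueryKey": "registry", "RegOpenKey": "registry",
    "RegDeleteKey": "registry", "RegQueryValue": "registry",
    "RegSetValue": "registry", "RegDeleteValue": "registry",
}


@dataclass
class KEvent:
    """Minimal stand-in for a kernel event record (hypothetical shape)."""
    name: str
    pid: int
    params: Dict[str, str] = field(default_factory=dict)


class UnknownEventError(ValueError):
    """Raised when a filter names an event that is not in the known table."""


def build_filter(names: Sequence[str]) -> Callable[[KEvent], bool]:
    """Validate the requested names against KERNEL_EVENTS and return a predicate.

    Validation is the important part: a typo such as 'CreateProces' would
    otherwise produce an empty capture that looks like 'nothing happened'.
    """
    unknown = sorted(set(names) - KERNEL_EVENTS.keys())
    if unknown:
        raise UnknownEventError("unknown kernel event(s): " + ", ".join(unknown))
    wanted = frozenset(names)
    return lambda ev: ev.name in wanted


def apply_filter(events: Iterable[KEvent], names: Sequence[str]) -> List[KEvent]:
    """Keep only the events whose name is in the filter list."""
    keep = build_filter(names)
    return [ev for ev in events if keep(ev)]


def count_by_subsystem(events: Iterable[KEvent]) -> Dict[str, int]:
    """Summarise a (filtered) stream by subsystem, e.g. {'process': 1, 'net': 2}."""
    counts: Dict[str, int] = {}
    for ev in events:
        sub = KERNEL_EVENTS[ev.name]
        counts[sub] = counts.get(sub, 0) + 1
    return counts


# Constructed sample stream; pids and parameters are made up for the example.
SAMPLE_EVENTS: List[KEvent] = [
    KEvent("CreateProcess", 4120, {"image": "C:\\Windows\\System32\\cmd.exe"}),
    KEvent("CreateFile", 4120, {"path": "C:\\Users\\demo\\notes.txt"}),
    KEvent("Connect", 4120, {"dip": "192.0.2.10", "dport": "443"}),
    KEvent("Send", 4120, {"bytes": "512"}),
    KEvent("RegSetValue", 1188, {"key": "HKCU\\Software\\Demo\\Setting"}),
    KEvent("Send", 1188, {"bytes": "64"}),
    KEvent("TerminateProcess", 4120, {}),
]

if __name__ == "__main__":
    captured = apply_filter(SAMPLE_EVENTS, ["CreateProcess", "Send"])
    for ev in captured:
        print(f"{ev.name:<16} pid={ev.pid} {ev.params}")
    print(count_by_subsystem(captured))
```

Running the block with the sample stream keeps the one CreateProcess and the two Send events, which is the behaviour the --filters example above describes; passing an unknown name raises UnknownEventError.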
Download & Usage
Copyright 2015/2016 by Nedim Sabic (RabbitStack)
Source: https://github.com/rabbitstack/