open source process monitor
- Use the procmon gui. (build and run procmon_gui.exe)
- Use the sdk in you project(build and link sdk)
You don't have a digital signature yourself? It doesn't matter. You can use the original procmon driver, this sdk is 100% compatible with the original procmon driver.
#include <conio.h> #include "../../sdk/procmonsdk/sdk.hpp" class CMyEvent : public IEventCallback { public: virtual BOOL DoEvent(const CRefPtr<CEventView> pEventView) { ULONGLONG Time = pEventView->GetStartTime().QuadPart; LogMessage(L_INFO, TEXT("%llu Process %s Do 0x%x for %s"), Time, pEventView->GetProcessName().GetBuffer(), pEventView->GetEventOperator(), pEventView->GetPath().GetBuffer()); return TRUE; } }; int main() { CEventMgr& Optmgr = Singleton<CEventMgr>::getInstance(); CMonitorContoller& Monitormgr = Singleton<CMonitorContoller>::getInstance(); Optmgr.RegisterCallback(new CMyEvent); // // Try to connect to procmon driver // if (!Monitormgr.Connect()){ LogMessage(L_ERROR, TEXT("Cannot connect to procmon driver")); return -1; } // // try to start monitor // Monitormgr.SetMonitor(TRUE, TRUE, FALSE); if (!Monitormgr.Start()){ LogMessage(L_ERROR, TEXT("Cannot start the mointor")); return -1; } _getch(); // // try to stop the monitor // Monitormgr.Stop(); LogMessage(L_INFO, TEXT("!!!!!monitor stop press any key to start!!!!")); _getch(); Monitormgr.Start(); _getch(); Monitormgr.Stop(); Monitormgr.Destory(); return 0; }It is pertty esay right?
main window:
properties windows
- Driver load example.
- Filter dialog.
- Filter apply processing dialog.
- Save the capture log to file.
- Load capture log.
- Load Driver.
- Sybmol support for call stack view.
- Integrity level parse.
- Registery event capture.
- Parse detail for File/Registery Event.
- Filter plugin support.