A modern tool for Windows kernel exploration and tracing with a focus on security
- VirtualAlloc and VirtualFree events
- MapViewFile and UnmapViewFile events and mapped-files state
- DuplicateHandle event
- QueryDns and ReplyDns events
- RegCloseKey event
- image.signature.type/image.signature.level filter fields
- CreateFile events with image format parameters
- ps.sid filter field contains the raw SID value, e.g. S-1-5-18
- create_options parameter to CreateFile events
- LoadImage/UnloadImage events
- pe filter field set, allowing lazy value extraction
- golang.org/sys/windows package for the vast majority of API calls and structures
- golang.org/sys/windows
- golangci-lint linters to version 1.52.2
- Ktype type to accommodate 2-byte event hook identifiers
- saferwall/pe package for version resource parsing
- RegCloseKey to the list of ignored events
- System process image from the list of ignored processes
- kstream.raw-event-parsing config flag, as binary event parsing is now the default option
- LoadImage events
- yara tests hanging issues
- sid parameter and the ps.sid filter fields contain the raw SID value instead of the username/domain tuple
- operation parameter name in the CreateFile event is renamed to create_disposition
- share_mask parameter contains the full permission name, e.g. READ|WRITE|DELETE
- comm parameter name in process events is renamed to cmdline
- yara filter function. This opens up new possibilities for combining behavior-based and signature-based detections
- kevt.arg filter field is able to extract any event parameter by its internal name. For example, kevt.arg[exe] would extract the process image executable path
- fibratus list fields to check the status of deprecated fields
- process.uuid filter field as a more robust alternative to process id fields that is resistant to pid reuse
- in/iin operators should operate on LHS/RHS values of slice type
- Driver object types
- ps.sibling.args filter field
- ~= operator for case-insensitive string comparisons in filters
- is_minidump filter function for checking the signature of minidump files
- libyara to version 4.2
- content-type config flag for the email alert sender
- labels and description attributes in rule groups
- and and or operators
- include/exclude rule policies
- include produces a match
- selector attribute will fail to load. As a workaround, remove the selector attribute and include it as the first condition in the rule.
- not operator can negate complex parenthesized expressions and functions
- OpenProcess and OpenThread events
- cidr_contains function implementation should return a correct value if no subnets are matched
- --kstream.raw-event-parsing=true
- OpenProcess and OpenThread events
- ps.sibling.*, ps.domain, and ps.username filter fields
- exe parameter to CreateThread events
- thread.pid filter field for matching the target thread's process id
- in, startswith, and endswith operators
- cidr_contains and md5 functions
- dip.names and sip.names filter fields
- not operator in filters
- matches and imatches string matching operators
- file.extension filter field
- go-yara package
- handle interceptor when publishing deferred CreateHandle events
- TdhGetPropertySize API call for static parameter types
- fibratus version output
- RecvUDPv4 event type GUID
- handle interceptor should return the CloseHandle event when entering the deferred map

The new generation Fibratus tool release!