Fibratus Versions

A modern tool for Windows kernel exploration and tracing with a focus on security

v0.7.2

6 years ago
  • fixes skipped filtering on Windows 7 (fs / dll events)
  • kstreamc now keeps a separate thread map to bind thread to its process

v0.7.1

7 years ago
  • spying on a specific process image (--image flag)
  • file system output
  • configuration file validation through schema definition
  • fixed C to Python data type castings

v0.7.0

7 years ago
  • integration with YARA tool
  • standalone Windows installer
  • minor bug fixes and code refactoring

v0.6.1

7 years ago
  • support for RenameFile and SetFileInformation kernel events
  • pid and file_object fields in file system events
  • filament processing in thread context
  • several bug fixes

v0.6.0

7 years ago
  • high-performance GIL-free kernel event stream collector
  • image meta registry provides PE (Portable Executable) headers, sections, imports, file information, etc.
  • streaming kernel events to multiple output sinks
  • switched to logbook for detailed startup logging info

v0.4.1

7 years ago
  • authentication support for elasticsearch output adapter

v0.4.0

7 years ago
  • per-pid process spying support (--pid command line flag)
  • excluding processes from the trace through the configuration file
  • ElasticSearch output adapter
  • performance improvements on the kernel stream collector

v0.3.0

7 years ago
  • context switch instrumentation support
  • --cswitch command line flag to enable context switch kernel events

v0.2.3

7 years ago
  • minor changes to MANIFEST.in artifact
  • installing via pip

v0.2.0

7 years ago
  • in-process filament execution
  • streaming kernel events via output adapters (SMTP, AMQP)
  • writing to console using the standard Windows API
  • asciiart package
  • fixed landscape style violations and code smells
  • shipping new filaments
  • resolve filaments directory from environment variable
  • check for the kernel event filters when calling the process method on filament
  • initialize the kernel event params when hive or key does not satisfy the condition in RegSetValue or RegQueryValue
  • yaml configuration file parser
  • changed setup.py to install kstreamc to site-packages
  • --no-enum-handles to disable the system handles enumeration on startup
  • migrated from coveralls to codecov
  • added more unit tests
  • improved code coverage
  • code refactoring and comments
  • new logo