快速开始
获取SDK
通过Github下载SDK:https://github.com/wecooperate/iMonitorSDK
执行SDK目录下面的build.bat即可编译SDK带的sample,通过sample可以快速了解和实现各种功能
示例说明
| 示例 | 说明 |
|---|---|
| imonitor_sample_all_hidden.cpp | 文件隐藏 |
| imonitor_sample_all_protect.cpp | 自保护 |
| imonitor_sample_all_redirect.cpp | 文件重定向 |
| imonitor_sample_all_rule.cpp | 应用层规则引擎 |
| imonitor_sample_all_rule_kernel.cpp | 内核规则引擎 |
| imonitor_sample_all_sandbox.cpp | 隔离沙箱 |
| imonitor_sample_all_sysmon.cpp | 异步采集 |
| imonitor_sample_enhance_config.cpp | 高级配置 |
| imonitor_sample_enhance_event.cpp | 自定义事件 |
| imonitor_sample_enhance_extension.cpp | 扩展事件字段 |
| imonitor_sample_enhance_filter.cpp | 快速过滤 |
| imonitor_sample_enhance_pending.cpp | 同步多线程处理 |
| imonitor_sample_enhance_rpc_caller.cpp | RPC远程调用溯源 |
| imonitor_sample_enhance_user_monitor.cpp | 用户层HOOK接入 |
| imonitor_sample_file_cleanup.cpp | 文件落地 |
| imonitor_sample_file_create.cpp | 拦截文件创建 |
| imonitor_sample_file_write.cpp | 拦截文件写 |
| imonitor_sample_process_create.cpp | 拦截进程创建 |
| imonitor_sample_process_inject_dll.cpp | 注入动态库 |
| imonitor_sample_process_loadlibrary.cpp | 拦截模块加载 |
| imonitor_sample_process_open.cpp | 进程打开 |
| imonitor_sample_process_remote_thread.cpp | 远程线程注入 |
| imonitor_sample_reg_create.cpp | 注册表创建 |
| imonitor_sample_reg_deletevalue.cpp | 删除注册表值 |
| imonitor_sample_socket_accept.cpp | AFD socket accept |
| imonitor_sample_socket_connect.cpp | AFD socket connect |
| imonitor_sample_socket_recv.cpp | AFD socket recv |
| imonitor_sample_socket_redirect.cpp | AFD socket redirect |
| imonitor_sample_viewer_file.cpp | 所有文件事件字段 |
| imonitor_sample_viewer_process.cpp | 所有进程事件字段 |
| imonitor_sample_viewer_reg.cpp | 所有注册表事件字段 |
| imonitor_sample_viewer_socket.cpp | 所有socket事件字段 |
| imonitor_sample_viewer_wfp.cpp | 所有网络事件字段 |
| imonitor_sample_wfp_accept.cpp | WFP accept |
| imonitor_sample_wfp_connect.cpp | WFP connect |
| imonitor_sample_wfp_dns.cpp | WFP dns |
| imonitor_sample_wfp_recv.cpp | WFP recv |
| imonitor_sample_wfp_redirect.cpp | WFP redirect |
手动接入SDK
- 从IMonitorCallback继承
- 通过MonitorManager传入IMonitorCallback启动
- 设置需要监控的消息
class MonitorCallback : public IMonitorCallback
{
public:
void OnCallback(IMonitorMessage* Message) override
{
if (Message->GetType() != emMSGProcessCreate)
return;
cxMSGProcessCreate* msg = (cxMSGProcessCreate*)Message;
//
// 禁止进程名 cmd.exe 的进程启动
//
if (msg->IsMatchPath(L"*\\cmd.exe"))
msg->SetBlock();
}
};
int main()
{
MonitorManager manager;
MonitorCallback callback;
HRESULT hr = manager.Start(&callback);
if (hr != S_OK) {
printf("start failed = %08X\n", hr);
return 0;
}
cxMSGUserSetMSGConfig config;
config.Config[emMSGProcessCreate] = emMSGConfigSend;
manager.InControl(config);
WaitForExit("禁止进程名 cmd.exe 的进程启动");
return 0;
}
更多的使用说明可以参考SDK的sample和文档的接口说明。