Skip to content

Home

Jump to bottom
Jonathan Johnson edited this page Sep 28, 2023 · 5 revisions

About

JonMon is a telemetry sensor suite that was developed to help bring insight into sensor internals to the community. There are 4 major components to JonMon:

  1. The kernel driver. The driver serves to attach to various callback routines to return information around actions performed on objects like processes, registry keys/values, and threads.
  2. The minifilter. The minifilter leverages a post-callback that will attach to file I/O requests to return information around file creations, file deletes, named-pipe creations, and named pipe connections.
  3. The user-mode application - JonMon-Service. JonMon-Service installs as a service and is used as an ETW consumer for various providers.
  4. The JonMon ETW Provider - jonmon.man & jonmon.dll. The JonMon provider is a manifest-based provider that is used by both the kernel-mode and user-mode components to log actions they have found. Logs can be found in the EventViewer under Applications and ServiceLogs\JonMon\Operational.

image

Installation

OS Support

Minimum OS: Win10 - 19045.2486

  • Does support Win11.

Instructions

  • Download JonMon from the Release menu
  • Disable Secure Boot
  • Turn testsigning on - bcdedit /set TESTSIGNING on. Turning on DEBUG would help me narrow down any issues you have as well. To do this please input bcdedit /set DEBUG on
  • Restart Computer
  • Go to JonMon directory
  • Install JonMon via JonMon-Service.exe -i

2 services will be created for you:

  • JonMon (User-Mode application)
  • JonMonDrv (Kernel Driver)

These services do not persist on boot. It is suggested if you want to run JonMon after installation and reboot to uninstall via JonMon-Service.exe -u, then re-install the services via JonMon-Service.exe -i. Otherwise all functionality is not guaranteed to work properly.

Uninstall

  • Run JonMon-Service.exe -u

Recommended Usage

  • Install JonMon
  • Execute behavior
  • Uninstall JonMon Events will stay within the Even-Viewer after removing JonMon. Due to JonMon not being tested over long periods of time, it is suggested to do a short collection.

Compilation

If you want to compile JonMon do the following:

  • Go in the JonMonProvider directory and run the following:
  • mc.exe -km JonMon.man
  • rc.exe jonmon.rc
  • link.exe /noentry /machine:x64 /dll /out:jonmon.dll .\jonmon.res
  • Load up JonMon in Visual Studio
  • Include "jtime.h" (within the JonMon directory) in JonMon.h within the JonMonProvider
  • Build solution

Event Mapping

Please see EventMapping for all questions regarding events that JonMon collects, as well as any tuning that is being done.

JonMon Issues

I am happy to hear about any issues you have with JonMon, when submitting an issue please:

  • Precise on what the issue is
  • What you would like to see differently
  • If JonMon crashed your box, please include the minidump file so I can properly analyze the issue.

Note: Any issues that revolve around "Don't work please fix", will be closed immediately.

Warning

It is suggested to ONLY run JonMon in a VM. This is a research project and is not meant to be ran in production environments.

Clone this wiki locally