Over these past months I've been working on Fibratus - a tool for exploration and tracing of the Windows kernel. It's about 90% complete, and the alpha release could be out next month.
Fibratus is being developed in my "spare" time, i.e. outside working hours and when I can steal some time from my wife/daughter. A full-time job is very consuming. Because of that, keep in mind that the release date could slip.
In a nutshell, Fibratus is a tool which is able to capture most of the Windows kernel activity - process/thread creation and termination, file system I/O, registry operations, network activity, DLL loading/unloading and much more.
Fibratus has a very simple CLI which encapsulates the machinery to start the kernel event stream collector, enable filters or run lightweight Python modules called filaments (more on these later). As you can see in the video teaser, starting fibratus without command line options generates a lot of output. If you are interested in a particular kernel event, you can pass the --filters parameter specifying one or more event types to watch; everything else is dropped. There are plans for supporting more complex filter expressions including logical operators, string matching, regular expressions, etc.
Where Fibratus really shines is when combined with filaments. As I already mentioned, filaments let you apply any kind of custom logic to the kernel event stream. Do you need to emit the kernel event payloads to a RabbitMQ queue and perform aggregations, filtering or groupings, or do you already have a remote HTTP endpoint to send the Fibratus capture to? Use your favourite clients like pika or requests. Filaments open up the whole Python ecosystem for you. This is a clean, non-invasive way to extend Fibratus and complement an existing arsenal of security, penetration testing and performance monitoring tools. Without further ado, watch the video teaser and stay tuned for the upcoming Fibratus release.
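To make the filament idea concrete, here is an added example of the kind of module described above: it filters the event stream down to process creations, groups them by parent PID, and ships the batch to an HTTP endpoint. This is illustration code written for this post, not code from the Fibratus project; the hook names `on_init` / `on_next_kevent`, the `kevent` attribute layout and the `flush` cadence are assumptions about the filament interface (the post does not document it), and the sample events and endpoint URL are constructed.

```python
"""
Example filament: keep CreateProcess events, count them per parent PID,
and POST the batch as JSON to an HTTP endpoint.

ASSUMED interface (not documented on this page): Fibratus loads the module,
calls on_init() once, then on_next_kevent(kevent) for each kernel event,
where kevent exposes .name, .pid and a .params dict.
"""
import json
from collections import Counter, namedtuple

# Constructed stand-in for a kernel event object, matching the assumed shape.
KEvent = namedtuple("KEvent", "name pid params")

WATCHED = {"CreateProcess"}   # event types this filament cares about

_batch = []                   # events pending upload
_by_parent = Counter()        # aggregation: child creations per parent PID


def on_init():
    """Reset state; the collector would call this before streaming starts."""
    _batch.clear()
    _by_parent.clear()


def on_next_kevent(kevent):
    """Filter to watched events and group by parent PID. Returns True if kept."""
    if kevent.name not in WATCHED:
        return False
    _batch.append({"name": kevent.name, "pid": kevent.pid, **kevent.params})
    _by_parent[kevent.params.get("parent_pid")] += 1
    return True


def snapshot():
    """Current per-parent creation counts as a plain dict."""
    return dict(_by_parent)


def flush(sender):
    """Hand the pending batch to a sink callable, clear it, return events sent."""
    if not _batch:
        return 0
    payload = json.dumps({"events": _batch, "per_parent": snapshot()})
    sender(payload)
    sent = len(_batch)
    _batch.clear()
    return sent


def http_sender(url):
    """Build a sink that POSTs the JSON payload with requests."""
    def send(payload):
        import requests  # imported lazily so the module loads without it
        requests.post(url, data=payload,
                      headers={"Content-Type": "application/json"}, timeout=5)
    return send


# Constructed sample stream: three process creations interleaved with
# unrelated registry and file events that the filter must drop.
SAMPLE_EVENTS = [
    KEvent("CreateProcess", 4312, {"parent_pid": 1200, "image": "cmd.exe"}),
    KEvent("RegSetValue", 4312, {"key": "HKCU\\Software\\Example"}),
    KEvent("CreateProcess", 4400, {"parent_pid": 4312, "image": "powershell.exe"}),
    KEvent("WriteFile", 4400, {"file": "C:\\Temp\\out.txt"}),
    KEvent("CreateProcess", 4500, {"parent_pid": 1200, "image": "notepad.exe"}),
]


def run_sample(sender=None):
    """Drive the hooks over SAMPLE_EVENTS. Returns (sent, per_parent, decoded_payloads)."""
    captured = []
    on_init()
    for ev in SAMPLE_EVENTS:
        on_next_kevent(ev)
    sent = flush(sender or captured.append)
    return sent, snapshot(), [json.loads(p) for p in captured]


if __name__ == "__main__":
    # Replace the collector with http_sender("http://127.0.0.1:8080/kevents")
    # (a constructed URL) to ship the batch to a real endpoint.
    print(run_sample())
```

Swapping `http_sender` for a function that publishes with pika is the only change needed to target RabbitMQ instead; the filtering and grouping logic is sink-agnostic, which is the point of keeping that logic in a filament rather than in the collector.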