CallMon

CallMon is a system call monitoring tool that works on Windows 10 versions 2004+ using PsAltSystemCallHandlers.

Usage

• CallMon requires driver signature enforcement (DSE) to be disabled.
• Download release here (or download and build from source)
• Ensure both CallMon.exe and AltCall.sys are in the same directory
• Run CallMon.exe as an administrator
• Click on "Initialize"
• Enter a process's ID in the text field and click "Add Process"

Architecture

CallMon is comprised of a kernel driver (AltCall.sys) and a GUI application (CallMon.exe). Together, these programs work to provide API introspection for monitored processes. The driver and GUI application communicate via a named pipe (\\.\pipe\CallMonPipe). The data passed by the driver to usermode consists of a custom header which contains the process id and stack information along with a KTRAP_FRAME structure received from the alt syscall handler function.

Performance Impacts

Because the system call handler function is called everytime a targeted process preforms a call (and in the context of the targeted process), heavy API usage programs will experience a drop in performance due to the transfer of data back to the CallMon GUI process.

Resources

0xcpu's Research on AltSyscallHandlers

Rust Driver Version

Optionally, there is a version of the AltCall.sys driver written in Rust. The sources and binary are included only in the repository and not in the release. I highly recommended reading not-matthias' (his code was the foundation for the Rust version) blog post on building Windows drivers in Rust. In addition, I will mention that I worked on this to better my Rust skills and not to make a memory safe driver. I heavily used "unsafe" Rust code, and kernel interactions in themselves can always go awire.

Build

If you are not already on the nightly channel, change to it using:
rustup toolchain install nightly
Override using:
rustup override set nightly

C VS. Rust

Besides, the obvious syntax differences, I also made some design changes:

• Rust version uses ProbeForRead instead of MmHighestUserAddress and MmIsAddressValid check for stack pointer.
• Rust version has no remove process IOCTL handling function (possibly coming soon?) now has support for removing processes!