Skip to content
/ KLog Public

KLog -- Kernel Logger plugin for Process Hacker

4 stars 3 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

tigros/KLog

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

33 Commits
KLogProcessHacker
KLogProcessHacker
 
 
plugins/KLog
plugins/KLog
 
 
README.md
README.md
 
 

Repository files navigation

KLog -- Kernel Logger

KLog is used to log all processes started, it uses a driver to catch processes starting at the root rather than using a polling method, which means fast closing processes will not be missed. ETW or WMI methods don't miss anything but getting the command line arguments of fast closing processes is next to impossible using those methods, which is where KLog has an advantage.

Once the driver is compiled the system will need to be in Test Mode because it is Test signed. Hopefully someday this will be rectified, if you are willing to MS sign it with your credentials please let me know, it would be very much appreciated!

To put Windows in Test Mode run these 2 commands from an elevated cmd prompt:

bcdedit.exe /set nointegritychecks on
bcdedit /set testsigning on

Also, a minor change is required in ProcessHacker\main.c to bypass the .sig check. In main.c look for PhInitializeKph funtion then after the KphConnect2Ex call, bypass the .sig check with a goto or whatever method you prefer.

This program is based on the good work of the Battelle Memorial Institute team, see https://github.com/HoneProject for more information.

About

KLog -- Kernel Logger plugin for Process Hacker

Resources

Readme
Activity

Stars

4 stars

Watchers

2 watching

Forks

3 forks
Report repository

Releases 1

catch possible null command line causing crash Latest
Feb 20, 2020

Packages

No packages published

Languages