README
¶
Fibratus
A modern tool for the Windows kernel exploration and observability
Get Started »
Docs
•
Filaments
•
Download
•
Discussions
What is Fibratus?
Fibratus is a tool for exploration and tracing of the Windows kernel. It lets you trap system-wide events such as process life-cycle, file system I/O, registry modifications or network requests among many other observability signals. In a nutshell, Fibratus allows for gaining deep operational visibility into the Windows kernel but also processes running on top of it.
Events can be shipped to a wide array of output sinks or dumped to capture files for local inspection and forensics analysis. The powerful filtering engine permits drilling into the event flux entrails.
You can use filaments to extend Fibratus with your own arsenal of tools and so leverage the power of the Python ecosystem.
Features
- ⚡ blazing fast
- 📡 collects a wide spectrum of kernel events - from process to network observability signals
- 🔍 super powerful filtering engine
- 🐍 running Python scriptlets on top of kernel event flow
- 💽 capturing event flux to kcap files and replaying anywhere
- 🚀 transporting events to Elasticsearch, RabbitMQ or console sinks
- ✂ transforming kernel events
- 🪲 scanning malicious processes and files with Yara
- 📁 PE (Portable Executable) introspection
Documentation
Setup
- Installation
- Building from source
- Running as standalone binary
- Running as Windows Service
- CLI
- Configuration
Events
Filters
Captures
Filaments
Outputs
Transformers
Alerts
PE (Portable Executable)
YARA
Troubleshooting
Developed with ❤️ by Nedim Šabić Šabić
Logo designed with ❤️ by Karina Slizova
Directories
¶
| Path | Synopsis |
|---|---|
|
cmd
|
|
|
pkg
|
|
|
kevent
Package kevent defines the fundamental data structures that underpin the state of every kernel event pushed from the consumer.
|
Package kevent defines the fundamental data structures that underpin the state of every kernel event pushed from the consumer. |
|
kstream
Package kstream contains facilities for controlling the kernel logger session and opening kernel event stream for the purpose of collecting and processing kernel events.
|
Package kstream contains facilities for controlling the kernel logger session and opening kernel event stream for the purpose of collecting and processing kernel events. |
|
outputs/amqp/_fixtures/garagemq/amqp
Package amqp for read, write, parse amqp frames Autogenerated code.
|
Package amqp for read, write, parse amqp frames Autogenerated code. |
|
pe
Package pe contains different facilities for dealing with Portable Executable specifics and digging out valuable insights from it.
|
Package pe contains different facilities for dealing with Portable Executable specifics and digging out valuable insights from it. |
|
ps
Package ps contains process's state snapshotter implementation.
|
Package ps contains process's state snapshotter implementation. |
|
syscall
Package syscall contains the definitions of functions, structures and constants for interacting with the Windows API.
|
Package syscall contains the definitions of functions, structures and constants for interacting with the Windows API. |
|
util/fasttemplate
Package fasttemplate implements simple and fast template library.
|
Package fasttemplate implements simple and fast template library. |