From Collaborative RCE Tool Library
Filter Monitor
| Tool name: | Filter Monitor |
|
||
|---|---|---|---|---|
| Author: | Daniel Pistelli | |||
| Website: | http://ntcore.com/filtermon.php | |||
| Current version: | 1.1.0 | |||
| Last updated: | October 20, 2009 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free | |||
| Description: | This utility can list kernel mode filters and also unregister them. Monitored filters are, for instance, registry filters, create process and thread notifications. FilterMon comes both for x64 and x86 and it should work on all Windows systems from Vista RTM to Windows 7 RTM. However, I only tested it on Windows 7 RTM on x64 and I can't guarantee that it will work on future versions of Windows as it relies heavily on system internals. As you probably all know the Service Descriptor Table has been a playground on x86 for all sorts of things: rootkits, anti-viruses, system monitors etc. On x64 modifying the Service Descriptor Table is no longer possible, at least not without subverting the Patch Guard technology. Thus, programs have now to rely on the filtering/notification technologies provided by Microsoft. And that's why I wrote this little utility which monitors some key filters. Since I haven't signed the driver of my utility, you have to press F8 at boot time and then select the "Disable Driver Signature Enforcement" option. If you have a multiple boot screen like myself, then you can take your time. Otherwise you have to press F8 frenetically to not miss right moment. |
|||
| Related URLs: |
|
|||
| Screenshot: |
|---|
 |
Feed containing all updates for this tool.
(please also edit it if you think it fits well in some additional category, since this can also be controlled)
You are welcome to add your own useful notes about this tool, for others to see!