DeviceMon is a Windows Driver that implemented Virtualization Based PCI Device Monitor.
- Visual Studio 2015 update 3
- Windows SDK 10
- Windowr Driver Kit 10
- VMware 12 with EPT environment.
- Supports Multi-core processor environment
- Test environment with Windows 10 x64 RS4
DeviceMon will be on-going developed for support more PCI devices, and currently support monitoring SPI controller behavior, with SPI behavior monitoring, anyone send a cycle to SPI controller it can be captured by DeviceMon, means, in case of someone whose are trying to attack the Flash ROM, theoretically could be capture by DeviceMon. By intercepting a MMIO translation path, the communication between driver and devices could be easily exposed.
-
Compiled DeviceMon.sys
-
Enable Testsigning on x64:
bcdedit /set testsigning on -
Install DeviceMon.sys
sc create DeviceMon type= kernel binPath= C:\DeviceMon.syssc start DeviceMon -
start a service as following screen capture with its expected output
A demo has captured a malware that starting the attack and dumping the SPI Flash ROM.
