Jonathan Johnson edited this page Jan 27, 2025 · 7 revisions

About

JonMon is a telemetry sensor suite that was developed to help bring insight into sensor internals to the community. There are 4 major components to JonMon:

  1. The kernel driver. The driver serves to attach to various callback routines to return information around actions performed on objects like processes, registry keys/values, and threads.
  2. The minifilter. The minifilter leverages a post-callback that will attach to file I/O requests to return information around file creations, file deletes, named-pipe creations, and named pipe connections.
  3. The user-mode application - JonMon-Service. JonMon-Service installs as a service and is used as an ETW consumer for various providers.
  4. The JonMon ETW Provider - jonmon.man & jonmon.dll. The JonMon provider is a manifest-based provider that is used by both the kernel-mode and user-mode components to log the actions they observe. Logs can be found in Event Viewer under Applications and Services Logs\JonMon\Operational.

[Image: JonMonv2 0-official]

Installation

OS Support

Support for x64: 10.0.19045 - 10.0.26100

Support for ARM64: 10.0.22621 - 10.0.26100

Instructions

  • Download JonMon from the Release menu
  • Disable Secure Boot
  • Turn test signing on: bcdedit /set TESTSIGNING on. Turning on DEBUG would help me narrow down any issues you have as well; to do this, run bcdedit /set DEBUG on
  • Restart Computer
  • Go to JonMon directory
  • Update JonMon Config
  • Install JonMon via JonMon-Service.exe -i

2 services will be created for you:

  • JonMon (User-Mode application)
  • JonMonDrv (Kernel Driver)

These services do not persist across reboots. If you want to run JonMon again after installing and rebooting, it is suggested to uninstall via JonMon-Service.exe -u, then re-install the services via JonMon-Service.exe -i. Otherwise, not all functionality is guaranteed to work properly.
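The following PowerShell script is an added example, not part of the JonMon project, that checks the prerequisites listed above (Secure Boot off, test signing on, a supported OS build) before running JonMon-Service.exe -i and then confirms that the two services exist. It assumes JonMon-Service.exe is in the current directory and that the service names are JonMon and JonMonDrv as stated on this page.

```powershell
# Added example (not JonMon project code): pre-flight checks for the install steps.
# Assumes JonMon-Service.exe is in the current directory.
#Requires -RunAsAdministrator

function Test-JonMonPrerequisites {
    $ok = $true

    # A test-signed driver will not load while Secure Boot is enforced.
    try {
        if (Confirm-SecureBootUEFI) {
            Write-Warning "Secure Boot is enabled; disable it in firmware before installing."
            $ok = $false
        }
    } catch {
        # Confirm-SecureBootUEFI throws on legacy BIOS/CSM systems, where Secure Boot does not apply.
        Write-Verbose "Secure Boot query not supported on this platform."
    }

    # bcdedit lists the current boot entry; the setting shows up as 'testsigning Yes'.
    $bcd = bcdedit /enum "{current}" 2>$null
    if (-not ($bcd -match '^\s*testsigning\s+Yes')) {
        Write-Warning "Test signing is off. Run: bcdedit /set TESTSIGNING on, then reboot."
        $ok = $false
    }

    # Supported build ranges from this page: x64 19045-26100, ARM64 22621-26100.
    $build = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber
    $arch  = $env:PROCESSOR_ARCHITECTURE
    $min   = if ($arch -eq 'ARM64') { 22621 } else { 19045 }
    if ($build -lt $min -or $build -gt 26100) {
        Write-Warning "Build $build ($arch) is outside the supported range."
        $ok = $false
    }
    return $ok
}

function Install-JonMon {
    if (-not (Test-JonMonPrerequisites)) {
        throw "Prerequisites not met; see warnings above."
    }
    & .\JonMon-Service.exe -i

    # Both services should now exist; report their state.
    foreach ($svc in 'JonMon', 'JonMonDrv') {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        if (-not $s) { Write-Warning "Service $svc was not created." }
        else { "{0}: {1}" -f $svc, $s.Status }
    }
}

# Usage: Install-JonMon
```

Because the services do not survive a reboot, running Install-JonMon again after JonMon-Service.exe -u is the same sequence the page recommends for re-installation.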

Uninstall

  • Run JonMon-Service.exe -u

Recommended Usage

  • Install JonMon
  • Execute behavior
  • Uninstall JonMon

Events will stay in Event Viewer after removing JonMon. Because JonMon has not been tested over long periods of time, it is suggested to do a short collection.
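The following PowerShell function is an added example, not part of the JonMon project, that wraps the recommended install, execute, uninstall cycle into one bounded collection run and exports the resulting events to an .evtx file. It assumes the operational channel is named JonMon/Operational (inferred from the Event Viewer path given on this page) and that JonMon-Service.exe is in the current directory.

```powershell
# Added example (not JonMon project code): a short, bounded collection run.
# Assumes the channel name 'JonMon/Operational' and JonMon-Service.exe in the current directory.
#Requires -RunAsAdministrator

function Invoke-JonMonCollection {
    param(
        [Parameter(Mandatory)] [scriptblock] $Behavior,   # the activity to observe
        [string] $OutFile = ".\jonmon-$(Get-Date -Format yyyyMMdd-HHmmss).evtx",
        [switch] $ClearFirst                               # clear old events so the export holds only this run
    )
    $channel = 'JonMon/Operational'   # assumption: channel name from the Event Viewer path on this page

    if ($ClearFirst) { wevtutil cl $channel }

    & .\JonMon-Service.exe -i
    $start = Get-Date
    try {
        & $Behavior
        Start-Sleep -Seconds 5   # give the ETW consumer a moment to flush
    } finally {
        # Events survive uninstall, but an .evtx export is easier to share or diff.
        wevtutil epl $channel $OutFile
        & .\JonMon-Service.exe -u
    }

    # Summarise what was captured during this run, grouped by event ID.
    Get-WinEvent -FilterHashtable @{ LogName = $channel; StartTime = $start } -ErrorAction SilentlyContinue |
        Group-Object Id | Sort-Object Count -Descending |
        Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count
    "Exported to $OutFile"
}

# Usage: observe a short-lived process and collect what JonMon logged about it.
# Invoke-JonMonCollection -Behavior { Start-Process notepad.exe; Start-Sleep 2; Stop-Process -Name notepad }
```

Keeping the run short matches the page's advice; the try/finally ensures the services are removed even if the observed behavior throws.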

Event Mapping

Please see EventMapping for all questions regarding events that JonMon collects, as well as any tuning that is being done.

JonMon Issues

I am happy to hear about any issues you have with JonMon. When submitting an issue, please:

  • Be precise about what the issue is
  • State what you would like to see differently
  • If JonMon crashed your box, include the minidump file so I can properly analyze the issue.

Note: Any issues that revolve around "Don't work please fix" will be closed immediately.

Warning

It is suggested to ONLY run JonMon in a VM. This is a research project and is not meant to be run in production environments.