BlueLight is an open-source Windows kernel component that monitors process activity from kernel mode and sets up monitoring of user-mode API calls.
The goal of this project is to provide a Windows kernel component for an EDR system, specifically BLUESPAWN, an open-source EDR.
BlueLight is built as a file-system mini-filter driver that sends events to user mode over a filter communication port.
In addition, the driver uses injdrv to inject a custom DLL into every new user-mode process, right after kernel32.dll has been loaded (the earliest point at which the injected DLL can rely on the loader).
Currently implemented:
- Process Creation / Termination
- Thread Creation / Termination
- Remote Thread Creation
- Image Loading
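The "Remote Thread Creation" item hides the one check that is easy to get wrong: the thread-creation notify callback runs in the context of the creating thread, so a naive `PsGetCurrentProcessId() != ProcessId` test also fires for the initial thread of every new process, which the parent creates. The following user-mode C model, written for this page as an added example and not taken from BlueLight or injdrv, shows the classification with that case excluded and the fixed-layout record such a driver would push over the port. The callback parameters, the event struct, the pending-process table and the PIDs in the scenario are this example's own assumptions; the kernel routines are named only in comments.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Event kinds matching the README's list (names are this example's own). */
typedef enum {
    EVT_PROCESS_CREATE,
    EVT_PROCESS_TERMINATE,
    EVT_THREAD_CREATE,
    EVT_THREAD_TERMINATE,
    EVT_REMOTE_THREAD_CREATE
} event_type_t;

/* Fixed-layout record as it would be handed to the user-mode consumer
 * (in a real mini-filter: via FltSendMessage on the communication port).
 * No pointers, so the same struct can be shared with user mode. */
typedef struct {
    uint32_t type;        /* event_type_t */
    uint32_t process_id;  /* process the event concerns */
    uint32_t thread_id;   /* thread id, 0 for process events */
    uint32_t creator_pid; /* process in whose context the callback ran */
} event_msg_t;

/* Stand-in for the port: a bounded in-memory queue (assumption). */
#define MAX_EVENTS 256
static event_msg_t g_events[MAX_EVENTS];
static size_t g_event_count;

/* Processes whose first thread has not been seen yet (assumption:
 * a plain array; a driver would use a locked list or process context). */
#define MAX_PENDING 64
static uint32_t g_pending[MAX_PENDING];
static size_t g_pending_count;

static void emit(event_type_t type, uint32_t pid, uint32_t tid, uint32_t creator)
{
    if (g_event_count < MAX_EVENTS) {
        event_msg_t m = { (uint32_t)type, pid, tid, creator };
        g_events[g_event_count++] = m;
    }
}

/* Remove pid from the pending set; true if it was there. */
static bool take_pending(uint32_t pid)
{
    for (size_t i = 0; i < g_pending_count; i++) {
        if (g_pending[i] == pid) {
            g_pending[i] = g_pending[--g_pending_count];
            return true;
        }
    }
    return false;
}

void reset_monitor(void)
{
    g_event_count = 0;
    g_pending_count = 0;
}

/* Models the PsSetCreateProcessNotifyRoutineEx callback. */
void on_process_notify(uint32_t pid, uint32_t parent_pid, bool create)
{
    if (create) {
        if (g_pending_count < MAX_PENDING)
            g_pending[g_pending_count++] = pid;
        emit(EVT_PROCESS_CREATE, pid, 0, parent_pid);
    } else {
        take_pending(pid); /* process may die before any thread ran */
        emit(EVT_PROCESS_TERMINATE, pid, 0, parent_pid);
    }
}

/* Models the PsSetCreateThreadNotifyRoutine callback. It runs in the context
 * of the thread doing the creating, so in a driver current_pid would come
 * from PsGetCurrentProcessId(); here it is passed in. */
void on_thread_notify(uint32_t pid, uint32_t tid, uint32_t current_pid, bool create)
{
    if (!create) {
        emit(EVT_THREAD_TERMINATE, pid, tid, current_pid);
        return;
    }
    /* The initial thread of a new process is created from the parent's
     * context, so pid != current_pid there is normal, not an injection. */
    if (take_pending(pid) || current_pid == pid)
        emit(EVT_THREAD_CREATE, pid, tid, current_pid);
    else
        emit(EVT_REMOTE_THREAD_CREATE, pid, tid, current_pid);
}

size_t count_events(event_type_t type)
{
    size_t n = 0;
    for (size_t i = 0; i < g_event_count; i++)
        if (g_events[i].type == (uint32_t)type) n++;
    return n;
}

/* Constructed sequence: 1000 spawns 2000, 2000 makes a thread of its own,
 * then 3000 creates a thread inside 2000 (CreateRemoteThread-style). */
size_t run_scenario(void)
{
    reset_monitor();
    on_process_notify(2000, 1000, true);
    on_thread_notify(2000, 2001, 1000, true);  /* initial thread: benign */
    on_thread_notify(2000, 2002, 2000, true);  /* local thread: benign */
    on_thread_notify(2000, 2003, 3000, true);  /* cross-process: remote */
    on_thread_notify(2000, 2003, 2000, false);
    on_process_notify(2000, 1000, false);
    return count_events(EVT_REMOTE_THREAD_CREATE);
}

int main(void)
{
    size_t remote = run_scenario();
    for (size_t i = 0; i < g_event_count; i++)
        printf("type=%u pid=%u tid=%u creator=%u\n", g_events[i].type,
               g_events[i].process_id, g_events[i].thread_id,
               g_events[i].creator_pid);
    printf("remote thread creations: %zu\n", remote);
    return 0;
}
```

Two caveats carry over to a real driver: the process and thread callbacks run concurrently on different threads, so the pending table needs a lock (or a flag kept in a per-process context) rather than a bare array, and threads created from the System process (PID 4) reach the same callback and need a deliberate policy so they do not show up as injections.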