The WindowsMonitor plugin implements the detection of module and process loads/unloads on the Windows operating system. It can be referred to as “Interceptor” by other plugins. The plugin catches the invocation of specific kernel functions to detect these events.
Indicates the version of the Windows kernel to monitor. These functions have different locations in different versions. Specifying a wrong version will prevent the plugin from detecting the events.
Specifies whether the plugin should track user-mode events like DLL load and unload. If you do not analyze user-mode applications, assigning false to this setting will reduce the amount of instrumentation.
Specifies whether the plugin should track driver load and unload. If you do not analyze kernel-mode drivers, assigning false to this setting will reduce the amount of instrumentation.
If not specified, the default value is false.
For debugging only. In normal operation must be set to true.
For debugging only. In normal operation must be set to true.
For debugging only. In normal operation must be set to true.
pluginsConfig.WindowsMonitor = {
version="XPSP3",
userMode=true,
kernelMode=true,
monitorModuleLoad=true,
monitorModuleUnload=true,
monitorProcessUnload=true
}