Cosmos is the base project for an Extended Detection and Response (XDR) solution for Windows. The XDR components will be pushed later; the current release consists of a secure kernel driver and a modern Rust-based userland client. The userland part is currently written in Rust, but it could be written in any language that can talk to the driver. It provides real-time process, thread, and image-load monitoring for security research, malware analysis, and system behaviour monitoring.
The architecture, from the userland client down to the kernel driver:

- USERLAND (Ring 3): CosmosGuard (Rust Client)
  - Real-time Process Monitoring
  - IOCTL Communication
  - Process Deduplication
- Ring 3 to Ring 0 boundary: `DeviceIoControl()` on the `\\.\CosmosLink` symbolic link
- KERNEL (Ring 0): Cosmos.sys (Kernel Driver)
  - `PsSetLoadImageNotifyRoutine()`
  - `PsSetCreateProcessNotifyRoutine()`
  - `PsSetCreateThreadNotifyRoutine()`
  - Secure IOCTL Interface
  - Process Hash Table Tracking
- Restricted Device Access: SDDL permissions limit access to Administrators and SYSTEM only
- Secure Device Creation: Uses `IoCreateDeviceSecure` with proper permission enforcement
- Code Signing: Includes automated certificate generation and driver signing scripts
- Buffer Validation: Comprehensive input validation for all IOCTL operations
- Memory Safety: Rust userland client prevents common memory vulnerabilities
- Multi-Source Process Detection: Combines multiple Windows notification mechanisms
- Short-Lived Process Capture: Detects ephemeral processes often missed by traditional monitoring
- Real-Time Event Processing: Low-latency notification callbacks
- Secure Communication: Protected IOCTL interface for userland communication
- Comprehensive Cleanup: Proper resource management and unload procedures
- Real-Time Monitoring: 200ms polling interval for responsive detection
- Process Deduplication: Prevents duplicate event reporting
- Cross-Platform Rust: Memory-safe implementation with Windows API bindings
- Detailed Process Information: PID, PPID, image path, memory layout, and capture source
- Error Resilience: Robust error handling and connection recovery
- Operating System: Windows 10/11 (x64 or ARM64)
- Privileges: Administrator rights required
- Development:
  - Visual Studio 2022 with Windows Driver Kit (WDK)
  - Rust toolchain for userland client
  - Windows SDK 10.0.26100.1 or later
- Install Visual Studio 2022 with C++ workload
- Install Windows Driver Kit (WDK) via NuGet or installer
- Install Rust:

```powershell
winget install Rustlang.Rust.MSVC
```

Build the kernel driver:

```cmd
# Open Developer Command Prompt as Administrator
cd code/Cosmos
msbuild Cosmos.sln /p:Configuration=Release /p:Platform=x64
```

Build the userland client:

```powershell
cd code/Cosmos/cosmosguard
cargo build --release
```

Generate a certificate and sign the compiled driver:

```powershell
# Run as Administrator
.\GenerateCertAndSelfSignCompiledCosmos.ps1
```

Install the self-signed certificate (development/testing only):

```cmd
certlm.msc
# Import CosmosDriverCert.cer to "Trusted Root Certification Authorities"
```

Enable test signing:

```cmd
# Run as Administrator
bcdedit /set testsigning on
# Reboot required
```

Install the driver:

```cmd
# Method 1: Using Device Manager
# Add Legacy Hardware -> Install from disk -> Select Cosmos.inf

# Method 2: Using sc.exe
sc create Cosmos binPath= "C:\path\to\Cosmos.sys" type= kernel
sc start Cosmos
```

Run the client:

```powershell
# Run as Administrator
.\cosmosguard.exe
```

Example output:

```text
CosmosGuard - Real-time Process Monitor
========================================
Connecting to Cosmos kernel driver...
PID: 1234 | PPID: 456 | Base: 0x7ff6abc00000 | Size: 0x12000 | Source: ImageLoad | Image: C:\Windows\System32\notepad.exe
PID: 5678 | PPID: 1234 | Base: 0x7ff7def00000 | Size: 0x8000 | Source: CreateNotify | Image: C:\Windows\System32\cmd.exe
PID: 9012 | PPID: 5678 | Base: 0x0 | Size: 0x0 | Source: CreateNotify | Image: C:\temp\malware.exe
```
| Source | Description | Use Case |
|---|---|---|
| ImageLoad | Detected via `PsSetLoadImageNotifyRoutine()` | Primary detection - full image information |
| CreateNotify | Detected via `PsSetCreateProcessNotifyRoutine()` | Backup detection - parent-child relationships |
| LocateFallback | Detected via `SeLocateProcessImageName()` | Last resort - EPROCESS structure parsing |
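As an added illustration (not CosmosGuard's own code), the following Rust snippet shows how the client-side deduplication listed above can combine the three detection sources: it parses the event lines the client prints, keeps one record per PID across polling rounds, and upgrades a CreateNotify or LocateFallback record when a later ImageLoad record for the same PID supplies the full image layout. The line layout and source names come from the README output; the source ranking and the sample lines are assumptions made for this example.

```rust
// Added example (not CosmosGuard's own code): parse the event lines the client prints and
// deduplicate them per PID across polling rounds. Line layout and source names are from the
// README; the ranking ImageLoad > CreateNotify > LocateFallback is assumed from the table.
use std::collections::HashMap;

#[derive(Debug, Clone, PartialEq)]
pub struct ProcEvent { pub pid: u32, pub ppid: u32, pub base: u64, pub size: u64, pub source: String, pub image: String }

/// Constructed sample: README-style lines, an exact repeat, and a later fuller sighting of PID 9012.
pub const SAMPLE: &[&str] = &[
    "PID: 9012 | PPID: 5678 | Base: 0x0 | Size: 0x0 | Source: CreateNotify | Image: C:\\temp\\malware.exe",
    "PID: 1234 | PPID: 456 | Base: 0x7ff6abc00000 | Size: 0x12000 | Source: ImageLoad | Image: C:\\Windows\\System32\\notepad.exe",
    "PID: 1234 | PPID: 456 | Base: 0x7ff6abc00000 | Size: 0x12000 | Source: ImageLoad | Image: C:\\Windows\\System32\\notepad.exe",
    "PID: 9012 | PPID: 5678 | Base: 0x7ff7aaa00000 | Size: 0x9000 | Source: ImageLoad | Image: C:\\temp\\malware.exe",
];

/// Parse one "PID: .. | PPID: .. | Base: 0x.. | Size: 0x.. | Source: .. | Image: .." line.
pub fn parse_event(line: &str) -> Option<ProcEvent> {
    let mut f = HashMap::new();
    for part in line.split(" | ") {
        let (k, v) = part.split_once(": ")?; // image paths contain ":\" but never ": "
        f.insert(k.trim(), v.trim());
    }
    let hex = |k: &str| u64::from_str_radix(f.get(k)?.trim_start_matches("0x"), 16).ok();
    Some(ProcEvent {
        pid: f.get("PID")?.parse().ok()?,
        ppid: f.get("PPID")?.parse().ok()?,
        base: hex("Base")?,
        size: hex("Size")?,
        source: f.get("Source")?.to_string(),
        image: f.get("Image")?.to_string(),
    })
}

/// Higher rank = more complete record (assumed ordering, see header comment).
fn rank(source: &str) -> u8 {
    match source { "ImageLoad" => 3, "CreateNotify" => 2, "LocateFallback" => 1, _ => 0 }
}

/// One record per PID; a later poll replaces an entry only with a better-ranked source,
/// so an early CreateNotify sighting (Base 0x0) is upgraded once ImageLoad reports it.
pub fn dedupe(lines: &[&str]) -> Vec<ProcEvent> {
    let mut seen: HashMap<u32, ProcEvent> = HashMap::new();
    for e in lines.iter().filter_map(|l| parse_event(l)) {
        let better = seen.get(&e.pid).map_or(true, |old| rank(&e.source) > rank(&old.source));
        if better { seen.insert(e.pid, e); }
    }
    let mut out: Vec<ProcEvent> = seen.into_values().collect();
    out.sort_by_key(|e| e.pid);
    out
}
```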
- Secure kernel driver with WDM architecture
- Multi-source process tracking and deduplication
- IOCTL-based kernel-userland communication
- Rust userland client with real-time monitoring
- Automated driver signing and certificate generation
- Comprehensive error handling and cleanup
- Thread-level monitoring implementation
- Configuration file support for userland client
- Event filtering and rule-based alerting
- Performance optimization and profiling
- ETW (Event Tracing for Windows) integration
- Network connection monitoring
- File system activity tracking
- Registry access monitoring
- Advanced behavioral analysis
Troubleshooting commands:

```cmd
# Check driver signing status
signtool verify /pa Cosmos.sys
# Verify certificate installation
certlm.msc
# Check test signing mode
bcdedit /enum {current}
```

```cmd
# Ensure running as Administrator
whoami /groups | findstr "S-1-5-32-544"
# Check SDDL permissions
```

```cmd
# Verify symbolic link exists
dir \\.\CosmosLink
# Check driver status
sc query Cosmos
```

MIT License - See LICENSE file for details.
This software is intended for security research, malware analysis, and educational purposes only.
- Self-signed drivers reduce system security and should only be used in isolated test environments
- Production deployments require Microsoft-signed drivers or WHQL certification
- The authors are not responsible for any system damage or security vulnerabilities
- Always test in virtual machines before deploying on production systems
- Fork the repository
- Create a feature branch (`git checkout -b feature/new-monitoring`)
- Commit your changes (`git commit -am 'Add new monitoring capability'`)
- Push to the branch (`git push origin feature/new-monitoring`)
- Create a Pull Request
- Windows Driver Kit Documentation
- SDDL Security Descriptors
- Process and Thread Notifications
- Rust Windows API Bindings
Author: Udi Shamir
Copyright: 2024 - 2025 Udi Shamir. All Rights Reserved.