D
DioIPS

ETW & AMSI

Usermode

Usermode monitoring components using Event Tracing for Windows (ETW) and Antimalware Scan Interface (AMSI) for additional visibility.

Overview

While the kernel driver provides comprehensive system monitoring, ETW and AMSI offer additional usermode visibility that complements kernel-level detection.

ETW

Subscribe to Windows ETW providers for events like .NET assembly loading, PowerShell execution, and more.

AMSI

Receive script content from AMSI-integrated applications like PowerShell, VBScript, and JScript.

ETW Providers

ProviderEvents
Microsoft-Windows-PowerShellScript block logging, command execution
Microsoft-Windows-DotNETRuntimeAssembly loading, JIT compilation
Microsoft-Windows-Kernel-ProcessProcess start/stop (usermode view)

Features

ETW Consumer
Event Tracing for Windows consumer for usermode events
AMSI Provider
Antimalware Scan Interface provider for script scanning

Usage

  1. Start the DioIPS application
  2. ETW consumer starts automatically
  3. View ETW events in the ETW tab
  4. AMSI events appear when scripts are executed