Panoptes 1.0.0
Endpoint Detection and Response
Panoptes Endpoint Detection and Response

Panoptes Logo

Overview

Panoptes is an Endpoint Detection and Response (EDR) system designed for educational purposes to understand Windows Kernel Drivers, ETW, and Windows system interactions. This is not intended for production use.

Demo

Link to video

Features

  • MSI installer for easy installation and removal
  • Persistent storage using RocksDB for improved response time
  • JSON-formatted logs compatible with ELK, HELK, and other SIEM solutions
  • Kernel-level DLL injection using Kernel Asynchronous Procedure Call (kAPC)
  • Kernel Callbacks monitoring:
    • Process Creation
    • DLL loading
    • Kernel Driver loading
    • Thread/Process/Desktop handle operations
  • Userland NTAPI function hooks
  • Static analysis using Yara-X, with support for custom rules
  • PE file analysis (Headers, Digital Signatures, Sections) using LIEF
  • AMSI scanning integration
  • JSON configuration file with built-in linter
  • Right-click context menu integration
  • Command-line interface for scanning
  • Comprehensive unit testing using GoogleTest (IN PROGRESS)

About the Name

Panoptes, meaning "all-seeing," comes from Greek mythology. Argus Panoptes was a giant with a hundred eyes who served as a guardian to the Greek Gods. Learn more about Argus Panoptes

Architecture

Panoptes is designed with flexibility in mind, allowing users to customize deployment through a JSON configuration file. Panoptes is also packaged as a WiX Toolset MSI file for easy installation and uninstallation.

EDR Architecture Overview

The system uses gRPC for communication between the main service, containers, and tools. The kernel component is configured as an ETW provider, enabling real-time event monitoring and scan queuing.

Core Components

Kernel Driver Callbacks

The kernel driver implements several callbacks for system event monitoring:

  • Process creation/termination
  • Module/driver loading
  • Process handle operations (IN PROGRESS)
  • Registry modifications (IN PROGRESS)

Currently implemented:

  • PsSetCreateProcessNotifyRoutineEx
  • PsSetLoadImageNotifyRoutine

Planned implementations:

  • ObRegisterCallbacks
  • CmRegisterCallbackEx
  • PsSetCreateThreadNotifyRoutine

Note: the kernel driver is currently hardcoded to inject the hooking DLL only into Detect It Easy (die.exe).
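The process-creation callback registered above receives the new process's image path as a kernel UNICODE_STRING: a UTF-16 buffer whose Length is in bytes and which is not guaranteed to be NUL-terminated. The following added example (not the Panoptes driver's code; the WDK registration call is omitted so the example builds as ordinary user-mode C) reproduces the filtering decision such a callback has to make for the die.exe restriction described in the note: honour the byte length, compare only the final path component, compare case-insensitively, and treat a NULL create-info as process exit. The names `ustring`, `is_target_image` and `on_process_notify` are chosen for this example, and the sample paths are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Mirrors the shape of the kernel's UNICODE_STRING: UTF-16 code units, Length
 * in BYTES, no NUL terminator guaranteed. Hand-written so no WDK is needed. */
typedef struct {
    uint16_t length;          /* bytes actually in use */
    uint16_t maximum_length;  /* bytes available in buffer */
    const uint16_t *buffer;   /* UTF-16LE code units */
} ustring;

typedef enum { PROC_EXIT = 0, PROC_CREATE = 1, PROC_CREATE_INJECT = 2 } proc_decision;

static uint16_t lower_ascii(uint16_t c) { return (c >= 'A' && c <= 'Z') ? (uint16_t)(c + 32) : c; }

/* Final path component (after the last '\' or '/'), bounded by Length, not by a NUL. */
static const uint16_t *basename_of(const ustring *s, size_t *out_units)
{
    size_t n = s->length / 2, start = 0;
    for (size_t i = 0; i < n; i++)
        if (s->buffer[i] == '\\' || s->buffer[i] == '/') start = i + 1;
    *out_units = n - start;
    return s->buffer + start;
}

/* Whole-file-name, case-insensitive match against an ASCII target such as "die.exe".
 * "notdie.exe" must not match, and bytes beyond Length must be ignored. */
int is_target_image(const ustring *image, const char *target)
{
    size_t n, tl = strlen(target);
    const uint16_t *b = basename_of(image, &n);
    if (n != tl) return 0;
    for (size_t i = 0; i < n; i++)
        if (lower_ascii(b[i]) != lower_ascii((uint8_t)target[i])) return 0;
    return 1;
}

/* Branching a PsSetCreateProcessNotifyRoutineEx-style callback performs:
 * a NULL create-info means the process is exiting, otherwise decide injection. */
proc_decision on_process_notify(uint32_t pid, const ustring *image_or_null, const char *target)
{
    (void)pid;
    if (image_or_null == NULL) return PROC_EXIT;
    return is_target_image(image_or_null, target) ? PROC_CREATE_INJECT : PROC_CREATE;
}

/* Builds a ustring from ASCII into caller storage; use_chars < strlen(ascii)
 * leaves trailing junk past Length, as a real non-terminated buffer might. */
ustring make_ustring(const char *ascii, size_t use_chars, uint16_t *storage)
{
    size_t total = strlen(ascii);
    for (size_t i = 0; i < total; i++) storage[i] = (uint8_t)ascii[i];
    ustring u;
    u.buffer = storage;
    u.length = (uint16_t)(use_chars * 2);
    u.maximum_length = (uint16_t)(total * 2);
    return u;
}

int main(void)
{
    uint16_t st[64];
    /* constructed samples */
    ustring a = make_ustring("\\Device\\HarddiskVolume3\\Tools\\DIE.EXE", 37, st);
    printf("DIE.EXE -> %d\n", on_process_notify(1234, &a, "die.exe"));
    ustring b = make_ustring("C:\\Tools\\notdie.exe", 19, st);
    printf("notdie.exe -> %d\n", on_process_notify(1235, &b, "die.exe"));
    printf("exit -> %d\n", on_process_notify(1234, NULL, "die.exe"));
    return 0;
}
```

The length-bounded comparison is the part that matters in practice: a callback that treats the buffer as a NUL-terminated string can read past Length, and a prefix or substring match instead of a whole-name match would let an unrelated binary named to resemble the target be picked up.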

Userland Hooks

Panoptes injects a DLL module into processes during early creation stages using kernel-level injection. This ensures comprehensive event capture from process start to finish. Current API hooks include:

  • NtWriteVirtualMemory
  • NtModifyBootEntry
  • NtMapViewOfSectionEx
  • NtMapViewOfSection
  • MORE TO BE ADDED

Extensibility Modules

Panoptes uses a container-based architecture for its modules, providing:

  • Fault isolation
  • Improved stability
  • Easy module addition
  • Better resource management
  • Parallel processing capabilities

Core Modules

  1. PanoptesYara
  2. PanoptesPE
    • PE file analysis module
    • Uses LIEF Project
    • Provides detailed binary analysis
    • Supports multiple binary formats; in the future Panoptes may be supported on other operating systems
  3. PanoptesAMSI
    • Optional AMSI integration
    • Uses AmsiScanBuffer
    • Compatible with existing antivirus solutions
    • Not an AMSI Scan Provider
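PanoptesPE delegates header parsing to LIEF. To make concrete what a header walk involves, and why every offset must be bounds-checked when the input is an untrusted file, here is an added example (not PanoptesPE or LIEF code) with a hand-written parser for the DOS, file, optional and section headers, run over a constructed minimal PE32+ image. It also checks whether each section's raw data actually lies inside the file, since a section table that points past end-of-file is a common malformed-sample pattern that a scanner must tolerate. The offsets are the standard PE layout; `pe_parse`, `pe_info`, `pe_section_raw_in_bounds` and `build_sample_pe` are names chosen for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hand-written subset of the PE layout (no <windows.h>), so this builds anywhere. */
#define DOS_MAGIC        0x5A4D      /* "MZ" */
#define NT_SIGNATURE     0x00004550  /* "PE\0\0" */
#define PE32_MAGIC       0x10B
#define PE32PLUS_MAGIC   0x20B
#define SECTION_HDR_SIZE 40
#define MAX_SECTIONS     16

typedef struct {
    char name[9];   /* 8 raw bytes, NUL-terminated here for convenience */
    uint32_t virtual_size, virtual_address, raw_size, raw_ptr, characteristics;
} pe_section;

typedef struct {
    uint16_t machine, num_sections, opt_magic;
    uint32_t entry_point;
    pe_section sections[MAX_SECTIONS];
    const char *error;  /* set when pe_parse() returns 0 */
} pe_info;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Walk DOS -> NT signature -> file header -> optional header -> section table.
 * Every offset is checked against len before it is dereferenced. Returns 1 on success. */
int pe_parse(const uint8_t *buf, size_t len, pe_info *out)
{
    memset(out, 0, sizeof *out);
    if (len < 0x40)             { out->error = "too short for a DOS header"; return 0; }
    if (rd16(buf) != DOS_MAGIC) { out->error = "bad MZ magic"; return 0; }
    uint32_t e_lfanew = rd32(buf + 0x3C);
    if (e_lfanew > len || len - e_lfanew < 24) { out->error = "e_lfanew out of range"; return 0; }
    const uint8_t *nt = buf + e_lfanew;
    if (rd32(nt) != NT_SIGNATURE) { out->error = "bad PE signature"; return 0; }
    const uint8_t *fh = nt + 4;                 /* IMAGE_FILE_HEADER */
    out->machine      = rd16(fh);
    out->num_sections = rd16(fh + 2);
    uint16_t opt_size = rd16(fh + 16);
    size_t opt_off = (size_t)e_lfanew + 24;
    if (opt_size < 20 || len - opt_off < opt_size) { out->error = "optional header out of range"; return 0; }
    const uint8_t *oh = buf + opt_off;          /* IMAGE_OPTIONAL_HEADER */
    out->opt_magic = rd16(oh);
    if (out->opt_magic != PE32_MAGIC && out->opt_magic != PE32PLUS_MAGIC) { out->error = "unknown optional header magic"; return 0; }
    out->entry_point = rd32(oh + 16);
    if (out->num_sections > MAX_SECTIONS) { out->error = "too many sections"; return 0; }
    size_t sec_off = opt_off + opt_size;
    if (len - sec_off < (size_t)out->num_sections * SECTION_HDR_SIZE) { out->error = "section table out of range"; return 0; }
    for (uint16_t i = 0; i < out->num_sections; i++) {
        const uint8_t *s = buf + sec_off + (size_t)i * SECTION_HDR_SIZE;
        pe_section *d = &out->sections[i];
        memcpy(d->name, s, 8); d->name[8] = '\0';
        d->virtual_size    = rd32(s + 8);
        d->virtual_address = rd32(s + 12);
        d->raw_size        = rd32(s + 16);
        d->raw_ptr         = rd32(s + 20);
        d->characteristics = rd32(s + 36);
    }
    return 1;
}

/* A section table may claim raw data past the end of the file; check before
 * reading section bytes for hashing or rule matching. */
int pe_section_raw_in_bounds(const pe_info *info, size_t len, int idx)
{
    const pe_section *s = &info->sections[idx];
    return s->raw_ptr <= len && (size_t)s->raw_size <= len - s->raw_ptr;
}

/* --- Constructed sample: a minimal 64-bit image with .text and .data --- */
#define SAMPLE_PE_SIZE 0x400
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static void put_section(uint8_t *s, const char *name, uint32_t va, uint32_t raw_ptr, uint32_t chars)
{
    memset(s, 0, SECTION_HDR_SIZE); memcpy(s, name, strlen(name));
    wr32(s + 8, 0x100); wr32(s + 12, va); wr32(s + 16, 0x100); wr32(s + 20, raw_ptr); wr32(s + 36, chars);
}
size_t build_sample_pe(uint8_t *buf)
{
    memset(buf, 0, SAMPLE_PE_SIZE);
    wr16(buf, DOS_MAGIC); wr32(buf + 0x3C, 0x40);           /* e_lfanew */
    uint8_t *nt = buf + 0x40;
    wr32(nt, NT_SIGNATURE);
    wr16(nt + 4, 0x8664); wr16(nt + 6, 2);                  /* AMD64, two sections */
    wr16(nt + 20, 0xF0);  wr16(nt + 22, 0x22);              /* PE32+ opt hdr size; EXECUTABLE|LARGE_ADDRESS_AWARE */
    uint8_t *oh = nt + 24;
    wr16(oh, PE32PLUS_MAGIC); wr32(oh + 16, 0x1000);        /* AddressOfEntryPoint */
    put_section(oh + 0xF0,      ".text", 0x1000, 0x200, 0x60000020); /* CODE|EXECUTE|READ */
    put_section(oh + 0xF0 + 40, ".data", 0x2000, 0x300, 0xC0000040); /* INITIALIZED_DATA|READ|WRITE */
    return SAMPLE_PE_SIZE;
}

int main(void)
{
    uint8_t buf[SAMPLE_PE_SIZE]; pe_info info;
    size_t len = build_sample_pe(buf);
    if (!pe_parse(buf, len, &info)) { printf("parse failed: %s\n", info.error); return 1; }
    printf("machine=0x%x sections=%u entry=0x%x\n", info.machine, info.num_sections, info.entry_point);
    for (int i = 0; i < info.num_sections; i++)
        printf("  %-8s raw@0x%x size 0x%x in_bounds=%d\n", info.sections[i].name,
               info.sections[i].raw_ptr, info.sections[i].raw_size, pe_section_raw_in_bounds(&info, len, i));
    return 0;
}
```

Parsing the same sample with a shorter `len` (as if the file were truncated) still succeeds at the header level, but `pe_section_raw_in_bounds` then reports the `.data` section as lying outside the file, which is the condition a scanner should log rather than read through.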

Installation

  1. Download the MSI installer from the Releases page
  2. To use the Panoptes kernel driver, enable test signing with the following command, then restart your system:
    bcdedit /set TESTSIGNING ON
  3. Run the MSI installer
  4. Place compiled Yara-X rules in C:\Program Files\Panoptes\
  5. Start PanoptesService.exe as Administrator

Compiling Custom Rules

yr.exe compile <PATH_TO_YARA_RULES_FOLDER> -o rules.pkg

Usage

  • Right-click files to scan
  • Use command-line interface for batch scanning
  • Monitor notifications for detections
  • Check quarantine folder: C:\ProgramData\Panoptes\Quarantine
  • View logs: C:\ProgramData\Panoptes\Logs

Development Setup

Prerequisites

  • Visual Studio 2022 with C++ desktop development workload
  • vcpkg (included with Visual Studio or standalone)
  • Windows Driver Kit (WDK) (for kernel driver builds)
  • Test signing enabled (for driver development)
  • Virtual Machine configured for Windows Kernel Debugging using WinDbg

Set the VCPKG_ROOT environment variable to your vcpkg installation:

# If installed with Visual Studio
$env:VCPKG_ROOT = "C:\Program Files\Microsoft Visual Studio\2022\Professional\VC\vcpkg"
# Or set it permanently
[System.Environment]::SetEnvironmentVariable("VCPKG_ROOT", "C:\Program Files\Microsoft Visual Studio\2022\Professional\VC\vcpkg", "User")

For kernel development environment setup, see:

Building with CMake

The project uses a single CMake preset with the Visual Studio multi-config generator. You configure once and choose Debug/Release at build time.

Configure

cmake --preset default

Build

# Debug build (with debug symbols for your code)
cmake --build build/default --config Debug
# Release build (optimized)
cmake --build build/default --config Release

Build the Kernel Driver

cmake --preset default -DBUILD_DRIVER=ON
cmake --build build/default --config Debug --target PanoptesDriver

Run Tests

cd bin/tests/Debug
./PanoptesAMSITest.exe
./PanoptesPETest.exe
./PanoptesYaraTest.exe
./PanoptesLinterTest.exe

CMake Build Options

The following options can be passed during configuration with -D:

Option               Default  Description
BUILD_DRIVER         OFF      Build the kernel driver package (requires WDK)
BUILD_GRPC           ON       Generate gRPC code from protobuf definitions
BUILD_DOC            OFF      Build Doxygen documentation
BUILD_WIX_INSTALLER  OFF      Build the WiX MSI installer package

Example with multiple options:

cmake --preset default -DBUILD_DRIVER=ON -DBUILD_DOC=ON
cmake --build build/default --config Release

Building the MSI Installer

The MSI installer requires WiX Toolset v5 and its extensions:

# Install WiX v5 CLI tool
dotnet tool install --global wix --version 5.0.0
# Install required WiX extensions
wix extension add -g WixToolset.UI.wixext/5.0.0
wix extension add -g WixToolset.Util.wixext/5.0.0

Then configure and build:

cmake --preset default -DBUILD_WIX_INSTALLER=ON -DBUILD_DRIVER=ON
cmake --build build/default --config Release
cmake --build build/default --config Release --target installer

The MSI will be output to bin/installer/PanoptesInstaller.msi.

Screenshots of Panoptes Features

Scanning and Detecting Malicious Activity Notification

MSI Installer

Installed Locations

Easily Uninstall in App and Programs Menu in Settings

Roadmap

  • [ ] Component-specific documentation
  • [ ] Add more NTDLL hooks for monitoring
