Kernel Telemetry & Detection Platform for Windows
Sleepwalker is built for:
- malware analysis
- suspicious process investigation
- endpoint telemetry review
- evidence-heavy detection triage
It captures process, thread, handle, image, registry, APC, and detection telemetry, then groups related activity into operator-facing detections and evidence views.
Most telemetry tools are good at collecting data and bad at helping an analyst work through it.
Sleepwalker is meant to close that gap:
- the main operator panel gives a live view of what matters now
- the detection chain groups related events into something reviewable
- the inspectors let you drill into the actual evidence when a detection needs validation
The point is not just to log activity. The point is to help an operator move from signal to evidence quickly.
The main interface is the primary workspace for live triage and session review.
It brings together:
- event timeline
- event log
- ETW activity
- heuristics
- process relations
- backend/session state
- time-travel controls for historical review
This is where an operator attaches to a target, watches activity arrive, and pivots into deeper evidence when something suspicious shows up.
The detection chain is the most important investigation view in the platform.
It groups detections by event and detection key so the operator can review related activity as a single chain instead of a pile of disconnected records.
This is where Sleepwalker becomes useful instead of just noisy.
The detection chain helps answer:
- what happened
- why it was flagged
- which events belong together
- what evidence supports the detection
From there, the operator can pivot into the raw underlying records and supporting inspectors.
When a detection needs validation, Sleepwalker exposes the underlying evidence through dedicated inspectors.
Key views include:
- ETW Inspector: review grouped ETW occurrences and inspect enriched event details.
- Handle Evidence: inspect suspicious handle activity, access masks, origin context, captured frames, memory region details, and related payload data.
- Thread Stack: review stack snapshots during live capture or while moving through historical samples.
- Process Relations: see actor-to-target relationships such as suspicious opens, remote thread activity, and linked intent chains.
These views exist to support investigation, not decoration, a rarer design goal than it should be.
Representative detections include:
- direct syscall suspect handle activity
- stack integrity anomalies on handle operations
- remote thread creation
- remote thread start in non-image executable memory
- remote thread activity outside the main image
- thread hijack and thread-context abuse
- remote APC creation suspects
- process hollowing and injection intent chains
- suspicious ntdll image path or mapping behavior
- multiple ntdll image mappings
- high-value registry activity
- driver dispatch or object tamper drift
For the full contract and field-level details, see API.md.
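As an added example (not Sleepwalker's own code), the C++ below evaluates constructed thread-creation and image-mapping records for three of the detections listed above (remote thread creation, remote thread start in non-image memory, multiple ntdll mappings) and then groups the results into the kind of detection chain described earlier: one chain per detection key, with the contributing events in order. The record layouts, detection key names and the grouping rule are assumptions made for illustration; Sleepwalker's real fields and contract are documented in API.md.

```cpp
// Added example, not Sleepwalker's own code. Record layouts, detection key
// names and the chain-grouping rule are assumptions for illustration.
#include <algorithm>
#include <cctype>
#include <cstdint>
#include <iostream>
#include <map>
#include <string>
#include <vector>

// One image mapped into a process (from an image-load / section-map event).
struct ImageMap {
    uint64_t eventId;
    uint32_t pid;
    std::string path;
    uint64_t base;
    uint64_t size;
};

// One thread-creation event: creator, target, and the thread's start address.
struct ThreadCreate {
    uint64_t eventId;
    uint32_t creatorPid;
    uint32_t targetPid;
    uint64_t startAddr;
};

struct Detection {
    std::string key;       // detection key, e.g. "remote_thread_create"
    uint64_t eventId;      // the event that triggered it
    std::string evidence;  // short operator-facing evidence string
};

// A chain holds every detection sharing a detection key, in event order.
using Chains = std::map<std::string, std::vector<Detection>>;

static std::string lowerCase(std::string s) {
    for (auto& c : s) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return s;
}

static bool endsWith(const std::string& s, const std::string& suffix) {
    return s.size() >= suffix.size() &&
           s.compare(s.size() - suffix.size(), suffix.size(), suffix) == 0;
}

// True when addr lies inside an image mapped in pid; a thread starting
// outside every mapped image is running from non-image memory.
static bool inMappedImage(const std::vector<ImageMap>& maps, uint32_t pid, uint64_t addr) {
    for (const auto& m : maps)
        if (m.pid == pid && addr >= m.base && addr < m.base + m.size) return true;
    return false;
}

std::vector<Detection> evaluate(const std::vector<ImageMap>& maps,
                                const std::vector<ThreadCreate>& threads) {
    std::vector<Detection> out;
    for (const auto& t : threads) {
        if (t.creatorPid == t.targetPid) continue;  // local thread creation: not remote
        out.push_back({"remote_thread_create", t.eventId,
                       "pid " + std::to_string(t.creatorPid) + " created a thread in pid " +
                       std::to_string(t.targetPid)});
        if (!inMappedImage(maps, t.targetPid, t.startAddr))
            out.push_back({"remote_thread_nonimage_start", t.eventId,
                           "start address is not inside any mapped image"});
    }
    // A second ntdll mapping in one process is typical of a manually mapped
    // copy used for unhooking or direct syscalls; flag it on the latest mapping.
    std::map<uint32_t, std::vector<const ImageMap*>> ntdll;
    for (const auto& m : maps)
        if (endsWith(lowerCase(m.path), "\\ntdll.dll")) ntdll[m.pid].push_back(&m);
    for (const auto& [pid, list] : ntdll)
        if (list.size() > 1)
            out.push_back({"multiple_ntdll_mappings", list.back()->eventId,
                           std::to_string(list.size()) + " ntdll mappings in pid " +
                           std::to_string(pid)});
    return out;
}

// Group detections into chains by detection key, ordered by event id.
Chains buildChains(std::vector<Detection> detections) {
    std::sort(detections.begin(), detections.end(),
              [](const Detection& a, const Detection& b) { return a.eventId < b.eventId; });
    Chains chains;
    for (auto& d : detections) chains[d.key].push_back(d);
    return chains;
}

// Constructed sample session: pid 4242 is the target, pid 1337 the actor.
Chains runSample() {
    std::vector<ImageMap> maps = {
        {101, 4242, "C:\\Windows\\System32\\ntdll.dll", 0x7FF800000000ULL, 0x200000},
        {102, 4242, "C:\\target\\target.exe",            0x400000ULL,       0x100000},
        {103, 4242, "C:\\Windows\\System32\\ntdll.dll", 0x10000000ULL,     0x200000},  // second copy
    };
    std::vector<ThreadCreate> threads = {
        {201, 4242, 4242, 0x401000ULL},        // local thread: ignored
        {202, 1337, 4242, 0x20000000ULL},      // remote thread starting in unbacked memory
        {203, 1337, 4242, 0x7FF800001000ULL},  // remote thread starting inside ntdll
    };
    return buildChains(evaluate(maps, threads));
}

int main() {
    for (const auto& [key, chain] : runSample()) {
        std::cout << key << " (" << chain.size() << " events)\n";
        for (const auto& d : chain) std::cout << "  event " << d.eventId << ": " << d.evidence << "\n";
    }
    return 0;
}
```

The sample yields three chains: `remote_thread_create` with events 202 and 203, `remote_thread_nonimage_start` with event 202 only (203 starts inside a mapped ntdll), and `multiple_ntdll_mappings` anchored on event 103. Reviewing by chain rather than by raw record is exactly the pivot the detection chain view is meant to give an operator.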
Sleepwalker is split into a few main parts:
- kernel/: KMDF driver, kernel telemetry, ETW emission, and kernel-side correlation
- user/controller/: broker/controller service, IPC, ETW handling, and runtime correlation
- user/sensor/: SleepwalkerSensorCore.dll, SleepwalkerClient.exe, SleepwalkerTestSuite.exe
- interface/: WPF analyst interface for live capture, time travel, and evidence review
- abi/: shared IOCTL and IPC contracts
- The operator selects or launches a target process.
- The interface talks to SleepwalkerSensorCore.dll.
- The sensor core reaches the controller over broker IPC.
- The controller owns the driver handle and ETW ingestion path.
- Telemetry is collected, correlated, and sent back to the interface.
- The main panel updates live, and the operator can pivot into detections and evidence views.
- Sessions can be saved, reopened, imported, or exported for later review.
Common projects:
- vcxproj/Sleepwalker.vcxproj
- vcxproj/SleepwalkerController.vcxproj
- vcxproj/SleepwalkerSensorCore.vcxproj
- vcxproj/SleepwalkerClient.vcxproj
- vcxproj/SleepwalkerIoctlTest.vcxproj
- interface/SleepwalkerInterface.csproj
Common runtime artifacts:
- sleepwlkr.sys
- SleepwlkrController.exe
- SleepwalkerSensorCore.dll
- SleepwalkerClient.exe
- SleepwalkerIoctlTest.exe
- SleepwalkerInterface.exe
See these docs for setup and usage: