Small research project for detecting various kinds of in-memory stealth techniques.
Download the latest release here.
The current version supports the following detections:
- Suspicious CONTEXT structures pointing to VirtualProtect functions. (Targets the Foliage research by Austin Hudson and Ekko by Cracked5pider.)
- Validation of MZ/PE headers in memory to detect process hollowing variants.
- Unbacked executable regions running at high integrity.
- Modified code used in module stomping/overwriting.
- Various other anomalies.
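As an added illustration of the MZ/PE header validation listed above (example code written for this page, not the project's own implementation), the block below checks that a memory region that should hold a module's headers still carries a sane DOS/NT header and that those bytes agree with the file the region claims to be backed by, which is the mismatch a hollowed process leaves behind. It is portable C over constructed byte buffers; a real scanner would fill them from ReadProcessMemory and the on-disk file, which is assumed here, not shown.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Result codes for the header checks (names are this example's own). */
#define PE_CHECK_OK              0
#define PE_CHECK_TOO_SHORT       1
#define PE_CHECK_BAD_MZ          2
#define PE_CHECK_BAD_LFANEW      3
#define PE_CHECK_BAD_PE_SIG      4
#define PE_CHECK_HEADER_MISMATCH 5

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Validate the headers at an image base: "MZ" at 0, e_lfanew at 0x3C, "PE\0\0" at e_lfanew,
 * with room after the signature for the 20-byte COFF file header. */
int pe_validate_headers(const uint8_t *buf, size_t len) {
    if (len < 0x40) return PE_CHECK_TOO_SHORT;
    if (rd16(buf) != 0x5A4D) return PE_CHECK_BAD_MZ;          /* "MZ" little-endian */
    uint32_t lfanew = rd32(buf + 0x3C);
    if (lfanew < 0x40 || lfanew > len - 24) return PE_CHECK_BAD_LFANEW;
    if (rd32(buf + lfanew) != 0x00004550) return PE_CHECK_BAD_PE_SIG; /* "PE\0\0" */
    return PE_CHECK_OK;
}

/* Compare the in-memory headers with the headers of the backing file. A hollowed process keeps
 * the original mapped file name, but its e_lfanew / COFF header no longer match that file. */
int pe_headers_match(const uint8_t *mem, size_t mlen, const uint8_t *disk, size_t dlen) {
    int rc = pe_validate_headers(mem, mlen);
    if (rc != PE_CHECK_OK) return rc;
    if ((rc = pe_validate_headers(disk, dlen)) != PE_CHECK_OK) return rc;
    uint32_t m = rd32(mem + 0x3C), d = rd32(disk + 0x3C);
    /* 24 bytes = NT signature + COFF file header (Machine, NumberOfSections, TimeDateStamp, ...) */
    if (m != d || memcmp(mem + m, disk + d, 24) != 0) return PE_CHECK_HEADER_MISMATCH;
    return PE_CHECK_OK;
}

/* Constructed sample: minimal headers with e_lfanew = 0x80 and the given Machine/NumberOfSections. */
static void build_min_header(uint8_t *buf, size_t len, uint16_t machine, uint16_t nsections) {
    memset(buf, 0, len);
    buf[0] = 'M'; buf[1] = 'Z'; buf[0x3C] = 0x80;
    memcpy(buf + 0x80, "PE\0\0", 4);
    buf[0x84] = (uint8_t)machine;   buf[0x85] = (uint8_t)(machine >> 8);
    buf[0x86] = (uint8_t)nsections; buf[0x87] = (uint8_t)(nsections >> 8);
}

/* Legitimate image matches its file; a replacement image with a different section count does not. */
int demo_hollowing_check(void) {
    uint8_t disk[256], mem[256];
    build_min_header(disk, sizeof disk, 0x8664, 5);
    build_min_header(mem, sizeof mem, 0x8664, 5);
    if (pe_headers_match(mem, sizeof mem, disk, sizeof disk) != PE_CHECK_OK) return -1;
    build_min_header(mem, sizeof mem, 0x8664, 3);
    return pe_headers_match(mem, sizeof mem, disk, sizeof disk);  /* PE_CHECK_HEADER_MISMATCH */
}
```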