|
1 | | -# MappedImagesDetector |
| 1 | +# MappedImagesDetector — Windows Memory Scanner for Antivirus & EDR |
2 | 2 |
|
3 | | -A native C++20 Windows tool to detect suspicious or unexpected mapped images in process address spaces and report related anomalies. The project is implemented in modern C++ (C++20) and targets Visual Studio (MSVC) using Win32 APIs. |
| 3 | +**Short description / SEO meta**: *MappedImagesDetector is a native C++20 Windows memory-scanning tool built for antivirus and EDR use — detects manual-mapped DLLs, erased PE headers, suspicious mapped images, IAT/CRT thunk anomalies and other memory-based stealth techniques used by modern malware.* |
4 | 4 |
|
5 | | -## Features |
| 5 | +> ?? **Defensive-only project.** This repository is explicitly for malware analysis, incident response, and defensive engineering. Do not use the techniques here to produce or deploy malware. Use responsibly and in accordance with law. |
6 | 6 |
|
7 | | -- Scan running processes for mapped modules and images |
8 | | -- Detect anomalies in memory mappings |
9 | | -- Lightweight, native implementation with minimal dependencies |
10 | | -- Test module for local validation |
| 7 | +--- |
11 | 8 |
|
12 | | -## Repository layout |
| 9 | +## Why this project exists (TL;DR) |
| 10 | +Modern malware frequently avoids disk-based indicators by manually mapping DLLs into process address spaces, erasing or corrupting PE headers, or creating executable regions with fake imports. Traditional on-disk scanners miss these threats. **MappedImagesDetector** finds suspicious mapped images in process memory and flags indicators of manual mapping and in-memory-only malware — the kind of stealth techniques commercial AV and EDR products must detect. |
13 | 11 |
|
14 | | -- `AnnomaliesDetector/` — core detection library and executable sources |
15 | | -- `TestModule/` — small test harness / DLL used during development |
16 | | -- `MappedImagesDetector.sln` — Visual Studio solution (open in VS 2019 / 2022) |
| 12 | +**SEO keywords included**: antivirus, EDR, memory scanner, manual-mapped DLL detection, erased PE header, IAT anomaly, Windows memory forensics, in-memory malware detection. |
17 | 13 |
|
18 | | -## Requirements |
| 14 | +--- |
| 15 | + |
| 16 | +## Key features (antivirus-focused) |
| 17 | + |
| 18 | +- **Detect manual-mapped DLLs** — identify modules that appear in memory without matching loaded modules on the process' LDR list. |
| 19 | +- **PE header inspection** — detect erased or tampered PE headers and tampered section tables. |
| 20 | +- **IAT & thunk anomaly detection** — spot IAT sequence inconsistencies and CRT thunk stubs commonly present in manual-mapped code. |
| 21 | +- **Executable-only region detection** — find suspicious RWX/EXEC-only pages that often host shellcode or unpacked payloads. |
| 22 | +- **Entropy & heuristic checks** — entropy analysis and heuristic scoring to reduce false positives. |
| 23 | +- **Lightweight native C++20 implementation** — minimal dependencies, designed for integration with antivirus/EDR stacks. |
| 24 | +- **Test harness & unit tests** — `TestModule/` provides safe, local test cases for validating detection logic. |
| 25 | +- **Extensible scoring** — generate a risk score per finding for integration into threat triage and automated response. |
| 26 | + |
| 27 | +--- |
| 28 | + |
| 29 | +## How it helps defenders (Concrete use cases) |
| 30 | +- **Incident response:** Find in-memory implants on compromised endpoints that disk scanners missed. |
| 31 | +- **Behavioral monitoring:** Add memory-based indicators to EDR telemetry for better context-aware blocking. |
| 32 | +- **Malware research:** Rapidly identify suspicious mapped images while analyzing samples in a sandbox. |
| 33 | +- **False-negative reduction:** Complement on-disk signatures with memory heuristics to catch modern in-memory-only threats. |
| 34 | + |
| 35 | +--- |
| 36 | + |
| 37 | +## High-level detection methods (non-abusive, defensive detail) |
| 38 | +The project combines multiple defensive heuristics rather than publishing exploit code: |
| 39 | + |
| 40 | +- Enumerate process virtual memory ranges and compare mapped images to the process module lists (PEB/LDR). |
| 41 | +- Read and validate in-memory PE headers where present; flag erased or inconsistent headers. |
| 42 | +- Validate Import Address Table (IAT) stubs and common CRT thunk patterns used by manual mappers. |
| 43 | +- Check for pages with suspicious protection flags (e.g., NX-disabled or RWX) and atypical section alignment. |
| 44 | +- Compute entropy and basic signatures for anomalous sections. |
| 45 | +- Produce a **Ban / Risk Confidence Score** per anomaly (configurable threshold for triage). |
19 | 46 |
|
20 | | -- Windows 10 or later |
21 | | -- Visual Studio 2019 or 2022 with C++ workload |
22 | | -- C++20 toolset (MSVC) |
| 47 | +--- |
23 | 48 |
|
24 | | -## Build |
| 49 | +## Repository layout |
| 50 | +``` |
| 51 | +AnomaliesDetector/ # core detection library and executable |
| 52 | +TestModule/ # safe test DLL used during development |
| 53 | +docs/ # documentation, threat model and blog-ready assets |
| 54 | +MappedImagesDetector.sln # Visual Studio solution |
| 55 | +LICENSE # license file (MIT recommended for tooling) |
| 56 | +``` |
25 | 57 |
|
26 | | -1. Open the solution file in Visual Studio: `MappedImagesDetector.sln`. |
27 | | -2. Select the desired configuration (`x64` recommended) and `Debug` or `Release`. |
28 | | -3. Build the solution (Build -> Build Solution). |
| 58 | +--- |
| 59 | + |
| 60 | +## Requirements |
| 61 | +- Windows 10 or later (x64 recommended) |
| 62 | +- Visual Studio 2019 / 2022 with C++ workload |
| 63 | +- MSVC toolset with C++20 (`/std:c++20`) |
29 | 64 |
|
30 | | -Alternatively, use MSBuild from the Developer Command Prompt: |
| 65 | +--- |
| 66 | + |
| 67 | +## Build & quick start |
| 68 | +1. Open `MappedImagesDetector.sln` in Visual Studio. |
| 69 | +2. Select `x64` and `Release` (recommended). |
| 70 | +3. Build (Build -> Build Solution) or run from Developer Command Prompt: |
31 | 71 |
|
32 | 72 | ```powershell |
33 | 73 | msbuild MappedImagesDetector.sln /p:Configuration=Release /p:Platform=x64 |
34 | 74 | ``` |
35 | 75 |
|
36 | | -Built binaries are placed in the project `bin` folders for the selected configuration (for example: `AnnomaliesDetector\x64\Release`). |
| 76 | +4. Built binaries appear under `AnomaliesDetector\x64\Release`. |
| 77 | + |
| 78 | +**Runtime**: run the scanner as an elevated user for full process enumeration. The test harness in `TestModule` is designed for local testing only — do not deploy it to production. |
| 79 | + |
| 80 | +--- |
| 81 | + |
| 82 | +## Usage & integration (AV / EDR guidance) |
| 83 | +- **Standalone**: run on-demand to produce a JSON/CSV report of memory anomalies for forensic analysis. |
| 84 | +- **EDR integration**: call the core library from an EDR sensor to enrich endpoint telemetry with memory-mapped anomalies. |
| 85 | +- **Automated response**: use the risk confidence score to trigger containment workflows or further automated analysis. |
37 | 86 |
|
38 | | -## Usage |
| 87 | +**Logging**: the project uses `CLogger` with configurable verbosity. For production, forward logs to your centralized SIEM or EDR telemetry. |
39 | 88 |
|
40 | | -- The primary executable and test artifacts are produced in the build output directories. |
41 | | -- Use the test harness in `TestModule` to validate detection logic during development. |
42 | | -- Logs are produced by the built-in logger (`CLogger`) and can be configured in source or at runtime depending on the build. |
| 89 | +--- |
43 | 90 |
|
44 | | -## Development notes |
| 91 | +## False positives & tuning |
| 92 | +Memory scanning produces noisy signals. To reduce false positives: |
45 | 93 |
|
46 | | -- The codebase follows a modular structure: `CMemoryMapper`, `CScanTask`, and `CLogger` contain the main scanning and logging logic. |
47 | | -- The project targets C++20; use `/std:c++20` in project settings when editing or creating new projects. |
48 | | -- Keep platform-specific code isolated where possible and prefer RAII for resource management. |
| 94 | +- Tune risk thresholds and whitelist known internal injectors/tooling. |
| 95 | +- Use whitelist paths/hashes and parent process heuristics. |
| 96 | +- Correlate findings with runtime behavior (network, process creation, module load events). |
| 97 | +- Use entropy and signature checks only as part of a multi-signal confidence model. |
49 | 98 |
|
50 | | -## Contributing |
| 99 | +--- |
51 | 100 |
|
52 | | -1. Fork the repository and create a feature branch. |
53 | | -2. Open a pull request with a clear description of changes and rationale. |
54 | | -3. Ensure builds succeed on Windows x64 and add tests where applicable. |
| 101 | +## Testing & validation |
| 102 | +- Use the included `TestModule` to validate detection of manual-mapped test payloads in a controlled lab. |
| 103 | +- Run the scanner in a VM snapshot to validate behavior against benign applications and record false-positive rates. |
| 104 | +- Add CI integration for builds and unit tests (recommended: GitHub Actions for Windows runners). |
| 105 | + |
| 106 | +--- |
| 107 | + |
| 108 | +## Threat model |
| 109 | +Target threats: memory-only implants, manual-mapped DLLs, reflective loaders, erasing PE header techniques, packers and in-memory unpacked payloads. Not intended for kernel rootkit discovery (use kernel-mode tools for that use case). |
| 110 | + |
| 111 | +--- |
| 112 | + |
| 113 | +## Contributing (defensive engineering welcome) |
| 114 | +1. Fork the repo. |
| 115 | +2. Create a feature branch (`feature/<descriptive-name>`). |
| 116 | +3. Add tests, run builds on Windows x64. |
| 117 | +4. Open a PR with clear description, tests and reproducible steps. |
| 118 | + |
| 119 | +**Note:** maintainers will reject pull requests that add offensive or malware-building content. This is a defensive project only. |
| 120 | + |
| 121 | +--- |
55 | 122 |
|
56 | 123 | ## License |
| 124 | +If absent, add an MIT license to maximize adoption in security projects and research. See `LICENSE`. |
| 125 | + |
| 126 | +--- |
57 | 127 |
|
58 | | -See `LICENSE` for details. If a license is not present, add one (MIT is a common choice for tooling projects). |
| 128 | +## Viral & outreach assets (use to promote responsibly) |
| 129 | +**Suggested tweet (short & clicky):** |
| 130 | +``` |
| 131 | +New tool: MappedImagesDetector — finds manual-mapped DLLs & in-memory implants that disk AV misses. Built in native C++20 for Windows. Defensive-only. ?? Fork + test: <github-repo> #infosec #malware #EDR #antivirus |
| 132 | +``` |
| 133 | + |
| 134 | +**LinkedIn post (longer):** |
| 135 | +``` |
| 136 | +If you're building defensive tooling or EDR telemetry, disk-based detection isn't enough. I released MappedImagesDetector — a native C++ memory scanner that detects manual-mapped DLLs, erased PE headers, and other in-memory stealth techniques used by modern implants. It's lightweight, fast, and designed for integration with SIEM/EDR. Defensive-only. Fork, validate, and contribute: <github-repo> |
| 137 | +``` |
| 138 | + |
| 139 | +**Blog post outline (1,000–1,500 words):** |
| 140 | +1. Intro: Why in-memory malware is the next frontier |
| 141 | +2. Anatomy of manual-mapped DLLs and common stealth tricks |
| 142 | +3. How MappedImagesDetector identifies them (approach, heuristics) |
| 143 | +4. Example incident response workflow |
| 144 | +5. Results from internal testing (false-positive rates, detection examples) |
| 145 | +6. How to integrate with your EDR |
| 146 | +7. Call to action: fork, test, contribute |
| 147 | + |
| 148 | +**Suggested hashtags**: `#infosec #malware #EDR #antivirus #memoryforensics #cybersecurity` |
| 149 | + |
| 150 | +--- |
59 | 151 |
|
60 | 152 | ## Contact |
| 153 | +For issues and feature requests open a GitHub issue. For sensitive malware samples or incident coordination, contact the maintainers privately by the channels listed in the repository. |
| 154 | + |
| 155 | +--- |
| 156 | + |
| 157 | +*This README focuses the original project toward antivirus and EDR use: defensive heuristics, integration advice, test harness guidance, and outreach assets to increase adoption while preventing misuse.* |
61 | 158 |
|
62 | | -For issues or feature requests, open an issue on GitHub in this repository. |
|
0 commit comments