Maxwell-Blueteam25/Thread-Injection-Hunter
Process Injection & Detection PoC

Proof-of-concept scripts demonstrating how remote thread–based injection techniques work at a conceptual level, and how defenders can detect related artifacts using memory inspection. Implemented in Python with ctypes for low-level Windows API access.

What’s Inside

injector.py
A raw implementation of the "Allocate-Write-Execute" chain. It forces a target process (like Notepad) to load a user-defined DLL by spawning a remote thread directly at LoadLibraryA.

hunter.py
A detection script that calls the native API (NtQueryInformationThread) directly, rather than going through higher-level libraries, to ask the kernel for each thread's start address. It scans for threads that begin execution at the LoadLibraryA memory address—a high-fidelity indicator of this specific injection technique.
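The start-address check described above, as an added example that is not the repository's own hunter.py: it resolves the LoadLibrary* exports in kernel32, walks the target PID's threads through a Toolhelp snapshot, asks NtQueryInformationThread (information class ThreadQuerySetWin32StartAddress) for each start address, and flags matches. The classification step is kept as a pure function so it can be exercised with constructed data; the Windows-only parts assume a 64-bit host, a target of the same bitness, and rights to open the target's threads.

```python
import ctypes

# Windows SDK constants (winnt.h / tlhelp32.h / ntddk.h)
THREAD_QUERY_INFORMATION, TH32CS_SNAPTHREAD = 0x0040, 0x0004
ThreadQuerySetWin32StartAddress = 9   # THREADINFOCLASS value for NtQueryInformationThread
LOADER_EXPORTS = ("LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW")
DWORD, LONG, HANDLE = ctypes.c_uint32, ctypes.c_int32, ctypes.c_void_p

class THREADENTRY32(ctypes.Structure):
    _fields_ = [("dwSize", DWORD), ("cntUsage", DWORD), ("th32ThreadID", DWORD),
                ("th32OwnerProcessID", DWORD), ("tpBasePri", LONG),
                ("tpDeltaPri", LONG), ("dwFlags", DWORD)]

def flag_threads(start_by_tid, entry_points):
    """Pure step: {tid: start_address} x {address: export} -> [(tid, export)] for hits."""
    return [(tid, entry_points[addr]) for tid, addr in start_by_tid.items()
            if addr in entry_points]

def loader_entry_points():
    """kernel32 shares one base across all processes of a boot session (same bitness),
    so addresses resolved in the hunter match those inside the target process."""
    k32 = ctypes.windll.kernel32
    k32.GetModuleHandleW.restype, k32.GetModuleHandleW.argtypes = HANDLE, [ctypes.c_wchar_p]
    k32.GetProcAddress.restype, k32.GetProcAddress.argtypes = HANDLE, [HANDLE, ctypes.c_char_p]
    base = k32.GetModuleHandleW("kernel32.dll")
    return {k32.GetProcAddress(base, n.encode()): n for n in LOADER_EXPORTS}

def thread_start_addresses(pid):
    """Snapshot the target's threads and ask the kernel for each one's start address."""
    k32, ntdll = ctypes.windll.kernel32, ctypes.windll.ntdll
    k32.CreateToolhelp32Snapshot.restype = k32.OpenThread.restype = HANDLE
    k32.Thread32First.argtypes = k32.Thread32Next.argtypes = [HANDLE, ctypes.POINTER(THREADENTRY32)]
    k32.CloseHandle.argtypes = [HANDLE]
    ntdll.NtQueryInformationThread.argtypes = [HANDLE, ctypes.c_int, ctypes.c_void_p, DWORD, ctypes.c_void_p]
    snap = k32.CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0)
    te, result = THREADENTRY32(dwSize=ctypes.sizeof(THREADENTRY32)), {}
    ok = k32.Thread32First(snap, ctypes.byref(te))
    while ok:
        if te.th32OwnerProcessID == pid:
            h = k32.OpenThread(THREAD_QUERY_INFORMATION, False, te.th32ThreadID)
            if h:
                start = HANDLE()              # receives the PVOID start address
                status = ntdll.NtQueryInformationThread(h, ThreadQuerySetWin32StartAddress, ctypes.byref(start), ctypes.sizeof(start), None)
                k32.CloseHandle(h)
                if status == 0:               # STATUS_SUCCESS
                    result[te.th32ThreadID] = start.value
        ok = k32.Thread32Next(snap, ctypes.byref(te))
    k32.CloseHandle(snap)
    return result
```

Run `flag_threads(thread_start_addresses(pid), loader_entry_points())` from an elevated prompt on the lab host. Legitimate software (accessibility hooks, some instrumentation agents) also starts threads at LoadLibrary*, so treat a hit as a lead to enrich with process and parent context rather than a verdict.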

Usage

These scripts are intended for learning how Windows memory and thread telemetry can be leveraged for detection. They are not production tools and should be run only in isolated lab environments.

Contributing

The detection logic is a starting point. It highlights core concepts but is not hardened. Contributions that improve performance, add noise-reduction logic, or enhance contextual enrichment are welcome.
