Skip to content
Live hunting of code injection techniques
C++ C CMake HTML M4 Perl
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
conf
include Adding helper methods. Bugfixing May 4, 2019
libs Adding back ETW service logic Aug 11, 2018
src Minor bugfixing Aug 22, 2019
utilities Minor bugfixing Aug 22, 2019
.appveyor.yml Fixing Appveyor - Attempt #1 May 4, 2019
.gitignore Minor bugfixing Aug 22, 2019
LICENSE Initial commit Aug 9, 2018
README.md Minor bugfixing Aug 22, 2019
memhunter.sln First commit Aug 9, 2018
memhunter.vcxproj Adding back ETW service logic Aug 11, 2018
memhunter.vcxproj.filters Adding back ETW service logic Aug 11, 2018

README.md

Build status Appveyor Latest Commit MIT license

Memhunter

Automated hunting of memory resident malware at scale

This project is WORK IN PROGRESS. Expect feature changes and binary releases on the upcoming weeks.

Overview

Memhunter is an endpoint sensor tool that is specialized in detecing resident malware, improving the threat hunter analysis process and remediation times. The tool detects and reports memory-resident malware living on endpoint processes. Memhunter detects known malicious memory injection techniques. The detection process is performed through live analysis and without needing memory dumps. The tool was designed as a replacement of memory forensic volatility plugins such as malfind and hollowfind. The idea of not requiring memory dumps helps on performing the memory resident malware threat hunting at scale, without manual analysis, and without the complex infrastructure needed to move dumps to forensic environments.

The detection process is performed through a combination of endpoint data collection and memory inspection scanners. The tool is a standalone binary that, upon execution, deploys itself as a windows service. Once running as a service, memhunter starts the collection of ETW events that might indicate code injection attacks. The live stream of collected data events is feed into memory inspection scanners that use detection heuristics to down select the potential attacks. The entire detection process does not require human intervention, neither memory dumps, and it can be performed by the tool itself at scale.

Besides the data collection and hunting heuristics, the project has also led to the creation of a companion tool called "minjector" that contains +15 code injection techniques. The minjector tool cannot onlybe used to exercise memhunter detections, but also as a one-stop location to learn on well-known code injection techniques out there.

Architecture deck available here

Example 1: Manual run to exercise detection of reflective DLL injection - Video here

Manual run to exercise detection of reflective DLL injection

Example 2: Manual run to exercise detection of process hollowing injection - Video here

Manual run to exercise detection of process hollowing injection

You can’t perform that action at this time.