moex01/MalfindBypass
MalfindBypass

Reflective PE loader that evades Volatility's malfind by exploiting VAD AllocationProtect immutability.

Technique

Malfind walks each process's VAD tree and flags a region when:

  • The protection recorded in the VAD combines WRITE and EXECUTE (PAGE_EXECUTE_READWRITE and similar)
  • The region is not empty (all-zero regions are skipped)

The VAD stores the protection the region was allocated with, and VirtualProtect only updates the page table entries, never the VAD. This loader therefore allocates memory as PAGE_READWRITE, writes the PE into it, then calls VirtualProtect on each section to set the permissions its section header requests (PAGE_EXECUTE_READ for .text). VirtualQuery reports the two views side by side: AllocationProtect (the VAD) stays PAGE_READWRITE while Protect (the PTEs) becomes PAGE_EXECUTE_READ. Malfind reads the VAD, sees RW- with no EXECUTE bit, and skips the region.

Note that this evades malfind's VAD-based test specifically, not memory forensics in general: any check that reads the real page protection (the Protect field of VirtualQuery on a live process, a plugin that walks PTEs, or an EDR hunting for private executable memory with no backing image, and for RW to RX VirtualProtect calls on private memory) still sees an executable private region.

Project Structure

MalfindBypass/
├── src/
│   ├── main.cpp              # Entry point, PE loading, VirtualProtect bypass
│   ├── pe_parser.hpp         # PE header parsing and section enumeration
│   └── import_resolver.hpp   # IAT resolution via GetProcAddress
├── README.md
└── LICENSE

Building

cl /EHsc /O2 /Fe:MalfindBypass.exe src/main.cpp

Usage

MalfindBypass.exe <target.exe>

The process then sleeps indefinitely so it can be captured in a memory image. Take the dump and run malfind against the process:

vol -f memory.raw windows.malfind --pid <PID>

Verification

Expected behavior:

  • VirtualQuery on the mapped image reports AllocationProtect: PAGE_READWRITE
  • VirtualQuery reports Protect: PAGE_EXECUTE_READ for the executable sections (.text)
  • Malfind does NOT flag the region (the VAD protection is PAGE_READWRITE, which carries no EXECUTE bit)
  • The PE executes normally, because the CPU enforces the page table entries, not the VAD
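The following is an added example, not code from the MalfindBypass project. It covers the Technique section and the verification bullets above in one program: a loader's mapping from section characteristics to page protections, a model of malfind's VAD-protection test (both WRITE and EXECUTE in the recorded protection) beside a hypothetical page-level test, and, on Windows, the live AllocationProtect/Protect split after VirtualProtect followed by execution of a six-byte `mov eax, 42 ; ret` stub. The PAGE_* and IMAGE_SCN_* values under the non-Windows branch are copied from winnt.h so the portable logic compiles anywhere; the function names are this example's own.

```cpp
// Added example, not part of the MalfindBypass project.
// (1) section flags -> page protection, as a reflective loader applies them
// (2) malfind's VAD-protection test modelled next to a page-level test
// (3) on Windows: AllocationProtect vs Protect after VirtualProtect, then run the stub
#include <cstdint>
#include <cstdio>
#include <cstring>

#ifdef _WIN32
#include <windows.h>
#else
// Stand-ins carrying the winnt.h values so the portable logic builds off-Windows.
typedef uint32_t DWORD;
#define PAGE_NOACCESS          0x01
#define PAGE_READONLY          0x02
#define PAGE_READWRITE         0x04
#define PAGE_EXECUTE           0x10
#define PAGE_EXECUTE_READ      0x20
#define PAGE_EXECUTE_READWRITE 0x40
#define PAGE_EXECUTE_WRITECOPY 0x80
#define IMAGE_SCN_MEM_EXECUTE  0x20000000
#define IMAGE_SCN_MEM_READ     0x40000000
#define IMAGE_SCN_MEM_WRITE    0x80000000
#endif

// Page protection a loader sets on a section after copying it into the
// RW region, derived from IMAGE_SECTION_HEADER.Characteristics.
DWORD SectionProtection(DWORD characteristics) {
    bool x = (characteristics & IMAGE_SCN_MEM_EXECUTE) != 0;
    bool w = (characteristics & IMAGE_SCN_MEM_WRITE) != 0;
    bool r = (characteristics & IMAGE_SCN_MEM_READ) != 0;
    if (x && w) return PAGE_EXECUTE_READWRITE;
    if (x && r) return PAGE_EXECUTE_READ;
    if (x)      return PAGE_EXECUTE;
    if (w)      return PAGE_READWRITE;
    if (r)      return PAGE_READONLY;
    return PAGE_NOACCESS;
}

// Model of malfind's test: the protection recorded in the VAD must carry
// WRITE and EXECUTE together. An RW allocation later flipped to RX never
// satisfies it, because the VAD keeps the allocation-time value.
bool MalfindWouldFlag(DWORD vadProtection) {
    return vadProtection == PAGE_EXECUTE_READWRITE ||
           vadProtection == PAGE_EXECUTE_WRITECOPY;
}

// Hypothetical page-level test (what a PTE-walking plugin or a scanner using
// VirtualQuery's Protect field sees): executable private memory, however allocated.
bool PageLevelWouldFlag(DWORD pageProtection, bool privateMemory) {
    bool executable = (pageProtection & (PAGE_EXECUTE | PAGE_EXECUTE_READ |
                       PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)) != 0;
    return executable && privateMemory;
}

#ifdef _WIN32
// Allocate RW, copy a stub, flip to RX, compare the two VirtualQuery fields,
// then call the stub. Returns the stub's value (42) or a negative API error code.
int DemoAllocationProtectSplit() {
    const unsigned char stub[] = {0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3}; // mov eax,42 ; ret
    void* region = VirtualAlloc(nullptr, 0x1000, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (!region) return -1;
    memcpy(region, stub, sizeof stub);
    DWORD old = 0;
    if (!VirtualProtect(region, 0x1000, PAGE_EXECUTE_READ, &old)) return -2;
    FlushInstructionCache(GetCurrentProcess(), region, 0x1000);

    MEMORY_BASIC_INFORMATION mbi = {};
    VirtualQuery(region, &mbi, sizeof mbi);
    bool isPrivate = mbi.Type == MEM_PRIVATE;
    printf("AllocationProtect=0x%lX Protect=0x%lX private=%d\n",
           mbi.AllocationProtect, mbi.Protect, isPrivate);      // 0x4 / 0x20 / 1
    printf("malfind (VAD) flags: %d, page-level check flags: %d\n",
           MalfindWouldFlag(mbi.AllocationProtect),              // 0: VAD still RW
           PageLevelWouldFlag(mbi.Protect, isPrivate));         // 1: PTE says RX

    typedef int (*StubFn)();
    int result = reinterpret_cast<StubFn>(region)();  // CPU honours the PTE, so this runs
    VirtualFree(region, 0, MEM_RELEASE);
    return result;
}
#endif

int main() {
#ifdef _WIN32
    printf("stub returned %d\n", DemoAllocationProtectSplit());
#else
    DWORD text = SectionProtection(IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ);
    printf(".text -> 0x%X, malfind flags VAD(RW)=%d, page-level flags RX=%d\n",
           (unsigned)text, MalfindWouldFlag(PAGE_READWRITE), PageLevelWouldFlag(text, true));
#endif
    return 0;
}
```

Build on Windows with `cl /EHsc example.cpp` and run it; the first line printed should show AllocationProtect=0x4 (PAGE_READWRITE) next to Protect=0x20 (PAGE_EXECUTE_READ), which is exactly the pair of values the Verification bullets expect from VirtualQuery, and the stub still returns 42. The two boolean lines make the detection gap concrete: the VAD-based test stays quiet while the page-level test fires.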

Disclaimer

For security research and educational purposes only.

License

MIT License - Copyright (c) 2025
