v6.2.0 · A behavioral intrusion detection system for Windows. Files are innocent until proven guilty at runtime. When malicious behavior is detected, the entire attack chain is traced to root and eliminated.
GIDR is not an antivirus. It doesn't quarantine files for looking suspicious. It doesn't care about entropy, imports, or missing signatures.
GIDR watches what processes do. When one crosses the line — dumps credentials, beacons to a C2 server, encrypts your files, installs a keylogger, or opens a reverse shell — GIDR traces the attack back to its root, kills every process in the chain, quarantines the attacker's files, removes their persistence, and blocks their IPs.
What GIDR ignores: high entropy, unsigned binaries, suspicious imports, packed executables, double extensions. These are logged for forensics but never trigger action.
What GIDR acts on: credential dumping, C2 beaconing, ransomware encryption, reverse shells, keylogger hooks, process injection, ETW tampering, lateral movement, data exfiltration, autonomous malware phoning home.
┌─────────────────────────────────────────────────────────────┐
│ RUNTIME MONITORS │
│ │
│ ProcessMonitor ETW Monitor NetworkMonitor │
│ (WMI events + (Event 4688/4689 (connection-to-PID │
│ polling fallback) zero-gap) correlation) │
│ │
│ FileMonitor SelfProtection AMSI Scanner │
│ (FileSystemWatcher (DACL, integrity, (script content │
│ on user paths) ETW tamper check) via Windows AMSI) │
└──────────────────────────┬──────────────────────────────────┘
▼
┌─────────────────────────────────────────────────────────────┐
│ BEHAVIORAL DETECTION │
│ │
│ Command-line analysis │ Parent-child chain rules │
│ (23 patterns, MITRE) │ (19 suspicious chains) │
│ │ │
│ Renamed LOLBin detection │ Reverse shell detection │
│ (OriginalFilename check) │ (shell + outbound connection) │
│ │ │
│ C2 beacon detection │ Autonomous malware detection │
│ (jitter analysis) │ (unknown process + network) │
│ │ │
│ Memory scanning │ Process hollowing detection │
│ (shellcode, reflective │ Token manipulation detection │
│ PE, RWX regions) │ Fileless execution detection │
│ │ │
│ Credential dump detect │ Ransomware detection │
│ (LSASS access, SAM dump) │ (mass rename, shadow delete) │
│ │ │
│ DLL hijack detection │ Keystroke injection detection │
│ DNS exfiltration detect │ Lateral movement detection │
│ ETW tamper detection │ Service tamper detection │
└──────────────────────────┬──────────────────────────────────┘
▼
┌─────────────────────────────────────────────────────────────┐
│ RESPONSE ENGINE (behavioral only) │
│ │
│ Static scan verdicts → LOG ONLY (never act) │
│ Behavioral detections → CHAIN TRACE AND NUKE │
└──────────────────────────┬──────────────────────────────────┘
▼
┌─────────────────────────────────────────────────────────────┐
│ CHAIN TRACER │
│ │
│ 1. Walk parent chain to find attack root │
│ 2. Collect all descendant processes │
│ 3. Kill entire process tree (leaves first) │
│ 4. Quarantine attacker executables (skip system binaries) │
│ 5. Hunt persistence (Run keys, scheduled tasks, startup) │
│ 6. Block attacker IPs (outbound firewall rules) │
└─────────────────────────────────────────────────────────────┘
# Build
build.cmd
# Bootstrap dependencies (downloads YARA + VC++ redist)
GIDR.exe bootstrap
# Start monitoring (requires Administrator)
GIDR.exe monitor
# Scan a file or directory (informational only — no auto-response)
GIDR.exe scan file.exe
GIDR.exe scan C:\Downloads -r
| Command | Description |
|---|---|
GIDR.exe monitor |
Start real-time intrusion detection (requires admin) |
GIDR.exe scan <path> |
Scan file or directory (informational, no auto-response) |
GIDR.exe scan <path> -r |
Scan recursively |
GIDR.exe bootstrap |
Download YARA engine and VC++ runtime |
GIDR.exe config |
Create default config.json |
GIDR.exe info |
Show engine status and configuration |
GIDR.exe hash <file> |
Compute hashes and check reputation |
GIDR.exe restore |
List quarantined files |
GIDR.exe restore <index> <path> |
Restore a quarantined file |
GIDR.exe report |
Show last 24h threat summary |
GIDR.exe health |
System health check |
| Detection | What it catches | How |
|---|---|---|
| Reverse shell | cmd/powershell with outbound connection to non-standard port | NetworkMonitor PID correlation |
| C2 beaconing | Regular-interval outbound connections (low jitter) | Statistical interval analysis |
| Autonomous malware | Unknown process from temp/appdata with outbound connections | Process-to-connection mapping |
| Credential dumping | LSASS access, SAM/SECURITY hive dumping | Process + memory scanning |
| Ransomware | Mass file renames, shadow copy deletion, ransom notes | FileMonitor + command-line patterns |
| Process injection | CreateRemoteThread, APC injection, process hollowing | Memory scanning + API monitoring |
| Keylogger | SetWindowsHookEx keyboard hooks from unexpected processes | DLL + hook detection |
| Renamed LOLBin | powershell.exe renamed to update.exe (OriginalFilename mismatch) | PE version info check |
| Fileless execution | In-memory-only code with no backing file on disk | Memory region analysis |
| Lateral movement | PsExec, WMI remote exec, WinRM from unexpected sources | Command-line + network analysis |
| Data exfiltration | Large outbound transfers, DNS tunneling | Network volume + DNS port analysis |
| ETW tampering | ntdll!EtwEventWrite patched to RET (EDR blinding) | Memory prologue verification |
| Service tampering | Critical services being stopped or modified | Service state monitoring |
| Persistence creation | Run keys, scheduled tasks, startup folder modifications | Registry + task monitoring |
| Detection | What it logs |
|---|---|
| PE analysis | Imports, sections, capabilities, packer indicators |
| YARA rules | 9 rule files: C2, credentials, injection, ransomware, etc. |
| Entropy | File and section entropy analysis |
| Hash reputation | CIRCL, Cymru, MalwareBazaar lookups |
| AMSI | Script content scanning via Windows AMSI |
| Signature | Authenticode verification |
When a behavioral detection fires, GIDR doesn't just kill the offending process. It traces the entire attack:
Example: Credential dump detected
1. DETECT mimikatz.exe (PID 4521) accessing LSASS
│
2. TRACE UP 4521 ← powershell.exe (4200) ← cmd.exe (3800) ← dropper.exe (3100) ← explorer.exe (1200)
▲
3. ROOT dropper.exe is the attack root (first non-system ancestor)
│
4. TRACE DOWN dropper.exe → cmd.exe → powershell.exe → mimikatz.exe
→ beacon.exe → svchost_fake.exe
│
5. KILL Kill all 5 processes (leaves first: mimikatz, beacon, svchost_fake, then PS, cmd, dropper)
│
6. QUARANTINE Move dropper.exe, beacon.exe, svchost_fake.exe to Quarantine/
(cmd.exe, powershell.exe are system binaries — left alone)
│
7. PERSISTENCE Check Run keys, scheduled tasks, startup folder for anything
pointing to quarantined files → remove
│
8. BLOCK Find all outbound connections from the chain → firewall block
System binaries (cmd.exe, powershell.exe, svchost.exe, etc.) are never quarantined — they're legitimate tools that were abused. Only the attacker's own files get quarantined.
GIDR handles the "hacker is gone but malware is still active" scenario:
The NetworkMonitor correlates every TCP connection to its owning process. When it finds:
- An unknown process (not in the legitimate network process list) with outbound connections
- Especially from suspicious paths (temp, appdata, programdata)
- On non-standard ports (not 80/443)
- With beacon-like timing (regular intervals, low jitter)
...it enqueues a behavioral threat. The ResponseEngine calls ChainTracer, which traces the process back to whatever dropped it, kills the tree, quarantines the binaries, and blocks the C2 IPs.
This catches:
- RATs phoning home on a timer
- Cryptominers connecting to mining pools
- Backdoors waiting for commands
- Data stealers uploading to attacker infrastructure
- Any persistent malware with network activity
| Feature | What it does |
|---|---|
| Process DACL | Restricts the GIDR process handle so non-admin users can't taskkill it |
| Self-integrity | Hashes own executable at startup, verifies periodically |
| Config tamper detection | Freezes allowlists if config.json is modified at runtime |
| ETW integrity | Checks ntdll!EtwEventWrite prologue for RET patches |
| Debugger detection | Alerts if a debugger is attached to the GIDR process |
| Module integrity | Snapshots loaded DLLs, detects DLL hijacking in install directory |
| ETW event flow | Alerts if no process creation events arrive for 5 minutes |
Place config.json next to GIDR.exe. All settings are optional — defaults are sane.
{
"autoKillThreats": false,
"autoQuarantine": false,
"alertThreshold": 50,
"jsonLogging": true,
"exclusionPaths": [],
"allowlistHashes": [],
"allowlistPaths": [],
"allowlistSigners": [],
"additionalProtectedProcesses": [],
"extraRulePaths": []
}The autoKillThreats and autoQuarantine settings only affect static scan results. Behavioral detections always trigger chain-trace-and-nuke regardless of these settings.
GIDR ships with 9 YARA rule files:
| Rule File | What it detects |
|---|---|
c2_frameworks.yar |
Cobalt Strike, Metasploit, Empire, Covenant |
credential_tools.yar |
Mimikatz, LaZagne, SharpDPAPI, Rubeus |
process_injection.yar |
Shellcode loaders, reflective DLL injection |
ransomware.yar |
Known ransomware families and behaviors |
persistence.yar |
Registry persistence, scheduled task abuse |
lolbins.yar |
LOLBin abuse patterns |
amsi_bypass.yar |
AMSI bypass techniques |
exfiltration.yar |
Data staging and exfiltration tools |
malware_generic.yar |
Generic malware indicators |
Add custom rules by placing .yar files in the Rules/ directory or adding paths to extraRulePaths in config.json.
GIDR can run as a Windows service for persistent monitoring:
# Install as service
sc create GIDR binPath= "C:\path\to\GIDR.exe monitor" start= auto
sc start GIDR
# Remove service
sc stop GIDR
sc delete GIDR
| File | Content |
|---|---|
Logs/gidr_log.txt |
Main log (all events) |
Logs/stability_log.txt |
Startup, shutdown, health checks |
Logs/chain_tracer.log |
Full chain trace details |
Logs/network_detections.log |
Network threat detections |
Logs/process_monitor.log |
Process creation analysis |
Logs/etw_monitor.log |
ETW events and integrity checks |
Logs/self_protection.log |
Self-protection events |
Logs/gidr_events.jsonl |
Structured JSON events (for SIEM) |
# Requires .NET Framework 4.x (csc.exe)
build.cmd
# With code signing
build.cmd sign certificate.pfx password
# With Inno Setup installer
build.cmd installer
Output: bin/GIDR.exe
- No kernel-level visibility (kernel rootkits can hide from user-mode monitoring)
- Memory scanner requires sufficient process access rights
- ETW monitoring requires "Audit Process Creation" policy enabled
- AMSI depends on registered AV engine (typically Defender)
- Network monitoring is connection-based, not packet-level
- Chain tracing depends on process still being alive when detected
- PowerShell-based attackers who clean up quickly may evade detection
For authorized defensive, administrative, research, or educational use only.
- Use only on systems where you have explicit permission
- Validate in a test environment before production use
- Provided "AS IS" without warranties of any kind
- Authors are not liable for damages, data loss, or downtime
GIDR v6.2.0 — Built by Gorstak