Skip to content

vmcall/MapDetection

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

17 Commits
.vs
.vs
 
 
Properties
Properties
 
 
bin/x64/Release
bin/x64/Release
 
 
.gitignore
.gitignore
 
 
App.config
App.config
 
 
LICENSE
LICENSE
 
 
Logger.cs
Logger.cs
 
 
MapDetection.csproj
MapDetection.csproj
 
 
MapDetection.sln
MapDetection.sln
 
 
MapDetector.cs
MapDetector.cs
 
 
Natives.cs
Natives.cs
 
 
ProcessExtensions.cs
ProcessExtensions.cs
 
 
Program.cs
Program.cs
 
 
README.md
README.md
 
 
app.manifest
app.manifest
 
 

Repository files navigation

MapDetection

Detect manualmapped images remotely, without hassle

Confirmed Detections

  • Extreme Injector -> detected
  • Xenos -> detected (even with Add Loader reference enabled)

How does it work?

MapDetection has two modes, deep and quick.

Quick mode

Iterates every process thread, collecting allocation bases from thread starts and instruction pointers. It then scans every unique allocation base for any anomalies.

Deep mode

Run quick scan, then traverse the virtual memory space for any executable pages that do not belong to a module. (Will lead to false positives)

Anomalies MapDetection looks for

  • Valid PE headers (MZ signature, PE magic bytes and architecture)
  • Module is linked correctly to module list
  • Valid allocation type (MEM_IMAGE)
  • Valid allocation flags

Example of a manually mapped, possibly malicious, image that was picked up by MapDetection

Map Detection

About

Detect manualmapped images remotely, without hassle

Resources

Readme

License

GPL-3.0 license
Activity

Stars

152 stars

Watchers

10 watching

Forks

40 forks
Report repository

Releases

No releases published

Packages

 
 
 

Languages