MapDetection

Detect manualmapped images remotely, without hassle

Confirmed Detections

Extreme Injector -> detected
Xenos -> detected (even with Add Loader reference enabled)

How does it work?

MapDetection has two modes, deep and quick.

Quick mode

Iterates every process thread, collecting allocation bases from thread starts and instruction pointers. It then scans every unique allocation base for any anomalies.

Deep mode

Run quick scan, then traverse the virtual memory space for any executable pages that do not belong to a module. (Will lead to false positives)

Anomalies MapDetection looks for

Valid PE headers (MZ signature, PE magic bytes and architecture)
Module is linked correctly to module list
Valid allocation type (MEM_IMAGE)
Valid allocation flags

Name		Name	Last commit message	Last commit date
Latest commit History 17 Commits
.vs		.vs
Properties		Properties
bin/x64/Release		bin/x64/Release
.gitignore		.gitignore
App.config		App.config
LICENSE		LICENSE
Logger.cs		Logger.cs
MapDetection.csproj		MapDetection.csproj
MapDetection.sln		MapDetection.sln
MapDetector.cs		MapDetector.cs
Natives.cs		Natives.cs
ProcessExtensions.cs		ProcessExtensions.cs
Program.cs		Program.cs
README.md		README.md
app.manifest		app.manifest

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

MapDetection

Confirmed Detections

How does it work?

Quick mode

Deep mode

Anomalies MapDetection looks for

Example of a manually mapped, possibly malicious, image that was picked up by MapDetection

About

Releases

Packages

Languages

License

vmcall/MapDetection

Folders and files

Latest commit

History

Repository files navigation

MapDetection

Confirmed Detections

How does it work?

Quick mode

Deep mode

Anomalies MapDetection looks for

Example of a manually mapped, possibly malicious, image that was picked up by MapDetection

About

Resources

License

Stars

Watchers

Forks

Releases

Packages 0

Languages

Packages