commit 55a8a90ce9e1af378d33766b3a62de6e569b8109 Author: Adir Shitrit Date: Fri Nov 7 18:01:19 2025 +0200 initial project structure
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..584b22d
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,31 @@
+# Rust
+target/
+**/*.rs.bk
+*.pdb
+Cargo.lock
+
+# OS
+.DS_Store
+Thumbs.db
+
+# IDE
+.vscode/
+.idea/
+*.swp
+*.swo
+
+# Build artifacts
+*.exe
+*.dll
+*.so
+*.dylib
+*.sys
+
+# Test outputs
+/test-results/
+/bench/results/
+*.log
+
+# Local config
+.env
+config.local.toml
diff --git a/Cargo.toml b/Cargo.toml
new file mode 100644
index 0000000..e6e7f77
--- /dev/null
+++ b/Cargo.toml
@@ -0,0 +1,17 @@
+[workspace]
+members = [
+    "ghost-core",
+]
+resolver = "2"
+
+[workspace.package]
+version = "0.1.0"
+edition = "2021"
+authors = ["Ghost Team"]
+license = "MIT"
+
+[workspace.dependencies]
+anyhow = "1.0"
+thiserror = "1.0"
+log = "0.4"
+env_logger = "0.11"
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..dc44e95
--- /dev/null
+++ b/README.md
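Review bot: The `+Cargo.lock` entry under `# Rust` should be dropped for this workspace: the accompanying Cargo.toml pins only caret ranges (`anyhow = "1.0"`, `env_logger = "0.11"`, …), so with the lockfile ignored every fresh clone and CI run resolves the newest semver-compatible releases, and builds of what is itself a security control become neither reproducible nor auditable against a known dependency set. Ignoring the lockfile is the convention for libraries; Cargo's guidance for workspaces that produce binaries (a TUI and kernel components, per the README) is to commit it, so the fix is to remove that one line. The `.env` and `config.local.toml` entries are the right call; a short comment such as `# never commit secrets or machine-local config` would keep that intent from being lost when the file is reorganised.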
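Review bot: `members = ["ghost-core"]` names a crate directory that this commit does not add, so `cargo build --release` as documented in the README will fail with a missing-manifest error until `ghost-core/Cargo.toml` exists (unless it lands in a later commit not visible here); either add the crate skeleton in the same commit or leave `members = []` until it does. The `[workspace.package]` block would also benefit from `rust-version` and `repository` so downstream consumers and `cargo publish` have the toolchain floor and provenance recorded. Since the workspace is intended to host components that parse data from other processes, consider a `[profile.release]` section with `overflow-checks = true` so integer-overflow panics are not silently disabled in release builds; that is a policy choice rather than a defect, so it is flagged, not required.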
@@ -0,0 +1,46 @@
+# Ghost
+
+Cross-platform process injection detection framework.
+
+## Overview
+
+Ghost is a real-time detection system for identifying process injection techniques across Windows, Linux, and macOS platforms. It combines kernel-level monitoring with behavioral analysis to detect advanced injection methods.
+
+## Architecture
+
+- **ghost-core**: Core detection engine and platform abstraction
+- **ghost-drivers**: Platform-specific kernel components
+- **ghost-tui**: Terminal user interface
+- **ghost-lib**: Shared libraries and utilities
+- **ghost-rules**: Detection rules and signatures
+
+## Supported Techniques
+
+### Windows
+- Classic DLL injection (CreateRemoteThread)
+- APC injection (NtQueueApcThread)
+- Process hollowing
+- Thread hijacking
+- SetWindowsHookEx injection
+- Reflective DLL injection
+
+### Linux
+- ptrace injection
+- LD_PRELOAD manipulation
+- process_vm_writev injection
+- Shared memory injection
+
+### macOS
+- DYLD_INSERT_LIBRARIES
+- task_for_pid injection
+- Mach port manipulation
+
+## Building
+
+```bash
+cargo build --release
+```
+
+## Status
+
+Early development. Windows support in progress.