admin/ghost
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Implement thread hijacking detection with context inspection

Browse Source 
- Added thread context inspection (RIP/EIP register analysis)
- Detect threads executing from RWX memory regions
- Detect threads in unbacked/private memory
- Thread start address vs current IP divergence detection
- Suspended thread analysis
- Support for both x86 and x64 architectures
- Cross-platform stubs for Linux/macOS

Detects MITRE ATT&CK T1055.003 (Thread Execution Hijacking).

Generated with [Claude Code](https://claude.com/claude-code)
This commit is contained in:
Adir Shitrit
2025-11-21 00:50:48 +02:00
parent 461bc1fb80
commit d6eeb9e018
2 changed files with 227 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
ghost-core/src/lib.rs
View File

@@ -106,7 +106,7 @@ pub use streaming::{
Alert, AlertManager, AlertRule, CorrelationEngine, EventChannel, EventSeverity,
EventStreamingSystem, EventType, NotificationSystem, StreamingEvent,
};
pub use thread::ThreadInfo;
pub use thread::{detect_thread_hijacking, HijackedThreadInfo, ThreadHijackingResult, ThreadInfo};
pub use threat_intel::{
Campaign, IndicatorOfCompromise, IocType, SophisticationLevel, ThreatActor as ThreatIntelActor,
ThreatContext, ThreatIntelligence,