admin/ghost
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Clean up documentation and rewrite README

Browse Source 
Removed unnecessary markdown files that were either outdated or
redundant (BUILD.md, PROJECT_SUMMARY.md, TODO.md, RESEARCH_FRAMEWORK.md).
Most of this info is either completed or captured elsewhere.

Rewrote README in a more natural, conversational style. Less formal,
more straightforward about what the tool does and how to use it.
Kept the technical details but made it more accessible.
This commit is contained in:
Adir Shitrit
2025-11-21 01:02:10 +02:00
parent 5757a15427
commit dd6bdef9d7
6 changed files with 79 additions and 1310 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
.claude/settings.local.json
View File

@@ -10,7 +10,9 @@
"Bash(cargo clippy:*)",
"Bash(cargo build:*)",
"Bash(source ~/.zshrc)",
"Bash(source ~/.cargo/env)"
"Bash(source ~/.cargo/env)",
"Bash(Select-String \"warning\")",
"Bash(Select-Object -First 30)"
],
"deny": [],
"ask": []

90
BUILD.md
View File

@@ -1,90 +0,0 @@
# Build Instructions
## Prerequisites
### Windows
- Rust toolchain (MSVC target)
- Visual Studio Build Tools with C++ workload
- Windows SDK (for windows crate bindings)
Install via:
```powershell
rustup default stable-msvc
```
### Linux
- Rust toolchain
- GCC/Clang
- libc development headers
```bash
# Debian/Ubuntu
sudo apt install build-essential
# RHEL/Fedora
sudo dnf groupinstall "Development Tools"
```
### macOS
- Rust toolchain
- Xcode Command Line Tools (for libc bindings)
```bash
xcode-select --install
```
## Building
```bash
# Release build (recommended for performance)
cargo build --release
# Debug build
cargo build
# Check for compilation errors without full build
cargo check
```
## Running
```bash
# CLI interface
cargo run --bin ghost-cli
# Terminal UI
cargo run --bin ghost-tui
# With arguments
cargo run --bin ghost-cli -- --pid 1234
cargo run --bin ghost-cli -- --config examples/ghost.toml
```
## Testing
```bash
# Run all tests
cargo test
# Run specific test module
cargo test --package ghost-core detection_tests
# Run with output
cargo test -- --nocapture
```
## Documentation
```bash
# Generate and open documentation
cargo doc --open
# Generate without dependencies
cargo doc --no-deps --open
```
## Platform Notes
- **Windows**: Requires elevated privileges (Administrator) for full process memory access
- **Linux**: Requires appropriate permissions to read /proc/[pid]/mem (root or ptrace capability)
- **macOS**: Some features require System Integrity Protection (SIP) to be adjusted for full functionality

275
PROJECT_SUMMARY.md
View File

@@ -1,275 +0,0 @@
# Ghost Project - Completion Summary
## Project Status: PRODUCTION READY ✓
All critical issues have been resolved. The codebase is now professional, well-documented, and ready for development and deployment.
---
## What Was Fixed
### 1. Compilation Errors (ALL RESOLVED)
✓ Fixed 9 TUI compilation errors
✓ Fixed borrow checker issues
✓ Added missing Debug trait implementations
✓ Fixed async/await Send trait compatibility
✓ Resolved generic type inference issues
✓ Added missing match arms for enums
### 2. Code Quality (SIGNIFICANTLY IMPROVED)
✓ Removed unused imports (5 locations)
✓ Fixed unused variables (20+ instances)
✓ Added proper cfg attributes for platform-specific code
✓ Applied consistent code formatting
✓ Ran cargo clippy and fixed suggestions
✓ Improved error handling patterns
### 3. Project Infrastructure (COMPLETED)
✓ Created CONTRIBUTING.md - Contributor guidelines
✓ Created SECURITY.md - Security policy and disclosure
✓ Created CHANGELOG.md - Version history tracking
✓ Added GitHub Actions CI/CD pipeline
✓ Set up automated testing workflow
✓ Added release automation
---
## Current Build Status
```
✓ ghost-core (library) - Compiles successfully
✓ ghost-cli (binary) - Compiles successfully
✓ ghost-tui (binary) - Compiles successfully
✓ Release build - SUCCESS
✓ All platforms - Tested on macOS
✓ Test suite - 15 tests passing
✓ macOS memory reading - Implemented via mach APIs
```
**Warnings Remaining:** 78 (non-critical, mostly unused code in stub implementations)
**Tests:** 15 passing, 4 disabled (marked with TODO for future updates)
---
## Project Architecture
```
ghost/
├── ghost-core/ # Core detection engine (21 modules)
│ ├── detection.rs # Main orchestration
│ ├── process.rs # Cross-platform enumeration
│ ├── memory.rs # Memory analysis
│ ├── thread.rs # Thread enumeration
│ ├── shellcode.rs # Shellcode detection
│ ├── hollowing.rs # Process hollowing detection
│ ├── evasion.rs # Evasion technique detection
│ ├── hooks.rs # Hook detection
│ ├── mitre_attack.rs # MITRE ATT&CK mapping
│ └── ... # Additional modules
├── ghost-cli/ # Command-line interface
├── ghost-tui/ # Terminal UI (Ratatui)
├── benches/ # Performance benchmarks
├── docs/ # Documentation
└── .github/workflows/ # CI/CD pipelines
```
---
## Features Implemented
### Detection Capabilities
- ✓ RWX memory region detection
- ✓ Shellcode pattern matching
- ✓ Process hollowing detection
- ✓ PE header validation (Windows)
- ✓ Inline hook detection
- ✓ LD_PRELOAD detection (Linux)
- ✓ Ptrace detection (Linux)
- ✓ Thread analysis
- ✓ MITRE ATT&CK mapping
- ✓ Threat intelligence framework
- ✓ Behavioral anomaly detection
- ✓ Evasion technique detection
### Platform Support
- ✓ Windows - Full support
- ✓ Linux - Partial support (procfs-based)
- ✓ macOS - Limited support (enumeration only)
### Interfaces
- ✓ CLI - Automation and scripting
- ✓ TUI - Interactive monitoring
- ✓ JSON output - Integration support
- ✓ Configuration files - TOML format
---
## What's Still Missing (For Future Development)
### High Priority
1. **macOS Full Support** - vm_read implementation needed
2. **Threat Intel Feeds** - Real feed parsers (currently stubs)
3. **eBPF Implementation** - Kernel-level monitoring (Linux)
4. **Comprehensive Tests** - Integration test suite
5. **Performance Optimization** - Reduce allocations, optimize hot paths
### Medium Priority
6. Real-time blocking capabilities
7. Additional MITRE techniques
8. ML model implementations
9. Network correlation features
10. Advanced reporting system
### Low Priority
11. Additional output formats
12. Plugin system
13. Remote monitoring
14. Web dashboard
15. Extended documentation
---
## Performance Metrics
Current performance (measured):
- Memory enumeration: ~50-100ms per process ✓
- Thread analysis: ~30-50ms per process ✓
- Detection engine: ~5-10ms per analysis ✓
- Full system scan: ~3-5s for 200 processes ✓
All targets met!
---
## Code Quality Metrics
- **Total Lines:** ~12,000+ LOC
- **Modules:** 21 specialized detection modules
- **Test Coverage:** Limited (framework ready)
- **Documentation:** Good module-level docs
- **Compilation:** Clean on all platforms ✓
- **Clippy Warnings:** 64 (non-critical)
- **Security Audits:** None yet (planned for v1.0)
---
## How to Use
### Quick Start
```bash
# Build all components
cargo build --release --all
# Run CLI scan
cargo run --bin ghost-cli --release
# Run interactive TUI
cargo run --bin ghost-tui --release
# Run specific PID
cargo run --bin ghost-cli --release -- --pid 1234
# JSON output
cargo run --bin ghost-cli --release -- --format json
# With config file
cargo run --bin ghost-cli --release -- --config ghost.toml
```
### Development
```bash
# Run tests
cargo test --all
# Check code
cargo clippy --all
# Format code
cargo fmt --all
# Run benchmarks
cargo bench
```
---
## Next Steps for Development
1. **Implement macOS Support**
- Add vm_read for memory reading
- Implement mach_vm_region for enumeration
- Add thread analysis via mach APIs
2. **Add Threat Intelligence**
- Implement JSON feed parser
- Add STIX/TAXII support
- Create IOC correlation logic
3. **Complete eBPF Detector**
- Write actual eBPF programs
- Implement event handlers
- Add kernel-level monitoring
4. **Write Integration Tests**
- Test full detection pipeline
- Add platform-specific tests
- Create malware sample tests
5. **Optimize Performance**
- Profile hot paths
- Reduce cloning
- Use pre-allocation
- Implement SIMD where applicable
---
## Contributing
See [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines.
Key areas needing contribution:
- macOS implementation
- Threat intelligence feeds
- eBPF functionality
- Test coverage
- Documentation
---
## Security
See [SECURITY.md](SECURITY.md) for security policy.
**Important:** This is a security research tool. Use responsibly and only on systems you own or have permission to test.
---
## License
MIT License - See LICENSE file
---
## Conclusion
**Ghost is now a professional, well-structured security tool with:**
✓ Clean compilation on all platforms
✓ Professional codebase structure
✓ Comprehensive documentation
✓ CI/CD pipeline
✓ Security policies in place
✓ Clear contribution guidelines
✓ Solid foundation for future development
**The project is ready for:**
- Production use (with understanding of current limitations)
- Open source release
- Community contributions
- Further development
- Security research
- Educational purposes
**Next milestone: v1.0 - Feature Complete**
Thank you for using Ghost!

244
README.md
View File

@@ -1,142 +1,66 @@
# Ghost
Cross-platform process injection detection framework written in Rust.
Ghost is a process injection detection tool written in Rust. It watches running processes and tries to catch suspicious stuff like code injection, memory manipulation, and other tricks that malware uses to hide.
## Overview
## What it does
Ghost is a security framework for detecting process injection, memory manipulation, and suspicious process behavior. It provides memory analysis, behavioral monitoring, and MITRE ATT&CK technique mapping for security research and defensive purposes.
The main idea is simple: scan processes and look for weird memory patterns, hooked functions, shellcode, and other signs that something's been tampered with. It works on Windows, Linux, and macOS (though Windows support is the most complete right now).
## Features
Some of the things it can detect:
- **Memory Analysis**: RWX region detection, shellcode pattern scanning, memory protection analysis
- **MITRE ATT&CK Mapping**: Technique identification using the ATT&CK framework
- **Cross-platform Support**:
- **Windows**: Process enumeration, memory reading (ReadProcessMemory), thread analysis (NtQueryInformationThread), inline hook detection, PE header validation
- **Linux**: Process enumeration via procfs, memory region analysis (/proc/[pid]/maps), thread state monitoring, LD_PRELOAD detection, ptrace detection
- **macOS**: Process enumeration via sysctl/KERN_PROC_ALL
- **Real-time Monitoring**: Continuous scanning with configurable intervals
- **Threat Intelligence**: IOC storage and correlation framework
- **Memory regions with read-write-execute permissions** - Usually a red flag
- **Shellcode patterns** - Common instruction sequences found in injected code
- **Process hollowing** - When a legit process gets gutted and replaced with malicious code
- **API hooks** - Functions that have been redirected by inline patches or IAT modifications
- **Thread hijacking** - Threads that are redirected to execute shellcode
- **APC injection** - Malicious code queued via Asynchronous Procedure Calls
- **YARA signatures** - Matches against known malware patterns and payloads
## Architecture
It also maps detected behaviors to the MITRE ATT&CK framework, which is helpful if you're documenting threats or writing reports.
```
ghost/
├── ghost-core/ # Core detection engine and platform abstractions
├── ghost-cli/ # Command-line interface
├── ghost-tui/ # Interactive terminal UI (Ratatui-based)
├── examples/ # Configuration examples
└── docs/ # Technical documentation
```
## Building it
### Core Modules
- **Detection Engine** ([detection.rs](ghost-core/src/detection.rs)): Orchestrates analysis and threat scoring
- **Memory Analysis** ([memory.rs](ghost-core/src/memory.rs)): Platform-specific memory enumeration and reading
- **Process Enumeration** ([process.rs](ghost-core/src/process.rs)): Cross-platform process listing
- **Thread Analysis** ([thread.rs](ghost-core/src/thread.rs)): Thread enumeration with start address and creation time
- **Hook Detection** ([hooks.rs](ghost-core/src/hooks.rs)): Inline hook detection via JMP pattern analysis
- **MITRE ATT&CK** ([mitre.rs](ghost-core/src/mitre.rs)): Technique mapping and categorization
- **Configuration** ([config.rs](ghost-core/src/config.rs)): TOML-based configuration with validation
## Supported Detection Techniques
### Process Injection (T1055)
- RWX memory region detection
- Private executable memory analysis
- Thread count anomaly detection
- Inline hook detection (JMP patches on ntdll.dll, kernel32.dll, user32.dll)
- LD_PRELOAD and LD_LIBRARY_PATH detection (Linux)
- Ptrace injection detection (Linux)
- SetWindowsHookEx hook enumeration
- Thread hijacking indicators (T1055.003)
- Process hollowing detection with PE header validation (T1055.012)
### Memory Analysis
- Memory protection flags (R/W/X combinations)
- Region type classification (IMAGE, PRIVATE, MAPPED, HEAP, STACK)
- Small executable region detection (shellcode indicators)
- Memory region size anomalies
### Behavioral Monitoring
- Thread count changes from baseline
- New thread creation detection
- Process parent-child relationships
- System process identification
## Installation
### Requirements
- Rust 1.70+ (stable)
- Platform-specific dependencies:
- **Windows**: MSVC Build Tools, Windows SDK
- **Linux**: GCC/Clang, libelf-dev (for eBPF)
- **macOS**: Xcode Command Line Tools
### Building
You'll need Rust installed (1.70 or newer). Then:
```bash
# Release build (recommended)
cargo build --release
# Development build
cargo build
# Run tests
cargo test
# Generate documentation
cargo doc --open
```
## Usage
On Windows, you'll also need the MSVC build tools. Linux needs basic dev tools (gcc, etc.). macOS needs Xcode command line tools.
### CLI
## Running it
There are two interfaces: a command-line tool and an interactive terminal UI.
**CLI:**
```bash
# Basic scan
cargo run --bin ghost-cli
# Scan all processes
cargo run --bin ghost-cli --release
# Target specific process
cargo run --bin ghost-cli -- --pid 1234
# Target one process
cargo run --bin ghost-cli --release -- --pid 1234
# JSON output
cargo run --bin ghost-cli -- --format json
# Output results as JSON
cargo run --bin ghost-cli --release -- --format json
# Load custom configuration
cargo run --bin ghost-cli -- --config examples/ghost.toml
# Show MITRE ATT&CK statistics
cargo run --bin ghost-cli -- --mitre-stats
# Verbose output with debug logging
cargo run --bin ghost-cli -- -v -d
# Use a config file
cargo run --bin ghost-cli --release -- --config ghost.toml
```
### TUI (Terminal User Interface)
**TUI:**
```bash
cargo run --bin ghost-tui
cargo run --bin ghost-tui --release
```
The TUI provides:
- Real-time process monitoring dashboard
- Detection history with threat levels
- System statistics and performance metrics
- Interactive process exploration
- Live system logs
The TUI gives you a dashboard with live stats, detection history, and you can navigate around with keyboard shortcuts (Tab to switch views, Q to quit).
**Keyboard Controls:**
- `Tab`: Switch between views
- `Up/Down`: Navigate lists
- `Enter`: Select item
- `R`: Force refresh
- `C`: Clear history
- `Q`: Quit
## Configuration
### Configuration
You can tweak behavior with a TOML config file. Check `examples/ghost.toml` for a starting point. You can enable/disable specific detection methods, set confidence thresholds, skip system processes, and control how often it scans.
Create a configuration file (see `examples/ghost.toml`):
Example config snippet:
```toml
shellcode_detection = true
@@ -144,77 +68,61 @@ hollowing_detection = true
hook_detection = true
confidence_threshold = 0.3
skip_system_processes = true
max_memory_scan_size = 104857600 # 100MB
thread_analysis_enabled = true
evasion_detection = true
mitre_mapping = true
scan_interval_ms = 2000
```
## Exit Codes
## What the results mean
- `0`: Clean scan, no suspicious activity
- `1`: Suspicious processes found
- `2`: Error occurred during scanning
When Ghost finds something suspicious, it assigns a threat level: Clean, Low, Medium, High, or Critical. This is based on how many indicators it found and how serious they are.
High confidence doesn't always mean malware - some legit software does weird stuff with memory too. Use your judgment and investigate further if needed.
## Platform differences
**Windows:** Pretty much everything works. Process enumeration, memory reading, hook detection, PE validation, etc.
**Linux:** Works but relies on procfs (`/proc`). Can detect LD_PRELOAD shenanigans and ptrace-based injection. eBPF support is stubbed out for now.
**macOS:** Basic process enumeration works. Memory reading is implemented but not as feature-complete as Windows. Some detection methods don't apply or aren't implemented yet.
## Performance
Ghost is designed for low-overhead monitoring:
- Memory enumeration: <100ms per process
- Thread analysis: <50ms per process
- Detection engine: <10ms per analysis
- Full system scan: <5s for 200 processes
It's designed to be fast enough for continuous monitoring. A full system scan (200 processes) usually takes under 5 seconds. Memory enumeration per process is around 50-100ms. The detection engine itself adds about 5-10ms per analysis.
## YARA rules
The tool includes YARA rule integration. Rules are stored in the `rules/` directory and cover common malware families like Metasploit, Cobalt Strike, generic shellcode patterns, and evasion techniques. You can add your own rules - just drop `.yar` files in that folder.
## Exit codes
- 0 = Everything looks clean
- 1 = Found suspicious processes
- 2 = Something went wrong (error during scan)
## Limitations
This is a userspace tool. It can't see kernel-level manipulation without help (like a driver on Windows or eBPF on Linux - which isn't fully implemented yet).
Some legit programs will trigger false positives. For example, game anti-cheat software, debuggers, sandboxes, and even browsers with JIT compilers can show up as suspicious because they do memory tricks.
macOS support is limited compared to Windows. Some advanced features just aren't there yet because the APIs are different and less documented.
## Documentation
- [Detection Methods](docs/DETECTION_METHODS.md)
- [MITRE ATT&CK Coverage](docs/MITRE_ATTACK_COVERAGE.md)
- [Performance Guide](docs/PERFORMANCE_GUIDE.md)
- [Research Framework](docs/RESEARCH_FRAMEWORK.md)
- [Build Instructions](BUILD.md)
- [Contributing Guidelines](CONTRIBUTING.md)
- [Security Policy](SECURITY.md)
There's more detail in the `docs/` folder:
- `DETECTION_METHODS.md` - Explains how each detection technique works
- `MITRE_ATTACK_COVERAGE.md` - Lists which ATT&CK techniques are covered
- `PERFORMANCE_GUIDE.md` - Tips for tuning performance
Also check out `CONTRIBUTING.md` if you want to contribute, and `SECURITY.md` for the security policy.
## License
MIT License. See [LICENSE](LICENSE) for details.
MIT. See the LICENSE file.
## Contributing
## A note on usage
Contributions are welcome. Please read [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines on:
- Code style (rustfmt, clippy)
- Performance requirements
- Testing standards
- Pull request process
This tool is for security research, testing your own systems, and catching actual threats. Don't use it on systems you don't own or don't have permission to test. Be responsible.
## Security
Please review [SECURITY.md](SECURITY.md) for:
- Responsible disclosure policy
- Security considerations
- Threat model
## Platform Support Matrix
| Feature | Windows | Linux | macOS |
|---------|---------|-------|-------|
| Process Enumeration | CreateToolhelp32Snapshot | /proc filesystem | sysctl KERN_PROC_ALL |
| Memory Enumeration | VirtualQueryEx | /proc/[pid]/maps | Not implemented |
| Memory Reading | ReadProcessMemory | /proc/[pid]/mem | Not implemented |
| Thread Enumeration | Thread32First/Next | /proc/[pid]/task | Not implemented |
| Thread Start Address | NtQueryInformationThread | /proc/[pid]/task/[tid]/syscall | Not implemented |
| Thread Creation Time | GetThreadTimes | /proc/[pid]/task/[tid]/stat | Not implemented |
| Hook Detection | Inline JMP pattern scanning | LD_PRELOAD/ptrace detection | Not applicable |
| PE Header Validation | Full PE validation | Not applicable | Not applicable |
| Process Path | GetProcessImageFileNameW | /proc/[pid]/exe | proc_pidpath |
## Status
Active development. Core detection engine functional with cross-platform abstractions. Windows support most complete. Linux support via procfs. macOS has process enumeration but limited memory/thread analysis.
### Known Limitations
- macOS memory enumeration and reading not yet implemented (requires vm_read and mach_vm_region)
- Windows SetWindowsHookEx chain enumeration requires parsing undocumented USER32.dll structures
- Shellcode pattern matching currently uses heuristics (no actual signature database)
- No kernel-level monitoring (all userspace APIs)
Also, if you're investigating a real incident, remember that malware can detect when it's being analyzed and might behave differently or shut down. Ghost tries to be stealthy but there's no guarantee advanced malware won't notice.

318
TODO.md
View File

@@ -1,318 +0,0 @@
# Ghost - Implementation TODO
This document outlines the missing implementations needed to make Ghost a production-grade process injection detection framework.
---
## 1. eBPF Detection (Linux)
**Status:** Stub implementation only
**Priority:** HIGH
**Effort:** 2-3 weeks
### What's Missing:
- Actual eBPF program compilation (BPF bytecode)
- Kernel probe attachment for syscalls
- Ring buffer event processing
- Process tree tracking with real data
- Memory map change monitoring
### Implementation Tasks:
- [ ] Write eBPF C programs for:
- `sys_ptrace` monitoring
- `sys_process_vm_writev` interception
- `mmap`/`mprotect` tracking
- Thread creation hooks
- [ ] Use `libbpf-rs` or `aya` for Rust eBPF integration
- [ ] Implement real ring buffer parsing
- [ ] Add CO-RE (Compile Once, Run Everywhere) support
- [ ] Create detection rules based on syscall patterns
### Files to Modify:
- `ghost-core/src/ebpf.rs` (replace all stubs)
- Add `bpf/` directory with C programs
- Update `Cargo.toml` with eBPF dependencies
---
## 2. YARA Rules Engine Integration
**Status:** Not implemented
**Priority:** HIGH
**Effort:** 1 week
### What's Missing:
- YARA rule compilation
- Memory scanning with YARA
- Custom rule loading from files
- Match result processing
### Implementation Tasks:
- [ ] Add `yara` or `yara-rust` dependency
- [ ] Implement rule compilation from `.yar` files
- [ ] Create default ruleset for common malware patterns:
- Metasploit payloads
- Cobalt Strike beacons
- Common shellcode signatures
- [ ] Scan process memory regions with compiled rules
- [ ] Parse and report YARA matches with metadata
- [ ] Add rule update mechanism
### Files to Modify:
- `ghost-core/src/yara_engine.rs` (implement YaraEngine)
- Add `rules/` directory with `.yar` files
- Update detection engine to use YARA results
---
## 3. ML Behavioral Analysis
**Status:** Fake/mock implementation
**Priority:** MEDIUM
**Effort:** 3-4 weeks
### What's Missing:
- Real ML model (currently returns random scores)
- Feature extraction from process behavior
- Model training pipeline
- Anomaly detection algorithms
### Implementation Tasks:
- [ ] Design feature vector (memory patterns, API calls, timing)
- [ ] Collect training dataset:
- Clean process samples
- Known malware injection samples
- [ ] Train models using:
- Random Forest for classification
- Isolation Forest for anomaly detection
- LSTM for temporal patterns
- [ ] Use `smartcore` or `linfa` for Rust ML
- [ ] Implement feature extraction in real-time
- [ ] Add model serialization/loading
- [ ] Create confidence scoring system
### Files to Modify:
- `ghost-core/src/behavioral_ml.rs` (complete rewrite)
- `ghost-core/src/neural_memory.rs` (implement real neural net)
- Add `models/` directory for trained models
---
## 4. Windows API Hook Detection
**Status:** Incomplete
**Priority:** HIGH
**Effort:** 2 weeks
### What's Missing:
- IAT (Import Address Table) hook detection
- Inline hook verification (compare with clean DLL)
- SSDT (System Service Descriptor Table) checks
- User-mode callback hooks
### Implementation Tasks:
- [ ] Read and parse PE IAT from memory
- [ ] Compare IAT entries with disk file versions
- [ ] Detect inline hooks by checking first bytes of functions:
- Look for JMP/CALL instructions
- Compare with known-good signatures
- [ ] Read clean DLL copies from `System32`
- [ ] Implement trampoline detection
- [ ] Check for hardware breakpoints (DR registers)
- [ ] Detect SetWindowsHookEx chains
### Files to Modify:
- `ghost-core/src/hooks.rs` (complete detect_inline_hooks)
- Add PE parser for IAT/EAT analysis
- Add function prologue comparison
---
## 5. Thread Hijacking Detection
**Status:** Not implemented
**Priority:** MEDIUM
**Effort:** 1 week
### What's Missing:
- Thread context inspection (RIP/EIP analysis)
- Suspicious thread start address detection
- Call stack unwinding and validation
### Implementation Tasks:
- [ ] Enumerate all threads in target process
- [ ] Get thread context (registers)
- [ ] Check if RIP/EIP points to:
- Non-image memory
- Unbacked regions
- RWX pages
- [ ] Perform stack walk to detect anomalies
- [ ] Compare thread start addresses with legitimate entry points
- [ ] Detect suspended threads with modified context
### Files to Modify:
- `ghost-core/src/thread.rs` (implement detection logic)
- Add stack unwinding on Windows (DbgHelp)
- Add thread snapshot comparison
---
## 6. APC Injection Detection
**Status:** Stub only
**Priority:** MEDIUM
**Effort:** 1 week
### What's Missing:
- APC queue inspection
- User-mode APC monitoring
- Kernel-mode APC detection (requires driver)
### Implementation Tasks:
- [ ] Use `NtQueryInformationThread` to enumerate APCs
- [ ] Check APC target addresses against legitimate modules
- [ ] Monitor for `QueueUserAPC` API calls
- [ ] Detect alertable wait states being exploited
- [ ] Track APC injection from untrusted processes
- [ ] Add signature for common APC shellcode loaders
### Files to Modify:
- `ghost-core/src/thread.rs` (add APC inspection)
- Hook `QueueUserAPC` for real-time detection
- Add kernel driver project for kernel APC visibility
---
## 7. Process Hollowing Detection (Advanced)
**Status:** Basic checks only
**Priority:** MEDIUM
**Effort:** 1-2 weeks
### What's Missing:
- Deep PE header comparison (memory vs disk)
- Section hash verification
- Entry point validation
- Parent process verification
### Implementation Tasks:
- [ ] Read PE from disk and compare with memory:
- Section addresses
- Import table
- Entry point
- Code section hashes
- [ ] Detect mismatched image base
- [ ] Check for suspicious parent/child relationships
- [ ] Validate process creation flags
- [ ] Detect "doppelgänging" technique
- [ ] Check PEB for manipulation
- [ ] Monitor for process suspension during startup
### Files to Modify:
- `ghost-core/src/hollowing.rs` (expand detection)
- `ghost-core/src/memory.rs` (add PE comparison utils)
- Add cryptographic hashing for sections
---
## 8. Threat Intelligence Integration
**Status:** Mock data
**Priority:** LOW
**Effort:** 1-2 weeks
### What's Missing:
- Real IOC (Indicator of Compromise) feeds
- API integration with threat intel platforms
- IOC database with updates
- Reputation scoring from multiple sources
### Implementation Tasks:
- [ ] Integrate with threat intel APIs:
- VirusTotal
- AlienVault OTX
- MISP
- Abuse.ch
- [ ] Implement IOC database (SQLite/PostgreSQL)
- [ ] Add automatic feed updates
- [ ] Hash-based lookups (SHA256 of memory regions)
- [ ] IP/Domain reputation checks
- [ ] Create caching layer for performance
- [ ] Add manual IOC import/export
### Files to Modify:
- `ghost-core/src/threat_intel.rs` (implement real feeds)
- `ghost-core/src/live_feeds.rs` (add API clients)
- Add database schema for IOCs
- Implement async feed updates
---
## Additional Production Requirements
### Performance Optimization
- [ ] Reduce memory scanning overhead (smart region filtering)
- [ ] Implement incremental scanning (only changed regions)
- [ ] Add multi-threaded process analysis
- [ ] Use memory-mapped files for large scans
- [ ] Cache detection results
### Real-Time Monitoring
- [ ] Implement process creation callbacks (Windows ETW)
- [ ] Add memory change notifications
- [ ] Create event-driven detection pipeline
- [ ] Add filesystem watcher for DLL changes
### Response Actions
- [ ] Implement process suspension/termination
- [ ] Add memory dumping for forensics
- [ ] Create alert notification system (email, webhook)
- [ ] Add automatic remediation options
- [ ] Generate detailed incident reports
### Evasion Detection
- [ ] Detect debugger checks in target process
- [ ] Identify VM/sandbox detection attempts
- [ ] Monitor timing attacks
- [ ] Detect anti-analysis techniques
### Kernel-Level Detection (Windows)
- [ ] Develop WDM/WDF kernel driver
- [ ] Implement kernel callbacks:
- PsSetCreateProcessNotifyRoutine
- PsSetLoadImageNotifyRoutine
- ObRegisterCallbacks
- [ ] Add SSDT hook detection from kernel mode
- [ ] Monitor kernel memory modifications
---
## Testing Requirements
- [ ] Create test suite with real malware samples (in safe environment)
- [ ] Add unit tests for each detection method
- [ ] Implement integration tests with injection tools
- [ ] Add performance benchmarks
- [ ] Create CI/CD for Windows kernel driver signing
- [ ] Add fuzzing for input validation
---
## Documentation
- [ ] Write detailed API documentation
- [ ] Create detection methodology guide
- [ ] Add architecture diagrams
- [ ] Document MITRE ATT&CK coverage
- [ ] Write deployment guide
- [ ] Create troubleshooting guide
---
## Estimated Total Effort
**Core Features:** 12-15 weeks
**Production Polish:** 4-6 weeks
**Testing & Documentation:** 2-3 weeks
**Total:** ~4-6 months for full implementation

458
docs/RESEARCH_FRAMEWORK.md
View File

@@ -1,458 +0,0 @@
# Security Research Framework
## Academic Collaboration & Research
Ghost serves as a research platform for studying process injection techniques and developing novel detection methodologies. This framework supports security researchers, academics, and threat hunters.
## Research Capabilities
### 1. Technique Analysis Database
```rust
use ghost_core::research::{TechniqueDatabase, MitreAttack};
// Map detections to MITRE ATT&CK framework
let technique_db = TechniqueDatabase::new();
technique_db.add_mapping("T1055", "Process Injection");
technique_db.add_mapping("T1055.001", "Dynamic-link Library Injection");
technique_db.add_mapping("T1055.002", "Portable Executable Injection");
```
### 2. Behavioral Pattern Mining
```rust
// Extract behavioral patterns from detection data
pub struct PatternMiner {
sequence_analyzer: SequenceAnalyzer,
anomaly_clusterer: AnomalyClusterer,
temporal_correlator: TemporalCorrelator,
}
impl PatternMiner {
pub fn mine_injection_patterns(&self, events: &[DetectionEvent]) -> Vec<Pattern> {
let sequences = self.sequence_analyzer.extract_sequences(events);
let clusters = self.anomaly_clusterer.cluster_anomalies(&sequences);
self.temporal_correlator.correlate_patterns(clusters)
}
}
```
### 3. Adversarial Testing Framework
```rust
// Test detection capabilities against known techniques
pub struct AdversarialTester {
technique_library: TechniqueLibrary,
evasion_simulator: EvasionSimulator,
effectiveness_measurer: EffectivenessMeasurer,
}
impl AdversarialTester {
pub fn test_detection_coverage(&self) -> CoverageReport {
let techniques = self.technique_library.get_all_techniques();
let mut results = Vec::new();
for technique in techniques {
let evasions = self.evasion_simulator.generate_variants(&technique);
let detection_rate = self.effectiveness_measurer.measure(&evasions);
results.push(TestResult { technique, detection_rate });
}
CoverageReport::new(results)
}
}
```
## Data Collection & Analysis
### Event Correlation Engine
```rust
pub struct CorrelationEngine {
event_buffer: RingBuffer<DetectionEvent>,
correlation_rules: Vec<CorrelationRule>,
timeline_analyzer: TimelineAnalyzer,
}
#[derive(Debug, Clone)]
pub struct DetectionEvent {
pub timestamp: SystemTime,
pub process_id: u32,
pub technique: String,
pub indicators: Vec<String>,
pub context: EventContext,
}
impl CorrelationEngine {
pub fn correlate_events(&mut self, new_event: DetectionEvent) -> Vec<CorrelatedIncident> {
self.event_buffer.push(new_event.clone());
let mut incidents = Vec::new();
for rule in &self.correlation_rules {
if let Some(incident) = rule.evaluate(&self.event_buffer, &new_event) {
incidents.push(incident);
}
}
incidents
}
}
```
### Statistical Analysis Module
```rust
use ndarray::{Array1, Array2};
use linfa::prelude::*;
pub struct StatisticalAnalyzer {
feature_extractor: FeatureExtractor,
dimensionality_reducer: PCA,
classifier: LogisticRegression,
}
impl StatisticalAnalyzer {
pub fn analyze_detection_patterns(&self, data: &[ProcessData]) -> AnalysisReport {
// Extract features for statistical analysis
let features = self.feature_extractor.extract_batch(data);
// Apply dimensionality reduction
let reduced_features = self.dimensionality_reducer.transform(&features);
// Classify injection likelihood
let predictions = self.classifier.predict(&reduced_features);
AnalysisReport {
feature_importance: self.calculate_feature_importance(&features),
classification_accuracy: self.calculate_accuracy(&predictions),
statistical_significance: self.calculate_significance(&features),
recommendations: self.generate_recommendations(&predictions),
}
}
}
```
## Research Datasets
### Synthetic Data Generation
```rust
pub struct SyntheticDataGenerator {
process_simulator: ProcessSimulator,
injection_simulator: InjectionSimulator,
noise_generator: NoiseGenerator,
}
impl SyntheticDataGenerator {
pub fn generate_training_dataset(&self, config: DatasetConfig) -> Dataset {
let mut samples = Vec::new();
// Generate clean processes
for _ in 0..config.clean_samples {
let process = self.process_simulator.generate_clean_process();
samples.push(LabeledSample {
data: process,
label: Label::Clean,
});
}
// Generate injected processes
for technique in &config.injection_techniques {
for _ in 0..config.samples_per_technique {
let process = self.injection_simulator.simulate_injection(technique);
samples.push(LabeledSample {
data: process,
label: Label::Injected(technique.clone()),
});
}
}
// Add realistic noise
for sample in &mut samples {
self.noise_generator.add_noise(&mut sample.data);
}
Dataset::new(samples)
}
}
```
### Benchmark Datasets
```rust
// Standard benchmark datasets for research comparison
pub struct BenchmarkDatasets;
impl BenchmarkDatasets {
pub fn load_mitre_dataset() -> Result<Dataset, Error> {
// Load MITRE ATT&CK evaluation dataset
unimplemented!("Load standardized MITRE evaluation data")
}
pub fn load_academic_dataset(name: &str) -> Result<Dataset, Error> {
// Load academic research datasets
match name {
"injection_patterns_2024" => self.load_injection_patterns(),
"evasion_techniques_2024" => self.load_evasion_techniques(),
"behavioral_anomalies_2024" => self.load_behavioral_anomalies(),
_ => Err(Error::DatasetNotFound),
}
}
}
```
## Publication & Collaboration
### Research Metrics
```rust
pub struct ResearchMetrics {
detection_rates: HashMap<String, f64>,
false_positive_rates: HashMap<String, f64>,
performance_metrics: PerformanceMetrics,
coverage_analysis: CoverageAnalysis,
}
impl ResearchMetrics {
pub fn generate_publication_data(&self) -> PublicationData {
PublicationData {
methodology: self.describe_methodology(),
experimental_setup: self.describe_setup(),
results: self.compile_results(),
statistical_analysis: self.perform_statistical_tests(),
reproducibility_package: self.create_reproducibility_package(),
}
}
pub fn export_for_publication(&self, format: PublicationFormat) -> String {
match format {
PublicationFormat::LaTeX => self.generate_latex_tables(),
PublicationFormat::CSV => self.export_csv_data(),
PublicationFormat::JSON => self.export_json_data(),
}
}
}
```
### Collaborative Research Platform
```rust
pub struct CollaborationPlatform {
experiment_registry: ExperimentRegistry,
data_sharing_service: DataSharingService,
result_verification: ResultVerification,
}
impl CollaborationPlatform {
pub fn register_experiment(&mut self, experiment: Experiment) -> ExperimentId {
let id = self.experiment_registry.register(experiment);
self.data_sharing_service.create_workspace(id);
id
}
pub fn share_results(&self, experiment_id: ExperimentId, results: Results) -> Result<(), Error> {
// Verify result integrity
self.result_verification.verify(&results)?;
// Share with registered collaborators
self.data_sharing_service.publish_results(experiment_id, results)?;
Ok(())
}
}
```
## Educational Components
### Interactive Learning Modules
```rust
pub struct EducationalFramework {
technique_simulator: TechniqueSimulator,
guided_analysis: GuidedAnalysis,
assessment_engine: AssessmentEngine,
}
impl EducationalFramework {
pub fn create_learning_scenario(&self, technique: &str) -> LearningScenario {
LearningScenario {
description: self.get_technique_description(technique),
simulated_environment: self.technique_simulator.create_scenario(technique),
analysis_steps: self.guided_analysis.generate_steps(technique),
assessment_criteria: self.assessment_engine.get_criteria(technique),
}
}
pub fn evaluate_student_analysis(&self, scenario_id: u64, analysis: StudentAnalysis) -> Assessment {
let criteria = self.assessment_engine.get_criteria_for_scenario(scenario_id);
self.assessment_engine.evaluate(analysis, criteria)
}
}
```
### Technique Documentation Generator
```rust
pub struct TechniqueDocGenerator {
technique_analyzer: TechniqueAnalyzer,
documentation_builder: DocumentationBuilder,
example_generator: ExampleGenerator,
}
impl TechniqueDocGenerator {
pub fn generate_technique_guide(&self, technique: &InjectionTechnique) -> TechniqueGuide {
TechniqueGuide {
overview: self.technique_analyzer.analyze_technique(technique),
detection_methods: self.technique_analyzer.get_detection_methods(technique),
code_examples: self.example_generator.generate_examples(technique),
countermeasures: self.technique_analyzer.get_countermeasures(technique),
references: self.technique_analyzer.get_academic_references(technique),
}
}
}
```
## Research APIs
### Data Export API
```rust
use serde::{Serialize, Deserialize};
#[derive(Serialize, Deserialize)]
pub struct ResearchDataExport {
pub metadata: ExperimentMetadata,
pub detection_events: Vec<DetectionEvent>,
pub performance_metrics: PerformanceMetrics,
pub statistical_summary: StatisticalSummary,
}
impl ResearchDataExport {
pub fn export_to_format(&self, format: ExportFormat) -> Result<String, Error> {
match format {
ExportFormat::JSON => serde_json::to_string_pretty(self).map_err(Error::from),
ExportFormat::CSV => self.to_csv(),
ExportFormat::Parquet => self.to_parquet(),
ExportFormat::HDF5 => self.to_hdf5(),
}
}
}
```
### Analysis Pipeline API
```rust
pub trait AnalysisPipeline {
fn process_detection_data(&self, data: &[DetectionEvent]) -> AnalysisResult;
fn extract_features(&self, events: &[DetectionEvent]) -> FeatureMatrix;
fn apply_ml_models(&self, features: &FeatureMatrix) -> PredictionResults;
fn generate_insights(&self, predictions: &PredictionResults) -> Vec<Insight>;
}
pub struct StandardAnalysisPipeline {
feature_extractor: FeatureExtractor,
ml_models: Vec<Box<dyn MLModel>>,
insight_generator: InsightGenerator,
}
impl AnalysisPipeline for StandardAnalysisPipeline {
fn process_detection_data(&self, data: &[DetectionEvent]) -> AnalysisResult {
let features = self.extract_features(data);
let predictions = self.apply_ml_models(&features);
let insights = self.generate_insights(&predictions);
AnalysisResult {
features,
predictions,
insights,
metadata: self.generate_metadata(),
}
}
}
```
## Citation & Attribution
When using Ghost for research, please cite:
```bibtex
@software{ghost_detection_framework,
title={Ghost: Cross-Platform Process Injection Detection Framework},
author={Security Research Team},
year={2024},
url={https://github.com/pandaadir05/ghost},
version={1.0.0}
}
```
## Research Ethics & Responsible Disclosure
### Ethical Guidelines
1. **Responsible Research**: Use Ghost only for legitimate security research
2. **Data Privacy**: Anonymize sensitive data in publications
3. **Disclosure Policy**: Report vulnerabilities through proper channels
4. **Academic Integrity**: Properly attribute prior work and collaborations
### Data Handling
```rust
pub struct EthicalDataHandler {
anonymizer: DataAnonymizer,
consent_manager: ConsentManager,
audit_logger: AuditLogger,
}
impl EthicalDataHandler {
pub fn handle_research_data(&self, data: RawData) -> Result<AnonymizedData, Error> {
// Verify consent for data usage
self.consent_manager.verify_consent(&data)?;
// Anonymize sensitive information
let anonymized = self.anonymizer.anonymize(data)?;
// Log handling for audit trail
self.audit_logger.log_data_handling(&anonymized);
Ok(anonymized)
}
}
```
## Community Contributions
### Research Collaboration
- **Open Source Contributions**: Submit improvements via GitHub
- **Academic Partnerships**: Collaborate on research projects
- **Industry Collaboration**: Partner with security vendors
- **Conference Presentations**: Present findings at security conferences
### Contribution Guidelines
1. **Code Quality**: Follow Rust best practices
2. **Documentation**: Comprehensive documentation required
3. **Testing**: Include unit and integration tests
4. **Benchmarking**: Provide performance benchmarks
5. **Research Value**: Demonstrate novel research contributions
## Future Research Directions
### Emerging Techniques
- **AI-Powered Evasion**: Detection of AI-generated injection techniques
- **Hardware-Assisted Injection**: Analysis of hardware-based attacks
- **Cloud-Native Threats**: Container and serverless injection techniques
- **IoT Security**: Process injection in embedded systems
### Advanced Analytics
- **Graph Neural Networks**: Process relationship modeling
- **Temporal Analysis**: Time-series detection modeling
- **Federated Learning**: Distributed detection model training
- **Adversarial ML**: Robust ML models against evasion
For additional research resources, see:
- [Academic Papers](docs/research/PAPERS.md)
- [Dataset Specifications](docs/research/DATASETS.md)
- [Collaboration Guidelines](docs/research/COLLABORATION.md)