From e6cf909e053442cf1264c38dd582f44126f7486f Mon Sep 17 00:00:00 2001 From: Adir Shitrit Date: Sat, 8 Nov 2025 11:05:35 +0200 Subject: [PATCH] add technical documentation for detection methods --- docs/DETECTION_METHODS.md | 101 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 101 insertions(+) create mode 100644 docs/DETECTION_METHODS.md diff --git a/docs/DETECTION_METHODS.md b/docs/DETECTION_METHODS.md new file mode 100644 index 0000000..33abbf0 --- /dev/null +++ b/docs/DETECTION_METHODS.md 
@@ -0,0 +1,101 @@ +# Detection Methods + +This document details the techniques used by Ghost to detect process injection. + +## Memory-Based Detection + +### RWX Memory Regions + +**MITRE ATT&CK**: T1055 + +Executable memory with write permissions is a strong indicator of code injection. Legitimate processes rarely need RWX pages except during JIT compilation. + +**Detection Logic**: +- Enumerate all memory regions in target process +- Flag regions with PAGE_EXECUTE_READWRITE protection +- Confidence increases with number of RWX regions + +**False Positives**: +- .NET/Java JIT compiler regions +- V8/SpiderMonkey JavaScript engines +- Legitimate debugging scenarios + +### Private Executable Memory + +Private memory regions (not backed by files) with execute permissions often contain injected shellcode. + +**Detection Logic**: +- Check for MEM_PRIVATE regions with EXECUTE protection +- Correlate with unsigned code patterns +- Higher confidence if multiple regions present + +## Thread-Based Detection + +### Abnormal Thread Creation + +**MITRE ATT&CK**: T1055.001 (DLL Injection), T1055.002 (Portable Executable Injection) + +Monitors thread count changes over time. Sudden increases may indicate CreateRemoteThread injection. + +**Detection Logic**: +- Baseline thread count for each process +- Alert on new threads created between scans +- Cross-reference with memory analysis + +### Remote Thread Detection + +Threads created by external processes via CreateRemoteThread or NtCreateThreadEx. 
+ +**Detection Logic** (Planned): +- Compare thread creator PID with owner PID +- Check thread start addresses against known modules +- Flag threads starting in private memory regions + +## Heuristic Analysis + +### Confidence Scoring + +Ghost uses weighted confidence scoring: + +| Indicator | Weight | Description | +|-----------|--------|-------------| +| RWX regions | 0.3 | Per region detected | +| Private exec | 0.4 | >2 regions | +| New threads | 0.2 | Per thread created | +| Unsigned code | 0.5 | In executable region | + +**Thresholds**: +- Clean: < 0.3 +- Suspicious: 0.3 - 0.7 +- Malicious: >= 0.7 + +## Technique Coverage + +### Windows + +- [x] Classic DLL injection detection +- [x] Memory region analysis +- [x] Thread enumeration +- [ ] APC injection detection +- [ ] Process hollowing detection +- [ ] Hook detection (IAT/EAT) +- [ ] Reflective DLL injection + +### Linux + +- [ ] ptrace injection +- [ ] LD_PRELOAD detection +- [ ] process_vm_writev monitoring +- [ ] Shared memory inspection + +### macOS + +- [ ] DYLD_INSERT_LIBRARIES +- [ ] task_for_pid monitoring +- [ ] Mach port analysis + +## References + +- MITRE ATT&CK T1055: Process Injection +- Windows Internals 7th Edition +- "Process Injection Techniques" - Elastic Security
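Review bot: in the Confidence Scoring table the per-region weights are uncapped, so the false positives the RWX section itself lists will score as Malicious: with `| RWX regions | 0.3 | Per region detected |` a .NET or V8 process holding three JIT pages reaches 0.9 before any other indicator fires, and a single RWX region alone already lands on the Suspicious boundary. Either document how JIT and runtime regions are excluded before scoring (the RWX section names them under False Positives, but the scoring section never says they are suppressed) or cap each indicator's total contribution and state the cap in the table. Two smaller points in the same section: `| Private exec | 0.4 | >2 regions |` does not say whether 0.4 is applied once when more than two regions exist or per region, and `Suspicious: 0.3 - 0.7` overlaps `Malicious: >= 0.7` at exactly 0.7, so the ranges should be written as half-open intervals. Lastly, the Windows coverage list ticks "Classic DLL injection detection" while the Remote Thread Detection logic that would identify it is marked (Planned); one of the two should be reconciled or the checked item should name the mechanism that currently covers it.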