- Implemented comprehensive PE parsing utilities
- Added IAT (Import Address Table) parsing from memory and disk
- Implemented IAT hook detection by comparing memory vs disk
- Added data directory and import descriptor parsing
- Helper functions for reading PE structures
- Cross-platform compilation support with Windows-specific code
- Support for both 32-bit and 64-bit PE files
Generated with [Claude Code](https://claude.com/claude-code)
Created professional YARA ruleset covering:
- Metasploit payloads and encoders (Meterpreter, Shikata Ga Nai)
- Cobalt Strike beacons and C2 profiles
- Generic shellcode patterns (PEB/TEB access, API hashing)
- Process injection techniques (hollowing, DLL injection, APC)
- Advanced injection (AtomBombing, Process Doppelganging, Early Bird)
- Evasion techniques (anti-debug, anti-VM, AMSI/ETW bypass)
Each rule includes metadata for threat level and MITRE ATT&CK mapping.
Generated with [Claude Code](https://claude.com/claude-code)
- Remove unused import std::path::Path from hooks.rs
- Add #[derive(Debug)] to EbpfDetector
- Add missing mitre_analysis field to DetectionResult
- Change GhostError::Process to GhostError::Detection (variant doesn't exist)
- Prefix all unused event parameters with underscore in ebpf.rs
- Fix formatting in hooks.rs
All tests passing (24 total). Clippy clean with -D warnings.
- Box large enum variants in EventData to reduce memory footprint
- Add Default trait implementations for types with new() methods
- Replace or_insert_with(Vec::new) with or_default()
- Convert vec init+push patterns to vec! macro
- Fix field reassignment with default initialization
- Convert match to if for simple equality checks
- Remove unused Backend type parameters from TUI draw functions
- Apply rustfmt formatting
All tests passing (24 total). Zero clippy warnings. Ready for CI/CD.
- Remove unused mach vm_prot_t type and VM_PROT_* constants
- Remove unused EmailChannel.smtp_config field
- Remove unused AttributionEngine.campaigns field
- Remove unused BehaviorSignature.confidence_threshold field
- Prefix unused DetectionEngine._config with underscore
- Prefix unused MitreAttackEngine._campaigns with underscore
- Prefix unused NeuralMemoryAnalyzer._confidence_threshold with underscore
All tests passing (24 total). Clean build with zero warnings.
- Enhanced error handling with expanded GhostError variants and From impls
- Fixed race conditions in TUI (ui.rs unwrap calls)
- Added comprehensive module documentation with doc comments
- Improved type safety with proper validation in DetectionConfig
- Implemented Linux process enumeration via procfs
- Refactored TUI for better state management and removed emojis
- Enhanced CLI with proper logging initialization
- Added example configuration file (examples/ghost.toml)
- Updated README with complete feature documentation
- Added performance optimizations (saturating arithmetic, reduced clones)
- Improved testing framework with proper struct initialization
- Added validation and preset modes to DetectionConfig
