pandaadir05
449cfe9708
Enhance process hollowing detection with deep PE comparison
Added comprehensive section-by-section PE comparison that reads the
executable from disk, parses PE sections, and compares them against
memory using SHA-256 hashing. Detects:
- Modified code sections (>5% difference from disk)
- Missing PE sections in memory
- Section hash mismatches
This catches sophisticated hollowing techniques that modify specific
code sections while preserving the PE header structure.
2025-11-21 01:08:49 +02:00
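The disk-versus-memory section comparison this commit describes, written out as an added example. This is not ghost-core's code (the project is Rust); it is a stand-alone Python illustration using `hashlib` for the SHA-256 step and `struct` for the PE section table. The PE image, the mapped memory view (`map_image`, standing in for the platform-specific process-memory read the tool would do) and the tampering are all constructed inline. The 5% code-section threshold and the "section not readable in memory means missing" rule are taken from the commit text; the field names and the exact classification are assumptions of this example.

```python
import hashlib
import struct
from dataclasses import dataclass

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
CODE_DIFF_THRESHOLD = 0.05  # fraction of differing bytes that flags a code section (from the commit text)

SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


@dataclass
class Section:
    name: str
    virtual_size: int
    virtual_address: int
    raw_size: int
    raw_pointer: int
    characteristics: int

    @property
    def is_code(self) -> bool:
        return bool(self.characteristics & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE))


def parse_sections(image: bytes) -> list[Section]:
    """Walk DOS header -> PE signature -> COFF header -> section table of an on-disk image."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        f = struct.unpack_from(SECTION_HDR, image, table + 40 * i)
        # f[0]=Name f[1]=VirtualSize f[2]=VirtualAddress f[3]=SizeOfRawData f[4]=PointerToRawData f[9]=Characteristics
        sections.append(Section(f[0].rstrip(b"\0").decode("ascii"), f[1], f[2], f[3], f[4], f[9]))
    return sections


def scan(disk: bytes, memory: bytes) -> list[dict]:
    """Compare each on-disk section with its mapped copy; `memory` is the module as mapped at its image base."""
    findings = []
    for s in parse_sections(disk):
        if s.raw_size == 0:
            continue  # .bss-style section: nothing on disk to compare against
        n = min(s.raw_size, s.virtual_size) if s.virtual_size else s.raw_size
        disk_bytes = disk[s.raw_pointer:s.raw_pointer + n]
        if s.virtual_address + n > len(memory):
            findings.append({"section": s.name, "kind": "missing", "diff": None})
            continue
        mem_bytes = memory[s.virtual_address:s.virtual_address + n]
        if hashlib.sha256(disk_bytes).digest() == hashlib.sha256(mem_bytes).digest():
            continue
        diff = sum(a != b for a, b in zip(disk_bytes, mem_bytes)) / n
        kind = "modified_code" if s.is_code and diff > CODE_DIFF_THRESHOLD else "hash_mismatch"
        findings.append({"section": s.name, "kind": kind, "diff": diff})
    return findings


# ---- constructed test image (not a real binary) ----
FILE_ALIGN, SECT_ALIGN = 0x200, 0x1000
TEXT = bytes([0x55, 0x48, 0x89, 0xE5]) * 64          # 256 bytes standing in for code
DATA = b"constructed .data section".ljust(64, b"\0")


def build_disk_image() -> bytes:
    """Minimal PE: MZ stub, PE/COFF header with SizeOfOptionalHeader = 0 (the parser only skips it), .text and .data."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 0, 0x22)
    secs = struct.pack(SECTION_HDR, b".text", len(TEXT), SECT_ALIGN, FILE_ALIGN, FILE_ALIGN,
                       0, 0, 0, 0, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE)
    secs += struct.pack(SECTION_HDR, b".data", len(DATA), 2 * SECT_ALIGN, FILE_ALIGN, 2 * FILE_ALIGN,
                        0, 0, 0, 0, 0xC0000040)
    header = (dos + b"PE\0\0" + coff + secs).ljust(FILE_ALIGN, b"\0")
    return header + TEXT.ljust(FILE_ALIGN, b"\0") + DATA.ljust(FILE_ALIGN, b"\0")


def map_image(disk: bytes) -> bytes:
    """Stand-in for reading the loaded module out of a process: lay sections out at their virtual addresses."""
    mem = bytearray(3 * SECT_ALIGN)
    mem[:FILE_ALIGN] = disk[:FILE_ALIGN]
    for s in parse_sections(disk):
        mem[s.virtual_address:s.virtual_address + s.raw_size] = disk[s.raw_pointer:s.raw_pointer + s.raw_size]
    return bytes(mem)


def patch(memory: bytes, offset: int, data: bytes) -> bytes:
    """Overwrite bytes in the mapped view, as a hollowing loader would."""
    m = bytearray(memory)
    m[offset:offset + len(data)] = data
    return bytes(m)


if __name__ == "__main__":
    disk = build_disk_image()
    clean = map_image(disk)
    print("clean:", scan(disk, clean))
    print("hollowed:", scan(disk, patch(clean, SECT_ALIGN, b"\xCC" * len(TEXT))))  # whole .text replaced
    print("truncated:", scan(disk, clean[:0x1800]))                                  # .data never mapped
```

Two practitioner caveats the threshold exists for: a loaded module legitimately differs from disk wherever the loader applied base relocations or wrote the import address table, and hot-patched function prologues are a few bytes each, so a bare hash mismatch on a code section is weak evidence on its own, while a large fraction of rewritten bytes is the hollowing signal. Sections with no raw data (.bss-style) have nothing to compare and are skipped rather than reported.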
Adir Shitrit
bcf934fac2
Add YARA dependency and implement rule compilation
- Added yara crate v0.28 to ghost-core dependencies
- Implemented real YARA rule compilation from .yar/.yara files
- Added recursive rule file discovery in rules directory
- Implemented memory scanning with compiled YARA rules
- Added proper error handling for rule compilation and scanning
- Cross-platform memory reading support (Windows, Linux, macOS stub)
Generated with [Claude Code](https://claude.com/claude-code)
2025-11-21 00:35:37 +02:00
pandaadir05
944a8f5e6e
Fix Windows/macOS build errors - add Win32_UI feature and remove unused imports
2025-11-20 15:36:28 +02:00
pandaadir05
34007d11c1
fix: Resolve 44 compilation errors in ghost-core
2025-11-17 22:26:53 +02:00
pandaadir05
b1f098571d
feat: Add PE header validation and LD_PRELOAD detection
2025-11-17 22:02:41 +02:00
Adir Shitrit
fe3e5e3b21
add configuration system with TOML support
2025-11-08 12:20:53 +02:00
Adir Shitrit
cd61b89eb5
update dependencies for async and serialization support
2025-11-08 11:47:46 +02:00
Adir Shitrit
8b55344d9b
add ghost-core with basic process enumeration
2025-11-07 18:02:30 +02:00