- Added thread context inspection (RIP/EIP register analysis)
- Detect threads executing from RWX memory regions
- Detect threads in unbacked/private memory
- Thread start address vs current IP divergence detection
- Suspended thread analysis
- Support for both x86 and x64 architectures
- Cross-platform stubs for Linux/macOS
Detects MITRE ATT&CK T1055.003 (Thread Execution Hijacking).
Generated with [Claude Code](https://claude.com/claude-code)
- Added IAT hook scanning for all loaded modules in process
- Compare memory IAT entries with disk versions to detect hooks
- Enumerate modules and scan each for IAT modifications
- Automatic System32/SysWOW64 path resolution for DLLs
- Detailed logging of hook detection results
- Track hooked imports with function names and addresses
- Support for both 32-bit and 64-bit modules
Generated with [Claude Code](https://claude.com/claude-code)
- Implemented comprehensive PE parsing utilities
- Added IAT (Import Address Table) parsing from memory and disk
- Implemented IAT hook detection by comparing memory vs disk
- Added data directory and import descriptor parsing
- Helper functions for reading PE structures
- Cross-platform compilation support with Windows-specific code
- Support for both 32-bit and 64-bit PE files
Generated with [Claude Code](https://claude.com/claude-code)
- Remove unused import std::path::Path from hooks.rs
- Add #[derive(Debug)] to EbpfDetector
- Add missing mitre_analysis field to DetectionResult
- Change GhostError::Process to GhostError::Detection (variant doesn't exist)
- Prefix all unused event parameters with underscore in ebpf.rs
- Fix formatting in hooks.rs
All tests passing (24 total). Clippy clean with -D warnings.
- Box large enum variants in EventData to reduce memory footprint
- Add Default trait implementations for types with new() methods
- Replace or_insert_with(Vec::new) with or_default()
- Convert vec init+push patterns to vec! macro
- Fix field reassignment with default initialization
- Convert match to if for simple equality checks
- Remove unused Backend type parameters from TUI draw functions
- Apply rustfmt formatting
All tests passing (24 total). Zero clippy warnings. Ready for CI/CD.
- Remove unused mach vm_prot_t type and VM_PROT_* constants
- Remove unused EmailChannel.smtp_config field
- Remove unused AttributionEngine.campaigns field
- Remove unused BehaviorSignature.confidence_threshold field
- Prefix unused DetectionEngine._config with underscore
- Prefix unused MitreAttackEngine._campaigns with underscore
- Prefix unused NeuralMemoryAnalyzer._confidence_threshold with underscore
All tests passing (24 total). Clean build with zero warnings.
- Enhanced error handling with expanded GhostError variants and From impls
- Fixed race conditions in TUI (ui.rs unwrap calls)
- Added comprehensive module documentation with doc comments
- Improved type safety with proper validation in DetectionConfig
- Implemented Linux process enumeration via procfs
- Refactored TUI for better state management and removed emojis
- Enhanced CLI with proper logging initialization
- Added example configuration file (examples/ghost.toml)
- Updated README with complete feature documentation
- Added performance optimizations (saturating arithmetic, reduced clones)
- Improved testing framework with proper struct initialization
- Added validation and preset modes to DetectionConfig
