admin/ghost
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
2239bd18a6ac4466344536af7c112ec995482334
ghost/CONTRIBUTING.md
Adir Shitrit 2239bd18a6 add comprehensive contributing guidelines
2025-11-08 11:09:45 +02:00

3.4 KiB
Raw Blame History

Contributing to Ghost

Development Setup

Prerequisites

  • Rust 1.70+ (stable)
  • Windows SDK for Windows development
  • Visual Studio Build Tools

Building

git clone https://github.com/yourusername/ghost.git
cd ghost
cargo build

Testing

cargo test
cargo run --bin ghost-cli

Code Style

Rust Guidelines

  • Use rustfmt with default settings
  • All public APIs must have documentation
  • Follow Rust naming conventions
  • Prefer explicit error handling over .unwrap()

Commit Messages

Follow conventional commits:

  • feat: add new detection technique
  • fix: resolve false positive in memory scanning
  • perf: optimize syscall hook performance
  • docs: update detection coverage matrix
  • refactor: extract platform-specific code

Detection Development

Adding New Techniques

  1. Research the injection method thoroughly
  2. Implement detection in ghost-core/src/detection.rs
  3. Add tests in tests/detection/
  4. Update documentation in docs/DETECTION_METHODS.md
  5. Add benchmark if performance critical

Platform Support

  • Windows: Primary platform, full feature support
  • Linux: eBPF-based detection (in progress)
  • macOS: Endpoint Security framework (planned)

Testing

Unit Tests

Focus on:

  • Detection accuracy (no false positives)
  • Edge case handling
  • Memory safety
  • Performance regressions

Integration Tests

  • Real injection techniques (in controlled environment)
  • Cross-platform compatibility
  • Performance benchmarks

Documentation

Code Comments

/// Detects process hollowing by analyzing memory layout gaps.
/// 
/// This technique monitors for unusual memory allocation patterns
/// where the original executable sections are unmapped and replaced
/// with malicious code while preserving the process structure.
///
/// # Arguments
/// * `regions` - Memory regions from VirtualQueryEx
///
/// # Returns
/// Confidence score 0.0-1.0 indicating hollowing likelihood

Security Considerations

  • All detection methods must be documented
  • Include MITRE ATT&CK technique mappings
  • Reference academic papers where applicable
  • Provide reproducible test cases

Review Process

Pull Requests

  1. All tests must pass
  2. Code coverage >85%
  3. Documentation updated
  4. Performance impact assessed
  5. Security review for new detection logic

Performance Requirements

  • Memory enumeration: <100ms per process
  • Thread analysis: <50ms per process
  • Detection engine: <10ms per analysis
  • Total scan time: <5s for 200 processes

Architecture

Core Principles

  • Zero false positives
  • Minimal performance impact
  • Cross-platform compatibility
  • Educational value

Module Structure

ghost-core/
├── detection.rs    # Core detection algorithms
├── memory.rs       # Memory enumeration
├── process.rs      # Process management  
├── thread.rs       # Thread analysis
└── platform/       # OS-specific implementations
    ├── windows/
    ├── linux/
    └── macos/

Security Research

Responsible Disclosure

  • Test only on systems you own
  • Report bypasses through security contacts
  • Include proof-of-concept code
  • Coordinate with maintainers

Research Areas

  • Novel injection techniques
  • Evasion methods
  • Performance optimizations
  • Anti-analysis detection

Questions?

Open an issue for:

  • Feature requests
  • Bug reports
  • Documentation improvements
  • Design discussions

For security issues, email: security@ghost-project.dev

Reference in New Issue View Git Blame Copy Permalink